From mbabinsk at redhat.com Mon Jan 4 08:02:50 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 4 Jan 2016 09:02:50 +0100
Subject: [Freeipa-devel] [PATCH 0118] fix Py3 incompatible exception instantiation in replica install code
Message-ID: <568A272A.5060805@redhat.com>

-- 
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0118-fix-Py3-incompatible-exception-instantiation-in-repl.patch
Type: text/x-patch
Size: 1837 bytes

From mkosek at redhat.com Mon Jan 4 08:51:49 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 4 Jan 2016 09:51:49 +0100
Subject: [Freeipa-devel] ipa-devel repos on jdennis.fedorapeople.org
In-Reply-To: <56797C5F.7040800@redhat.com>
References: <55A532DF.7070302@redhat.com> <55A53D93.4050201@redhat.com> <20150715074450.GL4218@redhat.com> <55DEC9F5.4070302@redhat.com> <20150827083452.GN22106@redhat.com> <56796323.1000303@redhat.com> <567977B9.9020907@redhat.com> <5679782B.4040601@redhat.com> <56797C5F.7040800@redhat.com>
Message-ID: <568A32A5.4030405@redhat.com>

On 12/22/2015 05:37 PM, Petr Vobornik wrote:
> On 12/22/2015 05:19 PM, Petr Spacek wrote:
>> On 22.12.2015 17:18, John Dennis wrote:
>>> On 12/22/2015 09:50 AM, Petr Spacek wrote:
>>>> John, the machines which used to generate the repos are basically dead now.
>>>>
>>>> Could you remove the directories and replace them with a README with a sentence that the repos were discontinued, please?
>>>
>>> I'd be happy to, but shouldn't the README contain a pointer to the preferred repo/copr whatever it is now? What is it?
>>
>> AFAIK we do not have nightly builds yet :-(
>>
>> Petr, could we have some nightly or post-commit builds in Fedora Copr?
>>
>
> It is easy to set up a VM for nightly copr builds.
>
> We should investigate a possibility of getting a project copr account. It is not good to build everything in mkosek's namespace.

Makes sense. I filed a ticket for Fedora infra:
https://fedorahosted.org/fedora-infrastructure/ticket/5048

We will see what their suggestion is.

Martin

From mkosek at redhat.com Mon Jan 4 09:17:23 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 4 Jan 2016 10:17:23 +0100
Subject: [Freeipa-devel] New FreeIPA official COPR URL (Re: ipa-devel repos on jdennis.fedorapeople.org)
In-Reply-To: <568A32A5.4030405@redhat.com>
References: <55A532DF.7070302@redhat.com> <55A53D93.4050201@redhat.com> <20150715074450.GL4218@redhat.com> <55DEC9F5.4070302@redhat.com> <20150827083452.GN22106@redhat.com> <56796323.1000303@redhat.com> <567977B9.9020907@redhat.com> <5679782B.4040601@redhat.com> <56797C5F.7040800@redhat.com> <568A32A5.4030405@redhat.com>
Message-ID: <568A38A3.3000706@redhat.com>

On 01/04/2016 09:51 AM, Martin Kosek wrote:
> On 12/22/2015 05:37 PM, Petr Vobornik wrote:
>> On 12/22/2015 05:19 PM, Petr Spacek wrote:
>>> On 22.12.2015 17:18, John Dennis wrote:
>>>> On 12/22/2015 09:50 AM, Petr Spacek wrote:
>>>>> John, the machines which used to generate the repos are basically dead now.
>>>>>
>>>>> Could you remove the directories and replace them with a README with a sentence that the repos were discontinued, please?
>>>>
>>>> I'd be happy to, but shouldn't the README contain a pointer to the preferred repo/copr whatever it is now? What is it?
>>>
>>> AFAIK we do not have nightly builds yet :-(
>>>
>>> Petr, could we have some nightly or post-commit builds in Fedora Copr?
>>>
>>
>> It is easy to set up a VM for nightly copr builds.
>>
>> We should investigate a possibility of getting a project copr account. It is not good to build everything in mkosek's namespace.
>
> Makes sense. I filed a ticket for Fedora infra:
> https://fedorahosted.org/fedora-infrastructure/ticket/5048
>
> We will see what their suggestion is.

I talked to Mirek Suchy, creator of the COPR service. It looks like COPR already supports groups, which is exactly what we want:
https://fedorahosted.org/fedora-infrastructure/ticket/5048#comment:1

I created a new "freeipa" COPR alias which allows all members of the "gitfreeipa" FAS group to manage FreeIPA COPRs:
https://copr.fedoraproject.org/groups/g/freeipa/coprs/

Let this be the new FreeIPA official COPR from now on! The new version repos and the discussed nightly repos can be there.

HTH,
Martin

From pspacek at redhat.com Mon Jan 4 13:14:55 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 4 Jan 2016 14:14:55 +0100
Subject: [Freeipa-devel] [PATCH 0072-0082] DNSSEC: fixes
In-Reply-To: <567950DB.7050708@redhat.com>
References: <56780DBA.60703@redhat.com> <56781085.4070106@redhat.com> <56783D51.3070005@redhat.com> <567950DB.7050708@redhat.com>
Message-ID: <568A704F.9050603@redhat.com>

On 22.12.2015 14:32, Petr Spacek wrote:
> On 21.12.2015 18:56, Martin Basti wrote:
>> On 21.12.2015 15:45, Martin Basti wrote:
>>> On 21.12.2015 15:33, Petr Spacek wrote:
>>>> Hello,
>>>>
>>>> this patch set fixes key rotation in DNSSEC.
>>>>
>>>> You can use the attached template files for OpenDNSSEC config to shorten time intervals between key rotations.
>>>>
>>>> Please let me know if you have any questions, I'm all ears!
>>>>
>>> Please fix whitespace error:
>>>
>>> Applying: DNSSEC: logging improvements in ldapkeydb.py
>>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:14: trailing whitespace.
>>>
>>> warning: 1 line adds whitespace errors.
>>>
>> *) DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
>>
>> Is it safe to not use try - except with ipautil.run()? What if the ods-signer command failed?
>
> That is intentional. The call should never fail, so if it fails there is no way how to recover cleanly except restarting the daemon.
>
> The unhandled exception will kill the daemon and systemd will restart it later on.
>
>> *) DNSSEC: Improve error reporting from ipa-ods-exporter
>> IMO log.exception(ex) is enough, do we need to add traceback to msg?
>
> msg is sent over socket to another process (see send_systemd_reply(conn, msg) call in finally: block). Without this the remote party would not receive the error information.
>
>> *) DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
>> I think this is okay because we want to use KSK instantly, but just to be sure, is Publish->Activate okay?
>> + bind_times['idnsSecKeyActivate'] = ods_times['idnsSecKeyPublish']
>>
>> Just to be sure, how will this be handled during KSK key rotation?
>
> We have to copy semantics from OpenDNSSEC. Please see design page https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/OpenDNSSEC2BINDKeyStates , it describes in detail why I did it this way.
>
>> *) DNSSEC: Make sure that current key state in LDAP matches key state in BIND
>> LGTM
>>
>> *) DNSSEC: remove obsolete TODO note
>> ACK
>>
>> *) DNSSEC: add debug mode to ldapkeydb.py
>> A)
>> You can remove __str__ method, python will use __repr__ as default
>
> Done.
>
>> B)
>> for attr in ['ipaPrivateKey', 'ipaPublicKey', 'ipk11publickeyinfo']:
>> Do we need to sanitize *public*Key and publicKeyinfo?
>
> Yes, we need it. The output with any of ['ipaPrivateKey', 'ipaPublicKey', 'ipk11publickeyinfo'] is a huge blob and printing it does not help readability. The purpose of the patch is to make it easy to read and debug, so printing useless blobs would go directly against the purpose :-)
>
>> C)
>> in odsmgr.py ipa_log_manager is used, can we use the same for consistency?
>
> Fixed, thanks.
>
>> D)
>> Do we need logging there, everything is printed via print except debug info about connecting, can you just redirect it to stderr, and leave usable data in stdout?
>
> Yes, we need it because it eases debugging. print() prints useful information to stdout. 'Garbage' about connecting to LDAP, IPA framework initialization and so on goes via logger to stderr, so it can be easily separated from useful information using redirection in BASH.
>
> I've added a comment right below if __name__ == '__main__': to make it clear why we do not use logger in there.
>
>> *) DNSSEC: logging improvements in ldapkeydb.py
>> IMO commit message should be: ".... in ipa-ods-exporter"
>>
>> Otherwise LGTM
>
> Fixed, thanks.
>
>> *) DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
>>
>> A) coding style: please use (), instead of "\"
>> assert set(pubkeys_local) == set(privkeys_local), (
>>     "IDs of private and public keys for DNS zones in local HSM does "
>>     "not match to key pairs: %s vs. %s" %
>>     (hex_set(pubkeys_local), hex_set(privkeys_local))
>> )
>
> Fixed.
>
>> B) coding style
>> assert not matched_already, (
>>     "key %s is in more than one keyset" % hexlify(keyid)
>> )
>
> Not relevant anymore, see below.
>
>> C) schedule_key_deletion()
>> how about the case when keyid is not in any keyset, then keyid will not be replaced by object and it blows up somewhere else
>
> Not relevant anymore, see below.
>
>> D) +class KeyDeleter(object):
>> I would like to have a check there which blows up nicely if _update_key() is called twice on the same object. With current implementation you will get NoneType has no delete_entry method.
>
> Not relevant anymore, see below.
>
>> E)
>> I somehow do not like the placeholder object. Could we just extend Key object with attribute "to_be_deleted" or something similar, and if this attribute is set to True, Key._update_key() can remove, instead of creating a new object.
>> Key.prepare_deletion() can set the value "to_be_deleted" to True.
>
> Main purpose of the KeyDeleter object was to be incompatible with the Key object. I want to be 100 % sure that it is not possible to call schedule_delete() and subsequently modify the Key object.
>
> I've reworked the Key object so it has schedule_deletion() method and all other methods call __assert_not_deleted() to make sure that the object was not deleted.
>
> Is it better?
>
>> *) DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
>> How often is keysyncer initialized? Might happen the case where one of dnssec_zones has been disabled and keysyncer is not aware of this change?
>
> KeySyncer is SyncReplConsumer, so it gets a constant stream of updates from LDAP. IMHO the answer is no, it cannot miss the update.
>
>> You may want to use DNSName from ipapython.dnsutil instead of pure dns.name
>
> Other places in daemons are using dns.name too, so I will keep it that way. For this particular case there would be no advantage anyway.
>
>> *) DNSSEC: ipa-ods-exporter: add ldap-cleanup command
>> LGTM
>
> Old and new version of patches can be found on Github:
> * old: https://github.com/pspacek/freeipa/tree/dnssec_fixes
> * new: https://github.com/pspacek/freeipa/tree/dnssec_fixes2
>
> Fixed patches (+1 new) are attached.

Rebased patches are attached (and were also force-pushed to https://github.com/pspacek/freeipa/tree/dnssec_fixes2)

-- 
Petr^2 Spacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0072-3-DNSSEC-Improve-error-reporting-from-ipa-ods-exporter.patch
Type: text/x-patch
Size: 1059 bytes
-------------- next part --------------
Name: freeipa-pspacek-0073-3-DNSSEC-Make-sure-that-current-state-in-OpenDNSSEC-ma.patch
Type: text/x-patch
Size: 8091 bytes
-------------- next part --------------
Name: freeipa-pspacek-0074-3-DNSSEC-Make-sure-that-current-key-state-in-LDAP-matc.patch
Type: text/x-patch
Size: 1800 bytes
-------------- next part --------------
Name: freeipa-pspacek-0075-3-DNSSEC-remove-obsolete-TODO-note.patch
Type: text/x-patch
Size: 1005 bytes
-------------- next part --------------
Name: freeipa-pspacek-0076-3-DNSSEC-add-debug-mode-to-ldapkeydb.py.patch
Type: text/x-patch
Size: 3382 bytes
-------------- next part --------------
Name: freeipa-pspacek-0077-3-DNSSEC-logging-improvements-in-ipa-ods-exporter.patch
Type: text/x-patch
Size: 2756 bytes
-------------- next part --------------
Name: freeipa-pspacek-0078-3-DNSSEC-remove-keys-purged-by-OpenDNSSEC-from-master-.patch
Type: text/x-patch
Size: 9666 bytes
-------------- next part --------------
Name: freeipa-pspacek-0079-3-DNSSEC-ipa-dnskeysyncd-Skip-zones-with-old-DNSSEC-me.patch
Type: text/x-patch
Size: 4507 bytes
-------------- next part --------------
Name: freeipa-pspacek-0080-3-DNSSEC-ipa-ods-exporter-add-ldap-cleanup-command.patch
Type: text/x-patch
Size: 4806 bytes
-------------- next part --------------
Name: freeipa-pspacek-0081-3-DNSSEC-ipa-dnskeysyncd-call-ods-signer-ldap-cleanup-.patch
Type: text/x-patch
Size: 1444 bytes
-------------- next part --------------
Name: freeipa-pspacek-0082-3-DNSSEC-Log-debug-messages-at-log-level-DEBUG.patch
Type: text/x-patch
Size: 1112 bytes

From ndehadra at redhat.com Mon Jan 4 14:45:50 2016
From: ndehadra at redhat.com (Nikhil Dehadrai)
Date: Mon, 4 Jan 2016 20:15:50 +0530
Subject: [Freeipa-devel] Fwd: [PUBLIC] Re: [IPAQE][REVIEW-REQUEST][TEST PLAN] Replica promotion
In-Reply-To: <56728F78.4080304@redhat.com>
References: <56558E00.8030006@redhat.com> <566FDF19.4060605@redhat.com> <56713F1E.7060303@redhat.com> <56717266.1080800@redhat.com> <56717814.1050604@redhat.com> <56728F78.4080304@redhat.com>
Message-ID: <568A859E.8080701@redhat.com>

Hi There,

Just wanted to follow up on the suggested new scenarios for the test plan. Let me know.

Thanks and Regards,
Nikhil Dehadrai

On 12/17/2015 04:03 PM, Nikhil Dehadrai wrote:
> Hi Martin,
>
> Ok. Understood.
>
> But how about the observations, what do you think of that?
>
> As far as new test scenarios are concerned, I will wait for an update from other members too who can help clarify the behavior under such scenarios.
>
> Thanks and Best Regards,
> Nikhil Dehadrai
>
> On 12/16/2015 08:11 PM, Martin Babinsky wrote:
>> On 12/16/2015 03:17 PM, Nikhil Dehadrai wrote:
>>> Hi There,
>>>
>>> Based on the URL for REPLICA PROMOTION Test plan (http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan), I have the following observations / queries.
>>>
>>> Observations:
>>> -------------------
>>> 1. For "ipa-kra-install" and "ipa-ca-install", the expected result for step 1 should be FAILED, but it is marked as SUCCEED. (What is the correct behavior here?)
>>>
>>> Questions:
>>> --------------
>>> 1. As per current design (IPA 4.2) we can prepare a replica server file on an existing replica server using "ipa-replica-prepare" and use this file to set up a new replica host; how can we achieve this behavior under this new feature when MASTER domain level is set to 1?
>>
>> You can't. The whole point of replica installation by promotion is to eliminate the need to lug around files to set up new replicas.
>>
>> In domain level 1 the ipa-replica-prepare command is disabled and running it raises an error (See test case 2 in http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan). Also there is no MASTER domain level, the domain level is uniform across the whole topology.
>>
>>> 2. How will the "ipa topologysegment-add" work for a 3 replica scenario? Since, under domain level 1 it uses "rightnode" and "leftnode" to form a new segment. Can I add a 3rd replica to this already created "Newsegment" or do we need to have it created separately? How will it work?
>>>
>> Topology segments describe replication agreements between *two* endpoints (think about them as graph edges connecting two nodes). So you set up a segment between replica1 and replica2. To connect a third replica to the topology, you have to create a new segment connecting either replica1 and replica3, or replica2 and replica3.
>>
>>> We can add New Test Scenarios as well:
>>> -----------------------------------------------------
>>> 1. Add scenario for domain level details at UI. Since it talks of reflecting the domain level changes at UI.
>>> 2. Add scenario to validate that once domain level of master is raised to 1, after that it cannot be lowered.
>>> 3. Add scenario for "ipa-restore" using master and replica topology, so as to identify the effect of restoration on replica by using "ipa topologysegment-find realm" command. (What will be the expected behavior in this case?)
>>>
>> I'm not quite sure about point 3 either. I guess that you have to reenroll the replica after restore, but maybe someone more knowledgeable about the feature will chime in.
>>>
>>> Let me know.
>>>
>>> Thanks and Best Regards,
>>> Nikhil Dehadrai
>>>
>>>
>>
>>
>

From mbabinsk at redhat.com Mon Jan 4 15:05:56 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 4 Jan 2016 16:05:56 +0100
Subject: [Freeipa-devel] [PATCH 0119] ipalib/x509.py: revert deletion of ipalib api import
Message-ID: <568A8A54.8030506@redhat.com>

Fixes https://fedorahosted.org/freeipa/ticket/5561

-- 
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0119-ipalib-x509.py-revert-deletion-of-ipalib-api-import.patch
Type: text/x-patch
Size: 955 bytes

From mbabinsk at redhat.com Mon Jan 4 15:08:08 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 4 Jan 2016 16:08:08 +0100
Subject: [Freeipa-devel] [PATCH 0119] ipalib/x509.py: revert deletion of ipalib api import
In-Reply-To: <568A8A54.8030506@redhat.com>
References: <568A8A54.8030506@redhat.com>
Message-ID: <568A8AD8.6060104@redhat.com>

On 01/04/2016 04:05 PM, Martin Babinsky wrote:
> Fixes https://fedorahosted.org/freeipa/ticket/5561
>
>

This is for master branch only, ipa-4-{2,3} does not have this problem.

-- 
Martin^3 Babinsky

From mbasti at redhat.com Mon Jan 4 16:43:00 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 4 Jan 2016 17:43:00 +0100
Subject: [Freeipa-devel] [PATCH 0119] ipalib/x509.py: revert deletion of ipalib api import
In-Reply-To: <568A8AD8.6060104@redhat.com>
References: <568A8A54.8030506@redhat.com> <568A8AD8.6060104@redhat.com>
Message-ID: <568AA114.6020701@redhat.com>

On 04.01.2016 16:08, Martin Babinsky wrote:
> On 01/04/2016 04:05 PM, Martin Babinsky wrote:
>> Fixes https://fedorahosted.org/freeipa/ticket/5561
>>
>>
>
> This is for master branch only, ipa-4-{2,3} does not have this problem.
>

ACK

Pushed to master: 2fad223dbebf5a0824d65e94eb323211a11d2b8f

From mbasti at redhat.com Mon Jan 4 18:23:48 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 4 Jan 2016 19:23:48 +0100
Subject: [Freeipa-devel] [PATCH 0077] ipa-dns-install: Do not check for zone overlap when DNS, installed.
In-Reply-To: <567966F8.9090900@redhat.com>
References: <5673DF56.8060906@redhat.com> <5673E832.3020609@redhat.com> <56741AA8.5060807@redhat.com> <56793EC0.3010107@redhat.com> <56795121.7060804@redhat.com> <567966F8.9090900@redhat.com>
Message-ID: <568AB8B4.5030203@redhat.com>

On 22.12.2015 16:06, Martin Basti wrote:
> On 22.12.2015 14:33, Petr Spacek wrote:
>> On 22.12.2015 13:14, David Kupka wrote:
>>> On 18/12/15 15:39, Petr Vobornik wrote:
>>>> On 12/18/2015 12:04 PM, Petr Vobornik wrote:
>>>>> On 12/18/2015 11:26 AM, David Kupka wrote:
>>>>>> Standalone DNS installer always performed overlap check, effectively preventing installation on replica when other DNS instance was already installed in topology.
>>>>>>
>>>>> I don't like the position of api argument in the install_check. It is not consistent with install_check in KRA plus it's between two related options: standalone and replica.
>>>>>
>>>>> Is there a reason behind it which I don't see?
>>>> NACK, the API call is incorrect.
>>>>
>>>> It should be api.Command['dns_is_enabled']()['result'] or api.Command.dns_is_enabled()['result']
>>>>
>>>> ipa-dns-install --forwarder=$DNS_FORWARDER
>>>>
>>>> The log file for this installation can be found in /var/log/ipaserver-install.log
>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>> TypeError: __call__() takes exactly 1 argument (2 given)
>>>>
>>>> log file:
>>>>
>>>> 2015-12-18T14:33:30Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 736, in run_script
>>>>     return_value = main_function()
>>>>
>>>>   File "/sbin/ipa-dns-install", line 137, in main
>>>>     dns_installer.install_check(True, api, False, options, hostname=api.env.host)
>>>>
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line 113, in install_check
>>>>     already_enabled = api.Command('dns_is_enabled')['result']
>>>>
>>>> 2015-12-18T14:33:30Z DEBUG The ipa-dns-install command failed, exception: TypeError: __call__() takes exactly 1 argument (2 given)
>>>>
>>> Thanks for the catch. Sometimes I mess up with patch files. Fixed patch attached.
>> ACK, works for me.
>>
> Pushed to master: 8ad39a974fd4e1cc6fd2a09b1d9d0c8724983b15
> Pushed to ipa-4-3: bfad829586f40e20ada21ea932377089901aaf61
>

When I tried to install ipa-replica-install --setup-dns, I got an error:

ipa.ipapython.install.cli.install_tool(Replica): ERROR    DNS zone ipa.test. already exists in DNS and is handled by server(s): master.ipa.test.
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

I have DNS installed on master, so this patch does not fix it completely or adds a regression.

From rcritten at redhat.com Mon Jan 4 18:57:38 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 4 Jan 2016 13:57:38 -0500
Subject: [Freeipa-devel] certmonger everywhere
In-Reply-To: <56710E17.9060706@redhat.com>
References: <566FC72B.3050406@redhat.com> <56703075.7040108@redhat.com> <20151216004006.GK23644@dhcp-40-8.bne.redhat.com> <56710E17.9060706@redhat.com>
Message-ID: <568AC0A2.6020202@redhat.com>

Jan Cholasta wrote:
> On 16.12.2015 01:40, Fraser Tweedale wrote:
>
> I'm not proposing to change cert-request to a client side command - I'm proposing to change the way cert-request is handled *on the server*. This way we can keep all the configuration on the server and make changes to it without having to reconfigure all clients.
>
> This is how I envision the workflow:
>
> 1. client requests a certificate with "getcert request", using "IPA" as the CA and, optionally, a string identifying the sub-CA (for the lack of a better term)
>
> 2. "getcert request" forwards the request to certmonger over D-Bus and exits
>
> 3. certmonger creates CSR for the request
>
> 4. certmonger executes the IPA CA helper to handle the request
>
> 5. the IPA CA helper calls the cert-request command on the server over RPC, using local host credentials for authentication
>
> 6. cert-request on the server validates the request
>
> 7. cert-request fetches the configuration for the specified sub-CA, or the default sub-CA if none was specified, from LDAP
>
> 8. cert-request forwards the request to the certmonger CA helper specified in the LDAP configuration over D-Bus (this is the D-Bus method that currently does not exist and needs to be implemented)
>
> 9. certmonger executes the specified CA helper to handle the request
>
> 10. the CA helper requests the certificate from the CA and returns either the certificate, wait delay or error
>
> 11. certmonger returns the result back to cert-request
>
> 12. cert-request returns the result back to IPA CA helper on the client
>
> 13. the IPA CA helper on the client returns the result back to certmonger
>
> 14. if the result was wait delay, certmonger waits and then retries the request from step 4, otherwise it stores the certificate or sets error status
>

I guess this would work but I think you'd have quite a difficult time returning usable error messages to a user (and they are pretty bad now in cert-request).

I assume that a CSR can be seeded into the certmonger request process but I've never tried it myself. Do you know if it works?

I really wonder how the case of delayed issuance would be handled. Would you leave the server-side certmonger request to idle until the second step was handled? Wouldn't this have the potential to have an unmanageable number of certmonger requests? It gets confusing enough for users for the 8 typical tracked certs, what about hundreds?

If you want to eventually use the requestor's credentials won't this require a pretty big change in certmonger to be able to use passed-in credentials? How will those work in the two-step case?

rob

From nalin at redhat.com Mon Jan 4 22:38:02 2016
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Mon, 4 Jan 2016 17:38:02 -0500
Subject: [Freeipa-devel] Added kpasswd_server directive in client krb5.conf
In-Reply-To: <5677A06C.3080708@redhat.com>
References: <5677A06C.3080708@redhat.com>
Message-ID: <20160104223802.GB21493@redhat.com>

On Mon, Dec 21, 2015 at 12:17:08PM +0530, Abhijeet Kasurde wrote:
> Hi All,
>
> Please review patches attached.

The port number should probably be changed from 749 to 464.

HTH,

Nalin

From jcholast at redhat.com Tue Jan 5 07:54:08 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 5 Jan 2016 08:54:08 +0100
Subject: [Freeipa-devel] [PATCH 536] ipapython: remove default_encoding_utf8
Message-ID: <568B76A0.7010009@redhat.com>

Hi,

the attached patch replaces the default_encoding_utf8 binary module with 2 lines of equivalent Python code.

Honza

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-536-ipapython-remove-default_encoding_utf8.patch
Type: text/x-patch
Size: 8650 bytes

From lslebodn at redhat.com Tue Jan 5 09:37:23 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Tue, 5 Jan 2016 10:37:23 +0100
Subject: [Freeipa-devel] 4.3 on rawhide build task fail
In-Reply-To: <56796CD0.5010905@redhat.com>
References: <56796CD0.5010905@redhat.com>
Message-ID: <20160105093721.GA6431@mail.corp.redhat.com>

On (22/12/15 16:31), Petr Vobornik wrote:
>Build of 4.3 on Fedora rawhide failed at the end on rpmdiff check. Builds for all arches were successful and it also works in COPR.
>
> 0 free 1 open 4 done 0 failed
>12284450 build (rawhide, /freeipa:b2442d51ba3f2a5f907f72e9bd90c5889bd89c0e): open (buildppcle-07.phx2.fedoraproject.org) -> FAILED: BuildError: mismatch when analyzing python3-ipatests-4.3.0-1.fc24.noarch.rpm, rpmdiff output was:
>error: cannot open Packages index using db5 - Permission denied (13)
>error: cannot open Packages database in /var/lib/rpm
>error: cannot open Packages database in /var/lib/rpm
>removed REQUIRES python3-ipalib(armv7hl-32) = 4.3.0-1.fc24
>added REQUIRES python3-ipalib(x86-64) = 4.3.0-1.fc24
>0 free 0 open 4 done 1 failed

I think that log file is crystal clear. The noarch package "python3-ipatests-4.3.0-1.fc24.noarch.rpm" requires packages with a strict architecture.

sh$ wget https://kojipkgs.fedoraproject.org//work/tasks/4513/12284513/python3-ipatests-4.3.0-1.fc24.noarch.rpm
sh$ rpm -qp --requires python3-ipatests-4.3.0-1.fc24.noarch.rpm
/usr/bin/python3
freeipa-client-common = 4.3.0-1.fc24
python(abi) = 3.5
python3-coverage
python3-ipalib(x86-64) = 4.3.0-1.fc24
python3-nose
python3-polib
python3-pytest >= 2.6
python3-pytest-multihost >= 0.5
python3-pytest-sourceorder
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1
tar
xz

noarch packages are built for each architecture: armv7hl-32, x86-64, i686. But the same package should be built on each platform. In your case requires and provides are different. This is the reason why rpmdiff failed for some noarch packages.
Attached are two patches which fix issues with the build in koji.

The 1st patch removes usage of %{_isa} in noarch packages.

The second one violates the python packaging guidelines http://fedoraproject.org/wiki/Packaging:Python#Reviewer_checklist
But there seems to be a bug (in rpmbuild???) because "rpm --eval" does not generate provides with architecture.

sh$ wget https://kojipkgs.fedoraproject.org//work/tasks/4513/12284513/python2-ipatests-4.3.0-1.fc24.noarch.rpm
sh$ rpm -qp --provides python2-ipatests-4.3.0-1.fc24.noarch.rpm
freeipa-tests(x86-64) = 4.3.0-1.fc24
ipa-tests(x86-64) = 4.3.0
python-ipatests = 4.3.0-1.fc24
python-ipatests(x86-64) = 4.3.0-1.fc24
python2-ipatests = 4.3.0-1.fc24

sh$ rpm --eval "%{?python_provide:%python_provide python2-ipatests}"
Provides: python-ipatests = %{version}-%{release}
Obsoletes: python-ipatests < %{version}-%{release}

So a better workaround could be to replace the macro "%python_provide" with manually generated "Provides" and "Obsoletes".

It's up to you and discussion with python experts :-)

LS
-------------- next part --------------
>From 0674e1e6aae2423c050be520b9c1b13f8feeb3d8 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Mon, 4 Jan 2016 19:02:24 +0100
Subject: [PATCH 1/2] Remove _isa from requires and provides

---
 freeipa.spec | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/freeipa.spec b/freeipa.spec
index 9c32876a0faa45dbe6aac49551264c0366777b03..a1de4dc5dd2442899c6a36cb48a732fd49ad7909 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -365,7 +365,7 @@ BuildArch: noarch %{?python_provide:%python_provide python2-ipaclient} Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} -Requires: python2-ipalib%{?_isa} = %{version}-%{release} +Requires: python2-ipalib = %{version}-%{release} Requires: python-dns >= 1.11.1 %description -n python2-ipaclient
@@ -402,7 +402,7 @@ Summary: IPA administrative tools Group: System Environment/Base BuildArch: noarch Requires: %{name}-client-common = %{version}-%{release} -Requires: python2-ipalib%{?_isa} = %{version}-%{release} +Requires: python2-ipalib = %{version}-%{release} Requires: python-ldap Provides: %{alt_name}-admintools = %{version} @@ -425,7 +425,7 @@ BuildArch: noarch Obsoletes: %{name}-python < 4.2.91 Provides: %{name}-python = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} -Requires: python2-ipalib%{?_isa} = %{version}-%{release} +Requires: python2-ipalib = %{version}-%{release} Provides: %{alt_name}-python-compat = %{version} Conflicts: %{alt_name}-python-compat @@ -561,10 +561,10 @@ If you are using IPA, you need to install this package. Summary: IPA tests and test tools BuildArch: noarch Obsoletes: %{name}-tests < 4.2.91 -Provides: %{name}-tests%{?_isa} = %{version}-%{release} +Provides: %{name}-tests = %{version}-%{release} %{?python_provide:%python_provide python2-ipatests} Requires: %{name}-client-common = %{version}-%{release} -Requires: python2-ipalib%{?_isa} = %{version}-%{release} +Requires: python2-ipalib = %{version}-%{release} Requires: tar Requires: xz Requires: python-nose @@ -575,7 +575,7 @@ Requires: python-polib Requires: python-pytest-multihost >= 0.5 Requires: python-pytest-sourceorder -Provides: %{alt_name}-tests%{?_isa} = %{version} +Provides: %{alt_name}-tests = %{version} Conflicts: %{alt_name}-tests Obsoletes: %{alt_name}-tests < %{version} @@ -595,7 +595,7 @@ Summary: IPA tests and test tools BuildArch: noarch %{?python_provide:%python_provide python3-ipatests} Requires: %{name}-client-common = %{version}-%{release} -Requires: python3-ipalib%{?_isa} = %{version}-%{release} +Requires: python3-ipalib = %{version}-%{release} Requires: tar Requires: xz Requires: python3-nose -- 2.5.0 -------------- next part -------------- >From 797d5a5d0811dcca1afab7abe8222b2c3c1da494 Mon Sep 17 00:00:00 2001 
From: Lukas Slebodnik Date: Tue, 5 Jan 2016 10:22:18 +0100 Subject: [PATCH 2/2] Disable provides with hardcoded architecture The macro %python_provide should not generate provides with hardcoded architecture The output should be the same as with following eval sh$ rpm --eval "%{?python_provide:%python_provide python2-ipaclient}" Provides: python-ipaclient = %{version}-%{release} Obsoletes: python-ipaclient < %{version}-%{release} --- freeipa.spec | 6 ------ 1 file changed, 6 deletions(-) diff --git a/freeipa.spec b/freeipa.spec index a1de4dc5dd2442899c6a36cb48a732fd49ad7909..f059b257b1b3e3e82c71026e395d9945b9dbb3ea 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -210,7 +210,6 @@ If you are installing an IPA server, you need to install this package. Summary: Python libraries used by IPA server Group: System Environment/Libraries BuildArch: noarch -%{?python_provide:%python_provide python2-ipaserver} Requires: %{name}-server-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python2-ipaclient = %{version}-%{release} @@ -362,7 +361,6 @@ installed on every client machine. Summary: Python libraries used by IPA client Group: System Environment/Libraries BuildArch: noarch -%{?python_provide:%python_provide python2-ipaclient} Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python2-ipalib = %{version}-%{release} @@ -451,7 +449,6 @@ Summary: Python libraries used by IPA Group: System Environment/Libraries Conflicts: %{name}-python < %{version}-%{release} %{?python_provide:%python_provide python2-ipalib} -%{?python_provide:%{?_isa:%python_provide python2-ipalib%{_isa}}} Provides: python2-ipapython = %{version}-%{release} %{?python_provide:%python_provide python2-ipapython} Provides: python2-ipaplatform = %{version}-%{release} 
@@ -496,7 +493,6 @@ If you are using IPA, you need to install this package. Summary: Python3 libraries used by IPA Group: System Environment/Libraries %{?python_provide:%python_provide python3-ipalib} -%{?python_provide:%{?_isa:%python_provide python3-ipalib%{_isa}}} Provides: python3-ipapython = %{version}-%{release} %{?python_provide:%python_provide python3-ipapython} Provides: python3-ipaplatform = %{version}-%{release} @@ -562,7 +558,6 @@ Summary: IPA tests and test tools BuildArch: noarch Obsoletes: %{name}-tests < 4.2.91 Provides: %{name}-tests = %{version}-%{release} -%{?python_provide:%python_provide python2-ipatests} Requires: %{name}-client-common = %{version}-%{release} Requires: python2-ipalib = %{version}-%{release} Requires: tar @@ -593,7 +588,6 @@ This package contains tests that verify IPA functionality. %package -n python3-ipatests Summary: IPA tests and test tools BuildArch: noarch -%{?python_provide:%python_provide python3-ipatests} Requires: %{name}-client-common = %{version}-%{release} Requires: python3-ipalib = %{version}-%{release} Requires: tar -- 2.5.0 From lslebodn at redhat.com Tue Jan 5 09:55:48 2016 
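Review bot: The commit message for [PATCH 1/2] says what is removed but not why; add that noarch subpackages are built on every builder and must come out identical, so `Requires: python2-ipalib%{?_isa}` expands to python2-ipalib(x86-64) on one host and python2-ipalib(armv7hl-32) on another, which is exactly the "removed REQUIRES / added REQUIRES" pair rpmdiff reported. The change itself is consistent: every section touched by the hunks carries `BuildArch: noarch`, and the bare `Provides: %{name}-tests = %{version}-%{release}` still lines up with the unchanged `Obsoletes: %{name}-tests < 4.2.91`.

Review bot: In [PATCH 2/2], deleting the whole `%{?python_provide:%python_provide python2-ipaserver}`, `python2-ipaclient`, `python2-ipatests` and `python3-ipatests` lines drops more than the ISA-qualified provide: per the rpm --eval output in the commit message the macro also emits `Provides: python-ipaclient = %{version}-%{release}` and `Obsoletes: python-ipaclient < %{version}-%{release}`, so upgrades from the old python-* package names, and anything that requires them, will break unless those two lines are written out by hand as the cover mail itself suggests. For python2-ipalib (@@ -451) and python3-ipalib (@@ -496) only the `%{?_isa:...}` variant goes and the plain %python_provide stays, which is the right split; the commit message should say the two cases are handled differently and why.

An added check, not code from this thread or from FreeIPA, for catching the mismatch Lukas describes before a koji build: it flags ISA-qualified Requires and Provides (the %{?_isa} expansion) in a noarch package. The sample lists are the rpm -qp output quoted above, embedded so the check runs offline; check_noarch_rpm is a hypothetical helper that needs the rpm binary.

```python
"""Flag ISA-qualified dependencies in a noarch RPM before it reaches koji.

Added example for this thread, not FreeIPA code.  rpm appends "(<isa>)" to a
dependency name wherever the spec used %{?_isa}; in a noarch package that token
differs per build host (x86-64, armv7hl-32, ...), which is what rpmdiff flagged.
"""
import re
import subprocess

# An ISA token is an arch name followed by a word size, e.g. x86-64, x86-32,
# armv7hl-32, ppc64le-64.  Plain capabilities such as python(abi) or
# rpmlib(FileDigests) also use parentheses but never carry "<arch>-<bits>".
_ISA_DEP = re.compile(r'^(?P<name>[^\s(]+)\((?P<isa>[a-z0-9_]+-(?:32|64))\)')


def arch_qualified(dep_lines):
    """Return (name, isa) for each dependency line that carries an ISA suffix."""
    hits = []
    for line in dep_lines:
        match = _ISA_DEP.match(line.strip())
        if match:
            hits.append((match.group('name'), match.group('isa')))
    return hits


def strip_isa(dep_line):
    """Rewrite 'pkg(x86-64) = 1.0' as 'pkg = 1.0', i.e. what dropping %{?_isa} does."""
    return _ISA_DEP.sub(lambda m: m.group('name'), dep_line.strip(), count=1)


def check_noarch_rpm(path):
    """Query a local .rpm with rpm(8); hypothetical helper, needs the rpm binary.

    Returns None when the package is not noarch (ISA-qualified deps are fine
    there), otherwise a dict of offending Requires and Provides entries.
    """
    arch = subprocess.check_output(
        ['rpm', '-qp', '--qf', '%{ARCH}', path], universal_newlines=True).strip()
    if arch != 'noarch':
        return None
    report = {}
    for flag in ('--requires', '--provides'):
        out = subprocess.check_output(['rpm', '-qp', flag, path],
                                      universal_newlines=True)
        report[flag.lstrip('-')] = arch_qualified(out.splitlines())
    return report


# Sample input: the rpm -qp output quoted in the thread, embedded here so the
# check runs without koji or the package files (constructed excerpt).
SAMPLE_REQUIRES = """\
/usr/bin/python3
freeipa-client-common = 4.3.0-1.fc24
python(abi) = 3.5
python3-coverage
python3-ipalib(x86-64) = 4.3.0-1.fc24
python3-nose
python3-pytest >= 2.6
rpmlib(FileDigests) <= 4.6.0-1
tar
""".splitlines()

SAMPLE_PROVIDES = """\
freeipa-tests(x86-64) = 4.3.0-1.fc24
ipa-tests(x86-64) = 4.3.0
python-ipatests = 4.3.0-1.fc24
python-ipatests(x86-64) = 4.3.0-1.fc24
python2-ipatests = 4.3.0-1.fc24
""".splitlines()


if __name__ == '__main__':
    for label, lines in (('Requires', SAMPLE_REQUIRES), ('Provides', SAMPLE_PROVIDES)):
        for name, isa in arch_qualified(lines):
            print('%s: %s is qualified with %s -> %s'
                  % (label, name, isa, strip_isa(next(l for l in lines if l.startswith(name + '(')))))
```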
From: lslebodn at redhat.com (Lukas Slebodnik) Date: Tue, 5 Jan 2016 10:55:48 +0100 Subject: [Freeipa-devel] 4.3 on rawhide build task fail In-Reply-To: <20160105093721.GA6431@mail.corp.redhat.com> References: <56796CD0.5010905@redhat.com> <20160105093721.GA6431@mail.corp.redhat.com> Message-ID: <20160105095547.GB6431@mail.corp.redhat.com> On (05/01/16 10:37), Lukas Slebodnik wrote: >On (22/12/15 16:31), Petr Vobornik wrote: >>Build of 4.3 on Fedora rawhide failed at the end on rpmdiff check. Builds for >>all arches were successful and also works in COPR. >> 0 free 1 open 4 done 0 failed >>12284450 build (rawhide, /freeipa:b2442d51ba3f2a5f907f72e9bd90c5889bd89c0e): >>open (buildppcle-07.phx2.fedoraproject.org) -> FAILED: BuildError: mismatch >>when analyzing python3-ipatests-4.3.0-1.fc24.noarch.rpm, rpmdiff output was: >>error: cannot open Packages index using db5 - Permission denied (13) >>error: cannot open Packages database in /var/lib/rpm >>error: cannot open Packages database in /var/lib/rpm >>removed REQUIRES python3-ipalib(armv7hl-32) = 4.3.0-1.fc24 >>added REQUIRES python3-ipalib(x86-64) = 4.3.0-1.fc24 >>0 free 0 open 4 done 1 failed >I think that log file is crystal clear. > >The noarch package "python3-ipatests-4.3.0-1.fc24.noarch.rpm" >requires packages with strict architecture. 
> >sh$ wget https://kojipkgs.fedoraproject.org//work/tasks/4513/12284513/python3-ipatests-4.3.0-1.fc24.noarch.rpm > >sh $rpm -qp --requires python3-ipatests-4.3.0-1.fc24.noarch.rpm >/usr/bin/python3 >freeipa-client-common = 4.3.0-1.fc24 >python(abi) = 3.5 >python3-coverage >python3-ipalib(x86-64) = 4.3.0-1.fc24 >python3-nose >python3-polib >python3-pytest >= 2.6 >python3-pytest-multihost >= 0.5 >python3-pytest-sourceorder >rpmlib(CompressedFileNames) <= 3.0.4-1 >rpmlib(FileDigests) <= 4.6.0-1 >rpmlib(PayloadFilesHavePrefix) <= 4.0-1 >rpmlib(PayloadIsXz) <= 5.2-1 >tar >xz > >noarch packages are built for each architecture: armv7hl-32, x86-64, i686 >But the same package should be built on each platform. > >In your case requires, provides are different. This is a reason >why rpmdiff failed for some noarch packages. > >Attached are two patches which fix issues with build in koji. >The 1st patch removes usage of %{_isa} in noarch packages. > >The second one violates python packaging guidelines >http://fedoraproject.org/wiki/Packaging:Python#Reviewer_checklist >But there seems to be bug (in rpmbuild???) because "rpm --eval" does not >generate provides with architecture. > >sh$ wget https://kojipkgs.fedoraproject.org//work/tasks/4513/12284513/python2-ipatests-4.3.0-1.fc24.noarch.rpm > >sh$ rpm -qp --provides python2-ipatests-4.3.0-1.fc24.noarch.rpm >freeipa-tests(x86-64) = 4.3.0-1.fc24 >ipa-tests(x86-64) = 4.3.0 >python-ipatests = 4.3.0-1.fc24 >python-ipatests(x86-64) = 4.3.0-1.fc24 >python2-ipatests = 4.3.0-1.fc24 > >sh$ rpm --eval "%{?python_provide:%python_provide python2-ipatests}" >Provides: python-ipatests = %{version}-%{release} >Obsoletes: python-ipatests < %{version}-%{release} > >So better workaround could be to replace macro "%python_provide" >with manually generated "Provides" and "Obsoletes" >It's up to you and discussion with python experts :-) > >LS >>From 0674e1e6aae2423c050be520b9c1b13f8feeb3d8 Mon Sep 17 00:00:00 2001
>From: Lukas Slebodnik >Date: Mon, 4 Jan 2016 19:02:24 +0100 >Subject: [PATCH 1/2] Remove _isa from requires and provides > And here is a link to koji build with the patches http://koji.fedoraproject.org/koji/taskinfo?taskID=12405513 LS From tbabej at redhat.com Tue Jan 5 10:30:21 2016 From: tbabej at redhat.com (Tomas Babej) Date: Tue, 5 Jan 2016 11:30:21 +0100 Subject: [Freeipa-devel] [PATCH 536] ipapython: remove default_encoding_utf8 In-Reply-To: <568B76A0.7010009@redhat.com> References: <568B76A0.7010009@redhat.com> Message-ID: <568B9B3D.3030709@redhat.com> On 01/05/2016 08:54 AM, Jan Cholasta wrote: > Hi, > > the attached patch replaces the default_encoding_utf8 binary module with > 2 lines of equivalent Python code. > > Honza > > > This looks fine to me, however, I wonder, why this approach was ever taken? The sys.setdefaultencoding is available in all versions of Python ever supported by FreeIPA. Is it possible we're missing something here? Or was this option simply overlooked? Ccing Rob. Tomas From abokovoy at redhat.com Tue Jan 5 10:54:31 2016 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 5 Jan 2016 12:54:31 +0200 Subject: [Freeipa-devel] [PATCH 536] ipapython: remove default_encoding_utf8 In-Reply-To: <568B9B3D.3030709@redhat.com> References: <568B76A0.7010009@redhat.com> <568B9B3D.3030709@redhat.com> Message-ID: <20160105105431.GS4316@redhat.com> On Tue, 05 Jan 2016, Tomas Babej wrote: > > >On 01/05/2016 08:54 AM, Jan Cholasta wrote: >> Hi, >> >> the attached patch replaces the default_encoding_utf8 binary module with >> 2 lines of equivalent Python code. >> >> Honza >> >> >> > >This looks fine to me, however, I wonder, why this approach was ever >taken? The sys.setdefaultencoding is available in all versions of Python >ever supported by FreeIPA. > >Is it possible we're missing something here? Or was this option simply >overlooked? There is more history to it and it is mostly ugly: https://bugzilla.redhat.com/show_bug.cgi?id=243541 -- / Alexander Bokovoy From pvoborni at redhat.com Tue Jan 5 11:11:21 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 5 Jan 2016 12:11:21 +0100 Subject: [Freeipa-devel] 4.3 on rawhide build task fail In-Reply-To: <20160105095547.GB6431@mail.corp.redhat.com> References: <56796CD0.5010905@redhat.com> <20160105093721.GA6431@mail.corp.redhat.com> <20160105095547.GB6431@mail.corp.redhat.com> Message-ID: <568BA4D9.6000208@redhat.com> On 01/05/2016 10:55 AM, Lukas Slebodnik wrote: > On (05/01/16 10:37), Lukas Slebodnik wrote: >> On (22/12/15 16:31), Petr Vobornik wrote: >>> Build of 4.3 on Fedora rawhide failed at the end on rpmdiff check. Builds for >>> all arches were successful and also works in COPR. >>> 0 free 1 open 4 done 0 failed >>> 12284450 build (rawhide, /freeipa:b2442d51ba3f2a5f907f72e9bd90c5889bd89c0e): >>> open (buildppcle-07.phx2.fedoraproject.org) -> FAILED: BuildError: mismatch >>> when analyzing python3-ipatests-4.3.0-1.fc24.noarch.rpm, rpmdiff output was: >>> error: cannot open Packages index using db5 - Permission denied (13) >>> error: cannot open Packages database in /var/lib/rpm >>> error: cannot open Packages database in /var/lib/rpm >>> removed REQUIRES python3-ipalib(armv7hl-32) = 4.3.0-1.fc24 >>> added REQUIRES python3-ipalib(x86-64) = 4.3.0-1.fc24 >>> 0 free 0 open 4 done 1 failed >> I think that log file is crystal clear. >> >> The noarch package "python3-ipatests-4.3.0-1.fc24.noarch.rpm" >> requires packages with strict architecture. 
>> >> sh$ wget https://kojipkgs.fedoraproject.org//work/tasks/4513/12284513/python3-ipatests-4.3.0-1.fc24.noarch.rpm >> >> sh $rpm -qp --requires python3-ipatests-4.3.0-1.fc24.noarch.rpm >> /usr/bin/python3 >> freeipa-client-common = 4.3.0-1.fc24 >> python(abi) = 3.5 >> python3-coverage >> python3-ipalib(x86-64) = 4.3.0-1.fc24 >> python3-nose >> python3-polib >> python3-pytest >= 2.6 >> python3-pytest-multihost >= 0.5 >> python3-pytest-sourceorder >> rpmlib(CompressedFileNames) <= 3.0.4-1 >> rpmlib(FileDigests) <= 4.6.0-1 >> rpmlib(PayloadFilesHavePrefix) <= 4.0-1 >> rpmlib(PayloadIsXz) <= 5.2-1 >> tar >> xz >> >> noarch packages are built for each architecture: armv7hl-32, x86-64, i686 >> But the same package should be built on each platform. >> >> In your case requires, provides are different. This is a reason >> why rpmdiff failed for some noarch packages. >> >> Attached are two patches which fix issues with build in koji. >> The 1st patch removes usage of %{_isa} in noarch packages. >> >> The second one violates python packaging guidelines >> http://fedoraproject.org/wiki/Packaging:Python#Reviewer_checklist >> But there seems to be bug (in rpmbuild???) because "rpm --eval" does not >> generate provides with architecture. >> >> sh$ wget https://kojipkgs.fedoraproject.org//work/tasks/4513/12284513/python2-ipatests-4.3.0-1.fc24.noarch.rpm >> >> sh$ rpm -qp --provides python2-ipatests-4.3.0-1.fc24.noarch.rpm >> freeipa-tests(x86-64) = 4.3.0-1.fc24 >> ipa-tests(x86-64) = 4.3.0 >> python-ipatests = 4.3.0-1.fc24 >> python-ipatests(x86-64) = 4.3.0-1.fc24 >> python2-ipatests = 4.3.0-1.fc24 >> >> sh$ rpm --eval "%{?python_provide:%python_provide python2-ipatests}" >> Provides: python-ipatests = %{version}-%{release} >> Obsoletes: python-ipatests < %{version}-%{release} >> >> So better workaround could be to replace macro "%python_provide" >> with manually generated "Provides" and "Obsoletes" >> It's up to you and discussion with python experts :-) >> >> LS
> >> >From 0674e1e6aae2423c050be520b9c1b13f8feeb3d8 Mon Sep 17 00:00:00 2001 >> From: Lukas Slebodnik >> Date: Mon, 4 Jan 2016 19:02:24 +0100 >> Subject: [PATCH 1/2] Remove _isa from requires and provides >> > And here is a link to koji build with the patches > http://koji.fedoraproject.org/koji/taskinfo?taskID=12405513 > > LS > Thanks Lukas, especially for the second part. I found out the first part yesterday [1]. I'm still not sure if it wouldn't be better to change the noarch packages to arch specific. We wouldn't have to use the workaround and we could keep the arch specific requires. [1] https://fedorahosted.org/freeipa/ticket/5568 -- Petr Vobornik From cheimes at redhat.com Tue Jan 5 11:22:45 2016 From: cheimes at redhat.com (Christian Heimes) Date: Tue, 5 Jan 2016 12:22:45 +0100 Subject: [Freeipa-devel] Added kpasswd_server directive in client krb5.conf In-Reply-To: <20160104223802.GB21493@redhat.com> References: <5677A06C.3080708@redhat.com> <20160104223802.GB21493@redhat.com> Message-ID: <568BA785.4080108@redhat.com> On 2016-01-04 23:38, Nalin Dahyabhai wrote: > On Mon, Dec 21, 2015 at 12:17:08PM +0530, Abhijeet Kasurde wrote: >> Hi All, >> >> Please review patches attached. > > The port number should probably be changed from 749 to 464. Nalin is correct. kpasswd and admin server use different ports: $ getent services kpasswd kpasswd 464/tcp kpwd $ getent services kerberos-adm kerberos-adm 749/tcp Except for the port number, the patch looks good to me. Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From cheimes at redhat.com Tue Jan 5 11:24:43 2016 
From: cheimes at redhat.com (Christian Heimes) Date: Tue, 5 Jan 2016 12:24:43 +0100 Subject: [Freeipa-devel] [PATCH 027] Require Dogtag 10.2.6-13 to fix KRA uninstall Message-ID: <568BA7FB.8040300@redhat.com> The combination of a bug in Dogtag's sslget command and a new feature in mod_nss causes an incomplete uninstallation of KRA. The bug has been fixed in Dogtag 10.2.6-13. https://fedorahosted.org/freeipa/ticket/5469 https://fedorahosted.org/pki/ticket/1704 Signed-off-by: Christian Heimes -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0027-Require-Dogtag-10.2.6-13-to-fix-KRA-uninstall.patch Type: text/x-patch Size: 1228 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From lslebodn at redhat.com Tue Jan 5 12:49:20 2016 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Tue, 5 Jan 2016 13:49:20 +0100 Subject: [Freeipa-devel] [PATCH 027] Require Dogtag 10.2.6-13 to fix KRA uninstall In-Reply-To: <568BA7FB.8040300@redhat.com> References: <568BA7FB.8040300@redhat.com> Message-ID: <20160105124919.GE6431@mail.corp.redhat.com> On (05/01/16 12:24), Christian Heimes wrote: >The combination of a bug in Dogtag's sslget command and a new feature >in mod_nss causes an incomplete uninstallation of KRA. The bug has been >fixed in Dogtag 10.2.6-13. > and it is in Fedora 23 stable for a week https://bodhi.fedoraproject.org/updates/FEDORA-2015-c7dd78ac78 LS >https://fedorahosted.org/freeipa/ticket/5469 >https://fedorahosted.org/pki/ticket/1704 > >Signed-off-by: Christian Heimes From jcholast at redhat.com Tue Jan 5 13:42:26 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 5 Jan 2016 14:42:26 +0100 Subject: [Freeipa-devel] [PATCH 536] ipapython: remove default_encoding_utf8 In-Reply-To: <20160105105431.GS4316@redhat.com> References: <568B76A0.7010009@redhat.com> <568B9B3D.3030709@redhat.com> <20160105105431.GS4316@redhat.com> Message-ID: <568BC842.8060500@redhat.com> On 5.1.2016 11:54, Alexander Bokovoy wrote: > On Tue, 05 Jan 2016, Tomas Babej wrote: >> >> >> On 01/05/2016 08:54 AM, Jan Cholasta wrote: >>> Hi, >>> >>> the attached patch replaces the default_encoding_utf8 binary module with >>> 2 lines of equivalent Python code. >>> >>> Honza >>> >>> >>> >> >> This looks fine to me, however, I wonder, why this approach was ever >> taken? The sys.setdefaultencoding is available in all versions of Python >> ever supported by FreeIPA. >> >> Is it possible we're missing something here? Or was this option simply >> overlooked? > There is more history to it and it is mostly ugly: > https://bugzilla.redhat.com/show_bug.cgi?id=243541 What is actually ugly is badly written code which assumes a specific encoding anywhere instead of using an encoding appropriate in the given context. Rather than working around it using hacks such as changing the default encoding, the preferable solution should be to fix the badly written code itself (which is not always easy, as is the case with IPA). -- Jan Cholasta From mbabinsk at redhat.com Tue Jan 5 14:49:57 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 5 Jan 2016 15:49:57 +0100 Subject: [Freeipa-devel] [PATCH 0120] prevent crash of CA-less server upgrade due to absent certmonger Message-ID: <568BD815.2030000@redhat.com> fixes https://fedorahosted.org/freeipa/ticket/5519 -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0120-prevent-crash-of-CA-less-server-upgrade-due-to-absen.patch Type: text/x-patch Size: 2570 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-4-2-mbabinsk-0120-prevent-crash-of-CA-less-server-upgrade-due-to-absen.patch Type: text/x-patch Size: 2530 bytes Desc: not available URL: From sbose at redhat.com Tue Jan 5 18:55:33 2016 From: sbose at redhat.com (Sumit Bose) Date: Tue, 5 Jan 2016 19:55:33 +0100 Subject: [Freeipa-devel] [PATCH 154] ipa-kdb: map_groups() consider all results Message-ID: <20160105185533.GK6480@p.redhat.com> Hi, to find out to which local group a external user is mapped we do a dereference search over the external groups with the SIDs related to the external user. If a SID is mapped to more than one external group we currently consider only the first returned match. With this patch all results are taken into account. This makes sure all expected local group memberships are added to the PAC which resolves https://fedorahosted.org/freeipa/ticket/5573. bye, Sumit -------------- next part -------------- From 60748d2da05261df937eba85cee27c2ea0d7e893 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 16 Dec 2015 12:38:16 +0100 Subject: [PATCH] ipa-kdb: map_groups() consider all results Resolves https://fedorahosted.org/freeipa/ticket/5573 --- daemons/ipa-kdb/ipa_kdb_mspac.c | 118 +++++++++++++++++++++------------------- 1 file changed, 61 insertions(+), 57 deletions(-) 
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index daa42e369014f2ed401742474453ebb1aadef07c..45721f0dc06d90479f8fc2858c462c3647f7a3c6 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c 
@@ -1082,68 +1082,72 @@ static int map_groups(TALLOC_CTX *memctx, krb5_context kcontext, continue; } - ldap_derefresponse_free(deref_results); - ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results); - switch (ret) { - case ENOENT: - /* No entry found, try next SID */ - break; - case 0: - if (deref_results == NULL) { - krb5_klog_syslog(LOG_ERR, "No results."); + do { + ldap_derefresponse_free(deref_results); + ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results); + switch (ret) { + case ENOENT: + /* No entry found, try next SID */ break; - } + case 0: + if (deref_results == NULL) { + krb5_klog_syslog(LOG_ERR, "No results."); + break; + } - for (dres = deref_results; dres; dres = dres->next) { - count++; - } + for (dres = deref_results; dres; dres = dres->next) { + count++; + } - sids = talloc_realloc(memctx, sids, struct dom_sid, count); - if (sids == NULL) { - krb5_klog_syslog(LOG_ERR, "talloc_realloc failed."); - kerr = ENOMEM; + sids = talloc_realloc(memctx, sids, struct dom_sid, count); + if (sids == NULL) { + krb5_klog_syslog(LOG_ERR, "talloc_realloc failed."); + kerr = ENOMEM; + goto done; + } + + for (dres = deref_results; dres; dres = dres->next) { + gid = 0; + memset(&sid, '\0', sizeof(struct dom_sid)); + for (dval = dres->attrVals; dval; dval = dval->next) { + if (strcasecmp(dval->type, "gidNumber") == 0) { + errno = 0; + gid = strtoul((char *)dval->vals[0].bv_val, + &endptr,10); + if (gid == 0 || gid >= UINT32_MAX || errno != 0 || + *endptr != '\0') { + continue; + } + } + if (strcasecmp(dval->type, + "ipaNTSecurityIdentifier") == 0) { + kerr = string_to_sid((char *)dval->vals[0].bv_val, &sid); + if (kerr != 0) { + continue; + } + } + } + if (gid != 0 && sid.sid_rev_num != 0) { + /* TODO: check if gid maps to sid */ + if (sid_index >= count) { + krb5_klog_syslog(LOG_ERR, "Index larger than " + "array, this shoould " + "never happen."); + kerr = EFAULT; + goto done; + } + memcpy(&sids[sid_index], &sid, sizeof(struct 
dom_sid)); + sid_index++; + } + } + + break; + default: goto done; - } + } - for (dres = deref_results; dres; dres = dres->next) { - gid = 0; - memset(&sid, '\0', sizeof(struct dom_sid)); - for (dval = dres->attrVals; dval; dval = dval->next) { - if (strcasecmp(dval->type, "gidNumber") == 0) { - errno = 0; - gid = strtoul((char *)dval->vals[0].bv_val, - &endptr,10); - if (gid == 0 || gid >= UINT32_MAX || errno != 0 || - *endptr != '\0') { - continue; - } - } - if (strcasecmp(dval->type, - "ipaNTSecurityIdentifier") == 0) { - kerr = string_to_sid((char *)dval->vals[0].bv_val, &sid); - if (kerr != 0) { - continue; - } - } - } - if (gid != 0 && sid.sid_rev_num != 0) { - /* TODO: check if gid maps to sid */ - if (sid_index >= count) { - krb5_klog_syslog(LOG_ERR, "Index larger than " - "array, this shoould " - "never happen."); - kerr = EFAULT; - goto done; - } - memcpy(&sids[sid_index], &sid, sizeof(struct dom_sid)); - sid_index++; - } - } - - break; - default: - goto done; - } + lentry = ldap_next_entry(ipactx->lcontext, lentry); + } while (lentry != NULL); } *_ipa_group_sids_count = sid_index; -- 2.4.3 From abokovoy at redhat.com Tue Jan 5 19:02:15 2016 
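Review bot: The functional change is the new `do { ... } while (lentry != NULL)` around the deref handling, advanced by `lentry = ldap_next_entry(ipactx->lcontext, lentry);`; nearly every other line of the hunk is re-indentation, so reviewers should read it with `git diff -w` and the commit message could say so. Inside the loop, `break` in the ENOENT and "No results." cases now only leaves the switch and the loop moves to the next entry, which is the intent; but `default: goto done;` still jumps out without carrying `ret` into `kerr`, so a deref failure is not reflected in the error the function reports (pre-existing, but worth fixing while this block is rewritten), and the moved log string still reads "this shoould never happen".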
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 5 Jan 2016 21:02:15 +0200 Subject: [Freeipa-devel] [PATCH 536] ipapython: remove default_encoding_utf8 In-Reply-To: <568BC842.8060500@redhat.com> References: <568B76A0.7010009@redhat.com> <568B9B3D.3030709@redhat.com> <20160105105431.GS4316@redhat.com> <568BC842.8060500@redhat.com> Message-ID: <20160105190215.GW4316@redhat.com> On Tue, 05 Jan 2016, Jan Cholasta wrote: >On 5.1.2016 11:54, Alexander Bokovoy wrote: >>On Tue, 05 Jan 2016, Tomas Babej wrote: >>> >>> >>>On 01/05/2016 08:54 AM, Jan Cholasta wrote: >>>>Hi, >>>> >>>>the attached patch replaces the default_encoding_utf8 binary module with >>>>2 lines of equivalent Python code. >>>> >>>>Honza >>>> >>>> >>>> >>> >>>This looks fine to me, however, I wonder, why this approach was ever >>>taken? The sys.setdefaultencoding is available in all versions of Python >>>ever supported by FreeIPA. >>> >>>Is it possible we're missing something here? Or was this option simply >>>overlooked? >>There is more history to it and it is mostly ugly: >>https://bugzilla.redhat.com/show_bug.cgi?id=243541 > >What is actually ugly is badly written code which assumes a specific >encoding anywhere instead of using an encoding appropriate in the >given context. Rather than working around it using hacks such as >changing the default encoding, the preferable solution should be to >fix the badly written code itself (which is not always easy, as is the >case with IPA). I do agree with you in general but this case is sufficiently different enough to warrant what we have in place. -- / Alexander Bokovoy From simo at redhat.com Tue Jan 5 21:15:01 2016
From: simo at redhat.com (Simo Sorce) Date: Tue, 05 Jan 2016 16:15:01 -0500 Subject: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver Message-ID: <1452028501.3830.45.camel@redhat.com> The LDAP context was not checked on the first api call and a context may be null on some error conditions (LDAP server unreachable). Always check that we have a valid context before calling the ldap API. Builds but it is untested. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-565-1-Always-verify-we-have-a-valid-ldap-context.patch Type: text/x-patch Size: 3133 bytes Desc: not available URL: From simo at redhat.com Tue Jan 5 22:19:09 2016 From: simo at redhat.com (Simo Sorce) Date: Tue, 05 Jan 2016 17:19:09 -0500 Subject: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver In-Reply-To: <1452028501.3830.45.camel@redhat.com> References: <1452028501.3830.45.camel@redhat.com> Message-ID: <1452032349.3830.46.camel@redhat.com> On Tue, 2016-01-05 at 16:15 -0500, Simo Sorce wrote: > The LDAP context was not checked on the first api call and a context may > be null on some error conditions (LDAP server unreachable). > > Always check that we have a valid context before calling the ldap API. > > Builds but it is untested. Forgot to mention that this bug affects all 4.x versions and should probably be backported on all maintained branches. I opened a bug to track it too: https://fedorahosted.org/freeipa/ticket/5577 Simo. -- Simo Sorce * Red Hat, Inc * New York From ftweedal at redhat.com Wed Jan 6 04:26:31 2016
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 6 Jan 2016 14:26:31 +1000 Subject: [Freeipa-devel] [PATCH] 0048 Decode HTTP reason phrase as iso-8859-1 Message-ID: <20160106042631.GJ31821@dhcp-40-8.bne.redhat.com> Happy new year, all. The attached patch fixes a unicode decode error triggered in some locales, which causes failure of installation (and probably other oprations, if locale is changed under an existing server). https://fedorahosted.org/freeipa/ticket/5578 Cheers, Fraser -------------- next part -------------- From 9fb59b95553d3f02aa401142a87723e5d0fb2b8a Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 6 Jan 2016 14:50:42 +1100 Subject: [PATCH] Decode HTTP reason phrase as iso-8859-1 The HTTP reason phrase sent by Dogtag is encoded in iso-8859-1; use this charset instead of utf8 when decoding it to avoid decoding errors when characters > 127 appear. Fixes: https://fedorahosted.org/freeipa/ticket/5578 --- ipapython/dogtag.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 010e49652687680444d18e2e8f784fb6167a0df5..c99847013c70c7e82796a99234c1e684f32ddfac 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -219,7 +219,7 @@ def _httplib_request( res = conn.getresponse() http_status = res.status - http_reason_phrase = unicode(res.reason, 'utf-8') + http_reason_phrase = unicode(res.reason, 'iso-8859-1') http_headers = res.msg.dict http_body = res.read() conn.close() -- 2.5.0 From akasurde at redhat.com Wed Jan 6 05:07:31 2016 
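Review bot: The fix is sound in that decoding as iso-8859-1 cannot raise for any byte value, so the UnicodeDecodeError is gone whatever Dogtag sends; but `unicode(res.reason, 'iso-8859-1')` only works on a Python 2 byte string, and with the Python 3 port in progress on this list (where `res.reason` is already a text string and `unicode` does not exist) the same line will have to change again. Consider `res.reason.decode('iso-8859-1') if isinstance(res.reason, bytes) else res.reason` so the hunk survives both interpreters.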
From: akasurde at redhat.com (Abhijeet Kasurde) Date: Wed, 6 Jan 2016 10:37:31 +0530 Subject: [Freeipa-devel] [PATCH] Added kpasswd_server directive in client krb5.conf In-Reply-To: <568BA785.4080108@redhat.com> References: <5677A06C.3080708@redhat.com> <20160104223802.GB21493@redhat.com> <568BA785.4080108@redhat.com> Message-ID: <568CA113.1050507@redhat.com> Hi All, On 01/05/2016 04:52 PM, Christian Heimes wrote: > On 2016-01-04 23:38, Nalin Dahyabhai wrote: >> On Mon, Dec 21, 2015 at 12:17:08PM +0530, Abhijeet Kasurde wrote: >>> Hi All, >>> >>> Please review patches attached. >> The port number should probably be changed from 749 to 464. > Nalin is correct. kpasswd and admin server use different ports: > > $ getent services kpasswd > kpasswd 464/tcp kpwd > $ getent services kerberos-adm > kerberos-adm 749/tcp > > Except for the port number, the patch looks good to me. Changed port number from 749 to 464. Thanks Nalin and Christian. Please review patches attached. > Christian > Thanks, Abhijeet Kasurde -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-akasurde-0001-2-Added-kpasswd_server-directive-in-client-krb5.conf-ipa-4-2.patch Type: text/x-patch Size: 1723 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-akasurde-0001-2-Added-kpasswd_server-directive-in-client-krb5.conf.patch Type: text/x-patch Size: 1723 bytes Desc: not available URL: From akasurde at redhat.com Wed Jan 6 06:36:44 2016 
From: akasurde at redhat.com (Abhijeet Kasurde) Date: Wed, 6 Jan 2016 12:06:44 +0530 Subject: [Freeipa-devel] [pytest-multihost-devel][PATCH] Warn user about missing multihost conf file Message-ID: <568CB5FC.4030008@redhat.com> Hi All, Please review attached patch Fixes : https://fedorahosted.org/python-pytest-multihost/ticket/3 Thanks, Abhijeet Kasurde -------------- next part -------------- A non-text attachment was scrubbed... Name: pytest-multihost-akasurde-0002-Added-error-handling-in-config-file-handling.patch Type: text/x-patch Size: 2432 bytes Desc: not available URL: From mbabinsk at redhat.com Wed Jan 6 07:37:19 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 6 Jan 2016 08:37:19 +0100 Subject: [Freeipa-devel] [PATCH 559] Fix kadmin for new users In-Reply-To: <5655C87D.3000802@redhat.com> References: <1448404347.29102.23.camel@redhat.com> <5655B100.90403@redhat.com> <5655B3E1.4050107@redhat.com> <5655B3FC.6060707@redhat.com> <1448461948.29102.41.camel@redhat.com> <5655C87D.3000802@redhat.com> Message-ID: <568CC42F.4060106@redhat.com> On 11/25/2015 03:41 PM, Martin Kosek wrote: > On 11/25/2015 03:32 PM, Simo Sorce wrote: >> On Wed, 2015-11-25 at 14:13 +0100, Tomas Babej wrote: >>> >>> On 11/25/2015 02:13 PM, Tomas Babej wrote: >>>> >>>> >>>> On 11/25/2015 02:00 PM, Martin Babinsky wrote: >>>>> On 11/24/2015 11:32 PM, Simo Sorce wrote: >>>>>> Ticket #937 was reopened a while ago because one corner case, new users >>>>>> that have never been assigned a password cause kadmin/kadmin.local to >>>>>> throw a fit when they try to visualize information about those user's >>>>>> principals. >>>>>> >>>>>> This patch fakes up modification information when no krbExtraData is >>>>>> available for the principal so that kadmin is happy. >>>>>> >>>>>> Tested and working as designed. >>>>>> >>>>>> Simo. >>>>>> >>>>>> >>>>>> >>>>> ACK >>>>> >>>> >>>> Pushed to master: 0f52eddd1d2781ccc1941c191e9ab6e3ccf6919d >>>> >>> >>> On a related note, should we backport this to later branches? >> >> It wouldn't hurt, it should apply straight to any 4.x and probably >> latest 3.x branches too. > > I would not fix anything older than FreeIPA 4.1.x which is in F22, which is the > oldest supported Fedora (or rather will be, one month after F23 GA). > https://fedorahosted.org/freeipa/ticket/937 is included in 4.2.4 milestone with priority critical. Shouldn't we backport the patch to ipa-4-2 branch? -- Martin^3 Babinsky From mkosek at redhat.com Wed Jan 6 07:42:18 2016
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 6 Jan 2016 08:42:18 +0100 Subject: [Freeipa-devel] [PATCH 559] Fix kadmin for new users In-Reply-To: <568CC42F.4060106@redhat.com> References: <1448404347.29102.23.camel@redhat.com> <5655B100.90403@redhat.com> <5655B3E1.4050107@redhat.com> <5655B3FC.6060707@redhat.com> <1448461948.29102.41.camel@redhat.com> <5655C87D.3000802@redhat.com> <568CC42F.4060106@redhat.com> Message-ID: <568CC55A.5060308@redhat.com> On 01/06/2016 08:37 AM, Martin Babinsky wrote: > On 11/25/2015 03:41 PM, Martin Kosek wrote: >> On 11/25/2015 03:32 PM, Simo Sorce wrote: >>> On Wed, 2015-11-25 at 14:13 +0100, Tomas Babej wrote: >>>> >>>> On 11/25/2015 02:13 PM, Tomas Babej wrote: >>>>> >>>>> >>>>> On 11/25/2015 02:00 PM, Martin Babinsky wrote: >>>>>> On 11/24/2015 11:32 PM, Simo Sorce wrote: >>>>>>> Ticket #937 was reopened a while ago because one corner case, new users >>>>>>> that have never been assigned a password cause kadmin/kadmin.local to >>>>>>> throw a fit when they try to visualize information about those user's >>>>>>> principals. >>>>>>> >>>>>>> This patch fakes up modification information when no krbExtraData is >>>>>>> available for the principal so that kadmin is happy. >>>>>>> >>>>>>> Tested and working as designed. >>>>>>> >>>>>>> Simo. >>>>>>> >>>>>>> >>>>>>> >>>>>> ACK >>>>>> >>>>> >>>>> Pushed to master: 0f52eddd1d2781ccc1941c191e9ab6e3ccf6919d >>>>> >>>> >>>> On a related note, should we backport this to later branches? >>> >>> It wouldn't hurt, it should apply straight to any 4.x and probably >>> latest 3.x branches too. >> >> I would not fix anything older than FreeIPA 4.1.x which is in F22, which is the >> oldest supported Fedora (or rather will be, one month after F23 GA). >> > > https://fedorahosted.org/freeipa/ticket/937 is included in 4.2.4 milestone with > priority critical. Shouldn't we backport the patch to ipa-4-2 branch? We should... Petr? From pvoborni at redhat.com Wed Jan 6 08:49:19 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 6 Jan 2016 09:49:19 +0100
Subject: [Freeipa-devel] [PATCH 559] Fix kadmin for new users
In-Reply-To: <568CC55A.5060308@redhat.com>
References: <1448404347.29102.23.camel@redhat.com> <5655B100.90403@redhat.com> <5655B3E1.4050107@redhat.com> <5655B3FC.6060707@redhat.com> <1448461948.29102.41.camel@redhat.com> <5655C87D.3000802@redhat.com> <568CC42F.4060106@redhat.com> <568CC55A.5060308@redhat.com>
Message-ID: <568CD50F.3030709@redhat.com>

On 01/06/2016 08:42 AM, Martin Kosek wrote:
> On 01/06/2016 08:37 AM, Martin Babinsky wrote:
>> On 11/25/2015 03:41 PM, Martin Kosek wrote:
>>> On 11/25/2015 03:32 PM, Simo Sorce wrote:
>>>> On Wed, 2015-11-25 at 14:13 +0100, Tomas Babej wrote:
>>>>> On 11/25/2015 02:13 PM, Tomas Babej wrote:
>>>>>> On 11/25/2015 02:00 PM, Martin Babinsky wrote:
>>>>>>> On 11/24/2015 11:32 PM, Simo Sorce wrote:
>>>>>>>> Ticket #937 was reopened a while ago because of one corner case: new users that have never been assigned a password cause kadmin/kadmin.local to throw a fit when they try to visualize information about those users' principals.
>>>>>>>>
>>>>>>>> This patch fakes up modification information when no krbExtraData is available for the principal so that kadmin is happy.
>>>>>>>>
>>>>>>>> Tested and working as designed.
>>>>>>>>
>>>>>>>> Simo.
>>>>>>>
>>>>>>> ACK
>>>>>>
>>>>>> Pushed to master: 0f52eddd1d2781ccc1941c191e9ab6e3ccf6919d
>>>>>
>>>>> On a related note, should we backport this to later branches?
>>>>
>>>> It wouldn't hurt, it should apply straight to any 4.x and probably latest 3.x branches too.
>>>
>>> I would not fix anything older than FreeIPA 4.1.x which is in F22, which is the oldest supported Fedora (or rather will be, one month after F23 GA).
>>
>> https://fedorahosted.org/freeipa/ticket/937 is included in the 4.2.4 milestone with priority critical. Shouldn't we backport the patch to the ipa-4-2 branch?
>
> We should... Petr?

Right, that's why it is in 4.2.4.

-- 
Petr Vobornik

From mbabinsk at redhat.com Wed Jan 6 10:21:18 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 6 Jan 2016 11:21:18 +0100
Subject: [Freeipa-devel] [PATCH 027] Require Dogtag 10.2.6-13 to fix KRA uninstall
In-Reply-To: <20160105124919.GE6431@mail.corp.redhat.com>
References: <568BA7FB.8040300@redhat.com> <20160105124919.GE6431@mail.corp.redhat.com>
Message-ID: <568CEA9E.5090106@redhat.com>

On 01/05/2016 01:49 PM, Lukas Slebodnik wrote:
> On (05/01/16 12:24), Christian Heimes wrote:
>> The combination of a bug in Dogtag's sslget command and a new feature in mod_nss causes an incomplete uninstallation of KRA. The bug has been fixed in Dogtag 10.2.6-13.
>
> and it is in Fedora 23 stable for a week
> https://bodhi.fedoraproject.org/updates/FEDORA-2015-c7dd78ac78
>
> LS
>
>> https://fedorahosted.org/freeipa/ticket/5469
>> https://fedorahosted.org/pki/ticket/1704
>>
>> Signed-off-by: Christian Heimes

ipa-kra-install can be uninstalled and XMLRPC tests are also happy.

ACK.

-- 
Martin^3 Babinsky

From ofayans at redhat.com Wed Jan 6 10:47:40 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 6 Jan 2016 11:47:40 +0100
Subject: [Freeipa-devel] [PATCH 0018] Fixed install_ca and install_kra failures at domain level 0
In-Reply-To: <566EBF53.3030608@redhat.com>
References: <566AF99A.4060604@redhat.com> <566B00CE.4040408@redhat.com> <566EBF53.3030608@redhat.com>
Message-ID: <568CF0CC.1020605@redhat.com>

Any chance this patch can be merged this week?

On 12/14/2015 02:08 PM, Oleg Fayans wrote:
> Hi Martin,
>
> On 12/11/2015 05:58 PM, Martin Basti wrote:
>> On 11.12.2015 17:28, Oleg Fayans wrote:
>>> + myre = re.compile(".*Backed up to (?P.*?)\n.*")
>>
>> IMO this regexp is not good.
>>
>> 1) please name it better than "myre"
>
> Done
>
>> 2) initial '.*' is not needed because regexp does not start with '^' and you use search() later
>>
>> 3) trailing '.*' is not needed as well, because it does not end with '$'
>>
>> 4) You can use re.MULTILINE that will parse string per lines
>>
>> path_re = re.compile("^Backed up to (?P.*)$", re.MULTILINE)
>
> Used it, thanks!
>
>> 5) + matched = myre.search(result.stdout_text + result.stderr_text)
>> Why do you need search in both stderr and stdout?
>
> Because of this bug: https://fedorahosted.org/freeipa/ticket/5484
>
>> Martin^2

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From ofayans at redhat.com Wed Jan 6 10:53:27 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 6 Jan 2016 11:53:27 +0100
Subject: [Freeipa-devel] replica promotion testplan review
Message-ID: <568CF227.1000209@redhat.com>

Hi!

Could you guys take a look at http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan once again to see if it lacks something important?

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From sbose at redhat.com Wed Jan 6 11:15:10 2016
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 6 Jan 2016 12:15:10 +0100
Subject: [Freeipa-devel] [PATCH 155] ipa-kdb: get_authz_data_types() make sure entry can be NULL
Message-ID: <20160106111510.GO6480@p.redhat.com>

Hi,

this patch fixes an issue found by Simo when he called get_authz_data_types() with the second argument being NULL. This function determines which type of authorization data should be added to the Kerberos ticket. There are global defaults and it is possible to configure this per service as well. The second argument is the database entry of a service. If no service is given it makes sense to return the global defaults; most parts of get_authz_data_types() handle this case well, and this patch fixes the remaining issue and adds a test for this as well.

Please note that currently get_authz_data_types() is used in a code path where the service entry is expected to be not NULL, and it turned out that in Simo's case it will be non-NULL as well. Nevertheless the patch makes the code more robust and makes future use of get_authz_data_types() safer.

bye,
Sumit

-------------- next part --------------
From ac3468375a71da08d1437362caabae4504c87386 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Wed, 16 Dec 2015 12:37:50 +0100
Subject: [PATCH] ipa-kdb: get_authz_data_types() make sure entry can be NULL

---
 daemons/ipa-kdb/ipa_kdb_mspac.c       | 2 +-
 daemons/ipa-kdb/tests/ipa_kdb_tests.c | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 8594309dbd27b45abda68de5f7ebf0c31e16904d..daa42e369014f2ed401742474453ebb1aadef07c 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2005,7 +2005,7 @@ void get_authz_data_types(krb5_context context, krb5_db_entry *entry, service_specific = false; authz_data_type = authz_data_list[c]; sep = strchr(authz_data_list[c], ':'); - if (sep != NULL) { + if (sep != NULL && entry != NULL) { if (entry->princ == NULL) { krb5_klog_syslog(LOG_ERR, "Missing principal in database " "entry, no authorization data will " \ diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c index 0811972d3bb306e86a97d3c979a8e5cd0182cadd..1220d889ef76929161846dd41fa49df79b7b46f3 100644 --- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c +++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c @@ -410,6 +410,14 @@ void test_get_authz_data_types(void **state) get_authz_data_types(test_ctx->krb5_ctx, entry, &with_pac, &with_pad); assert_true(with_pad == test_set[c].exp_with_pad); assert_true(with_pac == test_set[c].exp_with_pac); + + /* test if global default are returned if there is no server entry */ + if (test_set[c].authz_data == NULL && test_set[c].princ == NULL) { + get_authz_data_types(test_ctx->krb5_ctx, NULL, &with_pac, + &with_pad); + assert_true(with_pad == test_set[c].exp_with_pad); + assert_true(with_pac == test_set[c].exp_with_pac); + } } free(ied); -- 2.4.3 From cheimes at redhat.com Wed Jan 6 11:33:28 2016 
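Review bot: in the ipa_kdb_mspac.c hunk the new `entry != NULL` guard only skips the service-matching block; when entry is NULL and the list item contains a ':', the loop carries on with `authz_data_type = authz_data_list[c]`, i.e. the full "service:TYPE" string, and hands it to the type matching that follows the shown context. If that matching reports unknown type names, every NULL call will now produce one such report per service-scoped item in the global list. An explicit `if (sep != NULL && entry == NULL) continue;` before the matching would make the "return the global defaults" intent from the cover mail explicit and keep service-scoped items out of the global result entirely; that intent is also worth stating in the commit message, which at the moment is only the subject line.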
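Review bot: in the ipa_kdb_tests.c hunk the NULL-entry call is only made when `test_set[c].authz_data == NULL && test_set[c].princ == NULL`, so it never exercises a list that contains a "service:TYPE" item, which is exactly the branch the first hunk changes. A test_set row whose global list carries such an item, with the expected flags being the global defaults, would cover it. Also, the comment should read "global defaults are returned if there is no service entry": the second argument is the service entry, not a server entry.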
From: cheimes at redhat.com (Christian Heimes)
Date: Wed, 6 Jan 2016 12:33:28 +0100
Subject: [Freeipa-devel] [PATCH 536] ipapython: remove default_encoding_utf8
In-Reply-To: <568B9B3D.3030709@redhat.com>
References: <568B76A0.7010009@redhat.com> <568B9B3D.3030709@redhat.com>
Message-ID: <568CFB88.7020007@redhat.com>

On 2016-01-05 11:30, Tomas Babej wrote:
> On 01/05/2016 08:54 AM, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch replaces the default_encoding_utf8 binary module with 2 lines of equivalent Python code.
>>
>> Honza
>
> This looks fine to me, however, I wonder why this approach was ever taken? The sys.setdefaultencoding is available in all versions of Python ever supported by FreeIPA.
>
> Is it possible we're missing something here? Or was this option simply overlooked?

sys.setdefaultencoding() is not available unless you use a hack and reload the sys module. The function is hidden for a very good reason. It can and will break internal assumptions as well as libraries in bad, hard to detect ways. For example it wreaks havoc on hashing for dicts and sets. The blog posting https://anonbadger.wordpress.com/2015/06/16/why-sys-setdefaultencoding-will-break-code/ explains the problem in much greater detail.

From pspacek at redhat.com Wed Jan 6 12:37:18 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 6 Jan 2016 13:37:18 +0100
Subject: [Freeipa-devel] [PATCH 155] ipa-kdb: get_authz_data_types() make sure entry can be NULL
In-Reply-To: <20160106111510.GO6480@p.redhat.com>
References: <20160106111510.GO6480@p.redhat.com>
Message-ID: <568D0A7E.2030405@redhat.com>

On 6.1.2016 12:15, Sumit Bose wrote:
> Hi,
>
> this patch fixes an issue found by Simo when he called get_authz_data_types() with the second argument being NULL. This function determines which type of authorization data should be added to the Kerberos ticket. There are global defaults and it is possible to configure this per service as well. The second argument is the database entry of a service. If no service is given it makes sense to return the global defaults; most parts of get_authz_data_types() handle this case well, and this patch fixes the remaining issue and adds a test for this as well.
>
> Please note that currently get_authz_data_types() is used in a code path where the service entry is expected to be not NULL, and it turned out that in Simo's case it will be non-NULL as well. Nevertheless the patch makes the code more robust and makes future use of get_authz_data_types() safer.
>
> bye,
> Sumit

Nitpick without looking at the code: It would be good to include the text above (or a variant of it) in the commit message. The person doing software archaeology some years from now will appreciate it :-)

-- 
Petr^2 Spacek

From jcholast at redhat.com Wed Jan 6 13:20:19 2016
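Sumit's mail above describes the selection rule but not the code: a global list of authorization-data types, optionally overridden per service, where a NULL entry means "use the global defaults". The C below is an added illustration written for this thread, not FreeIPA's ipa_kdb_mspac.c; krb5_db_entry is replaced by a small struct holding the principal's service name, and the precedence rule (a matching service-scoped item overrides the global ones, NONE clears both flags) is this example's assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the krb5_db_entry argument (assumption): only the first
 * component of the service principal matters here. service == NULL models
 * the "Missing principal in database entry" condition from the patch. */
struct svc_entry {
    const char *service;
};

/* Record one type name in the flag set it belongs to. Unknown names are
 * silently ignored here (ipa-kdb logs them instead). */
static void note_type(const char *type, bool *pac, bool *pad, bool *none)
{
    if (strcmp(type, "MS-PAC") == 0)
        *pac = true;
    else if (strcmp(type, "PAD") == 0)
        *pad = true;
    else if (strcmp(type, "NONE") == 0)
        *none = true;
}

/*
 * Decide which authorization data to add to a ticket.
 *   list  - NULL-terminated type list, e.g. {"MS-PAC", "nfs:NONE", NULL}
 *   entry - service database entry, or NULL for "no service: global defaults"
 * Returns 0 on success, -1 when a service-scoped item is present but the
 * entry has no principal (then no authorization data is added at all).
 */
int select_authz_types(const char *const *list, const struct svc_entry *entry,
                       bool *with_pac, bool *with_pad)
{
    bool g_pac = false, g_pad = false, g_none = false;   /* global items */
    bool s_pac = false, s_pad = false, s_none = false;   /* matching service items */

    *with_pac = false;
    *with_pad = false;

    for (size_t c = 0; list[c] != NULL; c++) {
        const char *type = list[c];
        const char *sep = strchr(type, ':');

        if (sep == NULL) {
            note_type(type, &g_pac, &g_pad, &g_none);
            continue;
        }
        /* "service:TYPE": with no entry there is no service to compare
         * against, so the item is skipped rather than being parsed as a
         * type name; only the global items stay in effect. */
        if (entry == NULL)
            continue;
        if (entry->service == NULL)
            return -1;
        size_t n = (size_t)(sep - type);
        if (strlen(entry->service) != n || strncmp(entry->service, type, n) != 0)
            continue;
        note_type(sep + 1, &s_pac, &s_pad, &s_none);
    }

    if (s_pac || s_pad || s_none) {
        /* A service-scoped item matched: it replaces the global choice. */
        if (!s_none) {
            *with_pac = s_pac;
            *with_pad = s_pad;
        }
    } else if (!g_none) {
        *with_pac = g_pac;
        *with_pad = g_pad;
    }
    return 0;
}

/* Convenience wrapper: -1 on error, otherwise bit 1 = MS-PAC, bit 0 = PAD.
 * have_entry == false passes NULL, the case the patch makes safe. */
int authz_code(const char *const *list, const char *service, bool have_entry)
{
    struct svc_entry e = { service };
    bool pac, pad;

    if (select_authz_types(list, have_entry ? &e : NULL, &pac, &pad) != 0)
        return -1;
    return (pac ? 2 : 0) | (pad ? 1 : 0);
}

/* Constructed sample configurations, not taken from any deployment. */
const char *const list_global_nfs[] = { "MS-PAC", "nfs:NONE", NULL };
const char *const list_cifs[]       = { "MS-PAC", "PAD", "cifs:MS-PAC", NULL };
const char *const list_none_nfs[]   = { "NONE", "nfs:PAD", NULL };

int main(void)
{
    printf("no entry, list with nfs:NONE -> %d (2 = MS-PAC only)\n",
           authz_code(list_global_nfs, NULL, false));
    printf("nfs entry                    -> %d (0 = nothing)\n",
           authz_code(list_global_nfs, "nfs", true));
    printf("entry without principal      -> %d (error)\n",
           authz_code(list_global_nfs, NULL, true));
    return 0;
}
```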
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 6 Jan 2016 14:20:19 +0100
Subject: [Freeipa-devel] certmonger everywhere
In-Reply-To: <568AC0A2.6020202@redhat.com>
References: <566FC72B.3050406@redhat.com> <56703075.7040108@redhat.com> <20151216004006.GK23644@dhcp-40-8.bne.redhat.com> <56710E17.9060706@redhat.com> <568AC0A2.6020202@redhat.com>
Message-ID: <568D1493.3070903@redhat.com>

On 4.1.2016 19:57, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> On 16.12.2015 01:40, Fraser Tweedale wrote:
>>
>> I'm not proposing to change cert-request to a client side command - I'm proposing to change the way cert-request is handled *on the server*. This way we can keep all the configuration on the server and make changes to it without having to reconfigure all clients.
>>
>> This is how I envision the workflow:
>>
>> 1. client requests a certificate with "getcert request", using "IPA" as the CA and, optionally, a string identifying the sub-CA (for lack of a better term)
>>
>> 2. "getcert request" forwards the request to certmonger over D-Bus and exits
>>
>> 3. certmonger creates CSR for the request
>>
>> 4. certmonger executes the IPA CA helper to handle the request
>>
>> 5. the IPA CA helper calls the cert-request command on the server over RPC, using local host credentials for authentication
>>
>> 6. cert-request on the server validates the request
>>
>> 7. cert-request fetches the configuration for the specified sub-CA, or the default sub-CA if none was specified, from LDAP
>>
>> 8. cert-request forwards the request to the certmonger CA helper specified in the LDAP configuration over D-Bus (this is the D-Bus method that currently does not exist and needs to be implemented)
>>
>> 9. certmonger executes the specified CA helper to handle the request
>>
>> 10. the CA helper requests the certificate from the CA and returns either the certificate, wait delay or error
>>
>> 11. certmonger returns the result back to cert-request
>>
>> 12. cert-request returns the result back to the IPA CA helper on the client
>>
>> 13. the IPA CA helper on the client returns the result back to certmonger
>>
>> 14. if the result was wait delay, certmonger waits and then retries the request from step 4, otherwise it stores the certificate or sets error status
>
> I guess this would work but I think you'd have quite a difficult time returning usable error messages to a user (and they are pretty bad now in cert-request).

I don't see why, error messages can be easily passed between all the involved interfaces.

> I assume that a CSR can be seeded into the certmonger request process but I've never tried it myself. Do you know if it works?
>
> I really wonder how the case of delayed issuance would be handled. Would you leave the server-side certmonger request to idle until the second step was handled? Wouldn't this have the potential to have an unmanageable number of certmonger requests? It gets confusing enough for users for the 8 typical tracked certs, what about hundreds?

See step 8: there won't be any new certmonger requests, everything will be forwarded directly to the proper certmonger CA helper using a new D-Bus call.

> If you want to eventually use the requestors credentials won't this require a pretty big change in certmonger to be able to use passed-in credentials?

Yes, I guess. However, we can use the current Dogtag backend for our CA and certmonger for other CAs until that is implemented.

> How will those work in the two-step case?

What do you mean?

-- 
Jan Cholasta

From mbasti at redhat.com Wed Jan 6 14:06:32 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 6 Jan 2016 15:06:32 +0100
Subject: [Freeipa-devel] [PATCH 0018] Fixed install_ca and install_kra failures at domain level 0
In-Reply-To: <568CF0CC.1020605@redhat.com>
References: <566AF99A.4060604@redhat.com> <566B00CE.4040408@redhat.com> <566EBF53.3030608@redhat.com> <568CF0CC.1020605@redhat.com>
Message-ID: <568D1F68.5060505@redhat.com>

I cannot apply your patch on the master branch, missing blobs; can you rebase please?

On 06.01.2016 11:47, Oleg Fayans wrote:
> Any chance this patch can be merged this week?
>
> On 12/14/2015 02:08 PM, Oleg Fayans wrote:
>> Hi Martin,
>>
>> On 12/11/2015 05:58 PM, Martin Basti wrote:
>>> On 11.12.2015 17:28, Oleg Fayans wrote:
>>>> + myre = re.compile(".*Backed up to (?P.*?)\n.*")
>>> IMO this regexp is not good.
>>>
>>> 1) please name it better than "myre"
>> Done
>>
>>> 2) initial '.*' is not needed because regexp does not start with '^' and you use search() later
>>>
>>> 3) trailing '.*' is not needed as well, because it does not end with '$'
>>>
>>> 4) You can use re.MULTILINE that will parse string per lines
>>>
>>> path_re = re.compile("^Backed up to (?P.*)$", re.MULTILINE)
>> Used it, thanks!
>>
>>> 5) + matched = myre.search(result.stdout_text + result.stderr_text)
>>> Why do you need search in both stderr and stdout?
>> Because of this bug: https://fedorahosted.org/freeipa/ticket/5484
>>
>>> Martin^2

From pviktori at redhat.com Wed Jan 6 14:28:36 2016
From: pviktori at redhat.com (Petr Viktorin)
Date: Wed, 6 Jan 2016 15:28:36 +0100
Subject: [Freeipa-devel] [PATCHES] 0753-0759
Message-ID: <568D2494.9080602@redhat.com>

Hello,

Patches 0753-0757 fix remaining warnings from `pylint --py3k`, except "no-absolute-import" (which seems redundant to me) and the ones in contrib/RHEL4.

As for contrib/RHEL4, I found a mail [0] from 2013 saying it hasn't been used for a long time and probably doesn't work. Since then it's for example been changed to use ipapython.dn, which I'd bet no one checks for Python 2.5 compatibility. Since this seems to be untested and non-working code, I'm sending a patch to remove it. But if that's not wanted tell me, and I'll skip pylint --py3k checks there instead.

The last patch adds a py3k lint check to make-lint. It's a bit cumbersome, since pylint doesn't allow running regular checkers and the py3k ones at the same time, but it allows you to run the check. As for whether to enable --py3k by default, or run it on every package build, I'd like to defer the decision to core devs. (Is CI good enough nowadays to only run it there?)

[0] https://www.redhat.com/archives/freeipa-users/2013-July/msg00055.html

-- 
Petr Viktorin

Attachments (text/x-patch):
- freeipa-pviktori-0753-Don-t-index-exceptions-directly.patch (2547 bytes)
- freeipa-pviktori-0754-Use-print_function-future-definition-wherever-print-.patch (1399 bytes)
- freeipa-pviktori-0755-Alias-unicode-to-str-under-Python-3.patch (5479 bytes)
- freeipa-pviktori-0756-Avoid-builtins-that-were-removed-in-Python-3.patch (2493 bytes)
- freeipa-pviktori-0757-dnsutil-Rename-__nonzero__-to-__bool__.patch (1052 bytes)
- freeipa-pviktori-0758-Remove-contrib-RHEL4.patch (37343 bytes)
- freeipa-pviktori-0759-make-lint-Allow-running-pylint-py3k-to-detect-Python.patch (4062 bytes)

From rcritten at redhat.com Wed Jan 6 14:47:57 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 6 Jan 2016 09:47:57 -0500
Subject: [Freeipa-devel] [PATCHES] 0753-0759
In-Reply-To: <568D2494.9080602@redhat.com>
References: <568D2494.9080602@redhat.com>
Message-ID: <568D291D.5020709@redhat.com>

Petr Viktorin wrote:
> Hello,
>
> Patches 0753-0757 fix remaining warnings from `pylint --py3k`, except "no-absolute-import" (which seems redundant to me) and the ones in contrib/RHEL4.
>
> As for contrib/RHEL4, I found a mail [0] from 2013 saying it hasn't been used for a long time and probably doesn't work. Since then it's for example been changed to use ipapython.dn, which I'd bet no one checks for Python 2.5 compatibility. Since this seems to be untested and non-working code, I'm sending a patch to remove it. But if that's not wanted tell me, and I'll skip pylint --py3k checks there instead.
>
> The last patch adds a py3k lint check to make-lint. It's a bit cumbersome, since pylint doesn't allow running regular checkers and the py3k ones at the same time, but it allows you to run the check. As for whether to enable --py3k by default, or run it on every package build, I'd like to defer the decision to core devs. (Is CI good enough nowadays to only run it there?)
>
> [0] https://www.redhat.com/archives/freeipa-users/2013-July/msg00055.html

My only nit would be to remove contrib/RHEL4 as being deprecated rather than for lack of testing against some old version. It just configures ldap and Kerberos via authconfig, so unless the discovery failed it would likely still work fairly well, but clearly it isn't being maintained so I'd remove it for that reason, for historical purposes.

rob

From rcritten at redhat.com Wed Jan 6 14:56:10 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 6 Jan 2016 09:56:10 -0500
Subject: [Freeipa-devel] certmonger everywhere
In-Reply-To: <568D1493.3070903@redhat.com>
References: <566FC72B.3050406@redhat.com> <56703075.7040108@redhat.com> <20151216004006.GK23644@dhcp-40-8.bne.redhat.com> <56710E17.9060706@redhat.com> <568AC0A2.6020202@redhat.com> <568D1493.3070903@redhat.com>
Message-ID: <568D2B0A.9010309@redhat.com>

Jan Cholasta wrote:
> On 4.1.2016 19:57, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> On 16.12.2015 01:40, Fraser Tweedale wrote:
>>>
>>> I'm not proposing to change cert-request to a client side command - I'm proposing to change the way cert-request is handled *on the server*. This way we can keep all the configuration on the server and make changes to it without having to reconfigure all clients.
>>>
>>> This is how I envision the workflow:
>>>
>>> 1. client requests a certificate with "getcert request", using "IPA" as the CA and, optionally, a string identifying the sub-CA (for lack of a better term)
>>>
>>> 2. "getcert request" forwards the request to certmonger over D-Bus and exits
>>>
>>> 3. certmonger creates CSR for the request
>>>
>>> 4. certmonger executes the IPA CA helper to handle the request
>>>
>>> 5. the IPA CA helper calls the cert-request command on the server over RPC, using local host credentials for authentication
>>>
>>> 6. cert-request on the server validates the request
>>>
>>> 7. cert-request fetches the configuration for the specified sub-CA, or the default sub-CA if none was specified, from LDAP
>>>
>>> 8. cert-request forwards the request to the certmonger CA helper specified in the LDAP configuration over D-Bus (this is the D-Bus method that currently does not exist and needs to be implemented)
>>>
>>> 9. certmonger executes the specified CA helper to handle the request
>>>
>>> 10. the CA helper requests the certificate from the CA and returns either the certificate, wait delay or error
>>>
>>> 11. certmonger returns the result back to cert-request
>>>
>>> 12. cert-request returns the result back to the IPA CA helper on the client
>>>
>>> 13. the IPA CA helper on the client returns the result back to certmonger
>>>
>>> 14. if the result was wait delay, certmonger waits and then retries the request from step 4, otherwise it stores the certificate or sets error status
>>
>> I guess this would work but I think you'd have quite a difficult time returning usable error messages to a user (and they are pretty bad now in cert-request).
>
> I don't see why, error messages can be easily passed between all the involved interfaces.

The current messages aren't great but at least with some amount of google-fu one can discover what the current ones mean. The certmonger messages tend to be just "can't talk to http://...:9180/..." and a semi-documented status code.

>> I assume that a CSR can be seeded into the certmonger request process but I've never tried it myself. Do you know if it works?
>>
>> I really wonder how the case of delayed issuance would be handled. Would you leave the server-side certmonger request to idle until the second step was handled? Wouldn't this have the potential to have an unmanageable number of certmonger requests? It gets confusing enough for users for the 8 typical tracked certs, what about hundreds?
>
> See step 8: there won't be any new certmonger requests, everything will be forwarded directly to the proper certmonger CA helper using a new D-Bus call.

Ok, I read it as creating a request via the D-Bus call. Makes me wonder what this means for masters that don't run a CA.

>> If you want to eventually use the requestors credentials won't this require a pretty big change in certmonger to be able to use passed-in credentials?
>
> Yes, I guess. However, we can use the current Dogtag backend for our CA and certmonger for other CAs until that is implemented.
>
>> How will those work in the two-step case?
>
> What do you mean?

This question was based on my misunderstanding of how certmonger would be called via D-Bus. You'd have had to correlate a status request with an existing certmonger request in some way, but since you aren't creating one it's a no-op.

I think this is interesting in theory but I fear it is going to make a complex process even more complex. It does raise the interesting possibility of removing the need to store the RA credentials in the Apache NSS database and to me that is the bigger win.

rob

From mbasti at redhat.com Wed Jan 6 17:05:39 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 6 Jan 2016 18:05:39 +0100
Subject: [Freeipa-devel] [PATCHES 0396-0397] DNSSEC CI: fix tests
Message-ID: <568D4963.1000305@redhat.com>

Patches attached.

Attachments (text/x-patch):
- freeipa-mbasti-0396-DNSSEC-test-fix-adding-zones-with-skip-overlap-check.patch (3050 bytes)
- freeipa-mbasti-0397-DNSSEC-CI-add-missing-ldns-utils-dependency.patch (1011 bytes)

From mbasti at redhat.com Wed Jan 6 17:49:14 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 6 Jan 2016 18:49:14 +0100
Subject: [Freeipa-devel] [PATCH 0072-0081] DNSSEC: fixes
In-Reply-To: <567950DB.7050708@redhat.com>
References: <56780DBA.60703@redhat.com> <56781085.4070106@redhat.com> <56783D51.3070005@redhat.com> <567950DB.7050708@redhat.com>
Message-ID: <568D539A.6030107@redhat.com>

On 22.12.2015 14:32, Petr Spacek wrote:
> On 21.12.2015 18:56, Martin Basti wrote:
>> On 21.12.2015 15:45, Martin Basti wrote:
>>> On 21.12.2015 15:33, Petr Spacek wrote:
>>>> Hello,
>>>>
>>>> this patch set fixes key rotation in DNSSEC.
>>>>
>>>> You can use attached template files for OpenDNSSEC config to shorten time intervals between key rotations.
>>>>
>>>> Please let me know if you have any questions, I'm all ears!
>>>
>>> Please fix whitespace error:
>>>
>>> Applying: DNSSEC: logging improvements in ldapkeydb.py
>>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:14: trailing whitespace.
>>>
>>> warning: 1 line adds whitespace errors.
>>
>> *) DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
>>
>> Is it safe not to use try/except with ipautil.run()? What if the ods-signer command failed?
>
> That is intentional. The call should never fail, so if it fails there is no way to recover cleanly except restarting the daemon.
>
> The unhandled exception will kill the daemon and systemd will restart it later on.
>
>> *) DNSSEC: Improve error reporting from ipa-ods-exporter
>> IMO log.exception(ex) is enough, do we need to add traceback to msg?
>
> msg is sent over socket to another process (see send_systemd_reply(conn, msg) call in finally: block). Without this the remote party would not receive the error information.
>
>> *) DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
>> I think this is okay because we want to use KSK instantly, but just to be sure, is Publish->Activate okay?
>> + bind_times['idnsSecKeyActivate'] = ods_times['idnsSecKeyPublish']
>>
>> Just to be sure, how will this be handled during KSK key rotation?
>
> We have to copy semantics from OpenDNSSEC. Please see design page https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/OpenDNSSEC2BINDKeyStates , it describes in detail why I did it this way.
>
>> *) DNSSEC: Make sure that current key state in LDAP matches key state in BIND
>> LGTM
>>
>> *) DNSSEC: remove obsolete TODO note
>> ACK
>>
>> *) DNSSEC: add debug mode to ldapkeydb.py
>> A) You can remove __str__ method, python will use __repr__ as default
>
> Done.
>
>> B) for attr in ['ipaPrivateKey', 'ipaPublicKey', 'ipk11publickeyinfo']:
>> Do we need to sanitize *public*Key and publicKeyinfo?
>
> Yes, we need it. The output with any of ['ipaPrivateKey', 'ipaPublicKey', 'ipk11publickeyinfo'] is a huge blob and printing it does not help readability. Purpose of the patch is to make it easy to read and debug so printing useless blobs would go directly against the purpose :-)
>
>> C) in odsmgr.py is used ipa_log_manager, can we use the same for consistency?
>
> Fixed, thanks.
>
>> D) Do we need logging there, everything is printed via print except debug info about connecting, can you just redirect it to stderr, and usable data leave in stdout?
>
> Yes, we need it because it eases debugging. print() prints useful information to stdout. 'Garbage' about connecting to LDAP, IPA framework initialization and so on goes via logger to stderr, so it can be easily separated from useful information using redirection in BASH.
>
> I've added a comment right below if __name__ == '__main__': to make it clear why we do not use logger in there.
>
>> *) DNSSEC: logging improvements in ldapkeydb.py
>> IMO commit message should be: ".... in ipa-ods-exporter"
>>
>> Otherwise LGTM
>
> Fixed, thanks.
>
>> *) DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
>>
>> A) coding style: please use (), instead of "\"
>> assert set(pubkeys_local) == set(privkeys_local), (
>>     "IDs of private and public keys for DNS zones in local HSM does "
>>     "not match to key pairs: %s vs. %s" %
>>     (hex_set(pubkeys_local), hex_set(privkeys_local))
>> )
>
> Fixed.
>
>> B) coding style
>> assert not matched_already, (
>>     "key %s is in more than one keyset" % hexlify(keyid)
>> )
>
> Not relevant anymore, see below.
>
>> C) schedule_key_deletion()
>> how about the case when keyid is not in any keyset, then keyid will not be replaced by object and it blows up somewhere else
>
> Not relevant anymore, see below.
>
>> D) +class KeyDeleter(object):
>> I would like to have a check there which blows up nicely if _update_key() is called twice on the same object. With current implementation you will get NoneType has no delete_entry method.
>
> Not relevant anymore, see below.
>
>> E) I somehow do not like the placeholder object. Could we just extend Key object with attribute "to_be_deleted" or something similar, and if this attribute is set to True, Key._update_key() can remove, instead of creating a new object.
>> Key.prepare_deletion() can set the value "to_be_deleted" to True.
>
> Main purpose of the KeyDeleter object was to be incompatible with the Key object. I want to be 100 % sure that it is not possible to call schedule_delete() and subsequently modify the Key object.
>
> I've reworked the Key object so it has schedule_deletion() method and that all other methods call __assert_not_deleted() to make sure that the object was not deleted.
>
> Is it better?
>
>> *) DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
>> How often is keysyncer initialized? Might it happen that one of dnssec_zones has been disabled and keysyncer is not aware of this change?
>
> KeySyncer is SyncReplConsumer, so it gets a constant stream of updates from LDAP. IMHO the answer is no, it cannot miss the update.
>
>> You may want to use DNSName from ipapython.dnsutil instead of pure dns.name
>
> Other places in daemons are using dns.name too, so I will keep it that way. For this particular case there would be no advantage anyway.
>
>> *) DNSSEC: ipa-ods-exporter: add ldap-cleanup command
>> LGTM
>
> Old and new version of patches can be found on Github:
> * old: https://github.com/pspacek/freeipa/tree/dnssec_fixes
> * new: https://github.com/pspacek/freeipa/tree/dnssec_fixes2
>
> Fixed patches (+1 new) are attached.

It works for me, except one case (I will try to reproduce it).

Keys were rotated on master and the new KSK had not been marked as ds-seen. When I installed a replica, dig +dnssec did not show any RRSIG records (ipa-dnskeysyncd showed that keys were there). After I marked the KSK key as ds-seen on master, the replica started to sign DNS records.

ZSK key rotation works on master and replica just fine.

Just note, the previous KSK was still in active state when the replica did not sign records.

From mbasti at redhat.com Wed Jan 6 18:08:35 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 6 Jan 2016 19:08:35 +0100
Subject: [Freeipa-devel] [PATCH 0398] Allow to use mixed case for sysrestore
Message-ID: <568D5823.40200@redhat.com>

https://fedorahosted.org/freeipa/ticket/5574

Patch attached.

Attachment (text/x-patch): freeipa-mbasti-0398-Allow-to-used-mixed-case-for-sysrestore.patch (2767 bytes)

From mbasti at redhat.com Wed Jan 6 19:22:53 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 6 Jan 2016 20:22:53 +0100
Subject: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration
Message-ID: <568D698D.3040004@redhat.com>

https://fedorahosted.org/freeipa/ticket/5507

Patch attached.

Is the proposed workaround in the ticket enough, or should I also prepare an update that will fix missing maps?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0399-Upgrade-Fix-upgrade-of-NIS-Server-configuration.patch
Type: text/x-patch
Size: 14169 bytes
Desc: not available
URL:

From mbasti at redhat.com Wed Jan 6 19:32:41 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 6 Jan 2016 20:32:41 +0100
Subject: [Freeipa-devel] [PATCH 0400] update_uniqueness plugin: fix possible referenced before assignment error
Message-ID: <568D6BD9.8080004@redhat.com>

Variable 'update' might be undefined if a plugin configuration cannot be migrated to the new format.

Patch attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0400-update_uniqueness-plugin-fix-referenced-before-assig.patch
Type: text/x-patch
Size: 1184 bytes
Desc: not available
URL:

From mbasti at redhat.com Wed Jan 6 19:37:23 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 6 Jan 2016 20:37:23 +0100
Subject: [Freeipa-devel] [PATCH 027] Require Dogtag 10.2.6-13 to fix KRA uninstall
In-Reply-To: <568CEA9E.5090106@redhat.com>
References: <568BA7FB.8040300@redhat.com> <20160105124919.GE6431@mail.corp.redhat.com> <568CEA9E.5090106@redhat.com>
Message-ID: <568D6CF3.1090407@redhat.com>

On 06.01.2016 11:21, Martin Babinsky wrote:
> On 01/05/2016 01:49 PM, Lukas Slebodnik wrote:
>> On (05/01/16 12:24), Christian Heimes wrote:
>>> The combination of a bug in Dogtag's sslget command and a new feature
>>> in mod_nss causes an incomplete uninstallation of KRA. The bug has been
>>> fixed in Dogtag 10.2.6-13.
>>>
>> and it is in fedora 23 stable for a week
>> https://bodhi.fedoraproject.org/updates/FEDORA-2015-c7dd78ac78
>>
>> LS
>>
>>> https://fedorahosted.org/freeipa/ticket/5469
>>> https://fedorahosted.org/pki/ticket/1704
>>>
>>> Signed-off-by: Christian Heimes
>>
>
> ipa-kra-install can be uninstalled and XMLRPC tests are also happy.
>
> ACK.
>

Pushed to:
master: 6ac3553dde63f7d2dfab5f0118ca833b049f734b
ipa-4-3: be18b70fe2b3b08fc4bd8ea1f5058128125d1f76

From jcholast at redhat.com Thu Jan 7 06:37:48 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 7 Jan 2016 07:37:48 +0100
Subject: [Freeipa-devel] [PATCH 027] Require Dogtag 10.2.6-13 to fix KRA uninstall
In-Reply-To: <568D6CF3.1090407@redhat.com>
References: <568BA7FB.8040300@redhat.com> <20160105124919.GE6431@mail.corp.redhat.com> <568CEA9E.5090106@redhat.com> <568D6CF3.1090407@redhat.com>
Message-ID: <568E07BC.9030701@redhat.com>

On 6.1.2016 20:37, Martin Basti wrote:
>
>
> On 06.01.2016 11:21, Martin Babinsky wrote:
>> On 01/05/2016 01:49 PM, Lukas Slebodnik wrote:
>>> On (05/01/16 12:24), Christian Heimes wrote:
>>>> The combination of a bug in Dogtag's sslget command and a new feature
>>>> in mod_nss causes an incomplete uninstallation of KRA. The bug has been
>>>> fixed in Dogtag 10.2.6-13.
>>>>
>>> and it is in fedora 23 stable for a week
>>> https://bodhi.fedoraproject.org/updates/FEDORA-2015-c7dd78ac78
>>>
>>> LS
>>>
>>>> https://fedorahosted.org/freeipa/ticket/5469
>>>> https://fedorahosted.org/pki/ticket/1704
>>>>
>>>> Signed-off-by: Christian Heimes
>>>
>>
>> ipa-kra-install can be uninstalled and XMLRPC tests are also happy.
>>
>> ACK.
>>
> Pushed to:
> master: 6ac3553dde63f7d2dfab5f0118ca833b049f734b
> ipa-4-3: be18b70fe2b3b08fc4bd8ea1f5058128125d1f76
>

This is supposed to go into 4.2.4 as well, as per the last ticket triage (the ticket was not updated yet).

-- 
Jan Cholasta

From jcholast at redhat.com Thu Jan 7 06:56:15 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 7 Jan 2016 07:56:15 +0100
Subject: [Freeipa-devel] [PATCH] 0048 Decode HTTP reason phrase as iso-8859-1
In-Reply-To: <20160106042631.GJ31821@dhcp-40-8.bne.redhat.com>
References: <20160106042631.GJ31821@dhcp-40-8.bne.redhat.com>
Message-ID: <568E0C0F.9060401@redhat.com>

Hi,

On 6.1.2016 05:26, Fraser Tweedale wrote:
> Happy new year, all.
>
> The attached patch fixes a unicode decode error triggered in some
> locales, which causes failure of installation (and probably other
> operations, if locale is changed under an existing server).
>
> https://fedorahosted.org/freeipa/ticket/5578

It seems like this fixes only part of the issue - the installer won't crash anymore. But what happens if the reason phrase uses characters which are not in iso-8859-1 (e.g. "?", a character commonly used in Czech)? Shouldn't we always specify the encoding in requests, so that Dogtag does not have to guess?

Honza

-- 
Jan Cholasta

From ofayans at redhat.com Thu Jan 7 07:53:10 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Thu, 7 Jan 2016 08:53:10 +0100
Subject: [Freeipa-devel] [PATCH 0018] Fixed install_ca and install_kra failures at domain level 0
In-Reply-To: <568D1F68.5060505@redhat.com>
References: <566AF99A.4060604@redhat.com> <566B00CE.4040408@redhat.com> <566EBF53.3030608@redhat.com> <568CF0CC.1020605@redhat.com> <568D1F68.5060505@redhat.com>
Message-ID: <568E1966.8080604@redhat.com>

On 01/06/2016 03:06 PM, Martin Basti wrote:
> I cannot apply your patch on master branch, missing blobs, can you
> rebase please?

Done

>
> On 06.01.2016 11:47, Oleg Fayans wrote:
>> Any chance this patch can be merged this week?
>>
>> On 12/14/2015 02:08 PM, Oleg Fayans wrote:
>>> Hi Martin,
>>>
>>> On 12/11/2015 05:58 PM, Martin Basti wrote:
>>>>
>>>> On 11.12.2015 17:28, Oleg Fayans wrote:
>>>>> + myre = re.compile(".*Backed up to (?P.*?)\n.*")
>>>> IMO this regexp is not good.
>>>>
>>>> 1)
>>>> please name it better than "myre"
>>> Done
>>>
>>>> 2)
>>>> initial '.*' is not needed because regexp does not start with '^' and
>>>> you use search() later
>>>>
>>>> 3)
>>>>
>>>> trailing '.*' is not needed as well, because it does not end with '$'
>>>>
>>>> 4)
>>>> You can use re.MULTILINE that will parse string per lines
>>>>
>>>> path_re = re.compile("^Backed up to (?P.*)$", re.MULTILINE)
>>> Used it, thanks!
>>>
>>>> 5)
>>>> + matched = myre.search(result.stdout_text + result.stderr_text)
>>>> Why do you need search in both stderr and stdout?
>>> Because of this bug: https://fedorahosted.org/freeipa/ticket/5484
>>>
>>>> Martin^2
>>>>
>>>>
>>>
>>>
>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0018.2-Fixed-install_ca-and-install_kra-domainlevel-0.patch
Type: text/x-patch
Size: 2568 bytes
Desc: not available
URL:

From mkubik at redhat.com Thu Jan 7 08:26:00 2016
From: mkubik at redhat.com (Milan Kubík)
Date: Thu, 7 Jan 2016 09:26:00 +0100
Subject: [Freeipa-devel] [patch 0028] ipatests: Fix configuration problems in dns tests
Message-ID: <568E2118.5060108@redhat.com>

Fixes problems in tests uncovered by dns check introduced in ipa 4.3

-- 
Milan Kubik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkubik-0028-ipatests-Fix-configuration-problems-in-dns-tests.patch
Type: text/x-patch
Size: 1496 bytes
Desc: not available
URL:

From ofayans at redhat.com Thu Jan 7 08:31:48 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Thu, 7 Jan 2016 09:31:48 +0100
Subject: [Freeipa-devel] [patch 0028] ipatests: Fix configuration problems in dns tests
In-Reply-To: <568E2118.5060108@redhat.com>
References: <568E2118.5060108@redhat.com>
Message-ID: <568E2274.7020407@redhat.com>

Hi Milan,

As we are eventually going to move to python3, I would make the code python3-compatible:

1. from __future__ import unicode_literals
2. get rid of all u's in front of the strings

On the other hand, we can make a separate commit with only py3-related changes.

On 01/07/2016 09:26 AM, Milan Kubík wrote:
> Fixes problems in tests uncovered by dns check introduced in ipa 4.3
>
>
>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From mbabinsk at redhat.com Thu Jan 7 08:31:57 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 7 Jan 2016 09:31:57 +0100
Subject: [Freeipa-devel] [PATCH 0120] prevent crash of CA-less server upgrade due to absent certmonger
In-Reply-To: <568BD815.2030000@redhat.com>
References: <568BD815.2030000@redhat.com>
Message-ID: <568E227D.4030409@redhat.com>

On 01/05/2016 03:49 PM, Martin Babinsky wrote:
> fixes https://fedorahosted.org/freeipa/ticket/5519
>
>
>

Bump for review.

-- 
Martin^3 Babinsky

From mkubik at redhat.com Thu Jan 7 08:36:30 2016
From: mkubik at redhat.com (Milan Kubík)
Date: Thu, 7 Jan 2016 09:36:30 +0100
Subject: [Freeipa-devel] [patch 0029, 0030] fixes for install tasks in integration tests
Message-ID: <568E238E.8010809@redhat.com>

0029: Add 10.in-addr.arpa. zone to ipa
0030: If the IP addresses in the topology are resolvable, do not add them to master.

-- 
Milan Kubik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkubik-0029-ipatests-add-10.in-addr.arpa.-to-master-if-it-does-n.patch
Type: text/x-patch
Size: 1309 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkubik-0030-ipatests-Make-the-A-record-for-hosts-in-topology-con.patch
Type: text/x-patch
Size: 1738 bytes
Desc: not available
URL:

From mbabinsk at redhat.com Thu Jan 7 08:39:07 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 7 Jan 2016 09:39:07 +0100
Subject: [Freeipa-devel] [PATCH 0400] update_uniqueness plugin: fix possible referenced before assignment error
In-Reply-To: <568D6BD9.8080004@redhat.com>
References: <568D6BD9.8080004@redhat.com>
Message-ID: <568E242B.5040204@redhat.com>

On 01/06/2016 08:32 PM, Martin Basti wrote:
> Variable 'update' might be undefined if a plugin configuration cannot be
> migrated to new format.
>
> Patch attached.
>
>

ACK

-- 
Martin^3 Babinsky

From jcholast at redhat.com Thu Jan 7 08:50:39 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 7 Jan 2016 09:50:39 +0100
Subject: [Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python
Message-ID: <568E26DF.6090507@redhat.com>

Hi,

the attached patch ports the _ipap11helper module to python-cffi.

Combined with my patch 536 [1], this makes ipapython architecture independent.

Honza

[1] https://www.redhat.com/archives/freeipa-devel/2016-January/msg00011.html

-- 
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-537-ipapython-port-p11helper-C-code-to-Python.patch
Type: text/x-patch
Size: 163217 bytes
Desc: not available
URL:

From ofayans at redhat.com Thu Jan 7 09:03:13 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Thu, 7 Jan 2016 10:03:13 +0100
Subject: [Freeipa-devel] [patch 0029, 0030] fixes for install tasks in integration tests
In-Reply-To: <568E238E.8010809@redhat.com>
References: <568E238E.8010809@redhat.com>
Message-ID: <568E29D1.3010907@redhat.com>

Hi Milan,

There is already a more generic method in tasks.py, that does the same: prepare_reverse_zone
You can just call it from apply_common_fixes. That way, it will work not only in 10.0.0.0/16 networks.

On 01/07/2016 09:36 AM, Milan Kubík wrote:
> 0029: Add 10.in-addr.arpa. zone to ipa
> 0030: If the IP addresses in the topology are resolvable, do not add
> them to master.
>
>
>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From mbasti at redhat.com Thu Jan 7 09:12:04 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 7 Jan 2016 10:12:04 +0100
Subject: [Freeipa-devel] [patch 0029, 0030] fixes for install tasks in integration tests
In-Reply-To: <568E29D1.3010907@redhat.com>
References: <568E238E.8010809@redhat.com> <568E29D1.3010907@redhat.com>
Message-ID: <568E2BE4.2000108@redhat.com>

On 07.01.2016 10:03, Oleg Fayans wrote:
> Hi Milan,
>
> There is already a more generic method in tasks.py, that does the same:
> prepare_reverse_zone
> You can just call it from apply_common_fixes. That way, it will work not
> only in 10.0.0.0/16 networks.
>
> On 01/07/2016 09:36 AM, Milan Kubík wrote:
>> 0029: Add 10.in-addr.arpa. zone to ipa
>> 0030: If the IP addresses in the topology are resolvable, do not add
>> them to master.
>>
>>
>>

How about other private subnets? What if I run test under 172.16.1.0/24 range, or 192.168.1.0/24?

From mkubik at redhat.com Thu Jan 7 09:21:03 2016
From: mkubik at redhat.com (Milan Kubík)
Date: Thu, 7 Jan 2016 10:21:03 +0100
Subject: [Freeipa-devel] [patch 0029, 0030] fixes for install tasks in integration tests
In-Reply-To: <568E2BE4.2000108@redhat.com>
References: <568E238E.8010809@redhat.com> <568E29D1.3010907@redhat.com> <568E2BE4.2000108@redhat.com>
Message-ID: <568E2DFF.4010209@redhat.com>

On 01/07/2016 10:12 AM, Martin Basti wrote:
>
>
> On 07.01.2016 10:03, Oleg Fayans wrote:
>> Hi Milan,
>>
>> There is already a more generic method in tasks.py, that does the same:
>> prepare_reverse_zone
>> You can just call it from apply_common_fixes. That way, it will work not
>> only in 10.0.0.0/16 networks.
>>

I'll use this one then.

>> On 01/07/2016 09:36 AM, Milan Kubík wrote:
>>> 0029: Add 10.in-addr.arpa. zone to ipa
>>> 0030: If the IP addresses in the topology are resolvable, do not add
>>> them to master.
>>>
>>>
>>>
> How about other private subnets? What if I run test under
> 172.16.1.0/24 range, or 192.168.1.0/24?
>

Good point. Would introducing a new option into config be a good idea?

-- 
Milan Kubik

From mkubik at redhat.com Thu Jan 7 09:23:42 2016
From: mkubik at redhat.com (Milan Kubík)
Date: Thu, 7 Jan 2016 10:23:42 +0100
Subject: [Freeipa-devel] [patch 0028] ipatests: Fix configuration problems in dns tests
In-Reply-To: <568E2274.7020407@redhat.com>
References: <568E2118.5060108@redhat.com> <568E2274.7020407@redhat.com>
Message-ID: <568E2E9E.7080300@redhat.com>

On 01/07/2016 09:31 AM, Oleg Fayans wrote:
> Hi Milan,
>
> As we are eventually going to move to python3, I would make the code
> python3-compatible:
>
> 1. from __future__ import unicode_literals
> 2. get rid of all u's in front of the strings
>
> On the other hand, we can make a separate commit with only py3-related
> changes.
>
> On 01/07/2016 09:26 AM, Milan Kubík wrote:
>> Fixes problems in tests uncovered by dns check introduced in ipa 4.3
>>
>>
>>

I don't think this patch is the right one to do this. I'd rather convert the whole module in a separate patch.

-- 
Milan Kubik

From mbasti at redhat.com Thu Jan 7 09:33:16 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 7 Jan 2016 10:33:16 +0100
Subject: [Freeipa-devel] [patch 0029, 0030] fixes for install tasks in integration tests
In-Reply-To: <568E2DFF.4010209@redhat.com>
References: <568E238E.8010809@redhat.com> <568E29D1.3010907@redhat.com> <568E2BE4.2000108@redhat.com> <568E2DFF.4010209@redhat.com>
Message-ID: <568E30DC.8020101@redhat.com>

On 07.01.2016 10:21, Milan Kubík wrote:
> On 01/07/2016 10:12 AM, Martin Basti wrote:
>>
>>
>> On 07.01.2016 10:03, Oleg Fayans wrote:
>>> Hi Milan,
>>>
>>> There is already a more generic method in tasks.py, that does the same:
>>> prepare_reverse_zone
>>> You can just call it from apply_common_fixes. That way, it will work
>>> not only in 10.0.0.0/16 networks.
>>>
> I'll use this one then.
>>> On 01/07/2016 09:36 AM, Milan Kubík wrote:
>>>> 0029: Add 10.in-addr.arpa. zone to ipa
>>>> 0030: If the IP addresses in the topology are resolvable, do not add
>>>> them to master.
>>>>
>>>>
>>>>
>> How about other private subnets? What if I run test under
>> 172.16.1.0/24 range, or 192.168.1.0/24?
>>
> Good point. Would introducing a new option into config be a good idea?
>

Or you can detect which forward zone should be added from IP address :)

From mbasti at redhat.com Thu Jan 7 09:37:50 2016
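Martin's closing suggestion, deriving the reverse zone from the host's address instead of hard-coding 10.in-addr.arpa., as an added illustration that is not code from patches 0029/0030 or from ipatests' prepare_reverse_zone. It goes beyond the /8 and /24 cases named in the thread (rounding a /12 up to a /16-sized zone, ip6.arpa for IPv6), and the topology is constructed.

```python
import ipaddress


def reverse_zone_for(address, prefixlen):
    """Name of the reverse zone that must exist for `address` inside a
    `prefixlen`-bit network, with the trailing dot.

    A reverse zone boundary can only fall on a whole label (8 bits for
    in-addr.arpa, 4 bits for ip6.arpa), so the prefix is rounded UP to the
    next label boundary: a host in 172.16.0.0/12 lands in 16.172.in-addr.arpa.
    (classless RFC 2317 delegation is deliberately not attempted).
    """
    net = ipaddress.ip_network('%s/%d' % (address, prefixlen), strict=False)
    if net.version == 4:
        bits_per_label = 8
        labels = str(net.network_address).split('.')
        suffix = 'in-addr.arpa.'
    else:
        bits_per_label = 4
        labels = list(net.network_address.exploded.replace(':', ''))
        suffix = 'ip6.arpa.'
    keep = -(-prefixlen // bits_per_label)      # ceiling division
    return '.'.join(reversed(labels[:keep])) + '.' + suffix


def ptr_name(address):
    """Absolute owner name of the PTR record for `address`."""
    return ipaddress.ip_address(address).reverse_pointer + '.'


def zones_for_topology(hosts):
    """Distinct reverse zones needed so that every host in `hosts`
    (an iterable of (address, prefixlen) pairs) has a zone for its PTR.
    Each zone appears once no matter how many hosts share it."""
    return sorted({reverse_zone_for(addr, plen) for addr, plen in hosts})


if __name__ == '__main__':
    # Constructed topology spanning the three private ranges from the thread.
    topology = [('10.5.6.7', 8), ('172.16.1.10', 12),
                ('192.168.1.20', 24), ('192.168.1.21', 24)]
    for zone in zones_for_topology(topology):
        print('need zone:', zone)
    for addr, plen in topology:
        # sanity check: the PTR name must lie inside the zone we would add
        assert ptr_name(addr).endswith('.' + reverse_zone_for(addr, plen))
        print(ptr_name(addr), '->', reverse_zone_for(addr, plen))
```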
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 7 Jan 2016 10:37:50 +0100
Subject: [Freeipa-devel] [patch 0028] ipatests: Fix configuration problems in dns tests
In-Reply-To: <568E2E9E.7080300@redhat.com>
References: <568E2118.5060108@redhat.com> <568E2274.7020407@redhat.com> <568E2E9E.7080300@redhat.com>
Message-ID: <568E31EE.20405@redhat.com>

On 07.01.2016 10:23, Milan Kubík wrote:
> On 01/07/2016 09:31 AM, Oleg Fayans wrote:
>> Hi Milan,
>>
>> As we are eventually going to move to python3, I would make the code
>> python3-compatible:
>>
>> 1. from __future__ import unicode_literals
>> 2. get rid of all u's in front of the strings
>>
>> On the other hand, we can make a separate commit with only py3-related
>> changes.
>>
>> On 01/07/2016 09:26 AM, Milan Kubík wrote:
>>> Fixes problems in tests uncovered by dns check introduced in ipa 4.3
>>>
>>>
>>>
> I don't think this patch is the right one to do this. I'd rather
> convert the whole module in a separate patch.
>

Python 3.3+ supports 'u' literals again
https://docs.python.org/3.3/whatsnew/3.3.html

From ftweedal at redhat.com Thu Jan 7 10:00:51 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 7 Jan 2016 20:00:51 +1000
Subject: [Freeipa-devel] [PATCH] 0048 Decode HTTP reason phrase as iso-8859-1
In-Reply-To: <568E0C0F.9060401@redhat.com>
References: <20160106042631.GJ31821@dhcp-40-8.bne.redhat.com> <568E0C0F.9060401@redhat.com>
Message-ID: <20160107100051.GS31821@dhcp-40-8.bne.redhat.com>

On Thu, Jan 07, 2016 at 07:56:15AM +0100, Jan Cholasta wrote:
> Hi,
> 
> On 6.1.2016 05:26, Fraser Tweedale wrote:
> >Happy new year, all.
> >
> >The attached patch fixes a unicode decode error triggered in some
> >locales, which causes failure of installation (and probably other
> >operations, if locale is changed under an existing server).
> >
> >https://fedorahosted.org/freeipa/ticket/5578
> 
> It seems like this fixes only part of the issue - the installer won't crash
> anymore. But what happens if the reason phrase uses characters which are not
> in iso-8859-1 (e.g. "?", a character commonly used in Czech)? Shouldn't we
> always specify the encoding in requests, so that Dogtag does not have to
> guess?
> 
In this case it will not throw an exception, but it will decode nonsense.

However, in my investigation just now of how Tomcat decides what to send in the reason phrase, it turns out that in future releases they will not send a reason phrase[1] at all!

[1] https://github.com/apache/tomcat/commit/707ab1c77f3bc189e1c3f29b641506db4c8bce37

(Nice to know about this in advance - I will not be surprised if some clients break)

I'll cut a new patch tomorrow that just ignores the reason phrase rather than trying to decode and log it. All the info is in the status code, after all.

Thanks for reviewing,
Fraser

> Honza
> 
> -- 
> Jan Cholasta

From pviktori at redhat.com Thu Jan 7 10:17:29 2016
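The two outcomes Fraser contrasts above, shown side by side as an added example that is not the patch's code: a strict decode of a non-ASCII reason phrase raises, the patch's ISO-8859-1 decode never raises but turns a UTF-8 phrase into nonsense, and the status-code-only approach he settles on needs no decode at all. The Czech phrase is constructed, and the ASCII codec merely stands in for whatever codec originally crashed, which the thread does not name.

```python
import http.client

# Constructed example: a Czech reason phrase ("Bad Request") as a server
# running under a cs_CZ locale might send it, encoded as UTF-8. 'ý' (U+00FD)
# is inside ISO-8859-1, 'ž' (U+017E) is not.
REASON_UTF8 = 'Neplatný požadavek'.encode('utf-8')


def parse_status_line(raw):
    """Split an HTTP/1.x status line (bytes, CRLF already stripped) into
    (version, status_code, reason_bytes).

    The reason phrase is optional: "HTTP/1.1 400" and "HTTP/1.1 400 " (what
    future Tomcat releases send, per the thread) both yield b''.
    """
    parts = raw.split(b' ', 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError('malformed status line: %r' % raw)
    reason = parts[2] if len(parts) == 3 else b''
    return parts[0], int(parts[1]), reason


def reason_strict(reason):
    """Strict ASCII decode: any non-ASCII byte raises UnicodeDecodeError,
    the class of crash the ticket describes (assumed codec, see lead-in)."""
    return reason.decode('ascii')


def strict_decode_raises(reason):
    """True if reason_strict() would blow up on this phrase."""
    try:
        reason_strict(reason)
    except UnicodeDecodeError:
        return True
    return False


def reason_latin1(reason):
    """ISO-8859-1 decode as in the patch under review. Latin-1 maps every
    byte to a code point, so this never raises; but each byte of a UTF-8
    multibyte character becomes its own (wrong) character: mojibake."""
    return reason.decode('iso-8859-1')


def status_message(raw):
    """Fraser's eventual approach: ignore the phrase on the wire entirely and
    describe the response from the numeric status code, which is always
    plain ASCII and is what the client logic keys on anyway."""
    _version, code, _reason = parse_status_line(raw)
    return code, http.client.responses.get(code, 'Unknown status %d' % code)


if __name__ == '__main__':
    line = b'HTTP/1.1 400 ' + REASON_UTF8
    _, code, reason = parse_status_line(line)
    print('strict decode raises:', strict_decode_raises(reason))   # True
    print('latin-1 decode gives:', reason_latin1(reason))          # mojibake
    print('status code only:', status_message(line))
```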
From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 7 Jan 2016 11:17:29 +0100
Subject: [Freeipa-devel] [PATCHES] 0753-0759
In-Reply-To: <568D291D.5020709@redhat.com>
References: <568D2494.9080602@redhat.com> <568D291D.5020709@redhat.com>
Message-ID: <568E3B39.1090309@redhat.com>

On 01/06/2016 03:47 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> Hello,
>>
>> Patches 0753-0757 fix remaining warnings from `pylint --py3k`, except
>> "no-absolute-import" (which seems redundant to me) and the ones in
>> contrib/RHEL4.
>>
>> As for contrib/RHEL4, I found a mail [0] from 2013 saying it hasn't been
>> used for a long time and probably doesn't work. Since then it's for
>> example been changed to use ipapython.dn, which I'd bet no one checks
>> for Python 2.5 compatibility. Since this seems to be untested and
>> non-working code, I'm sending a patch to remove it. But if that's not
>> wanted tell me, and I'll skip pylint --py3k checks there instead.
>>
>> The last patch adds py3k lint check to make-lint. It's a bit
>> cumbersome, since pylint doesn't allow running regular checkers and the
>> py3k ones at the same time, but it allows you to run the check. As for
>> whether to enable --py3k by default, or run it on every package build,
>> I'd like to defer the decision to core devs. (Is CI good enough nowadays
>> to only run it there?)
>>
>>
>> [0] https://www.redhat.com/archives/freeipa-users/2013-July/msg00055.html
>>
>>
>>
>
> My only nit would be to remove contrib/RHEL4 as being deprecated rather
> than lack of testing against some old version. It just configures ldap
> and Kerberos via authconfig so unless the discovery failed it would
> likely still work fairly well, but clearly it isn't being maintained so
> I'd remove it for that reason for historical purposes.

It uses ipapython (ipapython.dn and the log manager, specifically), which don't maintain compatibility with old Python versions.
I don't have old Python versions around to check empirically, but a quick look at ipapython.dn says it won't import on anything lower than 2.6 nowadays.

-- 
Petr Viktorin

From pspacek at redhat.com Thu Jan 7 10:25:12 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 7 Jan 2016 11:25:12 +0100
Subject: [Freeipa-devel] [PATCH 0082] Fix --auto-reverse option in --unattended mode
Message-ID: <568E3D08.6020206@redhat.com>

Hello,

Fix --auto-reverse option in --unattended mode.

Oleg, this should fix your particular environment. Unfortunately it is not a complete fix for https://fedorahosted.org/freeipa/ticket/5559 , stay tuned - I will send other patches related to this.

-- 
Petr^2 Spacek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0082-Fix-auto-reverse-option-in-unattended-mode.patch
Type: text/x-patch
Size: 1332 bytes
Desc: not available
URL:

From mbasti at redhat.com Thu Jan 7 11:19:20 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 7 Jan 2016 12:19:20 +0100
Subject: [Freeipa-devel] [PATCH 0072-0081] DNSSEC: fixes
In-Reply-To: <568D539A.6030107@redhat.com>
References: <56780DBA.60703@redhat.com> <56781085.4070106@redhat.com> <56783D51.3070005@redhat.com> <567950DB.7050708@redhat.com> <568D539A.6030107@redhat.com>
Message-ID: <568E49B8.4040700@redhat.com>

On 06.01.2016 18:49, Martin Basti wrote:
>
>
> On 22.12.2015 14:32, Petr Spacek wrote:
>> On 21.12.2015 18:56, Martin Basti wrote:
>>>
>>> On 21.12.2015 15:45, Martin Basti wrote:
>>>>
>>>> On 21.12.2015 15:33, Petr Spacek wrote:
>>>>> Hello,
>>>>>
>>>>> this patch set fixes key rotation in DNSSEC.
>>>>>
>>>>> You can use attached template files for OpenDNSSEC config to shorten time
>>>>> intervals between key rotations.
>>>>>
>>>>> Please let me know if you have any questions, I'm all ears!
>>>>>
>>>> Please fix whitespace error:
>>>>
>>>> Applying: DNSSEC: logging improvements in ldapkeydb.py
>>>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:14: trailing whitespace.
>>>>
>>>> warning: 1 line adds whitespace errors.
>>>>
>>> *) DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
>>>
>>> Is it safe to not use try - except with ipautil.run()? What if ods-signer
>>> command failed?
>> That is intentional. The call should never fail, so if it fails there is no
>> way how to recover cleanly except restarting the daemon.
>>
>> The unhandled exception will kill the daemon and systemd will restart it later on.
>>
>>
>>> *) DNSSEC: Improve error reporting from ipa-ods-exporter
>>> IMO log.exception(ex) is enough, do we need to add traceback to msg?
>> msg is sent over socket to another process (see send_systemd_reply(conn, msg)
>> call in finally: block). Without this the remote party would not receive the
>> error information.
>>
>>
>>> *) DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
>>> I think this is okay because we want to use KSK instantly, but just to be
>>> sure, is Publish->Activate okay?
>>> + bind_times['idnsSecKeyActivate'] = ods_times['idnsSecKeyPublish']
>>>
>>> Just to be sure how this will be handled during KSK key rotation?
>> We have to copy semantics from OpenDNSSEC. Please see design page
>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/OpenDNSSEC2BINDKeyStates
>> , it describes in detail why I did it this way.
>>
>>
>>> *) DNSSEC: Make sure that current key state in LDAP matches key state in BIND
>>> LGTM
>>>
>>> *) DNSSEC: remove obsolete TODO note
>>> ACK
>>>
>>> *) DNSSEC: add debug mode to ldapkeydb.py
>>> A)
>>> You can remove __str__ method, python will use __repr__ as default
>> Done.
>>
>>
>>> B)
>>> for attr in ['ipaPrivateKey', 'ipaPublicKey', 'ipk11publickeyinfo']:
>>> Do we need to sanitize *public*Key and publicKeyinfo?
>> Yes, we need it. The output with any of ['ipaPrivateKey', 'ipaPublicKey',
>> 'ipk11publickeyinfo'] is a huge blob and printing it does not help readability.
>> Purpose of the patch is to make it easy to read and debug so printing useless
>> blobs would go directly against the purpose :-)
>>
>>
>>> C)
>>> in odsmgr.py is used ipa_log_manager, can we use the same for consistency?
>> Fixed, thanks.
>>
>>
>>> D)
>>> Do we need logging there, everything is printed via print except debug info
>>> about connecting, can you just redirect it to stderr, and usable data leave in
>>> stdout?
>> Yes, we need it because it eases debugging. print() prints useful information
>> to stdout. 'Garbage' about connecting to LDAP, IPA framework initialization
>> and so on goes via logger to stderr, so it can be easily separated from useful
>> information using redirection in BASH.
>>
>> I've added a comment right below if __name__ == '__main__': to make it clear
>> why we do not use logger in there.
>>
>>
>>> *) DNSSEC: logging improvements in ldapkeydb.py
>>> IMO commit message should be: ".... in ipa-ods-exporter"
>>>
>>> Otherwise LGTM
>> Fixed, thanks.
>>
>>
>>> *) DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
>>>
>>> A) coding style: please use (), instead of "\"
>>> assert set(pubkeys_local) == set(privkeys_local), (
>>> "IDs of private and public keys for DNS zones in local HSM does "
>>> "not match to key pairs: %s vs. %s" %
>>> (hex_set(pubkeys_local), hex_set(privkeys_local))
>>> )
>> Fixed.
>>
>>
>>> B) coding style
>>> assert not matched_already, (
>>> "key %s is in more than one keyset" % hexlify(keyid)
>>> )
>> Not relevant anymore, see below.
>>
>>
>>> C) schedule_key_deletion()
>>> how about case when keyid is not in any keyset, then keyid will not be
>>> replaced by object and it blows up somewhere else
>> Not relevant anymore, see below.
>>
>>
>>> D) +class KeyDeleter(object):
>>> I would like to have a check there which blows up nicely if _update_key() is
>>> called twice on the same object. With current implementation you will get
>>> NoneType has no delete_entry method.
>> Not relevant anymore, see below.
>>
>>
>>> E)
>>> I somehow do not like the placeholder object. Could we just extend Key
>>> object with attribute "to_be_deleted" or something similar, and if this
>>> attribute is set to True, Key._update_key() can remove, instead of creating a
>>> new object.
>>> Key.prepare_deletion() can set the value "to_be_deleted" to True.
>> Main purpose of the KeyDeleter object was to be incompatible with the Key object. I
>> want to be 100 % sure that it is not possible to call schedule_delete() and
>> subsequently modify the Key object.
>>
>> I've reworked the Key object so it has schedule_deletion() method and that all
>> other methods call __assert_not_deleted() to make sure that the object was not
>> deleted.
>>
>> Is it better?
>>
>>
>>> *) DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
>>> How often is keysyncer initialized? Might happen the case where one of
>>> dnssec_zones has been disabled and keysyncer is not aware of this change?
>> KeySyncer is SyncReplConsumer, so it gets constant stream of updates from
>> LDAP. IMHO the answer is no, it cannot miss the update.
>>
>>
>>> You may want to use DNSName from ipapython.dnsutil instead of pure dns.name
>> Other places in daemons are using dns.name too, so I will keep it that way.
>> For this particular case there would be no advantage anyway.
>>
>>
>>> *) DNSSEC: ipa-ods-exporter: add ldap-cleanup command
>>> LGTM
>> Old and new version of patches can be found on Github:
>> * old: https://github.com/pspacek/freeipa/tree/dnssec_fixes
>> * new: https://github.com/pspacek/freeipa/tree/dnssec_fixes2
>>
>> Fixed patches (+1 new) are attached.
>>
> It works for me, except one case (I will try to reproduce it)
>
> Keys were rotated on master and new KSK had not been marked as ds-seen.
> When I installed replica, dig +dnssec did not show any RRSIG records
> (ipa-dnskeysyncd showed that keys were there).
> After I marked KSK key as ds-seen on master, replica started to sign DNS
> records.
> ZSK key rotation works on master and replica just fine.
>
> Just note, the previous KSK has been still in active state when
> replica did not sign records.
>

ACK

I cannot reproduce it again, it is probably caused by https://fedorahosted.org/freeipa/ticket/5348

From jcholast at redhat.com Thu Jan 7 13:13:16 2016
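The reworked Key object Petr describes in the thread above (schedule_deletion() plus a __assert_not_deleted() check in every other method, and a clean failure when _update_key() runs twice, review point D), sketched as an added example. It is not FreeIPA's ldapkeydb.py code: the in-memory FakeLDAP store, the DNs and the attribute values are constructed for the demo.

```python
class KeyDeleted(RuntimeError):
    """Raised when a Key that is scheduled for deletion is used again."""


class FakeLDAP:
    """Constructed stand-in for the LDAP connection: entries keyed by DN."""

    def __init__(self, entries):
        self.entries = {dn: dict(attrs) for dn, attrs in entries.items()}
        self.log = []   # (operation, dn) pairs, for inspection

    def update_entry(self, dn, changes):
        self.entries[dn].update(changes)   # KeyError if the entry is gone
        self.log.append(('update', dn))

    def delete_entry(self, dn):
        del self.entries[dn]               # KeyError if already deleted
        self.log.append(('delete', dn))


class Key:
    """Cached copy of one key's LDAP entry, written back via _update_key().

    After schedule_deletion() the only permitted operation is a single
    _update_key() call, which removes the entry. Every other method goes
    through __assert_not_deleted() first and raises KeyDeleted, so a key on
    its way out of LDAP can be neither read nor resurrected by mistake.
    """

    def __init__(self, ldap, dn, attrs):
        self._ldap = ldap
        self._dn = dn
        self._attrs = dict(attrs)
        self._dirty = {}          # attributes changed since the last flush
        self._deleted = False     # schedule_deletion() was called
        self._removed = False     # the LDAP entry is actually gone

    def __assert_not_deleted(self):
        if self._deleted:
            raise KeyDeleted('%s is scheduled for deletion' % self._dn)

    def __getitem__(self, name):
        self.__assert_not_deleted()
        return self._attrs[name]

    def __setitem__(self, name, value):
        self.__assert_not_deleted()
        self._attrs[name] = value
        self._dirty[name] = value

    def schedule_deletion(self):
        """Mark the key for removal; the object must not be touched after."""
        self.__assert_not_deleted()
        self._deleted = True

    def _update_key(self):
        """Flush pending changes, or delete the entry when scheduled.

        A second call after the deletion fails with KeyDeleted instead of
        an AttributeError somewhere inside the LDAP layer.
        """
        if not self._deleted:
            if self._dirty:
                self._ldap.update_entry(self._dn, self._dirty)
                self._dirty = {}
            return
        if self._removed:
            raise KeyDeleted('%s was already removed from LDAP' % self._dn)
        self._ldap.delete_entry(self._dn)
        self._removed = True


def raises(exc_type, func, *args):
    """True if func(*args) raises exc_type."""
    try:
        func(*args)
    except exc_type:
        return True
    return False


def retire_key(ldap, dn):
    """Constructed workflow: change one timestamp, flush, then purge the key.
    Returns the LDAP operations performed, in order."""
    key = Key(ldap, dn, ldap.entries[dn])
    key['idnsSecKeyActivate'] = '20160107000000Z'   # constructed value
    key._update_key()
    key.schedule_deletion()
    key._update_key()
    return list(ldap.log)


def guard_behaviour(ldap, dn):
    """Exercise the guard; returns (read rejected, write rejected,
    second flush rejected, entry gone)."""
    key = Key(ldap, dn, ldap.entries[dn])
    key.schedule_deletion()
    read_rejected = raises(KeyDeleted, key.__getitem__, 'ipaPublicKey')
    write_rejected = raises(KeyDeleted, key.__setitem__, 'ipaPublicKey', b'')
    key._update_key()                     # the one legal call: deletes
    twice_rejected = raises(KeyDeleted, key._update_key)
    return read_rejected, write_rejected, twice_rejected, dn not in ldap.entries


if __name__ == '__main__':
    store = FakeLDAP({'cn=demo-key': {'idnsSecKeyActivate': '20160101000000Z'}})
    print(retire_key(store, 'cn=demo-key'))      # [('update', ...), ('delete', ...)]
    store = FakeLDAP({'cn=demo-key': {'ipaPublicKey': b'\x00'}})
    print(guard_behaviour(store, 'cn=demo-key'))  # (True, True, True, True)
```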
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 7 Jan 2016 14:13:16 +0100
Subject: [Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python
In-Reply-To: <568E26DF.6090507@redhat.com>
References: <568E26DF.6090507@redhat.com>
Message-ID: <568E646C.6070003@redhat.com>

On 7.1.2016 09:50, Jan Cholasta wrote:
> Hi,
>
> the attached patch ports the _ipap11helper module to python-cffi.
>
> Combined with my patch 536 [1], this makes ipapython architecture
> independent.

Updated patch attached.

-- 
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-537.1-ipapython-port-p11helper-C-code-to-Python.patch
Type: text/x-patch
Size: 163219 bytes
Desc: not available
URL:

From mbasti at redhat.com Thu Jan 7 13:38:27 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 7 Jan 2016 14:38:27 +0100
Subject: [Freeipa-devel] [PATCH 0072-0081] DNSSEC: fixes
In-Reply-To: <568E49B8.4040700@redhat.com>
References: <56780DBA.60703@redhat.com> <56781085.4070106@redhat.com> <56783D51.3070005@redhat.com> <567950DB.7050708@redhat.com> <568D539A.6030107@redhat.com> <568E49B8.4040700@redhat.com>
Message-ID: <568E6A53.6090202@redhat.com>

On 07.01.2016 12:19, Martin Basti wrote:
>
>
> On 06.01.2016 18:49, Martin Basti wrote:
>>
>>
>> On 22.12.2015 14:32, Petr Spacek wrote:
>>> On 21.12.2015 18:56, Martin Basti wrote:
>>>>
>>>> On 21.12.2015 15:45, Martin Basti wrote:
>>>>>
>>>>> On 21.12.2015 15:33, Petr Spacek wrote:
>>>>>> Hello,
>>>>>>
>>>>>> this patch set fixes key rotation in DNSSEC.
>>>>>>
>>>>>> You can use attached template files for OpenDNSSEC config to shorten time
>>>>>> intervals between key rotations.
>>>>>>
>>>>>> Please let me know if you have any questions, I'm all ears!
>>>>>>
>>>>> Please fix whitespace error:
>>>>>
>>>>> Applying: DNSSEC: logging improvements in ldapkeydb.py
>>>>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:14: trailing whitespace.
>>>>>
>>>>> warning: 1 line adds whitespace errors.
>>>>>
>>>> *) DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
>>>>
>>>> Is it safe to not use try - except with ipautil.run()? What if ods-signer
>>>> command failed?
>>> That is intentional. The call should never fail, so if it fails there is no
>>> way how to recover cleanly except restarting the daemon.
>>>
>>> The unhandled exception will kill the daemon and systemd will restart it later on.
>>>
>>>
>>>> *) DNSSEC: Improve error reporting from ipa-ods-exporter
>>>> IMO log.exception(ex) is enough, do we need to add traceback to msg?
>>> msg is sent over socket to another process (see send_systemd_reply(conn, msg)
>>> call in finally: block). Without this the remote party would not receive the
>>> error information.
>>>
>>>
>>>> *) DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
>>>> I think this is okay because we want to use KSK instantly, but just to be
>>>> sure, is Publish->Activate okay?
>>>> + bind_times['idnsSecKeyActivate'] = ods_times['idnsSecKeyPublish']
>>>>
>>>> Just to be sure how this will be handled during KSK key rotation?
>>> We have to copy semantics from OpenDNSSEC. Please see design page
>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/OpenDNSSEC2BINDKeyStates
>>> , it describes in detail why I did it this way.
>>>
>>>
>>>> *) DNSSEC: Make sure that current key state in LDAP matches key state in BIND
>>>> LGTM
>>>>
>>>> *) DNSSEC: remove obsolete TODO note
>>>> ACK
>>>>
>>>> *) DNSSEC: add debug mode to ldapkeydb.py
>>>> A)
>>>> You can remove __str__ method, python will use __repr__ as default
>>> Done.
>>>
>>>
>>>> B)
>>>> for attr in ['ipaPrivateKey', 'ipaPublicKey', 'ipk11publickeyinfo']:
>>>> Do we need to sanitize *public*Key and publicKeyinfo?
>>> Yes, we need it. The output with any of ['ipaPrivateKey', 'ipaPublicKey',
>>> 'ipk11publickeyinfo'] is a huge blob and printing it does not help readability.
>>> Purpose of the patch is to make it easy to read and debug so printing useless
>>> blobs would go directly against the purpose :-)
>>>
>>>
>>>> C)
>>>> in odsmgr.py is used ipa_log_manager, can we use the same for consistency?
>>> Fixed, thanks.
>>>
>>>
>>>> D)
>>>> Do we need logging there, everything is printed via print except debug info
>>>> about connecting, can you just redirect it to stderr, and usable data leave in
>>>> stdout?
>>> Yes, we need it because it eases debugging. print() prints useful information
>>> to stdout. 'Garbage' about connecting to LDAP, IPA framework initialization
>>> and so on goes via logger to stderr, so it can be easily separated from useful
>>> information using redirection in BASH.
>>>
>>> I've added a comment right below if __name__ == '__main__': to make it clear
>>> why we do not use logger in there.
>>>
>>>
>>>> *) DNSSEC: logging improvements in ldapkeydb.py
>>>> IMO commit message should be: ".... in ipa-ods-exporter"
>>>>
>>>> Otherwise LGTM
>>> Fixed, thanks.
>>>
>>>
>>>> *) DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
>>>>
>>>> A) coding style: please use (), instead of "\"
>>>> assert set(pubkeys_local) == set(privkeys_local), (
>>>> "IDs of private and public keys for DNS zones in local HSM does "
>>>> "not match to key pairs: %s vs. %s" %
>>>> (hex_set(pubkeys_local), hex_set(privkeys_local))
>>>> )
>>> Fixed.
>>>
>>>
>>>> B) coding style
>>>> assert not matched_already, (
>>>> "key %s is in more than one keyset" % hexlify(keyid)
>>>> )
>>> Not relevant anymore, see below.
>>>
>>>
>>>> C) schedule_key_deletion()
>>>> how about case when keyid is not in any keyset, then keyid will not be
>>>> replaced by object and it blows up somewhere else
>>> Not relevant anymore, see below.
>>>
>>>
>>>> D) +class KeyDeleter(object):
>>>> I would like to have a check there which blows up nicely if _update_key() is
>>>> called twice on the same object. With current implementation you will get
>>>> NoneType has no delete_entry method.
>>> Not relevant anymore, see below.
>>>
>>>
>>>> E)
>>>> I somehow do not like the placeholder object. Could we just extend Key
>>>> object with attribute "to_be_deleted" or something similar, and if this
>>>> attribute is set to True, Key._update_key() can remove, instead of creating a
>>>> new object.
>>>> Key.prepare_deletion() can set the value "to_be_deleted" to True.
>>> Main purpose of the KeyDeleter object was to be incompatible with the Key object. I
>>> want to be 100 % sure that it is not possible to call schedule_delete() and
>>> subsequently modify the Key object.
>>>
>>> I've reworked the Key object so it has schedule_deletion() method and that all
>>> other methods call __assert_not_deleted() to make sure that the object was not
>>> deleted.
>>>
>>> Is it better?
>>>
>>>
>>>> *) DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
>>>> How often is keysyncer initialized? Might happen the case where one of
>>>> dnssec_zones has been disabled and keysyncer is not aware of this change?
>>> KeySyncer is SyncReplConsumer, so it gets constant stream of updates from
>>> LDAP. IMHO the answer is no, it cannot miss the update.
>>>
>>>
>>>> You may want to use DNSName from ipapython.dnsutil instead of pure dns.name
>>> Other places in daemons are using dns.name too, so I will keep it that way.
>>> For this particular case there would be no advantage anyway.
>>>
>>>
>>>> *) DNSSEC: ipa-ods-exporter: add ldap-cleanup command
>>>> LGTM
>>> Old and new version of patches can be found on Github:
>>> * old: https://github.com/pspacek/freeipa/tree/dnssec_fixes
>>> * new: https://github.com/pspacek/freeipa/tree/dnssec_fixes2
>>>
>>> Fixed patches (+1 new) are attached.
>>>
>> It works for me, except one case (I will try to reproduce it)
>>
>> Keys were rotated on master and new KSK had not been marked as ds-seen.
>> When I installed replica, dig +dnssec did not show any RRSIG records
>> (ipa-dnskeysyncd showed that keys were there).
>> After I marked KSK key as ds-seen on master, replica started to sign DNS records.
>> ZSK key rotation works on master and replica just fine.
>>
>> Just note, the previous KSK has been still in active state when
>> replica did not sign records.
>> > ACK > > I cannot reproduce it again, it is probably caused by > https://fedorahosted.org/freeipa/ticket/5348 > Pushed to master: ae2462738b47c0f00133ae377854b31ddcb912a2 Pushed to ipa-4-3: 2e85644ab29720b07d766532d3838e08034495d8 ipa-4-2 needs rebase From rcritten at redhat.com Thu Jan 7 14:55:52 2016 
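The deletion guard Petr describes in the thread above (a schedule_deletion() method plus a check in every other method so a key can no longer be modified once it is slated for removal), together with the blob-sanitising debug output from point B, as an added Python example that is not FreeIPA's own code; MemoryStore, KeyDeleted, demo() and all attribute values are constructed stand-ins.

```python
from binascii import hexlify

# Attributes holding large binary blobs; debug output elides their values
# (the attribute list is the one quoted in the review thread).
BLOB_ATTRS = frozenset(['ipaPrivateKey', 'ipaPublicKey', 'ipk11publickeyinfo'])


class KeyDeleted(RuntimeError):
    """Raised when a Key is used after schedule_deletion()."""


def hex_set(ids):
    """Render a collection of binary key IDs as sorted hex strings."""
    return sorted(hexlify(i).decode('ascii') for i in ids)


def check_keypairs(pubkeys_local, privkeys_local):
    """Fail closed if the local HSM holds a public key without its private
    half or vice versa. The review used assert; ValueError survives python -O."""
    if set(pubkeys_local) != set(privkeys_local):
        raise ValueError(
            "IDs of private and public keys for DNS zones in local HSM do "
            "not match to key pairs: %s vs. %s"
            % (hex_set(pubkeys_local), hex_set(privkeys_local)))
    return True


class MemoryStore(object):
    """Constructed stand-in for the LDAP backend (hypothetical API)."""

    def __init__(self):
        self.entries = {}

    def modify_entry(self, keyid, attrs):
        self.entries[keyid] = dict(attrs)

    def delete_entry(self, keyid):
        del self.entries[keyid]


class Key(object):
    """Key metadata that refuses any use once its deletion is scheduled."""

    def __init__(self, keyid, attrs, store):
        self.keyid = keyid
        self._attrs = dict(attrs)
        self._store = store
        self._deleted = False   # schedule_deletion() has been called
        self._flushed = False   # the deletion was already written out

    def __assert_not_deleted(self):
        if self._deleted:
            raise KeyDeleted("key %s is scheduled for deletion"
                             % hexlify(self.keyid).decode('ascii'))

    def __repr__(self):
        # Elide key blobs: keeps the dump readable and keeps key material
        # out of debug logs.
        shown = {}
        for attr, value in sorted(self._attrs.items()):
            shown[attr] = ('<%d bytes>' % len(value)
                           if attr in BLOB_ATTRS else value)
        return 'Key(%s, %r)' % (hexlify(self.keyid).decode('ascii'), shown)

    def __getitem__(self, attr):
        self.__assert_not_deleted()
        return self._attrs[attr]

    def __setitem__(self, attr, value):
        self.__assert_not_deleted()
        self._attrs[attr] = value

    def schedule_deletion(self):
        """Mark the key for removal; every later access except the flush raises."""
        self.__assert_not_deleted()
        self._deleted = True

    def _update_key(self):
        """Write pending changes; remove the entry instead if deletion is scheduled."""
        if self._flushed:
            raise KeyDeleted("key %s was already removed from the store"
                             % hexlify(self.keyid).decode('ascii'))
        if self._deleted:
            self._store.delete_entry(self.keyid)
            self._flushed = True
        else:
            self._store.modify_entry(self.keyid, self._attrs)


def demo():
    """Walk through the lifecycle on constructed data and report what happened."""
    store = MemoryStore()
    keyid = b'\x0b\xad\xca\xfe'
    key = Key(keyid, {'idnsSecKeyActivate': '20160107',
                      'ipaPrivateKey': b'\x00' * 64}, store)
    key['idnsSecKeyActivate'] = '20160108'
    key._update_key()
    results = {'stored': store.entries[keyid]['idnsSecKeyActivate'],
               'repr_hides_blob': '\\x00' not in repr(key)}
    key.schedule_deletion()
    try:
        key['idnsSecKeyActivate'] = '20160109'
        results['modify_after_schedule'] = 'allowed'
    except KeyDeleted:
        results['modify_after_schedule'] = 'refused'
    key._update_key()                 # flushes the deletion
    results['entry_gone'] = keyid not in store.entries
    try:
        key._update_key()             # a second flush must blow up nicely
        results['double_flush'] = 'allowed'
    except KeyDeleted:
        results['double_flush'] = 'refused'
    return results


if __name__ == '__main__':
    print(demo())
```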
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 7 Jan 2016 09:55:52 -0500
Subject: [Freeipa-devel] [PATCHES] 0753-0759
In-Reply-To: <568E3B39.1090309@redhat.com>
References: <568D2494.9080602@redhat.com> <568D291D.5020709@redhat.com> <568E3B39.1090309@redhat.com>
Message-ID: <568E7C78.2040205@redhat.com>

Petr Viktorin wrote:
> On 01/06/2016 03:47 PM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> Hello,
>>>
>>> Patches 0753-0757 fix remaining warnings from `pylint --py3k`, except
>>> "no-absolute-import" (which seems redundant to me) and the ones in
>>> contrib/RHEL4.
>>>
>>> As for contrib/RHEL4, I found a mail [0] from 2013 saying it hasn't been
>>> used for a long time and probably doesn't work. Since then it's for
>>> example been changed to use ipapython.dn, which I'd bet no one checks
>>> for Python 2.5 compatibility. Since this seems to be untested and
>>> non-working code, I'm sending a patch to remove it. But if that's not
>>> wanted tell me, and I'll skip pylint --py3k checks there instead.
>>>
>>> The last patch adds py3k lint check to make-lint. It's a bit
>>> cumbersome, since pylint doesn't allow running regular checkers and the
>>> py3k ones at the same time, but it allows you to run the check. As for
>>> whether to enable --py3k by default, or run it on every package build,
>>> I'd like to defer the decision to core devs. (Is CI good enough nowadays
>>> to only run it there?)
>>>
>>> [0] https://www.redhat.com/archives/freeipa-users/2013-July/msg00055.html
>>>
>> My only nit would be to remove contrib/RHEL4 as being deprecated rather
>> than for lack of testing against some old version. It just configures ldap
>> and Kerberos via authconfig so unless the discovery failed it would
>> likely still work fairly well, but clearly it isn't being maintained so
>> I'd remove it for that reason for historical purposes.
>
> It uses ipapython (ipapython.dn and the log manager, specifically),
> which don't maintain compatibility with old Python versions. I don't
> have old Python versions around to check empirically, but a quick look
> at ipapython.dn says it won't import on anything lower than 2.6 nowadays.
>

Sure, kill it. Please just change the commit message.

rob
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 7 Jan 2016 16:26:07 +0100
Subject: [Freeipa-devel] [PATCH 0072-0081] DNSSEC: fixes
In-Reply-To: <568E6A53.6090202@redhat.com>
References: <56780DBA.60703@redhat.com> <56781085.4070106@redhat.com> <56783D51.3070005@redhat.com> <567950DB.7050708@redhat.com> <568D539A.6030107@redhat.com> <568E49B8.4040700@redhat.com> <568E6A53.6090202@redhat.com>
Message-ID: <568E838F.70309@redhat.com>

On 07.01.2016 14:38, Martin Basti wrote:
> On 07.01.2016 12:19, Martin Basti wrote:
>> On 06.01.2016 18:49, Martin Basti wrote:
>>> On 22.12.2015 14:32, Petr Spacek wrote:
>>>> On 21.12.2015 18:56, Martin Basti wrote:
>>>>> On 21.12.2015 15:45, Martin Basti wrote:
>>>>>> On 21.12.2015 15:33, Petr Spacek wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> this patch set fixes key rotation in DNSSEC.
>>>>>>>
>>>>>>> You can use attached template files for OpenDNSSEC config to shorten time
>>>>>>> intervals between key rotations.
>>>>>>>
>>>>>>> Please let me know if you have any questions, I'm all ears!
>>>>>>>
>>>>>> Please fix whitespace error:
>>>>>>
>>>>>> Applying: DNSSEC: logging improvements in ldapkeydb.py
>>>>>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:14: trailing whitespace.
>>>>>>
>>>>>> warning: 1 line adds whitespace errors.
>>>>>>
>>>>> *) DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
>>>>>
>>>>> Is it safe to not use try - except with ipautil.run()? What if ods-signer
>>>>> command failed?
>>>> That is intentional. The call should never fail, so if it fails there is no
>>>> way how to recover cleanly except restarting the daemon.
>>>>
>>>> The unhandled exception will kill the daemon and systemd will restart it
>>>> later on.
>>>>
>>>>> *) DNSSEC: Improve error reporting from ipa-ods-exporter
>>>>> IMO log.exception(ex) is enough, do we need to add traceback to msg?
>>>> msg is sent over socket to another process (see send_systemd_reply(conn, msg)
>>>> call in finally: block). Without this the remote party would not receive the
>>>> error information.
>>>>
>>>>> *) DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
>>>>> I think this is okay because we want to use KSK instantly, but just to be
>>>>> sure, is Publish->Activate okay?
>>>>> + bind_times['idnsSecKeyActivate'] = ods_times['idnsSecKeyPublish']
>>>>>
>>>>> Just to be sure, how will this be handled during KSK key rotation?
>>>> We have to copy semantics from OpenDNSSEC. Please see design page
>>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/OpenDNSSEC2BINDKeyStates
>>>> , it describes in detail why I did it this way.
>>>>
>>>>> *) DNSSEC: Make sure that current key state in LDAP matches key state in BIND
>>>>> LGTM
>>>>>
>>>>> *) DNSSEC: remove obsolete TODO note
>>>>> ACK
>>>>>
>>>>> *) DNSSEC: add debug mode to ldapkeydb.py
>>>>> A)
>>>>> You can remove __str__ method, python will use __repr__ as default
>>>> Done.
>>>>
>>>>> B)
>>>>> for attr in ['ipaPrivateKey', 'ipaPublicKey', 'ipk11publickeyinfo']:
>>>>> Do we need to sanitize *public*Key and publicKeyinfo?
>>>> Yes, we need it. The output with any of ['ipaPrivateKey', 'ipaPublicKey',
>>>> 'ipk11publickeyinfo'] is huge blob and printing it does not help readability.
>>>> Purpose of the patch is to make it easy to read and debug so printing useless
>>>> blobs would go directly against the purpose :-)
>>>>
>>>>> C)
>>>>> in odsmgr.py is used ipa_log_manager, can we use the same for consistency?
>>>> Fixed, thanks.
>>>>
>>>>> D)
>>>>> Do we need logging there, everything is printed via print except debug info
>>>>> about connecting, can you just redirect it to stderr, and usable data leave in
>>>>> stdout?
>>>> Yes, we need it because it eases debugging. print() prints useful information
>>>> to stdout. 'Garbage' about connecting to LDAP, IPA framework initialization
>>>> and so on goes via logger to stderr, so it can be easily separated from useful
>>>> information using redirection in BASH.
>>>>
>>>> I've added a comment right below if __name__ == '__main__': to make it clear
>>>> why we do not use logger in there.
>>>>
>>>>> *) DNSSEC: logging improvements in ldapkeydb.py
>>>>> IMO commit message should be: ".... in ipa-ods-exporter"
>>>>>
>>>>> Otherwise LGTM
>>>> Fixed, thanks.
>>>>
>>>>> *) DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
>>>>>
>>>>> A) coding style: please use (), instead of "\"
>>>>> assert set(pubkeys_local) == set(privkeys_local), (
>>>>>     "IDs of private and public keys for DNS zones in local HSM does "
>>>>>     "not match to key pairs: %s vs. %s" %
>>>>>     (hex_set(pubkeys_local), hex_set(privkeys_local))
>>>>> )
>>>> Fixed.
>>>>
>>>>> B) coding style
>>>>> assert not matched_already, (
>>>>>     "key %s is in more than one keyset" % hexlify(keyid)
>>>>> )
>>>> Not relevant anymore, see below.
>>>>
>>>>> C) schedule_key_deletion()
>>>>> how about case when keyid is not in any keyset, then keyid will not be
>>>>> replaced by object and it blows up somewhere else
>>>> Not relevant anymore, see below.
>>>>
>>>>> D) +class KeyDeleter(object):
>>>>> I would like to have a check there which blows up nicely if _update_key() is
>>>>> called twice on the same object. With current implementation you will get
>>>>> NoneType has no delete_entry method.
>>>> Not relevant anymore, see below.
>>>>
>>>>> E)
>>>>> I somehow do not like the placeholder object. Could we just extend Key
>>>>> object with attribute "to_be_deleted" or something similar, and if this
>>>>> attribute is set to True, Key._update_key() can remove, instead of creating a
>>>>> new object.
>>>>> Key.prepare_deletion() can set the value "to_be_deleted" to True.
>>>> Main purpose of the KeyDeleter object was to be incompatible with the Key
>>>> object. I want to be 100 % sure that it is not possible to call
>>>> schedule_delete() and subsequently modify the Key object.
>>>>
>>>> I've reworked the Key object so it has schedule_deletion() method and that all
>>>> other methods call __assert_not_deleted() to make sure that the object was not
>>>> deleted.
>>>>
>>>> Is it better?
>>>>
>>>>> *) DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
>>>>> How often is keysyncer initialized? Might happen the case where one of
>>>>> dnssec_zones has been disabled and keysyncer is not aware of this change?
>>>> KeySyncer is SyncReplConsumer, so it gets constant stream of updates from
>>>> LDAP. IMHO the answer is no, it cannot miss the update.
>>>>
>>>>> You may want to use DNSName from ipapython.dnsutil instead of pure dns.name
>>>> Other places in daemons are using dns.name too, so I will keep it that way.
>>>> For this particular case there would be no advantage anyway.
>>>>
>>>>> *) DNSSEC: ipa-ods-exporter: add ldap-cleanup command
>>>>> LGTM
>>>> Old and new version of patches can be found on Github:
>>>> * old: https://github.com/pspacek/freeipa/tree/dnssec_fixes
>>>> * new: https://github.com/pspacek/freeipa/tree/dnssec_fixes2
>>>>
>>>> Fixed patches (+1 new) are attached.
>>>>
>>> It works for me, except one case (I will try to reproduce it)
>>>
>>> Keys were rotated on master and new KSK had not been marked as ds-seen.
>>> When I installed replica, dig +dnssec did not show any RRSIG records
>>> (ipa-dnskeysyncd showed that keys were there).
>>> After I marked KSK key as ds-seen on master, replica started to sign
>>> DNS records.
>>> ZSK key rotation works on master and replica just fine.
>>>
>>> Just note, the previous KSK has been still in active state when
>>> replica did not sign records.
>>>
>> ACK
>>
>> I cannot reproduce it again, it is probably caused by
>> https://fedorahosted.org/freeipa/ticket/5348
>>
> Pushed to master: ae2462738b47c0f00133ae377854b31ddcb912a2
> Pushed to ipa-4-3: 2e85644ab29720b07d766532d3838e08034495d8
>
> ipa-4-2 needs rebase
>
Rebased

Pushed to ipa-4-2: 614d9affb339020485e45b229c5431279763bfc6

From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 7 Jan 2016 16:26:23 +0100
Subject: [Freeipa-devel] [PATCH 0083-0084] Fix DNS zone overlap check to allow ipa-replica-install to worFix dns_is_enabled() API command to throw exceptions as appropriat
Message-ID: <568E839F.5070702@redhat.com>

Hello,

Fix DNS zone overlap check to allow ipa-replica-install to work.

My review script claims that
"No problems detected using lint, pep8, ./make{api,aci}, and VERSION"

Please review.

-- 
Petr^2 Spacek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0083-Fix-dns_is_enabled-API-command-to-throw-exceptions-a.patch
Type: text/x-patch
Size: 1352 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0084-Fix-DNS-zone-overlap-check-to-allow-ipa-replica-inst.patch
Type: text/x-patch
Size: 3098 bytes
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 7 Jan 2016 16:28:08 +0100
Subject: [Freeipa-devel] [PATCH 027] Require Dogtag 10.2.6-13 to fix KRA uninstall
In-Reply-To: <568E07BC.9030701@redhat.com>
References: <568BA7FB.8040300@redhat.com> <20160105124919.GE6431@mail.corp.redhat.com> <568CEA9E.5090106@redhat.com> <568D6CF3.1090407@redhat.com> <568E07BC.9030701@redhat.com>
Message-ID: <568E8408.7020900@redhat.com>

On 07.01.2016 07:37, Jan Cholasta wrote:
> On 6.1.2016 20:37, Martin Basti wrote:
>> On 06.01.2016 11:21, Martin Babinsky wrote:
>>> On 01/05/2016 01:49 PM, Lukas Slebodnik wrote:
>>>> On (05/01/16 12:24), Christian Heimes wrote:
>>>>> The combination of a bug in Dogtag's sslget command and a new feature
>>>>> in mod_nss causes an incomplete uninstallation of KRA. The bug has been
>>>>> fixed in Dogtag 10.2.6-13.
>>>>>
>>>> and it is in fedora 23 stable for a week
>>>> https://bodhi.fedoraproject.org/updates/FEDORA-2015-c7dd78ac78
>>>>
>>>> LS
>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5469
>>>>> https://fedorahosted.org/pki/ticket/1704
>>>>>
>>>>> Signed-off-by: Christian Heimes
>>>>
>>>
>>> ipa-kra-install can be uninstalled and XMLRPC tests are also happy.
>>>
>>> ACK.
>>>
>> Pushed to:
>> master: 6ac3553dde63f7d2dfab5f0118ca833b049f734b
>> ipa-4-3: be18b70fe2b3b08fc4bd8ea1f5058128125d1f76
>>
>
> This is supposed to go into 4.2.4 as well, as per the last ticket
> triage (the ticket was not updated yet).
>

Pushed to ipa-4-2: 848842694e888cf15df73aa2b05fa445f9f4bd9b
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 7 Jan 2016 16:36:45 +0100
Subject: [Freeipa-devel] [PATCH 0400] update_uniqueness plugin: fix possible referenced before assignment error
In-Reply-To: <568E242B.5040204@redhat.com>
References: <568D6BD9.8080004@redhat.com> <568E242B.5040204@redhat.com>
Message-ID: <568E860D.9060507@redhat.com>

On 07.01.2016 09:39, Martin Babinsky wrote:
> On 01/06/2016 08:32 PM, Martin Basti wrote:
>> Variable 'update' might be undefined if a plugin configuration cannot be
>> migrated to new format.
>>
>> Patch attached.
>>
> ACK
>

Pushed to master: 8f09499ee02d4bb3ae924a7606ed38458cc1b5b4
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 7 Jan 2016 16:43:52 +0100
Subject: [Freeipa-devel] [PATCH 559] Fix kadmin for new users
In-Reply-To: <568CD50F.3030709@redhat.com>
References: <1448404347.29102.23.camel@redhat.com> <5655B100.90403@redhat.com> <5655B3E1.4050107@redhat.com> <5655B3FC.6060707@redhat.com> <1448461948.29102.41.camel@redhat.com> <5655C87D.3000802@redhat.com> <568CC42F.4060106@redhat.com> <568CC55A.5060308@redhat.com> <568CD50F.3030709@redhat.com>
Message-ID: <568E87B8.3040304@redhat.com>

On 06.01.2016 09:49, Petr Vobornik wrote:
> On 01/06/2016 08:42 AM, Martin Kosek wrote:
>> On 01/06/2016 08:37 AM, Martin Babinsky wrote:
>>> On 11/25/2015 03:41 PM, Martin Kosek wrote:
>>>> On 11/25/2015 03:32 PM, Simo Sorce wrote:
>>>>> On Wed, 2015-11-25 at 14:13 +0100, Tomas Babej wrote:
>>>>>> On 11/25/2015 02:13 PM, Tomas Babej wrote:
>>>>>>> On 11/25/2015 02:00 PM, Martin Babinsky wrote:
>>>>>>>> On 11/24/2015 11:32 PM, Simo Sorce wrote:
>>>>>>>>> Ticket #937 was reopened a while ago because of one corner case:
>>>>>>>>> new users that have never been assigned a password cause
>>>>>>>>> kadmin/kadmin.local to throw a fit when they try to visualize
>>>>>>>>> information about those users' principals.
>>>>>>>>>
>>>>>>>>> This patch fakes up modification information when no krbExtraData is
>>>>>>>>> available for the principal so that kadmin is happy.
>>>>>>>>>
>>>>>>>>> Tested and working as designed.
>>>>>>>>>
>>>>>>>>> Simo.
>>>>>>>>>
>>>>>>>> ACK
>>>>>>>>
>>>>>>> Pushed to master: 0f52eddd1d2781ccc1941c191e9ab6e3ccf6919d
>>>>>>>
>>>>>> On a related note, should we backport this to later branches?
>>>>>
>>>>> It wouldn't hurt, it should apply straight to any 4.x and probably
>>>>> latest 3.x branches too.
>>>>
>>>> I would not fix anything older than FreeIPA 4.1.x which is in F22,
>>>> which is the oldest supported Fedora (or rather will be, one month after F23 GA).
>>>>
>>> https://fedorahosted.org/freeipa/ticket/937 is included in 4.2.4
>>> milestone with priority critical. Shouldn't we backport the patch to
>>> ipa-4-2 branch?
>>
>> We should... Petr?
>>
>
> Right, that's why it is in 4.2.4.

Pushed to ipa-4-2: fec0f4621bd21c9a0f2f6cda11ade96271a10f5a

From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 7 Jan 2016 17:37:51 +0100
Subject: [Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails
Message-ID: <568E945F.3030605@redhat.com>

https://fedorahosted.org/freeipa/ticket/5584

-- 
Martin^3 Babinsky

From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 7 Jan 2016 17:38:51 +0100
Subject: [Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails
In-Reply-To: <568E945F.3030605@redhat.com>
References: <568E945F.3030605@redhat.com>
Message-ID: <568E949B.1090300@redhat.com>

On 01/07/2016 05:37 PM, Martin Babinsky wrote:
> https://fedorahosted.org/freeipa/ticket/5584
>
And the patch is here.

-- 
Martin^3 Babinsky

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0121-consider-IPA-master-removed-from-topology-when-reque.patch
Type: text/x-patch
Size: 1788 bytes
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 7 Jan 2016 17:55:13 +0100
Subject: [Freeipa-devel] [PATCH 0398] Allow to use mixed case for sysrestore
In-Reply-To: <568D5823.40200@redhat.com>
References: <568D5823.40200@redhat.com>
Message-ID: <568E9871.6020108@redhat.com>

On 06.01.2016 19:08, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5574
>
> Patch attached.
>
I missed one occurrence, updated patch attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0398.2-Allow-to-used-mixed-case-for-sysrestore.patch
Type: text/x-patch
Size: 2962 bytes

From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 7 Jan 2016 17:56:28 +0100
Subject: [Freeipa-devel] [PATCH 0118] fix Py3 incompatible exception instantiation in replica install code
In-Reply-To: <568A272A.5060805@redhat.com>
References: <568A272A.5060805@redhat.com>
Message-ID: <568E98BC.9080000@redhat.com>

On 01/04/2016 09:02 AM, Martin Babinsky wrote:
>
I have created a ticket for the patch and added it to the commit message:
https://fedorahosted.org/freeipa/ticket/5585

-- 
Martin^3 Babinsky

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0118.1-fix-Py3-incompatible-exception-instantiation-in-repl.patch
Type: text/x-patch
Size: 1882 bytes
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 7 Jan 2016 18:17:58 +0100
Subject: [Freeipa-devel] [PATCH 0086] Migrate OTP import script to python-cryptography
In-Reply-To: <560A6125.9090506@redhat.com>
References: <1441033728.7711.15.camel@redhat.com> <1443192785.10697.135.camel@redhat.com> <5605767F.3080906@redhat.com> <1443200711.10697.142.camel@redhat.com> <560A6125.9090506@redhat.com>
Message-ID: <568E9DC6.10908@redhat.com>

On 29.09.2015 12:00, Martin Babinsky wrote:
> On 09/25/2015 07:05 PM, Nathaniel McCallum wrote:
>> On Fri, 2015-09-25 at 18:29 +0200, Martin Babinsky wrote:
>>> On 09/25/2015 04:53 PM, Nathaniel McCallum wrote:
>>>> On Mon, 2015-08-31 at 11:08 -0400, Nathaniel McCallum wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/5192
>>>>> --
>>>>> Manage your subscription for the Freeipa-devel mailing list:
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>>>>
>>>> Attached patch rebases the previous patch for master.
>>>>
>>>> Nathaniel
>>>>
>>> Hi Nathaniel,
>>>
>>> pylint is not happy with your patches:
>>>
>>> """
>>> ************* Module ipaserver.install.ipa_otptoken_import
>>> ipaserver/install/ipa_otptoken_import.py:189:
>>> [E1120(no-value-for-parameter), PBKDF2KeyDerivation.__init__] No value
>>> for argument 'backend' in constructor call)
>>> ipaserver/install/ipa_otptoken_import.py:235:
>>> [E1120(no-value-for-parameter), XMLDecryptor.__call__] No value for
>>> argument 'backend' in constructor call)
>>> """
>>>
>>> This is probably the reason for 2 of the otptoken_import tests to fail
>>> with TypeError, see http://fpaste.org/271526/31985721/
>>
>> Fixed.
>>
>
> Nathaniel,
>
> I still get two failing tests (see http://fpaste.org/272526/14435143/).
>
> I also noticed some other issues with OTP importing code, but those
> are probably beyond the scope of your patch:
>
> ipa-otptoken-import prints the following error when attempting to add
> token to IPA:
>
> Error adding token: no context.ldap2_140453224789456 in thread
> 'MainThread'
>
> This is caused by incorrect creation of ldap2 connection in the
> 'run()' method of 'ipa_otptoken_import.py'. I think we should connect
> to LDAP directly using api.Backend.ldap2:
>
> @@ -510,9 +510,8 @@ class OTPTokenImport(admintool.AdminTool):
> api.bootstrap(in_server=True)
> api.finalize()
>
> - conn = ldap2(api)
> try:
> - conn.connect()
> + api.Backend.ldap2.connect()
> except (gssapi.exceptions.GSSError, errors.ACIError):
> raise admintool.ScriptError("Unable to connect to LDAP! Did you kinit?")
>
> @@ -527,7 +526,7 @@ class OTPTokenImport(admintool.AdminTool):
> self.log.info("Added token: %s", keypkg.id)
> keypkg.remove()
> finally:
> - conn.disconnect()
> + api.Backend.ldap2.disconnect()
>
> # Write out the XML file without the tokens that succeeded.
> self.doc.save(self.output)
>
> However, this approach doesn't work when 'ipa-otptoken-import' is run
> as root on IPA master: in this case ldap2 connects using autobind and
> does not set principal in the context. This causes the logic which
> guesses the token owner in 'otptoken_add' to explode violently
> (http://fpaste.org/272543/35164611/).
>
> Should I file a separate ticket for this issue?
>
bump, this thread seems to be unfinished
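Review bot: in the first hunk (@@ -510,9 +510,8 @@), swapping `conn.connect()` for `api.Backend.ldap2.connect()` changes the failure mode the surrounding `except (gssapi.exceptions.GSSError, errors.ACIError)` was written for: when the tool runs as root on a master the connect succeeds through autobind and no principal is recorded in the context, so the "Unable to connect to LDAP! Did you kinit?" ScriptError is never raised and the owner-guessing logic in otptoken_add fails much later, exactly the case described below the hunk. Suggest checking right after `api.Backend.ldap2.connect()` that a principal is set and raising the same `admintool.ScriptError` when it is not, so the tool fails fast with an actionable message instead of inside the plugin.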
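Review bot: in the second hunk (@@ -527,7 +526,7 @@), `api.Backend.ldap2.disconnect()` in the `finally:` block now tears down the shared backend connection rather than a private one, which is fine for a one-shot admin tool but worth a comment at the call site; and since `conn = ldap2(api)` was the only construction of `ldap2` shown, the `ldap2` import in the module is presumably unused after this change and should be dropped in the same patch so pylint does not flag it.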
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 7 Jan 2016 18:28:55 +0100
Subject: [Freeipa-devel] [PATCH 0018] Fixed install_ca and install_kra failures at domain level 0
In-Reply-To: <568E1966.8080604@redhat.com>
References: <566AF99A.4060604@redhat.com> <566B00CE.4040408@redhat.com> <566EBF53.3030608@redhat.com> <568CF0CC.1020605@redhat.com> <568D1F68.5060505@redhat.com> <568E1966.8080604@redhat.com>
Message-ID: <568EA057.8090106@redhat.com>

On 07.01.2016 08:53, Oleg Fayans wrote:
> On 01/06/2016 03:06 PM, Martin Basti wrote:
>> I cannot apply your patch on master branch, missing blobs, can you
>> rebase please?
> Done
>
>> On 06.01.2016 11:47, Oleg Fayans wrote:
>>> Any chance this patch can be merged this week?
>>>
>>> On 12/14/2015 02:08 PM, Oleg Fayans wrote:
>>>> Hi Martin,
>>>>
>>>> On 12/11/2015 05:58 PM, Martin Basti wrote:
>>>>> On 11.12.2015 17:28, Oleg Fayans wrote:
>>>>>> + myre = re.compile(".*Backed up to (?P.*?)\n.*")
>>>>> IMO this regexp is not good.
>>>>>
>>>>> 1)
>>>>> please name it better than "myre"
>>>> Done
>>>>
>>>>> 2)
>>>>> initial '.*' is not needed because regexp does not start with '^' and
>>>>> you use search() later
>>>>>
>>>>> 3)
>>>>> trailing '.*' is not needed as well, because it does not end with '$'
>>>>>
>>>>> 4)
>>>>> You can use re.MULTILINE that will parse string per lines
>>>>>
>>>>> path_re = re.compile("^Backed up to (?P.*)$", re.MULTILINE)
>>>> Used it, thanks!
>>>>
>>>>> 5)
>>>>> + matched = myre.search(result.stdout_text + result.stderr_text)
>>>>> Why do you need search in both stderr and stdout?
>>>> Because of this bug: https://fedorahosted.org/freeipa/ticket/5484
>>>>
>>>>> Martin^2
>>>>>
>>>>
ACK

Pushed to:
master: 3b39d8b6de3e9e3551c2c413db1fe8260979c593
ipa-4-3: 67727a2864a8a0997cfa71d7a36618a4dc741ed8
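The reviewer's re.MULTILINE version of the "Backed up to" check, as an added Python example that is not the patch's own code: the group name `path`, the helper names and the sample output strings are constructed (the archive dropped the group name from the quoted pattern), and the example also covers a case the review does not mention, namely what happens when stdout and stderr are concatenated without a newline between them.

```python
import re

# Anchored, per-line pattern as suggested in the review. The group name is a
# placeholder: the archive dropped the name from the quoted pattern.
BACKUP_PATH_RE = re.compile(r"^Backed up to (?P<path>.*)$", re.MULTILINE)


def find_backup_path(stdout_text, stderr_text):
    """Return the path announced by a 'Backed up to ...' line, or None.

    The line may be printed on stderr (the ticket quoted in the review), so
    both streams are searched. They are joined with a newline on purpose: a
    stdout that does not end in a newline would otherwise be glued to the
    first stderr line and '^' would no longer match there.
    """
    match = BACKUP_PATH_RE.search(stdout_text + "\n" + stderr_text)
    return match.group("path") if match else None


def find_backup_path_naive(stdout_text, stderr_text):
    """The same search over a bare concatenation, as in the reviewed patch."""
    match = BACKUP_PATH_RE.search(stdout_text + stderr_text)
    return match.group("path") if match else None


# Constructed sample output; the paths are made up.
SAMPLE_STDOUT = ("Preparing backup\n"
                 "Backed up to /var/lib/ipa/backup/ipa-full-2016-01-07-example\n"
                 "Done\n")
# Constructed failure case: stdout without a trailing newline, notice on stderr.
SAMPLE_STDOUT_NO_NL = "Preparing backup"
SAMPLE_STDERR = "Backed up to /tmp/example-backup\n"

if __name__ == "__main__":
    print(find_backup_path(SAMPLE_STDOUT, ""))
    print(find_backup_path_naive(SAMPLE_STDOUT_NO_NL, SAMPLE_STDERR))  # None
    print(find_backup_path(SAMPLE_STDOUT_NO_NL, SAMPLE_STDERR))
```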
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 8 Jan 2016 09:58:59 +0100
Subject: [Freeipa-devel] [PATCH] 942 webui: add examples to network address validator error message
In-Reply-To:
References: <56794AC0.4030605@redhat.com>
Message-ID: <568F7A53.7010404@redhat.com>

On 22.12.2015 14:33, Gabe Alford wrote:
> LGTM.
>
> Gabe
>
> On Tue, Dec 22, 2015 at 6:06 AM, Petr Vobornik wrote:
>
>     https://fedorahosted.org/freeipa/ticket/5532
>     --
>     Petr Vobornik
>
ACK

Pushed to:
master: a291ca87803c1cbaeaba60006b52596ad77b7f4b
ipa-4-3: 77f9a3a669d109a54eaee896c7fc2ebe741c81cd

From: dkupka at redhat.com (David Kupka)
Date: Fri, 8 Jan 2016 09:59:37 +0100
Subject: [Freeipa-devel] [PATCH 0082] Fix --auto-reverse option in --unattended mode
In-Reply-To: <568E3D08.6020206@redhat.com>
References: <568E3D08.6020206@redhat.com>
Message-ID: <568F7A79.6060205@redhat.com>

On 07/01/16 11:25, Petr Spacek wrote:
> Hello,
>
> Fix --auto-reverse option in --unattended mode.
>
> Oleg, this should fix your particular environment.
>
> Unfortunately it is not a complete fix for
> https://fedorahosted.org/freeipa/ticket/5559 , stay tuned - I will send other
> patches related to this.
>
Thanks, looks good and works as expected for me, ACK.

-- 
David Kupka
From: dkupka at redhat.com (David Kupka)
Date: Fri, 8 Jan 2016 09:59:54 +0100
Subject: [Freeipa-devel] [PATCH 0083-0084] Fix DNS zone overlap check to allow ipa-replica-install to worFix dns_is_enabled() API command to throw exceptions as appropriat
In-Reply-To: <568E839F.5070702@redhat.com>
References: <568E839F.5070702@redhat.com>
Message-ID: <568F7A8A.10406@redhat.com>

On 07/01/16 16:26, Petr Spacek wrote:
> Hello,
>
> Fix DNS zone overlap check to allow ipa-replica-install to work.
>
> My review script claims that
> "No problems detected using lint, pep8, ./make{api,aci}, and VERSION"
>
> Please review.
>
Thanks, looks good and works as expected for me, ACK.

-- 
David Kupka

From: mbasti at redhat.com (Martin Basti)
Date: Fri, 8 Jan 2016 10:09:49 +0100
Subject: [Freeipa-devel] [PATCH] 943 webui: pwpolicy cospriority field was marked as required
In-Reply-To: <56794EC6.8040302@redhat.com>
References: <56794EC6.8040302@redhat.com>
Message-ID: <568F7CDD.4070008@redhat.com>

On 22.12.2015 14:23, Petr Vobornik wrote:
> https://fedorahosted.org/freeipa/ticket/5553
>
Pushed to:
master: af0e0e5153afdcdf5b8165162ae4ef5d60ecbe0b
ipa-4-3: 574a637c730e62b741c9f901e51ff324b57bb781
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 8 Jan 2016 10:10:17 +0100
Subject: [Freeipa-devel] [PATCH] 943 webui: pwpolicy cospriority field was marked as required
In-Reply-To: <568F7CDD.4070008@redhat.com>
References: <56794EC6.8040302@redhat.com> <568F7CDD.4070008@redhat.com>
Message-ID: <568F7CF9.5080104@redhat.com>

On 08.01.2016 10:09, Martin Basti wrote:
> On 22.12.2015 14:23, Petr Vobornik wrote:
>> https://fedorahosted.org/freeipa/ticket/5553
>>
> Pushed to:
> master: af0e0e5153afdcdf5b8165162ae4ef5d60ecbe0b
> ipa-4-3: 574a637c730e62b741c9f901e51ff324b57bb781
>
ACK

From: ofayans at redhat.com (Oleg Fayans)
Date: Fri, 8 Jan 2016 10:12:21 +0100
Subject: [Freeipa-devel] [TEST] Workaround for ticket N 5559
Message-ID: <568F7D75.2010404@redhat.com>

Passes lint, fixes an issue with replica installation failures due to
absence of corresponding reverse zone on master.

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0019-A-workaround-for-ticket-5559.patch
Type: text/x-patch
Size: 3153 bytes
From: mbasti at redhat.com (Martin Basti) Date: Fri, 8 Jan 2016 10:14:01 +0100 Subject: [Freeipa-devel] [PATCH 0082] Fix --auto-reverse option in --unattended mode In-Reply-To: <568F7A79.6060205@redhat.com> References: <568E3D08.6020206@redhat.com> <568F7A79.6060205@redhat.com> Message-ID: <568F7DD9.7000209@redhat.com> On 08.01.2016 09:59, David Kupka wrote: > On 07/01/16 11:25, Petr Spacek wrote: >> Hello, >> >> Fix --auto-reverse option in --unattended mode. >> >> Oleg, this should fix your particular environment. >> >> Unfortunately it is not a complete fix for >> https://fedorahosted.org/freeipa/ticket/5559 , stay tuned - I will >> send other >> patches related to this. >> > Thanks, looks good and works as expected for me, ACK. > Pushed to: master: aab190cc5d38edf3f4fbf0a6c12911dfc8f37fd3 ipa-4-3: 2c0dc779f5d92dd21912868b243f64a23dddd936 From mbasti at redhat.com Fri Jan 8 09:17:10 2016 From: mbasti at redhat.com (Martin Basti) Date: Fri, 8 Jan 2016 10:17:10 +0100 Subject: [Freeipa-devel] [PATCH 0083-0084] Fix DNS zone overlap check to allow ipa-replica-install to worFix dns_is_enabled() API command to throw exceptions as appropriat In-Reply-To: <568F7A8A.10406@redhat.com> References: <568E839F.5070702@redhat.com> <568F7A8A.10406@redhat.com> Message-ID: <568F7E96.3070405@redhat.com> On 08.01.2016 09:59, David Kupka wrote: > On 07/01/16 16:26, Petr Spacek wrote: >> Hello, >> >> Fix DNS zone overlap check to allow ipa-replica-install to work. >> >> My review script claims that >> "No problems detected using lint, pep8, ./make{api,aci}, and VERSION" >> >> Please review. >> > Thanks, looks good and works as expected for me, ACK. > Pushed to: master: 3d1a8d31343ce0a71d3236e9d8457a06e12c07a9 ipa-4-3: b9f2a7c523f27c09ef31573d174cdb6f3456a23b From pviktori at redhat.com Fri Jan 8 09:27:35 2016 
From: pviktori at redhat.com (Petr Viktorin) Date: Fri, 8 Jan 2016 10:27:35 +0100 Subject: [Freeipa-devel] [PATCH] 0758 In-Reply-To: <568E7C78.2040205@redhat.com> References: <568D2494.9080602@redhat.com> <568D291D.5020709@redhat.com> <568E3B39.1090309@redhat.com> <568E7C78.2040205@redhat.com> Message-ID: <568F8107.3080803@redhat.com> On 01/07/2016 03:55 PM, Rob Crittenden wrote: > Petr Viktorin wrote: >> On 01/06/2016 03:47 PM, Rob Crittenden wrote: >>> Petr Viktorin wrote: >>>> Hello, >>>> >>>> Patches 0753-0757 fix remaining warnings from `pylint --py3k`, except >>>> "no-absolute-import" (which seems redundant to me) and the ones in >>>> contrib/RHEL4. >>>> >>>> As for contrib/RHEL4, I found a mail [0] from 2013 saying it hasn't been >>>> used for a long time and probably doesn't work. Since then it's for >>>> example been changed to use ipapython.dn, which I'd bet no one checks >>>> for Python 2.5 compatibility. Since this seems to be untested and >>>> non-working code, so I'm sending a patch to remove it. But if that's not >>>> wanted tell me, and I'll skip pylint --py3k checks there instead. >>>> >>>> The last patch adds py3k lint check to make-lint. It's a bit >>>> cumbersome, since pylint doesn't allow running regular checkers and the >>>> py3k ones at the same time, but it allows you to run the check. As for >>>> whether to enable --py3k by default, or run it on every package build, >>>> I'd like to defer the decision to core devs. (Is CI good enough nowadays >>>> to only run it there?) >>>> >>>> >>>> [0] https://www.redhat.com/archives/freeipa-users/2013-July/msg00055.html >>>> >>>> >>>> >>> >>> My only nit would be to remove contrib/RHEL4 as being deprecated rather >>> than lack of testing against some old version. It just configures ldap >>> and Kerberos via authconfig so unless the discovery failed it would >>> likely still work fairly well, but clearly it isn't being maintained so >>> I'd remove it for that reason for historical purposes. 
>> >> It uses ipapython (ipapython.dn and the log manager, specifically), >> which don't maintain compatibility with old Python versions. I don't >> have old Python versions around to check empirically, but a quick look >> at ipapython.dn says it won't import on anything lower than 2.6 nowadays. >> > > Sure, kill it. Please just change the commit message. A patch with a changed commit message is attached. It can be reviewed/pushed before the others. -- Petr Viktorin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0758.2-Remove-deprecated-contrib-RHEL4.patch Type: text/x-patch Size: 37336 bytes Desc: not available URL: From ftweedal at redhat.com Fri Jan 8 10:56:16 2016
From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 8 Jan 2016 20:56:16 +1000 Subject: [Freeipa-devel] [PATCH] 0048 Decode HTTP reason phrase as iso-8859-1 In-Reply-To: <20160107100051.GS31821@dhcp-40-8.bne.redhat.com> References: <20160106042631.GJ31821@dhcp-40-8.bne.redhat.com> <568E0C0F.9060401@redhat.com> <20160107100051.GS31821@dhcp-40-8.bne.redhat.com> Message-ID: <20160108105616.GZ31821@dhcp-40-8.bne.redhat.com> On Thu, Jan 07, 2016 at 08:00:51PM +1000, Fraser Tweedale wrote: > On Thu, Jan 07, 2016 at 07:56:15AM +0100, Jan Cholasta wrote: > > Hi, > > > > On 6.1.2016 05:26, Fraser Tweedale wrote: > > >Happy new year, all. > > > > > >The attached patch fixes a unicode decode error triggered in some > > >locales, which causes failure of installation (and probably other > > >operations, if locale is changed under an existing server). > > > > > >https://fedorahosted.org/freeipa/ticket/5578 > > > > It seems like this fixes only part of the issue - the installer won't crash > > anymore. But what happens if the reason phrase uses characters which are not > > in iso-8859-1 (e.g. "?", a character commonly used in Czech)? Shouldn't we > > always specify the encoding in requests, so that Dogtag does not have to > > guess? > > > In this case it will not throw an exception, but it will decode > nonsense. However, in my investigation just now of how Tomcat > decides what to send in the reason phrase, it turns out that in > future releases they will not send a reason phrase[1] at all! > > [1] https://github.com/apache/tomcat/commit/707ab1c77f3bc189e1c3f29b641506db4c8bce37 > > (Nice to know about this in advance - I will not be surprised if > some clients break) > > I'll cut a new patch tomorrow that just ignores the reason phrase > rather than trying to decode and log it. All the info is in the > status code, after all. > > Thanks for reviewing, > Fraser > Promised new patch attached - removes the reason phrase and updates call sites accordingly.
Cheers, Fraser > > > Honza > > > > -- > > Jan Cholasta > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -------------- next part -------------- From 3d860dbb660844b76b9343d3c0908af89f0327ac Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 6 Jan 2016 14:50:42 +1100 Subject: [PATCH] Do not decode HTTP reason phrase from Dogtag The HTTP reason phrase sent by Dogtag is assumed to be encoded in UTF-8, but the encoding used by Tomcat is dependent on system locale, causing decode errors in some locales. The reason phrase is optional and will not be sent in a future version of Tomcat[1], so do not bother decoding and returning it. [1] https://github.com/apache/tomcat/commit/707ab1c77f3bc189e1c3f29b641506db4c8bce37 Fixes: https://fedorahosted.org/freeipa/ticket/5578 --- ipapython/dogtag.py | 23 +++++++++++------------ ipaserver/install/certs.py | 7 +++---- ipaserver/plugins/dogtag.py | 44 ++++++++++++++++++++++---------------------- 3 files changed, 36 insertions(+), 38 deletions(-) diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 010e49652687680444d18e2e8f784fb6167a0df5..1cb74719c4ce2cc97c54dc7bebfa4b32ceee14a1 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -118,14 +118,14 @@ def ca_status(ca_host=None, use_proxy=True): ca_port = 443 else: ca_port = 8443 - status, reason, headers, body = unauthenticated_https_request( + status, headers, body = unauthenticated_https_request( ca_host, ca_port, '/ca/admin/ca/getStatus') if status == 503: # Service temporarily unavailable - return reason + return status elif status != 200: raise errors.RemoteRetrieveError( - reason=_("Retrieving CA status failed: %s") % reason) + reason=_("Retrieving CA status failed with status %d") % status) return _parse_ca_status(body) 
@@ -136,8 +136,8 @@ def https_request(host, port, url, secdir, password, nickname, :param url: The path (not complete URL!) to post to. :param body: The request body (encodes kw if None) :param kw: Keyword arguments to encode into POST body. - :return: (http_status, http_reason_phrase, http_headers, http_body) - as (integer, unicode, dict, str) + :return: (http_status, http_headers, http_body) + as (integer, dict, str) Perform a client authenticated HTTPS request """ @@ -165,8 +165,8 @@ def http_request(host, port, url, **kw): """ :param url: The path (not complete URL!) to post to. :param kw: Keyword arguments to encode into POST body. - :return: (http_status, http_reason_phrase, http_headers, http_body) - as (integer, unicode, dict, str) + :return: (http_status, http_headers, http_body) + as (integer, dict, str) Perform an HTTP request. """ @@ -179,8 +179,8 @@ def unauthenticated_https_request(host, port, url, **kw): """ :param url: The path (not complete URL!) to post to. :param kw: Keyword arguments to encode into POST body. - :return: (http_status, http_reason_phrase, http_headers, http_body) - as (integer, unicode, dict, str) + :return: (http_status, http_headers, http_body) + as (integer, dict, str) Perform an unauthenticated HTTPS request. """ @@ -219,15 +219,14 @@ def _httplib_request( res = conn.getresponse() http_status = res.status - http_reason_phrase = unicode(res.reason, 'utf-8') http_headers = res.msg.dict http_body = res.read() conn.close() except Exception as e: raise NetworkError(uri=uri, error=str(e)) - root_logger.debug('response status %d %s', http_status, http_reason_phrase) + root_logger.debug('response status %d', http_status) root_logger.debug('response headers %s', http_headers) root_logger.debug('response body %r', http_body) - return http_status, http_reason_phrase, http_headers, http_body + return http_status, http_headers, http_body 
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 1591362b4b37946aa390a8a5bfd455419382a199..f74b76090bfe2670a998373e3c7cdc3c5727c465 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -403,12 +403,11 @@ class CertDB(object): result = dogtag.https_request( self.host_name, 8443, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params) - http_status, http_reason_phrase, http_headers, http_body = result + http_status, http_headers, http_body = result if http_status != 200: raise CertificateOperationError( - error=_('Unable to communicate with CMS (%s)') % - http_reason_phrase) + error=_('Unable to communicate with CMS (status %d)') % http_status) # The result is an XML blob. Pull the certificate out of that doc = xml.dom.minidom.parseString(http_body) @@ -457,7 +456,7 @@ class CertDB(object): result = dogtag.https_request( self.host_name, 8443, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params) - http_status, http_reason_phrase, http_headers, http_body = result + http_status, http_headers, http_body = result if http_status != 200: raise RuntimeError("Unable to submit cert request") diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 1a1172a3807fe2585d15cb2363e68318e83cb09f..2549aae3d7d99364cc78f44bd96897e3738ef00d 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1351,8 +1351,8 @@ class ra(rabase.rabase): """ :param url: The URL to post to. :param kw: Keyword arguments to encode into POST body. - :return: (http_status, http_reason_phrase, http_headers, http_body) - as (integer, unicode, dict, str) + :return: (http_status, http_headers, http_body) + as (integer, dict, str) Perform an HTTP request. """ 
@@ -1362,8 +1362,8 @@ class ra(rabase.rabase): """ :param url: The URL to post to. :param kw: Keyword arguments to encode into POST body. - :return: (http_status, http_reason_phrase, http_headers, http_body) - as (integer, unicode, dict, str) + :return: (http_status, http_headers, http_body) + as (integer, dict, str) Perform an HTTPS request """ @@ -1423,7 +1423,7 @@ class ra(rabase.rabase): self.debug('%s.check_request_status()', self.fullname) # Call CMS - http_status, http_reason_phrase, http_headers, http_body = \ + http_status, http_headers, http_body = \ self._request('/ca/ee/ca/checkRequest', self.env.ca_port, requestId=request_id, @@ -1432,7 +1432,7 @@ class ra(rabase.rabase): # Parse and handle errors if http_status != 200: self.raise_certificate_operation_error('check_request_status', - detail=http_reason_phrase) + detail=http_status) parse_result = self.get_parse_result_xml(http_body, parse_check_request_result_xml) request_status = parse_result['request_status'] @@ -1508,7 +1508,7 @@ class ra(rabase.rabase): serial_number = int(serial_number, 0) # Call CMS - http_status, http_reason_phrase, http_headers, http_body = \ + http_status, http_headers, http_body = \ self._sslget('/ca/agent/ca/displayBySerial', self.env.ca_agent_port, serialNumber=str(serial_number), @@ -1518,7 +1518,7 @@ class ra(rabase.rabase): # Parse and handle errors if http_status != 200: self.raise_certificate_operation_error('get_certificate', - detail=http_reason_phrase) + detail=http_status) parse_result = self.get_parse_result_xml(http_body, parse_display_cert_xml) request_status = parse_result['request_status'] @@ -1576,7 +1576,7 @@ class ra(rabase.rabase): self.debug('%s.request_certificate()', self.fullname) # Call CMS - http_status, http_reason_phrase, http_headers, http_body = \ + http_status, http_headers, http_body = \ self._sslget('/ca/eeca/ca/profileSubmitSSLClient', self.env.ca_ee_port, profileId=profile_id, 
@@ -1586,7 +1586,7 @@ class ra(rabase.rabase): # Parse and handle errors if http_status != 200: self.raise_certificate_operation_error('request_certificate', - detail=http_reason_phrase) + detail=http_status) parse_result = self.get_parse_result_xml(http_body, parse_profile_submit_result_xml) # Note different status return, it's not request_status, it's error_code @@ -1655,7 +1655,7 @@ class ra(rabase.rabase): serial_number = int(serial_number, 0) # Call CMS - http_status, http_reason_phrase, http_headers, http_body = \ + http_status, http_headers, http_body = \ self._sslget('/ca/agent/ca/doRevoke', self.env.ca_agent_port, op='revoke', @@ -1667,7 +1667,7 @@ class ra(rabase.rabase): # Parse and handle errors if http_status != 200: self.raise_certificate_operation_error('revoke_certificate', - detail=http_reason_phrase) + detail=http_status) parse_result = self.get_parse_result_xml(http_body, parse_revoke_cert_xml) request_status = parse_result['request_status'] @@ -1718,7 +1718,7 @@ class ra(rabase.rabase): serial_number = int(serial_number, 0) # Call CMS - http_status, http_reason_phrase, http_headers, http_body = \ + http_status, http_headers, http_body = \ self._sslget('/ca/agent/ca/doUnrevoke', self.env.ca_agent_port, serialNumber=str(serial_number), @@ -1727,7 +1727,7 @@ class ra(rabase.rabase): # Parse and handle errors if http_status != 200: self.raise_certificate_operation_error('take_certificate_off_hold', - detail=http_reason_phrase) + detail=http_status) parse_result = self.get_parse_result_xml(http_body, parse_unrevoke_cert_xml) @@ -2030,7 +2030,7 @@ class RestClient(Backend): """Log into the REST API""" if self.cookie is not None: return - status, status_text, resp_headers, resp_body = dogtag.https_request( + status, resp_headers, resp_body = dogtag.https_request( self.ca_host, self.override_port or self.env.ca_agent_port, '/ca/rest/account/login', self.sec_dir, self.password, self.ipa_certificate_nickname, 
@@ -2056,8 +2056,8 @@ class RestClient(Backend): """ :param url: The URL to post to. :param kw: Keyword arguments to encode into POST body. - :return: (http_status, http_reason_phrase, http_headers, http_body) - as (integer, unicode, dict, str) + :return: (http_status, http_headers, http_body) + as (integer, dict, str) Perform an HTTPS request """ @@ -2071,7 +2071,7 @@ class RestClient(Backend): resource = os.path.join('/ca/rest', self.path, path) # perform main request - status, status_text, resp_headers, resp_body = dogtag.https_request( + status, resp_headers, resp_body = dogtag.https_request( self.ca_host, self.override_port or self.env.ca_agent_port, resource, self.sec_dir, self.password, self.ipa_certificate_nickname, @@ -2080,10 +2080,10 @@ class RestClient(Backend): if status < 200 or status >= 300: explanation = self._parse_dogtag_error(resp_body) or '' raise errors.RemoteRetrieveError( - reason=_('Non-2xx response from CA REST API: %(status)d %(status_text)s. %(explanation)s') - % {'status': status, 'status_text': status_text, 'explanation': explanation} + reason=_('Non-2xx response from CA REST API: %(status)d. %(explanation)s') + % {'status': status, 'explanation': explanation} ) - return (status, status_text, resp_headers, resp_body) + return (status, resp_headers, resp_body) class ra_certprofile(RestClient): @@ -2108,7 +2108,7 @@ class ra_certprofile(RestClient): """ Read the profile configuration from Dogtag """ - status, status_text, resp_headers, resp_body = self._ssldo( + status, resp_headers, resp_body = self._ssldo( 'GET', profile_id + '/raw') return resp_body -- 2.5.0 From mkosek at redhat.com Fri Jan 8 11:15:17 2016 
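Review bot: in the ca_status() hunk in ipapython/dogtag.py, the 503 branch now returns the integer status where it previously returned the reason string, while the 200 path still returns whatever _parse_ca_status(body) produces, so the function's return type now depends on which branch ran; a caller that compares or formats the result as a status string will get 503 instead of a phrase. Consider returning a fixed string (for example "Service Unavailable") or raising RemoteRetrieveError as the other non-200 branch does, and check every caller of ca_status() for the old reason-phrase assumption.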
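Review bot: in the _httplib_request() hunk, dropping the reason phrase from the debug log throws away diagnostics that are harmless to keep: logging res.reason with %r does not decode it and therefore cannot raise, so `root_logger.debug('response status %d %r', http_status, res.reason)` preserves the server's text for troubleshooting without the locale problem. The return-tuple change itself is fine, but three docstrings in this file advertise the tuple shape, so confirm no module outside the three files in the diffstat still unpacks four values; such a caller would fail with ValueError at runtime rather than at import.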
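Review bot: in the second certs.py hunk, the one that ends in `raise RuntimeError("Unable to submit cert request")`, the error still carries no status code even though the hunk just above it was changed to say '(status %d)'; include http_status here as well, otherwise the one clue the reason phrase used to give is gone entirely from that path.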
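Review bot: in the ra hunks in ipaserver/plugins/dogtag.py (check_request_status, get_certificate, request_certificate, revoke_certificate, take_certificate_off_hold), raise_certificate_operation_error(..., detail=http_status) now passes an int where a unicode string was passed before; if the helper interpolates detail with %s or wraps it in a translated message this is fine, but if it concatenates or expects unicode it will fail exactly when an error is being reported. Passing a formatted string such as `detail=_('HTTP status %d') % http_status` keeps the type stable and reads better in the resulting CertificateOperationError.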
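Review bot: in the RestClient._ssldo hunk, the message 'Non-2xx response from CA REST API: %(status)d. %(explanation)s' ends in a stray space whenever _parse_dogtag_error() finds nothing and explanation is ''; build the explanation suffix conditionally. Also, any RestClient subclass outside this diff that unpacks the four-tuple from _ssldo() or dogtag.https_request() will raise ValueError on unpacking, so grep for status_text and http_reason_phrase across the tree before pushing.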
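The failure mode the thread describes, as an added example that is neither the patch above nor FreeIPA code: a status-line parser that never decodes the reason phrase as UTF-8 (ISO-8859-1 cannot fail on any byte, which is what RFC 7230's obs-text allows), treats a missing phrase as valid (the future Tomcat behaviour Fraser links), and builds error text from the status code alone. The sample status lines are constructed, not captured from Dogtag.

```python
import re
from typing import NamedTuple, Optional

# RFC 7230: status-line = HTTP-version SP status-code SP reason-phrase CRLF.
# The reason phrase may be empty and may contain obs-text (0x80-0xFF), so the
# only decoding that can never raise is ISO-8859-1 (one byte, one code point).
_STATUS_LINE = re.compile(rb"^HTTP/(\d)\.(\d) (\d{3})(?: ?([^\r\n]*))?\r?\n?$")


class StatusLine(NamedTuple):
    version: str
    status: int
    reason: Optional[str]   # None when the server sent no reason phrase at all


def parse_status_line(raw: bytes) -> StatusLine:
    """Parse a raw status line; the reason phrase is decoded losslessly or absent."""
    m = _STATUS_LINE.match(raw)
    if not m:
        raise ValueError("malformed status line: %r" % (raw,))
    major, minor, code, reason = m.groups()
    phrase = None if not reason else reason.decode("iso-8859-1")
    return StatusLine("%s.%s" % (major.decode(), minor.decode()), int(code), phrase)


def naive_decode_fails(raw_reason: bytes) -> bool:
    """True if the pre-patch approach, unicode(reason, 'utf-8'), would have raised."""
    try:
        raw_reason.decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True


def describe(raw: bytes) -> str:
    """Error text for callers: only the status code, never the server's phrase."""
    return "CA request failed with HTTP status %d" % parse_status_line(raw).status


# Constructed samples (assumed, not real Dogtag output):
LATIN1_404 = b"HTTP/1.1 404 Nicht gefunden f\xfcr Sie\r\n"   # German phrase in ISO-8859-1
NO_REASON_503 = b"HTTP/1.1 503 \r\n"                            # empty phrase, as future Tomcat

if __name__ == "__main__":
    for line in (LATIN1_404, NO_REASON_503):
        print(parse_status_line(line), "->", describe(line))
```

The 0xFC byte in the first sample is a valid ISO-8859-1 "ü" but an invalid UTF-8 start byte, which is exactly why the old `unicode(res.reason, 'utf-8')` blew up in a German or Czech locale; the parser above keeps the phrase for logging but `describe()` never puts it in user-facing errors, matching the direction the patch takes.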
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 8 Jan 2016 12:15:17 +0100 Subject: [Freeipa-devel] [PATCH 0373] Upgrade: Fix IPA version comparison In-Reply-To: <566A8B22.5020101@redhat.com> References: <56687174.8000305@redhat.com> <20151210081357.GB21550@mail.corp.redhat.com> <56695291.5090705@redhat.com> <566990E3.2080903@redhat.com> <5669A3D3.7050608@redhat.com> <566A8B22.5020101@redhat.com> Message-ID: <568F9A45.9080109@redhat.com> On 12/11/2015 09:36 AM, Martin Kosek wrote: > On 12/10/2015 05:09 PM, Martin Basti wrote: >> >> >> On 10.12.2015 15:49, Tomas Babej wrote: >>> >>> On 12/10/2015 11:23 AM, Martin Basti wrote: >>>> >>>> On 10.12.2015 09:13, Lukas Slebodnik wrote: >>>>> On (09/12/15 19:22), Martin Basti wrote: >>>>>> https://fedorahosted.org/freeipa/ticket/5535 >>>>>> >>>>>> Patch attached. >>>>> >From 8ef93485d61e8732166fb0c5b6c4559209740f3e Mon Sep 17 00:00:00 2001 >>>>>> From: Martin Basti >>>>>> Date: Wed, 9 Dec 2015 18:53:35 +0100 >>>>>> Subject: [PATCH] Fix version comparison >>>>>> >>>>>> Use RPM library to compare vendor versions of IPA for redhat platform >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/5535 >>>>>> --- >>>>>> freeipa.spec.in | 2 ++ >>>>>> ipaplatform/redhat/tasks.py | 19 +++++++++++++++++++ >>>>>> 2 files changed, 21 insertions(+) >>>>>> >>>>>> diff --git a/freeipa.spec.in b/freeipa.spec.in >>>>>> index >>>>>> 9f82b3695fb10c4db65cc31278364b3b34e26098..09feba7b8324f5e645da3e8010de86b6c3ee5ab9 >>>>>> >>>>>> >>>>>> 100644 >>>>>> --- a/freeipa.spec.in >>>>>> +++ b/freeipa.spec.in 
>>>>>> @@ -166,6 +166,8 @@ Requires: %{etc_systemd_dir} >>>>>> Requires: gzip >>>>>> Requires: python-gssapi >= 1.1.0 >>>>>> Requires: custodia >>>>>> +Requires: rpm-python >>>>>> +Requires: rpmdevtools >>>>> Could you explain why you need the 2nd package? >>>>> It does not contain any python modules >>>>> and I cannot see usage of any binary in this patch >>>>> >>>>> LS >>>> Thanks for this catch, it is actually located in yum package, I rather >>>> copy stringToVersion function from there to IPA, to avoid dependency hell >>>> >>>> Updated patch attached. >>>> >>>> >>> Looking good. The __cmp__ function, however, is not available in Python >>> 3. As we will eventually support python3 in RHEL as well, maybe we >>> should make sure even platform-dependent parts are python3 compatible? >>> For the future's sake. >>> >>> Tomas >>> >> Thanks, >> >> python 3 compatible patch attached. > > I wonder why we have to add so much code here and reimplement RPM version > checking if it is already provided by rpmdevtools: > > ~~~ > $ /usr/bin/rpmdev-vercmp ipa-4.2.0-15.el7 4.2.0-15.el7_2.3; echo $? > WARNING: hyphen in release1: 4.2.0-15.el7 > > rpmdev-vercmp <EVR1> <EVR2> > rpmdev-vercmp <E1> <V1> <R1> <E2> <V2> <R2> > rpmdev-vercmp # with no arguments, prompt > > Exit status is 0 if the EVR's are equal, 11 if EVR1 is newer, and 12 if EVR2 > is newer. Other exit statuses indicate problems. > > ipa-4.2.0-15.el7 < 4.2.0-15.el7_2.3 > 12 > ~~~ > > which could be directly called from __eq__ or __lt__, since we are in platform > specific code anyway already. > > Martin The version comparing was discussed again as current way causes some issues. JFTR, the example above is not correct, this is the right way of calling it: $ rpmdev-vercmp 4.2.0-15.el7 4.2.0-15.el7_2.3; echo $? 4.2.0-15.el7 < 4.2.0-15.el7_2.3 12 One thing discussed is that rpmdevtools require Perl. Looking at current FreeIPA dependencies, we do require it already, but in general, it would be nice to get rid of it.
But as for now, we did not come up with a better idea for above other than reimplementing it all in FreeIPA python code. Martin From pviktori at redhat.com Fri Jan 8 11:45:45 2016 
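Review bot: on the freeipa.spec.in hunk quoted above (`+Requires: rpm-python` / `+Requires: rpmdevtools`), the second Requires is not backed by any use in the patch, which only imports the rpm Python module, and rpmdevtools pulls in Perl; drop it unless the final design really shells out to rpmdev-vercmp, and if it does, the exit-code contract quoted in the thread (0 equal, 11 first EVR newer, 12 second EVR newer, anything else an error) must be checked explicitly in the calling code rather than treated as a boolean.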
From: pviktori at redhat.com (Petr Viktorin) Date: Fri, 8 Jan 2016 12:45:45 +0100 Subject: [Freeipa-devel] [PATCHES] 0752-0757, 0759 Enable pylint --py3k In-Reply-To: <568D2494.9080602@redhat.com> References: <568D2494.9080602@redhat.com> Message-ID: <568FA169.4030900@redhat.com> On 01/06/2016 03:28 PM, Petr Viktorin wrote: > Hello, > > Patches 0753-0757 fix remaining warnings from `pylint --py3k`, except > "no-absolute-import" (which seems redundant to me) and the ones in > contrib/RHEL4. > The last patch adds py3k lint check to make-lint. It's a bit > cumbersome, since pylint doesn't allow running regular checkers and the > py3k ones at the same time, but it allows you to run the check. As for > whether to enable --py3k by default, or run it on every package build, > I'd like to defer the decision to core devs. (Is CI good enough nowadays > to only run it there?) > > > [0] https://www.redhat.com/archives/freeipa-users/2013-July/msg00055.html Here's a new version of the patchset, updated to current master. The last patch requires 0758 (removing contrib/RHEL4) which is being reviewed in another thread. -- Petr Viktorin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0752.2-Use-explicit-truncating-division.patch Type: text/x-patch Size: 4884 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0753.2-Don-t-index-exceptions-directly.patch Type: text/x-patch Size: 2547 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0754.2-Use-print_function-future-definition-wherever-print-.patch Type: text/x-patch Size: 1892 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pviktori-0755.2-Alias-unicode-to-str-under-Python-3.patch Type: text/x-patch Size: 5479 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0756.2-Avoid-builtins-that-were-removed-in-Python-3.patch Type: text/x-patch Size: 2493 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0757.2-dnsutil-Rename-__nonzero__-to-__bool__.patch Type: text/x-patch Size: 1052 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0759.2-make-lint-Allow-running-pylint-py3k-to-detect-Python.patch Type: text/x-patch Size: 4062 bytes Desc: not available URL: From dkupka at redhat.com Fri Jan 8 11:55:53 2016 From: dkupka at redhat.com (David Kupka) Date: Fri, 8 Jan 2016 12:55:53 +0100 Subject: [Freeipa-devel] Fix ipa-replica-prepare after DNS check patches Message-ID: <568FA3C9.1060508@redhat.com> https://fedorahosted.org/freeipa/ticket/5563 -- David Kupka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-dkupka-0078.0-ipa-replica-prepare-Add-auto-reverse-and-allow-zone-.patch Type: text/x-patch Size: 1459 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-dkupka-0079.0-installer-Change-reverse-zones-question-to-better-re.patch Type: text/x-patch Size: 918 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-dkupka-0080.0-Fix-Use-unattended-parameter-instead-of-options.unat.patch Type: text/x-patch Size: 1104 bytes Desc: not available URL: From mkosek at redhat.com Fri Jan 8 12:26:57 2016 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 8 Jan 2016 13:26:57 +0100 Subject: [Freeipa-devel] FreeIPA and modern requirements on certificates Message-ID: <568FAB11.4070406@redhat.com> Hi Fraser and other X.509 SMEs, I wanted to check with you on what we have or plan to have with respect to certificate/cipher strength in FreeIPA. When I visit the FreeIPA public demo for example, I usually see the following errors with recent browsers: * Your connection to ipa.demo1.freeipa.org is encrypted using obsolete cipher suite. - The connection uses TLS 1.2 - The connection is encrypted using AES_128_CBC, with HMAC-SHA1 for message authentication and RSA as the key exchange mechanism I usually do not see the common * Certificate chain contains a certificate signed with SHA-1 error, but I am not sure if we are covered for this one. When I tested the FreeIPA demo with https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org (and ignore the trust issues), we get the mark B with following warnings: * This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B. * The server does not support Forward Secrecy with the reference browsers. What do we miss to turn out Grade A, which is obviously something expected from security solution like FreeIPA? Is it just about ECC support (https://fedorahosted.org/freeipa/ticket/3951) or also maybe some change to our default certificate profiles? Thanks! -- Martin Kosek Manager, Software Engineering - Identity Management Team Red Hat, Inc. From mbasti at redhat.com Fri Jan 8 12:45:30 2016
From: mbasti at redhat.com (Martin Basti) Date: Fri, 8 Jan 2016 13:45:30 +0100 Subject: [Freeipa-devel] import rpm causes failure during IPA caless install Message-ID: <568FAF6A.3070008@redhat.com> Hello all, fix for ticket https://fedorahosted.org/freeipa/ticket/5535 requires to import rpm module This import somehow breaks nsslib in IPA https://fedorahosted.org/freeipa/ticket/5572 We have 2 ways how to fix it: 1) move import rpm to body of methods (attached patch) We are not sure how stable is this solution. 2) use solution with rpmdevtools proposed here: https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html This should be rock stable but it needs many dependencies (rpm-python too, perl) The second way looks safer, so I would like to reimplement it, do you all agree or do you have better idea? Feedback welcome, please ASAP. Martin^2 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0000-fix-rpm-import.patch Type: text/x-patch Size: 1189 bytes Desc: not available URL: From tbabej at redhat.com Fri Jan 8 12:54:44 2016 
From: tbabej at redhat.com (Tomas Babej) Date: Fri, 8 Jan 2016 13:54:44 +0100 Subject: [Freeipa-devel] import rpm causes failure during IPA caless install In-Reply-To: <568FAF6A.3070008@redhat.com> References: <568FAF6A.3070008@redhat.com> Message-ID: <568FB194.3030804@redhat.com> On 01/08/2016 01:45 PM, Martin Basti wrote: > Hello all, > > fix for ticket https://fedorahosted.org/freeipa/ticket/5535 > requires to import rpm module > > This import somehow breaks nsslib in IPA > https://fedorahosted.org/freeipa/ticket/5572 > > > We have 2 ways how to fix it: > > 1) move import rpm to body of methods (attached patch) > We are not sure how stable is this solution. > > 2) use solution with rpmdevtools proposed here: > https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html > This should be rock stable but it needs many dependencies (rpm-python > too, perl) > > The second way looks safer, so I would like to reimplement it, do you > all agree or do you have better idea? > Feedback welcome, please ASAP. > > Martin^2 > > I guess this needs to be fixed on the RPM side, so we should file a ticket there, referencing ours. As we discussed, this is most likely insufficient cleanup performed on their side. As far as the fix goes, I'd leverage the external tool in this situation. Tomas From ftweedal at redhat.com Fri Jan 8 12:56:19 2016 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 8 Jan 2016 22:56:19 +1000 Subject: [Freeipa-devel] FreeIPA and modern requirements on certificates In-Reply-To: <568FAB11.4070406@redhat.com> References: <568FAB11.4070406@redhat.com> Message-ID: <20160108125619.GA31821@dhcp-40-8.bne.redhat.com> On Fri, Jan 08, 2016 at 01:26:57PM +0100, Martin Kosek wrote: > Hi Fraser and other X.509 SMEs, > > I wanted to check with you on what we have or plan to have with respect to > certificate/cipher strength in FreeIPA. > > When I visit the FreeIPA public demo for example, I usually see following > errors with recent browsers: > > * Your connection to ipa.demo1.freeipa.org is encrypted using obsolete cipher > suite. > - The connection uses TLS 1.2 > - The connection is encrypted using AES_128_CBC, with HMAC-SHA1 for message > authentication and RSA as the key exchange mechanism > This is a cipher suite / ordering issue, not related to certificate. > I usually do not see the common > * Certificate chain contains a certificate signed with SHA-1 > error, but I am not sure if we are covered for this one. > We are using sha256 for IPA CA and default profiles. Customers could still modify the profile or add profiles to sign using an obsolete hash, if they wanted to, but our default is good. > > When I tested the FreeIPA demo with > https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org > (and ignore the trust issues), we get the mark B with following warnings: > > * This server accepts RC4 cipher, but only with older protocol versions. Grade > capped to B. > > * The server does not support Forward Secrecy with the reference browsers. > Again a cipher suite tweak will address this. > > What do we miss to turn out Grade A, which is obviously something expected from > security solution like FreeIPA? Is it just about ECC support > (https://fedorahosted.org/freeipa/ticket/3951) or also maybe some change to our > default certificate profiles?
> Based on what you've written, it is just the cipher suite that needs changing, and maybe a setting about favouring server cipher order over client order. ECC certificate support is not needed (yet) and the default profile is fine, w.r.t. hash used for signing. One important modern certificate requirement is to always include a SAN dnsName for the subject, as required by RFC 2818; this is ticket #4970 and it is on my radar. Cheers, Fraser > Thanks! > > -- > Martin Kosek > Manager, Software Engineering - Identity Management Team > Red Hat, Inc. From mkosek at redhat.com Fri Jan 8 13:00:04 2016 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 8 Jan 2016 14:00:04 +0100 Subject: [Freeipa-devel] import rpm causes failure during IPA caless install In-Reply-To: <568FAF6A.3070008@redhat.com> References: <568FAF6A.3070008@redhat.com> Message-ID: <568FB2D4.4040407@redhat.com> On 01/08/2016 01:45 PM, Martin Basti wrote: > Hello all, > > fix for ticket https://fedorahosted.org/freeipa/ticket/5535 > requires to import rpm module > > This import somehow breaks nsslib in IPA > https://fedorahosted.org/freeipa/ticket/5572 > > > We have 2 ways how to fix it: > > 1) move import rpm to body of methods (attached patch) > We are not sure how stable is this solution. > > 2) use solution with rpmdevtools proposed here: > https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html > This should be rock stable but it needs many dependencies (rpm-python too, perl) > > The second way looks safer, so I would like to reimplement it, do you all agree > or do you have better idea? > Feedback welcome, please ASAP. > > Martin^2 Since it's Friday, I invested 15 minutes to practice my C skills and use the python-cffi library to call rpm rpmvercmp library call directly (attached): $ python rpm.py 4.2.0-15.el7 4.2.0-15.el7_2.3 4.2.0-15.el7 < 4.2.0-15.el7_2.3 This would not introduce any additional dependency besides rpm-devel, right? :-) -------------- next part -------------- A non-text attachment was scrubbed... Name: rpm.py Type: text/x-python Size: 405 bytes Desc: not available URL: From mkosek at redhat.com Fri Jan 8 13:02:07 2016 
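A pure-Python port of rpm's version comparison, added here as an example for the two threads above (reimplementing the comparison in FreeIPA versus calling rpmdev-vercmp or binding librpm through cffi); it is not FreeIPA's patch, not the yum stringToVersion code mentioned in the thread, and not Martin's rpm.py attachment. The segment rules follow librpm's rpmvercmp (numeric segments beat alphabetic ones, leading zeros are ignored, '~' sorts before anything, '^' sorts after the base but before a longer version). The EVR splitting (epoch:version-release with the epoch defaulting to 0, release compared only when both sides carry one) is this example's own assumption rather than rpm's exact rpmEVRcmp semantics, and all version strings below are constructed.

```python
import string
from typing import Tuple

_ALNUM = set(string.ascii_letters + string.digits)


def _skip_separators(s: str, i: int) -> int:
    """Advance past characters rpm ignores (anything not alnum, '~' or '^')."""
    while i < len(s) and s[i] not in _ALNUM and s[i] not in "~^":
        i += 1
    return i


def _segment(s: str, i: int, numeric: bool) -> str:
    """Longest run of digits (numeric) or ASCII letters (alphabetic) at s[i:]."""
    charset = string.digits if numeric else string.ascii_letters
    j = i
    while j < len(s) and s[j] in charset:
        j += 1
    return s[i:j]


def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a is newer, -1 if b is newer, 0 if they compare equal."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        i = _skip_separators(a, i)
        j = _skip_separators(b, j)
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        # tilde marks a pre-release: older than anything, even end of string
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i += 1
            j += 1
            continue
        # caret marks a post-release snapshot: newer than the bare base
        # version, older than a version that continues with a real segment
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i += 1
            j += 1
            continue
        if not (ca and cb):
            break
        numeric = ca in string.digits
        sa = _segment(a, i, numeric)
        sb = _segment(b, j, numeric)
        if not sb:                          # segment types differ: numeric wins
            return 1 if numeric else -1
        i += len(sa)
        j += len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):          # more digits means a larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:                        # same length: plain string order
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1         # whichever still has characters wins


def parse_evr(evr: str) -> Tuple[str, str, str]:
    """Split 'epoch:version-release' (assumed format) into its three parts."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, sep, release = evr.rpartition("-")
    if not sep:
        version, release = evr, ""
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """EVR comparison: epoch, then version, then release when both have one."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    for x, y in ((ea, eb), (va, vb)):
        r = rpmvercmp(x, y)
        if r:
            return r
    return rpmvercmp(ra, rb) if ra and rb else 0


if __name__ == "__main__":
    for x, y in (("4.2.0-15.el7", "4.2.0-15.el7_2.3"), ("1:1.0-1", "2.0-1")):
        print(x, {1: ">", 0: "==", -1: "<"}[compare_evr(x, y)], y)
```

Because it touches no librpm symbols, this can be compared against the vendor version string without the `import rpm` side effect on nsslib that ticket 5572 describes; the cost is that it has to track upstream rpmvercmp if rpm ever changes its segment rules again (the caret rule is the most recent such change).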
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 8 Jan 2016 14:02:07 +0100 Subject: [Freeipa-devel] FreeIPA and modern requirements on certificates In-Reply-To: <20160108125619.GA31821@dhcp-40-8.bne.redhat.com> References: <568FAB11.4070406@redhat.com> <20160108125619.GA31821@dhcp-40-8.bne.redhat.com> Message-ID: <568FB34F.1000008@redhat.com> On 01/08/2016 01:56 PM, Fraser Tweedale wrote: > On Fri, Jan 08, 2016 at 01:26:57PM +0100, Martin Kosek wrote: >> Hi Fraser and other X.509 SMEs, >> >> I wanted to check with you on what we have or plan to have with respect to >> certificate/cipher strength in FreeIPA. >> >> When I visit the FreeIPA public demo for example, I usually see following >> errors with recent browsers: >> >> * Your connection to ipa.demo1.freeipa.org is encrypted using obsolete cypher >> suite. >> - The connection uses TLS 1.2 >> - The connection is encrypted ising AES_128_CBC, with HMAC-SHA1 for message >> authentication and RSA as the key exchange mechanism >> > This is a cipher suite / ordering issue, not related to certificate. > >> I usually do not see the common >> * Certificate chain contains a certificate signed with SHA-1 >> error, but I am not sure if we are covered for this one. >> > We are using sha256 for IPA CA and default profiles. Customers > could still modify the profile or add profiles to sign using an > obsolete hash, if they wanted to, but our default is good. > >> >> When I tested the FreeIPA demo with >> https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org >> (and ignore the trust issues), we get the mark B with following warnings: >> >> * This server accepts RC4 cipher, but only with older protocol versions. Grade >> capped to B. >> >> * The server does not support Forward Secrecy with the reference browsers. >> > Again a cipher suite tweak will address this. > >> >> What do we miss to turn out Grade A, which is obviously something expected from >> security solution like FreeIPA? 
>> Is it just about ECC support
>> (https://fedorahosted.org/freeipa/ticket/3951) or also maybe some change to our
>> default certificate profiles?
>>
> Based on what you've written, it is just the cipher suite that needs
> changing, and maybe a setting about favouring server cipher order
> over client order. ECC certificate support is not needed (yet) and
> the default profile is fine, w.r.t. hash used for signing.
>
> One important modern certificate requirement is to always include a
> SAN dnsName for the subject, as required by RFC 2818; this is ticket
> #4970 and it is on my radar.
>
> Cheers,
> Fraser

Should I then file a ticket to fix the cipher suite? (I did not fully
understand the specifics though).

From abokovoy at redhat.com Fri Jan 8 13:08:56 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 8 Jan 2016 15:08:56 +0200
Subject: [Freeipa-devel] import rpm causes failure during IPA caless install
In-Reply-To: <568FB194.3030804@redhat.com>
References: <568FAF6A.3070008@redhat.com> <568FB194.3030804@redhat.com>
Message-ID: <20160108130856.GI4316@redhat.com>

On Fri, 08 Jan 2016, Tomas Babej wrote:
>
>
>On 01/08/2016 01:45 PM, Martin Basti wrote:
>> Hello all,
>>
>> fix for ticket https://fedorahosted.org/freeipa/ticket/5535
>> requires to import rpm module
>>
>> This import somehow breaks nsslib in IPA
>> https://fedorahosted.org/freeipa/ticket/5572
>>
>>
>> We have 2 ways how to fix it:
>>
>> 1) move import rpm to body of methods (attached patch)
>> We are not sure how stable is this solution.
>>
>> 2) use solution with rpmdevtools proposed here:
>> https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html
>> This should be rock stable but it needs many dependencies (rpm-python
>> too, perl)
>>
>> The second way looks safer, so I would like to reimplement it, do you
>> all agree or do you have better idea?
>> Feedback welcome, please ASAP.
>>
>> Martin^2
>>
>>
>
>I guess this needs to be fixed on the RPM side, so we should file a
>ticket there, referencing ours. As we discussed, this is most likely
>insufficient cleanup performed on their side.

It will not be fixed on RPM side because they need access to
certificate's store and NSS library is just not designed to be a
library with multiple uncoordinated users inside the same application.

>As far as the fix goes, I'd leverage the external tool in this situation.

Yes, go with external tool, really.

-- 
/ Alexander Bokovoy

From mbasti at redhat.com Fri Jan 8 13:09:50 2016
From: mbasti at redhat.com (Martin Basti) Date: Fri, 8 Jan 2016 14:09:50 +0100 Subject: [Freeipa-devel] import rpm causes failure during IPA caless install In-Reply-To: <568FB2D4.4040407@redhat.com> References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> Message-ID: <568FB51E.2030608@redhat.com> On 08.01.2016 14:00, Martin Kosek wrote: > On 01/08/2016 01:45 PM, Martin Basti wrote: >> Hello all, >> >> fix for ticket https://fedorahosted.org/freeipa/ticket/5535 >> requires to import rpm module >> >> This import somehow breaks nsslib in IPA >> https://fedorahosted.org/freeipa/ticket/5572 >> >> >> We have 2 ways how to fix it: >> >> 1) move import rpm to body of methods (attached patch) >> We are not sure how stable is this solution. >> >> 2) use solution with rpmdevtools proposed here: >> https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html >> This should be rock stable but it needs many dependencies (rpm-python too, perl) >> >> The second way looks safer, so I would like to reimplement it, do you all agree >> or do you have better idea? >> Feedback welcome, please ASAP. >> >> Martin^2 > Since it's Friday, I invested 15 minutes to practice my C skills and use the > python-cffi library to call rpm rpmvercmp library call directly (attached): > > $ python rpm.py 4.2.0-15.el7 4.2.0-15.el7_2.3 > 4.2.0-15.el7 < 4.2.0-15.el7_2.3 > > This would not introduce any additional dependency besides rpm-devel, right? :-) I'm afraid that this can cause the same issue as import rpm, because the nsslib is used from C library From mkosek at redhat.com Fri Jan 8 13:11:06 2016 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 8 Jan 2016 14:11:06 +0100 Subject: [Freeipa-devel] import rpm causes failure during IPA caless install In-Reply-To: <568FB51E.2030608@redhat.com> References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com> Message-ID: <568FB56A.80507@redhat.com> On 01/08/2016 02:09 PM, Martin Basti wrote: > > > On 08.01.2016 14:00, Martin Kosek wrote: >> On 01/08/2016 01:45 PM, Martin Basti wrote: >>> Hello all, >>> >>> fix for ticket https://fedorahosted.org/freeipa/ticket/5535 >>> requires to import rpm module >>> >>> This import somehow breaks nsslib in IPA >>> https://fedorahosted.org/freeipa/ticket/5572 >>> >>> >>> We have 2 ways how to fix it: >>> >>> 1) move import rpm to body of methods (attached patch) >>> We are not sure how stable is this solution. >>> >>> 2) use solution with rpmdevtools proposed here: >>> https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html >>> This should be rock stable but it needs many dependencies (rpm-python too, >>> perl) >>> >>> The second way looks safer, so I would like to reimplement it, do you all agree >>> or do you have better idea? >>> Feedback welcome, please ASAP. >>> >>> Martin^2 >> Since it's Friday, I invested 15 minutes to practice my C skills and use the >> python-cffi library to call rpm rpmvercmp library call directly (attached): >> >> $ python rpm.py 4.2.0-15.el7 4.2.0-15.el7_2.3 >> 4.2.0-15.el7 < 4.2.0-15.el7_2.3 >> >> This would not introduce any additional dependency besides rpm-devel, right? :-) > I'm afraid that this can cause the same issue as import rpm, because the nsslib > is used from C library This would need to be tested/figured out, I do not know the exact details of how the NSS issue is triggered. From jcholast at redhat.com Fri Jan 8 13:14:13 2016 
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 8 Jan 2016 14:14:13 +0100
Subject: [Freeipa-devel] import rpm causes failure during IPA caless install
In-Reply-To: <568FB51E.2030608@redhat.com>
References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com>
Message-ID: <568FB625.6060807@redhat.com>

On 8.1.2016 14:09, Martin Basti wrote:
>
>
> On 08.01.2016 14:00, Martin Kosek wrote:
>> On 01/08/2016 01:45 PM, Martin Basti wrote:
>>> Hello all,
>>>
>>> fix for ticket https://fedorahosted.org/freeipa/ticket/5535
>>> requires to import rpm module
>>>
>>> This import somehow breaks nsslib in IPA
>>> https://fedorahosted.org/freeipa/ticket/5572
>>>
>>>
>>> We have 2 ways how to fix it:
>>>
>>> 1) move import rpm to body of methods (attached patch)
>>> We are not sure how stable is this solution.
>>>
>>> 2) use solution with rpmdevtools proposed here:
>>> https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html
>>> This should be rock stable but it needs many dependencies (rpm-python
>>> too, perl)
>>>
>>> The second way looks safer, so I would like to reimplement it, do you
>>> all agree
>>> or do you have better idea?
>>> Feedback welcome, please ASAP.
>>>
>>> Martin^2
>> Since it's Friday, I invested 15 minutes to practice my C skills and
>> use the
>> python-cffi library to call rpm rpmvercmp library call directly
>> (attached):
>>
>> $ python rpm.py 4.2.0-15.el7 4.2.0-15.el7_2.3
>> 4.2.0-15.el7 < 4.2.0-15.el7_2.3
>>
>> This would not introduce any additional dependency besides rpm-devel,
>> right? :-)

Not rpm-devel, but rpm-libs (you should dlopen "librpm.so.3").

> I'm afraid that this can cause the same issue as import rpm, because the
> nsslib is used from C library

I would be surprised if NSS was used in this particular function.

-- 
Jan Cholasta

From mbasti at redhat.com Fri Jan 8 13:13:41 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 8 Jan 2016 14:13:41 +0100
Subject: [Freeipa-devel] import rpm causes failure during IPA caless install
In-Reply-To: <568FB625.6060807@redhat.com>
References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com> <568FB625.6060807@redhat.com>
Message-ID: <568FB605.3070909@redhat.com>

On 08.01.2016 14:14, Jan Cholasta wrote:
> On 8.1.2016 14:09, Martin Basti wrote:
>>
>>
>> On 08.01.2016 14:00, Martin Kosek wrote:
>>> On 01/08/2016 01:45 PM, Martin Basti wrote:
>>>> Hello all,
>>>>
>>>> fix for ticket https://fedorahosted.org/freeipa/ticket/5535
>>>> requires to import rpm module
>>>>
>>>> This import somehow breaks nsslib in IPA
>>>> https://fedorahosted.org/freeipa/ticket/5572
>>>>
>>>>
>>>> We have 2 ways how to fix it:
>>>>
>>>> 1) move import rpm to body of methods (attached patch)
>>>> We are not sure how stable is this solution.
>>>>
>>>> 2) use solution with rpmdevtools proposed here:
>>>> https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html
>>>>
>>>> This should be rock stable but it needs many dependencies (rpm-python
>>>> too, perl)
>>>>
>>>> The second way looks safer, so I would like to reimplement it, do you
>>>> all agree
>>>> or do you have better idea?
>>>> Feedback welcome, please ASAP.
>>>>
>>>> Martin^2
>>> Since it's Friday, I invested 15 minutes to practice my C skills and
>>> use the
>>> python-cffi library to call rpm rpmvercmp library call directly
>>> (attached):
>>>
>>> $ python rpm.py 4.2.0-15.el7 4.2.0-15.el7_2.3
>>> 4.2.0-15.el7 < 4.2.0-15.el7_2.3
>>>
>>> This would not introduce any additional dependency besides rpm-devel,
>>> right? :-)
>
> Not rpm-devel, but rpm-libs (you should dlopen "librpm.so.3").
>
>> I'm afraid that this can cause the same issue as import rpm, because the
>> nsslib is used from C library
>
> I would be surprised if NSS was used in this particular function.
>
I will try it

From ftweedal at redhat.com Fri Jan 8 13:17:55 2016
From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 8 Jan 2016 23:17:55 +1000 Subject: [Freeipa-devel] FreeIPA and modern requirements on certificates In-Reply-To: <568FB34F.1000008@redhat.com> References: <568FAB11.4070406@redhat.com> <20160108125619.GA31821@dhcp-40-8.bne.redhat.com> <568FB34F.1000008@redhat.com> Message-ID: <20160108131755.GC31821@dhcp-40-8.bne.redhat.com> On Fri, Jan 08, 2016 at 02:02:07PM +0100, Martin Kosek wrote: > On 01/08/2016 01:56 PM, Fraser Tweedale wrote: > > On Fri, Jan 08, 2016 at 01:26:57PM +0100, Martin Kosek wrote: > >> Hi Fraser and other X.509 SMEs, > >> > >> I wanted to check with you on what we have or plan to have with respect to > >> certificate/cipher strength in FreeIPA. > >> > >> When I visit the FreeIPA public demo for example, I usually see following > >> errors with recent browsers: > >> > >> * Your connection to ipa.demo1.freeipa.org is encrypted using obsolete cypher > >> suite. > >> - The connection uses TLS 1.2 > >> - The connection is encrypted ising AES_128_CBC, with HMAC-SHA1 for message > >> authentication and RSA as the key exchange mechanism > >> > > This is a cipher suite / ordering issue, not related to certificate. > > > >> I usually do not see the common > >> * Certificate chain contains a certificate signed with SHA-1 > >> error, but I am not sure if we are covered for this one. > >> > > We are using sha256 for IPA CA and default profiles. Customers > > could still modify the profile or add profiles to sign using an > > obsolete hash, if they wanted to, but our default is good. > > > >> > >> When I tested the FreeIPA demo with > >> https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org > >> (and ignore the trust issues), we get the mark B with following warnings: > >> > >> * This server accepts RC4 cipher, but only with older protocol versions. Grade > >> capped to B. > >> > >> * The server does not support Forward Secrecy with the reference browsers. 
> >>
> > Again a cipher suite tweak will address this.
> >
> >>
> >> What do we miss to turn out Grade A, which is obviously something expected from
> >> security solution like FreeIPA? Is it just about ECC support
> >> (https://fedorahosted.org/freeipa/ticket/3951) or also maybe some change to our
> >> default certificate profiles?
> >>
> > Based on what you've written, it is just the cipher suite that needs
> > changing, and maybe a setting about favouring server cipher order
> > over client order. ECC certificate support is not needed (yet) and
> > the default profile is fine, w.r.t. hash used for signing.
> >
> > One important modern certificate requirement is to always include a
> > SAN dnsName for the subject, as required by RFC 2818; this is ticket
> > #4970 and it is on my radar.
> >
> > Cheers,
> > Fraser
>
> Should I then file a ticket to fix the cipher suite? (I did not fully
> understand the specifics though).
>
Yes. I have not checked yet, but we are possibly using
stock-standard mod_nss configuration (as shipped by the RPM). If
so, we should file a ticket against mod_nss to improve their
defaults.

Cheers,
Fraser

From mbabinsk at redhat.com Fri Jan 8 13:18:54 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 8 Jan 2016 14:18:54 +0100 Subject: [Freeipa-devel] import rpm causes failure during IPA caless install In-Reply-To: <568FB625.6060807@redhat.com> References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com> <568FB625.6060807@redhat.com> Message-ID: <568FB73E.3000403@redhat.com> On 01/08/2016 02:14 PM, Jan Cholasta wrote: > On 8.1.2016 14:09, Martin Basti wrote: >> >> >> On 08.01.2016 14:00, Martin Kosek wrote: >>> On 01/08/2016 01:45 PM, Martin Basti wrote: >>>> Hello all, >>>> >>>> fix for ticket https://fedorahosted.org/freeipa/ticket/5535 >>>> requires to import rpm module >>>> >>>> This import somehow breaks nsslib in IPA >>>> https://fedorahosted.org/freeipa/ticket/5572 >>>> >>>> >>>> We have 2 ways how to fix it: >>>> >>>> 1) move import rpm to body of methods (attached patch) >>>> We are not sure how stable is this solution. >>>> >>>> 2) use solution with rpmdevtools proposed here: >>>> https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html >>>> >>>> This should be rock stable but it needs many dependencies (rpm-python >>>> too, perl) >>>> >>>> The second way looks safer, so I would like to reimplement it, do you >>>> all agree >>>> or do you have better idea? >>>> Feedback welcome, please ASAP. >>>> >>>> Martin^2 >>> Since it's Friday, I invested 15 minutes to practice my C skills and >>> use the >>> python-cffi library to call rpm rpmvercmp library call directly >>> (attached): >>> >>> $ python rpm.py 4.2.0-15.el7 4.2.0-15.el7_2.3 >>> 4.2.0-15.el7 < 4.2.0-15.el7_2.3 >>> >>> This would not introduce any additional dependency besides rpm-devel, >>> right? :-) > > Not rpm-devel, but rpm-libs (you should dlopen "librpm.so.3"). > >> I'm afraid that this can cause the same issue as import rpm, because the >> nsslib is used from C library > > I would be surprised if NSS was used in this particular function. 
>
If it would work then we could compare version like in this quickly hacked and
untested patch.

-- 
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-use-rpmvercmp-via-python-cffi-for-version-comparison.patch
Type: text/x-patch
Size: 2803 bytes
Desc: not available
URL: 

From jcholast at redhat.com Fri Jan 8 13:22:47 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 8 Jan 2016 14:22:47 +0100 Subject: [Freeipa-devel] import rpm causes failure during IPA caless install In-Reply-To: <568FB605.3070909@redhat.com> References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com> <568FB625.6060807@redhat.com> <568FB605.3070909@redhat.com> Message-ID: <568FB827.1010208@redhat.com> On 8.1.2016 14:13, Martin Basti wrote: > > > On 08.01.2016 14:14, Jan Cholasta wrote: >> On 8.1.2016 14:09, Martin Basti wrote: >>> >>> >>> On 08.01.2016 14:00, Martin Kosek wrote: >>>> On 01/08/2016 01:45 PM, Martin Basti wrote: >>>>> Hello all, >>>>> >>>>> fix for ticket https://fedorahosted.org/freeipa/ticket/5535 >>>>> requires to import rpm module >>>>> >>>>> This import somehow breaks nsslib in IPA >>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>> >>>>> >>>>> We have 2 ways how to fix it: >>>>> >>>>> 1) move import rpm to body of methods (attached patch) >>>>> We are not sure how stable is this solution. >>>>> >>>>> 2) use solution with rpmdevtools proposed here: >>>>> https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html >>>>> >>>>> This should be rock stable but it needs many dependencies (rpm-python >>>>> too, perl) >>>>> >>>>> The second way looks safer, so I would like to reimplement it, do you >>>>> all agree >>>>> or do you have better idea? >>>>> Feedback welcome, please ASAP. >>>>> >>>>> Martin^2 >>>> Since it's Friday, I invested 15 minutes to practice my C skills and >>>> use the >>>> python-cffi library to call rpm rpmvercmp library call directly >>>> (attached): >>>> >>>> $ python rpm.py 4.2.0-15.el7 4.2.0-15.el7_2.3 >>>> 4.2.0-15.el7 < 4.2.0-15.el7_2.3 >>>> >>>> This would not introduce any additional dependency besides rpm-devel, >>>> right? :-) >> >> Not rpm-devel, but rpm-libs (you should dlopen "librpm.so.3"). 
>>
>>> I'm afraid that this can cause the same issue as import rpm, because the
>>> nsslib is used from C library
>>
>> I would be surprised if NSS was used in this particular function.
>>
> I will try it

No NSS here:

Anyway, the function looks simple, so it might be safer to just rewrite it to
Python, with no new dependencies.

-- 
Jan Cholasta

From abokovoy at redhat.com Fri Jan 8 13:21:49 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 8 Jan 2016 15:21:49 +0200
Subject: [Freeipa-devel] import rpm causes failure during IPA caless install
In-Reply-To: <568FB625.6060807@redhat.com>
References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com> <568FB625.6060807@redhat.com>
Message-ID: <20160108132149.GK4316@redhat.com>

On Fri, 08 Jan 2016, Jan Cholasta wrote:
>On 8.1.2016 14:09, Martin Basti wrote:
>>
>>
>>On 08.01.2016 14:00, Martin Kosek wrote:
>>>On 01/08/2016 01:45 PM, Martin Basti wrote:
>>>>Hello all,
>>>>
>>>>fix for ticket https://fedorahosted.org/freeipa/ticket/5535
>>>>requires to import rpm module
>>>>
>>>>This import somehow breaks nsslib in IPA
>>>>https://fedorahosted.org/freeipa/ticket/5572
>>>>
>>>>
>>>>We have 2 ways how to fix it:
>>>>
>>>>1) move import rpm to body of methods (attached patch)
>>>>We are not sure how stable is this solution.
>>>>
>>>>2) use solution with rpmdevtools proposed here:
>>>>https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html
>>>>This should be rock stable but it needs many dependencies (rpm-python
>>>>too, perl)
>>>>
>>>>The second way looks safer, so I would like to reimplement it, do you
>>>>all agree
>>>>or do you have better idea?
>>>>Feedback welcome, please ASAP.
>>>>
>>>>Martin^2
>>>Since it's Friday, I invested 15 minutes to practice my C skills and
>>>use the
>>>python-cffi library to call rpm rpmvercmp library call directly
>>>(attached):
>>>
>>>$ python rpm.py 4.2.0-15.el7 4.2.0-15.el7_2.3
>>>4.2.0-15.el7 < 4.2.0-15.el7_2.3
>>>
>>>This would not introduce any additional dependency besides rpm-devel,
>>>right? :-)
>
>Not rpm-devel, but rpm-libs (you should dlopen "librpm.so.3").
>
>>I'm afraid that this can cause the same issue as import rpm, because the
>>nsslib is used from C library
>
>I would be surprised if NSS was used in this particular function.

This function does not use NSS so it should be fine.
python-rpm, on the other hand, initializes itself with access to NSS
database on mere import of 'rpm' module.

-- 
/ Alexander Bokovoy

From cheimes at redhat.com Fri Jan 8 13:24:26 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Fri, 8 Jan 2016 14:24:26 +0100
Subject: [Freeipa-devel] FreeIPA and modern requirements on certificates
In-Reply-To: <568FAB11.4070406@redhat.com>
References: <568FAB11.4070406@redhat.com>
Message-ID: <568FB88A.9080102@redhat.com>

On 2016-01-08 13:26, Martin Kosek wrote:
> Hi Fraser and other X.509 SMEs,
>
> I wanted to check with you on what we have or plan to have with respect to
> certificate/cipher strength in FreeIPA.
>
> When I visit the FreeIPA public demo for example, I usually see following
> errors with recent browsers:
>
> * Your connection to ipa.demo1.freeipa.org is encrypted using obsolete cipher
> suite.
> - The connection uses TLS 1.2
> - The connection is encrypted using AES_128_CBC, with HMAC-SHA1 for message
> authentication and RSA as the key exchange mechanism
>
> I usually do not see the common
> * Certificate chain contains a certificate signed with SHA-1
> error, but I am not sure if we are covered for this one.
>
>
> When I tested the FreeIPA demo with
> https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org
> (and ignore the trust issues), we get the mark B with following warnings:
>
> * This server accepts RC4 cipher, but only with older protocol versions. Grade
> capped to B.
>
> * The server does not support Forward Secrecy with the reference browsers.
>
>
> What do we miss to turn out Grade A, which is obviously something expected from
> security solution like FreeIPA? Is it just about ECC support
> (https://fedorahosted.org/freeipa/ticket/3951) or also maybe some change to our
> default certificate profiles?

The cert has another issue. It relies on Subject CN for host name
verification. This feature has been deprecated by RFC 2818 more than a
decade ago. Instead of Subject CN modern certs should use dNSName in
SubjectAltName x509v3 extension.

https://fedorahosted.org/pki/ticket/1464
https://github.com/shazow/urllib3/issues/497

Christian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: 

From mkosek at redhat.com Fri Jan 8 13:25:13 2016
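The check Christian describes, written out as an added example (not FreeIPA, Dogtag or urllib3 code): a hostname verifier that matches the SAN dNSName entries first, ignores the Subject CN whenever any dNSName is present, and treats a CN-only match as a failure unless the caller explicitly opts into the legacy fallback. It works on already-extracted certificate fields, so no X.509 parser is needed; the two sample certificates and the example.test names are constructed for the example.

```python
"""Hostname verification that requires a SAN dNSName, as RFC 2818 section 3.1
(and later RFC 6125) expect, and refuses the deprecated Subject CN fallback.

Added example for this thread, not FreeIPA, Dogtag or urllib3 code. It takes
already-extracted certificate fields, so no X.509 parser is needed; the two
sample certificates below are constructed.
"""


def dns_name_matches(presented, hostname):
    """Match one presented dNSName (or CN) against a reference hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard
    is accepted only as the entire leftmost label, it must be followed by
    at least two labels (so "*.test" never matches), and it covers exactly
    one label (so "*.example.test" does not match "a.b.example.test").
    """
    presented = presented.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    if not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert, hostname, allow_cn_fallback=False):
    """Return (ok, reason) for a certificate dict with 'san_dns' (list of
    dNSName strings) and 'subject_cn'.

    The SAN list is authoritative: if it exists at all, the CN is never
    consulted. A CN-only certificate passes only when the caller explicitly
    opts into the legacy fallback, and the reason string says so, which makes
    such certificates easy to find in logs before the fallback is removed.
    """
    san_dns = cert.get("san_dns") or []
    for name in san_dns:
        if dns_name_matches(name, hostname):
            return True, "matched SAN dNSName %r" % name
    if san_dns:
        return False, "no SAN dNSName matches %r (CN ignored, SAN present)" % hostname
    cn = cert.get("subject_cn")
    if cn and dns_name_matches(cn, hostname):
        if allow_cn_fallback:
            return True, "matched only via deprecated Subject CN %r" % cn
        return False, "certificate has no SAN dNSName; CN-only match rejected"
    return False, "no name in certificate matches %r" % hostname


# Constructed sample certificates (extracted fields only, no real X.509 data).
LEGACY_CERT = {"subject_cn": "ipa.example.test", "san_dns": []}
MODERN_CERT = {
    "subject_cn": "ipa.example.test",
    "san_dns": ["ipa.example.test", "*.example.test"],
}

if __name__ == "__main__":
    for label, cert in (("legacy", LEGACY_CERT), ("modern", MODERN_CERT)):
        ok, reason = verify_hostname(cert, "ipa.example.test")
        print("%s cert for ipa.example.test: %s (%s)"
              % (label, "OK" if ok else "FAIL", reason))
```

The `allow_cn_fallback` flag exists so a deployment can first log which certificates still depend on the CN and then flip the default to strict once they have been reissued with a dNSName.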
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 8 Jan 2016 14:25:13 +0100
Subject: [Freeipa-devel] FreeIPA and modern requirements on certificates
In-Reply-To: <20160108131755.GC31821@dhcp-40-8.bne.redhat.com>
References: <568FAB11.4070406@redhat.com> <20160108125619.GA31821@dhcp-40-8.bne.redhat.com> <568FB34F.1000008@redhat.com> <20160108131755.GC31821@dhcp-40-8.bne.redhat.com>
Message-ID: <568FB8B9.20105@redhat.com>

On 01/08/2016 02:17 PM, Fraser Tweedale wrote:
> On Fri, Jan 08, 2016 at 02:02:07PM +0100, Martin Kosek wrote:
>> On 01/08/2016 01:56 PM, Fraser Tweedale wrote:
>>> On Fri, Jan 08, 2016 at 01:26:57PM +0100, Martin Kosek wrote:
>>>> Hi Fraser and other X.509 SMEs,
>>>>
>>>> I wanted to check with you on what we have or plan to have with respect to
>>>> certificate/cipher strength in FreeIPA.
>>>>
>>>> When I visit the FreeIPA public demo for example, I usually see following
>>>> errors with recent browsers:
>>>>
>>>> * Your connection to ipa.demo1.freeipa.org is encrypted using obsolete cipher
>>>> suite.
>>>> - The connection uses TLS 1.2
>>>> - The connection is encrypted using AES_128_CBC, with HMAC-SHA1 for message
>>>> authentication and RSA as the key exchange mechanism
>>>>
>>> This is a cipher suite / ordering issue, not related to certificate.
>>>
>>>> I usually do not see the common
>>>> * Certificate chain contains a certificate signed with SHA-1
>>>> error, but I am not sure if we are covered for this one.
>>>>
>>> We are using sha256 for IPA CA and default profiles. Customers
>>> could still modify the profile or add profiles to sign using an
>>> obsolete hash, if they wanted to, but our default is good.
>>>
>>>>
>>>> When I tested the FreeIPA demo with
>>>> https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org
>>>> (and ignore the trust issues), we get the mark B with following warnings:
>>>>
>>>> * This server accepts RC4 cipher, but only with older protocol versions. Grade
>>>> capped to B.
>>>>
>>>> * The server does not support Forward Secrecy with the reference browsers.
>>>>
>>> Again a cipher suite tweak will address this.
>>>
>>>>
>>>> What do we miss to turn out Grade A, which is obviously something expected from
>>>> security solution like FreeIPA? Is it just about ECC support
>>>> (https://fedorahosted.org/freeipa/ticket/3951) or also maybe some change to our
>>>> default certificate profiles?
>>>>
>>> Based on what you've written, it is just the cipher suite that needs
>>> changing, and maybe a setting about favouring server cipher order
>>> over client order. ECC certificate support is not needed (yet) and
>>> the default profile is fine, w.r.t. hash used for signing.
>>>
>>> One important modern certificate requirement is to always include a
>>> SAN dnsName for the subject, as required by RFC 2818; this is ticket
>>> #4970 and it is on my radar.
>>>
>>> Cheers,
>>> Fraser
>>
>> Should I then file a ticket to fix the cipher suite? (I did not fully
>> understand the specifics though).
>>
> Yes. I have not checked yet, but we are possibly using
> stock-standard mod_nss configuration (as shipped by the RPM). If
> so, we should file a ticket against mod_nss to improve their
> defaults.

Right. In nss.conf, I see this default cipher suite:

NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

It certainly makes me a little nervous. In 389-ds-base case, we had a similar
list and solved it by using the list directly from NSS:

https://fedorahosted.org/389/ticket/47838
https://fedorahosted.org/freeipa/ticket/4395

CCing Rob here.

From abokovoy at redhat.com Fri Jan 8 13:28:38 2016
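The nss.conf default Martin quotes, checked mechanically, as an added example that is not FreeIPA or mod_nss code. It parses the NSSCipherSuite directive, reports every enabled cipher that uses RC4, MD5, (3)DES, NULL, Fortezza or export-grade keys, and records whether any enabled suite provides forward secrecy (ECDHE/DHE) and whether all of them are AEAD (GCM), the two properties behind the browser and SSL Labs warnings at the top of the thread. The HARDENED_NSS_CONF list is a constructed contrast written with mod_nss-style cipher names (an assumption for this example, not a FreeIPA configuration).

```python
"""Audit a mod_nss NSSCipherSuite directive for obsolete cipher suites.

Added example for this thread, not FreeIPA or mod_nss code. DEFAULT_NSS_CONF
is the nss.conf default quoted in the message; HARDENED_NSS_CONF is a
constructed contrast using mod_nss-style cipher names (an assumption here,
not a FreeIPA configuration).
"""
import re

DEFAULT_NSS_CONF = (
    "NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,"
    "-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,"
    "-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,"
    "-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha"
)

HARDENED_NSS_CONF = (
    "NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256,"
    "+ecdhe_rsa_aes_256_gcm_sha_384,+rsa_aes_128_gcm_sha_256,+rsa_aes_256_gcm_sha_384"
)

# Substring markers that turn an enabled cipher into a finding; first match wins.
WEAK_MARKERS = (
    ("null", "no encryption at all"),
    ("fortezza", "Fortezza (obsolete, no modern client offers it)"),
    ("rc4", "RC4 (RFC 7465 forbids it in TLS)"),
    ("rc2", "RC2 (obsolete)"),
    ("des", "DES/3DES (64-bit block cipher)"),
    ("md5", "MD5-based MAC"),
    ("_40_", "export-grade 40-bit key"),
    ("_56_", "export-grade 56-bit key"),
)


def parse_cipher_suite(directive):
    """Return an ordered {cipher: enabled} map from an NSSCipherSuite line.
    Each comma-separated token is '+name' (enabled) or '-name' (disabled)."""
    m = re.match(r"\s*NSSCipherSuite\s+(\S+)\s*$", directive)
    if not m:
        raise ValueError("not an NSSCipherSuite directive: %r" % directive)
    ciphers = {}
    for token in m.group(1).split(","):
        if len(token) < 2 or token[0] not in "+-":
            raise ValueError("malformed cipher token %r" % token)
        ciphers[token[1:]] = token[0] == "+"
    return ciphers


def audit_cipher_suite(directive):
    """Summarise the enabled ciphers: the weak ones with a reason, whether any
    enabled suite gives forward secrecy (ECDHE/DHE key exchange), and whether
    every enabled suite is AEAD (GCM) rather than CBC with an HMAC."""
    enabled = [c for c, on in parse_cipher_suite(directive).items() if on]
    weak = {}
    for cipher in enabled:
        for marker, reason in WEAK_MARKERS:
            if marker in cipher:
                weak[cipher] = reason
                break
    return {
        "enabled": enabled,
        "weak_enabled": weak,
        "forward_secrecy": any(c.startswith(("ecdhe_", "dhe_")) for c in enabled),
        "aead_only": bool(enabled) and all("gcm" in c for c in enabled),
    }


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_NSS_CONF), ("hardened", HARDENED_NSS_CONF)):
        report = audit_cipher_suite(conf)
        print("%s: %d enabled, forward secrecy=%s, AEAD only=%s" % (
            label, len(report["enabled"]), report["forward_secrecy"], report["aead_only"]))
        for cipher, reason in report["weak_enabled"].items():
            print("  weak: %s (%s)" % (cipher, reason))
```

On the quoted default the audit flags the two RC4 suites and both 3DES suites as enabled, and finds neither forward secrecy nor any AEAD suite, which is exactly the combination that produces the "obsolete cipher suite" browser warning and the SSL Labs grade cap.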
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 8 Jan 2016 15:28:38 +0200
Subject: [Freeipa-devel] import rpm causes failure during IPA caless install
In-Reply-To: <568FB827.1010208@redhat.com>
References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com> <568FB625.6060807@redhat.com> <568FB605.3070909@redhat.com> <568FB827.1010208@redhat.com>
Message-ID: <20160108132838.GL4316@redhat.com>

On Fri, 08 Jan 2016, Jan Cholasta wrote:
>>>I would be surprised if NSS was used in this particular function.
>>>
>>I will try it
>
>No NSS here:
>
>Anyway, the function looks simple, so it might be safer to just
>rewrite it to Python, with no new dependencies.

Still, we need to be careful in a case where RPM team would decide to
upgrade rpm version comparison algorithm. It has been fixed for quite
some years (the core wasn't changed since 2008) but occasionally there
are additions that expand supported formats like addition of dpkg-style
versions in 2012.

-- 
/ Alexander Bokovoy

From mkosek at redhat.com Fri Jan 8 13:32:10 2016
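The pure-Python rewrite Jan suggests, with the drift risk Alexander raises, as an added example that is not FreeIPA or rpm code: a port of the segment algorithm in rpm's rpmvercmp() (including the dpkg-style '~' rule added in 2012) plus a small epoch:version-release wrapper. The '^' separator that newer rpm releases also understand is deliberately left out, so this copy would already disagree with librpm on such strings, which is precisely the maintenance cost of reimplementing rather than calling librpm.so.3. `split_evr` and `compare_evr` are names chosen here; treating a missing epoch as 0 follows the convention rpm's own label comparison uses; the sample versions are the ones from Martin's test run.

```python
"""Pure-Python port of rpm's rpmvercmp() version segment comparison.

Added example for this thread, not FreeIPA or rpm code. It follows the
algorithm of rpm's lib/rpmvercmp.c including the dpkg-style '~' rule
(added in 2012); the '^' separator that newer rpm releases understand
is deliberately omitted, which is the drift risk of a local rewrite.
"""
import re

# Anything that is not a letter, digit or tilde is a segment separator.
_SEPARATORS = re.compile(r"[^0-9A-Za-z~]*")
_DIGITS = re.compile(r"[0-9]+")
_ALPHAS = re.compile(r"[A-Za-z]+")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 as version string a is older than, equal to or
    newer than b, using rpm's segment rules."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        i = _SEPARATORS.match(a, i).end()
        j = _SEPARATORS.match(b, j).end()
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        # '~' sorts before everything, even the end of the string,
        # so "1.0~rc1" is older than "1.0".
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i += 1
            j += 1
            continue
        # One side has no segments left; decided after the loop.
        if not (ca and cb):
            break
        # Take a run of digits from both sides, or a run of letters from both.
        if ca.isdigit():
            ma, mb = _DIGITS.match(a, i), _DIGITS.match(b, j)
            isnum = True
        else:
            ma, mb = _ALPHAS.match(a, i), _ALPHAS.match(b, j)
            isnum = False
        # Mixed types: a numeric segment is always newer than an alpha one.
        if mb is None:
            return 1 if isnum else -1
        seg_a, seg_b = ma.group(0), mb.group(0)
        if isnum:
            # Numbers: drop leading zeros, then more digits means larger.
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        # Same length (or alpha segments): plain string comparison decides.
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = ma.end(), mb.end()
    # All segments equal: the side with characters left over is newer.
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_evr(label):
    """Split '[epoch:]version[-release]' into (epoch, version, release).
    A missing epoch counts as '0', following rpm's label comparison."""
    epoch, sep, rest = label.partition(":")
    if not sep:
        epoch, rest = "0", label
    version, _, release = rest.partition("-")
    return epoch, version, release


def compare_evr(a, b):
    """Order two package labels like rpm: epoch, then version, then release."""
    for x, y in zip(split_evr(a), split_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


if __name__ == "__main__":
    import sys
    # Same interface as the rpm.py test run quoted in the thread.
    left, right = sys.argv[1:3]
    print(left, {-1: "<", 0: "==", 1: ">"}[compare_evr(left, right)], right)
```

Run as `python vercmp.py 4.2.0-15.el7 4.2.0-15.el7_2.3` it prints the same `<` result as the cffi version, without loading librpm and therefore without the NSS initialisation that `import rpm` triggers; the price is that any future rpm extension of the grammar has to be ported by hand.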
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 8 Jan 2016 14:32:10 +0100 Subject: [Freeipa-devel] import rpm causes failure during IPA caless install In-Reply-To: <568FB827.1010208@redhat.com> References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com> <568FB625.6060807@redhat.com> <568FB605.3070909@redhat.com> <568FB827.1010208@redhat.com> Message-ID: <568FBA5A.4060905@redhat.com> On 01/08/2016 02:22 PM, Jan Cholasta wrote: > On 8.1.2016 14:13, Martin Basti wrote: >> >> >> On 08.01.2016 14:14, Jan Cholasta wrote: >>> On 8.1.2016 14:09, Martin Basti wrote: >>>> >>>> >>>> On 08.01.2016 14:00, Martin Kosek wrote: >>>>> On 01/08/2016 01:45 PM, Martin Basti wrote: >>>>>> Hello all, >>>>>> >>>>>> fix for ticket https://fedorahosted.org/freeipa/ticket/5535 >>>>>> requires to import rpm module >>>>>> >>>>>> This import somehow breaks nsslib in IPA >>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>> >>>>>> >>>>>> We have 2 ways how to fix it: >>>>>> >>>>>> 1) move import rpm to body of methods (attached patch) >>>>>> We are not sure how stable is this solution. >>>>>> >>>>>> 2) use solution with rpmdevtools proposed here: >>>>>> https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html >>>>>> >>>>>> This should be rock stable but it needs many dependencies (rpm-python >>>>>> too, perl) >>>>>> >>>>>> The second way looks safer, so I would like to reimplement it, do you >>>>>> all agree >>>>>> or do you have better idea? >>>>>> Feedback welcome, please ASAP. >>>>>> >>>>>> Martin^2 >>>>> Since it's Friday, I invested 15 minutes to practice my C skills and >>>>> use the >>>>> python-cffi library to call rpm rpmvercmp library call directly >>>>> (attached): >>>>> >>>>> $ python rpm.py 4.2.0-15.el7 4.2.0-15.el7_2.3 >>>>> 4.2.0-15.el7 < 4.2.0-15.el7_2.3 >>>>> >>>>> This would not introduce any additional dependency besides rpm-devel, >>>>> right? 
>>>>> :-)
>>>
>>> Not rpm-devel, but rpm-libs (you should dlopen "librpm.so.3").
>>>
>>>> I'm afraid that this can cause the same issue as import rpm, because the
>>>> nsslib is used from C library
>>>
>>> I would be surprised if NSS was used in this particular function.
>>>
>> I will try it
>
> No NSS here:
>

What line? I must miss something...

> Anyway, the function looks simple, so it might be safer to just rewrite it to
> Python, with no new dependencies.

I would personally rather use the first proposal of rpmdevtools, rather than
rewriting it ourselves. IMO, rewriting the function is the worst option actually.

From mkosek at redhat.com Fri Jan 8 13:34:31 2016
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 8 Jan 2016 14:34:31 +0100 Subject: [Freeipa-devel] import rpm causes failure during IPA caless install In-Reply-To: <568FBA5A.4060905@redhat.com> References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com> <568FB625.6060807@redhat.com> <568FB605.3070909@redhat.com> <568FB827.1010208@redhat.com> <568FBA5A.4060905@redhat.com> Message-ID: <568FBAE7.2010307@redhat.com> On 01/08/2016 02:32 PM, Martin Kosek wrote: > On 01/08/2016 02:22 PM, Jan Cholasta wrote: >> On 8.1.2016 14:13, Martin Basti wrote: >>> >>> >>> On 08.01.2016 14:14, Jan Cholasta wrote: >>>> On 8.1.2016 14:09, Martin Basti wrote: >>>>> >>>>> >>>>> On 08.01.2016 14:00, Martin Kosek wrote: >>>>>> On 01/08/2016 01:45 PM, Martin Basti wrote: >>>>>>> Hello all, >>>>>>> >>>>>>> fix for ticket https://fedorahosted.org/freeipa/ticket/5535 >>>>>>> requires to import rpm module >>>>>>> >>>>>>> This import somehow breaks nsslib in IPA >>>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>>> >>>>>>> >>>>>>> We have 2 ways how to fix it: >>>>>>> >>>>>>> 1) move import rpm to body of methods (attached patch) >>>>>>> We are not sure how stable is this solution. >>>>>>> >>>>>>> 2) use solution with rpmdevtools proposed here: >>>>>>> https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html >>>>>>> >>>>>>> This should be rock stable but it needs many dependencies (rpm-python >>>>>>> too, perl) >>>>>>> >>>>>>> The second way looks safer, so I would like to reimplement it, do you >>>>>>> all agree >>>>>>> or do you have better idea? >>>>>>> Feedback welcome, please ASAP. 
>>>>>>> >>>>>>> Martin^2 >>>>>> Since it's Friday, I invested 15 minutes to practice my C skills and >>>>>> use the >>>>>> python-cffi library to call rpm rpmvercmp library call directly >>>>>> (attached): >>>>>> >>>>>> $ python rpm.py 4.2.0-15.el7 4.2.0-15.el7_2.3 >>>>>> 4.2.0-15.el7 < 4.2.0-15.el7_2.3 >>>>>> >>>>>> This would not introduce any additional dependency besides rpm-devel, >>>>>> right? :-) >>>> >>>> Not rpm-devel, but rpm-libs (you should dlopen "librpm.so.3"). >>>> >>>>> I'm afraid that this can cause the same issue as import rpm, because the >>>>> nsslib is used from C library >>>> >>>> I would be surprised if NSS was used in this particular function. >>>> >>> I will try it >> >> No NSS here: >> > > What line? I must miss something... Please ignore the above, I somehow read it as "No, NSS here" :-) > >> Anyway, the function looks simple, so it might be safer to just rewrite it to >> Python, with no new dependencies. > > I would personally rather use the first proposal of rpmdevtools, rather than > rewriting it ourselves. IMO, rewriting the function is the worst option actually. Still, how is reimplementing NSS function safer than calling their library function? I checked that rpm-devel is not required, BTW. From abokovoy at redhat.com Fri Jan 8 13:35:39 2016 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 8 Jan 2016 15:35:39 +0200 Subject: [Freeipa-devel] FreeIPA and modern requirements on certificates In-Reply-To: <568FB8B9.20105@redhat.com> References: <568FAB11.4070406@redhat.com> <20160108125619.GA31821@dhcp-40-8.bne.redhat.com> <568FB34F.1000008@redhat.com> <20160108131755.GC31821@dhcp-40-8.bne.redhat.com> <568FB8B9.20105@redhat.com> Message-ID: <20160108133539.GM4316@redhat.com> On Fri, 08 Jan 2016, Martin Kosek wrote: >On 01/08/2016 02:17 PM, Fraser Tweedale wrote: >> On Fri, Jan 08, 2016 at 02:02:07PM +0100, Martin Kosek wrote: >>> On 01/08/2016 01:56 PM, Fraser Tweedale wrote: >>>> On Fri, Jan 08, 2016 at 01:26:57PM +0100, Martin Kosek wrote: >>>>> Hi Fraser and other X.509 SMEs, >>>>> >>>>> I wanted to check with you on what we have or plan to have with respect to >>>>> certificate/cipher strength in FreeIPA. >>>>> >>>>> When I visit the FreeIPA public demo for example, I usually see following >>>>> errors with recent browsers: >>>>> >>>>> * Your connection to ipa.demo1.freeipa.org is encrypted using obsolete cipher >>>>> suite. >>>>> - The connection uses TLS 1.2 >>>>> - The connection is encrypted using AES_128_CBC, with HMAC-SHA1 for message >>>>> authentication and RSA as the key exchange mechanism >>>>> >>>> This is a cipher suite / ordering issue, not related to certificate. >>>> >>>>> I usually do not see the common >>>>> * Certificate chain contains a certificate signed with SHA-1 >>>>> error, but I am not sure if we are covered for this one. >>>>> >>>> We are using sha256 for IPA CA and default profiles. Customers >>>> could still modify the profile or add profiles to sign using an >>>> obsolete hash, if they wanted to, but our default is good. 
>>>> >>>>> >>>>> When I tested the FreeIPA demo with >>>>> https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org >>>>> (and ignore the trust issues), we get the mark B with following warnings: >>>>> >>>>> * This server accepts RC4 cipher, but only with older protocol versions. Grade >>>>> capped to B. >>>>> >>>>> * The server does not support Forward Secrecy with the reference browsers. >>>>> >>>> Again a cipher suite tweak will address this. >>>> >>>>> >>>>> What do we miss to turn out Grade A, which is obviously something expected from >>>>> security solution like FreeIPA? Is it just about ECC support >>>>> (https://fedorahosted.org/freeipa/ticket/3951) or also maybe some change to our >>>>> default certificate profiles? >>>>> >>>> Based on what you've written, it is just the cipher suite that needs >>>> changing, and maybe a setting about favouring server cipher order >>>> over client order. ECC certificate support is not needed (yet) and >>>> the default profile is fine, w.r.t. hash used for signing. >>>> >>>> One important modern certificate requirement is to always include a >>>> SAN dnsName for the subject, as required by RFC 2818; this is ticket >>>> #4970 and it is on my radar. >>>> >>>> Cheers, >>>> Fraser >>> >>> Should I then file a ticket to fix the cipher suite? (I did not fully >>> understand the specifics though). >>> >> Yes. I have not checked yet, but we are possibly using >> stock-standard mod_nss configuration (as shipped by the RPM). If >> so, we should file a ticket against mod_nss to improve their >> defaults. > >Right. In nss.conf, I see this default cipher suite: > >NSSCipherSuite >+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,- > >rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha > >It certainly makes me little nervous. 
In 389-ds-base case, we had a similar >list and solved it by using the list directly from NSS: > >https://fedorahosted.org/389/ticket/47838 >https://fedorahosted.org/freeipa/ticket/4395 > >CCing Rob here. Here is what I have in my setup that goes to A- according to ssllabs: NSSCipherSuite -rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 This gets A- due to lack of forward secrecy support. -- / Alexander Bokovoy From mkosek at redhat.com Fri Jan 8 13:36:57 2016 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 8 Jan 2016 14:36:57 +0100 Subject: [Freeipa-devel] FreeIPA and modern requirements on certificates In-Reply-To: <568FB88A.9080102@redhat.com> References: <568FAB11.4070406@redhat.com> <568FB88A.9080102@redhat.com> Message-ID: <568FBB79.5030600@redhat.com> On 01/08/2016 02:24 PM, Christian Heimes wrote: > On 2016-01-08 13:26, Martin Kosek wrote: >> Hi Fraser and other X.509 SMEs, >> >> I wanted to check with you on what we have or plan to have with respect to >> certificate/cipher strength in FreeIPA. >> >> When I visit the FreeIPA public demo for example, I usually see following >> errors with recent browsers: >> >> * Your connection to ipa.demo1.freeipa.org is encrypted using obsolete cipher >> suite. >> - The connection uses TLS 1.2 >> - The connection is encrypted using AES_128_CBC, with HMAC-SHA1 for message >> authentication and RSA as the key exchange mechanism >> >> I usually do not see the common >> * Certificate chain contains a certificate signed with SHA-1 >> error, but I am not sure if we are covered for this one. >> >> >> When I tested the FreeIPA demo with >> https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org >> (and ignore the trust issues), we get the mark B with following warnings: >> >> * This server accepts RC4 cipher, but only with older protocol versions. Grade >> capped to B. >> >> * The server does not support Forward Secrecy with the reference browsers. >> >> >> What do we miss to turn out Grade A, which is obviously something expected from >> security solution like FreeIPA? Is it just about ECC support >> (https://fedorahosted.org/freeipa/ticket/3951) or also maybe some change to our >> default certificate profiles? > > The cert has another issue. It relies on Subject CN for host name > verification. This feature has been deprecated by RFC 2818 more than a > decade ago. Instead of Subject CN modern certs should use dNSName in > SubjectAltName x509v3 extension. 
> > https://fedorahosted.org/pki/ticket/1464 > https://github.com/shazow/urllib3/issues/497 Right. Fraser should have it in his queue already: https://fedorahosted.org/freeipa/ticket/4970 Martin From mbabinsk at redhat.com Fri Jan 8 13:37:27 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 8 Jan 2016 14:37:27 +0100 Subject: [Freeipa-devel] import rpm causes failure during IPA caless install In-Reply-To: <568FB625.6060807@redhat.com> References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com> <568FB625.6060807@redhat.com> Message-ID: <568FBB97.5020809@redhat.com> On 01/08/2016 02:14 PM, Jan Cholasta wrote: > On 8.1.2016 14:09, Martin Basti wrote: >> >> >> On 08.01.2016 14:00, Martin Kosek wrote: >>> On 01/08/2016 01:45 PM, Martin Basti wrote: >>>> Hello all, >>>> >>>> fix for ticket https://fedorahosted.org/freeipa/ticket/5535 >>>> requires to import rpm module >>>> >>>> This import somehow breaks nsslib in IPA >>>> https://fedorahosted.org/freeipa/ticket/5572 >>>> >>>> >>>> We have 2 ways how to fix it: >>>> >>>> 1) move import rpm to body of methods (attached patch) >>>> We are not sure how stable is this solution. >>>> >>>> 2) use solution with rpmdevtools proposed here: >>>> https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html >>>> >>>> This should be rock stable but it needs many dependencies (rpm-python >>>> too, perl) >>>> >>>> The second way looks safer, so I would like to reimplement it, do you >>>> all agree >>>> or do you have better idea? >>>> Feedback welcome, please ASAP. >>>> >>>> Martin^2 >>> Since it's Friday, I invested 15 minutes to practice my C skills and >>> use the >>> python-cffi library to call rpm rpmvercmp library call directly >>> (attached): >>> >>> $ python rpm.py 4.2.0-15.el7 4.2.0-15.el7_2.3 >>> 4.2.0-15.el7 < 4.2.0-15.el7_2.3 >>> >>> This would not introduce any additional dependency besides rpm-devel, >>> right? :-) > > Not rpm-devel, but rpm-libs (you should dlopen "librpm.so.3"). > >> I'm afraid that this can cause the same issue as import rpm, because the >> nsslib is used from C library > > I would be surprised if NSS was used in this particular function. 
> It is not and the version comparison using rpmvercmp call through CFFI makes CA-less install and replica prepare work again. -- Martin^3 Babinsky From mkosek at redhat.com Fri Jan 8 13:40:32 2016 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 8 Jan 2016 14:40:32 +0100 Subject: [Freeipa-devel] import rpm causes failure during IPA caless install In-Reply-To: <568FB73E.3000403@redhat.com> References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com> <568FB625.6060807@redhat.com> <568FB73E.3000403@redhat.com> Message-ID: <568FBC50.1020009@redhat.com> On 01/08/2016 02:18 PM, Martin Babinsky wrote: > On 01/08/2016 02:14 PM, Jan Cholasta wrote: >> On 8.1.2016 14:09, Martin Basti wrote: >>> >>> >>> On 08.01.2016 14:00, Martin Kosek wrote: >>>> On 01/08/2016 01:45 PM, Martin Basti wrote: >>>>> Hello all, >>>>> >>>>> fix for ticket https://fedorahosted.org/freeipa/ticket/5535 >>>>> requires to import rpm module >>>>> >>>>> This import somehow breaks nsslib in IPA >>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>> >>>>> >>>>> We have 2 ways how to fix it: >>>>> >>>>> 1) move import rpm to body of methods (attached patch) >>>>> We are not sure how stable is this solution. >>>>> >>>>> 2) use solution with rpmdevtools proposed here: >>>>> https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html >>>>> >>>>> This should be rock stable but it needs many dependencies (rpm-python >>>>> too, perl) >>>>> >>>>> The second way looks safer, so I would like to reimplement it, do you >>>>> all agree >>>>> or do you have better idea? >>>>> Feedback welcome, please ASAP. >>>>> >>>>> Martin^2 >>>> Since it's Friday, I invested 15 minutes to practice my C skills and >>>> use the >>>> python-cffi library to call rpm rpmvercmp library call directly >>>> (attached): >>>> >>>> $ python rpm.py 4.2.0-15.el7 4.2.0-15.el7_2.3 >>>> 4.2.0-15.el7 < 4.2.0-15.el7_2.3 >>>> >>>> This would not introduce any additional dependency besides rpm-devel, >>>> right? :-) >> >> Not rpm-devel, but rpm-libs (you should dlopen "librpm.so.3"). 
>> >>> I'm afraid that this can cause the same issue as import rpm, because the >>> nsslib is used from C library >> >> I would be surprised if NSS was used in this particular function. >> > > If it would work then we could compare version like in this quickly hacked and > untested patch. BTW, I demand Acknowledgment statement for my Friday Idea in the patch description, if this approach is used ;-) From jcholast at redhat.com Fri Jan 8 13:48:48 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 8 Jan 2016 14:48:48 +0100 Subject: [Freeipa-devel] import rpm causes failure during IPA caless install In-Reply-To: <568FBAE7.2010307@redhat.com> References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com> <568FB625.6060807@redhat.com> <568FB605.3070909@redhat.com> <568FB827.1010208@redhat.com> <568FBA5A.4060905@redhat.com> <568FBAE7.2010307@redhat.com> Message-ID: <568FBE40.3090001@redhat.com> On 8.1.2016 14:34, Martin Kosek wrote: > On 01/08/2016 02:32 PM, Martin Kosek wrote: >> On 01/08/2016 02:22 PM, Jan Cholasta wrote: >>> On 8.1.2016 14:13, Martin Basti wrote: >>>> >>>> >>>> On 08.01.2016 14:14, Jan Cholasta wrote: >>>>> On 8.1.2016 14:09, Martin Basti wrote: >>>>>> >>>>>> >>>>>> On 08.01.2016 14:00, Martin Kosek wrote: >>>>>>> On 01/08/2016 01:45 PM, Martin Basti wrote: >>>>>>>> Hello all, >>>>>>>> >>>>>>>> fix for ticket https://fedorahosted.org/freeipa/ticket/5535 >>>>>>>> requires to import rpm module >>>>>>>> >>>>>>>> This import somehow breaks nsslib in IPA >>>>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>>>> >>>>>>>> >>>>>>>> We have 2 ways how to fix it: >>>>>>>> >>>>>>>> 1) move import rpm to body of methods (attached patch) >>>>>>>> We are not sure how stable is this solution. >>>>>>>> >>>>>>>> 2) use solution with rpmdevtools proposed here: >>>>>>>> https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html >>>>>>>> >>>>>>>> This should be rock stable but it needs many dependencies (rpm-python >>>>>>>> too, perl) >>>>>>>> >>>>>>>> The second way looks safer, so I would like to reimplement it, do you >>>>>>>> all agree >>>>>>>> or do you have better idea? >>>>>>>> Feedback welcome, please ASAP. 
>>>>>>>> >>>>>>>> Martin^2 >>>>>>> Since it's Friday, I invested 15 minutes to practice my C skills and >>>>>>> use the >>>>>>> python-cffi library to call rpm rpmvercmp library call directly >>>>>>> (attached): >>>>>>> >>>>>>> $ python rpm.py 4.2.0-15.el7 4.2.0-15.el7_2.3 >>>>>>> 4.2.0-15.el7 < 4.2.0-15.el7_2.3 >>>>>>> >>>>>>> This would not introduce any additional dependency besides rpm-devel, >>>>>>> right? :-) >>>>> >>>>> Not rpm-devel, but rpm-libs (you should dlopen "librpm.so.3"). >>>>> >>>>>> I'm afraid that this can cause the same issue as import rpm, because the >>>>>> nsslib is used from C library >>>>> >>>>> I would be surprised if NSS was used in this particular function. >>>>> >>>> I will try it >>> >>> No NSS here: >>> >> >> What line? I must miss something... > > Please ignore the above, I somehow read it as "No, NSS here" :-) > >> >>> Anyway, the function looks simple, so it might be safer to just rewrite it to >>> Python, with no new dependencies. >> >> I would personally rather use the first proposal of rpmdevtools, rather than >> rewriting it ourselves. IMO, rewriting the function is the worst option actually. > > Still, how is reimplementing NSS function safer than calling their library > function? I checked that rpm-devel is not required, BTW. Loading a library and going through cffi just to call ~20 lines of code seems like an overkill to me. (TBH I don't care how this is implemented, relying on linear versioning is broken by design, one way or another.) -- Jan Cholasta From mbabinsk at redhat.com Fri Jan 8 13:48:21 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 8 Jan 2016 14:48:21 +0100 Subject: [Freeipa-devel] import rpm causes failure during IPA caless install In-Reply-To: <568FBC50.1020009@redhat.com> References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com> <568FB625.6060807@redhat.com> <568FB73E.3000403@redhat.com> <568FBC50.1020009@redhat.com> Message-ID: <568FBE25.9080808@redhat.com> On 01/08/2016 02:40 PM, Martin Kosek wrote: > On 01/08/2016 02:18 PM, Martin Babinsky wrote: >> On 01/08/2016 02:14 PM, Jan Cholasta wrote: >>> On 8.1.2016 14:09, Martin Basti wrote: >>>> >>>> >>>> On 08.01.2016 14:00, Martin Kosek wrote: >>>>> On 01/08/2016 01:45 PM, Martin Basti wrote: >>>>>> Hello all, >>>>>> >>>>>> fix for ticket https://fedorahosted.org/freeipa/ticket/5535 >>>>>> requires to import rpm module >>>>>> >>>>>> This import somehow breaks nsslib in IPA >>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>> >>>>>> >>>>>> We have 2 ways how to fix it: >>>>>> >>>>>> 1) move import rpm to body of methods (attached patch) >>>>>> We are not sure how stable is this solution. >>>>>> >>>>>> 2) use solution with rpmdevtools proposed here: >>>>>> https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html >>>>>> >>>>>> This should be rock stable but it needs many dependencies (rpm-python >>>>>> too, perl) >>>>>> >>>>>> The second way looks safer, so I would like to reimplement it, do you >>>>>> all agree >>>>>> or do you have better idea? >>>>>> Feedback welcome, please ASAP. >>>>>> >>>>>> Martin^2 >>>>> Since it's Friday, I invested 15 minutes to practice my C skills and >>>>> use the >>>>> python-cffi library to call rpm rpmvercmp library call directly >>>>> (attached): >>>>> >>>>> $ python rpm.py 4.2.0-15.el7 4.2.0-15.el7_2.3 >>>>> 4.2.0-15.el7 < 4.2.0-15.el7_2.3 >>>>> >>>>> This would not introduce any additional dependency besides rpm-devel, >>>>> right? 
:-) >>> >>> Not rpm-devel, but rpm-libs (you should dlopen "librpm.so.3"). >>> >>>> I'm afraid that this can cause the same issue as import rpm, because the >>>> nsslib is used from C library >>> >>> I would be surprised if NSS was used in this particular function. >>> >> >> If it would work then we could compare version like in this quickly hacked and >> untested patch. > > BTW, I demand Acknowledgment statement for my Friday Idea in the patch > description, if this approach is used ;-) > No problem, we can even send it as two authors (http://stackoverflow.com/questions/7442112/attributing-a-single-commit-to-multiple-developers). You would be the second one, as ideamakers usually are in academic papers :). -- Martin^3 Babinsky From abokovoy at redhat.com Fri Jan 8 13:54:59 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 8 Jan 2016 15:54:59 +0200 Subject: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration In-Reply-To: <568D698D.3040004@redhat.com> References: <568D698D.3040004@redhat.com> Message-ID: <20160108135459.GP4316@redhat.com> On Wed, 06 Jan 2016, Martin Basti wrote: >https://fedorahosted.org/freeipa/ticket/5507 > >Patch attached. > >Is proposed workaround in ticket enough or should I also prepare a >update that will fix missing maps? The update you have is good but we need to recover missing maps. Given that we know which maps exist in the broken setup (those from 50-nis.update), it would make sense to check if only those CNs exist and then remove them and fire recovery. -- / Alexander Bokovoy From rcritten at redhat.com Fri Jan 8 14:02:26 2016 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 8 Jan 2016 09:02:26 -0500 Subject: [Freeipa-devel] FreeIPA and modern requirements on certificates In-Reply-To: <20160108133539.GM4316@redhat.com> References: <568FAB11.4070406@redhat.com> <20160108125619.GA31821@dhcp-40-8.bne.redhat.com> <568FB34F.1000008@redhat.com> <20160108131755.GC31821@dhcp-40-8.bne.redhat.com> <568FB8B9.20105@redhat.com> <20160108133539.GM4316@redhat.com> Message-ID: <568FC172.8020505@redhat.com> Alexander Bokovoy wrote: > On Fri, 08 Jan 2016, Martin Kosek wrote: >> On 01/08/2016 02:17 PM, Fraser Tweedale wrote: >>> On Fri, Jan 08, 2016 at 02:02:07PM +0100, Martin Kosek wrote: >>>> On 01/08/2016 01:56 PM, Fraser Tweedale wrote: >>>>> On Fri, Jan 08, 2016 at 01:26:57PM +0100, Martin Kosek wrote: >>>>>> Hi Fraser and other X.509 SMEs, >>>>>> >>>>>> I wanted to check with you on what we have or plan to have with >>>>>> respect to >>>>>> certificate/cipher strength in FreeIPA. >>>>>> >>>>>> When I visit the FreeIPA public demo for example, I usually see >>>>>> following >>>>>> errors with recent browsers: >>>>>> >>>>>> * Your connection to ipa.demo1.freeipa.org is encrypted using >>>>>> obsolete cipher >>>>>> suite. >>>>>> - The connection uses TLS 1.2 >>>>>> - The connection is encrypted using AES_128_CBC, with HMAC-SHA1 >>>>>> for message >>>>>> authentication and RSA as the key exchange mechanism >>>>>> >>>>> This is a cipher suite / ordering issue, not related to certificate. >>>>> >>>>>> I usually do not see the common >>>>>> * Certificate chain contains a certificate signed with SHA-1 >>>>>> error, but I am not sure if we are covered for this one. >>>>>> >>>>> We are using sha256 for IPA CA and default profiles. Customers >>>>> could still modify the profile or add profiles to sign using an >>>>> obsolete hash, if they wanted to, but our default is good. 
>>>>> >>>>>> >>>>>> When I tested the FreeIPA demo with >>>>>> https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org >>>>>> (and ignore the trust issues), we get the mark B with following >>>>>> warnings: >>>>>> >>>>>> * This server accepts RC4 cipher, but only with older protocol >>>>>> versions. Grade >>>>>> capped to B. >>>>>> >>>>>> * The server does not support Forward Secrecy with the reference >>>>>> browsers. >>>>>> >>>>> Again a cipher suite tweak will address this. >>>>> >>>>>> >>>>>> What do we miss to turn out Grade A, which is obviously something >>>>>> expected from >>>>>> security solution like FreeIPA? Is it just about ECC support >>>>>> (https://fedorahosted.org/freeipa/ticket/3951) or also maybe some >>>>>> change to our >>>>>> default certificate profiles? >>>>>> >>>>> Based on what you've written, it is just the cipher suite that needs >>>>> changing, and maybe a setting about favouring server cipher order >>>>> over client order. ECC certificate support is not needed (yet) and >>>>> the default profile is fine, w.r.t. hash used for signing. >>>>> >>>>> One important modern certificate requirement is to always include a >>>>> SAN dnsName for the subject, as required by RFC 2818; this is ticket >>>>> #4970 and it is on my radar. >>>>> >>>>> Cheers, >>>>> Fraser >>>> >>>> Should I then file a ticket to fix the cipher suite? (I did not fully >>>> understand the specifics though). >>>> >>> Yes. I have not checked yet, but we are possibly using >>> stock-standard mod_nss configuration (as shipped by the RPM). If >>> so, we should file a ticket against mod_nss to improve their >>> defaults. >> >> Right. 
In nss.conf, I see this default cipher suite: >> >> NSSCipherSuite >> +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,- >> >> >> rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha >> >> >> It certainly makes me little nervous. In 389-ds-base case, we had a >> similar >> list and solved it by using the list directly from NSS: >> >> https://fedorahosted.org/389/ticket/47838 >> https://fedorahosted.org/freeipa/ticket/4395 >> >> CCing Rob here. > Here is what I have in my setup that goes to A- according to ssllabs: > NSSCipherSuite > -rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha > > > NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 > > This gets A- due to lack of forward secrecy support. > An IPA ticket for this exists, https://fedorahosted.org/freeipa/ticket/4431 For mod_nss I was going to do this as part of https://fedorahosted.org/mod_nss/ticket/5 If you add in some EC ciphers you'd probably get PFS too. DH ciphers aren't supported yet. rob From lslebodn at redhat.com Fri Jan 8 14:31:59 2016 
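A small check for the nss.conf settings discussed in this thread, as an added example that is not part of the mailing-list thread, of mod_nss or of FreeIPA: it parses an NSSCipherSuite value and an NSSProtocol value, lists the enabled ciphers that are weak (RC4, MD5, NULL, single DES, 40/56-bit export, Fortezza), flags 3DES separately as legacy, and reports whether any ECDHE/DHE suite, the source of the forward secrecy Rob mentions, is enabled. The stock list and the A- list are the two quoted above; the third, hardened list is my own construction, and its two ecdhe_ names are assumed mod_nss spellings to be confirmed against the mod_nss cipher table before use.

```python
"""Lint mod_nss NSSCipherSuite / NSSProtocol values for weak settings.

Added example (not mod_nss or FreeIPA code).
"""
import re

# substrings that mark a mod_nss cipher name as weak by modern standards
WEAK_MARKERS = ("rc4", "md5", "null", "fortezza", "_40_", "_56_")
# single DES (rsa_des_sha, fips_des_sha) but not the 3des variants
SINGLE_DES = re.compile(r"(^|_)des_")
OBSOLETE_PROTOCOLS = {"SSLV2", "SSLV3"}


def parse_cipher_suite(value):
    """Map cipher name -> enabled (bool) from a '+name,-name,...' value."""
    enabled = {}
    for token in value.replace("\n", "").split(","):
        token = token.strip()
        if not token:
            continue
        if token[0] not in "+-":
            raise ValueError("cipher token without +/- prefix: %r" % token)
        enabled[token[1:].lower()] = token[0] == "+"
    return enabled


def classify(name):
    """Return 'weak', 'legacy' (3DES) or 'ok' for one mod_nss cipher name."""
    if any(m in name for m in WEAK_MARKERS) or SINGLE_DES.search(name):
        return "weak"
    if "3des" in name:
        return "legacy"
    return "ok"


def lint(cipher_suite, protocols):
    """Summarise what a scanner such as ssllabs would complain about."""
    ciphers = parse_cipher_suite(cipher_suite)
    on = sorted(name for name, flag in ciphers.items() if flag)
    protos = [p.strip().upper() for p in protocols.split(",") if p.strip()]
    return {
        "weak_enabled": [n for n in on if classify(n) == "weak"],
        "legacy_enabled": [n for n in on if classify(n) == "legacy"],
        # only ECDHE/DHE key exchange gives forward secrecy; plain RSA does not
        "forward_secrecy": any(n.startswith(("ecdhe_", "dhe_")) for n in on),
        "obsolete_protocols": [p for p in protos if p in OBSOLETE_PROTOCOLS],
    }


# the stock mod_nss default quoted in the thread
STOCK = ("+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,"
         "-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,"
         "+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,"
         "-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,"
         "+rsa_aes_256_sha")
# Alexander's A- list: the two RC4 suites turned off, still no forward secrecy
A_MINUS = STOCK.replace("+rsa_rc4_128_md5", "-rsa_rc4_128_md5").replace(
    "+rsa_rc4_128_sha", "-rsa_rc4_128_sha")
# constructed: 3DES dropped and ECDHE suites added (assumed mod_nss names)
HARDENED = ("-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-fips_3des_sha,"
            "+rsa_aes_128_sha,+rsa_aes_256_sha,"
            "+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_256_sha")
PROTOCOLS = "TLSv1.0,TLSv1.1,TLSv1.2"

if __name__ == "__main__":
    for label, suite in (("stock", STOCK), ("A-", A_MINUS), ("hardened", HARDENED)):
        print(label, lint(suite, PROTOCOLS))
```

On the stock list the checker reports the two enabled RC4 suites as weak and no forward secrecy; on the A- list no weak suites but still no forward secrecy, which matches the ssllabs result quoted above; only the hardened list with ECDHE suites passes both checks.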
From: lslebodn at redhat.com (Lukas Slebodnik) Date: Fri, 8 Jan 2016 15:31:59 +0100 Subject: [Freeipa-devel] import rpm causes failure during IPA caless install In-Reply-To: <568FB625.6060807@redhat.com> References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com> <568FB625.6060807@redhat.com> Message-ID: <20160108143157.GH28363@mail.corp.redhat.com> On (08/01/16 14:14), Jan Cholasta wrote: >On 8.1.2016 14:09, Martin Basti wrote: >> >> >>On 08.01.2016 14:00, Martin Kosek wrote: >>>On 01/08/2016 01:45 PM, Martin Basti wrote: >>>>Hello all, >>>> >>>>fix for ticket https://fedorahosted.org/freeipa/ticket/5535 >>>>requires to import rpm module >>>> >>>>This import somehow breaks nsslib in IPA >>>>https://fedorahosted.org/freeipa/ticket/5572 >>>> >>>> >>>>We have 2 ways how to fix it: >>>> >>>>1) move import rpm to body of methods (attached patch) >>>>We are not sure how stable is this solution. >>>> >>>>2) use solution with rpmdevtools proposed here: >>>>https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html >>>>This should be rock stable but it needs many dependencies (rpm-python >>>>too, perl) >>>> >>>>The second way looks safer, so I would like to reimplement it, do you >>>>all agree >>>>or do you have better idea? >>>>Feedback welcome, please ASAP. >>>> >>>>Martin^2 >>>Since it's Friday, I invested 15 minutes to practice my C skills and >>>use the >>>python-cffi library to call rpm rpmvercmp library call directly >>>(attached): >>> >>>$ python rpm.py 4.2.0-15.el7 4.2.0-15.el7_2.3 >>>4.2.0-15.el7 < 4.2.0-15.el7_2.3 >>> >>>This would not introduce any additional dependency besides rpm-devel, >>>right? :-) > >Not rpm-devel, but rpm-libs (you should dlopen "librpm.so.3"). > CentOS 7 has librpm.so.3 but fedora 23+ has librpm.so.7 So if it is possible it will be good to avoid using specific version. LS From tbabej at redhat.com Fri Jan 8 14:44:49 2016 
From: tbabej at redhat.com (Tomas Babej) Date: Fri, 8 Jan 2016 15:44:49 +0100 Subject: [Freeipa-devel] import rpm causes failure during IPA caless install In-Reply-To: <20160108143157.GH28363@mail.corp.redhat.com> References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com> <568FB625.6060807@redhat.com> <20160108143157.GH28363@mail.corp.redhat.com> Message-ID: <568FCB61.3090404@redhat.com> On 01/08/2016 03:31 PM, Lukas Slebodnik wrote: > On (08/01/16 14:14), Jan Cholasta wrote: >> On 8.1.2016 14:09, Martin Basti wrote: >>> >>> >>> On 08.01.2016 14:00, Martin Kosek wrote: >>>> On 01/08/2016 01:45 PM, Martin Basti wrote: >>>>> Hello all, >>>>> >>>>> fix for ticket https://fedorahosted.org/freeipa/ticket/5535 >>>>> requires to import rpm module >>>>> >>>>> This import somehow breaks nsslib in IPA >>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>> >>>>> >>>>> We have 2 ways how to fix it: >>>>> >>>>> 1) move import rpm to body of methods (attached patch) >>>>> We are not sure how stable is this solution. >>>>> >>>>> 2) use solution with rpmdevtools proposed here: >>>>> https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html >>>>> This should be rock stable but it needs many dependencies (rpm-python >>>>> too, perl) >>>>> >>>>> The second way looks safer, so I would like to reimplement it, do you >>>>> all agree >>>>> or do you have better idea? >>>>> Feedback welcome, please ASAP. >>>>> >>>>> Martin^2 >>>> Since it's Friday, I invested 15 minutes to practice my C skills and >>>> use the >>>> python-cffi library to call rpm rpmvercmp library call directly >>>> (attached): >>>> >>>> $ python rpm.py 4.2.0-15.el7 4.2.0-15.el7_2.3 >>>> 4.2.0-15.el7 < 4.2.0-15.el7_2.3 >>>> >>>> This would not introduce any additional dependency besides rpm-devel, >>>> right? :-) >> >> Not rpm-devel, but rpm-libs (you should dlopen "librpm.so.3"). 
>> > CentOS 7 has librpm.so.3 > but fedora 23+ has librpm.so.7 > > So if it is possible it will be good to avoid using specific version. > > LS > Yes. I think it should be quite possible to not use specific version, the interface signature itself is not likely to change. Even if it did, the problem would be detected immediately with the most basic of tests (installation & run). Tomas From lslebodn at redhat.com Fri Jan 8 15:10:47 2016 
From: lslebodn at redhat.com (Lukas Slebodnik) Date: Fri, 8 Jan 2016 16:10:47 +0100 Subject: [Freeipa-devel] import rpm causes failure during IPA caless install In-Reply-To: <568FB73E.3000403@redhat.com> References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com> <568FB625.6060807@redhat.com> <568FB73E.3000403@redhat.com> Message-ID: <20160108151046.GK28363@mail.corp.redhat.com> On (08/01/16 14:18), Martin Babinsky wrote: >On 01/08/2016 02:14 PM, Jan Cholasta wrote: >>On 8.1.2016 14:09, Martin Basti wrote: >>> >>> >>>On 08.01.2016 14:00, Martin Kosek wrote: >>>>On 01/08/2016 01:45 PM, Martin Basti wrote: >>>>>Hello all, >>>>> >>>>>fix for ticket https://fedorahosted.org/freeipa/ticket/5535 >>>>>requires to import rpm module >>>>> >>>>>This import somehow breaks nsslib in IPA >>>>>https://fedorahosted.org/freeipa/ticket/5572 >>>>> >>>>> >>>>>We have 2 ways how to fix it: >>>>> >>>>>1) move import rpm to body of methods (attached patch) >>>>>We are not sure how stable is this solution. >>>>> >>>>>2) use solution with rpmdevtools proposed here: >>>>>https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html >>>>> >>>>>This should be rock stable but it needs many dependencies (rpm-python >>>>>too, perl) >>>>> >>>>>The second way looks safer, so I would like to reimplement it, do you >>>>>all agree >>>>>or do you have better idea? >>>>>Feedback welcome, please ASAP. >>>>> >>>>>Martin^2 >>>>Since it's Friday, I invested 15 minutes to practice my C skills and >>>>use the >>>>python-cffi library to call rpm rpmvercmp library call directly >>>>(attached): >>>> >>>>$ python rpm.py 4.2.0-15.el7 4.2.0-15.el7_2.3 >>>>4.2.0-15.el7 < 4.2.0-15.el7_2.3 >>>> >>>>This would not introduce any additional dependency besides rpm-devel, >>>>right? :-) >> >>Not rpm-devel, but rpm-libs (you should dlopen "librpm.so.3"). 
>> >>>I'm afraid that this can cause the same issue as import rpm, because the >>>nsslib is used from C library >> >>I would be surprised if NSS was used in this particular function. >> > >If it would work then we could compare version like in this quickly hacked >and untested patch. > >-- >Martin^3 Babinsky >From 32ebf02d38b7174816f81579aab6ebbe26e80f64 Mon Sep 17 00:00:00 2001 >From: Martin Babinsky >Date: Fri, 8 Jan 2016 14:17:14 +0100 >Subject: [PATCH] use rpmvercmp via python-cffi for version comparison > >--- > ipaplatform/redhat/tasks.py | 45 ++++++++++++++------------------------------- > 1 file changed, 14 insertions(+), 31 deletions(-) > >diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py >index a0b4060..66ca3ad 100644 >--- a/ipaplatform/redhat/tasks.py >+++ b/ipaplatform/redhat/tasks.py >@@ -36,7 +36,7 @@ from subprocess import CalledProcessError > from nss.error import NSPRError > from pyasn1.error import PyAsn1Error > from six.moves import urllib >-import rpm >+from cffi import FFI > > from ipapython.ipa_log_manager import root_logger, log_mgr > from ipapython import ipautil 
>@@ -49,33 +49,16 @@ from ipaplatform.redhat.authconfig import RedHatAuthConfig > from ipaplatform.base.tasks import BaseTaskNamespace > > >-# copied from rpmUtils/miscutils.py >-def stringToVersion(verstring): >- if verstring in [None, '']: >- return (None, None, None) >- i = verstring.find(':') >- if i != -1: >- try: >- epoch = str(long(verstring[:i])) >- except ValueError: >- # look, garbage in the epoch field, how fun, kill it >- epoch = '0' # this is our fallback, deal >- else: >- epoch = '0' >- j = verstring.find('-') >- if j != -1: >- if verstring[i + 1:j] == '': >- version = None >- else: >- version = verstring[i + 1:j] >- release = verstring[j + 1:] >- else: >- if verstring[i + 1:] == '': >- version = None >- else: >- version = verstring[i + 1:] >- release = None >- return (epoch, version, release) >+def compare_rpm_versions(ver1, ver2): >+ ffi = FFI() >+ ffi.cdef(""" >+int rpmvercmp (const char *a, const char *b); >+""") >+ C = ffi.dlopen("rpmlib.so.3") rpmlib.so.3 does not exist. It is librpm.so.3 But as I mentioned in different mail. The soname was bumped in fedora 23. So please use only 'ffi.dlopen("rpm")' It would be also good to write unit test for this function. So you can detect issues with cffi if any. a = '4.2.0-15.el7' b = '4.2.0-15.el7_2.3' c = '4.2.0-16.el7' compare_rpm_versions(a, b) compare_rpm_versions(b, b) compare_rpm_versions(c, b) LS From pvoborni at redhat.com Fri Jan 8 15:19:12 2016 
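Review bot: in the first hunk (the import block), `+from cffi import FFI` turns python-cffi, and through the dlopen in the second hunk rpm-libs, into hard runtime requirements of ipaplatform/redhat/tasks.py, yet the diffstat shows only that one file changing; the packaging metadata that declares FreeIPA's dependencies should be updated in the same patch, otherwise importing the module fails on a host without cffi. The one-line commit message should also say why rpm-python is being dropped (the NSS breakage tracked in ticket 5572) so the reason survives in history.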
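Review bot: in the second hunk, the replacement drops the epoch/version/release split that stringToVersion performed, while the declared `int rpmvercmp (const char *a, const char *b);` compares two plain strings segment by segment, so an epoch prefix such as `1:` is no longer treated as an epoch; either split EVR and call rpmvercmp per component, or document that compare_rpm_versions is never given an epoch. Also `ffi = FFI()`, `ffi.cdef(...)` and `ffi.dlopen(...)` run on every call; set them up once, lazily on first use so nothing is loaded at import time (the concern behind ticket 5572), and catch OSError from dlopen so a missing library produces a clear error instead of a traceback. The hunk is cut off after the dlopen line, so the actual comparison and the return value cannot be reviewed from what is posted.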
From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 8 Jan 2016 16:19:12 +0100 Subject: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration In-Reply-To: <20160108135459.GP4316@redhat.com> References: <568D698D.3040004@redhat.com> <20160108135459.GP4316@redhat.com> Message-ID: <568FD370.6030809@redhat.com> On 01/08/2016 02:54 PM, Alexander Bokovoy wrote: > On Wed, 06 Jan 2016, Martin Basti wrote: >> https://fedorahosted.org/freeipa/ticket/5507 >> >> Patch attached. >> >> Is the proposed workaround in the ticket enough or should I also prepare an >> update that will fix missing maps? > The update you have is good but we need to recover missing maps. > Given that we know which maps exist in the broken setup (those from > 50-nis.update), it would make sense to check if only those CNs exist and > then remove them and fire recovery. > Could there be a situation where such a state would be desired and the update would actually break the user's setup? -- Petr Vobornik From mbasti at redhat.com Fri Jan 8 15:22:25 2016
From: mbasti at redhat.com (Martin Basti) Date: Fri, 8 Jan 2016 16:22:25 +0100 Subject: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration In-Reply-To: <568FD370.6030809@redhat.com> References: <568D698D.3040004@redhat.com> <20160108135459.GP4316@redhat.com> <568FD370.6030809@redhat.com> Message-ID: <568FD431.70308@redhat.com> On 08.01.2016 16:19, Petr Vobornik wrote: > On 01/08/2016 02:54 PM, Alexander Bokovoy wrote: >> On Wed, 06 Jan 2016, Martin Basti wrote: >>> https://fedorahosted.org/freeipa/ticket/5507 >>> >>> Patch attached. >>> >>> Is the proposed workaround in the ticket enough or should I also prepare an >>> update that will fix missing maps? >> The update you have is good but we need to recover missing maps. >> Given that we know which maps exist in the broken setup (those from >> 50-nis.update), it would make sense to check if only those CNs exist and >> then remove them and fire recovery. >> > > Could there be a situation where such a state would be desired and the > update would actually break the user's setup? Only if the user removed all these maps: "nis-domain={domain}+nis-map=passwd.byname,{suffix}", "nis-domain={domain}+nis-map=passwd.byuid,{suffix}", "nis-domain={domain}+nis-map=group.byname,{suffix}", "nis-domain={domain}+nis-map=group.bygid,{suffix}", "nis-domain={domain}+nis-map=netid.byname,{suffix}", "nis-domain={domain}+nis-map=netgroup,{suffix}", From abokovoy at redhat.com Fri Jan 8 15:22:37 2016
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 8 Jan 2016 17:22:37 +0200 Subject: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration In-Reply-To: <568FD370.6030809@redhat.com> References: <568D698D.3040004@redhat.com> <20160108135459.GP4316@redhat.com> <568FD370.6030809@redhat.com> Message-ID: <20160108152237.GR4316@redhat.com> On Fri, 08 Jan 2016, Petr Vobornik wrote: >On 01/08/2016 02:54 PM, Alexander Bokovoy wrote: >>On Wed, 06 Jan 2016, Martin Basti wrote: >>>https://fedorahosted.org/freeipa/ticket/5507 >>> >>>Patch attached. >>> >>>Is the proposed workaround in the ticket enough or should I also prepare an >>>update that will fix missing maps? >>The update you have is good but we need to recover missing maps. >>Given that we know which maps exist in the broken setup (those from >>50-nis.update), it would make sense to check if only those CNs exist and >>then remove them and fire recovery. >> > >Could there be a situation where such a state would be desired and the >update would actually break the user's setup? It is highly unlikely someone would want to remove all maps but ethers.byaddr and ethers.byname. That's our bug right now. -- / Alexander Bokovoy From mkosek at redhat.com Fri Jan 8 15:27:45 2016
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 8 Jan 2016 16:27:45 +0100 Subject: [Freeipa-devel] FreeIPA and modern requirements on certificates In-Reply-To: <568FC172.8020505@redhat.com> References: <568FAB11.4070406@redhat.com> <20160108125619.GA31821@dhcp-40-8.bne.redhat.com> <568FB34F.1000008@redhat.com> <20160108131755.GC31821@dhcp-40-8.bne.redhat.com> <568FB8B9.20105@redhat.com> <20160108133539.GM4316@redhat.com> <568FC172.8020505@redhat.com> Message-ID: <568FD571.7010002@redhat.com> On 01/08/2016 03:02 PM, Rob Crittenden wrote: > Alexander Bokovoy wrote: >> On Fri, 08 Jan 2016, Martin Kosek wrote: >>> On 01/08/2016 02:17 PM, Fraser Tweedale wrote: >>>> On Fri, Jan 08, 2016 at 02:02:07PM +0100, Martin Kosek wrote: >>>>> On 01/08/2016 01:56 PM, Fraser Tweedale wrote: >>>>>> On Fri, Jan 08, 2016 at 01:26:57PM +0100, Martin Kosek wrote: >>>>>>> Hi Fraser and other X.509 SMEs, >>>>>>> >>>>>>> I wanted to check with you on what we have or plan to have with >>>>>>> respect to >>>>>>> certificate/cipher strength in FreeIPA. >>>>>>> >>>>>>> When I visit the FreeIPA public demo for example, I usually see >>>>>>> the following >>>>>>> errors with recent browsers: >>>>>>> >>>>>>> * Your connection to ipa.demo1.freeipa.org is encrypted using >>>>>>> obsolete cypher >>>>>>> suite. >>>>>>> - The connection uses TLS 1.2 >>>>>>> - The connection is encrypted using AES_128_CBC, with HMAC-SHA1 >>>>>>> for message >>>>>>> authentication and RSA as the key exchange mechanism >>>>>>> >>>>>> This is a cipher suite / ordering issue, not related to the certificate. >>>>>> >>>>>>> I usually do not see the common >>>>>>> * Certificate chain contains a certificate signed with SHA-1 >>>>>>> error, but I am not sure if we are covered for this one. >>>>>>> >>>>>> We are using sha256 for IPA CA and default profiles. Customers >>>>>> could still modify the profile or add profiles to sign using an >>>>>> obsolete hash, if they wanted to, but our default is good.
>>>>>> >>>>>>> >>>>>>> When I tested the FreeIPA demo with >>>>>>> https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org >>>>>>> (ignoring the trust issues), we get the mark B with the following >>>>>>> warnings: >>>>>>> >>>>>>> * This server accepts RC4 cipher, but only with older protocol >>>>>>> versions. Grade >>>>>>> capped to B. >>>>>>> >>>>>>> * The server does not support Forward Secrecy with the reference >>>>>>> browsers. >>>>>>> >>>>>> Again a cipher suite tweak will address this. >>>>>> >>>>>>> >>>>>>> What are we missing to get Grade A, which is obviously something >>>>>>> expected from >>>>>>> a security solution like FreeIPA? Is it just about ECC support >>>>>>> (https://fedorahosted.org/freeipa/ticket/3951) or also maybe some >>>>>>> change to our >>>>>>> default certificate profiles? >>>>>>> >>>>>> Based on what you've written, it is just the cipher suite that needs >>>>>> changing, and maybe a setting about favouring server cipher order >>>>>> over client order. ECC certificate support is not needed (yet) and >>>>>> the default profile is fine, w.r.t. hash used for signing. >>>>>> >>>>>> One important modern certificate requirement is to always include a >>>>>> SAN dnsName for the subject, as required by RFC 2818; this is ticket >>>>>> #4970 and it is on my radar. >>>>>> >>>>>> Cheers, >>>>>> Fraser >>>>> >>>>> Should I then file a ticket to fix the cipher suite? (I did not fully >>>>> understand the specifics though). >>>>> >>>> Yes. I have not checked yet, but we are possibly using >>>> stock-standard mod_nss configuration (as shipped by the RPM). If >>>> so, we should file a ticket against mod_nss to improve their >>>> defaults. >>> >>> Right.
In nss.conf, I see this default cipher suite: >>> >>> NSSCipherSuite >>> +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha >>> >>> >>> It certainly makes me a little nervous. In the 389-ds-base case, we had a >>> similar >>> list and solved it by using the list directly from NSS: >>> >>> https://fedorahosted.org/389/ticket/47838 >>> https://fedorahosted.org/freeipa/ticket/4395 >>> >>> CCing Rob here. >> Here is what I have in my setup that goes to A- according to ssllabs: >> NSSCipherSuite >> -rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha >> >> >> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 >> >> This gets A- due to lack of forward secrecy support. >> > > An IPA ticket for this exists, https://fedorahosted.org/freeipa/ticket/4431 This is a refactoring type of ticket, it may not be done fast enough. I created a smaller task in a new ticket: https://fedorahosted.org/freeipa/ticket/5589 > For mod_nss I was going to do this as part of > https://fedorahosted.org/mod_nss/ticket/5 > > If you add in some EC ciphers you'd probably get PFS too. DH ciphers > aren't supported yet. > > rob > From mbabinsk at redhat.com Fri Jan 8 15:29:21 2016
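An added check (example code, not mod_nss's or FreeIPA's) that parses an NSSCipherSuite value such as the two quoted above and reports which enabled ciphers are obsolete and whether any (EC)DHE suite is on, which is what the A- grade above was missing. The `ecdhe_`/`dhe_` name prefixes are assumed from mod_nss's cipher naming; the two suite strings are copied from the thread.

```python
"""Audit a mod_nss NSSCipherSuite value for obsolete ciphers and missing PFS."""
import re

# The mod_nss default and the tightened suite quoted in this thread.
MODNSS_DEFAULT = (
    "+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,"
    "-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,"
    "-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,"
    "-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha"
)
TIGHTENED = (
    "-rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,"
    "-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,"
    "-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,"
    "-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha"
)

# Substring rules over mod_nss cipher names. The single-DES pattern requires
# "des" to start a name component, so "3des" is matched only by the 3DES rule.
_WEAK_RULES = (
    (re.compile(r"rc4"), "RC4 is broken"),
    (re.compile(r"rc2"), "RC2 export cipher"),
    (re.compile(r"md5"), "MD5-based MAC"),
    (re.compile(r"null"), "null cipher (no encryption)"),
    (re.compile(r"(^|_)des(_|$)"), "single DES"),
    (re.compile(r"3des"), "3DES (legacy 64-bit block cipher)"),
    (re.compile(r"fortezza"), "Fortezza"),
    (re.compile(r"_(40|56)_"), "export-grade key size"),
)
# Assumption: mod_nss names its ephemeral-DH suites with these prefixes.
_PFS_PREFIXES = ("ecdhe_", "dhe_")


def parse_cipher_suite(value):
    """Map cipher name -> enabled (bool) from a '+a,-b,...' NSSCipherSuite value."""
    result = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        if token[0] not in "+-":
            raise ValueError("cipher token must start with + or -: %r" % token)
        result[token[1:].lower()] = token[0] == "+"
    return result


def audit_cipher_suite(value):
    """Return [(cipher, reason), ...] for every enabled weak cipher, plus a
    ('*', ...) entry when no (EC)DHE suite is enabled, i.e. no forward secrecy."""
    ciphers = parse_cipher_suite(value)
    findings = []
    for name, enabled in ciphers.items():
        if not enabled:
            continue  # a disabled cipher is harmless whatever its name
        for pattern, reason in _WEAK_RULES:
            if pattern.search(name):
                findings.append((name, reason))
    if not any(on and name.startswith(_PFS_PREFIXES) for name, on in ciphers.items()):
        findings.append(("*", "no (EC)DHE suite enabled: no forward secrecy"))
    return findings


if __name__ == "__main__":
    for label, suite in (("mod_nss default", MODNSS_DEFAULT), ("tightened", TIGHTENED)):
        print(label)
        for cipher, reason in audit_cipher_suite(suite):
            print("  %-22s %s" % (cipher, reason))
```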
From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 8 Jan 2016 16:29:21 +0100 Subject: [Freeipa-devel] import rpm causes failure during IPA caless install In-Reply-To: <20160108151046.GK28363@mail.corp.redhat.com> References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com> <568FB625.6060807@redhat.com> <568FB73E.3000403@redhat.com> <20160108151046.GK28363@mail.corp.redhat.com> Message-ID: <568FD5D1.2040109@redhat.com> On 01/08/2016 04:10 PM, Lukas Slebodnik wrote: > On (08/01/16 14:18), Martin Babinsky wrote: >> On 01/08/2016 02:14 PM, Jan Cholasta wrote: >>> On 8.1.2016 14:09, Martin Basti wrote: >>>> >>>> >>>> On 08.01.2016 14:00, Martin Kosek wrote: >>>>> On 01/08/2016 01:45 PM, Martin Basti wrote: >>>>>> Hello all, >>>>>> >>>>>> the fix for ticket https://fedorahosted.org/freeipa/ticket/5535 >>>>>> requires importing the rpm module >>>>>> >>>>>> This import somehow breaks nsslib in IPA >>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>> >>>>>> >>>>>> We have 2 ways to fix it: >>>>>> >>>>>> 1) move import rpm to the body of methods (attached patch) >>>>>> We are not sure how stable this solution is. >>>>>> >>>>>> 2) use the solution with rpmdevtools proposed here: >>>>>> https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html >>>>>> >>>>>> This should be rock stable but it needs many dependencies (rpm-python >>>>>> too, perl) >>>>>> >>>>>> The second way looks safer, so I would like to reimplement it, do you >>>>>> all agree >>>>>> or do you have a better idea? >>>>>> Feedback welcome, please ASAP. >>>>>> >>>>>> Martin^2 >>>>> Since it's Friday, I invested 15 minutes to practice my C skills and >>>>> use the >>>>> python-cffi library to call the rpm rpmvercmp library function directly >>>>> (attached): >>>>> >>>>> $ python rpm.py 4.2.0-15.el7 4.2.0-15.el7_2.3 >>>>> 4.2.0-15.el7 < 4.2.0-15.el7_2.3 >>>>> >>>>> This would not introduce any additional dependency besides rpm-devel, >>>>> right?
:-) >>> >>> Not rpm-devel, but rpm-libs (you should dlopen "librpm.so.3"). >>> >>>> I'm afraid that this can cause the same issue as import rpm, because the >>>> nsslib is used from C library >>> >>> I would be surprised if NSS was used in this particular function. >>> >> >> If it would work then we could compare version like in this quickly hacked >> and untested patch. >> >> -- >> Martin^3 Babinsky > >>From 32ebf02d38b7174816f81579aab6ebbe26e80f64 Mon Sep 17 00:00:00 2001 >> From: Martin Babinsky >> Date: Fri, 8 Jan 2016 14:17:14 +0100 >> Subject: [PATCH] use rpmvercmp via python-cffi for version comparison >> >> --- >> ipaplatform/redhat/tasks.py | 45 ++++++++++++++------------------------------- >> 1 file changed, 14 insertions(+), 31 deletions(-) >> >> diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py >> index a0b4060..66ca3ad 100644 >> --- a/ipaplatform/redhat/tasks.py >> +++ b/ipaplatform/redhat/tasks.py >> @@ -36,7 +36,7 @@ from subprocess import CalledProcessError >> from nss.error import NSPRError >> from pyasn1.error import PyAsn1Error >> from six.moves import urllib >> -import rpm >> +from cffi import FFI >> >> from ipapython.ipa_log_manager import root_logger, log_mgr >> from ipapython import ipautil 
>> @@ -49,33 +49,16 @@ from ipaplatform.redhat.authconfig import RedHatAuthConfig >> from ipaplatform.base.tasks import BaseTaskNamespace >> >> >> -# copied from rpmUtils/miscutils.py >> -def stringToVersion(verstring): >> - if verstring in [None, '']: >> - return (None, None, None) >> - i = verstring.find(':') >> - if i != -1: >> - try: >> - epoch = str(long(verstring[:i])) >> - except ValueError: >> - # look, garbage in the epoch field, how fun, kill it >> - epoch = '0' # this is our fallback, deal >> - else: >> - epoch = '0' >> - j = verstring.find('-') >> - if j != -1: >> - if verstring[i + 1:j] == '': >> - version = None >> - else: >> - version = verstring[i + 1:j] >> - release = verstring[j + 1:] >> - else: >> - if verstring[i + 1:] == '': >> - version = None >> - else: >> - version = verstring[i + 1:] >> - release = None >> - return (epoch, version, release) >> +def compare_rpm_versions(ver1, ver2): >> + ffi = FFI() >> + ffi.cdef(""" >> +int rpmvercmp (const char *a, const char *b); >> +""") >> + C = ffi.dlopen("rpmlib.so.3") > rpmlib.so.3 does not exist. > > It is librpm.so.3 > But as I mentioned in a different mail. The soname was bumped in fedora 23. > > So please use only 'ffi.dlopen("rpm")' > > It would be also good to write a unit test for this function. > So you can detect issues with cffi if any. > > > a = '4.2.0-15.el7' > b = '4.2.0-15.el7_2.3' > c = '4.2.0-16.el7' > compare_rpm_versions(a, b) > compare_rpm_versions(b, b) > compare_rpm_versions(c, b) > > LS > Thank you for the suggestions Lukas, I have a patch and unit tests ready. They will land on the list shortly. -- Martin^3 Babinsky From mbabinsk at redhat.com Fri Jan 8 15:48:52 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 8 Jan 2016 16:48:52 +0100 Subject: [Freeipa-devel] [PATCH 0398] Allow to use mixed case for sysrestore In-Reply-To: <568E9871.6020108@redhat.com> References: <568D5823.40200@redhat.com> <568E9871.6020108@redhat.com> Message-ID: <568FDA64.80006@redhat.com> On 01/07/2016 05:55 PM, Martin Basti wrote: > > > On 06.01.2016 19:08, Martin Basti wrote: >> https://fedorahosted.org/freeipa/ticket/5574 >> >> Patch attached. >> >> >> >> >> > I missed one occurrence, updated patch attached. > > ACK (also the reason why Martin^2 didn't do it the nice way by subclassing SafeConfigParser and overriding the optionxform method in the subclass was that such an approach in combination with imports through six made pylint panic massively) -- Martin^3 Babinsky From pspacek at redhat.com Fri Jan 8 15:49:12 2016
From: pspacek at redhat.com (Petr Spacek) Date: Fri, 8 Jan 2016 16:49:12 +0100 Subject: [Freeipa-devel] FreeIPA and modern requirements on certificates In-Reply-To: <20160108125619.GA31821@dhcp-40-8.bne.redhat.com> References: <568FAB11.4070406@redhat.com> <20160108125619.GA31821@dhcp-40-8.bne.redhat.com> Message-ID: <568FDA78.6070404@redhat.com> On 8.1.2016 13:56, Fraser Tweedale wrote: > On Fri, Jan 08, 2016 at 01:26:57PM +0100, Martin Kosek wrote: >> > Hi Fraser and other X.509 SMEs, >> > >> > I wanted to check with you on what we have or plan to have with respect to >> > certificate/cipher strength in FreeIPA. >> > >> > When I visit the FreeIPA public demo for example, I usually see the following >> > errors with recent browsers: >> > >> > * Your connection to ipa.demo1.freeipa.org is encrypted using obsolete cypher >> > suite. >> > - The connection uses TLS 1.2 >> > - The connection is encrypted using AES_128_CBC, with HMAC-SHA1 for message >> > authentication and RSA as the key exchange mechanism HMAC-SHA1 reminded me of a recently published paper: http://www.mitls.org/pages/attacks/SLOTH It claims that all MD5 and SHA1 uses should be eliminated if feasible. > TL;DR > ... So, if you can afford to do so, get rid of MD5 and SHA1 in all your protocol configurations. I have no idea if we can do that, but we should at least try ... -- Petr^2 Spacek From pspacek at redhat.com Fri Jan 8 15:57:06 2016
From: pspacek at redhat.com (Petr Spacek) Date: Fri, 8 Jan 2016 16:57:06 +0100 Subject: [Freeipa-devel] Design: Automatic Empty Zone handling in bind-dyndb-ldap Message-ID: <568FDC52.4050704@redhat.com> Hello, recent improvements in FreeIPA 4.3.0 (finally) prevent the FreeIPA installer from creating made-up DNS reverse zones which already exist on some other DNS server. This change uncovered the well-hidden automatic empty zones in BIND 9.9+, which are now causing problems for users. It seems that this can be fixed by a change to the code which handles forward DNS zones. A short design document with the necessary background is available at: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/AutomaticEmptyZones Please be so kind as to review it ASAP, so I can write the patch quickly and make the life of our QE guys easier. Have a nice Friday. -- Petr^2 Spacek From cheimes at redhat.com Fri Jan 8 15:57:06 2016
From: cheimes at redhat.com (Christian Heimes) Date: Fri, 8 Jan 2016 16:57:06 +0100 Subject: [Freeipa-devel] FreeIPA and modern requirements on certificates In-Reply-To: <568FDA78.6070404@redhat.com> References: <568FAB11.4070406@redhat.com> <20160108125619.GA31821@dhcp-40-8.bne.redhat.com> <568FDA78.6070404@redhat.com> Message-ID: <568FDC52.2070207@redhat.com> On 2016-01-08 16:49, Petr Spacek wrote: > On 8.1.2016 13:56, Fraser Tweedale wrote: >> On Fri, Jan 08, 2016 at 01:26:57PM +0100, Martin Kosek wrote: >>>> Hi Fraser and other X.509 SMEs, >>>> >>>> I wanted to check with you on what we have or plan to have with respect to >>>> certificate/cipher strength in FreeIPA. >>>> >>>> When I visit the FreeIPA public demo for example, I usually see the following >>>> errors with recent browsers: >>>> >>>> * Your connection to ipa.demo1.freeipa.org is encrypted using obsolete cypher >>>> suite. >>>> - The connection uses TLS 1.2 >>>> - The connection is encrypted using AES_128_CBC, with HMAC-SHA1 for message >>>> authentication and RSA as the key exchange mechanism > > HMAC-SHA1 reminded me of a recently published paper: > http://www.mitls.org/pages/attacks/SLOTH > > It claims that all MD5 and SHA1 uses should be eliminated if feasible. MD5 and SHA-1 should no longer be used for signatures. MACs are a completely different story. HMAC-SHA1 and even HMAC-MD5 are still fine and believed to be secure. https://en.wikipedia.org/wiki/Hash-based_message_authentication_code#Security From mbabinsk at redhat.com Fri Jan 8 15:59:33 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 8 Jan 2016 16:59:33 +0100 Subject: [Freeipa-devel] [PATCH 0122-0123] reimplementation of package version comparison code Message-ID: <568FDCE5.2090701@redhat.com> Patch 0122 reimplements version checking and fixes https://fedorahosted.org/freeipa/ticket/5572 Patch 0123 contains unit test for version checking code. Thanks to Martin^1 for the idea of using CFFI for calling rpm C-API directly. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0123-tests-for-package-version-comparison.patch Type: text/x-patch Size: 2415 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0122-use-FFI-call-to-rpmvercmp-function-for-version-compa.patch Type: text/x-patch Size: 4402 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-4-2-mbabinsk-0122-use-FFI-call-to-rpmvercmp-function-for-version-compa.patch Type: text/x-patch Size: 4144 bytes Desc: not available URL: From pspacek at redhat.com Fri Jan 8 16:08:33 2016 
From: pspacek at redhat.com (Petr Spacek) Date: Fri, 8 Jan 2016 17:08:33 +0100 Subject: [Freeipa-devel] FreeIPA and modern requirements on certificates In-Reply-To: <568FDC52.2070207@redhat.com> References: <568FAB11.4070406@redhat.com> <20160108125619.GA31821@dhcp-40-8.bne.redhat.com> <568FDA78.6070404@redhat.com> <568FDC52.2070207@redhat.com> Message-ID: <568FDF01.4040603@redhat.com> On 8.1.2016 16:57, Christian Heimes wrote: > On 2016-01-08 16:49, Petr Spacek wrote: >> On 8.1.2016 13:56, Fraser Tweedale wrote: >>> On Fri, Jan 08, 2016 at 01:26:57PM +0100, Martin Kosek wrote: >>>>> Hi Fraser and other X.509 SMEs, >>>>> >>>>> I wanted to check with you on what we have or plan to have with respect to >>>>> certificate/cipher strength in FreeIPA. >>>>> >>>>> When I visit the FreeIPA public demo for example, I usually see the following >>>>> errors with recent browsers: >>>>> >>>>> * Your connection to ipa.demo1.freeipa.org is encrypted using obsolete cypher >>>>> suite. >>>>> - The connection uses TLS 1.2 >>>>> - The connection is encrypted using AES_128_CBC, with HMAC-SHA1 for message >>>>> authentication and RSA as the key exchange mechanism >> >> HMAC-SHA1 reminded me of a recently published paper: >> http://www.mitls.org/pages/attacks/SLOTH >> >> It claims that all MD5 and SHA1 uses should be eliminated if feasible. > > MD5 and SHA-1 should no longer be used for signatures. MACs are a > completely different story. HMAC-SHA1 and even HMAC-MD5 are still fine > and believed to be secure. > > https://en.wikipedia.org/wiki/Hash-based_message_authentication_code#Security Christian, have you read the page (or even better the paper) I linked above? The page starts with this: > Introduction > > In response to recent high-profile attacks that exploit hash function collisions, software vendors have started to phase out the use of MD5 and SHA1 in third-party digital signature applications such as X.509 certificates.
> However, weak hash functions continue to be used in various cryptographic constructions within mainstream protocols such as TLS, IKE, and SSH, because practitioners argue that their use in these protocols relies only on second preimage resistance, and hence is unaffected by collisions. We systematically investigate and debunk this argument. > > We identify a new class of transcript collision attacks on popular cryptographic protocols such as TLS, IKE, and SSH, that significantly reduce their expected security. Our attacks rely on the use of obsolete hash constructions in these protocols. If you open the paper, it has this on the very first page: [...] > This leaves open the question of what to do about > other uses of MD5 and SHA-1 in popular cryptographic protocols. Practitioners commonly believe that > collisions only affect non-repudiable signatures (like > certificates), but that signatures and MACs used within > protocols are safe as long as they include unpredictable > contents, such as nonces [16], [15]. In these cases, > protocol folklore says that a second preimage attack > would be required to break these protocols, and such > attacks are still considered hard, even for MD5. > Conversely, theoretical cryptographers routinely assume collision-resistance in proofs of security for > these protocols. For example, various recent proofs of > > TLS [17], [22], [11] assume collision-resistance even > though the most popular hash functions used in TLS > are MD5 and SHA-1. Whom shall we believe? Either it > is the case that cryptographic proofs of these protocols > are based on too-strong (i.e. false) assumptions that > should be weakened, or that practitioners are wrong and > collision resistance is required for protocol security. > This paper seeks to clarify this situation by systematically investigating the use of hash functions in the key > exchanges underlying various versions of TLS, IPsec, > and SSH.
> We demonstrate that, contrary to common > belief, collisions can be used to break fundamental security guarantees of these protocols. One thing I remember from my cryptography courses I had at university is that I should not try to outsmart professional cryptographers when it comes to assessing security properties :-D Judging from this: Claims on the Wikipedia page are not a sufficient guarantee for me, sorry. -- Petr^2 Spacek From mbabinsk at redhat.com Fri Jan 8 16:18:09 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 8 Jan 2016 17:18:09 +0100 Subject: [Freeipa-devel] [PATCH 0124] ipa-csreplica-manage: remove extraneous ldap2 connection Message-ID: <568FE141.4060200@redhat.com> fixes ipa-csreplica-manage del blowing up due to https://fedorahosted.org/freeipa/ticket/5583 for master and ipa-4-3 only. -- Martin^3 Babinsky From lslebodn at redhat.com Fri Jan 8 16:23:13 2016 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Fri, 8 Jan 2016 17:23:13 +0100 Subject: [Freeipa-devel] [PATCH 0122-0123] reimplementation of package version comparison code In-Reply-To: <568FDCE5.2090701@redhat.com> References: <568FDCE5.2090701@redhat.com> Message-ID: <20160108162312.GN28363@mail.corp.redhat.com> On (08/01/16 16:59), Martin Babinsky wrote: >Patch 0122 reimplements version checking and fixes >https://fedorahosted.org/freeipa/ticket/5572 > >Patch 0123 contains unit tests for the version checking code. > >Thanks to Martin^1 for the idea of using CFFI for calling rpm C-API directly. > >-- >Martin^3 Babinsky >From c7a5d8970d100d071597b4e1d7cef8a27b8cd485 Mon Sep 17 00:00:00 2001
>From: Martin Babinsky >Date: Fri, 8 Jan 2016 15:54:00 +0100 >Subject: [PATCH 2/3] tests for package version comparison > >These tests will ensure that our package version handling code can correctly >decide when to upgrade IPA master. > >https://fedorahosted.org/freeipa/ticket/5572 >--- > ipatests/test_ipaserver/test_version_comparsion.py | 47 ++++++++++++++++++++++ > 1 file changed, 47 insertions(+) > create mode 100644 ipatests/test_ipaserver/test_version_comparsion.py > >diff --git a/ipatests/test_ipaserver/test_version_comparsion.py b/ipatests/test_ipaserver/test_version_comparsion.py >new file mode 100644 >index 0000000000000000000000000000000000000000..51d069b23ba389ffce39e948cdbc7a1faaa84563 >--- /dev/null >+++ b/ipatests/test_ipaserver/test_version_comparsion.py 
>@@ -0,0 +1,47 @@ >+# >+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license >+# >+ >+""" >+tests for correct RPM version comparison >+""" >+ >+from ipaplatform.tasks import tasks >+import pytest >+ >+version_strings = [ >+ ("3.0.el6", "3.0.0.el6", "older"), >+ ("3.0.0.el6", "3.0.0.el6_8.2", "older"), >+ ("3.0.0-42.el6", "3.0.0.el6", "newer"), >+ ("3.0.0-1", "3.0.0-42", "older"), >+ ("3.0.0-42.el6", "3.3.3.fc20", "older"), >+ ("4.2.0-15.el7", "4.2.0-15.el7_2.3", "older"), >+ ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.3", "equal"), >+ ("4.2.0-1.fc23", "4.2.1.fc23", "older"), >+ ("4.2.3-alpha.fc23", "4.2.3-2.fc23", "older"), # numeric version elements have >+ # precedence over letters >+ ("4.3.90.201601080923GIT55aeea7-0.fc23", "4.3.0-1.fc23", "newer") >+] >+ >+ >+ at pytest.fixture(params=version_strings) >+def versions(request): >+ return request.param >+ >+class TestVersionComparsion(object): >+ >+ def test_versions(self, versions): >+ version_string1, version_string2, expected_comparison = versions >+ >+ ver1 = tasks.parse_ipa_version(version_string1) >+ ver2 = tasks.parse_ipa_version(version_string2) >+ >+ if expected_comparison == "newer": >+ assert ver1 > ver2 >+ elif expected_comparison == "older": >+ assert ver1 < ver2 >+ elif expected_comparison == "equal": >+ assert ver1 == ver2 >+ else: >+ raise TypeError( >+ "Unexpected comparison string: {}", expected_comparison) >-- >2.5.0 > >From 9677e1a3ca2f5837f1b779780127adf27efa81df Mon Sep 17 00:00:00 2001 
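Review bot: the final `else` branch raises `TypeError("Unexpected comparison string: {}", expected_comparison)`, which never formats the message (the placeholder text and the value end up as two separate exception arguments); use `"Unexpected comparison string: {}".format(expected_comparison)` and raise `ValueError`, since a bad string value is not a type error. Also the file name `test_version_comparsion.py` and the class `TestVersionComparsion` misspell "comparison", which is worth fixing before the file lands in the test tree, and the header says `Copyright (C) 2015` for a file created in January 2016.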
>From: Martin Babinsky >Date: Fri, 8 Jan 2016 14:17:14 +0100 >Subject: [PATCH 1/3] use FFI call to rpmvercmp function for version comparison > >Stop using rpm-python to compare package versions since the implicit NSS >initialization upon the module import breaks NSS handling in IPA code. Call >rpm-libs C-API function via CFFI instead. > >Big thanks to Martin Kosek for sharing the code snippet >that spurred this patch. > >https://fedorahosted.org/freeipa/ticket/5572 >--- > freeipa.spec.in | 2 +- > ipaplatform/redhat/tasks.py | 59 +++++++++++++++++++++------------------------ > 2 files changed, 29 insertions(+), 32 deletions(-) > >diff --git a/freeipa.spec.in b/freeipa.spec.in >index 7e956538d0f6c24bab636579303e0c7b5eeec199..7f31d41d16b2a26b404c277595f0994a21123f80 100644 >--- a/freeipa.spec.in >+++ b/freeipa.spec.in >@@ -214,7 +214,7 @@ Requires: python-pyasn1 > Requires: dbus-python > Requires: python-dns >= 1.11.1 > Requires: python-kdcproxy >= 0.3 >-Requires: rpm-python >+Requires: rpm-devel /usr/lib64/librpm.so.7 is provided by package rpm-libs sh$ rpm -qf /usr/lib64/librpm.so.7 rpm-libs-4.13.0-0.rc1.7.fc23.x86_64 It's not very common to depend on devel packages. LS From mbasti at redhat.com Fri Jan 8 16:48:33 2016 
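Review bot: `+Requires: rpm-devel` makes a development package a runtime dependency; the shared object the CFFI call needs (librpm.so.N) ships in rpm-libs, as the `rpm -qf /usr/lib64/librpm.so.7` output in the reply shows, so the Requires should name rpm-libs and the `dlopen` target should resolve against the versioned library (the unversioned `librpm.so` symlink only exists in rpm-devel). The diffstat shows a one-line change to freeipa.spec.in (`2 +-`), so the new CFFI import gets no Requires on the CFFI package either (python-cffi in Fedora); add that here as well.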
From: mbasti at redhat.com (Martin Basti) Date: Fri, 8 Jan 2016 17:48:33 +0100 Subject: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration In-Reply-To: <568FD431.70308@redhat.com> References: <568D698D.3040004@redhat.com> <20160108135459.GP4316@redhat.com> <568FD370.6030809@redhat.com> <568FD431.70308@redhat.com> Message-ID: <568FE861.2090307@redhat.com> On 08.01.2016 16:22, Martin Basti wrote: > > > On 08.01.2016 16:19, Petr Vobornik wrote: >> On 01/08/2016 02:54 PM, Alexander Bokovoy wrote: >>> On Wed, 06 Jan 2016, Martin Basti wrote: >>>> https://fedorahosted.org/freeipa/ticket/5507 >>>> >>>> Patch attached. >>>> >>>> Is the proposed workaround in the ticket enough or should I also prepare an >>>> update that will fix missing maps? >>> The update you have is good but we need to recover missing maps. >>> Given that we know which maps exist in the broken setup (those from >>> 50-nis.update), it would make sense to check if only those CNs exist >>> and >>> then remove them and fire recovery. >>> >> >> Could there be a situation where such a state would be desired and the >> update would actually break the user's setup? > Only if the user removed all these maps: > > "nis-domain={domain}+nis-map=passwd.byname,{suffix}", > "nis-domain={domain}+nis-map=passwd.byuid,{suffix}", > "nis-domain={domain}+nis-map=group.byname,{suffix}", > "nis-domain={domain}+nis-map=group.bygid,{suffix}", > "nis-domain={domain}+nis-map=netid.byname,{suffix}", > "nis-domain={domain}+nis-map=netgroup,{suffix}", > > > Updated patch attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0399.2-Upgrade-Fix-upgrade-of-NIS-Server-configuration.patch Type: text/x-patch Size: 16283 bytes Desc: not available URL: From mbabinsk at redhat.com Fri Jan 8 16:56:50 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 8 Jan 2016 17:56:50 +0100 Subject: [Freeipa-devel] [PATCH 0122-0123] reimplementation of package version comparison code In-Reply-To: <20160108162312.GN28363@mail.corp.redhat.com> References: <568FDCE5.2090701@redhat.com> <20160108162312.GN28363@mail.corp.redhat.com> Message-ID: <568FEA52.2040200@redhat.com> On 01/08/2016 05:23 PM, Lukas Slebodnik wrote: > On (08/01/16 16:59), Martin Babinsky wrote: >> Patch 0122 reimplements version checking and fixes >> https://fedorahosted.org/freeipa/ticket/5572 >> >> Patch 0123 contains unit test for version checking code. >> >> Thanks to Martin^1 for the idea of using CFFI for calling rpm C-API directly. >> >> -- >> Martin^3 Babinsky > >>From c7a5d8970d100d071597b4e1d7cef8a27b8cd485 Mon Sep 17 00:00:00 2001 >> From: Martin Babinsky >> Date: Fri, 8 Jan 2016 15:54:00 +0100 >> Subject: [PATCH 2/3] tests for package version comparison >> >> These tests will ensure that our package version handling code can correctly >> decide when to upgrade IPA master. >> >> https://fedorahosted.org/freeipa/ticket/5572 >> --- >> ipatests/test_ipaserver/test_version_comparsion.py | 47 ++++++++++++++++++++++ >> 1 file changed, 47 insertions(+) >> create mode 100644 ipatests/test_ipaserver/test_version_comparsion.py >> >> diff --git a/ipatests/test_ipaserver/test_version_comparsion.py b/ipatests/test_ipaserver/test_version_comparsion.py >> new file mode 100644 >> index 0000000000000000000000000000000000000000..51d069b23ba389ffce39e948cdbc7a1faaa84563 >> --- /dev/null >> +++ b/ipatests/test_ipaserver/test_version_comparsion.py 
>> @@ -0,0 +1,47 @@ >> +# >> +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license >> +# >> + >> +""" >> +tests for correct RPM version comparison >> +""" >> + >> +from ipaplatform.tasks import tasks >> +import pytest >> + >> +version_strings = [ >> + ("3.0.el6", "3.0.0.el6", "older"), >> + ("3.0.0.el6", "3.0.0.el6_8.2", "older"), >> + ("3.0.0-42.el6", "3.0.0.el6", "newer"), >> + ("3.0.0-1", "3.0.0-42", "older"), >> + ("3.0.0-42.el6", "3.3.3.fc20", "older"), >> + ("4.2.0-15.el7", "4.2.0-15.el7_2.3", "older"), >> + ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.3", "equal"), >> + ("4.2.0-1.fc23", "4.2.1.fc23", "older"), >> + ("4.2.3-alpha.fc23", "4.2.3-2.fc23", "older"), # numeric version elements have >> + # precedence over letters >> + ("4.3.90.201601080923GIT55aeea7-0.fc23", "4.3.0-1.fc23", "newer") >> +] >> + >> + >> + at pytest.fixture(params=version_strings) >> +def versions(request): >> + return request.param >> + >> +class TestVersionComparsion(object): >> + >> + def test_versions(self, versions): >> + version_string1, version_string2, expected_comparison = versions >> + >> + ver1 = tasks.parse_ipa_version(version_string1) >> + ver2 = tasks.parse_ipa_version(version_string2) >> + >> + if expected_comparison == "newer": >> + assert ver1 > ver2 >> + elif expected_comparison == "older": >> + assert ver1 < ver2 >> + elif expected_comparison == "equal": >> + assert ver1 == ver2 >> + else: >> + raise TypeError( >> + "Unexpected comparison string: {}", expected_comparison) >> -- >> 2.5.0 >> > >>From 9677e1a3ca2f5837f1b779780127adf27efa81df Mon Sep 17 00:00:00 2001 
>> From: Martin Babinsky >> Date: Fri, 8 Jan 2016 14:17:14 +0100 >> Subject: [PATCH 1/3] use FFI call to rpmvercmp function for version comparison >> >> Stop using rpm-python to compare package versions since the implicit NSS >> initialization upon the module import breaks NSS handling in IPA code. Call >> rpm-libs C-API function via CFFI instead. >> >> Big thanks to Martin Kosek for sharing the code snippet >> that spurred this patch. >> >> https://fedorahosted.org/freeipa/ticket/5572 >> --- >> freeipa.spec.in | 2 +- >> ipaplatform/redhat/tasks.py | 59 +++++++++++++++++++++------------------------ >> 2 files changed, 29 insertions(+), 32 deletions(-) >> >> diff --git a/freeipa.spec.in b/freeipa.spec.in >> index 7e956538d0f6c24bab636579303e0c7b5eeec199..7f31d41d16b2a26b404c277595f0994a21123f80 100644 >> --- a/freeipa.spec.in >> +++ b/freeipa.spec.in >> @@ -214,7 +214,7 @@ Requires: python-pyasn1 >> Requires: dbus-python >> Requires: python-dns >= 1.11.1 >> Requires: python-kdcproxy >= 0.3 >> -Requires: rpm-python >> +Requires: rpm-devel > /usr/lib64/librpm.so.7 is provided by package rpm-libs > > > sh$ rpm -qf /usr/lib64/librpm.so.7 > rpm-libs-4.13.0-0.rc1.7.fc23.x86_64 > > It's not very common to depend on devel packages. > > LS > I was basically trying workaround this http://fpaste.org/308652/22677521/ librpm.so.7 belongs to rpm-libs and librpm.so to rpm-devel and I was lazy (hey it's friday) to add path to librpm.so.7 to paths and use it i LD loader. If you think that it is not optimal I will fix it, but let's wait for some more feedback. -- Martin^3 Babinsky From mbasti at redhat.com Fri Jan 8 17:14:14 2016 
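Review bot: in the `else` branch of `test_versions`, `raise TypeError("Unexpected comparison string: {}", expected_comparison)` never applies the `{}` placeholder, so the exception is raised with a two-element tuple rather than a formatted message; write `"Unexpected comparison string: {}".format(expected_comparison)` and prefer `ValueError`, since the problem is a bad string value rather than a wrong type. The new file and class are also spelled `test_version_comparsion.py` / `TestVersionComparsion`; renaming them to `comparison` before this lands keeps the typo out of the tree. The `+ at pytest.fixture` line is only the archive's rewriting of `@pytest.fixture` and needs no change.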
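Review bot: `-Requires: rpm-python` / `+Requires: rpm-devel` replaces a runtime dependency with a development one; as the reply above shows (`rpm -qf /usr/lib64/librpm.so.7` → rpm-libs), the library that is actually dlopen()ed ships in rpm-libs, so `Requires: rpm-libs` is the right replacement and keeps pkgconfig and popt-devel off installed servers. The diffstat lists ipaplatform/redhat/tasks.py but that hunk is not quoted here; whatever it does, it should open the versioned soname (librpm.so.N) rather than an unversioned "rpm", otherwise a signature change in a future librpm would only be noticed as a crash at call time.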
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 8 Jan 2016 18:14:14 +0100
Subject: [Freeipa-devel] Design: Automatic Empty Zone handling in bind-dyndb-ldap
In-Reply-To: <568FDC52.4050704@redhat.com>
References: <568FDC52.4050704@redhat.com>
Message-ID: <568FEE66.8010600@redhat.com>

On 08.01.2016 16:57, Petr Spacek wrote:
> Hello,
>
> recent improvements in FreeIPA 4.3.0 (finally) prevent FreeIPA installer from
> creating made-up DNS reverse zones, which already exist on some other DNS server.
>
> This change uncovered well-hidden automatic empty zones in BIND 9.9+, which
> are now causing problems to users.
>
> It seems that this can be fixed by change to the code which handles forward
> DNS zones. Short design document with necessary background is available on:
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/AutomaticEmptyZones
>
> Please be so kind and review it ASAP, so I can write the patch quickly and
> make life of our QE guys easier.
>
> Have a nice Friday.
>
Hello,

IIUC, the differences between default bind behaviour and bind-dyndb-ldap behaviour are:

* disable automatic empty zone when policy is 'first' or 'only', instead of just 'only'

I liked it more than default behaviour of named, but could this be somehow unexpected by users, or will they be happy that it works better (?) than in named?

* bind-dyndb-ldap will not recreate automatic empty zone

IMO this should not harm at all

so design LGTM, I will think about it over this weekend
From mbasti at redhat.com Fri Jan 8 17:17:04 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 8 Jan 2016 18:17:04 +0100
Subject: [Freeipa-devel] [PATCH 0124] ipa-csreplica-manage: remove extraneous ldap2 connection
In-Reply-To: <568FE141.4060200@redhat.com>
References: <568FE141.4060200@redhat.com>
Message-ID: <568FEF10.4030608@redhat.com>

On 08.01.2016 17:18, Martin Babinsky wrote:
> fixes ipa-csreplica-manage del blowing up due
>
> https://fedorahosted.org/freeipa/ticket/5583
>
> for master and ipa-4-3 only.
>
Give me patch pleaaaaaaaaaaaaaaaaaaaaaaaase!!
From tbabej at redhat.com Fri Jan 8 17:26:07 2016
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 8 Jan 2016 18:26:07 +0100
Subject: [Freeipa-devel] [PATCH 0118] fix Py3 incompatible exception instantiation in replica install code
In-Reply-To: <568E98BC.9080000@redhat.com>
References: <568A272A.5060805@redhat.com> <568E98BC.9080000@redhat.com>
Message-ID: <568FF12F.6060007@redhat.com>

On 01/07/2016 05:56 PM, Martin Babinsky wrote:
> On 01/04/2016 09:02 AM, Martin Babinsky wrote:
>>
>>
>>
> I have created ticket to patch and added it to commit message:
>
> https://fedorahosted.org/freeipa/ticket/5585
>
>
>
ACK for these changes, however, there are additional occurrences in the code base, attaching a patch.

Tomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0396-py3-Remove-py3-incompatible-exception-handling.patch
Type: text/x-patch
Size: 2687 bytes
Desc: not available
URL:
From lslebodn at redhat.com Fri Jan 8 17:30:55 2016
From: lslebodn at redhat.com (Lukas Slebodnik) Date: Fri, 8 Jan 2016 18:30:55 +0100 Subject: [Freeipa-devel] [PATCH 0122-0123] reimplementation of package version comparison code In-Reply-To: <568FEA52.2040200@redhat.com> References: <568FDCE5.2090701@redhat.com> <20160108162312.GN28363@mail.corp.redhat.com> <568FEA52.2040200@redhat.com> Message-ID: <20160108173053.GP28363@mail.corp.redhat.com> On (08/01/16 17:56), Martin Babinsky wrote: >On 01/08/2016 05:23 PM, Lukas Slebodnik wrote: >>On (08/01/16 16:59), Martin Babinsky wrote: >>>Patch 0122 reimplements version checking and fixes >>>https://fedorahosted.org/freeipa/ticket/5572 >>> >>>Patch 0123 contains unit test for version checking code. >>> >>>Thanks to Martin^1 for the idea of using CFFI for calling rpm C-API directly. >>> >>>-- >>>Martin^3 Babinsky >> >>>From c7a5d8970d100d071597b4e1d7cef8a27b8cd485 Mon Sep 17 00:00:00 2001 >>>From: Martin Babinsky >>>Date: Fri, 8 Jan 2016 15:54:00 +0100 >>>Subject: [PATCH 2/3] tests for package version comparison >>> >>>These tests will ensure that our package version handling code can correctly >>>decide when to upgrade IPA master. >>> >>>https://fedorahosted.org/freeipa/ticket/5572 >>>--- >>>ipatests/test_ipaserver/test_version_comparsion.py | 47 ++++++++++++++++++++++ >>>1 file changed, 47 insertions(+) >>>create mode 100644 ipatests/test_ipaserver/test_version_comparsion.py >>> >>>diff --git a/ipatests/test_ipaserver/test_version_comparsion.py b/ipatests/test_ipaserver/test_version_comparsion.py >>>new file mode 100644 >>>index 0000000000000000000000000000000000000000..51d069b23ba389ffce39e948cdbc7a1faaa84563 >>>--- /dev/null >>>+++ b/ipatests/test_ipaserver/test_version_comparsion.py 
>>>@@ -0,0 +1,47 @@ >>>+# >>>+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license >>>+# >>>+ >>>+""" >>>+tests for correct RPM version comparison >>>+""" >>>+ >>>+from ipaplatform.tasks import tasks >>>+import pytest >>>+ >>>+version_strings = [ >>>+ ("3.0.el6", "3.0.0.el6", "older"), >>>+ ("3.0.0.el6", "3.0.0.el6_8.2", "older"), >>>+ ("3.0.0-42.el6", "3.0.0.el6", "newer"), >>>+ ("3.0.0-1", "3.0.0-42", "older"), >>>+ ("3.0.0-42.el6", "3.3.3.fc20", "older"), >>>+ ("4.2.0-15.el7", "4.2.0-15.el7_2.3", "older"), >>>+ ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.3", "equal"), >>>+ ("4.2.0-1.fc23", "4.2.1.fc23", "older"), >>>+ ("4.2.3-alpha.fc23", "4.2.3-2.fc23", "older"), # numeric version elements have >>>+ # precedence over letters >>>+ ("4.3.90.201601080923GIT55aeea7-0.fc23", "4.3.0-1.fc23", "newer") >>>+] >>>+ >>>+ >>>+ at pytest.fixture(params=version_strings) >>>+def versions(request): >>>+ return request.param >>>+ >>>+class TestVersionComparsion(object): >>>+ >>>+ def test_versions(self, versions): >>>+ version_string1, version_string2, expected_comparison = versions >>>+ >>>+ ver1 = tasks.parse_ipa_version(version_string1) >>>+ ver2 = tasks.parse_ipa_version(version_string2) >>>+ >>>+ if expected_comparison == "newer": >>>+ assert ver1 > ver2 >>>+ elif expected_comparison == "older": >>>+ assert ver1 < ver2 >>>+ elif expected_comparison == "equal": >>>+ assert ver1 == ver2 >>>+ else: >>>+ raise TypeError( >>>+ "Unexpected comparison string: {}", expected_comparison) >>>-- >>>2.5.0 >>> >> >>>From 9677e1a3ca2f5837f1b779780127adf27efa81df Mon Sep 17 00:00:00 2001 
>>>From: Martin Babinsky >>>Date: Fri, 8 Jan 2016 14:17:14 +0100 >>>Subject: [PATCH 1/3] use FFI call to rpmvercmp function for version comparison >>> >>>Stop using rpm-python to compare package versions since the implicit NSS >>>initialization upon the module import breaks NSS handling in IPA code. Call >>>rpm-libs C-API function via CFFI instead. >>> >>>Big thanks to Martin Kosek for sharing the code snippet >>>that spurred this patch. >>> >>>https://fedorahosted.org/freeipa/ticket/5572 >>>--- >>>freeipa.spec.in | 2 +- >>>ipaplatform/redhat/tasks.py | 59 +++++++++++++++++++++------------------------ >>>2 files changed, 29 insertions(+), 32 deletions(-) >>> >>>diff --git a/freeipa.spec.in b/freeipa.spec.in >>>index 7e956538d0f6c24bab636579303e0c7b5eeec199..7f31d41d16b2a26b404c277595f0994a21123f80 100644 >>>--- a/freeipa.spec.in >>>+++ b/freeipa.spec.in 
>>>@@ -214,7 +214,7 @@ Requires: python-pyasn1 >>>Requires: dbus-python >>>Requires: python-dns >= 1.11.1 >>>Requires: python-kdcproxy >= 0.3 >>>-Requires: rpm-python >>>+Requires: rpm-devel >>/usr/lib64/librpm.so.7 is provided by package rpm-libs >> >> >>sh$ rpm -qf /usr/lib64/librpm.so.7 >>rpm-libs-4.13.0-0.rc1.7.fc23.x86_64 >> >>It's not very common to depend on devel packages. >> >>LS >> > >I was basically trying workaround this http://fpaste.org/308652/22677521/ > rpm-libs contains librpm.so.* and cffi is smart enough to load right library with C = ffi.dlopen("rpm") So it's enough to add "Requires: rpm-libs" but it would be almost noop because rpm-libs is everytime available od fedora/rhel :-) "Requires: rpm-devel" add unnecessary additional runtime dependencies on pkgconfig, popt-devel >librpm.so.7 belongs to rpm-libs and librpm.so to rpm-devel and I was lazy >(hey it's friday) to add path to librpm.so.7 to paths and use it i LD loader. >If you think that it is not optimal I will fix it, but let's wait for some >more feedback. Sure wait for another python related comments. just my 2 cents :-) LS BTW thank you very much for unit tests. From mbabinsk at redhat.com Fri Jan 8 17:31:16 2016 
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 8 Jan 2016 18:31:16 +0100
Subject: [Freeipa-devel] [PATCH 0124] ipa-csreplica-manage: remove extraneous ldap2 connection
In-Reply-To: <568FEF10.4030608@redhat.com>
References: <568FE141.4060200@redhat.com> <568FEF10.4030608@redhat.com>
Message-ID: <568FF264.7070708@redhat.com>

On 01/08/2016 06:17 PM, Martin Basti wrote:
>
>
> On 08.01.2016 17:18, Martin Babinsky wrote:
>> fixes ipa-csreplica-manage del blowing up due
>>
>> https://fedorahosted.org/freeipa/ticket/5583
>>
>> for master and ipa-4-3 only.
>>
> Give me patch pleaaaaaaaaaaaaaaaaaaaaaaaase!!
Auto-attach plugin would be most welcome.. here's the patch.

-- 
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0124-ipa-csreplica-manage-remove-extraneous-ldap2-connect.patch
Type: text/x-patch
Size: 1151 bytes
Desc: not available
URL:
From mbasti at redhat.com Fri Jan 8 17:32:35 2016
From: mbasti at redhat.com (Martin Basti) Date: Fri, 8 Jan 2016 18:32:35 +0100 Subject: [Freeipa-devel] [PATCH 0398] Allow to use mixed case for sysrestore In-Reply-To: <568FDA64.80006@redhat.com> References: <568D5823.40200@redhat.com> <568E9871.6020108@redhat.com> <568FDA64.80006@redhat.com> Message-ID: <568FF2B3.7050704@redhat.com> On 08.01.2016 16:48, Martin Babinsky wrote: > On 01/07/2016 05:55 PM, Martin Basti wrote: >> >> >> On 06.01.2016 19:08, Martin Basti wrote: >>> https://fedorahosted.org/freeipa/ticket/5574 >>> >>> Patch attached. >>> >>> >>> >>> >>> >> I missed one occurrence, updated patch attached. >> >> > ACK > > (also the reason why Martin^2 didn't do it the nice way by subclassing > SafeConfigParser and overriding optionxform method in the subclass was > that such approach with combination of imports through six made pylint > panic massively) > Pushed to master: 129d97c10be570c3327445337c534e57a8c12ef6 Pushed to ipa-4-3: 44796fd275f9a1e577ce62a3fa557ace15ce4d88 Pushed to ipa-4-2: 2fce8fdc0dbb017eeda6bc3986472142cd712fe9 I did rebase for ipa-4-2, please check if I did not break it, also please note I had to backport following line to ipa-4-2 otherwise it will not work @@ -373,6 +373,8 @@ class OpenDNSSECInstance(service.Service): root_logger.debug(error) pass + self.restore_state("kasp_db_configured") # just eat state + # disabled by default, by ldap_enable() if enabled: self.enable() From jdennis at redhat.com Fri Jan 8 17:39:40 2016 
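Review bot: the backported `+ self.restore_state("kasp_db_configured") # just eat state` line discards the value it reads, and the comment says what it does but not why the key must be consumed on ipa-4-2; a short comment (or a pointer to ticket 5574, which this thread is about) at that line would spare the next person who touches OpenDNSSECInstance a trip through the list archive. Minor: the `pass` that follows `root_logger.debug(error)` in the surrounding context is redundant and could go in the same backport.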
From: jdennis at redhat.com (John Dennis)
Date: Fri, 8 Jan 2016 12:39:40 -0500
Subject: [Freeipa-devel] import rpm causes failure during IPA caless install
In-Reply-To: <568FB827.1010208@redhat.com>
References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com> <568FB625.6060807@redhat.com> <568FB605.3070909@redhat.com> <568FB827.1010208@redhat.com>
Message-ID: <568FF45C.1010008@redhat.com>

On 01/08/2016 08:22 AM, Jan Cholasta wrote:
> On 8.1.2016 14:13, Martin Basti wrote:
>>
>>
>> On 08.01.2016 14:14, Jan Cholasta wrote:
>>> On 8.1.2016 14:09, Martin Basti wrote:
>>>>
>>>>
>>>> On 08.01.2016 14:00, Martin Kosek wrote:
>>>>> On 01/08/2016 01:45 PM, Martin Basti wrote:
>>>>>> Hello all,
>>>>>>
>>>>>> fix for ticket https://fedorahosted.org/freeipa/ticket/5535
>>>>>> requires to import rpm module
>>>>>>
>>>>>> This import somehow breaks nsslib in IPA
>>>>>> https://fedorahosted.org/freeipa/ticket/5572
>>>>>>
>>>>>>
>>>>>> We have 2 ways how to fix it:
>>>>>>
>>>>>> 1) move import rpm to body of methods (attached patch)
>>>>>> We are not sure how stable is this solution.
>>>>>>
>>>>>> 2) use solution with rpmdevtools proposed here:
>>>>>> https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html
>>>>>>
>>>>>>
>>>>>> This should be rock stable but it needs many dependencies (rpm-python
>>>>>> too, perl)
>>>>>>
>>>>>> The second way looks safer, so I would like to reimplement it, do you
>>>>>> all agree
>>>>>> or do you have better idea?
>>>>>> Feedback welcome, please ASAP.
>>>>>>
>>>>>> Martin^2
>>>>> Since it's Friday, I invested 15 minutes to practice my C skills and
>>>>> use the
>>>>> python-cffi library to call rpm rpmvercmp library call directly
>>>>> (attached):
>>>>>
>>>>> $ python rpm.py 4.2.0-15.el7 4.2.0-15.el7_2.3
>>>>> 4.2.0-15.el7 < 4.2.0-15.el7_2.3
>>>>>
>>>>> This would not introduce any additional dependency besides rpm-devel,
>>>>> right? :-)
>>>
>>> Not rpm-devel, but rpm-libs (you should dlopen "librpm.so.3").
>>>
>>>> I'm afraid that this can cause the same issue as import rpm, because
>>>> the
>>>> nsslib is used from C library
>>>
>>> I would be surprised if NSS was used in this particular function.
>>>
>> I will try it
>
> No NSS here:
>
>
>
> Anyway, the function looks simple, so it might be safer to just rewrite
> it to Python, with no new dependencies.
>
Leaving aside the whole question of whether re-implementing rpmvercmp in Python is a good idea or not because of possible divergence from RPM, I offer to you an implementation of rpmvercmp written in Python I did years ago. It was written based on the published documentation of how RPM version comparison is implemented (as close to a spec as I was able to find). I believe I also used the C implementation as a guide but my memory is fuzzy on that point. I've used it a lot and I've also cross checked its results with librpm and I've never seen a differing result.

Use at your pleasure or displeasure :-)

HTH,
John

-- 
John
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rpmvercmp.py
Type: text/x-python
Size: 6057 bytes
Desc: not available
URL:
From jcholast at redhat.com Mon Jan 11 06:47:00 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 11 Jan 2016 07:47:00 +0100 Subject: [Freeipa-devel] [PATCH 0122-0123] reimplementation of package version comparison code In-Reply-To: <20160108173053.GP28363@mail.corp.redhat.com> References: <568FDCE5.2090701@redhat.com> <20160108162312.GN28363@mail.corp.redhat.com> <568FEA52.2040200@redhat.com> <20160108173053.GP28363@mail.corp.redhat.com> Message-ID: <56934FE4.6080006@redhat.com> On 8.1.2016 18:30, Lukas Slebodnik wrote: > On (08/01/16 17:56), Martin Babinsky wrote: >> On 01/08/2016 05:23 PM, Lukas Slebodnik wrote: >>> On (08/01/16 16:59), Martin Babinsky wrote: >>>> Patch 0122 reimplements version checking and fixes >>>> https://fedorahosted.org/freeipa/ticket/5572 >>>> >>>> Patch 0123 contains unit test for version checking code. >>>> >>>> Thanks to Martin^1 for the idea of using CFFI for calling rpm C-API directly. >>>> >>>> -- >>>> Martin^3 Babinsky >>> >>> >From c7a5d8970d100d071597b4e1d7cef8a27b8cd485 Mon Sep 17 00:00:00 2001 >>>> From: Martin Babinsky >>>> Date: Fri, 8 Jan 2016 15:54:00 +0100 >>>> Subject: [PATCH 2/3] tests for package version comparison >>>> >>>> These tests will ensure that our package version handling code can correctly >>>> decide when to upgrade IPA master. >>>> >>>> https://fedorahosted.org/freeipa/ticket/5572 >>>> --- >>>> ipatests/test_ipaserver/test_version_comparsion.py | 47 ++++++++++++++++++++++ >>>> 1 file changed, 47 insertions(+) >>>> create mode 100644 ipatests/test_ipaserver/test_version_comparsion.py >>>> >>>> diff --git a/ipatests/test_ipaserver/test_version_comparsion.py b/ipatests/test_ipaserver/test_version_comparsion.py >>>> new file mode 100644 >>>> index 0000000000000000000000000000000000000000..51d069b23ba389ffce39e948cdbc7a1faaa84563 >>>> --- /dev/null >>>> +++ b/ipatests/test_ipaserver/test_version_comparsion.py 
>>>> @@ -0,0 +1,47 @@ >>>> +# >>>> +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license >>>> +# >>>> + >>>> +""" >>>> +tests for correct RPM version comparison >>>> +""" >>>> + >>>> +from ipaplatform.tasks import tasks >>>> +import pytest >>>> + >>>> +version_strings = [ >>>> + ("3.0.el6", "3.0.0.el6", "older"), >>>> + ("3.0.0.el6", "3.0.0.el6_8.2", "older"), >>>> + ("3.0.0-42.el6", "3.0.0.el6", "newer"), >>>> + ("3.0.0-1", "3.0.0-42", "older"), >>>> + ("3.0.0-42.el6", "3.3.3.fc20", "older"), >>>> + ("4.2.0-15.el7", "4.2.0-15.el7_2.3", "older"), >>>> + ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.3", "equal"), >>>> + ("4.2.0-1.fc23", "4.2.1.fc23", "older"), >>>> + ("4.2.3-alpha.fc23", "4.2.3-2.fc23", "older"), # numeric version elements have >>>> + # precedence over letters >>>> + ("4.3.90.201601080923GIT55aeea7-0.fc23", "4.3.0-1.fc23", "newer") >>>> +] >>>> + >>>> + >>>> + at pytest.fixture(params=version_strings) >>>> +def versions(request): >>>> + return request.param >>>> + >>>> +class TestVersionComparsion(object): >>>> + >>>> + def test_versions(self, versions): >>>> + version_string1, version_string2, expected_comparison = versions >>>> + >>>> + ver1 = tasks.parse_ipa_version(version_string1) >>>> + ver2 = tasks.parse_ipa_version(version_string2) >>>> + >>>> + if expected_comparison == "newer": >>>> + assert ver1 > ver2 >>>> + elif expected_comparison == "older": >>>> + assert ver1 < ver2 >>>> + elif expected_comparison == "equal": >>>> + assert ver1 == ver2 >>>> + else: >>>> + raise TypeError( >>>> + "Unexpected comparison string: {}", expected_comparison) >>>> -- >>>> 2.5.0 >>>> >>> >>> >From 9677e1a3ca2f5837f1b779780127adf27efa81df Mon Sep 17 00:00:00 2001 
>>>> From: Martin Babinsky >>>> Date: Fri, 8 Jan 2016 14:17:14 +0100 >>>> Subject: [PATCH 1/3] use FFI call to rpmvercmp function for version comparison >>>> >>>> Stop using rpm-python to compare package versions since the implicit NSS >>>> initialization upon the module import breaks NSS handling in IPA code. Call >>>> rpm-libs C-API function via CFFI instead. >>>> >>>> Big thanks to Martin Kosek for sharing the code snippet >>>> that spurred this patch. >>>> >>>> https://fedorahosted.org/freeipa/ticket/5572 >>>> --- >>>> freeipa.spec.in | 2 +- >>>> ipaplatform/redhat/tasks.py | 59 +++++++++++++++++++++------------------------ >>>> 2 files changed, 29 insertions(+), 32 deletions(-) >>>> >>>> diff --git a/freeipa.spec.in b/freeipa.spec.in >>>> index 7e956538d0f6c24bab636579303e0c7b5eeec199..7f31d41d16b2a26b404c277595f0994a21123f80 100644 >>>> --- a/freeipa.spec.in >>>> +++ b/freeipa.spec.in 
>>>> @@ -214,7 +214,7 @@ Requires: python-pyasn1 >>>> Requires: dbus-python >>>> Requires: python-dns >= 1.11.1 >>>> Requires: python-kdcproxy >= 0.3 >>>> -Requires: rpm-python >>>> +Requires: rpm-devel >>> /usr/lib64/librpm.so.7 is provided by package rpm-libs >>> >>> >>> sh$ rpm -qf /usr/lib64/librpm.so.7 >>> rpm-libs-4.13.0-0.rc1.7.fc23.x86_64 >>> >>> It's not very common to depend on devel packages. >>> >>> LS >>> >> >> I was basically trying workaround this http://fpaste.org/308652/22677521/ >> > rpm-libs contains librpm.so.* > and cffi is smart enough to load right library with > C = ffi.dlopen("rpm") This likely won't be an issue here, but in general, we should use the versioned library name to have at least some API/ABI guarantee. If for example a function we depend on changed signature between versions, we would crash *hard* when it's called. > So it's enough to add "Requires: rpm-libs" > but it would be almost noop because rpm-libs is everytime available > od fedora/rhel :-) > > "Requires: rpm-devel" > add unnecessary additional runtime dependencies on pkgconfig, popt-devel > > >> librpm.so.7 belongs to rpm-libs and librpm.so to rpm-devel and I was lazy >> (hey it's friday) to add path to librpm.so.7 to paths and use it i LD loader. >> If you think that it is not optimal I will fix it, but let's wait for some >> more feedback. > Sure wait for another python related comments. NACK. The ffi.cdef() and ffi.dlopen() should be in the module scope, and the ffi.new() calls are unnecessary. -- Jan Cholasta From jcholast at redhat.com Mon Jan 11 06:47:45 2016 
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 11 Jan 2016 07:47:45 +0100
Subject: [Freeipa-devel] import rpm causes failure during IPA caless install
In-Reply-To: <20160108132838.GL4316@redhat.com>
References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com> <568FB625.6060807@redhat.com> <568FB605.3070909@redhat.com> <568FB827.1010208@redhat.com> <20160108132838.GL4316@redhat.com>
Message-ID: <56935011.2030303@redhat.com>

On 8.1.2016 14:28, Alexander Bokovoy wrote:
> On Fri, 08 Jan 2016, Jan Cholasta wrote:
>>>> I would be surprised if NSS was used in this particular function.
>>>>
>>> I will try it
>>
>> No NSS here:
>>
>>
>>
>> Anyway, the function looks simple, so it might be safer to just
>> rewrite it to Python, with no new dependencies.
> Still, we need to be careful in a case where RPM team would decide to
> upgrade rpm version comparison algorithm. It has been fixed for quite
> some years (the core wasn't changed since 2008) but occasionally there
> are additions that expand supported formats like addition of dpkg-style
> versions in 2012.

I don't think we need to care about that, as we use versioning scheme compatible with the original comparison algorithm on "our" platforms.

-- 
Jan Cholasta
From jcholast at redhat.com Mon Jan 11 06:51:17 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 11 Jan 2016 07:51:17 +0100
Subject: [Freeipa-devel] import rpm causes failure during IPA caless install
In-Reply-To: <568FCB61.3090404@redhat.com>
References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com> <568FB625.6060807@redhat.com> <20160108143157.GH28363@mail.corp.redhat.com> <568FCB61.3090404@redhat.com>
Message-ID: <569350E5.10501@redhat.com>

On 8.1.2016 15:44, Tomas Babej wrote:
>
>
> On 01/08/2016 03:31 PM, Lukas Slebodnik wrote:
>> On (08/01/16 14:14), Jan Cholasta wrote:
>>> On 8.1.2016 14:09, Martin Basti wrote:
>>>>
>>>>
>>>> On 08.01.2016 14:00, Martin Kosek wrote:
>>>>> On 01/08/2016 01:45 PM, Martin Basti wrote:
>>>>>> Hello all,
>>>>>>
>>>>>> fix for ticket https://fedorahosted.org/freeipa/ticket/5535
>>>>>> requires to import rpm module
>>>>>>
>>>>>> This import somehow breaks nsslib in IPA
>>>>>> https://fedorahosted.org/freeipa/ticket/5572
>>>>>>
>>>>>>
>>>>>> We have 2 ways how to fix it:
>>>>>>
>>>>>> 1) move import rpm to body of methods (attached patch)
>>>>>> We are not sure how stable is this solution.
>>>>>>
>>>>>> 2) use solution with rpmdevtools proposed here:
>>>>>> https://www.redhat.com/archives/freeipa-devel/2016-January/msg00092.html
>>>>>> This should be rock stable but it needs many dependencies (rpm-python
>>>>>> too, perl)
>>>>>>
>>>>>> The second way looks safer, so I would like to reimplement it, do you
>>>>>> all agree
>>>>>> or do you have better idea?
>>>>>> Feedback welcome, please ASAP.
>>>>>>
>>>>>> Martin^2
>>>>> Since it's Friday, I invested 15 minutes to practice my C skills and
>>>>> use the
>>>>> python-cffi library to call rpm rpmvercmp library call directly
>>>>> (attached):
>>>>>
>>>>> $ python rpm.py 4.2.0-15.el7 4.2.0-15.el7_2.3
>>>>> 4.2.0-15.el7 < 4.2.0-15.el7_2.3
>>>>>
>>>>> This would not introduce any additional dependency besides rpm-devel,
>>>>> right? :-)
>>>
>>> Not rpm-devel, but rpm-libs (you should dlopen "librpm.so.3").
>>>
>> CentOS 7 has librpm.so.3
>> but fedora 23+ has librpm.so.7
>>
>> So if it is possible it will be good to avoid using specific version.
>>
>> LS
>>
>
> Yes.
>
> I think it should be quite possible to not use specific version, the
> interface signature itself is not likely to change.
>
> Even if it did, the problem would be detected immediately with the most
> basic of tests (installation&run).

If by "detect" you mean "SEGFAULT", then yes. But I don't think this is a very nice way of detecting an issue.

-- 
Jan Cholasta
From abokovoy at redhat.com Mon Jan 11 06:50:22 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 11 Jan 2016 08:50:22 +0200
Subject: [Freeipa-devel] import rpm causes failure during IPA caless install
In-Reply-To: <56935011.2030303@redhat.com>
References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com> <568FB625.6060807@redhat.com> <568FB605.3070909@redhat.com> <568FB827.1010208@redhat.com> <20160108132838.GL4316@redhat.com> <56935011.2030303@redhat.com>
Message-ID: <20160111065022.GW4316@redhat.com>

On Mon, 11 Jan 2016, Jan Cholasta wrote:
>On 8.1.2016 14:28, Alexander Bokovoy wrote:
>>On Fri, 08 Jan 2016, Jan Cholasta wrote:
>>>>>I would be surprised if NSS was used in this particular function.
>>>>>
>>>>I will try it
>>>
>>>No NSS here:
>>>
>>>
>>>
>>>Anyway, the function looks simple, so it might be safer to just
>>>rewrite it to Python, with no new dependencies.
>>Still, we need to be careful in a case where RPM team would decide to
>>upgrade rpm version comparison algorithm. It has been fixed for quite
>>some years (the core wasn't changed since 2008) but occasionally there
>>are additions that expand supported formats like addition of dpkg-style
>>versions in 2012.
>
>I don't think we need to care about that, as we use versioning scheme
>compatible with the original comparison algorithm on "our" platforms.
In that case I'd prefer John's code as it is pure Python and doesn't have any other dependencies.

-- 
/ Alexander Bokovoy
From abokovoy at redhat.com Mon Jan 11 07:34:31 2016
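A pure-Python port of librpm's rpmvercmp, the approach John offers earlier in this thread and Alexander prefers here, checked against the version pairs from the quoted test patch. This is an added example, not John's rpmvercmp.py attachment or FreeIPA's tasks.py; it assumes whole version-release strings are compared as the test vectors do, and the '^' handling mirrors a separator rpm added after this thread.

```python
import string
from functools import total_ordering

_DIGITS = frozenset(string.digits)
_ALPHAS = frozenset(string.ascii_letters)


def _take_while(s, charset):
    """Longest prefix of s made only of characters from charset."""
    i = 0
    while i < len(s) and s[i] in charset:
        i += 1
    return s[:i]


def _skip_separators(s):
    """Drop leading chars that are neither alphanumeric nor '~'/'^' ('.', '-', '_', ...)."""
    while s and s[0] not in _DIGITS and s[0] not in _ALPHAS and s[0] not in "~^":
        s = s[1:]
    return s


def rpmvercmp(a, b):
    """Port of librpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.

    Segments are compared pairwise: numeric by magnitude (leading zeros
    dropped), alphabetic lexically, and numeric always beats alphabetic.
    '~' sorts before anything, even end of string (the dpkg-style addition
    the thread mentions); '^' is the later caret separator, which sorts
    after end of string but before anything else.
    """
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        one, two = _skip_separators(one), _skip_separators(two)
        if one.startswith("~") or two.startswith("~"):
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if one.startswith("^") or two.startswith("^"):
            if not one:
                return -1
            if not two:
                return 1
            if not one.startswith("^"):
                return 1
            if not two.startswith("^"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not one or not two:
            break  # one side is exhausted; decided below
        charset = _DIGITS if one[0] in _DIGITS else _ALPHAS
        isnum = charset is _DIGITS
        seg1, seg2 = _take_while(one, charset), _take_while(two, charset)
        if not seg2:
            return 1 if isnum else -1  # mixed types: the numeric side is newer
        one, two = one[len(seg1):], two[len(seg2):]
        if isnum:
            seg1, seg2 = seg1.lstrip("0"), seg2.lstrip("0")
            if len(seg1) != len(seg2):
                return 1 if len(seg1) > len(seg2) else -1  # more digits wins
        if seg1 != seg2:
            return 1 if seg1 > seg2 else -1
    if not one and not two:
        return 0
    return -1 if not one else 1  # whichever still has characters left wins


@total_ordering
class RpmVersion(object):
    """Comparable wrapper so version strings work with <, == and max()."""

    def __init__(self, version):
        self.version = version

    def __eq__(self, other):
        return rpmvercmp(self.version, other.version) == 0

    def __lt__(self, other):
        return rpmvercmp(self.version, other.version) < 0


def classify(v1, v2):
    """'older', 'equal' or 'newer': v1 relative to v2, in the test patch's vocabulary."""
    return {-1: "older", 0: "equal", 1: "newer"}[rpmvercmp(v1, v2)]


# Version pairs and expected outcomes copied from the quoted test patch.
THREAD_VECTORS = [
    ("3.0.el6", "3.0.0.el6", "older"), ("3.0.0.el6", "3.0.0.el6_8.2", "older"),
    ("3.0.0-42.el6", "3.0.0.el6", "newer"), ("3.0.0-1", "3.0.0-42", "older"),
    ("3.0.0-42.el6", "3.3.3.fc20", "older"), ("4.2.0-15.el7", "4.2.0-15.el7_2.3", "older"),
    ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.3", "equal"), ("4.2.0-1.fc23", "4.2.1.fc23", "older"),
    ("4.2.3-alpha.fc23", "4.2.3-2.fc23", "older"),
    ("4.3.90.201601080923GIT55aeea7-0.fc23", "4.3.0-1.fc23", "newer"),
]


def failing_vectors():
    """Vectors whose computed outcome differs from the expectation (empty list = all pass)."""
    return [(v1, v2, want) for v1, v2, want in THREAD_VECTORS if classify(v1, v2) != want]
```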
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 11 Jan 2016 09:34:31 +0200
Subject: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration
In-Reply-To: <568FE861.2090307@redhat.com>
References: <568D698D.3040004@redhat.com> <20160108135459.GP4316@redhat.com> <568FD370.6030809@redhat.com> <568FD431.70308@redhat.com> <568FE861.2090307@redhat.com>
Message-ID: <20160111073431.GX4316@redhat.com>

On Fri, 08 Jan 2016, Martin Basti wrote:
>
>
> On 08.01.2016 16:22, Martin Basti wrote:
>>
>>
>> On 08.01.2016 16:19, Petr Vobornik wrote:
>>> On 01/08/2016 02:54 PM, Alexander Bokovoy wrote:
>>>> On Wed, 06 Jan 2016, Martin Basti wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/5507
>>>>>
>>>>> Patch attached.
>>>>>
>>>>> Is proposed workaround in ticket enough or should I also prepare an
>>>>> update that will fix missing maps?
>>>> The update you have is good but we need to recover missing maps.
>>>> Given that we know which maps exist in the broken setup (those from
>>>> 50-nis.update), it would make sense to check if only those CNs exist
>>>> and
>>>> then remove them and fire recovery.
>>>>
>>>
>>> Could there be a situation where such state would be desired and the
>>> update would actually break user's setup?
>> Only if user removed all these maps:
>>
>> "nis-domain={domain}+nis-map=passwd.byname,{suffix}",
>> "nis-domain={domain}+nis-map=passwd.byuid,{suffix}",
>> "nis-domain={domain}+nis-map=group.byname,{suffix}",
>> "nis-domain={domain}+nis-map=group.bygid,{suffix}",
>> "nis-domain={domain}+nis-map=netid.byname,{suffix}",
>> "nis-domain={domain}+nis-map=netgroup,{suffix}",
>>
>>
>>
> Updated patch attached.
ACK: I did upgrade of an install where NIS was enabled last December and it had broken records as can be seen by CreateTimestamp. During upgrade new entries were added, restoring the proper configuration:

# ldapsearch -LLL -H ldapi://%2fvar%2frun%2fslapd-RH-VDA-LI.socket -b cn=config '(nis-domain=*)' dn CreateTimestamp ModifyTimestamp
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: nis-domain=rh.vda.li+nis-map=ethers.byaddr,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20151202162357Z
ModifyTimestamp: 20151202162357Z

dn: nis-domain=rh.vda.li+nis-map=ethers.byname,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20151202162357Z
ModifyTimestamp: 20151202162357Z

dn: nis-domain=rh.vda.li+nis-map=group.bygid,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071241Z
ModifyTimestamp: 20160111071241Z

dn: nis-domain=rh.vda.li+nis-map=group.byname,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071241Z
ModifyTimestamp: 20160111071241Z

dn: nis-domain=rh.vda.li+nis-map=netgroup,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071242Z
ModifyTimestamp: 20160111071242Z

dn: nis-domain=rh.vda.li+nis-map=netid.byname,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071242Z
ModifyTimestamp: 20160111071242Z

dn: nis-domain=rh.vda.li+nis-map=passwd.byname,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071240Z
ModifyTimestamp: 20160111071240Z

dn: nis-domain=rh.vda.li+nis-map=passwd.byuid,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071240Z
ModifyTimestamp: 20160111071240Z

-- 
/ Alexander Bokovoy
From jcholast at redhat.com Mon Jan 11 08:09:59 2016
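The check Alexander asks for in the quoted exchange (see which of the six core maps still exist under the NIS Server plugin entry, then recover) and the ldapsearch output above, as an added example that is not the patch's code: it parses ldapsearch LDIF, reports the missing core maps and builds the DNs to restore from the templates quoted in the thread. It assumes, from Martin's answer, that recovery fires only when none of the six maps exist; the domain and timestamps in the samples are constructed.

```python
import re

# DN suffix of slapi-nis map entries, as in the ldapsearch output above.
NIS_SUFFIX = "cn=NIS Server,cn=plugins,cn=config"

# The six maps the thread lists as the ones the upgrade has to restore.
CORE_MAPS = frozenset([
    "passwd.byname", "passwd.byuid",
    "group.byname", "group.bygid",
    "netid.byname", "netgroup",
])

_MAP_DN = re.compile(
    r"^dn:\s*nis-domain=(?P<domain>[^+,]+)\+nis-map=(?P<map>[^,]+),(?P<suffix>.*)$")


def _unfold(ldif):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def nis_maps_from_ldif(ldif):
    """Return {nis-domain: set(map names)} for every map entry in ldapsearch output."""
    found = {}
    for line in _unfold(ldif):
        m = _MAP_DN.match(line)
        if m and m.group("suffix") == NIS_SUFFIX:
            found.setdefault(m.group("domain"), set()).add(m.group("map"))
    return found


def missing_core_maps(existing):
    """Core maps absent from the set of maps found for one NIS domain."""
    return CORE_MAPS - set(existing)


def recovery_needed(existing):
    """Assumed trigger (from the exchange above): recover only when none of the six
    core maps exist, which is the broken post-upgrade state and also the one case
    where an admin who removed all six on purpose would get them back."""
    return not (CORE_MAPS & set(existing))


def recovery_dns(domain, existing, suffix=NIS_SUFFIX):
    """DNs the upgrade would re-create, built from the templates quoted in the thread."""
    if not recovery_needed(existing):
        return []
    return ["nis-domain={domain}+nis-map={map},{suffix}".format(
                domain=domain, map=name, suffix=suffix)
            for name in sorted(CORE_MAPS)]


# Constructed sample modelled on the pre-upgrade state from the thread: only the
# two ethers maps (created in December) are present.  The second DN is folded the
# way ldapsearch wraps long lines, to exercise _unfold().
BROKEN_LDIF = """\
dn: nis-domain=example.test+nis-map=ethers.byaddr,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20151202162357Z
ModifyTimestamp: 20151202162357Z

dn: nis-domain=example.test+nis-map=ethers.byname,cn=NIS Server,cn=plugins,
 cn=config
CreateTimestamp: 20151202162357Z
ModifyTimestamp: 20151202162357Z
"""

# Constructed sample of the repaired state: the core maps added by the upgrade.
REPAIRED_LDIF = BROKEN_LDIF + "".join(
    "\ndn: nis-domain=example.test+nis-map={0},cn=NIS Server,cn=plugins,cn=config\n"
    "CreateTimestamp: 20160111071241Z\nModifyTimestamp: 20160111071241Z\n".format(name)
    for name in sorted(CORE_MAPS))
```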
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 11 Jan 2016 09:09:59 +0100
Subject: [Freeipa-devel] [PATCH 0120] prevent crash of CA-less server upgrade due to absent certmonger
In-Reply-To: <568E227D.4030409@redhat.com>
References: <568BD815.2030000@redhat.com> <568E227D.4030409@redhat.com>
Message-ID: <56936357.9080809@redhat.com>

On 7.1.2016 09:31, Martin Babinsky wrote:
> On 01/05/2016 03:49 PM, Martin Babinsky wrote:
>> fixes https://fedorahosted.org/freeipa/ticket/5519
>>
>>
>>
> Bump for review.

Works for me, ACK.

Pushed to:
master: bef0f4c5c38e7ff6415e8f8c96dc306ef7f0ce56
ipa-4-2: f55a228f5ddab45fdea884eee93eac9890cf093d
ipa-4-3: 0097558d3f5b56c7db930fc951bbdb6b46abbcc5

-- 
Jan Cholasta

From mbasti at redhat.com Mon Jan 11 08:51:32 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 11 Jan 2016 09:51:32 +0100
Subject: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration
In-Reply-To: <20160111073431.GX4316@redhat.com>
References: <568D698D.3040004@redhat.com> <20160108135459.GP4316@redhat.com> <568FD370.6030809@redhat.com> <568FD431.70308@redhat.com> <568FE861.2090307@redhat.com> <20160111073431.GX4316@redhat.com>
Message-ID: <56936D14.1070906@redhat.com>

On 11.01.2016 08:34, Alexander Bokovoy wrote:
> On Fri, 08 Jan 2016, Martin Basti wrote:
>>
>>
>> On 08.01.2016 16:22, Martin Basti wrote:
>>>
>>>
>>> On 08.01.2016 16:19, Petr Vobornik wrote:
>>>> On 01/08/2016 02:54 PM, Alexander Bokovoy wrote:
>>>>> On Wed, 06 Jan 2016, Martin Basti wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/5507
>>>>>>
>>>>>> Patch attached.
>>>>>>
>>>>>> Is proposed workaround in ticket enough or should I also prepare an
>>>>>> update that will fix missing maps?
>>>>> The update you have is good but we need to recover missing maps.
>>>>> Given that we know which maps exist in the broken setup (those from
>>>>> 50-nis.update), it would make sense to check if only those CNs
>>>>> exist and
>>>>> then remove them and fire recovery.
>>>>>
>>>>
>>>> Could there be a situation where such state would be desired and
>>>> the update would actually break user's setup?
>>> Only if user removed all these maps:
>>>
>>> "nis-domain={domain}+nis-map=passwd.byname,{suffix}",
>>> "nis-domain={domain}+nis-map=passwd.byuid,{suffix}",
>>> "nis-domain={domain}+nis-map=group.byname,{suffix}",
>>> "nis-domain={domain}+nis-map=group.bygid,{suffix}",
>>> "nis-domain={domain}+nis-map=netid.byname,{suffix}",
>>> "nis-domain={domain}+nis-map=netgroup,{suffix}",
>>>
>>>
>>>
>> Updated patch attached.
> ACK: I did an upgrade of an install where NIS was enabled last December and
> it had broken records, as can be seen by CreateTimestamp.
> During upgrade
> new entries were added, restoring the proper configuration:
>
> # ldapsearch -LLL -H ldapi://%2fvar%2frun%2fslapd-RH-VDA-LI.socket -b
> cn=config '(nis-domain=*)' dn CreateTimestamp ModifyTimestamp
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn: nis-domain=rh.vda.li+nis-map=ethers.byaddr,cn=NIS
> Server,cn=plugins,cn=config
> CreateTimestamp: 20151202162357Z
> ModifyTimestamp: 20151202162357Z
>
> dn: nis-domain=rh.vda.li+nis-map=ethers.byname,cn=NIS
> Server,cn=plugins,cn=config
> CreateTimestamp: 20151202162357Z
> ModifyTimestamp: 20151202162357Z
>
> dn: nis-domain=rh.vda.li+nis-map=group.bygid,cn=NIS
> Server,cn=plugins,cn=config
> CreateTimestamp: 20160111071241Z
> ModifyTimestamp: 20160111071241Z
>
> dn: nis-domain=rh.vda.li+nis-map=group.byname,cn=NIS
> Server,cn=plugins,cn=config
> CreateTimestamp: 20160111071241Z
> ModifyTimestamp: 20160111071241Z
>
> dn: nis-domain=rh.vda.li+nis-map=netgroup,cn=NIS
> Server,cn=plugins,cn=config
> CreateTimestamp: 20160111071242Z
> ModifyTimestamp: 20160111071242Z
>
> dn: nis-domain=rh.vda.li+nis-map=netid.byname,cn=NIS
> Server,cn=plugins,cn=config
> CreateTimestamp: 20160111071242Z
> ModifyTimestamp: 20160111071242Z
>
> dn: nis-domain=rh.vda.li+nis-map=passwd.byname,cn=NIS
> Server,cn=plugins,cn=config
> CreateTimestamp: 20160111071240Z
> ModifyTimestamp: 20160111071240Z
>
> dn: nis-domain=rh.vda.li+nis-map=passwd.byuid,cn=NIS
> Server,cn=plugins,cn=config
> CreateTimestamp: 20160111071240Z
> ModifyTimestamp: 20160111071240Z
>
>

Pushed to:
master: 1d56665fd2ed7025131793bb4b0cda35b12bba9f
ipa-4-3: aeafae40084798725b7ea99c86497c13567e10e8
ipa-4-2: 98a86d0efb5e3ecdc38eb51bf0e64dda52365a6d

From mkubik at redhat.com Mon Jan 11 10:59:21 2016
From: mkubik at redhat.com (Milan Kubík)
Date: Mon, 11 Jan 2016 11:59:21 +0100
Subject: [Freeipa-devel] [patch 0029, 0030] fixes for install tasks in integration tests
In-Reply-To: <568E238E.8010809@redhat.com>
References: <568E238E.8010809@redhat.com>
Message-ID: <56938B09.2000003@redhat.com>

On 01/07/2016 09:36 AM, Milan Kubík wrote:
> 0029: Add 10.in-addr.arpa. zone to ipa
> 0030: If the IP addresses in the topology are resolvable, do not add
> them to master.
>
>
>
Hi.

I'm dropping 0029 for now. 0030 gets an update.

-- 
Milan Kubik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkubik-0030-1-ipatests-Make-the-A-record-for-hosts-in-topology-con.patch
Type: text/x-patch
Size: 1732 bytes

From mkubik at redhat.com Mon Jan 11 11:01:00 2016
From: mkubik at redhat.com (Milan Kubík)
Date: Mon, 11 Jan 2016 12:01:00 +0100
Subject: [Freeipa-devel] [patch 0028] ipatests: Fix configuration problems in dns tests
In-Reply-To: <568E31EE.20405@redhat.com>
References: <568E2118.5060108@redhat.com> <568E2274.7020407@redhat.com> <568E2E9E.7080300@redhat.com> <568E31EE.20405@redhat.com>
Message-ID: <56938B6C.5010804@redhat.com>

On 01/07/2016 10:37 AM, Martin Basti wrote:
>
>
> On 07.01.2016 10:23, Milan Kubík wrote:
>> On 01/07/2016 09:31 AM, Oleg Fayans wrote:
>>> Hi Milan,
>>>
>>> As we are eventually going to move to python3, I would make the code
>>> python3-compatible:
>>>
>>> 1. from __future__ import unicode_literals
>>> 2. get rid of all u's in front of the strings
>>>
>>> On the other hand, we can make a separate commit with only py3-related
>>> changes.
>>>
>>> On 01/07/2016 09:26 AM, Milan Kubík wrote:
>>>> Fixes problems in tests uncovered by dns check introduced in ipa 4.3
>>>>
>>>>
>>>>
>> I don't think this patch is the right one to do this. I'd rather
>> convert the whole module in a separate patch.
>>
> Python 3.3+ supports 'u' literals again
> https://docs.python.org/3.3/whatsnew/3.3.html

So the best course of action here is?

-- 
Milan Kubik

From mkosek at redhat.com Mon Jan 11 11:34:08 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 11 Jan 2016 12:34:08 +0100
Subject: [Freeipa-devel] [PATCH 0124] ipa-csreplica-manage: remove extraneous ldap2 connection
In-Reply-To: <568FF264.7070708@redhat.com>
References: <568FE141.4060200@redhat.com> <568FEF10.4030608@redhat.com> <568FF264.7070708@redhat.com>
Message-ID: <56939330.6080906@redhat.com>

On 01/08/2016 06:31 PM, Martin Babinsky wrote:
> On 01/08/2016 06:17 PM, Martin Basti wrote:
>>
>>
>> On 08.01.2016 17:18, Martin Babinsky wrote:
>>> fixes ipa-csreplica-manage del blowing up due
>>>
>>> https://fedorahosted.org/freeipa/ticket/5583
>>>
>>> for master and ipa-4-3 only.
>>>
>> Give me patch pleaaaaaaaaaaaaaaaaaaaaaaaase!!
>
> Auto-attach plugin would be most welcome.. here's the patch.

Back in my developer days, I used this script for sending patches :-)

https://github.com/freeipa/freeipa-tools/blob/master/sendpatch.py

This let me (almost never) forget attaching the file(s) in the right format.

From mbasti at redhat.com Mon Jan 11 11:38:07 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 11 Jan 2016 12:38:07 +0100
Subject: [Freeipa-devel] [patch 0028] ipatests: Fix configuration problems in dns tests
In-Reply-To: <56938B6C.5010804@redhat.com>
References: <568E2118.5060108@redhat.com> <568E2274.7020407@redhat.com> <568E2E9E.7080300@redhat.com> <568E31EE.20405@redhat.com> <56938B6C.5010804@redhat.com>
Message-ID: <5693941F.5050609@redhat.com>

On 11.01.2016 12:01, Milan Kubík wrote:
> On 01/07/2016 10:37 AM, Martin Basti wrote:
>>
>>
>> On 07.01.2016 10:23, Milan Kubík wrote:
>>> On 01/07/2016 09:31 AM, Oleg Fayans wrote:
>>>> Hi Milan,
>>>>
>>>> As we are eventually going to move to python3, I would make the code
>>>> python3-compatible:
>>>>
>>>> 1. from __future__ import unicode_literals
>>>> 2. get rid of all u's in front of the strings
>>>>
>>>> On the other hand, we can make a separate commit with only py3-related
>>>> changes.
>>>>
>>>> On 01/07/2016 09:26 AM, Milan Kubík wrote:
>>>>> Fixes problems in tests uncovered by dns check introduced in ipa 4.3
>>>>>
>>>>>
>>>>>
>>> I don't think this patch is the right one to do this. I'd rather
>>> convert the whole module in a separate patch.
>>>
>> Python 3.3+ supports 'u' literals again
>> https://docs.python.org/3.3/whatsnew/3.3.html
> So the best course of action here is?
>
Leave the patch as it is now, LGTM. I just need to run tests if it really works.

From ldoudova at redhat.com Mon Jan 11 11:47:13 2016
From: ldoudova at redhat.com (Lenka Doudova)
Date: Mon, 11 Jan 2016 12:47:13 +0100
Subject: [Freeipa-devel] [TESTS][PATCH 0007] Multiple managers per user
In-Reply-To: <566FFCA2.2060801@redhat.com>
References: <566FFCA2.2060801@redhat.com>
Message-ID: <56939641.20207@redhat.com>

Hi,

everyone having time to take a look at this? It's been hanging for a few weeks.
Thanks,
Lenka

On 12/15/2015 12:42 PM, Lenka Doudova wrote:
> Hi,
>
> I updated the (stage)user tests to reflect the multiple managers per
> user feature.
> Corresponding ticket: https://fedorahosted.org/freeipa/ticket/5344
>
> Lenka
>
>

From mkosek at redhat.com Mon Jan 11 12:11:16 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 11 Jan 2016 13:11:16 +0100
Subject: [Freeipa-devel] FreeIPA github mirror/repo (Fwd: [SSSD] The mirror at https://github.com/SSSD/sssd is now automatically updated)
In-Reply-To: <20160111103306.GI3583@hendrix.arn.redhat.com>
References: <20160111103306.GI3583@hendrix.arn.redhat.com>
Message-ID: <56939BE4.7070608@redhat.com>

FYI, I suspect FreeIPA will want to follow the same approach for

https://github.com/freeipa/freeipa

(to be created) :-)

Martin

-------- Forwarded Message --------
Subject: [SSSD] The mirror at https://github.com/SSSD/sssd is now automatically updated
Date: Mon, 11 Jan 2016 11:33:06 +0100
From: Jakub Hrozek
Reply-To: Development of the System Security Services Daemon
To: sssd-devel at lists.fedorahosted.org

Hi,

with the help of Patrick from the Fedora Infra team, our github repo:
https://github.com/SSSD/sssd
is now receiving automatic updates after patches are pushed to the
fedorahosted.org repo.

Since the push is implemented as a git hook which pushes with "--force
--mirror", you'll see a message in the git push output.

oh and Patrick managed to lock down the private key to the members of
the fedora 'sssdgit' group..
_______________________________________________
sssd-devel mailing list
sssd-devel at lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel at lists.fedorahosted.org

From mbabinsk at redhat.com Mon Jan 11 12:14:51 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 11 Jan 2016 13:14:51 +0100
Subject: [Freeipa-devel] [PATCH 0122-0123] reimplementation of package version comparison code
In-Reply-To: <56934FE4.6080006@redhat.com>
References: <568FDCE5.2090701@redhat.com> <20160108162312.GN28363@mail.corp.redhat.com> <568FEA52.2040200@redhat.com> <20160108173053.GP28363@mail.corp.redhat.com> <56934FE4.6080006@redhat.com>
Message-ID: <56939CBB.4020905@redhat.com>

On 01/11/2016 07:47 AM, Jan Cholasta wrote:
> On 8.1.2016 18:30, Lukas Slebodnik wrote:
>> On (08/01/16 17:56), Martin Babinsky wrote:
>>> On 01/08/2016 05:23 PM, Lukas Slebodnik wrote:
>>>> On (08/01/16 16:59), Martin Babinsky wrote:
>>>>> Patch 0122 reimplements version checking and fixes
>>>>> https://fedorahosted.org/freeipa/ticket/5572
>>>>>
>>>>> Patch 0123 contains unit test for version checking code.
>>>>>
>>>>> Thanks to Martin^1 for the idea of using CFFI for calling rpm C-API
>>>>> directly.
>>>>>
>>>>> --
>>>>> Martin^3 Babinsky
>>>>
>>>>
>>>> >From c7a5d8970d100d071597b4e1d7cef8a27b8cd485 Mon Sep 17 00:00:00 2001
>>>>> From: Martin Babinsky
>>>>> Date: Fri, 8 Jan 2016 15:54:00 +0100
>>>>> Subject: [PATCH 2/3] tests for package version comparison
>>>>>
>>>>> These tests will ensure that our package version handling code can
>>>>> correctly
>>>>> decide when to upgrade IPA master.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5572
>>>>> ---
>>>>> ipatests/test_ipaserver/test_version_comparsion.py | 47
>>>>> ++++++++++++++++++++++
>>>>> 1 file changed, 47 insertions(+)
>>>>> create mode 100644 ipatests/test_ipaserver/test_version_comparsion.py
>>>>>
>>>>> diff --git a/ipatests/test_ipaserver/test_version_comparsion.py
>>>>> b/ipatests/test_ipaserver/test_version_comparsion.py
>>>>> new file mode 100644
>>>>> index
>>>>> 0000000000000000000000000000000000000000..51d069b23ba389ffce39e948cdbc7a1faaa84563
>>>>>
>>>>> --- /dev/null
>>>>> +++ b/ipatests/test_ipaserver/test_version_comparsion.py
>>>>> @@ -0,0 +1,47 @@
>>>>> +#
>>>>> +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
>>>>> +#
>>>>> +
>>>>> +"""
>>>>> +tests for correct RPM version comparison
>>>>> +"""
>>>>> +
>>>>> +from ipaplatform.tasks import tasks
>>>>> +import pytest
>>>>> +
>>>>> +version_strings = [
>>>>> + ("3.0.el6", "3.0.0.el6", "older"),
>>>>> + ("3.0.0.el6", "3.0.0.el6_8.2", "older"),
>>>>> + ("3.0.0-42.el6", "3.0.0.el6", "newer"),
>>>>> + ("3.0.0-1", "3.0.0-42", "older"),
>>>>> + ("3.0.0-42.el6", "3.3.3.fc20", "older"),
>>>>> + ("4.2.0-15.el7", "4.2.0-15.el7_2.3", "older"),
>>>>> + ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.3", "equal"),
>>>>> + ("4.2.0-1.fc23", "4.2.1.fc23", "older"),
>>>>> + ("4.2.3-alpha.fc23", "4.2.3-2.fc23", "older"), # numeric
>>>>> version elements have
>>>>> + # precedence over
>>>>> letters
>>>>> + ("4.3.90.201601080923GIT55aeea7-0.fc23", "4.3.0-1.fc23", "newer")
>>>>> +]
>>>>> +
>>>>> +
>>>>> + at pytest.fixture(params=version_strings)
>>>>> +def versions(request):
>>>>> + return request.param
>>>>> +
>>>>> +class TestVersionComparsion(object):
>>>>> +
>>>>> + def test_versions(self, versions):
>>>>> + version_string1, version_string2, expected_comparison =
>>>>> versions
>>>>> +
>>>>> + ver1 = tasks.parse_ipa_version(version_string1)
>>>>> + ver2 = tasks.parse_ipa_version(version_string2)
>>>>> +
>>>>> + if expected_comparison == "newer":
>>>>> + assert ver1 > ver2
>>>>> + elif expected_comparison == "older":
>>>>> + assert ver1 < ver2
>>>>> + elif expected_comparison == "equal":
>>>>> + assert ver1 == ver2
>>>>> + else:
>>>>> + raise TypeError(
>>>>> + "Unexpected comparison string: {}",
>>>>> expected_comparison)
>>>>> --
>>>>> 2.5.0
>>>>>
>>>>
>>>>
>>>> >From 9677e1a3ca2f5837f1b779780127adf27efa81df Mon Sep 17 00:00:00 2001
>>>>> From: Martin Babinsky
>>>>> Date: Fri, 8 Jan 2016 14:17:14 +0100
>>>>> Subject: [PATCH 1/3] use FFI call to rpmvercmp function for version
>>>>> comparison
>>>>>
>>>>> Stop using rpm-python to compare package versions since the
>>>>> implicit NSS
>>>>> initialization upon the module import breaks NSS handling in IPA
>>>>> code. Call
>>>>> rpm-libs C-API function via CFFI instead.
>>>>>
>>>>> Big thanks to Martin Kosek for sharing the code
>>>>> snippet
>>>>> that spurred this patch.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5572
>>>>> ---
>>>>> freeipa.spec.in | 2 +-
>>>>> ipaplatform/redhat/tasks.py | 59
>>>>> +++++++++++++++++++++------------------------
>>>>> 2 files changed, 29 insertions(+), 32 deletions(-)
>>>>>
>>>>> diff --git a/freeipa.spec.in b/freeipa.spec.in
>>>>> index
>>>>> 7e956538d0f6c24bab636579303e0c7b5eeec199..7f31d41d16b2a26b404c277595f0994a21123f80
>>>>> 100644
>>>>> --- a/freeipa.spec.in
>>>>> +++ b/freeipa.spec.in
>>>>> @@ -214,7 +214,7 @@ Requires: python-pyasn1
>>>>> Requires: dbus-python
>>>>> Requires: python-dns >= 1.11.1
>>>>> Requires: python-kdcproxy >= 0.3
>>>>> -Requires: rpm-python
>>>>> +Requires: rpm-devel
>>>> /usr/lib64/librpm.so.7 is provided by package rpm-libs
>>>>
>>>>
>>>> sh$ rpm -qf /usr/lib64/librpm.so.7
>>>> rpm-libs-4.13.0-0.rc1.7.fc23.x86_64
>>>>
>>>> It's not very common to depend on devel packages.
>>>>
>>>> LS
>>>>
>>>
>>> I was basically trying to work around this
>>> http://fpaste.org/308652/22677521/
>>>
>> rpm-libs contains librpm.so.*
>> and cffi is smart enough to load right library with
>> C = ffi.dlopen("rpm")
>
> This likely won't be an issue here, but in general, we should use the
> versioned library name to have at least some API/ABI guarantee. If for
> example a function we depend on changed signature between versions, we
> would crash *hard* when it's called.
>
>> So it's enough to add "Requires: rpm-libs"
>> but it would be almost noop because rpm-libs is always available
>> on fedora/rhel :-)
>>
>> "Requires: rpm-devel"
>> adds unnecessary additional runtime dependencies on pkgconfig, popt-devel
>>
>>
>>> librpm.so.7 belongs to rpm-libs and librpm.so to rpm-devel and I was
>>> lazy
>>> (hey it's friday) to add path to librpm.so.7 to paths and use it in LD
>>> loader.
>>> If you think that it is not optimal I will fix it, but let's wait for
>>> some
>>> more feedback.
>> Sure wait for another python related comments.
>
> NACK. The ffi.cdef() and ffi.dlopen() should be in the module scope, and
> the ffi.new() calls are unnecessary.
>
Attaching updated patches. I have added specific versions of librpm shared lib to platform specific namespaces. Both of them were tested and work.

I have also changed dependency to rpm-libs.

-- 
Martin^3 Babinsky

-------------- next part --------------
A non-text attachment was scrubbed...
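Review bot: the `raise TypeError("Unexpected comparison string: {}", expected_comparison)` at the end of `test_versions` never formats the message; the two arguments just become the exception's args tuple, so a bad table entry would be reported as `('Unexpected comparison string: {}', 'foo')`. Use `"Unexpected comparison string: {}".format(expected_comparison)`, and `ValueError` describes an unexpected value better than `TypeError`. Two smaller points in the same hunk: the new file and class spell "comparison" as "comparsion" (`test_version_comparsion.py`, `TestVersionComparsion`), and the copyright line says 2015 in a file dated January 2016.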
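Review bot: `+Requires: rpm-devel` makes a development package a runtime dependency of the server, and as the thread notes it pulls in pkgconfig and popt-devel with it. The object the FFI code loads, `/usr/lib64/librpm.so.7`, is shipped by rpm-libs, so `Requires: rpm-libs`, or better a dependency on the `librpm.so.7` soname itself, is the right replacement; the commit message should also state which soname version the code expects, since the ABI of `rpmvercmp` is only guaranteed per soname.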
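The comparison rule that the quoted test table exercises, as an added example rather than the patch's own code: a pure-Python port of librpm's rpmvercmp() algorithm, with the CFFI lookup done once at module scope against a versioned soname as the review asks (librpm.so.7 is an assumption taken from the thread) and the port used whenever cffi or librpm is not installed, so the table can be checked on any machine.

```python
"""Package version comparison, after the patch under review.

Added example, not the FreeIPA patch: the patch calls librpm's rpmvercmp()
through CFFI.  Here that call is set up once at module scope with a versioned
soname (librpm.so.7 is an assumption taken from the thread), and a pure-Python
port of the rpmvercmp algorithm takes over when cffi or librpm is missing.
"""
import string

_DIGITS = set(string.digits)
_LETTERS = set(string.ascii_letters)
_SEGMENT_START = _DIGITS | _LETTERS | {"~"}

_librpm = None
try:
    import cffi
    _ffi = cffi.FFI()
    _ffi.cdef("int rpmvercmp(const char *a, const char *b);")  # module scope
    _librpm = _ffi.dlopen("librpm.so.7")  # assumed soname; bytes args need no ffi.new()
except (ImportError, OSError):
    _librpm = None


def rpmvercmp_py(a, b):
    """Port of librpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.

    Separators ('.', '-', '_', ...) are skipped; '~' sorts before anything,
    even the end of the string; a digit run beats a letter run; digit runs
    compare by length after stripping leading zeros; once every run is equal,
    the string with runs left over wins.  rpm's newer '^' rule is omitted.
    """
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        while i < la and a[i] not in _SEGMENT_START:
            i += 1
        while j < lb and b[j] not in _SEGMENT_START:
            j += 1
        tilde_a = i < la and a[i] == "~"
        tilde_b = j < lb and b[j] == "~"
        if tilde_a or tilde_b:
            if not tilde_a:
                return 1
            if not tilde_b:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= la or j >= lb:
            break
        isnum = a[i] in _DIGITS
        kind = _DIGITS if isnum else _LETTERS
        start_a, start_b = i, j
        while i < la and a[i] in kind:
            i += 1
        while j < lb and b[j] in kind:
            j += 1
        seg_a, seg_b = a[start_a:i], b[start_b:j]
        if not seg_b:  # different kinds: a numeric segment is always newer
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1


def rpmvercmp(a, b):
    """librpm when it loaded, the Python port otherwise."""
    if _librpm is not None:
        return _librpm.rpmvercmp(a.encode("ascii"), b.encode("ascii"))
    return rpmvercmp_py(a, b)


# The table from the quoted test: expected relation of the first string to the second.
VERSION_STRINGS = [
    ("3.0.el6", "3.0.0.el6", "older"),
    ("3.0.0.el6", "3.0.0.el6_8.2", "older"),
    ("3.0.0-42.el6", "3.0.0.el6", "newer"),
    ("3.0.0-1", "3.0.0-42", "older"),
    ("3.0.0-42.el6", "3.3.3.fc20", "older"),
    ("4.2.0-15.el7", "4.2.0-15.el7_2.3", "older"),
    ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.3", "equal"),
    ("4.2.0-1.fc23", "4.2.1.fc23", "older"),
    ("4.2.3-alpha.fc23", "4.2.3-2.fc23", "older"),
    ("4.3.90.201601080923GIT55aeea7-0.fc23", "4.3.0-1.fc23", "newer"),
]


def check_table(table=VERSION_STRINGS):
    """Rows whose computed relation differs from the expected one (empty when all agree)."""
    verdict = {-1: "older", 0: "equal", 1: "newer"}
    return [(v1, v2, expected, verdict[rpmvercmp(v1, v2)])
            for v1, v2, expected in table
            if verdict[rpmvercmp(v1, v2)] != expected]
```

Running `check_table()` returns an empty list when the port (or librpm) agrees with every row of the thread's table.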
Name: freeipa-mbabinsk-0123.1-tests-for-package-version-comparison.patch
Type: text/x-patch
Size: 2622 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0122.1-use-FFI-call-to-rpmvercmp-function-for-version-compa.patch
Type: text/x-patch
Size: 5457 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-4-2-mbabinsk-0122.1-use-FFI-call-to-rpmvercmp-function-for-version-compa.patch
Type: text/x-patch
Size: 5199 bytes

From mbabinsk at redhat.com Mon Jan 11 12:30:48 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 11 Jan 2016 13:30:48 +0100
Subject: [Freeipa-devel] [PATCH 0118] fix Py3 incompatible exception instantiation in replica install code
In-Reply-To: <568FF12F.6060007@redhat.com>
References: <568A272A.5060805@redhat.com> <568E98BC.9080000@redhat.com> <568FF12F.6060007@redhat.com>
Message-ID: <5693A078.3030509@redhat.com>

On 01/08/2016 06:26 PM, Tomas Babej wrote:
>
>
> On 01/07/2016 05:56 PM, Martin Babinsky wrote:
>> On 01/04/2016 09:02 AM, Martin Babinsky wrote:
>>>
>>>
>>>
>> I have created ticket to patch and added it to commit message:
>>
>> https://fedorahosted.org/freeipa/ticket/5585
>>
>>
>>
>
> ACK for these changes, however, there are additional occurrences in the
> code base, attaching a patch.
>
> Tomas
>
>
>
ACK

-- 
Martin^3 Babinsky

From pviktori at redhat.com Mon Jan 11 12:44:52 2016
From: pviktori at redhat.com (Petr Viktorin)
Date: Mon, 11 Jan 2016 13:44:52 +0100
Subject: [Freeipa-devel] FreeIPA github mirror/repo (Fwd: [SSSD] The mirror at https://github.com/SSSD/sssd is now automatically updated)
In-Reply-To: <56939BE4.7070608@redhat.com>
References: <20160111103306.GI3583@hendrix.arn.redhat.com> <56939BE4.7070608@redhat.com>
Message-ID: <5693A3C4.6080100@redhat.com>

On 01/11/2016 01:11 PM, Martin Kosek wrote:
> FYI, I suspect FreeIPA will want to follow the same approach for
>
> https://github.com/freeipa/freeipa
>
> (to be created) :-)
>
> Martin

Let me know when you're ready to start setting this up. I can transfer https://github.com/encukou/freeipa there so all the forks will be based on the "official" mirror.

>
> -------- Forwarded Message --------
> Subject: [SSSD] The mirror at https://github.com/SSSD/sssd is now automatically
> updated
> Date: Mon, 11 Jan 2016 11:33:06 +0100
> From: Jakub Hrozek
> Reply-To: Development of the System Security Services Daemon
>
> To: sssd-devel at lists.fedorahosted.org
>
> Hi,
>
> with the help of Patrick from the Fedora Infra team, our github repo:
> https://github.com/SSSD/sssd
> is now receiving automatic updates after patches are pushed to the
> fedorahosted.org repo.
>
> Since the push is implemented as a git hook which pushes with "--force
> --mirror", you'll see a message in the git push output.
>
> oh and Patrick managed to lock down the private key to the members of
> the fedora 'sssdgit' group..
> _______________________________________________
> sssd-devel mailing list
> sssd-devel at lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/sssd-devel at lists.fedorahosted.org
>
>

-- 
Petr Viktorin

From mbasti at redhat.com Mon Jan 11 12:45:36 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 11 Jan 2016 13:45:36 +0100
Subject: [Freeipa-devel] [TESTS][PATCH 0007] Multiple managers per user
In-Reply-To: <56939641.20207@redhat.com>
References: <566FFCA2.2060801@redhat.com> <56939641.20207@redhat.com>
Message-ID: <5693A3F0.80809@redhat.com>

On 11.01.2016 12:47, Lenka Doudova wrote:
> Hi,
>
> everyone having time to take a look at this? It's been hanging for a
> few weeks.
> Thanks,
> Lenka
>
> On 12/15/2015 12:42 PM, Lenka Doudova wrote:
>> Hi,
>>
>> I updated the (stage)user tests to reflect the multiple managers per
>> user feature.
>> Corresponding ticket: https://fedorahosted.org/freeipa/ticket/5344
>>
>> Lenka
>>
>>
>
>
>
We enabled more checks in pylint recently, your patch currently does not pass on master.

./make-lint
************* Module ipatests.test_xmlrpc.tracker.user_plugin
ipatests/test_xmlrpc/tracker/user_plugin.py:380: [W0106(expression-not-assigned), UserTracker.track_add_manager] Expression "[self.attrs[u'manager'].append(item) for item in managers]" is assigned to nothing)
************* Module ipatests.test_xmlrpc.tracker.stageuser_plugin
ipatests/test_xmlrpc/tracker/stageuser_plugin.py:248: [W0106(expression-not-assigned), StageUserTracker.track_add_manager] Expression "[self.attrs[u'manager'].append(item) for item in managers]" is assigned to nothing)

1)
I suggest to use
self.attrs[u'manager'].extend(managers)
instead of list comprehension (lint errors)

2)
if self.attrs[u'manager'] == []:

I suggest to use
if not self.attrs[u'manager']:
this is proper python usage.

*on several places in code

3)
+    def test_delete_all_managers(self, stageduser, manager1, manager2):
...
+
+        updates = {u'manager': ""}
+        expected_updates = {u'manager': ""}
...
+        stageduser.attrs.update(updates)
+        stageduser.attrs.update(expected_updates)

I do not understand this, you have 2 dictionaries that are the same, and you twice update stageuser object with the same value, What did I miss?

4)
+            self.attrs[u'managers_failed'][key] =\
+                u'This entry is already a member'

Please try to avoid '\' in code if possible

self.attrs[u'managers_failed'][key] = (
    u'This entry is already a member')

*on several places in code

5)
I do not have a feeling that the following code is right:

if u'nsaccountlock' in expected:
    if expected[u'nsaccountlock'] == [u'true']:
        expected[u'nsaccountlock'] = True
    elif expected[u'nsaccountlock'] == [u'false']:
        expected[u'nsaccountlock'] = False
+   else:
+       expected[u'nsaccountlock'] = False

Why is there added 'nsaccountlock' into dictionary when it is not expected to be in results? Shouldn't be 'nsaccountlock' added to expected when needed?

6)
-            expected['result']['manager'] = [
-                unicode(get_user_dn(exp​ected['result']['manager'][0]))]
+            for i, item in enumerate(expected['result']['manager']):
+                expected['result'][u'manager'][i] = unicode(get_user_dn(item)

Please use list comprehension, it is safer than changing list that is being iterated.

expected['result']['manager'] = [unicode(get_user_dn(mgr)) for mgr in expected['result']['manager']]

7)
+        if len(self.attrs[u'managers_failed']) != 0:

This should be rewritten to
if self.attrs[u'managers_failed']:

*on several places in code

8)
+        if u'manager' in self.attrs and self.attrs[u'manager'] == []:
+            del self.attrs[u'manager']

IMO list == [] is bad, this can be rewritten to:
if u'manager' in self.attrs and not self.attrs[u'manager']:

From jcholast at redhat.com Mon Jan 11 13:01:02 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 11 Jan 2016 14:01:02 +0100
Subject: [Freeipa-devel] [PATCH 0122-0123] reimplementation of package version comparison code
In-Reply-To: <56939CBB.4020905@redhat.com>
References: <568FDCE5.2090701@redhat.com> <20160108162312.GN28363@mail.corp.redhat.com> <568FEA52.2040200@redhat.com> <20160108173053.GP28363@mail.corp.redhat.com> <56934FE4.6080006@redhat.com> <56939CBB.4020905@redhat.com>
Message-ID: <5693A78E.4050608@redhat.com>

On 11.1.2016 13:14, Martin Babinsky wrote:
> On 01/11/2016 07:47 AM, Jan Cholasta wrote:
>> On 8.1.2016 18:30, Lukas Slebodnik wrote:
>>> On (08/01/16 17:56), Martin Babinsky wrote:
>>>> On 01/08/2016 05:23 PM, Lukas Slebodnik wrote:
>>>>> On (08/01/16 16:59), Martin Babinsky wrote:
>>>>>> Patch 0122 reimplements version checking and fixes
>>>>>> https://fedorahosted.org/freeipa/ticket/5572
>>>>>>
>>>>>> Patch 0123 contains unit test for version checking code.
>>>>>>
>>>>>> Thanks to Martin^1 for the idea of using CFFI for calling rpm C-API
>>>>>> directly.
>>>>>>
>>>>>> --
>>>>>> Martin^3 Babinsky
>>>>>
>>>>>
>>>>> >From c7a5d8970d100d071597b4e1d7cef8a27b8cd485 Mon Sep 17 00:00:00
>>>>> 2001
>>>>>> From: Martin Babinsky
>>>>>> Date: Fri, 8 Jan 2016 15:54:00 +0100
>>>>>> Subject: [PATCH 2/3] tests for package version comparison
>>>>>>
>>>>>> These tests will ensure that our package version handling code can
>>>>>> correctly
>>>>>> decide when to upgrade IPA master.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/5572
>>>>>> ---
>>>>>> ipatests/test_ipaserver/test_version_comparsion.py | 47
>>>>>> ++++++++++++++++++++++
>>>>>> 1 file changed, 47 insertions(+)
>>>>>> create mode 100644 ipatests/test_ipaserver/test_version_comparsion.py
>>>>>>
>>>>>> diff --git a/ipatests/test_ipaserver/test_version_comparsion.py
>>>>>> b/ipatests/test_ipaserver/test_version_comparsion.py
>>>>>> new file mode 100644
>>>>>> index
>>>>>> 0000000000000000000000000000000000000000..51d069b23ba389ffce39e948cdbc7a1faaa84563
>>>>>>
>>>>>>
>>>>>> --- /dev/null
>>>>>> +++ b/ipatests/test_ipaserver/test_version_comparsion.py
>>>>>> @@ -0,0 +1,47 @@
>>>>>> +#
>>>>>> +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
>>>>>> +#
>>>>>> +
>>>>>> +"""
>>>>>> +tests for correct RPM version comparison
>>>>>> +"""
>>>>>> +
>>>>>> +from ipaplatform.tasks import tasks
>>>>>> +import pytest
>>>>>> +
>>>>>> +version_strings = [
>>>>>> + ("3.0.el6", "3.0.0.el6", "older"),
>>>>>> + ("3.0.0.el6", "3.0.0.el6_8.2", "older"),
>>>>>> + ("3.0.0-42.el6", "3.0.0.el6", "newer"),
>>>>>> + ("3.0.0-1", "3.0.0-42", "older"),
>>>>>> + ("3.0.0-42.el6", "3.3.3.fc20", "older"),
>>>>>> + ("4.2.0-15.el7", "4.2.0-15.el7_2.3", "older"),
>>>>>> + ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.3", "equal"),
>>>>>> + ("4.2.0-1.fc23", "4.2.1.fc23", "older"),
>>>>>> + ("4.2.3-alpha.fc23", "4.2.3-2.fc23", "older"), # numeric
>>>>>> version elements have
>>>>>> + # precedence over
>>>>>> letters
>>>>>> + ("4.3.90.201601080923GIT55aeea7-0.fc23", "4.3.0-1.fc23",
>>>>>> "newer")
>>>>>> +]
>>>>>> +
>>>>>> +
>>>>>> + at pytest.fixture(params=version_strings)
>>>>>> +def versions(request):
>>>>>> + return request.param
>>>>>> +
>>>>>> +class TestVersionComparsion(object):
>>>>>> +
>>>>>> + def test_versions(self, versions):
>>>>>> + version_string1, version_string2, expected_comparison =
>>>>>> versions
>>>>>> +
>>>>>> + ver1 = tasks.parse_ipa_version(version_string1)
>>>>>> + ver2 = tasks.parse_ipa_version(version_string2)
>>>>>> +
>>>>>> + if expected_comparison == "newer":
>>>>>> + assert ver1 > ver2
>>>>>> + elif expected_comparison == "older":
>>>>>> + assert ver1 < ver2
>>>>>> + elif expected_comparison == "equal":
>>>>>> + assert ver1 == ver2
>>>>>> + else:
>>>>>> + raise TypeError(
>>>>>> + "Unexpected comparison string: {}",
>>>>>> expected_comparison)
>>>>>> --
>>>>>> 2.5.0
>>>>>>
>>>>>
>>>>>
>>>>> >From 9677e1a3ca2f5837f1b779780127adf27efa81df Mon Sep 17 00:00:00
>>>>> 2001
>>>>>> From: Martin Babinsky
>>>>>> Date: Fri, 8 Jan 2016 14:17:14 +0100
>>>>>> Subject: [PATCH 1/3] use FFI call to rpmvercmp function for version
>>>>>> comparison
>>>>>>
>>>>>> Stop using rpm-python to compare package versions since the
>>>>>> implicit NSS
>>>>>> initialization upon the module import breaks NSS handling in IPA
>>>>>> code. Call
>>>>>> rpm-libs C-API function via CFFI instead.
>>>>>>
>>>>>> Big thanks to Martin Kosek for sharing the code
>>>>>> snippet
>>>>>> that spurred this patch.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/5572
>>>>>> ---
>>>>>> freeipa.spec.in | 2 +-
>>>>>> ipaplatform/redhat/tasks.py | 59
>>>>>> +++++++++++++++++++++------------------------
>>>>>> 2 files changed, 29 insertions(+), 32 deletions(-)
>>>>>>
>>>>>> diff --git a/freeipa.spec.in b/freeipa.spec.in
>>>>>> index
>>>>>> 7e956538d0f6c24bab636579303e0c7b5eeec199..7f31d41d16b2a26b404c277595f0994a21123f80
>>>>>>
>>>>>> 100644
>>>>>> --- a/freeipa.spec.in
>>>>>> +++ b/freeipa.spec.in
>>>>>> @@ -214,7 +214,7 @@ Requires: python-pyasn1
>>>>>> Requires: dbus-python
>>>>>> Requires: python-dns >= 1.11.1
>>>>>> Requires: python-kdcproxy >= 0.3
>>>>>> -Requires: rpm-python
>>>>>> +Requires: rpm-devel
>>>>> /usr/lib64/librpm.so.7 is provided by package rpm-libs
>>>>>
>>>>>
>>>>> sh$ rpm -qf /usr/lib64/librpm.so.7
>>>>> rpm-libs-4.13.0-0.rc1.7.fc23.x86_64
>>>>>
>>>>> It's not very common to depend on devel packages.
>>>>>
>>>>> LS
>>>>>
>>>>
>>>> I was basically trying to work around this
>>>> http://fpaste.org/308652/22677521/
>>>>
>>> rpm-libs contains librpm.so.*
>>> and cffi is smart enough to load right library with
>>> C = ffi.dlopen("rpm")
>>
>> This likely won't be an issue here, but in general, we should use the
>> versioned library name to have at least some API/ABI guarantee. If for
>> example a function we depend on changed signature between versions, we
>> would crash *hard* when it's called.
>>
>>> So it's enough to add "Requires: rpm-libs"
>>> but it would be almost noop because rpm-libs is always available
>>> on fedora/rhel :-)
>>>
>>> "Requires: rpm-devel"
>>> adds unnecessary additional runtime dependencies on pkgconfig, popt-devel
>>>
>>>
>>>> librpm.so.7 belongs to rpm-libs and librpm.so to rpm-devel and I was
>>>> lazy
>>>> (hey it's friday) to add path to librpm.so.7 to paths and use it in LD
>>>> loader.
>>>> If you think that it is not optimal I will fix it, but let's wait for
>>>> some
>>>> more feedback.
>>> Sure wait for another python related comments.
>>
>> NACK. The ffi.cdef() and ffi.dlopen() should be in the module scope, and
>> the ffi.new() calls are unnecessary.
>>
>
> Attaching updated patches. I have added specific versions of librpm
> shared lib to platform specific namespaces. Both of them were tested and
> work.

You haven't tested on any 32 bit architecture, have you? I'm sure /lib64 will not work there.
Note that when you dlopen just "librpm.so.$N", the correct path according to dynamic linker configuration will be used.

> I have also changed dependency to rpm-libs.

Given librpm is dlopened by full path, I think we should depend directly on the "librpm.so.$N()" soname rather than rpm-libs.

-- 
Jan Cholasta

From mbabinsk at redhat.com Mon Jan 11 13:27:11 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 11 Jan 2016 14:27:11 +0100
Subject: [Freeipa-devel] [PATCH 0122-0123] reimplementation of package version comparison code
In-Reply-To: <5693A78E.4050608@redhat.com>
References: <568FDCE5.2090701@redhat.com> <20160108162312.GN28363@mail.corp.redhat.com> <568FEA52.2040200@redhat.com> <20160108173053.GP28363@mail.corp.redhat.com> <56934FE4.6080006@redhat.com> <56939CBB.4020905@redhat.com> <5693A78E.4050608@redhat.com>
Message-ID: <5693ADAF.2030707@redhat.com>

On 01/11/2016 02:01 PM, Jan Cholasta wrote:
> On 11.1.2016 13:14, Martin Babinsky wrote:
>> On 01/11/2016 07:47 AM, Jan Cholasta wrote:
>>> On 8.1.2016 18:30, Lukas Slebodnik wrote:
>>>> On (08/01/16 17:56), Martin Babinsky wrote:
>>>>> On 01/08/2016 05:23 PM, Lukas Slebodnik wrote:
>>>>>> On (08/01/16 16:59), Martin Babinsky wrote:
>>>>>>> Patch 0122 reimplements version checking and fixes
>>>>>>> https://fedorahosted.org/freeipa/ticket/5572
>>>>>>>
>>>>>>> Patch 0123 contains unit test for version checking code.
>>>>>>>
>>>>>>> Thanks to Martin^1 for the idea of using CFFI for calling rpm C-API
>>>>>>> directly.
>>>>>>>
>>>>>>> --
>>>>>>> Martin^3 Babinsky
>>>>>>
>>>>>> >From c7a5d8970d100d071597b4e1d7cef8a27b8cd485 Mon Sep 17 00:00:00
>>>>>> 2001
>>>>>>> From: Martin Babinsky >>>>>>> Date: Fri, 8 Jan 2016 15:54:00 +0100 >>>>>>> Subject: [PATCH 2/3] tests for package version comparison >>>>>>> >>>>>>> These tests will ensure that our package version handling code can >>>>>>> correctly >>>>>>> decide when to upgrade IPA master. >>>>>>> >>>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>>> --- >>>>>>> ipatests/test_ipaserver/test_version_comparsion.py | 47 >>>>>>> ++++++++++++++++++++++ >>>>>>> 1 file changed, 47 insertions(+) >>>>>>> create mode 100644 >>>>>>> ipatests/test_ipaserver/test_version_comparsion.py >>>>>>> >>>>>>> diff --git a/ipatests/test_ipaserver/test_version_comparsion.py >>>>>>> b/ipatests/test_ipaserver/test_version_comparsion.py >>>>>>> new file mode 100644 >>>>>>> index >>>>>>> 0000000000000000000000000000000000000000..51d069b23ba389ffce39e948cdbc7a1faaa84563 >>>>>>> >>>>>>> >>>>>>> >>>>>>> --- /dev/null >>>>>>> +++ b/ipatests/test_ipaserver/test_version_comparsion.py 
>>>>>>> @@ -0,0 +1,47 @@ >>>>>>> +# >>>>>>> +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license >>>>>>> +# >>>>>>> + >>>>>>> +""" >>>>>>> +tests for correct RPM version comparison >>>>>>> +""" >>>>>>> + >>>>>>> +from ipaplatform.tasks import tasks >>>>>>> +import pytest >>>>>>> + >>>>>>> +version_strings = [ >>>>>>> + ("3.0.el6", "3.0.0.el6", "older"), >>>>>>> + ("3.0.0.el6", "3.0.0.el6_8.2", "older"), >>>>>>> + ("3.0.0-42.el6", "3.0.0.el6", "newer"), >>>>>>> + ("3.0.0-1", "3.0.0-42", "older"), >>>>>>> + ("3.0.0-42.el6", "3.3.3.fc20", "older"), >>>>>>> + ("4.2.0-15.el7", "4.2.0-15.el7_2.3", "older"), >>>>>>> + ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.3", "equal"), >>>>>>> + ("4.2.0-1.fc23", "4.2.1.fc23", "older"), >>>>>>> + ("4.2.3-alpha.fc23", "4.2.3-2.fc23", "older"), # numeric >>>>>>> version elements have >>>>>>> + # precedence over >>>>>>> letters >>>>>>> + ("4.3.90.201601080923GIT55aeea7-0.fc23", "4.3.0-1.fc23", >>>>>>> "newer") >>>>>>> +] >>>>>>> + >>>>>>> + >>>>>>> + at pytest.fixture(params=version_strings) >>>>>>> +def versions(request): >>>>>>> + return request.param >>>>>>> + >>>>>>> +class TestVersionComparsion(object): >>>>>>> + >>>>>>> + def test_versions(self, versions): >>>>>>> + version_string1, version_string2, expected_comparison = >>>>>>> versions >>>>>>> + >>>>>>> + ver1 = tasks.parse_ipa_version(version_string1) >>>>>>> + ver2 = tasks.parse_ipa_version(version_string2) >>>>>>> + >>>>>>> + if expected_comparison == "newer": >>>>>>> + assert ver1 > ver2 >>>>>>> + elif expected_comparison == "older": >>>>>>> + assert ver1 < ver2 >>>>>>> + elif expected_comparison == "equal": >>>>>>> + assert ver1 == ver2 >>>>>>> + else: >>>>>>> + raise TypeError( >>>>>>> + "Unexpected comparison string: {}", >>>>>>> expected_comparison) >>>>>>> -- >>>>>>> 2.5.0 >>>>>>> >>>>>> >>>>>> >From 9677e1a3ca2f5837f1b779780127adf27efa81df Mon Sep 17 00:00:00 >>>>>> 2001 
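Review bot: in the `else:` branch of `test_versions`, `raise TypeError("Unexpected comparison string: {}", expected_comparison)` never interpolates the value: both arguments end up in the exception's `args` tuple, so the message reads `('Unexpected comparison string: {}', 'foo')`. Use `"Unexpected comparison string: {}".format(expected_comparison)` and prefer `ValueError`, since the problem is the content of a string, not its type. Two smaller points in the same hunk: the new module and class are spelled `test_version_comparsion.py` / `TestVersionComparsion` (the docstring and commit subject say "comparison"), and each row only exercises one operator, so asserting the mirrored comparison as well (`ver2 < ver1` for "newer", `ver2 > ver1` for "older") would cover both directions of the new version object's rich comparisons.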
>>>>>>> From: Martin Babinsky >>>>>>> Date: Fri, 8 Jan 2016 14:17:14 +0100 >>>>>>> Subject: [PATCH 1/3] use FFI call to rpmvercmp function for version >>>>>>> comparison >>>>>>> >>>>>>> Stop using rpm-python to compare package versions since the >>>>>>> implicit NSS >>>>>>> initialization upon the module import breaks NSS handling in IPA >>>>>>> code. Call >>>>>>> rpm-libs C-API function via CFFI instead. >>>>>>> >>>>>>> Big thanks to Martin Kosek for sharing the code >>>>>>> snippet >>>>>>> that spurred this patch. >>>>>>> >>>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>>> --- >>>>>>> freeipa.spec.in | 2 +- >>>>>>> ipaplatform/redhat/tasks.py | 59 >>>>>>> +++++++++++++++++++++------------------------ >>>>>>> 2 files changed, 29 insertions(+), 32 deletions(-) >>>>>>> >>>>>>> diff --git a/freeipa.spec.in b/freeipa.spec.in >>>>>>> index >>>>>>> 7e956538d0f6c24bab636579303e0c7b5eeec199..7f31d41d16b2a26b404c277595f0994a21123f80 >>>>>>> >>>>>>> >>>>>>> 100644 >>>>>>> --- a/freeipa.spec.in >>>>>>> +++ b/freeipa.spec.in 
>>>>>>> @@ -214,7 +214,7 @@ Requires: python-pyasn1 >>>>>>> Requires: dbus-python >>>>>>> Requires: python-dns >= 1.11.1 >>>>>>> Requires: python-kdcproxy >= 0.3 >>>>>>> -Requires: rpm-python >>>>>>> +Requires: rpm-devel >>>>>> /usr/lib64/librpm.so.7 is provided by package rpm-libs >>>>>> >>>>>> >>>>>> sh$ rpm -qf /usr/lib64/librpm.so.7 >>>>>> rpm-libs-4.13.0-0.rc1.7.fc23.x86_64 >>>>>> >>>>>> It's not very common to depend on devel packages. >>>>>> >>>>>> LS >>>>>> >>>>> >>>>> I was basically trying workaround this >>>>> http://fpaste.org/308652/22677521/ >>>>> >>>> rpm-libs contains librpm.so.* >>>> and cffi is smart enough to load right library with >>>> C = ffi.dlopen("rpm") >>> >>> This likely won't be an issue here, but in general, we should use the >>> versioned library name to have at least some API/ABI guarantee. If for >>> example a function we depend on changed signature between versions, we >>> would crash *hard* when it's called. >>> >>>> So it's enough to add "Requires: rpm-libs" >>>> but it would be almost noop because rpm-libs is everytime available >>>> od fedora/rhel :-) >>>> >>>> "Requires: rpm-devel" >>>> add unnecessary additional runtime dependencies on pkgconfig, >>>> popt-devel >>>> >>>> >>>>> librpm.so.7 belongs to rpm-libs and librpm.so to rpm-devel and I was >>>>> lazy >>>>> (hey it's friday) to add path to librpm.so.7 to paths and use it i LD >>>>> loader. >>>>> If you think that it is not optimal I will fix it, but let's wait for >>>>> some >>>>> more feedback. >>>> Sure wait for another python related comments. >>> >>> NACK. The ffi.cdef() and ffi.dlopen() should be in the module scope, and >>> the ffi.new() calls are unnecessary. >>> >> >> Attaching updated patches. I have added specific versions of librpm >> shared lib to platform specific namespaces. Both of them were tested and >> work. > > You haven't tested on any 32 bit architecture, have you? I'm sure /lib64 > will not work there. 
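Review bot: `Requires: rpm-devel` in the spec hunk is the wrong runtime dependency for code that dlopens librpm.so.7: rpm-devel only adds the unversioned librpm.so symlink, headers and its own -devel dependencies, while the versioned library comes from rpm-libs. Since the dynamic loader resolves the soname, depend on what is actually loaded, i.e. the automatically generated soname provide (`librpm.so.7` on 32-bit, `librpm.so.7()(64bit)` on 64-bit architectures), or at least on rpm-libs. The hunk also drops rpm-python without adding a Requires for the cffi Python package that the new tasks.py code imports according to the commit message; verify it is already pulled in transitively or add it explicitly.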
> > Note that when you dlopen just "librpm.so.$N", the correct path > according to dynamic linker configuration will be used. > >> I have also change dependency to rpm-libs. > > Given librpm is dlopened by full path, I think we should depend directly > on the "librpm.so.$N()" soname rather than rpm-libs. > Updated patches attached. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0123.1-tests-for-package-version-comparison.patch Type: text/x-patch Size: 2622 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0122.2-use-FFI-call-to-rpmvercmp-function-for-version-compa.patch Type: text/x-patch Size: 4369 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-4-2-mbabinsk-0122.2-use-FFI-call-to-rpmvercmp-function-for-version-compa.patch Type: text/x-patch Size: 4111 bytes Desc: not available URL: From mbasti at redhat.com Mon Jan 11 13:48:55 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 11 Jan 2016 14:48:55 +0100
Subject: [Freeipa-devel] [patch 0028] ipatests: Fix configuration problems in dns tests
In-Reply-To: <5693941F.5050609@redhat.com>
References: <568E2118.5060108@redhat.com> <568E2274.7020407@redhat.com> <568E2E9E.7080300@redhat.com> <568E31EE.20405@redhat.com> <56938B6C.5010804@redhat.com> <5693941F.5050609@redhat.com>
Message-ID: <5693B2C7.2070308@redhat.com>

On 11.01.2016 12:38, Martin Basti wrote:
> On 11.01.2016 12:01, Milan Kubík wrote:
>> On 01/07/2016 10:37 AM, Martin Basti wrote:
>>> On 07.01.2016 10:23, Milan Kubík wrote:
>>>> On 01/07/2016 09:31 AM, Oleg Fayans wrote:
>>>>> Hi Milan,
>>>>>
>>>>> As we are eventually going to move to python3, I would make the code
>>>>> python3-compatible:
>>>>>
>>>>> 1. from __future__ import unicode_literals
>>>>> 2. get rid of all u's in front of the strings
>>>>>
>>>>> On the other hand, we can make a separate commit with only
>>>>> py3-related changes.
>>>>>
>>>>> On 01/07/2016 09:26 AM, Milan Kubík wrote:
>>>>>> Fixes problems in tests uncovered by dns check introduced in ipa 4.3
>>>>>>
>>>> I don't think this patch is the right one to do this. I'd rather
>>>> convert the whole module in a separate patch.
>>>>
>>> Python 3.3+ supports 'u' literals again
>>> https://docs.python.org/3.3/whatsnew/3.3.html
>> So the best course of action here is?
>>
> Leave the patch as it is now, LGTM.
> I just need to run tests if it really works.
>
ACK

Pushed to:
master: 1995997071f82509ca4b7e3daca244c49db42208
ipa-4-3: bb81bd06ab423f8e47f4d2dd7a723bf3c914bf9e

From mbasti at redhat.com Mon Jan 11 13:49:44 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 11 Jan 2016 14:49:44 +0100
Subject: [Freeipa-devel] [PATCHES] 0752-0757, 0759 Enable pylint --py3k
In-Reply-To: <568FA169.4030900@redhat.com>
References: <568D2494.9080602@redhat.com> <568FA169.4030900@redhat.com>
Message-ID: <5693B2F8.1060905@redhat.com>

On 08.01.2016 12:45, Petr Viktorin wrote:
> On 01/06/2016 03:28 PM, Petr Viktorin wrote:
>> Hello,
>>
>> Patches 0753-0757 fix remaining warnings from `pylint --py3k`, except
>> "no-absolute-import" (which seems redundant to me) and the ones in
>> contrib/RHEL4.
>> The last patch adds py3k lint check to make-lint. It's a bit
>> cumbersome, since pylint doesn't allow running regular checkers and the
>> py3k ones at the same time, but it allows you to run the check. As for
>> whether to enable --py3k by default, or run it on every package build,
>> I'd like to defer the decision to core devs. (Is CI good enough nowadays
>> to only run it there?)
>>
>> [0] https://www.redhat.com/archives/freeipa-users/2013-July/msg00055.html
> Here's a new version of the patchset, updated to current master.
> The last patch requires 0758 (removing contrib/RHEL4) which is being
> reviewed in another thread.
>
Hello,

I tried the --py3k option and it doesn't print any error; can we enable that check by default to prevent python3 regressions?

    # ./make-lint --py3k
    No config file found, using default configuration

Otherwise code LGTM and works for me, Honza will give you the final ack.

From jdennis at redhat.com Mon Jan 11 14:33:14 2016
From: jdennis at redhat.com (John Dennis) Date: Mon, 11 Jan 2016 09:33:14 -0500 Subject: [Freeipa-devel] import rpm causes failure during IPA caless install In-Reply-To: <20160111065022.GW4316@redhat.com> References: <568FAF6A.3070008@redhat.com> <568FB2D4.4040407@redhat.com> <568FB51E.2030608@redhat.com> <568FB625.6060807@redhat.com> <568FB605.3070909@redhat.com> <568FB827.1010208@redhat.com> <20160108132838.GL4316@redhat.com> <56935011.2030303@redhat.com> <20160111065022.GW4316@redhat.com> Message-ID: <5693BD2A.7090607@redhat.com> On 01/11/2016 01:50 AM, Alexander Bokovoy wrote: > On Mon, 11 Jan 2016, Jan Cholasta wrote: >> On 8.1.2016 14:28, Alexander Bokovoy wrote: >>> On Fri, 08 Jan 2016, Jan Cholasta wrote: >>>>>> I would be surprised if NSS was used in this particular function. >>>>>> >>>>> I will try it >>>> >>>> No NSS here: >>>> >>>> >>>> >>>> >>>> Anyway, the function looks simple, so it might be safer to just >>>> rewrite it to Python, with no new dependencies. >>> Still, we need to be careful in a case where RPM team would decide to >>> upgrade rpm version comparison algorithm. It has been fixed for quite >>> some years (the core wasn't changed since 2008) but occasionally there >>> are additions that expand supported formats like addition of dpkg-style >>> versions in 2012. >> >> I don't think we need to care about that, as we use versioning scheme >> compatible with the original comparison algorithm on "our" platforms. > In that case I'd prefer John's code as it is pure Python and doesn't > have any other dependencies. If you do use it I just noticed a couple of places which do not use good Python style and isn't Py2/Py3 safe (I wrote this shortly after having learned Python many years ago). 
The following lines

    if type(component1) in (int, long):
    if type(component2) in (int, long):
    if type(component2) is str:

should be changed to

    import six

    if isinstance(component1, six.integer_types)
    if isinstance(component2, six.integer_types)
    if isinstance(component2, six.string_types)

--
John

From mbabinsk at redhat.com Mon Jan 11 15:29:58 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 11 Jan 2016 16:29:58 +0100 Subject: [Freeipa-devel] [PATCH 0122-0123] reimplementation of package version comparison code In-Reply-To: <5693ADAF.2030707@redhat.com> References: <568FDCE5.2090701@redhat.com> <20160108162312.GN28363@mail.corp.redhat.com> <568FEA52.2040200@redhat.com> <20160108173053.GP28363@mail.corp.redhat.com> <56934FE4.6080006@redhat.com> <56939CBB.4020905@redhat.com> <5693A78E.4050608@redhat.com> <5693ADAF.2030707@redhat.com> Message-ID: <5693CA76.7050301@redhat.com> On 01/11/2016 02:27 PM, Martin Babinsky wrote: > On 01/11/2016 02:01 PM, Jan Cholasta wrote: >> On 11.1.2016 13:14, Martin Babinsky wrote: >>> On 01/11/2016 07:47 AM, Jan Cholasta wrote: >>>> On 8.1.2016 18:30, Lukas Slebodnik wrote: >>>>> On (08/01/16 17:56), Martin Babinsky wrote: >>>>>> On 01/08/2016 05:23 PM, Lukas Slebodnik wrote: >>>>>>> On (08/01/16 16:59), Martin Babinsky wrote: >>>>>>>> Patch 0122 reimplements version checking and fixes >>>>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>>>> >>>>>>>> Patch 0123 contains unit test for version checking code. >>>>>>>> >>>>>>>> Thanks to Martin^1 for the idea of using CFFI for calling rpm C-API >>>>>>>> directly. >>>>>>>> >>>>>>>> -- >>>>>>>> Martin^3 Babinsky >>>>>>> >>>>>>> >From c7a5d8970d100d071597b4e1d7cef8a27b8cd485 Mon Sep 17 00:00:00 >>>>>>> 2001
>>>>>>>> From: Martin Babinsky >>>>>>>> Date: Fri, 8 Jan 2016 15:54:00 +0100 >>>>>>>> Subject: [PATCH 2/3] tests for package version comparison >>>>>>>> >>>>>>>> These tests will ensure that our package version handling code can >>>>>>>> correctly >>>>>>>> decide when to upgrade IPA master. >>>>>>>> >>>>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>>>> --- >>>>>>>> ipatests/test_ipaserver/test_version_comparsion.py | 47 >>>>>>>> ++++++++++++++++++++++ >>>>>>>> 1 file changed, 47 insertions(+) >>>>>>>> create mode 100644 >>>>>>>> ipatests/test_ipaserver/test_version_comparsion.py >>>>>>>> >>>>>>>> diff --git a/ipatests/test_ipaserver/test_version_comparsion.py >>>>>>>> b/ipatests/test_ipaserver/test_version_comparsion.py >>>>>>>> new file mode 100644 >>>>>>>> index >>>>>>>> 0000000000000000000000000000000000000000..51d069b23ba389ffce39e948cdbc7a1faaa84563 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> --- /dev/null >>>>>>>> +++ b/ipatests/test_ipaserver/test_version_comparsion.py 
>>>>>>>> @@ -0,0 +1,47 @@ >>>>>>>> +# >>>>>>>> +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license >>>>>>>> +# >>>>>>>> + >>>>>>>> +""" >>>>>>>> +tests for correct RPM version comparison >>>>>>>> +""" >>>>>>>> + >>>>>>>> +from ipaplatform.tasks import tasks >>>>>>>> +import pytest >>>>>>>> + >>>>>>>> +version_strings = [ >>>>>>>> + ("3.0.el6", "3.0.0.el6", "older"), >>>>>>>> + ("3.0.0.el6", "3.0.0.el6_8.2", "older"), >>>>>>>> + ("3.0.0-42.el6", "3.0.0.el6", "newer"), >>>>>>>> + ("3.0.0-1", "3.0.0-42", "older"), >>>>>>>> + ("3.0.0-42.el6", "3.3.3.fc20", "older"), >>>>>>>> + ("4.2.0-15.el7", "4.2.0-15.el7_2.3", "older"), >>>>>>>> + ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.3", "equal"), >>>>>>>> + ("4.2.0-1.fc23", "4.2.1.fc23", "older"), >>>>>>>> + ("4.2.3-alpha.fc23", "4.2.3-2.fc23", "older"), # numeric >>>>>>>> version elements have >>>>>>>> + # precedence over >>>>>>>> letters >>>>>>>> + ("4.3.90.201601080923GIT55aeea7-0.fc23", "4.3.0-1.fc23", >>>>>>>> "newer") >>>>>>>> +] >>>>>>>> + >>>>>>>> + >>>>>>>> + at pytest.fixture(params=version_strings) >>>>>>>> +def versions(request): >>>>>>>> + return request.param >>>>>>>> + >>>>>>>> +class TestVersionComparsion(object): >>>>>>>> + >>>>>>>> + def test_versions(self, versions): >>>>>>>> + version_string1, version_string2, expected_comparison = >>>>>>>> versions >>>>>>>> + >>>>>>>> + ver1 = tasks.parse_ipa_version(version_string1) >>>>>>>> + ver2 = tasks.parse_ipa_version(version_string2) >>>>>>>> + >>>>>>>> + if expected_comparison == "newer": >>>>>>>> + assert ver1 > ver2 >>>>>>>> + elif expected_comparison == "older": >>>>>>>> + assert ver1 < ver2 >>>>>>>> + elif expected_comparison == "equal": >>>>>>>> + assert ver1 == ver2 >>>>>>>> + else: >>>>>>>> + raise TypeError( >>>>>>>> + "Unexpected comparison string: {}", >>>>>>>> expected_comparison) >>>>>>>> -- >>>>>>>> 2.5.0 >>>>>>>> >>>>>>> >>>>>>> >From 9677e1a3ca2f5837f1b779780127adf27efa81df Mon Sep 17 00:00:00 >>>>>>> 2001 
>>>>>>>> From: Martin Babinsky >>>>>>>> Date: Fri, 8 Jan 2016 14:17:14 +0100 >>>>>>>> Subject: [PATCH 1/3] use FFI call to rpmvercmp function for version >>>>>>>> comparison >>>>>>>> >>>>>>>> Stop using rpm-python to compare package versions since the >>>>>>>> implicit NSS >>>>>>>> initialization upon the module import breaks NSS handling in IPA >>>>>>>> code. Call >>>>>>>> rpm-libs C-API function via CFFI instead. >>>>>>>> >>>>>>>> Big thanks to Martin Kosek for sharing the code >>>>>>>> snippet >>>>>>>> that spurred this patch. >>>>>>>> >>>>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>>>> --- >>>>>>>> freeipa.spec.in | 2 +- >>>>>>>> ipaplatform/redhat/tasks.py | 59 >>>>>>>> +++++++++++++++++++++------------------------ >>>>>>>> 2 files changed, 29 insertions(+), 32 deletions(-) >>>>>>>> >>>>>>>> diff --git a/freeipa.spec.in b/freeipa.spec.in >>>>>>>> index >>>>>>>> 7e956538d0f6c24bab636579303e0c7b5eeec199..7f31d41d16b2a26b404c277595f0994a21123f80 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> 100644 >>>>>>>> --- a/freeipa.spec.in >>>>>>>> +++ b/freeipa.spec.in 
>>>>>>>> @@ -214,7 +214,7 @@ Requires: python-pyasn1 >>>>>>>> Requires: dbus-python >>>>>>>> Requires: python-dns >= 1.11.1 >>>>>>>> Requires: python-kdcproxy >= 0.3 >>>>>>>> -Requires: rpm-python >>>>>>>> +Requires: rpm-devel >>>>>>> /usr/lib64/librpm.so.7 is provided by package rpm-libs >>>>>>> >>>>>>> >>>>>>> sh$ rpm -qf /usr/lib64/librpm.so.7 >>>>>>> rpm-libs-4.13.0-0.rc1.7.fc23.x86_64 >>>>>>> >>>>>>> It's not very common to depend on devel packages. >>>>>>> >>>>>>> LS >>>>>>> >>>>>> >>>>>> I was basically trying workaround this >>>>>> http://fpaste.org/308652/22677521/ >>>>>> >>>>> rpm-libs contains librpm.so.* >>>>> and cffi is smart enough to load right library with >>>>> C = ffi.dlopen("rpm") >>>> >>>> This likely won't be an issue here, but in general, we should use the >>>> versioned library name to have at least some API/ABI guarantee. If for >>>> example a function we depend on changed signature between versions, we >>>> would crash *hard* when it's called. >>>> >>>>> So it's enough to add "Requires: rpm-libs" >>>>> but it would be almost noop because rpm-libs is everytime available >>>>> od fedora/rhel :-) >>>>> >>>>> "Requires: rpm-devel" >>>>> add unnecessary additional runtime dependencies on pkgconfig, >>>>> popt-devel >>>>> >>>>> >>>>>> librpm.so.7 belongs to rpm-libs and librpm.so to rpm-devel and I was >>>>>> lazy >>>>>> (hey it's friday) to add path to librpm.so.7 to paths and use it i LD >>>>>> loader. >>>>>> If you think that it is not optimal I will fix it, but let's wait for >>>>>> some >>>>>> more feedback. >>>>> Sure wait for another python related comments. >>>> >>>> NACK. The ffi.cdef() and ffi.dlopen() should be in the module scope, >>>> and >>>> the ffi.new() calls are unnecessary. >>>> >>> >>> Attaching updated patches. I have added specific versions of librpm >>> shared lib to platform specific namespaces. Both of them were tested and >>> work. >> >> You haven't tested on any 32 bit architecture, have you? 
I'm sure /lib64 >> will not work there. >> >> Note that when you dlopen just "librpm.so.$N", the correct path >> according to dynamic linker configuration will be used. >> >>> I have also change dependency to rpm-libs. >> >> Given librpm is dlopened by full path, I think we should depend directly >> on the "librpm.so.$N()" soname rather than rpm-libs. >> > > Updated patches attached. > > > Attaching another version. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0123.1-tests-for-package-version-comparison.patch Type: text/x-patch Size: 2622 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0122.3-use-FFI-call-to-rpmvercmp-function-for-version-compa.patch Type: text/x-patch Size: 3887 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-4-2-mbabinsk-0122.3-use-FFI-call-to-rpmvercmp-function-for-version-compa.patch Type: text/x-patch Size: 3629 bytes Desc: not available URL: From mbasti at redhat.com Mon Jan 11 15:36:50 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 11 Jan 2016 16:36:50 +0100 Subject: [Freeipa-devel] Fix ipa-replica-prepare after DNS check patches In-Reply-To: <568FA3C9.1060508@redhat.com> References: <568FA3C9.1060508@redhat.com> Message-ID: <5693CC12.8010307@redhat.com> On 08.01.2016 12:55, David Kupka wrote: > https://fedorahosted.org/freeipa/ticket/5563 > > ACK Pushed to: master: bc6543efae9bb1bf7c5e792e30b1ea396607f57e ipa-4-3: 5e2abd332b1292504dcdcd41972db888eff7296c -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Mon Jan 11 15:47:50 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 11 Jan 2016 16:47:50 +0100
Subject: [Freeipa-devel] [PATCH 0124] ipa-csreplica-manage: remove extraneous ldap2 connection
In-Reply-To: <56939330.6080906@redhat.com>
References: <568FE141.4060200@redhat.com> <568FEF10.4030608@redhat.com> <568FF264.7070708@redhat.com> <56939330.6080906@redhat.com>
Message-ID: <5693CEA6.3050808@redhat.com>

On 11.01.2016 12:34, Martin Kosek wrote:
> On 01/08/2016 06:31 PM, Martin Babinsky wrote:
>> On 01/08/2016 06:17 PM, Martin Basti wrote:
>>> On 08.01.2016 17:18, Martin Babinsky wrote:
>>>> fixes ipa-csreplica-manage del blowing up due
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5583
>>>>
>>>> for master and ipa-4-3 only.
>>>>
>>> Give me patch pleaaaaaaaaaaaaaaaaaaaaaaaase!!
>> Auto-attach plugin would be most welcome.. here's the patch.
> Back in my developer days, I used this script for sending patches :-)
>
> https://github.com/freeipa/freeipa-tools/blob/master/sendpatch.py
>
> This let me (almost never) forget attaching the file(s) in the right format.
>
ACK

From mbasti at redhat.com Mon Jan 11 16:36:16 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 11 Jan 2016 17:36:16 +0100
Subject: [Freeipa-devel] [PATCH] Remove des3/arcfour from default enctypes
In-Reply-To: <1448304575.7892.27.camel@redhat.com>
References: <1448304575.7892.27.camel@redhat.com>
Message-ID: <5693DA00.1060100@redhat.com>

On 23.11.2015 19:49, Simo Sorce wrote:
> Note, this does not touch the trust code because apparently we use only
> arcfour there.
>
> CCing Alexander to give me a comment about that, probably worth opening
> a ticket specific to trusts.
>
> Otherwise addresses #4740
>
> Simo.
>
Patch works for me; if Alexander agrees, I can push it.

From mbasti at redhat.com Mon Jan 11 16:45:10 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 11 Jan 2016 17:45:10 +0100
Subject: [Freeipa-devel] [PATCH 0088] Don't error when find_base() fails if a base is not required
In-Reply-To: <1450106558.23069.29.camel@redhat.com>
References: <1450106558.23069.29.camel@redhat.com>
Message-ID: <5693DC16.4050600@redhat.com>

On 14.12.2015 16:22, Nathaniel McCallum wrote:
> We always have to call find_base() in order to force libldap to open
> the socket. However, if no base is actually required then there is
> no reason to error out if find_base() fails. This condition can arise
> when anonymous binds are disabled.
>
Hello,

IMO this code may result in free(NULL);

    /* Always find the base since this forces open the socket. */
    basetmp = find_base(ldp);
    if (base != NULL) {
        if (basetmp == NULL)
            return ENOTCONN;
        *base = basetmp;
    } else {
        free(basetmp);  <-- here, if both base and basetmp are NULL
    }

From npmccallum at redhat.com Mon Jan 11 16:52:02 2016
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Mon, 11 Jan 2016 11:52:02 -0500
Subject: [Freeipa-devel] [PATCH 0088] Don't error when find_base() fails if a base is not required
In-Reply-To: <5693DC16.4050600@redhat.com>
References: <1450106558.23069.29.camel@redhat.com> <5693DC16.4050600@redhat.com>
Message-ID: <1452531122.3827.33.camel@redhat.com>

On Mon, 2016-01-11 at 17:45 +0100, Martin Basti wrote:
> On 14.12.2015 16:22, Nathaniel McCallum wrote:
> > We always have to call find_base() in order to force libldap to open
> > the socket. However, if no base is actually required then there is
> > no reason to error out if find_base() fails. This condition can arise
> > when anonymous binds are disabled.
> >
> Hello,
>
> IMO this code may result in free(NULL);
>
>     /* Always find the base since this forces open the socket. */
>     basetmp = find_base(ldp);
>     if (base != NULL) {
>         if (basetmp == NULL)
>             return ENOTCONN;
>         *base = basetmp;
>     } else {
>         free(basetmp);  <-- here, if both base and basetmp are NULL
>     }

From the man page for free(): "If ptr is NULL, no operation is performed."

Nathaniel

From jcholast at redhat.com Mon Jan 11 16:58:28 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 11 Jan 2016 17:58:28 +0100 Subject: [Freeipa-devel] [PATCH 0122-0123] reimplementation of package version comparison code In-Reply-To: <5693CA76.7050301@redhat.com> References: <568FDCE5.2090701@redhat.com> <20160108162312.GN28363@mail.corp.redhat.com> <568FEA52.2040200@redhat.com> <20160108173053.GP28363@mail.corp.redhat.com> <56934FE4.6080006@redhat.com> <56939CBB.4020905@redhat.com> <5693A78E.4050608@redhat.com> <5693ADAF.2030707@redhat.com> <5693CA76.7050301@redhat.com> Message-ID: <5693DF34.1080505@redhat.com> On 11.1.2016 16:29, Martin Babinsky wrote: > On 01/11/2016 02:27 PM, Martin Babinsky wrote: >> On 01/11/2016 02:01 PM, Jan Cholasta wrote: >>> On 11.1.2016 13:14, Martin Babinsky wrote: >>>> On 01/11/2016 07:47 AM, Jan Cholasta wrote: >>>>> On 8.1.2016 18:30, Lukas Slebodnik wrote: >>>>>> On (08/01/16 17:56), Martin Babinsky wrote: >>>>>>> On 01/08/2016 05:23 PM, Lukas Slebodnik wrote: >>>>>>>> On (08/01/16 16:59), Martin Babinsky wrote: >>>>>>>>> Patch 0122 reimplements version checking and fixes >>>>>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>>>>> >>>>>>>>> Patch 0123 contains unit test for version checking code. >>>>>>>>> >>>>>>>>> Thanks to Martin^1 for the idea of using CFFI for calling rpm >>>>>>>>> C-API >>>>>>>>> directly. >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Martin^3 Babinsky >>>>>>>> >>>>>>>> >From c7a5d8970d100d071597b4e1d7cef8a27b8cd485 Mon Sep 17 00:00:00 >>>>>>>> 2001 
>>>>>>>>> From: Martin Babinsky >>>>>>>>> Date: Fri, 8 Jan 2016 15:54:00 +0100 >>>>>>>>> Subject: [PATCH 2/3] tests for package version comparison >>>>>>>>> >>>>>>>>> These tests will ensure that our package version handling code can >>>>>>>>> correctly >>>>>>>>> decide when to upgrade IPA master. >>>>>>>>> >>>>>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>>>>> --- >>>>>>>>> ipatests/test_ipaserver/test_version_comparsion.py | 47 >>>>>>>>> ++++++++++++++++++++++ >>>>>>>>> 1 file changed, 47 insertions(+) >>>>>>>>> create mode 100644 >>>>>>>>> ipatests/test_ipaserver/test_version_comparsion.py >>>>>>>>> >>>>>>>>> diff --git a/ipatests/test_ipaserver/test_version_comparsion.py >>>>>>>>> b/ipatests/test_ipaserver/test_version_comparsion.py >>>>>>>>> new file mode 100644 >>>>>>>>> index >>>>>>>>> 0000000000000000000000000000000000000000..51d069b23ba389ffce39e948cdbc7a1faaa84563 >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> --- /dev/null >>>>>>>>> +++ b/ipatests/test_ipaserver/test_version_comparsion.py 
>>>>>>>>> @@ -0,0 +1,47 @@ >>>>>>>>> +# >>>>>>>>> +# Copyright (C) 2015 FreeIPA Contributors see COPYING for >>>>>>>>> license >>>>>>>>> +# >>>>>>>>> + >>>>>>>>> +""" >>>>>>>>> +tests for correct RPM version comparison >>>>>>>>> +""" >>>>>>>>> + >>>>>>>>> +from ipaplatform.tasks import tasks >>>>>>>>> +import pytest >>>>>>>>> + >>>>>>>>> +version_strings = [ >>>>>>>>> + ("3.0.el6", "3.0.0.el6", "older"), >>>>>>>>> + ("3.0.0.el6", "3.0.0.el6_8.2", "older"), >>>>>>>>> + ("3.0.0-42.el6", "3.0.0.el6", "newer"), >>>>>>>>> + ("3.0.0-1", "3.0.0-42", "older"), >>>>>>>>> + ("3.0.0-42.el6", "3.3.3.fc20", "older"), >>>>>>>>> + ("4.2.0-15.el7", "4.2.0-15.el7_2.3", "older"), >>>>>>>>> + ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.3", "equal"), >>>>>>>>> + ("4.2.0-1.fc23", "4.2.1.fc23", "older"), >>>>>>>>> + ("4.2.3-alpha.fc23", "4.2.3-2.fc23", "older"), # numeric >>>>>>>>> version elements have >>>>>>>>> + # precedence over >>>>>>>>> letters >>>>>>>>> + ("4.3.90.201601080923GIT55aeea7-0.fc23", "4.3.0-1.fc23", >>>>>>>>> "newer") >>>>>>>>> +] >>>>>>>>> + >>>>>>>>> + >>>>>>>>> + at pytest.fixture(params=version_strings) >>>>>>>>> +def versions(request): >>>>>>>>> + return request.param >>>>>>>>> + >>>>>>>>> +class TestVersionComparsion(object): >>>>>>>>> + >>>>>>>>> + def test_versions(self, versions): >>>>>>>>> + version_string1, version_string2, expected_comparison = >>>>>>>>> versions >>>>>>>>> + >>>>>>>>> + ver1 = tasks.parse_ipa_version(version_string1) >>>>>>>>> + ver2 = tasks.parse_ipa_version(version_string2) >>>>>>>>> + >>>>>>>>> + if expected_comparison == "newer": >>>>>>>>> + assert ver1 > ver2 >>>>>>>>> + elif expected_comparison == "older": >>>>>>>>> + assert ver1 < ver2 >>>>>>>>> + elif expected_comparison == "equal": >>>>>>>>> + assert ver1 == ver2 >>>>>>>>> + else: >>>>>>>>> + raise TypeError( >>>>>>>>> + "Unexpected comparison string: {}", >>>>>>>>> expected_comparison) >>>>>>>>> -- >>>>>>>>> 2.5.0 >>>>>>>>> >>>>>>>> 
>>>>>>>> >From 9677e1a3ca2f5837f1b779780127adf27efa81df Mon Sep 17 00:00:00 >>>>>>>> 2001 >>>>>>>>> From: Martin Babinsky >>>>>>>>> Date: Fri, 8 Jan 2016 14:17:14 +0100 >>>>>>>>> Subject: [PATCH 1/3] use FFI call to rpmvercmp function for >>>>>>>>> version >>>>>>>>> comparison >>>>>>>>> >>>>>>>>> Stop using rpm-python to compare package versions since the >>>>>>>>> implicit NSS >>>>>>>>> initialization upon the module import breaks NSS handling in IPA >>>>>>>>> code. Call >>>>>>>>> rpm-libs C-API function via CFFI instead. >>>>>>>>> >>>>>>>>> Big thanks to Martin Kosek for sharing the >>>>>>>>> code >>>>>>>>> snippet >>>>>>>>> that spurred this patch. >>>>>>>>> >>>>>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>>>>> --- >>>>>>>>> freeipa.spec.in | 2 +- >>>>>>>>> ipaplatform/redhat/tasks.py | 59 >>>>>>>>> +++++++++++++++++++++------------------------ >>>>>>>>> 2 files changed, 29 insertions(+), 32 deletions(-) >>>>>>>>> >>>>>>>>> diff --git a/freeipa.spec.in b/freeipa.spec.in >>>>>>>>> index >>>>>>>>> 7e956538d0f6c24bab636579303e0c7b5eeec199..7f31d41d16b2a26b404c277595f0994a21123f80 >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> 100644 >>>>>>>>> --- a/freeipa.spec.in >>>>>>>>> +++ b/freeipa.spec.in 
>>>>>>>>> @@ -214,7 +214,7 @@ Requires: python-pyasn1 >>>>>>>>> Requires: dbus-python >>>>>>>>> Requires: python-dns >= 1.11.1 >>>>>>>>> Requires: python-kdcproxy >= 0.3 >>>>>>>>> -Requires: rpm-python >>>>>>>>> +Requires: rpm-devel >>>>>>>> /usr/lib64/librpm.so.7 is provided by package rpm-libs >>>>>>>> >>>>>>>> >>>>>>>> sh$ rpm -qf /usr/lib64/librpm.so.7 >>>>>>>> rpm-libs-4.13.0-0.rc1.7.fc23.x86_64 >>>>>>>> >>>>>>>> It's not very common to depend on devel packages. >>>>>>>> >>>>>>>> LS >>>>>>>> >>>>>>> >>>>>>> I was basically trying workaround this >>>>>>> http://fpaste.org/308652/22677521/ >>>>>>> >>>>>> rpm-libs contains librpm.so.* >>>>>> and cffi is smart enough to load right library with >>>>>> C = ffi.dlopen("rpm") >>>>> >>>>> This likely won't be an issue here, but in general, we should use the >>>>> versioned library name to have at least some API/ABI guarantee. If for >>>>> example a function we depend on changed signature between versions, we >>>>> would crash *hard* when it's called. >>>>> >>>>>> So it's enough to add "Requires: rpm-libs" >>>>>> but it would be almost noop because rpm-libs is everytime available >>>>>> od fedora/rhel :-) >>>>>> >>>>>> "Requires: rpm-devel" >>>>>> add unnecessary additional runtime dependencies on pkgconfig, >>>>>> popt-devel >>>>>> >>>>>> >>>>>>> librpm.so.7 belongs to rpm-libs and librpm.so to rpm-devel and I was >>>>>>> lazy >>>>>>> (hey it's friday) to add path to librpm.so.7 to paths and use it >>>>>>> i LD >>>>>>> loader. >>>>>>> If you think that it is not optimal I will fix it, but let's wait >>>>>>> for >>>>>>> some >>>>>>> more feedback. >>>>>> Sure wait for another python related comments. >>>>> >>>>> NACK. The ffi.cdef() and ffi.dlopen() should be in the module scope, >>>>> and >>>>> the ffi.new() calls are unnecessary. >>>>> >>>> >>>> Attaching updated patches. I have added specific versions of librpm >>>> shared lib to platform specific namespaces. Both of them were tested >>>> and >>>> work. 
>>>
>>> You haven't tested on any 32 bit architecture, have you? I'm sure /lib64
>>> will not work there.
>>>
>>> Note that when you dlopen just "librpm.so.$N", the correct path
>>> according to dynamic linker configuration will be used.
>>>
>>>> I have also changed the dependency to rpm-libs.
>>>
>>> Given librpm is dlopened by full path, I think we should depend directly
>>> on the "librpm.so.$N()" soname rather than rpm-libs.
>>>
>>
>> Updated patches attached.
>>
>>
>>
> Attaching another version.

Patch 0122: ACK

Pushed to:
master: 7cd99e852053710c64dcb66cd5b15fc8ed4da5de
ipa-4-2: be9af721536b7c05e2ba5ffd7d72cc3727d64ff5
ipa-4-3: 6b6a11fda76e70d390d5c55f3aaeba8f455458c0

Patch 0123: LGTM

-- 
Jan Cholasta

From mbasti at redhat.com Mon Jan 11 17:05:39 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 11 Jan 2016 18:05:39 +0100
Subject: [Freeipa-devel] [PATCH 0088] Don't error when find_base() fails if a base is not required
In-Reply-To: <1452531122.3827.33.camel@redhat.com>
References: <1450106558.23069.29.camel@redhat.com> <5693DC16.4050600@redhat.com> <1452531122.3827.33.camel@redhat.com>
Message-ID: <5693E0E3.3070909@redhat.com>

On 11.01.2016 17:52, Nathaniel McCallum wrote:
> On Mon, 2016-01-11 at 17:45 +0100, Martin Basti wrote:
>>
>> On 14.12.2015 16:22, Nathaniel McCallum wrote:
>>> We always have to call find_base() in order to force libldap to open
>>> the socket. However, if no base is actually required then there is
>>> no reason to error out if find_base() fails. This condition can arise
>>> when anonymous binds are disabled.
>>>
>>>
>> Hello,
>>
>> IMO this code may result in free(NULL);
>>
>>     /* Always find the base since this forces open the socket. */
>>     basetmp = find_base(ldp);
>>     if (base != NULL) {
>>         if (basetmp == NULL)
>>             return ENOTCONN;
>>         *base = basetmp;
>>     } else {
>>         free(basetmp);   <-- here, if both base and basetmp are NULL
>>     }
> From the man page for free(): "If ptr is NULL, no operation is
> performed."
>
> Nathaniel

Sorry, my bad.

ACK

From mbasti at redhat.com Mon Jan 11 17:38:44 2016
From: mbasti at redhat.com (Martin Basti) Date: Mon, 11 Jan 2016 18:38:44 +0100 Subject: [Freeipa-devel] [PATCH 0122-0123] reimplementation of package version comparison code In-Reply-To: <5693DF34.1080505@redhat.com> References: <568FDCE5.2090701@redhat.com> <20160108162312.GN28363@mail.corp.redhat.com> <568FEA52.2040200@redhat.com> <20160108173053.GP28363@mail.corp.redhat.com> <56934FE4.6080006@redhat.com> <56939CBB.4020905@redhat.com> <5693A78E.4050608@redhat.com> <5693ADAF.2030707@redhat.com> <5693CA76.7050301@redhat.com> <5693DF34.1080505@redhat.com> Message-ID: <5693E8A4.20901@redhat.com> On 11.01.2016 17:58, Jan Cholasta wrote: > On 11.1.2016 16:29, Martin Babinsky wrote: >> On 01/11/2016 02:27 PM, Martin Babinsky wrote: >>> On 01/11/2016 02:01 PM, Jan Cholasta wrote: >>>> On 11.1.2016 13:14, Martin Babinsky wrote: >>>>> On 01/11/2016 07:47 AM, Jan Cholasta wrote: >>>>>> On 8.1.2016 18:30, Lukas Slebodnik wrote: >>>>>>> On (08/01/16 17:56), Martin Babinsky wrote: >>>>>>>> On 01/08/2016 05:23 PM, Lukas Slebodnik wrote: >>>>>>>>> On (08/01/16 16:59), Martin Babinsky wrote: >>>>>>>>>> Patch 0122 reimplements version checking and fixes >>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>>>>>> >>>>>>>>>> Patch 0123 contains unit test for version checking code. >>>>>>>>>> >>>>>>>>>> Thanks to Martin^1 for the idea of using CFFI for calling rpm >>>>>>>>>> C-API >>>>>>>>>> directly. >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Martin^3 Babinsky >>>>>>>>> >>>>>>>>> >From c7a5d8970d100d071597b4e1d7cef8a27b8cd485 Mon Sep 17 >>>>>>>>> 00:00:00 >>>>>>>>> 2001 
>>>>>>>>>> From: Martin Babinsky >>>>>>>>>> Date: Fri, 8 Jan 2016 15:54:00 +0100 >>>>>>>>>> Subject: [PATCH 2/3] tests for package version comparison >>>>>>>>>> >>>>>>>>>> These tests will ensure that our package version handling >>>>>>>>>> code can >>>>>>>>>> correctly >>>>>>>>>> decide when to upgrade IPA master. >>>>>>>>>> >>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>>>>>> --- >>>>>>>>>> ipatests/test_ipaserver/test_version_comparsion.py | 47 >>>>>>>>>> ++++++++++++++++++++++ >>>>>>>>>> 1 file changed, 47 insertions(+) >>>>>>>>>> create mode 100644 >>>>>>>>>> ipatests/test_ipaserver/test_version_comparsion.py >>>>>>>>>> >>>>>>>>>> diff --git a/ipatests/test_ipaserver/test_version_comparsion.py >>>>>>>>>> b/ipatests/test_ipaserver/test_version_comparsion.py >>>>>>>>>> new file mode 100644 >>>>>>>>>> index >>>>>>>>>> 0000000000000000000000000000000000000000..51d069b23ba389ffce39e948cdbc7a1faaa84563 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> --- /dev/null >>>>>>>>>> +++ b/ipatests/test_ipaserver/test_version_comparsion.py 
>>>>>>>>>> @@ -0,0 +1,47 @@ >>>>>>>>>> +# >>>>>>>>>> +# Copyright (C) 2015 FreeIPA Contributors see COPYING for >>>>>>>>>> license >>>>>>>>>> +# >>>>>>>>>> + >>>>>>>>>> +""" >>>>>>>>>> +tests for correct RPM version comparison >>>>>>>>>> +""" >>>>>>>>>> + >>>>>>>>>> +from ipaplatform.tasks import tasks >>>>>>>>>> +import pytest >>>>>>>>>> + >>>>>>>>>> +version_strings = [ >>>>>>>>>> + ("3.0.el6", "3.0.0.el6", "older"), >>>>>>>>>> + ("3.0.0.el6", "3.0.0.el6_8.2", "older"), >>>>>>>>>> + ("3.0.0-42.el6", "3.0.0.el6", "newer"), >>>>>>>>>> + ("3.0.0-1", "3.0.0-42", "older"), >>>>>>>>>> + ("3.0.0-42.el6", "3.3.3.fc20", "older"), >>>>>>>>>> + ("4.2.0-15.el7", "4.2.0-15.el7_2.3", "older"), >>>>>>>>>> + ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.3", "equal"), >>>>>>>>>> + ("4.2.0-1.fc23", "4.2.1.fc23", "older"), >>>>>>>>>> + ("4.2.3-alpha.fc23", "4.2.3-2.fc23", "older"), # numeric >>>>>>>>>> version elements have >>>>>>>>>> + # precedence over >>>>>>>>>> letters >>>>>>>>>> + ("4.3.90.201601080923GIT55aeea7-0.fc23", "4.3.0-1.fc23", >>>>>>>>>> "newer") >>>>>>>>>> +] >>>>>>>>>> + >>>>>>>>>> + >>>>>>>>>> + at pytest.fixture(params=version_strings) >>>>>>>>>> +def versions(request): >>>>>>>>>> + return request.param >>>>>>>>>> + >>>>>>>>>> +class TestVersionComparsion(object): >>>>>>>>>> + >>>>>>>>>> + def test_versions(self, versions): >>>>>>>>>> + version_string1, version_string2, expected_comparison = >>>>>>>>>> versions >>>>>>>>>> + >>>>>>>>>> + ver1 = tasks.parse_ipa_version(version_string1) >>>>>>>>>> + ver2 = tasks.parse_ipa_version(version_string2) >>>>>>>>>> + >>>>>>>>>> + if expected_comparison == "newer": >>>>>>>>>> + assert ver1 > ver2 >>>>>>>>>> + elif expected_comparison == "older": >>>>>>>>>> + assert ver1 < ver2 >>>>>>>>>> + elif expected_comparison == "equal": >>>>>>>>>> + assert ver1 == ver2 >>>>>>>>>> + else: >>>>>>>>>> + raise TypeError( >>>>>>>>>> + "Unexpected comparison string: {}", >>>>>>>>>> expected_comparison) >>>>>>>>>> -- >>>>>>>>>> 2.5.0 >>>>>>>>>> 
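Review bot: the `else` branch's `raise TypeError("Unexpected comparison string: {}", expected_comparison)` never calls `.format()`, so the `{}` placeholder is left uninterpolated and the value becomes a second, unrelated exception argument; write `"Unexpected comparison string: {}".format(expected_comparison)` (and `ValueError` describes a bad string value better than `TypeError`). The new file name `test_version_comparsion.py` and the class `TestVersionComparsion` both misspell "comparison"; fixing them now avoids a rename later. The decorator line shows here as `+ at pytest.fixture(...)`, which is the list archive's address munging of `@pytest.fixture`, not a defect in the patch.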
>>>>>>>>> >>>>>>>>> >From 9677e1a3ca2f5837f1b779780127adf27efa81df Mon Sep 17 >>>>>>>>> 00:00:00 >>>>>>>>> 2001 >>>>>>>>>> From: Martin Babinsky >>>>>>>>>> Date: Fri, 8 Jan 2016 14:17:14 +0100 >>>>>>>>>> Subject: [PATCH 1/3] use FFI call to rpmvercmp function for >>>>>>>>>> version >>>>>>>>>> comparison >>>>>>>>>> >>>>>>>>>> Stop using rpm-python to compare package versions since the >>>>>>>>>> implicit NSS >>>>>>>>>> initialization upon the module import breaks NSS handling in >>>>>>>>>> IPA >>>>>>>>>> code. Call >>>>>>>>>> rpm-libs C-API function via CFFI instead. >>>>>>>>>> >>>>>>>>>> Big thanks to Martin Kosek for sharing the >>>>>>>>>> code >>>>>>>>>> snippet >>>>>>>>>> that spurred this patch. >>>>>>>>>> >>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>>>>>> --- >>>>>>>>>> freeipa.spec.in | 2 +- >>>>>>>>>> ipaplatform/redhat/tasks.py | 59 >>>>>>>>>> +++++++++++++++++++++------------------------ >>>>>>>>>> 2 files changed, 29 insertions(+), 32 deletions(-) >>>>>>>>>> >>>>>>>>>> diff --git a/freeipa.spec.in b/freeipa.spec.in >>>>>>>>>> index >>>>>>>>>> 7e956538d0f6c24bab636579303e0c7b5eeec199..7f31d41d16b2a26b404c277595f0994a21123f80 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> 100644 >>>>>>>>>> --- a/freeipa.spec.in >>>>>>>>>> +++ b/freeipa.spec.in 
>>>>>>>>>> @@ -214,7 +214,7 @@ Requires: python-pyasn1 >>>>>>>>>> Requires: dbus-python >>>>>>>>>> Requires: python-dns >= 1.11.1 >>>>>>>>>> Requires: python-kdcproxy >= 0.3 >>>>>>>>>> -Requires: rpm-python >>>>>>>>>> +Requires: rpm-devel >>>>>>>>> /usr/lib64/librpm.so.7 is provided by package rpm-libs >>>>>>>>> >>>>>>>>> >>>>>>>>> sh$ rpm -qf /usr/lib64/librpm.so.7 >>>>>>>>> rpm-libs-4.13.0-0.rc1.7.fc23.x86_64 >>>>>>>>> >>>>>>>>> It's not very common to depend on devel packages. >>>>>>>>> >>>>>>>>> LS >>>>>>>>> >>>>>>>> >>>>>>>> I was basically trying workaround this >>>>>>>> http://fpaste.org/308652/22677521/ >>>>>>>> >>>>>>> rpm-libs contains librpm.so.* >>>>>>> and cffi is smart enough to load right library with >>>>>>> C = ffi.dlopen("rpm") >>>>>> >>>>>> This likely won't be an issue here, but in general, we should use >>>>>> the >>>>>> versioned library name to have at least some API/ABI guarantee. >>>>>> If for >>>>>> example a function we depend on changed signature between >>>>>> versions, we >>>>>> would crash *hard* when it's called. >>>>>> >>>>>>> So it's enough to add "Requires: rpm-libs" >>>>>>> but it would be almost noop because rpm-libs is everytime available >>>>>>> od fedora/rhel :-) >>>>>>> >>>>>>> "Requires: rpm-devel" >>>>>>> add unnecessary additional runtime dependencies on pkgconfig, >>>>>>> popt-devel >>>>>>> >>>>>>> >>>>>>>> librpm.so.7 belongs to rpm-libs and librpm.so to rpm-devel and >>>>>>>> I was >>>>>>>> lazy >>>>>>>> (hey it's friday) to add path to librpm.so.7 to paths and use it >>>>>>>> i LD >>>>>>>> loader. >>>>>>>> If you think that it is not optimal I will fix it, but let's wait >>>>>>>> for >>>>>>>> some >>>>>>>> more feedback. >>>>>>> Sure wait for another python related comments. >>>>>> >>>>>> NACK. The ffi.cdef() and ffi.dlopen() should be in the module scope, >>>>>> and >>>>>> the ffi.new() calls are unnecessary. >>>>>> >>>>> >>>>> Attaching updated patches. 
>>>>> I have added specific versions of librpm
>>>>> shared lib to platform specific namespaces. Both of them were tested
>>>>> and work.
>>>>
>>>> You haven't tested on any 32 bit architecture, have you? I'm sure
>>>> /lib64 will not work there.
>>>>
>>>> Note that when you dlopen just "librpm.so.$N", the correct path
>>>> according to dynamic linker configuration will be used.
>>>>
>>>>> I have also changed the dependency to rpm-libs.
>>>>
>>>> Given librpm is dlopened by full path, I think we should depend
>>>> directly on the "librpm.so.$N()" soname rather than rpm-libs.
>>>>
>>>
>>> Updated patches attached.
>>>
>>>
>>>
>> Attaching another version.
>
> Patch 0122: ACK
>
> Pushed to:
> master: 7cd99e852053710c64dcb66cd5b15fc8ed4da5de
> ipa-4-2: be9af721536b7c05e2ba5ffd7d72cc3727d64ff5
> ipa-4-3: 6b6a11fda76e70d390d5c55f3aaeba8f455458c0
>
> Patch 0123: LGTM
>

Patch 0123:

+            raise TypeError(
+                "Unexpected comparison string: {}", expected_comparison)

Did you mean:

            raise TypeError(
                "Unexpected comparison string: {}".format(expected_comparison))

?

From jcholast at redhat.com Tue Jan 12 06:49:15 2016
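The comparison semantics the patch 0123 vectors exercise, as an added reference example that is not FreeIPA's code (the project calls librpm's rpmvercmp() through CFFI, as patch 0122 does): a pure-Python model of the segment rules in rpm's rpmvercmp.c, checked against the version pairs quoted above. It assumes those documented rules (ASCII digit and letter segments, numeric beats alphabetic, leading zeros ignored, `~` sorts before everything); the `Version` wrapper and `check_vectors` helper are names chosen here.

```python
"""Pure-Python model of librpm's rpmvercmp(), added as a reference for the
version pairs in patch 0123.  FreeIPA itself calls the C function via
CFFI; this is not that code."""

import string
from functools import total_ordering

_DIGITS = frozenset(string.digits)         # rpm uses ASCII isdigit()
_ALPHA = frozenset(string.ascii_letters)   # rpm uses ASCII isalpha()


def rpmvercmp(a, b):
    """Return -1, 0 or 1 as ``a`` is older than, equal to or newer than ``b``.

    Rules modelled on rpm's rpmvercmp.c:
    * characters that are neither ASCII alphanumerics nor '~' only
      separate segments ('.', '-', '_' are all equivalent);
    * a segment is a run of digits or a run of letters, never mixed;
    * a numeric segment is newer than an alphabetic one ("2" > "alpha");
    * numeric segments compare by value, leading zeros dropped;
    * alphabetic segments compare as plain ASCII strings;
    * if one string ends first, the longer one is newer;
    * '~' sorts before anything, including end of string (pre-releases).
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators; '~' is significant and must not be skipped.
        while i < len(a) and a[i] not in _DIGITS | _ALPHA and a[i] != "~":
            i += 1
        while j < len(b) and b[j] not in _DIGITS | _ALPHA and b[j] != "~":
            j += 1
        tilde_a = i < len(a) and a[i] == "~"
        tilde_b = j < len(b) and b[j] == "~"
        if tilde_a or tilde_b:
            if not tilde_a:
                return 1        # b is a pre-release of something, a is not
            if not tilde_b:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Cut the next segment of each side using a's type (digits or letters).
        isnum = a[i] in _DIGITS
        kind = _DIGITS if isnum else _ALPHA
        i2 = i
        while i2 < len(a) and a[i2] in kind:
            i2 += 1
        j2 = j
        while j2 < len(b) and b[j2] in kind:
            j2 += 1
        seg_a, seg_b = a[i:i2], b[j:j2]
        if not seg_b:
            # Mixed types at this position: numeric always beats alphabetic.
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):      # more digits means larger
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = i2, j2
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1       # whoever has characters left wins


@total_ordering
class Version(object):
    """Wrap a version-release string so Python operators use rpmvercmp()."""

    def __init__(self, text):
        self.text = text

    def __eq__(self, other):
        return rpmvercmp(self.text, other.text) == 0

    def __lt__(self, other):
        return rpmvercmp(self.text, other.text) < 0


# Version pairs copied from patch 0123 in the thread above, with the
# expected relation of the first string to the second.
PAGE_VECTORS = [
    ("3.0.el6", "3.0.0.el6", "older"),
    ("3.0.0.el6", "3.0.0.el6_8.2", "older"),
    ("3.0.0-42.el6", "3.0.0.el6", "newer"),
    ("3.0.0-1", "3.0.0-42", "older"),
    ("3.0.0-42.el6", "3.3.3.fc20", "older"),
    ("4.2.0-15.el7", "4.2.0-15.el7_2.3", "older"),
    ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.3", "equal"),
    ("4.2.0-1.fc23", "4.2.1.fc23", "older"),
    ("4.2.3-alpha.fc23", "4.2.3-2.fc23", "older"),
    ("4.3.90.201601080923GIT55aeea7-0.fc23", "4.3.0-1.fc23", "newer"),
]


def check_vectors(vectors=PAGE_VECTORS):
    """Return (a, b, expected, got) for every pair that disagrees with
    rpmvercmp(); an empty list means all pairs compared as expected."""
    names = {-1: "older", 0: "equal", 1: "newer"}
    return [(a, b, want, names[rpmvercmp(a, b)])
            for a, b, want in vectors if names[rpmvercmp(a, b)] != want]


if __name__ == "__main__":
    print("mismatches:", check_vectors())
```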
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 12 Jan 2016 07:49:15 +0100
Subject: [Freeipa-devel] certmonger everywhere
In-Reply-To: <568D2B0A.9010309@redhat.com>
References: <566FC72B.3050406@redhat.com> <56703075.7040108@redhat.com> <20151216004006.GK23644@dhcp-40-8.bne.redhat.com> <56710E17.9060706@redhat.com> <568AC0A2.6020202@redhat.com> <568D1493.3070903@redhat.com> <568D2B0A.9010309@redhat.com>
Message-ID: <5694A1EB.7070301@redhat.com>

On 6.1.2016 15:56, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> On 4.1.2016 19:57, Rob Crittenden wrote:
>>> I guess this would work but I think you'd have quite a difficult time
>>> returning usable error messages to a user (and they are pretty bad now
>>> in cert-request).
>>
>> I don't see why, error messages can be easily passed between all the
>> involved interfaces.
>
> The current messages aren't great but at least with some amount of
> google-fu one can discover what the current ones mean. The certmonger
> messages tend to be just "can't talk to http://...:9180/... and a
> semi-documented status code.

I agree bad error messages should be improved, but that's completely
orthogonal to my proposal.

>
>>> I assume that a CSR can be seeded into the certmonger request process
>>> but I've never tried it myself. Do you know if it works?
>>>
>>> I really wonder how the case of delayed issuance would be handled. Would
>>> you leave the server-side certmonger request to idle until the second
>>> step was handled? Wouldn't this have the potential to have an
>>> unmanageable number of certmonger requests? It gets confusing enough for
>>> users for the 8 typical tracked certs, what about hundreds?
>>
>> See step 8: there won't be any new certmonger requests, everything will
>> be forwarded directly to the proper certmonger CA helper using a new
>> D-Bus call.
>
> Ok, I read it as creating a request via the D-Bus call. Makes me wonder
> what this means for masters that don't run CA.

I don't think there are any behavior changes needed for masters without CA.

>
>>>
>>> If you want to eventually use the requestors credentials won't this
>>> require a pretty big change in certmonger to be able to use passed-in
>>> credentials?
>>
>> Yes, I guess. However, we can use the current Dogtag backend for our CA
>> and certmonger for other CAs until that is implemented.
>>
>>> How will those work in the two-step case?
>>
>> What do you mean?
>
> This question was based on my misunderstanding how certmonger would be
> called via D-Bus. You'd have had to correlate a status request with an
> existing certmonger request in some way, but since you aren't creating
> one it's a no-op.

Right.

>
> I think this is interesting in theory but I fear it is going to make a
> complex process even more complex.

It will add some complexity wrt credential forwarding to certmonger, but
besides that, it should actually reduce complexity - the goal of this is
to maximize code reuse, to the point where there is only *one* code path
for requesting certificates.

>
> It does raise the interesting possibility of removing the need to store
> the RA credentials in the Apache NSS database and to me that is the
> bigger win.

This will be done one way or another, see .

-- 
Jan Cholasta

From mbasti at redhat.com Tue Jan 12 08:32:49 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 12 Jan 2016 09:32:49 +0100
Subject: [Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python
In-Reply-To: <568E646C.6070003@redhat.com>
References: <568E26DF.6090507@redhat.com> <568E646C.6070003@redhat.com>
Message-ID: <5694BA31.8010804@redhat.com>

On 07.01.2016 14:13, Jan Cholasta wrote:
> On 7.1.2016 09:50, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch ports the _ipap11helper module to python-cffi.
>>
>> Combined with my patch 536 [1], this makes ipapython architecture
>> independent.
>
> Updated patch attached.
>
>
>
I tried to run DNSSEC tests and it failed unexpectedly:

Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: Connected
Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: replica pub keys in LDAP: set(['0x51df7c70b9869a7dd2bbd27335dba3f8', '0xd8538e634797420ca86cda420234443c'])
Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: replica pub keys in SoftHSM: set(['0x51df7c70b9869a7dd2bbd27335dba3f8', '0x1f7241a64d69ced6c0a14f6999410c59'])
Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: new replica keys in LDAP: set(['0xd8538e634797420ca86cda420234443c'])
Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: label=dnssec-replica:replica1.ipa.test., id=d8538e634797420ca86cda420234443c, data=30820122300d06092a864886f70d01010105
Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: Traceback (most recent call last):
Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:   File "/usr/libexec/ipa/ipa-ods-exporter", line 664, in
Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:     ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:   File "/usr/libexec/ipa/ipa-ods-exporter", line 313, in ldap2master_replica_keys_sync
Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:     localhsm.import_public_key(new_key_ldap, new_key_ldap['ipapublickey'])
Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:   File "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py", line 173, in import_public_key
Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:     h = self.p11.import_public_key(**params)
Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:   File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1498, in import_public_key
Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:     pkey = d2i_PUBKEY(NULL, data_ptr, data_length)
Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: TypeError: 'int(*)(EVP_PKEY *, unsigned char * *)' expects 2 arguments, got 3
Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: Main process exited, code=exited, status=1/FAILURE
Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: Unit entered failed state.
Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: Failed with result 'exit-code'.

I haven't seen any other errors

From jcholast at redhat.com Tue Jan 12 09:19:28 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 12 Jan 2016 10:19:28 +0100
Subject: [Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python
In-Reply-To: <5694BA31.8010804@redhat.com>
References: <568E26DF.6090507@redhat.com> <568E646C.6070003@redhat.com> <5694BA31.8010804@redhat.com>
Message-ID: <5694C520.2060905@redhat.com>

On 12.1.2016 09:32, Martin Basti wrote:
>
>
> On 07.01.2016 14:13, Jan Cholasta wrote:
>> On 7.1.2016 09:50, Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patch ports the _ipap11helper module to python-cffi.
>>>
>>> Combined with my patch 536 [1], this makes ipapython architecture
>>> independent.
>>
>> Updated patch attached.
>>
>>
>>
> I tried to run DNSSEC tests and it failed unexpectedly:
>
> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: Connected
> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: replica pub keys in LDAP: set(['0x51df7c70b9869a7dd2bbd27335dba3f8', '0xd8538e634797420ca86cda420234443c'])
> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: replica pub keys in SoftHSM: set(['0x51df7c70b9869a7dd2bbd27335dba3f8', '0x1f7241a64d69ced6c0a14f6999410c59'])
> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: new replica keys in LDAP: set(['0xd8538e634797420ca86cda420234443c'])
> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: label=dnssec-replica:replica1.ipa.test., id=d8538e634797420ca86cda420234443c, data=30820122300d06092a864886f70d01010105
> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: Traceback (most recent call last):
> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:   File "/usr/libexec/ipa/ipa-ods-exporter", line 664, in
> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:     ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:   File "/usr/libexec/ipa/ipa-ods-exporter", line 313, in ldap2master_replica_keys_sync
> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:     localhsm.import_public_key(new_key_ldap, new_key_ldap['ipapublickey'])
> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:   File "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py", line 173, in import_public_key
> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:     h = self.p11.import_public_key(**params)
> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:   File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1498, in import_public_key
> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:     pkey = d2i_PUBKEY(NULL, data_ptr, data_length)
> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: TypeError: 'int(*)(EVP_PKEY *, unsigned char * *)' expects 2 arguments, got 3
> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: Main process exited, code=exited, status=1/FAILURE
> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: Unit entered failed state.
> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: Failed with result 'exit-code'.
>
> I haven't seen any other errors

Updated patch attached. Added a patch which replaces calls to libcrypto
with calls to python-cryptography.

-- 
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-537.2-ipapython-port-p11helper-C-code-to-Python.patch
Type: text/x-patch
Size: 163318 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-538-ipapython-use-python-cryptography-instead-of-libcryp.patch
Type: text/x-patch
Size: 15038 bytes
Desc: not available

From jcholast at redhat.com Tue Jan 12 09:24:25 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 12 Jan 2016 10:24:25 +0100
Subject: [Freeipa-devel] [PATCH 536] ipapython: remove default_encoding_utf8
In-Reply-To: <568CFB88.7020007@redhat.com>
References: <568B76A0.7010009@redhat.com> <568B9B3D.3030709@redhat.com> <568CFB88.7020007@redhat.com>
Message-ID: <5694C649.8060503@redhat.com>

On 6.1.2016 12:33, Christian Heimes wrote:
> On 2016-01-05 11:30, Tomas Babej wrote:
>>
>>
>> On 01/05/2016 08:54 AM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patch replaces the default_encoding_utf8 binary module with
>>> 2 lines of equivalent Python code.
>>>
>>> Honza
>>>
>>>
>>>
>>
>> This looks fine to me, however, I wonder, why this approach was ever
>> taken? The sys.setdefaultencoding is available in all versions of Python
>> ever supported by FreeIPA.
>>
>> Is it possible we're missing something here? Or was this option simply
>> overlooked?
>
> sys.setdefaultencoding() is not available unless you use a hack and
> reload the sys module. The function is hidden for a very good reason. It
> can and will break internal assumptions as well as libraries in bad, hard
> to detect ways. For example it wreaks havoc on hashing for dicts and sets.
>
> The blog posting
> https://anonbadger.wordpress.com/2015/06/16/why-sys-setdefaultencoding-will-break-code/
> explains the problem in much greater detail.

Tomáši, does this answer your question?

Updated patch attached.

-- 
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-536.1-ipapython-remove-default_encoding_utf8.patch
Type: text/x-patch
Size: 8696 bytes
Desc: not available

From mbabinsk at redhat.com Tue Jan 12 09:23:09 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 12 Jan 2016 10:23:09 +0100 Subject: [Freeipa-devel] [PATCH 0122-0123] reimplementation of package version comparison code In-Reply-To: <5693E8A4.20901@redhat.com> References: <568FDCE5.2090701@redhat.com> <20160108162312.GN28363@mail.corp.redhat.com> <568FEA52.2040200@redhat.com> <20160108173053.GP28363@mail.corp.redhat.com> <56934FE4.6080006@redhat.com> <56939CBB.4020905@redhat.com> <5693A78E.4050608@redhat.com> <5693ADAF.2030707@redhat.com> <5693CA76.7050301@redhat.com> <5693DF34.1080505@redhat.com> <5693E8A4.20901@redhat.com> Message-ID: <5694C5FD.1070604@redhat.com> On 01/11/2016 06:38 PM, Martin Basti wrote: > > > On 11.01.2016 17:58, Jan Cholasta wrote: >> On 11.1.2016 16:29, Martin Babinsky wrote: >>> On 01/11/2016 02:27 PM, Martin Babinsky wrote: >>>> On 01/11/2016 02:01 PM, Jan Cholasta wrote: >>>>> On 11.1.2016 13:14, Martin Babinsky wrote: >>>>>> On 01/11/2016 07:47 AM, Jan Cholasta wrote: >>>>>>> On 8.1.2016 18:30, Lukas Slebodnik wrote: >>>>>>>> On (08/01/16 17:56), Martin Babinsky wrote: >>>>>>>>> On 01/08/2016 05:23 PM, Lukas Slebodnik wrote: >>>>>>>>>> On (08/01/16 16:59), Martin Babinsky wrote: >>>>>>>>>>> Patch 0122 reimplements version checking and fixes >>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>>>>>>> >>>>>>>>>>> Patch 0123 contains unit test for version checking code. >>>>>>>>>>> >>>>>>>>>>> Thanks to Martin^1 for the idea of using CFFI for calling rpm >>>>>>>>>>> C-API >>>>>>>>>>> directly. >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Martin^3 Babinsky >>>>>>>>>> >>>>>>>>>> >From c7a5d8970d100d071597b4e1d7cef8a27b8cd485 Mon Sep 17 >>>>>>>>>> 00:00:00 >>>>>>>>>> 2001 >>>>>>>>>>> 
From: Martin Babinsky >>>>>>>>>>> Date: Fri, 8 Jan 2016 15:54:00 +0100 >>>>>>>>>>> Subject: [PATCH 2/3] tests for package version comparison >>>>>>>>>>> >>>>>>>>>>> These tests will ensure that our package version handling >>>>>>>>>>> code can >>>>>>>>>>> correctly >>>>>>>>>>> decide when to upgrade IPA master. >>>>>>>>>>> >>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>>>>>>> --- >>>>>>>>>>> ipatests/test_ipaserver/test_version_comparsion.py | 47 >>>>>>>>>>> ++++++++++++++++++++++ >>>>>>>>>>> 1 file changed, 47 insertions(+) >>>>>>>>>>> create mode 100644 >>>>>>>>>>> ipatests/test_ipaserver/test_version_comparsion.py >>>>>>>>>>> >>>>>>>>>>> diff --git a/ipatests/test_ipaserver/test_version_comparsion.py >>>>>>>>>>> b/ipatests/test_ipaserver/test_version_comparsion.py >>>>>>>>>>> new file mode 100644 >>>>>>>>>>> index >>>>>>>>>>> 0000000000000000000000000000000000000000..51d069b23ba389ffce39e948cdbc7a1faaa84563 >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> --- /dev/null >>>>>>>>>>> +++ b/ipatests/test_ipaserver/test_version_comparsion.py >>>>>>>>>>> 
@@ -0,0 +1,47 @@ >>>>>>>>>>> +# >>>>>>>>>>> +# Copyright (C) 2015 FreeIPA Contributors see COPYING for >>>>>>>>>>> license >>>>>>>>>>> +# >>>>>>>>>>> + >>>>>>>>>>> +""" >>>>>>>>>>> +tests for correct RPM version comparison >>>>>>>>>>> +""" >>>>>>>>>>> + >>>>>>>>>>> +from ipaplatform.tasks import tasks >>>>>>>>>>> +import pytest >>>>>>>>>>> + >>>>>>>>>>> +version_strings = [ >>>>>>>>>>> + ("3.0.el6", "3.0.0.el6", "older"), >>>>>>>>>>> + ("3.0.0.el6", "3.0.0.el6_8.2", "older"), >>>>>>>>>>> + ("3.0.0-42.el6", "3.0.0.el6", "newer"), >>>>>>>>>>> + ("3.0.0-1", "3.0.0-42", "older"), >>>>>>>>>>> + ("3.0.0-42.el6", "3.3.3.fc20", "older"), >>>>>>>>>>> + ("4.2.0-15.el7", "4.2.0-15.el7_2.3", "older"), >>>>>>>>>>> + ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.3", "equal"), >>>>>>>>>>> + ("4.2.0-1.fc23", "4.2.1.fc23", "older"), >>>>>>>>>>> + ("4.2.3-alpha.fc23", "4.2.3-2.fc23", "older"), # numeric >>>>>>>>>>> version elements have >>>>>>>>>>> + # precedence over >>>>>>>>>>> letters >>>>>>>>>>> + ("4.3.90.201601080923GIT55aeea7-0.fc23", "4.3.0-1.fc23", >>>>>>>>>>> "newer") >>>>>>>>>>> +] >>>>>>>>>>> + >>>>>>>>>>> + >>>>>>>>>>> + at pytest.fixture(params=version_strings) >>>>>>>>>>> +def versions(request): >>>>>>>>>>> + return request.param >>>>>>>>>>> + >>>>>>>>>>> +class TestVersionComparsion(object): >>>>>>>>>>> + >>>>>>>>>>> + def test_versions(self, versions): >>>>>>>>>>> + version_string1, version_string2, expected_comparison = >>>>>>>>>>> versions >>>>>>>>>>> + >>>>>>>>>>> + ver1 = tasks.parse_ipa_version(version_string1) >>>>>>>>>>> + ver2 = tasks.parse_ipa_version(version_string2) >>>>>>>>>>> + >>>>>>>>>>> + if expected_comparison == "newer": >>>>>>>>>>> + assert ver1 > ver2 >>>>>>>>>>> + elif expected_comparison == "older": >>>>>>>>>>> + assert ver1 < ver2 >>>>>>>>>>> + elif expected_comparison == "equal": >>>>>>>>>>> + assert ver1 == ver2 >>>>>>>>>>> + else: >>>>>>>>>>> + raise TypeError( >>>>>>>>>>> + "Unexpected comparison string: {}", >>>>>>>>>>> expected_comparison) 
>>>>>>>>>>> -- >>>>>>>>>>> 2.5.0 >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >From 9677e1a3ca2f5837f1b779780127adf27efa81df Mon Sep 17 >>>>>>>>>> 00:00:00 >>>>>>>>>> 2001 >>>>>>>>>>> From: Martin Babinsky >>>>>>>>>>> Date: Fri, 8 Jan 2016 14:17:14 +0100 >>>>>>>>>>> Subject: [PATCH 1/3] use FFI call to rpmvercmp function for >>>>>>>>>>> version >>>>>>>>>>> comparison >>>>>>>>>>> >>>>>>>>>>> Stop using rpm-python to compare package versions since the >>>>>>>>>>> implicit NSS >>>>>>>>>>> initialization upon the module import breaks NSS handling in >>>>>>>>>>> IPA >>>>>>>>>>> code. Call >>>>>>>>>>> rpm-libs C-API function via CFFI instead. >>>>>>>>>>> >>>>>>>>>>> Big thanks to Martin Kosek for sharing the >>>>>>>>>>> code >>>>>>>>>>> snippet >>>>>>>>>>> that spurred this patch. >>>>>>>>>>> >>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>>>>>>> --- >>>>>>>>>>> freeipa.spec.in | 2 +- >>>>>>>>>>> ipaplatform/redhat/tasks.py | 59 >>>>>>>>>>> +++++++++++++++++++++------------------------ >>>>>>>>>>> 2 files changed, 29 insertions(+), 32 deletions(-) >>>>>>>>>>> >>>>>>>>>>> diff --git a/freeipa.spec.in b/freeipa.spec.in >>>>>>>>>>> index >>>>>>>>>>> 7e956538d0f6c24bab636579303e0c7b5eeec199..7f31d41d16b2a26b404c277595f0994a21123f80 >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> 100644 >>>>>>>>>>> --- a/freeipa.spec.in >>>>>>>>>>> +++ b/freeipa.spec.in >>>>>>>>>>> 
@@ -214,7 +214,7 @@ Requires: python-pyasn1 >>>>>>>>>>> Requires: dbus-python >>>>>>>>>>> Requires: python-dns >= 1.11.1 >>>>>>>>>>> Requires: python-kdcproxy >= 0.3 >>>>>>>>>>> -Requires: rpm-python >>>>>>>>>>> +Requires: rpm-devel >>>>>>>>>> /usr/lib64/librpm.so.7 is provided by package rpm-libs >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> sh$ rpm -qf /usr/lib64/librpm.so.7 >>>>>>>>>> rpm-libs-4.13.0-0.rc1.7.fc23.x86_64 >>>>>>>>>> >>>>>>>>>> It's not very common to depend on devel packages. >>>>>>>>>> >>>>>>>>>> LS >>>>>>>>>> >>>>>>>>> >>>>>>>>> I was basically trying workaround this >>>>>>>>> http://fpaste.org/308652/22677521/ >>>>>>>>> >>>>>>>> rpm-libs contains librpm.so.* >>>>>>>> and cffi is smart enough to load right library with >>>>>>>> C = ffi.dlopen("rpm") >>>>>>> >>>>>>> This likely won't be an issue here, but in general, we should use >>>>>>> the >>>>>>> versioned library name to have at least some API/ABI guarantee. >>>>>>> If for >>>>>>> example a function we depend on changed signature between >>>>>>> versions, we >>>>>>> would crash *hard* when it's called. >>>>>>> >>>>>>>> So it's enough to add "Requires: rpm-libs" >>>>>>>> but it would be almost noop because rpm-libs is everytime available >>>>>>>> od fedora/rhel :-) >>>>>>>> >>>>>>>> "Requires: rpm-devel" >>>>>>>> add unnecessary additional runtime dependencies on pkgconfig, >>>>>>>> popt-devel >>>>>>>> >>>>>>>> >>>>>>>>> librpm.so.7 belongs to rpm-libs and librpm.so to rpm-devel and >>>>>>>>> I was >>>>>>>>> lazy >>>>>>>>> (hey it's friday) to add path to librpm.so.7 to paths and use it >>>>>>>>> i LD >>>>>>>>> loader. >>>>>>>>> If you think that it is not optimal I will fix it, but let's wait >>>>>>>>> for >>>>>>>>> some >>>>>>>>> more feedback. >>>>>>>> Sure wait for another python related comments. >>>>>>> >>>>>>> NACK. The ffi.cdef() and ffi.dlopen() should be in the module scope, >>>>>>> and >>>>>>> the ffi.new() calls are unnecessary. >>>>>>> >>>>>> >>>>>> Attaching updated patches. 
>>>>>> I have added specific versions of librpm
>>>>>> shared lib to platform specific namespaces. Both of them were tested
>>>>>> and work.
>>>>>
>>>>> You haven't tested on any 32 bit architecture, have you? I'm sure
>>>>> /lib64 will not work there.
>>>>>
>>>>> Note that when you dlopen just "librpm.so.$N", the correct path
>>>>> according to dynamic linker configuration will be used.
>>>>>
>>>>>> I have also changed the dependency to rpm-libs.
>>>>>
>>>>> Given librpm is dlopened by full path, I think we should depend
>>>>> directly on the "librpm.so.$N()" soname rather than rpm-libs.
>>>>>
>>>>
>>>> Updated patches attached.
>>>>
>>>>
>>>>
>>> Attaching another version.
>>
>> Patch 0122: ACK
>>
>> Pushed to:
>> master: 7cd99e852053710c64dcb66cd5b15fc8ed4da5de
>> ipa-4-2: be9af721536b7c05e2ba5ffd7d72cc3727d64ff5
>> ipa-4-3: 6b6a11fda76e70d390d5c55f3aaeba8f455458c0
>>
>> Patch 0123: LGTM
>>
> Patch 0123:
>
> +            raise TypeError(
> +                "Unexpected comparison string: {}", expected_comparison)
>
> Did you mean:
>             raise TypeError(
>                 "Unexpected comparison string: {}".format(expected_comparison))
> ?

Sorry, I temporarily forgot how to python over there. Attaching updated patch.

-- 
Martin^3 Babinsky

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0123.2-tests-for-package-version-comparison.patch
Type: text/x-patch
Size: 2640 bytes
Desc: not available

From mbabinsk at redhat.com Tue Jan 12 09:44:06 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 12 Jan 2016 10:44:06 +0100
Subject: [Freeipa-devel] [PATCHES 0396-0397] DNSSEC CI: fix tests
In-Reply-To: <568D4963.1000305@redhat.com>
References: <568D4963.1000305@redhat.com>
Message-ID: <5694CAE6.9000308@redhat.com>

On 01/06/2016 06:05 PM, Martin Basti wrote:
> Patches attached.
>
>

ACK

-- 
Martin^3 Babinsky

From mbasti at redhat.com Tue Jan 12 09:45:31 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 12 Jan 2016 10:45:31 +0100
Subject: [Freeipa-devel] [PATCHES 0396-0397] DNSSEC CI: fix tests
In-Reply-To: <5694CAE6.9000308@redhat.com>
References: <568D4963.1000305@redhat.com> <5694CAE6.9000308@redhat.com>
Message-ID: <5694CB3B.10100@redhat.com>

On 12.01.2016 10:44, Martin Babinsky wrote:
> On 01/06/2016 06:05 PM, Martin Basti wrote:
>> Patches attached.
>>
>>
> ACK
>
Pushed to:
master: 34b197afa4beb0a84ca01cb594c39859abdc4706
ipa-4-3: d2c103df5d3bec3fbaafb854291a5ab245c436f8

From mbasti at redhat.com Tue Jan 12 09:50:29 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 12 Jan 2016 10:50:29 +0100
Subject: [Freeipa-devel] [PATCH 0077-8] ipa-replica-prepare: Add '--auto-reverse' and, '--allow-zone-overlap' options
In-Reply-To: <567969EE.3000001@redhat.com>
References: <56795AD3.7010102@redhat.com> <567969EE.3000001@redhat.com>
Message-ID: <5694CC65.4050605@redhat.com>

On 22.12.2015 16:19, Petr Spacek wrote:
> On 22.12.2015 15:14, David Kupka wrote:
>> https://fedorahosted.org/freeipa/ticket/5563
> NACK:
>
> $ ipa-replica-prepare vm-058-106.abc.idm.lab.eng.brq.redhat.com
> --ip-address=10.34.58.106 --reverse-zone=58.34.10.in-addr.arpa.
> Directory Manager (existing master) password:
>
> Checking DNS domain 58.34.10.in-addr.arpa., please wait ...
> Values instance has no attribute 'unattended'
> The ipa-replica-prepare command failed.
>
Petr please accept my apology, I ACKed and pushed these patches, because somebody (David :-) ) sent updated patches to a new thread.

Pushed to:
* master:
f05bea5a12da1db6628d84dab6c99c6610c433d8 ipa-replica-prepare: Add '--auto-reverse' and '--allow-zone-overlap' options
da1b119663daa8a24d68b799cb97552924beac4b installer: Change reverse zones question to better reflect reality.
bc6543efae9bb1bf7c5e792e30b1ea396607f57e Fix: Use unattended parameter instead of options.unattended
* ipa-4-3:
9b02f86dc3fad75fa3b353b2a6c0a20c19cbc2ae ipa-replica-prepare: Add '--auto-reverse' and '--allow-zone-overlap' options
bad5c2b185b42b013db2a7c267a1ff471930ae85 installer: Change reverse zones question to better reflect reality.
5e2abd332b1292504dcdcd41972db888eff7296c Fix: Use unattended parameter instead of options.unattended

From mbasti at redhat.com Tue Jan 12 11:17:49 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 12 Jan 2016 12:17:49 +0100
Subject: [Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python
In-Reply-To: <5694C520.2060905@redhat.com>
References: <568E26DF.6090507@redhat.com> <568E646C.6070003@redhat.com> <5694BA31.8010804@redhat.com> <5694C520.2060905@redhat.com>
Message-ID: <5694E0DD.40905@redhat.com>

On 12.01.2016 10:19, Jan Cholasta wrote:
> On 12.1.2016 09:32, Martin Basti wrote:
>>
>>
>> On 07.01.2016 14:13, Jan Cholasta wrote:
>>> On 7.1.2016 09:50, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> the attached patch ports the _ipap11helper module to python-cffi.
>>>>
>>>> Combined with my patch 536 [1], this makes ipapython architecture
>>>> independent.
>>>
>>> Updated patch attached.
>>>
>>>
>>>
>> I tried to run DNSSEC tests and it failed unexpectedly:
>>
>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]:
>> Connected
>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]:
>> replica pub keys in LDAP: set(['0x51df7c70b9869a7dd2bbd27335dba3f8',
>> '0xd8538e634797420ca86cda420234443c'])
>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]:
>> replica pub keys in SoftHSM: set(['0x51df7c70b9869a7dd2bbd27335dba3f8',
>> '0x1f7241a64d69ced6c0a14f6999410c59'])
>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]:
>> new replica keys in LDAP: set(['0xd8538e634797420ca86cda420234443c'])
>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]:
>> label=dnssec-replica:replica1.ipa.test.,
>> id=d8538e634797420ca86cda420234443c,
>> data=30820122300d06092a864886f70d01010105
>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: Traceback (most
>> recent call last):
>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File
>> "/usr/libexec/ipa/ipa-ods-exporter", line 664, in
>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:
>> ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
>>
Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File
>> "/usr/libexec/ipa/ipa-ods-exporter", line 313, in
>> ldap2master_replica_keys_sync
>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:
>> localhsm.import_public_key(new_key_ldap, new_key_ldap['ipapublickey'])
>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File
>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py", line
>> 173, in import_public_key
>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: h =
>> self.p11.import_public_key(**params)
>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File
>> "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1498, in
>> import_public_key
>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: pkey =
>> d2i_PUBKEY(NULL, data_ptr, data_length)
>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: TypeError:
>> 'int(*)(EVP_PKEY *, unsigned char * *)' expects 2 arguments, got 3
>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service:
>> Main process exited, code=exited, status=1/FAILURE
>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service:
>> Unit entered failed state.
>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service:
>> Failed with result 'exit-code'.
>>
>> I haven't seen any other errors
>
> Updated patch attached. Added a patch which replaces calls to
> libcrypto with calls to python-cryptography.
>
[ipa.ipatests.test_integration.host.Host.master.cmd10] Done configuring DNS (named).
[ipa.ipatests.test_integration.host.Host.master.cmd10] Configuring DNS key synchronization service (ipa-dnskeysyncd)
[ipa.ipatests.test_integration.host.Host.master.cmd10] [1/7]: checking status
[ipa.ipatests.test_integration.host.Host.master.cmd10] [2/7]: setting up bind-dyndb-ldap working directory
[ipa.ipatests.test_integration.host.Host.master.cmd10] [3/7]: setting up kerberos principal
[ipa.ipatests.test_integration.host.Host.master.cmd10] [4/7]: setting up SoftHSM
[ipa.ipatests.test_integration.host.Host.master.cmd10] [5/7]: adding DNSSEC containers
[ipa.ipatests.test_integration.host.Host.master.cmd10] [6/7]: creating replica keys
[ipa.ipatests.test_integration.host.Host.master.cmd10] [error] Error: export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
[ipa.ipatests.test_integration.host.Host.master.cmd10] ipa.ipapython.install.cli.install_tool(Server): ERROR export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
[ipa.ipatests.test_integration.host.Host.master.cmd10] ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
[ipa.ipatests.test_integration.host.Host.master.cmd10] Exit code: 1

ipa-server-install.log
....
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 436, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 342, in __setup_replica_keys
    public_key_blob = p11.export_public_key(public_key_handle)
  File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1275, in export_public_key
    return self._export_RSA_public_key(object)
  File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1240, in _export_RSA_public_key
    raise Error("export_RSA_public_key: internal error: "

2016-01-12T11:00:29Z DEBUG The ipa-server-install command failed, exception: Error: export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
2016-01-12T11:00:29Z ERROR export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed

From jcholast at redhat.com Tue Jan 12 11:24:13 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 12 Jan 2016 12:24:13 +0100
Subject: [Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python
In-Reply-To: <5694E0DD.40905@redhat.com>
References: <568E26DF.6090507@redhat.com> <568E646C.6070003@redhat.com> <5694BA31.8010804@redhat.com> <5694C520.2060905@redhat.com> <5694E0DD.40905@redhat.com>
Message-ID: <5694E25D.6060203@redhat.com>

On 12.1.2016 12:17, Martin Basti wrote:
>
>
> On 12.01.2016 10:19, Jan Cholasta wrote:
>> On 12.1.2016 09:32, Martin Basti wrote:
>>>
>>>
>>> On 07.01.2016 14:13, Jan Cholasta wrote:
>>>> On 7.1.2016 09:50, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> the attached patch ports the _ipap11helper module to python-cffi.
>>>>>
>>>>> Combined with my patch 536 [1], this makes ipapython architecture
>>>>> independent.
>>>>
>>>> Updated patch attached.
>>>>
>>>>
>>>>
>>> I tried to run DNSSEC tests and it failed unexpectedly:
>>>
>>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]:
>>> Connected
>>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]:
>>> replica pub keys in LDAP: set(['0x51df7c70b9869a7dd2bbd27335dba3f8',
>>> '0xd8538e634797420ca86cda420234443c'])
>>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]:
>>> replica pub keys in SoftHSM: set(['0x51df7c70b9869a7dd2bbd27335dba3f8',
>>> '0x1f7241a64d69ced6c0a14f6999410c59'])
>>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]:
>>> new replica keys in LDAP: set(['0xd8538e634797420ca86cda420234443c'])
>>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]:
>>> label=dnssec-replica:replica1.ipa.test.,
>>> id=d8538e634797420ca86cda420234443c,
>>> data=30820122300d06092a864886f70d01010105
>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: Traceback (most
>>> recent call last):
>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File
>>> "/usr/libexec/ipa/ipa-ods-exporter", line 664, in
>>> Jan 12
08:28:06 master.ipa.test ipa-ods-exporter[8667]:
>>> ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File
>>> "/usr/libexec/ipa/ipa-ods-exporter", line 313, in
>>> ldap2master_replica_keys_sync
>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:
>>> localhsm.import_public_key(new_key_ldap, new_key_ldap['ipapublickey'])
>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File
>>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py", line
>>> 173, in import_public_key
>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: h =
>>> self.p11.import_public_key(**params)
>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File
>>> "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1498, in
>>> import_public_key
>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: pkey =
>>> d2i_PUBKEY(NULL, data_ptr, data_length)
>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: TypeError:
>>> 'int(*)(EVP_PKEY *, unsigned char * *)' expects 2 arguments, got 3
>>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service:
>>> Main process exited, code=exited, status=1/FAILURE
>>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service:
>>> Unit entered failed state.
>>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service:
>>> Failed with result 'exit-code'.
>>>
>>> I haven't seen any other errors
>>
>> Updated patch attached. Added a patch which replaces calls to
>> libcrypto with calls to python-cryptography.
>>
>
> [ipa.ipatests.test_integration.host.Host.master.cmd10] Done configuring
> DNS (named).
> [ipa.ipatests.test_integration.host.Host.master.cmd10] Configuring DNS
> key synchronization service (ipa-dnskeysyncd)
> [ipa.ipatests.test_integration.host.Host.master.cmd10] [1/7]: checking
> status
> [ipa.ipatests.test_integration.host.Host.master.cmd10] [2/7]: setting
> up bind-dyndb-ldap working directory
> [ipa.ipatests.test_integration.host.Host.master.cmd10] [3/7]: setting
> up kerberos principal
> [ipa.ipatests.test_integration.host.Host.master.cmd10] [4/7]: setting
> up SoftHSM
> [ipa.ipatests.test_integration.host.Host.master.cmd10] [5/7]: adding
> DNSSEC containers
> [ipa.ipatests.test_integration.host.Host.master.cmd10] [6/7]: creating
> replica keys
> [ipa.ipatests.test_integration.host.Host.master.cmd10] [error] Error:
> export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
> [ipa.ipatests.test_integration.host.Host.master.cmd10]
> ipa.ipapython.install.cli.install_tool(Server): ERROR
> export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
> [ipa.ipatests.test_integration.host.Host.master.cmd10]
> ipa.ipapython.install.cli.install_tool(Server): ERROR The
> ipa-server-install command failed. See /var/log/ipaserver-install.log
> for more information
> [ipa.ipatests.test_integration.host.Host.master.cmd10] Exit code: 1
>
> ipa-server-install.log
> ....
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 436, in run_step
> method()
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
> line 342, in __setup_replica_keys
> public_key_blob = p11.export_public_key(public_key_handle)
> File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line
> 1275, in export_public_key
> return self._export_RSA_public_key(object)
> File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line
> 1240, in _export_RSA_public_key
> raise Error("export_RSA_public_key: internal error: "
>
> 2016-01-12T11:00:29Z DEBUG The ipa-server-install command failed,
> exception: Error: export_RSA_public_key: internal error:
> EVP_PKEY_set1_RSA failed
> 2016-01-12T11:00:29Z ERROR export_RSA_public_key: internal error:
> EVP_PKEY_set1_RSA failed

Updated patch 538 attached.

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-537.2-ipapython-port-p11helper-C-code-to-Python.patch
Type: text/x-patch
Size: 163318 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-538.1-ipapython-use-python-cryptography-instead-of-libcryp.patch
Type: text/x-patch
Size: 15038 bytes
Desc: not available
URL: 

From mbasti at redhat.com Tue Jan 12 11:29:12 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 12 Jan 2016 12:29:12 +0100
Subject: [Freeipa-devel] [PATCH 0088] Don't error when find_base() fails if a base is not required
In-Reply-To: <5693E0E3.3070909@redhat.com>
References: <1450106558.23069.29.camel@redhat.com> <5693DC16.4050600@redhat.com> <1452531122.3827.33.camel@redhat.com> <5693E0E3.3070909@redhat.com>
Message-ID: <5694E388.3090102@redhat.com>

On 11.01.2016 18:05, Martin Basti wrote:
>
>
> On 11.01.2016 17:52, Nathaniel McCallum wrote:
>> On Mon, 2016-01-11 at 17:45 +0100, Martin Basti wrote:
>>>
>>> On 14.12.2015 16:22, Nathaniel McCallum wrote:
>>>> We always have to call find_base() in order to force libldap to
>>>> open
>>>> the socket. However, if no base is actually required then there is
>>>> no reason to error out if find_base() fails. This condition can
>>>> arise
>>>> when anonymous binds are disabled.
>>>>
>>>>
>>> Hello,
>>>
>>> IMO this code may result into free(NULL);
>>>
>>> /* Always find the base since this forces open the socket. */
>>> basetmp = find_base(ldp);
>>> if (base != NULL) {
>>> if (basetmp == NULL)
>>> return ENOTCONN;
>>> *base = basetmp;
>>> } else {
>>> free(basetmp); <-- here, if both base and basetmp are NULL
>>> }
>> From the man page for free(): "If ptr is NULL, no operation is
>> performed."
>>
>> Nathaniel
> Sorry, my bad.
>
> ACK
>
Pushed to master: 563bddce6d0c3e31f4858edb25f1260af8cc3c44

From mbasti at redhat.com Tue Jan 12 12:03:18 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 12 Jan 2016 13:03:18 +0100
Subject: [Freeipa-devel] [PATCH 0122-0123] reimplementation of package version comparison code
In-Reply-To: <5694C5FD.1070604@redhat.com>
References: <568FDCE5.2090701@redhat.com> <20160108162312.GN28363@mail.corp.redhat.com> <568FEA52.2040200@redhat.com> <20160108173053.GP28363@mail.corp.redhat.com> <56934FE4.6080006@redhat.com> <56939CBB.4020905@redhat.com> <5693A78E.4050608@redhat.com> <5693ADAF.2030707@redhat.com> <5693CA76.7050301@redhat.com> <5693DF34.1080505@redhat.com> <5693E8A4.20901@redhat.com> <5694C5FD.1070604@redhat.com>
Message-ID: <5694EB86.7030205@redhat.com>

On 12.01.2016 10:23, Martin Babinsky wrote:
> On 01/11/2016 06:38 PM, Martin Basti wrote:
>>
>>
>> On 11.01.2016 17:58, Jan Cholasta wrote:
>>> On 11.1.2016 16:29, Martin Babinsky wrote:
>>>> On 01/11/2016 02:27 PM, Martin Babinsky wrote:
>>>>> On 01/11/2016 02:01 PM, Jan Cholasta wrote:
>>>>>> On 11.1.2016 13:14, Martin Babinsky wrote:
>>>>>>> On 01/11/2016 07:47 AM, Jan Cholasta wrote:
>>>>>>>> On 8.1.2016 18:30, Lukas Slebodnik wrote:
>>>>>>>>> On (08/01/16 17:56), Martin Babinsky wrote:
>>>>>>>>>> On 01/08/2016 05:23 PM, Lukas Slebodnik wrote:
>>>>>>>>>>> On (08/01/16 16:59), Martin Babinsky wrote:
>>>>>>>>>>>> Patch 0122 reimplements version checking and fixes
>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5572
>>>>>>>>>>>>
>>>>>>>>>>>> Patch 0123 contains unit test for version checking code.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks to Martin^1 for the idea of using CFFI for calling rpm
>>>>>>>>>>>> C-API
>>>>>>>>>>>> directly.
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Martin^3 Babinsky
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> >From c7a5d8970d100d071597b4e1d7cef8a27b8cd485 Mon Sep 17
>>>>>>>>>>> 00:00:00
>>>>>>>>>>> 2001
>>>>>>>>>>>>
From: Martin Babinsky
>>>>>>>>>>>> Date: Fri, 8 Jan 2016 15:54:00 +0100
>>>>>>>>>>>> Subject: [PATCH 2/3] tests for package version comparison
>>>>>>>>>>>>
>>>>>>>>>>>> These tests will ensure that our package version handling
>>>>>>>>>>>> code can
>>>>>>>>>>>> correctly
>>>>>>>>>>>> decide when to upgrade IPA master.
>>>>>>>>>>>>
>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5572
>>>>>>>>>>>> ---
>>>>>>>>>>>> ipatests/test_ipaserver/test_version_comparsion.py | 47
>>>>>>>>>>>> ++++++++++++++++++++++
>>>>>>>>>>>> 1 file changed, 47 insertions(+)
>>>>>>>>>>>> create mode 100644
>>>>>>>>>>>> ipatests/test_ipaserver/test_version_comparsion.py
>>>>>>>>>>>>
>>>>>>>>>>>> diff --git
>>>>>>>>>>>> a/ipatests/test_ipaserver/test_version_comparsion.py
>>>>>>>>>>>> b/ipatests/test_ipaserver/test_version_comparsion.py
>>>>>>>>>>>> new file mode 100644
>>>>>>>>>>>> index
>>>>>>>>>>>> 0000000000000000000000000000000000000000..51d069b23ba389ffce39e948cdbc7a1faaa84563
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --- /dev/null
>>>>>>>>>>>> +++ b/ipatests/test_ipaserver/test_version_comparsion.py
>>>>>>>>>>>>
@@ -0,0 +1,47 @@
>>>>>>>>>>>> +#
>>>>>>>>>>>> +# Copyright (C) 2015 FreeIPA Contributors see COPYING for
>>>>>>>>>>>> license
>>>>>>>>>>>> +#
>>>>>>>>>>>> +
>>>>>>>>>>>> +"""
>>>>>>>>>>>> +tests for correct RPM version comparison
>>>>>>>>>>>> +"""
>>>>>>>>>>>> +
>>>>>>>>>>>> +from ipaplatform.tasks import tasks
>>>>>>>>>>>> +import pytest
>>>>>>>>>>>> +
>>>>>>>>>>>> +version_strings = [
>>>>>>>>>>>> + ("3.0.el6", "3.0.0.el6", "older"),
>>>>>>>>>>>> + ("3.0.0.el6", "3.0.0.el6_8.2", "older"),
>>>>>>>>>>>> + ("3.0.0-42.el6", "3.0.0.el6", "newer"),
>>>>>>>>>>>> + ("3.0.0-1", "3.0.0-42", "older"),
>>>>>>>>>>>> + ("3.0.0-42.el6", "3.3.3.fc20", "older"),
>>>>>>>>>>>> + ("4.2.0-15.el7", "4.2.0-15.el7_2.3", "older"),
>>>>>>>>>>>> + ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.3", "equal"),
>>>>>>>>>>>> + ("4.2.0-1.fc23", "4.2.1.fc23", "older"),
>>>>>>>>>>>> + ("4.2.3-alpha.fc23", "4.2.3-2.fc23", "older"), # numeric
>>>>>>>>>>>> version elements have
>>>>>>>>>>>> + # precedence over
>>>>>>>>>>>> letters
>>>>>>>>>>>> + ("4.3.90.201601080923GIT55aeea7-0.fc23", "4.3.0-1.fc23",
>>>>>>>>>>>> "newer")
>>>>>>>>>>>> +]
>>>>>>>>>>>> +
>>>>>>>>>>>> +
>>>>>>>>>>>> + at pytest.fixture(params=version_strings)
>>>>>>>>>>>> +def versions(request):
>>>>>>>>>>>> + return request.param
>>>>>>>>>>>> +
>>>>>>>>>>>> +class TestVersionComparsion(object):
>>>>>>>>>>>> +
>>>>>>>>>>>> + def test_versions(self, versions):
>>>>>>>>>>>> + version_string1, version_string2,
>>>>>>>>>>>> expected_comparison =
>>>>>>>>>>>> versions
>>>>>>>>>>>> +
>>>>>>>>>>>> + ver1 = tasks.parse_ipa_version(version_string1)
>>>>>>>>>>>> + ver2 = tasks.parse_ipa_version(version_string2)
>>>>>>>>>>>> +
>>>>>>>>>>>> + if expected_comparison == "newer":
>>>>>>>>>>>> + assert ver1 > ver2
>>>>>>>>>>>> + elif expected_comparison == "older":
>>>>>>>>>>>> + assert ver1 < ver2
>>>>>>>>>>>> + elif expected_comparison == "equal":
>>>>>>>>>>>> + assert ver1 == ver2
>>>>>>>>>>>> + else:
>>>>>>>>>>>> + raise TypeError(
>>>>>>>>>>>> +
"Unexpected comparison string: {}",
>>>>>>>>>>>> expected_comparison)
>>>>>>>>>>>> --
>>>>>>>>>>>> 2.5.0
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> >From 9677e1a3ca2f5837f1b779780127adf27efa81df Mon Sep 17
>>>>>>>>>>> 00:00:00
>>>>>>>>>>> 2001
>>>>>>>>>>>> From: Martin Babinsky
>>>>>>>>>>>> Date: Fri, 8 Jan 2016 14:17:14 +0100
>>>>>>>>>>>> Subject: [PATCH 1/3] use FFI call to rpmvercmp function for
>>>>>>>>>>>> version
>>>>>>>>>>>> comparison
>>>>>>>>>>>>
>>>>>>>>>>>> Stop using rpm-python to compare package versions since the
>>>>>>>>>>>> implicit NSS
>>>>>>>>>>>> initialization upon the module import breaks NSS handling in
>>>>>>>>>>>> IPA
>>>>>>>>>>>> code. Call
>>>>>>>>>>>> rpm-libs C-API function via CFFI instead.
>>>>>>>>>>>>
>>>>>>>>>>>> Big thanks to Martin Kosek for sharing the
>>>>>>>>>>>> code
>>>>>>>>>>>> snippet
>>>>>>>>>>>> that spurred this patch.
>>>>>>>>>>>>
>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5572
>>>>>>>>>>>> ---
>>>>>>>>>>>> freeipa.spec.in | 2 +-
>>>>>>>>>>>> ipaplatform/redhat/tasks.py | 59
>>>>>>>>>>>> +++++++++++++++++++++------------------------
>>>>>>>>>>>> 2 files changed, 29 insertions(+), 32 deletions(-)
>>>>>>>>>>>>
>>>>>>>>>>>> diff --git a/freeipa.spec.in b/freeipa.spec.in
>>>>>>>>>>>> index
>>>>>>>>>>>> 7e956538d0f6c24bab636579303e0c7b5eeec199..7f31d41d16b2a26b404c277595f0994a21123f80
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> 100644
>>>>>>>>>>>> --- a/freeipa.spec.in
>>>>>>>>>>>> +++ b/freeipa.spec.in
>>>>>>>>>>>>
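Review bot: in the else branch at the end of test_versions the message template and expected_comparison are passed as two separate arguments to TypeError, so the {} placeholder is never filled in; use "Unexpected comparison string: {}".format(expected_comparison), and since the problem is an unrecognised table value rather than a wrong type, ValueError is the more accurate exception. The new file name test_version_comparsion.py and the class name TestVersionComparsion misspell "comparison"; renaming them now avoids a follow-up patch. A pytest.mark.parametrize decorator on test_versions instead of the params fixture would also give each table row its own readable test id in failure output.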
@@ -214,7 +214,7 @@ Requires: python-pyasn1
>>>>>>>>>>>> Requires: dbus-python
>>>>>>>>>>>> Requires: python-dns >= 1.11.1
>>>>>>>>>>>> Requires: python-kdcproxy >= 0.3
>>>>>>>>>>>> -Requires: rpm-python
>>>>>>>>>>>> +Requires: rpm-devel
>>>>>>>>>>> /usr/lib64/librpm.so.7 is provided by package rpm-libs
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> sh$ rpm -qf /usr/lib64/librpm.so.7
>>>>>>>>>>> rpm-libs-4.13.0-0.rc1.7.fc23.x86_64
>>>>>>>>>>>
>>>>>>>>>>> It's not very common to depend on devel packages.
>>>>>>>>>>>
>>>>>>>>>>> LS
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I was basically trying workaround this
>>>>>>>>>> http://fpaste.org/308652/22677521/
>>>>>>>>>>
>>>>>>>>> rpm-libs contains librpm.so.*
>>>>>>>>> and cffi is smart enough to load right library with
>>>>>>>>> C = ffi.dlopen("rpm")
>>>>>>>>
>>>>>>>> This likely won't be an issue here, but in general, we should use
>>>>>>>> the
>>>>>>>> versioned library name to have at least some API/ABI guarantee.
>>>>>>>> If for
>>>>>>>> example a function we depend on changed signature between
>>>>>>>> versions, we
>>>>>>>> would crash *hard* when it's called.
>>>>>>>>
>>>>>>>>> So it's enough to add "Requires: rpm-libs"
>>>>>>>>> but it would be almost noop because rpm-libs is everytime
>>>>>>>>> available
>>>>>>>>> od fedora/rhel :-)
>>>>>>>>>
>>>>>>>>> "Requires: rpm-devel"
>>>>>>>>> add unnecessary additional runtime dependencies on pkgconfig,
>>>>>>>>> popt-devel
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> librpm.so.7 belongs to rpm-libs and librpm.so to rpm-devel and
>>>>>>>>>> I was
>>>>>>>>>> lazy
>>>>>>>>>> (hey it's friday) to add path to librpm.so.7 to paths and use it
>>>>>>>>>> i LD
>>>>>>>>>> loader.
>>>>>>>>>> If you think that it is not optimal I will fix it, but let's
>>>>>>>>>> wait
>>>>>>>>>> for
>>>>>>>>>> some
>>>>>>>>>> more feedback.
>>>>>>>>> Sure wait for another python related comments.
>>>>>>>>
>>>>>>>> NACK.
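Review bot: Requires: rpm-devel in the freeipa.spec.in hunk is the wrong runtime dependency for a CFFI dlopen of librpm: as the replies show, the runtime library /usr/lib64/librpm.so.7 is shipped by rpm-libs, and rpm-devel only adds the unversioned librpm.so symlink together with pkgconfig and popt-devel, which an installed server does not need. Depending on the versioned soname itself (the "librpm.so.$N()" form suggested in the thread) and dlopen-ing that versioned name rather than a hardcoded /lib64 path also lets the dynamic linker pick the right directory on 32-bit hosts and ties the package to the ABI the Python code was written against.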
The ffi.cdef() and ffi.dlopen() should be in the module
>>>>>>>> scope,
>>>>>>>> and
>>>>>>>> the ffi.new() calls are unnecessary.
>>>>>>>>
>>>>>>>
>>>>>>> Attaching updated patches. I have added specific versions of librpm
>>>>>>> shared lib to platform specific namespaces. Both of them were
>>>>>>> tested
>>>>>>> and
>>>>>>> work.
>>>>>>
>>>>>> You haven't tested on any 32 bit architecture, have you? I'm sure
>>>>>> /lib64
>>>>>> will not work there.
>>>>>>
>>>>>> Note that when you dlopen just "librpm.so.$N", the correct path
>>>>>> according to dynamic linker configuration will be used.
>>>>>>
>>>>>>> I have also change dependency to rpm-libs.
>>>>>>
>>>>>> Given librpm is dlopened by full path, I think we should depend
>>>>>> directly
>>>>>> on the "librpm.so.$N()" soname rather than rpm-libs.
>>>>>>
>>>>>
>>>>> Updated patches attached.
>>>>>
>>>>>
>>>>>
>>>> Attaching another version.
>>>
>>> Patch 0122: ACK
>>>
>>> Pushed to:
>>> master: 7cd99e852053710c64dcb66cd5b15fc8ed4da5de
>>> ipa-4-2: be9af721536b7c05e2ba5ffd7d72cc3727d64ff5
>>> ipa-4-3: 6b6a11fda76e70d390d5c55f3aaeba8f455458c0
>>>
>>> Patch 0123: LGTM
>>>
>> Patch 0123:
>>
>> + raise TypeError(
>> + "Unexpected comparison string: {}",
>> expected_comparison)
>>
>> Did you mean:
>> raise TypeError(
>> "Unexpected comparison string: {}".format(expected_comparison))
>> ?
>
> Sorry I temporarily forgot how to python over there. Attaching updated
> patch.
>
Works for me, but shouldn't be the file named test_version_compaRISOn.py instead of test_version_compaRSIOn.py?

From mbasti at redhat.com Tue Jan 12 12:09:48 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 12 Jan 2016 13:09:48 +0100
Subject: [Freeipa-devel] [PATCH 0401] Pylint enable unbalanced tuple unpacking check
Message-ID: <5694ED0C.9050705@redhat.com>

Patch attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0401-Enable-pylint-unbalanced-tuple-unpacking-check.patch
Type: text/x-patch
Size: 1712 bytes
Desc: not available
URL: 

From mbabinsk at redhat.com Tue Jan 12 12:14:38 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 12 Jan 2016 13:14:38 +0100
Subject: [Freeipa-devel] [PATCH 0122-0123] reimplementation of package version comparison code
In-Reply-To: <5694EB86.7030205@redhat.com>
References: <568FDCE5.2090701@redhat.com> <20160108162312.GN28363@mail.corp.redhat.com> <568FEA52.2040200@redhat.com> <20160108173053.GP28363@mail.corp.redhat.com> <56934FE4.6080006@redhat.com> <56939CBB.4020905@redhat.com> <5693A78E.4050608@redhat.com> <5693ADAF.2030707@redhat.com> <5693CA76.7050301@redhat.com> <5693DF34.1080505@redhat.com> <5693E8A4.20901@redhat.com> <5694C5FD.1070604@redhat.com> <5694EB86.7030205@redhat.com>
Message-ID: <5694EE2E.80002@redhat.com>

On 01/12/2016 01:03 PM, Martin Basti wrote:
>
>
> On 12.01.2016 10:23, Martin Babinsky wrote:
>> On 01/11/2016 06:38 PM, Martin Basti wrote:
>>>
>>>
>>> On 11.01.2016 17:58, Jan Cholasta wrote:
>>>> On 11.1.2016 16:29, Martin Babinsky wrote:
>>>>> On 01/11/2016 02:27 PM, Martin Babinsky wrote:
>>>>>> On 01/11/2016 02:01 PM, Jan Cholasta wrote:
>>>>>>> On 11.1.2016 13:14, Martin Babinsky wrote:
>>>>>>>> On 01/11/2016 07:47 AM, Jan Cholasta wrote:
>>>>>>>>> On 8.1.2016 18:30, Lukas Slebodnik wrote:
>>>>>>>>>> On (08/01/16 17:56), Martin Babinsky wrote:
>>>>>>>>>>> On 01/08/2016 05:23 PM, Lukas Slebodnik wrote:
>>>>>>>>>>>> On (08/01/16 16:59), Martin Babinsky wrote:
>>>>>>>>>>>>> Patch 0122 reimplements version checking and fixes
>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5572
>>>>>>>>>>>>>
>>>>>>>>>>>>> Patch 0123 contains unit test for version checking code.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks to Martin^1 for the idea of using CFFI for calling rpm
>>>>>>>>>>>>> C-API
>>>>>>>>>>>>> directly.
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Martin^3 Babinsky
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> >From c7a5d8970d100d071597b4e1d7cef8a27b8cd485 Mon Sep 17
>>>>>>>>>>>> 00:00:00
>>>>>>>>>>>> 2001
>>>>>>>>>>>>>
From: Martin Babinsky
>>>>>>>>>>>>> Date: Fri, 8 Jan 2016 15:54:00 +0100
>>>>>>>>>>>>> Subject: [PATCH 2/3] tests for package version comparison
>>>>>>>>>>>>>
>>>>>>>>>>>>> These tests will ensure that our package version handling
>>>>>>>>>>>>> code can
>>>>>>>>>>>>> correctly
>>>>>>>>>>>>> decide when to upgrade IPA master.
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5572
>>>>>>>>>>>>> ---
>>>>>>>>>>>>> ipatests/test_ipaserver/test_version_comparsion.py | 47
>>>>>>>>>>>>> ++++++++++++++++++++++
>>>>>>>>>>>>> 1 file changed, 47 insertions(+)
>>>>>>>>>>>>> create mode 100644
>>>>>>>>>>>>> ipatests/test_ipaserver/test_version_comparsion.py
>>>>>>>>>>>>>
>>>>>>>>>>>>> diff --git
>>>>>>>>>>>>> a/ipatests/test_ipaserver/test_version_comparsion.py
>>>>>>>>>>>>> b/ipatests/test_ipaserver/test_version_comparsion.py
>>>>>>>>>>>>> new file mode 100644
>>>>>>>>>>>>> index
>>>>>>>>>>>>> 0000000000000000000000000000000000000000..51d069b23ba389ffce39e948cdbc7a1faaa84563
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --- /dev/null
>>>>>>>>>>>>> +++ b/ipatests/test_ipaserver/test_version_comparsion.py
>>>>>>>>>>>>>
@@ -0,0 +1,47 @@
>>>>>>>>>>>>> +#
>>>>>>>>>>>>> +# Copyright (C) 2015 FreeIPA Contributors see COPYING for
>>>>>>>>>>>>> license
>>>>>>>>>>>>> +#
>>>>>>>>>>>>> +
>>>>>>>>>>>>> +"""
>>>>>>>>>>>>> +tests for correct RPM version comparison
>>>>>>>>>>>>> +"""
>>>>>>>>>>>>> +
>>>>>>>>>>>>> +from ipaplatform.tasks import tasks
>>>>>>>>>>>>> +import pytest
>>>>>>>>>>>>> +
>>>>>>>>>>>>> +version_strings = [
>>>>>>>>>>>>> + ("3.0.el6", "3.0.0.el6", "older"),
>>>>>>>>>>>>> + ("3.0.0.el6", "3.0.0.el6_8.2", "older"),
>>>>>>>>>>>>> + ("3.0.0-42.el6", "3.0.0.el6", "newer"),
>>>>>>>>>>>>> + ("3.0.0-1", "3.0.0-42", "older"),
>>>>>>>>>>>>> + ("3.0.0-42.el6", "3.3.3.fc20", "older"),
>>>>>>>>>>>>> + ("4.2.0-15.el7", "4.2.0-15.el7_2.3", "older"),
>>>>>>>>>>>>> + ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.3", "equal"),
>>>>>>>>>>>>> + ("4.2.0-1.fc23", "4.2.1.fc23", "older"),
>>>>>>>>>>>>> + ("4.2.3-alpha.fc23", "4.2.3-2.fc23", "older"), # numeric
>>>>>>>>>>>>> version elements have
>>>>>>>>>>>>> + # precedence over
>>>>>>>>>>>>> letters
>>>>>>>>>>>>> + ("4.3.90.201601080923GIT55aeea7-0.fc23", "4.3.0-1.fc23",
>>>>>>>>>>>>> "newer")
>>>>>>>>>>>>> +]
>>>>>>>>>>>>> +
>>>>>>>>>>>>> +
>>>>>>>>>>>>> + at pytest.fixture(params=version_strings)
>>>>>>>>>>>>> +def versions(request):
>>>>>>>>>>>>> + return request.param
>>>>>>>>>>>>> +
>>>>>>>>>>>>> +class TestVersionComparsion(object):
>>>>>>>>>>>>> +
>>>>>>>>>>>>> + def test_versions(self, versions):
>>>>>>>>>>>>> + version_string1, version_string2,
>>>>>>>>>>>>> expected_comparison =
>>>>>>>>>>>>> versions
>>>>>>>>>>>>> +
>>>>>>>>>>>>> + ver1 = tasks.parse_ipa_version(version_string1)
>>>>>>>>>>>>> + ver2 = tasks.parse_ipa_version(version_string2)
>>>>>>>>>>>>> +
>>>>>>>>>>>>> + if expected_comparison == "newer":
>>>>>>>>>>>>> + assert ver1 > ver2
>>>>>>>>>>>>> + elif expected_comparison == "older":
>>>>>>>>>>>>> + assert ver1 < ver2
>>>>>>>>>>>>> + elif expected_comparison == "equal":
>>>>>>>>>>>>> + assert ver1 == ver2
>>>>>>>>>>>>> + else:
>>>>>>>>>>>>> + raise TypeError(
>>>>>>>>>>>>> + "Unexpected comparison string: {}",
>>>>>>>>>>>>> expected_comparison)
>>>>>>>>>>>>> --
>>>>>>>>>>>>> 2.5.0
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> >From 9677e1a3ca2f5837f1b779780127adf27efa81df Mon Sep 17
>>>>>>>>>>>> 00:00:00
>>>>>>>>>>>> 2001
>>>>>>>>>>>>> From: Martin Babinsky
>>>>>>>>>>>>> Date: Fri, 8 Jan 2016 14:17:14 +0100
>>>>>>>>>>>>> Subject: [PATCH 1/3] use FFI call to rpmvercmp function for
>>>>>>>>>>>>> version
>>>>>>>>>>>>> comparison
>>>>>>>>>>>>>
>>>>>>>>>>>>> Stop using rpm-python to compare package versions since the
>>>>>>>>>>>>> implicit NSS
>>>>>>>>>>>>> initialization upon the module import breaks NSS handling in
>>>>>>>>>>>>> IPA
>>>>>>>>>>>>> code. Call
>>>>>>>>>>>>> rpm-libs C-API function via CFFI instead.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Big thanks to Martin Kosek for sharing the
>>>>>>>>>>>>> code
>>>>>>>>>>>>> snippet
>>>>>>>>>>>>> that spurred this patch.
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5572
>>>>>>>>>>>>> ---
>>>>>>>>>>>>> freeipa.spec.in | 2 +-
>>>>>>>>>>>>> ipaplatform/redhat/tasks.py | 59
>>>>>>>>>>>>> +++++++++++++++++++++------------------------
>>>>>>>>>>>>> 2 files changed, 29 insertions(+), 32 deletions(-)
>>>>>>>>>>>>>
>>>>>>>>>>>>> diff --git a/freeipa.spec.in b/freeipa.spec.in
>>>>>>>>>>>>> index
>>>>>>>>>>>>> 7e956538d0f6c24bab636579303e0c7b5eeec199..7f31d41d16b2a26b404c277595f0994a21123f80
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> 100644
>>>>>>>>>>>>> --- a/freeipa.spec.in
>>>>>>>>>>>>> +++ b/freeipa.spec.in
>>>>>>>>>>>>>
@@ -214,7 +214,7 @@ Requires: python-pyasn1 >>>>>>>>>>>>> Requires: dbus-python >>>>>>>>>>>>> Requires: python-dns >= 1.11.1 >>>>>>>>>>>>> Requires: python-kdcproxy >= 0.3 >>>>>>>>>>>>> -Requires: rpm-python >>>>>>>>>>>>> +Requires: rpm-devel >>>>>>>>>>>> /usr/lib64/librpm.so.7 is provided by package rpm-libs >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> sh$ rpm -qf /usr/lib64/librpm.so.7 >>>>>>>>>>>> rpm-libs-4.13.0-0.rc1.7.fc23.x86_64 >>>>>>>>>>>> >>>>>>>>>>>> It's not very common to depend on devel packages. >>>>>>>>>>>> >>>>>>>>>>>> LS >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> I was basically trying to work around this >>>>>>>>>>> http://fpaste.org/308652/22677521/ >>>>>>>>>>> >>>>>>>>>> rpm-libs contains librpm.so.* >>>>>>>>>> and cffi is smart enough to load the right library with >>>>>>>>>> C = ffi.dlopen("rpm") >>>>>>>>> >>>>>>>>> This likely won't be an issue here, but in general, we should use >>>>>>>>> the >>>>>>>>> versioned library name to have at least some API/ABI guarantee. >>>>>>>>> If for >>>>>>>>> example a function we depend on changed signature between >>>>>>>>> versions, we >>>>>>>>> would crash *hard* when it's called. >>>>>>>>> >>>>>>>>>> So it's enough to add "Requires: rpm-libs" >>>>>>>>>> but it would be almost a noop because rpm-libs is always >>>>>>>>>> available >>>>>>>>>> on fedora/rhel :-) >>>>>>>>>> >>>>>>>>>> "Requires: rpm-devel" >>>>>>>>>> adds unnecessary additional runtime dependencies on pkgconfig, >>>>>>>>>> popt-devel >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> librpm.so.7 belongs to rpm-libs and librpm.so to rpm-devel and >>>>>>>>>>> I was >>>>>>>>>>> lazy >>>>>>>>>>> (hey it's friday) to add the path to librpm.so.7 to paths and use it >>>>>>>>>>> in the LD >>>>>>>>>>> loader. >>>>>>>>>>> If you think that it is not optimal I will fix it, but let's >>>>>>>>>>> wait >>>>>>>>>>> for >>>>>>>>>>> some >>>>>>>>>>> more feedback. >>>>>>>>>> Sure, wait for other python related comments. >>>>>>>>> >>>>>>>>> NACK.
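Review bot: `+Requires: rpm-devel` pulls a development package (and, as noted below, its pkgconfig and popt-devel chain) into the runtime dependency set only to obtain the unversioned `librpm.so` symlink, while the library is loaded at runtime through CFFI. Require what the dynamic loader actually resolves: the versioned soname, e.g. `Requires: librpm.so.7()(64bit)` on the 64-bit platform (the `rpm -qf` output in the reply shows it lives in rpm-libs), or at minimum `Requires: rpm-libs`, and dlopen `librpm.so.7` by soname rather than by a `/usr/lib64` path so that 32-bit architectures keep working.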
The ffi.cdef() and ffi.dlopen() should be in the module >>>>>>>>> scope, >>>>>>>>> and >>>>>>>>> the ffi.new() calls are unnecessary. >>>>>>>>> >>>>>>>> >>>>>>>> Attaching updated patches. I have added specific versions of librpm >>>>>>>> shared lib to platform specific namespaces. Both of them were >>>>>>>> tested >>>>>>>> and >>>>>>>> work. >>>>>>> >>>>>>> You haven't tested on any 32 bit architecture, have you? I'm sure >>>>>>> /lib64 >>>>>>> will not work there. >>>>>>> >>>>>>> Note that when you dlopen just "librpm.so.$N", the correct path >>>>>>> according to dynamic linker configuration will be used. >>>>>>> >>>>>>>> I have also changed the dependency to rpm-libs. >>>>>>> >>>>>>> Given librpm is dlopened by full path, I think we should depend >>>>>>> directly >>>>>>> on the "librpm.so.$N()" soname rather than rpm-libs. >>>>>>> >>>>>> >>>>>> Updated patches attached. >>>>>> >>>>>> >>>>>> >>>>> Attaching another version. >>>> >>>> Patch 0122: ACK >>>> >>>> Pushed to: >>>> master: 7cd99e852053710c64dcb66cd5b15fc8ed4da5de >>>> ipa-4-2: be9af721536b7c05e2ba5ffd7d72cc3727d64ff5 >>>> ipa-4-3: 6b6a11fda76e70d390d5c55f3aaeba8f455458c0 >>>> >>>> Patch 0123: LGTM >>>> >>> Patch 0123: >>> >>> + raise TypeError( >>> + "Unexpected comparison string: {}", >>> expected_comparison) >>> >>> Did you mean: >>> raise TypeError( >>> "Unexpected comparison string: {}".format(expected_comparison)) >>> ? >> >> Sorry I temporarily forgot how to python over there. Attaching updated >> patch. >> > > Works for me, but shouldn't the file be named test_version_compaRISOn.py > instead of test_version_compaRSIOn.py? > Seems like I forgot how to english as well. Attaching updated patch. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0123.3-tests-for-package-version-comparison.patch Type: text/x-patch Size: 2640 bytes Desc: not available URL: From mbasti at redhat.com Tue Jan 12 12:32:52 2016
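The ordering that the test vectors quoted in the version-comparison thread above pin down is librpm's rpmvercmp() segment comparison: numeric segments outrank alphabetic ones, a number with more significant digits wins, and whichever side has segments left over is newer. FreeIPA's patch calls that C function through CFFI; what follows is an added example, not the project's code, that ports the algorithm from rpm's lib/rpmvercmp.c to pure Python so the rules can be read and exercised offline, with an epoch:version-release label compare on top. The vector list is copied from the quoted patch as constructed input; label_compare, classify and check_vectors are names chosen here.

```python
"""Pure-Python port of librpm's rpmvercmp() (added example, not FreeIPA code)."""

import re
from string import ascii_letters, digits

_ALNUM = set(ascii_letters + digits)
_SEGMENT = {True: re.compile(r"[0-9]+"), False: re.compile(r"[A-Za-z]+")}


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b, following lib/rpmvercmp.c.

    Both strings are walked in parallel: separators are skipped, then the next
    all-digit or all-letter segment on each side is compared.  Numeric segments
    outrank alphabetic ones, '~' sorts before everything (pre-releases) and '^'
    sorts right after the base version (snapshots).
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip anything that is neither alphanumeric nor a '~' / '^' marker
        while i < len(a) and a[i] not in _ALNUM and a[i] not in "~^":
            i += 1
        while j < len(b) and b[j] not in _ALNUM and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":        # tilde side is older, even than end-of-string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":        # caret: end-of-string (base version) is older
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:              # one side exhausted: decided after the loop
            break
        isnum = ca in digits
        seg_a = _SEGMENT[isnum].match(a, i).group(0)
        mb = _SEGMENT[isnum].match(b, j)
        if mb is None:                    # mixed types: a number beats letters
            return 1 if isnum else -1
        seg_b = mb.group(0)
        i, j = i + len(seg_a), j + len(seg_b)
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # more significant digits wins
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:                # equal length: plain string order decides
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1       # whichever side has segments left is newer


def label_compare(evr_a: str, evr_b: str) -> int:
    """Compare [epoch:]version[-release] labels the way rpm orders packages:
    epoch, then version, then release (release only when both sides carry one)."""
    def split(evr):
        epoch, sep, rest = evr.partition(":")
        if not sep:
            epoch, rest = "0", evr
        version, _, release = rest.partition("-")
        return int(epoch), version, release

    ea, va, ra = split(evr_a)
    eb, vb, rb = split(evr_b)
    if ea != eb:
        return 1 if ea > eb else -1
    sense = rpmvercmp(va, vb)
    if sense == 0 and ra and rb:
        sense = rpmvercmp(ra, rb)
    return sense


# Constructed input: the (first, second, expected) vectors from the quoted patch.
VERSION_STRINGS = [
    ("3.0.el6", "3.0.0.el6", "older"),
    ("3.0.0.el6", "3.0.0.el6_8.2", "older"),
    ("3.0.0-42.el6", "3.0.0.el6", "newer"),
    ("3.0.0-1", "3.0.0-42", "older"),
    ("3.0.0-42.el6", "3.3.3.fc20", "older"),
    ("4.2.0-15.el7", "4.2.0-15.el7_2.3", "older"),
    ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.3", "equal"),
    ("4.2.0-1.fc23", "4.2.1.fc23", "older"),
    ("4.2.3-alpha.fc23", "4.2.3-2.fc23", "older"),
    ("4.3.90.201601080923GIT55aeea7-0.fc23", "4.3.0-1.fc23", "newer"),
]


def classify(v1: str, v2: str, cmp=rpmvercmp) -> str:
    """Map a comparison result to the wording the test file uses."""
    return {-1: "older", 0: "equal", 1: "newer"}[cmp(v1, v2)]


def check_vectors(vectors=VERSION_STRINGS, cmp=rpmvercmp):
    """Return the vectors whose stated expectation the comparator disagrees with."""
    return [(v1, v2, exp) for v1, v2, exp in vectors if classify(v1, v2, cmp) != exp]
```

check_vectors() returns an empty list only when each pair is fed to rpmvercmp() as a whole string; with label_compare, which compares the version part "3.0.0" before it ever looks at the release "42.el6", the pair ("3.0.0-42.el6", "3.0.0.el6") comes out "older". That is exactly the parsing decision parse_ipa_version has to make, and the test file would be clearer if it said which one it relies on.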
From: mbasti at redhat.com (Martin Basti) Date: Tue, 12 Jan 2016 13:32:52 +0100 Subject: [Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python In-Reply-To: <5694E25D.6060203@redhat.com> References: <568E26DF.6090507@redhat.com> <568E646C.6070003@redhat.com> <5694BA31.8010804@redhat.com> <5694C520.2060905@redhat.com> <5694E0DD.40905@redhat.com> <5694E25D.6060203@redhat.com> Message-ID: <5694F274.1040002@redhat.com> On 12.01.2016 12:24, Jan Cholasta wrote: > On 12.1.2016 12:17, Martin Basti wrote: >> >> >> On 12.01.2016 10:19, Jan Cholasta wrote: >>> On 12.1.2016 09:32, Martin Basti wrote: >>>> >>>> >>>> On 07.01.2016 14:13, Jan Cholasta wrote: >>>>> On 7.1.2016 09:50, Jan Cholasta wrote: >>>>>> Hi, >>>>>> >>>>>> the attached patch ports the _ipap11helper module to python-cffi. >>>>>> >>>>>> Combined with my patch 536 [1], this makes ipapython architecture >>>>>> independent. >>>>> >>>>> Updated patch attached. >>>>> >>>>> >>>>> >>>> I tried to run DNSSEC tests and it failed unexpectedly: >>>> >>>> Jan 12 08:28:06 master.ipa.test >>>> /usr/libexec/ipa/ipa-ods-exporter[8667]: >>>> Connected >>>> Jan 12 08:28:06 master.ipa.test >>>> /usr/libexec/ipa/ipa-ods-exporter[8667]: >>>> replica pub keys in LDAP: set(['0x51df7c70b9869a7dd2bbd27335dba3f8', >>>> '0xd8538e634797420ca86cda420234443c']) >>>> Jan 12 08:28:06 master.ipa.test >>>> /usr/libexec/ipa/ipa-ods-exporter[8667]: >>>> replica pub keys in SoftHSM: >>>> set(['0x51df7c70b9869a7dd2bbd27335dba3f8', >>>> '0x1f7241a64d69ced6c0a14f6999410c59']) >>>> Jan 12 08:28:06 master.ipa.test >>>> /usr/libexec/ipa/ipa-ods-exporter[8667]: >>>> new replica keys in LDAP: set(['0xd8538e634797420ca86cda420234443c']) >>>> Jan 12 08:28:06 master.ipa.test >>>> /usr/libexec/ipa/ipa-ods-exporter[8667]: >>>> label=dnssec-replica:replica1.ipa.test., >>>> id=d8538e634797420ca86cda420234443c, >>>> data=30820122300d06092a864886f70d01010105 >>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: Traceback >>>> (most >>>> 
recent call last): >>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File >>>> "/usr/libexec/ipa/ipa-ods-exporter", line 664, in >>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: >>>> ldap2master_replica_keys_sync(log, ldapkeydb, localhsm) >>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File >>>> "/usr/libexec/ipa/ipa-ods-exporter", line 313, in >>>> ldap2master_replica_keys_sync >>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: >>>> localhsm.import_public_key(new_key_ldap, new_key_ldap['ipapublickey']) >>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File >>>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py", line >>>> 173, in import_public_key >>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: h = >>>> self.p11.import_public_key(**params) >>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File >>>> "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line >>>> 1498, in >>>> import_public_key >>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: pkey = >>>> d2i_PUBKEY(NULL, data_ptr, data_length) >>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: TypeError: >>>> 'int(*)(EVP_PKEY *, unsigned char * *)' expects 2 arguments, got 3 >>>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: >>>> Main process exited, code=exited, status=1/FAILURE >>>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: >>>> Unit entered failed state. >>>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: >>>> Failed with result 'exit-code'. >>>> >>>> I haven't seen any other errors >>> >>> Updated patch attached. Added a patch which replaces calls to >>> libcrypto with calls to python-cryptography. >>> >> >> [ipa.ipatests.test_integration.host.Host.master.cmd10] Done configuring >> DNS (named). 
>> [ipa.ipatests.test_integration.host.Host.master.cmd10] Configuring DNS >> key synchronization service (ipa-dnskeysyncd) >> [ipa.ipatests.test_integration.host.Host.master.cmd10] [1/7]: checking >> status >> [ipa.ipatests.test_integration.host.Host.master.cmd10] [2/7]: setting >> up bind-dyndb-ldap working directory >> [ipa.ipatests.test_integration.host.Host.master.cmd10] [3/7]: setting >> up kerberos principal >> [ipa.ipatests.test_integration.host.Host.master.cmd10] [4/7]: setting >> up SoftHSM >> [ipa.ipatests.test_integration.host.Host.master.cmd10] [5/7]: adding >> DNSSEC containers >> [ipa.ipatests.test_integration.host.Host.master.cmd10] [6/7]: creating >> replica keys >> [ipa.ipatests.test_integration.host.Host.master.cmd10] [error] Error: >> export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed >> [ipa.ipatests.test_integration.host.Host.master.cmd10] >> ipa.ipapython.install.cli.install_tool(Server): ERROR >> export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed >> [ipa.ipatests.test_integration.host.Host.master.cmd10] >> ipa.ipapython.install.cli.install_tool(Server): ERROR The >> ipa-server-install command failed. See /var/log/ipaserver-install.log >> for more information >> [ipa.ipatests.test_integration.host.Host.master.cmd10] Exit code: 1 >> >> ipa-server-install.log >> .... 
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >> line 436, in run_step >> method() >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", >> >> line 342, in __setup_replica_keys >> public_key_blob = p11.export_public_key(public_key_handle) >> File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line >> 1275, in export_public_key >> return self._export_RSA_public_key(object) >> File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line >> 1240, in _export_RSA_public_key >> raise Error("export_RSA_public_key: internal error: " >> >> 2016-01-12T11:00:29Z DEBUG The ipa-server-install command failed, >> exception: Error: export_RSA_public_key: internal error: >> EVP_PKEY_set1_RSA failed >> 2016-01-12T11:00:29Z ERROR export_RSA_public_key: internal error: >> EVP_PKEY_set1_RSA failed > > Updated patch 538 attached. > Jan 12 12:31:43 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[31178]: Connected Jan 12 12:31:44 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[31178]: replica pub keys in LDAP: set(['0xf5edad67436d0ed36b75c3a70216fa43', '0x7164a931484d505f1e249e3dcbc313e2']) Jan 12 12:31:44 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[31178]: replica pub keys in SoftHSM: set(['0xf5edad67436d0ed36b75c3a70216fa43', '0x7164a931484d505f1e249e3dcbc313e2', '0x28e302ae6b6ee7e9284cd5f6 Jan 12 12:31:44 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[31178]: new replica keys in LDAP: set([]) Jan 12 12:31:44 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[31178]: obsolete replica keys in local HSM: set(['0x28e302ae6b6ee7e9284cd5f61aadbbe7']) Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: Traceback (most recent call last): Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File "/usr/libexec/ipa/ipa-ods-exporter", line 664, in Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: ldap2master_replica_keys_sync(log, ldapkeydb, localhsm) Jan 12 12:31:44 master.ipa.test 
ipa-ods-exporter[31178]: File "/usr/libexec/ipa/ipa-ods-exporter", line 321, in ldap2master_replica_keys_sync Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: localhsm.replica_pubkeys_wrap[key_id]['ipk11wrap'] = False Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py", line 65, in __setitem__ Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: return self.p11.set_attribute(self.handle, attrs_name2id[key], value) Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1661, in set_attribute Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: sizeof(CK_ATTRIBUTE))) Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: TypeError: an integer is required Jan 12 12:31:44 master.ipa.test systemd[1]: ipa-ods-exporter.service: Main process exited, code=exited, status=1/FAILURE From mkubik at redhat.com Tue Jan 12 12:45:33 2016 From: mkubik at redhat.com (Milan Kubik) Date: Tue, 12 Jan 2016 07:45:33 -0500 (EST) Subject: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin In-Reply-To: <20151209190102.1bb8fc07@vor2.netbox.priv> References: <20151120135636.71171d5c@vor2.netbox.priv> <20151123145934.36901470@dhcp-25-21.brq.redhat.com> <20151123164249.4a576706@dhcp-25-21.brq.redhat.com> <565C76D6.3010406@redhat.com> <20151203201556.4ff69dba@vor2.netbox.priv> <5665B88E.4000507@redhat.com> <20151209190102.1bb8fc07@vor2.netbox.priv> Message-ID: <1914334378.4564827.1452602733244.JavaMail.zimbra@redhat.com> Hello, sorry for delays. The patch no longer applies to master. Rebase it, please. Milan ----- Original Message ----- 
From: "Filip Škola" To: "Milan Kubík" Cc: freeipa-devel at redhat.com Sent: Wednesday, 9 December, 2015 7:01:02 PM Subject: Re: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin On Mon, 7 Dec 2015 17:49:18 +0100 Milan Kubík wrote: > On 12/03/2015 08:15 PM, Filip Škola wrote: > > On Mon, 30 Nov 2015 17:18:30 +0100 > > Milan Kubík wrote: > > > >> On 11/23/2015 04:42 PM, Filip Škola wrote: > >>> Sending updated patch. > >>> > >>> F. > >>> > >>> On Mon, 23 Nov 2015 14:59:34 +0100 > >>> Filip Škola wrote: > >>> > >>>> Found a couple of issues (broke some dependencies). > >>>> > >>>> NACK > >>>> > >>>> F. > >>>> > >>>> On Fri, 20 Nov 2015 13:56:36 +0100 > >>>> Filip Škola wrote: > >>>> > >>>>> Another one. > >>>>> > >>>>> F. > >>> > >> Hi, the tests look good. A few remarks, though. > >> > >> 1. Please, use the shortest copyright notice in new modules. > >> > >> # > >> # Copyright (C) 2015 FreeIPA Contributors see COPYING for > >> license # > >> > >> 2. The tests `test_group_remove_group_from_protected_group` and > >> `test_group_full_set_of_objectclass_not_available_post_detach` > >> were not ported. Please, include them in the patch. > >> > >> Also, for less hassle, please rebase your patches on top of > >> freeipa-mkubik-0025-3-Separated-Tracker-implementations-into-standalone-pa.patch > >> which changes the location of tracker implementations and prevents > >> circular imports. > >> > >> Thanks. > >> > > > > > > Hi, > > > > these cases are there, in the corresponding classes. They are marked > > with the original comments. (However I can move them to a separate > > class if desirable.) > > > > The copyright notice is changed. Also included a few changes in the > > test with a user without a private group.
> > > > Filip > NACK > > linter: > ************* Module tracker.group_plugin > ipatests/test_xmlrpc/tracker/group_plugin.py:257: > [E0102(function-redefined), GroupTracker.check_remove_member] method > already defined line 253) > > Probably a leftover after the rebase made on top of my patch. Please > fix it. You can check your changes with the make-lint script before > sending them. > > Thanks > Hi, I learned to use make-lint! Thanks, F. From mkubik at redhat.com Tue Jan 12 12:48:07 2016 From: mkubik at redhat.com (Milan Kubik) Date: Tue, 12 Jan 2016 07:48:07 -0500 (EST) Subject: [Freeipa-devel] [PATCH 0005] Refactor test_nesting, create HostGroupTracker In-Reply-To: <2134068455.1326509.1450781775764.JavaMail.zimbra@redhat.com> References: <2134068455.1326509.1450781775764.JavaMail.zimbra@redhat.com> Message-ID: <1902672460.4566340.1452602887525.JavaMail.zimbra@redhat.com> Hi, the patch no longer applies to master. Please rebase it. Thanks, Milan ----- Original Message ----- From: "Filip Skola" To: freeipa-devel at redhat.com Cc: "Milan Kubík" , "Aleš Mareček" Sent: Tuesday, 22 December, 2015 11:56:15 AM Subject: [PATCH 0005] Refactor test_nesting, create HostGroupTracker Hi, another patch from the refactoring-test_xmlrpc series. Filip From jcholast at redhat.com Tue Jan 12 13:44:05 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 12 Jan 2016 14:44:05 +0100 Subject: [Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python In-Reply-To: <5694F274.1040002@redhat.com> References: <568E26DF.6090507@redhat.com> <568E646C.6070003@redhat.com> <5694BA31.8010804@redhat.com> <5694C520.2060905@redhat.com> <5694E0DD.40905@redhat.com> <5694E25D.6060203@redhat.com> <5694F274.1040002@redhat.com> Message-ID: <56950325.80907@redhat.com> On 12.1.2016 13:32, Martin Basti wrote: > > > On 12.01.2016 12:24, Jan Cholasta wrote: >> On 12.1.2016 12:17, Martin Basti wrote: >>> >>> >>> On 12.01.2016 10:19, Jan Cholasta wrote: >>>> On 12.1.2016 09:32, Martin Basti wrote: >>>>> >>>>> >>>>> On 07.01.2016 14:13, Jan Cholasta wrote: >>>>>> On 7.1.2016 09:50, Jan Cholasta wrote: >>>>>>> Hi, >>>>>>> >>>>>>> the attached patch ports the _ipap11helper module to python-cffi. >>>>>>> >>>>>>> Combined with my patch 536 [1], this makes ipapython architecture >>>>>>> independent. >>>>>> >>>>>> Updated patch attached. 
>>>>>> >>>>>> >>>>>> >>>>> I tried to run DNSSEC tests and it failed unexpectedly: >>>>> >>>>> Jan 12 08:28:06 master.ipa.test >>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]: >>>>> Connected >>>>> Jan 12 08:28:06 master.ipa.test >>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]: >>>>> replica pub keys in LDAP: set(['0x51df7c70b9869a7dd2bbd27335dba3f8', >>>>> '0xd8538e634797420ca86cda420234443c']) >>>>> Jan 12 08:28:06 master.ipa.test >>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]: >>>>> replica pub keys in SoftHSM: >>>>> set(['0x51df7c70b9869a7dd2bbd27335dba3f8', >>>>> '0x1f7241a64d69ced6c0a14f6999410c59']) >>>>> Jan 12 08:28:06 master.ipa.test >>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]: >>>>> new replica keys in LDAP: set(['0xd8538e634797420ca86cda420234443c']) >>>>> Jan 12 08:28:06 master.ipa.test >>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]: >>>>> label=dnssec-replica:replica1.ipa.test., >>>>> id=d8538e634797420ca86cda420234443c, >>>>> data=30820122300d06092a864886f70d01010105 >>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: Traceback >>>>> (most >>>>> recent call last): >>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File >>>>> "/usr/libexec/ipa/ipa-ods-exporter", line 664, in >>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: >>>>> ldap2master_replica_keys_sync(log, ldapkeydb, localhsm) >>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File >>>>> "/usr/libexec/ipa/ipa-ods-exporter", line 313, in >>>>> ldap2master_replica_keys_sync >>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: >>>>> localhsm.import_public_key(new_key_ldap, new_key_ldap['ipapublickey']) >>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File >>>>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py", line >>>>> 173, in import_public_key >>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: h = >>>>> self.p11.import_public_key(**params) >>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File 
>>>>> "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line >>>>> 1498, in >>>>> import_public_key >>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: pkey = >>>>> d2i_PUBKEY(NULL, data_ptr, data_length) >>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: TypeError: >>>>> 'int(*)(EVP_PKEY *, unsigned char * *)' expects 2 arguments, got 3 >>>>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: >>>>> Main process exited, code=exited, status=1/FAILURE >>>>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: >>>>> Unit entered failed state. >>>>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: >>>>> Failed with result 'exit-code'. >>>>> >>>>> I haven't seen any other errors >>>> >>>> Updated patch attached. Added a patch which replaces calls to >>>> libcrypto with calls to python-cryptography. >>>> >>> >>> [ipa.ipatests.test_integration.host.Host.master.cmd10] Done configuring >>> DNS (named). >>> [ipa.ipatests.test_integration.host.Host.master.cmd10] Configuring DNS >>> key synchronization service (ipa-dnskeysyncd) >>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [1/7]: checking >>> status >>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [2/7]: setting >>> up bind-dyndb-ldap working directory >>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [3/7]: setting >>> up kerberos principal >>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [4/7]: setting >>> up SoftHSM >>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [5/7]: adding >>> DNSSEC containers >>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [6/7]: creating >>> replica keys >>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [error] Error: >>> export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed >>> [ipa.ipatests.test_integration.host.Host.master.cmd10] >>> ipa.ipapython.install.cli.install_tool(Server): ERROR >>> export_RSA_public_key: internal error: 
EVP_PKEY_set1_RSA failed >>> [ipa.ipatests.test_integration.host.Host.master.cmd10] >>> ipa.ipapython.install.cli.install_tool(Server): ERROR The >>> ipa-server-install command failed. See /var/log/ipaserver-install.log >>> for more information >>> [ipa.ipatests.test_integration.host.Host.master.cmd10] Exit code: 1 >>> >>> ipa-server-install.log >>> .... >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>> line 436, in run_step >>> method() >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", >>> >>> line 342, in __setup_replica_keys >>> public_key_blob = p11.export_public_key(public_key_handle) >>> File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line >>> 1275, in export_public_key >>> return self._export_RSA_public_key(object) >>> File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line >>> 1240, in _export_RSA_public_key >>> raise Error("export_RSA_public_key: internal error: " >>> >>> 2016-01-12T11:00:29Z DEBUG The ipa-server-install command failed, >>> exception: Error: export_RSA_public_key: internal error: >>> EVP_PKEY_set1_RSA failed >>> 2016-01-12T11:00:29Z ERROR export_RSA_public_key: internal error: >>> EVP_PKEY_set1_RSA failed >> >> Updated patch 538 attached. 
>> > Jan 12 12:31:43 master.ipa.test > /usr/libexec/ipa/ipa-ods-exporter[31178]: Connected > Jan 12 12:31:44 master.ipa.test > /usr/libexec/ipa/ipa-ods-exporter[31178]: replica pub keys in LDAP: > set(['0xf5edad67436d0ed36b75c3a70216fa43', > '0x7164a931484d505f1e249e3dcbc313e2']) > Jan 12 12:31:44 master.ipa.test > /usr/libexec/ipa/ipa-ods-exporter[31178]: replica pub keys in SoftHSM: > set(['0xf5edad67436d0ed36b75c3a70216fa43', > '0x7164a931484d505f1e249e3dcbc313e2', '0x28e302ae6b6ee7e9284cd5f6 > Jan 12 12:31:44 master.ipa.test > /usr/libexec/ipa/ipa-ods-exporter[31178]: new replica keys in LDAP: set([]) > Jan 12 12:31:44 master.ipa.test > /usr/libexec/ipa/ipa-ods-exporter[31178]: obsolete replica keys in local > HSM: set(['0x28e302ae6b6ee7e9284cd5f61aadbbe7']) > Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: Traceback (most > recent call last): > Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File > "/usr/libexec/ipa/ipa-ods-exporter", line 664, in > Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: > ldap2master_replica_keys_sync(log, ldapkeydb, localhsm) > Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File > "/usr/libexec/ipa/ipa-ods-exporter", line 321, in > ldap2master_replica_keys_sync > Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: > localhsm.replica_pubkeys_wrap[key_id]['ipk11wrap'] = False > Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File > "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py", line > 65, in __setitem__ > Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: return > self.p11.set_attribute(self.handle, attrs_name2id[key], value) > Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File > "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1661, in > set_attribute > Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: > sizeof(CK_ATTRIBUTE))) > Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: TypeError: an > integer is required > Jan 
12 12:31:44 master.ipa.test systemd[1]: ipa-ods-exporter.service: > Main process exited, code=exited, status=1/FAILURE > Updated patch 537 attached. -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-537.3-ipapython-port-p11helper-C-code-to-Python.patch Type: text/x-patch Size: 163347 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-538.1-ipapython-use-python-cryptography-instead-of-libcryp.patch Type: text/x-patch Size: 15038 bytes Desc: not available URL: From pviktori at redhat.com Tue Jan 12 13:57:39 2016 
From: pviktori at redhat.com (Petr Viktorin) Date: Tue, 12 Jan 2016 14:57:39 +0100 Subject: [Freeipa-devel] [PATCHES] 0752-0757, 0759 Enable pylint --py3k In-Reply-To: <5693B2F8.1060905@redhat.com> References: <568D2494.9080602@redhat.com> <568FA169.4030900@redhat.com> <5693B2F8.1060905@redhat.com> Message-ID: <56950653.8060406@redhat.com> On 01/11/2016 02:49 PM, Martin Basti wrote: > > > On 08.01.2016 12:45, Petr Viktorin wrote: >> On 01/06/2016 03:28 PM, Petr Viktorin wrote: >>> Hello, >>> >>> Patches 0753-0757 fix remaining warnings from `pylint --py3k`, except >>> "no-absolute-import" (which seems redundant to me) and the ones in >>> contrib/RHEL4. >>> The last patch adds py3k lint check to make-lint. It's a bit >>> cumbersome, since pylint doesn't allow running regular checkers and the >>> py3k ones at the same time, but it allows you to run the check. As for >>> whether to enable --py3k by default, or run it on every package build, >>> I'd like to defer the decision to core devs. (Is CI good enough nowadays >>> to only run it there?) >>> >>> >>> [0] https://www.redhat.com/archives/freeipa-users/2013-July/msg00055.html >> Here's a new version of the patchset, updated to current master. >> The last patch requires 0758 (removing contrib/RHEL4) which is being >> reviewed in another thread. Rebased to current master. > Hello I tried --py3k option and it doesn't print any error, can we > enable that check by default to prevent python3 regressions? > > # ./make-lint --py3k > No config file found, using default configuration Squash in the other attached patch to enable it by default. > Otherwise code LGTM and works for me, Honza will give you the final ack. -- Petr Viktorin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0752.3-Use-explicit-truncating-division.patch Type: text/x-patch Size: 4884 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pviktori-0753.3-Don-t-index-exceptions-directly.patch Type: text/x-patch Size: 2547 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0754.3-Use-print_function-future-definition-wherever-print-.patch Type: text/x-patch Size: 1892 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0755.3-Alias-unicode-to-str-under-Python-3.patch Type: text/x-patch Size: 5479 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0756.3-Avoid-builtins-that-were-removed-in-Python-3.patch Type: text/x-patch Size: 1743 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0757.3-dnsutil-Rename-__nonzero__-to-__bool__.patch Type: text/x-patch Size: 1052 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0759.3-make-lint-Allow-running-pylint-py3k-to-detect-Python.patch Type: text/x-patch Size: 4062 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: SQUASH-Run-pylint-py3k-by-default.patch Type: text/x-patch Size: 1131 bytes Desc: not available URL: From mkubik at redhat.com Tue Jan 12 14:03:45 2016 
From: mkubik at redhat.com (Milan Kubík) Date: Tue, 12 Jan 2016 15:03:45 +0100 Subject: [Freeipa-devel] [PATCH 0004] Refactor test_attr In-Reply-To: <20151207132527.7963c5ae@dhcp-24-120.brq.redhat.com> References: <20151204162416.28170b8e@vor2.netbox.priv> <20151207130041.409f5022@dhcp-24-120.brq.redhat.com> <20151207132527.7963c5ae@dhcp-24-120.brq.redhat.com> Message-ID: <569507C1.1080307@redhat.com> On 12/07/2015 01:25 PM, Filip Škola wrote: > Now the tier marker has been lost somewhere on the way... which is > corrected in this patch. > > /me apologizes for the noise > > F. > > On Mon, 7 Dec 2015 13:00:41 +0100 > Filip Škola wrote: > >> Self-NACK, resubmitting with the last commit which includes >> UserTracker from the right location... >> >> F. >> >> On Fri, 4 Dec 2015 16:24:16 +0100 >> Filip Škola wrote: >> >>> Hi, >>> >>> sending a new version of test_attr. >>> >>> F. Hello, the patch doesn't work. The tests fail on mismatches between expected and actual results. NACK. -- Milan Kubik From mkubik at redhat.com Tue Jan 12 14:04:36 2016 From: mkubik at redhat.com (Milan Kubík) Date: Tue, 12 Jan 2016 15:04:36 +0100 Subject: [Freeipa-devel] [PATCH 0003] Refactor test_replace In-Reply-To: <20151204112955.51b5c72f@vor2.netbox.priv> References: <20151204100402.0474eeaf@vor2.netbox.priv> <56615818.6060402@redhat.com> <20151204112955.51b5c72f@vor2.netbox.priv> Message-ID: <569507F4.6070604@redhat.com> On 12/04/2015 11:29 AM, Filip Škola wrote: > On Fri, 4 Dec 2015 10:08:40 +0100 > Milan Kubík wrote: > >> On 12/04/2015 10:04 AM, Filip Škola wrote: >>> Hi, >>> >>> sending a rather short one this time. >>> >>> F. >> NACK, UserTracker is implemented in >> ipatests.test_xmlrpc.tracker.user_plugin. >> > Ah, sorry for this. > > > F. Hi, the tests do not work. Similar problems to test_attr. There are some problems with the expected and actual results. NACK. -- Milan Kubik From pspacek at redhat.com Tue Jan 12 14:06:51 2016
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 12 Jan 2016 15:06:51 +0100 Subject: [Freeipa-devel] Design: Automatic Empty Zone handling in bind-dyndb-ldap In-Reply-To: <568FEE66.8010600@redhat.com> References: <568FDC52.4050704@redhat.com> <568FEE66.8010600@redhat.com> Message-ID: <5695087B.5010408@redhat.com> On 8.1.2016 18:14, Martin Basti wrote: > > > On 08.01.2016 16:57, Petr Spacek wrote: >> Hello, >> >> recent improvements in FreeIPA 4.3.0 (finally) prevent the FreeIPA installer from >> creating made-up DNS reverse zones, which already exist on some other DNS >> server. >> >> This change uncovered well-hidden automatic empty zones in BIND 9.9+, which >> are now causing problems for users. >> >> It seems that this can be fixed by a change to the code which handles forward >> DNS zones. A short design document with the necessary background is available at: >> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/AutomaticEmptyZones >> >> Please be so kind and review it ASAP, so I can write the patch quickly and >> make life of our QE guys easier. >> >> Have a nice Friday. >> > Hello, > > IIUC, the differences between default bind behaviour and bind-dyndb-ldap > behaviour are: > > * disable automatic empty zone when policy is 'first' or 'only', instead of > just 'only' > I liked it more than the default behaviour of named, but could this be somehow > unexpected by users, or will they be happy that it works better (?) than in > named? I hope users will appreciate it :-) > > * bind-dyndb-ldap will not recreate automatic empty zones > IMO this should not harm at all > > so the design LGTM, I will think about it over this weekend Did you find any problem? Petr^2 Spacek From mbasti at redhat.com Tue Jan 12 14:10:14 2016
From: mbasti at redhat.com (Martin Basti) Date: Tue, 12 Jan 2016 15:10:14 +0100 Subject: [Freeipa-devel] Design: Automatic Empty Zone handling in bind-dyndb-ldap In-Reply-To: <5695087B.5010408@redhat.com> References: <568FDC52.4050704@redhat.com> <568FEE66.8010600@redhat.com> <5695087B.5010408@redhat.com> Message-ID: <56950946.9030703@redhat.com> On 12.01.2016 15:06, Petr Spacek wrote: > On 8.1.2016 18:14, Martin Basti wrote: >> >> On 08.01.2016 16:57, Petr Spacek wrote: >>> Hello, >>> >>> recent improvements in FreeIPA 4.3.0 (finally) prevent the FreeIPA installer from >>> creating made-up DNS reverse zones, which already exist on some other DNS >>> server. >>> >>> This change uncovered well-hidden automatic empty zones in BIND 9.9+, which >>> are now causing problems for users. >>> >>> It seems that this can be fixed by a change to the code which handles forward >>> DNS zones. A short design document with the necessary background is available at: >>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/AutomaticEmptyZones >>> >>> Please be so kind and review it ASAP, so I can write the patch quickly and >>> make life of our QE guys easier. >>> >>> Have a nice Friday. >>> >> Hello, >> >> IIUC, the differences between default bind behaviour and bind-dyndb-ldap >> behaviour are: >> >> * disable automatic empty zone when policy is 'first' or 'only', instead of >> just 'only' >> I liked it more than the default behaviour of named, but could this be somehow >> unexpected by users, or will they be happy that it works better (?) than in >> named? > I hope users will appreciate it :-) > >> * bind-dyndb-ldap will not recreate automatic empty zones >> IMO this should not harm at all >> >> so the design LGTM, I will think about it over this weekend > Did you find any problem? > > > Petr^2 Spacek My mind did not pop out any issue during the weekend. It should work :) From mbasti at redhat.com Tue Jan 12 14:34:17 2016
From: mbasti at redhat.com (Martin Basti) Date: Tue, 12 Jan 2016 15:34:17 +0100 Subject: [Freeipa-devel] [PATCH 0122-0123] reimplementation of package version comparison code In-Reply-To: <5694EE2E.80002@redhat.com> References: <568FDCE5.2090701@redhat.com> <20160108162312.GN28363@mail.corp.redhat.com> <568FEA52.2040200@redhat.com> <20160108173053.GP28363@mail.corp.redhat.com> <56934FE4.6080006@redhat.com> <56939CBB.4020905@redhat.com> <5693A78E.4050608@redhat.com> <5693ADAF.2030707@redhat.com> <5693CA76.7050301@redhat.com> <5693DF34.1080505@redhat.com> <5693E8A4.20901@redhat.com> <5694C5FD.1070604@redhat.com> <5694EB86.7030205@redhat.com> <5694EE2E.80002@redhat.com> Message-ID: <56950EE9.6020204@redhat.com> On 12.01.2016 13:14, Martin Babinsky wrote: > On 01/12/2016 01:03 PM, Martin Basti wrote: >> >> >> On 12.01.2016 10:23, Martin Babinsky wrote: >>> On 01/11/2016 06:38 PM, Martin Basti wrote: >>>> >>>> >>>> On 11.01.2016 17:58, Jan Cholasta wrote: >>>>> On 11.1.2016 16:29, Martin Babinsky wrote: >>>>>> On 01/11/2016 02:27 PM, Martin Babinsky wrote: >>>>>>> On 01/11/2016 02:01 PM, Jan Cholasta wrote: >>>>>>>> On 11.1.2016 13:14, Martin Babinsky wrote: >>>>>>>>> On 01/11/2016 07:47 AM, Jan Cholasta wrote: >>>>>>>>>> On 8.1.2016 18:30, Lukas Slebodnik wrote: >>>>>>>>>>> On (08/01/16 17:56), Martin Babinsky wrote: >>>>>>>>>>>> On 01/08/2016 05:23 PM, Lukas Slebodnik wrote: >>>>>>>>>>>>> On (08/01/16 16:59), Martin Babinsky wrote: >>>>>>>>>>>>>> Patch 0122 reimplements version checking and fixes >>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>>>>>>>>>> >>>>>>>>>>>>>> Patch 0123 contains unit test for version checking code. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thanks to Martin^1 for the idea of using CFFI for calling >>>>>>>>>>>>>> rpm >>>>>>>>>>>>>> C-API >>>>>>>>>>>>>> directly. >>>>>>>>>>>>>> >>>>>>>>>>>>>> -- >>>>>>>>>>>>>> Martin^3 Babinsky >>>>>>>>>>>>> >>>>>>>>>>>>> 
>From c7a5d8970d100d071597b4e1d7cef8a27b8cd485 Mon Sep 17 >>>>>>>>>>>>> 00:00:00 >>>>>>>>>>>>> 2001 >>>>>>>>>>>>>> From: Martin Babinsky >>>>>>>>>>>>>> Date: Fri, 8 Jan 2016 15:54:00 +0100 >>>>>>>>>>>>>> Subject: [PATCH 2/3] tests for package version comparison >>>>>>>>>>>>>> >>>>>>>>>>>>>> These tests will ensure that our package version handling >>>>>>>>>>>>>> code can >>>>>>>>>>>>>> correctly >>>>>>>>>>>>>> decide when to upgrade IPA master. >>>>>>>>>>>>>> >>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>>>>>>>>>> --- >>>>>>>>>>>>>> ipatests/test_ipaserver/test_version_comparsion.py | 47 >>>>>>>>>>>>>> ++++++++++++++++++++++ >>>>>>>>>>>>>> 1 file changed, 47 insertions(+) >>>>>>>>>>>>>> create mode 100644 >>>>>>>>>>>>>> ipatests/test_ipaserver/test_version_comparsion.py >>>>>>>>>>>>>> >>>>>>>>>>>>>> diff --git >>>>>>>>>>>>>> a/ipatests/test_ipaserver/test_version_comparsion.py >>>>>>>>>>>>>> b/ipatests/test_ipaserver/test_version_comparsion.py >>>>>>>>>>>>>> new file mode 100644 >>>>>>>>>>>>>> index >>>>>>>>>>>>>> 0000000000000000000000000000000000000000..51d069b23ba389ffce39e948cdbc7a1faaa84563 >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> --- /dev/null >>>>>>>>>>>>>> +++ b/ipatests/test_ipaserver/test_version_comparsion.py >>>>>>>>>>>>>> 
@@ -0,0 +1,47 @@ >>>>>>>>>>>>>> +# >>>>>>>>>>>>>> +# Copyright (C) 2015 FreeIPA Contributors see COPYING for >>>>>>>>>>>>>> license >>>>>>>>>>>>>> +# >>>>>>>>>>>>>> + >>>>>>>>>>>>>> +""" >>>>>>>>>>>>>> +tests for correct RPM version comparison >>>>>>>>>>>>>> +""" >>>>>>>>>>>>>> + >>>>>>>>>>>>>> +from ipaplatform.tasks import tasks >>>>>>>>>>>>>> +import pytest >>>>>>>>>>>>>> + >>>>>>>>>>>>>> +version_strings = [ >>>>>>>>>>>>>> + ("3.0.el6", "3.0.0.el6", "older"), >>>>>>>>>>>>>> + ("3.0.0.el6", "3.0.0.el6_8.2", "older"), >>>>>>>>>>>>>> + ("3.0.0-42.el6", "3.0.0.el6", "newer"), >>>>>>>>>>>>>> + ("3.0.0-1", "3.0.0-42", "older"), >>>>>>>>>>>>>> + ("3.0.0-42.el6", "3.3.3.fc20", "older"), >>>>>>>>>>>>>> + ("4.2.0-15.el7", "4.2.0-15.el7_2.3", "older"), >>>>>>>>>>>>>> + ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.3", "equal"), >>>>>>>>>>>>>> + ("4.2.0-1.fc23", "4.2.1.fc23", "older"), >>>>>>>>>>>>>> + ("4.2.3-alpha.fc23", "4.2.3-2.fc23", "older"), # >>>>>>>>>>>>>> numeric >>>>>>>>>>>>>> version elements have >>>>>>>>>>>>>> + # precedence over >>>>>>>>>>>>>> letters >>>>>>>>>>>>>> + ("4.3.90.201601080923GIT55aeea7-0.fc23", "4.3.0-1.fc23", >>>>>>>>>>>>>> "newer") >>>>>>>>>>>>>> +] >>>>>>>>>>>>>> + >>>>>>>>>>>>>> + >>>>>>>>>>>>>> + at pytest.fixture(params=version_strings) >>>>>>>>>>>>>> +def versions(request): >>>>>>>>>>>>>> + return request.param >>>>>>>>>>>>>> + >>>>>>>>>>>>>> +class TestVersionComparsion(object): >>>>>>>>>>>>>> + >>>>>>>>>>>>>> + def test_versions(self, versions): >>>>>>>>>>>>>> + version_string1, version_string2, >>>>>>>>>>>>>> expected_comparison = >>>>>>>>>>>>>> versions >>>>>>>>>>>>>> + >>>>>>>>>>>>>> + ver1 = tasks.parse_ipa_version(version_string1) >>>>>>>>>>>>>> + ver2 = tasks.parse_ipa_version(version_string2) >>>>>>>>>>>>>> + >>>>>>>>>>>>>> + if expected_comparison == "newer": >>>>>>>>>>>>>> + assert ver1 > ver2 >>>>>>>>>>>>>> + elif expected_comparison == "older": >>>>>>>>>>>>>> + assert ver1 < ver2 >>>>>>>>>>>>>> + elif expected_comparison == "equal": 
>>>>>>>>>>>>>> + assert ver1 == ver2 >>>>>>>>>>>>>> + else: >>>>>>>>>>>>>> + raise TypeError( >>>>>>>>>>>>>> + "Unexpected comparison string: {}", >>>>>>>>>>>>>> expected_comparison) >>>>>>>>>>>>>> -- >>>>>>>>>>>>>> 2.5.0 >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >From 9677e1a3ca2f5837f1b779780127adf27efa81df Mon Sep 17 >>>>>>>>>>>>> 00:00:00 >>>>>>>>>>>>> 2001 >>>>>>>>>>>>>> From: Martin Babinsky >>>>>>>>>>>>>> Date: Fri, 8 Jan 2016 14:17:14 +0100 >>>>>>>>>>>>>> Subject: [PATCH 1/3] use FFI call to rpmvercmp function for >>>>>>>>>>>>>> version >>>>>>>>>>>>>> comparison >>>>>>>>>>>>>> >>>>>>>>>>>>>> Stop using rpm-python to compare package versions since the >>>>>>>>>>>>>> implicit NSS >>>>>>>>>>>>>> initialization upon the module import breaks NSS >>>>>>>>>>>>>> handling in >>>>>>>>>>>>>> IPA >>>>>>>>>>>>>> code. Call >>>>>>>>>>>>>> rpm-libs C-API function via CFFI instead. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Big thanks to Martin Kosek for >>>>>>>>>>>>>> sharing the >>>>>>>>>>>>>> code >>>>>>>>>>>>>> snippet >>>>>>>>>>>>>> that spurred this patch. >>>>>>>>>>>>>> >>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5572 >>>>>>>>>>>>>> --- >>>>>>>>>>>>>> freeipa.spec.in | 2 +- >>>>>>>>>>>>>> ipaplatform/redhat/tasks.py | 59 >>>>>>>>>>>>>> +++++++++++++++++++++------------------------ >>>>>>>>>>>>>> 2 files changed, 29 insertions(+), 32 deletions(-) >>>>>>>>>>>>>> >>>>>>>>>>>>>> diff --git a/freeipa.spec.in b/freeipa.spec.in >>>>>>>>>>>>>> index >>>>>>>>>>>>>> 7e956538d0f6c24bab636579303e0c7b5eeec199..7f31d41d16b2a26b404c277595f0994a21123f80 >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> 100644 >>>>>>>>>>>>>> --- a/freeipa.spec.in >>>>>>>>>>>>>> +++ b/freeipa.spec.in >>>>>>>>>>>>>> 
@@ -214,7 +214,7 @@ Requires: python-pyasn1 >>>>>>>>>>>>>> Requires: dbus-python >>>>>>>>>>>>>> Requires: python-dns >= 1.11.1 >>>>>>>>>>>>>> Requires: python-kdcproxy >= 0.3 >>>>>>>>>>>>>> -Requires: rpm-python >>>>>>>>>>>>>> +Requires: rpm-devel >>>>>>>>>>>>> /usr/lib64/librpm.so.7 is provided by package rpm-libs >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> sh$ rpm -qf /usr/lib64/librpm.so.7 >>>>>>>>>>>>> rpm-libs-4.13.0-0.rc1.7.fc23.x86_64 >>>>>>>>>>>>> >>>>>>>>>>>>> It's not very common to depend on devel packages. >>>>>>>>>>>>> >>>>>>>>>>>>> LS >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> I was basically trying workaround this >>>>>>>>>>>> http://fpaste.org/308652/22677521/ >>>>>>>>>>>> >>>>>>>>>>> rpm-libs contains librpm.so.* >>>>>>>>>>> and cffi is smart enough to load right library with >>>>>>>>>>> C = ffi.dlopen("rpm") >>>>>>>>>> >>>>>>>>>> This likely won't be an issue here, but in general, we should >>>>>>>>>> use >>>>>>>>>> the >>>>>>>>>> versioned library name to have at least some API/ABI guarantee. >>>>>>>>>> If for >>>>>>>>>> example a function we depend on changed signature between >>>>>>>>>> versions, we >>>>>>>>>> would crash *hard* when it's called. >>>>>>>>>> >>>>>>>>>>> So it's enough to add "Requires: rpm-libs" >>>>>>>>>>> but it would be almost noop because rpm-libs is everytime >>>>>>>>>>> available >>>>>>>>>>> od fedora/rhel :-) >>>>>>>>>>> >>>>>>>>>>> "Requires: rpm-devel" >>>>>>>>>>> add unnecessary additional runtime dependencies on pkgconfig, >>>>>>>>>>> popt-devel >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>> librpm.so.7 belongs to rpm-libs and librpm.so to rpm-devel and >>>>>>>>>>>> I was >>>>>>>>>>>> lazy >>>>>>>>>>>> (hey it's friday) to add path to librpm.so.7 to paths and >>>>>>>>>>>> use it >>>>>>>>>>>> i LD >>>>>>>>>>>> loader. >>>>>>>>>>>> If you think that it is not optimal I will fix it, but let's >>>>>>>>>>>> wait >>>>>>>>>>>> for >>>>>>>>>>>> some >>>>>>>>>>>> more feedback. >>>>>>>>>>> Sure wait for another python related comments. 
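Review bot: in the `else` branch at the end of `test_versions`, `raise TypeError("Unexpected comparison string: {}", expected_comparison)` never formats the message: the `{}` placeholder and the value are passed as two separate exception arguments, so the error text reads literally `Unexpected comparison string: {}`. Use `raise ValueError("Unexpected comparison string: {}".format(expected_comparison))`; a bad label in the test table is a value problem, not a type problem. Also, the new file is created as `test_version_comparsion.py` (diff header and `create mode` line), which looks like a misspelling of `comparison` and will stay in the tree if merged as is.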
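Review bot: `-Requires: rpm-python` / `+Requires: rpm-devel` replaces a runtime dependency with a development package. The FFI call needs only the shared library at run time, and the unversioned `librpm.so` that rpm-devel ships exists for linking, not for loading; `librpm.so.7` comes from rpm-libs (the `rpm -qf /usr/lib64/librpm.so.7` output in this thread shows that), and rpm-devel drags pkgconfig and popt-devel along with it. Depend on the versioned soname (the `librpm.so.$N()` form suggested in this thread) or on rpm-libs, and have `ffi.dlopen()` open the versioned library name, so that the package dependency and the ABI actually loaded stay in step and an incompatible major version shows up as an unsatisfied dependency rather than a crash inside `rpmvercmp()`.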
>>>>>>>>>>
>>>>>>>>>> NACK. The ffi.cdef() and ffi.dlopen() should be in the module
>>>>>>>>>> scope, and the ffi.new() calls are unnecessary.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Attaching updated patches. I have added specific versions of librpm
>>>>>>>>> shared lib to platform specific namespaces. Both of them were tested
>>>>>>>>> and work.
>>>>>>>>
>>>>>>>> You haven't tested on any 32 bit architecture, have you? I'm sure
>>>>>>>> /lib64 will not work there.
>>>>>>>>
>>>>>>>> Note that when you dlopen just "librpm.so.$N", the correct path
>>>>>>>> according to dynamic linker configuration will be used.
>>>>>>>>
>>>>>>>>> I have also changed dependency to rpm-libs.
>>>>>>>>
>>>>>>>> Given librpm is dlopened by full path, I think we should depend
>>>>>>>> directly on the "librpm.so.$N()" soname rather than rpm-libs.
>>>>>>>>
>>>>>>>
>>>>>>> Updated patches attached.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Attaching another version.
>>>>>
>>>>> Patch 0122: ACK
>>>>>
>>>>> Pushed to:
>>>>> master: 7cd99e852053710c64dcb66cd5b15fc8ed4da5de
>>>>> ipa-4-2: be9af721536b7c05e2ba5ffd7d72cc3727d64ff5
>>>>> ipa-4-3: 6b6a11fda76e70d390d5c55f3aaeba8f455458c0
>>>>>
>>>>> Patch 0123: LGTM
>>>>>
>>>> Patch 0123:
>>>>
>>>> +            raise TypeError(
>>>> +                "Unexpected comparison string: {}",
>>>> expected_comparison)
>>>>
>>>> Did you mean:
>>>>     raise TypeError(
>>>>         "Unexpected comparison string: {}".format(expected_comparison))
>>>> ?
>>>
>>> Sorry I temporarily forgot how to python over there. Attaching updated
>>> patch.
>>>
>>
>> Works for me, but shouldn't the file be named test_version_compaRISOn.py
>> instead of test_version_compaRSIOn.py?
>>
>
> Seems like I forgot how to english as well. Attaching updated patch.
>

ACK

Pushed to:
master: ac76644ff6507d6eb792d54148ec8716303774ce
ipa-4-3: e3970bf4ff4af80fb4164cff11a2973c1c951ad8

From pviktori at redhat.com Tue Jan 12 14:44:27 2016
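The rpmvercmp() semantics that the test table in patch 0123 above relies on, as an added example that is not FreeIPA's code: patch 0122 calls librpm's C rpmvercmp() through CFFI, while this pure-Python model reimplements the same segment algorithm so the table can be checked without librpm or cffi installed. The table rows are copied from the quoted patch; compare(), failing_rows() and the '~' handling are this example's own additions.

```python
"""Pure-Python model of librpm's rpmvercmp() (added example, not FreeIPA code).

FreeIPA's patch calls the C rpmvercmp() via CFFI; this reimplements the same
segment-by-segment algorithm.  The '~' pre-release separator is handled; the
'^' separator that later rpm releases added is not modelled here.
"""


def _is_sep(ch):
    # rpmvercmp skips every character that is neither alphanumeric nor '~'
    return not (ch.isalnum() or ch == "~")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 with the same meaning as librpm's rpmvercmp(a, b)."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # skip separator characters on both sides
        while i < la and _is_sep(a[i]):
            i += 1
        while j < lb and _is_sep(b[j]):
            j += 1
        # tilde sorts before everything, including the end of the string
        ta = i < la and a[i] == "~"
        tb = j < lb and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        # one side exhausted: decided after the loop
        if i >= la or j >= lb:
            break
        # grab an all-numeric or all-alphabetic segment from each side; the
        # type is chosen by the left operand, so the right segment may be empty
        start_a, start_b = i, j
        if a[i].isdigit():
            isnum = True
            while i < la and a[i].isdigit():
                i += 1
            while j < lb and b[j].isdigit():
                j += 1
        else:
            isnum = False
            while i < la and a[i].isalpha():
                i += 1
            while j < lb and b[j].isalpha():
                j += 1
        seg_a, seg_b = a[start_a:i], b[start_b:j]
        # different segment types: a numeric segment is always newer than alpha
        if not seg_b:
            return 1 if isnum else -1
        if isnum:
            # drop leading zeros; the number with more digits wins
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        # equal length numbers or two alpha segments: compare like strcmp()
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= la and j >= lb:
        return 0  # all segments equal, only the separators differed
    return -1 if i >= la else 1  # whichever side has characters left wins


def compare(ver1, ver2):
    """Map rpmvercmp() to the labels used by the patch's test table."""
    rc = rpmvercmp(ver1, ver2)
    return "newer" if rc > 0 else ("older" if rc < 0 else "equal")


# Rows copied from the test table in the patch under review.
VERSION_STRINGS = [
    ("3.0.el6", "3.0.0.el6", "older"),
    ("3.0.0.el6", "3.0.0.el6_8.2", "older"),
    ("3.0.0-42.el6", "3.0.0.el6", "newer"),
    ("3.0.0-1", "3.0.0-42", "older"),
    ("3.0.0-42.el6", "3.3.3.fc20", "older"),
    ("4.2.0-15.el7", "4.2.0-15.el7_2.3", "older"),
    ("4.2.0-15.el7_2.3", "4.2.0-15.el7_2.3", "equal"),
    ("4.2.0-1.fc23", "4.2.1.fc23", "older"),
    ("4.2.3-alpha.fc23", "4.2.3-2.fc23", "older"),
    ("4.3.90.201601080923GIT55aeea7-0.fc23", "4.3.0-1.fc23", "newer"),
]


def failing_rows(table=VERSION_STRINGS):
    """Return the rows whose computed result differs from the expected label."""
    return [(v1, v2, exp, compare(v1, v2))
            for v1, v2, exp in table if compare(v1, v2) != exp]
```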
From: pviktori at redhat.com (Petr Viktorin)
Date: Tue, 12 Jan 2016 15:44:27 +0100
Subject: [Freeipa-devel] [PATCHES] 0752-0757, 0759 Enable pylint --py3k
In-Reply-To: <56950653.8060406@redhat.com>
References: <568D2494.9080602@redhat.com> <568FA169.4030900@redhat.com> <5693B2F8.1060905@redhat.com> <56950653.8060406@redhat.com>
Message-ID: <5695114B.3070807@redhat.com>

>> Hello I tried --py3k option and it doesn't print any error, can we
>> enable that check by default to prevent python3 regressions?
>>
>> # ./make-lint --py3k
>> No config file found, using default configuration
>
> Squash in the other attached patch to enable it by default.

Sorry, please ignore the squash patch -- if --py3k is to be on by default,
I'll also need to add all needed packages to BuildRequires.

--
Petr Viktorin

From jcholast at redhat.com Tue Jan 12 14:46:16 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 12 Jan 2016 15:46:16 +0100
Subject: [Freeipa-devel] [PATCH 539] ipalib: assume version 2.0 when skip_version_check is enabled
Message-ID: <569511B8.20605@redhat.com>

Hi,

the attached patch fixes .

Honza

--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-539-ipalib-assume-version-2.0-when-skip_version_check-is.patch
Type: text/x-patch
Size: 1270 bytes
Desc: not available
URL:

From mkosek at redhat.com Tue Jan 12 14:58:49 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 12 Jan 2016 15:58:49 +0100
Subject: [Freeipa-devel] [PATCH 539] ipalib: assume version 2.0 when skip_version_check is enabled
In-Reply-To: <569511B8.20605@redhat.com>
References: <569511B8.20605@redhat.com>
Message-ID: <569514A9.0@redhat.com>

On 01/12/2016 03:46 PM, Jan Cholasta wrote:
> Hi,
>
> the attached patch fixes .
>
> Honza

I see you set the version to 2.0. As I am reading
https://bugzilla.redhat.com/show_bug.cgi?id=1297811#c1
, shouldn't the minimal version be set to something higher than 2.49?

From jpazdziora at redhat.com Tue Jan 12 15:04:03 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Tue, 12 Jan 2016 16:04:03 +0100
Subject: [Freeipa-devel] [PATCH 539] ipalib: assume version 2.0 when skip_version_check is enabled
In-Reply-To: <569514A9.0@redhat.com>
References: <569511B8.20605@redhat.com> <569514A9.0@redhat.com>
Message-ID: <20160112150403.GC27136@redhat.com>

On Tue, Jan 12, 2016 at 03:58:49PM +0100, Martin Kosek wrote:
> On 01/12/2016 03:46 PM, Jan Cholasta wrote:
> > Hi,
> >
> > the attached patch fixes .
> >
> > Honza
>
> I see you set the version to 2.0. As I am reading
> https://bugzilla.redhat.com/show_bug.cgi?id=1297811#c1
> , shouldn't the minimal version be set to something higher than 2.49?

No. We set it to 2.51 and that fails with RHEL 6 installation. That's
why we have the bugzilla 1297811.

I cannot comment on the suitability of the 2.0 value in particular --
not sure who and where checks that value.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From jcholast at redhat.com Tue Jan 12 15:07:10 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 12 Jan 2016 16:07:10 +0100
Subject: [Freeipa-devel] [PATCH 539] ipalib: assume version 2.0 when skip_version_check is enabled
In-Reply-To: <569514A9.0@redhat.com>
References: <569511B8.20605@redhat.com> <569514A9.0@redhat.com>
Message-ID: <5695169E.3080202@redhat.com>

On 12.1.2016 15:58, Martin Kosek wrote:
> On 01/12/2016 03:46 PM, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch fixes .
>>
>> Honza
>
> I see you set the version to 2.0. As I am reading
> https://bugzilla.redhat.com/show_bug.cgi?id=1297811#c1
> , shouldn't the minimal version be set to something higher than 2.49?

It shouldn't, as that would not fix the issue, there would still be
versions where skip_version_check is ineffective. Something higher than
2.49 is what we have right now - 2.51.

Failures are expected, the documentation for skip_version_check clearly
states that "Can lead to errors/strange behavior when newer clients talk
to older servers. Use with caution."

--
Jan Cholasta

From mbasti at redhat.com Tue Jan 12 15:06:22 2016
From: mbasti at redhat.com (Martin Basti) Date: Tue, 12 Jan 2016 16:06:22 +0100 Subject: [Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python In-Reply-To: <56950325.80907@redhat.com> References: <568E26DF.6090507@redhat.com> <568E646C.6070003@redhat.com> <5694BA31.8010804@redhat.com> <5694C520.2060905@redhat.com> <5694E0DD.40905@redhat.com> <5694E25D.6060203@redhat.com> <5694F274.1040002@redhat.com> <56950325.80907@redhat.com> Message-ID: <5695166E.40608@redhat.com> On 12.01.2016 14:44, Jan Cholasta wrote: > On 12.1.2016 13:32, Martin Basti wrote: >> >> >> On 12.01.2016 12:24, Jan Cholasta wrote: >>> On 12.1.2016 12:17, Martin Basti wrote: >>>> >>>> >>>> On 12.01.2016 10:19, Jan Cholasta wrote: >>>>> On 12.1.2016 09:32, Martin Basti wrote: >>>>>> >>>>>> >>>>>> On 07.01.2016 14:13, Jan Cholasta wrote: >>>>>>> On 7.1.2016 09:50, Jan Cholasta wrote: >>>>>>>> Hi, >>>>>>>> >>>>>>>> the attached patch ports the _ipap11helper module to python-cffi. >>>>>>>> >>>>>>>> Combined with my patch 536 [1], this makes ipapython architecture >>>>>>>> independent. >>>>>>> >>>>>>> Updated patch attached. 
>>>>>>> >>>>>>> >>>>>>> >>>>>> I tried to run DNSSEC tests and it failed unexpectedly: >>>>>> >>>>>> Jan 12 08:28:06 master.ipa.test >>>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]: >>>>>> Connected >>>>>> Jan 12 08:28:06 master.ipa.test >>>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]: >>>>>> replica pub keys in LDAP: set(['0x51df7c70b9869a7dd2bbd27335dba3f8', >>>>>> '0xd8538e634797420ca86cda420234443c']) >>>>>> Jan 12 08:28:06 master.ipa.test >>>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]: >>>>>> replica pub keys in SoftHSM: >>>>>> set(['0x51df7c70b9869a7dd2bbd27335dba3f8', >>>>>> '0x1f7241a64d69ced6c0a14f6999410c59']) >>>>>> Jan 12 08:28:06 master.ipa.test >>>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]: >>>>>> new replica keys in LDAP: >>>>>> set(['0xd8538e634797420ca86cda420234443c']) >>>>>> Jan 12 08:28:06 master.ipa.test >>>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]: >>>>>> label=dnssec-replica:replica1.ipa.test., >>>>>> id=d8538e634797420ca86cda420234443c, >>>>>> data=30820122300d06092a864886f70d01010105 >>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: Traceback >>>>>> (most >>>>>> recent call last): >>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File >>>>>> "/usr/libexec/ipa/ipa-ods-exporter", line 664, in >>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: >>>>>> ldap2master_replica_keys_sync(log, ldapkeydb, localhsm) >>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File >>>>>> "/usr/libexec/ipa/ipa-ods-exporter", line 313, in >>>>>> ldap2master_replica_keys_sync >>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: >>>>>> localhsm.import_public_key(new_key_ldap, >>>>>> new_key_ldap['ipapublickey']) >>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File >>>>>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py", >>>>>> line >>>>>> 173, in import_public_key >>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: h = >>>>>> self.p11.import_public_key(**params) 
>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File >>>>>> "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line >>>>>> 1498, in >>>>>> import_public_key >>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: pkey = >>>>>> d2i_PUBKEY(NULL, data_ptr, data_length) >>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: TypeError: >>>>>> 'int(*)(EVP_PKEY *, unsigned char * *)' expects 2 arguments, got 3 >>>>>> Jan 12 08:28:06 master.ipa.test systemd[1]: >>>>>> ipa-ods-exporter.service: >>>>>> Main process exited, code=exited, status=1/FAILURE >>>>>> Jan 12 08:28:06 master.ipa.test systemd[1]: >>>>>> ipa-ods-exporter.service: >>>>>> Unit entered failed state. >>>>>> Jan 12 08:28:06 master.ipa.test systemd[1]: >>>>>> ipa-ods-exporter.service: >>>>>> Failed with result 'exit-code'. >>>>>> >>>>>> I haven't seen any other errors >>>>> >>>>> Updated patch attached. Added a patch which replaces calls to >>>>> libcrypto with calls to python-cryptography. >>>>> >>>> >>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] Done >>>> configuring >>>> DNS (named). 
>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] Configuring DNS >>>> key synchronization service (ipa-dnskeysyncd) >>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [1/7]: checking >>>> status >>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [2/7]: setting >>>> up bind-dyndb-ldap working directory >>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [3/7]: setting >>>> up kerberos principal >>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [4/7]: setting >>>> up SoftHSM >>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [5/7]: adding >>>> DNSSEC containers >>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [6/7]: creating >>>> replica keys >>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [error] Error: >>>> export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed >>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] >>>> ipa.ipapython.install.cli.install_tool(Server): ERROR >>>> export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed >>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] >>>> ipa.ipapython.install.cli.install_tool(Server): ERROR The >>>> ipa-server-install command failed. See /var/log/ipaserver-install.log >>>> for more information >>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] Exit code: 1 >>>> >>>> ipa-server-install.log >>>> .... 
>>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line 436, in run_step >>>> method() >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", >>>> >>>> >>>> line 342, in __setup_replica_keys >>>> public_key_blob = p11.export_public_key(public_key_handle) >>>> File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", >>>> line >>>> 1275, in export_public_key >>>> return self._export_RSA_public_key(object) >>>> File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", >>>> line >>>> 1240, in _export_RSA_public_key >>>> raise Error("export_RSA_public_key: internal error: " >>>> >>>> 2016-01-12T11:00:29Z DEBUG The ipa-server-install command failed, >>>> exception: Error: export_RSA_public_key: internal error: >>>> EVP_PKEY_set1_RSA failed >>>> 2016-01-12T11:00:29Z ERROR export_RSA_public_key: internal error: >>>> EVP_PKEY_set1_RSA failed >>> >>> Updated patch 538 attached. >>> >> Jan 12 12:31:43 master.ipa.test >> /usr/libexec/ipa/ipa-ods-exporter[31178]: Connected >> Jan 12 12:31:44 master.ipa.test >> /usr/libexec/ipa/ipa-ods-exporter[31178]: replica pub keys in LDAP: >> set(['0xf5edad67436d0ed36b75c3a70216fa43', >> '0x7164a931484d505f1e249e3dcbc313e2']) >> Jan 12 12:31:44 master.ipa.test >> /usr/libexec/ipa/ipa-ods-exporter[31178]: replica pub keys in SoftHSM: >> set(['0xf5edad67436d0ed36b75c3a70216fa43', >> '0x7164a931484d505f1e249e3dcbc313e2', '0x28e302ae6b6ee7e9284cd5f6 >> Jan 12 12:31:44 master.ipa.test >> /usr/libexec/ipa/ipa-ods-exporter[31178]: new replica keys in LDAP: >> set([]) >> Jan 12 12:31:44 master.ipa.test >> /usr/libexec/ipa/ipa-ods-exporter[31178]: obsolete replica keys in local >> HSM: set(['0x28e302ae6b6ee7e9284cd5f61aadbbe7']) >> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: Traceback (most >> recent call last): >> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File >> "/usr/libexec/ipa/ipa-ods-exporter", line 664, in >> Jan 12 12:31:44 
master.ipa.test ipa-ods-exporter[31178]: >> ldap2master_replica_keys_sync(log, ldapkeydb, localhsm) >> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File >> "/usr/libexec/ipa/ipa-ods-exporter", line 321, in >> ldap2master_replica_keys_sync >> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: >> localhsm.replica_pubkeys_wrap[key_id]['ipk11wrap'] = False >> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File >> "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py", line >> 65, in __setitem__ >> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: return >> self.p11.set_attribute(self.handle, attrs_name2id[key], value) >> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File >> "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1661, in >> set_attribute >> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: >> sizeof(CK_ATTRIBUTE))) >> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: TypeError: an >> integer is required >> Jan 12 12:31:44 master.ipa.test systemd[1]: ipa-ods-exporter.service: >> Main process exited, code=exited, status=1/FAILURE >> > > Updated patch 537 attached. 
> Jan 12 15:04:10 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: Connected Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: replica pub keys in LDAP: set(['0x0e3dfd7343999d2ea7d17ac4ce15e4ca', '0x9fc77beeb4b8ef33402e4fbb67d9b5e1']) Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: replica pub keys in SoftHSM: set(['0x0e3dfd7343999d2ea7d17ac4ce15e4ca', '0x9fc77beeb4b8ef33402e4fbb67d9b5e1']) Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: new replica keys in LDAP: set([]) Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: obsolete replica keys in local HSM: set([]) Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: keys in local HSM & LDAP: set(['0x0e3dfd7343999d2ea7d17ac4ce15e4ca', '0x9fc77beeb4b8ef33402e4fbb67d9b5e1']) Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: Updating attribute ipk11verifyrecover from "1" to "False" Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: master keys in local HSM: set([]) Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: master keys in LDAP HSM: set([]) Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: new master keys in local HSM: set([]) Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: Traceback (most recent call last): Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/libexec/ipa/ipa-ods-exporter", line 665, in Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: master2ldap_master_keys_sync(log, ldapkeydb, localhsm) Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/libexec/ipa/ipa-ods-exporter", line 340, in master2ldap_master_keys_sync Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: ldapkeydb.flush() Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line 311, in flush 
Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: self._update_keys() Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line 307, in _update_keys Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: key._update_key() Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line 179, in _update_key Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: self._cleanup_key() Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line 170, in _cleanup_key Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: if self.get(attr, empty) == default_attrs[attr]: Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/lib64/python2.7/_abcoll.py", line 382, in get Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: return self[key] Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line 132, in __getitem__ Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: val = ldap_bool(val) Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line 39, in ldap_bool Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: raise AssertionError('invalid LDAP boolean "%s"' % val) Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: AssertionError: invalid LDAP boolean "1" Jan 12 15:04:11 master.ipa.test systemd[1]: ipa-ods-exporter.service: Main process exited, code=exited, status=1/FAILURE You can run the dnssec test, it has been fixed. From mbasti at redhat.com Tue Jan 12 15:44:04 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 12 Jan 2016 16:44:04 +0100
Subject: [Freeipa-devel] [PATCH 539] ipalib: assume version 2.0 when skip_version_check is enabled
In-Reply-To: <5695169E.3080202@redhat.com>
References: <569511B8.20605@redhat.com> <569514A9.0@redhat.com> <5695169E.3080202@redhat.com>
Message-ID: <56951F44.6020609@redhat.com>

On 12.01.2016 16:07, Jan Cholasta wrote:
> On 12.1.2016 15:58, Martin Kosek wrote:
>> On 01/12/2016 03:46 PM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patch fixes
>>> .
>>>
>>> Honza
>>
>> I see you set the version to 2.0. As I am reading
>> https://bugzilla.redhat.com/show_bug.cgi?id=1297811#c1
>> , shouldn't the minimal version be set to something higher than 2.49?
>
> It shouldn't, as that would not fix the issue, there would still be
> versions where skip_version_check is ineffective. Something higher
> than 2.49 is what we have right now - 2.51.
>
> Failures are expected, the documentation for skip_version_check
> clearly states that "Can lead to errors/strange behavior when newer
> clients talk to older servers. Use with caution."
>

ACK

Pushed to:
master: 6b2b173a4d6b1cd8789e87d0392dd86c980f858a ipalib: assume version 2.0 when skip_version_check is enabled
ipa-4-3: 51d5150b9b5ffe6ff5f77230a389a9091f28ce48 ipalib: assume version 2.0 when skip_version_check is enabled
ipa-4-2: 7a4a3b099e82fc566d3f353d42009a5f0ef6be18 ipalib: assume version 2.0 when skip_version_check is enabled

From mbabinsk at redhat.com Tue Jan 12 18:13:04 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 12 Jan 2016 19:13:04 +0100
Subject: [Freeipa-devel] [PATCH 0125] IPA upgrade: move replication ACIs to the mapping tree entry
Message-ID: <56954230.7080005@redhat.com>

commit 6ea868e172738bdd6a8fae34e65126cdd134bbbe broke replica install and
management on IPA servers upgraded from pre-4.3 version. The attached patch
fixes this.

https://fedorahosted.org/freeipa/ticket/5575

--
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0125-IPA-upgrade-move-replication-ACIs-to-the-mapping-tre.patch
Type: text/x-patch
Size: 3075 bytes
Desc: not available
URL:

From jcholast at redhat.com Wed Jan 13 06:18:21 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 13 Jan 2016 07:18:21 +0100
Subject: [Freeipa-devel] [PATCH 0125] IPA upgrade: move replication ACIs to the mapping tree entry
In-Reply-To: <56954230.7080005@redhat.com>
References: <56954230.7080005@redhat.com>
Message-ID: <5695EC2D.1000302@redhat.com>

On 12.1.2016 19:13, Martin Babinsky wrote:
> commit 6ea868e172738bdd6a8fae34e65126cdd134bbbe broke replica install
> and management on IPA servers upgraded from pre-4.3 version. The
> attached patch fixes this.
>
> https://fedorahosted.org/freeipa/ticket/5575

Any reason to repeat the DN 3 times?

Besides that LGTM.

--
Jan Cholasta

From jcholast at redhat.com Wed Jan 13 06:47:13 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 13 Jan 2016 07:47:13 +0100
Subject: [Freeipa-devel] [PATCH 0001] ipa-server-certinstall should not tell certmonger to track 3rd party certificates
In-Reply-To: <20151215132144.GI25566@tscherf.redhat.com>
References: <20151215132144.GI25566@tscherf.redhat.com>
Message-ID: <5695F2F1.7030307@redhat.com>

Hi Thorsten,

thanks for the patch, but unfortunately it isn't as simple as this - if the
provided certificate was issued by our CA, we should still track it.

As part of installer improvements in 4.4, we plan to always track all
certificates, even 3rd party ones (this way we can have the same certmonger
configuration everywhere, plus the user will be at least warned when the
certificate is about to expire), which will also fix this issue.

Does that sound OK?

Honza

--
Jan Cholasta

From jcholast at redhat.com Wed Jan 13 07:12:59 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 13 Jan 2016 08:12:59 +0100
Subject: [Freeipa-devel] [PATCH] 0048 Decode HTTP reason phrase as iso-8859-1
In-Reply-To: <20160108105616.GZ31821@dhcp-40-8.bne.redhat.com>
References: <20160106042631.GJ31821@dhcp-40-8.bne.redhat.com> <568E0C0F.9060401@redhat.com> <20160107100051.GS31821@dhcp-40-8.bne.redhat.com> <20160108105616.GZ31821@dhcp-40-8.bne.redhat.com>
Message-ID: <5695F8FB.80801@redhat.com>

On 8.1.2016 11:56, Fraser Tweedale wrote:
> On Thu, Jan 07, 2016 at 08:00:51PM +1000, Fraser Tweedale wrote:
>> On Thu, Jan 07, 2016 at 07:56:15AM +0100, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 6.1.2016 05:26, Fraser Tweedale wrote:
>>>> Happy new year, all.
>>>>
>>>> The attached patch fixes a unicode decode error triggered in some
>>>> locales, which causes failure of installation (and probably other
>>>> operations, if locale is changed under an existing server).
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5578
>>>
>>> It seems like this fixes only part of the issue - the installer won't crash
>>> anymore. But what happens if the reason phrase uses characters which are not
>>> in iso-8859-1 (e.g. "?", a character commonly used in Czech)? Shouldn't we
>>> always specify the encoding in requests, so that Dogtag does not have to
>>> guess?
>>>
>> In this case it will not throw an exception, but it will decode
>> nonsense. However, in my investigation just now of how Tomcat
>> decides what to send in the reason phrase, it turns out that in
>> future releases they will not send a reason phrase[1] at all!
>>
>> [1] https://github.com/apache/tomcat/commit/707ab1c77f3bc189e1c3f29b641506db4c8bce37
>>
>> (Nice to know about this in advance - I will not be surprised if
>> some clients break)
>>
>> I'll cut a new patch tomorrow that just ignores the reason phrase
>> rather than trying to decode and log it. All the info is in the
>> status code, after all.
>>
>> Thanks for reviewing,
>> Fraser
>>
> Promised new patch attached - removes the reason phrase and updates
> call sites accordingly.

Thanks, ACK.

Pushed to master: fe94222873c4df5118e93cebe7e9d69439266ba0

--
Jan Cholasta

From mbabinsk at redhat.com Wed Jan 13 08:30:05 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 13 Jan 2016 09:30:05 +0100
Subject: [Freeipa-devel] [PATCH 0125] IPA upgrade: move replication ACIs to the mapping tree entry
In-Reply-To: <5695EC2D.1000302@redhat.com>
References: <56954230.7080005@redhat.com> <5695EC2D.1000302@redhat.com>
Message-ID: <56960B0D.30500@redhat.com>

On 01/13/2016 07:18 AM, Jan Cholasta wrote:
> On 12.1.2016 19:13, Martin Babinsky wrote:
>> commit 6ea868e172738bdd6a8fae34e65126cdd134bbbe broke replica install
>> and management on IPA servers upgraded from pre-4.3 version. The
>> attached patch fixes this.
>>
>> https://fedorahosted.org/freeipa/ticket/5575
>
> Any reason to repeat the DN 3 times?
>
> Besides that LGTM.
>

No other reason than not using my brain during copy-pasting ACIs. Attaching updated patch.

--
Martin^3 Babinsky

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0125.1-IPA-upgrade-move-replication-ACIs-to-the-mapping-tre.patch
Type: text/x-patch
Size: 2766 bytes
Desc: not available
URL:

From mbasti at redhat.com Wed Jan 13 08:57:09 2016
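The reason-phrase thread above (patch 0048) settles on ignoring the reason phrase and acting on the status code alone. The following is an added example, not code from the FreeIPA patch or from Dogtag, showing why: a status-line parser that accepts an empty or absent reason phrase (the Tomcat change Fraser links to drops it), decodes the phrase with iso-8859-1 only for logging, and exposes the strict-UTF-8 check that used to raise and abort the installer. The sample status lines are constructed, not captured from a real server.

```python
import re

# Status line per RFC 7230: HTTP-version SP status-code [SP reason-phrase] CRLF.
# The reason phrase may be empty, and the Tomcat change linked in the thread
# drops it altogether, so the parser must not require it.
_STATUS_LINE = re.compile(rb"^HTTP/(\d)\.(\d) (\d{3})(?: (.*))?$")


def parse_status_line(line: bytes):
    """Return (major, minor, status_code, reason_text) for one status line.

    Only the status code carries information the client acts on.  The reason
    phrase is decoded with iso-8859-1 purely so that it can be logged: that
    decoding cannot raise for any byte sequence, but it yields mojibake when
    the server actually sent another encoding (a Czech locale, for example).
    """
    m = _STATUS_LINE.match(line.rstrip(b"\r\n"))
    if m is None:
        raise ValueError("malformed HTTP status line: %r" % (line,))
    major, minor, code, reason = m.groups()
    return int(major), int(minor), int(code), (reason or b"").decode("iso-8859-1")


def reason_is_utf8(line: bytes) -> bool:
    """Whether the raw reason phrase survives a strict UTF-8 decode.

    This is the assumption the pre-patch code made implicitly; a False result
    is exactly the case that raised UnicodeDecodeError during installation.
    """
    m = _STATUS_LINE.match(line.rstrip(b"\r\n"))
    raw = (m.group(4) if m else None) or b""
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def describe_response(line: bytes) -> str:
    """Build a log message from the status code alone, as the final patch does."""
    _, _, code, _ = parse_status_line(line)
    return "request finished with HTTP status %d" % code


# Constructed sample status lines (not captured from a real Dogtag instance).
SAMPLES = [
    b"HTTP/1.1 200 OK\r\n",            # usual case
    b"HTTP/1.1 200 \r\n",              # empty reason phrase
    b"HTTP/1.1 200\r\n",               # no reason phrase at all
    b"HTTP/1.1 500 Chyba: \xf8\r\n",   # reason phrase in a single-byte locale encoding
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_status_line(sample), reason_is_utf8(sample), describe_response(sample))
```

The fourth sample decodes without error under iso-8859-1 but to a wrong character, which is Honza's point: a lenient decode hides the problem rather than fixing it, so the safe design is to never let the phrase influence behaviour.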
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 13 Jan 2016 09:57:09 +0100
Subject: [Freeipa-devel] [PATCH 0118] fix Py3 incompatible exception instantiation in replica install code
In-Reply-To: <5693A078.3030509@redhat.com>
References: <568A272A.5060805@redhat.com> <568E98BC.9080000@redhat.com> <568FF12F.6060007@redhat.com> <5693A078.3030509@redhat.com>
Message-ID: <56961165.2080503@redhat.com>

On 11.01.2016 13:30, Martin Babinsky wrote:
> On 01/08/2016 06:26 PM, Tomas Babej wrote:
>>
>> On 01/07/2016 05:56 PM, Martin Babinsky wrote:
>>> On 01/04/2016 09:02 AM, Martin Babinsky wrote:
>>>>
>>> I have created a ticket for the patch and added it to the commit message:
>>>
>>> https://fedorahosted.org/freeipa/ticket/5585
>>>
>>
>> ACK for these changes, however, there are additional occurrences in the
>> code base, attaching a patch.
>>
>> Tomas
>>
> ACK
>

Pushed to:
master: 50627004b83fe155767fb02b51099eba612a5855
ipa-4-3: 1181926c970e71cec728bed9ac4b16a2664ef97d

From mbasti at redhat.com Wed Jan 13 09:00:14 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 13 Jan 2016 10:00:14 +0100
Subject: [Freeipa-devel] [PATCH 0124] ipa-csreplica-manage: remove extraneous ldap2 connection
In-Reply-To: <5693CEA6.3050808@redhat.com>
References: <568FE141.4060200@redhat.com> <568FEF10.4030608@redhat.com> <568FF264.7070708@redhat.com> <56939330.6080906@redhat.com> <5693CEA6.3050808@redhat.com>
Message-ID: <5696121E.6030806@redhat.com>

On 11.01.2016 16:47, Martin Basti wrote:
>
> On 11.01.2016 12:34, Martin Kosek wrote:
>> On 01/08/2016 06:31 PM, Martin Babinsky wrote:
>>> On 01/08/2016 06:17 PM, Martin Basti wrote:
>>>>
>>>> On 08.01.2016 17:18, Martin Babinsky wrote:
>>>>> fixes ipa-csreplica-manage del blowing up due
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5583
>>>>>
>>>>> for master and ipa-4-3 only.
>>>>>
>>>> Give me patch pleaaaaaaaaaaaaaaaaaaaaaaaase!!
>>> Auto-attach plugin would be most welcome.. here's the patch.
>> Back in my developer days, I used this script for sending patches :-)
>>
>> https://github.com/freeipa/freeipa-tools/blob/master/sendpatch.py
>>
>> This let me (almost never) forget attaching the file(s) in the right
>> format.
>>
> ACK
>

Pushed to:
master: a81e69a796fee2405252838d512e5b950f3be5d8
ipa-4-3: 6ef4bfb7b422af4e487043cdfec88845c3644d6a

From mbasti at redhat.com Wed Jan 13 09:08:11 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 13 Jan 2016 10:08:11 +0100
Subject: [Freeipa-devel] [patch 0029, 0030] fixes for install tasks in integration tests
In-Reply-To: <56938B09.2000003@redhat.com>
References: <568E238E.8010809@redhat.com> <56938B09.2000003@redhat.com>
Message-ID: <569613FB.3050703@redhat.com>

On 11.01.2016 11:59, Milan Kubík wrote:
> On 01/07/2016 09:36 AM, Milan Kubík wrote:
>> 0029: Add 10.in-addr.arpa. zone to ipa
>> 0030: If the IP addresses in the topology are resolvable, do not add
>> them to master.
>>
> Hi. I'm dropping 0029 for now. 0030 gets an update.
>
> --
> Milan Kubik
>

ACK

Pushed to:
master: c0133778ae6ea207aa3b184af54fea5803e2ac23
ipa-4-3: 850ea4cc8fa25c85c5a6869481c311b1f10611cc

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbabinsk at redhat.com Wed Jan 13 09:31:17 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 13 Jan 2016 10:31:17 +0100
Subject: [Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails
In-Reply-To: <568E949B.1090300@redhat.com>
References: <568E945F.3030605@redhat.com> <568E949B.1090300@redhat.com>
Message-ID: <56961965.9050309@redhat.com>

On 01/07/2016 05:38 PM, Martin Babinsky wrote:
> On 01/07/2016 05:37 PM, Martin Babinsky wrote:
>> https://fedorahosted.org/freeipa/ticket/5584
>>
> And the patch is here.
>

self-NACK, there may be a better way to handle this. I will do some investigation and send an updated patch.

--
Martin^3 Babinsky

From pviktori at redhat.com Wed Jan 13 10:34:14 2016
From: pviktori at redhat.com (Petr Viktorin)
Date: Wed, 13 Jan 2016 11:34:14 +0100
Subject: [Freeipa-devel] Should we split up ipa-client?
Message-ID: <56962826.10404@redhat.com>

Hello,
I'm planning to port the ipa-client to Python 3, and I'm likely to end up shaking out some dusty corners of the codebase, rather than doing the minimal amount of work :)
So I'd like to get your opinions before I commit significant time to this.

I think it would be beneficial to split ipa-client to better match both how it's put in the RPMs these days, and how the rest of IPA is organized. (And, to stop using autotools to "build" Python libraries...)

The resulting structure could look like this:

ipaclient/
- *.py
- setup.py

client-tools/
- man/*
- *.c
- *.h
- all the automake stuff
- current contents of ipa-install (Python scripts that go in /usr/sbin)

Removed:
- ipa-client.spec.in (included in freeipa.spec.in)
- NEWS (empty)
- README (entirely outdated)

Does this look like a reasonable direction to explore?

--
Petr Viktorin

From mbabinsk at redhat.com Wed Jan 13 12:03:29 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 13 Jan 2016 13:03:29 +0100
Subject: [Freeipa-devel] Should we split up ipa-client?
In-Reply-To: <56962826.10404@redhat.com>
References: <56962826.10404@redhat.com>
Message-ID: <56963D11.3050600@redhat.com>

On 01/13/2016 11:34 AM, Petr Viktorin wrote:
> Hello,
> I'm planning to port the ipa-client to Python 3, and I'm likely to end
> up shaking out some dusty corners of the codebase, rather than doing the
> minimal amount of work :)
> So I'd like to get your opinions before I commit significant time to this.
>
> I think it would be beneficial to split ipa-client to better match both
> how it's put in the RPMs these days, and how the rest of IPA is
> organized. (And, to stop using autotools to "build" Python libraries...)
>
> The resulting structure could look like this:
>
> ipaclient/
> - *.py
> - setup.py
>
> client-tools/
> - man/*
> - *.c
> - *.h
> - all the automake stuff
> - current contents of ipa-install (Python scripts that go in /usr/sbin)
>
> Removed:
> - ipa-client.spec.in (included in freeipa.spec.in)
> - NEWS (empty)
> - README (entirely outdated)
>
>
> Does this look like a reasonable direction to explore?
>

Makes sense to me, this kind of work would be needed during client installer refactoring anyway (also, using autotools for python module installation hurts my brain a lot).

--
Martin^3 Babinsky

From mbasti at redhat.com Wed Jan 13 13:01:37 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 13 Jan 2016 14:01:37 +0100
Subject: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs
In-Reply-To: <5673F1F9.2030403@redhat.com>
References: <5673F1F9.2030403@redhat.com>
Message-ID: <56964AB1.1010902@redhat.com>

On 18.12.2015 12:46, Stanislav Laznicka wrote:
> Hi,
>
> Attached are the patches for auto-find and clean of dangling (cs)ruvs.
> Currently, the cleaning of an RUV waits for all replicas to be online,
> even on --force. If that were an issue, I can make the command fail
> before trying to clean any of RUVs. However, the user is shown a
> replica is offline and is prompted to confirm the cleaning so the
> possible wait should not be a problem I believe.
>
> Standa L.
>

Hello,

the patches need a rebase, I cannot apply them.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbabinsk at redhat.com Wed Jan 13 13:02:17 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 13 Jan 2016 14:02:17 +0100 Subject: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver In-Reply-To: <1452032349.3830.46.camel@redhat.com> References: <1452028501.3830.45.camel@redhat.com> <1452032349.3830.46.camel@redhat.com> Message-ID: <56964AD9.7030604@redhat.com> On 01/05/2016 11:19 PM, Simo Sorce wrote: > On Tue, 2016-01-05 at 16:15 -0500, Simo Sorce wrote: >> The LDAP context was not checked on the first api call and a context may >> be null on some error conditions (LDAP server unreachable). >> >> Always check that we have a valid context before calling the ldap API. >> >> Builds abut it is untested. > > Forgot to mention that this bug affects all 4.x versions and should > probably be backported on all maintained branches. > > I opened a bug to track it too: > https://fedorahosted.org/freeipa/ticket/5577 > > Simo. > ACK. Please include the ticket URL in the commit message. -- Martin^3 Babinsky From abokovoy at redhat.com Wed Jan 13 14:06:50 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 13 Jan 2016 16:06:50 +0200 Subject: [Freeipa-devel] [PATCH] Remove des3/arcfour from default enctypes In-Reply-To: <1448304575.7892.27.camel@redhat.com> References: <1448304575.7892.27.camel@redhat.com> Message-ID: <20160113140650.GG4316@redhat.com> On Mon, 23 Nov 2015, Simo Sorce wrote: >Note, this does not touch the trust code because apparently we use only >arcfour there. > >CCing Alexander to give me a comment about that, probably worth opening >a ticket specific to trusts. > >Otherwise addresses #4740 > >Simo. > >-- >Simo Sorce * Red Hat, Inc * New York >From 70b4c8971ca623aa51e8e7d1f0e5d245a05c7396 Mon Sep 17 00:00:00 2001 >From: Simo Sorce >Date: Mon, 23 Nov 2015 13:40:42 -0500 >Subject: [PATCH] Use only AES enctypes by default > >Remove des3 and arcfour from the defaults for new installs. > >NOTE: the ipasam/dcerpc code sill uses arcfour 
> >Signed-off-by: Simo Sorce > >Ticket: https://fedorahosted.org/freeipa/ticket/4740 >--- > daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 14 +++----------- > install/share/kerberos.ldif | 2 -- > 2 files changed, 3 insertions(+), 13 deletions(-) > >diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c >index 1a8ef47b0fc6a932a4115dfa05ecf1a39c8e762f..5dc606d22305cf63a16feca30aab2728bb20b80d 100644 >--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c >+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c >@@ -55,18 +55,10 @@ extern const char *ipa_realm_dn; > extern const char *ipa_etc_config_dn; > extern const char *ipa_pwd_config_dn; > >-/* These are the default enc:salt types if nothing is defined. >- * TODO: retrieve the configure set of ecntypes either from the >- * kfc.conf file or by synchronizing the file content into >- * the directory */ >+/* These are the default enc:salt types if nothing is defined in LDAP */ > static const char *ipapwd_def_encsalts[] = { >- "des3-hmac-sha1:normal", >-/* "arcfour-hmac:normal", >- "des-hmac-sha1:normal", >- "des-cbc-md5:normal", */ >- "des-cbc-crc:normal", >-/* "des-cbc-crc:v4", >- "des-cbc-crc:afs3", */ >+ "aes256-cts:special", >+ "aes128-cts:special", > NULL > }; > >diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif >index 41e77952adafaf28bfaa96b4c1f1a81ef96348be..1f556382e262ec1b71eb0f4267de0a987952d84d 100644 >--- a/install/share/kerberos.ldif >+++ b/install/share/kerberos.ldif >@@ -30,8 +30,6 @@ krbMaxTicketLife: 86400 > krbMaxRenewableAge: 604800 > krbDefaultEncSaltTypes: aes256-cts:special > krbDefaultEncSaltTypes: aes128-cts:special >-krbDefaultEncSaltTypes: des3-hmac-sha1:special >-krbDefaultEncSaltTypes: arcfour-hmac:special > > # Default password Policy > dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX >-- >2.5.0 > ACK. -- / Alexander Bokovoy From mbasti at redhat.com Wed Jan 13 14:25:51 2016 
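Review bot: in the common.c hunk the replacement entries in ipapwd_def_encsalts change the salt type as well as the enctype (":normal" becomes ":special"), while the commit message only speaks of dropping des3 and arcfour; state in the message that the in-plugin fallback is now deliberately identical to the kerberos.ldif values (aes256-cts:special, aes128-cts:special), and that a deployment which still depends on arcfour for the ipasam/dcerpc code mentioned in the NOTE must set krbDefaultEncSaltTypes explicitly instead of relying on this fallback. The NOTE also has a typo: "sill" should read "still".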
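Review bot: the kerberos.ldif hunk only affects entries created at install time, so dropping the two krbDefaultEncSaltTypes lines leaves every existing realm with des3-hmac-sha1:special and arcfour-hmac:special still configured under cn=$REALM,cn=kerberos,$SUFFIX; the commit message does say "for new installs", but it should spell out that upgraded installations are unchanged and either point to how an administrator removes the old values or note that an upgrade step is intentionally out of scope (the same ticket, #4740, would be the natural place to track that).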
From: mbasti at redhat.com (Martin Basti) Date: Wed, 13 Jan 2016 15:25:51 +0100 Subject: [Freeipa-devel] [PATCH] Remove des3/arcfour from default enctypes In-Reply-To: <20160113140650.GG4316@redhat.com> References: <1448304575.7892.27.camel@redhat.com> <20160113140650.GG4316@redhat.com> Message-ID: <56965E6F.4070008@redhat.com> On 13.01.2016 15:06, Alexander Bokovoy wrote: > On Mon, 23 Nov 2015, Simo Sorce wrote: >> Note, this does not touch the trust code because apparently we use only >> arcfour there. >> >> CCing Alexander to give me a comment about that, probably worth opening >> a ticket specific to trusts. >> >> Otherwise addresses #4740 >> >> Simo. >> >> -- >> Simo Sorce * Red Hat, Inc * New York > >> From 70b4c8971ca623aa51e8e7d1f0e5d245a05c7396 Mon Sep 17 00:00:00 2001 >> From: Simo Sorce >> Date: Mon, 23 Nov 2015 13:40:42 -0500 >> Subject: [PATCH] Use only AES enctypes by default >> >> Remove des3 and arcfour from the defaults for new installs. >> >> NOTE: the ipasam/dcerpc code sill uses arcfour >> >> Signed-off-by: Simo Sorce >> >> Ticket: https://fedorahosted.org/freeipa/ticket/4740 >> --- >> daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 14 +++----------- >> install/share/kerberos.ldif | 2 -- >> 2 files changed, 3 insertions(+), 13 deletions(-) >> >> diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c >> b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c >> index >> 1a8ef47b0fc6a932a4115dfa05ecf1a39c8e762f..5dc606d22305cf63a16feca30aab2728bb20b80d >> 100644 >> --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c >> +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c 
>> @@ -55,18 +55,10 @@ extern const char *ipa_realm_dn; >> extern const char *ipa_etc_config_dn; >> extern const char *ipa_pwd_config_dn; >> >> -/* These are the default enc:salt types if nothing is defined. >> - * TODO: retrieve the configure set of ecntypes either from the >> - * kfc.conf file or by synchronizing the file content into >> - * the directory */ >> +/* These are the default enc:salt types if nothing is defined in >> LDAP */ >> static const char *ipapwd_def_encsalts[] = { >> - "des3-hmac-sha1:normal", >> -/* "arcfour-hmac:normal", >> - "des-hmac-sha1:normal", >> - "des-cbc-md5:normal", */ >> - "des-cbc-crc:normal", >> -/* "des-cbc-crc:v4", >> - "des-cbc-crc:afs3", */ >> + "aes256-cts:special", >> + "aes128-cts:special", >> NULL >> }; >> >> diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif >> index >> 41e77952adafaf28bfaa96b4c1f1a81ef96348be..1f556382e262ec1b71eb0f4267de0a987952d84d >> 100644 >> --- a/install/share/kerberos.ldif >> +++ b/install/share/kerberos.ldif >> @@ -30,8 +30,6 @@ krbMaxTicketLife: 86400 >> krbMaxRenewableAge: 604800 >> krbDefaultEncSaltTypes: aes256-cts:special >> krbDefaultEncSaltTypes: aes128-cts:special >> -krbDefaultEncSaltTypes: des3-hmac-sha1:special >> -krbDefaultEncSaltTypes: arcfour-hmac:special >> >> # Default password Policy >> dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX >> -- >> 2.5.0 >> > ACK. > Pushed to: master: 58ab032f1ae20454d4b9d760c7601fd8b44045f5 ipa-4-3: bad5b0247984635fe402283aee259f35a048df6b From simo at redhat.com Wed Jan 13 14:30:11 2016 
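The patch reviewed above changes the default enc:salt types in two places, kerberos.ldif and the ipa-pwd-extop fallback list, but only for new installs. As an added check, not FreeIPA code and not part of the patch, the script below audits the krbDefaultEncSaltTypes values of a realm entry and reports whether it matches the new AES-only defaults. The two LDIF entries are constructed samples (EXAMPLE.TEST and the dc= suffix are placeholders) shaped after the kerberos.ldif fragment in the diff; the parser assumes unfolded LDIF lines.

```python
# Prefixes of the enctypes the patch removes from the defaults (des3, arcfour)
# and of the single-DES family that was already commented out in the old list.
WEAK_ENCTYPE_PREFIXES = ("des-", "des3-", "arcfour-")

# The two values the patch keeps.  They are identical in kerberos.ldif and in
# the ipa-pwd-extop fallback list, so a realm configured this way is AES-only.
AES_DEFAULTS = ("aes256-cts:special", "aes128-cts:special")


def parse_enc_salt_types(ldif_text: str) -> list:
    """Collect krbDefaultEncSaltTypes values from one LDIF entry, in order.

    Assumes unfolded LDIF (no leading-space continuation lines); attribute
    names are matched case-insensitively as LDAP does.
    """
    values = []
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "krbdefaultencsalttypes":
            values.append(value.strip())
    return values


def split_enc_salt(value: str):
    """Split 'enctype:salttype' into its parts; the salt type may be absent."""
    enctype, _, salt = value.partition(":")
    return enctype.strip().lower(), salt.strip().lower()


def audit_enc_salt_types(values) -> dict:
    """Classify the configured enc:salt types and say whether the realm is AES-only."""
    weak = [v for v in values
            if split_enc_salt(v)[0].startswith(WEAK_ENCTYPE_PREFIXES)]
    strong = [v for v in values if v not in weak]
    missing_aes = [d for d in AES_DEFAULTS if d not in values]
    return {
        "weak": weak,                 # values an AES-only realm should not carry
        "strong": strong,             # everything else, in configured order
        "missing_aes": missing_aes,   # defaults from the patch that are absent
        "aes_only": not weak and not missing_aes,
    }


def audit_ldif(ldif_text: str) -> dict:
    return audit_enc_salt_types(parse_enc_salt_types(ldif_text))


# Constructed sample entries, shaped like the realm container in kerberos.ldif.
# A realm installed before the patch keeps the two removed values:
PRE_PATCH_REALM = """\
dn: cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test
krbMaxTicketLife: 86400
krbMaxRenewableAge: 604800
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
krbDefaultEncSaltTypes: des3-hmac-sha1:special
krbDefaultEncSaltTypes: arcfour-hmac:special
"""

# A realm installed with the patched kerberos.ldif:
POST_PATCH_REALM = """\
dn: cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test
krbMaxTicketLife: 86400
krbMaxRenewableAge: 604800
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
"""

if __name__ == "__main__":
    for label, entry in (("pre-patch", PRE_PATCH_REALM), ("post-patch", POST_PATCH_REALM)):
        report = audit_ldif(entry)
        print(label, "AES-only" if report["aes_only"]
              else "weak types present: " + ", ".join(report["weak"]))
```

On a real server the entry would come from an LDAP search of the realm container rather than from an inline string; the audit logic is the same. The check deliberately flags the des3 and arcfour values on an upgraded realm, which is the situation the patch itself does not change.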
From: simo at redhat.com (Simo Sorce)
Date: Wed, 13 Jan 2016 09:30:11 -0500
Subject: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver
In-Reply-To: <56964AD9.7030604@redhat.com>
References: <1452028501.3830.45.camel@redhat.com> <1452032349.3830.46.camel@redhat.com> <56964AD9.7030604@redhat.com>
Message-ID: <1452695411.3356.84.camel@redhat.com>

On Wed, 2016-01-13 at 14:02 +0100, Martin Babinsky wrote:
> On 01/05/2016 11:19 PM, Simo Sorce wrote:
> > On Tue, 2016-01-05 at 16:15 -0500, Simo Sorce wrote:
> >> The LDAP context was not checked on the first api call and a context may
> >> be null on some error conditions (LDAP server unreachable).
> >>
> >> Always check that we have a valid context before calling the ldap API.
> >>
> >> Builds but it is untested.
> >
> > Forgot to mention that this bug affects all 4.x versions and should
> > probably be backported on all maintained branches.
> >
> > I opened a bug to track it too:
> > https://fedorahosted.org/freeipa/ticket/5577
> >
> > Simo.
> >
> ACK. Please include the ticket URL in the commit message.
>

Could you add it when pushing ?

Unless you need some other change in the patch it will be less churn that way.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From mbabinsk at redhat.com Wed Jan 13 14:31:26 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 13 Jan 2016 15:31:26 +0100
Subject: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver
In-Reply-To: <1452695411.3356.84.camel@redhat.com>
References: <1452028501.3830.45.camel@redhat.com> <1452032349.3830.46.camel@redhat.com> <56964AD9.7030604@redhat.com> <1452695411.3356.84.camel@redhat.com>
Message-ID: <56965FBE.3010501@redhat.com>

On 01/13/2016 03:30 PM, Simo Sorce wrote:
> On Wed, 2016-01-13 at 14:02 +0100, Martin Babinsky wrote:
>> On 01/05/2016 11:19 PM, Simo Sorce wrote:
>>> On Tue, 2016-01-05 at 16:15 -0500, Simo Sorce wrote:
>>>> The LDAP context was not checked on the first api call and a context may
>>>> be null on some error conditions (LDAP server unreachable).
>>>>
>>>> Always check that we have a valid context before calling the ldap API.
>>>>
>>>> Builds but it is untested.
>>>
>>> Forgot to mention that this bug affects all 4.x versions and should
>>> probably be backported on all maintained branches.
>>>
>>> I opened a bug to track it too:
>>> https://fedorahosted.org/freeipa/ticket/5577
>>>
>>> Simo.
>>>
>> ACK. Please include the ticket URL in the commit message.
>>
>
> Could you add it when pushing ?
>
> Unless you need some other change in the patch it will be less churn
> that way.
>
> Simo.
>

Yes we could. I didn't realize that, sorry for the noise.

--
Martin^3 Babinsky

From mbasti at redhat.com Wed Jan 13 14:49:29 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 13 Jan 2016 15:49:29 +0100
Subject: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver
In-Reply-To: <56965FBE.3010501@redhat.com>
References: <1452028501.3830.45.camel@redhat.com> <1452032349.3830.46.camel@redhat.com> <56964AD9.7030604@redhat.com> <1452695411.3356.84.camel@redhat.com> <56965FBE.3010501@redhat.com>
Message-ID: <569663F9.8000402@redhat.com>

On 13.01.2016 15:31, Martin Babinsky wrote:
> On 01/13/2016 03:30 PM, Simo Sorce wrote:
>> On Wed, 2016-01-13 at 14:02 +0100, Martin Babinsky wrote:
>>> On 01/05/2016 11:19 PM, Simo Sorce wrote:
>>>> On Tue, 2016-01-05 at 16:15 -0500, Simo Sorce wrote:
>>>>> The LDAP context was not checked on the first api call and a
>>>>> context may
>>>>> be null on some error conditions (LDAP server unreachable).
>>>>>
>>>>> Always check that we have a valid context before calling the ldap
>>>>> API.
>>>>>
>>>>> Builds but it is untested.
>>>>
>>>> Forgot to mention that this bug affects all 4.x versions and should
>>>> probably be backported on all maintained branches.
>>>>
>>>> I opened a bug to track it too:
>>>> https://fedorahosted.org/freeipa/ticket/5577
>>>>
>>>> Simo.
>>>>
>>> ACK. Please include the ticket URL in the commit message.
>>>
>>
>> Could you add it when pushing ?
>>
>> Unless you need some other change in the patch it will be less churn
>> that way.
>>
>> Simo.
>>
>
> Yes we could. I didn't realize that, sorry for the noise.
>

I do not know where to push it, the ticket is still in needs triage, it has not been decided where it should go.

From simo at redhat.com Wed Jan 13 15:03:50 2016
From: simo at redhat.com (Simo Sorce)
Date: Wed, 13 Jan 2016 10:03:50 -0500
Subject: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver
In-Reply-To: <569663F9.8000402@redhat.com>
References: <1452028501.3830.45.camel@redhat.com> <1452032349.3830.46.camel@redhat.com> <56964AD9.7030604@redhat.com> <1452695411.3356.84.camel@redhat.com> <56965FBE.3010501@redhat.com> <569663F9.8000402@redhat.com>
Message-ID: <1452697430.3356.86.camel@redhat.com>

On Wed, 2016-01-13 at 15:49 +0100, Martin Basti wrote:
>
> On 13.01.2016 15:31, Martin Babinsky wrote:
> > On 01/13/2016 03:30 PM, Simo Sorce wrote:
> >> On Wed, 2016-01-13 at 14:02 +0100, Martin Babinsky wrote:
> >>> On 01/05/2016 11:19 PM, Simo Sorce wrote:
> >>>> On Tue, 2016-01-05 at 16:15 -0500, Simo Sorce wrote:
> >>>>> The LDAP context was not checked on the first api call and a
> >>>>> context may
> >>>>> be null on some error conditions (LDAP server unreachable).
> >>>>>
> >>>>> Always check that we have a valid context before calling the ldap
> >>>>> API.
> >>>>>
> >>>>> Builds but it is untested.
> >>>>
> >>>> Forgot to mention that this bug affects all 4.x versions and should
> >>>> probably be backported on all maintained branches.
> >>>>
> >>>> I opened a bug to track it too:
> >>>> https://fedorahosted.org/freeipa/ticket/5577
> >>>>
> >>>> Simo.
> >>>>
> >>> ACK. Please include the ticket URL in the commit message.
> >>>
> >>
> >> Could you add it when pushing ?
> >>
> >> Unless you need some other change in the patch it will be less churn
> >> that way.
> >>
> >> Simo.
> >>
> >
> > Yes we could. I didn't realize that, sorry for the noise.
> >
> I do not know where to push it, ticket is still in needs triage, it has
> not been decided where it should go.

It definitely goes in master. You can push elsewhere as well later.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From mbasti at redhat.com Wed Jan 13 15:13:48 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 13 Jan 2016 16:13:48 +0100
Subject: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver
In-Reply-To: <1452697430.3356.86.camel@redhat.com>
References: <1452028501.3830.45.camel@redhat.com> <1452032349.3830.46.camel@redhat.com> <56964AD9.7030604@redhat.com> <1452695411.3356.84.camel@redhat.com> <56965FBE.3010501@redhat.com> <569663F9.8000402@redhat.com> <1452697430.3356.86.camel@redhat.com>
Message-ID: <569669AC.4060605@redhat.com>

On 13.01.2016 16:03, Simo Sorce wrote:
> On Wed, 2016-01-13 at 15:49 +0100, Martin Basti wrote:
>> On 13.01.2016 15:31, Martin Babinsky wrote:
>>> On 01/13/2016 03:30 PM, Simo Sorce wrote:
>>>> On Wed, 2016-01-13 at 14:02 +0100, Martin Babinsky wrote:
>>>>> On 01/05/2016 11:19 PM, Simo Sorce wrote:
>>>>>> On Tue, 2016-01-05 at 16:15 -0500, Simo Sorce wrote:
>>>>>>> The LDAP context was not checked on the first api call and a
>>>>>>> context may
>>>>>>> be null on some error conditions (LDAP server unreachable).
>>>>>>>
>>>>>>> Always check that we have a valid context before calling the ldap
>>>>>>> API.
>>>>>>>
>>>>>>> Builds but it is untested.
>>>>>> Forgot to mention that this bug affects all 4.x versions and should
>>>>>> probably be backported on all maintained branches.
>>>>>>
>>>>>> I opened a bug to track it too:
>>>>>> https://fedorahosted.org/freeipa/ticket/5577
>>>>>>
>>>>>> Simo.
>>>>>>
>>>>> ACK. Please include the ticket URL in the commit message.
>>>>>
>>>> Could you add it when pushing ?
>>>>
>>>> Unless you need some other change in the patch it will be less churn
>>>> that way.
>>>>
>>>> Simo.
>>>>
>>> Yes we could. I didn't realize that, sorry for the noise.
>>>
>> I do not know where to push it, ticket is still in needs triage, it has
>> not been decided where it should go.
> It definitely goes in master. You can push elsewhere as well later.
>
> Simo.
>

Pushed to master: 2144b1eeb789639b8a3df287b580aeb6196188a8

From mbabinsk at redhat.com Wed Jan 13 16:31:20 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 13 Jan 2016 17:31:20 +0100
Subject: [Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails
In-Reply-To: <56961965.9050309@redhat.com>
References: <568E945F.3030605@redhat.com> <568E949B.1090300@redhat.com> <56961965.9050309@redhat.com>
Message-ID: <56967BD8.1000109@redhat.com>

On 01/13/2016 10:31 AM, Martin Babinsky wrote:
> On 01/07/2016 05:38 PM, Martin Babinsky wrote:
>> On 01/07/2016 05:37 PM, Martin Babinsky wrote:
>>> https://fedorahosted.org/freeipa/ticket/5584
>>>
>> And the patch is here.
>>
> self-NACK, there may be a better way to handle this. I will do some
> investigation and send an updated patch.
>

Attaching updated patch.

--
Martin^3 Babinsky

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0121.1-uninstallation-more-robust-check-for-master-removal-.patch
Type: text/x-patch
Size: 3378 bytes
Desc: not available
URL:

From mbabinsk at redhat.com Wed Jan 13 16:42:31 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 13 Jan 2016 17:42:31 +0100
Subject: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
Message-ID: <56967E77.8000604@redhat.com>

fixes https://fedorahosted.org/freeipa/ticket/5584

In order to ensure consistent behavior with ipa-client-install, I opted to reuse the configure_openldap_conf() function and restore the config from client sysrestore before modifying it.

If you think this approach is not optimal please propose an alternative solution.

--
Martin^3 Babinsky

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0127-reset-ldap.conf-to-point-to-newly-installer-replica-.patch
Type: text/x-patch
Size: 2197 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0126-ipa-client-move-configure_openldap_conf-to-ipapython.patch
Type: text/x-patch
Size: 7697 bytes
Desc: not available
URL:

From mbabinsk at redhat.com Wed Jan 13 16:43:40 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 13 Jan 2016 17:43:40 +0100
Subject: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
In-Reply-To: <56967E77.8000604@redhat.com>
References: <56967E77.8000604@redhat.com>
Message-ID: <56967EBC.6030100@redhat.com>

On 01/13/2016 05:42 PM, Martin Babinsky wrote:
> fixes https://fedorahosted.org/freeipa/ticket/5584
>
> In order to ensure consistent behavior with ipa-client-install, I opted
> to reuse the configure_openldap_conf() function and restoring the config
> from client sysrestore before modifying it.
>
> If you think this approach is not optimal please propose an alternative
> solution.
>

Messed up the mail again, oh well. This is the correct ticket URL:

https://fedorahosted.org/freeipa/ticket/5488

--
Martin^3 Babinsky

From rcritten at redhat.com Wed Jan 13 16:59:24 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Jan 2016 11:59:24 -0500
Subject: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
In-Reply-To: <56967E77.8000604@redhat.com>
References: <56967E77.8000604@redhat.com>
Message-ID: <5696826C.2050300@redhat.com>

Martin Babinsky wrote:
> fixes https://fedorahosted.org/freeipa/ticket/5584
>
> In order to ensure consistent behavior with ipa-client-install, I opted
> to reuse the configure_openldap_conf() function and restoring the config
> from client sysrestore before modifying it.
>
> If you think this approach is not optimal please propose an alternative
> solution.

You could also just do an action set on URI to change the value, right? It would need a new function but it would be very small.

If you do end up keeping this I'd want a new commit message for moving the code to include why you're moving it (to avoid the need to dereference the ticket).

rob

From mbasti at redhat.com Wed Jan 13 17:13:17 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 13 Jan 2016 18:13:17 +0100
Subject: [Freeipa-devel] [TEST] Workaround for ticket N 5559
In-Reply-To: <568F7D75.2010404@redhat.com>
References: <568F7D75.2010404@redhat.com>
Message-ID: <569685AD.6050202@redhat.com>

On 08.01.2016 10:12, Oleg Fayans wrote:
> Passes lint, fixes an issue with replica installation failures due to
> absence of corresponding reverse zone on master.
>

NACK

[ipa.ipatests.test_integration.host.Host.master.ParamikoTransport] RUN ['ipa', 'dnsrecord-add', '129.168.192.in-addr.arpa.', '101', '--ptr-hostname=master.ipa.test.']
[ipa.ipatests.test_integration.host.Host.master.cmd21] RUN ['ipa', 'dnsrecord-add', '129.168.192.in-addr.arpa.', '101', '--ptr-hostname=master.ipa.test.']
[ipa.ipatests.test_integration.host.Host.master.cmd21] ipa: ERROR: DNS is not configured
[ipa.ipatests.test_integration.host.Host.master.cmd21] Exit code: 2

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbasti at redhat.com Wed Jan 13 17:16:28 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 13 Jan 2016 18:16:28 +0100
Subject: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
In-Reply-To: <5696826C.2050300@redhat.com>
References: <56967E77.8000604@redhat.com> <5696826C.2050300@redhat.com>
Message-ID: <5696866C.5060500@redhat.com>

On 13.01.2016 17:59, Rob Crittenden wrote:
> Martin Babinsky wrote:
>> fixes https://fedorahosted.org/freeipa/ticket/5584
>>
>> In order to ensure consistent behavior with ipa-client-install, I opted
>> to reuse the configure_openldap_conf() function and restoring the config
>> from client sysrestore before modifying it.
>>
>> If you think this approach is not optimal please propose an alternative
>> solution.
> You could also just do an action set on URI to change the value, right?
> It would need a new function but it would be very small.
>
> If you do end up keeping this I'd want a new commit message for moving
> the code to include why you're moving it (to avoid the need to dereference
> the ticket).
>
> rob
>

NACK

Traceback (most recent call last):
  File "./makeapi", line 459, in <module>
    sys.exit(main())
  File "./makeapi", line 430, in main
    api.finalize()
  File "/root/freeipa/ipalib/plugable.py", line 658, in finalize
    self.__do_if_not_done('load_plugins')
  File "/root/freeipa/ipalib/plugable.py", line 372, in __do_if_not_done
    getattr(self, name)()
  File "/root/freeipa/ipalib/plugable.py", line 536, in load_plugins
    self.import_plugins(module)
  File "/root/freeipa/ipalib/plugable.py", line 574, in import_plugins
    module = importlib.import_module(name)
  File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/root/freeipa/ipalib/plugins/baseuser.py", line 33, in <module>
    from ipapython.ipautil import ipa_generate_password
  File "/root/freeipa/ipapython/ipautil.py", line 49, in <module>
    from ipaclient.ipachangeconf import IPAChangeConf
ImportError: No module named ipaclient.ipachangeconf
Traceback (most recent call last):
  File "./makeaci", line 35, in <module>
    from ipapython.ipaldap import LDAPClient
  File "/root/freeipa/ipapython/ipaldap.py", line 41, in <module>
    from ipapython.ipautil import (
  File "/root/freeipa/ipapython/ipautil.py", line 49, in <module>
    from ipaclient.ipachangeconf import IPAChangeConf
ImportError: No module named ipaclient.ipachangeconf
Makefile:138: recipe for target 'version-update' failed

From mbasti at redhat.com Wed Jan 13 17:18:43 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 13 Jan 2016 18:18:43 +0100
Subject: [Freeipa-devel] [PATCH 0402] Warn user about possibility to loss CA, KRA, DNSSEC master during uninstall
Message-ID: <569686F3.5020505@redhat.com>

https://fedorahosted.org/freeipa/ticket/5544

Patch attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0402-Warn-about-potential-loss-of-CA-KRA-DNSSEC-during-un.patch
Type: text/x-patch
Size: 1764 bytes
Desc: not available
URL:

From pspacek at redhat.com Thu Jan 14 06:51:58 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 14 Jan 2016 07:51:58 +0100
Subject: [Freeipa-devel] [TEST] Workaround for ticket N 5559
In-Reply-To: <569685AD.6050202@redhat.com>
References: <568F7D75.2010404@redhat.com> <569685AD.6050202@redhat.com>
Message-ID: <5697458E.3010309@redhat.com>

On 13.1.2016 18:13, Martin Basti wrote:
>
> On 08.01.2016 10:12, Oleg Fayans wrote:
>> Passes lint, fixes an issue with replica installation failures due to
>> absence of corresponding reverse zone on master.
>>
> NACK
>
> [ipa.ipatests.test_integration.host.Host.master.ParamikoTransport] RUN ['ipa',
> 'dnsrecord-add', '129.168.192.in-addr.arpa.', '101',
> '--ptr-hostname=master.ipa.test.']
> [ipa.ipatests.test_integration.host.Host.master.cmd21] RUN ['ipa',
> 'dnsrecord-add', '129.168.192.in-addr.arpa.', '101',
> '--ptr-hostname=master.ipa.test.']
> [ipa.ipatests.test_integration.host.Host.master.cmd21] ipa: ERROR: DNS is not
> configured
> [ipa.ipatests.test_integration.host.Host.master.cmd21] Exit code: 2

Also, we did not manage to reproduce the problem described in ticket #5559
with latest master for IPA and bind-dyndb-ldap devel branch, so it might not
be necessary to spend more time on this.

--
Petr^2 Spacek

From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 14 Jan 2016 07:55:03 +0100
Subject: [Freeipa-devel] Should we split up ipa-client?
In-Reply-To: <56963D11.3050600@redhat.com>
References: <56962826.10404@redhat.com> <56963D11.3050600@redhat.com>
Message-ID: <56974647.1010408@redhat.com>

Hi,

On 13.1.2016 13:03, Martin Babinsky wrote:
> On 01/13/2016 11:34 AM, Petr Viktorin wrote:
>> Hello,
>> I'm planning to port the ipa-client to Python 3, and I'm likely to end
>> up shaking out some dusty corners of the codebase, rather than doing the
>> minimal amount of work :)
>> So I'd like to get your opinions before I commit significant time to
>> this.
>>
>> I think it would be beneficial to split ipa-client to better match both
>> how it's put in the RPMs these days, and how the rest of IPA is
>> organized. (And, to stop using autotools to "build" Python libraries...)
>>
>> The resulting structure could look like this:
>>
>> ipaclient/
>> - *.py
>> - setup.py

+1

>> client-tools/
>> - man/*
>> - *.c
>> - *.h
>> - all the automake stuff
>> - current contents of ipa-install (Python scripts that go in /usr/sbin)

I would rather s/client-tools/client/, as this stuff goes into the
freeipa-*client* subpackage.

I'm not sure if this is what you are suggesting or not, but I would like
the man page files to be in the same directory as the corresponding
source code files.

>>
>> Removed:
>> - ipa-client.spec.in (included in freeipa.spec.in)
>> - NEWS (empty)
>> - README (entirely outdated)

+1

>>
>> Does this look like a reasonable direction to explore?
>>
>
> Makes sense to me, this kind of work would be needed during client
> installer refactoring anyway (also, using autotools for python module
> installation hurts my brain a lot).

Honza

--
Jan Cholasta

From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 14 Jan 2016 09:24:22 +0200
Subject: [Freeipa-devel] [PATCH 562-563] Fix ipa-sam to use the getkeytab control instead of the setkeytab control
In-Reply-To: <1449162855.3445.3.camel@redhat.com>
References: <1449162855.3445.3.camel@redhat.com>
Message-ID: <20160114072422.GS4316@redhat.com>

On Thu, 03 Dec 2015, Simo Sorce wrote:
>The first patch is preparatory and is needed in general now that we want
>to allow alias and use krbCanonicalName as the canonical name when
>multiple values are available in krbPrincipalName.
>
>The second patch changes slightly how the interdomain trust account is
>created so that the getkeytab control can generate the proper key (with
>the right salt) for interop reasons with AD. The change should be
>upgrade safe because keys are generated at account creation so older
>accounts lacking the alias won't be a problem.
>
>Fixes ##5495

This patchset seems to have fallen through the cracks -- it was ACKed but not
committed.

--
/ Alexander Bokovoy

From: slaznick at redhat.com (Stanislav Laznicka)
Date: Thu, 14 Jan 2016 09:17:24 +0100
Subject: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs
In-Reply-To: <56964AB1.1010902@redhat.com>
References: <5673F1F9.2030403@redhat.com> <56964AB1.1010902@redhat.com>
Message-ID: <56975994.6040604@redhat.com>

Please see the rebased patches attached.

On 01/13/2016 02:01 PM, Martin Basti wrote:
>
> On 18.12.2015 12:46, Stanislav Laznicka wrote:
>> Hi,
>>
>> Attached are the patches for auto-find and clean of dangling
>> (cs)ruvs. Currently, the cleaning of an RUV waits for all replicas to
>> be online, even on --force. If that were an issue, I can make the
>> command fail before trying to clean any of RUVs. However, the user is
>> shown a replica is offline and is prompted to confirm the cleaning so
>> the possible wait should not be a problem I believe.
>>
>> Standa L.
>>
> Hello,
>
> patches need rebase, I cannot apply them.

A non-text attachment was scrubbed... Name: freeipa-stlaz-0011-Listing-and-cleaning-RUV-extended-for-CA-suffix.patch Type: text/x-patch Size: 4787 bytes
A non-text attachment was scrubbed... Name: freeipa-stlaz-0012-1-Automatically-detect-and-remove-dangling-RUVs.patch Type: text/x-patch Size: 7602 bytes

From: mbasti at redhat.com (Martin Basti)
Date: Thu, 14 Jan 2016 09:54:47 +0100
Subject: [Freeipa-devel] [PATCH 562-563] Fix ipa-sam to use the getkeytab control instead of the setkeytab control
In-Reply-To: <20160114072422.GS4316@redhat.com>
References: <1449162855.3445.3.camel@redhat.com> <20160114072422.GS4316@redhat.com>
Message-ID: <56976257.3040002@redhat.com>

On 14.01.2016 08:24, Alexander Bokovoy wrote:
> On Thu, 03 Dec 2015, Simo Sorce wrote:
>> The first patch is preparatory and is needed in general now that we want
>> to allow alias and use krbCanonicalName as the canonical name when
>> multiple values are available in krbPrincipalName.
>>
>> The second patch changes slightly how the interdomain trust account is
>> created so that the getkeytab control can generate the proper key (with
>> the right salt) for interop reasons with AD. The change should be
>> upgrade safe because keys are generated at account creation so older
>> accounts lacking the alias won't be a problem.
>>
>> Fixes ##5495
> This patchset seems to have fallen through the cracks -- it was ACKed but not
> committed.

IIRC all of Simo's ACKed patches which haven't been pushed depend on Simo's
patch 560, which has no ACK.

If not, then the patches need rebase; they have missing blobs.

From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 14 Jan 2016 11:01:27 +0200
Subject: [Freeipa-devel] [PATCH 562-563] Fix ipa-sam to use the getkeytab control instead of the setkeytab control
In-Reply-To: <56976257.3040002@redhat.com>
References: <1449162855.3445.3.camel@redhat.com> <20160114072422.GS4316@redhat.com> <56976257.3040002@redhat.com>
Message-ID: <20160114090127.GV4316@redhat.com>

On Thu, 14 Jan 2016, Martin Basti wrote:
>
>On 14.01.2016 08:24, Alexander Bokovoy wrote:
>>On Thu, 03 Dec 2015, Simo Sorce wrote:
>>>The first patch is preparatory and is needed in general now that we want
>>>to allow alias and use krbCanonicalName as the canonical name when
>>>multiple values are available in krbPrincipalName.
>>>
>>>The second patch changes slightly how the interdomain trust account is
>>>created so that the getkeytab control can generate the proper key (with
>>>the right salt) for interop reasons with AD. The change should be
>>>upgrade safe because keys are generated at account creation so older
>>>accounts lacking the alias won't be a problem.
>>>
>>>Fixes ##5495
>>This patchset seems to have fallen through the cracks -- it was ACKed but not
>>committed.
>IIRC all of Simo's ACKed patches which haven't been pushed depend on
>Simo's patch 560, which has no ACK.
>
>If not, then the patches need rebase; they have missing blobs.

No, 560 is unrelated.

--
/ Alexander Bokovoy

From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 14 Jan 2016 10:48:37 +0100
Subject: [Freeipa-devel] Should we split up ipa-client?
In-Reply-To: <56974647.1010408@redhat.com>
References: <56962826.10404@redhat.com> <56963D11.3050600@redhat.com> <56974647.1010408@redhat.com>
Message-ID: <56976EF5.8080601@redhat.com>

On 01/14/2016 07:55 AM, Jan Cholasta wrote:
> Hi,
>
> On 13.1.2016 13:03, Martin Babinsky wrote:
>> On 01/13/2016 11:34 AM, Petr Viktorin wrote:
>>> Hello,
>>> I'm planning to port the ipa-client to Python 3, and I'm likely to end
>>> up shaking out some dusty corners of the codebase, rather than doing the
>>> minimal amount of work :)
>>> So I'd like to get your opinions before I commit significant time to
>>> this.

[...]

>>> client-tools/
>>> - man/*
>>> - *.c
>>> - *.h
>>> - all the automake stuff
>>> - current contents of ipa-install (Python scripts that go in /usr/sbin)
>
> I would rather s/client-tools/client/, as this stuff goes into the
> freeipa-*client* subpackage.

OK. It's just that there's no admintools/ or server/ either.

Putting the scripts into install/tools/ (or install/client/) is another
possibility.

> I'm not sure if this is what you are suggesting or not, but I would like
> the man page files to be in the same directory as the corresponding
> source code files.

Do you mean not having the man/ subdirectory?

--
Petr Viktorin

From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 14 Jan 2016 10:58:12 +0100
Subject: [Freeipa-devel] [PATCH 0125] IPA upgrade: move replication ACIs to the mapping tree entry
In-Reply-To: <56960B0D.30500@redhat.com>
References: <56954230.7080005@redhat.com> <5695EC2D.1000302@redhat.com> <56960B0D.30500@redhat.com>
Message-ID: <56977134.1010304@redhat.com>

On 01/13/2016 09:30 AM, Martin Babinsky wrote:
> On 01/13/2016 07:18 AM, Jan Cholasta wrote:
>> On 12.1.2016 19:13, Martin Babinsky wrote:
>>> commit 6ea868e172738bdd6a8fae34e65126cdd134bbbe broke replica install
>>> and management on IPA servers upgraded from pre-4.3 version. The
>>> attached patch fixes this.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5575
>>
>> Any reason to repeat the DN 3 times?
>>
>> Besides that LGTM.
>>
>
> No other reason than not using my brain while copy-pasting ACIs.
>
> Attaching updated patch.
>

Attaching updated patch.

--
Martin^3 Babinsky

A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0125.2-IPA-upgrade-move-replication-ACIs-to-the-mapping-tre.patch Type: text/x-patch Size: 3857 bytes


From: mbasti at redhat.com (Martin Basti)
Date: Thu, 14 Jan 2016 11:02:49 +0100
Subject: [Freeipa-devel] [PATCH 0404] Pylint: enable unpacking-non-sequence check
Message-ID: <56977249.2030204@redhat.com>

Patch attached.

A non-text attachment was scrubbed... Name: freeipa-mbasti-0404-Enable-pylint-unpacking-non-sequence-check.patch Type: text/x-patch Size: 4063 bytes

From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 14 Jan 2016 11:09:32 +0100
Subject: [Freeipa-devel] Should we split up ipa-client?
In-Reply-To: <56976EF5.8080601@redhat.com>
References: <56962826.10404@redhat.com> <56963D11.3050600@redhat.com> <56974647.1010408@redhat.com> <56976EF5.8080601@redhat.com>
Message-ID: <569773DC.80808@redhat.com>

On 14.1.2016 10:48, Petr Viktorin wrote:
> On 01/14/2016 07:55 AM, Jan Cholasta wrote:
>> Hi,
>>
>> On 13.1.2016 13:03, Martin Babinsky wrote:
>>> On 01/13/2016 11:34 AM, Petr Viktorin wrote:
>>>> Hello,
>>>> I'm planning to port the ipa-client to Python 3, and I'm likely to end
>>>> up shaking out some dusty corners of the codebase, rather than doing the
>>>> minimal amount of work :)
>>>> So I'd like to get your opinions before I commit significant time to
>>>> this.
>
> [...]
>>>> client-tools/
>>>> - man/*
>>>> - *.c
>>>> - *.h
>>>> - all the automake stuff
>>>> - current contents of ipa-install (Python scripts that go in /usr/sbin)
>>
>> I would rather s/client-tools/client/, as this stuff goes into the
>> freeipa-*client* subpackage.
>
> OK. It's just that there's no admintools/ or server/ either.
>
> Putting the scripts into install/tools/ (or install/client/) is another
> possibility.

Right. I guess we have to decide whether we want a directory layout
based on the component/subpackage or not. install/tools/ works for me
equally well.

>
>> I'm not sure if this is what you are suggesting or not, but I would like
>> the man page files to be in the same directory as the corresponding
>> source code files.
>
> Do you mean not having the man/ subdirectory?

Yes. (I don't insist though.)

--
Jan Cholasta

From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 14 Jan 2016 11:22:59 +0100
Subject: [Freeipa-devel] [PATCH 0404] Pylint: enable unpacking-non-sequence check
In-Reply-To: <56977249.2030204@redhat.com>
References: <56977249.2030204@redhat.com>
Message-ID: <56977703.4030907@redhat.com>

On 01/14/2016 11:02 AM, Martin Basti wrote:
> Patch attached.
>

ACK.

--
Martin^3 Babinsky


From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 14 Jan 2016 11:23:34 +0100
Subject: [Freeipa-devel] [PATCH 0401] Pylint enable unbalanced tuple unpacking check
In-Reply-To: <5694ED0C.9050705@redhat.com>
References: <5694ED0C.9050705@redhat.com>
Message-ID: <56977726.6000202@redhat.com>

On 01/12/2016 01:09 PM, Martin Basti wrote:
> Patch attached.
>

ACK.

--
Martin^3 Babinsky


From: mbasti at redhat.com (Martin Basti)
Date: Thu, 14 Jan 2016 13:15:06 +0100
Subject: [Freeipa-devel] [PATCH 0404] Pylint: enable unpacking-non-sequence check
In-Reply-To: <56977703.4030907@redhat.com>
References: <56977249.2030204@redhat.com> <56977703.4030907@redhat.com>
Message-ID: <5697914A.6090309@redhat.com>

On 14.01.2016 11:22, Martin Babinsky wrote:
> On 01/14/2016 11:02 AM, Martin Basti wrote:
>> Patch attached.
>>
> ACK.
>

Pushed to master: 267bad10a81f101db8b645abf01b2cdd62c91775


From: mbasti at redhat.com (Martin Basti)
Date: Thu, 14 Jan 2016 13:15:48 +0100
Subject: [Freeipa-devel] [PATCH 0401] Pylint enable unbalanced tuple unpacking check
In-Reply-To: <56977726.6000202@redhat.com>
References: <5694ED0C.9050705@redhat.com> <56977726.6000202@redhat.com>
Message-ID: <56979174.4050203@redhat.com>

On 14.01.2016 11:23, Martin Babinsky wrote:
> On 01/12/2016 01:09 PM, Martin Basti wrote:
>> Patch attached.
>>
> ACK.
>

Pushed to master: 2320be18a34628fa6d05ffc42e695da5dd6dab6e

From: mbasti at redhat.com (Martin Basti)
Date: Thu, 14 Jan 2016 13:23:05 +0100
Subject: [Freeipa-devel] [PATCH 0403][test] CI: fix regression in task.install_kra
Message-ID: <56979329.2020303@redhat.com>

Regression caused by commit c4b9b295d8184694c50c0d56051e0273445c98ec

Patch attached.

One-liner rule applied.

Pushed to:
master: 26899c91afd36b39908a3a73363aff1787c9dc07
ipa-4-3: f3c1856d566cdcce0d411bc59efc63ddd42e5d07

A non-text attachment was scrubbed... Name: freeipa-mbasti-0403-CI-test-fix-regression-in-task.install_kra.patch Type: text/x-patch Size: 1172 bytes


From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 14 Jan 2016 14:10:58 +0100
Subject: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
In-Reply-To: <5696826C.2050300@redhat.com>
References: <56967E77.8000604@redhat.com> <5696826C.2050300@redhat.com>
Message-ID: <56979E62.3020004@redhat.com>

On 01/13/2016 05:59 PM, Rob Crittenden wrote:
> Martin Babinsky wrote:
>> fixes https://fedorahosted.org/freeipa/ticket/5584
>>
>> In order to ensure consistent behavior with ipa-client-install, I opted
>> to reuse the configure_openldap_conf() function and restore the config
>> from client sysrestore before modifying it.
>>
>> If you think this approach is not optimal please propose an alternative
>> solution.
>
> You could also just do an action set on URI to change the value, right?
> It would need a new function but it would be very small.
>
> If you do end up keeping this I'd want a new commit message for moving
> the code to include why you're moving it (to avoid the need to dereference
> the ticket).
>
> rob
>

In hindsight, my approach is probably overkill for this case. I will rework
the patches to only set the URI directive after promotion.

--
Martin^3 Babinsky

From: dkupka at redhat.com (David Kupka)
Date: Thu, 14 Jan 2016 14:18:27 +0100
Subject: [Freeipa-devel] [PATCH 0402] Warn user about possibility to loss CA, KRA, DNSSEC master during uninstall
In-Reply-To: <569686F3.5020505@redhat.com>
References: <569686F3.5020505@redhat.com>
Message-ID: <5697A023.5060306@redhat.com>

On 13/01/16 18:18, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5544
>
> Patch attached.
>

Thanks for the patch, works for me, ACK.

--
David Kupka


From: mbasti at redhat.com (Martin Basti)
Date: Thu, 14 Jan 2016 14:35:17 +0100
Subject: [Freeipa-devel] [PATCH 0402] Warn user about possibility to loss CA, KRA, DNSSEC master during uninstall
In-Reply-To: <5697A023.5060306@redhat.com>
References: <569686F3.5020505@redhat.com> <5697A023.5060306@redhat.com>
Message-ID: <5697A415.1030309@redhat.com>

On 14.01.2016 14:18, David Kupka wrote:
> On 13/01/16 18:18, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/5544
>>
>> Patch attached.
>>
>
> Thanks for the patch, works for me, ACK.
>

Pushed to:
master: 58c42ddac0964a8cce7c1e1faa7516da53f028ad
ipa-4-3: 56d921f359a667fc3c5b33ccf6b3767da06f64ab


From: ofayans at redhat.com (Oleg Fayans)
Date: Thu, 14 Jan 2016 15:05:17 +0100
Subject: [Freeipa-devel] [TEST][PATCH 0019] A proper fix for reverse-zone creation in integration tests
Message-ID: <5697AB1D.4040804@redhat.com>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

A non-text attachment was scrubbed... Name: freeipa-ofayans-0019.1-A-proper-workaround-for-ticket-5559.patch Type: text/x-patch Size: 1593 bytes

From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 14 Jan 2016 09:21:58 -0500
Subject: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs
In-Reply-To: <56975994.6040604@redhat.com>
References: <5673F1F9.2030403@redhat.com> <56964AB1.1010902@redhat.com> <56975994.6040604@redhat.com>
Message-ID: <5697AF06.3070805@redhat.com>

Stanislav Laznicka wrote:
> Please see the rebased patches attached.
>
> On 01/13/2016 02:01 PM, Martin Basti wrote:
>>
>> On 18.12.2015 12:46, Stanislav Laznicka wrote:
>>> Hi,
>>>
>>> Attached are the patches for auto-find and clean of dangling
>>> (cs)ruvs. Currently, the cleaning of an RUV waits for all replicas to
>>> be online, even on --force. If that were an issue, I can make the
>>> command fail before trying to clean any of RUVs. However, the user is
>>> shown a replica is offline and is prompted to confirm the cleaning so
>>> the possible wait should not be a problem I believe.
>>>
>>> Standa L.
>>>
>> Hello,
>>
>> patches need rebase, I cannot apply them.

Will this confuse people? Currently, for good or bad, there are two
commands for managing the two different topologies. This mixes some CA
work into ipa-replica-manage.

rob

From: slaznick at redhat.com (Stanislav Laznicka)
Date: Thu, 14 Jan 2016 15:59:25 +0100
Subject: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs
In-Reply-To: <5697AF06.3070805@redhat.com>
References: <5673F1F9.2030403@redhat.com> <56964AB1.1010902@redhat.com> <56975994.6040604@redhat.com> <5697AF06.3070805@redhat.com>
Message-ID: <5697B7CD.6050607@redhat.com>

On 01/14/2016 03:21 PM, Rob Crittenden wrote:
> Stanislav Laznicka wrote:
>> Please see the rebased patches attached.
>>
>> On 01/13/2016 02:01 PM, Martin Basti wrote:
>>>
>>> On 18.12.2015 12:46, Stanislav Laznicka wrote:
>>>> Hi,
>>>>
>>>> Attached are the patches for auto-find and clean of dangling
>>>> (cs)ruvs. Currently, the cleaning of an RUV waits for all replicas to
>>>> be online, even on --force. If that were an issue, I can make the
>>>> command fail before trying to clean any of RUVs. However, the user is
>>>> shown a replica is offline and is prompted to confirm the cleaning so
>>>> the possible wait should not be a problem I believe.
>>>>
>>>> Standa L.
>>>>
>>> Hello,
>>>
>>> patches need rebase, I cannot apply them.
> Will this confuse people? Currently, for good or bad, there are two
> commands for managing the two different topologies. This mixes some CA
> work into ipa-replica-manage.
>
> rob
>

Well, in the patch, I was just following the discussion at
https://fedorahosted.org/freeipa/ticket/5411. Ludwig mentions that
ipa-csreplica-manage should go deprecated and does not want to enhance
it. Also, the only thing the code does is removing trash from the DS,
so it makes sense to me to do it in just one command, and the users
might expect that, too.

I guess it would be possible to add an option that would select which
of the subtrees should be cleaned of RUVs. It should stay as one
command nonetheless. Adding such an option for this command would then
probably mean all the commands should have it, as it would make more
sense, though.

Let me add Petr and Ludwig to CC: as they both had inputs on keeping
the command in just ipa-replica-manage.

From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 14 Jan 2016 16:16:10 +0100
Subject: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs
In-Reply-To: <5697B7CD.6050607@redhat.com>
References: <5673F1F9.2030403@redhat.com> <56964AB1.1010902@redhat.com> <56975994.6040604@redhat.com> <5697AF06.3070805@redhat.com> <5697B7CD.6050607@redhat.com>
Message-ID: <5697BBBA.60503@redhat.com>

On 01/14/2016 03:59 PM, Stanislav Laznicka wrote:
> On 01/14/2016 03:21 PM, Rob Crittenden wrote:
>> Stanislav Laznicka wrote:
>>> Please see the rebased patches attached.
>>>
>>> On 01/13/2016 02:01 PM, Martin Basti wrote:
>>>>
>>>> On 18.12.2015 12:46, Stanislav Laznicka wrote:
>>>>> Hi,
>>>>>
>>>>> Attached are the patches for auto-find and clean of dangling
>>>>> (cs)ruvs. Currently, the cleaning of an RUV waits for all replicas to
>>>>> be online, even on --force. If that were an issue, I can make the
>>>>> command fail before trying to clean any of RUVs. However, the user is
>>>>> shown a replica is offline and is prompted to confirm the cleaning so
>>>>> the possible wait should not be a problem I believe.
>>>>>
>>>>> Standa L.
>>>>>
>>>> Hello,
>>>>
>>>> patches need rebase, I cannot apply them.
>> Will this confuse people? Currently, for good or bad, there are two
>> commands for managing the two different topologies. This mixes some CA
>> work into ipa-replica-manage.
>>
>> rob
>>
> Well, in the patch, I was just following the discussion at
> https://fedorahosted.org/freeipa/ticket/5411. Ludwig mentions that
> ipa-csreplica-manage should go deprecated and does not want to enhance
> it. Also, the only thing the code does is removing trash from the DS,
> so it makes sense to me to do it in just one command, and the users
> might expect that, too.
>
> I guess it would be possible to add an option that would select which
> of the subtrees should be cleaned of RUVs. It should stay as one
> command nonetheless. Adding such an option for this command would then
> probably mean all the commands should have it, as it would make more
> sense, though.
>
> Let me add Petr and Ludwig to CC: as they both had inputs on keeping
> the command in just ipa-replica-manage.

Yes, that was the idea: keep ipa-csreplica-manage (which does not have
clean-ruv, ...) for domain-level 0, but not add new features. Also,
"ipa-replica-manage del" now triggers the RUV cleaning of ipaca.

From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 14 Jan 2016 16:59:31 +0100
Subject: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs
In-Reply-To: <5697BBBA.60503@redhat.com>
References: <5673F1F9.2030403@redhat.com> <56964AB1.1010902@redhat.com> <56975994.6040604@redhat.com> <5697AF06.3070805@redhat.com> <5697B7CD.6050607@redhat.com> <5697BBBA.60503@redhat.com>
Message-ID: <5697C5E3.2010307@redhat.com>

On 01/14/2016 04:16 PM, Ludwig Krispenz wrote:
>
> On 01/14/2016 03:59 PM, Stanislav Laznicka wrote:
>> On 01/14/2016 03:21 PM, Rob Crittenden wrote:
>>> Stanislav Laznicka wrote:
>>>> Please see the rebased patches attached.
>>>>
>>>> On 01/13/2016 02:01 PM, Martin Basti wrote:
>>>>>
>>>>> On 18.12.2015 12:46, Stanislav Laznicka wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Attached are the patches for auto-find and clean of dangling
>>>>>> (cs)ruvs. Currently, the cleaning of an RUV waits for all replicas to
>>>>>> be online, even on --force. If that were an issue, I can make the
>>>>>> command fail before trying to clean any of RUVs. However, the user is
>>>>>> shown a replica is offline and is prompted to confirm the cleaning so
>>>>>> the possible wait should not be a problem I believe.
>>>>>>
>>>>>> Standa L.
>>>>>>
>>>>> Hello,
>>>>>
>>>>> patches need rebase, I cannot apply them.
>>> Will this confuse people? Currently, for good or bad, there are two
>>> commands for managing the two different topologies. This mixes some CA
>>> work into ipa-replica-manage.
>>>
>>> rob
>>>
>> Well, in the patch, I was just following the discussion at
>> https://fedorahosted.org/freeipa/ticket/5411. Ludwig mentions that
>> ipa-csreplica-manage should go deprecated and does not want to enhance
>> it. Also, the only thing the code does is removing trash from the DS,
>> so it makes sense to me to do it in just one command, and the users
>> might expect that, too.
>>
>> I guess it would be possible to add an option that would select which
>> of the subtrees should be cleaned of RUVs. It should stay as one
>> command nonetheless. Adding such an option for this command would then
>> probably mean all the commands should have it, as it would make more
>> sense, though.
>>
>> Let me add Petr and Ludwig to CC: as they both had inputs on keeping
>> the command in just ipa-replica-manage.
> Yes, that was the idea: keep ipa-csreplica-manage (which does not have
> clean-ruv, ...) for domain-level 0, but not add new features. Also,
> "ipa-replica-manage del" now triggers the RUV cleaning of ipaca.
>

Yes, ipa-csreplica-manage should be deprecated. I think that one of the
reasons why dangling CA RUVs are not uncommon is that users forget about
the `ipa-csreplica-manage del` command when removing a replica.

The new `ipa-replica-manage del` also removes replication agreements and
therefore cleans RUVs of the CA suffix (on domain level 1). In this
context it is not inconsistent.

Btw, one of the good examples of why this command will be helpful is the
following bz, especially a sentence in:
https://bugzilla.redhat.com/show_bug.cgi?id=1295971#c5
"""
I had some mistakes to clean some valid RUV, for example, 52 for eupre1
"""

We should think about list-clean-ruv and abort-clean-ruv commands. There
is no counterpart for the CA suffix now. Could be in a different patch.

With the clean-dangling-ruvs command it would be good to deprecate the
clean-ruv command of ipa-replica-manage - should be a different patch.

I'm not sure if it should abort if some replica is down. Maybe yes, until
https://fedorahosted.org/freeipa/ticket/5396 is fixed.

The patch set is missing an update of the man page.

--
Petr Vobornik

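Worked example added by the editor; it is not code from this thread or from FreeIPA's ipa-replica-manage. It shows the decision the thread is about: given the nsds50ruv values of both suffixes (the domain suffix and o=ipaca, since the one-command approach above covers both) and the replica IDs still claimed by masters in the topology, select only the IDs no live replica owns, and refuse to start cleaning while a replica is offline unless the caller forces it. The RUV values, host names and replica IDs are constructed sample data; the CSN strings are placeholders and are never parsed.

```python
import re

# Constructed sample nsds50ruv values for two suffixes (not from a real deployment).
# 389 DS stores one value per replica as "{replica <rid> <url>} <minCSN> <maxCSN>";
# the first element carries the replica generation and has no replica ID.
SAMPLE_RUVS = {
    "dc=ipa,dc=test": [
        "{replicageneration} 5697c5e3000000010000",
        "{replica 4 ldap://master.ipa.test:389} 5697c5e3000000040000 5697d18f000000040000",
        "{replica 5 ldap://replica1.ipa.test:389} 5697c5e3000000050000 5697d18f000000050000",
        "{replica 7 ldap://gone.ipa.test:389} 5697c5e3000000070000 5697c5e3000100070000",
    ],
    "o=ipaca": [
        "{replicageneration} 5697c5e3000000010000",
        "{replica 96 ldap://master.ipa.test:389} 5697c5e3000000600000 5697d18f000000600000",
        "{replica 97 ldap://replica1.ipa.test:389} 5697c5e3000000610000 5697d18f000000610000",
        "{replica 98 ldap://gone.ipa.test:389} 5697c5e3000000620000 5697c5e3000100620000",
    ],
}

# Replica IDs claimed by the masters still in the topology (constructed); one
# set per suffix because the CA suffix uses its own IDs.
LIVE_RIDS = {"dc=ipa,dc=test": {4, 5}, "o=ipaca": {96, 97}}

RUV_RE = re.compile(r"^\{replica (\d+) (ldaps?://[^}\s]+)\}")


def parse_ruv(values):
    """Map replica ID -> URL for every replica element of an nsds50ruv attribute."""
    rids = {}
    for value in values:
        m = RUV_RE.match(value)
        if m:  # the {replicageneration} element does not match and is skipped
            rids[int(m.group(1))] = m.group(2)
    return rids


def find_dangling(values, live_rids):
    """Replica IDs recorded in the RUV that no existing replica claims."""
    return {rid: url for rid, url in parse_ruv(values).items()
            if rid not in live_rids}


def plan_cleanup(ruvs, live_rids, offline_hosts, force=False):
    """Decide which RUVs to clean across all suffixes in one go.

    Returns (dangling_by_suffix, abort_reason). The clean-ruv task waits for
    every replica to be online, so by default an offline replica aborts the
    whole plan instead of leaving a task hanging.
    """
    if offline_hosts and not force:
        return {}, "offline replicas: %s" % ", ".join(sorted(offline_hosts))
    plan = {}
    for suffix, values in ruvs.items():
        dangling = find_dangling(values, live_rids.get(suffix, set()))
        if dangling:
            plan[suffix] = dangling
    return plan, None


if __name__ == "__main__":
    plan, reason = plan_cleanup(SAMPLE_RUVS, LIVE_RIDS, offline_hosts=set())
    for suffix in sorted(plan):
        for rid, url in sorted(plan[suffix].items()):
            print("%s: replica %d (%s) is dangling" % (suffix, rid, url))
```

Only IDs absent from the live set are selected, which is what keeps a valid RUV (the "52 for eupre1" mistake quoted above) out of the plan; a wrong LIVE_RIDS is therefore the thing to double-check before running a real task.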
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 14 Jan 2016 17:29:56 +0100
Subject: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
In-Reply-To: <5696826C.2050300@redhat.com>
References: <56967E77.8000604@redhat.com> <5696826C.2050300@redhat.com>
Message-ID: <5697CD04.3010709@redhat.com>

On 01/13/2016 05:59 PM, Rob Crittenden wrote:
> Martin Babinsky wrote:
>> fixes https://fedorahosted.org/freeipa/ticket/5584
>>
>> In order to ensure consistent behavior with ipa-client-install, I opted
>> to reuse the configure_openldap_conf() function and restore the config
>> from client sysrestore before modifying it.
>>
>> If you think this approach is not optimal please propose an alternative
>> solution.
>
> You could also just do an action set on URI to change the value, right?
> It would need a new function but it would be very small.
>
> If you do end up keeping this I'd want a new commit message for moving
> the code to include why you're moving it (to avoid the need to dereference
> the ticket).
>
> rob
>

Here's the patch that implements the change in the URI directive.

Please keep in mind that we not only have to change the URI to point to
ourselves, we also have to do it in a way consistent with
ipa-client-install, i.e. leave a comment with the new URI if it was
already set by a third party. A plain 'addifnotset' directive will not do,
however, because then we end up with two comments, one original, and one
pointing to ourselves. A plain 'set' may rewrite the URI set by the user
and thus we would have to test its value anyway.

The correct handling of these cases coupled with the way IPAChangeConf is
written results in the solution presented here.

The fact that it is not much shorter than configure_openldap_conf and is
additionally pretty ugly (a fact at least partially caused by me not being
very fluent in IPAChangeConf usage) led me to the conclusion that
restoring the original ldap.conf and reusing already written code for
re-editing it anew with the replica as URI is actually not that bad an
idea.

--
Martin^3 Babinsky

A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0127.1-reset-ldap.conf-to-point-to-newly-installer-replica-.patch Type: text/x-patch Size: 2876 bytes

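Worked example added by the editor to show the three cases Martin lists above as one self-contained function; it is not the attached patch, not IPAChangeConf, and not any FreeIPA code. It treats the URI that the previous IPA run wrote (old_uri) as the marker for what IPA owns: an active URI equal to old_uri is rewritten in place, a foreign URI is left alone and exactly one "#URI <new>" comment is kept below it (replacing the one ipa-client-install left rather than adding a second), and a file with no URI gets one appended. The sample ldap.conf contents and host names are constructed.

```python
import re

# Matches an active "URI ..." directive or a commented-out one ("#URI ...").
# OpenLDAP reads ldap.conf keywords case-insensitively, hence IGNORECASE.
URI_RE = re.compile(r"^(?P<comment>#\s*)?URI\s+(?P<value>\S.*?)\s*$", re.IGNORECASE)


def set_ipa_uri(text, old_uri, new_uri):
    """Point ldap.conf at new_uri while keeping a third-party URI intact.

    old_uri is the value the previous IPA run wrote, either as the active
    directive or as a "#URI old_uri" comment. Exactly one IPA-written line
    results:
      - no URI at all         -> append "URI new_uri"
      - active URI == old_uri -> IPA owns it, rewrite it in place
      - active URI is foreign -> leave it; replace or insert a single
                                 "#URI new_uri" comment right below it
    Running the function again with old_uri == new_uri changes nothing.
    """
    lines = text.splitlines()
    active = None       # index of the first uncommented URI line
    ipa_comment = None  # index of the "#URI old_uri" comment from the last run
    for i, line in enumerate(lines):
        m = URI_RE.match(line)
        if m is None:
            continue
        if m.group("comment") is None:
            if active is None:
                active = i
        elif m.group("value") == old_uri and ipa_comment is None:
            ipa_comment = i

    if active is None:
        lines.append("URI " + new_uri)
    elif URI_RE.match(lines[active]).group("value") == old_uri:
        lines[active] = "URI " + new_uri
    elif ipa_comment is not None:
        lines[ipa_comment] = "#URI " + new_uri
    else:
        lines.insert(active + 1, "#URI " + new_uri)
    return "\n".join(lines) + "\n"


# Constructed sample files (not real FreeIPA-managed configs).
IPA_OWNED = (
    "BASE dc=ipa,dc=test\n"
    "URI ldaps://master.ipa.test\n"
    "TLS_CACERT /etc/ipa/ca.crt\n"
)
THIRD_PARTY = (
    "URI ldap://corp-ldap.example.com\n"
    "#URI ldaps://master.ipa.test\n"
    "BASE dc=ipa,dc=test\n"
)

if __name__ == "__main__":
    print(set_ipa_uri(IPA_OWNED, "ldaps://master.ipa.test", "ldaps://replica1.ipa.test"))
    print(set_ipa_uri(THIRD_PARTY, "ldaps://master.ipa.test", "ldaps://replica1.ipa.test"))
```

The only state the function needs from the previous run is old_uri, which is what a sysrestore backup or the installer's own record can supply; without it there is no way to tell an IPA-written URI from a user's, which is the reason a plain 'set' is unsafe.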
From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 14 Jan 2016 17:49:19 +0100
Subject: [Freeipa-devel] [PATCH] 0760 - Split ipa-client/ into ipaclient/ and client/
In-Reply-To: <569773DC.80808@redhat.com>
References: <56962826.10404@redhat.com> <56963D11.3050600@redhat.com> <56974647.1010408@redhat.com> <56976EF5.8080601@redhat.com> <569773DC.80808@redhat.com>
Message-ID: <5697D18F.8010105@redhat.com>

On 01/14/2016 11:09 AM, Jan Cholasta wrote:
> On 14.1.2016 10:48, Petr Viktorin wrote:
>> On 01/14/2016 07:55 AM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 13.1.2016 13:03, Martin Babinsky wrote:
>>>> On 01/13/2016 11:34 AM, Petr Viktorin wrote:
>>>>> Hello,
>>>>> I'm planning to port the ipa-client to Python 3, and I'm likely to end
>>>>> up shaking out some dusty corners of the codebase, rather than
>>>>> doing the
>>>>> minimal amount of work :)
>>>>> So I'd like to get your opinions before I commit significant time to
>>>>> this.

Here's a patch for review.
(I'm sending the full diff for applying; the result is nicer to look at
with `git show -C`)

>> [...]
>>>>> client-tools/
>>>>> - man/*
>>>>> - *.c
>>>>> - *.h
>>>>> - all the automake stuff
>>>>> - current contents of ipa-install (Python scripts that go in
>>>>> /usr/sbin)
>>>
>>> I would rather s/client-tools/client/, as this stuff goes into the
>>> freeipa-*client* subpackage.
>>
>> OK. It's just that there's no admintools/ or server/ either.
>>
>> Putting the scripts into install/tools/ (or install/client/) is another
>> possibility.
>
> Right. I guess we have to decide whether we want a directory layout
> based on the component/subpackage or not. install/tools/ works for me
> equally well.

I put the scripts in client/. IPA supports building just the client
bits, and that's easier if the server and client scripts are separate.

>>> I'm not sure if this is what you are suggesting or not, but I would like
>>> the man page files to be in the same directory as the corresponding
>>> source code files.
>>
>> Do you mean not having the man/ subdirectory?
>
> Yes. (I don't insist though.)

Even if you did insist, I think it would be better to ditch
install/tools/man/ and ipatests/man/ at the same time as client/man/, so
I'm leaving this for a potential future patch.

--
Petr Viktorin

A non-text attachment was scrubbed... Name: freeipa-pviktori-0760-Split-ipa-client-into-ipaclient-Python-library-and-c.patch Type: text/x-patch Size: 714244 bytes


From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 14 Jan 2016 18:29:33 +0100
Subject: [Freeipa-devel] [PATCHES] 0752-0757, 0759 Enable pylint --py3k
In-Reply-To: <5695114B.3070807@redhat.com>
References: <568D2494.9080602@redhat.com> <568FA169.4030900@redhat.com> <5693B2F8.1060905@redhat.com> <56950653.8060406@redhat.com> <5695114B.3070807@redhat.com>
Message-ID: <5697DAFD.50603@redhat.com>

On 01/12/2016 03:44 PM, Petr Viktorin wrote:
>
>>> Hello, I tried the --py3k option and it doesn't print any error; can we
>>> enable that check by default to prevent python3 regressions?
>>>
>>> # ./make-lint --py3k
>>> No config file found, using default configuration
>>
>> Squash in the other attached patch to enable it by default.
>
> Sorry, please ignore the squash patch -- if --py3k is to be on by
> default, I'll also need to add all needed packages to BuildRequires.

Actually, after all, that's not true -- the py3 libraries aren't needed
for pylint --py3k.

So, the patches are ready for review as they are (with your choice of
what the default should be).

--
Petr Viktorin

From: simo at redhat.com (Simo Sorce) Date: Thu, 14 Jan 2016 16:31:36 -0500 Subject: [Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails In-Reply-To: <56967BD8.1000109@redhat.com> References: <568E945F.3030605@redhat.com> <568E949B.1090300@redhat.com> <56961965.9050309@redhat.com> <56967BD8.1000109@redhat.com> Message-ID: <1452807096.3356.182.camel@redhat.com> On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote: > On 01/13/2016 10:31 AM, Martin Babinsky wrote: > > On 01/07/2016 05:38 PM, Martin Babinsky wrote: > >> On 01/07/2016 05:37 PM, Martin Babinsky wrote: > >>> https://fedorahosted.org/freeipa/ticket/5584 > >>> > >> And the patch is here. > >> > >> > >> > > self-NACK, there may be a better way to handle this. I will do some > > investigation and send updated patch. > > > Attaching updated patch. A failure to obtain a tgt may be due to other reasons (for example the KDC crashed), why are you trying to use this test ? Isn't it sufficient to see there is no host entry in the directory ? Simo. -- Simo Sorce * Red Hat, Inc * New York From mbasti at redhat.com Fri Jan 15 09:10:25 2016 From: mbasti at redhat.com (Martin Basti) Date: Fri, 15 Jan 2016 10:10:25 +0100 Subject: [Freeipa-devel] [PATCH 0405] Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter Message-ID: <5698B781.50209@redhat.com> https://fedorahosted.org/freeipa/ticket/5262 Patch attached, detailed description in the commit message. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0405-Fix-uninstall-does-not-stop-named-pkcs11-and-ipa-ods.patch Type: text/x-patch Size: 1668 bytes Desc: not available URL: From mbabinsk at redhat.com Fri Jan 15 12:35:31 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 15 Jan 2016 13:35:31 +0100 Subject: [Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails In-Reply-To: <1452807096.3356.182.camel@redhat.com> References: <568E945F.3030605@redhat.com> <568E949B.1090300@redhat.com> <56961965.9050309@redhat.com> <56967BD8.1000109@redhat.com> <1452807096.3356.182.camel@redhat.com> Message-ID: <5698E793.9090400@redhat.com> On 01/14/2016 10:31 PM, Simo Sorce wrote: > On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote: >> On 01/13/2016 10:31 AM, Martin Babinsky wrote: >>> On 01/07/2016 05:38 PM, Martin Babinsky wrote: >>>> On 01/07/2016 05:37 PM, Martin Babinsky wrote: >>>>> https://fedorahosted.org/freeipa/ticket/5584 >>>>> >>>> And the patch is here. >>>> >>>> >>>> >>> self-NACK, there may be a better way to handle this. I will do some >>> investigation and send updated patch. >>> >> Attaching updated patch. > > A failure to obtain a tgt may be due to other reasons (for example the > KDC crashed), why are you trying to use this test ? > Isn't it sufficient to see there is no host entry in the directory ? > > Simo. >

There were some corner cases I encountered, mostly concerning a cleanup after unsuccessful replica promotion. You may sometimes end up in a state where local DS is working, but KDC crashed and the krb5.conf is still pointing at a remote one. In that case the "malformed" replica's local host entry exists, but when such host tries to get TGT, the AS-REQ goes to remote KDC from other master. However, if the admin had in the meantime cleaned up this host's kerberos principals/keys, the crashed replica gets one of the following errors:

Client not found in Kerberos database
Client credentials have been revoked
Generic preauthentication failure

These were printed out as errors during uninstall, but were actually expected in a situation like this. It is true that the code should check and ignore these specific errors. 
-- Martin^3 Babinsky From tbabej at redhat.com Fri Jan 15 12:43:35 2016 From: tbabej at redhat.com (Tomas Babej) Date: Fri, 15 Jan 2016 13:43:35 +0100 Subject: [Freeipa-devel] [PATCH 536] ipapython: remove default_encoding_utf8 In-Reply-To: <5694C649.8060503@redhat.com> References: <568B76A0.7010009@redhat.com> <568B9B3D.3030709@redhat.com> <568CFB88.7020007@redhat.com> <5694C649.8060503@redhat.com> Message-ID: <5698E977.1070308@redhat.com> On 01/12/2016 10:24 AM, Jan Cholasta wrote: > On 6.1.2016 12:33, Christian Heimes wrote: >> On 2016-01-05 11:30, Tomas Babej wrote: >>> >>> >>> On 01/05/2016 08:54 AM, Jan Cholasta wrote: >>>> Hi, >>>> >>>> the attached patch replaces the default_encoding_utf8 binary module >>>> with >>>> 2 lines of equivalent Python code. >>>> >>>> Honza >>>> >>>> >>>> >>> >>> This looks fine to me, however, I wonder, why this approach was ever >>> taken? The sys.setdefaultencoding is available in all versions of Python >>> ever supported by FreeIPA. >>> >>> Is it possible we're missing something here? Or was this option simply >>> overlooked? >> >> sys.setdefaultencoding() is not available unless you use a hack and >> reload the sys module. The function is hidden for a very good reason. It >> can and will break internal assumption as well as libraries in bad, hard >> to detect ways. For example it wreaks havoc on hashing for dicts and >> sets. >> >> The blog posting >> https://anonbadger.wordpress.com/2015/06/16/why-sys-setdefaultencoding-will-break-code/ >> >> explains the problem in much greater detail. > > Tomáši, does this answer your question? > Not really, I was more curious as to why the current, more complex solution using the C extension was ever preferred over pure python version. > Updated patch attached. Patch works fine, ACK. Pushed to master: 7e56b4bbd79d9d42af23babc7496dd15d85d28ea Tomas From tbabej at redhat.com Fri Jan 15 12:44:54 2016 
From: tbabej at redhat.com (Tomas Babej) Date: Fri, 15 Jan 2016 13:44:54 +0100 Subject: [Freeipa-devel] [PATCH 0397] ipapython: Use custom datetime to LDAP generalized time Message-ID: <5698E9C6.2080105@redhat.com> Hi, For the dates older than 1900, Python is unable to convert the datetime representation to string using strftime: https://bugs.python.org/issue1777412 Work around the issue adding a custom method to convert the datetime objects to LDAP generalized time strings. https://fedorahosted.org/freeipa/ticket/5579 Tomas -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0397-ipapython-Use-custom-datetime-to-LDAP-generalized-ti.patch Type: text/x-patch Size: 7492 bytes Desc: not available URL: From slaznick at redhat.com Fri Jan 15 12:47:45 2016 
From: slaznick at redhat.com (Stanislav Laznicka) Date: Fri, 15 Jan 2016 13:47:45 +0100 Subject: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs In-Reply-To: <5697C5E3.2010307@redhat.com> References: <5673F1F9.2030403@redhat.com> <56964AB1.1010902@redhat.com> <56975994.6040604@redhat.com> <5697AF06.3070805@redhat.com> <5697B7CD.6050607@redhat.com> <5697BBBA.60503@redhat.com> <5697C5E3.2010307@redhat.com> Message-ID: <5698EA71.2040105@redhat.com> On 01/14/2016 04:59 PM, Petr Vobornik wrote: > On 01/14/2016 04:16 PM, Ludwig Krispenz wrote: >> >> On 01/14/2016 03:59 PM, Stanislav Laznicka wrote: >>> On 01/14/2016 03:21 PM, Rob Crittenden wrote: >>>> Stanislav Laznicka wrote: >>>>> Please see the rebased patches attached. >>>>> >>>>> On 01/13/2016 02:01 PM, Martin Basti wrote: >>>>>> >>>>>> On 18.12.2015 12:46, Stanislav Laznicka wrote: >>>>>>> Hi, >>>>>>> >>>>>>> Attached are the patches for auto-find and clean of dangling >>>>>>> (cs)ruvs. Currently, the cleaning of an RUV waits for all >>>>>>> replicas to >>>>>>> be online, even on --force. If that were an issue, I can make the >>>>>>> command fail before trying to clean any of RUVs. However, the >>>>>>> user is >>>>>>> shown a replica is offline and is prompted to confirm the >>>>>>> cleaning so >>>>>>> the possible wait should not be a problem I believe. >>>>>>> >>>>>>> Standa L. >>>>>>> >>>>>>> >>>>>> Hello, >>>>>> >>>>>> patches need a rebase, I cannot apply them. >>>> Will this confuse people? Currently, for good or bad, there are two >>>> commands for managing the two different topologies. This mixes some CA >>>> work into ipa-replica-manage. >>>> >>>> rob >>>> >>> Well, in the patch, I was just following the discussion at >>> https://fedorahosted.org/freeipa/ticket/5411. Ludwig mentions that >>> ipa-csreplica-manage should go deprecated and does not want to enhance >>> it. 
Also, the only thing the code does is removing trash from the ds >>> so it makes sense to me to do it in just one command, as well as the >>> users might expect that, too. >>> >>> I guess it would be possible to add an option that would select which >>> of the subtrees should be cleaned of RUVs. It should stay as one >>> command nonetheless. Adding such an option for this command would then >>> probably mean all the commands should have it as it would make more >>> sense, though. >>> >>> Let me add Petr and Ludwig to CC: as they both had inputs on keeping >>> the command in just ipa-replica-manage. >> yes, that was the idea to keep ipa-csreplica-manage (which does not have >> clean-ruv,..) for domain-level 0, but not add new features. Also >> "ipa-replica-manage del" now triggers the ruv cleaning of ipaca >> > > Yes, ipa-csreplica-manage should be deprecated. > > I think that one of the reasons why dangling CA RUVs are not uncommon > is that users forget about `ipa-csreplica-manage del` command when > removing a replica. > > New `ipa-replica-manage del` also removes replication agreements and > therefore cleans RUVs of CA suffix (on domain level 1). In this > context it is not inconsistent. > > Btw, one good example of why these commands will be helpful is the > following bz, especially a sentence in: > https://bugzilla.redhat.com/show_bug.cgi?id=1295971#c5 > """ > I had some mistakes to clean some valid RUV, for example, 52 for eupre1 > """ > > We should think about list-clean-ruv and abort-clean-ruv commands. > There is no counterpart for CA suffix now. Could be in different patch. > > With clean-dangling-ruvs command it would be good to deprecate > clean-ruv command of ipa-replica-manage - should be different patch. > > I'm not sure if it should abort if some replica is down. Maybe yes > until https://fedorahosted.org/freeipa/ticket/5396 is fixed. > > The patch set misses an update of the man page. Attached are the patches with the description for the man page. 
Aborting the clean-dangling-ruv operation when any replica is offline was also added. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0011-Listing-and-cleaning-RUV-extended-for-CA-suffix.patch Type: text/x-patch Size: 4787 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0012-2-Automatically-detect-and-remove-dangling-RUVs.patch Type: text/x-patch Size: 8575 bytes Desc: not available URL: From fskola at redhat.com Fri Jan 15 14:37:15 2016 From: fskola at redhat.com (Filip Skola) Date: Fri, 15 Jan 2016 09:37:15 -0500 (EST) Subject: [Freeipa-devel] [PATCH 0005] Refactor test_nesting, create HostGroupTracker In-Reply-To: <1902672460.4566340.1452602887525.JavaMail.zimbra@redhat.com> References: <2134068455.1326509.1450781775764.JavaMail.zimbra@redhat.com> <1902672460.4566340.1452602887525.JavaMail.zimbra@redhat.com> Message-ID: <1118746236.11920442.1452868635399.JavaMail.zimbra@redhat.com> Hi, sending rebased patch. F. ----- Original Message ----- > Hi, > > the patch no longer applies to master. Please rebase it. > > Thanks, > Milan > > ----- Original Message ----- > From: "Filip Skola" > To: freeipa-devel at redhat.com > Cc: "Milan Kubík" , "Aleš Mareček" > Sent: Tuesday, 22 December, 2015 11:56:15 AM > Subject: [PATCH 0005] Refactor test_nesting, create HostGroupTracker > > Hi, > > another patch from refactoring-test_xmlrpc series. > > Filip > -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-fskola-0005-2-Refactor-test_nesting-create-HostGroupTracker.patch Type: text/x-patch Size: 44380 bytes Desc: not available URL: From fskola at redhat.com Fri Jan 15 14:38:27 2016 
From: fskola at redhat.com (Filip Skola) Date: Fri, 15 Jan 2016 09:38:27 -0500 (EST) Subject: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin In-Reply-To: <1914334378.4564827.1452602733244.JavaMail.zimbra@redhat.com> References: <20151120135636.71171d5c@vor2.netbox.priv> <20151123145934.36901470@dhcp-25-21.brq.redhat.com> <20151123164249.4a576706@dhcp-25-21.brq.redhat.com> <565C76D6.3010406@redhat.com> <20151203201556.4ff69dba@vor2.netbox.priv> <5665B88E.4000507@redhat.com> <20151209190102.1bb8fc07@vor2.netbox.priv> <1914334378.4564827.1452602733244.JavaMail.zimbra@redhat.com> Message-ID: <1760221088.11921867.1452868707220.JavaMail.zimbra@redhat.com> Hi, sending rebased patch. F. ----- Original Message ----- > Hello, > > sorry for delays. The patch no longer applies to master. Rebase it, please. > > Milan > > ----- Original Message ----- 
> From: "Filip Škola" > To: "Milan Kubík" > Cc: freeipa-devel at redhat.com > Sent: Wednesday, 9 December, 2015 7:01:02 PM > Subject: Re: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin > > On Mon, 7 Dec 2015 17:49:18 +0100 > Milan Kubík wrote: > > > On 12/03/2015 08:15 PM, Filip Škola wrote: > > > On Mon, 30 Nov 2015 17:18:30 +0100 > > > Milan Kubík wrote: > > > > > >> On 11/23/2015 04:42 PM, Filip Škola wrote: > > >>> Sending updated patch. > > >>> > > >>> F. > > >>> > > >>> On Mon, 23 Nov 2015 14:59:34 +0100 > > >>> Filip Škola wrote: > > >>> > > >>>> Found a couple of issues (broke some dependencies). > > >>>> > > >>>> NACK > > >>>> > > >>>> F. > > >>>> > > >>>> On Fri, 20 Nov 2015 13:56:36 +0100 > > >>>> Filip Škola wrote: > > >>>> > > >>>>> Another one. > > >>>>> > > >>>>> F. > > >>> > > >> Hi, the tests look good. Few remarks, though. > > >> > > >> 1. Please, use the shortest copyright notice in new modules. > > >> > > >> # > > >> # Copyright (C) 2015 FreeIPA Contributors see COPYING for > > >> license # > > >> > > >> 2. The tests `test_group_remove_group_from_protected_group` and > > >> `test_group_full_set_of_objectclass_not_available_post_detach` > > >> were not ported. Please, include them in the patch. > > >> > > >> Also, for less hassle, please rebase your patches on top of > > >> freeipa-mkubik-0025-3-Separated-Tracker-implementations-into-standalone-pa.patch > > >> Which changes the location of tracker implementations and prevents > > >> circular imports. > > >> > > >> Thanks. > > >> > > > > > > > > > Hi, > > > > > > these cases are there, in corresponding classes. They are marked > > > with the original comments. (However I can move them to separate > > > class if desirable.) > > > > > > The copyright notice is changed. Also included a few changes in the > > > test with user without private group. 
> > > > > > Filip > > NACK > > > > linter: > > ************* Module tracker.group_plugin > > ipatests/test_xmlrpc/tracker/group_plugin.py:257: > > [E0102(function-redefined), GroupTracker.check_remove_member] method > > already defined line 253) > > > > Probably a leftover after the rebase made on top of my patch. Please > > fix it. You can check your changes by make-lint script before > > sending them. > > > > Thanks > > > > > Hi, > > I learned to use make-lint! > > Thanks, > F. > -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-fskola-0002-5-Refactor-test_group_plugin.patch Type: text/x-patch Size: 74135 bytes Desc: not available URL: From fskola at redhat.com Fri Jan 15 14:41:52 2016 
From: fskola at redhat.com (Filip Skola) Date: Fri, 15 Jan 2016 09:41:52 -0500 (EST) Subject: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin In-Reply-To: <184590988.47122995.1450007607203.JavaMail.zimbra@redhat.com> References: <20151106113201.5e6a7042@dhcp-24-123.brq.redhat.com> <56448E17.2010409@redhat.com> <20151203173843.37179230@vor2.netbox.priv> <869710129.24860544.1449498571599.JavaMail.zimbra@redhat.com> <20151210112952.3ddb7136@vor2.netbox.priv> <964966782.26674717.1449760307850.JavaMail.zimbra@redhat.com> <273613290.27075436.1449834011983.JavaMail.zimbra@redhat.com> <184590988.47122995.1450007607203.JavaMail.zimbra@redhat.com> Message-ID: <81340538.11928726.1452868912243.JavaMail.zimbra@redhat.com> Hi, sending rebased patch on top of 58c42ddac0964a8cce7c1e1faa7516da53f028ad. Includes a "fix" for the rename-to-invalid-username issue for the new version. F. ----- Original Message ----- > Hi, > > I don't know what is causing the \r\n issue. I use vim and then send each > email with claws-mail. Didn't spot this issue when trying emailing the patch > to my other address. I'm trying to send it from zimbra now, let me know if > that helped pls. > > Fix for the stageuser plugin issues caused by this patch should have been > included in the last update; I think the remaining issue is not caused by > UserTracker changes. Please correct me, if I'm wrong. > > > There is some issue with "test_rename_to_too_long_login" test. It fails but > > actually this is false positive because it is possible to create login up to > > 255 characters. I don't know why test mentions 32 characters without any > > other modified setup. > > NACK for now. > > - alich - > > This has been changed. This test still fails, though. > > Filip > > > > > > > ----- Original Message ----- 
> > > From: "Aleš Mareček" > > > To: "Filip Škola" > > > Cc: freeipa-devel at redhat.com, "Milan Kubík" > > > Sent: Thursday, December 10, 2015 4:11:47 PM > > > Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin > > > > > > Ah, sorry, haven't realized there had been devel list attached. > > > Ok, there is some problem with \r\n in the patch. > > > Filip, please take a look at it... > > > Thanks... > > > - alich - > > > > > > ----- Original Message ----- > > > > From: "Filip Škola" > > > > To: "Aleš Mareček" > > > > Cc: freeipa-devel at redhat.com, "Milan Kubík" > > > > Sent: Thursday, December 10, 2015 11:29:52 AM > > > > Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin > > > > > > > > Hi, > > > > > > > > this is fixed. Also issues with test_stageuser_plugin caused by > > > > UserTracker changes should be fixed here. > > > > > > > > Filip > > > > > > > > > > > > On Mon, 7 Dec 2015 09:29:31 -0500 (EST) > > > > Aleš Mareček wrote: > > > > > > > > > NACK. > > > > > > > > > > $ ./make-lint > > > > > ************* Module ipatests.test_xmlrpc.test_user_plugin > > > > > ipatests/test_xmlrpc/test_user_plugin.py:42: > > > > > [E0611(no-name-in-module), ] No name 'ldaptracker' in module > > > > > 'ipatests.test_xmlrpc') > > > > > > > > > > $ grep ldaptracker ipatests/test_xmlrpc/test_user_plugin.py > > > > > from ipatests.test_xmlrpc.ldaptracker import Tracker > > > > > $ ls ipatests/test_xmlrpc/ldaptracker* > > > > > ls: cannot access ipatests/test_xmlrpc/ldaptracker*: No such file or > > > > > directory > > > > > > > > > > > > > > > ----- Original Message ----- 
> > > > > > From: "Filip Škola" > > > > > > To: "Milan Kubík" > > > > > > Cc: freeipa-devel at redhat.com > > > > > > Sent: Thursday, December 3, 2015 5:38:43 PM > > > > > > Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin > > > > > > > > > > > > Hi, > > > > > > > > > > > > sending corrected version. > > > > > > > > > > > > F. > > > > > > > > > > > > On Thu, 12 Nov 2015 14:03:19 +0100 > > > > > > Milan Kubík wrote: > > > > > > > > > > > > > On 11/10/2015 12:13 PM, Filip Škola wrote: > > > > > > > > Hi, > > > > > > > > > > > > > > > > fixed. > > > > > > > > > > > > > > > > F. > > > > > > > > > > > > > > > > On Tue, 10 Nov 2015 10:52:45 +0100 > > > > > > > > Milan Kubík wrote: > > > > > > > > > > > > > > > >> On 11/09/2015 04:35 PM, Filip Škola wrote: > > > > > > > >>> Another patch was applied in the meantime. > > > > > > > >>> > > > > > > > >>> Attaching an updated version. > > > > > > > >>> > > > > > > > >>> F. > > > > > > > >>> > > > > > > > >>> On Mon, 9 Nov 2015 13:35:02 +0100 > > > > > > > >>> Milan Kubík wrote: > > > > > > > >>> > > > > > > > >>>> On 11/06/2015 11:32 AM, Filip Škola wrote: > > > > > > > >>>> Hi, > > > > > > > >>>> the patch doesn't apply. > > > > > > > >>>> > > > > > > > >> Please fix this. > > > > > > > >> > > > > > > > >> ipatests/test_xmlrpc/test_user_plugin.py:1419: > > > > > > > >> [E0602(undefined-variable), > > > > > > > >> TestDeniedBindWithExpiredPrincipal.teardown_class] Undefined > > > > > > > >> variable 'user1') > > > > > > > >> > > > > > > > >> Also, use the version numbers for your changed patches. > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > Thanks for the patch. Several issues: > > > > > > > > > > > > > > 1. Use dict.items instead of dict.iteritems, for python3 > > > > > > > compatibility > > > > > > > > > > > > > > 2. What is the purpose of TestPrepare class? The 'purge' methods > > > > > > > do not call any ipa commands. 
> > > > > > > Tracker.make_fixture should be used to make the Tracked resources > > > > > > > clean themselves up when they're out of scope. > > > > > > > > > > > > > > 3. Why reference the resources by hardcoded name if they have a > > > > > > > fixture representation? > > > > > > > > > > > > > > 4. Rewrite {create,delete}_test_group to a fixture. You may want > > > > > > > to use different scope (or not). > > > > > > > > > > > > > > 5. In `def atest_rename_to_invalid_login(self, user):` - use > > > > > > > pytest.skipif decorator and provide a reason if you must, > > > > > > > do not obfuscate method name in order not to run it. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > Manage your subscription for the Freeipa-devel mailing list: > > > > > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > > > > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > > > > > > > > > > > > > > > -- -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-fskola-0001-6-Refactor-test_user_plugin.patch Type: text/x-patch Size: 98434 bytes Desc: not available URL: From tbabej at redhat.com Fri Jan 15 15:27:03 2016 From: tbabej at redhat.com (Tomas Babej) Date: Fri, 15 Jan 2016 16:27:03 +0100 Subject: [Freeipa-devel] [PATCH 0398] logger: Use warning instead of warn Message-ID: <56990FC7.4090603@redhat.com> Hi, this should build up to another pylint-related patch Martin^2 has in the works. Tomas -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0398-logger-Use-warning-instead-of-warn.patch Type: text/x-patch Size: 14007 bytes Desc: not available URL: From simo at redhat.com Fri Jan 15 15:57:05 2016 
From: simo at redhat.com (Simo Sorce) Date: Fri, 15 Jan 2016 10:57:05 -0500 Subject: [Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails In-Reply-To: <5698E793.9090400@redhat.com> References: <568E945F.3030605@redhat.com> <568E949B.1090300@redhat.com> <56961965.9050309@redhat.com> <56967BD8.1000109@redhat.com> <1452807096.3356.182.camel@redhat.com> <5698E793.9090400@redhat.com> Message-ID: <1452873425.3356.192.camel@redhat.com> On Fri, 2016-01-15 at 13:35 +0100, Martin Babinsky wrote: > On 01/14/2016 10:31 PM, Simo Sorce wrote: > > On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote: > >> On 01/13/2016 10:31 AM, Martin Babinsky wrote: > >>> On 01/07/2016 05:38 PM, Martin Babinsky wrote: > >>>> On 01/07/2016 05:37 PM, Martin Babinsky wrote: > >>>>> https://fedorahosted.org/freeipa/ticket/5584 > >>>>> > >>>> And the patch is here. > >>>> > >>>> > >>>> > >>> self-NACK, there may be a better way to handle this. I will do some > >>> investigation and send updated patch. > >>> > >> Attaching updated patch. > > > > A failure to obtain a tgt may be due to other reasons (for example the > > KDC crashed), why are you trying to use this test ? > > Isn't it sufficient to see there is no host entry in the directory ? > > > > Simo. > > > There were some corner cases I encountered, mostly concerning a cleanup > after unsuccessful replica promotion. > > You may sometimes end up in a state where local DS is working, but KDC > crashed and the krb5.conf is still pointing at a remote one. In that > case "malformed" replica's local host entry exist, but when such host > tries to get TGT, the AS-REQ goes to remote KDC from other master. 
> > However, if the admin had in the meantime cleaned up this host's > kerberos principals/keys, the crashed replica gets one of the following > errors: > > Client not found in Kerberos database > Client credentials have been revoked > Generic preauthentication failure > > These were printed out as errors during uninstall, but were actually > expected in situation like this. It is true that the code should check > and ignore these specific errors. Only the first is valid for your case, the others may be transient errors. Simo. -- Simo Sorce * Red Hat, Inc * New York From mbasti at redhat.com Fri Jan 15 16:12:20 2016 From: mbasti at redhat.com (Martin Basti) Date: Fri, 15 Jan 2016 17:12:20 +0100 Subject: [Freeipa-devel] [PATCH 0398] logger: Use warning instead of warn In-Reply-To: <56990FC7.4090603@redhat.com> References: <56990FC7.4090603@redhat.com> Message-ID: <56991A64.1050803@redhat.com> On 15.01.2016 16:27, Tomas Babej wrote: > Hi, > > this should build up to another pylint-related patch Martin^2 has in works. > > Tomas > > > NACK :) ************* Module ipalib.plugins.dns ipalib/plugins/dns.py:3441: [E1101(no-member), dnsrecord.wait_for_modified_attr] Class 'log' has no 'warn' member) -------------- next part -------------- An HTML attachment was scrubbed... URL: From tbabej at redhat.com Fri Jan 15 16:15:43 2016 
From: tbabej at redhat.com (Tomas Babej) Date: Fri, 15 Jan 2016 17:15:43 +0100 Subject: [Freeipa-devel] [PATCH 0398] logger: Use warning instead of warn In-Reply-To: <56991A64.1050803@redhat.com> References: <56990FC7.4090603@redhat.com> <56991A64.1050803@redhat.com> Message-ID: <56991B2F.70304@redhat.com> On 01/15/2016 05:12 PM, Martin Basti wrote: > > > On 15.01.2016 16:27, Tomas Babej wrote: >> Hi, >> >> this should build up to another pylint-related patch Martin^2 has in works. >> >> Tomas >> >> >> > NACK :) > > ************* Module ipalib.plugins.dns > ipalib/plugins/dns.py:3441: [E1101(no-member), > dnsrecord.wait_for_modified_attr] Class 'log' has no 'warn' member) > My regexp was too strict, it seems :) Updated patch attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0398-2-logger-Use-warning-instead-of-warn.patch Type: text/x-patch Size: 14333 bytes Desc: not available URL: From mbabinsk at redhat.com Fri Jan 15 17:29:14 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 15 Jan 2016 18:29:14 +0100 Subject: [Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails In-Reply-To: <1452873425.3356.192.camel@redhat.com> References: <568E945F.3030605@redhat.com> <568E949B.1090300@redhat.com> <56961965.9050309@redhat.com> <56967BD8.1000109@redhat.com> <1452807096.3356.182.camel@redhat.com> <5698E793.9090400@redhat.com> <1452873425.3356.192.camel@redhat.com> Message-ID: <56992C6A.7060106@redhat.com> On 01/15/2016 04:57 PM, Simo Sorce wrote: > On Fri, 2016-01-15 at 13:35 +0100, Martin Babinsky wrote: >> On 01/14/2016 10:31 PM, Simo Sorce wrote: >>> On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote: >>>> On 01/13/2016 10:31 AM, Martin Babinsky wrote: >>>>> On 01/07/2016 05:38 PM, Martin Babinsky wrote: >>>>>> On 01/07/2016 05:37 PM, Martin Babinsky wrote: >>>>>>> https://fedorahosted.org/freeipa/ticket/5584 >>>>>>> >>>>>> And the patch is here. >>>>>> >>>>>> >>>>>> >>>>> self-NACK, there may be a better way to handle this. I will do some >>>>> investigation and send updated patch. >>>>> >>>> Attaching updated patch. >>> >>> A failure to obtain a tgt may be due to other reasons (for example the >>> KDC crashed), why are you trying to use this test ? >>> Isn't it sufficient to see there is no host entry in the directory ? >>> >>> Simo. >>> >> There were some corner cases I encountered, mostly concerning a cleanup >> after unsuccessful replica promotion. >> >> You may sometimes end up in a state where local DS is working, but KDC >> crashed and the krb5.conf is still pointing at a remote one. In that >> case "malformed" replica's local host entry exist, but when such host >> tries to get TGT, the AS-REQ goes to remote KDC from other master. 
>> >> However, if the admin had in the mean time cleaned up this host's >> kerberos principals/keys, the crashed replica gets one of the following >> errors: >> >> Client not found in Kerberos database >> Client credentials have been revoked >> Generic preauthentication failure >> >> These were printed out as errors during uninstall, but were actually >> expected in situation like this. It is true that the code should check >> and ignore these specific errors. > > Only the first id valid for your case, the others may be transient > errors. > > Simo. > > True, attaching updated patch. The other errors will now pop out in the output and the warning will be displayed. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0121.2-uninstallation-more-robust-check-for-master-removal-.patch Type: text/x-patch Size: 4688 bytes Desc: not available URL: From cheimes at redhat.com Mon Jan 18 07:06:53 2016 
From: cheimes at redhat.com (Christian Heimes) Date: Mon, 18 Jan 2016 08:06:53 +0100 Subject: [Freeipa-devel] [PATCH 0397] ipapython: Use custom datetime to LDAP generalized time In-Reply-To: <5698E9C6.2080105@redhat.com> References: <5698E9C6.2080105@redhat.com> Message-ID: <569C8F0D.7030506@redhat.com> On 2016-01-15 13:44, Tomas Babej wrote: > Hi, > > For the dates older than 1900, Python is unable to convert the datetime > representation to string using strftime: > > https://bugs.python.org/issue1777412 > > Work around the issue adding a custom method to convert the datetime > objects to LDAP generalized time strings. > > https://fedorahosted.org/freeipa/ticket/5579

I noticed that all previous strftime() calls and the new code ignore any time zone information. This isn't an issue for tz-naive datetime objects that don't have any time zone information attached. You can't fix them anyway and just hope they are always UTC. For tz-aware datetime objects your approach returns the wrong value. You can use datetime.utctimetuple() instead. The method returns a time tuple in UTC.

>>> value
datetime.datetime(2016, 1, 18, 8, 2, 49, 646270)
>>> '{0.tm_year:4d}{0.tm_mon:02d}{0.tm_mday:02d}{0.tm_hour:02d}{0.tm_min:02d}{0.tm_sec:02d}Z'.format(value.utctimetuple())
'20160118080249Z'

https://docs.python.org/2/library/datetime.html#datetime.datetime.utctimetuple -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From dkupka at redhat.com Mon Jan 18 09:10:17 2016 
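The utctimetuple() approach from the message above carried through as a complete conversion routine, added here as an example rather than the code from Tomas's patch or from FreeIPA: it handles tz-naive values, tz-aware values (normalised to UTC) and pre-1900 dates without strftime(), and includes a parser for the Z-suffixed form so round trips can be checked; the function names are this example's own.

```python
# Added example (not FreeIPA's code or the patch under review): LDAP
# generalized time without strftime(), so that dates before 1900 work and
# tz-aware values are normalised to UTC via utctimetuple(), as suggested
# in the thread. Function names here are the example's own.
from datetime import datetime, timedelta, timezone
import re

# Only the UTC ("Z"-suffixed) form is produced and accepted here.
_GENERALIZED_TIME_RE = re.compile(
    r'^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$')


def to_generalized_time(value):
    """Return value as an LDAP generalized time string, YYYYMMDDHHMMSSZ.

    tz-aware datetimes are converted to UTC first; tz-naive ones carry no
    zone information, so they are taken to be UTC already. strftime() is
    avoided because Python 2 rejects years before 1900 (bpo-1777412), and
    the year is zero-padded to four digits, which '{:4d}' would not do.
    """
    if not isinstance(value, datetime):
        raise TypeError('expected datetime, got %s' % type(value).__name__)
    # utctimetuple(): UTC fields for aware values, fields unchanged for naive.
    t = value.utctimetuple()
    return ('{0.tm_year:04d}{0.tm_mon:02d}{0.tm_mday:02d}'
            '{0.tm_hour:02d}{0.tm_min:02d}{0.tm_sec:02d}Z').format(t)


def from_generalized_time(text):
    """Parse the Z-suffixed generalized time form back into an aware datetime."""
    m = _GENERALIZED_TIME_RE.match(text)
    if m is None:
        raise ValueError('not a UTC generalized time string: %r' % (text,))
    year, month, day, hour, minute, second = (int(g) for g in m.groups())
    return datetime(year, month, day, hour, minute, second,
                    tzinfo=timezone.utc)


if __name__ == '__main__':
    # Constructed sample values, including the one shown in the thread.
    samples = [
        datetime(2016, 1, 18, 8, 2, 49, 646270),                      # naive
        datetime(2016, 1, 18, 8, 2, 49, tzinfo=timezone(timedelta(hours=1))),
        datetime(1812, 6, 24, 10, 30, 5),                             # pre-1900
    ]
    for value in samples:
        print(value.isoformat(), '->', to_generalized_time(value))
```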
From: dkupka at redhat.com (David Kupka)
Date: Mon, 18 Jan 2016 10:10:17 +0100
Subject: [Freeipa-devel] [PATCH 0405] Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter
In-Reply-To: <5698B781.50209@redhat.com>
References: <5698B781.50209@redhat.com>
Message-ID: <569CABF9.6090905@redhat.com>

On 15/01/16 10:10, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5262
>
> Patch attached, detailed description in the commit message.
>
>
Works for me, ACK.

--
David Kupka

From pspacek at redhat.com Mon Jan 18 09:30:30 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 18 Jan 2016 10:30:30 +0100
Subject: [Freeipa-devel] [TEST][PATCH 0019] A proper fix for reverse-zone creation in integration tests
In-Reply-To: <5697AB1D.4040804@redhat.com>
References: <5697AB1D.4040804@redhat.com>
Message-ID: <569CB0B6.3080609@redhat.com>

On 14.1.2016 15:05, Oleg Fayans wrote:
> Date: Thu, 14 Jan 2016 14:59:37 +0100
> Subject: [PATCH] fixed an issue with master installation not creating reverse
>  zone
>
> When resolv.conf is set to point to the master's ip before installation, the
> ipa-server-install does not create a reverse zone for its ip even despite the
> --auto-reverse option provided. The fix is not to mess around with resolv.conf
> before master installation.
> ---
>  ipatests/test_integration/tasks.py | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)

This is a reasonable fix. ACK if it passes your functional tests.

--
Petr^2 Spacek

From mbasti at redhat.com Mon Jan 18 11:49:59 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 18 Jan 2016 12:49:59 +0100
Subject: [Freeipa-devel] [PATCH 0405] Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter
In-Reply-To: <569CABF9.6090905@redhat.com>
References: <5698B781.50209@redhat.com> <569CABF9.6090905@redhat.com>
Message-ID: <569CD167.1040304@redhat.com>

On 18.01.2016 10:10, David Kupka wrote:
> On 15/01/16 10:10, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/5262
>>
>> Patch attached, detailed description in the commit message.
>>
>>
> Works for me, ACK.
>
Pushed to:
master: 7baa675947f012f36376811e2e1f47ff4779cfe3
ipa-4-3: 0978c3d0c409f49139fd6e178255f9f6697fc2ea

From ofayans at redhat.com Mon Jan 18 11:51:40 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Mon, 18 Jan 2016 12:51:40 +0100
Subject: [Freeipa-devel] [TEST][PATCH 0019] A proper fix for reverse-zone creation in integration tests
In-Reply-To: <569CB0B6.3080609@redhat.com>
References: <5697AB1D.4040804@redhat.com> <569CB0B6.3080609@redhat.com>
Message-ID: <569CD1CC.7020405@redhat.com>

On 01/18/2016 10:30 AM, Petr Spacek wrote:
> On 14.1.2016 15:05, Oleg Fayans wrote:
>> Date: Thu, 14 Jan 2016 14:59:37 +0100
>> Subject: [PATCH] fixed an issue with master installation not creating reverse
>>  zone
>>
>> When resolv.conf is set to point to the master's ip before installation, the
>> ipa-server-install does not create a reverse zone for its ip even despite the
>> --auto-reverse option provided. The fix is not to mess around with resolv.conf
>> before master installation.
>> ---
>>  ipatests/test_integration/tasks.py | 7 ++++---
>>  1 file changed, 4 insertions(+), 3 deletions(-)
>
> This is a reasonable fix. ACK if it passes your functional tests.

It does :)
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From mkubik at redhat.com Mon Jan 18 12:09:38 2016
From: mkubik at redhat.com (Milan Kubík)
Date: Mon, 18 Jan 2016 13:09:38 +0100
Subject: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin
In-Reply-To: <1760221088.11921867.1452868707220.JavaMail.zimbra@redhat.com>
References: <20151120135636.71171d5c@vor2.netbox.priv> <20151123145934.36901470@dhcp-25-21.brq.redhat.com> <20151123164249.4a576706@dhcp-25-21.brq.redhat.com> <565C76D6.3010406@redhat.com> <20151203201556.4ff69dba@vor2.netbox.priv> <5665B88E.4000507@redhat.com> <20151209190102.1bb8fc07@vor2.netbox.priv> <1914334378.4564827.1452602733244.JavaMail.zimbra@redhat.com> <1760221088.11921867.1452868707220.JavaMail.zimbra@redhat.com>
Message-ID: <569CD602.1030604@redhat.com>

On 01/15/2016 03:38 PM, Filip Skola wrote:
> Hi,
>
> sending rebased patch.
>
> F.
>
> ----- Original Message -----
>> Hello,
>>
>> sorry for delays. The patch no longer applies to master. Rebase it, please.
>>
>> Milan
>>
>> ----- Original Message -----
>> From: "Filip Škola"
>> To: "Milan Kubík"
>> Cc: freeipa-devel at redhat.com
>> Sent: Wednesday, 9 December, 2015 7:01:02 PM
>> Subject: Re: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin
>>
>> On Mon, 7 Dec 2015 17:49:18 +0100
>> Milan Kubík wrote:
>>
>>> On 12/03/2015 08:15 PM, Filip Škola wrote:
>>>> On Mon, 30 Nov 2015 17:18:30 +0100
>>>> Milan Kubík wrote:
>>>>
>>>>> On 11/23/2015 04:42 PM, Filip Škola wrote:
>>>>>> Sending updated patch.
>>>>>>
>>>>>> F.
>>>>>>
>>>>>> On Mon, 23 Nov 2015 14:59:34 +0100
>>>>>> Filip Škola wrote:
>>>>>>
>>>>>>> Found a couple of issues (broke some dependencies).
>>>>>>>
>>>>>>> NACK
>>>>>>>
>>>>>>> F.
>>>>>>>
>>>>>>> On Fri, 20 Nov 2015 13:56:36 +0100
>>>>>>> Filip Škola wrote:
>>>>>>>
>>>>>>>> Another one.
>>>>>>>>
>>>>>>>> F.
>>>>> Hi, the tests look good. Few remarks, though.
>>>>>
>>>>> 1. Please, use the shortest copyright notice in new modules.
>>>>>
>>>>> #
>>>>> # Copyright (C) 2015 FreeIPA Contributors see COPYING for license
>>>>> #
>>>>>
>>>>> 2. The tests `test_group_remove_group_from_protected_group` and
>>>>> `test_group_full_set_of_objectclass_not_available_post_detach`
>>>>> were not ported. Please, include them in the patch.
>>>>>
>>>>> Also, for less hassle, please rebase your patches on top of
>>>>> freeipa-mkubik-0025-3-Separated-Tracker-implementations-into-standalone-pa.patch
>>>>> which changes the location of tracker implementations and prevents
>>>>> circular imports.
>>>>>
>>>>> Thanks.
>>>>>
>>>>
>>>> Hi,
>>>>
>>>> these cases are there, in corresponding classes. They are marked
>>>> with the original comments. (However I can move them to a separate
>>>> class if desirable.)
>>>>
>>>> The copyright notice is changed. Also included a few changes in the
>>>> test with user without private group.
>>>>
>>>> Filip
>>> NACK
>>>
>>> linter:
>>> ************* Module tracker.group_plugin
>>> ipatests/test_xmlrpc/tracker/group_plugin.py:257:
>>> [E0102(function-redefined), GroupTracker.check_remove_member] method
>>> already defined line 253)
>>>
>>> Probably a leftover after the rebase made on top of my patch. Please
>>> fix it. You can check your changes by the make-lint script before
>>> sending them.
>>>
>>> Thanks
>>>
>>
>> Hi,
>>
>> I learned to use make-lint!
>>
>> Thanks,
>> F.
>>
Hello,

NACK, pylint doesn't seem to like the way the fixtures are imported (pytest does a lot of runtime magic) [1]. One possible solution would be [2]. Though, I don't think this would be a good idea in our environment. I suggest creating the fixtures on a per-module basis.

[1]: http://fpaste.org/311949/53118942/
[2]: https://pytest.org/latest/fixture.html#using-fixtures-from-classes-modules-or-projects

--
Milan Kubik

From mkubik at redhat.com Mon Jan 18 12:12:08 2016
From: mkubik at redhat.com (Milan Kubík)
Date: Mon, 18 Jan 2016 13:12:08 +0100
Subject: [Freeipa-devel] [PATCH 0005] Refactor test_nesting, create HostGroupTracker
In-Reply-To: <1118746236.11920442.1452868635399.JavaMail.zimbra@redhat.com>
References: <2134068455.1326509.1450781775764.JavaMail.zimbra@redhat.com> <1902672460.4566340.1452602887525.JavaMail.zimbra@redhat.com> <1118746236.11920442.1452868635399.JavaMail.zimbra@redhat.com>
Message-ID: <569CD698.4020900@redhat.com>

On 01/15/2016 03:37 PM, Filip Skola wrote:
> Hi,
>
> sending rebased patch.
>
> F.
>
> ----- Original Message -----
>> Hi,
>>
>> the patch no longer applies to master. Please rebase it.
>>
>> Thanks,
>> Milan
>>
>> ----- Original Message -----
>> From: "Filip Skola"
>> To: freeipa-devel at redhat.com
>> Cc: "Milan Kubík" , "Aleš Mareček"
>> Sent: Tuesday, 22 December, 2015 11:56:15 AM
>> Subject: [PATCH 0005] Refactor test_nesting, create HostGroupTracker
>>
>> Hi,
>>
>> another patch from the refactoring-test_xmlrpc series.
>>
>> Filip
>>
NACK, something seems to be missing in the patch

************* Module ipatests.test_xmlrpc.tracker.hostgroup_plugin
ipatests/test_xmlrpc/tracker/hostgroup_plugin.py:222: [E1101(no-member), HostGroupTracker.check_add_member_negative] Instance of 'HostGroupTracker' has no 'adds' member)

--
Milan Kubik

From mbabinsk at redhat.com Mon Jan 18 12:57:50 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 18 Jan 2016 13:57:50 +0100
Subject: [Freeipa-devel] [PATCH 0125] IPA upgrade: move replication ACIs to the mapping tree entry
In-Reply-To: <56977134.1010304@redhat.com>
References: <56954230.7080005@redhat.com> <5695EC2D.1000302@redhat.com> <56960B0D.30500@redhat.com> <56977134.1010304@redhat.com>
Message-ID: <569CE14E.8060805@redhat.com>

On 01/14/2016 10:58 AM, Martin Babinsky wrote:
> On 01/13/2016 09:30 AM, Martin Babinsky wrote:
>> On 01/13/2016 07:18 AM, Jan Cholasta wrote:
>>> On 12.1.2016 19:13, Martin Babinsky wrote:
>>>> commit 6ea868e172738bdd6a8fae34e65126cdd134bbbe broke replica install
>>>> and management on IPA servers upgraded from pre-4.3 version. The
>>>> attached patch fixes this.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5575
>>>
>>> Any reason to repeat the DN 3 times?
>>>
>>> Besides that LGTM.
>>>
>>
>> No other reason than not using brain during copy-pasting ACIs.
>>
>> Attaching updated patch.
>>
>>
>>
> Attaching updated patch.
>
>
>
Attaching updated patch.

--
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0125.3-IPA-upgrade-move-replication-ACIs-to-the-mapping-tre.patch
Type: text/x-patch
Size: 4512 bytes
Desc: not available
URL:

From jcholast at redhat.com Mon Jan 18 13:10:44 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 18 Jan 2016 14:10:44 +0100
Subject: [Freeipa-devel] [PATCH 0125] IPA upgrade: move replication ACIs to the mapping tree entry
In-Reply-To: <569CE14E.8060805@redhat.com>
References: <56954230.7080005@redhat.com> <5695EC2D.1000302@redhat.com> <56960B0D.30500@redhat.com> <56977134.1010304@redhat.com> <569CE14E.8060805@redhat.com>
Message-ID: <569CE454.2000809@redhat.com>

On 18.1.2016 13:57, Martin Babinsky wrote:
> On 01/14/2016 10:58 AM, Martin Babinsky wrote:
>> On 01/13/2016 09:30 AM, Martin Babinsky wrote:
>>> On 01/13/2016 07:18 AM, Jan Cholasta wrote:
>>>> On 12.1.2016 19:13, Martin Babinsky wrote:
>>>>> commit 6ea868e172738bdd6a8fae34e65126cdd134bbbe broke replica install
>>>>> and management on IPA servers upgraded from pre-4.3 version. The
>>>>> attached patch fixes this.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5575
>>>>
>>>> Any reason to repeat the DN 3 times?
>>>>
>>>> Besides that LGTM.
>>>>
>>>
>>> No other reason than not using brain during copy-pasting ACIs.
>>>
>>> Attaching updated patch.
>>>
>>>
>>>
>> Attaching updated patch.
>>
>>
>>
> Attaching updated patch.

Thanks, ACK.

Pushed to:
master: e7a4faab81dad6b77373d6f57f597c411a7557f4
ipa-4-3: c1faf721868015558ab608a72895a513cd1247d8

--
Jan Cholasta

From fskola at redhat.com Mon Jan 18 13:26:31 2016
From: fskola at redhat.com (Filip Skola)
Date: Mon, 18 Jan 2016 08:26:31 -0500 (EST)
Subject: [Freeipa-devel] [PATCH 0005] Refactor test_nesting, create HostGroupTracker
In-Reply-To: <569CD698.4020900@redhat.com>
References: <2134068455.1326509.1450781775764.JavaMail.zimbra@redhat.com> <1902672460.4566340.1452602887525.JavaMail.zimbra@redhat.com> <1118746236.11920442.1452868635399.JavaMail.zimbra@redhat.com> <569CD698.4020900@redhat.com>
Message-ID: <1592657483.12984474.1453123591078.JavaMail.zimbra@redhat.com>

Hi,

this should be fixed in this patch.

F.

----- Original Message -----
> On 01/15/2016 03:37 PM, Filip Skola wrote:
> > Hi,
> >
> > sending rebased patch.
> >
> > F.
> >
> > ----- Original Message -----
> >> Hi,
> >>
> >> the patch no longer applies to master. Please rebase it.
> >>
> >> Thanks,
> >> Milan
> >>
> >> ----- Original Message -----
> >> From: "Filip Skola"
> >> To: freeipa-devel at redhat.com
> >> Cc: "Milan Kubík" , "Aleš Mareček"
> >>
> >> Sent: Tuesday, 22 December, 2015 11:56:15 AM
> >> Subject: [PATCH 0005] Refactor test_nesting, create HostGroupTracker
> >>
> >> Hi,
> >>
> >> another patch from refactoring-test_xmlrpc series.
> >>
> >> Filip
> >>
> NACK, something seems to be missing in the patch
>
>
> ************* Module ipatests.test_xmlrpc.tracker.hostgroup_plugin
> ipatests/test_xmlrpc/tracker/hostgroup_plugin.py:222: [E1101(no-member),
> HostGroupTracker.check_add_member_negative] Instance of
> 'HostGroupTracker' has no 'adds' member)
>
> --
> Milan Kubik
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-fskola-0005-3-Refactor-test_nesting-create-HostGroupTracker.patch
Type: text/x-patch
Size: 44406 bytes
Desc: not available
URL:

From mbasti at redhat.com Mon Jan 18 16:28:59 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 18 Jan 2016 17:28:59 +0100
Subject: [Freeipa-devel] [PATCH 0406] Exclude o=ipaca from syncrepl
Message-ID: <569D12CB.6010907@redhat.com>

https://fedorahosted.org/freeipa/ticket/5538

Patch attached
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0406-Exclude-o-ipaca-subtree-from-Retro-Changelog-syncrep.patch
Type: text/x-patch
Size: 1167 bytes
Desc: not available
URL:

From mbasti at redhat.com Mon Jan 18 16:49:36 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 18 Jan 2016 17:49:36 +0100
Subject: [Freeipa-devel] [PATCH 0398] logger: Use warning instead of warn
In-Reply-To: <56991B2F.70304@redhat.com>
References: <56990FC7.4090603@redhat.com> <56991A64.1050803@redhat.com> <56991B2F.70304@redhat.com>
Message-ID: <569D17A0.5040906@redhat.com>

On 15.01.2016 17:15, Tomas Babej wrote:
>
> On 01/15/2016 05:12 PM, Martin Basti wrote:
>>
>> On 15.01.2016 16:27, Tomas Babej wrote:
>>> Hi,
>>>
>>> this should build up to another pylint-related patch Martin^2 has in the works.
>>>
>>> Tomas
>>>
>>>
>>>
>> NACK :)
>>
>> ************* Module ipalib.plugins.dns
>> ipalib/plugins/dns.py:3441: [E1101(no-member),
>> dnsrecord.wait_for_modified_attr] Class 'log' has no 'warn' member)
>>
> My regexp was too strict, it seems :)
>
> Updated patch attached.

ACK
log.warn() is deprecated
https://docs.python.org/3/library/logging.html#logging.Logger.warning

From mbasti at redhat.com Mon Jan 18 16:50:42 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 18 Jan 2016 17:50:42 +0100
Subject: [Freeipa-devel] [PATCH 0398] logger: Use warning instead of warn
In-Reply-To: <569D17A0.5040906@redhat.com>
References: <56990FC7.4090603@redhat.com> <56991A64.1050803@redhat.com> <56991B2F.70304@redhat.com> <569D17A0.5040906@redhat.com>
Message-ID: <569D17E2.5090005@redhat.com>

On 18.01.2016 17:49, Martin Basti wrote:
>
>
> On 15.01.2016 17:15, Tomas Babej wrote:
>>
>> On 01/15/2016 05:12 PM, Martin Basti wrote:
>>>
>>> On 15.01.2016 16:27, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> this should build up to another pylint-related patch Martin^2 has
>>>> in the works.
>>>>
>>>> Tomas
>>>>
>>>>
>>>>
>>> NACK :)
>>>
>>> ************* Module ipalib.plugins.dns
>>> ipalib/plugins/dns.py:3441: [E1101(no-member),
>>> dnsrecord.wait_for_modified_attr] Class 'log' has no 'warn' member)
>>>
>> My regexp was too strict, it seems :)
>>
>> Updated patch attached.
> ACK
> log.warn() is deprecated
> https://docs.python.org/3/library/logging.html#logging.Logger.warning
>
Pushed to master: 78c5bf9f8e85b4c6c9b67b4a26acedfd45a2c86f

From cheimes at redhat.com Mon Jan 18 16:55:43 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Mon, 18 Jan 2016 17:55:43 +0100
Subject: [Freeipa-devel] [PATCH 0406] Exclude o=ipaca from syncrepl
In-Reply-To: <569D12CB.6010907@redhat.com>
References: <569D12CB.6010907@redhat.com>
Message-ID: <569D190F.1070107@redhat.com>

On 2016-01-18 17:28, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5538
>
> Patch attached

ACK
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL:

From mbabinsk at redhat.com Mon Jan 18 17:43:08 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 18 Jan 2016 18:43:08 +0100
Subject: [Freeipa-devel] [PATCH 0128] ipalib/cli.py: pythonify Collector class
Message-ID: <569D242C.2030903@redhat.com>

A little patch that should make some future pylint errors disappear.

--
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0128-ipalib-cli.py-pythonify-Collector-class.patch
Type: text/x-patch
Size: 1615 bytes
Desc: not available
URL:

From jcholast at redhat.com Tue Jan 19 07:45:23 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 19 Jan 2016 08:45:23 +0100
Subject: [Freeipa-devel] [PATCHES] 0752-0757, 0759 Enable pylint --py3k
In-Reply-To: <5697DAFD.50603@redhat.com>
References: <568D2494.9080602@redhat.com> <568FA169.4030900@redhat.com> <5693B2F8.1060905@redhat.com> <56950653.8060406@redhat.com> <5695114B.3070807@redhat.com> <5697DAFD.50603@redhat.com>
Message-ID: <569DE993.30002@redhat.com>

On 14.1.2016 18:29, Petr Viktorin wrote:
> On 01/12/2016 03:44 PM, Petr Viktorin wrote:
>>
>>>> Hello I tried --py3k option and it doesn't print any error, can we
>>>> enable that check by default to prevent python3 regressions?
>>>>
>>>> # ./make-lint --py3k
>>>> No config file found, using default configuration
>>>
>>> Squash in the other attached patch to enable it by default.
>>
>> Sorry, please ignore the squash patch -- if --py3k is to be on by
>> default, I'll also need to add all needed packages to BuildRequires.
>
> Actually, after all, that's not true -- the py3 libraries aren't needed
> for pylint --py3k.
> So, patches are ready for review as they are (with your choice of what
> the default should be).

Patch 759:

1) Typo: 'Skil the main lint check'.

2) Why the indentation change in output?

Regarding --(no-)py3k, do we even need the option? I would just enable the checks and not add the option unless someone specifically asked for it.

Otherwise LGTM, including patch 758.

--
Jan Cholasta

From pspacek at redhat.com Tue Jan 19 10:26:41 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 19 Jan 2016 11:26:41 +0100
Subject: [Freeipa-devel] [PATCH 0397] ipapython: Use custom datetime to LDAP generalized time
In-Reply-To: <569C8F0D.7030506@redhat.com>
References: <5698E9C6.2080105@redhat.com> <569C8F0D.7030506@redhat.com>
Message-ID: <569E0F61.6040702@redhat.com>

On 18.1.2016 08:06, Christian Heimes wrote:
> On 2016-01-15 13:44, Tomas Babej wrote:
>> Hi,
>>
>> For the dates older than 1900, Python is unable to convert the datetime
>> representation to string using strftime:
>>
>> https://bugs.python.org/issue1777412
>>
>> Work around the issue adding a custom method to convert the datetime
>> objects to LDAP generalized time strings.
>>
>> https://fedorahosted.org/freeipa/ticket/5579

Dates before 1900? Seriously? This is a bad idea. I would rather catch ValueError and inform the user. We seriously do not need more custom code!

Petr^2 Spacek

> I noticed that all previous strftime() calls and the new code ignore any
> time zone information. This isn't an issue for tz-naive datetime objects
> that don't have any time zone information attached. You can't fix them
> anyway and just hope they are always UTC. For tz-aware datetime objects
> your approach returns the wrong value.
>
> You can use datetime.utctimetuple() instead. The method returns a time
> tuple in UTC.
>
>>>> value
> datetime.datetime(2016, 1, 18, 8, 2, 49, 646270)
>>>>
> '{0.tm_year:4d}{0.tm_mon:02d}{0.tm_mday:02d}{0.tm_hour:02d}{0.tm_min:02d}{0.tm_sec:02d}Z'.format(value.utctimetuple())
> '20160118080249Z'
>
> https://docs.python.org/2/library/datetime.html#datetime.datetime.utctimetuple

From jcholast at redhat.com Tue Jan 19 10:43:41 2016
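Added example for the PATCH 0397 thread above (Christian's utctimetuple() suggestion and Petr's point about reporting ValueError), not code from FreeIPA, from the patch under review, or from either author: a converter that normalises tz-aware datetimes to UTC, assumes UTC for tz-naive ones, never calls strftime() (so pre-1900 dates also work on Python 2), raises ValueError for anything it cannot encode, and a strict parser back. The sample datetimes are constructed; the function names are this example's own.

```python
"""LDAP generalized time ('YYYYMMDDHHMMSSZ') conversion that honours time zones.

Added example, not FreeIPA code.  Requires Python 3 for datetime.timezone.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample values, not taken from the thread.
NAIVE_UTC = datetime(2016, 1, 18, 8, 2, 49, 646270)     # tz-naive, assumed to be UTC
AWARE_CET = datetime(2016, 1, 18, 9, 2, 49,              # the same instant, as +01:00
                     tzinfo=timezone(timedelta(hours=1)))
OLD_DATE = datetime(1850, 7, 4, 12, 30, 0)               # pre-1900: strftime() fails on Python 2

# Strict form written by FreeIPA: four-digit year, whole seconds, 'Z' suffix.
_GENTIME_RE = re.compile(
    r"^(?P<year>\d{4})(?P<month>\d{2})(?P<day>\d{2})"
    r"(?P<hour>\d{2})(?P<minute>\d{2})(?P<second>\d{2})Z$"
)


def to_generalized_time(value):
    """Render a datetime as 'YYYYMMDDHHMMSSZ' in UTC, whole seconds only."""
    if not isinstance(value, datetime):
        raise TypeError("datetime expected, got %s" % type(value).__name__)
    # utctimetuple() applies utcoffset() for tz-aware values and returns the
    # fields unchanged for tz-naive ones; strftime() is never involved.
    t = value.utctimetuple()
    # For tz-aware values near the datetime range limits the UTC year may
    # fall outside 1..9999; report that instead of emitting a bad string.
    if not 1 <= t.tm_year <= 9999:
        raise ValueError("year %d cannot be encoded as generalized time" % t.tm_year)
    # %04d (rather than %4d) keeps years below 1000 four digits wide.
    return "%04d%02d%02d%02d%02d%02dZ" % (
        t.tm_year, t.tm_mon, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec)


def from_generalized_time(text):
    """Parse the strict 'YYYYMMDDHHMMSSZ' form into a tz-aware UTC datetime.

    Fractional seconds or numeric offsets (allowed by RFC 4517, never produced
    here) are rejected rather than guessed at; datetime() itself rejects
    impossible field values such as month 13 or February 30.
    """
    m = _GENTIME_RE.match(text)
    if m is None:
        raise ValueError("not a generalized time in the expected form: %r" % text)
    fields = {name: int(digits) for name, digits in m.groupdict().items()}
    return datetime(tzinfo=timezone.utc, **fields)


def is_generalized_time(text):
    """True when text is a valid generalized time value in the strict form."""
    try:
        from_generalized_time(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for value in (NAIVE_UTC, AWARE_CET, OLD_DATE):
        encoded = to_generalized_time(value)
        print("%r -> %s -> %r" % (value, encoded, from_generalized_time(encoded)))
```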
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 19 Jan 2016 11:43:41 +0100
Subject: [Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python
In-Reply-To: <5695166E.40608@redhat.com>
References: <568E26DF.6090507@redhat.com> <568E646C.6070003@redhat.com> <5694BA31.8010804@redhat.com> <5694C520.2060905@redhat.com> <5694E0DD.40905@redhat.com> <5694E25D.6060203@redhat.com> <5694F274.1040002@redhat.com> <56950325.80907@redhat.com> <5695166E.40608@redhat.com>
Message-ID: <569E135D.8010501@redhat.com>

On 12.1.2016 16:06, Martin Basti wrote:
>
>
> On 12.01.2016 14:44, Jan Cholasta wrote:
>> On 12.1.2016 13:32, Martin Basti wrote:
>>>
>>>
>>> On 12.01.2016 12:24, Jan Cholasta wrote:
>>>> On 12.1.2016 12:17, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 12.01.2016 10:19, Jan Cholasta wrote:
>>>>>> On 12.1.2016 09:32, Martin Basti wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 07.01.2016 14:13, Jan Cholasta wrote:
>>>>>>>> On 7.1.2016 09:50, Jan Cholasta wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> the attached patch ports the _ipap11helper module to python-cffi.
>>>>>>>>>
>>>>>>>>> Combined with my patch 536 [1], this makes ipapython architecture
>>>>>>>>> independent.
>>>>>>>>
>>>>>>>> Updated patch attached.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> I tried to run DNSSEC tests and it failed unexpectedly:
>>>>>>>
>>>>>>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: Connected
>>>>>>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: replica pub keys in LDAP: set(['0x51df7c70b9869a7dd2bbd27335dba3f8', '0xd8538e634797420ca86cda420234443c'])
>>>>>>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: replica pub keys in SoftHSM: set(['0x51df7c70b9869a7dd2bbd27335dba3f8', '0x1f7241a64d69ced6c0a14f6999410c59'])
>>>>>>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: new replica keys in LDAP: set(['0xd8538e634797420ca86cda420234443c'])
>>>>>>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: label=dnssec-replica:replica1.ipa.test., id=d8538e634797420ca86cda420234443c, data=30820122300d06092a864886f70d01010105
>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: Traceback (most recent call last):
>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File "/usr/libexec/ipa/ipa-ods-exporter", line 664, in
>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File "/usr/libexec/ipa/ipa-ods-exporter", line 313, in ldap2master_replica_keys_sync
>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: localhsm.import_public_key(new_key_ldap, new_key_ldap['ipapublickey'])
>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py", line 173, in import_public_key
>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: h = self.p11.import_public_key(**params)
>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1498, in import_public_key
>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: pkey = d2i_PUBKEY(NULL, data_ptr, data_length)
>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: TypeError: 'int(*)(EVP_PKEY *, unsigned char * *)' expects 2 arguments, got 3
>>>>>>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: Main process exited, code=exited, status=1/FAILURE
>>>>>>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: Unit entered failed state.
>>>>>>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: Failed with result 'exit-code'.
>>>>>>>
>>>>>>> I haven't seen any other errors
>>>>>>
>>>>>> Updated patch attached. Added a patch which replaces calls to
>>>>>> libcrypto with calls to python-cryptography.
>>>>>>
>>>>>
>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] Done configuring DNS (named).
>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] Configuring DNS key synchronization service (ipa-dnskeysyncd)
>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [1/7]: checking status
>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [2/7]: setting up bind-dyndb-ldap working directory
>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [3/7]: setting up kerberos principal
>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [4/7]: setting up SoftHSM
>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [5/7]: adding DNSSEC containers
>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [6/7]: creating replica keys
>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [error] Error: export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] ipa.ipapython.install.cli.install_tool(Server): ERROR export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] Exit code: 1
>>>>>
>>>>> ipa-server-install.log
>>>>> ....
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 436, in run_step
>>>>>     method()
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 342, in __setup_replica_keys
>>>>>     public_key_blob = p11.export_public_key(public_key_handle)
>>>>>   File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1275, in export_public_key
>>>>>     return self._export_RSA_public_key(object)
>>>>>   File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1240, in _export_RSA_public_key
>>>>>     raise Error("export_RSA_public_key: internal error: "
>>>>>
>>>>> 2016-01-12T11:00:29Z DEBUG The ipa-server-install command failed, exception: Error: export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
>>>>> 2016-01-12T11:00:29Z ERROR export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
>>>>
>>>> Updated patch 538 attached.
>>>>
>>> Jan 12 12:31:43 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[31178]: Connected
>>> Jan 12 12:31:44 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[31178]: replica pub keys in LDAP: set(['0xf5edad67436d0ed36b75c3a70216fa43', '0x7164a931484d505f1e249e3dcbc313e2'])
>>> Jan 12 12:31:44 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[31178]: replica pub keys in SoftHSM: set(['0xf5edad67436d0ed36b75c3a70216fa43', '0x7164a931484d505f1e249e3dcbc313e2', '0x28e302ae6b6ee7e9284cd5f6
>>> Jan 12 12:31:44 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[31178]: new replica keys in LDAP: set([])
>>> Jan 12 12:31:44 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[31178]: obsolete replica keys in local HSM: set(['0x28e302ae6b6ee7e9284cd5f61aadbbe7'])
>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: Traceback (most recent call last):
>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File "/usr/libexec/ipa/ipa-ods-exporter", line 664, in
>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File "/usr/libexec/ipa/ipa-ods-exporter", line 321, in ldap2master_replica_keys_sync
>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: localhsm.replica_pubkeys_wrap[key_id]['ipk11wrap'] = False
>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py", line 65, in __setitem__
>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: return self.p11.set_attribute(self.handle, attrs_name2id[key], value)
>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1661, in set_attribute
>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: sizeof(CK_ATTRIBUTE)))
>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: TypeError: an integer is required
>>> Jan 12 12:31:44 master.ipa.test systemd[1]: ipa-ods-exporter.service: Main process exited, code=exited, status=1/FAILURE
>>>
>>
>> Updated patch 537 attached.
>>
> Jan 12 15:04:10 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: Connected
> Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: replica pub keys in LDAP: set(['0x0e3dfd7343999d2ea7d17ac4ce15e4ca', '0x9fc77beeb4b8ef33402e4fbb67d9b5e1'])
> Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: replica pub keys in SoftHSM: set(['0x0e3dfd7343999d2ea7d17ac4ce15e4ca', '0x9fc77beeb4b8ef33402e4fbb67d9b5e1'])
> Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: new replica keys in LDAP: set([])
> Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: obsolete replica keys in local HSM: set([])
> Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: keys in local HSM & LDAP: set(['0x0e3dfd7343999d2ea7d17ac4ce15e4ca', '0x9fc77beeb4b8ef33402e4fbb67d9b5e1'])
> Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: Updating attribute ipk11verifyrecover from "1" to "False"
> Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: master keys in local HSM: set([])
> Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: master keys in LDAP HSM: set([])
> Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: new master keys in local HSM: set([])
> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: Traceback (most recent call last):
> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/libexec/ipa/ipa-ods-exporter", line 665, in
> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: master2ldap_master_keys_sync(log, ldapkeydb, localhsm)
> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/libexec/ipa/ipa-ods-exporter", line 340, in master2ldap_master_keys_sync
> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: ldapkeydb.flush()
> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line 311, in flush
> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: self._update_keys()
> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line 307, in _update_keys
> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: key._update_key()
> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line 179, in _update_key
> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: self._cleanup_key()
> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line 170, in _cleanup_key
> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: if self.get(attr, empty) == default_attrs[attr]:
> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/lib64/python2.7/_abcoll.py", line 382, in get
> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: return self[key]
> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line 132, in __getitem__
> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: val = ldap_bool(val)
> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line 39, in ldap_bool
> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: raise AssertionError('invalid LDAP boolean "%s"' % val)
> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: AssertionError: invalid LDAP boolean "1"
> Jan 12 15:04:11 master.ipa.test systemd[1]: ipa-ods-exporter.service: Main process exited, code=exited, status=1/FAILURE
>
>
> You can run the dnssec test, it has been fixed.

Updated patches attached. The test now passes.

--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-537.5-ipapython-port-p11helper-C-code-to-Python.patch
Type: text/x-patch
Size: 163225 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-538.2-ipapython-use-python-cryptography-instead-of-libcryp.patch
Type: text/x-patch
Size: 15055 bytes
Desc: not available
URL:

From mbasti at redhat.com Tue Jan 19 12:43:54 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 19 Jan 2016 13:43:54 +0100
Subject: [Freeipa-devel] [PATCH 0407] WIP: make-lint migration to config file and pylint plugin due pylint 1.5.2
Message-ID: <569E2F8A.5090905@redhat.com>

The new pylint version will break our custom make-lint script again; the attached patch migrates make-lint to:
* a config file
* a pylint plugin
which are supported by pylint and should not have regular compatibility issues.

To test the new approach, run ./make-lint2

Advantages:
* compatibility with pylint
* works on both pylint-1.4.3-3.fc23.noarch and pylint-1.5.2-1.fc24.noarch
* the pylint plugin works in a different way than the previous custom checker. Missing ("dynamic") attributes are added to the abstract syntax tree instead of ignoring them and all their sub-members. This makes the check better: pylint can detect more typos in test configurations, api, env, etc.

Disadvantages:
* any new attribute in api, test config, etc. must be added to the definition of missing members (pylint plugin) - this should not happen too often

Q&TODO:
* make-lint: should it be just a bash script or rather a python script?
* add dynamic detection of python files to be checked
* should I keep the current options from the original make-lint?
* several false positive errors I haven't been able to fix in the plugin yet; in the worst case they can be locally disabled:

************* Module ipalib.plugins.vault
ipalib/plugins/vault.py:1654: [E1101(no-member), vault_archive.forward] Class 'subject_public_key_info' has no 'public_key' member)
ipalib/plugins/vault.py:1858: [E1101(no-member), vault_retrieve.forward] Class 'subject_public_key_info' has no 'public_key' member)
************* Module ipatests.test_ipapython.test_ipautil
ipatests/test_ipapython/test_ipautil.py:390: [E1101(no-member), TestTimeParser.test_time_zones] Class 'tzinfo' has no 'houroffset' member)
ipatests/test_ipapython/test_ipautil.py:391: [E1101(no-member), TestTimeParser.test_time_zones] Class 'tzinfo' has no 'minoffset' member)
ipatests/test_ipapython/test_ipautil.py:392: [E1101(no-member), TestTimeParser.test_time_zones] Class 'tzinfo' has no 'utcoffset' member)
ipatests/test_ipapython/test_ipautil.py:392: [E1101(no-member), TestTimeParser.test_time_zones] Class 'tzinfo' has no 'dst' member)
ipatests/test_ipapython/test_ipautil.py:398: [E1101(no-member), TestTimeParser.test_time_zones] Class 'tzinfo' has no 'houroffset' member)
ipatests/test_ipapython/test_ipautil.py:399: [E1101(no-member), TestTimeParser.test_time_zones] Class 'tzinfo' has no 'minoffset' member)
ipatests/test_ipapython/test_ipautil.py:400: [E1101(no-member), TestTimeParser.test_time_zones] Class 'tzinfo' has no 'utcoffset' member)
ipatests/test_ipapython/test_ipautil.py:400: [E1101(no-member), TestTimeParser.test_time_zones] Class 'tzinfo' has no 'dst' member)
ipatests/test_ipapython/test_ipautil.py:406: [E1101(no-member), TestTimeParser.test_time_zones] Class 'tzinfo' has no 'houroffset' member)
ipatests/test_ipapython/test_ipautil.py:407: [E1101(no-member), TestTimeParser.test_time_zones] Class 'tzinfo' has no 'minoffset' member)
ipatests/test_ipapython/test_ipautil.py:410: [E1101(no-member), TestTimeParser.test_time_zones] Class 'tzinfo' has no 'utcoffset' member)
ipatests/test_ipapython/test_ipautil.py:410: [E1101(no-member), TestTimeParser.test_time_zones] Class 'tzinfo' has no 'dst' member)
ipatests/test_ipapython/test_ipautil.py:416: [E1101(no-member), TestTimeParser.test_time_zones] Class 'tzinfo' has no 'houroffset' member)
ipatests/test_ipapython/test_ipautil.py:417: [E1101(no-member), TestTimeParser.test_time_zones] Class 'tzinfo' has no 'minoffset' member)
ipatests/test_ipapython/test_ipautil.py:418: [E1101(no-member), TestTimeParser.test_time_zones] Class 'tzinfo' has no 'utcoffset' member)
ipatests/test_ipapython/test_ipautil.py:418: [E1101(no-member), TestTimeParser.test_time_zones] Class 'tzinfo' has no 'dst' member)

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0407-WIP-make-lint-use-config-file-and-plugin-for-pylint.patch Type: text/x-patch Size: 22082 bytes Desc: not available URL:
From pviktori at redhat.com Tue Jan 19 12:45:25 2016
From: pviktori at redhat.com (Petr Viktorin) Date: Tue, 19 Jan 2016 13:45:25 +0100 Subject: [Freeipa-devel] [PATCHES] 0752-0757, 0759 Enable pylint --py3k In-Reply-To: <569DE993.30002@redhat.com> References: <568D2494.9080602@redhat.com> <568FA169.4030900@redhat.com> <5693B2F8.1060905@redhat.com> <56950653.8060406@redhat.com> <5695114B.3070807@redhat.com> <5697DAFD.50603@redhat.com> <569DE993.30002@redhat.com> Message-ID: <569E2FE5.3010405@redhat.com> On 01/19/2016 08:45 AM, Jan Cholasta wrote: > On 14.1.2016 18:29, Petr Viktorin wrote: >> On 01/12/2016 03:44 PM, Petr Viktorin wrote: >>> >>>>> Hello I tried --py3k option and it doesn't print any error, can we >>>>> enable that check by default to prevent python3 regressions? >>>>> >>>>> # ./make-lint --py3k >>>>> No config file found, using default configuration >>>> >>>> Squash in the other attached patch to enable it by default. >>> >>> Sorry, please ignore the squash patch -- if --py3k is to be on by >>> default, I'll also need to add all needed packages to BuildRequires. >> >> Actually, after all, that's not true -- the py3 libraries aren't needed >> for pylint --py3k. >> So, patches are ready for review as they are (with your choice of what >> the default should be). > > Patch 759: > > 1) Typo: 'Skil the main lint check'. Will fix in the next patches. > 2) Why the indentation change in output? Fixed. I'm attaching the changed patch only. > Regarding --(no-)py3k, do we even need the option? I would just enable > the checks and not add the option unless someone specifically asked for it. Several times I was annoyed how hard it is to use IPA's make-lint if you need to do something other than lint the whole codebase with the default options. (Usually what I end up doing is copying make-lint and patching the copy to do what I want.) I don't want to add to the annoyance by making it impossible to run just one of the checks. So consider me asking for this :) > Otherwise LGTM, including patch 758. 
Attaching updated patches, with py3k check as default squashed in.
I also added a pylint exception for a new use of reload() in 0756.
One more thing I did was disable pylint's long and uninteresting report, so now only the messages are shown.

-- Petr Viktorin
-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0752.4-Use-explicit-truncating-division.patch Type: text/x-patch Size: 4884 bytes Desc: not available URL:
-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0753.4-Don-t-index-exceptions-directly.patch Type: text/x-patch Size: 2547 bytes Desc: not available URL:
-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0754.4-Use-print_function-future-definition-wherever-print-.patch Type: text/x-patch Size: 1892 bytes Desc: not available URL:
-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0755.4-Alias-unicode-to-str-under-Python-3.patch Type: text/x-patch Size: 5479 bytes Desc: not available URL:
-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0756.4-Avoid-builtins-that-were-removed-in-Python-3.patch Type: text/x-patch Size: 2269 bytes Desc: not available URL:
-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0757.4-dnsutil-Rename-__nonzero__-to-__bool__.patch Type: text/x-patch Size: 1052 bytes Desc: not available URL:
-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0758.4-Remove-deprecated-contrib-RHEL4.patch Type: text/x-patch Size: 37336 bytes Desc: not available URL:
-------------- next part -------------- A non-text attachment was scrubbed...
Name: freeipa-pviktori-0759.4-make-lint-Allow-running-pylint-py3k-to-detect-Python.patch Type: text/x-patch Size: 3714 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0760.4-Split-ipa-client-into-ipaclient-Python-library-and-c.patch Type: text/x-patch Size: 714262 bytes Desc: not available URL: From dkupka at redhat.com Tue Jan 19 12:47:56 2016 From: dkupka at redhat.com (David Kupka) Date: Tue, 19 Jan 2016 13:47:56 +0100 Subject: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir. Message-ID: <569E307C.20602@redhat.com> I've polished the patch attached to #5586 by Timo Aaltonen. Thanks for the patch. I've fixed the path in specfile and removed unused import but otherwise it works, ACK. https://fedorahosted.org/freeipa/ticket/5586 -- David Kupka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tjaalton-0011-Move-freeipa-certmonger-helpers-to-libexecdir.patch Type: text/x-patch Size: 4773 bytes Desc: not available URL: From dkupka at redhat.com Tue Jan 19 12:48:27 2016 From: dkupka at redhat.com (David Kupka) Date: Tue, 19 Jan 2016 13:48:27 +0100 Subject: [Freeipa-devel] [PATCH 0012] Use HTTPD_USER in dogtaginstance.py Message-ID: <569E309B.5090007@redhat.com> I've converted the diff attached to #5587 by Timo Aaltonen. Works for me, ACK. https://fedorahosted.org/freeipa/ticket/5587 -- David Kupka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tjaalton-0012-Use-HTTPD_USER-in-dogtaginstance.py.patch Type: text/x-patch Size: 1367 bytes Desc: not available URL: From cheimes at redhat.com Tue Jan 19 13:20:27 2016 
From: cheimes at redhat.com (Christian Heimes)
Date: Tue, 19 Jan 2016 14:20:27 +0100
Subject: [Freeipa-devel] [PATCH 0029] Move user/group constants for PKI and DS into ipaplatform
Message-ID: <569E381B.3040104@redhat.com>

ipaplatform.constants has platform specific names for a couple of system users like Apache HTTPD. The user names for PKI_USER, PKI_GROUP, DS_USER and DS_GROUP are defined in other modules. Similar to #5587, my patch moves the constants into the platform module.

https://fedorahosted.org/freeipa/ticket/5619

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0029-Move-user-group-constants-for-PKI-and-DS-into-ipapla.patch Type: text/x-patch Size: 14461 bytes Desc: not available URL:
-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL:
From mkosek at redhat.com Tue Jan 19 13:26:07 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 19 Jan 2016 14:26:07 +0100
Subject: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.
In-Reply-To: <569E307C.20602@redhat.com>
References: <569E307C.20602@redhat.com>
Message-ID: <569E396F.4000104@redhat.com>

On 01/19/2016 01:47 PM, David Kupka wrote:
> I've polished the patch attached to #5586 by Timo Aaltonen.
>
> Thanks for the patch. I've fixed the path in specfile and removed unused import
> but otherwise it works, ACK.
>
> https://fedorahosted.org/freeipa/ticket/5586

Won't this break existing certmonger requests depending on the old path?

# getcert list | grep '/usr/lib64/ipa/certmonger'
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
post-save command: /usr/lib64/ipa/certmonger/restart_httpd

From mbasti at redhat.com Tue Jan 19 13:27:49 2016
From: mbasti at redhat.com (Martin Basti) Date: Tue, 19 Jan 2016 14:27:49 +0100 Subject: [Freeipa-devel] [PATCH 0398] logger: Use warning instead of warn In-Reply-To: <569D17E2.5090005@redhat.com> References: <56990FC7.4090603@redhat.com> <56991A64.1050803@redhat.com> <56991B2F.70304@redhat.com> <569D17A0.5040906@redhat.com> <569D17E2.5090005@redhat.com> Message-ID: <569E39D5.4090702@redhat.com> On 18.01.2016 17:50, Martin Basti wrote: > > > On 18.01.2016 17:49, Martin Basti wrote: >> >> >> On 15.01.2016 17:15, Tomas Babej wrote: >>> >>> On 01/15/2016 05:12 PM, Martin Basti wrote: >>>> >>>> On 15.01.2016 16:27, Tomas Babej wrote: >>>>> Hi, >>>>> >>>>> this should build up to another pylint-related patch Martin^2 has >>>>> in works. >>>>> >>>>> Tomas >>>>> >>>>> >>>>> >>>> NACK :) >>>> >>>> ************* Module ipalib.plugins.dns >>>> ipalib/plugins/dns.py:3441: [E1101(no-member), >>>> dnsrecord.wait_for_modified_attr] Class 'log' has no 'warn' member) >>>> >>> My regexp was too strict, it seems :) >>> >>> Updated patch attached. >> ACK >> log.warn() is deprecated >> https://docs.python.org/3/library/logging.html#logging.Logger.warning >> > Pushed to master: 78c5bf9f8e85b4c6c9b67b4a26acedfd45a2c86f > I accidentally pushed the first patch, so missing line is here Pushed to master: ddf2c813b453a85c22dbf278a575d3c6406b4471 From jcholast at redhat.com Tue Jan 19 13:38:27 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 19 Jan 2016 14:38:27 +0100 Subject: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir. In-Reply-To: <569E396F.4000104@redhat.com> References: <569E307C.20602@redhat.com> <569E396F.4000104@redhat.com> Message-ID: <569E3C53.9030100@redhat.com> On 19.1.2016 14:26, Martin Kosek wrote: > On 01/19/2016 01:47 PM, David Kupka wrote: >> I've polished the patch attached to #5586 by Timo Aaltonen. >> >> Thanks for the patch. I've fixed the path in specfile and removed unused import >> but otherwise it works, ACK. >> >> https://fedorahosted.org/freeipa/ticket/5586 > > Won't this break existing certmonger requests depending on the old path? It will, I don't see any upgrade code. > > # getcert list | grep '/usr/lib64/ipa/certmonger' > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert > cert-pki-ca" > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert > cert-pki-ca" > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert > cert-pki-ca" > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert > cert-pki-ca" > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert > cert-pki-ca" > post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72 > post-save command: /usr/lib64/ipa/certmonger/restart_httpd > -- Jan Cholasta From mkubik at redhat.com Tue Jan 19 14:49:31 2016 
From: mkubik at redhat.com (Milan Kubík)
Date: Tue, 19 Jan 2016 15:49:31 +0100
Subject: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
In-Reply-To: <81340538.11928726.1452868912243.JavaMail.zimbra@redhat.com>
References: <20151106113201.5e6a7042@dhcp-24-123.brq.redhat.com> <56448E17.2010409@redhat.com> <20151203173843.37179230@vor2.netbox.priv> <869710129.24860544.1449498571599.JavaMail.zimbra@redhat.com> <20151210112952.3ddb7136@vor2.netbox.priv> <964966782.26674717.1449760307850.JavaMail.zimbra@redhat.com> <273613290.27075436.1449834011983.JavaMail.zimbra@redhat.com> <184590988.47122995.1450007607203.JavaMail.zimbra@redhat.com> <81340538.11928726.1452868912243.JavaMail.zimbra@redhat.com>
Message-ID: <569E4CFB.8040808@redhat.com>

On 01/15/2016 03:41 PM, Filip Skola wrote:
> Hi,
>
> sending rebased patch on top of 58c42ddac0964a8cce7c1e1faa7516da53f028ad.
>
> Includes a "fix" for the rename-to-invalid-username issue for the new version.
>
> F.
>
> ----- Original Message -----
>> Hi,
>>
>> I don't know what is causing the \r\n issue. I use vim and then send each
>> email with claws-mail. Didn't spot this issue when trying emailing the patch
>> to my other address. I'm trying to send it from zimbra now, let me know if
>> that helped pls.
>>
>> Fix for the stageuser plugin issues caused by this patch should have been
>> included in the last update; I think the remaining issue is not caused by
>> UserTracker changes. Please correct me, if I'm wrong.
>>
>>> There is some issue with "test_rename_to_too_long_login" test. It fails but
>>> actually this is false positive because it is possible to create login upto
>>> 255 characters. I don't know why test mentions 32 characters without any
>>> other modified setup.
>>> NACK for now.
>>> - alich -
>> This has been changed. This test still fails, though.
>>
>> Filip
>>
>>>
>>> ----- Original Message -----
>>>> From: "Aleš Mareček"
>>>> To: "Filip Škola"
>>>> Cc: freeipa-devel at redhat.com, "Milan Kubík"
>>>> Sent: Thursday, December 10, 2015 4:11:47 PM
>>>> Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
>>>>
>>>> Ah, sorry, haven't realized there had been devel list attached.
>>>> Ok, there is some problem with \r\n in the patch.
>>>> Filip, please take a look at it...
>>>> Thanks...
>>>> - alich -
>>>>
>>>> ----- Original Message -----
>>>>> From: "Filip Škola"
>>>>> To: "Aleš Mareček"
>>>>> Cc: freeipa-devel at redhat.com, "Milan Kubík"
>>>>> Sent: Thursday, December 10, 2015 11:29:52 AM
>>>>> Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
>>>>>
>>>>> Hi,
>>>>>
>>>>> this is fixed. Also issues with test_stageuser_plugin caused by
>>>>> UserTracker changes should be fixed here.
>>>>>
>>>>> Filip
>>>>>
>>>>>
>>>>> On Mon, 7 Dec 2015 09:29:31 -0500 (EST)
>>>>> Aleš Mareček wrote:
>>>>>
>>>>>> NACK.
>>>>>>
>>>>>> $ ./make-lint
>>>>>> ************* Module ipatests.test_xmlrpc.test_user_plugin
>>>>>> ipatests/test_xmlrpc/test_user_plugin.py:42: [E0611(no-name-in-module), ] No name 'ldaptracker' in module 'ipatests.test_xmlrpc')
>>>>>>
>>>>>> $ grep ldaptracker ipatests/test_xmlrpc/test_user_plugin.py
>>>>>> from ipatests.test_xmlrpc.ldaptracker import Tracker
>>>>>> $ ls ipatests/test_xmlrpc/ldaptracker*
>>>>>> ls: cannot access ipatests/test_xmlrpc/ldaptracker*: No such file or directory
>>>>>>
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Filip Škola"
>>>>>>> To: "Milan Kubík"
>>>>>>> Cc: freeipa-devel at redhat.com
>>>>>>> Sent: Thursday, December 3, 2015 5:38:43 PM
>>>>>>> Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> sending corrected version.
>>>>>>>
>>>>>>> F.
>>>>>>>
>>>>>>> On Thu, 12 Nov 2015 14:03:19 +0100
>>>>>>> Milan Kubík wrote:
>>>>>>>
>>>>>>>> On 11/10/2015 12:13 PM, Filip Škola wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> fixed.
>>>>>>>>>
>>>>>>>>> F.
>>>>>>>>>
>>>>>>>>> On Tue, 10 Nov 2015 10:52:45 +0100
>>>>>>>>> Milan Kubík wrote:
>>>>>>>>>
>>>>>>>>>> On 11/09/2015 04:35 PM, Filip Škola wrote:
>>>>>>>>>>> Another patch was applied in the meantime.
>>>>>>>>>>>
>>>>>>>>>>> Attaching an updated version.
>>>>>>>>>>>
>>>>>>>>>>> F.
>>>>>>>>>>>
>>>>>>>>>>> On Mon, 9 Nov 2015 13:35:02 +0100
>>>>>>>>>>> Milan Kubík wrote:
>>>>>>>>>>>
>>>>>>>>>>>> On 11/06/2015 11:32 AM, Filip Škola wrote:
>>>>>>>>>>>> Hi,
>>>>>>>>>>>> the patch doesn't apply.
>>>>>>>>>>>>
>>>>>>>>>> Please fix this.
>>>>>>>>>>
>>>>>>>>>> ipatests/test_xmlrpc/test_user_plugin.py:1419: [E0602(undefined-variable), TestDeniedBindWithExpiredPrincipal.teardown_class] Undefined variable 'user1')
>>>>>>>>>>
>>>>>>>>>> Also, use the version numbers for your changed patches.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>> Thanks for the patch. Several issues:
>>>>>>>>
>>>>>>>> 1. Use dict.items instead of dict.iteritems, for python3 compatibility
>>>>>>>>
>>>>>>>> 2. What is the purpose of TestPrepare class? The 'purge' methods do not call any ipa commands.
>>>>>>>> Tracker.make_fixture should be used to make the Tracked resources clean themselves up when they're out of scope.
>>>>>>>>
>>>>>>>> 3. Why reference the resources by hardcoded name if they have a fixture representation?
>>>>>>>>
>>>>>>>> 4. Rewrite {create,delete}_test_group to a fixture. You may want to use different scope (or not).
>>>>>>>>
>>>>>>>> 5. In `def atest_rename_to_invalid_login(self, user):` - use pytest.skipif decorator and provide a reason if you must, do not obfuscate method name in order not to run it.
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Manage your subscription for the Freeipa-devel mailing list:
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>>>>>
>> --
>> Manage your subscription for the Freeipa-devel mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

NACK, there are errors occurring that do not appear in the respective test cases in the declarative test. In the original module the `Test a login name that is too long` and `Try to rename to a username that is too long` do not use {add,set}attr. Why do you use them?

I'm also postponing the review of your other patches as they depend on changes in this one.

-- Milan Kubik
-------------- next part -------------- An HTML attachment was scrubbed... URL:
From dkupka at redhat.com Tue Jan 19 15:10:30 2016
From: dkupka at redhat.com (David Kupka) Date: Tue, 19 Jan 2016 16:10:30 +0100 Subject: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir. In-Reply-To: <569E3C53.9030100@redhat.com> References: <569E307C.20602@redhat.com> <569E396F.4000104@redhat.com> <569E3C53.9030100@redhat.com> Message-ID: <569E51E6.6060005@redhat.com> On 19/01/16 14:38, Jan Cholasta wrote: > On 19.1.2016 14:26, Martin Kosek wrote: >> On 01/19/2016 01:47 PM, David Kupka wrote: >>> I've polished the patch attached to #5586 by Timo Aaltonen. >>> >>> Thanks for the patch. I've fixed the path in specfile and removed >>> unused import >>> but otherwise it works, ACK. >>> >>> https://fedorahosted.org/freeipa/ticket/5586 >> >> Won't this break existing certmonger requests depending on the old path? > > It will, I don't see any upgrade code. > >> >> # getcert list | grep '/usr/lib64/ipa/certmonger' >> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >> "auditSigningCert >> cert-pki-ca" >> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >> "ocspSigningCert >> cert-pki-ca" >> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >> "subsystemCert >> cert-pki-ca" >> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >> "caSigningCert >> cert-pki-ca" >> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert >> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >> "Server-Cert >> cert-pki-ca" >> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72 >> post-save command: /usr/lib64/ipa/certmonger/restart_httpd >> > > You're right it will break the upgrade. 
I haven't noticed that Server-Cert for DS and HTTPD are not handled by certificate_renewal_update (ipaserver.install.server.upgrade) where all the other trackings are stopped and then configured again with the paths.CERTMONGER_COMMAND_TEMPLATE already updated. Thanks for the catch. -- David Kupka From cheimes at redhat.com Tue Jan 19 15:34:24 2016 
From: cheimes at redhat.com (Christian Heimes)
Date: Tue, 19 Jan 2016 16:34:24 +0100
Subject: [Freeipa-devel] [PATCH 0407] WIP: make-lint migration to config file and pylint plugin due pylint 1.5.2
In-Reply-To: <569E2F8A.5090905@redhat.com>
References: <569E2F8A.5090905@redhat.com>
Message-ID: <569E5780.6010209@redhat.com>

On 2016-01-19 13:43, Martin Basti wrote:
> +
> +def fake_class(name_or_class_obj, members=[]):

Please use a non-mutable argument here. members=() will do the job just fine.

> +    if isinstance(name_or_class_obj, scoped_nodes.Class):
> +        cl = name_or_class_obj
> +    else:
> +        cl = scoped_nodes.Class(name_or_class_obj, None)
> +
> +    for m in members:
> +        if isinstance(m, str):
> +            if m in cl.locals:
> +                _warning_already_exists(cl, m)
> +            else:
> +                cl.locals[m] = [scoped_nodes.Class(m, None)]
> +        elif isinstance(m, dict):
> +            for key, val in m.items():
> +                assert isinstance(key, str), "key must be string"
> +                if key in cl.locals:
> +                    _warning_already_exists(cl, key)
> +                    fake_class(cl.locals[key], val)
> +                else:
> +                    cl.locals[key] = [fake_class(key, val)]
> +        else:
> +            # here can be used any astroid type
> +            if m.name in cl.locals:
> +                _warning_already_exists(cl, m.name)
> +            else:
> +                cl.locals[m.name] = [copy.copy(m)]
> +    return cl

...

> +ipa_class_members = {
> +    # Python standard library & 3rd party classes
> +    'socket._socketobject': ['sendall'],
> +# !!!    'datetime.tzinfo': ['houroffset', 'minoffset', 'utcoffset', 'dst'],
> +# !!!    'nss.nss.subject_public_key_info': ['public_key'],
> +
> +    # IPA classes
> +    'ipalib.base.NameSpace': [
> +        'add',
> +        'mod',
> +        'del',
> +        'show',
> +        'find'
> +    ],
> +    'ipalib.cli.Collector': ['__options'],
> +    'ipalib.config.Env': [
> +        {'__d': ['get']},
> +        {'__done': ['add']},
> +        'xmlrpc_uri',
> +        'validate_api',
> +        'startup_traceback',
> +        'verbose'
> +    ] + LOGGING_ATTRS,

The rules for __options, __d and __done may lead to false detection.
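Review bot: in the "elif isinstance(m, dict)" branch, the call fake_class(cl.locals[key], val) hands the recursive call the list stored in cl.locals[key], not the class node inside it (every other branch stores a one-element list, e.g. cl.locals[m] = [scoped_nodes.Class(m, None)]), so the isinstance(name_or_class_obj, scoped_nodes.Class) check fails, a fresh scoped_nodes.Class is created with that list as its name, and the existing entry is never extended with the nested members. Pass the node itself (cl.locals[key][0], or iterate over the list) so the merge actually happens, and decide whether _warning_already_exists should fire at all on that path, since merging into an existing entry looks like the intended behaviour there.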
Class member and attribute names with leading double underscore are mangled, so Collector.__options is turned into __Collector_options. self.__options works because it's also mangled. But from other classes, the attribute must be referred to as __Collector_options. Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From jcholast at redhat.com Tue Jan 19 15:44:15 2016 
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 19 Jan 2016 16:44:15 +0100
Subject: [Freeipa-devel] [PATCH 536] ipapython: remove default_encoding_utf8
In-Reply-To: <5698E977.1070308@redhat.com>
References: <568B76A0.7010009@redhat.com> <568B9B3D.3030709@redhat.com> <568CFB88.7020007@redhat.com> <5694C649.8060503@redhat.com> <5698E977.1070308@redhat.com>
Message-ID: <569E59CF.8090303@redhat.com>

On 15.1.2016 13:43, Tomas Babej wrote:
>
>
> On 01/12/2016 10:24 AM, Jan Cholasta wrote:
>> On 6.1.2016 12:33, Christian Heimes wrote:
>>> On 2016-01-05 11:30, Tomas Babej wrote:
>>>>
>>>>
>>>> On 01/05/2016 08:54 AM, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> the attached patch replaces the default_encoding_utf8 binary module with
>>>>> 2 lines of equivalent Python code.
>>>>>
>>>>> Honza
>>>>>
>>>>>
>>>>>
>>>>
>>>> This looks fine to me, however, I wonder, why this approach was ever
>>>> taken? The sys.setdefaultencoding is available in all versions of Python
>>>> ever supported by FreeIPA.
>>>>
>>>> Is it possible we're missing something here? Or was this option simply
>>>> overlooked?
>>>
>>> sys.setdefaultencoding() is not available unless you use a hack and
>>> reload the sys module. The function is hidden for a very good reason. It
>>> can and will break internal assumption as well as libraries in bad, hard
>>> to detect ways. For example it wreaks havoc on hashing for dicts and
>>> sets.
>>>
>>> The blog posting
>>> https://anonbadger.wordpress.com/2015/06/16/why-sys-setdefaultencoding-will-break-code/
>>>
>>> explains the problem in much greater detail.
>>
>> Tomáši, does this answer your question?
>>
>
> Not really, I was more curious as to why the current, more complex
> solution using the C extension was ever preferred over pure python version.
>
>> Updated patch attached.
>
> Patch works fine, ACK.
>
> Pushed to master: 7e56b4bbd79d9d42af23babc7496dd15d85d28ea

...
and to ipa-4-3: 1cf005679d9c27e57ee3507e574f11b6a20f4450 -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-536.1.4_3-ipapython-remove-default_encoding_utf8.patch Type: text/x-patch Size: 8663 bytes Desc: not available URL: From jcholast at redhat.com Tue Jan 19 15:52:22 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 19 Jan 2016 16:52:22 +0100 Subject: [Freeipa-devel] [PATCHES] 0752-0757, 0759 Enable pylint --py3k In-Reply-To: <569E2FE5.3010405@redhat.com> References: <568D2494.9080602@redhat.com> <568FA169.4030900@redhat.com> <5693B2F8.1060905@redhat.com> <56950653.8060406@redhat.com> <5695114B.3070807@redhat.com> <5697DAFD.50603@redhat.com> <569DE993.30002@redhat.com> <569E2FE5.3010405@redhat.com> Message-ID: <569E5BB6.3070508@redhat.com> On 19.1.2016 13:45, Petr Viktorin wrote: > On 01/19/2016 08:45 AM, Jan Cholasta wrote: >> On 14.1.2016 18:29, Petr Viktorin wrote: >>> On 01/12/2016 03:44 PM, Petr Viktorin wrote: >>>> >>>>>> Hello I tried --py3k option and it doesn't print any error, can we >>>>>> enable that check by default to prevent python3 regressions? >>>>>> >>>>>> # ./make-lint --py3k >>>>>> No config file found, using default configuration >>>>> >>>>> Squash in the other attached patch to enable it by default. >>>> >>>> Sorry, please ignore the squash patch -- if --py3k is to be on by >>>> default, I'll also need to add all needed packages to BuildRequires. >>> >>> Actually, after all, that's not true -- the py3 libraries aren't needed >>> for pylint --py3k. >>> So, patches are ready for review as they are (with your choice of what >>> the default should be). >> >> Patch 759: >> >> 1) Typo: 'Skil the main lint check'. > > Will fix in the next patches. > >> 2) Why the indentation change in output? > > Fixed. I'm attaching the changed patch only. > >> Regarding --(no-)py3k, do we even need the option? I would just enable >> the checks and not add the option unless someone specifically asked for it. > > Several times I was annoyed how hard it is to use IPA's make-lint if you > need to do something other than lint the whole codebase with the default > options. (Usually what I end up doing is copying make-lint and patching > the copy to do what I want.) 
> > I don't want to add to the annoyance by making it impossible to run just
> > one of the checks. So consider me asking for this :)

Works for me.

>
>> Otherwise LGTM, including patch 758.
>
> Attaching updated patches, with py3k check as default squashed in.
> I also added a pylint exception for a new use of reload() in 0756.
> One more thing I did was disable pylint's long and uninteresting report,
> so now only the messages are shown.

Thanks, ACK.

Could you please rebase the patches on top of ipa-4-3 so I can push them?

-- Jan Cholasta
From mbasti at redhat.com Tue Jan 19 16:01:33 2016
From: mbasti at redhat.com (Martin Basti) Date: Tue, 19 Jan 2016 17:01:33 +0100 Subject: [Freeipa-devel] [PATCH 0407] WIP: make-lint migration to config file and pylint plugin due pylint 1.5.2 In-Reply-To: <569E5780.6010209@redhat.com> References: <569E2F8A.5090905@redhat.com> <569E5780.6010209@redhat.com> Message-ID: <569E5DDD.8090603@redhat.com> On 19.01.2016 16:34, Christian Heimes wrote: > On 2016-01-19 13:43, Martin Basti wrote: >> + >> +def fake_class(name_or_class_obj, members=[]): > Please use a non-mutable argument here. members=() will do the job just > fine. Fixed. >> + if isinstance(name_or_class_obj, scoped_nodes.Class): >> + cl = name_or_class_obj >> + else: >> + cl = scoped_nodes.Class(name_or_class_obj, None) >> + >> + for m in members: >> + if isinstance(m, str): >> + if m in cl.locals: >> + _warning_already_exists(cl, m) >> + else: >> + cl.locals[m] = [scoped_nodes.Class(m, None)] >> + elif isinstance(m, dict): >> + for key, val in m.items(): >> + assert isinstance(key, str), "key must be string" >> + if key in cl.locals: >> + _warning_already_exists(cl, key) >> + fake_class(cl.locals[key], val) >> + else: >> + cl.locals[key] = [fake_class(key, val)] >> + else: >> + # here can be used any astroid type >> + if m.name in cl.locals: >> + _warning_already_exists(cl, m.name) >> + else: >> + cl.locals[m.name] = [copy.copy(m)] >> + return cl > ... > >> +ipa_class_members = { >> + # Python standard library & 3rd party classes >> + 'socket._socketobject': ['sendall'], >> +# !!! 'datetime.tzinfo': ['houroffset', 'minoffset', 'utcoffset', 'dst'], >> +# !!! 
'nss.nss.subject_public_key_info': ['public_key'], >> + >> + # IPA classes >> + 'ipalib.base.NameSpace': [ >> + 'add', >> + 'mod', >> + 'del', >> + 'show', >> + 'find' >> + ], >> + 'ipalib.cli.Collector': ['__options'], >> + 'ipalib.config.Env': [ >> + {'__d': ['get']}, >> + {'__done': ['add']}, >> + 'xmlrpc_uri', >> + 'validate_api', >> + 'startup_traceback', >> + 'verbose' >> + ] + LOGGING_ATTRS, > The rules for __options, __d and __done may lead to false detection. > Class member and attribute names with leading double underscore are > mangled, so Collector.__options is turned into __Collector_options. > self.__options works because it's also mangled. But from other classes, > the attribute must be referred to as __Collector_options. > > Christian > This doesn't work for pylint 'ipalib.config.Env': [ {'_Env__d': ['get']}, {'_Env__done': ['add']}, 'xmlrpc_uri', 'validate_api', 'startup_traceback', 'verbose' ] + LOGGING_ATTRS, ************* Module ipalib.config ipalib/config.py:240: [E1101(no-member), Env.__setitem__] Instance of 'Env' has no '__d' member) ipalib/config.py:242: [E1101(no-member), Env.__setitem__] Instance of 'Env' has no '__d' member) ipalib/config.py:263: [E1101(no-member), Env.__setitem__] Instance of 'Env' has no '__d' member) ipalib/config.py:269: [E1101(no-member), Env.__getitem__] Instance of 'Env' has no '__d' member) ipalib/config.py:292: [E1101(no-member), Env.__contains__] Instance of 'Env' has no '__d' member) ipalib/config.py:298: [E1101(no-member), Env.__len__] Instance of 'Env' has no '__d' member) ipalib/config.py:304: [E1101(no-member), Env.__iter__] Instance of 'Env' has no '__d' member) ipalib/config.py:408: [E1101(no-member), Env.__doing] Instance of 'Env' has no '__done' member) ipalib/config.py:412: [E1101(no-member), Env.__doing] Instance of 'Env' has no '__done' member) ipalib/config.py:415: [E1101(no-member), Env.__do_if_not_done] Instance of 'Env' has no '__done' member) ipalib/config.py:419: [E1101(no-member), 
Env._isdone] Instance of 'Env' has no '__done' member) ipalib/config.py:534: [E1101(no-member), Env._finalize_core] Instance of 'Env' has no '__d' member) From mkubik at redhat.com Tue Jan 19 16:31:31 2016 From: mkubik at redhat.com (Milan Kubík) Date: Tue, 19 Jan 2016 17:31:31 +0100 Subject: [Freeipa-devel] [PATCH 0031] ipatests: fix the install of external ca Message-ID: <569E64E3.4030406@redhat.com> Patch attached. -- Milan Kubik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkubik-0031-ipatests-fix-the-install-of-external-ca.patch Type: text/x-patch Size: 1229 bytes Desc: not available URL: From mbasti at redhat.com Tue Jan 19 16:47:51 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 19 Jan 2016 17:47:51 +0100 Subject: [Freeipa-devel] [TEST][PATCH 0019] A proper fix for reverse-zone creation in integration tests In-Reply-To: <569CD1CC.7020405@redhat.com> References: <5697AB1D.4040804@redhat.com> <569CB0B6.3080609@redhat.com> <569CD1CC.7020405@redhat.com> Message-ID: <569E68B7.70905@redhat.com> On 18.01.2016 12:51, Oleg Fayans wrote: > > On 01/18/2016 10:30 AM, Petr Spacek wrote: >> On 14.1.2016 15:05, Oleg Fayans wrote: >>> Date: Thu, 14 Jan 2016 14:59:37 +0100 >>> Subject: [PATCH] fixed an issue with master installation not creating reverse >>> zone >>> >>> When resolv.conf is set to point to the master's ip before installation, the >>> ipa-server-install does not create a reverse zone for its ip even despite the >>> --auto-reverse option being provided. The fix is not to mess around with resolv.conf >>> before master installation. >>> --- >>> ipatests/test_integration/tasks.py | 7 ++++--- >>> 1 file changed, 4 insertions(+), 3 deletions(-) >> This is a reasonable fix. ACK if it passes your functional tests. > It does :) > Pushed to: master: 7a742391c1558680900bcb130bbf3fe6790fc573 ipa-4-3: d27d2fd8691f37e9824c8367d7e636523006b5d6 From mkubik at redhat.com Tue Jan 19 16:56:06 2016
From: mkubik at redhat.com (Milan Kubík) Date: Tue, 19 Jan 2016 17:56:06 +0100 Subject: [Freeipa-devel] [PATCH 0031] ipatests: fix the install of external ca In-Reply-To: <569E64E3.4030406@redhat.com> References: <569E64E3.4030406@redhat.com> Message-ID: <569E6AA6.2070503@redhat.com> On 01/19/2016 05:31 PM, Milan Kubík wrote: > Patch attached. > > > This actually has a ticket opened. Patch with fixed commit message. ;) -- Milan Kubik -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkubik-0031-1-ipatests-fix-the-install-of-external-ca.patch Type: text/x-patch Size: 1275 bytes Desc: not available URL: From mbabinsk at redhat.com Tue Jan 19 17:04:42 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 19 Jan 2016 18:04:42 +0100 Subject: [Freeipa-devel] [PATCH 0129] correctly set LDAP bind related attributes when setting up replication Message-ID: <569E6CAA.7070301@redhat.com> Fixes https://fedorahosted.org/freeipa/ticket/5412 -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0129-correctly-set-LDAP-bind-related-attributes-when-sett.patch Type: text/x-patch Size: 2280 bytes Desc: not available URL: From pvoborni at redhat.com Tue Jan 19 17:32:48 2016
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 19 Jan 2016 18:32:48 +0100 Subject: [Freeipa-devel] [PATCH] 945 webui: dislay server suffixes in server search page Message-ID: <569E7340.4070505@redhat.com> [PATCH] webui: dislay server suffixes in server search page There was a change where suffixes in server are no longer returned as DNs but rather a cn of related topology suffix. I.e. they share "memberof" logic. This caused the search page not to get the data because it uses "no_member: true" option by default. This patch overrides the behavior because it is OK for server search page to fetch also member data - it is not so costly as e.g. in users. https://fedorahosted.org/freeipa/ticket/5609 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0945-webui-dislay-server-suffixes-in-server-search-page.patch Type: text/x-patch Size: 2646 bytes Desc: not available URL: From pvoborni at redhat.com Tue Jan 19 17:55:09 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 19 Jan 2016 18:55:09 +0100 Subject: [Freeipa-devel] [PATCH] 944 spec: do not require arch specific ipalib package from noarch packages Message-ID: <569E787D.80003@redhat.com> noarch packages should not contain: Requires: some-package-{?_isa} because then they are not the same for each arch - are not noarch https://fedorahosted.org/freeipa/ticket/5568 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0944-spec-do-not-require-arch-specific-ipalib-package-fro.patch Type: text/x-patch Size: 2977 bytes Desc: not available URL: From ftweedal at redhat.com Wed Jan 20 01:54:28 2016
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 20 Jan 2016 11:54:28 +1000 Subject: [Freeipa-devel] [PATCH 0029] Move user/group constants for PKI and DS into ipaplatform In-Reply-To: <569E381B.3040104@redhat.com> References: <569E381B.3040104@redhat.com> Message-ID: <20160120015428.GJ31821@dhcp-40-8.bne.redhat.com> On Tue, Jan 19, 2016 at 02:20:27PM +0100, Christian Heimes wrote: > ipaplatform.constants has platform specific names for a couple of system > users like Apache HTTPD. The user names for PKI_USER, PKI_GROUP, DS_USER > and DS_GROUP are defined in other modules. Similar to #5587, my > patch moves the constants into the platform module. > > https://fedorahosted.org/freeipa/ticket/5619 I see a few remaining cases: ipaserver/install/dsinstance.py 712: pent = pwd.getpwnam("dirsrv") ipatests/test_integration/test_backup_and_restore.py 167: self.master.run_command(['userdel', 'dirsrv']) 168: self.master.run_command(['userdel', 'pkiuser']) ipaplatform/redhat/tasks.py 441: if name == 'pkiuser': When these are included, ACK. From ftweedal at redhat.com Wed Jan 20 04:04:09 2016
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 20 Jan 2016 14:04:09 +1000 Subject: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname In-Reply-To: <20151208090638.GQ23644@dhcp-40-8.bne.redhat.com> References: <20151207052611.GG23644@dhcp-40-8.bne.redhat.com> <5665813B.90406@redhat.com> <20151207224639.GL23644@dhcp-40-8.bne.redhat.com> <56660D1D.6000109@redhat.com> <20151208090638.GQ23644@dhcp-40-8.bne.redhat.com> Message-ID: <20160120040409.GN31821@dhcp-40-8.bne.redhat.com> On Tue, Dec 08, 2015 at 07:06:39PM +1000, Fraser Tweedale wrote: > On Mon, Dec 07, 2015 at 05:50:05PM -0500, Rob Crittenden wrote: > > Fraser Tweedale wrote: > > > On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote: > > >> On 12/07/2015 06:26 AM, Fraser Tweedale wrote: > > >>> The attached patch fixes > > >>> https://fedorahosted.org/freeipa/ticket/4970. > > >>> > > >>> Note that the problem is addressed by adding the appropriate request > > >>> extension to the CSR; the fix does not involve changing the default > > >>> profile behaviour, which is complicated (see ticket for details). > > >> > > >> Thanks for the patch! This is something we should really fix, I already get > > >> warnings in my Python scripts when I hit sites protected by such HTTPS cert: > > >> > > >> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264: > > >> SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has no > > >> `subjectAltName`, falling back to check for a `commonName` for now. This > > >> feature is being removed by major browsers and deprecated by RFC 2818. (See > > >> https://github.com/shazow/urllib3/issues/497 for details.) > > >> > > >> Should we split ticket 4970, for the FreeIPA server part and then for cert > > >> profile part? As it looks like the FreeIPA server will be fixed even in FreeIPA > > >> 4.3.x and the other part later. 
> > >> > > >> How difficult do you see the general FreeIPA Certificate Profile part of this > > >> request? Is it a too big task to handle in 4.4 time frame? > > >> > > > I will split the ticket and would suggest 4.4 Backlog - it might be > > > doable but is a lower priority than e.g. Sub-CAs. > > > > If you are going to defer the profile part then you should probably > > update the client to also include a SAN if --request-cert is provided. > > > > rob > > > Yes, good idea. Updated patch attached. > > Cheers, > Fraser Bump, with rebased patch. -------------- next part -------------- From 51c59430905862ec586661f168ed2a36491d41d4 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 7 Dec 2015 16:14:28 +1100 Subject: [PATCH] Create server and host certs with DNS altname Currently server (HTTP / LDAP) certs are created without a Subject Alternative Name extension during server install, replica prepare and host enrolment, a potentially problematic violation of RFC 2818. Add the hostname as a SAN dNSName when these certs are created. (Certmonger adds an appropriate request extension when renewing the certificate, so nothing needs to be done for renewal). Fixes: https://fedorahosted.org/freeipa/ticket/4970 --- ipa-client/ipa-install/ipa-client-install | 2 +- ipapython/certmonger.py | 9 ++++++++- ipaserver/install/certs.py | 8 ++++++-- 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index af8d27bd0da9b847fef917d3bcc2ebd1837c5fb0..07334df1c00c55629a956af26075871d56a23550 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1167,7 +1167,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options, try: certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR, nickname='Local IPA host', - subject=subject, + subject=subject, dns=[hostname], principal=principal, passwd_fname=passwd_fname) except Exception: 
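Review bot: In the configure_certmonger hunk of ipa-client-install, `dns=[hostname]` hands certmonger whatever `hostname` holds at this point, and that exact string becomes the SAN dNSName that TLS clients will match against; if the value can be short or user-supplied on the client side, validate that it is fully qualified before the request is submitted rather than discovering it after the certificate has been issued.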
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py index f89ca0b7a1cbb9d34b0c044e30e213e7aa1c74fd..06d9bcc151afafdb8d301b25a1893a1c7cf9b569 100644 --- a/ipapython/certmonger.py +++ b/ipapython/certmonger.py @@ -298,9 +298,14 @@ def add_subject(request_id, subject): add_request_value(request_id, 'template-subject', subject) -def request_cert(nssdb, nickname, subject, principal, passwd_fname=None): +def request_cert( + nssdb, nickname, subject, principal, passwd_fname=None, + dns=None): """ Execute certmonger to request a server certificate. + + ``dns`` + A sequence of DNS names to appear in SAN request extension. """ cm = _certmonger() ca_path = cm.obj_if.find_ca_by_nickname('IPA') @@ -311,6 +316,8 @@ def request_cert(nssdb, nickname, subject, principal, passwd_fname=None): KEY_LOCATION=nssdb, KEY_NICKNAME=nickname, SUBJECT=subject, PRINCIPAL=[principal], CA=ca_path) + if dns is not None and len(dns) > 0: + request_parameters['DNS'] = dns if passwd_fname: request_parameters['KEY_PIN_FILE'] = passwd_fname result = cm.obj_if.add_request(request_parameters) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index f74b76090bfe2670a998373e3c7cdc3c5727c465..8a229587bb537fc8912f3a1823c05ab6f962f45a 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -336,7 +336,7 @@ class CertDB(object): cdb = self if subject is None: subject=DN(('CN', hostname), self.subject_base) - self.request_cert(subject) + self.request_cert(subject, san_dnsnames=[hostname]) cdb.issue_server_cert(self.certreq_fname, self.certder_fname) self.import_cert(self.certder_fname, nickname) fd = open(self.certder_fname, "r") 
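Review bot: In the certmonger.py hunk, `if dns is not None and len(dns) > 0:` can simply be `if dns:`, since the docstring already declares `dns` a sequence; more usefully, extend that docstring to say the names are only a request extension: whether the issued certificate actually carries the SAN is decided by the CA profile, which this patch deliberately leaves unchanged (see the commit message and the ticket split discussed above).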
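Review bot: In the create_server_cert hunk of certs.py, passing `san_dnsnames=[hostname]` even when the caller supplies its own `subject` is the right behaviour (the SAN should name the host whatever the CN says), but the extension only reaches the certificate if `cdb.issue_server_cert` carries the CSR's request extensions over into what it signs; please confirm that the local issuance path does, since server install is one of the cases the commit message claims to fix.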
@@ -360,7 +360,9 @@ class CertDB(object): os.unlink(self.certreq_fname) os.unlink(self.certder_fname) - def request_cert(self, subject, certtype="rsa", keysize="2048"): + def request_cert( + self, subject, certtype="rsa", keysize="2048", + san_dnsnames=None): assert isinstance(subject, DN) self.create_noise_file() self.setup_cert_request() @@ -371,6 +373,8 @@ class CertDB(object): "-z", self.noise_fname, "-f", self.passwd_fname, "-a"] + if san_dnsnames is not None and len(san_dnsnames) > 0: + args += ['-8', ','.join(san_dnsnames)] result = self.run_certutil(args, capture_output=True, capture_error=True) os.remove(self.noise_fname) -- 2.5.0 From mbabinsk at redhat.com Wed Jan 20 07:21:45 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 20 Jan 2016 08:21:45 +0100 Subject: [Freeipa-devel] [PATCH] 945 webui: dislay server suffixes in server search page In-Reply-To: <569E7340.4070505@redhat.com> References: <569E7340.4070505@redhat.com> Message-ID: <569F3589.4070502@redhat.com> On 01/19/2016 06:32 PM, Petr Vobornik wrote: > [PATCH] webui: dislay server suffixes in server search page > > There was a change where suffixes in server are not longer returned as > DNs but rather a cn of related topology suffix. I.e. they share > "memberof" logic. This caused that search page doesn't get the data > because it uses "no_member: true" option by default. > > This patch overrides the behavior because it is OK for server search > page to fetch also member data - it is not so costly as e.g. in users. > > https://fedorahosted.org/freeipa/ticket/5609 > > ACK -- Martin^3 Babinsky From akasurde at redhat.com Wed Jan 20 07:30:35 2016 
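Review bot: In the request_cert hunk of certs.py, the same simplification applies (`if san_dnsnames:`), and the new `san_dnsnames` parameter deserves the one-line docstring its certmonger counterpart received, noting that it is emitted as `certutil -R ... -8 name1,name2`. Joining with ',' is only safe because DNS names cannot contain commas; a comment saying so would stop someone later reusing the same join for other SAN types.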
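On the point Martin Kosek raises above (urllib3 warns when a certificate carries no subjectAltName and falls back to commonName, a fallback RFC 2818 deprecates), here is an added example, not code from the FreeIPA patch or from urllib3, of the verifier-side rule that makes the SAN dNSName the patch adds necessary: SAN dNSNames are authoritative when present, commonName is consulted only as an explicit opt-in fallback, and a single wildcard is honoured only as the whole leftmost label. It works on the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns; the three certificate dicts and the host names in it are constructed for the example.

```python
"""Host name verification with subjectAltName precedence, over the dict shape
that ssl.SSLSocket.getpeercert() returns.  Added example, not FreeIPA or
urllib3 code; the certificate dicts below are constructed, not real certs."""


# Constructed peer-certificate dicts in getpeercert() shape:
# 'subject' is a tuple of RDNs, each RDN a tuple of (type, value) pairs.
CERT_CN_ONLY = {
    "subject": ((("commonName", "ipa.example.test"),),),
}
CERT_WITH_SAN = {
    "subject": ((("commonName", "ipa.example.test"),),),
    "subjectAltName": (("DNS", "ipa.example.test"), ("DNS", "*.example.test")),
}
CERT_SAN_MISMATCH = {
    "subject": ((("commonName", "ipa.example.test"),),),
    "subjectAltName": (("DNS", "other.example.test"),),
}


def _dns_names(cert):
    """dNSName entries of the SAN extension (IP addresses deliberately ignored)."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_names(cert):
    """Every commonName attribute in the subject, in order."""
    return [value for rdn in cert.get("subject", ())
            for (kind, value) in rdn if kind == "commonName"]


def _match_label(pattern, hostname):
    """Case-insensitive exact match, or a wildcard that is the entire leftmost
    label of a name with at least two further labels ('*.example.test' matches
    'host.example.test', never 'a.b.example.test' or 'example.test')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False            # no '*.tld' style wildcards, no label skipping
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False            # stricter than RFC 6125: no partial-label wildcards
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def match_hostname(cert, hostname, allow_cn_fallback=False):
    """Return (ok, reason).  SAN dNSNames are authoritative when present; the
    commonName is used only when no dNSName exists and the caller opts in."""
    names = _dns_names(cert)
    if names:
        if any(_match_label(name, hostname) for name in names):
            return True, "matched subjectAltName"
        return False, "hostname not in subjectAltName %r" % (names,)
    cns = _common_names(cert)
    if not cns:
        return False, "certificate has neither subjectAltName nor commonName"
    if not allow_cn_fallback:
        return False, "no subjectAltName; commonName fallback disabled (RFC 6125)"
    if any(_match_label(cn, hostname) for cn in cns):
        return True, "matched commonName (deprecated fallback)"
    return False, "hostname not in commonName %r" % (cns,)


if __name__ == "__main__":
    for label, cert in (("CN only", CERT_CN_ONLY), ("with SAN", CERT_WITH_SAN),
                        ("SAN mismatch", CERT_SAN_MISMATCH)):
        print("%-12s %s" % (label, match_hostname(cert, "ipa.example.test")))
```

The CN-only certificate is rejected by default, which is exactly the behaviour the thread says browsers are converging on, so a server certificate issued without the dNSName the patch adds will stop working against such a verifier even though its CN is correct.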
From: akasurde at redhat.com (Abhijeet Kasurde) Date: Wed, 20 Jan 2016 13:00:35 +0530 Subject: [Freeipa-devel] [PATCH] Fixed login error message box in LoginScreen page In-Reply-To: <5680DF64.4060808@redhat.com> References: <5680DF64.4060808@redhat.com> Message-ID: <569F379B.1000101@redhat.com> Ping for review request. On 12/28/2015 12:36 PM, Abhijeet Kasurde wrote: > Hi All, > > Please review patches attached. > > Thanks, > Abhijeet Kasurde > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From akasurde at redhat.com Wed Jan 20 07:30:57 2016 From: akasurde at redhat.com (Abhijeet Kasurde) Date: Wed, 20 Jan 2016 13:00:57 +0530 Subject: [Freeipa-devel] [PATCH] Added kpasswd_server directive in client krb5.conf In-Reply-To: <568CA113.1050507@redhat.com> References: <5677A06C.3080708@redhat.com> <20160104223802.GB21493@redhat.com> <568BA785.4080108@redhat.com> <568CA113.1050507@redhat.com> Message-ID: <569F37B1.7050503@redhat.com> Ping for review request. On 01/06/2016 10:37 AM, Abhijeet Kasurde wrote: > Hi All, > > On 01/05/2016 04:52 PM, Christian Heimes wrote: >> On 2016-01-04 23:38, Nalin Dahyabhai wrote: >>> On Mon, Dec 21, 2015 at 12:17:08PM +0530, Abhijeet Kasurde wrote: >>>> Hi All, >>>> >>>> Please review patches attached. >>> The port number should probably be changed from 749 to 464. >> Nalin is correct. kpasswd and admin server use different ports: >> >> $ getent services kpasswd >> kpasswd 464/tcp kpwd >> $ getent services kerberos-adm >> kerberos-adm 749/tcp >> >> Except for the port number, the patch looks good to me. > Changed port number from 749 to 464. Thanks Nalin and Christian. > > Please review patches attached. >> Christian >> > Thanks, > Abhijeet Kasurde > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ftweedal at redhat.com Wed Jan 20 07:45:50 2016 
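As an added check for the port mix-up Nalin and Christian point out above (a `kpasswd_server` entry on 749, the kerberos-adm port, instead of 464), and not code from the patch under review: this parses the `[realms]` section of a krb5.conf and flags `kpasswd_server` or `admin_server` entries whose explicit port is the other service's. The sample configuration, realm and host names are constructed for the example; only the two port numbers come from the `getent services` output quoted in the thread.

```python
"""Lint the [realms] section of a krb5.conf for kpasswd/kadmin port mix-ups.
Added example, not FreeIPA code.  SAMPLE_KRB5_CONF is constructed; the realm,
host name and paths in it are made up."""
import re

# Service ports as registered in /etc/services: kpasswd 464/tcp, kerberos-adm 749/tcp.
KPASSWD_PORT = 464
KADMIN_PORT = 749

# Constructed sample: kpasswd_server wrongly points at the kadmin port.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.TEST
 dns_lookup_kdc = true

[realms]
 EXAMPLE.TEST = {
  kdc = ipa.example.test:88
  master_kdc = ipa.example.test:88
  admin_server = ipa.example.test:749
  kpasswd_server = ipa.example.test:749
  default_domain = example.test
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .example.test = EXAMPLE.TEST
"""

_SECTION = re.compile(r"^\s*\[(\w+)\]\s*$")
_REALM_OPEN = re.compile(r"^\s*([^\s=]+)\s*=\s*\{\s*$")
_KEYVAL = re.compile(r"^\s*([^\s=]+)\s*=\s*(.+?)\s*$")


def parse_realms(text):
    """Return {realm: {key: [values]}} from the [realms] section.
    Nested sub-blocks inside a realm stanza are not handled."""
    realms, section, current = {}, None, None
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        if not line.strip():
            continue
        m = _SECTION.match(line)
        if m:
            section, current = m.group(1), None
            continue
        if section != "realms":
            continue
        m = _REALM_OPEN.match(line)
        if m and current is None:
            current = m.group(1)
            realms[current] = {}
            continue
        if line.strip() == "}":
            current = None
            continue
        m = _KEYVAL.match(line)
        if m and current is not None:
            realms[current].setdefault(m.group(1), []).append(m.group(2))
    return realms


def split_host_port(value, default_port):
    """'host:port' -> (host, port); a bare host gets the service default.
    Bracketed IPv6 literals are not handled."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, default_port


def check_kpasswd_ports(realms):
    """Return (realm, key, value, problem) tuples for entries on the wrong port."""
    findings = []
    for realm, keys in realms.items():
        for value in keys.get("kpasswd_server", []):
            _host, port = split_host_port(value, KPASSWD_PORT)
            if port == KADMIN_PORT:
                findings.append((realm, "kpasswd_server", value,
                                 "points at the kadmin port %d; kpasswd listens on %d"
                                 % (KADMIN_PORT, KPASSWD_PORT)))
        for value in keys.get("admin_server", []):
            _host, port = split_host_port(value, KADMIN_PORT)
            if port == KPASSWD_PORT:
                findings.append((realm, "admin_server", value,
                                 "points at the kpasswd port %d; kadmin listens on %d"
                                 % (KPASSWD_PORT, KADMIN_PORT)))
    return findings


if __name__ == "__main__":
    for finding in check_kpasswd_ports(parse_realms(SAMPLE_KRB5_CONF)):
        print("%s: %s = %s: %s" % finding)
```

A bare `kpasswd_server = host` is accepted because the client then uses the service default of 464; only an explicit wrong port is reported.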
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 20 Jan 2016 17:45:50 +1000 Subject: [Freeipa-devel] [PATCH] 0049 Remove workaround for CA running check Message-ID: <20160120074550.GO31821@dhcp-40-8.bne.redhat.com> The attached patch removes a workaround introduced as part of https://fedorahosted.org/freeipa/ticket/4676. Alternatively, if we want to keep the "workaround" I will submit a different patch that removes unused code and FIXME comments :) Cheers, Fraser -------------- next part -------------- From df99d69569ddc173c7495eb5cd85133079a24ba9 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 20 Jan 2016 18:35:15 +1100 Subject: [PATCH] Remove workaround for CA running check A workaround was introduced for ticket #4676 that used wget to perform an (unauthenticated) https request to check the CA status. Later, wget was changed to curl (the request remained unauthenticated). Remove the workaround and use an http request (no TLS) to check the CA status. Also remove the now-unused unauthenticated_http_request method. https://fedorahosted.org/freeipa/ticket/4676 --- ipaplatform/redhat/services.py | 25 +------------------------ ipapython/dogtag.py | 25 +++---------------------- 2 files changed, 4 insertions(+), 46 deletions(-) diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py index 11292fa4912844db78899d779b84104288e469dc..3c18dbc3c1274ef3852abef5f054b4e37e6b32fa 100644 --- a/ipaplatform/redhat/services.py +++ b/ipaplatform/redhat/services.py 
@@ -199,30 +199,7 @@ class RedHatCAService(RedHatService): op_timeout = time.time() + timeout while time.time() < op_timeout: try: - # FIXME https://fedorahosted.org/freeipa/ticket/4716 - # workaround - # - # status = dogtag.ca_status(use_proxy=use_proxy) - # - port = 8443 - - url = "https://%(host_port)s%(path)s" % { - "host_port": ipautil.format_netloc(api.env.ca_host, port), - "path": "/ca/admin/ca/getStatus" - } - - args = [ - paths.BIN_CURL, - '-o', '-', - '--connect-timeout', '30', - '-k', - url - ] - - result = ipautil.run(args, capture_output=True) - - status = dogtag._parse_ca_status(result.output) - # end of workaround + status = dogtag.ca_status() except Exception as e: status = 'check interrupted due to error: %s' % e root_logger.debug('The CA status is: %s' % status) diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 1cb74719c4ce2cc97c54dc7bebfa4b32ceee14a1..6f13880026e9e6043649405245c9cd50a826f652 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -103,7 +103,7 @@ def _parse_ca_status(body): raise error_from_xml(doc, _("Retrieving CA status failed: %s")) -def ca_status(ca_host=None, use_proxy=True): +def ca_status(ca_host=None): """Return the status of the CA, and the httpd proxy in front of it The returned status can be: @@ -113,13 +113,8 @@ def ca_status(ca_host=None, use_proxy=True): """ if ca_host is None: ca_host = api.env.ca_host - if use_proxy: - # Use port 443 to test the proxy as well - ca_port = 443 - else: - ca_port = 8443 - status, headers, body = unauthenticated_https_request( - ca_host, ca_port, '/ca/admin/ca/getStatus') + status, headers, body = http_request( + ca_host, 8080, '/ca/admin/ca/getStatus') if status == 503: # Service temporarily unavailable return status 
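Review bot: In the services.py hunk, removing the `curl -k` probe is welcome (with `-k` the HTTPS request verified nothing, so it bought no authentication over plain HTTP), but `dogtag.ca_status()` called without `use_proxy` now goes to the CA on port 8080 instead of through httpd on 443, so this wait loop no longer tells you that the proxy in front of the CA is serving; either keep a separate proxy check or state the narrower guarantee where the loop's result is consumed. Also, the removed FIXME cites ticket 4716 while the commit message cites 4676; one of the two references is wrong.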
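Review bot: In the ca_status hunk of dogtag.py, the docstring still promises the status of "the httpd proxy in front of it", which is no longer what a request to port 8080 reports; update it. Dropping the `use_proxy` keyword also changes the function's signature, so any remaining caller passing `use_proxy=` will raise TypeError; the diffstat touches only two files, so a grep for other callers is needed. And because `ca_host` comes from `api.env.ca_host` and can be another master, port 8080 must now be reachable through the firewall where 443 was before.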
@@ -175,20 +170,6 @@ def http_request(host, port, url, **kw): 'http', host, port, url, httplib.HTTPConnection, body) -def unauthenticated_https_request(host, port, url, **kw): - """ - :param url: The path (not complete URL!) to post to. - :param kw: Keyword arguments to encode into POST body. - :return: (http_status, http_headers, http_body) - as (integer, dict, str) - - Perform an unauthenticated HTTPS request. - """ - body = urlencode(kw) - return _httplib_request( - 'https', host, port, url, httplib.HTTPSConnection, body) - - def _httplib_request( protocol, host, port, path, connection_factory, request_body, method='POST', headers=None): -- 2.5.0 From mkosek at redhat.com Wed Jan 20 08:30:29 2016 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 20 Jan 2016 09:30:29 +0100 Subject: [Freeipa-devel] [PATCH] 0049 Remove workaround for CA running check In-Reply-To: <20160120074550.GO31821@dhcp-40-8.bne.redhat.com> References: <20160120074550.GO31821@dhcp-40-8.bne.redhat.com> Message-ID: <569F45A5.1080408@redhat.com> On 01/20/2016 08:45 AM, Fraser Tweedale wrote: > The attached patch removes a workaround introduced as part of > https://fedorahosted.org/freeipa/ticket/4676. > > Alternatively, if we want to keep the "workaround" I will submit a > different patch that removes unused code and FIXME comments :) > > Cheers, > Fraser You may also want to check FreeIPA spec file, if there is now no extra curl dependency. I would leave it up to Martin Basti, to confirm that the original issue cannot appear again. It was a nightmare to troubleshoot, as I heard :) From mbabinsk at redhat.com Wed Jan 20 08:40:40 2016 
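Review bot: In the hunk deleting `unauthenticated_https_request`, check whether `urlencode` and `httplib.HTTPSConnection` are still used elsewhere in dogtag.py; if that function was their only user, the imports become dead code and the pylint run this thread is tightening will flag them. Keeping `_httplib_request` protocol-agnostic is fine, but a short comment that the status probe is intentionally plain HTTP (it carries no credentials and was never verified over TLS anyway) would stop the next reader from "fixing" it back to HTTPS with verification disabled.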
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 20 Jan 2016 09:40:40 +0100 Subject: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica In-Reply-To: <5697CD04.3010709@redhat.com> References: <56967E77.8000604@redhat.com> <5696826C.2050300@redhat.com> <5697CD04.3010709@redhat.com> Message-ID: <569F4808.8070100@redhat.com> On 01/14/2016 05:29 PM, Martin Babinsky wrote: > On 01/13/2016 05:59 PM, Rob Crittenden wrote: >> Martin Babinsky wrote: >>> fixes https://fedorahosted.org/freeipa/ticket/5584 >>> >>> In order to ensure consistent behavior with ipa-client-install, I opted >>> to reuse the configure_openldap_conf() function and restoring the config >>> from client sysrestore before modifying it. >>> >>> If you think this approach is not optimal please propose an alternative >>> solution. >> >> You could also just do an action set on URI to change the value, right? >> It would need a new function but it would be very small. >> >> If you do end up keeping this I'd want a new commit message for moving >> the code to include why you're moving it (to avoid the need to deference >> the ticket). >> >> rob >> > > Here's the patch that implements the change in URI directive. Please > keep in mind that we not only have to change the URI to point to > ourselves, we also have to do it in a way consistent with > ipa-client-install, i.e. leave a comment with new URI if it was already > set by third party. > > Plain 'addifnotset' directive will not do, however, because then we end > up with two comments, one original, and one pointing to ourselves. Plain > 'set' may rewrite the URI set by user and thus we would have to test its > value anyway. > > The correct handling of these cases coupled with a way IPAChangeConf is > written results in a solution presented here. 
> > The fact that it is not much shorter than configure_openldap_conf and is > additionally pretty ugly (a fact at least partially caused by me not > being very fluent in IPAChangeConf usage) led me to the conclusion that > restoring original ldap.conf and reusing already written code for > reediting it anew with replica as URI is actually not that bad an idea. > > > Bump for review/discussion. -- Martin^3 Babinsky From mbabinsk at redhat.com Wed Jan 20 08:42:10 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 20 Jan 2016 09:42:10 +0100 Subject: [Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails In-Reply-To: <56992C6A.7060106@redhat.com> References: <568E945F.3030605@redhat.com> <568E949B.1090300@redhat.com> <56961965.9050309@redhat.com> <56967BD8.1000109@redhat.com> <1452807096.3356.182.camel@redhat.com> <5698E793.9090400@redhat.com> <1452873425.3356.192.camel@redhat.com> <56992C6A.7060106@redhat.com> Message-ID: <569F4862.7010201@redhat.com> On 01/15/2016 06:29 PM, Martin Babinsky wrote: > On 01/15/2016 04:57 PM, Simo Sorce wrote: >> On Fri, 2016-01-15 at 13:35 +0100, Martin Babinsky wrote: >>> On 01/14/2016 10:31 PM, Simo Sorce wrote: >>>> On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote: >>>>> On 01/13/2016 10:31 AM, Martin Babinsky wrote: >>>>>> On 01/07/2016 05:38 PM, Martin Babinsky wrote: >>>>>>> On 01/07/2016 05:37 PM, Martin Babinsky wrote: >>>>>>>> https://fedorahosted.org/freeipa/ticket/5584 >>>>>>>> >>>>>>> And the patch is here. >>>>>>> >>>>>>> >>>>>>> >>>>>> self-NACK, there may be a better way to handle this. I will do some >>>>>> investigation and send updated patch. >>>>>> >>>>> Attaching updated patch. >>>> >>>> A failure to obtain a tgt may be due to other reasons (for example the >>>> KDC crashed), why are you trying to use this test ? >>>> Isn't it sufficient to see there is no host entry in the directory ? >>>> >>>> Simo. >>>> >>> There were some corner cases I encountered, mostly concerning a cleanup >>> after unsuccessful replica promotion. >>> >>> You may sometimes end up in a state where local DS is working, but KDC >>> crashed and the krb5.conf is still pointing at a remote one. In that >>> case "malformed" replica's local host entry exist, but when such host >>> tries to get TGT, the AS-REQ goes to remote KDC from other master. 
>>> >>> However, if the admin had in the meantime cleaned up this host's >>> kerberos principals/keys, the crashed replica gets one of the following >>> errors: >>> >>> Client not found in Kerberos database >>> Client credentials have been revoked >>> Generic preauthentication failure >>> >>> These were printed out as errors during uninstall, but were actually >>> expected in situation like this. It is true that the code should check >>> and ignore these specific errors. >> >> Only the first is valid for your case, the others may be transient >> errors. >> >> Simo. >> >> > True, attaching updated patch. The other errors will now pop out in the > output and the warning will be displayed. > > > Bump for review. -- Martin^3 Babinsky From pspacek at redhat.com Wed Jan 20 09:05:50 2016
From: pspacek at redhat.com (Petr Spacek) Date: Wed, 20 Jan 2016 10:05:50 +0100 Subject: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir. In-Reply-To: <569E51E6.6060005@redhat.com> References: <569E307C.20602@redhat.com> <569E396F.4000104@redhat.com> <569E3C53.9030100@redhat.com> <569E51E6.6060005@redhat.com> Message-ID: <569F4DEE.70801@redhat.com> On 19.1.2016 16:10, David Kupka wrote: > On 19/01/16 14:38, Jan Cholasta wrote: >> On 19.1.2016 14:26, Martin Kosek wrote: >>> On 01/19/2016 01:47 PM, David Kupka wrote: >>>> I've polished the patch attached to #5586 by Timo Aaltonen. >>>> >>>> Thanks for the patch. I've fixed the path in specfile and removed >>>> unused import >>>> but otherwise it works, ACK. >>>> >>>> https://fedorahosted.org/freeipa/ticket/5586 >>> >>> Won't this break existing certmonger requests depending on the old path? >> >> It will, I don't see any upgrade code. >> >>> >>> # getcert list | grep '/usr/lib64/ipa/certmonger' >>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>> "auditSigningCert >>> cert-pki-ca" >>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>> "ocspSigningCert >>> cert-pki-ca" >>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>> "subsystemCert >>> cert-pki-ca" >>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>> "caSigningCert >>> cert-pki-ca" >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert >>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>> "Server-Cert >>> cert-pki-ca" >>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72 >>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd >>> >> >> > > You're 
right it will break the upgrade. I haven't noticed that Server-Cert for > DS and HTTPD are not handled by certificate_renewal_update > (ipaserver.install.server.upgrade) where all the other trackings are stopped > and then configured again with the paths.CERTMONGER_COMMAND_TEMPLATE already > updated. LOL, one more reason to centralize the certificate madness to one place? :-) -- Petr^2 Spacek From jcholast at redhat.com Wed Jan 20 09:08:19 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 20 Jan 2016 10:08:19 +0100 Subject: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir. In-Reply-To: <569F4DEE.70801@redhat.com> References: <569E307C.20602@redhat.com> <569E396F.4000104@redhat.com> <569E3C53.9030100@redhat.com> <569E51E6.6060005@redhat.com> <569F4DEE.70801@redhat.com> Message-ID: <569F4E83.5070309@redhat.com> On 20.1.2016 10:05, Petr Spacek wrote: > On 19.1.2016 16:10, David Kupka wrote: >> On 19/01/16 14:38, Jan Cholasta wrote: >>> On 19.1.2016 14:26, Martin Kosek wrote: >>>> On 01/19/2016 01:47 PM, David Kupka wrote: >>>>> I've polished the patch attached to #5586 by Timo Aaltonen. >>>>> >>>>> Thanks for the patch. I've fixed the path in specfile and removed >>>>> unused import >>>>> but otherwise it works, ACK. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/5586 >>>> >>>> Won't this break existing certmonger requests depending on the old path? >>> >>> It will, I don't see any upgrade code. 
>>> >>>> >>>> # getcert list | grep '/usr/lib64/ipa/certmonger' >>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>>> "auditSigningCert >>>> cert-pki-ca" >>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>>> "ocspSigningCert >>>> cert-pki-ca" >>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>>> "subsystemCert >>>> cert-pki-ca" >>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>>> "caSigningCert >>>> cert-pki-ca" >>>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert >>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>>> "Server-Cert >>>> cert-pki-ca" >>>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72 >>>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd >>>> >>> >>> >> >> You're right it will break the upgrade. I haven't noticed that Server-Cert for >> DS and HTTPD are not handled by certificate_renewal_update >> (ipaserver.install.server.upgrade) where all the other trackings are stopped >> and then configured again with the paths.CERTMONGER_COMMAND_TEMPLATE already >> updated. > > LOL, one more reason to centralize the certificate madness to one place? :-) Definitely! -- Jan Cholasta From pviktori at redhat.com Wed Jan 20 09:15:34 2016 
From: pviktori at redhat.com (Petr Viktorin) Date: Wed, 20 Jan 2016 10:15:34 +0100 Subject: [Freeipa-devel] [PATCHES] 0752-0757, 0759 Enable pylint --py3k In-Reply-To: <569E5BB6.3070508@redhat.com> References: <568D2494.9080602@redhat.com> <568FA169.4030900@redhat.com> <5693B2F8.1060905@redhat.com> <56950653.8060406@redhat.com> <5695114B.3070807@redhat.com> <5697DAFD.50603@redhat.com> <569DE993.30002@redhat.com> <569E2FE5.3010405@redhat.com> <569E5BB6.3070508@redhat.com> Message-ID: <569F5036.1040903@redhat.com> On 01/19/2016 04:52 PM, Jan Cholasta wrote: > On 19.1.2016 13:45, Petr Viktorin wrote: [...] >>> Otherwise LGTM, including patch 758. >> >> Attaching updated patches, with py3k check as default squashed in. >> I also added a pylint exception for a new use of reload() in 0756. >> One more thing I did was disable pylint's long and uninteresting report, >> so now only the messages are shown. > > Thanks, ACK. > > Could you please rebase the patches on top of ipa-4-3 so I can push them? Oh, they're going into an earlier release as well? Here is a patchset for ipa-4-3. -- Petr Viktorin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0752.4-Use-explicit-truncating-division.patch Type: text/x-patch Size: 4884 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0753.4-Don-t-index-exceptions-directly.patch Type: text/x-patch Size: 2547 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0754.4-Use-print_function-future-definition-wherever-print-.patch Type: text/x-patch Size: 1881 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pviktori-0755.4-Alias-unicode-to-str-under-Python-3.patch Type: text/x-patch Size: 5597 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0756.4-Avoid-builtins-that-were-removed-in-Python-3.patch Type: text/x-patch Size: 2269 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0757.4-dnsutil-Rename-__nonzero__-to-__bool__.patch Type: text/x-patch Size: 1052 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0758.4-Remove-deprecated-contrib-RHEL4.patch Type: text/x-patch Size: 37393 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0759.4-make-lint-Allow-running-pylint-py3k-to-detect-Python.patch Type: text/x-patch Size: 3714 bytes Desc: not available URL: From ftweedal at redhat.com Wed Jan 20 09:52:32 2016 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 20 Jan 2016 19:52:32 +1000 Subject: [Freeipa-devel] [PATCH] 0049 Remove workaround for CA running check In-Reply-To: <569F45A5.1080408@redhat.com> References: <20160120074550.GO31821@dhcp-40-8.bne.redhat.com> <569F45A5.1080408@redhat.com> Message-ID: <20160120095232.GP31821@dhcp-40-8.bne.redhat.com> On Wed, Jan 20, 2016 at 09:30:29AM +0100, Martin Kosek wrote: > On 01/20/2016 08:45 AM, Fraser Tweedale wrote: > > The attached patch removes a workaround introduced as part of > > https://fedorahosted.org/freeipa/ticket/4676. > > > > Alternatively, if we want to keep the "workaround" I will submit a > > different patch that removes unused code and FIXME comments :) > > > > Cheers, > > Fraser > > You may also want to check FreeIPA spec file, if there is now no extra curl > dependency. I would leave it up to Martin Basti, to confirm that the original > issue cannot appear again. It was a nightmare to troubleshoot, as I heard :) > Good pickup on the curl dependency; indeed it is no longer needed. Updated patch attached. -------------- next part -------------- From df99d69569ddc173c7495eb5cd85133079a24ba9 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 20 Jan 2016 18:35:15 +1100 Subject: [PATCH] Remove workaround for CA running check A workaround was introduced for ticket #4676 that used wget to perform an (unauthenticated) https request to check the CA status. Later, wget was changed to curl (the request remained unauthenticated). Remove the workaround and use an http request (no TLS) to check the CA status. Also remove the now-unused unauthenticated_http_request method. https://fedorahosted.org/freeipa/ticket/4676 --- ipaplatform/redhat/services.py | 25 +------------------------ ipapython/dogtag.py | 25 +++---------------------- 2 files changed, 4 insertions(+), 46 deletions(-) 
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py index 11292fa4912844db78899d779b84104288e469dc..3c18dbc3c1274ef3852abef5f054b4e37e6b32fa 100644 --- a/ipaplatform/redhat/services.py +++ b/ipaplatform/redhat/services.py @@ -199,30 +199,7 @@ class RedHatCAService(RedHatService): op_timeout = time.time() + timeout while time.time() < op_timeout: try: - # FIXME https://fedorahosted.org/freeipa/ticket/4716 - # workaround - # - # status = dogtag.ca_status(use_proxy=use_proxy) - # - port = 8443 - - url = "https://%(host_port)s%(path)s" % { - "host_port": ipautil.format_netloc(api.env.ca_host, port), - "path": "/ca/admin/ca/getStatus" - } - - args = [ - paths.BIN_CURL, - '-o', '-', - '--connect-timeout', '30', - '-k', - url - ] - - result = ipautil.run(args, capture_output=True) - - status = dogtag._parse_ca_status(result.output) - # end of workaround + status = dogtag.ca_status() except Exception as e: status = 'check interrupted due to error: %s' % e root_logger.debug('The CA status is: %s' % status) diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 1cb74719c4ce2cc97c54dc7bebfa4b32ceee14a1..6f13880026e9e6043649405245c9cd50a826f652 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -103,7 +103,7 @@ def _parse_ca_status(body): raise error_from_xml(doc, _("Retrieving CA status failed: %s")) -def ca_status(ca_host=None, use_proxy=True): +def ca_status(ca_host=None): """Return the status of the CA, and the httpd proxy in front of it The returned status can be: @@ -113,13 +113,8 @@ def ca_status(ca_host=None, use_proxy=True): """ if ca_host is None: ca_host = api.env.ca_host - if use_proxy: - # Use port 443 to test the proxy as well - ca_port = 443 - else: - ca_port = 8443 - status, headers, body = unauthenticated_https_request( - ca_host, ca_port, '/ca/admin/ca/getStatus') + status, headers, body = http_request( + ca_host, 8080, '/ca/admin/ca/getStatus') if status == 503: # Service temporarily unavailable return status 
@@ -175,20 +170,6 @@ def http_request(host, port, url, **kw): 'http', host, port, url, httplib.HTTPConnection, body) -def unauthenticated_https_request(host, port, url, **kw): - """ - :param url: The path (not complete URL!) to post to. - :param kw: Keyword arguments to encode into POST body. - :return: (http_status, http_headers, http_body) - as (integer, dict, str) - - Perform an unauthenticated HTTPS request. - """ - body = urlencode(kw) - return _httplib_request( - 'https', host, port, url, httplib.HTTPSConnection, body) - - def _httplib_request( protocol, host, port, path, connection_factory, request_body, method='POST', headers=None): -- 2.5.0 From ftweedal at redhat.com Wed Jan 20 10:03:05 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 20 Jan 2016 20:03:05 +1000 Subject: [Freeipa-devel] [PATCH] 0049 Remove workaround for CA running check In-Reply-To: <20160120095232.GP31821@dhcp-40-8.bne.redhat.com> References: <20160120074550.GO31821@dhcp-40-8.bne.redhat.com> <569F45A5.1080408@redhat.com> <20160120095232.GP31821@dhcp-40-8.bne.redhat.com> Message-ID: <20160120100305.GQ31821@dhcp-40-8.bne.redhat.com> On Wed, Jan 20, 2016 at 07:52:32PM +1000, Fraser Tweedale wrote: > Good pickup on the curl dependency; indeed it is no longer needed. > Updated patch attached. > Whups, that was same patch, different name. *Here* is the new patch. -------------- next part -------------- From ba5750b7a805841abd8d4795d9c4bcec2a3518a0 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Wed, 20 Jan 2016 18:35:15 +1100 Subject: [PATCH] Remove workaround for CA running check A workaround was introduced for ticket #4676 that used wget to perform an (unauthenticated) https request to check the CA status. Later, wget was changed to curl (the request remained unauthenticated). Remove the workaround and use an http request (no TLS) to check the CA status. Also remove the now-unused unauthenticated_http_request method, and update specfile to remove ipalib dependency on curl. https://fedorahosted.org/freeipa/ticket/4676 --- freeipa.spec.in | 2 -- ipaplatform/redhat/services.py | 25 +------------------------ ipapython/dogtag.py | 25 +++---------------------- 3 files changed, 4 insertions(+), 48 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 961d8c38e0dd5f954bfca47e8209a5655eaacc86..ae0887390d623b035734dc5c8da703ba33a37e9f 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -466,7 +466,6 @@ Requires: python-pyasn1 Requires: python-dateutil Requires: python-yubico >= 1.2.3 Requires: python-sss-murmur -Requires: curl Requires: dbus-python Requires: python-setuptools Requires: python-six @@ -510,7 +509,6 @@ Requires: python3-pyasn1 Requires: python3-dateutil Requires: python3-yubico >= 1.2.3 Requires: python3-sss-murmur -Requires: curl Requires: python3-dbus Requires: python3-setuptools Requires: python3-six diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py index 11292fa4912844db78899d779b84104288e469dc..3c18dbc3c1274ef3852abef5f054b4e37e6b32fa 100644 --- a/ipaplatform/redhat/services.py +++ b/ipaplatform/redhat/services.py 
@@ -199,30 +199,7 @@ class RedHatCAService(RedHatService): op_timeout = time.time() + timeout while time.time() < op_timeout: try: - # FIXME https://fedorahosted.org/freeipa/ticket/4716 - # workaround - # - # status = dogtag.ca_status(use_proxy=use_proxy) - # - port = 8443 - - url = "https://%(host_port)s%(path)s" % { - "host_port": ipautil.format_netloc(api.env.ca_host, port), - "path": "/ca/admin/ca/getStatus" - } - - args = [ - paths.BIN_CURL, - '-o', '-', - '--connect-timeout', '30', - '-k', - url - ] - - result = ipautil.run(args, capture_output=True) - - status = dogtag._parse_ca_status(result.output) - # end of workaround + status = dogtag.ca_status() except Exception as e: status = 'check interrupted due to error: %s' % e root_logger.debug('The CA status is: %s' % status) diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 1cb74719c4ce2cc97c54dc7bebfa4b32ceee14a1..6f13880026e9e6043649405245c9cd50a826f652 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -103,7 +103,7 @@ def _parse_ca_status(body): raise error_from_xml(doc, _("Retrieving CA status failed: %s")) -def ca_status(ca_host=None, use_proxy=True): +def ca_status(ca_host=None): """Return the status of the CA, and the httpd proxy in front of it The returned status can be: @@ -113,13 +113,8 @@ def ca_status(ca_host=None, use_proxy=True): """ if ca_host is None: ca_host = api.env.ca_host - if use_proxy: - # Use port 443 to test the proxy as well - ca_port = 443 - else: - ca_port = 8443 - status, headers, body = unauthenticated_https_request( - ca_host, ca_port, '/ca/admin/ca/getStatus') + status, headers, body = http_request( + ca_host, 8080, '/ca/admin/ca/getStatus') if status == 503: # Service temporarily unavailable return status 
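Review bot: in the services.py hunk, the replacement line "status = dogtag.ca_status()" drops the per-attempt bound that the deleted curl call had via '--connect-timeout', '30', and nothing in the new call passes a timeout, so one stalled TCP connect inside the surrounding "while time.time() < op_timeout:" loop can overrun op_timeout; either thread a timeout through ca_status()/http_request() or confirm that the underlying httplib connection is created with one. A smaller point in the same hunk: the deleted FIXME comment points at ticket 4716 while the commit message cites 4676; worth checking which one the workaround really belongs to before the reference disappears from the tree.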
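Review bot: in the dogtag.py ca_status hunk, the docstring just above it still reads "Return the status of the CA, and the httpd proxy in front of it", but with "ca_host, 8080" the request now goes to the CA's plain HTTP port directly and never touches the proxy on 443, so the docstring needs updating (or the proxy check needs to be kept, if it was intentional). Removing the use_proxy parameter also changes what must be reachable: the old default used port 443, and if ca_host is ever a host other than the local one, callers may now need 8080 open towards it; that deserves a sentence in the commit message. Moving from "-k" (TLS without certificate verification) to cleartext does not reduce the trust in the status body, which was already unauthenticated, but _parse_ca_status still has to stay tolerant of whatever comes back on that port. Finally, the commit message says the now-unused helper is unauthenticated_http_request, while the function removed further down in this file is unauthenticated_https_request.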
@@ -175,20 +170,6 @@ def http_request(host, port, url, **kw): 'http', host, port, url, httplib.HTTPConnection, body) -def unauthenticated_https_request(host, port, url, **kw): - """ - :param url: The path (not complete URL!) to post to. - :param kw: Keyword arguments to encode into POST body. - :return: (http_status, http_headers, http_body) - as (integer, dict, str) - - Perform an unauthenticated HTTPS request. - """ - body = urlencode(kw) - return _httplib_request( - 'https', host, port, url, httplib.HTTPSConnection, body) - - def _httplib_request( protocol, host, port, path, connection_factory, request_body, method='POST', headers=None): -- 2.5.0 From cheimes at redhat.com Wed Jan 20 10:45:53 2016 From: cheimes at redhat.com (Christian Heimes) Date: Wed, 20 Jan 2016 11:45:53 +0100 Subject: [Freeipa-devel] [PATCH] Added kpasswd_server directive in client krb5.conf In-Reply-To: <569F37B1.7050503@redhat.com> References: <5677A06C.3080708@redhat.com> <20160104223802.GB21493@redhat.com> <568BA785.4080108@redhat.com> <568CA113.1050507@redhat.com> <569F37B1.7050503@redhat.com> Message-ID: <569F6561.1000001@redhat.com> On 2016-01-20 08:30, Abhijeet Kasurde wrote: > Ping for review request. Hi, your initial patch has a small problem. Please provide a new patch with port 464 instead of 749. Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From cheimes at redhat.com Wed Jan 20 10:57:42 2016 
From: cheimes at redhat.com (Christian Heimes) Date: Wed, 20 Jan 2016 11:57:42 +0100 Subject: [Freeipa-devel] [PATCH 0029] Move user/group constants for PKI and DS into ipaplatform In-Reply-To: <20160120015428.GJ31821@dhcp-40-8.bne.redhat.com> References: <569E381B.3040104@redhat.com> <20160120015428.GJ31821@dhcp-40-8.bne.redhat.com> Message-ID: <569F6826.2060608@redhat.com> On 2016-01-20 02:54, Fraser Tweedale wrote: > On Tue, Jan 19, 2016 at 02:20:27PM +0100, Christian Heimes wrote: >> ipaplatform.constants has platform-specific names for a couple of system >> users like Apache HTTPD. The user names for PKI_USER, PKI_GROUP, DS_USER >> and DS_GROUP are defined in other modules. Similar to #5587, my >> patch moves the constants into the platform module. >> >> https://fedorahosted.org/freeipa/ticket/5619 > > I see a few remaining cases: > > ipaserver/install/dsinstance.py > 712: pent = pwd.getpwnam("dirsrv") > > ipatests/test_integration/test_backup_and_restore.py > 167: self.master.run_command(['userdel', 'dirsrv']) > 168: self.master.run_command(['userdel', 'pkiuser']) > > ipaplatform/redhat/tasks.py > 441: if name == 'pkiuser': > > When these are included, ACK. Good catch! My new patch takes care of the remaining cases. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-cheimes-0029-2-Move-user-group-constants-for-PKI-and-DS-into-ipapla.patch Type: text/x-patch Size: 17425 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From jcholast at redhat.com Wed Jan 20 11:03:33 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 20 Jan 2016 12:03:33 +0100 Subject: [Freeipa-devel] [PATCHES] 0752-0757, 0759 Enable pylint --py3k In-Reply-To: <569F5036.1040903@redhat.com> References: <568D2494.9080602@redhat.com> <568FA169.4030900@redhat.com> <5693B2F8.1060905@redhat.com> <56950653.8060406@redhat.com> <5695114B.3070807@redhat.com> <5697DAFD.50603@redhat.com> <569DE993.30002@redhat.com> <569E2FE5.3010405@redhat.com> <569E5BB6.3070508@redhat.com> <569F5036.1040903@redhat.com> Message-ID: <569F6985.3050307@redhat.com> On 20.1.2016 10:15, Petr Viktorin wrote: > On 01/19/2016 04:52 PM, Jan Cholasta wrote: >> On 19.1.2016 13:45, Petr Viktorin wrote: > [...] >>>> Otherwise LGTM, including patch 758. >>> >>> Attaching updated patches, with py3k check as default squashed in. >>> I also added a pylint exception for a new use of reload() in 0756. >>> One more thing I did was disable pylint's long and uninteresting report, >>> so now only the messages are shown. >> >> Thanks, ACK. >> >> Could you please rebase the patches on top of ipa-4-3 so I can push them? > > Oh, they're going into an earlier release as well? Yes, unless you want to wait for 4.4 / Fedora 25. I filed a ticket for this: . > > Here is a patchset for ipa-4-3. Thanks. Pushed to: master: 5d8221478729db1b8c1c064e64ac4d18983ae98d ipa-4-3: b301aea7ca3e9bd33c3a02c00cccbf2dd3da9e65 -- Jan Cholasta From jcholast at redhat.com Wed Jan 20 11:17:16 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 20 Jan 2016 12:17:16 +0100 Subject: [Freeipa-devel] [PATCH] 944 spec: do not require arch specific ipalib package from noarch packages In-Reply-To: <569E787D.80003@redhat.com> References: <569E787D.80003@redhat.com> Message-ID: <569F6CBC.8020400@redhat.com> On 19.1.2016 18:55, Petr Vobornik wrote: > noarch packages should not contain: > Requires: some-package-{?_isa} > > because then they are not the same for each arch - are not noarch > > https://fedorahosted.org/freeipa/ticket/5568 Thanks, ACK. Pushed to: master: 3aef54d0c2b5a6fcb305e71530a850fedbb84cf8 ipa-4-3: 84bcdf27600e5eee10d230c7ea96b10aa064ff90 -- Jan Cholasta From akasurde at redhat.com Wed Jan 20 11:15:23 2016 
From: akasurde at redhat.com (Abhijeet Kasurde) Date: Wed, 20 Jan 2016 16:45:23 +0530 Subject: [Freeipa-devel] [PATCH] Added kpasswd_server directive in client krb5.conf In-Reply-To: <569F6561.1000001@redhat.com> References: <5677A06C.3080708@redhat.com> <20160104223802.GB21493@redhat.com> <568BA785.4080108@redhat.com> <568CA113.1050507@redhat.com> <569F37B1.7050503@redhat.com> <569F6561.1000001@redhat.com> Message-ID: <569F6C4B.3020300@redhat.com> Hi Christian, On 01/20/2016 04:15 PM, Christian Heimes wrote: > On 2016-01-20 08:30, Abhijeet Kasurde wrote: >> Ping for review request. > Hi, > > your initial patch has a small problem. Please provide a new patch with > port 464 instead of 749. > > Christian > > Please find the patches for review. Thanks, Abhijeet -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-akasurde-0001-2-Added-kpasswd_server-directive-in-client-krb5.conf.patch Type: text/x-patch Size: 1723 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-akasurde-0001-2-Added-kpasswd_server-directive-in-client-krb5.conf-ipa-4-2.patch Type: text/x-patch Size: 1723 bytes Desc: not available URL: From cheimes at redhat.com Wed Jan 20 11:33:42 2016 
From: cheimes at redhat.com (Christian Heimes) Date: Wed, 20 Jan 2016 12:33:42 +0100 Subject: [Freeipa-devel] [PATCH] Added kpasswd_server directive in client krb5.conf In-Reply-To: <569F6C4B.3020300@redhat.com> References: <5677A06C.3080708@redhat.com> <20160104223802.GB21493@redhat.com> <568BA785.4080108@redhat.com> <568CA113.1050507@redhat.com> <569F37B1.7050503@redhat.com> <569F6561.1000001@redhat.com> <569F6C4B.3020300@redhat.com> Message-ID: <569F7096.2080704@redhat.com> On 2016-01-20 12:15, Abhijeet Kasurde wrote: > Hi Christian, > > On 01/20/2016 04:15 PM, Christian Heimes wrote: >> On 2016-01-20 08:30, Abhijeet Kasurde wrote: >>> Ping for review request. >> Hi, >> >> your initial patch has a small problem. Please provide a new patch with >> port 464 instead of 749. >> >> Christian >> >> > Please find the patches for review. ACK -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From mbasti at redhat.com Wed Jan 20 12:51:37 2016 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 20 Jan 2016 13:51:37 +0100 Subject: [Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python In-Reply-To: <569E135D.8010501@redhat.com> References: <568E26DF.6090507@redhat.com> <568E646C.6070003@redhat.com> <5694BA31.8010804@redhat.com> <5694C520.2060905@redhat.com> <5694E0DD.40905@redhat.com> <5694E25D.6060203@redhat.com> <5694F274.1040002@redhat.com> <56950325.80907@redhat.com> <5695166E.40608@redhat.com> <569E135D.8010501@redhat.com> Message-ID: <569F82D9.5000106@redhat.com> On 19.01.2016 11:43, Jan Cholasta wrote: > On 12.1.2016 16:06, Martin Basti wrote: >> >> >> On 12.01.2016 14:44, Jan Cholasta wrote: >>> On 12.1.2016 13:32, Martin Basti wrote: >>>> >>>> >>>> On 12.01.2016 12:24, Jan Cholasta wrote: >>>>> On 12.1.2016 12:17, Martin Basti wrote: >>>>>> >>>>>> >>>>>> On 12.01.2016 10:19, Jan Cholasta wrote: >>>>>>> On 12.1.2016 09:32, Martin Basti wrote: >>>>>>>> >>>>>>>> >>>>>>>> On 07.01.2016 14:13, Jan Cholasta wrote: >>>>>>>>> On 7.1.2016 09:50, Jan Cholasta wrote: >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> the attached patch ports the _ipap11helper module to >>>>>>>>>> python-cffi. >>>>>>>>>> >>>>>>>>>> Combined with my patch 536 [1], this makes ipapython >>>>>>>>>> architecture >>>>>>>>>> independent. >>>>>>>>> >>>>>>>>> Updated patch attached. 
>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> I tried to run DNSSEC tests and it failed unexpectedly: >>>>>>>> >>>>>>>> Jan 12 08:28:06 master.ipa.test >>>>>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]: >>>>>>>> Connected >>>>>>>> Jan 12 08:28:06 master.ipa.test >>>>>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]: >>>>>>>> replica pub keys in LDAP: >>>>>>>> set(['0x51df7c70b9869a7dd2bbd27335dba3f8', >>>>>>>> '0xd8538e634797420ca86cda420234443c']) >>>>>>>> Jan 12 08:28:06 master.ipa.test >>>>>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]: >>>>>>>> replica pub keys in SoftHSM: >>>>>>>> set(['0x51df7c70b9869a7dd2bbd27335dba3f8', >>>>>>>> '0x1f7241a64d69ced6c0a14f6999410c59']) >>>>>>>> Jan 12 08:28:06 master.ipa.test >>>>>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]: >>>>>>>> new replica keys in LDAP: >>>>>>>> set(['0xd8538e634797420ca86cda420234443c']) >>>>>>>> Jan 12 08:28:06 master.ipa.test >>>>>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]: >>>>>>>> label=dnssec-replica:replica1.ipa.test., >>>>>>>> id=d8538e634797420ca86cda420234443c, >>>>>>>> data=30820122300d06092a864886f70d01010105 >>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: Traceback >>>>>>>> (most >>>>>>>> recent call last): >>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File >>>>>>>> "/usr/libexec/ipa/ipa-ods-exporter", line 664, in >>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: >>>>>>>> ldap2master_replica_keys_sync(log, ldapkeydb, localhsm) >>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File >>>>>>>> "/usr/libexec/ipa/ipa-ods-exporter", line 313, in >>>>>>>> ldap2master_replica_keys_sync >>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: >>>>>>>> localhsm.import_public_key(new_key_ldap, >>>>>>>> new_key_ldap['ipapublickey']) >>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File >>>>>>>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py", >>>>>>>> line >>>>>>>> 173, in import_public_key >>>>>>>> Jan 12 
08:28:06 master.ipa.test ipa-ods-exporter[8667]: h = >>>>>>>> self.p11.import_public_key(**params) >>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File >>>>>>>> "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line >>>>>>>> 1498, in >>>>>>>> import_public_key >>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: pkey = >>>>>>>> d2i_PUBKEY(NULL, data_ptr, data_length) >>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: TypeError: >>>>>>>> 'int(*)(EVP_PKEY *, unsigned char * *)' expects 2 arguments, got 3 >>>>>>>> Jan 12 08:28:06 master.ipa.test systemd[1]: >>>>>>>> ipa-ods-exporter.service: >>>>>>>> Main process exited, code=exited, status=1/FAILURE >>>>>>>> Jan 12 08:28:06 master.ipa.test systemd[1]: >>>>>>>> ipa-ods-exporter.service: >>>>>>>> Unit entered failed state. >>>>>>>> Jan 12 08:28:06 master.ipa.test systemd[1]: >>>>>>>> ipa-ods-exporter.service: >>>>>>>> Failed with result 'exit-code'. >>>>>>>> >>>>>>>> I haven't seen any other errors >>>>>>> >>>>>>> Updated patch attached. Added a patch which replaces calls to >>>>>>> libcrypto with calls to python-cryptography. >>>>>>> >>>>>> >>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] Done >>>>>> configuring >>>>>> DNS (named). 
>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] >>>>>> Configuring DNS >>>>>> key synchronization service (ipa-dnskeysyncd) >>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [1/7]: >>>>>> checking >>>>>> status >>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [2/7]: >>>>>> setting >>>>>> up bind-dyndb-ldap working directory >>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [3/7]: >>>>>> setting >>>>>> up kerberos principal >>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [4/7]: >>>>>> setting >>>>>> up SoftHSM >>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [5/7]: adding >>>>>> DNSSEC containers >>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [6/7]: >>>>>> creating >>>>>> replica keys >>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [error] >>>>>> Error: >>>>>> export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed >>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] >>>>>> ipa.ipapython.install.cli.install_tool(Server): ERROR >>>>>> export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed >>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] >>>>>> ipa.ipapython.install.cli.install_tool(Server): ERROR The >>>>>> ipa-server-install command failed. See >>>>>> /var/log/ipaserver-install.log >>>>>> for more information >>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] Exit code: 1 >>>>>> >>>>>> ipa-server-install.log >>>>>> .... 
>>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>>>> line 436, in run_step >>>>>> method() >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", >>>>>> >>>>>> >>>>>> >>>>>> line 342, in __setup_replica_keys >>>>>> public_key_blob = p11.export_public_key(public_key_handle) >>>>>> File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", >>>>>> line >>>>>> 1275, in export_public_key >>>>>> return self._export_RSA_public_key(object) >>>>>> File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", >>>>>> line >>>>>> 1240, in _export_RSA_public_key >>>>>> raise Error("export_RSA_public_key: internal error: " >>>>>> >>>>>> 2016-01-12T11:00:29Z DEBUG The ipa-server-install command failed, >>>>>> exception: Error: export_RSA_public_key: internal error: >>>>>> EVP_PKEY_set1_RSA failed >>>>>> 2016-01-12T11:00:29Z ERROR export_RSA_public_key: internal error: >>>>>> EVP_PKEY_set1_RSA failed >>>>> >>>>> Updated patch 538 attached. 
>>>>>
>>>> Jan 12 12:31:43 master.ipa.test
>>>> /usr/libexec/ipa/ipa-ods-exporter[31178]: Connected
>>>> Jan 12 12:31:44 master.ipa.test
>>>> /usr/libexec/ipa/ipa-ods-exporter[31178]: replica pub keys in LDAP:
>>>> set(['0xf5edad67436d0ed36b75c3a70216fa43',
>>>> '0x7164a931484d505f1e249e3dcbc313e2'])
>>>> Jan 12 12:31:44 master.ipa.test
>>>> /usr/libexec/ipa/ipa-ods-exporter[31178]: replica pub keys in SoftHSM:
>>>> set(['0xf5edad67436d0ed36b75c3a70216fa43',
>>>> '0x7164a931484d505f1e249e3dcbc313e2', '0x28e302ae6b6ee7e9284cd5f6
>>>> Jan 12 12:31:44 master.ipa.test
>>>> /usr/libexec/ipa/ipa-ods-exporter[31178]: new replica keys in LDAP:
>>>> set([])
>>>> Jan 12 12:31:44 master.ipa.test
>>>> /usr/libexec/ipa/ipa-ods-exporter[31178]: obsolete replica keys in
>>>> local
>>>> HSM: set(['0x28e302ae6b6ee7e9284cd5f61aadbbe7'])
>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: Traceback
>>>> (most
>>>> recent call last):
>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File
>>>> "/usr/libexec/ipa/ipa-ods-exporter", line 664, in
>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]:
>>>> ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File
>>>> "/usr/libexec/ipa/ipa-ods-exporter", line 321, in
>>>> ldap2master_replica_keys_sync
>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]:
>>>> localhsm.replica_pubkeys_wrap[key_id]['ipk11wrap'] = False
>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File
>>>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py", line
>>>> 65, in __setitem__
>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: return
>>>> self.p11.set_attribute(self.handle, attrs_name2id[key], value)
>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File
>>>> "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line
>>>> 1661, in
>>>> set_attribute
>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]:
>>>> sizeof(CK_ATTRIBUTE)))
>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: TypeError: an
>>>> integer is required
>>>> Jan 12 12:31:44 master.ipa.test systemd[1]: ipa-ods-exporter.service:
>>>> Main process exited, code=exited, status=1/FAILURE
>>>>
>>>
>>> Updated patch 537 attached.
>>>
>> Jan 12 15:04:10 master.ipa.test
>> /usr/libexec/ipa/ipa-ods-exporter[20652]: Connected
>> Jan 12 15:04:11 master.ipa.test
>> /usr/libexec/ipa/ipa-ods-exporter[20652]: replica pub keys in LDAP:
>> set(['0x0e3dfd7343999d2ea7d17ac4ce15e4ca',
>> '0x9fc77beeb4b8ef33402e4fbb67d9b5e1'])
>> Jan 12 15:04:11 master.ipa.test
>> /usr/libexec/ipa/ipa-ods-exporter[20652]: replica pub keys in SoftHSM:
>> set(['0x0e3dfd7343999d2ea7d17ac4ce15e4ca',
>> '0x9fc77beeb4b8ef33402e4fbb67d9b5e1'])
>> Jan 12 15:04:11 master.ipa.test
>> /usr/libexec/ipa/ipa-ods-exporter[20652]: new replica keys in LDAP:
>> set([])
>> Jan 12 15:04:11 master.ipa.test
>> /usr/libexec/ipa/ipa-ods-exporter[20652]: obsolete replica keys in local
>> HSM: set([])
>> Jan 12 15:04:11 master.ipa.test
>> /usr/libexec/ipa/ipa-ods-exporter[20652]: keys in local HSM & LDAP:
>> set(['0x0e3dfd7343999d2ea7d17ac4ce15e4ca',
>> '0x9fc77beeb4b8ef33402e4fbb67d9b5e1'])
>> Jan 12 15:04:11 master.ipa.test
>> /usr/libexec/ipa/ipa-ods-exporter[20652]: Updating attribute
>> ipk11verifyrecover from "1" to "False"
>> Jan 12 15:04:11 master.ipa.test
>> /usr/libexec/ipa/ipa-ods-exporter[20652]: master keys in local HSM:
>> set([])
>> Jan 12 15:04:11 master.ipa.test
>> /usr/libexec/ipa/ipa-ods-exporter[20652]: master keys in LDAP HSM:
>> set([])
>> Jan 12 15:04:11 master.ipa.test
>> /usr/libexec/ipa/ipa-ods-exporter[20652]: new master keys in local HSM:
>> set([])
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: Traceback (most
>> recent call last):
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>> "/usr/libexec/ipa/ipa-ods-exporter", line 665, in
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]:
>> master2ldap_master_keys_sync(log, ldapkeydb, localhsm)
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>> "/usr/libexec/ipa/ipa-ods-exporter", line 340, in
>> master2ldap_master_keys_sync
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]:
>> ldapkeydb.flush()
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line
>> 311, in flush
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]:
>> self._update_keys()
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line
>> 307, in _update_keys
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]:
>> key._update_key()
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line
>> 179, in _update_key
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]:
>> self._cleanup_key()
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line
>> 170, in _cleanup_key
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: if
>> self.get(attr, empty) == default_attrs[attr]:
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>> "/usr/lib64/python2.7/_abcoll.py", line 382, in get
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: return
>> self[key]
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line
>> 132, in __getitem__
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: val =
>> ldap_bool(val)
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line
>> 39, in ldap_bool
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: raise
>> AssertionError('invalid LDAP boolean "%s"' % val)
>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: AssertionError:
>> invalid LDAP boolean "1"
>> Jan 12 15:04:11 master.ipa.test systemd[1]: ipa-ods-exporter.service:
>> Main process exited, code=exited, status=1/FAILURE
>>
>>
>> You can run the dnssec test, it has been fixed.
>
> Updated patches attached. The test now passes.
>

Hello,

pkcs11helper tests passed
DNSSEC tests passed

1)
Slot is unused argument here:

    def __init__(self, slot, user_pin, library_path):
        self.p11_ptr = new_ptr(CK_FUNCTION_LIST_PTR)
        self.session_ptr = new_ptr(CK_SESSION_HANDLE)

        self.slot = 0

2)
shouldn't string_to_pybytes_or_none raise exception instead of returning None? In C extension returning NULL means error, and exception was raised by python itself when function ends with returning NULL.

in export_wrapped_key method

    result = string_to_pybytes_or_none(wrapped_key, wrapped_key_len_ptr[0])
    return result

In this case method returns None instead of raising exception.

Also I think that in _export_RSA_public_key method, string_to_pybytes_or_none should raise exception when it gets NULL as string too

3)
Is it possible to remove build dependencies added in commit c909690c ?

From mbasti at redhat.com Wed Jan 20 13:06:47 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 20 Jan 2016 14:06:47 +0100
Subject: [Freeipa-devel] [PATCH] Added kpasswd_server directive in client krb5.conf
In-Reply-To: <569F7096.2080704@redhat.com>
References: <5677A06C.3080708@redhat.com> <20160104223802.GB21493@redhat.com> <568BA785.4080108@redhat.com> <568CA113.1050507@redhat.com> <569F37B1.7050503@redhat.com> <569F6561.1000001@redhat.com> <569F6C4B.3020300@redhat.com> <569F7096.2080704@redhat.com>
Message-ID: <569F8667.1080300@redhat.com>

On 20.01.2016 12:33, Christian Heimes wrote:
> On 2016-01-20 12:15, Abhijeet Kasurde wrote:
>> Hi Christian,
>>
>> On 01/20/2016 04:15 PM, Christian Heimes wrote:
>>> On 2016-01-20 08:30, Abhijeet Kasurde wrote:
>>>> Ping for review request.
>>> Hi,
>>>
>>> your initial patch has a small problem. Please provide a new patch with
>>> port 464 instead of 749.
>>>
>>> Christian
>>>
>>>
>> Please find the patches for review.
> ACK
>

Pushed to master: e381d763fa99df80c326b7fa63469d3380b7f08e

I didn't push it to ipa-4-2, ipa-4-3 because ticket is targeted to master only

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbasti at redhat.com Wed Jan 20 13:10:10 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 20 Jan 2016 14:10:10 +0100
Subject: [Freeipa-devel] [PATCH] 945 webui: dislay server suffixes in server search page
In-Reply-To: <569F3589.4070502@redhat.com>
References: <569E7340.4070505@redhat.com> <569F3589.4070502@redhat.com>
Message-ID: <569F8732.7040001@redhat.com>

On 20.01.2016 08:21, Martin Babinsky wrote:
> On 01/19/2016 06:32 PM, Petr Vobornik wrote:
>> [PATCH] webui: dislay server suffixes in server search page
>>
>> There was a change where suffixes in server are no longer returned as
>> DNs but rather a cn of related topology suffix. I.e. they share
>> "memberof" logic. This caused that search page doesn't get the data
>> because it uses "no_member: true" option by default.
>>
>> This patch overrides the behavior because it is OK for server search
>> page to fetch also member data - it is not so costly as e.g. in users.
>>
>> https://fedorahosted.org/freeipa/ticket/5609
>>
>>
> ACK
>

Pushed to:
master: 133b1327e2c6f78a2f8a6f482dbc9f6f66aace11
ipa-4-3: 5bf43edf19b69c1883aa3d55bf6e209f816fb3c1

From mbasti at redhat.com Wed Jan 20 13:19:13 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 20 Jan 2016 14:19:13 +0100
Subject: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver
In-Reply-To: <569669AC.4060605@redhat.com>
References: <1452028501.3830.45.camel@redhat.com> <1452032349.3830.46.camel@redhat.com> <56964AD9.7030604@redhat.com> <1452695411.3356.84.camel@redhat.com> <56965FBE.3010501@redhat.com> <569663F9.8000402@redhat.com> <1452697430.3356.86.camel@redhat.com> <569669AC.4060605@redhat.com>
Message-ID: <569F8951.3080701@redhat.com>

On 13.01.2016 16:13, Martin Basti wrote:
>
>
> On 13.01.2016 16:03, Simo Sorce wrote:
>> On Wed, 2016-01-13 at 15:49 +0100, Martin Basti wrote:
>>> On 13.01.2016 15:31, Martin Babinsky wrote:
>>>> On 01/13/2016 03:30 PM, Simo Sorce wrote:
>>>>> On Wed, 2016-01-13 at 14:02 +0100, Martin Babinsky wrote:
>>>>>> On 01/05/2016 11:19 PM, Simo Sorce wrote:
>>>>>>> On Tue, 2016-01-05 at 16:15 -0500, Simo Sorce wrote:
>>>>>>>> The LDAP context was not checked on the first api call and a
>>>>>>>> context may be null on some error conditions (LDAP server unreachable).
>>>>>>>>
>>>>>>>> Always check that we have a valid context before calling the ldap
>>>>>>>> API.
>>>>>>>>
>>>>>>>> Builds but it is untested.
>>>>>>> Forgot to mention that this bug affects all 4.x versions and should
>>>>>>> probably be backported on all maintained branches.
>>>>>>>
>>>>>>> I opened a bug to track it too:
>>>>>>> https://fedorahosted.org/freeipa/ticket/5577
>>>>>>>
>>>>>>> Simo.
>>>>>>>
>>>>>> ACK. Please include the ticket URL in the commit message.
>>>>>>
>>>>> Could you add it when pushing ?
>>>>>
>>>>> Unless you need some other change in the patch it will be less churn
>>>>> that way.
>>>>>
>>>>> Simo.
>>>>>
>>>> Yes we could. I didn't realize that, sorry for the noise.
>>>>
>>> I do not know where to push it, ticket is still in needs triage, it has
>>> not been decided where it should go.
>> It definitely goes in master. You can push elsewhere as well later.
>>
>> Simo.
>>
> Pushed to master: 2144b1eeb789639b8a3df287b580aeb6196188a8
> Backported to ipa-4-3

Pushed to ipa-4-3: d622c71820809820a6c9bc206914e3e79249006a

From jcholast at redhat.com Wed Jan 20 13:38:52 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 20 Jan 2016 14:38:52 +0100
Subject: [Freeipa-devel] [PATCH 0407] WIP: make-lint migration to config file and pylint plugin due pylint 1.5.2
In-Reply-To: <569E2F8A.5090905@redhat.com>
References: <569E2F8A.5090905@redhat.com>
Message-ID: <569F8DEC.6090701@redhat.com>

Hi,

On 19.1.2016 13:43, Martin Basti wrote:
> New pylint version will break our custom make-lint script again,
> attached patch migrates make-lint to:
> * config file
> * pylint plugin
> which are supported by pylint and should not have regular compatibility
> issues
>
> to test new approach run ./make-lint2
>
> Advantages:
> * compatibility with pylint
> * works on both pylint-1.4.3-3.fc23.noarch and pylint-1.5.2-1.fc24.noarch
> * pylint plugin works in different way than the previous custom checker.
> Missing ("dynamic") attributes are added to abstract syntax tree instead
> of ignoring them and all their sub-members. This makes check better,
> pylint can detect more typos in tests configurations, api, env, etc..
>
> Disadvantages:
> * any new attribute in api, test config, etc.. must be added to
> definition of missing members (pylint plugin) - this should not happen
> too often

1) Please "mv pylint_plugins/fix_ipa_members.py pylint_plugins.py" and "rm -rf pylint_plugins/", no need for this redundant directory structure.

2) Rename pylintrc to freeipa.pylintrc so you have to always specify it explicitly with --rcfile.

3) Use the load-plugins directive in freeipa.pylintrc to load the plugins rather than --load-plugins.

4) Instead of running pylint twice, run it only once with both normal and Python 3 checks enabled:

    [MESSAGE CONTROL]
    enable=all,python3
    disable=...,no-absolute-import

>
>
> Q&TODO:
> * make-lint: should it be just bash script or rather python script?

IMO neither, it should be a make target (make lint).

> * add dynamic detection of python files to be checked

You can use "find . -type f -executable ! -path \*/.\* ! -name \*.py\* -exec grep -lsm1 '^#!.*\bpython' \{\} \;".

> * should I keep the current options from original make-lint?

No, but allow pylint options to be overridable (make lint PYLINTFLAGS="--disable=python3")

> * several false positive errors I haven't been able to fix in plugin
> yet, in worst case they can be locally disabled:

Disable them locally.

Honza

--
Jan Cholasta

From jcholast at redhat.com Wed Jan 20 14:36:25 2016
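A lint driver in the shape Honza describes above, as an added example that is not FreeIPA's make-lint nor the patch under review: it discovers the files to check with the same find-plus-shebang-grep approach (so extension-less scripts such as ipa-* tools are covered), runs pylint once against freeipa.pylintrc, and leaves the options overridable through PYLINTFLAGS. The function names, the constructed sample tree and the use of -perm -100 instead of GNU find's -executable are my assumptions.

```shell
#!/bin/sh
# Added example, not FreeIPA's make-lint: a small lint driver with a single
# pylint run, an explicit rcfile and overridable PYLINTFLAGS.
set -e

# List the Python sources under DIR (default: .), one path per line, sorted:
#  - *.py files outside hidden directories such as .git
#  - executables without a .py suffix whose shebang names python
#    (grep -l prints matching file names, -s hides unreadable files,
#    -m1 stops at the first match).
# Assumption: -perm -100 (owner execute bit) stands in for GNU find's
# -executable so the block also runs on non-GNU find.
find_python_sources() {
    dir="${1:-.}"
    {
        find "$dir" -type f -name '*.py' ! -path '*/.*'
        find "$dir" -type f -perm -100 ! -path '*/.*' ! -name '*.py*' \
            -exec grep -lsm1 '^#!.*python' {} \;
    } | sort
}

# Run pylint once over everything found. The plugin and the python3 checks
# come from freeipa.pylintrc (load-plugins / enable=all,python3); PYLINTFLAGS
# is appended so a caller can override, e.g.
#   PYLINTFLAGS="--disable=python3" ./lint.sh
# Not invoked below: it needs pylint and a freeipa.pylintrc inside DIR.
run_lint() {
    dir="${1:-.}"
    find_python_sources "$dir" |
        xargs pylint --rcfile="$dir/freeipa.pylintrc" ${PYLINTFLAGS:-}
}

# Build a constructed sample tree under DIR that exercises each discovery
# rule (hypothetical file names, not FreeIPA's layout).
make_sample_tree() {
    dir="$1"
    mkdir -p "$dir/lib" "$dir/bin" "$dir/.git"
    printf 'x = 1\n' > "$dir/lib/mod.py"                       # ordinary module
    printf '#!/usr/bin/python2\nprint(1)\n' > "$dir/bin/ipa-tool"  # script, no .py
    printf '#!/bin/sh\necho hi\n' > "$dir/bin/run.sh"          # executable, not python
    printf '#!/usr/bin/python2\n' > "$dir/bin/notes.py.txt"    # dropped by ! -name '*.py*'
    printf 'y = 2\n' > "$dir/.git/hook.py"                     # hidden directory, skipped
    chmod 755 "$dir/bin/ipa-tool" "$dir/bin/run.sh" "$dir/bin/notes.py.txt"
}

# Demonstration on a throwaway tree: lists bin/ipa-tool and lib/mod.py only.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
find_python_sources "$demo_dir"
rm -rf "$demo_dir"
```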
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 20 Jan 2016 15:36:25 +0100
Subject: [Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python
In-Reply-To: <569F82D9.5000106@redhat.com>
References: <568E26DF.6090507@redhat.com> <568E646C.6070003@redhat.com> <5694BA31.8010804@redhat.com> <5694C520.2060905@redhat.com> <5694E0DD.40905@redhat.com> <5694E25D.6060203@redhat.com> <5694F274.1040002@redhat.com> <56950325.80907@redhat.com> <5695166E.40608@redhat.com> <569E135D.8010501@redhat.com> <569F82D9.5000106@redhat.com>
Message-ID: <569F9B69.3060701@redhat.com>

On 20.1.2016 13:51, Martin Basti wrote:
>
>
> On 19.01.2016 11:43, Jan Cholasta wrote:
>> On 12.1.2016 16:06, Martin Basti wrote:
>>>
>>>
>>> On 12.01.2016 14:44, Jan Cholasta wrote:
>>>> On 12.1.2016 13:32, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 12.01.2016 12:24, Jan Cholasta wrote:
>>>>>> On 12.1.2016 12:17, Martin Basti wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 12.01.2016 10:19, Jan Cholasta wrote:
>>>>>>>> On 12.1.2016 09:32, Martin Basti wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 07.01.2016 14:13, Jan Cholasta wrote:
>>>>>>>>>> On 7.1.2016 09:50, Jan Cholasta wrote:
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> the attached patch ports the _ipap11helper module to
>>>>>>>>>>> python-cffi.
>>>>>>>>>>>
>>>>>>>>>>> Combined with my patch 536 [1], this makes ipapython
>>>>>>>>>>> architecture
>>>>>>>>>>> independent.
>>>>>>>>>>
>>>>>>>>>> Updated patch attached.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> I tried to run DNSSEC tests and it failed unexpectedly:
>>>>>>>>>
>>>>>>>>> Jan 12 08:28:06 master.ipa.test
>>>>>>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]:
>>>>>>>>> Connected
>>>>>>>>> Jan 12 08:28:06 master.ipa.test
>>>>>>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]:
>>>>>>>>> replica pub keys in LDAP:
>>>>>>>>> set(['0x51df7c70b9869a7dd2bbd27335dba3f8',
>>>>>>>>> '0xd8538e634797420ca86cda420234443c'])
>>>>>>>>> Jan 12 08:28:06 master.ipa.test
>>>>>>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]:
>>>>>>>>> replica pub keys in SoftHSM:
>>>>>>>>> set(['0x51df7c70b9869a7dd2bbd27335dba3f8',
>>>>>>>>> '0x1f7241a64d69ced6c0a14f6999410c59'])
>>>>>>>>> Jan 12 08:28:06 master.ipa.test
>>>>>>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]:
>>>>>>>>> new replica keys in LDAP:
>>>>>>>>> set(['0xd8538e634797420ca86cda420234443c'])
>>>>>>>>> Jan 12 08:28:06 master.ipa.test
>>>>>>>>> /usr/libexec/ipa/ipa-ods-exporter[8667]:
>>>>>>>>> label=dnssec-replica:replica1.ipa.test.,
>>>>>>>>> id=d8538e634797420ca86cda420234443c,
>>>>>>>>> data=30820122300d06092a864886f70d01010105
>>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: Traceback
>>>>>>>>> (most
>>>>>>>>> recent call last):
>>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File
>>>>>>>>> "/usr/libexec/ipa/ipa-ods-exporter", line 664, in
>>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:
>>>>>>>>> ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
>>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File
>>>>>>>>> "/usr/libexec/ipa/ipa-ods-exporter", line 313, in
>>>>>>>>> ldap2master_replica_keys_sync
>>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]:
>>>>>>>>> localhsm.import_public_key(new_key_ldap,
>>>>>>>>> new_key_ldap['ipapublickey'])
>>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File
>>>>>>>>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py",
>>>>>>>>> line
>>>>>>>>> 173, in import_public_key
>>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: h =
>>>>>>>>> self.p11.import_public_key(**params)
>>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File
>>>>>>>>> "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line
>>>>>>>>> 1498, in
>>>>>>>>> import_public_key
>>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: pkey =
>>>>>>>>> d2i_PUBKEY(NULL, data_ptr, data_length)
>>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: TypeError:
>>>>>>>>> 'int(*)(EVP_PKEY *, unsigned char * *)' expects 2 arguments, got 3
>>>>>>>>> Jan 12 08:28:06 master.ipa.test systemd[1]:
>>>>>>>>> ipa-ods-exporter.service:
>>>>>>>>> Main process exited, code=exited, status=1/FAILURE
>>>>>>>>> Jan 12 08:28:06 master.ipa.test systemd[1]:
>>>>>>>>> ipa-ods-exporter.service:
>>>>>>>>> Unit entered failed state.
>>>>>>>>> Jan 12 08:28:06 master.ipa.test systemd[1]:
>>>>>>>>> ipa-ods-exporter.service:
>>>>>>>>> Failed with result 'exit-code'.
>>>>>>>>>
>>>>>>>>> I haven't seen any other errors
>>>>>>>>
>>>>>>>> Updated patch attached. Added a patch which replaces calls to
>>>>>>>> libcrypto with calls to python-cryptography.
>>>>>>>>
>>>>>>>
>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] Done
>>>>>>> configuring
>>>>>>> DNS (named).
>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10]
>>>>>>> Configuring DNS
>>>>>>> key synchronization service (ipa-dnskeysyncd)
>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [1/7]:
>>>>>>> checking
>>>>>>> status
>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [2/7]:
>>>>>>> setting
>>>>>>> up bind-dyndb-ldap working directory
>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [3/7]:
>>>>>>> setting
>>>>>>> up kerberos principal
>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [4/7]:
>>>>>>> setting
>>>>>>> up SoftHSM
>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [5/7]: adding
>>>>>>> DNSSEC containers
>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [6/7]:
>>>>>>> creating
>>>>>>> replica keys
>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [error]
>>>>>>> Error:
>>>>>>> export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10]
>>>>>>> ipa.ipapython.install.cli.install_tool(Server): ERROR
>>>>>>> export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10]
>>>>>>> ipa.ipapython.install.cli.install_tool(Server): ERROR The
>>>>>>> ipa-server-install command failed. See
>>>>>>> /var/log/ipaserver-install.log
>>>>>>> for more information
>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] Exit code: 1
>>>>>>>
>>>>>>> ipa-server-install.log
>>>>>>> ....
>>>>>>> File
>>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>>>>> line 436, in run_step
>>>>>>> method()
>>>>>>> File
>>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
>>>>>>> line 342, in __setup_replica_keys
>>>>>>> public_key_blob = p11.export_public_key(public_key_handle)
>>>>>>> File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py",
>>>>>>> line
>>>>>>> 1275, in export_public_key
>>>>>>> return self._export_RSA_public_key(object)
>>>>>>> File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py",
>>>>>>> line
>>>>>>> 1240, in _export_RSA_public_key
>>>>>>> raise Error("export_RSA_public_key: internal error: "
>>>>>>>
>>>>>>> 2016-01-12T11:00:29Z DEBUG The ipa-server-install command failed,
>>>>>>> exception: Error: export_RSA_public_key: internal error:
>>>>>>> EVP_PKEY_set1_RSA failed
>>>>>>> 2016-01-12T11:00:29Z ERROR export_RSA_public_key: internal error:
>>>>>>> EVP_PKEY_set1_RSA failed
>>>>>>
>>>>>> Updated patch 538 attached.
>>>>>>
>>>>> Jan 12 12:31:43 master.ipa.test
>>>>> /usr/libexec/ipa/ipa-ods-exporter[31178]: Connected
>>>>> Jan 12 12:31:44 master.ipa.test
>>>>> /usr/libexec/ipa/ipa-ods-exporter[31178]: replica pub keys in LDAP:
>>>>> set(['0xf5edad67436d0ed36b75c3a70216fa43',
>>>>> '0x7164a931484d505f1e249e3dcbc313e2'])
>>>>> Jan 12 12:31:44 master.ipa.test
>>>>> /usr/libexec/ipa/ipa-ods-exporter[31178]: replica pub keys in SoftHSM:
>>>>> set(['0xf5edad67436d0ed36b75c3a70216fa43',
>>>>> '0x7164a931484d505f1e249e3dcbc313e2', '0x28e302ae6b6ee7e9284cd5f6
>>>>> Jan 12 12:31:44 master.ipa.test
>>>>> /usr/libexec/ipa/ipa-ods-exporter[31178]: new replica keys in LDAP:
>>>>> set([])
>>>>> Jan 12 12:31:44 master.ipa.test
>>>>> /usr/libexec/ipa/ipa-ods-exporter[31178]: obsolete replica keys in
>>>>> local
>>>>> HSM: set(['0x28e302ae6b6ee7e9284cd5f61aadbbe7'])
>>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: Traceback
>>>>> (most
>>>>> recent call last):
>>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File
>>>>> "/usr/libexec/ipa/ipa-ods-exporter", line 664, in
>>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]:
>>>>> ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
>>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File
>>>>> "/usr/libexec/ipa/ipa-ods-exporter", line 321, in
>>>>> ldap2master_replica_keys_sync
>>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]:
>>>>> localhsm.replica_pubkeys_wrap[key_id]['ipk11wrap'] = False
>>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File
>>>>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py", line
>>>>> 65, in __setitem__
>>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: return
>>>>> self.p11.set_attribute(self.handle, attrs_name2id[key], value)
>>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File
>>>>> "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line
>>>>> 1661, in
>>>>> set_attribute
>>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]:
>>>>> sizeof(CK_ATTRIBUTE)))
>>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: TypeError: an
>>>>> integer is required
>>>>> Jan 12 12:31:44 master.ipa.test systemd[1]: ipa-ods-exporter.service:
>>>>> Main process exited, code=exited, status=1/FAILURE
>>>>>
>>>>
>>>> Updated patch 537 attached.
>>>>
>>> Jan 12 15:04:10 master.ipa.test
>>> /usr/libexec/ipa/ipa-ods-exporter[20652]: Connected
>>> Jan 12 15:04:11 master.ipa.test
>>> /usr/libexec/ipa/ipa-ods-exporter[20652]: replica pub keys in LDAP:
>>> set(['0x0e3dfd7343999d2ea7d17ac4ce15e4ca',
>>> '0x9fc77beeb4b8ef33402e4fbb67d9b5e1'])
>>> Jan 12 15:04:11 master.ipa.test
>>> /usr/libexec/ipa/ipa-ods-exporter[20652]: replica pub keys in SoftHSM:
>>> set(['0x0e3dfd7343999d2ea7d17ac4ce15e4ca',
>>> '0x9fc77beeb4b8ef33402e4fbb67d9b5e1'])
>>> Jan 12 15:04:11 master.ipa.test
>>> /usr/libexec/ipa/ipa-ods-exporter[20652]: new replica keys in LDAP:
>>> set([])
>>> Jan 12 15:04:11 master.ipa.test
>>> /usr/libexec/ipa/ipa-ods-exporter[20652]: obsolete replica keys in local
>>> HSM: set([])
>>> Jan 12 15:04:11 master.ipa.test
>>> /usr/libexec/ipa/ipa-ods-exporter[20652]: keys in local HSM & LDAP:
>>> set(['0x0e3dfd7343999d2ea7d17ac4ce15e4ca',
>>> '0x9fc77beeb4b8ef33402e4fbb67d9b5e1'])
>>> Jan 12 15:04:11 master.ipa.test
>>> /usr/libexec/ipa/ipa-ods-exporter[20652]: Updating attribute
>>> ipk11verifyrecover from "1" to "False"
>>> Jan 12 15:04:11 master.ipa.test
>>> /usr/libexec/ipa/ipa-ods-exporter[20652]: master keys in local HSM:
>>> set([])
>>> Jan 12 15:04:11 master.ipa.test
>>> /usr/libexec/ipa/ipa-ods-exporter[20652]: master keys in LDAP HSM:
>>> set([])
>>> Jan 12 15:04:11 master.ipa.test
>>> /usr/libexec/ipa/ipa-ods-exporter[20652]: new master keys in local HSM:
>>> set([])
>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: Traceback (most
>>> recent call last):
>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>>> "/usr/libexec/ipa/ipa-ods-exporter", line 665, in
>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]:
>>> master2ldap_master_keys_sync(log, ldapkeydb, localhsm)
>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>>> "/usr/libexec/ipa/ipa-ods-exporter", line 340, in
>>> master2ldap_master_keys_sync
>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]:
>>> ldapkeydb.flush()
>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line
>>> 311, in flush
>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]:
>>> self._update_keys()
>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line
>>> 307, in _update_keys
>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]:
>>> key._update_key()
>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line
>>> 179, in _update_key
>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]:
>>> self._cleanup_key()
>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line
>>> 170, in _cleanup_key
>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: if
>>> self.get(attr, empty) == default_attrs[attr]:
>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>>> "/usr/lib64/python2.7/_abcoll.py", line 382, in get
>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: return
>>> self[key]
>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line
>>> 132, in __getitem__
>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: val =
>>> ldap_bool(val)
>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File
>>> "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line
>>> 39, in ldap_bool
>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: raise
>>> AssertionError('invalid LDAP boolean "%s"' % val)
>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: AssertionError:
>>> invalid LDAP boolean "1"
>>> Jan 12 15:04:11 master.ipa.test systemd[1]: ipa-ods-exporter.service:
>>> Main process exited, code=exited, status=1/FAILURE
>>>
>>>
>>> You can run the dnssec test, it has been fixed.
>>
>> Updated patches attached. The test now passes.
>>
> Hello,
>
> pkcs11helper tests passed
> DNSSEC tests passed
>
> 1)
> Slot is unused argument here:
>
>     def __init__(self, slot, user_pin, library_path):
>         self.p11_ptr = new_ptr(CK_FUNCTION_LIST_PTR)
>         self.session_ptr = new_ptr(CK_SESSION_HANDLE)
>
>         self.slot = 0

Fixed.

>
> 2)
> shouldn't string_to_pybytes_or_none raise exception instead of returning
> None? In C extension returning NULL means error, and exception was
> raised by python itself when function ends with returning NULL.
>
> in export_wrapped_key method
>
>     result = string_to_pybytes_or_none(wrapped_key,
>                                        wrapped_key_len_ptr[0])
>     return result
>
> In this case method returns None instead of raising exception.
>
> Also I think that in _export_RSA_public_key method,
> string_to_pybytes_or_none should raise exception when it gets NULL as
> string too

This is exactly how it behaves in the original C code, so I'm not changing it.

I noticed I don't return None in _export_RSA_public_key in case of encoding failure. Fixed.

>
> 3)
> Is it possible to remove build dependencies added in commit c909690c ?

Removed, except for openssl-devel, which is used elsewhere.

Updated patches attached.

--
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-537.6-ipapython-port-p11helper-C-code-to-Python.patch
Type: text/x-patch
Size: 163635 bytes
Desc: not available
URL:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-538.3-ipapython-use-python-cryptography-instead-of-libcryp.patch
Type: text/x-patch
Size: 15136 bytes
Desc: not available
URL:

From simo at redhat.com Wed Jan 20 14:45:01 2016
From: simo at redhat.com (Simo Sorce)
Date: Wed, 20 Jan 2016 09:45:01 -0500
Subject: [Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails
In-Reply-To: <569F4862.7010201@redhat.com>
References: <568E945F.3030605@redhat.com> <568E949B.1090300@redhat.com> <56961965.9050309@redhat.com> <56967BD8.1000109@redhat.com> <1452807096.3356.182.camel@redhat.com> <5698E793.9090400@redhat.com> <1452873425.3356.192.camel@redhat.com> <56992C6A.7060106@redhat.com> <569F4862.7010201@redhat.com>
Message-ID: <1453301101.6970.88.camel@redhat.com>

On Wed, 2016-01-20 at 09:42 +0100, Martin Babinsky wrote:
> On 01/15/2016 06:29 PM, Martin Babinsky wrote:
> > On 01/15/2016 04:57 PM, Simo Sorce wrote:
> >> On Fri, 2016-01-15 at 13:35 +0100, Martin Babinsky wrote:
> >>> On 01/14/2016 10:31 PM, Simo Sorce wrote:
> >>>> On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote:
> >>>>> On 01/13/2016 10:31 AM, Martin Babinsky wrote:
> >>>>>> On 01/07/2016 05:38 PM, Martin Babinsky wrote:
> >>>>>>> On 01/07/2016 05:37 PM, Martin Babinsky wrote:
> >>>>>>>> https://fedorahosted.org/freeipa/ticket/5584
> >>>>>>>>
> >>>>>>> And the patch is here.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>> self-NACK, there may be a better way to handle this. I will do some
> >>>>>> investigation and send updated patch.
> >>>>>>
> >>>>> Attaching updated patch.
> >>>>
> >>>> A failure to obtain a tgt may be due to other reasons (for example the
> >>>> KDC crashed), why are you trying to use this test ?
> >>>> Isn't it sufficient to see there is no host entry in the directory ?
> >>>>
> >>>> Simo.
> >>>>
> >>> There were some corner cases I encountered, mostly concerning a cleanup
> >>> after unsuccessful replica promotion.
> >>>
> >>> You may sometimes end up in a state where local DS is working, but KDC
> >>> crashed and the krb5.conf is still pointing at a remote one. In that
> >>> case "malformed" replica's local host entry exists, but when such host
> >>> tries to get TGT, the AS-REQ goes to remote KDC from other master.
> >>>
> >>> However, if the admin had in the mean time cleaned up this host's
> >>> kerberos principals/keys, the crashed replica gets one of the following
> >>> errors:
> >>>
> >>> Client not found in Kerberos database
> >>> Client credentials have been revoked
> >>> Generic preauthentication failure
> >>>
> >>> These were printed out as errors during uninstall, but were actually
> >>> expected in situation like this. It is true that the code should check
> >>> and ignore these specific errors.
> >>
> >> Only the first is valid for your case, the others may be transient
> >> errors.
> >>
> >> Simo.
> >>
> >>
> > True, attaching updated patch. The other errors will now pop out in the
> > output and the warning will be displayed.
> >
> >
> >
> >
> Bump for review.
>

LGTM

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From mbasti at redhat.com Wed Jan 20 16:45:07 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 20 Jan 2016 17:45:07 +0100
Subject: [Freeipa-devel] [PATCH 0022] topology plugin prevents deletes but does not prevent moddn
In-Reply-To: <566AC814.8010108@redhat.com>
References: <566AC814.8010108@redhat.com>
Message-ID: <569FB993.3040908@redhat.com>

On 11.12.2015 13:56, Ludwig Krispenz wrote:
> Ticket: https://fedorahosted.org/freeipa/ticket/5536
>
> Patch attached.
>
>

Patch works, I cannot move entry out of container via moddn operation.

I have question, is it expected to be able to rename entry? I tried it and I was able to change RDN

    #!RESULT OK
    #!CONNECTION ldap://vm-058-138.abc.idm.lab.eng.brq.redhat.com:636
    #!DATE 2016-01-20T16:28:18.702
    dn: cn=vm-058-137.abc.idm.lab.eng.brq.redhat.com-to-vm-058-138.abc.idm.lab.eng
     .brq.redhat.com,cn=domain,cn=topology,cn=ipa,cn=etc,dc=dom-138,dc=abc,dc=idm,
     dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
    changetype: moddn
    newrdn: cn=vm-058-137.abc.idm.lab.eng.brq.redhat.com-to-vm-058-138.abc.idm.lab
     .eng.brq.redhat
    deleteoldrdn: 1
    newsuperior: cn=domain,cn=topology,cn=ipa,cn=etc,dc=dom-138,dc=abc,dc=idm,dc=l
     ab,dc=eng,dc=brq,dc=redhat,dc=com

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From pvoborni at redhat.com Wed Jan 20 17:40:10 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 20 Jan 2016 18:40:10 +0100
Subject: [Freeipa-devel] [PATCH] Fixed login error message box in LoginScreen page
In-Reply-To: <569F379B.1000101@redhat.com>
References: <5680DF64.4060808@redhat.com> <569F379B.1000101@redhat.com>
Message-ID: <569FC67A.8090704@redhat.com>

On 01/20/2016 08:30 AM, Abhijeet Kasurde wrote:
> Ping for review request.
>
> On 12/28/2015 12:36 PM, Abhijeet Kasurde wrote:
>> Hi All,
>>
>> Please review patches attached.

ACK

Pushed to:
master: d9983d8ec651166801cd9fac54378bdd527398a4
ipa-4-2: fc2a4d5366982e8103348293fb75c6b3099b1fbd
ipa-4-3: 9f7146e98e53aef868a10ee2d8df4264d43dda63

>>
>> Thanks,
>> Abhijeet Kasurde

--
Petr Vobornik

From pvoborni at redhat.com Wed Jan 20 17:42:50 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 20 Jan 2016 18:42:50 +0100
Subject: [Freeipa-devel] [PATCH] 946 webui: fixed showing of success message after password change on login
Message-ID: <569FC71A.2020705@redhat.com>

similar issue and cause as in https://fedorahosted.org/freeipa/ticket/5567

root cause is that binding triggers validation which clears messages in validation summary. Maybe it could be refactored in a future to not use the same validation summary field for API calls and fields.

If you think it is actually ticket #5567 (could be in some point of view) then feel free to push also to 4.2 and 4.3 branch.

--
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0946-webui-fixed-showing-of-success-message-after-passwor.patch
Type: text/x-patch
Size: 1654 bytes
Desc: not available
URL:

From pvoborni at redhat.com Wed Jan 20 17:52:47 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 20 Jan 2016 18:52:47 +0100
Subject: [Freeipa-devel] [Freeipa-users] IE10 Dialogs close on Enter keypress
In-Reply-To:
References:
Message-ID: <569FC96F.6010909@redhat.com>

On 01/07/2016 06:11 AM, Jim Groffen wrote:
> Hello,
>
> I found that when running FreeIPA Web UI on IE10 that modal dialogs close
> when enter is pressed. Normal functionality is to 'submit' the dialog on an
> enter keypress.
>
> I found a solution by adding a type="button" attribute to the close button
> of the dialog (in /install/ui/src/freeipa/dialog.js).
>
> I have tested on recent Chrome, IE and Firefox versions as well as on IE10.
> Seems to be no side-effects.
>
> Attached is a patch showing the change I made. Apologies if the patch isn't
> formatted correctly.
>
> Regards,
>
> Jim G
>

Thanks for the patch. Looks good - ACK

was pushed to master branch
https://fedorahosted.org/freeipa/changeset/f5f5c8c603e95d246d2cde92f56959fedba4666d

--
Petr Vobornik

From pvoborni at redhat.com Wed Jan 20 18:02:42 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 20 Jan 2016 19:02:42 +0100
Subject: [Freeipa-devel] [PATCH] 947 webui: use API call ca_is_enabled instead of enable_ra env variable.
Message-ID: <569FCBC2.6020100@redhat.com>

To be consistent with backend code.

https://fedorahosted.org/freeipa/ticket/5622

--
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0947-webui-use-API-call-ca_is_enabled-instead-of-enable_r.patch
Type: text/x-patch
Size: 2173 bytes
Desc: not available
URL:

From lkrispen at redhat.com Thu Jan 21 08:11:45 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 21 Jan 2016 09:11:45 +0100
Subject: [Freeipa-devel] [PATCH 0022] topology plugin prevents deletes but does not prevent moddn
In-Reply-To: <569FB993.3040908@redhat.com>
References: <566AC814.8010108@redhat.com> <569FB993.3040908@redhat.com>
Message-ID: <56A092C1.1050609@redhat.com>

On 01/20/2016 05:45 PM, Martin Basti wrote:
>
> On 11.12.2015 13:56, Ludwig Krispenz wrote:
>> Ticket: https://fedorahosted.org/freeipa/ticket/5536
>>
>> Patch attached.
>>
> The patch works, I cannot move an entry out of the container via a moddn operation.
>
> I have a question, is it expected to be able to rename an entry?
> I tried it and I was able to change the RDN

Yes, that should be fine, it cannot change the connectivity.

>
> #!RESULT OK
> #!CONNECTION ldap://vm-058-138.abc.idm.lab.eng.brq.redhat.com:636
> #!DATE 2016-01-20T16:28:18.702
> dn: cn=vm-058-137.abc.idm.lab.eng.brq.redhat.com-to-vm-058-138.abc.idm.lab.eng.brq.redhat.com,cn=domain,cn=topology,cn=ipa,cn=etc,dc=dom-138,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
> changetype: moddn
> newrdn: cn=vm-058-137.abc.idm.lab.eng.brq.redhat.com-to-vm-058-138.abc.idm.lab.eng.brq.redhat
> deleteoldrdn: 1
> newsuperior: cn=domain,cn=topology,cn=ipa,cn=etc,dc=dom-138,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com

From jcholast at redhat.com Thu Jan 21 09:27:53 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 21 Jan 2016 10:27:53 +0100
Subject: [Freeipa-devel] [PATCH 540] cert renewal: import all external CA certs on IPA CA cert renewal
Message-ID: <56A0A499.1090809@redhat.com>

Hi,

the attached patch fixes .

Honza

-- 
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-540-cert-renewal-import-all-external-CA-certs-on-IPA-CA-.patch
Type: text/x-patch
Size: 2639 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-540.0.4_2-cert-renewal-import-all-external-CA-certs-on-IPA-CA-.patch
Type: text/x-patch
Size: 2643 bytes

From tbordaz at redhat.com Thu Jan 21 09:30:31 2016
From: tbordaz at redhat.com (thierry bordaz)
Date: Thu, 21 Jan 2016 10:30:31 +0100
Subject: [Freeipa-devel] [PATCH 0022] topology plugin prevents deletes but does not prevent moddn
In-Reply-To: <56A092C1.1050609@redhat.com>
References: <566AC814.8010108@redhat.com> <569FB993.3040908@redhat.com> <56A092C1.1050609@redhat.com>
Message-ID: <56A0A537.4050203@redhat.com>

Hi,

The fix looks good.
Just a question, the target entry is checked with ipa_topo_check_entry_type. Is it equivalent to calling ipa_topo_is_entry_managed?

thanks
thierry

On 01/21/2016 09:11 AM, Ludwig Krispenz wrote:
>
> On 01/20/2016 05:45 PM, Martin Basti wrote:
>>
>> On 11.12.2015 13:56, Ludwig Krispenz wrote:
>>> Ticket: https://fedorahosted.org/freeipa/ticket/5536
>>>
>>> Patch attached.
>>>
>> The patch works, I cannot move an entry out of the container via a moddn operation.
>>
>> I have a question, is it expected to be able to rename an entry?
>> I tried it and I was able to change the RDN
> Yes, that should be fine, it cannot change the connectivity.
>>
>> #!RESULT OK
>> #!CONNECTION ldap://vm-058-138.abc.idm.lab.eng.brq.redhat.com:636
>> #!DATE 2016-01-20T16:28:18.702
>> dn: cn=vm-058-137.abc.idm.lab.eng.brq.redhat.com-to-vm-058-138.abc.idm.lab.eng.brq.redhat.com,cn=domain,cn=topology,cn=ipa,cn=etc,dc=dom-138,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>> changetype: moddn
>> newrdn: cn=vm-058-137.abc.idm.lab.eng.brq.redhat.com-to-vm-058-138.abc.idm.lab.eng.brq.redhat
>> deleteoldrdn: 1
>> newsuperior: cn=domain,cn=topology,cn=ipa,cn=etc,dc=dom-138,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>
>

From mbasti at redhat.com Thu Jan 21 09:42:56 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 21 Jan 2016 10:42:56 +0100
Subject: [Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python
In-Reply-To: <569F9B69.3060701@redhat.com>
References: <568E26DF.6090507@redhat.com> <568E646C.6070003@redhat.com> <5694BA31.8010804@redhat.com> <5694C520.2060905@redhat.com> <5694E0DD.40905@redhat.com> <5694E25D.6060203@redhat.com> <5694F274.1040002@redhat.com> <56950325.80907@redhat.com> <5695166E.40608@redhat.com> <569E135D.8010501@redhat.com> <569F82D9.5000106@redhat.com> <569F9B69.3060701@redhat.com>
Message-ID: <56A0A820.3070808@redhat.com>

On 20.01.2016 15:36, Jan Cholasta wrote:
> On 20.1.2016 13:51, Martin Basti wrote:
>>
>> On 19.01.2016 11:43, Jan Cholasta wrote:
>>> On 12.1.2016 16:06, Martin Basti wrote:
>>>>
>>>> On 12.01.2016 14:44, Jan Cholasta wrote:
>>>>> On 12.1.2016 13:32, Martin Basti wrote:
>>>>>>
>>>>>> On 12.01.2016 12:24, Jan Cholasta wrote:
>>>>>>> On 12.1.2016 12:17, Martin Basti wrote:
>>>>>>>>
>>>>>>>> On 12.01.2016 10:19, Jan Cholasta wrote:
>>>>>>>>> On 12.1.2016 09:32, Martin Basti wrote:
>>>>>>>>>>
>>>>>>>>>> On 07.01.2016 14:13, Jan Cholasta wrote:
>>>>>>>>>>> On 7.1.2016 09:50, Jan Cholasta wrote:
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> the attached patch ports the _ipap11helper module to python-cffi.
>>>>>>>>>>>>
>>>>>>>>>>>> Combined with my patch 536 [1], this makes ipapython architecture independent.
>>>>>>>>>>>
>>>>>>>>>>> Updated patch attached.
>>>>>>>>>>>
>>>>>>>>>> I tried to run the DNSSEC tests and they failed unexpectedly:
>>>>>>>>>>
>>>>>>>>>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: Connected
>>>>>>>>>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: replica pub keys in LDAP: set(['0x51df7c70b9869a7dd2bbd27335dba3f8', '0xd8538e634797420ca86cda420234443c'])
>>>>>>>>>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: replica pub keys in SoftHSM: set(['0x51df7c70b9869a7dd2bbd27335dba3f8', '0x1f7241a64d69ced6c0a14f6999410c59'])
>>>>>>>>>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: new replica keys in LDAP: set(['0xd8538e634797420ca86cda420234443c'])
>>>>>>>>>> Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: label=dnssec-replica:replica1.ipa.test., id=d8538e634797420ca86cda420234443c, data=30820122300d06092a864886f70d01010105
>>>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: Traceback (most recent call last):
>>>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File "/usr/libexec/ipa/ipa-ods-exporter", line 664, in
>>>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
>>>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File "/usr/libexec/ipa/ipa-ods-exporter", line 313, in ldap2master_replica_keys_sync
>>>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: localhsm.import_public_key(new_key_ldap, new_key_ldap['ipapublickey'])
>>>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py", line 173, in import_public_key
>>>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: h = self.p11.import_public_key(**params)
>>>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1498, in import_public_key
>>>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: pkey = d2i_PUBKEY(NULL, data_ptr, data_length)
>>>>>>>>>> Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: TypeError: 'int(*)(EVP_PKEY *, unsigned char * *)' expects 2 arguments, got 3
>>>>>>>>>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: Main process exited, code=exited, status=1/FAILURE
>>>>>>>>>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: Unit entered failed state.
>>>>>>>>>> Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: Failed with result 'exit-code'.
>>>>>>>>>>
>>>>>>>>>> I haven't seen any other errors
>>>>>>>>>
>>>>>>>>> Updated patch attached. Added a patch which replaces calls to libcrypto with calls to python-cryptography.
>>>>>>>>>
>>>>>>>>
>>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] Done configuring DNS (named).
>>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] Configuring DNS key synchronization service (ipa-dnskeysyncd)
>>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [1/7]: checking status
>>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [2/7]: setting up bind-dyndb-ldap working directory
>>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [3/7]: setting up kerberos principal
>>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [4/7]: setting up SoftHSM
>>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [5/7]: adding DNSSEC containers
>>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [6/7]: creating replica keys
>>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] [error] Error: export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
>>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] ipa.ipapython.install.cli.install_tool(Server): ERROR export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
>>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
>>>>>>>> [ipa.ipatests.test_integration.host.Host.master.cmd10] Exit code: 1
>>>>>>>>
>>>>>>>> ipa-server-install.log
>>>>>>>> ....
>>>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 436, in run_step
>>>>>>>>     method()
>>>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 342, in __setup_replica_keys
>>>>>>>>     public_key_blob = p11.export_public_key(public_key_handle)
>>>>>>>> File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1275, in export_public_key
>>>>>>>>     return self._export_RSA_public_key(object)
>>>>>>>> File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1240, in _export_RSA_public_key
>>>>>>>>     raise Error("export_RSA_public_key: internal error: "
>>>>>>>>
>>>>>>>> 2016-01-12T11:00:29Z DEBUG The ipa-server-install command failed, exception: Error: export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
>>>>>>>> 2016-01-12T11:00:29Z ERROR export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
>>>>>>>
>>>>>>> Updated patch 538 attached.
>>>>>>>
>>>>>> Jan 12 12:31:43 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[31178]: Connected
>>>>>> Jan 12 12:31:44 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[31178]: replica pub keys in LDAP: set(['0xf5edad67436d0ed36b75c3a70216fa43', '0x7164a931484d505f1e249e3dcbc313e2'])
>>>>>> Jan 12 12:31:44 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[31178]: replica pub keys in SoftHSM: set(['0xf5edad67436d0ed36b75c3a70216fa43', '0x7164a931484d505f1e249e3dcbc313e2', '0x28e302ae6b6ee7e9284cd5f6
>>>>>> Jan 12 12:31:44 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[31178]: new replica keys in LDAP: set([])
>>>>>> Jan 12 12:31:44 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[31178]: obsolete replica keys in local HSM: set(['0x28e302ae6b6ee7e9284cd5f61aadbbe7'])
>>>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: Traceback (most recent call last):
>>>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File "/usr/libexec/ipa/ipa-ods-exporter", line 664, in
>>>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
>>>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File "/usr/libexec/ipa/ipa-ods-exporter", line 321, in ldap2master_replica_keys_sync
>>>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: localhsm.replica_pubkeys_wrap[key_id]['ipk11wrap'] = False
>>>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py", line 65, in __setitem__
>>>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: return self.p11.set_attribute(self.handle, attrs_name2id[key], value)
>>>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1661, in set_attribute
>>>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: sizeof(CK_ATTRIBUTE)))
>>>>>> Jan 12 12:31:44 master.ipa.test ipa-ods-exporter[31178]: TypeError: an integer is required
>>>>>> Jan 12 12:31:44 master.ipa.test systemd[1]: ipa-ods-exporter.service: Main process exited, code=exited, status=1/FAILURE
>>>>>>
>>>>>
>>>>> Updated patch 537 attached.
>>>>>
>>>> Jan 12 15:04:10 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: Connected
>>>> Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: replica pub keys in LDAP: set(['0x0e3dfd7343999d2ea7d17ac4ce15e4ca', '0x9fc77beeb4b8ef33402e4fbb67d9b5e1'])
>>>> Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: replica pub keys in SoftHSM: set(['0x0e3dfd7343999d2ea7d17ac4ce15e4ca', '0x9fc77beeb4b8ef33402e4fbb67d9b5e1'])
>>>> Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: new replica keys in LDAP: set([])
>>>> Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: obsolete replica keys in local HSM: set([])
>>>> Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: keys in local HSM & LDAP: set(['0x0e3dfd7343999d2ea7d17ac4ce15e4ca', '0x9fc77beeb4b8ef33402e4fbb67d9b5e1'])
>>>> Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: Updating attribute ipk11verifyrecover from "1" to "False"
>>>> Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: master keys in local HSM: set([])
>>>> Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: master keys in LDAP HSM: set([])
>>>> Jan 12 15:04:11 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[20652]: new master keys in local HSM: set([])
>>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: Traceback (most recent call last):
>>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/libexec/ipa/ipa-ods-exporter", line 665, in
>>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: master2ldap_master_keys_sync(log, ldapkeydb, localhsm)
>>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/libexec/ipa/ipa-ods-exporter", line 340, in master2ldap_master_keys_sync
>>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: ldapkeydb.flush()
>>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line 311, in flush
>>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: self._update_keys()
>>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line 307, in _update_keys
>>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: key._update_key()
>>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line 179, in _update_key
>>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: self._cleanup_key()
>>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line 170, in _cleanup_key
>>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: if self.get(attr, empty) == default_attrs[attr]:
>>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/lib64/python2.7/_abcoll.py", line 382, in get
>>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: return self[key]
>>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line 132, in __getitem__
>>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: val = ldap_bool(val)
>>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/ldapkeydb.py", line 39, in ldap_bool
>>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: raise AssertionError('invalid LDAP boolean "%s"' % val)
>>>> Jan 12 15:04:11 master.ipa.test ipa-ods-exporter[20652]: AssertionError: invalid LDAP boolean "1"
>>>> Jan 12 15:04:11 master.ipa.test systemd[1]: ipa-ods-exporter.service: Main process exited, code=exited, status=1/FAILURE
>>>>
>>>>
>>>> You can run the dnssec test, it has been fixed.
>>>
>>> Updated patches attached. The test now passes.
>>>
>> Hello,
>>
>> pkcs11helper tests passed
>> DNSSEC tests passed
>>
>> 1)
>> Slot is an unused argument here:
>>
>>     def __init__(self, slot, user_pin, library_path):
>>         self.p11_ptr = new_ptr(CK_FUNCTION_LIST_PTR)
>>         self.session_ptr = new_ptr(CK_SESSION_HANDLE)
>>
>>         self.slot = 0
>
> Fixed.
>
>>
>> 2)
>> Shouldn't string_to_pybytes_or_none raise an exception instead of returning
>> None? In a C extension returning NULL means error, and the exception was
>> raised by Python itself when the function ended by returning NULL.
>>
>> In the export_wrapped_key method
>>
>>     result = string_to_pybytes_or_none(wrapped_key, wrapped_key_len_ptr[0])
>>     return result
>>
>> In this case the method returns None instead of raising an exception.
>>
>> Also I think that in the _export_RSA_public_key method,
>> string_to_pybytes_or_none should raise an exception when it gets NULL as
>> the string too
>
> This is exactly how it behaves in the original C code, so I'm not
> changing it.
>
> I noticed I don't return None in _export_RSA_public_key in case of
> encoding failure. Fixed.
>
OK
>>
>> 3)
>> Is it possible to remove the build dependencies added in commit c909690c ?
>
> Removed, except for openssl-devel, which is used elsewhere.
>
> Updated patches attached.
>

ACK

Pushed to master: b808376e2f516297dfb8311e514e31f2933bce01
Pushed to ipa-4-3: 5cfb95355353f040b38dabe957a1f453e4318900

From lkrispen at redhat.com Thu Jan 21 09:48:37 2016
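The `invalid LDAP boolean "1"` failure in the p11helper thread above comes from a PKCS#11-side value (CK_BBOOL 1, or a Python bool rendered as "False") reaching an LDAP attribute whose syntax only admits TRUE/FALSE. The following is an added example, not FreeIPA's ldapkeydb or p11helper code: a strict RFC 4517 Boolean parser, an encoder for CK_BBOOL/bool values, and a diff of token attributes against stored LDAP values that compares parsed booleans rather than strings; the ipk11* attribute names and the sample entries are constructed to mirror the thread.

```python
# Added example (not FreeIPA's code): strict LDAP Boolean handling for key
# metadata synced between a PKCS#11 token and LDAP. Attribute names and the
# sample values below are constructed to mirror the ipk11* attributes seen in
# the ipa-ods-exporter log in the thread.

from typing import Dict, List, Optional, Tuple

# Boolean key attributes to keep in sync (constructed subset).
BOOL_ATTRS = ("ipk11wrap", "ipk11verifyrecover")


def ldap_bool(val: str) -> bool:
    """Parse an LDAP Boolean (RFC 4517): exactly "TRUE" or "FALSE".

    "1", "0", "True", "False" and "true" are writer-side encoding bugs and are
    reported instead of being guessed at, which is what surfaced in the log
    as 'invalid LDAP boolean "1"'.
    """
    if val == "TRUE":
        return True
    if val == "FALSE":
        return False
    raise ValueError('invalid LDAP boolean "%s"' % val)


def is_valid_ldap_bool(val: str) -> bool:
    """True if val is a well-formed LDAP Boolean string."""
    try:
        ldap_bool(val)
        return True
    except ValueError:
        return False


def to_ldap_bool(val) -> str:
    """Encode a PKCS#11 CK_BBOOL (0 / 1) or a Python bool as an LDAP Boolean.

    bool is checked first because it is a subclass of int; anything else is
    refused so that str(value) never silently becomes the attribute.
    """
    if isinstance(val, bool):
        return "TRUE" if val else "FALSE"
    if isinstance(val, int) and val in (0, 1):  # CK_FALSE / CK_TRUE
        return "TRUE" if val == 1 else "FALSE"
    raise TypeError("not a boolean attribute value: %r" % (val,))


def bool_attr_mods(hsm_attrs: Dict[str, object],
                   ldap_entry: Dict[str, str]) -> List[Tuple[str, Optional[str], str]]:
    """Return (attr, old_ldap_value, new_ldap_value) for every boolean
    attribute whose stored LDAP value disagrees with the token.

    Comparison is on parsed booleans, so "TRUE" vs "TRUE" is never rewritten
    and a malformed stored value raises instead of being overwritten blindly.
    """
    mods = []
    for attr in BOOL_ATTRS:
        if attr not in hsm_attrs:
            continue
        new = to_ldap_bool(hsm_attrs[attr])
        old = ldap_entry.get(attr)
        if old is None or ldap_bool(old) != ldap_bool(new):
            mods.append((attr, old, new))
    return mods


if __name__ == "__main__":
    # Constructed sample: token says wrap=CK_TRUE, verifyrecover=CK_FALSE.
    token = {"ipk11wrap": 1, "ipk11verifyrecover": 0}
    stored = {"ipk11wrap": "TRUE", "ipk11verifyrecover": "TRUE"}
    print(bool_attr_mods(token, stored))
    print(is_valid_ldap_bool("1"), is_valid_ldap_bool("False"))
```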
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 21 Jan 2016 10:48:37 +0100
Subject: [Freeipa-devel] [PATCH 0022] topology plugin prevents deletes but does not prevent moddn
In-Reply-To: <56A0A537.4050203@redhat.com>
References: <566AC814.8010108@redhat.com> <569FB993.3040908@redhat.com> <56A092C1.1050609@redhat.com> <56A0A537.4050203@redhat.com>
Message-ID: <56A0A975.60002@redhat.com>

On 01/21/2016 10:30 AM, thierry bordaz wrote:
> Hi,
>
> The fix looks good.
> Just a question, the target entry is checked with
> ipa_topo_check_entry_type. Is it equivalent to calling
> ipa_topo_is_entry_managed?

No, ipa_topo_check_entry_type() just determines if it is a segment or a host, to decide how to proceed. ipa_topo_is_entry_managed() would apply to a replication agreement to decide if both endpoints are managed servers and that the suffix is managed.

>
> thanks
> thierry
> On 01/21/2016 09:11 AM, Ludwig Krispenz wrote:
>>
>> On 01/20/2016 05:45 PM, Martin Basti wrote:
>>>
>>> On 11.12.2015 13:56, Ludwig Krispenz wrote:
>>>> Ticket: https://fedorahosted.org/freeipa/ticket/5536
>>>>
>>>> Patch attached.
>>>>
>>> The patch works, I cannot move an entry out of the container via a moddn operation.
>>>
>>> I have a question, is it expected to be able to rename an entry?
>>> I tried it and I was able to change the RDN
>> Yes, that should be fine, it cannot change the connectivity.
>>>
>>> #!RESULT OK
>>> #!CONNECTION ldap://vm-058-138.abc.idm.lab.eng.brq.redhat.com:636
>>> #!DATE 2016-01-20T16:28:18.702
>>> dn: cn=vm-058-137.abc.idm.lab.eng.brq.redhat.com-to-vm-058-138.abc.idm.lab.eng.brq.redhat.com,cn=domain,cn=topology,cn=ipa,cn=etc,dc=dom-138,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>>> changetype: moddn
>>> newrdn: cn=vm-058-137.abc.idm.lab.eng.brq.redhat.com-to-vm-058-138.abc.idm.lab.eng.brq.redhat
>>> deleteoldrdn: 1
>>> newsuperior: cn=domain,cn=topology,cn=ipa,cn=etc,dc=dom-138,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>>
>>
>

From tbordaz at redhat.com Thu Jan 21 10:21:33 2016
From: tbordaz at redhat.com (thierry bordaz)
Date: Thu, 21 Jan 2016 11:21:33 +0100
Subject: [Freeipa-devel] [PATCH 0022] topology plugin prevents deletes but does not prevent moddn
In-Reply-To: <56A0A975.60002@redhat.com>
References: <566AC814.8010108@redhat.com> <569FB993.3040908@redhat.com> <56A092C1.1050609@redhat.com> <56A0A537.4050203@redhat.com> <56A0A975.60002@redhat.com>
Message-ID: <56A0B12D.8040006@redhat.com>

On 01/21/2016 10:48 AM, Ludwig Krispenz wrote:
>
> On 01/21/2016 10:30 AM, thierry bordaz wrote:
>> Hi,
>>
>> The fix looks good.
>> Just a question, the target entry is checked with
>> ipa_topo_check_entry_type. Is it equivalent to calling
>> ipa_topo_is_entry_managed?
> No, ipa_topo_check_entry_type() just determines if it is a segment or a
> host, to decide how to proceed. ipa_topo_is_entry_managed() would
> apply to a replication agreement to decide if both endpoints are
> managed servers and that the suffix is managed.

Ok thanks. In fact it does not apply to replica agreements.
It allows the modrdn to the 'cn=masters' subtree. Is this subtree part of the topology config?

>>
>> thanks
>> thierry
>> On 01/21/2016 09:11 AM, Ludwig Krispenz wrote:
>>>
>>> On 01/20/2016 05:45 PM, Martin Basti wrote:
>>>>
>>>> On 11.12.2015 13:56, Ludwig Krispenz wrote:
>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/5536
>>>>>
>>>>> Patch attached.
>>>>>
>>>> The patch works, I cannot move an entry out of the container via a moddn operation.
>>>>
>>>> I have a question, is it expected to be able to rename an entry?
>>>> I tried it and I was able to change the RDN
>>> Yes, that should be fine, it cannot change the connectivity.
>>>>
>>>> #!RESULT OK
>>>> #!CONNECTION ldap://vm-058-138.abc.idm.lab.eng.brq.redhat.com:636
>>>> #!DATE 2016-01-20T16:28:18.702
>>>> dn: cn=vm-058-137.abc.idm.lab.eng.brq.redhat.com-to-vm-058-138.abc.idm.lab.eng.brq.redhat.com,cn=domain,cn=topology,cn=ipa,cn=etc,dc=dom-138,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>>>> changetype: moddn
>>>> newrdn: cn=vm-058-137.abc.idm.lab.eng.brq.redhat.com-to-vm-058-138.abc.idm.lab.eng.brq.redhat
>>>> deleteoldrdn: 1
>>>> newsuperior: cn=domain,cn=topology,cn=ipa,cn=etc,dc=dom-138,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>>>
>>>
>>
>

From lkrispen at redhat.com Thu Jan 21 10:26:44 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 21 Jan 2016 11:26:44 +0100
Subject: [Freeipa-devel] [PATCH 0022] topology plugin prevents deletes but does not prevent moddn
In-Reply-To: <56A0B12D.8040006@redhat.com>
References: <566AC814.8010108@redhat.com> <569FB993.3040908@redhat.com> <56A092C1.1050609@redhat.com> <56A0A537.4050203@redhat.com> <56A0A975.60002@redhat.com> <56A0B12D.8040006@redhat.com>
Message-ID: <56A0B264.1090903@redhat.com>

On 01/21/2016 11:21 AM, thierry bordaz wrote:
> On 01/21/2016 10:48 AM, Ludwig Krispenz wrote:
>>
>> On 01/21/2016 10:30 AM, thierry bordaz wrote:
>>> Hi,
>>>
>>> The fix looks good.
>>> Just a question, the target entry is checked with
>>> ipa_topo_check_entry_type. Is it equivalent to calling
>>> ipa_topo_is_entry_managed?
>> No, ipa_topo_check_entry_type() just determines if it is a segment or a
>> host, to decide how to proceed. ipa_topo_is_entry_managed() would
>> apply to a replication agreement to decide if both endpoints are
>> managed servers and that the suffix is managed.
>
> Ok thanks. In fact it does not apply to replica agreements.
> It allows the modrdn to the 'cn=masters' subtree. Is this subtree part of
> the topology config?

No, it is probably not a good idea to move a master to another subtree, but it is not the task of the topology plugin to prevent this.

>>>
>>> thanks
>>> thierry
>>> On 01/21/2016 09:11 AM, Ludwig Krispenz wrote:
>>>>
>>>> On 01/20/2016 05:45 PM, Martin Basti wrote:
>>>>>
>>>>> On 11.12.2015 13:56, Ludwig Krispenz wrote:
>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/5536
>>>>>>
>>>>>> Patch attached.
>>>>>>
>>>>> The patch works, I cannot move an entry out of the container via a moddn operation.
>>>>>
>>>>> I have a question, is it expected to be able to rename an entry?
>>>>> I tried it and I was able to change the RDN
>>>> Yes, that should be fine, it cannot change the connectivity.
>>>>>
>>>>> #!RESULT OK
>>>>> #!CONNECTION ldap://vm-058-138.abc.idm.lab.eng.brq.redhat.com:636
>>>>> #!DATE 2016-01-20T16:28:18.702
>>>>> dn: cn=vm-058-137.abc.idm.lab.eng.brq.redhat.com-to-vm-058-138.abc.idm.lab.eng.brq.redhat.com,cn=domain,cn=topology,cn=ipa,cn=etc,dc=dom-138,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>>>>> changetype: moddn
>>>>> newrdn: cn=vm-058-137.abc.idm.lab.eng.brq.redhat.com-to-vm-058-138.abc.idm.lab.eng.brq.redhat
>>>>> deleteoldrdn: 1
>>>>> newsuperior: cn=domain,cn=topology,cn=ipa,cn=etc,dc=dom-138,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>>>>
>>>>
>>>
>>
>

From mbasti at redhat.com Thu Jan 21 10:29:10 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 21 Jan 2016 11:29:10 +0100
Subject: [Freeipa-devel] [PATCH 0406] Exclude o=ipaca from syncrepl
In-Reply-To: <569D190F.1070107@redhat.com>
References: <569D12CB.6010907@redhat.com> <569D190F.1070107@redhat.com>
Message-ID: <56A0B2F6.3030005@redhat.com>

On 18.01.2016 17:55, Christian Heimes wrote:
> On 2016-01-18 17:28, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/5538
>>
>> Patch attached
> ACK
>
>

Pushed to:
master: 54a91c3ed33c7be54cadb188add802e781893ec9
ipa-4-3: 89c32f2bdaf53a1408ea67fe19c0033cff202dfc

Can I revert the workaround in the tests now?

From cheimes at redhat.com Thu Jan 21 10:34:31 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Thu, 21 Jan 2016 11:34:31 +0100
Subject: [Freeipa-devel] [PATCH 0406] Exclude o=ipaca from syncrepl
In-Reply-To: <56A0B2F6.3030005@redhat.com>
References: <569D12CB.6010907@redhat.com> <569D190F.1070107@redhat.com> <56A0B2F6.3030005@redhat.com>
Message-ID: <56A0B437.8090404@redhat.com>

On 2016-01-21 11:29, Martin Basti wrote:
>
> On 18.01.2016 17:55, Christian Heimes wrote:
>> On 2016-01-18 17:28, Martin Basti wrote:
>>> https://fedorahosted.org/freeipa/ticket/5538
>>>
>>> Patch attached
>> ACK
>>
>>
> Pushed to:
> master: 54a91c3ed33c7be54cadb188add802e781893ec9
> ipa-4-3: 89c32f2bdaf53a1408ea67fe19c0033cff202dfc
>
> Can I revert the workaround in the tests now?

Yes, please give it a try.

From tbordaz at redhat.com Thu Jan 21 10:35:11 2016
From: tbordaz at redhat.com (thierry bordaz)
Date: Thu, 21 Jan 2016 11:35:11 +0100
Subject: [Freeipa-devel] [PATCH 0022] topology plugin prevents deletes but does not prevent moddn
In-Reply-To: <56A0B264.1090903@redhat.com>
References: <566AC814.8010108@redhat.com> <569FB993.3040908@redhat.com> <56A092C1.1050609@redhat.com> <56A0A537.4050203@redhat.com> <56A0A975.60002@redhat.com> <56A0B12D.8040006@redhat.com> <56A0B264.1090903@redhat.com>
Message-ID: <56A0B45F.7020301@redhat.com>

On 01/21/2016 11:26 AM, Ludwig Krispenz wrote:
>
> On 01/21/2016 11:21 AM, thierry bordaz wrote:
>> On 01/21/2016 10:48 AM, Ludwig Krispenz wrote:
>>>
>>> On 01/21/2016 10:30 AM, thierry bordaz wrote:
>>>> Hi,
>>>>
>>>> The fix looks good.
>>>> Just a question, the target entry is checked with
>>>> ipa_topo_check_entry_type. Is it equivalent to calling
>>>> ipa_topo_is_entry_managed?
>>> No, ipa_topo_check_entry_type() just determines if it is a segment or
>>> a host, to decide how to proceed. ipa_topo_is_entry_managed() would
>>> apply to a replication agreement to decide if both endpoints are
>>> managed servers and that the suffix is managed.
>>
>> Ok thanks. In fact it does not apply to replica agreements.
>> It allows the modrdn to the 'cn=masters' subtree. Is this subtree part of
>> the topology config?
> No, it is probably not a good idea to move a master to another
> subtree, but it is not the task of the topology plugin to prevent this.

Right. Thanks for all your explanations and patience. The fix is good to me as well.

Ack

thierry

>>>>
>>>> thanks
>>>> thierry
>>>> On 01/21/2016 09:11 AM, Ludwig Krispenz wrote:
>>>>>
>>>>> On 01/20/2016 05:45 PM, Martin Basti wrote:
>>>>>>
>>>>>> On 11.12.2015 13:56, Ludwig Krispenz wrote:
>>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/5536
>>>>>>>
>>>>>>> Patch attached.
>>>>>>>
>>>>>> The patch works, I cannot move an entry out of the container via a moddn
>>>>>> operation.
>>>>>>
>>>>>> I have a question, is it expected to be able to rename an entry?
>>>>>> I tried it and I was able to change the RDN
>>>>> Yes, that should be fine, it cannot change the connectivity.
>>>>>>
>>>>>> #!RESULT OK
>>>>>> #!CONNECTION ldap://vm-058-138.abc.idm.lab.eng.brq.redhat.com:636
>>>>>> #!DATE 2016-01-20T16:28:18.702
>>>>>> dn: cn=vm-058-137.abc.idm.lab.eng.brq.redhat.com-to-vm-058-138.abc.idm.lab.eng.brq.redhat.com,cn=domain,cn=topology,cn=ipa,cn=etc,dc=dom-138,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>>>>>> changetype: moddn
>>>>>> newrdn: cn=vm-058-137.abc.idm.lab.eng.brq.redhat.com-to-vm-058-138.abc.idm.lab.eng.brq.redhat
>>>>>> deleteoldrdn: 1
>>>>>> newsuperior: cn=domain,cn=topology,cn=ipa,cn=etc,dc=dom-138,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>>>>>
>>>>>
>>>>
>>>
>>
>

From mbasti at redhat.com Thu Jan 21 11:53:05 2016
From: mbasti at redhat.com (Martin Basti) Date: Thu, 21 Jan 2016 12:53:05 +0100 Subject: [Freeipa-devel] [PATCH 0022] topology plugin prevents deletes but does not prevent moddn In-Reply-To: <56A0B45F.7020301@redhat.com> References: <566AC814.8010108@redhat.com> <569FB993.3040908@redhat.com> <56A092C1.1050609@redhat.com> <56A0A537.4050203@redhat.com> <56A0A975.60002@redhat.com> <56A0B12D.8040006@redhat.com> <56A0B264.1090903@redhat.com> <56A0B45F.7020301@redhat.com> Message-ID: <56A0C6A1.6050907@redhat.com> On 21.01.2016 11:35, thierry bordaz wrote: > On 01/21/2016 11:26 AM, Ludwig Krispenz wrote: >> >> On 01/21/2016 11:21 AM, thierry bordaz wrote: >>> On 01/21/2016 10:48 AM, Ludwig Krispenz wrote: >>>> >>>> On 01/21/2016 10:30 AM, thierry bordaz wrote: >>>>> Hi, >>>>> >>>>> The fix look good. >>>>> Just a question, the target entry is checked with >>>>> ipa_topo_check_entry_type. Is it equivalent to call >>>>> ipa_topo_is_entry_managed ? >>>> no, ipa_topo_check_entry_type() just determines if it is a segment, >>>> a host, to decide how to proceed. ipa_topo_is_entry_managed() would >>>> apply to an replication agreement to decide if both endpoints are >>>> managed servers ant that the suffix is managed >>> >>> Ok thanks. In fact it does not apply to replica agreements. >>> It allows the modrdn to 'cn=masters' subtree. Is this subtree part >>> of the topology config ? >> no, it is probably not a good idea to move a master to another >> subtree, but it is not the task of the topology plugin to prevent this > > Right. Thanks for all your explanations and patience. THe fix is good > to me as well. 
Ack
>
> thierry

Thanks

Pushed to:
master: c152e1007515f208b0c3b84c1ff13a9fe9b45fdf
ipa-4-3: d8bfe61e3d71640fac8b5a2ca3c1107bf6aa83f3

>>>>> thanks
>>>>> thierry
>>>>> On 01/21/2016 09:11 AM, Ludwig Krispenz wrote:
>>>>>>
>>>>>> On 01/20/2016 05:45 PM, Martin Basti wrote:
>>>>>>>
>>>>>>> On 11.12.2015 13:56, Ludwig Krispenz wrote:
>>>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/5536
>>>>>>>>
>>>>>>>> Patch attached.
>>>>>>>>
>>>>>>> Patch works, I cannot move entry out of container via moddn
>>>>>>> operation.
>>>>>>>
>>>>>>> I have question, is it expected to be able rename entry?
>>>>>>> I tried it and I was able to change RDN
>>>>>> yes, that should be fine, it cannot change the connectivity.
>>>>>>>
>>>>>>> #!RESULT OK
>>>>>>> #!CONNECTION ldap://vm-058-138.abc.idm.lab.eng.brq.redhat.com:636
>>>>>>> #!DATE 2016-01-20T16:28:18.702
>>>>>>> dn: cn=vm-058-137.abc.idm.lab.eng.brq.redhat.com-to-vm-058-138.abc.idm.lab.eng.brq.redhat.com,cn=domain,cn=topology,cn=ipa,cn=etc,dc=dom-138,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>>>>>>> changetype: moddn
>>>>>>> newrdn: cn=vm-058-137.abc.idm.lab.eng.brq.redhat.com-to-vm-058-138.abc.idm.lab.eng.brq.redhat
>>>>>>> deleteoldrdn: 1
>>>>>>> newsuperior: cn=domain,cn=topology,cn=ipa,cn=etc,dc=dom-138,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
From ofayans at redhat.com Thu Jan 21 11:59:45 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Thu, 21 Jan 2016 12:59:45 +0100
Subject: [Freeipa-devel] [TEST][Patch 0020] Enabled recreation of test directory during ipa reinstallation
Message-ID: <56A0C831.6040909@redhat.com>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

A non-text attachment was scrubbed...
Name: freeipa-ofayans-0020-Enabled-recreation-of-test-directory-in-apply_common_fixes.patch
Type: text/x-patch
Size: 1783 bytes
From jcholast at redhat.com Thu Jan 21 12:14:05 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 21 Jan 2016 13:14:05 +0100
Subject: [Freeipa-devel] [PATCH] 0751 spec: Split out python-ipap11helper and, python-default_encoding_utf8
In-Reply-To: <56702B5F.1090403@redhat.com>
References: <56606E90.3000909@redhat.com> <56619535.1010700@redhat.com> <566E6D61.80002@redhat.com> <56702971.1060709@redhat.com> <56702B5F.1090403@redhat.com>
Message-ID: <56A0CB8D.7030605@redhat.com>

On 15.12.2015 16:01, Jan Cholasta wrote:
> On 15.12.2015 15:53, Petr Viktorin wrote:
>> On 12/14/2015 08:18 AM, Jan Cholasta wrote:
>>> On 4.12.2015 14:29, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 3.12.2015 17:32, Petr Viktorin wrote:
>>>>> Hello,
>>>>> This specfile patch makes python-ipalib noarch, by splitting out the
>>>>> arch-dependent stuff.
>>>>
>>>> I'm not sure if this should be done at all. Both py_default_encoding
>>>> and (especially) _ipap11helper are internal submodules of ipapython and I
>>>> don't think they should be packaged separately.
>>
>> Technically they aren't; it's "import _ipap11helper", not "import
>> ipapython._ipap11helper". Their source is in the ipapython directory,
>> but they're built as independent modules.
>
> This is an implementation detail rather than an architectural decision.
> For _ipap11helper, we haven't figured out how to properly put it inside
> ipapython, so it's built separately, but it actually is a part of
> ipapython.
>
>>
>>>> If this is just about packaging arch-specific code separately from
>>>> noarch code, I'm not sure either - all other packages with both Python
>>>> and C modules I have seen (e.g. python-ldap, PyYAML) simply do not care
>>>> and put everything in a single arch-specific package. IMHO we should
>>>> follow.
>>>
>>> This would mean putting everything into the architecture-specific
>>> prefix. Currently the python files in python2-ipalib are installed into
>>> the architecture-agnostic prefix, which is wrong, because you can't
>>> install both python2-ipalib.i686 and python2-ipalib.x86_64 at the same
>>> time.
>>
>> Putting everything into arch-specific prefix would mean that if you do
>> install both arches simultaneously, you'd get two identical copies of
>> ipalib, ipapython, and ipaplatform. So if having both installed is a
>> concern, I think the noarch bits should be split out.
>
> I'm aware this means two identical copies of the modules, but the same
> thing works for python-ldap and PyYAML (as I pointed out above), so why
> shouldn't it work for us?

We got rid of both default_encoding_utf8 and _ipap11helper, so python-ipalib can be packaged as noarch. See the attached patch.

--
Jan Cholasta

A non-text attachment was scrubbed...
Name: freeipa-jcholast-541-spec-file-package-python-ipalib-as-noarch.patch
Type: text/x-patch
Size: 1485 bytes
From tbordaz at redhat.com Thu Jan 21 12:37:00 2016
From: tbordaz at redhat.com (thierry bordaz)
Date: Thu, 21 Jan 2016 13:37:00 +0100
Subject: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI
Message-ID: <56A0D0EC.3010009@redhat.com>

A non-text attachment was scrubbed...
Name: freeipa-tbordaz-0017-configure-DNA-plugin-shared-config-entries-to-allow-.patch
Type: text/x-patch
Size: 6720 bytes
From ofayans at redhat.com Thu Jan 21 12:42:11 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Thu, 21 Jan 2016 13:42:11 +0100
Subject: [Freeipa-devel] [TEST][Patch 0021] Fixed recent replica installation issues in the lab
Message-ID: <56A0D223.2060702@redhat.com>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

A non-text attachment was scrubbed...
Name: freeipa-ofayans-0021-Removed-ip-address-option-from-replica-installation.patch
Type: text/x-patch
Size: 2931 bytes
From mbabinsk at redhat.com Thu Jan 21 12:53:53 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 21 Jan 2016 13:53:53 +0100
Subject: [Freeipa-devel] [PATCH 0130] disable RA plugins when promoting a replica from CA-less master
Message-ID: <56A0D4E1.6030504@redhat.com>

this patch ensures that promoted replicas in CA-less topology have correct settings in their default.conf.

I couldn't find any ticket for this issue, should I file one so that this patch can land in 4-3 branch?

--
Martin^3 Babinsky

A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0130-disable-RA-plugins-when-promoting-a-replica-from-CA-.patch
Type: text/x-patch
Size: 2048 bytes
From mbasti at redhat.com Thu Jan 21 13:10:42 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 21 Jan 2016 14:10:42 +0100
Subject: [Freeipa-devel] [PATCH] 0049 Remove workaround for CA running check
In-Reply-To: <20160120095232.GP31821@dhcp-40-8.bne.redhat.com>
References: <20160120074550.GO31821@dhcp-40-8.bne.redhat.com> <569F45A5.1080408@redhat.com> <20160120095232.GP31821@dhcp-40-8.bne.redhat.com>
Message-ID: <56A0D8D2.4030400@redhat.com>

On 20.01.2016 10:52, Fraser Tweedale wrote:
> On Wed, Jan 20, 2016 at 09:30:29AM +0100, Martin Kosek wrote:
>> On 01/20/2016 08:45 AM, Fraser Tweedale wrote:
>>> The attached patch removes a workaround introduced as part of
>>> https://fedorahosted.org/freeipa/ticket/4676.
>>>
>>> Alternatively, if we want to keep the "workaround" I will submit a
>>> different patch that removes unused code and FIXME comments :)
>>>
>>> Cheers,
>>> Fraser
>> You may also want to check FreeIPA spec file, if there is now no extra curl
>> dependency. I would leave it up to Martin Basti, to confirm that the original
>> issue cannot appear again. It was a nightmare to troubleshoot, as I heard :)
>>
> Good pickup on the curl dependency; indeed it is no longer needed.
> Updated patch attached.

Thank you, patch works for me.

However, I'm not sure where the original error was located, it looked like something in _httplib_request doesn't work properly with SSL. Your patch uses _httplib_request without TLS so it should work.

I would like to push this patch only to master, as the issue before wasn't regularly reproducible, and I will keep an eye on it.

Also I will remove the ticket #4676 from the description, because the ticket has been closed in the 4.1 Milestone.

ACK with keeping eyes on it

Pushed to master: fd7ea2c9395651d5bce41cc603557fea107f65a7
From pvoborni at redhat.com Thu Jan 21 13:21:51 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 21 Jan 2016 14:21:51 +0100
Subject: [Freeipa-devel] [PATCH 0130] disable RA plugins when promoting a replica from CA-less master
In-Reply-To: <56A0D4E1.6030504@redhat.com>
References: <56A0D4E1.6030504@redhat.com>
Message-ID: <56A0DB6F.9080709@redhat.com>

On 01/21/2016 01:53 PM, Martin Babinsky wrote:
> this patch ensures that promoted replicas in CA-less topology have
> correct settings in their default.conf.
>
> I couldn't find any ticket for this issue, should I file one so that
> this patch can land in 4-3 branch?
>

yes

--
Petr Vobornik
From mbabinsk at redhat.com Thu Jan 21 13:45:01 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 21 Jan 2016 14:45:01 +0100
Subject: [Freeipa-devel] [PATCH 0130] disable RA plugins when promoting a replica from CA-less master
In-Reply-To: <56A0DB6F.9080709@redhat.com>
References: <56A0D4E1.6030504@redhat.com> <56A0DB6F.9080709@redhat.com>
Message-ID: <56A0E0DD.10904@redhat.com>

On 01/21/2016 02:21 PM, Petr Vobornik wrote:
> On 01/21/2016 01:53 PM, Martin Babinsky wrote:
>> this patch ensures that promoted replicas in CA-less topology have
>> correct settings in their default.conf.
>>
>> I couldn't find any ticket for this issue, should I file one so that
>> this patch can land in 4-3 branch?
>>
>
> yes

New ticket here: https://fedorahosted.org/freeipa/ticket/5626

I have also attached the ticket URL to the commit message.

--
Martin^3 Babinsky

A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0130.1-disable-RA-plugins-when-promoting-a-replica-from-CA-.patch
Type: text/x-patch
Size: 2094 bytes
From jcholast at redhat.com Thu Jan 21 13:51:44 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 21 Jan 2016 14:51:44 +0100
Subject: [Freeipa-devel] [PATCH 0130] disable RA plugins when promoting a replica from CA-less master
In-Reply-To: <56A0E0DD.10904@redhat.com>
References: <56A0D4E1.6030504@redhat.com> <56A0DB6F.9080709@redhat.com> <56A0E0DD.10904@redhat.com>
Message-ID: <56A0E270.9060000@redhat.com>

On 21.1.2016 14:45, Martin Babinsky wrote:
> On 01/21/2016 02:21 PM, Petr Vobornik wrote:
>> On 01/21/2016 01:53 PM, Martin Babinsky wrote:
>>> this patch ensures that promoted replicas in CA-less topology have
>>> correct settings in their default.conf.
>>>
>>> I couldn't find any ticket for this issue, should I file one so that
>>> this patch can land in 4-3 branch?
>>>
>>
>> yes
>
> New ticket here: https://fedorahosted.org/freeipa/ticket/5626
>
> I have also attached the ticket URL to the commit message.

Why so much code for such a simple change? Please keep the style consistent with the code in install.install() and replicainstall.install().

--
Jan Cholasta
From mbabinsk at redhat.com Thu Jan 21 14:04:28 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 21 Jan 2016 15:04:28 +0100
Subject: [Freeipa-devel] [PATCH 0130] disable RA plugins when promoting a replica from CA-less master
In-Reply-To: <56A0E270.9060000@redhat.com>
References: <56A0D4E1.6030504@redhat.com> <56A0DB6F.9080709@redhat.com> <56A0E0DD.10904@redhat.com> <56A0E270.9060000@redhat.com>
Message-ID: <56A0E56C.107@redhat.com>

On 01/21/2016 02:51 PM, Jan Cholasta wrote:
> On 21.1.2016 14:45, Martin Babinsky wrote:
>> On 01/21/2016 02:21 PM, Petr Vobornik wrote:
>>> On 01/21/2016 01:53 PM, Martin Babinsky wrote:
>>>> this patch ensures that promoted replicas in CA-less topology have
>>>> correct settings in their default.conf.
>>>>
>>>> I couldn't find any ticket for this issue, should I file one so that
>>>> this patch can land in 4-3 branch?
>>>>
>>>
>>> yes
>>
>> New ticket here: https://fedorahosted.org/freeipa/ticket/5626
>>
>> I have also attached the ticket URL to the commit message.
>
> Why so much code for such a simple change? Please keep the style
> consistent with the code in install.install() and replicainstall.install().
>

It did not occur to me as much code, the logic was equivalent to the stuff other installers do but a bit more concise. But attaching updated patch in common style anyway.

--
Martin^3 Babinsky

A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0130.2-disable-RA-plugins-when-promoting-a-replica-from-CA-.patch
Type: text/x-patch
Size: 2151 bytes
From mkosek at redhat.com Thu Jan 21 14:46:41 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 21 Jan 2016 15:46:41 +0100
Subject: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI
In-Reply-To: <56A0D0EC.3010009@redhat.com>
References: <56A0D0EC.3010009@redhat.com>
Message-ID: <56A0EF51.6050600@redhat.com>

On 01/21/2016 01:37 PM, thierry bordaz wrote:
>

Thanks! Couple comments:

I miss the ticket number in the description.

Does this patch mean that all blockers on the DS side preventing remote DNA were fixed? If yes, it may be worth updating Requires in the spec file in that case and making sure the backport is in Fedora 23+ or at least FreeIPA 4.3 COPR repo.
From cheimes at redhat.com Thu Jan 21 15:21:51 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Thu, 21 Jan 2016 16:21:51 +0100
Subject: [Freeipa-devel] [PATCH 0030] Modernize mod_nss's cipher suites
Message-ID: <56A0F78F.4060407@redhat.com>

The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf has been modernized. Insecure or less secure algorithms such as RC4, DES and 3DES are removed. Perfect forward secrecy suites with ephemeral ECDH key exchange have been added. IE 8 on Windows XP is no longer supported.

The list of enabled cipher suites has been generated with the script contrib/nssciphersuite/nssciphersuite.py. The supported suites are currently:

TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA

https://fedorahosted.org/freeipa/ticket/5589

A non-text attachment was scrubbed...
Name: freeipa-cheimes-0030-Modernize-mod_nss-s-cipher-suites.patch
Type: text/x-patch
Size: 11921 bytes
From tbordaz at redhat.com Thu Jan 21 15:22:16 2016
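The policy stated in Christian's message (RC4, DES and 3DES out; ECDHE suites in for forward secrecy) applied to the suite list above, as an added example that is not the contrib/nssciphersuite/nssciphersuite.py script from the patch. ENABLED_SUITES is the list from the message; the names in LEGACY_SUITES are constructed inputs to show what the policy rejects.

```python
import re

# Suites enabled by the patch, exactly as listed in the message.
ENABLED_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

# Constructed inputs: suites of the kind the change removes (RC4, DES, 3DES).
LEGACY_SUITES = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
]

# IANA naming: TLS_<key exchange>_WITH_<bulk cipher>_<hash>
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>[A-Z0-9_]+)_(?P<hash>SHA|SHA256|SHA384|MD5)$")

# Bulk algorithms the change removes; anything in this set fails the policy.
INSECURE_ALGORITHMS = {"RC4", "DES", "3DES", "NULL", "RC2"}


def parse_suite(name):
    """Split an IANA suite name into key exchange, bulk cipher and hash.

    For *_GCM_* suites the trailing SHA256/SHA384 is the PRF hash rather than
    an HMAC, which is why the group is called 'hash' and not 'mac'."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError("not a TLS cipher suite name: %r" % name)
    kx = m.group("kx")            # RSA, ECDHE_RSA, ECDHE_ECDSA, ...
    cipher = m.group("cipher")    # AES_128_GCM, 3DES_EDE_CBC, RC4_128, ...
    return {
        "name": name,
        "kx": kx,
        "algorithm": cipher.split("_")[0],
        "aead": cipher.endswith("_GCM"),
        # Ephemeral (EC)DH gives forward secrecy; static RSA key transport does not.
        "pfs": kx.startswith("ECDHE") or kx.startswith("DHE"),
        "hash": m.group("hash"),
    }


def check_policy(name):
    """Return (accepted, reason) for one suite under the message's policy:
    RC4, DES and 3DES are out; everything else in the list stays."""
    info = parse_suite(name)
    if info["algorithm"] in INSECURE_ALGORITHMS:
        return False, "insecure bulk cipher %s" % info["algorithm"]
    if info["hash"] == "MD5":
        return False, "MD5-based MAC"
    return True, "ok"


def audit(suites):
    """Summarise a suite list: what passes, what fails and why, and how many
    of the accepted suites offer forward secrecy, AEAD, or only static RSA."""
    accepted, rejected = [], {}
    for name in suites:
        ok, reason = check_policy(name)
        if ok:
            accepted.append(name)
        else:
            rejected[name] = reason
    parsed = [parse_suite(n) for n in accepted]
    return {
        "accepted": accepted,
        "rejected": rejected,
        "pfs": sum(1 for p in parsed if p["pfs"]),
        "aead": sum(1 for p in parsed if p["aead"]),
        "static_rsa": sum(1 for p in parsed if p["kx"] == "RSA"),
    }


def preferred_order(suites):
    """Order the accepted suites the way a server preference list should:
    forward-secret AEAD first, then forward-secret CBC, then static RSA."""
    accepted = audit(suites)["accepted"]
    return sorted(accepted,
                  key=lambda n: (not parse_suite(n)["pfs"],
                                 not parse_suite(n)["aead"], n))
```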
From: tbordaz at redhat.com (thierry bordaz) Date: Thu, 21 Jan 2016 16:22:16 +0100 Subject: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI In-Reply-To: <56A0EF51.6050600@redhat.com> References: <56A0D0EC.3010009@redhat.com> <56A0EF51.6050600@redhat.com> Message-ID: <56A0F7A8.3000301@redhat.com> On 01/21/2016 03:46 PM, Martin Kosek wrote: > On 01/21/2016 01:37 PM, thierry bordaz wrote: > Thanks! Couple comments: > > I miss ticket number of description. Thanks Martin for looking at it. Ouch... the ticket number is https://fedorahosted.org/freeipa/ticket/4026 > > Does this patch mean that all blocker on DS side preventing remote DNA were > fixed? If yes, it may be worth updating Requires in the spec file in that case > and making sure the backport is in Fedora 23+ or at least FreeIPA 4.3 COPR repo. It required following 389-ds tickets that are now both fixed in 1.3.4.6 * https://fedorahosted.org/389/ticket/47779 * https://fedorahosted.org/389/ticket/48362 Is it the change to do in the spec file ? diff --git a/freeipa.spec.in b/freeipa.spec.in index 899af6c..87e80c9 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -130,7 +130,7 @@ Requires: %{name}-client = %{version}-%{release} Requires: %{name}-admintools = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python2-ipaserver = %{version}-%{release} -Requires: 389-ds-base >= 1.3.4.4 +Requires: 389-ds-base >= 1.3.4.6 Requires: openldap-clients > 2.4.35-4 Requires: nss >= 3.14.3-12.0 Requires: nss-tools >= 3.14.3-12.0 @@ -162,7 +162,7 @@ Requires: zip Requires: policycoreutils >= 2.1.12-5 Requires: tar Requires(pre): certmonger >= 0.78 -Requires(pre): 389-ds-base >= 1.3.4.4 +Requires(pre): 389-ds-base >= 1.3.4.6 Requires: fontawesome-fonts Requires: open-sans-fonts Requires: openssl -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkosek at redhat.com Thu Jan 21 15:23:23 2016 
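Review bot: The @@ -130,7 hunk raises the runtime Requires to 389-ds-base >= 1.3.4.6 without recording why that version is the floor. Since the bump is driven by the two 389 tickets named in this message (47779 and 48362), put those ticket URLs in the commit message so the next person touching this line knows which server-side fixes it depends on.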
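Review bot: In the @@ -162,7 hunk, Requires(pre) is raised to the same 1.3.4.6 as the runtime Requires in the previous hunk, which is right: the two must stay in step or the %pre scriptlet could run against an older directory server than the installed package needs. As Martin Kosek asked, confirm that a 1.3.4.6 build is actually available in Fedora 23+ and in the FreeIPA 4.3 COPR before this lands, otherwise the package cannot be installed there.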
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 21 Jan 2016 16:23:23 +0100 Subject: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI In-Reply-To: <56A0F7A8.3000301@redhat.com> References: <56A0D0EC.3010009@redhat.com> <56A0EF51.6050600@redhat.com> <56A0F7A8.3000301@redhat.com> Message-ID: <56A0F7EB.5050202@redhat.com> On 01/21/2016 04:22 PM, thierry bordaz wrote: > On 01/21/2016 03:46 PM, Martin Kosek wrote: >> On 01/21/2016 01:37 PM, thierry bordaz wrote: >> Thanks! Couple comments: >> >> I miss ticket number of description. > > Thanks Martin for looking at it. > > Ouch... the ticket number is https://fedorahosted.org/freeipa/ticket/4026 >> >> Does this patch mean that all blocker on DS side preventing remote DNA were >> fixed? If yes, it may be worth updating Requires in the spec file in that case >> and making sure the backport is in Fedora 23+ or at least FreeIPA 4.3 COPR repo. > It required following 389-ds tickets that are now both fixed in 1.3.4.6 > > * https://fedorahosted.org/389/ticket/47779 > * https://fedorahosted.org/389/ticket/48362 > > Is it the change to do in the spec file ? > > diff --git a/freeipa.spec.in b/freeipa.spec.in > index 899af6c..87e80c9 100644 > --- a/freeipa.spec.in > +++ b/freeipa.spec.in > @@ -130,7 +130,7 @@ Requires: %{name}-client = %{version}-%{release} > Requires: %{name}-admintools = %{version}-%{release} > Requires: %{name}-common = %{version}-%{release} > Requires: python2-ipaserver = %{version}-%{release} > -Requires: 389-ds-base >= 1.3.4.4 > +Requires: 389-ds-base >= 1.3.4.6 > Requires: openldap-clients > 2.4.35-4 > Requires: nss >= 3.14.3-12.0 > Requires: nss-tools >= 3.14.3-12.0 
> @@ -162,7 +162,7 @@ Requires: zip > Requires: policycoreutils >= 2.1.12-5 > Requires: tar > Requires(pre): certmonger >= 0.78 > -Requires(pre): 389-ds-base >= 1.3.4.4 > +Requires(pre): 389-ds-base >= 1.3.4.6 > Requires: fontawesome-fonts > Requires: open-sans-fonts > Requires: openssl That spec file change should be OK, thanks. I did not do other testing, I would leave that up to other developers. From pspacek at redhat.com Thu Jan 21 15:41:32 2016 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 21 Jan 2016 16:41:32 +0100 Subject: [Freeipa-devel] [TEST][Patch 0021] Fixed recent replica installation issues in the lab In-Reply-To: <56A0D223.2060702@redhat.com> References: <56A0D223.2060702@redhat.com> Message-ID: <56A0FC2C.2010004@redhat.com> Hello, On 21.1.2016 13:42, Oleg Fayans wrote: > freeipa-ofayans-0021-Removed-ip-address-option-from-replica-installation.patch > > > From d7ab06a4dcddb919fda351b983d478f1b6968578 Mon Sep 17 00:00:00 2001 > From: Oleg Fayans > Date: Thu, 21 Jan 2016 13:30:02 +0100 > Subject: [PATCH] Removed --ip-address option from replica installation > > Explicitly specifying ip-address of the replica messes up with the current > bind-dyndb-ldap logic, causing reverse zone not to be created. > > Enabled reverse-zone creation for the clients residing in different subnet from > master > --- > ipatests/test_integration/tasks.py | 19 ++++++++++++------- > 1 file changed, 12 insertions(+), 7 deletions(-) > > diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py > index 6eb55501389c72b4c7aaa599fd4852d7e8f1f3c2..43ef78b0c55deed24a0444f0ac6c38ddb2517481 100644 > --- a/ipatests/test_integration/tasks.py > +++ b/ipatests/test_integration/tasks.py > @@ -69,6 +69,8 @@ def prepare_reverse_zone(host, ip): > host.run_command(["ipa", > "dnszone-add", > zone], raiseonerr=False) > + return zone > + > > def prepare_host(host): > if isinstance(host, Host): 
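Review bot: In the @@ -69,6 hunk, `return zone` is reached regardless of whether the preceding `host.run_command(["ipa", "dnszone-add", zone], raiseonerr=False)` succeeded, because that command's result is discarded, so a caller gets a zone name back even when the zone was never created. Consider capturing the result and returning the zone only when the add succeeded (None otherwise), so that the new install_client code can decide whether its follow-up dnszone-mod makes sense.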
> @@ -319,11 +321,8 @@ def domainlevel(host): > def replica_prepare(master, replica): > apply_common_fixes(replica) > fix_apache_semaphores(replica) > - prepare_reverse_zone(master, replica.ip) > - master.run_command(['ipa-replica-prepare', > - '-p', replica.config.dirman_password, > - '--ip-address', replica.ip, > - replica.hostname]) > + master.run_command(['ipa-replica-prepare', '-p', replica.config.dirman_password, > + '--auto-reverse', replica.hostname]) I guess that you will need --ip-address option in cases where master's reverse record does not exist (yet). I would recommend you to test this in libvirt or somewhere without revere records, I suspect that it might blow up. > replica_bundle = master.get_file_contents( > paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname) > replica_filename = get_replica_filename(replica) > @@ -339,8 +338,7 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False, > # and replica installation would fail > args = ['ipa-replica-install', '-U', > '-p', replica.config.dirman_password, > - '-w', replica.config.admin_password, > - '--ip-address', replica.ip] > + '-w', replica.config.admin_password] > if setup_ca: > args.append('--setup-ca') > if setup_dns: 
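Review bot: The @@ -339,8 hunk drops '--ip-address' from ipa-replica-install, but nothing in the test afterwards verifies the outcome the commit message cares about, namely that the replica's reverse zone is created once the explicit address is gone. Add an assertion after the install (for example a search for the replica's PTR record on the master), so a regression in the bind-dyndb-ldap behaviour described in the commit message fails the test instead of passing silently.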
> @@ -380,6 +378,13 @@ def install_client(master, client, extra_args=()): > client.collect_log(paths.IPACLIENT_INSTALL_LOG) > > apply_common_fixes(client) > + # Now, for the situations where a client resides in a different subnet from > + # master, we need to explicitly tell master to create a reverse zone for > + # the client and enable dynamic updates for this zone. > + allow_sync_ptr(master) > + zone = prepare_reverse_zone(master, client.ip) > + master.run_command(["ipa", "dnszone-mod", zone, > + "--dynamic-update=TRUE"], raiseonerr=False) I'm not a big fan of ignoring exceptions here, it might be better to encapsulate the first command with try: except: and run the zone-mod only if the add worked as expected. Also, logging an message that reverse zone was not added might be a good idea. HTH Petr^2 Spacek > > client.run_command(['ipa-client-install', '-U', > '--domain', client.domain.name, From tbordaz at redhat.com Thu Jan 21 15:59:55 2016 
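Review bot: In the @@ -380,6 hunk both new commands ignore failure: prepare_reverse_zone runs dnszone-add with raiseonerr=False and returns the zone unconditionally, and the following dnszone-mod also passes raiseonerr=False, so a missing reverse zone (the situation this change is meant to fix) leaves no trace in the test. Since the zone is created only to have `--dynamic-update=TRUE` set on it, pass that option to dnszone-add in a single command, or at least check the returncode of the add before running the mod and log when the zone was not created, as Petr suggests. Minor: the comment should read "tell the master".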
From: tbordaz at redhat.com (thierry bordaz) Date: Thu, 21 Jan 2016 16:59:55 +0100 Subject: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI In-Reply-To: <56A0F7EB.5050202@redhat.com> References: <56A0D0EC.3010009@redhat.com> <56A0EF51.6050600@redhat.com> <56A0F7A8.3000301@redhat.com> <56A0F7EB.5050202@redhat.com> Message-ID: <56A1007B.9020908@redhat.com> On 01/21/2016 04:23 PM, Martin Kosek wrote: > On 01/21/2016 04:22 PM, thierry bordaz wrote: >> On 01/21/2016 03:46 PM, Martin Kosek wrote: >>> On 01/21/2016 01:37 PM, thierry bordaz wrote: >>> Thanks! Couple comments: >>> >>> I miss ticket number of description. >> Thanks Martin for looking at it. >> >> Ouch... the ticket number is https://fedorahosted.org/freeipa/ticket/4026 >>> Does this patch mean that all blocker on DS side preventing remote DNA were >>> fixed? If yes, it may be worth updating Requires in the spec file in that case >>> and making sure the backport is in Fedora 23+ or at least FreeIPA 4.3 COPR repo. >> It required following 389-ds tickets that are now both fixed in 1.3.4.6 >> >> * https://fedorahosted.org/389/ticket/47779 >> * https://fedorahosted.org/389/ticket/48362 >> >> Is it the change to do in the spec file ? >> >> diff --git a/freeipa.spec.in b/freeipa.spec.in >> index 899af6c..87e80c9 100644 >> --- a/freeipa.spec.in >> +++ b/freeipa.spec.in >> @@ -130,7 +130,7 @@ Requires: %{name}-client = %{version}-%{release} >> Requires: %{name}-admintools = %{version}-%{release} >> Requires: %{name}-common = %{version}-%{release} >> Requires: python2-ipaserver = %{version}-%{release} >> -Requires: 389-ds-base >= 1.3.4.4 >> +Requires: 389-ds-base >= 1.3.4.6 >> Requires: openldap-clients > 2.4.35-4 >> Requires: nss >= 3.14.3-12.0 >> Requires: nss-tools >= 3.14.3-12.0 
>> @@ -162,7 +162,7 @@ Requires: zip >> Requires: policycoreutils >= 2.1.12-5 >> Requires: tar >> Requires(pre): certmonger >= 0.78 >> -Requires(pre): 389-ds-base >= 1.3.4.4 >> +Requires(pre): 389-ds-base >= 1.3.4.6 >> Requires: fontawesome-fonts >> Requires: open-sans-fonts >> Requires: openssl > That spec file change should be OK, thanks. I did not do other testing, I would > leave that up to other developers. Thanks for the review. Here the second fix thierry -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbordaz-0017-02-configure-DNA-plugin-shared-config-entries-to-allow-.patch Type: text/x-patch Size: 7828 bytes Desc: not available URL: From mbabinsk at redhat.com Thu Jan 21 16:04:29 2016 
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 21 Jan 2016 17:04:29 +0100
Subject: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI
In-Reply-To: <56A0D0EC.3010009@redhat.com>
References: <56A0D0EC.3010009@redhat.com>
Message-ID: <56A1018D.101@redhat.com>

On 01/21/2016 01:37 PM, thierry bordaz wrote:
>
>
>

Hi Thierry,

I have a couple of comments to your patch:

1.) there is a number of PEP8 errors in the patch (http://paste.fedoraproject.org/313246/33893701), please fix them. See http://www.freeipa.org/page/Python_Coding_Style for our conventions used in Python code.

2.)

+ DNA_BIND_METHOD = "dnaRemoteBindMethod"
+ DNA_CONN_PROTOCOL = "dnaRemoteConnProtocol"
+ DNA_PLUGIN_DN = 'cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
+ dna_config_base = 'cn=Posix IDs,%s' % DNA_PLUGIN_DN

Uppercase names are usually reserved for module-level constants. OTOH, local variables should be lowercase.

Also you can instantiate dna_config_base directly as DN, using 2-member tuples, i.e.:

"""
dna_config_base = DN(('cn', 'posix IDs'), ('cn', 'Distributed Numeric Assignment Plugin'), ('cn', 'plugins'), ('cn', 'config'))
"""

When passing a DN object to the formatting functions/operators, it is automatically converted to string so no need to hold string and DN object separately. This is done in other places (see function/methods in replication.py).

3.)

+ for i in range(len(entries)) :
+
+ mod = []
+ if entries[i].single_value.get(DNA_BIND_METHOD) != method:
+ mod.append((ldap.MOD_REPLACE, DNA_BIND_METHOD, method))
+
+ if entries[i].single_value.get(DNA_CONN_PROTOCOL) != protocol:
+ mod.append((ldap.MOD_REPLACE, DNA_CONN_PROTOCOL, protocol))

please use idiomatic Python when handling a list of entries, e.g.:

"""
for entry in entries:
    mod = []
    if entry.single_value.get(DNA_BIND_METHOD) != method:
        ...
"""

4.) I think that this method should be in DSInstance class since it deals with directory server configuration. Service is a parent object of all other service installers/configurators and should contain only methods common to more children.

5.) Since the method is called from every installer, it could be beneficial to call it in DSInstance.__common_post_setup() as a part of Directory server installation. Is there any reason why this is not the case?

6.)

+ while attempt != MAX_WAIT:
+ try:
+ entries = conn.get_entries(sharedcfgdn, scope=ldap.SCOPE_ONELEVEL, filter='dnaHostname=%s' % self.fqdn)
+ break
+ except errors.NotFound:
+ root_logger.debug("So far enable not find DNA shared config entry for dnaHostname=%s under %s. Retry in 2sec" % (self.fqdn, sharedcfgdn))
+ attempt = attempt + 1
+ time.sleep(2)
+ continue
+
+ # safety checking
+ # there is no return, if there are several entries, as a workaround of #5510
+ if len(entries) != 1:

I am quite afraid what would happen if the server does not return any entries until 30 s timeout. The code will then continue to the condition which can potentially test an uninitialized variable and blow up with 'NameError'. This should be handled more robustly, e.g. raise an exception when a timeout is reached and no entries were returned.

7.)

+ if len(mod) > 0:

A Pythonic way to test for a non-empty container is

"""
if mods:
    # do stuff
"""

since an empty list/dict/set evaluates to False and non-empty containers are True.

8.)

+ entry = conn.get_entry(entries[i].dn)
+ if entry.single_value.get(DNA_BIND_METHOD) != method:
+ root_logger.error("Fail to set SASL/GSSAPI bind method to %s" % (entries[i].dn))
+ if entry.single_value.get(DNA_CONN_PROTOCOL) != protocol:
+ root_logger.error("Fail to set LDAP protocol to %s" % (entries[i].dn))

rather than re-fetching the modified entry and testing what happened, you can just catch an exception raised by an unsuccessful mod and log an error like this:

"""
try:
    conn.modify_s(entry.dn, mod)
except Exception as e:
    root_logger.error("Failed to modify entry {}: {}".format(entry, e))
"""

as a matter of fact, if the modify_s operation would fail for some reason, an ldap exception would be raised and your checks would not even be executed.

9.) The debug message on line 219 should read "Unable to find DNA shared config entry for dnaHostname=%s so far. Retry in 2 sec.". The errors at the end of the method should have "Failed" instead of "Fail".

--
Martin^3 Babinsky
From rcritten at redhat.com Thu Jan 21 16:22:28 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 21 Jan 2016 11:22:28 -0500
Subject: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI
In-Reply-To: <56A1018D.101@redhat.com>
References: <56A0D0EC.3010009@redhat.com> <56A1018D.101@redhat.com>
Message-ID: <56A105C4.6010107@redhat.com>

Martin Babinsky wrote:
> On 01/21/2016 01:37 PM, thierry bordaz wrote:

> 6.)
>
> + while attempt != MAX_WAIT:
> + try:
> + entries = conn.get_entries(sharedcfgdn,
> scope=ldap.SCOPE_ONELEVEL, filter='dnaHostname=%s' % self.fqdn)
> + break
> + except errors.NotFound:
> + root_logger.debug("So far enable not find DNA shared
> config entry for dnaHostname=%s under %s. Retry in 2sec" % (self.fqdn,
> sharedcfgdn))
> + attempt = attempt + 1
> + time.sleep(2)
> + continue
> +
> + # safety checking
> + # there is no return, if there are several entries, as a
> workaround of #5510
> + if len(entries) != 1:
>
> I am quite afraid what would happen if the server does not return any
> entries until 30 s timeout. The code will then continue to the condition
> which can potentially test an uninitialized variable and blow up with
> 'NameError'. This should be handled more robustly, e. g. raise an
> exception when a timeout is reached and no entries were returned.

I agree, but note that it is a 60s timeout (30 tries x 2 second sleeps).

This will blow up if something other than NotFound is returned (e.g. connection error), and maybe that's ok.

The continue is not needed.

rob
From mbabinsk at redhat.com Thu Jan 21 16:38:29 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 21 Jan 2016 17:38:29 +0100 Subject: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI In-Reply-To: <56A105C4.6010107@redhat.com> References: <56A0D0EC.3010009@redhat.com> <56A1018D.101@redhat.com> <56A105C4.6010107@redhat.com> Message-ID: <56A10985.7020108@redhat.com> On 01/21/2016 05:22 PM, Rob Crittenden wrote: > Martin Babinsky wrote: >> On 01/21/2016 01:37 PM, thierry bordaz wrote: > >> 6.) >> >> + while attempt != MAX_WAIT: >> + try: >> + entries = conn.get_entries(sharedcfgdn, >> scope=ldap.SCOPE_ONELEVEL, filter='dnaHostname=%s' % self.fqdn) >> + break >> + except errors.NotFound: >> + root_logger.debug("So far enable not find DNA shared >> config entry for dnaHostname=%s under %s. Retry in 2sec" % (self.fqdn, >> sharedcfgdn)) >> + attempt = attempt + 1 >> + time.sleep(2) >> + continue >> + >> + # safety checking >> + # there is no return, if there are several entries, as a >> workaround of #5510 >> + if len(entries) != 1: >> >> I am quite afraid what would happen if the server does not return any >> entries until 30 s timeout. The code will then continue to the condition >> which can potentially test an uninitialized variable and blow up with >> 'NameError'. This should be handled more robustly, e. g. raise an >> exception when a timeout is reached and no entries were returned. > > I agree, but note that it is a 60s timeout (30 tries x 2 second sleeps). > Right, looks like I forgot how to math. I was thinking that this loop could be rewritten in a safer way like this: """ for i in range(0, max_wait + 1): try: entries = conn.get_entries(sharedcfgdn, scope=ldap.SCOPE_ONELEVEL, filter='dnaHostname=%s' % self.fqdn) break except errors.NotFound: root_logger.debug("So far enable not find DNA shared config entry for dnaHostname=%s under %s. 
Retry in 2sec" % (self.fqdn, sharedcfgdn)) time.sleep(2) else: raise RuntimeError("Could not get dnaHostname entries in {} seconds".format(max_wait * 2)) """ the else: branch will be executed only after the iterator (range in this case because Py3 compatibility) is exhausted thus handling the timeout. > This will blow up if something other than NotFound is returned (e.g. > connection error), and maybe that's ok. > Other exceptions do not worry me, only repeated NotFound due to some bad magic preventing the entries to appear which can lead to unhandled timeout. > The continue is not needed. > > rob > -- Martin^3 Babinsky From mbasti at redhat.com Thu Jan 21 17:14:12 2016 
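The for/else rewrite proposed above, worked through as an added example that is not FreeIPA's own code. It puts the unsafe while-loop shape and the for/else version side by side, with a constructed stand-in for the LDAP connection (the `NotFound` class, `FakeConn` and the injectable `sleep` are assumptions standing in for `ipalib.errors.NotFound`, `ipaldap` and `time.sleep`), so the timeout path can be exercised without a directory server and without actually sleeping:

```python
"""Bounded retry for an LDAP lookup, written two ways.

unsafe_wait() has the shape of the loop as originally posted: when every
attempt raises NotFound the loop simply ends and the len(entries) check
touches a name that was never bound (UnboundLocalError, a NameError).
wait_for_single_entry() uses for/else: the else branch runs only when the
loop was never broken, i.e. every attempt missed, and raises a real
timeout error. Exceptions other than NotFound propagate immediately in
both versions, which is the behaviour discussed in the thread.
"""
import time


class NotFound(Exception):
    """Stand-in for ipalib.errors.NotFound (assumption, not the real class)."""


class FakeConn:
    """Constructed stand-in for an ipaldap connection: raises NotFound for
    the first `appear_after` calls, then returns `entries`."""

    def __init__(self, entries, appear_after):
        self.entries = entries
        self.appear_after = appear_after
        self.calls = 0

    def get_entries(self, base, filter):
        self.calls += 1
        if self.calls <= self.appear_after:
            raise NotFound()
        return list(self.entries)


def unsafe_wait(conn, base, filter, max_wait=30, interval=2, sleep=time.sleep):
    """The original loop shape; falls through with `entries` unbound on timeout."""
    attempt = 0
    while attempt != max_wait:
        try:
            entries = conn.get_entries(base, filter=filter)
            break
        except NotFound:
            attempt += 1
            sleep(interval)
    if len(entries) != 1:  # NameError here if the entry never appeared
        raise RuntimeError("expected exactly one entry, got %d" % len(entries))
    return entries[0]


def wait_for_single_entry(conn, base, filter, max_wait=30, interval=2,
                          sleep=time.sleep):
    """Poll conn.get_entries until exactly one entry matches.

    Makes at most max_wait attempts, sleeping `interval` seconds after each
    miss, so a full timeout takes max_wait * interval seconds (30 x 2 s = 60 s
    with the defaults, as in the thread). `entries` is guaranteed to be bound
    after the loop: either the break ran, or the else branch raised.
    """
    for _ in range(max_wait):
        try:
            entries = conn.get_entries(base, filter=filter)
            break
        except NotFound:
            sleep(interval)
    else:
        raise TimeoutError("no entry matching %s under %s after %d seconds"
                           % (filter, base, max_wait * interval))

    if len(entries) != 1:
        raise RuntimeError("expected exactly one entry matching %s under %s, got %d"
                           % (filter, base, len(entries)))
    return entries[0]
```

Passing a list's `append` as the `sleep` callable records the sleeps instead of performing them, which is what the checks below rely on; in production code `time.sleep` is used unchanged.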
From: mbasti at redhat.com (Martin Basti) Date: Thu, 21 Jan 2016 18:14:12 +0100 Subject: [Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails In-Reply-To: <1453301101.6970.88.camel@redhat.com> References: <568E945F.3030605@redhat.com> <568E949B.1090300@redhat.com> <56961965.9050309@redhat.com> <56967BD8.1000109@redhat.com> <1452807096.3356.182.camel@redhat.com> <5698E793.9090400@redhat.com> <1452873425.3356.192.camel@redhat.com> <56992C6A.7060106@redhat.com> <569F4862.7010201@redhat.com> <1453301101.6970.88.camel@redhat.com> Message-ID: <56A111E4.6010506@redhat.com> On 20.01.2016 15:45, Simo Sorce wrote: > On Wed, 2016-01-20 at 09:42 +0100, Martin Babinsky wrote: >> On 01/15/2016 06:29 PM, Martin Babinsky wrote: >>> On 01/15/2016 04:57 PM, Simo Sorce wrote: >>>> On Fri, 2016-01-15 at 13:35 +0100, Martin Babinsky wrote: >>>>> On 01/14/2016 10:31 PM, Simo Sorce wrote: >>>>>> On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote: >>>>>>> On 01/13/2016 10:31 AM, Martin Babinsky wrote: >>>>>>>> On 01/07/2016 05:38 PM, Martin Babinsky wrote: >>>>>>>>> On 01/07/2016 05:37 PM, Martin Babinsky wrote: >>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5584 >>>>>>>>>> >>>>>>>>> And the patch is here. >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> self-NACK, there may be a better way to handle this. I will do some >>>>>>>> investigation and send updated patch. >>>>>>>> >>>>>>> Attaching updated patch. >>>>>> A failure to obtain a tgt may be due to other reasons (for example the >>>>>> KDC crashed), why are you trying to use this test ? >>>>>> Isn't it sufficient to see there is no host entry in the directory ? >>>>>> >>>>>> Simo. >>>>>> >>>>> There were some corner cases I encountered, mostly concerning a cleanup >>>>> after unsuccessful replica promotion. >>>>> >>>>> You may sometimes end up in a state where local DS is working, but KDC >>>>> crashed and the krb5.conf is still pointing at a remote one. 
In that >>>>> case "malformed" replica's local host entry exist, but when such host >>>>> tries to get TGT, the AS-REQ goes to remote KDC from other master. >>>>> >>>>> However, if the admin had in the mean time cleaned up this host's >>>>> kerberos principals/keys, the crashed replica gets one of the following >>>>> errors: >>>>> >>>>> Client not found in Kerberos database >>>>> Client credentials have been revoked >>>>> Generic preauthentication failure >>>>> >>>>> These were printed out as errors during uninstall, but were actually >>>>> expected in situation like this. It is true that the code should check >>>>> and ignore these specific errors. >>>> Only the first id valid for your case, the others may be transient >>>> errors. >>>> >>>> Simo. >>>> >>>> >>> True, attaching updated patch. The other errors will now pop out in the >>> output and the warning will be displayed. >>> >>> >>> >> Bump for review. >> > LGTM > Simo. > ACK Pushed to: master: d726da3ba20283ffdc1d384dfedf8e6a732dc3d7 ipa-4-3: 4f0266f925207ca705b45287744b3e609d841cc6 From mbasti at redhat.com Thu Jan 21 17:17:25 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 21 Jan 2016 18:17:25 +0100 Subject: [Freeipa-devel] [PATCH 0129] correctly set LDAP bind related attributes when setting up replication In-Reply-To: <569E6CAA.7070301@redhat.com> References: <569E6CAA.7070301@redhat.com> Message-ID: <56A112A5.3080401@redhat.com> On 19.01.2016 18:04, Martin Babinsky wrote: > Fixes https://fedorahosted.org/freeipa/ticket/5412 > > > ACK Pushed to: master: f2b22ec0172243ae2c388dad012112ff0fd843c6 ipa-4-3: 7c8683d26294a6fd33ff3a4e21a67e39576f34ef -------------- next part -------------- An HTML attachment was scrubbed... URL: From tbordaz at redhat.com Thu Jan 21 17:23:02 2016 
From: tbordaz at redhat.com (thierry bordaz) Date: Thu, 21 Jan 2016 18:23:02 +0100 Subject: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI In-Reply-To: <56A10985.7020108@redhat.com> References: <56A0D0EC.3010009@redhat.com> <56A1018D.101@redhat.com> <56A105C4.6010107@redhat.com> <56A10985.7020108@redhat.com> Message-ID: <56A113F6.7070800@redhat.com> On 01/21/2016 05:38 PM, Martin Babinsky wrote: > On 01/21/2016 05:22 PM, Rob Crittenden wrote: >> Martin Babinsky wrote: >>> On 01/21/2016 01:37 PM, thierry bordaz wrote: >> >>> 6.) >>> >>> + while attempt != MAX_WAIT: >>> + try: >>> + entries = conn.get_entries(sharedcfgdn, >>> scope=ldap.SCOPE_ONELEVEL, filter='dnaHostname=%s' % self.fqdn) >>> + break >>> + except errors.NotFound: >>> + root_logger.debug("So far enable not find DNA shared >>> config entry for dnaHostname=%s under %s. Retry in 2sec" % (self.fqdn, >>> sharedcfgdn)) >>> + attempt = attempt + 1 >>> + time.sleep(2) >>> + continue >>> + >>> + # safety checking >>> + # there is no return, if there are several entries, as a >>> workaround of #5510 >>> + if len(entries) != 1: >>> >>> I am quite afraid what would happen if the server does not return any >>> entries until 30 s timeout. The code will then continue to the >>> condition >>> which can potentially test an uninitialized variable and blow up with >>> 'NameError'. This should be handled more robustly, e. g. raise an >>> exception when a timeout is reached and no entries were returned. >> >> I agree, but note that it is a 60s timeout (30 tries x 2 second sleeps). >> > Right, looks like I forgot how to math. 
> > I was thinking that this loop could be rewritten in a safer way like > this: > """ > for i in range(0, max_wait + 1): > try: > entries = conn.get_entries(sharedcfgdn, > scope=ldap.SCOPE_ONELEVEL, filter='dnaHostname=%s' % self.fqdn) > break > except errors.NotFound: > root_logger.debug("So far enable not find DNA shared > config entry for dnaHostname=%s under %s. Retry in 2sec" % (self.fqdn, > sharedcfgdn)) > time.sleep(2) > else: > raise RuntimeError("Could not get dnaHostname entries in > {} seconds".format(max_wait * 2)) > """ > > the else: branch will be executed only after the iterator (range in > this case because Py3 compatibility) is exhausted thus handling the > timeout. Hello Martin, Thanks for this very nice code ! I was a bit afraid of aborting a full install if it was not able to update the localhost shared config, this is why it just logged a message. Finally, raising an exception is the thing to do. > >> This will blow up if something other than NotFound is returned (e.g. >> connection error), and maybe that's ok. >> > Other exceptions do not worry me, only repeated NotFound due to some > bad magic preventing the entries to appear which can lead to unhandled > timeout. > >> The continue is not needed. >> >> rob >> > > From pvoborni at redhat.com Thu Jan 21 18:28:35 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 21 Jan 2016 19:28:35 +0100 Subject: [Freeipa-devel] [PATCH] 948 stop installer when setup-ds.pl fail Message-ID: <56A12353.9070903@redhat.com> DS instance install should fail immediately after setup-ds.pl fail. tickets: #2539, #3720, #5607 https://fedorahosted.org/freeipa/ticket/2539 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0948-stop-installer-when-setup-ds.pl-fail.patch Type: text/x-patch Size: 1134 bytes Desc: not available URL: From mbabinsk at redhat.com Fri Jan 22 09:17:54 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 22 Jan 2016 10:17:54 +0100 Subject: [Freeipa-devel] [PATCH] 948 stop installer when setup-ds.pl fail In-Reply-To: <56A12353.9070903@redhat.com> References: <56A12353.9070903@redhat.com> Message-ID: <56A1F3C2.8070805@redhat.com> On 01/21/2016 07:28 PM, Petr Vobornik wrote: > > Petr Vobornik ACK. -- Martin^3 Babinsky From mbabinsk at redhat.com Fri Jan 22 09:34:20 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 22 Jan 2016 10:34:20 +0100 Subject: [Freeipa-devel] [PATCH 540] cert renewal: import all external CA certs on IPA CA cert renewal In-Reply-To: <56A0A499.1090809@redhat.com> References: <56A0A499.1090809@redhat.com> Message-ID: <56A1F79C.9050102@redhat.com> On 01/21/2016 10:27 AM, Jan Cholasta wrote: > Hi, > > the attached patch fixes . > > Honza > > > ACK -- Martin^3 Babinsky From jcholast at redhat.com Fri Jan 22 11:28:50 2016 From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 22 Jan 2016 12:28:50 +0100 Subject: [Freeipa-devel] [PATCH 540] cert renewal: import all external CA certs on IPA CA cert renewal In-Reply-To: <56A1F79C.9050102@redhat.com> References: <56A0A499.1090809@redhat.com> <56A1F79C.9050102@redhat.com> Message-ID: <56A21272.5020709@redhat.com> On 22.1.2016 10:34, Martin Babinsky wrote: > On 01/21/2016 10:27 AM, Jan Cholasta wrote: >> Hi, >> >> the attached patch fixes . >> >> Honza >> >> >> > ACK Self-NACK. Doesn't work with external CA install. -- Jan Cholasta From mkosek at redhat.com Fri Jan 22 11:32:19 2016 
From: mkosek at redhat.com (Martin Kosek) Date: Fri, 22 Jan 2016 12:32:19 +0100 Subject: [Freeipa-devel] [PATCH 0030] Modernize mod_nss's cipher suites In-Reply-To: <56A0F78F.4060407@redhat.com> References: <56A0F78F.4060407@redhat.com> Message-ID: <56A21343.2090607@redhat.com> On 01/21/2016 04:21 PM, Christian Heimes wrote: > The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf > has been modernized. Insecure or less secure algorithms such as RC4, > DES and 3DES are removed. Perfect forward secrecy suites with ephemeral > ECDH key exchange have been added. IE 8 on Windows XP is no longer > supported. > > The list of enabled cipher suites has been generated with the script > contrib/nssciphersuite/nssciphersuite.py. > > The supported suites are currently: > > TLS_RSA_WITH_AES_128_CBC_SHA256 > TLS_RSA_WITH_AES_256_CBC_SHA256 > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA > TLS_RSA_WITH_AES_128_GCM_SHA256 > TLS_RSA_WITH_AES_128_CBC_SHA > TLS_RSA_WITH_AES_256_GCM_SHA384 > TLS_RSA_WITH_AES_256_CBC_SHA > > https://fedorahosted.org/freeipa/ticket/5589 Thanks for the patch! I updated the ticket to make sure this change is release notes. From mbasti at redhat.com Fri Jan 22 12:22:47 2016 
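An added example for checking a cipher list like the one above; it is not the project's contrib/nssciphersuite/nssciphersuite.py. It parses IANA-style suite names of the TLS 1.2-and-earlier form TLS_<kx>[_<auth>]_WITH_<cipher>_<hash> and flags the properties a reviewer of such a list looks for: static RSA key transport (no forward secrecy), CBC suites with an HMAC-SHA1 MAC, and legacy algorithms such as RC4, DES and 3DES. The list of 14 suites is the one posted in the message; the extra names in the checks are constructed inputs:

```python
"""Classify TLS cipher suite names by the properties that matter in review."""
import re

# The enabled list posted for the modernized /etc/httpd/conf.d/nss.conf.
MODERNIZED_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

LEGACY_TOKENS = {"RC4", "RC2", "DES", "3DES", "NULL", "EXPORT", "EXPORT1024", "MD5", "anon"}
EPHEMERAL_KX = {"ECDHE", "DHE"}          # ephemeral key exchange gives forward secrecy
AEAD_TOKENS = {"GCM", "CCM", "POLY1305"}  # AEAD modes carry no separate HMAC

_SUITE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<rest>.+)$")


def parse_suite(name):
    """Split a suite name into key exchange, authentication, cipher and hash
    and derive the review flags. A bare "RSA" before _WITH_ is static RSA key
    transport: the server's RSA key is both the exchange and the signing key."""
    m = _SUITE.match(name)
    if not m:
        raise ValueError("not a TLS_<kx>_WITH_<cipher>_<hash> name: %r" % name)
    kx, _, auth = m.group("kx").partition("_")
    auth = auth or kx
    rest = m.group("rest").split("_")
    cipher, hash_ = "_".join(rest[:-1]), rest[-1]
    tokens = set(name.split("_"))
    aead = bool(tokens & AEAD_TOKENS)
    return {
        "name": name, "kx": kx, "auth": auth, "cipher": cipher, "hash": hash_,
        "pfs": kx in EPHEMERAL_KX,
        "aead": aead,
        # A trailing bare "SHA" on a non-AEAD suite means HMAC-SHA1 over CBC;
        # on GCM suites the trailing SHA256/SHA384 is only the PRF hash.
        "sha1_mac": (not aead) and hash_ == "SHA",
        "legacy": bool(tokens & LEGACY_TOKENS),
    }


def audit(suites):
    """Group suite names by the property a reviewer would object to (or want)."""
    report = {"legacy": [], "no_pfs": [], "sha1_mac": [], "aead": []}
    for p in map(parse_suite, suites):
        if p["legacy"]:
            report["legacy"].append(p["name"])
        if not p["pfs"]:
            report["no_pfs"].append(p["name"])
        if p["sha1_mac"]:
            report["sha1_mac"].append(p["name"])
        if p["aead"]:
            report["aead"].append(p["name"])
    return report


if __name__ == "__main__":
    for key, names in audit(MODERNIZED_SUITES).items():
        print("%-9s %2d  %s" % (key, len(names), " ".join(names)))
```

Run against the posted list this reports no legacy algorithms, six static-RSA suites kept for compatibility (no forward secrecy), six CBC suites still using HMAC-SHA1, and six AEAD (GCM) suites; the static-RSA and SHA1-MAC groups are the ones a later tightening would drop first.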
From: mbasti at redhat.com (Martin Basti) Date: Fri, 22 Jan 2016 13:22:47 +0100 Subject: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs In-Reply-To: <5698EA71.2040105@redhat.com> References: <5673F1F9.2030403@redhat.com> <56964AB1.1010902@redhat.com> <56975994.6040604@redhat.com> <5697AF06.3070805@redhat.com> <5697B7CD.6050607@redhat.com> <5697BBBA.60503@redhat.com> <5697C5E3.2010307@redhat.com> <5698EA71.2040105@redhat.com> Message-ID: <56A21F17.40406@redhat.com> On 15.01.2016 13:47, Stanislav Laznicka wrote: > > On 01/14/2016 04:59 PM, Petr Vobornik wrote: >> On 01/14/2016 04:16 PM, Ludwig Krispenz wrote: >>> >>> On 01/14/2016 03:59 PM, Stanislav Laznicka wrote: >>>> On 01/14/2016 03:21 PM, Rob Crittenden wrote: >>>>> Stanislav Laznicka wrote: >>>>>> Please see the rebased patches attached. >>>>>> >>>>>> On 01/13/2016 02:01 PM, Martin Basti wrote: >>>>>>> >>>>>>> On 18.12.2015 12:46, Stanislav Laznicka wrote: >>>>>>>> Hi, >>>>>>>> >>>>>>>> Attached are the patches for auto-find and clean of dangling >>>>>>>> (cs)ruvs. Currently, the cleaning of an RUV waits for all >>>>>>>> replicas to >>>>>>>> be online, even on --force. If that were an issue, I can make the >>>>>>>> command fail before trying to clean any of RUVs. However, the >>>>>>>> user is >>>>>>>> shown a replica is offline and is prompted to confirm the >>>>>>>> cleaning so >>>>>>>> the possible wait should not be a problem I believe. >>>>>>>> >>>>>>>> Standa L. >>>>>>>> >>>>>>>> >>>>>>> Hello, >>>>>>> >>>>>>> patches needs rebase, I cannot apply them. >>>>> Will this confuse people? Currently, for good or bad, there are two >>>>> commands for managing the two different topologies. This mixes >>>>> some CA >>>>> work into ipa-replica-manage. >>>>> >>>>> rob >>>>> >>>> Well, in the patch, I was just following the discussion at >>>> https://fedorahosted.org/freeipa/ticket/5411. 
Ludwig mentions that >>>> ipa-csreplica-manage should go deprecated and does not want to enhance >>>> it. Also, the only thing the code does is removing trash from the ds >>>> so it makes sense to me to do it in just one command, as well as the >>>> users might expect that, too. >>>> >>>> I guess it would be possible to add an option that would select which >>>> of the subtrees should be cleaned of RUVs. It should stay as one >>>> command nonetheless. Adding such an option for this command would then >>>> probably mean all the commands should have it as it would make more >>>> sense, though. >>>> >>>> Let me add Petr and Ludwig to CC: as they both had inputs on keeping >>>> the command in just ipa-replica-manage. >>> yes, that was the idea to keep ipa-csreplica-manage (which does not >>> have >>> clean-ruv,..) for domain-level 0, but not add new features. Also >>> "ipa-replica-manage del" now triggers the ruv cleaning of ipaca >>> >> >> Yes, ipa-csreplica-manage should be deprecated. >> >> I think that one of the reasons why dangling CA RUVs are not uncommon >> is that users forget about `ipa-csreplica-manage del` command when >> removing a replica. >> >> New `ipa-replica-manage del` also removes replication agreements and >> therefore cleans RUVs of CA suffix (on domain level 1). In this >> context it is not inconsistent. >> >> Btw, one of the good example why this commands will be helpful is >> following bz, especially a sentence in: >> https://bugzilla.redhat.com/show_bug.cgi?id=1295971#c5 >> """ >> I had some mistakes to clean some valid RUV, for example, 52 for eupre1 >> """ >> >> We should think about list-clean-ruv and abort-clean-ruv commands. >> There is no counterpart for CA suffix now. Could be in different patch. >> >> With clean-dangling-ruvs command it would be good to deprecate >> clean-ruv command of ipa-replica-manage - should be different patch. >> >> I'm not sure if it should abort if some replica is down. 
Maybe yes >> until https://fedorahosted.org/freeipa/ticket/5396 is fixed. >> >> The path set misses update of man page. > Attached are the patches with the description for the man page. Abort > of the clean-dangling-ruv operation on any replica offline status was > also added. > > Hello, I have a few comments PATCH Automatically detect and remove dangling RUVs 1) + # get the Directory Manager password + if options.dirman_passwd: + dirman_passwd = options.dirman_passwd + else: + dirman_passwd = installutils.read_password('Directory Manager', + confirm=False, validate=False, retry=False) + if dirman_passwd is None: + sys.exit('Directory Manager password is required') + + options.dirman_passwd = dirman_passwd IMO you need only else branch here if not options.dirman_password: dirman_passwd = installutils.read_password('Directory Manager', confirm=False, validate=False, retry=False) if dirman_passwd is None: sys.exit('Directory Manager password is required') options.dirman_passwd = dirman_passwd 2) We should use new formatting in new code (more times in code) + sys.exit( + "Failed to get data from '%s' while trying to list replicas: %s" % + (host, e) + ) sys.exit( "Failed to get data from '{host}' while trying to list replicas: {e}".format( host=host, e=e ) ) 3) + # get all masters + masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), + ipautil.realm_to_suffix(realm)) IMO you should use constants: masters_dn = DN(api.env.container_masters, api.env.basedn) 4) + # Get realm string for config tree + s = realm.split('.') + s = ['dc={dc},'.format(dc=x.lower()) for x in s] + realm_config = DN(('cn', ''.join(s)[0:-1])) Can be api.env.basedn used instead of this block of code? 5) + masters = [x.single_value['cn'] for x in masters] .... + for master in masters: is there any reason why not iterate over the keys in info dict? 
for master_name, master_data/values/whatever in info.items(): master_data['online'] = True Looks better than: info[master]['online'] = True 6) I asked python gurus, for empty lists and dicts, please use [] and {} instead of list() and dict() It is preferred and faster. 7) + if(info[master]['ca']): + entry = conn.get_entry(csreplica_dn) + csruv = (master, entry.single_value.get('nsDS5ReplicaID')) + if csruv not in csruvs: + csruvs.append(csruv) I don't like too much adding tuples into list and then doing search there, but it is as designed. However, can you use set() instead of list when the purpose of variable is only testing existence? related to: csruvs ruvs offlines clean_list cleaned 8) conn in finally block may be undefined 9) unused local variables clean_list entry on line 570 10) optional, comment what keys mean in info structure -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbabinsk at redhat.com Fri Jan 22 13:22:42 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 22 Jan 2016 14:22:42 +0100 Subject: [Freeipa-devel] [PATCH 0031] ipatests: fix the install of external ca In-Reply-To: <569E6AA6.2070503@redhat.com> References: <569E64E3.4030406@redhat.com> <569E6AA6.2070503@redhat.com> Message-ID: <56A22D22.8050605@redhat.com> On 01/19/2016 05:56 PM, Milan Kubík wrote: > On 01/19/2016 05:31 PM, Milan Kubík wrote: >> Patch attached. >> >> >> > This actually has a ticket opened. Patch with fixed commit message. ;) > > -- > Milan Kubik > > > Hi Milan, for the step 1 installation I would rather reuse the tasks:install_master function which already does (nearly) all CLI option-related magic. You can extend its signature by adding a parameter to pass on additional options like this: --- a/ipatests/test_integration/tasks.py +++ b/ipatests/test_integration/tasks.py
@@ -258,7 +258,7 @@ def enable_replication_debugging(host): stdin_text=logging_ldif) -def install_master(host, setup_dns=True, setup_kra=False): +def install_master(host, setup_dns=True, setup_kra=False, extra_args=()): host.collect_log(paths.IPASERVER_INSTALL_LOG) host.collect_log(paths.IPACLIENT_INSTALL_LOG) inst = host.domain.realm.replace('.', '-') @@ -284,6 +284,8 @@ def install_master(host, setup_dns=True, setup_kra=False): '--auto-reverse' ]) + args.extend(extra_args) + host.run_command(args) enable_replication_debugging(host) setup_sssd_debugging(host) -- Martin^3 Babinsky From pviktori at redhat.com Fri Jan 22 15:24:23 2016 From: pviktori at redhat.com (Petr Viktorin) Date: Fri, 22 Jan 2016 16:24:23 +0100 Subject: [Freeipa-devel] [PATCH] 0751 spec: Split out python-ipap11helper and, python-default_encoding_utf8 In-Reply-To: <56A0CB8D.7030605@redhat.com> References: <56606E90.3000909@redhat.com> <56619535.1010700@redhat.com> <566E6D61.80002@redhat.com> <56702971.1060709@redhat.com> <56702B5F.1090403@redhat.com> <56A0CB8D.7030605@redhat.com> Message-ID: <56A249A7.50709@redhat.com> On 01/21/2016 01:14 PM, Jan Cholasta wrote: > We got rid of both default_encoding_utf8 and _ipap11helper, so > python-ipalib can be packaged as noarch. See the attached patch. The patch looks good to me, so ACK (though an ACK for me probably doesn't count). -- Petr Viktorin From pviktori at redhat.com Fri Jan 22 15:37:20 2016 
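Review bot: the new `extra_args=()` parameter of install_master is undocumented, and the placement of `args.extend(extra_args)` needs a check before this goes in. It is inserted right after the `args.extend([...'--auto-reverse'])` call; if that call is guarded by a setup_dns condition, the new extend must sit at the function's own indentation level outside that branch, otherwise callers passing setup_dns=False silently lose their extra options. Add a docstring line stating that extra_args are appended verbatim to the ipa-server-install command line, after the options the function builds itself, so a caller can override them.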
From: pviktori at redhat.com (Petr Viktorin) Date: Fri, 22 Jan 2016 16:37:20 +0100 Subject: [Freeipa-devel] [PATCH] 0760 - Split ipa-client/ into ipaclient/ and client/ In-Reply-To: <5697D18F.8010105@redhat.com> References: <56962826.10404@redhat.com> <56963D11.3050600@redhat.com> <56974647.1010408@redhat.com> <56976EF5.8080601@redhat.com> <569773DC.80808@redhat.com> <5697D18F.8010105@redhat.com> Message-ID: <56A24CB0.6050201@redhat.com> On 01/14/2016 05:49 PM, Petr Viktorin wrote: > On 01/14/2016 11:09 AM, Jan Cholasta wrote: >> On 14.1.2016 10:48, Petr Viktorin wrote: >>> On 01/14/2016 07:55 AM, Jan Cholasta wrote: >>>> Hi, >>>> >>>> On 13.1.2016 13:03, Martin Babinsky wrote: >>>>> On 01/13/2016 11:34 AM, Petr Viktorin wrote: >>>>>> Hello, >>>>>> I'm planning to port the ipa-client to Python 3, and I'm likely to end >>>>>> up shaking out some dusty corners of the codebase, rather than >>>>>> doing the >>>>>> minimal amount of work :) >>>>>> So I'd like to get your opinions before I commit significant time to >>>>>> this. > > Here's a patch for review. > (I'm sending the full diff for applying; the result is nicer to look at > with `git show -C`) Ping, was there any progress on the patch review? -- Petr Viktorin From mbasti at redhat.com Fri Jan 22 16:47:07 2016 From: mbasti at redhat.com (Martin Basti) Date: Fri, 22 Jan 2016 17:47:07 +0100 Subject: [Freeipa-devel] [PATCH 0408] CI DNSSEC: add missing glue record Message-ID: <56A25D0B.4080006@redhat.com> Patch attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0408-Fix-DNSSEC-test-add-glue-record.patch Type: text/x-patch Size: 1367 bytes Desc: not available URL: From pspacek at redhat.com Sat Jan 23 09:34:57 2016 
From: pspacek at redhat.com (Petr Spacek) Date: Sat, 23 Jan 2016 10:34:57 +0100 Subject: [Freeipa-devel] [PATCH 0408] CI DNSSEC: add missing glue record In-Reply-To: <56A25D0B.4080006@redhat.com> References: <56A25D0B.4080006@redhat.com> Message-ID: <56A34941.5020407@redhat.com> On 22.1.2016 17:47, Martin Basti wrote: > - # make BIND happy, and delegate zone which contains A record of master > + # make BIND happy: add the glue record and delegate zone > + args = [ > + "ipa", "dnsrecord-add", root_zone, self.master.domain.name, > + "--a-rec=" + self.master.ip > + ] > + self.master.run_command(args) > + time.sleep(10) # sleep a bit until data are provided by bind-dyndb-ldap > + LGTM, ACK. In the worst case it will not fix the test :-) -- Petr^2 Spacek From jcholast at redhat.com Mon Jan 25 07:19:12 2016 
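Review bot: the fixed `time.sleep(10)` after the `ipa dnsrecord-add` is a timing guess that either wastes ten seconds or still races bind-dyndb-ldap on a slow machine; replace it with a bounded poll that queries the master for the new A record of self.master.domain.name (the expected value, self.master.ip, is already at hand) and proceeds as soon as it resolves, failing with a clear message after the deadline. The comment "sleep a bit until data are provided by bind-dyndb-ldap" then goes away with the sleep.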
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 25 Jan 2016 08:19:12 +0100 Subject: [Freeipa-devel] [PATCH 540] cert renewal: import all external CA certs on IPA CA cert renewal In-Reply-To: <56A21272.5020709@redhat.com> References: <56A0A499.1090809@redhat.com> <56A1F79C.9050102@redhat.com> <56A21272.5020709@redhat.com> Message-ID: <56A5CC70.6070000@redhat.com> On 22.1.2016 12:28, Jan Cholasta wrote: > On 22.1.2016 10:34, Martin Babinsky wrote: >> On 01/21/2016 10:27 AM, Jan Cholasta wrote: >>> Hi, >>> >>> the attached patch fixes . >>> >>> Honza >>> >>> >>> >> ACK > > Self-NACK. Doesn't work with external CA install. > Updated patches attached. -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-540.1-cert-renewal-import-all-external-CA-certs-on-IPA-CA-.patch Type: text/x-patch Size: 3248 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-540.1.4_2-cert-renewal-import-all-external-CA-certs-on-IPA-CA-.patch Type: text/x-patch Size: 3252 bytes Desc: not available URL: From jcholast at redhat.com Mon Jan 25 07:29:43 2016 From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 25 Jan 2016 08:29:43 +0100 Subject: [Freeipa-devel] [PATCH 542] replica install: validate DS and HTTP server certificates Message-ID: <56A5CEE7.5050806@redhat.com> Hi, the attached patch fixes . Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-542-replica-install-validate-DS-and-HTTP-server-certific.patch Type: text/x-patch Size: 3269 bytes Desc: not available URL: From jcholast at redhat.com Mon Jan 25 07:54:30 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 25 Jan 2016 08:54:30 +0100 Subject: [Freeipa-devel] [PATCH 543] CA install: explicitly set dogtag_version to 10 Message-ID: <56A5D4B6.8030201@redhat.com> Hi, the attached patch fixes . Note that this is a 4.2-specific fix. Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-543-CA-install-explicitly-set-dogtag_version-to-10-when-.patch Type: text/x-patch Size: 1113 bytes Desc: not available URL: From abokovoy at redhat.com Mon Jan 25 07:56:12 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 25 Jan 2016 09:56:12 +0200 Subject: [Freeipa-devel] [PATCH 543] CA install: explicitly set dogtag_version to 10 In-Reply-To: <56A5D4B6.8030201@redhat.com> References: <56A5D4B6.8030201@redhat.com> Message-ID: <20160125075612.GY4316@redhat.com> On Mon, 25 Jan 2016, Jan Cholasta wrote: >Hi, > >the attached patch fixes . > >Note that this is a 4.2-specific fix. > >Honza > >-- >Jan Cholasta >From c2a0684c64538166809883a235bd131518b6e78f Mon Sep 17 00:00:00 2001 >From: Jan Cholasta >Date: Mon, 25 Jan 2016 08:48:42 +0100 >Subject: [PATCH] CA install: explicitly set dogtag_version to 10 > >When installing new CA master, explicitly set the dogtag_version option to >10 in api.bootstrap() to prevent failures in code which expects the value >to be 10 rather than the default value of 9. > >https://fedorahosted.org/freeipa/ticket/5611 >--- > install/tools/ipa-ca-install | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install >index 6564e4d..e8ccaef 100755 >--- a/install/tools/ipa-ca-install >+++ b/install/tools/ipa-ca-install 
>@@ -162,7 +162,7 @@ def install_master(safe_options, options): > > # override ra_plugin setting read from default.conf so that we have > # functional dogtag backend plugins during CA install >- api.bootstrap(in_server=True, ra_plugin='dogtag') >+ api.bootstrap(in_server=True, ra_plugin='dogtag', dogtag_version=10) > api.finalize() > > dm_password = options.password >-- ACK. -- / Alexander Bokovoy From lkrispen at redhat.com Mon Jan 25 08:30:04 2016 
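Review bot: the comment directly above the changed line still says only that the ra_plugin setting read from default.conf is overridden, but the call now also forces dogtag_version=10; update the comment to mention both overrides and the reason from the commit message (without it the value stays at the default of 9 and code that expects 10 fails), so the next reader doesn't drop the argument as redundant. Since the commit message says this is a 4.2-specific fix, a pointer to ticket 5611 next to the override would also help when the branches are compared later.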
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Mon, 25 Jan 2016 09:30:04 +0100 Subject: [Freeipa-devel] Fwd: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists In-Reply-To: References: <569E9D5F.9070801@redhat.com> <569EC761.9090306@redhat.com> <569F5B19.50009@redhat.com> <569FE2EC.5080307@redhat.com> <56A0F93E.3000406@redhat.com> <56A23BDB.1020608@redhat.com> <56A273A3.4010600@redhat.com> Message-ID: <56A5DD0C.6030502@redhat.com> Hi, this is from a discussion on the user-list, there is a difference in acis on 4.2.0 and 4.2.3 this is the aci which is present in 4.2.0 and is missing in 4.2.3: aci: (targetattr = "cn || createtimestamp || description || entryusn || modify timestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeou t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || n sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds 5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacl eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5repl icahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinits tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5repli calastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsum er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5re plicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributeli st || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replic atombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || n sds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsd s7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenable d || 
nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicas ubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsub treepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replic a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA greement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: R ead Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn =System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomai n,dc=net";) does anybody know if and why this was changed ? On 01/24/2016 03:22 AM, Nathan Peters wrote: > # config > dn: cn=config > aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r > ead, search, compare) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) > aci: (target ="ldap:///cn=automember rebuild membership,cn=tasks,cn=config")( > targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T > ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task > ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) > aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob > jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu > gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura > tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager > s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) > aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop, > cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C > onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co > nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) > aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns > slapd-directory* || 
objectclass")(target = "ldap:///cn=config,cn=ldbm databas > e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi > guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas > e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) > aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g > roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc= > ipatestdomain,dc=net";) > aci: (targetattr = "cn || createtimestamp || description || entryusn || modify > timestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeou > t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || n > sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds > 5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || > nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacl > eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5repl > icahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinits > tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5repli > calastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsum > er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || > nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5re > plicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributeli > st || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replic > atombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || n > sds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsd > s7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenable > d || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicas > ubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || > 
winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsub > treepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replic > a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA > greement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: R > ead Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn > =System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomai > n,dc=net";) > > # SNMP, config > dn: cn=SNMP,cn=config > aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl > "snmp";allow (read, search, compare)(userdn ="ldap:///anyone");) > > # tasks, config > dn: cn=tasks,cn=config > aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio > n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis > sions,cn=pbac,dc=ipatestdomain,dc=net";) > aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re > -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa > ca";) > aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read > , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip > atestdomain,dc=net";) > aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membershi > p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Ta > sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automembe > r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) > > # csusers, config > dn: ou=csusers,cn=config > aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use > rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) > > # 1.3.6.1.4.1.4203.1.9.1.1, features, config > dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config > aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea > d, search ) userdn 
="ldap:///all";) > > # 2.16.840.1.113730.3.4.9, features, config > dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config > aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, > search, compare, proxy) userdn ="ldap:///anyone"; ) > > # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config > dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config > aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al > low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn= > pbac,dc=ipatestdomain,dc=net";) > aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd > s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl > ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme > nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag > reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) > aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob > jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem > ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli > cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) > > # o\3Dipaca, mapping tree, config > dn: cn=o\3Dipaca,cn=mapping tree,cn=config > aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements" > ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) > aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd > s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl > ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre > ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl > e,o=ipaca";) > aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob > jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: > 
Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
>  ,ou=people,o=ipaca";)
>
> # ldbm database, plugins, config
> dn: cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
>  llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
>  "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
>  Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThre
>  shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
>  allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss
>  ions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # userRoot, ldbm database, plugins, config
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
>  e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
>  s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 12
> # numEntries: 11
>
>
> ============================================================================
> 2. ACL on dc1 when it's still on FreeIPA 4.2.0 on CentOS 7.2 but there is now a Fedora 23 FreeIPA 4.2.3 server in the domain (for reference that the CentOS ACL hasn't changed yet)
> ============================================================================
> ================ after reinstallation of dc2 in fedora 23 / ipa 4.2.3 =========================
>
> [root@dc1 ~]# ldapsearch -b "cn=config" -D "uid=admin,cn=users,cn=accounts,dc=ipatestdomain,dc=net" -W
> Enter LDAP Password:
> # config
> dn: cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
>  ead, search, compare) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (target ="ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
>  targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T
>  ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task
>  ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
>  jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu
>  gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura
>  tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager
>  s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
>  cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C
>  onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co
>  nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
>  slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas
>  e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi
>  guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas
>  e
Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) > aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g > roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc= > ipatestdomain,dc=net";) > aci: (targetattr = "cn || createtimestamp || description || entryusn || modify > timestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeou > t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || n > sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds > 5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || > nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacl > eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5repl > icahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinits > tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5repli > calastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsum > er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || > nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5re > plicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributeli > st || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replic > atombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || n > sds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsd > s7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenable > d || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicas > ubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || > winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsub > treepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replic > 
a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA > greement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: R > ead Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn > =System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomai > n,dc=net";) > > # SNMP, config > dn: cn=SNMP,cn=config > aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl > "snmp";allow (read, search, compare)(userdn ="ldap:///anyone");) > > # tasks, config > dn: cn=tasks,cn=config > aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio > n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis > sions,cn=pbac,dc=ipatestdomain,dc=net";) > aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re > -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa > ca";) > aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read > , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip > atestdomain,dc=net";) > aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membershi > p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Ta > sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automembe > r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) > > # csusers, config > dn: ou=csusers,cn=config > aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use > rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) > > # 1.3.6.1.4.1.4203.1.9.1.1, features, config > dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config > aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea > d, search ) userdn ="ldap:///all";) > > # 2.16.840.1.113730.3.4.9, features, config > dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config > aci: (targetattr !="aci")(version 3.0; acl 
"VLV Request Control"; allow (read, > search, compare, proxy) userdn ="ldap:///anyone"; ) > > # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config > dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config > aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al > low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn= > pbac,dc=ipatestdomain,dc=net";) > aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd > s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl > ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme > nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag > reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) > aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob > jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem > ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli > cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) > > # o\3Dipaca, mapping tree, config > dn: cn=o\3Dipaca,cn=mapping tree,cn=config > aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements" > ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) > aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd > s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl > ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre > ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl > e,o=ipaca";) > aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob > jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: > Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser > ,ou=people,o=ipaca";) > > # ldbm database, plugins, config > dn: cn=ldbm 
database,cn=plugins,cn=config
> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
>  llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
>  "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
>  Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThre
>  shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
>  allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss
>  ions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # userRoot, ldbm database, plugins, config
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
>  e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
>  s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 12
> # numEntries: 11
>
>
>
> ============================================================================
> 3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server and the replica file was made from dc1 which is a CentOS server that still has the acls (missing some stuff)
> ============================================================================
> aci list on dc2
>
> [root@dc2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (aci=*)
> # requesting: aci
> #
>
> # config
> dn: cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
>  ead, search, compare) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (target ="ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
>  targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T
>  ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task
>  ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
>  jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu
>  gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura
>  tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager
>  s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
>  cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C
>  onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co
>  nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
>  slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas
>  e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi
>  guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas
>  e
Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) > aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g > roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc= > ipatestdomain,dc=net";) > > # SNMP, config > dn: cn=SNMP,cn=config > aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl > "snmp";allow (read, search, compare)(userdn ="ldap:///anyone");) > > # tasks, config > dn: cn=tasks,cn=config > aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio > n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis > sions,cn=pbac,dc=ipatestdomain,dc=net";) > aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re > -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa > ca";) > aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read > , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip > atestdomain,dc=net";) > > # csusers, config > dn: ou=csusers,cn=config > aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use > rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) > > # 1.3.6.1.4.1.4203.1.9.1.1, features, config > dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config > aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea > d, search ) userdn ="ldap:///all";) > > # 2.16.840.1.113730.3.4.9, features, config > dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config > aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, > search, compare, proxy) userdn ="ldap:///anyone"; ) > > # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config > dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config > aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al > low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn= > 
pbac,dc=ipatestdomain,dc=net";) > aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd > s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl > ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme > nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag > reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) > aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob > jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem > ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli > cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) > > # o\3Dipaca, mapping tree, config > dn: cn=o\3Dipaca,cn=mapping tree,cn=config > aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements" > ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) > aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd > s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl > ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre > ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl > e,o=ipaca";) > aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob > jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: > Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser > ,ou=people,o=ipaca";) > > # ldbm database, plugins, config > dn: cn=ldbm database,cn=plugins,cn=config > aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a > llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";) > > # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config > dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config > aci: (targetattr=dnaNextRange || dnaNextValue || 
dnaMaxValue)(version 3.0;acl
>  "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
>  Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThre
>  shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
>  allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss
>  ions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # userRoot, ldbm database, plugins, config
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
>  e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
>  s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 12
> # numEntries: 11
>
> ============================================================================
> 4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now missing some stuff)
> ============================================================================
> [root@dc1 yum.repos.d]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (aci=*)
> # requesting: aci
> #
>
> # config
> dn: cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
>  ead, search, compare) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
> aci: (target ="ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
>  targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T
>  ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task
>  ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
>  jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu
gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura > tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager > s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) > aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop, > cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C > onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co > nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) > aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns > slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas > e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi > guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas > e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) > aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g > roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc= > ipatestdomain,dc=net";) > > # SNMP, config > dn: cn=SNMP,cn=config > aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl > "snmp";allow (read, search, compare)(userdn ="ldap:///anyone");) > > # tasks, config > dn: cn=tasks,cn=config > aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio > n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis > sions,cn=pbac,dc=ipatestdomain,dc=net";) > aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re > -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa > ca";) > aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read > , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip > atestdomain,dc=net";) > > # csusers, config > dn: ou=csusers,cn=config > aci: (targetattr != aci)(version 3.0; aci "cert 
manager manage replication use > rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) > > # 1.3.6.1.4.1.4203.1.9.1.1, features, config > dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config > aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea > d, search ) userdn ="ldap:///all";) > > # 2.16.840.1.113730.3.4.9, features, config > dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config > aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, > search, compare, proxy) userdn ="ldap:///anyone"; ) > > # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config > dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config > aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al > low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn= > pbac,dc=ipatestdomain,dc=net";) > aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd > s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl > ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme > nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag > reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) > aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob > jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem > ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli > cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) > > # o\3Dipaca, mapping tree, config > dn: cn=o\3Dipaca,cn=mapping tree,cn=config > aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements" > ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) > aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd > s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl > 
ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre
>  ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
>  e,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>  jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
>  Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
>  ,ou=people,o=ipaca";)
>
> # ldbm database, plugins, config
> dn: cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
>  llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
>  "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
>  Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThre
>  shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
>  allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss
>  ions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # userRoot, ldbm database, plugins, config
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
>  e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
>  s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 12
> # numEntries: 11

From mbasti at redhat.com Mon Jan 25 09:09:37 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 25 Jan 2016 10:09:37 +0100
Subject: [Freeipa-devel] Fwd: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists
In-Reply-To: <56A5DD0C.6030502@redhat.com>
References: <569E9D5F.9070801@redhat.com> <569EC761.9090306@redhat.com> <569F5B19.50009@redhat.com> <569FE2EC.5080307@redhat.com> <56A0F93E.3000406@redhat.com> <56A23BDB.1020608@redhat.com> <56A273A3.4010600@redhat.com> <56A5DD0C.6030502@redhat.com>
Message-ID: <56A5E651.7040909@redhat.com>

On 25.01.2016 09:30, Ludwig Krispenz wrote:
> Hi,
>
> this is from a discussion on the user-list, there is a difference in
> acis on 4.2.0 and 4.2.3
>
> this is the aci which is present in 4.2.0 and is missing in 4.2.3:
>
> aci: (targetattr = "cn || createtimestamp || description || entryusn
> || modify
> timestamp || nsds50ruv || nsds5beginreplicarefresh ||
> nsds5debugreplicatimeou
> t || nsds5flags || nsds5replicaabortcleanruv ||
> nsds5replicaautoreferral || n
> sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn
> || nsds
> 5replicabindmethod || nsds5replicabusywaittime ||
> nsds5replicachangecount ||
> nsds5replicachangessentsincestartup || nsds5replicacleanruv ||
> nsds5replicacl
> eanruvnotified || nsds5replicacredentials || nsds5replicaenabled ||
> nsds5repl
> icahost || nsds5replicaid || nsds5replicalastinitend ||
> nsds5replicalastinits
> tart || nsds5replicalastinitstatus || nsds5replicalastupdateend ||
> nsds5repli
> calastupdatestart || nsds5replicalastupdatestatus ||
> nsds5replicalegacyconsum
> er || nsds5replicaname || nsds5replicaport ||
> nsds5replicaprotocoltimeout ||
> nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot ||
> nsds5re
> plicasessionpausetime || nsds5replicastripattrs ||
> nsds5replicatedattributeli
> st || nsds5replicatedattributelisttotal || nsds5replicatimeout ||
> nsds5replic
> atombstonepurgeinterval || nsds5replicatransportinfo ||
> nsds5replicatype
|| n
> sds5replicaupdateinprogress || nsds5replicaupdateschedule ||
> nsds5task || nsd
> s7directoryreplicasubtree || nsds7dirsynccookie ||
> nsds7newwingroupsyncenable
> d || nsds7newwinusersyncenabled || nsds7windowsdomain ||
> nsds7windowsreplicas
> ubtree || nsruvreplicalastmodified || nsstate || objectclass ||
> onewaysync ||
> winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction ||
> winsyncsub
> treepair || winsyncwindowsfilter")(targetfilter =
> "(|(objectclass=nsds5Replic
> a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
>
> greement)(objectClass=nsMappingTree))")(version 3.0;acl
> "permission:System: R
> ead Replication Agreements";allow (compare,read,search) groupdn =
> "ldap:///cn
> =System: Read Replication
> Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
> n,dc=net";)
>
> Does anybody know if and why this was changed?
>
This ACI is created by ipaserver/install/plugins/update_managed_permissions.py. It hasn't been touched for a while; did the upgrade/install work well? Maybe re-running ipa-server-upgrade should recreate this entry.
>
>
> On 01/24/2016 03:22 AM, Nathan Peters wrote:
>> # config
>> dn: cn=config
>> aci: (targetattr != aci)(version 3.0; aci "cert manager read access";
>> allow (r
>> ead, search, compare) userdn
>> ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>> aci: (target ="ldap:///cn=automember rebuild
>> membership,cn=tasks,cn=config")(
>> targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild
>> Membership T
>> ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild
>> Membership Task
>> ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>> modifytimestamp || ob
>> jectclass || passsyncmanagersdns*")(target =
>> "ldap:///cn=ipa_pwd_extop,cn=plu
>> gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers
>> Configura
>> tion";allow (compare,read,search) groupdn = "ldap:///cn=Read
>> PassSync Manager
>> s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "passsyncmanagersdns*")(target =
>> "ldap:///cn=ipa_pwd_extop,
>> cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync
>> Managers C
>> onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync
>> Managers Co
>> nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>> modifytimestamp || ns
>> slapd-directory* || objectclass")(target =
>> "ldap:///cn=config,cn=ldbm databas
>> e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM
>> Database Confi
>> guration";allow (compare,read,search) groupdn = "ldap:///cn=Read
>> LDBM Databas
>> e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (version 3.0;acl "permission:Add Configuration
>> Sub-Entries";allow (add) g
>> roupdn = "ldap:///cn=Add Configuration
>> Sub-Entries,cn=permissions,cn=pbac,dc=
>> ipatestdomain,dc=net";)
>> aci: (targetattr = "cn || createtimestamp || description || entryusn
>> || modify
>> timestamp || nsds50ruv ||
nsds5beginreplicarefresh || >> nsds5debugreplicatimeou >> t || nsds5flags || nsds5replicaabortcleanruv || >> nsds5replicaautoreferral || n >> sds5replicabackoffmax || nsds5replicabackoffmin || >> nsds5replicabinddn || nsds >> 5replicabindmethod || nsds5replicabusywaittime || >> nsds5replicachangecount || >> nsds5replicachangessentsincestartup || nsds5replicacleanruv || >> nsds5replicacl >> eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || >> nsds5repl >> icahost || nsds5replicaid || nsds5replicalastinitend || >> nsds5replicalastinits >> tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || >> nsds5repli >> calastupdatestart || nsds5replicalastupdatestatus || >> nsds5replicalegacyconsum >> er || nsds5replicaname || nsds5replicaport || >> nsds5replicaprotocoltimeout || >> nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot >> || nsds5re >> plicasessionpausetime || nsds5replicastripattrs || >> nsds5replicatedattributeli >> st || nsds5replicatedattributelisttotal || nsds5replicatimeout || >> nsds5replic >> atombstonepurgeinterval || nsds5replicatransportinfo || >> nsds5replicatype || n >> sds5replicaupdateinprogress || nsds5replicaupdateschedule || >> nsds5task || nsd >> s7directoryreplicasubtree || nsds7dirsynccookie || >> nsds7newwingroupsyncenable >> d || nsds7newwinusersyncenabled || nsds7windowsdomain || >> nsds7windowsreplicas >> ubtree || nsruvreplicalastmodified || nsstate || objectclass || >> onewaysync || >> winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || >> winsyncsub >> treepair || winsyncwindowsfilter")(targetfilter = >> "(|(objectclass=nsds5Replic >> a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA >> greement)(objectClass=nsMappingTree))")(version 3.0;acl >> "permission:System: R >> ead Replication Agreements";allow (compare,read,search) groupdn = >> "ldap:///cn >> =System: Read Replication >> Agreements,cn=permissions,cn=pbac,dc=ipatestdomai >> n,dc=net";) >> >> 
# SNMP, config >> dn: cn=SNMP,cn=config >> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version >> 3.0;acl >> "snmp";allow (read, search, compare)(userdn ="ldap:///anyone");) >> >> # tasks, config >> dn: cn=tasks,cn=config >> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica >> re-initializatio >> n"; allow (add) groupdn = "ldap:///cn=Modify Replication >> Agreements,cn=permis >> sions,cn=pbac,dc=ipatestdomain,dc=net";) >> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after >> replica re >> -initialization"; allow (add) userdn = >> "ldap:///uid=pkidbuser,ou=people,o=ipa >> ca";) >> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; >> allow (read >> , compare, search) groupdn = >> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip >> atestdomain,dc=net";) >> aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild >> membershi >> p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read >> Automember Ta >> sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read >> Automembe >> r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >> >> # csusers, config >> dn: ou=csusers,cn=config >> aci: (targetattr != aci)(version 3.0; aci "cert manager manage >> replication use >> rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >> >> # 1.3.6.1.4.1.4203.1.9.1.1, features, config >> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config >> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; >> allow( rea >> d, search ) userdn ="ldap:///all";) >> >> # 2.16.840.1.113730.3.4.9, features, config >> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config >> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; >> allow (read, >> search, compare, proxy) userdn ="ldap:///anyone"; ) >> >> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config >> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config >> aci: (targetattr=*)(version 3.0;acl 
"permission:Add Replication >> Agreements";al >> low (add) groupdn = "ldap:///cn=Add Replication >> Agreements,cn=permissions,cn= >> pbac,dc=ipatestdomain,dc=net";) >> aci: >> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd >> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl >> ass=nsMappingTree))")(version 3.0; acl "permission:Modify >> Replication Agreeme >> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify >> Replication Ag >> reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >> aci: >> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob >> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl >> "permission:Rem >> ove Replication Agreements";allow (delete) groupdn = >> "ldap:///cn=Remove Repli >> cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >> >> # o\3Dipaca, mapping tree, config >> dn: cn=o\3Dipaca,cn=mapping tree,cn=config >> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication >> Agreements" >> ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >> aci: >> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd >> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl >> ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify >> Replication Agre >> ements"; allow (read, write, search) userdn = >> "ldap:///uid=pkidbuser,ou=peopl >> e,o=ipaca";) >> aci: >> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob >> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert >> manager: >> Remove Replication Agreements";allow (delete) userdn = >> "ldap:///uid=pkidbuser >> ,ou=people,o=ipaca";) >> >> # ldbm database, plugins, config >> dn: cn=ldbm database,cn=plugins,cn=config >> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV >> searches"; a >> llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >> >> # Posix 
IDs, Distributed Numeric Assignment Plugin, plugins, config
>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>> Plugin,cn=plugins,cn=config
>> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version
>> 3.0;acl
>> "permission:Modify DNA Range";allow (write) groupdn =
>> "ldap:///cn=Modify DNA
>> Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue
>> || dnaThre
>> shold || dnaType || objectclass)(version 3.0;acl "permission:Read
>> DNA Range";
>> allow (read, search, compare) groupdn = "ldap:///cn=Read DNA
>> Range,cn=permiss
>> ions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # userRoot, ldbm database, plugins, config
>> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking
>> the databas
>> e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication
>> Agreement
>> s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 12
>> # numEntries: 11
>>
>>
>> ============================================================================
>>
>> 2. ACL on dc1 when it's still on FreeIPA 4.2.0 on CentOS 7.2 but there
>> is now a Fedora 23 FreeIPA 4.2.3 server in the domain (for reference
>> that the CentOS ACL hasn't changed yet)
>> ============================================================================
>>
>> ================ after reinstallation of dc2 in fedora 23 / ipa 4.2.3
>> =========================
>>
>> [root at dc1 ~]# ldapsearch -b "cn=config" -D
>> "uid=admin,cn=users,cn=accounts,dc=ipatestdomain,dc=net" -W
>> Enter LDAP Password:
>> # config
>> dn: cn=config
>> aci: (targetattr != aci)(version 3.0; aci "cert manager read access";
>> allow (r
>> ead, search, compare) userdn
>> ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>> aci: (target ="ldap:///cn=automember rebuild
>> membership,cn=tasks,cn=config")(
>> targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild
>> Membership T
>> ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild
>> Membership Task
>> ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>> modifytimestamp || ob
>> jectclass || passsyncmanagersdns*")(target =
>> "ldap:///cn=ipa_pwd_extop,cn=plu
>> gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers
>> Configura
>> tion";allow (compare,read,search) groupdn = "ldap:///cn=Read
>> PassSync Manager
>> s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "passsyncmanagersdns*")(target =
>> "ldap:///cn=ipa_pwd_extop,
>> cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync
>> Managers C
>> onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync
>> Managers Co
>> nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>> modifytimestamp || ns
>> slapd-directory* || objectclass")(target =
>> "ldap:///cn=config,cn=ldbm databas
>> e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM
>> Database Confi
>>
guration";allow (compare,read,search) groupdn = "ldap:///cn=Read >> LDBM Databas >> e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >> aci: (version 3.0;acl "permission:Add Configuration >> Sub-Entries";allow (add) g >> roupdn = "ldap:///cn=Add Configuration >> Sub-Entries,cn=permissions,cn=pbac,dc= >> ipatestdomain,dc=net";) >> aci: (targetattr = "cn || createtimestamp || description || entryusn >> || modify >> timestamp || nsds50ruv || nsds5beginreplicarefresh || >> nsds5debugreplicatimeou >> t || nsds5flags || nsds5replicaabortcleanruv || >> nsds5replicaautoreferral || n >> sds5replicabackoffmax || nsds5replicabackoffmin || >> nsds5replicabinddn || nsds >> 5replicabindmethod || nsds5replicabusywaittime || >> nsds5replicachangecount || >> nsds5replicachangessentsincestartup || nsds5replicacleanruv || >> nsds5replicacl >> eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || >> nsds5repl >> icahost || nsds5replicaid || nsds5replicalastinitend || >> nsds5replicalastinits >> tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || >> nsds5repli >> calastupdatestart || nsds5replicalastupdatestatus || >> nsds5replicalegacyconsum >> er || nsds5replicaname || nsds5replicaport || >> nsds5replicaprotocoltimeout || >> nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot >> || nsds5re >> plicasessionpausetime || nsds5replicastripattrs || >> nsds5replicatedattributeli >> st || nsds5replicatedattributelisttotal || nsds5replicatimeout || >> nsds5replic >> atombstonepurgeinterval || nsds5replicatransportinfo || >> nsds5replicatype || n >> sds5replicaupdateinprogress || nsds5replicaupdateschedule || >> nsds5task || nsd >> s7directoryreplicasubtree || nsds7dirsynccookie || >> nsds7newwingroupsyncenable >> d || nsds7newwinusersyncenabled || nsds7windowsdomain || >> nsds7windowsreplicas >> ubtree || nsruvreplicalastmodified || nsstate || objectclass || >> onewaysync || >> winsyncdirectoryfilter || winsyncinterval || 
winsyncmoveaction || >> winsyncsub >> treepair || winsyncwindowsfilter")(targetfilter = >> "(|(objectclass=nsds5Replic >> a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA >> greement)(objectClass=nsMappingTree))")(version 3.0;acl >> "permission:System: R >> ead Replication Agreements";allow (compare,read,search) groupdn = >> "ldap:///cn >> =System: Read Replication >> Agreements,cn=permissions,cn=pbac,dc=ipatestdomai >> n,dc=net";) >> >> # SNMP, config >> dn: cn=SNMP,cn=config >> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version >> 3.0;acl >> "snmp";allow (read, search, compare)(userdn ="ldap:///anyone");) >> >> # tasks, config >> dn: cn=tasks,cn=config >> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica >> re-initializatio >> n"; allow (add) groupdn = "ldap:///cn=Modify Replication >> Agreements,cn=permis >> sions,cn=pbac,dc=ipatestdomain,dc=net";) >> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after >> replica re >> -initialization"; allow (add) userdn = >> "ldap:///uid=pkidbuser,ou=people,o=ipa >> ca";) >> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; >> allow (read >> , compare, search) groupdn = >> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip >> atestdomain,dc=net";) >> aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild >> membershi >> p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read >> Automember Ta >> sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read >> Automembe >> r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >> >> # csusers, config >> dn: ou=csusers,cn=config >> aci: (targetattr != aci)(version 3.0; aci "cert manager manage >> replication use >> rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >> >> # 1.3.6.1.4.1.4203.1.9.1.1, features, config >> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config >> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; 
>> allow( rea >> d, search ) userdn ="ldap:///all";) >> >> # 2.16.840.1.113730.3.4.9, features, config >> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config >> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; >> allow (read, >> search, compare, proxy) userdn ="ldap:///anyone"; ) >> >> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config >> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config >> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication >> Agreements";al >> low (add) groupdn = "ldap:///cn=Add Replication >> Agreements,cn=permissions,cn= >> pbac,dc=ipatestdomain,dc=net";) >> aci: >> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd >> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl >> ass=nsMappingTree))")(version 3.0; acl "permission:Modify >> Replication Agreeme >> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify >> Replication Ag >> reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >> aci: >> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob >> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl >> "permission:Rem >> ove Replication Agreements";allow (delete) groupdn = >> "ldap:///cn=Remove Repli >> cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >> >> # o\3Dipaca, mapping tree, config >> dn: cn=o\3Dipaca,cn=mapping tree,cn=config >> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication >> Agreements" >> ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >> aci: >> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd >> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl >> ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify >> Replication Agre >> ements"; allow (read, write, search) userdn = >> "ldap:///uid=pkidbuser,ou=peopl >> e,o=ipaca";) >> aci: >> 
(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert
>> manager:
>> Remove Replication Agreements";allow (delete) userdn =
>> "ldap:///uid=pkidbuser
>> ,ou=people,o=ipaca";)
>>
>> # ldbm database, plugins, config
>> dn: cn=ldbm database,cn=plugins,cn=config
>> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV
>> searches"; a
>> llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>
>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>> Plugin,cn=plugins,cn=config
>> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version
>> 3.0;acl
>> "permission:Modify DNA Range";allow (write) groupdn =
>> "ldap:///cn=Modify DNA
>> Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue
>> || dnaThre
>> shold || dnaType || objectclass)(version 3.0;acl "permission:Read
>> DNA Range";
>> allow (read, search, compare) groupdn = "ldap:///cn=Read DNA
>> Range,cn=permiss
>> ions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # userRoot, ldbm database, plugins, config
>> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking
>> the databas
>> e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication
>> Agreement
>> s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 12
>> # numEntries: 11
>>
>>
>>
>> ============================================================================
>>
>> 3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server and the
>> replica file was made from dc1 which is a CentOS server that still
>> has the ACLs (missing some stuff)
>> ============================================================================
>>
>> aci list on dc2
>>
>> [root at dc2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config"
>> "(aci=*)" aci
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter: (aci=*)
>> # requesting: aci
>> #
>>
>> # config
>> dn: cn=config
>> aci: (targetattr != aci)(version 3.0; aci "cert manager read access";
>> allow (r
>> ead, search, compare) userdn
>> ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>> aci: (target ="ldap:///cn=automember rebuild
>> membership,cn=tasks,cn=config")(
>> targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild
>> Membership T
>> ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild
>> Membership Task
>> ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>> modifytimestamp || ob
>> jectclass || passsyncmanagersdns*")(target =
>> "ldap:///cn=ipa_pwd_extop,cn=plu
>> gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers
>> Configura
>> tion";allow (compare,read,search) groupdn = "ldap:///cn=Read
>> PassSync Manager
>> s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "passsyncmanagersdns*")(target =
>> "ldap:///cn=ipa_pwd_extop,
>> cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync
>> Managers C
>> onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync
>> Managers Co
>> nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>> modifytimestamp || ns
>> slapd-directory* || objectclass")(target =
>> "ldap:///cn=config,cn=ldbm databas
>> e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM
>> Database Confi
>>
guration";allow (compare,read,search) groupdn = "ldap:///cn=Read >> LDBM Databas >> e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >> aci: (version 3.0;acl "permission:Add Configuration >> Sub-Entries";allow (add) g >> roupdn = "ldap:///cn=Add Configuration >> Sub-Entries,cn=permissions,cn=pbac,dc= >> ipatestdomain,dc=net";) >> >> # SNMP, config >> dn: cn=SNMP,cn=config >> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version >> 3.0;acl >> "snmp";allow (read, search, compare)(userdn ="ldap:///anyone");) >> >> # tasks, config >> dn: cn=tasks,cn=config >> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica >> re-initializatio >> n"; allow (add) groupdn = "ldap:///cn=Modify Replication >> Agreements,cn=permis >> sions,cn=pbac,dc=ipatestdomain,dc=net";) >> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after >> replica re >> -initialization"; allow (add) userdn = >> "ldap:///uid=pkidbuser,ou=people,o=ipa >> ca";) >> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; >> allow (read >> , compare, search) groupdn = >> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip >> atestdomain,dc=net";) >> >> # csusers, config >> dn: ou=csusers,cn=config >> aci: (targetattr != aci)(version 3.0; aci "cert manager manage >> replication use >> rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >> >> # 1.3.6.1.4.1.4203.1.9.1.1, features, config >> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config >> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; >> allow( rea >> d, search ) userdn ="ldap:///all";) >> >> # 2.16.840.1.113730.3.4.9, features, config >> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config >> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; >> allow (read, >> search, compare, proxy) userdn ="ldap:///anyone"; ) >> >> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config >> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config >> aci: 
(targetattr=*)(version 3.0;acl "permission:Add Replication >> Agreements";al >> low (add) groupdn = "ldap:///cn=Add Replication >> Agreements,cn=permissions,cn= >> pbac,dc=ipatestdomain,dc=net";) >> aci: >> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd >> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl >> ass=nsMappingTree))")(version 3.0; acl "permission:Modify >> Replication Agreeme >> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify >> Replication Ag >> reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >> aci: >> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob >> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl >> "permission:Rem >> ove Replication Agreements";allow (delete) groupdn = >> "ldap:///cn=Remove Repli >> cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >> >> # o\3Dipaca, mapping tree, config >> dn: cn=o\3Dipaca,cn=mapping tree,cn=config >> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication >> Agreements" >> ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >> aci: >> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd >> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl >> ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify >> Replication Agre >> ements"; allow (read, write, search) userdn = >> "ldap:///uid=pkidbuser,ou=peopl >> e,o=ipaca";) >> aci: >> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob >> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert >> manager: >> Remove Replication Agreements";allow (delete) userdn = >> "ldap:///uid=pkidbuser >> ,ou=people,o=ipaca";) >> >> # ldbm database, plugins, config >> dn: cn=ldbm database,cn=plugins,cn=config >> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV >> searches"; a >> llow (read) 
userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>
>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>> Plugin,cn=plugins,cn=config
>> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version
>> 3.0;acl
>> "permission:Modify DNA Range";allow (write) groupdn =
>> "ldap:///cn=Modify DNA
>> Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue
>> || dnaThre
>> shold || dnaType || objectclass)(version 3.0;acl "permission:Read
>> DNA Range";
>> allow (read, search, compare) groupdn = "ldap:///cn=Read DNA
>> Range,cn=permiss
>> ions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # userRoot, ldbm database, plugins, config
>> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking
>> the databas
>> e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication
>> Agreement
>> s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 12
>> # numEntries: 11
>>
>> ============================================================================
>>
>> 4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now
>> missing some stuff)
>> ============================================================================
>>
>> [root at dc1 yum.repos.d]# ldapsearch -D "cn=directory manager" -W -b
>> "cn=config" "(aci=*)" aci
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter: (aci=*)
>> # requesting: aci
>> #
>>
>> # config
>> dn: cn=config
>> aci: (targetattr != aci)(version 3.0; aci "cert manager read access";
>> allow (r
>> ead, search, compare) userdn
>> ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>> aci: (target ="ldap:///cn=automember rebuild
>> membership,cn=tasks,cn=config")(
>> targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild
>> Membership T
>> ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild
>> Membership Task
>> ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>> modifytimestamp || ob
>> jectclass || passsyncmanagersdns*")(target =
>> "ldap:///cn=ipa_pwd_extop,cn=plu
>> gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers
>> Configura
>> tion";allow (compare,read,search) groupdn = "ldap:///cn=Read
>> PassSync Manager
>> s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "passsyncmanagersdns*")(target =
>> "ldap:///cn=ipa_pwd_extop,
>> cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync
>> Managers C
>> onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync
>> Managers Co
>> nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr = "cn || createtimestamp || entryusn ||
>> modifytimestamp || ns
>> slapd-directory* || objectclass")(target =
>> "ldap:///cn=config,cn=ldbm databas
>> e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM
>> Database Confi
>> guration";allow (compare,read,search) groupdn = "ldap:///cn=Read
>> LDBM Databas
>> e
Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >> aci: (version 3.0;acl "permission:Add Configuration >> Sub-Entries";allow (add) g >> roupdn = "ldap:///cn=Add Configuration >> Sub-Entries,cn=permissions,cn=pbac,dc= >> ipatestdomain,dc=net";) >> >> # SNMP, config >> dn: cn=SNMP,cn=config >> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version >> 3.0;acl >> "snmp";allow (read, search, compare)(userdn ="ldap:///anyone");) >> >> # tasks, config >> dn: cn=tasks,cn=config >> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica >> re-initializatio >> n"; allow (add) groupdn = "ldap:///cn=Modify Replication >> Agreements,cn=permis >> sions,cn=pbac,dc=ipatestdomain,dc=net";) >> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after >> replica re >> -initialization"; allow (add) userdn = >> "ldap:///uid=pkidbuser,ou=people,o=ipa >> ca";) >> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; >> allow (read >> , compare, search) groupdn = >> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip >> atestdomain,dc=net";) >> >> # csusers, config >> dn: ou=csusers,cn=config >> aci: (targetattr != aci)(version 3.0; aci "cert manager manage >> replication use >> rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >> >> # 1.3.6.1.4.1.4203.1.9.1.1, features, config >> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config >> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; >> allow( rea >> d, search ) userdn ="ldap:///all";) >> >> # 2.16.840.1.113730.3.4.9, features, config >> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config >> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; >> allow (read, >> search, compare, proxy) userdn ="ldap:///anyone"; ) >> >> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config >> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config >> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication >> Agreements";al >> low 
(add) groupdn = "ldap:///cn=Add Replication >> Agreements,cn=permissions,cn= >> pbac,dc=ipatestdomain,dc=net";) >> aci: >> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd >> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl >> ass=nsMappingTree))")(version 3.0; acl "permission:Modify >> Replication Agreeme >> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify >> Replication Ag >> reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >> aci: >> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob >> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl >> "permission:Rem >> ove Replication Agreements";allow (delete) groupdn = >> "ldap:///cn=Remove Repli >> cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >> >> # o\3Dipaca, mapping tree, config >> dn: cn=o\3Dipaca,cn=mapping tree,cn=config >> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication >> Agreements" >> ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >> aci: >> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd >> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl >> ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify >> Replication Agre >> ements"; allow (read, write, search) userdn = >> "ldap:///uid=pkidbuser,ou=peopl >> e,o=ipaca";) >> aci: >> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob >> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert >> manager: >> Remove Replication Agreements";allow (delete) userdn = >> "ldap:///uid=pkidbuser >> ,ou=people,o=ipaca";) >> >> # ldbm database, plugins, config >> dn: cn=ldbm database,cn=plugins,cn=config >> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV >> searches"; a >> llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >> >> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, 
config
>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>> Plugin,cn=plugins,cn=config
>> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version
>> 3.0;acl
>> "permission:Modify DNA Range";allow (write) groupdn =
>> "ldap:///cn=Modify DNA
>> Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue
>> || dnaThre
>> shold || dnaType || objectclass)(version 3.0;acl "permission:Read
>> DNA Range";
>> allow (read, search, compare) groupdn = "ldap:///cn=Read DNA
>> Range,cn=permiss
>> ions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # userRoot, ldbm database, plugins, config
>> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking
>> the databas
>> e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication
>> Agreement
>> s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 12
>> # numEntries: 11
>

From lkrispen at redhat.com Mon Jan 25 09:16:19 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Mon, 25 Jan 2016 10:16:19 +0100
Subject: [Freeipa-devel] Fwd: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists
In-Reply-To: <56A5E651.7040909@redhat.com>
References: <569E9D5F.9070801@redhat.com> <569EC761.9090306@redhat.com> <569F5B19.50009@redhat.com> <569FE2EC.5080307@redhat.com> <56A0F93E.3000406@redhat.com> <56A23BDB.1020608@redhat.com> <56A273A3.4010600@redhat.com> <56A5DD0C.6030502@redhat.com> <56A5E651.7040909@redhat.com>
Message-ID: <56A5E7E3.1030808@redhat.com>

Hi Martin,

this is what the guy on freeipa-users said he did:

>>>
I can now confirm that this is a 100% reproducible bug, and a pretty severe one at that. You should be able to reproduce this issue at will if you follow these steps. It may actually be possible with fewer servers and fewer steps, but here is what I did in a test lab today:

1. Create a brand new FreeIPA domain in CentOS 7.2 / FreeIPA 4.2.0 with 3 servers, dc1, dc2, dc3, replicating any way you want.
2. Use ipa-replica-manage del dc2.ipatestdomain.net, and then delete the server / VM / whatever you have it running on.
3. Install Fedora 23 on the same IP address and hostname (dc2.ipatestdomain.net). Install FreeIPA server 4.2.3 from a replica file created on the CA master (dc1). Check the aci on dc2. You will notice it's now missing a bunch of stuff.

So basically, all it takes to lose that ACL is to create a Fedora FreeIPA server and join it to a CentOS domain. After I had upgraded all 3 to Fedora, that ACL was lost permanently as it no longer existed on any server because there were no CentOS servers left.
<<<

If you have more questions on the test case, could you ask directly on the user list? Thanks.

On 01/25/2016 10:09 AM, Martin Basti wrote:
>
>
> On 25.01.2016 09:30, Ludwig Krispenz wrote:
>> Hi,
>>
>> this is from a discussion on the user list; there is a difference in
>> ACIs on 4.2.0 and 4.2.3.
>>
>> This is the ACI which is present in 4.2.0 and is missing in 4.2.3:
>>
>> aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter ||
>> winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>
>> Does anybody know if and why this was changed?
>>
> This ACI is created by
> ipaserver/install/plugins/update_managed_permissions.py
>
> It hasn't been touched for a while; did upgrade/install work well?
>
> Maybe re-running ipa-server-upgrade should recreate this entry.
>
>>
>>
>> On 01/24/2016 03:22 AM, Nathan Peters wrote:
>>> # config
>>> dn: cn=config
>>> aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
>>> aci: (target ="ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>>> aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync
Managers Co >>> nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (targetattr = "cn || createtimestamp || entryusn || >>> modifytimestamp || ns >>> slapd-directory* || objectclass")(target = >>> "ldap:///cn=config,cn=ldbm databas >>> e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM >>> Database Confi >>> guration";allow (compare,read,search) groupdn = "ldap:///cn=Read >>> LDBM Databas >>> e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (version 3.0;acl "permission:Add Configuration >>> Sub-Entries";allow (add) g >>> roupdn = "ldap:///cn=Add Configuration >>> Sub-Entries,cn=permissions,cn=pbac,dc= >>> ipatestdomain,dc=net";) >>> aci: (targetattr = "cn || createtimestamp || description || entryusn >>> || modify >>> timestamp || nsds50ruv || nsds5beginreplicarefresh || >>> nsds5debugreplicatimeou >>> t || nsds5flags || nsds5replicaabortcleanruv || >>> nsds5replicaautoreferral || n >>> sds5replicabackoffmax || nsds5replicabackoffmin || >>> nsds5replicabinddn || nsds >>> 5replicabindmethod || nsds5replicabusywaittime || >>> nsds5replicachangecount || >>> nsds5replicachangessentsincestartup || nsds5replicacleanruv || >>> nsds5replicacl >>> eanruvnotified || nsds5replicacredentials || nsds5replicaenabled >>> || nsds5repl >>> icahost || nsds5replicaid || nsds5replicalastinitend || >>> nsds5replicalastinits >>> tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || >>> nsds5repli >>> calastupdatestart || nsds5replicalastupdatestatus || >>> nsds5replicalegacyconsum >>> er || nsds5replicaname || nsds5replicaport || >>> nsds5replicaprotocoltimeout || >>> nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot >>> || nsds5re >>> plicasessionpausetime || nsds5replicastripattrs || >>> nsds5replicatedattributeli >>> st || nsds5replicatedattributelisttotal || nsds5replicatimeout || >>> nsds5replic >>> atombstonepurgeinterval || nsds5replicatransportinfo || >>> nsds5replicatype || n >>> 
sds5replicaupdateinprogress || nsds5replicaupdateschedule || >>> nsds5task || nsd >>> s7directoryreplicasubtree || nsds7dirsynccookie || >>> nsds7newwingroupsyncenable >>> d || nsds7newwinusersyncenabled || nsds7windowsdomain || >>> nsds7windowsreplicas >>> ubtree || nsruvreplicalastmodified || nsstate || objectclass || >>> onewaysync || >>> winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || >>> winsyncsub >>> treepair || winsyncwindowsfilter")(targetfilter = >>> "(|(objectclass=nsds5Replic >>> a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA >>> >>> greement)(objectClass=nsMappingTree))")(version 3.0;acl >>> "permission:System: R >>> ead Replication Agreements";allow (compare,read,search) groupdn = >>> "ldap:///cn >>> =System: Read Replication >>> Agreements,cn=permissions,cn=pbac,dc=ipatestdomai >>> n,dc=net";) >>> >>> # SNMP, config >>> dn: cn=SNMP,cn=config >>> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr >>> !="aci")(version 3.0;acl >>> "snmp";allow (read, search, compare)(userdn ="ldap:///anyone");) >>> >>> # tasks, config >>> dn: cn=tasks,cn=config >>> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica >>> re-initializatio >>> n"; allow (add) groupdn = "ldap:///cn=Modify Replication >>> Agreements,cn=permis >>> sions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after >>> replica re >>> -initialization"; allow (add) userdn = >>> "ldap:///uid=pkidbuser,ou=people,o=ipa >>> ca";) >>> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; >>> allow (read >>> , compare, search) groupdn = >>> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip >>> atestdomain,dc=net";) >>> aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild >>> membershi >>> p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read >>> Automember Ta >>> sks";allow (compare,read,search) groupdn = "ldap:///cn=System: >>> Read Automembe >>> r 
Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> >>> # csusers, config >>> dn: ou=csusers,cn=config >>> aci: (targetattr != aci)(version 3.0; aci "cert manager manage >>> replication use >>> rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >>> >>> # 1.3.6.1.4.1.4203.1.9.1.1, features, config >>> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config >>> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; >>> allow( rea >>> d, search ) userdn ="ldap:///all";) >>> >>> # 2.16.840.1.113730.3.4.9, features, config >>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config >>> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; >>> allow (read, >>> search, compare, proxy) userdn ="ldap:///anyone"; ) >>> >>> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config >>> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config >>> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication >>> Agreements";al >>> low (add) groupdn = "ldap:///cn=Add Replication >>> Agreements,cn=permissions,cn= >>> pbac,dc=ipatestdomain,dc=net";) >>> aci: >>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd >>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl >>> >>> ass=nsMappingTree))")(version 3.0; acl "permission:Modify >>> Replication Agreeme >>> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify >>> Replication Ag >>> reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: >>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob >>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl >>> "permission:Rem >>> ove Replication Agreements";allow (delete) groupdn = >>> "ldap:///cn=Remove Repli >>> cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> >>> # o\3Dipaca, mapping tree, config >>> dn: cn=o\3Dipaca,cn=mapping tree,cn=config >>> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication 
>>> Agreements" >>> ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >>> aci: >>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd >>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl >>> >>> ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify >>> Replication Agre >>> ements"; allow (read, write, search) userdn = >>> "ldap:///uid=pkidbuser,ou=peopl >>> e,o=ipaca";) >>> aci: >>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob >>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl >>> "cert manager: >>> Remove Replication Agreements";allow (delete) userdn = >>> "ldap:///uid=pkidbuser >>> ,ou=people,o=ipaca";) >>> >>> # ldbm database, plugins, config >>> dn: cn=ldbm database,cn=plugins,cn=config >>> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV >>> searches"; a >>> llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >>> >>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config >>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment >>> Plugin,cn=plugins,cn=config >>> aci: (targetattr=dnaNextRange || dnaNextValue || >>> dnaMaxValue)(version 3.0;acl >>> "permission:Modify DNA Range";allow (write) groupdn = >>> "ldap:///cn=Modify DNA >>> Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue >>> || dnaThre >>> shold || dnaType || objectclass)(version 3.0;acl "permission:Read >>> DNA Range"; >>> allow (read, search, compare) groupdn = "ldap:///cn=Read DNA >>> Range,cn=permiss >>> ions,cn=pbac,dc=ipatestdomain,dc=net";) >>> >>> # userRoot, ldbm database, plugins, config >>> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config >>> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking >>> the databas >>> e readonly"; allow (write) groupdn = "ldap:///cn=Remove >>> Replication Agreement >>> 
s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> >>> # search result >>> search: 2 >>> result: 0 Success >>> >>> # numResponses: 12 >>> # numEntries: 11 >>> >>> >>> ============================================================================ >>> >>> 2. ACL on dc1 when its still on FreeIPA 4.2.0 on CentOS 7.2 but >>> there is now a Fedora 23 FreeIPA 4.2.3 server in the domain (for >>> reference that the CentOS ACL hasn't changed yet) >>> ============================================================================ >>> >>> ================ after reinstallation of dc2 in fedora 23 / ipa >>> 4.2.3 ========================= >>> >>> [root at dc1 ~]# ldapsearch -b "cn=config" -D >>> "uid=admin,cn=users,cn=accounts,dc=ipatestdomain,dc=net" -W >>> Enter LDAP Password: >>> # config >>> dn: cn=config >>> aci: (targetattr != aci)(version 3.0; aci "cert manager read >>> access"; allow (r >>> ead, search, compare) userdn >>> ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >>> aci: (target ="ldap:///cn=automember rebuild >>> membership,cn=tasks,cn=config")( >>> targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild >>> Membership T >>> ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild >>> Membership Task >>> ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (targetattr = "cn || createtimestamp || entryusn || >>> modifytimestamp || ob >>> jectclass || passsyncmanagersdns*")(target = >>> "ldap:///cn=ipa_pwd_extop,cn=plu >>> gins,cn=config")(version 3.0;acl "permission:Read PassSync >>> Managers Configura >>> tion";allow (compare,read,search) groupdn = "ldap:///cn=Read >>> PassSync Manager >>> s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (targetattr = "passsyncmanagersdns*")(target = >>> "ldap:///cn=ipa_pwd_extop, >>> cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync >>> Managers C >>> onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync >>> Managers Co >>> 
nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (targetattr = "cn || createtimestamp || entryusn || >>> modifytimestamp || ns >>> slapd-directory* || objectclass")(target = >>> "ldap:///cn=config,cn=ldbm databas >>> e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM >>> Database Confi >>> guration";allow (compare,read,search) groupdn = "ldap:///cn=Read >>> LDBM Databas >>> e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (version 3.0;acl "permission:Add Configuration >>> Sub-Entries";allow (add) g >>> roupdn = "ldap:///cn=Add Configuration >>> Sub-Entries,cn=permissions,cn=pbac,dc= >>> ipatestdomain,dc=net";) >>> aci: (targetattr = "cn || createtimestamp || description || entryusn >>> || modify >>> timestamp || nsds50ruv || nsds5beginreplicarefresh || >>> nsds5debugreplicatimeou >>> t || nsds5flags || nsds5replicaabortcleanruv || >>> nsds5replicaautoreferral || n >>> sds5replicabackoffmax || nsds5replicabackoffmin || >>> nsds5replicabinddn || nsds >>> 5replicabindmethod || nsds5replicabusywaittime || >>> nsds5replicachangecount || >>> nsds5replicachangessentsincestartup || nsds5replicacleanruv || >>> nsds5replicacl >>> eanruvnotified || nsds5replicacredentials || nsds5replicaenabled >>> || nsds5repl >>> icahost || nsds5replicaid || nsds5replicalastinitend || >>> nsds5replicalastinits >>> tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || >>> nsds5repli >>> calastupdatestart || nsds5replicalastupdatestatus || >>> nsds5replicalegacyconsum >>> er || nsds5replicaname || nsds5replicaport || >>> nsds5replicaprotocoltimeout || >>> nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot >>> || nsds5re >>> plicasessionpausetime || nsds5replicastripattrs || >>> nsds5replicatedattributeli >>> st || nsds5replicatedattributelisttotal || nsds5replicatimeout || >>> nsds5replic >>> atombstonepurgeinterval || nsds5replicatransportinfo || >>> nsds5replicatype || n >>> sds5replicaupdateinprogress 
|| nsds5replicaupdateschedule || >>> nsds5task || nsd >>> s7directoryreplicasubtree || nsds7dirsynccookie || >>> nsds7newwingroupsyncenable >>> d || nsds7newwinusersyncenabled || nsds7windowsdomain || >>> nsds7windowsreplicas >>> ubtree || nsruvreplicalastmodified || nsstate || objectclass || >>> onewaysync || >>> winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || >>> winsyncsub >>> treepair || winsyncwindowsfilter")(targetfilter = >>> "(|(objectclass=nsds5Replic >>> a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA >>> >>> greement)(objectClass=nsMappingTree))")(version 3.0;acl >>> "permission:System: R >>> ead Replication Agreements";allow (compare,read,search) groupdn = >>> "ldap:///cn >>> =System: Read Replication >>> Agreements,cn=permissions,cn=pbac,dc=ipatestdomai >>> n,dc=net";) >>> >>> # SNMP, config >>> dn: cn=SNMP,cn=config >>> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr >>> !="aci")(version 3.0;acl >>> "snmp";allow (read, search, compare)(userdn ="ldap:///anyone");) >>> >>> # tasks, config >>> dn: cn=tasks,cn=config >>> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica >>> re-initializatio >>> n"; allow (add) groupdn = "ldap:///cn=Modify Replication >>> Agreements,cn=permis >>> sions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after >>> replica re >>> -initialization"; allow (add) userdn = >>> "ldap:///uid=pkidbuser,ou=people,o=ipa >>> ca";) >>> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; >>> allow (read >>> , compare, search) groupdn = >>> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip >>> atestdomain,dc=net";) >>> aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild >>> membershi >>> p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read >>> Automember Ta >>> sks";allow (compare,read,search) groupdn = "ldap:///cn=System: >>> Read Automembe >>> r 
Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> >>> # csusers, config >>> dn: ou=csusers,cn=config >>> aci: (targetattr != aci)(version 3.0; aci "cert manager manage >>> replication use >>> rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >>> >>> # 1.3.6.1.4.1.4203.1.9.1.1, features, config >>> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config >>> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; >>> allow( rea >>> d, search ) userdn ="ldap:///all";) >>> >>> # 2.16.840.1.113730.3.4.9, features, config >>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config >>> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; >>> allow (read, >>> search, compare, proxy) userdn ="ldap:///anyone"; ) >>> >>> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config >>> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config >>> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication >>> Agreements";al >>> low (add) groupdn = "ldap:///cn=Add Replication >>> Agreements,cn=permissions,cn= >>> pbac,dc=ipatestdomain,dc=net";) >>> aci: >>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd >>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl >>> >>> ass=nsMappingTree))")(version 3.0; acl "permission:Modify >>> Replication Agreeme >>> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify >>> Replication Ag >>> reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: >>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob >>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl >>> "permission:Rem >>> ove Replication Agreements";allow (delete) groupdn = >>> "ldap:///cn=Remove Repli >>> cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> >>> # o\3Dipaca, mapping tree, config >>> dn: cn=o\3Dipaca,cn=mapping tree,cn=config >>> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication 
>>> Agreements" >>> ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >>> aci: >>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd >>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl >>> >>> ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify >>> Replication Agre >>> ements"; allow (read, write, search) userdn = >>> "ldap:///uid=pkidbuser,ou=peopl >>> e,o=ipaca";) >>> aci: >>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob >>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl >>> "cert manager: >>> Remove Replication Agreements";allow (delete) userdn = >>> "ldap:///uid=pkidbuser >>> ,ou=people,o=ipaca";) >>> >>> # ldbm database, plugins, config >>> dn: cn=ldbm database,cn=plugins,cn=config >>> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV >>> searches"; a >>> llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >>> >>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config >>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment >>> Plugin,cn=plugins,cn=config >>> aci: (targetattr=dnaNextRange || dnaNextValue || >>> dnaMaxValue)(version 3.0;acl >>> "permission:Modify DNA Range";allow (write) groupdn = >>> "ldap:///cn=Modify DNA >>> Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue >>> || dnaThre >>> shold || dnaType || objectclass)(version 3.0;acl "permission:Read >>> DNA Range"; >>> allow (read, search, compare) groupdn = "ldap:///cn=Read DNA >>> Range,cn=permiss >>> ions,cn=pbac,dc=ipatestdomain,dc=net";) >>> >>> # userRoot, ldbm database, plugins, config >>> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config >>> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking >>> the databas >>> e readonly"; allow (write) groupdn = "ldap:///cn=Remove >>> Replication Agreement >>> 
s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> >>> # search result >>> search: 2 >>> result: 0 Success >>> >>> # numResponses: 12 >>> # numEntries: 11 >>> >>> >>> >>> ============================================================================ >>> >>> 3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server and the >>> replica file was made from dc1 which is a CentOS server that still >>> has the acls(missing some stuff) >>> ============================================================================ >>> >>> aci list on dc2 >>> >>> [root at dc2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" >>> "(aci=*)" aci >>> Enter LDAP Password: >>> # extended LDIF >>> # >>> # LDAPv3 >>> # base with scope subtree >>> # filter: (aci=*) >>> # requesting: aci >>> # >>> >>> # config >>> dn: cn=config >>> aci: (targetattr != aci)(version 3.0; aci "cert manager read >>> access"; allow (r >>> ead, search, compare) userdn >>> ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >>> aci: (target ="ldap:///cn=automember rebuild >>> membership,cn=tasks,cn=config")( >>> targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild >>> Membership T >>> ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild >>> Membership Task >>> ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (targetattr = "cn || createtimestamp || entryusn || >>> modifytimestamp || ob >>> jectclass || passsyncmanagersdns*")(target = >>> "ldap:///cn=ipa_pwd_extop,cn=plu >>> gins,cn=config")(version 3.0;acl "permission:Read PassSync >>> Managers Configura >>> tion";allow (compare,read,search) groupdn = "ldap:///cn=Read >>> PassSync Manager >>> s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (targetattr = "passsyncmanagersdns*")(target = >>> "ldap:///cn=ipa_pwd_extop, >>> cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync >>> Managers C >>> onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync >>> Managers Co >>> 
nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (targetattr = "cn || createtimestamp || entryusn || >>> modifytimestamp || ns >>> slapd-directory* || objectclass")(target = >>> "ldap:///cn=config,cn=ldbm databas >>> e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM >>> Database Confi >>> guration";allow (compare,read,search) groupdn = "ldap:///cn=Read >>> LDBM Databas >>> e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (version 3.0;acl "permission:Add Configuration >>> Sub-Entries";allow (add) g >>> roupdn = "ldap:///cn=Add Configuration >>> Sub-Entries,cn=permissions,cn=pbac,dc= >>> ipatestdomain,dc=net";) >>> >>> # SNMP, config >>> dn: cn=SNMP,cn=config >>> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr >>> !="aci")(version 3.0;acl >>> "snmp";allow (read, search, compare)(userdn ="ldap:///anyone");) >>> >>> # tasks, config >>> dn: cn=tasks,cn=config >>> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica >>> re-initializatio >>> n"; allow (add) groupdn = "ldap:///cn=Modify Replication >>> Agreements,cn=permis >>> sions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after >>> replica re >>> -initialization"; allow (add) userdn = >>> "ldap:///uid=pkidbuser,ou=people,o=ipa >>> ca";) >>> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; >>> allow (read >>> , compare, search) groupdn = >>> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip >>> atestdomain,dc=net";) >>> >>> # csusers, config >>> dn: ou=csusers,cn=config >>> aci: (targetattr != aci)(version 3.0; aci "cert manager manage >>> replication use >>> rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >>> >>> # 1.3.6.1.4.1.4203.1.9.1.1, features, config >>> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config >>> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; >>> allow( rea >>> d, search ) userdn ="ldap:///all";) >>> >>> # 
2.16.840.1.113730.3.4.9, features, config >>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config >>> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; >>> allow (read, >>> search, compare, proxy) userdn ="ldap:///anyone"; ) >>> >>> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config >>> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config >>> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication >>> Agreements";al >>> low (add) groupdn = "ldap:///cn=Add Replication >>> Agreements,cn=permissions,cn= >>> pbac,dc=ipatestdomain,dc=net";) >>> aci: >>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd >>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl >>> >>> ass=nsMappingTree))")(version 3.0; acl "permission:Modify >>> Replication Agreeme >>> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify >>> Replication Ag >>> reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: >>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob >>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl >>> "permission:Rem >>> ove Replication Agreements";allow (delete) groupdn = >>> "ldap:///cn=Remove Repli >>> cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> >>> # o\3Dipaca, mapping tree, config >>> dn: cn=o\3Dipaca,cn=mapping tree,cn=config >>> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication >>> Agreements" >>> ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >>> aci: >>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd >>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl >>> >>> ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify >>> Replication Agre >>> ements"; allow (read, write, search) userdn = >>> "ldap:///uid=pkidbuser,ou=peopl >>> e,o=ipaca";) >>> aci: >>> 
(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob >>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl >>> "cert manager: >>> Remove Replication Agreements";allow (delete) userdn = >>> "ldap:///uid=pkidbuser >>> ,ou=people,o=ipaca";) >>> >>> # ldbm database, plugins, config >>> dn: cn=ldbm database,cn=plugins,cn=config >>> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV >>> searches"; a >>> llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >>> >>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config >>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment >>> Plugin,cn=plugins,cn=config >>> aci: (targetattr=dnaNextRange || dnaNextValue || >>> dnaMaxValue)(version 3.0;acl >>> "permission:Modify DNA Range";allow (write) groupdn = >>> "ldap:///cn=Modify DNA >>> Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue >>> || dnaThre >>> shold || dnaType || objectclass)(version 3.0;acl "permission:Read >>> DNA Range"; >>> allow (read, search, compare) groupdn = "ldap:///cn=Read DNA >>> Range,cn=permiss >>> ions,cn=pbac,dc=ipatestdomain,dc=net";) >>> >>> # userRoot, ldbm database, plugins, config >>> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config >>> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking >>> the databas >>> e readonly"; allow (write) groupdn = "ldap:///cn=Remove >>> Replication Agreement >>> s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> >>> # search result >>> search: 2 >>> result: 0 Success >>> >>> # numResponses: 12 >>> # numEntries: 11 >>> >>> ============================================================================ >>> >>> 4. 
ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now >>> missing some stuff) >>> ============================================================================ >>> >>> [root at dc1 yum.repos.d]# ldapsearch -D "cn=directory manager" -W -b >>> "cn=config" "(aci=*)" aci >>> Enter LDAP Password: >>> # extended LDIF >>> # >>> # LDAPv3 >>> # base with scope subtree >>> # filter: (aci=*) >>> # requesting: aci >>> # >>> >>> # config >>> dn: cn=config >>> aci: (targetattr != aci)(version 3.0; aci "cert manager read >>> access"; allow (r >>> ead, search, compare) userdn >>> ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >>> aci: (target ="ldap:///cn=automember rebuild >>> membership,cn=tasks,cn=config")( >>> targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild >>> Membership T >>> ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild >>> Membership Task >>> ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (targetattr = "cn || createtimestamp || entryusn || >>> modifytimestamp || ob >>> jectclass || passsyncmanagersdns*")(target = >>> "ldap:///cn=ipa_pwd_extop,cn=plu >>> gins,cn=config")(version 3.0;acl "permission:Read PassSync >>> Managers Configura >>> tion";allow (compare,read,search) groupdn = "ldap:///cn=Read >>> PassSync Manager >>> s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (targetattr = "passsyncmanagersdns*")(target = >>> "ldap:///cn=ipa_pwd_extop, >>> cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync >>> Managers C >>> onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync >>> Managers Co >>> nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (targetattr = "cn || createtimestamp || entryusn || >>> modifytimestamp || ns >>> slapd-directory* || objectclass")(target = >>> "ldap:///cn=config,cn=ldbm databas >>> e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM >>> Database Confi >>> guration";allow (compare,read,search) groupdn = 
"ldap:///cn=Read >>> LDBM Databas >>> e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (version 3.0;acl "permission:Add Configuration >>> Sub-Entries";allow (add) g >>> roupdn = "ldap:///cn=Add Configuration >>> Sub-Entries,cn=permissions,cn=pbac,dc= >>> ipatestdomain,dc=net";) >>> >>> # SNMP, config >>> dn: cn=SNMP,cn=config >>> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr >>> !="aci")(version 3.0;acl >>> "snmp";allow (read, search, compare)(userdn ="ldap:///anyone");) >>> >>> # tasks, config >>> dn: cn=tasks,cn=config >>> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica >>> re-initializatio >>> n"; allow (add) groupdn = "ldap:///cn=Modify Replication >>> Agreements,cn=permis >>> sions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after >>> replica re >>> -initialization"; allow (add) userdn = >>> "ldap:///uid=pkidbuser,ou=people,o=ipa >>> ca";) >>> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; >>> allow (read >>> , compare, search) groupdn = >>> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip >>> atestdomain,dc=net";) >>> >>> # csusers, config >>> dn: ou=csusers,cn=config >>> aci: (targetattr != aci)(version 3.0; aci "cert manager manage >>> replication use >>> rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >>> >>> # 1.3.6.1.4.1.4203.1.9.1.1, features, config >>> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config >>> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; >>> allow( rea >>> d, search ) userdn ="ldap:///all";) >>> >>> # 2.16.840.1.113730.3.4.9, features, config >>> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config >>> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; >>> allow (read, >>> search, compare, proxy) userdn ="ldap:///anyone"; ) >>> >>> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config >>> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config >>> 
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication >>> Agreements";al >>> low (add) groupdn = "ldap:///cn=Add Replication >>> Agreements,cn=permissions,cn= >>> pbac,dc=ipatestdomain,dc=net";) >>> aci: >>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd >>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl >>> >>> ass=nsMappingTree))")(version 3.0; acl "permission:Modify >>> Replication Agreeme >>> nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify >>> Replication Ag >>> reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: >>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob >>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl >>> "permission:Rem >>> ove Replication Agreements";allow (delete) groupdn = >>> "ldap:///cn=Remove Repli >>> cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> >>> # o\3Dipaca, mapping tree, config >>> dn: cn=o\3Dipaca,cn=mapping tree,cn=config >>> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication >>> Agreements" >>> ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >>> aci: >>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd >>> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl >>> >>> ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify >>> Replication Agre >>> ements"; allow (read, write, search) userdn = >>> "ldap:///uid=pkidbuser,ou=peopl >>> e,o=ipaca";) >>> aci: >>> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob >>> jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl >>> "cert manager: >>> Remove Replication Agreements";allow (delete) userdn = >>> "ldap:///uid=pkidbuser >>> ,ou=people,o=ipaca";) >>> >>> # ldbm database, plugins, config >>> dn: cn=ldbm database,cn=plugins,cn=config >>> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV >>> 
searches"; a >>> llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";) >>> >>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config >>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment >>> Plugin,cn=plugins,cn=config >>> aci: (targetattr=dnaNextRange || dnaNextValue || >>> dnaMaxValue)(version 3.0;acl >>> "permission:Modify DNA Range";allow (write) groupdn = >>> "ldap:///cn=Modify DNA >>> Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue >>> || dnaThre >>> shold || dnaType || objectclass)(version 3.0;acl "permission:Read >>> DNA Range"; >>> allow (read, search, compare) groupdn = "ldap:///cn=Read DNA >>> Range,cn=permiss >>> ions,cn=pbac,dc=ipatestdomain,dc=net";) >>> >>> # userRoot, ldbm database, plugins, config >>> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config >>> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking >>> the databas >>> e readonly"; allow (write) groupdn = "ldap:///cn=Remove >>> Replication Agreement >>> s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";) >>> >>> # search result >>> search: 2 >>> result: 0 Success >>> >>> # numResponses: 12 >>> # numEntries: 11 >> > From fskola at redhat.com Mon Jan 25 10:11:04 2016 
From: fskola at redhat.com (Filip Skola) Date: Mon, 25 Jan 2016 05:11:04 -0500 (EST) Subject: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin In-Reply-To: <569CD602.1030604@redhat.com> References: <20151120135636.71171d5c@vor2.netbox.priv> <565C76D6.3010406@redhat.com> <20151203201556.4ff69dba@vor2.netbox.priv> <5665B88E.4000507@redhat.com> <20151209190102.1bb8fc07@vor2.netbox.priv> <1914334378.4564827.1452602733244.JavaMail.zimbra@redhat.com> <1760221088.11921867.1452868707220.JavaMail.zimbra@redhat.com> <569CD602.1030604@redhat.com> Message-ID: <1869235561.17372506.1453716664538.JavaMail.zimbra@redhat.com> ----- Original Message ----- > On 01/15/2016 03:38 PM, Filip Skola wrote: > > Hi, > > > > sending rebased patch. > > > > F. > > > > ----- Original Message ----- > >> Hello, > >> > >> sorry for delays. The patch no longer applies to master. Rebase it, > >> please. > >> > >> Milan > >> > >> ----- Original Message ----- 
> >> From: "Filip ?kola" > >> To: "Milan Kub?k" > >> Cc: freeipa-devel at redhat.com > >> Sent: Wednesday, 9 December, 2015 7:01:02 PM > >> Subject: Re: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin > >> > >> On Mon, 7 Dec 2015 17:49:18 +0100 > >> Milan Kub?k wrote: > >> > >>> On 12/03/2015 08:15 PM, Filip ?kola wrote: > >>>> On Mon, 30 Nov 2015 17:18:30 +0100 > >>>> Milan Kub?k wrote: > >>>> > >>>>> On 11/23/2015 04:42 PM, Filip ?kola wrote: > >>>>>> Sending updated patch. > >>>>>> > >>>>>> F. > >>>>>> > >>>>>> On Mon, 23 Nov 2015 14:59:34 +0100 > >>>>>> Filip ?kola wrote: > >>>>>> > >>>>>>> Found couple of issues (broke some dependencies). > >>>>>>> > >>>>>>> NACK > >>>>>>> > >>>>>>> F. > >>>>>>> > >>>>>>> On Fri, 20 Nov 2015 13:56:36 +0100 > >>>>>>> Filip ?kola wrote: > >>>>>>> > >>>>>>>> Another one. > >>>>>>>> > >>>>>>>> F. > >>>>> Hi, the tests look good. Few remarks, though. > >>>>> > >>>>> 1. Please, use the shortes copyright notice in new modules. > >>>>> > >>>>> # > >>>>> # Copyright (C) 2015 FreeIPA Contributors see COPYING for > >>>>> license # > >>>>> > >>>>> 2. The tests `test_group_remove_group_from_protected_group` and > >>>>> `test_group_full_set_of_objectclass_not_available_post_detach` > >>>>> were not ported. Please, include them in the patch. > >>>>> > >>>>> Also, for less hassle, please rebase your patches on top of > >>>>> freeipa-mkubik-0025-3-Separated-Tracker-implementations-into-standalone-pa.patch > >>>>> Which changes the location of tracker implementations and prevents > >>>>> circular imports. > >>>>> > >>>>> Thanks. > >>>>> > >>>> > >>>> Hi, > >>>> > >>>> these cases are there, in corresponding classes. They are marked > >>>> with the original comments. (However I can move them to separate > >>>> class if desirable.) > >>>> > >>>> The copyright notice is changed. Also included a few changes in the > >>>> test with user without private group. 
> >>>> > >>>> Filip > >>> NACK > >>> > >>> linter: > >>> ************* Module tracker.group_plugin > >>> ipatests/test_xmlrpc/tracker/group_plugin.py:257: > >>> [E0102(function-redefined), GroupTracker.check_remove_member] method > >>> already defined line 253) > >>> > >>> Probably a leftover after the rebase made on top of my patch. Please > >>> fix it. You can check youch changes by make-lint script before > >>> sending them. > >>> > >>> Thanks > >>> > >> > >> Hi, > >> > >> I learned to use make-lint! > >> > >> Thanks, > >> F. > >> > Hello, > > NACK, pylint doesn't seem to like the way the fixtures are imported > (pytest does a lot of runtime magic) [1]. > One possible solution would be [2]. Though, I don't think this would be > a good idea in our environment. I suggest to create the fixtures on per > module basis. > > > [1]: http://fpaste.org/311949/53118942/ > [2]: > https://pytest.org/latest/fixture.html#using-fixtures-from-classes-modules-or-projects > > -- > Milan Kubik > > Hi, the fixtures were copied into corresponding module. Please note that this patch has a dependence on my patch 0001 (user plugin). Filip -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-fskola-0002-6-Refactor-test_group_plugin.patch Type: text/x-patch Size: 74880 bytes Desc: not available URL: From fskola at redhat.com Mon Jan 25 10:55:35 2016 
From: fskola at redhat.com (Filip Skola) Date: Mon, 25 Jan 2016 05:55:35 -0500 (EST) Subject: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin In-Reply-To: <569E4CFB.8040808@redhat.com> References: <20151106113201.5e6a7042@dhcp-24-123.brq.redhat.com> <869710129.24860544.1449498571599.JavaMail.zimbra@redhat.com> <20151210112952.3ddb7136@vor2.netbox.priv> <964966782.26674717.1449760307850.JavaMail.zimbra@redhat.com> <273613290.27075436.1449834011983.JavaMail.zimbra@redhat.com> <184590988.47122995.1450007607203.JavaMail.zimbra@redhat.com> <81340538.11928726.1452868912243.JavaMail.zimbra@redhat.com> <569E4CFB.8040808@redhat.com> Message-ID: <1109856801.17382352.1453719335272.JavaMail.zimbra@redhat.com> ----- Original Message ----- > On 01/15/2016 03:41 PM, Filip Skola wrote: > > Hi, > > > > sending rebased patch on top of 58c42ddac0964a8cce7c1e1faa7516da53f028ad. > > > > Includes a "fix" for the rename-to-invalid-username issue for the new > > version. > > > > F. > > > > ----- Original Message ----- > >> Hi, > >> > >> I don't know what is causing the \r\n issue. I use vim and than send each > >> email with claws-mail. Didn't spot this issue when trying emailing the > >> patch > >> to my other address. I'm trying to send it from zimbra now, let me know if > >> that helped pls. > >> > >> Fix for the stageuser plugin issues caused by this patch should have been > >> included in the last update; I think the remaining issue is not caused by > >> UserTracker changes. Please correct me, if I'm wrong. > >> > >>> There is some issue with "test_rename_to_too_long_login" test. It fails > >>> but > >>> actually this is false positive because it is possible to create login > >>> upto > >>> 255 characters. I don't know why test mentions 32 characters without any > >>> other modified setup. > >>> NACK for now. > >>> - alich - > >> This has been changed. This test still fails, though. > >> > >> Filip > >> > >>> > >>> ----- Original Message ----- 
> >>>> From: "Ale? Mare?ek" > >>>> To: "Filip ?kola" > >>>> Cc: freeipa-devel at redhat.com, "Milan Kub?k" > >>>> Sent: Thursday, December 10, 2015 4:11:47 PM > >>>> Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin > >>>> > >>>> Ah, sorry, haven't realized there had been devel list attached. > >>>> Ok, there is some problem with \r\n in the patch. > >>>> Filip, please take a look at it... > >>>> Thanks... > >>>> - alich - > >>>> > >>>> ----- Original Message ----- > >>>>> From: "Filip ?kola" > >>>>> To: "Ale? Mare?ek" > >>>>> Cc: freeipa-devel at redhat.com, "Milan Kub?k" > >>>>> Sent: Thursday, December 10, 2015 11:29:52 AM > >>>>> Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin > >>>>> > >>>>> Hi, > >>>>> > >>>>> this if fixed. Also issues with test_stageuser_plugin caused by > >>>>> UserTracker changes should be fixed here. > >>>>> > >>>>> Filip > >>>>> > >>>>> > >>>>> On Mon, 7 Dec 2015 09:29:31 -0500 (EST) > >>>>> Ale? Mare?ek wrote: > >>>>> > >>>>>> NACK. > >>>>>> > >>>>>> $ ./make-lint > >>>>>> ************* Module ipatests.test_xmlrpc.test_user_plugin > >>>>>> ipatests/test_xmlrpc/test_user_plugin.py:42: > >>>>>> [E0611(no-name-in-module), ] No name 'ldaptracker' in module > >>>>>> 'ipatests.test_xmlrpc') > >>>>>> > >>>>>> $ grep ldaptracker ipatests/test_xmlrpc/test_user_plugin.py > >>>>>> from ipatests.test_xmlrpc.ldaptracker import Tracker > >>>>>> $ ls ipatests/test_xmlrpc/ldaptracker* > >>>>>> ls: cannot access ipatests/test_xmlrpc/ldaptracker*: No such file or > >>>>>> directory > >>>>>> > >>>>>> > >>>>>> ----- Original Message ----- 
> >>>>>>> From: "Filip ?kola" > >>>>>>> To: "Milan Kub?k" > >>>>>>> Cc: freeipa-devel at redhat.com > >>>>>>> Sent: Thursday, December 3, 2015 5:38:43 PM > >>>>>>> Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin > >>>>>>> > >>>>>>> Hi, > >>>>>>> > >>>>>>> sending corrected version. > >>>>>>> > >>>>>>> F. > >>>>>>> > >>>>>>> On Thu, 12 Nov 2015 14:03:19 +0100 > >>>>>>> Milan Kub?k wrote: > >>>>>>> > >>>>>>>> On 11/10/2015 12:13 PM, Filip ?kola wrote: > >>>>>>>>> Hi, > >>>>>>>>> > >>>>>>>>> fixed. > >>>>>>>>> > >>>>>>>>> F. > >>>>>>>>> > >>>>>>>>> On Tue, 10 Nov 2015 10:52:45 +0100 > >>>>>>>>> Milan Kub?k wrote: > >>>>>>>>> > >>>>>>>>>> On 11/09/2015 04:35 PM, Filip ?kola wrote: > >>>>>>>>>>> Another patch was applied in the meantime. > >>>>>>>>>>> > >>>>>>>>>>> Attaching an updated version. > >>>>>>>>>>> > >>>>>>>>>>> F. > >>>>>>>>>>> > >>>>>>>>>>> On Mon, 9 Nov 2015 13:35:02 +0100 > >>>>>>>>>>> Milan Kub?k wrote: > >>>>>>>>>>> > >>>>>>>>>>>> On 11/06/2015 11:32 AM, Filip ?kola wrote: > >>>>>>>>>>>> Hi, > >>>>>>>>>>>> the patch doesn't apply. > >>>>>>>>>>>> > >>>>>>>>>> Please fix this. > >>>>>>>>>> > >>>>>>>>>> ipatests/test_xmlrpc/test_user_plugin.py:1419: > >>>>>>>>>> [E0602(undefined-variable), > >>>>>>>>>> TestDeniedBindWithExpiredPrincipal.teardown_class] Undefined > >>>>>>>>>> variable 'user1') > >>>>>>>>>> > >>>>>>>>>> Also, use the version numbers for your changed patches. > >>>>>>>>>> > >>>>>>>>> > >>>>>>>> Thanks for the patch. Several issues: > >>>>>>>> > >>>>>>>> 1. Use dict.items instead of dict.iteritems, for python3 > >>>>>>>> compatibility > >>>>>>>> > >>>>>>>> 2. What is the purpose of TestPrepare class? The 'purge' methods > >>>>>>>> do not call any ipa commands. > >>>>>>>> Tracker.make_fixture should be used to make the Tracked resources > >>>>>>>> clean themselves up when they're out of scope. > >>>>>>>> > >>>>>>>> 3. Why reference the resources by hardcoded name if they have a > >>>>>>>> fixture representation? 
> >>>>>>>> > >>>>>>>> 4. Rewrite {create,delete}_test_group to a fixture. You may want > >>>>>>>> to use different scope (or not). > >>>>>>>> > >>>>>>>> 5. In `def atest_rename_to_invalid_login(self, user):` - use > >>>>>>>> pytest.skipif decorator and provide a reason if you must, > >>>>>>>> do not obfuscate method name in order not to run it. > >>>>>>>> > >>>>>>>> > >>>>>>> > >>>>>>> -- > >>>>>>> Manage your subscription for the Freeipa-devel mailing list: > >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel > >>>>>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > >>>>> > >> -- > >> Manage your subscription for the Freeipa-devel mailing list: > >> https://www.redhat.com/mailman/listinfo/freeipa-devel > >> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > NACK, there are errors occuring that do not appear in the respective > test cases in the declarative test. > In the original module the ` Test a login name that is too long` and > `Try to rename to a username that is too long` do not use {add,set}attr. > Why do you use them? > > I'm also postponing the review of your other patches as they depend on > changes in this one. > > -- > Milan Kubik > > To be honest, I have no idea why I did use setattr in those places. Update of 'rename' attribute was used instead in this version of the patch and that seems to work. Filip -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-fskola-0001-7-Refactor-test_user_plugin.patch Type: text/x-patch Size: 97651 bytes Desc: not available URL: From mbasti at redhat.com Mon Jan 25 11:31:07 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 25 Jan 2016 12:31:07 +0100
Subject: [Freeipa-devel] [PATCH] 0751 spec: Split out python-ipap11helper and, python-default_encoding_utf8
In-Reply-To: <56A249A7.50709@redhat.com>
References: <56606E90.3000909@redhat.com> <56619535.1010700@redhat.com> <566E6D61.80002@redhat.com> <56702971.1060709@redhat.com> <56702B5F.1090403@redhat.com> <56A0CB8D.7030605@redhat.com> <56A249A7.50709@redhat.com>
Message-ID: <56A6077B.10501@redhat.com>

On 22.01.2016 16:24, Petr Viktorin wrote:
> On 01/21/2016 01:14 PM, Jan Cholasta wrote:
>> We got rid of both default_encoding_utf8 and _ipap11helper, so
>> python-ipalib can be packaged as noarch. See the attached patch.
> The patch looks good to me, so ACK (though an ACK for me probably
> doesn't count).
>
ACK

Pushed to:
master: 6896035af2c5ba7468fdab183a385c4a88a1ab77
ipa-4-3: 385693a30862bf370e32e1d66e5efa2f5a641ebb

From mbasti at redhat.com Mon Jan 25 12:29:21 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 25 Jan 2016 13:29:21 +0100
Subject: [Freeipa-devel] [PATCH 0408] CI DNSSEC: add missing glue record
In-Reply-To: <56A34941.5020407@redhat.com>
References: <56A25D0B.4080006@redhat.com> <56A34941.5020407@redhat.com>
Message-ID: <56A61521.3090204@redhat.com>

On 23.01.2016 10:34, Petr Spacek wrote:
> On 22.1.2016 17:47, Martin Basti wrote:
>> - # make BIND happy, and delegate zone which contains A record of master
>> + # make BIND happy: add the glue record and delegate zone
>> + args = [
>> + "ipa", "dnsrecord-add", root_zone, self.master.domain.name,
>> + "--a-rec=" + self.master.ip
>> + ]
>> + self.master.run_command(args)
>> + time.sleep(10) # sleep a bit until data are provided by bind-dyndb-ldap
>> +
> LGTM, ACK. In the worst case it will not fix the test :-)
>
Pushed to:
ipa-4-3: 47422b0f3913e352cd28cac24128afed178701e8
master: cdf08a0a869f83a6111d9560b69c582d2c04f89c

From pvomacka at redhat.com Mon Jan 25 12:55:05 2016
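Review bot: the fixed `time.sleep(10)` after `self.master.run_command(args)` in the glue-record hunk is a timing guess, not a synchronisation point; if bind-dyndb-ldap takes longer to serve the new A record the delegation step that follows still races it, which is the "worst case" the ACK itself acknowledges. Polling the master's resolver for the new record in a loop with a deadline, and failing with an explicit message on timeout, would make the test deterministic and let a real DNS failure be told apart from a slow sync. The hunk's comment would also benefit from stating why the record is added at `self.master.domain.name` rather than the master's host name, so a reader can check that it matches the name the delegation's NS record points at.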
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Mon, 25 Jan 2016 07:55:05 -0500 (EST)
Subject: [Freeipa-devel] New tool tips for Refresh, Revert, Undo and Undo All buttons
In-Reply-To: <1166925414.16504371.1453725865029.JavaMail.zimbra@redhat.com>
Message-ID: <1126773777.16508720.1453726505512.JavaMail.zimbra@redhat.com>

Hello everyone,

I just made a patch for the https://fedorahosted.org/freeipa/ticket/5428 ticket. The patch adds tool tips to the buttons in detail views. The text of new tool tips is written in the comment of the ticket.

Pavel Vomacka
Intern
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pvomacka-0001-Add-tool-tips-for-Revert-Refresh-Undo-and-Undo-All.patch
Type: text/x-patch
Size: 5579 bytes
Desc: not available
URL:

From jcholast at redhat.com Mon Jan 25 13:12:09 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 25 Jan 2016 14:12:09 +0100
Subject: [Freeipa-devel] [PATCH] 0760 - Split ipa-client/ into ipaclient/ and client/
In-Reply-To: <5697D18F.8010105@redhat.com>
References: <56962826.10404@redhat.com> <56963D11.3050600@redhat.com> <56974647.1010408@redhat.com> <56976EF5.8080601@redhat.com> <569773DC.80808@redhat.com> <5697D18F.8010105@redhat.com>
Message-ID: <56A61F29.3050209@redhat.com>

On 14.1.2016 17:49, Petr Viktorin wrote:
> On 01/14/2016 11:09 AM, Jan Cholasta wrote:
>> On 14.1.2016 10:48, Petr Viktorin wrote:
>>> On 01/14/2016 07:55 AM, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 13.1.2016 13:03, Martin Babinsky wrote:
>>>>> On 01/13/2016 11:34 AM, Petr Viktorin wrote:
>>>>>> Hello,
>>>>>> I'm planning to port the ipa-client to Python 3, and I'm likely to end
>>>>>> up shaking out some dusty corners of the codebase, rather than
>>>>>> doing the
>>>>>> minimal amount of work :)
>>>>>> So I'd like to get your opinions before I commit significant time to
>>>>>> this.
>
> Here's a patch for review.
> (I'm sending the full diff for applying; the result is nicer to look at
> with `git show -C`)
>
>
>>> [...]
>>>>>> client-tools/
>>>>>> - man/*
>>>>>> - *.c
>>>>>> - *.h
>>>>>> - all the automake stuff
>>>>>> - current contents of ipa-install (Python scripts that go in
>>>>>> /usr/sbin)
>>>>
>>>> I would rather s/client-tools/client/, as this stuff goes into the
>>>> freeipa-*client* subpackage.
>>>
>>> OK. It's just that there's no admintools/ or server/ either.
>>>
>>> Putting the scripts into install/tools/ (or install/client/) is another
>>> possibility.
>>
>> Right. I guess we have to decide whether we want a directory layout
>> based on the component/subpackage or not. install/tools/ works for me
>> equally well.
>
> I put the scripts in client/. IPA supports building just the client
> bits, and that's easier if the server and client scripts are separate.
>
>>>> I'm not sure if this is what you are suggesting or not, but I would like
>>>> the man page files to be in the same directory as the corresponding
>>>> source code files.
>>>
>>> Do you mean not having the man/ subdirectory?
>>
>> Yes. (I don't insist though.)
>
> Even if you did insist, I think it would be better to ditch
> install/tools/man/ and ipatests/man/ at the same time as client/man/, so
> I'm leaving this for a potential future patch.

It could be done gradually (there already is /ipa.1 for /ipa), but OK.

The patch needs a rebase on top of master and ipa-4-3. Otherwise ACK.

-- 
Jan Cholasta

From mbasti at redhat.com Mon Jan 25 13:18:24 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 25 Jan 2016 14:18:24 +0100
Subject: [Freeipa-devel] [PATCH] 948 stop installer when setup-ds.pl fail
In-Reply-To: <56A1F3C2.8070805@redhat.com>
References: <56A12353.9070903@redhat.com> <56A1F3C2.8070805@redhat.com>
Message-ID: <56A620A0.1090907@redhat.com>

On 22.01.2016 10:17, Martin Babinsky wrote:
> On 01/21/2016 07:28 PM, Petr Vobornik wrote:
>>
>> Petr Vobornik
> ACK.
>
Pushed to:
master: b0894a84932c3b02c495f29b7c110dd072da745f
ipa-4-3: 0b2961e87c1978dc49395aba6df50269ef359ba4

From pviktori at redhat.com Mon Jan 25 13:49:59 2016
From: pviktori at redhat.com (Petr Viktorin)
Date: Mon, 25 Jan 2016 14:49:59 +0100
Subject: [Freeipa-devel] [PATCH] 0760 - Split ipa-client/ into ipaclient/ and client/
In-Reply-To: <56A61F29.3050209@redhat.com>
References: <56962826.10404@redhat.com> <56963D11.3050600@redhat.com> <56974647.1010408@redhat.com> <56976EF5.8080601@redhat.com> <569773DC.80808@redhat.com> <5697D18F.8010105@redhat.com> <56A61F29.3050209@redhat.com>
Message-ID: <56A62807.1040706@redhat.com>

On 01/25/2016 02:12 PM, Jan Cholasta wrote:
> On 14.1.2016 17:49, Petr Viktorin wrote:
>> On 01/14/2016 11:09 AM, Jan Cholasta wrote:
>>> On 14.1.2016 10:48, Petr Viktorin wrote:
>>>> On 01/14/2016 07:55 AM, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 13.1.2016 13:03, Martin Babinsky wrote:
>>>>>> On 01/13/2016 11:34 AM, Petr Viktorin wrote:
>>>>>>> Hello,
>>>>>>> I'm planning to port the ipa-client to Python 3, and I'm likely
>>>>>>> to end
>>>>>>> up shaking out some dusty corners of the codebase, rather than
>>>>>>> doing the
>>>>>>> minimal amount of work :)
>>>>>>> So I'd like to get your opinions before I commit significant time to
>>>>>>> this.
>>
>> Here's a patch for review.
>> (I'm sending the full diff for applying; the result is nicer to look at
>> with `git show -C`)
>>
>>
>>>> [...]
>>>>>>> client-tools/
>>>>>>> - man/*
>>>>>>> - *.c
>>>>>>> - *.h
>>>>>>> - all the automake stuff
>>>>>>> - current contents of ipa-install (Python scripts that go in
>>>>>>> /usr/sbin)
>>>>>
>>>>> I would rather s/client-tools/client/, as this stuff goes into the
>>>>> freeipa-*client* subpackage.
>>>>
>>>> OK. It's just that there's no admintools/ or server/ either.
>>>>
>>>> Putting the scripts into install/tools/ (or install/client/) is another
>>>> possibility.
>>>
>>> Right. I guess we have to decide whether we want a directory layout
>>> based on the component/subpackage or not. install/tools/ works for me
>>> equally well.
>>
>> I put the scripts in client/. IPA supports building just the client
>> bits, and that's easier if the server and client scripts are separate.
>>
>>>>> I'm not sure if this is what you are suggesting or not, but I would
>>>>> like
>>>>> the man page files to be in the same directory as the corresponding
>>>>> source code files.
>>>>
>>>> Do you mean not having the man/ subdirectory?
>>>
>>> Yes. (I don't insist though.)
>>
>> Even if you did insist, I think it would be better to ditch
>> install/tools/man/ and ipatests/man/ at the same time as client/man/, so
>> I'm leaving this for a potential future patch.
>
> It could be done gradually (there already is /ipa.1 for /ipa), but OK.
>
> The patch needs a rebase on top of master and ipa-4-3. Otherwise ACK.

Here are the rebased patches.

-- 
Petr Viktorin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0760-ipa-4-3-Split-ipa-client-into-ipaclient-Python-library-and-c.patch
Type: text/x-patch
Size: 714272 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0760-master-Split-ipa-client-into-ipaclient-Python-library-and-c.patch
Type: text/x-patch
Size: 714666 bytes
Desc: not available
URL:

From pvomacka at redhat.com Mon Jan 25 14:10:56 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Mon, 25 Jan 2016 09:10:56 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] 0002 Add support for user parameter for /ipa/ui/reset_password.html
In-Reply-To: <443518894.16557769.1453730196149.JavaMail.zimbra@redhat.com>
Message-ID: <22878941.16566850.1453731056156.JavaMail.zimbra@redhat.com>

Hello again,

another patch is ready for reviewing. Now it is the patch which adds support for user parameter for /ipa/ui/reset_password.html page. That means that you can prefill username field by using url parameter 'user'. Here is the ticket link: https://fedorahosted.org/freeipa/ticket/5001 .

Pavel Vomacka
Intern
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0002-Add-support-for-the-user-url-parameter-for-the-reset.patch
Type: text/x-patch
Size: 1022 bytes
Desc: not available
URL:

From amarecek at redhat.com Mon Jan 25 14:12:39 2016
From: amarecek at redhat.com (Aleš Mareček)
Date: Mon, 25 Jan 2016 09:12:39 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
In-Reply-To: <1109856801.17382352.1453719335272.JavaMail.zimbra@redhat.com>
References: <20151106113201.5e6a7042@dhcp-24-123.brq.redhat.com> <20151210112952.3ddb7136@vor2.netbox.priv> <964966782.26674717.1449760307850.JavaMail.zimbra@redhat.com> <273613290.27075436.1449834011983.JavaMail.zimbra@redhat.com> <184590988.47122995.1450007607203.JavaMail.zimbra@redhat.com> <81340538.11928726.1452868912243.JavaMail.zimbra@redhat.com> <569E4CFB.8040808@redhat.com> <1109856801.17382352.1453719335272.JavaMail.zimbra@redhat.com>
Message-ID: <322938165.12060097.1453731159502.JavaMail.zimbra@redhat.com>

Tested + several other dependent tests executed as well - PASS.
The patch looks good, ACK.

----- Original Message -----
> From: "Filip Skola" > To: "Milan Kub?k" > Cc: freeipa-devel at redhat.com, "Ale? Mare?ek" > Sent: Monday, January 25, 2016 11:55:35 AM > Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin > > > > ----- Original Message ----- > > On 01/15/2016 03:41 PM, Filip Skola wrote: > > > Hi, > > > > > > sending rebased patch on top of 58c42ddac0964a8cce7c1e1faa7516da53f028ad. > > > > > > Includes a "fix" for the rename-to-invalid-username issue for the new > > > version. > > > > > > F. > > > > > > ----- Original Message ----- > > >> Hi, > > >> > > >> I don't know what is causing the \r\n issue. I use vim and than send > > >> each > > >> email with claws-mail. Didn't spot this issue when trying emailing the > > >> patch > > >> to my other address. I'm trying to send it from zimbra now, let me know > > >> if > > >> that helped pls. > > >> > > >> Fix for the stageuser plugin issues caused by this patch should have > > >> been > > >> included in the last update; I think the remaining issue is not caused > > >> by > > >> UserTracker changes. Please correct me, if I'm wrong. > > >> > > >>> There is some issue with "test_rename_to_too_long_login" test. It fails > > >>> but > > >>> actually this is false positive because it is possible to create login > > >>> upto > > >>> 255 characters. I don't know why test mentions 32 characters without > > >>> any > > >>> other modified setup. > > >>> NACK for now. > > >>> - alich - > > >> This has been changed. This test still fails, though. > > >> > > >> Filip > > >> > > >>> > > >>> ----- Original Message ----- 
> > >>>> From: "Ale? Mare?ek" > > >>>> To: "Filip ?kola" > > >>>> Cc: freeipa-devel at redhat.com, "Milan Kub?k" > > >>>> Sent: Thursday, December 10, 2015 4:11:47 PM > > >>>> Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin > > >>>> > > >>>> Ah, sorry, haven't realized there had been devel list attached. > > >>>> Ok, there is some problem with \r\n in the patch. > > >>>> Filip, please take a look at it... > > >>>> Thanks... > > >>>> - alich - > > >>>> > > >>>> ----- Original Message ----- > > >>>>> From: "Filip ?kola" > > >>>>> To: "Ale? Mare?ek" > > >>>>> Cc: freeipa-devel at redhat.com, "Milan Kub?k" > > >>>>> Sent: Thursday, December 10, 2015 11:29:52 AM > > >>>>> Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin > > >>>>> > > >>>>> Hi, > > >>>>> > > >>>>> this if fixed. Also issues with test_stageuser_plugin caused by > > >>>>> UserTracker changes should be fixed here. > > >>>>> > > >>>>> Filip > > >>>>> > > >>>>> > > >>>>> On Mon, 7 Dec 2015 09:29:31 -0500 (EST) > > >>>>> Ale? Mare?ek wrote: > > >>>>> > > >>>>>> NACK. > > >>>>>> > > >>>>>> $ ./make-lint > > >>>>>> ************* Module ipatests.test_xmlrpc.test_user_plugin > > >>>>>> ipatests/test_xmlrpc/test_user_plugin.py:42: > > >>>>>> [E0611(no-name-in-module), ] No name 'ldaptracker' in module > > >>>>>> 'ipatests.test_xmlrpc') > > >>>>>> > > >>>>>> $ grep ldaptracker ipatests/test_xmlrpc/test_user_plugin.py > > >>>>>> from ipatests.test_xmlrpc.ldaptracker import Tracker > > >>>>>> $ ls ipatests/test_xmlrpc/ldaptracker* > > >>>>>> ls: cannot access ipatests/test_xmlrpc/ldaptracker*: No such file or > > >>>>>> directory > > >>>>>> > > >>>>>> > > >>>>>> ----- Original Message ----- 
> > >>>>>>> From: "Filip ?kola" > > >>>>>>> To: "Milan Kub?k" > > >>>>>>> Cc: freeipa-devel at redhat.com > > >>>>>>> Sent: Thursday, December 3, 2015 5:38:43 PM > > >>>>>>> Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin > > >>>>>>> > > >>>>>>> Hi, > > >>>>>>> > > >>>>>>> sending corrected version. > > >>>>>>> > > >>>>>>> F. > > >>>>>>> > > >>>>>>> On Thu, 12 Nov 2015 14:03:19 +0100 > > >>>>>>> Milan Kub?k wrote: > > >>>>>>> > > >>>>>>>> On 11/10/2015 12:13 PM, Filip ?kola wrote: > > >>>>>>>>> Hi, > > >>>>>>>>> > > >>>>>>>>> fixed. > > >>>>>>>>> > > >>>>>>>>> F. > > >>>>>>>>> > > >>>>>>>>> On Tue, 10 Nov 2015 10:52:45 +0100 > > >>>>>>>>> Milan Kub?k wrote: > > >>>>>>>>> > > >>>>>>>>>> On 11/09/2015 04:35 PM, Filip ?kola wrote: > > >>>>>>>>>>> Another patch was applied in the meantime. > > >>>>>>>>>>> > > >>>>>>>>>>> Attaching an updated version. > > >>>>>>>>>>> > > >>>>>>>>>>> F. > > >>>>>>>>>>> > > >>>>>>>>>>> On Mon, 9 Nov 2015 13:35:02 +0100 > > >>>>>>>>>>> Milan Kub?k wrote: > > >>>>>>>>>>> > > >>>>>>>>>>>> On 11/06/2015 11:32 AM, Filip ?kola wrote: > > >>>>>>>>>>>> Hi, > > >>>>>>>>>>>> the patch doesn't apply. > > >>>>>>>>>>>> > > >>>>>>>>>> Please fix this. > > >>>>>>>>>> > > >>>>>>>>>> ipatests/test_xmlrpc/test_user_plugin.py:1419: > > >>>>>>>>>> [E0602(undefined-variable), > > >>>>>>>>>> TestDeniedBindWithExpiredPrincipal.teardown_class] Undefined > > >>>>>>>>>> variable 'user1') > > >>>>>>>>>> > > >>>>>>>>>> Also, use the version numbers for your changed patches. > > >>>>>>>>>> > > >>>>>>>>> > > >>>>>>>> Thanks for the patch. Several issues: > > >>>>>>>> > > >>>>>>>> 1. Use dict.items instead of dict.iteritems, for python3 > > >>>>>>>> compatibility > > >>>>>>>> > > >>>>>>>> 2. What is the purpose of TestPrepare class? The 'purge' methods > > >>>>>>>> do not call any ipa commands. > > >>>>>>>> Tracker.make_fixture should be used to make the Tracked resources > > >>>>>>>> clean themselves up when they're out of scope. 
> > >>>>>>>> > > >>>>>>>> 3. Why reference the resources by hardcoded name if they have a > > >>>>>>>> fixture representation? > > >>>>>>>> > > >>>>>>>> 4. Rewrite {create,delete}_test_group to a fixture. You may want > > >>>>>>>> to use different scope (or not). > > >>>>>>>> > > >>>>>>>> 5. In `def atest_rename_to_invalid_login(self, user):` - use > > >>>>>>>> pytest.skipif decorator and provide a reason if you must, > > >>>>>>>> do not obfuscate method name in order not to run it. > > >>>>>>>> > > >>>>>>>> > > >>>>>>> > > >>>>>>> -- > > >>>>>>> Manage your subscription for the Freeipa-devel mailing list: > > >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel > > >>>>>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > > >>>>> > > >> -- > > >> Manage your subscription for the Freeipa-devel mailing list: > > >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > >> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > > NACK, there are errors occuring that do not appear in the respective > > test cases in the declarative test. > > In the original module the ` Test a login name that is too long` and > > `Try to rename to a username that is too long` do not use {add,set}attr. > > Why do you use them? > > > > I'm also postponing the review of your other patches as they depend on > > changes in this one. > > > > -- > > Milan Kubik > > > > > > To be honest, I have no idea why I did use setattr in those places. Update of > 'rename' attribute was used instead in this version of the patch and that > seems to work. > > Filip From mkubik at redhat.com Mon Jan 25 14:30:06 2016 
From: mkubik at redhat.com (Milan Kubík)
Date: Mon, 25 Jan 2016 15:30:06 +0100
Subject: [Freeipa-devel] [PATCH 0031] ipatests: fix the install of external ca
In-Reply-To: <56A22D22.8050605@redhat.com>
References: <569E64E3.4030406@redhat.com> <569E6AA6.2070503@redhat.com> <56A22D22.8050605@redhat.com>
Message-ID: <56A6316E.1050006@redhat.com>

On 01/22/2016 02:22 PM, Martin Babinsky wrote:
> On 01/19/2016 05:56 PM, Milan Kubík wrote:
>> On 01/19/2016 05:31 PM, Milan Kubík wrote:
>>> Patch attached.
>>>
>>>
>>>
>> This actually has a ticket opened. Patch with fixed commit message. ;)
>>
>> --
>> Milan Kubik
>>
>>
>>
>
> Hi Milan,
>
> for the step 1 installation I would rather reuse the
> tasks:install_master function which already does (nearly) all CLI
> option-related magic. You can extend its signature by adding a
> parameter to pass on additional options like this:
>
> --- a/ipatests/test_integration/tasks.py
> +++ b/ipatests/test_integration/tasks.py
> @@ -258,7 +258,7 @@ def enable_replication_debugging(host):
> stdin_text=logging_ldif)
>
>
> -def install_master(host, setup_dns=True, setup_kra=False):
> +def install_master(host, setup_dns=True, setup_kra=False,
> extra_args=()):
> host.collect_log(paths.IPASERVER_INSTALL_LOG)
> host.collect_log(paths.IPACLIENT_INSTALL_LOG)
> inst = host.domain.realm.replace('.', '-')
> @@ -284,6 +284,8 @@ def install_master(host, setup_dns=True,
> setup_kra=False):
> '--auto-reverse'
> ])
>
> + args.extend(extra_args)
> +
> host.run_command(args)
> enable_replication_debugging(host)
> setup_sssd_debugging(host)
>

Thanks for the suggestion. Though, this is not possible without larger changes to tasks.install_master. The external ca test needs to skip several steps that occur in the general install task. In this case, I'd remain with customized install in the test itself.

--
Milan Kubik

From fskola at redhat.com Mon Jan 25 14:57:25 2016
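Review bot: the extra_args parameter that the first hunk of the suggested tasks.py change adds to install_master has no documentation, and in the second hunk `args.extend(extra_args)` accepts any iterable, so a caller passing a single option as a bare string would have it appended character by character to the install command line. Document extra_args as a sequence of additional command-line options for the install command and reject a str value explicitly, for example `if isinstance(extra_args, str): raise TypeError('extra_args must be a sequence')`.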
From: fskola at redhat.com (Filip Skola)
Date: Mon, 25 Jan 2016 09:57:25 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] 0007 Refactor test_sudocmd_plugin
In-Reply-To: <2146003584.17512503.1453733815330.JavaMail.zimbra@redhat.com>
Message-ID: <1415364427.17513799.1453733845873.JavaMail.zimbra@redhat.com>

Hello,

attaching refactored sudocmd_plugin.

Filip
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-fskola-0007-Refactor-test_sudocmd_plugin.patch
Type: text/x-patch
Size: 19835 bytes
Desc: not available
URL:

From mbasti at redhat.com Mon Jan 25 15:06:00 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 25 Jan 2016 16:06:00 +0100
Subject: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
In-Reply-To: <322938165.12060097.1453731159502.JavaMail.zimbra@redhat.com>
References: <20151106113201.5e6a7042@dhcp-24-123.brq.redhat.com> <20151210112952.3ddb7136@vor2.netbox.priv> <964966782.26674717.1449760307850.JavaMail.zimbra@redhat.com> <273613290.27075436.1449834011983.JavaMail.zimbra@redhat.com> <184590988.47122995.1450007607203.JavaMail.zimbra@redhat.com> <81340538.11928726.1452868912243.JavaMail.zimbra@redhat.com> <569E4CFB.8040808@redhat.com> <1109856801.17382352.1453719335272.JavaMail.zimbra@redhat.com> <322938165.12060097.1453731159502.JavaMail.zimbra@redhat.com>
Message-ID: <56A639D8.30406@redhat.com>

On 25.01.2016 15:12, Aleš Mareček wrote:
> Tested + several other dependent tests executed as well - PASS.
> The patch looks good, ACK.
>
> ----- Original Message -----
>> From: "Filip Skola"
>> To: "Milan Kubík"
>> Cc: freeipa-devel at redhat.com, "Aleš Mareček"
>> Sent: Monday, January 25, 2016 11:55:35 AM
>> Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
>>
>>
>>
>> ----- Original Message -----
>>> On 01/15/2016 03:41 PM, Filip Skola wrote:
>>>> Hi,
>>>>
>>>> sending rebased patch on top of 58c42ddac0964a8cce7c1e1faa7516da53f028ad.
>>>>
>>>> Includes a "fix" for the rename-to-invalid-username issue for the new
>>>> version.
>>>>
>>>> F.
>>>>
>>>> ----- Original Message -----
>>>>> Hi,
>>>>>
>>>>> I don't know what is causing the \r\n issue. I use vim and then send
>>>>> each
>>>>> email with claws-mail. Didn't spot this issue when trying emailing the
>>>>> patch
>>>>> to my other address. I'm trying to send it from zimbra now, let me know
>>>>> if
>>>>> that helped pls.
>>>>>
>>>>> Fix for the stageuser plugin issues caused by this patch should have
>>>>> been
>>>>> included in the last update; I think the remaining issue is not caused
>>>>> by
>>>>> UserTracker changes. Please correct me, if I'm wrong.
>>>>>
>>>>>> There is some issue with "test_rename_to_too_long_login" test. It fails
>>>>>> but
>>>>>> actually this is false positive because it is possible to create login
>>>>>> up to
>>>>>> 255 characters. I don't know why test mentions 32 characters without
>>>>>> any
>>>>>> other modified setup.
>>>>>> NACK for now.
>>>>>> - alich -
>>>>> This has been changed. This test still fails, though.
>>>>>
>>>>> Filip
>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Aleš Mareček"
>>>>>>> To: "Filip Škola"
>>>>>>> Cc: freeipa-devel at redhat.com, "Milan Kubík"
>>>>>>> Sent: Thursday, December 10, 2015 4:11:47 PM
>>>>>>> Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
>>>>>>>
>>>>>>> Ah, sorry, haven't realized there had been devel list attached.
>>>>>>> Ok, there is some problem with \r\n in the patch.
>>>>>>> Filip, please take a look at it...
>>>>>>> Thanks...
>>>>>>> - alich -
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Filip Škola"
>>>>>>>> To: "Aleš Mareček"
>>>>>>>> Cc: freeipa-devel at redhat.com, "Milan Kubík"
>>>>>>>> Sent: Thursday, December 10, 2015 11:29:52 AM
>>>>>>>> Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> this is fixed. Also issues with test_stageuser_plugin caused by
>>>>>>>> UserTracker changes should be fixed here.
>>>>>>>>
>>>>>>>> Filip
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, 7 Dec 2015 09:29:31 -0500 (EST)
>>>>>>>> Aleš Mareček wrote:
>>>>>>>>
>>>>>>>>> NACK.
>>>>>>>>>
>>>>>>>>> $ ./make-lint
>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_user_plugin
>>>>>>>>> ipatests/test_xmlrpc/test_user_plugin.py:42:
>>>>>>>>> [E0611(no-name-in-module), ] No name 'ldaptracker' in module
>>>>>>>>> 'ipatests.test_xmlrpc')
>>>>>>>>>
>>>>>>>>> $ grep ldaptracker ipatests/test_xmlrpc/test_user_plugin.py
>>>>>>>>> from ipatests.test_xmlrpc.ldaptracker import Tracker
>>>>>>>>> $ ls ipatests/test_xmlrpc/ldaptracker*
>>>>>>>>> ls: cannot access ipatests/test_xmlrpc/ldaptracker*: No such file or
>>>>>>>>> directory
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>>> From: "Filip Škola"
>>>>>>>>>> To: "Milan Kubík"
>>>>>>>>>> Cc: freeipa-devel at redhat.com
>>>>>>>>>> Sent: Thursday, December 3, 2015 5:38:43 PM
>>>>>>>>>> Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> sending corrected version.
>>>>>>>>>>
>>>>>>>>>> F.
>>>>>>>>>>
>>>>>>>>>> On Thu, 12 Nov 2015 14:03:19 +0100
>>>>>>>>>> Milan Kubík wrote:
>>>>>>>>>>
>>>>>>>>>>> On 11/10/2015 12:13 PM, Filip Škola wrote:
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> fixed.
>>>>>>>>>>>>
>>>>>>>>>>>> F.
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, 10 Nov 2015 10:52:45 +0100
>>>>>>>>>>>> Milan Kubík wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> On 11/09/2015 04:35 PM, Filip Škola wrote:
>>>>>>>>>>>>>> Another patch was applied in the meantime.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Attaching an updated version.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> F.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, 9 Nov 2015 13:35:02 +0100
>>>>>>>>>>>>>> Milan Kubík wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 11/06/2015 11:32 AM, Filip Škola wrote:
>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>> the patch doesn't apply.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>> Please fix this.
>>>>>>>>>>>>>
>>>>>>>>>>>>> ipatests/test_xmlrpc/test_user_plugin.py:1419:
>>>>>>>>>>>>> [E0602(undefined-variable),
>>>>>>>>>>>>> TestDeniedBindWithExpiredPrincipal.teardown_class] Undefined
>>>>>>>>>>>>> variable 'user1')
>>>>>>>>>>>>>
>>>>>>>>>>>>> Also, use the version numbers for your changed patches.
>>>>>>>>>>>>>
>>>>>>>>>>> Thanks for the patch. Several issues:
>>>>>>>>>>>
>>>>>>>>>>> 1. Use dict.items instead of dict.iteritems, for python3
>>>>>>>>>>> compatibility
>>>>>>>>>>>
>>>>>>>>>>> 2. What is the purpose of TestPrepare class? The 'purge' methods
>>>>>>>>>>> do not call any ipa commands.
>>>>>>>>>>> Tracker.make_fixture should be used to make the Tracked resources
>>>>>>>>>>> clean themselves up when they're out of scope.
>>>>>>>>>>>
>>>>>>>>>>> 3. Why reference the resources by hardcoded name if they have a
>>>>>>>>>>> fixture representation?
>>>>>>>>>>>
>>>>>>>>>>> 4. Rewrite {create,delete}_test_group to a fixture. You may want
>>>>>>>>>>> to use different scope (or not).
>>>>>>>>>>>
>>>>>>>>>>> 5. In `def atest_rename_to_invalid_login(self, user):` - use
>>>>>>>>>>> pytest.skipif decorator and provide a reason if you must,
>>>>>>>>>>> do not obfuscate method name in order not to run it.
>>>>>>>>>>>
>>>>>>>>>>>
>>> NACK, there are errors occurring that do not appear in the respective
>>> test cases in the declarative test.
>>> In the original module the ` Test a login name that is too long` and
>>> `Try to rename to a username that is too long` do not use {add,set}attr.
>>> Why do you use them?
>>>
>>> I'm also postponing the review of your other patches as they depend on
>>> changes in this one.
>>>
>>> --
>>> Milan Kubik
>>>
>>>
>> To be honest, I have no idea why I did use setattr in those places. Update of
>> 'rename' attribute was used instead in this version of the patch and that
>> seems to work.
>>
>> Filip

Pushed to:
ipa-4-3: a278a74695ef9df381d2668ce6d249ced555aad2
master: 3d1adb325512cf14de8b88ca8178dd4a754256ec

From slaznick at redhat.com Mon Jan 25 15:41:23 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Mon, 25 Jan 2016 16:41:23 +0100
Subject: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs
In-Reply-To: <56A21F17.40406@redhat.com>
References: <5673F1F9.2030403@redhat.com> <56964AB1.1010902@redhat.com> <56975994.6040604@redhat.com> <5697AF06.3070805@redhat.com> <5697B7CD.6050607@redhat.com> <5697BBBA.60503@redhat.com> <5697C5E3.2010307@redhat.com> <5698EA71.2040105@redhat.com> <56A21F17.40406@redhat.com>
Message-ID: <56A64223.4030809@redhat.com>

Hi,

Worked those comments into the code. Also added a bit different info message in clean_ruv with ca=True (ipa-replica-manage:430).

Also adding steps to reproduce:
1. Create a master and some replica (3 replicas is a good solution - 1 with CA, 1 without, 1 to be dangling (with CA))
2. Change domain level to 0 and ipactl restart
3. Remove the "dangling-to-be" replica from masters.ipa.etc and from both ipaca and domain subtrees in mapping tree.config
4. Try to remove the dangling ruvs with the command

Cheers,
Standa

On 01/22/2016 01:22 PM, Martin Basti wrote:
> Hello,
>
> I have a few comments
>
> PATCH Automatically detect and remove dangling RUVs
>
> 1)
> + # get the Directory Manager password
> + if options.dirman_passwd:
> + dirman_passwd = options.dirman_passwd
> + else:
> + dirman_passwd = installutils.read_password('Directory Manager',
> + confirm=False, validate=False, retry=False)
> + if dirman_passwd is None:
> + sys.exit('Directory Manager password is required')
> +
> + options.dirman_passwd = dirman_passwd
>
> IMO you need only else branch here
>
> if not options.dirman_password:
> dirman_passwd = installutils.read_password('Directory Manager',
> confirm=False, validate=False, retry=False)
> if dirman_passwd is None:
> sys.exit('Directory Manager password is required')
> options.dirman_passwd = dirman_passwd
>
>
> 2)
> We should use new formatting in new code (more times in code)
>
> + sys.exit(
> + "Failed to get data from '%s' while trying to list
> replicas: %s" %
> + (host, e)
> + )
>
> sys.exit(
> "Failed to get data from '{host}' while trying to list
> replicas: {e}".format(
> host=host, e=e
> )
> )
>
> 3)
> + # get all masters
> + masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
> + ipautil.realm_to_suffix(realm))
>
> IMO you should use constants:
> masters_dn = DN(api.env.container_masters, api.env.basedn)
>
> 4)
> + # Get realm string for config tree
> + s = realm.split('.')
> + s = ['dc={dc},'.format(dc=x.lower()) for x in s]
> + realm_config = DN(('cn', ''.join(s)[0:-1]))
>
> Can be api.env.basedn used instead of this block of code?
>
> 5)
> + masters = [x.single_value['cn'] for x in masters]
> ....
> + for master in masters:
>
> is there any reason why not iterate over the keys in info dict?
>
> for master_name, master_data/values/whatever in info.items():
> master_data['online'] = True
>
> Looks better than: info[master]['online'] = True
>
> 6)
> I asked python gurus, for empty lists and dicts, please use [] and {}
> instead of list() and dict()
> It is preferred and faster.
>
> 7)
> + if(info[master]['ca']):
> + entry = conn.get_entry(csreplica_dn)
> + csruv = (master,
> entry.single_value.get('nsDS5ReplicaID'))
> + if csruv not in csruvs:
> + csruvs.append(csruv)
>
> I don't like too much adding tuples into list and then doing search
> there, but it is as designed
>
> However can you use set() instead of list when the purpose of variable
> is only testing existence?
>
> related to:
> csruvs
> ruvs
> offlines
> clean_list
> cleaned
>
> 8)
> conn in finally block may be undefined
>
> 9)
> unused local variables
>
> clean_list
> entry on line 570
>
> 10)
> optional, comment what keys means in info structure
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-stlaz-0011-1-Listing-and-cleaning-RUV-extended-for-CA-suffix.patch
Type: text/x-patch
Size: 5089 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-stlaz-0012-3-Automatically-detect-and-remove-dangling-RUVs.patch
Type: text/x-patch
Size: 9181 bytes
Desc: not available
URL:

From mbabinsk at redhat.com Tue Jan 26 09:14:37 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 26 Jan 2016 10:14:37 +0100
Subject: [Freeipa-devel] [PATCH 543] CA install: explicitly set dogtag_version to 10
In-Reply-To: <20160125075612.GY4316@redhat.com>
References: <56A5D4B6.8030201@redhat.com> <20160125075612.GY4316@redhat.com>
Message-ID: <56A738FD.5030305@redhat.com>

On 01/25/2016 08:56 AM, Alexander Bokovoy wrote:
> On Mon, 25 Jan 2016, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch fixes .
>>
>> Note that this is a 4.2-specific fix.
>>
>> Honza
>>
>> --
>> Jan Cholasta
>
>> From c2a0684c64538166809883a235bd131518b6e78f Mon Sep 17 00:00:00 2001
>> From: Jan Cholasta
>> Date: Mon, 25 Jan 2016 08:48:42 +0100
>> Subject: [PATCH] CA install: explicitly set dogtag_version to 10
>>
>> When installing new CA master, explicitly set the dogtag_version
>> option to
>> 10 in api.bootstrap() to prevent failures in code which expects the value
>> to be 10 rather than the default value of 9.
>>
>> https://fedorahosted.org/freeipa/ticket/5611
>> ---
>> install/tools/ipa-ca-install | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
>> index 6564e4d..e8ccaef 100755
>> --- a/install/tools/ipa-ca-install
>> +++ b/install/tools/ipa-ca-install
>> @@ -162,7 +162,7 @@ def install_master(safe_options, options):
>>
>> # override ra_plugin setting read from default.conf so that we have
>> # functional dogtag backend plugins during CA install
>> - api.bootstrap(in_server=True, ra_plugin='dogtag')
>> + api.bootstrap(in_server=True, ra_plugin='dogtag', dogtag_version=10)
>> api.finalize()
>>
>> dm_password = options.password
>> --
> ACK.
>

Not so fast, I have this patch applied on top of ipa-4-2 and it does not fix the crash described in the ticket.

--
Martin^3 Babinsky

From mbabinsk at redhat.com Tue Jan 26 09:23:12 2016
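Review bot: the hunk in ipa-ca-install forces dogtag_version=10 in api.bootstrap() but leaves the comment above the call mentioning only the ra_plugin override; extend that comment to say why the version is pinned (a new CA master is always Dogtag 10 while the default is 9, as the commit message explains). Also, the change only helps code that takes the version from this api object's configuration; the reply in this message reports that the crash from ticket 5611 persists on ipa-4-2 with the patch applied, so the crashing code path should be checked for a version lookup that does not go through the bootstrapped api before relying on this one-line fix.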
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 26 Jan 2016 10:23:12 +0100
Subject: [Freeipa-devel] [PATCH 543] CA install: explicitly set dogtag_version to 10
In-Reply-To: <56A738FD.5030305@redhat.com>
References: <56A5D4B6.8030201@redhat.com> <20160125075612.GY4316@redhat.com> <56A738FD.5030305@redhat.com>
Message-ID: <56A73B00.1070702@redhat.com>

On 01/26/2016 10:14 AM, Martin Babinsky wrote:
> On 01/25/2016 08:56 AM, Alexander Bokovoy wrote:
>> On Mon, 25 Jan 2016, Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patch fixes .
>>>
>>> Note that this is a 4.2-specific fix.
>>>
>>> Honza
>>>
>>> --
>>> Jan Cholasta
>>
>>> From c2a0684c64538166809883a235bd131518b6e78f Mon Sep 17 00:00:00 2001
>>> From: Jan Cholasta
>>> Date: Mon, 25 Jan 2016 08:48:42 +0100
>>> Subject: [PATCH] CA install: explicitly set dogtag_version to 10
>>>
>>> When installing new CA master, explicitly set the dogtag_version
>>> option to
>>> 10 in api.bootstrap() to prevent failures in code which expects the
>>> value
>>> to be 10 rather than the default value of 9.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5611
>>> ---
>>> install/tools/ipa-ca-install | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
>>> index 6564e4d..e8ccaef 100755
>>> --- a/install/tools/ipa-ca-install
>>> +++ b/install/tools/ipa-ca-install
>>> @@ -162,7 +162,7 @@ def install_master(safe_options, options):
>>>
>>> # override ra_plugin setting read from default.conf so that we have
>>> # functional dogtag backend plugins during CA install
>>> - api.bootstrap(in_server=True, ra_plugin='dogtag')
>>> + api.bootstrap(in_server=True, ra_plugin='dogtag',
>>> dogtag_version=10)
>>> api.finalize()
>>>
>>> dm_password = options.password
>>> --
>> ACK.
>>
>
> Not so fast, I have this patch applied on top of ipa-4-2 and it does not
> fix the crash described in the ticket.
>

See the end of CA install log (http://fpaste.org/314777/14537999/), it seems that despite setting dogtag version to 10 in API initialization, CA instance still thinks it needs to work with version 9.

It seems that dogtag.configured_constants() function is to blame:

"""
In [4]: from ipalib import api

In [5]: api.bootstrap(dogtag_version=10)

In [6]: api.finalize()

In [7]: dogtag.configured_constants()
Out[7]: ipapython.dogtag.Dogtag9Constants

In [8]: dogtag.configured_constants(api)
Out[8]: ipapython.dogtag.Dogtag10Constants
"""

--
Martin^3 Babinsky

From mbabinsk at redhat.com Tue Jan 26 12:06:58 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 26 Jan 2016 13:06:58 +0100
Subject: [Freeipa-devel] [PATCH 0131] fix standalone installation of externally signed CA on IPA master
Message-ID: <56A76162.7020303@redhat.com>

https://fedorahosted.org/freeipa/ticket/5636

--
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-4-2-mbabinsk-0131-fix-standalone-installation-of-externally-signed-CA-.patch
Type: text/x-patch
Size: 1005 bytes
Desc: not available
URL:

From mbabinsk at redhat.com Tue Jan 26 12:44:07 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 26 Jan 2016 13:44:07 +0100
Subject: [Freeipa-devel] [PATCH 0131] fix standalone installation of externally signed CA on IPA master
In-Reply-To: <56A76162.7020303@redhat.com>
References: <56A76162.7020303@redhat.com>
Message-ID: <56A76A17.7010808@redhat.com>

On 01/26/2016 01:06 PM, Martin Babinsky wrote:
> https://fedorahosted.org/freeipa/ticket/5636
>
>
>

This also happens on ipa-4-3/master but the offending check was moved around. Attaching patch for 4-3/master branches.

--
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0131-fix-standalone-installation-of-externally-signed-CA-.patch
Type: text/x-patch
Size: 1064 bytes
Desc: not available
URL:

From mbasti at redhat.com Tue Jan 26 13:02:41 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 26 Jan 2016 14:02:41 +0100
Subject: [Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit
Message-ID: <56A76E71.2050205@redhat.com>

https://fedorahosted.org/freeipa/ticket/5634

Patch attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0409-Warn-user-when-ipa-find-reach-limit.patch
Type: text/x-patch
Size: 2280 bytes
Desc: not available
URL:

From mbasti at redhat.com Tue Jan 26 13:16:40 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 26 Jan 2016 14:16:40 +0100
Subject: [Freeipa-devel] [PATCH 0407] make lint: migration to config file and pylint plugin due pylint 1.5.2
In-Reply-To: <569F8DEC.6090701@redhat.com>
References: <569E2F8A.5090905@redhat.com> <569F8DEC.6090701@redhat.com>
Message-ID: <56A771B8.1000803@redhat.com>

On 20.01.2016 14:38, Jan Cholasta wrote:
> Hi,
>
> On 19.1.2016 13:43, Martin Basti wrote:
>> New pylint version will break our custom make-lint script again,
>> attached patch migrates make-lint to:
>> * config file
>> * pylint plugin
>> which are supported by pylint and should not have regular compatibility
>> issues
>>
>> to test new approach run ./make-lint2
>>
>> Advantages:
>> * compatibility with pylint
>> * works on both pylint-1.4.3-3.fc23.noarch and
>> pylint-1.5.2-1.fc24.noarch
>> * pylint plugin works in different way than the previous custom checker.
>> Missing ("dynamic") attributes are added to abstract syntax tree instead
>> of ignoring them and all their sub-members. This makes check better,
>> pylint can detect more typos in tests configurations, api, env, etc..
>>
>> Disadvantages:
>> * any new attribute in api, test config, etc.. must be added to
>> definition of missing members (pylint plugin) - this should not happen
>> too often
>
> 1) Please "mv pylint_plugins/fix_ipa_members.py pylint_plugins.py" and
> "rm -rf pylint_plugins/", no need for this redundant directory structure.
>
> 2) Rename pylintrc to freeipa.pylintrc so you have to always specify
> it explicitly with --rcfile.
>
> 3) Use the load-plugins directive in freeipa.pylintrc to load the
> plugins rather than --load-plugins.
>
> 4) Instead of running pylint twice, run it only once with both normal
> and Python 3 checks enabled:
>
> [MESSAGE CONTROL]
> enable=all,python3
> disable=...,no-absolute-import
>
>>
>>
>> Q&TODO:
>> * make-lint: should it be just bash script or rather python script?
>
> IMO neither, it should be a make target (make lint).
>
>> * add dynamic detection of python files to be checked
>
> You can use "find . -type f -executable ! -path \*/.\* ! -name \*.py\*
> -exec grep -lsm1 '^#!.*\bpython' \{\} \;".
>
>> * should I keep the current options from original make-lint?
>
> No, but allow pylint options to be overridable (make lint
> PYLINTFLAGS="--disable=python3")
>
>> * several false positive errors I haven't been able to fix in plugin
>> yet, in worst case they can be locally disabled:
>
> Disable them locally.
>
> Honza
>

Updated patch attached.

Please note that make-lint script has been removed, to execute lint check use 'make lint'
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0407.2-make-lint-use-config-file-and-plugin-for-pylint.patch
Type: text/x-patch
Size: 36489 bytes
Desc: not available
URL:

From pspacek at redhat.com Tue Jan 26 13:55:02 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 26 Jan 2016 14:55:02 +0100
Subject: [Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit
In-Reply-To: <56A76E71.2050205@redhat.com>
References: <56A76E71.2050205@redhat.com>
Message-ID: <56A77AB6.6070206@redhat.com>

On 26.1.2016 14:02, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5634
>
> Patch attached.

It works for me in API, CLI, and Web UI. The warning is shown as expected.

Interestingly, Web UI behaves strangely when search limit is hit. This needs more investigation because it happens even without this patch :-)

--
Petr^2 Spacek

From mbasti at redhat.com Tue Jan 26 13:56:58 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 26 Jan 2016 14:56:58 +0100
Subject: [Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit
In-Reply-To: <56A77AB6.6070206@redhat.com>
References: <56A76E71.2050205@redhat.com> <56A77AB6.6070206@redhat.com>
Message-ID: <56A77B2A.5020401@redhat.com>

On 26.01.2016 14:55, Petr Spacek wrote:
> On 26.1.2016 14:02, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/5634
>>
>> Patch attached.
> It works for me in API, CLI, and Web UI. The warning is shown as expected.
>
> Interestingly, Web UI behaves strangely when search limit is hit. This needs
> more investigation because it happens even without this patch :-)
>

I found a different bug there, webUI passes sizelimit: 0 (unlimited), but this value is not passed to some searches inside BaseldapSearch which raise error, I will file a ticket and provide details there

From redhatrises at gmail.com Tue Jan 26 14:00:23 2016
From: redhatrises at gmail.com (Gabe Alford)
Date: Tue, 26 Jan 2016 07:00:23 -0700
Subject: [Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit
In-Reply-To: <56A77B2A.5020401@redhat.com>
References: <56A76E71.2050205@redhat.com> <56A77AB6.6070206@redhat.com> <56A77B2A.5020401@redhat.com>
Message-ID:

On Tue, Jan 26, 2016 at 6:56 AM, Martin Basti wrote:
>
>
> On 26.01.2016 14:55, Petr Spacek wrote:
>
>> On 26.1.2016 14:02, Martin Basti wrote:
>>
>>> https://fedorahosted.org/freeipa/ticket/5634
>>>
>>> Patch attached.
>>>
>> It works for me in API, CLI, and Web UI. The warning is shown as expected.
>>
>> Interestingly, Web UI behaves strangely when search limit is hit. This
>> needs
>> more investigation because it happens even without this patch :-)
>>
> I found a different bug there, webUI passes sizelimit: 0 (unlimited), but
> this value is not passed to some searches inside BaseldapSearch which
> raise error, I will file a ticket and provide details there

Works for me as well. However, it would be nice to have what ipasearchlimit is limited to in the error message as well. So something like:

"Search result has been truncated, the current search limit is set to 10. Please increase the search limit."

Does this also address https://fedorahosted.org/freeipa/ticket/4022?

Gabe

From mbasti at redhat.com Tue Jan 26 14:06:47 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 26 Jan 2016 15:06:47 +0100
Subject: [Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit
In-Reply-To:
References: <56A76E71.2050205@redhat.com> <56A77AB6.6070206@redhat.com> <56A77B2A.5020401@redhat.com>
Message-ID: <56A77D77.7030502@redhat.com>

On 26.01.2016 15:00, Gabe Alford wrote:
> On Tue, Jan 26, 2016 at 6:56 AM, Martin Basti
> wrote:
>
>
>
> On 26.01.2016 14:55, Petr Spacek wrote:
>
> On 26.1.2016 14:02, Martin Basti wrote:
>
> https://fedorahosted.org/freeipa/ticket/5634
>
> Patch attached.
>
> It works for me in API, CLI, and Web UI. The warning is shown
> as expected.
>
> Interestingly, Web UI behaves strangely when search limit is
> hit. This needs
> more investigation because it happens even without this patch :-)
>
> I found a different bug there, webUI passes sizelimit: 0
> (unlimited), but this value is not passed to some searches inside
> BaseldapSearch which raise error, I will file a ticket and provide
> details there
>
>
> Works for me as well. However, it would be nice to have what
> ipasearchlimit is limited to in the error message as well. So
> something like:

thanks for testing.

>
> "Search result has been truncated, the current search limit is set to
> 10. Please increase the search limit."

Well this is not so easy to achieve in framework, I prefer not to add number there, it requires bigger change in framework or an extra ldap search.

>
> Does this also address https://fedorahosted.org/freeipa/ticket/4022?

It should.

> Gabe

From pspacek at redhat.com Tue Jan 26 14:17:11 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 26 Jan 2016 15:17:11 +0100
Subject: [Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit
In-Reply-To: <56A77D77.7030502@redhat.com>
References: <56A76E71.2050205@redhat.com> <56A77AB6.6070206@redhat.com> <56A77B2A.5020401@redhat.com> <56A77D77.7030502@redhat.com>
Message-ID: <56A77FE7.1020708@redhat.com>

On 26.1.2016 15:06, Martin Basti wrote:
>
>
> On 26.01.2016 15:00, Gabe Alford wrote:
>> On Tue, Jan 26, 2016 at 6:56 AM, Martin Basti
>> wrote:
>>
>>
>>
>> On 26.01.2016 14:55, Petr Spacek wrote:
>>
>> On 26.1.2016 14:02, Martin Basti wrote:
>>
>> https://fedorahosted.org/freeipa/ticket/5634
>>
>> Patch attached.
>>
>> It works for me in API, CLI, and Web UI. The warning is shown
>> as expected.
>>
>> Interestingly, Web UI behaves strangely when search limit is
>> hit. This needs
>> more investigation because it happens even without this patch :-)
>>
>> I found a different bug there, webUI passes sizelimit: 0
>> (unlimited), but this value is not passed to some searches inside
>> BaseldapSearch which raise error, I will file a ticket and provide
>> details there
>>
>>
>> Works for me as well. However, it would be nice to have what ipasearchlimit
>> is limited to in the error message as well. So something like:
> thanks for testing.
>
>>
>> "Search result has been truncated, the current search limit is set to 10.
>> Please increase the search limit."
> Well this is not so easy to achieve in framework, I prefer not to add number
> there, it requires bigger change in framework or an extra ldap search.
>>
>> Does this also address https://fedorahosted.org/freeipa/ticket/4022?
> It should.

Maybe we can use some generic phrase like:
"Search result has been truncated to configured search limit."
and avoid advice like 'increase search limit' which may not be possible to do, e.g. because user does not have permission to do that etc.

--
Petr^2 Spacek

From mbasti at redhat.com Tue Jan 26 14:33:02 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 26 Jan 2016 15:33:02 +0100
Subject: [Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit
In-Reply-To: <56A77FE7.1020708@redhat.com>
References: <56A76E71.2050205@redhat.com> <56A77AB6.6070206@redhat.com> <56A77B2A.5020401@redhat.com> <56A77D77.7030502@redhat.com> <56A77FE7.1020708@redhat.com>
Message-ID: <56A7839E.9030803@redhat.com>

On 26.01.2016 15:17, Petr Spacek wrote:
> On 26.1.2016 15:06, Martin Basti wrote:
>>
>> On 26.01.2016 15:00, Gabe Alford wrote:
>>> On Tue, Jan 26, 2016 at 6:56 AM, Martin Basti
>>> wrote:
>>>
>>>
>>>
>>> On 26.01.2016 14:55, Petr Spacek wrote:
>>>
>>> On 26.1.2016 14:02, Martin Basti wrote:
>>>
>>> https://fedorahosted.org/freeipa/ticket/5634
>>>
>>> Patch attached.
>>>
>>> It works for me in API, CLI, and Web UI. The warning is shown
>>> as expected.
>>>
>>> Interestingly, Web UI behaves strangely when search limit is
>>> hit. This needs
>>> more investigation because it happens even without this patch :-)
>>>
>>> I found a different bug there, webUI passes sizelimit: 0
>>> (unlimited), but this value is not passed to some searches inside
>>> BaseldapSearch which raise error, I will file a ticket and provide
>>> details there
>>>
>>>
>>> Works for me as well. However, it would be nice to have what ipasearchlimit
>>> is limited to in the error message as well. So something like:
>> thanks for testing.
>>
>>> "Search result has been truncated, the current search limit is set to 10.
>>> Please increase the search limit."
>> Well this is not so easy to achieve in framework, I prefer not to add number
>> there, it requires bigger change in framework or an extra ldap search.
>>> Does this also address https://fedorahosted.org/freeipa/ticket/4022?
>> It should.
> Maybe we can use some generic phrase like:
> "Search result has been truncated to configured search limit."
> and avoid advice like 'increase search limit' which may not be possible to do,
> e.g. because user does not have permission to do that etc.
>

Updated patch attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0409.2-Warn-user-when-ipa-find-reach-limit.patch
Type: text/x-patch
Size: 2278 bytes
Desc: not available
URL:

From redhatrises at gmail.com Tue Jan 26 14:38:55 2016
From: redhatrises at gmail.com (Gabe Alford)
Date: Tue, 26 Jan 2016 07:38:55 -0700
Subject: [Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit
In-Reply-To: <56A7839E.9030803@redhat.com>
References: <56A76E71.2050205@redhat.com> <56A77AB6.6070206@redhat.com> <56A77B2A.5020401@redhat.com> <56A77D77.7030502@redhat.com> <56A77FE7.1020708@redhat.com> <56A7839E.9030803@redhat.com>
Message-ID: 

On Tue, Jan 26, 2016 at 7:33 AM, Martin Basti wrote:
>
> On 26.01.2016 15:17, Petr Spacek wrote:
>
>> On 26.1.2016 15:06, Martin Basti wrote:
>>
>>> On 26.01.2016 15:00, Gabe Alford wrote:
>>>
>>>> On Tue, Jan 26, 2016 at 6:56 AM, Martin Basti wrote:
>>>>
>>>> On 26.01.2016 14:55, Petr Spacek wrote:
>>>>
>>>> On 26.1.2016 14:02, Martin Basti wrote:
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5634
>>>>
>>>> Patch attached.
>>>>
>>>> It works for me in API, CLI, and Web UI. The warning is shown as expected.
>>>>
>>>> Interestingly, Web UI behaves strangely when search limit is hit. This needs more investigation because it happens even without this patch :-)
>>>>
>>>> I found a different bug there, webUI passes sizelimit: 0 (unlimited), but this value is not passed to some searches inside BaseldapSearch which raise error, I will file a ticket and provide details there
>>>>
>>>> Works for me as well. However, it would be nice to have what ipasearchlimit is limited to in the error message as well. So something like:
>>>>
>>> thanks for testing.
>>>
>>>> "Search result has been truncated, the current search limit is set to 10. Please increase the search limit."
>>>>
>>> Well this is not so easy to achieve in framework, I prefer not to add number there, it requires bigger change in framework or an extra ldap search.
>>>
>>>> Does this also address https://fedorahosted.org/freeipa/ticket/4022?
>>>>
>>> It should.
>>>
>> Maybe we can use some generic phrase like:
>> "Search result has been truncated to configured search limit."
>> and avoid advice like 'increase search limit' which may not be possible to do, e.g. because user does not have permission to do that etc.
>>
Sounds good.

> Updated patch attached.
>
Ack from me.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From: tbabej at redhat.com (Tomas Babej)
Date: Tue, 26 Jan 2016 17:48:01 +0100
Subject: [Freeipa-devel] [PATCH 0399] ipa-getkeytab: Handle the possibility of not obtaining a result
Message-ID: <56A7A341.4070604@redhat.com>

Hi,

The ldap_result operation can time out, returning a NULL result, which in turn causes the parsing operation to crash.

https://fedorahosted.org/freeipa/ticket/5642

Tomas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0399-ipa-getkeytab-Handle-the-possibility-of-not-obtainin.patch
Type: text/x-patch
Size: 1112 bytes
Desc: not available
URL: 

From: simo at redhat.com (Simo Sorce)
Date: Tue, 26 Jan 2016 11:59:47 -0500
Subject: [Freeipa-devel] [PATCH 0399] ipa-getkeytab: Handle the possibility of not obtaining a result
In-Reply-To: <56A7A341.4070604@redhat.com>
References: <56A7A341.4070604@redhat.com>
Message-ID: <1453827587.9996.52.camel@redhat.com>

On Tue, 2016-01-26 at 17:48 +0100, Tomas Babej wrote:
> Hi,
>
> The ldap_result operation can time out, returning a NULL result, which in turn causes the parsing operation to crash.
>
> https://fedorahosted.org/freeipa/ticket/5642
>
> Tomas
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

LGTM

-- 
Simo Sorce * Red Hat, Inc * New York

From: mkubik at redhat.com (Milan Kubík)
Date: Tue, 26 Jan 2016 18:37:57 +0100
Subject: [Freeipa-devel] [PATCH 0003] Refactor test_replace
In-Reply-To: <569507F4.6070604@redhat.com>
References: <20151204100402.0474eeaf@vor2.netbox.priv> <56615818.6060402@redhat.com> <20151204112955.51b5c72f@vor2.netbox.priv> <569507F4.6070604@redhat.com>
Message-ID: <56A7AEF5.6030909@redhat.com>

On 01/12/2016 03:04 PM, Milan Kubík wrote:
> On 12/04/2015 11:29 AM, Filip Škola wrote:
>> On Fri, 4 Dec 2015 10:08:40 +0100
>> Milan Kubík wrote:
>>
>>> On 12/04/2015 10:04 AM, Filip Škola wrote:
>>>> Hi,
>>>>
>>>> sending rather short one this time.
>>>>
>>>> F.
>>> NACK, UserTracker is implemented in ipatests.test_xmlrpc.tracker.user_plugin.
>>>
>> Ah, sorry for this.
>>
>> F.
> Hi,
> the tests do not work. Similar problems to test_attr. There are some problems with the expected and actual results. NACK.
>
Problems were caused by missing dependency (patch). The code looks good. ACK.

-- 
Milan Kubik

From: mkubik at redhat.com (Milan Kubík)
Date: Tue, 26 Jan 2016 18:38:22 +0100
Subject: [Freeipa-devel] [PATCH 0004] Refactor test_attr
In-Reply-To: <569507C1.1080307@redhat.com>
References: <20151204162416.28170b8e@vor2.netbox.priv> <20151207130041.409f5022@dhcp-24-120.brq.redhat.com> <20151207132527.7963c5ae@dhcp-24-120.brq.redhat.com> <569507C1.1080307@redhat.com>
Message-ID: <56A7AF0E.3030207@redhat.com>

On 01/12/2016 03:03 PM, Milan Kubík wrote:
> On 12/07/2015 01:25 PM, Filip Škola wrote:
>> Now the tier marker has been lost somewhere on the way... which is corrected in this patch.
>>
>> /me apologizes for the noise
>>
>> F.
>>
>> On Mon, 7 Dec 2015 13:00:41 +0100
>> Filip Škola wrote:
>>
>>> Self-NACK, resubmitting with the last commit which includes UserTracker from the right location...
>>>
>>> F.
>>>
>>> On Fri, 4 Dec 2015 16:24:16 +0100
>>> Filip Škola wrote:
>>>
>>>> Hi,
>>>>
>>>> sending a new version of test_attr.
>>>>
>>>> F.
> Hello, the patch doesn't work. The tests fail on mismatches in expected and actual result.
> NACK.
>
My mistake, the code just needed earlier patch. ACK.

-- 
Milan Kubik

From: mkubik at redhat.com (Milan Kubík)
Date: Tue, 26 Jan 2016 18:56:30 +0100
Subject: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin
In-Reply-To: <1869235561.17372506.1453716664538.JavaMail.zimbra@redhat.com>
References: <20151120135636.71171d5c@vor2.netbox.priv> <565C76D6.3010406@redhat.com> <20151203201556.4ff69dba@vor2.netbox.priv> <5665B88E.4000507@redhat.com> <20151209190102.1bb8fc07@vor2.netbox.priv> <1914334378.4564827.1452602733244.JavaMail.zimbra@redhat.com> <1760221088.11921867.1452868707220.JavaMail.zimbra@redhat.com> <569CD602.1030604@redhat.com> <1869235561.17372506.1453716664538.JavaMail.zimbra@redhat.com>
Message-ID: <56A7B34E.2050906@redhat.com>

On 01/25/2016 11:11 AM, Filip Skola wrote:
>
> ----- Original Message -----
>> On 01/15/2016 03:38 PM, Filip Skola wrote:
>>> Hi,
>>>
>>> sending rebased patch.
>>>
>>> F.
>>>
>>> ----- Original Message -----
>>>> Hello,
>>>>
>>>> sorry for delays. The patch no longer applies to master. Rebase it, please.
>>>>
>>>> Milan
>>>>
>>>> ----- Original Message -----
>>>> From: "Filip Škola"
>>>> To: "Milan Kubík"
>>>> Cc: freeipa-devel at redhat.com
>>>> Sent: Wednesday, 9 December, 2015 7:01:02 PM
>>>> Subject: Re: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin
>>>>
>>>> On Mon, 7 Dec 2015 17:49:18 +0100
>>>> Milan Kubík wrote:
>>>>
>>>>> On 12/03/2015 08:15 PM, Filip Škola wrote:
>>>>>> On Mon, 30 Nov 2015 17:18:30 +0100
>>>>>> Milan Kubík wrote:
>>>>>>
>>>>>>> On 11/23/2015 04:42 PM, Filip Škola wrote:
>>>>>>>> Sending updated patch.
>>>>>>>>
>>>>>>>> F.
>>>>>>>>
>>>>>>>> On Mon, 23 Nov 2015 14:59:34 +0100
>>>>>>>> Filip Škola wrote:
>>>>>>>>
>>>>>>>>> Found a couple of issues (broke some dependencies).
>>>>>>>>>
>>>>>>>>> NACK
>>>>>>>>>
>>>>>>>>> F.
>>>>>>>>>
>>>>>>>>> On Fri, 20 Nov 2015 13:56:36 +0100
>>>>>>>>> Filip Škola wrote:
>>>>>>>>>
>>>>>>>>>> Another one.
>>>>>>>>>>
>>>>>>>>>> F.
>>>>>>> Hi, the tests look good. Few remarks, though.
>>>>>>>
>>>>>>> 1. Please, use the shortest copyright notice in new modules.
>>>>>>>
>>>>>>> #
>>>>>>> # Copyright (C) 2015 FreeIPA Contributors see COPYING for license
>>>>>>> #
>>>>>>>
>>>>>>> 2. The tests `test_group_remove_group_from_protected_group` and `test_group_full_set_of_objectclass_not_available_post_detach` were not ported. Please, include them in the patch.
>>>>>>>
>>>>>>> Also, for less hassle, please rebase your patches on top of freeipa-mkubik-0025-3-Separated-Tracker-implementations-into-standalone-pa.patch which changes the location of tracker implementations and prevents circular imports.
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> these cases are there, in corresponding classes. They are marked with the original comments. (However I can move them to separate class if desirable.)
>>>>>>
>>>>>> The copyright notice is changed. Also included a few changes in the test with user without private group.
>>>>>>
>>>>>> Filip
>>>>> NACK
>>>>>
>>>>> linter:
>>>>> ************* Module tracker.group_plugin
>>>>> ipatests/test_xmlrpc/tracker/group_plugin.py:257: [E0102(function-redefined), GroupTracker.check_remove_member] method already defined line 253)
>>>>>
>>>>> Probably a leftover after the rebase made on top of my patch. Please fix it. You can check your changes by make-lint script before sending them.
>>>>>
>>>>> Thanks
>>>>>
>>>> Hi,
>>>>
>>>> I learned to use make-lint!
>>>>
>>>> Thanks,
>>>> F.
>>>>
>> Hello,
>>
>> NACK, pylint doesn't seem to like the way the fixtures are imported (pytest does a lot of runtime magic) [1].
>> One possible solution would be [2]. Though, I don't think this would be a good idea in our environment. I suggest to create the fixtures on per module basis.
>>
>> [1]: http://fpaste.org/311949/53118942/
>> [2]: https://pytest.org/latest/fixture.html#using-fixtures-from-classes-modules-or-projects
>>
>> --
>> Milan Kubik
>>
> Hi,
>
> the fixtures were copied into corresponding module. Please note that this patch has a dependency on my patch 0001 (user plugin).
>
> Filip

Linter:
************* Module ipatests.test_xmlrpc.tracker.group_plugin
W:100,26: Calling a dict.iter*() method (dict-iter-method)

please use dict.items

-- 
Milan Kubik

From: mbasti at redhat.com (Martin Basti)
Date: Tue, 26 Jan 2016 18:56:53 +0100
Subject: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs
In-Reply-To: <56A64223.4030809@redhat.com>
References: <5673F1F9.2030403@redhat.com> <56964AB1.1010902@redhat.com> <56975994.6040604@redhat.com> <5697AF06.3070805@redhat.com> <5697B7CD.6050607@redhat.com> <5697BBBA.60503@redhat.com> <5697C5E3.2010307@redhat.com> <5698EA71.2040105@redhat.com> <56A21F17.40406@redhat.com> <56A64223.4030809@redhat.com>
Message-ID: <56A7B365.6090608@redhat.com>

On 25.01.2016 16:41, Stanislav Laznicka wrote:
> Hi,
>
> Worked those comments into the code. Also added a bit different info message in clean_ruv with ca=True (ipa-replica-manage:430).
>
> Also adding steps to reproduce:
> 1. Create a master and some replica (3 replicas is a good solution - 1 with CA, 1 without, 1 to be dangling (with CA))
> 2. Change domain level to 0 and ipactl restart
> 3. Remove the "dangling-to-be" replica from masters.ipa.etc and from both ipaca and domain subtrees in mapping tree.config
> 4. Try to remove the dangling ruvs with the command
>
> Cheers,
> Standa
>
> On 01/22/2016 01:22 PM, Martin Basti wrote:
>> Hello,
>>
>> I have a few comments
>>
>> PATCH Automatically detect and remove dangling RUVs
>>
>> 1)
>> +    # get the Directory Manager password
>> +    if options.dirman_passwd:
>> +        dirman_passwd = options.dirman_passwd
>> +    else:
>> +        dirman_passwd = installutils.read_password('Directory Manager',
>> +            confirm=False, validate=False, retry=False)
>> +        if dirman_passwd is None:
>> +            sys.exit('Directory Manager password is required')
>> +
>> +    options.dirman_passwd = dirman_passwd
>>
>> IMO you need only else branch here
>>
>> if not options.dirman_passwd:
>>     dirman_passwd = installutils.read_password('Directory Manager',
>>         confirm=False, validate=False, retry=False)
>>     if dirman_passwd is None:
>>         sys.exit('Directory Manager password is required')
>>     options.dirman_passwd = dirman_passwd
>>
>> 2)
>> We should use new formatting in new code (more times in code)
>>
>> +    sys.exit(
>> +        "Failed to get data from '%s' while trying to list replicas: %s" %
>> +        (host, e)
>> +    )
>>
>> sys.exit(
>>     "Failed to get data from '{host}' while trying to list replicas: {e}".format(
>>         host=host, e=e
>>     )
>> )
>>
>> 3)
>> +    # get all masters
>> +    masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
>> +                    ipautil.realm_to_suffix(realm))
>>
>> IMO you should use constants:
>> masters_dn = DN(api.env.container_masters, api.env.basedn)
>>
>> 4)
>> +    # Get realm string for config tree
>> +    s = realm.split('.')
>> +    s = ['dc={dc},'.format(dc=x.lower()) for x in s]
>> +    realm_config = DN(('cn', ''.join(s)[0:-1]))
>>
>> Can be api.env.basedn used instead of this block of code?
>>
>> 5)
>> +    masters = [x.single_value['cn'] for x in masters]
>> ....
>> +    for master in masters:
>>
>> is there any reason why not iterate over the keys in info dict?
>>
>> for master_name, master_data/values/whatever in info.items():
>>     master_data['online'] = True
>>
>> Looks better than: info[master]['online'] = True
>>
>> 6)
>> I asked python gurus, for empty lists and dicts, please use [] and {} instead of list() and dict()
>> It is preferred and faster.
>>
>> 7)
>> +            if(info[master]['ca']):
>> +                entry = conn.get_entry(csreplica_dn)
>> +                csruv = (master, entry.single_value.get('nsDS5ReplicaID'))
>> +                if csruv not in csruvs:
>> +                    csruvs.append(csruv)
>>
>> I don't like too much adding tuples into list and then doing search there, but it is as designed
>>
>> However can you use set() instead of list when the purpose of variable is only testing existence?
>>
>> related to:
>> csruvs
>> ruvs
>> offlines
>> clean_list
>> cleaned
>>
>> 8)
>> conn in finally block may be undefined
>>
>> 9)
>> unused local variables
>>
>> clean_list
>> entry on line 570
>>
>> 10)
>> optional, comment what keys mean in info structure
>>

Hello,

1)
I accept your silence as the following code cannot use anything from api.env

+    # Get realm string for config tree
+    s = realm.split('.')
+    s = ['dc={dc},'.format(dc=x.lower()) for x in s]
+    realm_config = DN(('cn', ''.join(s)[0:-1]))

but then please use:

s = ['dc={dc}'.format(dc=x.lower()) for x in s]
realm_config = DN(('cn', ','.join(s)))

But I still think that api.env.basedn can be used, because it contains the same format as you need

realm_config = DN(('cn', api.env.basedn))

2) nitpick

ca_dn = DN(('cn', 'ca'), DN(master.dn))

AFAIK can be just

ca_dn = DN(('cn', 'ca'), master.dn)

3) uber nitpick
This is PEP8 valid, but somehow inconsistent with the rest of code and it hit my eyes

print('\t\tid: {id}, hostname: {host}'
      .format(id=csruv[1], host=csruv[0])
)

we use in code

print(
    something1,
    something2
)

or

print(something1, something2)

Otherwise LGTM

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

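The review above discusses the dangling-RUV detection only in fragments (a realm-to-DN helper, tuples kept in lists, a `conn` that may be undefined in `finally`). The following is an added example, not code from the reviewed patch or from ipa-replica-manage, that puts the reviewer's suggested idioms together into one runnable piece: sets for membership tests, `dict.items()` iteration, `','.join()` for the config DN, `str.format` for messages, and `conn = None` before the `try`. Every host name and replica id is constructed, the DN is a plain string (the real tool uses `ipapython.dn.DN`), and `FakeConnection` stands in for the LDAP connection so the example runs offline.

```python
"""Dangling-RUV detection with the idioms requested in the review.

Added example; not part of the reviewed patch. All data is constructed.
"""

# Constructed replication metadata. In a deployment the masters come
# from cn=masters,cn=ipa,cn=etc,<suffix> and the RUVs from the replica
# entries under the mapping tree; here they are literals.
MASTERS = {
    "ipa1.example.test": {"ca": True},
    "ipa2.example.test": {"ca": False},
}

# (hostname, nsDS5ReplicaID) pairs seen in the domain and CA (ipaca)
# replication data. ipa3 was removed from cn=masters, so its RUVs are
# the dangling ones the tool is meant to find. A duplicate entry is
# included on purpose: it collapses once the list becomes a set.
DOMAIN_RUVS = [
    ("ipa1.example.test", "4"),
    ("ipa2.example.test", "5"),
    ("ipa3.example.test", "6"),
    ("ipa3.example.test", "6"),
]
CA_RUVS = [
    ("ipa1.example.test", "96"),
    ("ipa3.example.test", "97"),
]


def realm_to_config_dn(realm):
    """Build the 'cn=dc=...,dc=...' value used under the mapping tree.

    ','.join() as suggested in the review, instead of appending a comma
    to every component and slicing the last one off.
    """
    components = ["dc={dc}".format(dc=part.lower())
                  for part in realm.split(".")]
    return "cn=" + ",".join(components)


def find_dangling_ruvs(masters, domain_ruvs, ca_ruvs):
    """Return (dangling_domain, dangling_ca) as sets of (host, id) tuples.

    Sets are used wherever the only question is membership (review point
    7); the masters dict is walked with items() (review point 5).
    """
    online = set()    # hosts still listed as masters
    ca_hosts = set()  # subset of those that also serve the CA
    for hostname, data in masters.items():
        online.add(hostname)
        if data["ca"]:
            ca_hosts.add(hostname)

    dangling_domain = {ruv for ruv in set(domain_ruvs)
                       if ruv[0] not in online}
    dangling_ca = {ruv for ruv in set(ca_ruvs)
                   if ruv[0] not in ca_hosts}
    return dangling_domain, dangling_ca


class FakeConnection:
    """Stand-in for an LDAP connection so the example runs offline."""

    def __init__(self, fail=False):
        if fail:
            raise RuntimeError("connection refused")
        self.closed = False

    def unbind(self):
        self.closed = True


def list_replicas(host, fail=False):
    """Review point 8: bind conn to None before the try block so the
    finally clause never touches an undefined name when connecting
    raises. The message uses str.format (review point 2)."""
    conn = None
    try:
        conn = FakeConnection(fail=fail)
        return "ok"
    except RuntimeError as e:
        return ("Failed to get data from '{host}' while trying to list "
                "replicas: {e}".format(host=host, e=e))
    finally:
        if conn is not None:
            conn.unbind()


if __name__ == "__main__":
    print(realm_to_config_dn("EXAMPLE.TEST"))
    print(find_dangling_ruvs(MASTERS, DOMAIN_RUVS, CA_RUVS))
    print(list_replicas("ipa3.example.test", fail=True))
```

The CA and domain RUVs are checked against different host sets on purpose: a master without a CA has no business appearing in the ipaca RUV list, which matches the separate `ca=True` handling the thread mentions for `clean_ruv`.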
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 26 Jan 2016 18:57:49 +0100
Subject: [Freeipa-devel] [PATCH] webui: 949 crash nicely if sessionStorage is not available
Message-ID: <56A7B39D.8070002@redhat.com>

https://fedorahosted.org/freeipa/ticket/5643

-- 
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0949-webui-crash-nicely-if-sessionStorage-is-not-availabl.patch
Type: text/x-patch
Size: 3143 bytes
Desc: not available
URL: 

From: tbabej at redhat.com (Tomas Babej)
Date: Tue, 26 Jan 2016 18:59:45 +0100
Subject: [Freeipa-devel] [PATCH] webui: 949 crash nicely if sessionStorage is not available
In-Reply-To: <56A7B39D.8070002@redhat.com>
References: <56A7B39D.8070002@redhat.com>
Message-ID: <56A7B411.9090508@redhat.com>

ACK

On 01/26/2016 06:57 PM, Petr Vobornik wrote:
> https://fedorahosted.org/freeipa/ticket/5643
>

From: mbasti at redhat.com (Martin Basti)
Date: Tue, 26 Jan 2016 19:03:51 +0100
Subject: [Freeipa-devel] [PATCH 0003] Refactor test_replace
In-Reply-To: <56A7AEF5.6030909@redhat.com>
References: <20151204100402.0474eeaf@vor2.netbox.priv> <56615818.6060402@redhat.com> <20151204112955.51b5c72f@vor2.netbox.priv> <569507F4.6070604@redhat.com> <56A7AEF5.6030909@redhat.com>
Message-ID: <56A7B507.7020305@redhat.com>

On 26.01.2016 18:37, Milan Kubík wrote:
> On 01/12/2016 03:04 PM, Milan Kubík wrote:
>> On 12/04/2015 11:29 AM, Filip Škola wrote:
>>> On Fri, 4 Dec 2015 10:08:40 +0100
>>> Milan Kubík wrote:
>>>
>>>> On 12/04/2015 10:04 AM, Filip Škola wrote:
>>>>> Hi,
>>>>>
>>>>> sending rather short one this time.
>>>>>
>>>>> F.
>>>> NACK, UserTracker is implemented in ipatests.test_xmlrpc.tracker.user_plugin.
>>>>
>>> Ah, sorry for this.
>>>
>>> F.
>> Hi,
>> the tests do not work. Similar problems to test_attr. There are some problems with the expected and actual results. NACK.
>>
> Problems were caused by missing dependency (patch). The code looks good. ACK.
>
Pushed to:
master: 9ba5bf03a89816ef33f7d0b8dab14aa2e01deaaa
ipa-4-3: 66c7ecd8c6b42fe17aa5d5410f67baf8371eba25

From: mbasti at redhat.com (Martin Basti)
Date: Tue, 26 Jan 2016 19:05:06 +0100
Subject: [Freeipa-devel] [PATCH 0004] Refactor test_attr
In-Reply-To: <56A7AF0E.3030207@redhat.com>
References: <20151204162416.28170b8e@vor2.netbox.priv> <20151207130041.409f5022@dhcp-24-120.brq.redhat.com> <20151207132527.7963c5ae@dhcp-24-120.brq.redhat.com> <569507C1.1080307@redhat.com> <56A7AF0E.3030207@redhat.com>
Message-ID: <56A7B552.1000000@redhat.com>

On 26.01.2016 18:38, Milan Kubík wrote:
> On 01/12/2016 03:03 PM, Milan Kubík wrote:
>> On 12/07/2015 01:25 PM, Filip Škola wrote:
>>> Now the tier marker has been lost somewhere on the way... which is corrected in this patch.
>>>
>>> /me apologizes for the noise
>>>
>>> F.
>>>
>>> On Mon, 7 Dec 2015 13:00:41 +0100
>>> Filip Škola wrote:
>>>
>>>> Self-NACK, resubmitting with the last commit which includes UserTracker from the right location...
>>>>
>>>> F.
>>>>
>>>> On Fri, 4 Dec 2015 16:24:16 +0100
>>>> Filip Škola wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> sending a new version of test_attr.
>>>>>
>>>>> F.
>> Hello, the patch doesn't work. The tests fail on mismatches in expected and actual result.
>> NACK.
>>
> My mistake, the code just needed earlier patch. ACK.
>
Pushed to:
master: ec75b01f17e759f3a1bba2d8bb63e09d65fec051
ipa-4-3: 0b04242e3478eab45121893db676cbe3829edb7c

From: mkubik at redhat.com (Milan Kubík)
Date: Tue, 26 Jan 2016 19:13:56 +0100
Subject: [Freeipa-devel] [PATCH 0005] Refactor test_nesting, create HostGroupTracker
In-Reply-To: <1592657483.12984474.1453123591078.JavaMail.zimbra@redhat.com>
References: <2134068455.1326509.1450781775764.JavaMail.zimbra@redhat.com> <1902672460.4566340.1452602887525.JavaMail.zimbra@redhat.com> <1118746236.11920442.1452868635399.JavaMail.zimbra@redhat.com> <569CD698.4020900@redhat.com> <1592657483.12984474.1453123591078.JavaMail.zimbra@redhat.com>
Message-ID: <56A7B764.3080202@redhat.com>

On 01/18/2016 02:26 PM, Filip Skola wrote:
> Hi,
>
> this should be fixed in this patch.
>
> F.
>
> ----- Original Message -----
>> On 01/15/2016 03:37 PM, Filip Skola wrote:
>>> Hi,
>>>
>>> sending rebased patch.
>>>
>>> F.
>>>
>>> ----- Original Message -----
>>>> Hi,
>>>>
>>>> the patch no longer applies to master. Please rebase it.
>>>>
>>>> Thanks,
>>>> Milan
>>>>
>>>> ----- Original Message -----
>>>> From: "Filip Skola"
>>>> To: freeipa-devel at redhat.com
>>>> Cc: "Milan Kubík", "Aleš Mareček"
>>>> Sent: Tuesday, 22 December, 2015 11:56:15 AM
>>>> Subject: [PATCH 0005] Refactor test_nesting, create HostGroupTracker
>>>>
>>>> Hi,
>>>>
>>>> another patch from refactoring-test_xmlrpc series.
>>>>
>>>> Filip
>>>>
>> NACK, something seems to be missing in the patch
>>
>> ************* Module ipatests.test_xmlrpc.tracker.hostgroup_plugin
>> ipatests/test_xmlrpc/tracker/hostgroup_plugin.py:222: [E1101(no-member), HostGroupTracker.check_add_member_negative] Instance of 'HostGroupTracker' has no 'adds' member)
>>
>> --
>> Milan Kubik
>>

The same as with patch 0002:

************* Module ipatests.test_xmlrpc.tracker.hostgroup_plugin
W:142,26: Calling a dict.iter*() method (dict-iter-method)

Please use dict.items method.

-- 
Milan Kubik

From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 27 Jan 2016 08:06:17 +0100
Subject: [Freeipa-devel] [PATCH 540] cert renewal: import all external CA certs on IPA CA cert renewal
In-Reply-To: <56A5CC70.6070000@redhat.com>
References: <56A0A499.1090809@redhat.com> <56A1F79C.9050102@redhat.com> <56A21272.5020709@redhat.com> <56A5CC70.6070000@redhat.com>
Message-ID: <56A86C69.2040409@redhat.com>

On 01/25/2016 08:19 AM, Jan Cholasta wrote:
> On 22.1.2016 12:28, Jan Cholasta wrote:
>> On 22.1.2016 10:34, Martin Babinsky wrote:
>>> On 01/21/2016 10:27 AM, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> the attached patch fixes .
>>>>
>>>> Honza
>>>>
>>> ACK
>>
>> Self-NACK. Doesn't work with external CA install.
>>
>
> Updated patches attached.
>
ACK

-- 
Martin^3 Babinsky

From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 27 Jan 2016 08:12:25 +0100
Subject: [Freeipa-devel] [PATCH] 0049 Remove workaround for CA running check
In-Reply-To: <56A0D8D2.4030400@redhat.com>
References: <20160120074550.GO31821@dhcp-40-8.bne.redhat.com> <569F45A5.1080408@redhat.com> <20160120095232.GP31821@dhcp-40-8.bne.redhat.com> <56A0D8D2.4030400@redhat.com>
Message-ID: <56A86DD9.6020906@redhat.com>

On 21.1.2016 14:10, Martin Basti wrote:
>
> On 20.01.2016 10:52, Fraser Tweedale wrote:
>> On Wed, Jan 20, 2016 at 09:30:29AM +0100, Martin Kosek wrote:
>>> On 01/20/2016 08:45 AM, Fraser Tweedale wrote:
>>>> The attached patch removes a workaround introduced as part of https://fedorahosted.org/freeipa/ticket/4676.
>>>>
>>>> Alternatively, if we want to keep the "workaround" I will submit a different patch that removes unused code and FIXME comments :)
>>>>
>>>> Cheers,
>>>> Fraser
>>> You may also want to check FreeIPA spec file, if there is now no extra curl dependency. I would leave it up to Martin Basti, to confirm that the original issue cannot appear again. It was a nightmare to troubleshoot, as I heard :)
>>>
>> Good pickup on the curl dependency; indeed it is no longer needed. Updated patch attached.
> Thank you, patch works for me. However, I'm not sure where the original error was located, it looked like something in _httplib_request doesn't work properly with SSL. Your patch uses _httplib_request without TLS so it should work.
>
> I would like to push this patch only to master, as the issue before wasn't regularly reproducible, and I will keep eye on it.
>
> Also I will remove the ticket #4676 from description, because ticket has been closed in 4.1 Milestone.
>
> ACK with keeping eyes on it
>
> Pushed to master: fd7ea2c9395651d5bce41cc603557fea107f65a7

Please don't introduce additional patches to tickets closed in released milestones. You should open a new ticket for the additional change so that it can be properly triaged and you don't have to guess where it should be pushed.

Honza

-- 
Jan Cholasta

From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 27 Jan 2016 08:22:48 +0100
Subject: [Freeipa-devel] [PATCH 0130] disable RA plugins when promoting a replica from CA-less master
In-Reply-To: <56A0E56C.107@redhat.com>
References: <56A0D4E1.6030504@redhat.com> <56A0DB6F.9080709@redhat.com> <56A0E0DD.10904@redhat.com> <56A0E270.9060000@redhat.com> <56A0E56C.107@redhat.com>
Message-ID: <56A87048.2040206@redhat.com>

On 21.1.2016 15:04, Martin Babinsky wrote:
> On 01/21/2016 02:51 PM, Jan Cholasta wrote:
>> On 21.1.2016 14:45, Martin Babinsky wrote:
>>> On 01/21/2016 02:21 PM, Petr Vobornik wrote:
>>>> On 01/21/2016 01:53 PM, Martin Babinsky wrote:
>>>>> this patch ensures that promoted replicas in CA-less topology have correct settings in their default.conf.
>>>>>
>>>>> I couldn't find any ticket for this issue, should I file one so that this patch can land in 4-3 branch?
>>>>>
>>>> yes
>>>
>>> New ticket here: https://fedorahosted.org/freeipa/ticket/5626
>>>
>>> I have also attached the ticket URL to the commit message.
>>
>> Why so much code for such a simple change? Please keep the style consistent with the code in install.install() and replicainstall.install().
>>
>
> It did not occur to me as much code, the logic was equivalent to the stuff other installers do but bit more concise.
>
> But attaching updated patch in common style anyway.

Thanks, ACK.

Pushed to:
master: 7dae5c09d5a6bf084661511bef4811223da64252
ipa-4-3: b63505ef765768b7cbcfc84983c249269ab8b788

-- 
Jan Cholasta

From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 27 Jan 2016 09:10:58 +0100
Subject: [Freeipa-devel] [PATCH 542] replica install: validate DS and HTTP server certificates
In-Reply-To: <56A5CEE7.5050806@redhat.com>
References: <56A5CEE7.5050806@redhat.com>
Message-ID: <56A87B92.2030101@redhat.com>

On 01/25/2016 08:29 AM, Jan Cholasta wrote:
> Hi,
>
> the attached patch fixes .
>
> Honza
>
You may need to rebase the patch on top of ipa-4-2, otherwise ACK.

-- 
Martin^3 Babinsky

From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 27 Jan 2016 09:16:41 +0100
Subject: [Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit
In-Reply-To: 
References: <56A76E71.2050205@redhat.com> <56A77AB6.6070206@redhat.com> <56A77B2A.5020401@redhat.com> <56A77D77.7030502@redhat.com> <56A77FE7.1020708@redhat.com> <56A7839E.9030803@redhat.com>
Message-ID: <56A87CE9.9000009@redhat.com>

On 26.1.2016 15:38, Gabe Alford wrote:
> On Tue, Jan 26, 2016 at 7:33 AM, Martin Basti wrote:
>
>> On 26.01.2016 15:17, Petr Spacek wrote:
>>
>>> On 26.1.2016 15:06, Martin Basti wrote:
>>>
>>>> On 26.01.2016 15:00, Gabe Alford wrote:
>>>>
>>>>> On Tue, Jan 26, 2016 at 6:56 AM, Martin Basti wrote:
>>>>>
>>>>> On 26.01.2016 14:55, Petr Spacek wrote:
>>>>>
>>>>> On 26.1.2016 14:02, Martin Basti wrote:
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5634
>>>>>
>>>>> Patch attached.
>>>>>
>>>>> It works for me in API, CLI, and Web UI. The warning is shown as expected.
>>>>>
>>>>> Interestingly, Web UI behaves strangely when search limit is hit. This needs more investigation because it happens even without this patch :-)
>>>>>
>>>>> I found a different bug there, webUI passes sizelimit: 0 (unlimited), but this value is not passed to some searches inside BaseldapSearch which raise error, I will file a ticket and provide details there
>>>>>
>>>>> Works for me as well. However, it would be nice to have what ipasearchlimit is limited to in the error message as well. So something like:
>>>>>
>>>> thanks for testing.
>>>>
>>>>> "Search result has been truncated, the current search limit is set to 10. Please increase the search limit."
>>>>>
>>>> Well this is not so easy to achieve in framework, I prefer not to add number there, it requires bigger change in framework or an extra ldap search.
>>>>
>>>>> Does this also address https://fedorahosted.org/freeipa/ticket/4022?
>>>>>
>>>> It should.
>>>>
>>> Maybe we can use some generic phrase like:
>>> "Search result has been truncated to configured search limit."
>>> and avoid advice like 'increase search limit' which may not be possible to do, e.g. because user does not have permission to do that etc.
>>>
> Sounds good.
>
>> Updated patch attached.
>>
> Ack from me.

Push it, the weird behavior in WebUI happens even without the patch :-)

-- 
Petr^2 Spacek

From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 27 Jan 2016 09:23:47 +0100
Subject: [Freeipa-devel] [TEST][Patch 0021] Fixed recent replica installation issues in the lab
In-Reply-To: <56A0FC2C.2010004@redhat.com>
References: <56A0D223.2060702@redhat.com> <56A0FC2C.2010004@redhat.com>
Message-ID: <56A87E93.9030302@redhat.com>

Hi,

On 01/21/2016 04:41 PM, Petr Spacek wrote:
> Hello,
>
> On 21.1.2016 13:42, Oleg Fayans wrote:
>> freeipa-ofayans-0021-Removed-ip-address-option-from-replica-installation.patch
>>
>>
>> From d7ab06a4dcddb919fda351b983d478f1b6968578 Mon Sep 17 00:00:00 2001
>> From: Oleg Fayans
>> Date: Thu, 21 Jan 2016 13:30:02 +0100
>> Subject: [PATCH] Removed --ip-address option from replica installation
>>
>> Explicitly specifying ip-address of the replica messes up with the current
>> bind-dyndb-ldap logic, causing reverse zone not to be created.
>>
>> Enabled reverse-zone creation for the clients residing in different subnet from
>> master
>> ---
>> ipatests/test_integration/tasks.py | 19 ++++++++++++-------
>> 1 file changed, 12 insertions(+), 7 deletions(-)
>>
>> diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
>> index 6eb55501389c72b4c7aaa599fd4852d7e8f1f3c2..43ef78b0c55deed24a0444f0ac6c38ddb2517481 100644
>> --- a/ipatests/test_integration/tasks.py
>> +++ b/ipatests/test_integration/tasks.py
>> @@ -69,6 +69,8 @@ def prepare_reverse_zone(host, ip): >> host.run_command(["ipa", >> "dnszone-add", >> zone], raiseonerr=False) >> + return zone >> + >> >> def prepare_host(host): >> if isinstance(host, Host): >> @@ -319,11 +321,8 @@ def domainlevel(host): >> def replica_prepare(master, replica): >> apply_common_fixes(replica) >> fix_apache_semaphores(replica) >> - prepare_reverse_zone(master, replica.ip) >> - master.run_command(['ipa-replica-prepare', >> - '-p', replica.config.dirman_password, >> - '--ip-address', replica.ip, >> - replica.hostname]) >> + master.run_command(['ipa-replica-prepare', '-p', replica.config.dirman_password, >> + '--auto-reverse', replica.hostname]) > > I guess that you will need --ip-address option in cases where master's reverse > record does not exist (yet). And yo were right. Fixed > > I would recommend you to test this in libvirt or somewhere without revere > records, I suspect that it might blow up. > >> replica_bundle = master.get_file_contents( >> paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname) >> replica_filename = get_replica_filename(replica) >> @@ -339,8 +338,7 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False, >> # and replica installation would fail >> args = ['ipa-replica-install', '-U', >> '-p', replica.config.dirman_password, >> - '-w', replica.config.admin_password, >> - '--ip-address', replica.ip] >> + '-w', replica.config.admin_password] >> if setup_ca: >> args.append('--setup-ca') >> if setup_dns: 
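Review bot: in the `@@ -69,6 +69,8 @@` hunk, `prepare_reverse_zone` now returns `zone`, but the `dnszone-add` just above it still runs with `raiseonerr=False`, so callers get a zone name back even when the zone was never created; return the command result (or check its `returncode`) so that the new caller in `install_client` can decide whether to follow up with `dnszone-mod`.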
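Review bot: in the `@@ -319,11 +321,8 @@` hunk, dropping both `prepare_reverse_zone(master, replica.ip)` and `--ip-address` leaves `ipa-replica-prepare` with only `--auto-reverse`, which creates the reverse zone but does not help when the replica's forward record is not resolvable yet, the situation the reply in this thread warns about; keep a path that passes the address when the lab has no records. Style-wise, the new `master.run_command(['ipa-replica-prepare', '-p', replica.config.dirman_password,` line runs past 79 columns; keep one argument per line as the removed lines did.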
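Review bot: in the `@@ -339,8 +338,7 @@` hunk, `--ip-address` disappears from the `ipa-replica-install` arguments with no trace in the code of why; the reason is only in the commit message (explicitly passing the address stops bind-dyndb-ldap from creating the reverse zone). Add a one-line comment in `install_replica` so the option is not re-added later by someone fixing an unrelated lab failure.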
>> @@ -380,6 +378,13 @@ def install_client(master, client, extra_args=()): >> client.collect_log(paths.IPACLIENT_INSTALL_LOG) >> >> apply_common_fixes(client) >> + # Now, for the situations where a client resides in a different subnet from >> + # master, we need to explicitly tell master to create a reverse zone for >> + # the client and enable dynamic updates for this zone. >> + allow_sync_ptr(master) >> + zone = prepare_reverse_zone(master, client.ip) >> + master.run_command(["ipa", "dnszone-mod", zone, >> + "--dynamic-update=TRUE"], raiseonerr=False) > > I'm not a big fan of ignoring exceptions here, it might be better to > encapsulate the first command with try: except: and run the zone-mod only if > the add worked as expected. > > Also, logging an message that reverse zone was not added might be a good idea. Agreed. Done. > > HTH > > Petr^2 Spacek > > >> >> client.run_command(['ipa-client-install', '-U', >> '--domain', client.domain.name, > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0021.1-Removed-ip-address-option-from-replica-installation.patch Type: text/x-patch Size: 3097 bytes Desc: not available URL: From ofayans at redhat.com Wed Jan 27 08:24:43 2016 From: ofayans at redhat.com (Oleg Fayans) Date: Wed, 27 Jan 2016 09:24:43 +0100 Subject: [Freeipa-devel] [TEST][Patch 0020] Enabled recreation of test directory during ipa reinstallation In-Reply-To: <56A0C831.6040909@redhat.com> References: <56A0C831.6040909@redhat.com> Message-ID: <56A87ECB.1020300@redhat.com> Hi guys, Any chance this can be reviewed any time soon? On 01/21/2016 12:59 PM, Oleg Fayans wrote: > > > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From jcholast at redhat.com Wed Jan 27 08:27:19 2016 
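Review bot: in the `@@ -380,6 +378,13 @@` hunk of the quoted patch, `install_client` runs `ipa dnszone-mod <zone> --dynamic-update=TRUE` with `raiseonerr=False` right after `prepare_reverse_zone`, which itself swallows a failed `dnszone-add`, so a reverse zone that was never created is masked twice and the client test proceeds with dynamic updates silently disabled; run the modification only when the add succeeded, and log when it did not, as the reply in this thread also asks.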
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 27 Jan 2016 09:27:19 +0100 Subject: [Freeipa-devel] [PATCH 543] CA install: explicitly set dogtag_version to 10 In-Reply-To: <56A73B00.1070702@redhat.com> References: <56A5D4B6.8030201@redhat.com> <20160125075612.GY4316@redhat.com> <56A738FD.5030305@redhat.com> <56A73B00.1070702@redhat.com> Message-ID: <56A87F67.80803@redhat.com> On 26.1.2016 10:23, Martin Babinsky wrote: > On 01/26/2016 10:14 AM, Martin Babinsky wrote: >> On 01/25/2016 08:56 AM, Alexander Bokovoy wrote: >>> On Mon, 25 Jan 2016, Jan Cholasta wrote: >>>> Hi, >>>> >>>> the attached patch fixes >>>> . >>>> >>>> Note that this is a 4.2-specific fix. >>>> >>>> Honza >>>> >>>> -- >>>> Jan Cholasta >>> >>>> From c2a0684c64538166809883a235bd131518b6e78f Mon Sep 17 00:00:00 2001 >>>> From: Jan Cholasta >>>> Date: Mon, 25 Jan 2016 08:48:42 +0100 >>>> Subject: [PATCH] CA install: explicitly set dogtag_version to 10 >>>> >>>> When installing new CA master, explicitly set the dogtag_version >>>> option to >>>> 10 in api.bootstrap() to prevent failures in code which expects the >>>> value >>>> to be 10 rather than the default value of 9. >>>> >>>> https://fedorahosted.org/freeipa/ticket/5611 >>>> --- >>>> install/tools/ipa-ca-install | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/install/tools/ipa-ca-install >>>> b/install/tools/ipa-ca-install >>>> index 6564e4d..e8ccaef 100755 >>>> --- a/install/tools/ipa-ca-install >>>> +++ b/install/tools/ipa-ca-install 
>>>> @@ -162,7 +162,7 @@ def install_master(safe_options, options): >>>> >>>> # override ra_plugin setting read from default.conf so that we have >>>> # functional dogtag backend plugins during CA install >>>> - api.bootstrap(in_server=True, ra_plugin='dogtag') >>>> + api.bootstrap(in_server=True, ra_plugin='dogtag', >>>> dogtag_version=10) >>>> api.finalize() >>>> >>>> dm_password = options.password >>>> -- >>> ACK. >>> >> >> Not so fast, I have this patch applied on top of ipa-4-2 and it does not >> fix the crash described in the ticket. >> > > See the end of CA install log (http://fpaste.org/314777/14537999/), it > seems that despite setting dogtag version to 10 in API initialization, > CA instance still thinks it needs to work with version 9. > > It seems that dogtag.configured_constants() function is to blame: > > """ > In [4]: from ipalib import api > > In [5]: api.bootstrap(dogtag_version=10) > > In [6]: api.finalize() > > In [7]: dogtag.configured_constants() > Out[7]: ipapython.dogtag.Dogtag9Constants > > In [8]: dogtag.configured_constants(api) > Out[8]: ipapython.dogtag.Dogtag10Constants > """ Updated patch attached. -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-543.1.4_2-CA-install-explicitly-set-dogtag_version-to-10-when-.patch Type: text/x-patch Size: 3138 bytes Desc: not available URL: From mbabinsk at redhat.com Wed Jan 27 10:02:15 2016 
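Review bot: passing `dogtag_version=10` in `+ api.bootstrap(in_server=True, ra_plugin='dogtag', dogtag_version=10)` only takes effect for code that reads the version from that `api` object; the interactive session quoted later in this message shows `dogtag.configured_constants()` with no argument still returning `Dogtag9Constants` after `api.bootstrap(dogtag_version=10)`, while `dogtag.configured_constants(api)` returns `Dogtag10Constants`. So the one-line hunk is sufficient only if every `configured_constants()` call on the CA-install path is given `api`; either fix those call sites in the same patch (which the "Updated patch attached" follow-up appears to do) or set the version where the argument-less lookup reads it. Also add a comment next to `dogtag_version=10` saying this is a 4.2-only pin, as the cover note states, so it is not carried forward blindly.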
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 27 Jan 2016 11:02:15 +0100 Subject: [Freeipa-devel] [PATCH 0031] ipatests: fix the install of external ca In-Reply-To: <569E6AA6.2070503@redhat.com> References: <569E64E3.4030406@redhat.com> <569E6AA6.2070503@redhat.com> Message-ID: <56A895A7.1040807@redhat.com> On 01/19/2016 05:56 PM, Milan Kubík wrote: > On 01/19/2016 05:31 PM, Milan Kubík wrote: >> Patch attached. >> >> >> > This actually has a ticket opened. Patch with fixed commit message. ;) > > -- > Milan Kubik > > > ACK -- Martin^3 Babinsky From ofayans at redhat.com Wed Jan 27 10:16:05 2016 From: ofayans at redhat.com (Oleg Fayans) Date: Wed, 27 Jan 2016 11:16:05 +0100 Subject: [Freeipa-devel] [TEST][Patch 0021] Fixed recent replica installation issues in the lab In-Reply-To: <56A87E93.9030302@redhat.com> References: <56A0D223.2060702@redhat.com> <56A0FC2C.2010004@redhat.com> <56A87E93.9030302@redhat.com> Message-ID: <56A898E5.9060202@redhat.com> Sorry, trailing whitespace detected. This version passes lint. On 01/27/2016 09:23 AM, Oleg Fayans wrote: > Hi, > > On 01/21/2016 04:41 PM, Petr Spacek wrote: >> Hello, >> >> On 21.1.2016 13:42, Oleg Fayans wrote: >>> freeipa-ofayans-0021-Removed-ip-address-option-from-replica-installation.patch >>> >>> >>> From d7ab06a4dcddb919fda351b983d478f1b6968578 Mon Sep 17 00:00:00 2001 >>> From: Oleg Fayans >>> Date: Thu, 21 Jan 2016 13:30:02 +0100 >>> Subject: [PATCH] Removed --ip-address option from replica installation >>> >>> Explicitly specifying ip-address of the replica messes up with the current >>> bind-dyndb-ldap logic, causing reverse zone not to be created. >>> >>> Enabled reverse-zone creation for the clients residing in different subnet from >>> master >>> --- >>> ipatests/test_integration/tasks.py | 19 ++++++++++++------- >>> 1 file changed, 12 insertions(+), 7 deletions(-) 
>>> >>> diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py >>> index 6eb55501389c72b4c7aaa599fd4852d7e8f1f3c2..43ef78b0c55deed24a0444f0ac6c38ddb2517481 100644 >>> --- a/ipatests/test_integration/tasks.py >>> +++ b/ipatests/test_integration/tasks.py >>> @@ -69,6 +69,8 @@ def prepare_reverse_zone(host, ip): >>> host.run_command(["ipa", >>> "dnszone-add", >>> zone], raiseonerr=False) >>> + return zone >>> + >>> >>> def prepare_host(host): >>> if isinstance(host, Host): >>> @@ -319,11 +321,8 @@ def domainlevel(host): >>> def replica_prepare(master, replica): >>> apply_common_fixes(replica) >>> fix_apache_semaphores(replica) >>> - prepare_reverse_zone(master, replica.ip) >>> - master.run_command(['ipa-replica-prepare', >>> - '-p', replica.config.dirman_password, >>> - '--ip-address', replica.ip, >>> - replica.hostname]) >>> + master.run_command(['ipa-replica-prepare', '-p', replica.config.dirman_password, >>> + '--auto-reverse', replica.hostname]) >> >> I guess that you will need --ip-address option in cases where master's reverse >> record does not exist (yet). > And you were right. Fixed > >> >> I would recommend you to test this in libvirt or somewhere without reverse >> records, I suspect that it might blow up. >> >>> replica_bundle = master.get_file_contents( >>> paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname) >>> replica_filename = get_replica_filename(replica) >>> @@ -339,8 +338,7 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False, >>> # and replica installation would fail >>> args = ['ipa-replica-install', '-U', >>> '-p', replica.config.dirman_password, >>> - '-w', replica.config.admin_password, >>> - '--ip-address', replica.ip] >>> + '-w', replica.config.admin_password] >>> if setup_ca: >>> args.append('--setup-ca') >>> if setup_dns: 
>>> @@ -380,6 +378,13 @@ def install_client(master, client, extra_args=()): >>> client.collect_log(paths.IPACLIENT_INSTALL_LOG) >>> >>> apply_common_fixes(client) >>> + # Now, for the situations where a client resides in a different subnet from >>> + # master, we need to explicitly tell master to create a reverse zone for >>> + # the client and enable dynamic updates for this zone. >>> + allow_sync_ptr(master) >>> + zone = prepare_reverse_zone(master, client.ip) >>> + master.run_command(["ipa", "dnszone-mod", zone, >>> + "--dynamic-update=TRUE"], raiseonerr=False) >> >> I'm not a big fan of ignoring exceptions here, it might be better to >> encapsulate the first command with try: except: and run the zone-mod only if >> the add worked as expected. >> >> Also, logging a message that reverse zone was not added might be a good idea. > Agreed. Done. > >> >> HTH >> >> Petr^2 Spacek >> >> >>> >>> client.run_command(['ipa-client-install', '-U', >>> '--domain', client.domain.name, >> > > > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0021.2-Removed-ip-address-option-from-replica-installation.patch Type: text/x-patch Size: 3097 bytes Desc: not available URL: From mbabinsk at redhat.com Wed Jan 27 11:10:51 2016 
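The flow discussed in this thread (compute and add the client's reverse zone on the master, enable dynamic updates only if the add worked, and log when it did not), as an added example that is not part of the patch or of FreeIPA's ipatests code. It assumes the usual /24 (IPv4) and /64 (IPv6) reverse-zone defaults, that the thread's allow_sync_ptr() amounts to `ipa dnsconfig-mod --allow-sync-ptr=TRUE`, and that a duplicate `dnszone-add` reports "already exists" on stderr; FakeHost and its scripted results are constructed stand-ins for an integration-test Host object, not a real master.

```python
"""Reverse-zone preparation for a test client, with failures surfaced.

Added example, not FreeIPA's ipatests code. Assumptions (not from the thread):
/24 and /64 reverse-zone defaults, allow-sync-ptr via `ipa dnsconfig-mod`,
and an "already exists" message on stderr for a duplicate dnszone-add.
"""
import ipaddress
import logging

log = logging.getLogger("reverse_zone")


def reverse_zone_for(ip):
    """Return the reverse zone name (trailing dot) that would hold ip's PTR.

    Assumed defaults: a /24 for IPv4 and a /64 for IPv6.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    net = ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False)
    labels = net.network_address.reverse_pointer.split(".")
    # Drop the host part: one octet per 8 bits for IPv4, one nibble per 4 bits for IPv6.
    bits_per_label = 8 if addr.version == 4 else 4
    drop = (addr.max_prefixlen - prefix) // bits_per_label
    return ".".join(labels[drop:]) + "."


class CommandResult:
    """Minimal result object: what run_command is assumed to hand back."""

    def __init__(self, returncode, stdout="", stderr=""):
        self.returncode = returncode
        self.stdout = stdout
        self.stderr = stderr


class FakeHost:
    """Constructed stand-in for a test Host: records commands and returns
    scripted results keyed by ipa subcommand instead of running anything."""

    def __init__(self, failures=None, hostname="master.example.test"):
        self.hostname = hostname
        self.commands = []
        self.failures = dict(failures or {})  # subcommand -> (returncode, stderr)

    def __str__(self):
        return self.hostname

    def run_command(self, argv, raiseonerr=True):
        self.commands.append(list(argv))
        rc, err = self.failures.get(argv[1], (0, ""))
        if rc != 0 and raiseonerr:
            raise RuntimeError("%s failed: %s" % (argv[1], err))
        return CommandResult(rc, stderr=err)


def prepare_reverse_zone(host, ip):
    """Add the reverse zone for ip on host; return its name, or None on failure.

    A zone that already exists counts as success; anything else is logged
    and reported to the caller instead of being swallowed.
    """
    zone = reverse_zone_for(ip)
    result = host.run_command(["ipa", "dnszone-add", zone], raiseonerr=False)
    if result.returncode == 0:
        return zone
    if "already exists" in result.stderr:  # assumed CLI wording for a duplicate zone
        log.info("reverse zone %s already present on %s", zone, host)
        return zone
    log.warning("reverse zone %s was not added on %s: %s",
                zone, host, result.stderr.strip())
    return None


def enable_client_reverse_updates(master, client_ip):
    """Prepare master so a client in another subnet can get its PTR record.

    Returns the zone name when dynamic updates were enabled, None otherwise.
    """
    # Realm-wide PTR sync; assumed equivalent of the thread's allow_sync_ptr().
    master.run_command(["ipa", "dnsconfig-mod", "--allow-sync-ptr=TRUE"])
    zone = prepare_reverse_zone(master, client_ip)
    if zone is None:
        log.warning("skipping dynamic-update setup: no reverse zone for %s", client_ip)
        return None
    # Only modify a zone known to exist, and let a failure here raise.
    master.run_command(["ipa", "dnszone-mod", zone, "--dynamic-update=TRUE"])
    return zone


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    dup = 'ipa: ERROR: DNS zone with name "2.0.192.in-addr.arpa." already exists'
    master = FakeHost({"dnszone-add": (1, dup)})
    print(enable_client_reverse_updates(master, "192.0.2.10"))
    for argv in master.commands:
        print(" ".join(argv))
```

Against a real Host only FakeHost needs replacing, by any object whose run_command returns something with returncode and stderr. The "already exists" branch is what keeps the step idempotent when several clients in the same /24 go through it; every other failure stops before the zone-mod and leaves a warning in the log.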
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 27 Jan 2016 12:10:51 +0100 Subject: [Freeipa-devel] [PATCH 543] CA install: explicitly set dogtag_version to 10 In-Reply-To: <56A87F67.80803@redhat.com> References: <56A5D4B6.8030201@redhat.com> <20160125075612.GY4316@redhat.com> <56A738FD.5030305@redhat.com> <56A73B00.1070702@redhat.com> <56A87F67.80803@redhat.com> Message-ID: <56A8A5BB.3000906@redhat.com> On 01/27/2016 09:27 AM, Jan Cholasta wrote: > On 26.1.2016 10:23, Martin Babinsky wrote: >> On 01/26/2016 10:14 AM, Martin Babinsky wrote: >>> On 01/25/2016 08:56 AM, Alexander Bokovoy wrote: >>>> On Mon, 25 Jan 2016, Jan Cholasta wrote: >>>>> Hi, >>>>> >>>>> the attached patch fixes >>>>> . >>>>> >>>>> Note that this is a 4.2-specific fix. >>>>> >>>>> Honza >>>>> >>>>> -- >>>>> Jan Cholasta >>>> >>>>> From c2a0684c64538166809883a235bd131518b6e78f Mon Sep 17 00:00:00 2001 >>>>> From: Jan Cholasta >>>>> Date: Mon, 25 Jan 2016 08:48:42 +0100 >>>>> Subject: [PATCH] CA install: explicitly set dogtag_version to 10 >>>>> >>>>> When installing new CA master, explicitly set the dogtag_version >>>>> option to >>>>> 10 in api.bootstrap() to prevent failures in code which expects the >>>>> value >>>>> to be 10 rather than the default value of 9. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/5611 >>>>> --- >>>>> install/tools/ipa-ca-install | 2 +- >>>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>>> >>>>> diff --git a/install/tools/ipa-ca-install >>>>> b/install/tools/ipa-ca-install >>>>> index 6564e4d..e8ccaef 100755 >>>>> --- a/install/tools/ipa-ca-install >>>>> +++ b/install/tools/ipa-ca-install 
>>>>> @@ -162,7 +162,7 @@ def install_master(safe_options, options): >>>>> >>>>> # override ra_plugin setting read from default.conf so that we >>>>> have >>>>> # functional dogtag backend plugins during CA install >>>>> - api.bootstrap(in_server=True, ra_plugin='dogtag') >>>>> + api.bootstrap(in_server=True, ra_plugin='dogtag', >>>>> dogtag_version=10) >>>>> api.finalize() >>>>> >>>>> dm_password = options.password >>>>> -- >>>> ACK. >>>> >>> >>> Not so fast, I have this patch applied on top of ipa-4-2 and it does not >>> fix the crash described in the ticket. >>> >> >> See the end of CA install log (http://fpaste.org/314777/14537999/), it >> seems that despite setting dogtag version to 10 in API initialization, >> CA instance still thinks it needs to work with version 9. >> >> It seems that dogtag.configured_constants() function is to blame: >> >> """ >> In [4]: from ipalib import api >> >> In [5]: api.bootstrap(dogtag_version=10) >> >> In [6]: api.finalize() >> >> In [7]: dogtag.configured_constants() >> Out[7]: ipapython.dogtag.Dogtag9Constants >> >> In [8]: dogtag.configured_constants(api) >> Out[8]: ipapython.dogtag.Dogtag10Constants >> """ > > Updated patch attached. > ACK -- Martin^3 Babinsky From jcholast at redhat.com Wed Jan 27 11:12:53 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 27 Jan 2016 12:12:53 +0100 Subject: [Freeipa-devel] [PATCH] 0760 - Split ipa-client/ into ipaclient/ and client/ In-Reply-To: <56A62807.1040706@redhat.com> References: <56962826.10404@redhat.com> <56963D11.3050600@redhat.com> <56974647.1010408@redhat.com> <56976EF5.8080601@redhat.com> <569773DC.80808@redhat.com> <5697D18F.8010105@redhat.com> <56A61F29.3050209@redhat.com> <56A62807.1040706@redhat.com> Message-ID: <56A8A635.2070400@redhat.com> On 25.1.2016 14:49, Petr Viktorin wrote: > On 01/25/2016 02:12 PM, Jan Cholasta wrote: >> On 14.1.2016 17:49, Petr Viktorin wrote: >>> On 01/14/2016 11:09 AM, Jan Cholasta wrote: >>>> On 14.1.2016 10:48, Petr Viktorin wrote: >>>>> On 01/14/2016 07:55 AM, Jan Cholasta wrote: >>>>>> Hi, >>>>>> >>>>>> On 13.1.2016 13:03, Martin Babinsky wrote: >>>>>>> On 01/13/2016 11:34 AM, Petr Viktorin wrote: >>>>>>>> Hello, >>>>>>>> I'm planning to port the ipa-client to Python 3, and I'm likely >>>>>>>> to end >>>>>>>> up shaking out some dusty corners of the codebase, rather than >>>>>>>> doing the >>>>>>>> minimal amount of work :) >>>>>>>> So I'd like to get your opinions before I commit significant time to >>>>>>>> this. >>> >>> Here's a patch for review. >>> (I'm sending the full diff for applying; the result is nicer to look at >>> with `git show -C`) >>> >>> >>>>> [...] >>>>>>>> client-tools/ >>>>>>>> - man/* >>>>>>>> - *.c >>>>>>>> - *.h >>>>>>>> - all the automake stuff >>>>>>>> - current contents of ipa-install (Python scripts that go in >>>>>>>> /usr/sbin) >>>>>> >>>>>> I would rather s/client-tools/client/, as this stuff goes into the >>>>>> freeipa-*client* subpackage. >>>>> >>>>> OK. It's just that there's no admintools/ or server/ either. >>>>> >>>>> Putting the scripts into install/tools/ (or install/client/) is another >>>>> possibility. >>>> >>>> Right. I guess we have to decide whether we want a directory layout >>>> based on the component/subpackage or not. 
install/tools/ works for me >>>> equally well. >>> >>> I put the scripts in client/. IPA supports building just the client >>> bits, and that's easier if the server and client scripts are separate. >>> >>>>>> I'm not sure if this is what you are suggesting or not, but I would >>>>>> like >>>>>> the man page files to be in the same directory as the corresponding >>>>>> source code files. >>>>> >>>>> Do you mean not having the man/ subdirectory? >>>> >>>> Yes. (I don't insist though.) >>> >>> Even if you did insist, I think it would be better to ditch >>> install/tools/man/ and ipatests/man/ at the same time as client/man/, so >>> I'm leaving this for a potential future patch. >> >> It could be done gradually (there already is /ipa.1 for /ipa), but OK. >> >> The patch needs a rebase on top of master and ipa-4-3. Otherwise ACK. > > Here are the rebased patches. I filed a ticket for this and the rest of the py3 client effort: . Pushed to: master: 840de9bb48b37508e11fc0514761161e7cd0f9ef ipa-4-3: 11f315bcfcc756d4ea8a16a87df1a1a4dd980250 -- Jan Cholasta From mbasti at redhat.com Wed Jan 27 11:57:03 2016 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 27 Jan 2016 12:57:03 +0100 Subject: [Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit In-Reply-To: <56A87CE9.9000009@redhat.com> References: <56A76E71.2050205@redhat.com> <56A77AB6.6070206@redhat.com> <56A77B2A.5020401@redhat.com> <56A77D77.7030502@redhat.com> <56A77FE7.1020708@redhat.com> <56A7839E.9030803@redhat.com> <56A87CE9.9000009@redhat.com> Message-ID: <56A8B08F.8040502@redhat.com> On 27.01.2016 09:16, Petr Spacek wrote: > On 26.1.2016 15:38, Gabe Alford wrote: >> On Tue, Jan 26, 2016 at 7:33 AM, Martin Basti wrote: >> >>> >>> On 26.01.2016 15:17, Petr Spacek wrote: >>> >>>> On 26.1.2016 15:06, Martin Basti wrote: >>>> >>>>> On 26.01.2016 15:00, Gabe Alford wrote: >>>>> >>>>>> On Tue, Jan 26, 2016 at 6:56 AM, Martin Basti >>>>> > wrote: >>>>>> >>>>>> >>>>>> >>>>>> On 26.01.2016 14:55, Petr Spacek wrote: >>>>>> >>>>>> On 26.1.2016 14:02, Martin Basti wrote: >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/5634 >>>>>> >>>>>> Patch attached. >>>>>> >>>>>> It works for me in API, CLI, and Web UI. The warning is shown >>>>>> as expected. >>>>>> >>>>>> Interestingly, Web UI behaves strangely when search limit is >>>>>> hit. This needs >>>>>> more investigation because it happens even without this patch >>>>>> :-) >>>>>> >>>>>> I found a different bug there, webUI passes sizelimit: 0 >>>>>> (unlimited), but this value is not passed to some searches inside >>>>>> BaseldapSearch which raise an error, I will file a ticket and provide >>>>>> details there >>>>>> >>>>>> >>>>>> Works for me as well. However, it would be nice to have what >>>>>> ipasearchlimit >>>>>> is limited to in the error message as well. So something like: >>>>>> >>>>> thanks for testing. >>>>> >>>>> "Search result has been truncated, the current search limit is set to 10. >>>>>> Please increase the search limit." 
>>>>>> >>>>> Well this is not so easy to achieve in the framework, I prefer not to add >>>>> a number >>>>> there, it requires a bigger change in the framework or an extra ldap search. >>>>> >>>>>> Does this also address https://fedorahosted.org/freeipa/ticket/4022? >>>>>> >>>>> It should. >>>>> >>>> Maybe we can use some generic phrase like: >>>> "Search result has been truncated to configured search limit." >>>> and avoid advice like 'increase search limit' which may not be possible >>>> to do, >>>> e.g. because user does not have permission to do that etc. >>>> >> Sounds good. >> >> >> >>> Updated patch attached. >>> >> Ack from me. > Push it, the weird behavior in WebUI happens even without the patch :-) > Pushed to master: 9a945b201eab40dff7781d3240f046b648644779 From mbasti at redhat.com Wed Jan 27 12:15:57 2016 From: mbasti at redhat.com (Martin Basti) Date: Wed, 27 Jan 2016 13:15:57 +0100 Subject: [Freeipa-devel] [PATCH 0031] ipatests: fix the install of external ca In-Reply-To: <56A895A7.1040807@redhat.com> References: <569E64E3.4030406@redhat.com> <569E6AA6.2070503@redhat.com> <56A895A7.1040807@redhat.com> Message-ID: <56A8B4FD.4090300@redhat.com> On 27.01.2016 11:02, Martin Babinsky wrote: > On 01/19/2016 05:56 PM, Milan Kubík wrote: >> On 01/19/2016 05:31 PM, Milan Kubík wrote: >>> Patch attached. >>> >>> >>> >> This actually has a ticket opened. Patch with fixed commit message. ;) >> >> -- >> Milan Kubik >> >> >> > ACK > Pushed to: master: 8f6fb7b4eaa74e9478f946a3be862e2d02158f6d ipa-4-3: 7454db09185ee0131c2f85c7922bc2af374db766 From pvoborni at redhat.com Wed Jan 27 13:16:33 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 27 Jan 2016 14:16:33 +0100 Subject: [Freeipa-devel] New tool tips for Refresh, Revert, Undo and Undo All buttons In-Reply-To: <1126773777.16508720.1453726505512.JavaMail.zimbra@redhat.com> References: <1126773777.16508720.1453726505512.JavaMail.zimbra@redhat.com> Message-ID: <56A8C331.9010004@redhat.com> On 01/25/2016 01:55 PM, Pavel Vomacka wrote: > Hello everyone, > > I just made a patch for the > https://fedorahosted.org/freeipa/ticket/5428 ticket. The patch adds > tool tips to the buttons in detail views. The text of new tool tips > is written in the comment of the ticket. > > Pavel Vomacka Intern > ACK Pushed to master: d5674b1490939551a0040a4d88ebc6f9437e74d9 -- Petr Vobornik From pvoborni at redhat.com Wed Jan 27 13:19:27 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 27 Jan 2016 14:19:27 +0100 Subject: [Freeipa-devel] [PATCH] 0002 Add support for user parameter for /ipa/ui/reset_password.html In-Reply-To: <22878941.16566850.1453731056156.JavaMail.zimbra@redhat.com> References: <22878941.16566850.1453731056156.JavaMail.zimbra@redhat.com> Message-ID: <56A8C3DF.5010607@redhat.com> On 01/25/2016 03:10 PM, Pavel Vomacka wrote: > Hello again, > > another patch is ready for reviewing. Now it is the patch which adds > support for user parameter for /ipa/ui/reset_password.html page. That > means that you can prefill username field by using url parameter > 'user'. Here is the ticket link: > https://fedorahosted.org/freeipa/ticket/5001 . > > Pavel Vomacka Intern > > ACK Pushed to master: 3a0985b7889bb604184a2a9fa42261efa194d032 -- Petr Vobornik From tbabej at redhat.com Wed Jan 27 13:34:26 2016 
From: tbabej at redhat.com (Tomas Babej) Date: Wed, 27 Jan 2016 14:34:26 +0100 Subject: [Freeipa-devel] [PATCH] webui: 949 crash nicely if sessionStorage is not available In-Reply-To: <56A7B411.9090508@redhat.com> References: <56A7B39D.8070002@redhat.com> <56A7B411.9090508@redhat.com> Message-ID: <56A8C762.9030501@redhat.com> On 01/26/2016 06:59 PM, Tomas Babej wrote: > ACK > > On 01/26/2016 06:57 PM, Petr Vobornik wrote: >> https://fedorahosted.org/freeipa/ticket/5643 >> >> > Pushed to master: 6e1eb5bc8f83faa38203bd308896d0b15f359b24 From tbabej at redhat.com Wed Jan 27 13:41:16 2016 From: tbabej at redhat.com (Tomas Babej) Date: Wed, 27 Jan 2016 14:41:16 +0100 Subject: [Freeipa-devel] [PATCH 540] cert renewal: import all external CA certs on IPA CA cert renewal In-Reply-To: <56A86C69.2040409@redhat.com> References: <56A0A499.1090809@redhat.com> <56A1F79C.9050102@redhat.com> <56A21272.5020709@redhat.com> <56A5CC70.6070000@redhat.com> <56A86C69.2040409@redhat.com> Message-ID: <56A8C8FC.1050608@redhat.com> On 01/27/2016 08:06 AM, Martin Babinsky wrote: > On 01/25/2016 08:19 AM, Jan Cholasta wrote: >> On 22.1.2016 12:28, Jan Cholasta wrote: >>> On 22.1.2016 10:34, Martin Babinsky wrote: >>>> On 01/21/2016 10:27 AM, Jan Cholasta wrote: >>>>> Hi, >>>>> >>>>> the attached patch fixes >>>>> . >>>>> >>>>> Honza >>>>> >>>>> >>>>> >>>> ACK >>> >>> Self-NACK. Doesn't work with external CA install. >>> >> >> Updated patches attached. >> > ACK > Pushed to master: eaafeddf769c25bd44b490ae18ffb58e97df4963 Pushed to ipa-4-2: 2314fa66fd7fe543209292660d4f7f9611cdedb2 From tbabej at redhat.com Wed Jan 27 13:44:38 2016 
From: tbabej at redhat.com (Tomas Babej) Date: Wed, 27 Jan 2016 14:44:38 +0100 Subject: [Freeipa-devel] [PATCH 543] CA install: explicitly set dogtag_version to 10 In-Reply-To: <56A8A5BB.3000906@redhat.com> References: <56A5D4B6.8030201@redhat.com> <20160125075612.GY4316@redhat.com> <56A738FD.5030305@redhat.com> <56A73B00.1070702@redhat.com> <56A87F67.80803@redhat.com> <56A8A5BB.3000906@redhat.com> Message-ID: <56A8C9C6.7040206@redhat.com> On 01/27/2016 12:10 PM, Martin Babinsky wrote: > On 01/27/2016 09:27 AM, Jan Cholasta wrote: >> On 26.1.2016 10:23, Martin Babinsky wrote: >>> On 01/26/2016 10:14 AM, Martin Babinsky wrote: >>>> On 01/25/2016 08:56 AM, Alexander Bokovoy wrote: >>>>> On Mon, 25 Jan 2016, Jan Cholasta wrote: >>>>>> Hi, >>>>>> >>>>>> the attached patch fixes >>>>>> . >>>>>> >>>>>> Note that this is a 4.2-specific fix. >>>>>> >>>>>> Honza >>>>>> >>>>>> -- >>>>>> Jan Cholasta >>>>> >>>>>> From c2a0684c64538166809883a235bd131518b6e78f Mon Sep 17 00:00:00 >>>>>> 2001 >>>>>> From: Jan Cholasta >>>>>> Date: Mon, 25 Jan 2016 08:48:42 +0100 >>>>>> Subject: [PATCH] CA install: explicitly set dogtag_version to 10 >>>>>> >>>>>> When installing new CA master, explicitly set the dogtag_version >>>>>> option to >>>>>> 10 in api.bootstrap() to prevent failures in code which expects the >>>>>> value >>>>>> to be 10 rather than the default value of 9. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/5611 >>>>>> --- >>>>>> install/tools/ipa-ca-install | 2 +- >>>>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>>>> >>>>>> diff --git a/install/tools/ipa-ca-install >>>>>> b/install/tools/ipa-ca-install >>>>>> index 6564e4d..e8ccaef 100755 >>>>>> --- a/install/tools/ipa-ca-install >>>>>> +++ b/install/tools/ipa-ca-install 
>>>>>> @@ -162,7 +162,7 @@ def install_master(safe_options, options): >>>>>> >>>>>> # override ra_plugin setting read from default.conf so that we >>>>>> have >>>>>> # functional dogtag backend plugins during CA install >>>>>> - api.bootstrap(in_server=True, ra_plugin='dogtag') >>>>>> + api.bootstrap(in_server=True, ra_plugin='dogtag', >>>>>> dogtag_version=10) >>>>>> api.finalize() >>>>>> >>>>>> dm_password = options.password >>>>>> -- >>>>> ACK. >>>>> >>>> >>>> Not so fast, I have this patch applied on top of ipa-4-2 and it does >>>> not >>>> fix the crash described in the ticket. >>>> >>> >>> See the end of CA install log (http://fpaste.org/314777/14537999/), it >>> seems that despite setting dogtag version to 10 in API initialization, >>> CA instance still thinks it needs to work with version 9. >>> >>> It seems that dogtag.configured_constants() function is to blame: >>> >>> """ >>> In [4]: from ipalib import api >>> >>> In [5]: api.bootstrap(dogtag_version=10) >>> >>> In [6]: api.finalize() >>> >>> In [7]: dogtag.configured_constants() >>> Out[7]: ipapython.dogtag.Dogtag9Constants >>> >>> In [8]: dogtag.configured_constants(api) >>> Out[8]: ipapython.dogtag.Dogtag10Constants >>> """ >> >> Updated patch attached. >> > > ACK > Pushed to ipa-4-2: 7c78a1f1a4637d0b736b976822646f51926aa214 From jcholast at redhat.com Wed Jan 27 13:53:23 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 27 Jan 2016 14:53:23 +0100 Subject: [Freeipa-devel] [PATCH 540] cert renewal: import all external CA certs on IPA CA cert renewal In-Reply-To: <56A8C8FC.1050608@redhat.com> References: <56A0A499.1090809@redhat.com> <56A1F79C.9050102@redhat.com> <56A21272.5020709@redhat.com> <56A5CC70.6070000@redhat.com> <56A86C69.2040409@redhat.com> <56A8C8FC.1050608@redhat.com> Message-ID: <56A8CBD3.7080006@redhat.com> On 27.1.2016 14:41, Tomas Babej wrote: > > > On 01/27/2016 08:06 AM, Martin Babinsky wrote: >> On 01/25/2016 08:19 AM, Jan Cholasta wrote: >>> On 22.1.2016 12:28, Jan Cholasta wrote: >>>> On 22.1.2016 10:34, Martin Babinsky wrote: >>>>> On 01/21/2016 10:27 AM, Jan Cholasta wrote: >>>>>> Hi, >>>>>> >>>>>> the attached patch fixes >>>>>> . >>>>>> >>>>>> Honza >>>>>> >>>>>> >>>>>> >>>>> ACK >>>> >>>> Self-NACK. Doesn't work with external CA install. >>>> >>> >>> Updated patches attached. >>> >> ACK >> > > Pushed to master: eaafeddf769c25bd44b490ae18ffb58e97df4963 > Pushed to ipa-4-2: 2314fa66fd7fe543209292660d4f7f9611cdedb2 It seems you forgot ipa-4-3. -- Jan Cholasta From tbabej at redhat.com Wed Jan 27 13:54:21 2016 
From: tbabej at redhat.com (Tomas Babej) Date: Wed, 27 Jan 2016 14:54:21 +0100 Subject: [Freeipa-devel] [PATCH 540] cert renewal: import all external CA certs on IPA CA cert renewal In-Reply-To: <56A8CBD3.7080006@redhat.com> References: <56A0A499.1090809@redhat.com> <56A1F79C.9050102@redhat.com> <56A21272.5020709@redhat.com> <56A5CC70.6070000@redhat.com> <56A86C69.2040409@redhat.com> <56A8C8FC.1050608@redhat.com> <56A8CBD3.7080006@redhat.com> Message-ID: <56A8CC0D.8050001@redhat.com> On 01/27/2016 02:53 PM, Jan Cholasta wrote: > On 27.1.2016 14:41, Tomas Babej wrote: >> >> >> On 01/27/2016 08:06 AM, Martin Babinsky wrote: >>> On 01/25/2016 08:19 AM, Jan Cholasta wrote: >>>> On 22.1.2016 12:28, Jan Cholasta wrote: >>>>> On 22.1.2016 10:34, Martin Babinsky wrote: >>>>>> On 01/21/2016 10:27 AM, Jan Cholasta wrote: >>>>>>> Hi, >>>>>>> >>>>>>> the attached patch fixes >>>>>>> . >>>>>>> >>>>>>> Honza >>>>>>> >>>>>>> >>>>>>> >>>>>> ACK >>>>> >>>>> Self-NACK. Doesn't work with external CA install. >>>>> >>>> >>>> Updated patches attached. >>>> >>> ACK >>> >> >> Pushed to master: eaafeddf769c25bd44b490ae18ffb58e97df4963 >> Pushed to ipa-4-2: 2314fa66fd7fe543209292660d4f7f9611cdedb2 > > It seems you forgot ipa-4-3. > Yep, thanks. Pushed to ipa-4-3: 659c5ae7e649c1f03ac9f93c1b5369f037811d7d From pvoborni at redhat.com Wed Jan 27 14:39:47 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 27 Jan 2016 15:39:47 +0100 Subject: [Freeipa-devel] [PATCH] 950 webui: remove moot error from webui build Message-ID: <56A8D6B3.3020908@redhat.com> add module 'libs/d3' to a list of modules provided by third party libraries it is provided by d3 library in libs directory https://fedorahosted.org/freeipa/ticket/5641 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0950-webui-remove-moot-error-from-webui-build.patch Type: text/x-patch Size: 1055 bytes Desc: not available URL: From mbabinsk at redhat.com Wed Jan 27 14:58:07 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 27 Jan 2016 15:58:07 +0100 Subject: [Freeipa-devel] [PATCH 0128] ipalib/cli.py: pythonify Collector class In-Reply-To: <569D242C.2030903@redhat.com> References: <569D242C.2030903@redhat.com> Message-ID: <56A8DAFF.3080905@redhat.com> On 01/18/2016 06:43 PM, Martin Babinsky wrote: > A little patch that should make some future pylint errors disappear. > > > Attaching updated patch that does not promote direct molestation of instance dictionaries. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0128.1-ipalib-cli.py-pythonify-Collector-class.patch Type: text/x-patch Size: 1799 bytes Desc: not available URL: From redhatrises at gmail.com Wed Jan 27 15:01:54 2016 
From: redhatrises at gmail.com (Gabe Alford) Date: Wed, 27 Jan 2016 08:01:54 -0700 Subject: [Freeipa-devel] [PATCH] 950 webui: remove moot error from webui build In-Reply-To: <56A8D6B3.3020908@redhat.com> References: <56A8D6B3.3020908@redhat.com> Message-ID: Ack. Works as expected. Gabe On Wed, Jan 27, 2016 at 7:39 AM, Petr Vobornik wrote: > add module 'libs/d3' to a list of modules provided by third party libraries > > it is provided by d3 library in libs directory > > https://fedorahosted.org/freeipa/ticket/5641 > -- > Petr Vobornik > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > -------------- next part -------------- An HTML attachment was scrubbed... URL: From tbabej at redhat.com Wed Jan 27 15:04:18 2016 
From: tbabej at redhat.com (Tomas Babej) Date: Wed, 27 Jan 2016 16:04:18 +0100 Subject: [Freeipa-devel] [PATCH 155] ipa-kdb: get_authz_data_types() make sure entry can be NULL In-Reply-To: <20160106111510.GO6480@p.redhat.com> References: <20160106111510.GO6480@p.redhat.com> Message-ID: <56A8DC72.2010709@redhat.com> On 01/06/2016 12:15 PM, Sumit Bose wrote: > Hi, > > this patch fixes an issue found by Simo when he called > get_authz_data_types() with the second argument being NULL. > This function determines which type of authorization data should be > added to the Kerberos ticket. There are global defaults and it is > possible to configure this per service as well. The second argument is > the database entry of a service. If no service is given it makes sense > to return the global defaults and most parts of get_authz_data_types() > handle this case well and this patch fixes the remaining issue and adds a > test for this as well. > > Please note that currently get_authz_data_types() is used in a code path > where the service entry is expected to be not NULL and it turned out > that in Simo's case it will be non-NULL as well. Nevertheless the patch > makes the code more robust and makes the future use of > get_authz_data_types() safer. > > bye, > Sumit > > > ACK, thanks. From tbabej at redhat.com Wed Jan 27 15:05:00 2016 
From: tbabej at redhat.com (Tomas Babej) Date: Wed, 27 Jan 2016 16:05:00 +0100 Subject: [Freeipa-devel] [PATCH 155] ipa-kdb: get_authz_data_types() make sure entry can be NULL In-Reply-To: <56A8DC72.2010709@redhat.com> References: <20160106111510.GO6480@p.redhat.com> <56A8DC72.2010709@redhat.com> Message-ID: <56A8DC9C.30808@redhat.com> On 01/27/2016 04:04 PM, Tomas Babej wrote: > > > On 01/06/2016 12:15 PM, Sumit Bose wrote: >> Hi, >> >> this patch fixes an issue found by Simo when he called >> get_authz_data_types() with the second argument being NULL. >> This function determines which type of authorization data should be >> added to the Kerberos ticket. There are global defaults and it is >> possible to configure this per service as well. The second argument is >> the database entry of a service. If no service is given it makes sense >> to return the global defaults and most parts of get_authz_data_types() >> handle this case well and this patch fixes the remaining issue and adds a >> test for this as well. >> >> Please note that currently get_authz_data_types() is used in a code path >> where the service entry is expected to be not NULL and it turned out >> that in Simo's case it will be non-NULL as well. Nevertheless the patch >> makes the code more robust and makes the future use of >> get_authz_data_types() safer. >> >> bye, >> Sumit >> >> >> > > ACK, thanks. > It is worth noting I added a commit message for the patch, based on Sumit's summary here. Pushed to master: 45b0148fcce3fded5cea52b6fadd50114358ba25 From pvoborni at redhat.com Wed Jan 27 15:09:02 2016 
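Sumit's description of get_authz_data_types() above (global defaults, an optional per-service override, and a NULL second argument meaning "use the defaults"), as an added example in C that is not ipa-kdb's code: the struct names, the MS-PAC/PAD/NONE tokens, the bitmask return value and the sample entries are this example's own assumptions, chosen to show the NULL-entry path Simo hit and the fail-closed handling around it.

```c
/*
 * Model of "which authorization data goes into a ticket" with a NULL
 * service entry, the case the ipa-kdb patch in this thread hardens.
 * Added example, not ipa-kdb's code: the structs, token strings and
 * bitmask here are assumptions, not the KDB plugin's real types.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bitmask so "PAC and PAD", "one of them" and "none" are all expressible. */
enum authz_type {
    AUTHZ_NONE  = 0,
    AUTHZ_MSPAC = 1u << 0,
    AUTHZ_PAD   = 1u << 1
};

/* Hypothetical realm context holding the global default list. */
struct kdb_ctx {
    const char *const *default_authz_types;   /* NULL-terminated, may be NULL */
};

/* Hypothetical service entry; a NULL list means "not configured here". */
struct service_entry {
    const char *principal;
    const char *const *authz_types;
};

/* Parse a NULL-terminated token list. An explicit "NONE" wins over anything
 * else in the list; unknown tokens are ignored rather than guessed at. */
static unsigned parse_authz_list(const char *const *list)
{
    unsigned mask = AUTHZ_NONE;
    if (list == NULL)
        return AUTHZ_NONE;
    for (; *list != NULL; list++) {
        if (strcmp(*list, "NONE") == 0)
            return AUTHZ_NONE;
        if (strcmp(*list, "MS-PAC") == 0)
            mask |= AUTHZ_MSPAC;
        else if (strcmp(*list, "PAD") == 0)
            mask |= AUTHZ_PAD;
    }
    return mask;
}

/* Which authz data to put in a ticket for entry. entry may be NULL (the
 * caller wants the global defaults) and so may its list; neither is
 * dereferenced before being checked. A missing context fails closed. */
unsigned get_authz_data_types(const struct kdb_ctx *ctx,
                              const struct service_entry *entry)
{
    if (entry != NULL && entry->authz_types != NULL)
        return parse_authz_list(entry->authz_types);
    if (ctx == NULL)
        return AUTHZ_NONE;
    return parse_authz_list(ctx->default_authz_types);
}

/* Constructed sample configuration (not from any real realm). */
static const char *const sample_defaults[] = { "MS-PAC", NULL };
static const char *const pad_only[]        = { "PAD", NULL };
static const char *const opt_out[]         = { "NONE", "MS-PAC", NULL };
static const struct kdb_ctx sample_ctx = { sample_defaults };
static const struct service_entry svc_pad   = { "HTTP/web.example.test", pad_only };
static const struct service_entry svc_none  = { "nfs/fs.example.test", opt_out };
static const struct service_entry svc_unset = { "host/box.example.test", NULL };

unsigned example_no_entry(void)     { return get_authz_data_types(&sample_ctx, NULL); }
unsigned example_service_pad(void)  { return get_authz_data_types(&sample_ctx, &svc_pad); }
unsigned example_service_none(void) { return get_authz_data_types(&sample_ctx, &svc_none); }
unsigned example_unconfigured(void) { return get_authz_data_types(&sample_ctx, &svc_unset); }
unsigned example_no_context(void)   { return get_authz_data_types(NULL, NULL); }

int main(void)
{
    printf("no entry     -> %u\n", example_no_entry());      /* 1: MS-PAC from defaults */
    printf("PAD-only svc -> %u\n", example_service_pad());   /* 2 */
    printf("NONE svc     -> %u\n", example_service_none());  /* 0 */
    printf("unconfigured -> %u\n", example_unconfigured());  /* 1: falls back to defaults */
    printf("no context   -> %u\n", example_no_context());    /* 0 */
    return 0;
}
```

The two NULL cases are deliberately different: a NULL entry or a NULL per-service list means "nothing overrides the realm", so the defaults apply, while a NULL context means the code cannot know the policy at all and returns no authorization data rather than inventing some.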
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 27 Jan 2016 16:09:02 +0100 Subject: [Freeipa-devel] [PATCH] 950 webui: remove moot error from webui build In-Reply-To: References: <56A8D6B3.3020908@redhat.com> Message-ID: <56A8DD8E.3070609@redhat.com> On 01/27/2016 04:01 PM, Gabe Alford wrote: > Ack. Works as expected. Thanks for review. Pushed to: master: e668b06231553457df64eb43bef8918b21b4ebdc ipa-4-3: b9573f968a13d1373020be91a50786db81c1f1a3 > > Gabe > > On Wed, Jan 27, 2016 at 7:39 AM, Petr Vobornik wrote: > >> add module 'libs/d3' to a list of modules provided by third party libraries >> >> it is provided by d3 library in libs directory >> >> https://fedorahosted.org/freeipa/ticket/5641 >> -- >> Petr Vobornik >> >> -- >> Manage your subscription for the Freeipa-devel mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code >> > -- Petr Vobornik From mbabinsk at redhat.com Wed Jan 27 16:03:11 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 27 Jan 2016 17:03:11 +0100 Subject: [Freeipa-devel] [PATCH 0399] ipa-getkeytab: Handle the possibility of not obtaining a result In-Reply-To: <56A7A341.4070604@redhat.com> References: <56A7A341.4070604@redhat.com> Message-ID: <56A8EA3F.9020604@redhat.com> On 01/26/2016 05:48 PM, Tomas Babej wrote: > Hi, > > The ldap_result operation can time out, returning a NULL result, > which in turn causes the parsing operation to crash. > > https://fedorahosted.org/freeipa/ticket/5642 > > Tomas > > > ACK -- Martin^3 Babinsky From tbabej at redhat.com Wed Jan 27 16:10:45 2016 
From: tbabej at redhat.com (Tomas Babej) Date: Wed, 27 Jan 2016 17:10:45 +0100 Subject: [Freeipa-devel] [PATCH 0399] ipa-getkeytab: Handle the possibility of not obtaining a result In-Reply-To: <56A8EA3F.9020604@redhat.com> References: <56A7A341.4070604@redhat.com> <56A8EA3F.9020604@redhat.com> Message-ID: <56A8EC05.5060402@redhat.com> On 01/27/2016 05:03 PM, Martin Babinsky wrote: > On 01/26/2016 05:48 PM, Tomas Babej wrote: >> Hi, >> >> The ldap_result operation can time out, returning a NULL result, >> which in turn causes the parsing operation to crash. >> >> https://fedorahosted.org/freeipa/ticket/5642 >> >> Tomas >> >> >> > ACK > Pushed to master: d53c2f6b806335507ffd5e78be42471b85a39bbf From pviktori at redhat.com Wed Jan 27 17:38:14 2016 
From: pviktori at redhat.com (Petr Viktorin) Date: Wed, 27 Jan 2016 18:38:14 +0100 Subject: [Freeipa-devel] [PATCHES] 0761-0769 More Python3 fixes Message-ID: <56A90086.30600@redhat.com> Hello, Here is a mixed bag of Python 3 fixes. They fix some tests, and they should enable you to use `python3 /usr/bin/ipa`. -- Petr Viktorin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0761-test_parameters-Ignore-bad-error-message-in-Python-3.patch Type: text/x-patch Size: 1326 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0762-Fix-bytes-string-handling-in-rpc.patch Type: text/x-patch Size: 2337 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0763-ipaldap-ldapupdate-Encoding-fixes-for-Python-3.patch Type: text/x-patch Size: 2874 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0764-ipautil.run-kernel_keyring-Encoding-fixes-for-Python.patch Type: text/x-patch Size: 2926 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0765-tests-Use-absolute-imports.patch Type: text/x-patch Size: 1800 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0766-ipautil-Use-mode-w-in-write_tmp_file.patch Type: text/x-patch Size: 822 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0767-test_util-str-bytes-check-fixes-for-Python-3.patch Type: text/x-patch Size: 1849 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pviktori-0768-p11helper-Port-to-Python-3.patch Type: text/x-patch Size: 1747 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0769-cli-Don-t-encode-decode-for-stdin-stdout-on-Python-3.patch Type: text/x-patch Size: 2150 bytes Desc: not available URL: From mbasti at redhat.com Thu Jan 28 08:47:27 2016 
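The Python 3 patch titles above (encoding fixes for ipautil.run, mode 'w' in write_tmp_file, no manual encode/decode for stdin/stdout) all come down to handling the bytes/str boundary in exactly one place. The following is an added example written for this page, not FreeIPA's ipautil and not code from the patches; run_cmd, write_tmp_file and read_tmp_file are hypothetical names with made-up signatures that only illustrate the pattern.

```python
"""Added example (not FreeIPA's ipautil): run a command and write a temp file
with the bytes/str boundary handled in one place, so the same code behaves on
Python 3. run_cmd and write_tmp_file are hypothetical names, not ipautil's API.
"""
import subprocess
import sys
import tempfile

PYTHON = sys.executable  # used by the usage below so the example stays offline


def run_cmd(args, stdin_text=None, encoding="utf-8", raiseonerr=True):
    """Run args, feed stdin_text as str, return (returncode, stdout, stderr) as str.

    Pipes carry bytes; encoding happens exactly once on the way in and
    decoding exactly once on the way out, so callers never see bytes.
    """
    stdin_bytes = None if stdin_text is None else stdin_text.encode(encoding)
    proc = subprocess.run(
        args, input=stdin_bytes, stdout=subprocess.PIPE, stderr=subprocess.PIPE, check=False
    )
    out = proc.stdout.decode(encoding)
    err = proc.stderr.decode(encoding)
    if raiseonerr and proc.returncode != 0:
        raise RuntimeError("%r exited %d: %s" % (args, proc.returncode, err.strip()))
    return proc.returncode, out, err


def write_tmp_file(text, encoding="utf-8"):
    """Write str to a temp file opened in text mode and return its path.

    Opening with 'wb' and writing a str raises TypeError on Python 3, which is
    why the mode matters; text mode with an explicit encoding avoids both that
    and locale-dependent output.
    """
    with tempfile.NamedTemporaryFile("w", encoding=encoding, delete=False) as fd:
        fd.write(text)
        return fd.name


def read_tmp_file(path, encoding="utf-8"):
    """Read the file back as str with the same explicit encoding."""
    with open(path, encoding=encoding) as fd:
        return fd.read()


if __name__ == "__main__":
    rc, out, _ = run_cmd([PYTHON, "-c", "print('hello')"])
    print(rc, out.strip())
    path = write_tmp_file(u"p\u00e4th")
    print(read_tmp_file(path) == u"p\u00e4th")
```

The point of passing the encoding explicitly rather than relying on the locale is that installer and test code runs in environments where the locale may be C/ASCII; decoding there would fail on the first non-ASCII byte.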
From: mbasti at redhat.com (Martin Basti) Date: Thu, 28 Jan 2016 09:47:27 +0100 Subject: [Freeipa-devel] [PATCH 0030] Modernize mod_nss's cipher suites In-Reply-To: <56A21343.2090607@redhat.com> References: <56A0F78F.4060407@redhat.com> <56A21343.2090607@redhat.com> Message-ID: <56A9D59F.4020204@redhat.com> On 22.01.2016 12:32, Martin Kosek wrote: > On 01/21/2016 04:21 PM, Christian Heimes wrote: >> The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf >> has been modernized. Insecure or less secure algorithms such as RC4, >> DES and 3DES are removed. Perfect forward secrecy suites with ephemeral >> ECDH key exchange have been added. IE 8 on Windows XP is no longer >> supported. >> >> The list of enabled cipher suites has been generated with the script >> contrib/nssciphersuite/nssciphersuite.py. >> >> The supported suites are currently: >> >> TLS_RSA_WITH_AES_128_CBC_SHA256 >> TLS_RSA_WITH_AES_256_CBC_SHA256 >> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 >> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA >> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 >> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA >> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA >> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 >> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA >> TLS_RSA_WITH_AES_128_GCM_SHA256 >> TLS_RSA_WITH_AES_128_CBC_SHA >> TLS_RSA_WITH_AES_256_GCM_SHA384 >> TLS_RSA_WITH_AES_256_CBC_SHA >> >> https://fedorahosted.org/freeipa/ticket/5589 > > Thanks for the patch! I updated the ticket to make sure this change is in the > release notes. > Hello, I'm not sure if I'm the right person to do review on this, but I will try :-) 1) Your patch adds a whitespace error Applying: Modernize mod_nss's cipher suites /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:52: new blank line at EOF. + warning: 1 line adds whitespace errors. 
2) +import urllib.request # pylint: disable=E0611 Please specify the disabled pylint check by name 3) +def update_mod_nss_cipher_suite(http): in this upgrade, is there any possibility that ciphers might be upgraded again in future? (IMO yes). I think it would be better to store the revision of the change instead of a boolean:
LAST_REVISION = 1
if revision >= LAST_REVISION:
    return
sysupgrade.set_upgrade_state('nss.conf', 'cipher_suite_revision', LAST_REVISION)
Otherwise it works From ofayans at redhat.com Thu Jan 28 09:22:29 2016 From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 28 Jan 2016 10:22:29 +0100 Subject: [Freeipa-devel] [TEST][Patch 0021] Fixed recent replica installation issues in the lab In-Reply-To: <56A898E5.9060202@redhat.com> References: <56A0D223.2060702@redhat.com> <56A0FC2C.2010004@redhat.com> <56A87E93.9030302@redhat.com> <56A898E5.9060202@redhat.com> Message-ID: <56A9DDD5.8010106@redhat.com> Guys, could you take a look at this one? On 01/27/2016 11:16 AM, Oleg Fayans wrote: > Sorry, trailing whitespace detected. This version passes lint > > On 01/27/2016 09:23 AM, Oleg Fayans wrote: >> Hi, >> >> On 01/21/2016 04:41 PM, Petr Spacek wrote: >>> Hello, >>> >>> On 21.1.2016 13:42, Oleg Fayans wrote: >>>> freeipa-ofayans-0021-Removed-ip-address-option-from-replica-installation.patch >>>> >>>> >>>> From d7ab06a4dcddb919fda351b983d478f1b6968578 Mon Sep 17 00:00:00 2001 >>>> From: Oleg Fayans >>>> Date: Thu, 21 Jan 2016 13:30:02 +0100 >>>> Subject: [PATCH] Removed --ip-address option from replica installation >>>> >>>> Explicitly specifying the ip-address of the replica messes up the current >>>> bind-dyndb-ldap logic, causing the reverse zone not to be created. >>>> >>>> Enabled reverse-zone creation for clients residing in a different subnet from the >>>> master >>>> --- >>>> ipatests/test_integration/tasks.py | 19 ++++++++++++------- >>>> 1 file changed, 12 insertions(+), 7 deletions(-) 
>>>> >>>> diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py >>>> index 6eb55501389c72b4c7aaa599fd4852d7e8f1f3c2..43ef78b0c55deed24a0444f0ac6c38ddb2517481 100644 >>>> --- a/ipatests/test_integration/tasks.py >>>> +++ b/ipatests/test_integration/tasks.py >>>> @@ -69,6 +69,8 @@ def prepare_reverse_zone(host, ip): >>>> host.run_command(["ipa", >>>> "dnszone-add", >>>> zone], raiseonerr=False) >>>> + return zone >>>> + >>>> >>>> def prepare_host(host): >>>> if isinstance(host, Host): >>>> @@ -319,11 +321,8 @@ def domainlevel(host): >>>> def replica_prepare(master, replica): >>>> apply_common_fixes(replica) >>>> fix_apache_semaphores(replica) >>>> - prepare_reverse_zone(master, replica.ip) >>>> - master.run_command(['ipa-replica-prepare', >>>> - '-p', replica.config.dirman_password, >>>> - '--ip-address', replica.ip, >>>> - replica.hostname]) >>>> + master.run_command(['ipa-replica-prepare', '-p', replica.config.dirman_password, >>>> + '--auto-reverse', replica.hostname]) >>> >>> I guess that you will need --ip-address option in cases where master's reverse >>> record does not exist (yet). >> And you were right. Fixed >> >>> >>> I would recommend you to test this in libvirt or somewhere without reverse >>> records, I suspect that it might blow up. >>> >>>> replica_bundle = master.get_file_contents( >>>> paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname) >>>> replica_filename = get_replica_filename(replica) >>>> @@ -339,8 +338,7 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False, >>>> # and replica installation would fail >>>> args = ['ipa-replica-install', '-U', >>>> '-p', replica.config.dirman_password, >>>> - '-w', replica.config.admin_password, >>>> - '--ip-address', replica.ip] >>>> + '-w', replica.config.admin_password] >>>> if setup_ca: >>>> args.append('--setup-ca') >>>> if setup_dns: 
>>>> @@ -380,6 +378,13 @@ def install_client(master, client, extra_args=()): >>>> client.collect_log(paths.IPACLIENT_INSTALL_LOG) >>>> >>>> apply_common_fixes(client) >>>> + # Now, for the situations where a client resides in a different subnet from >>>> + # master, we need to explicitly tell master to create a reverse zone for >>>> + # the client and enable dynamic updates for this zone. >>>> + allow_sync_ptr(master) >>>> + zone = prepare_reverse_zone(master, client.ip) >>>> + master.run_command(["ipa", "dnszone-mod", zone, >>>> + "--dynamic-update=TRUE"], raiseonerr=False) >>> >>> I'm not a big fan of ignoring exceptions here, it might be better to >>> encapsulate the first command with try: except: and run the zone-mod only if >>> the add worked as expected. >>> >>> Also, logging a message that reverse zone was not added might be a good idea. >> Agreed. Done. >> >>> >>> HTH >>> >>> Petr^2 Spacek >>> >>> >>>> >>>> client.run_command(['ipa-client-install', '-U', >>>> '--domain', client.domain.name, >>> >> >> >> > > > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From ofayans at redhat.com Thu Jan 28 09:23:29 2016 From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 28 Jan 2016 10:23:29 +0100 Subject: [Freeipa-devel] [TEST][Patch 0020] Enabled recreation of test directory during ipa reinstallation In-Reply-To: <56A87ECB.1020300@redhat.com> References: <56A0C831.6040909@redhat.com> <56A87ECB.1020300@redhat.com> Message-ID: <56A9DE11.6030207@redhat.com> Fellas, can anyone spend a free moment to review this? On 01/27/2016 09:24 AM, Oleg Fayans wrote: > Hi guys, > > Any chance this can be reviewed any time soon? > > On 01/21/2016 12:59 PM, Oleg Fayans wrote: >> >> >> > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From fskola at redhat.com Thu Jan 28 09:42:51 2016
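Review bot: in the prepare_reverse_zone hunk, `+ return zone` executes regardless of whether the preceding `dnszone-add` succeeded, because `host.run_command([...], raiseonerr=False)` is called with its result discarded; callers therefore receive a zone name they cannot trust to exist. Keep the result (`result = host.run_command([...], raiseonerr=False)`) and return the zone only when `result.returncode == 0`, returning None otherwise, so the install_client hunk can skip its follow-up `dnszone-mod` instead of issuing it against a zone that was never created.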
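Review bot: in the install_client hunk, the `dnszone-mod ... "--dynamic-update=TRUE"` is run unconditionally and also with `raiseonerr=False`, so a failed zone add followed by a failed zone mod leaves no trace in the test output and `ipa-client-install` proceeds without the reverse zone the new comment says the client needs. Run the mod only when prepare_reverse_zone reported success, and log the failure when it did not, so a missing reverse record shows up at the step that caused it rather than as an unrelated client-install error later.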
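The mod_nss cipher suite thread above posts a concrete list of suites and a review remark that the upgrade step should record a revision number rather than a boolean, so that a later change to the list runs the step again. The following is an added example written for this page to show both points in working code; it is not FreeIPA code and not contrib/nssciphersuite/nssciphersuite.py. The suite list is the one posted in the thread; the IANA-name parsing, the banned-token policy and the dict standing in for sysupgrade's state store are assumptions made for the example.

```python
"""Added example, not FreeIPA code and not contrib/nssciphersuite/nssciphersuite.py:
audit a TLS cipher suite list by IANA name and gate the config rewrite behind a
revision number, as the review above suggests instead of a boolean flag.

The suite list is the one posted in the thread; the policy, the name parsing
and the dict standing in for sysupgrade state are assumptions of this example.
"""
import re

LAST_REVISION = 1  # bump whenever the suite policy changes

# Constructed input: the suites listed in the patch description above.
PROPOSED_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

# Algorithm tokens that disqualify a suite outright. RC4, DES and 3DES are the
# ones the patch removes; NULL/EXPORT/MD5/ANON are added by this example.
BANNED_TOKENS = {"RC4", "DES", "3DES", "NULL", "EXPORT", "MD5", "ANON"}

SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Za-z0-9_]+?)_WITH_(?P<cipher>.+?)_(?P<hash>SHA\d*|MD5|NULL)$"
)


def parse_suite(name):
    """Split an IANA suite name into key exchange, cipher and hash parts."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError("unrecognised cipher suite name: %r" % name)
    kx, cipher, hsh = m.group("kx").upper(), m.group("cipher").upper(), m.group("hash")
    return {
        "kx": kx,
        "cipher": cipher,
        "hash": hsh,
        # Ephemeral (EC)DH gives forward secrecy; static RSA key transport does not.
        "pfs": kx.startswith(("ECDHE_", "DHE_")),
        "aead": any(t in cipher for t in ("GCM", "CCM", "POLY1305")),
    }


def audit(suites, require_pfs=False):
    """Return (kept, rejected); rejected holds (name, reason) pairs in input order."""
    kept, rejected = [], []
    for name in suites:
        info = parse_suite(name)
        tokens = set(info["kx"].split("_")) | set(info["cipher"].split("_")) | {info["hash"]}
        banned = sorted(tokens & BANNED_TOKENS)
        if banned:
            rejected.append((name, "banned algorithm: " + ",".join(banned)))
        elif require_pfs and not info["pfs"]:
            rejected.append((name, "no forward secrecy"))
        else:
            kept.append(name)
    return kept, rejected


def update_cipher_suite_state(state, suites, require_pfs=False):
    """Revision-gated upgrade step.

    `state` stands in for the sysupgrade state store (an assumption here).
    Returns the audited list when the step ran, or None when the stored
    revision already reaches LAST_REVISION; raising LAST_REVISION later
    makes the step run again on the next upgrade, which a boolean cannot do.
    """
    if state.get("cipher_suite_revision", 0) >= LAST_REVISION:
        return None
    kept, _rejected = audit(suites, require_pfs)
    state["cipher_suite_revision"] = LAST_REVISION
    return kept
```

With the default policy the fourteen posted suites all pass, matching the thread's decision to keep the non-PFS RSA suites for compatibility; calling audit with require_pfs=True shows what a stricter deployment would lose (the six TLS_RSA_* suites).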
From: fskola at redhat.com (Filip Skola) Date: Thu, 28 Jan 2016 04:42:51 -0500 (EST) Subject: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin In-Reply-To: <56A7B34E.2050906@redhat.com> References: <20151120135636.71171d5c@vor2.netbox.priv> <5665B88E.4000507@redhat.com> <20151209190102.1bb8fc07@vor2.netbox.priv> <1914334378.4564827.1452602733244.JavaMail.zimbra@redhat.com> <1760221088.11921867.1452868707220.JavaMail.zimbra@redhat.com> <569CD602.1030604@redhat.com> <1869235561.17372506.1453716664538.JavaMail.zimbra@redhat.com> <56A7B34E.2050906@redhat.com> Message-ID: <1320714330.19162635.1453974171503.JavaMail.zimbra@redhat.com> ----- Original Message ----- > On 01/25/2016 11:11 AM, Filip Skola wrote: > > > > ----- Original Message ----- > >> On 01/15/2016 03:38 PM, Filip Skola wrote: > >>> Hi, > >>> > >>> sending rebased patch. > >>> > >>> F. > >>> > >>> ----- Original Message ----- > >>>> Hello, > >>>> > >>>> sorry for delays. The patch no longer applies to master. Rebase it, > >>>> please. > >>>> > >>>> Milan > >>>> > >>>> ----- Original Message ----- 
> >>>> From: "Filip Škola" > >>>> To: "Milan Kubík" > >>>> Cc: freeipa-devel at redhat.com > >>>> Sent: Wednesday, 9 December, 2015 7:01:02 PM > >>>> Subject: Re: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin > >>>> > >>>> On Mon, 7 Dec 2015 17:49:18 +0100 > >>>> Milan Kubík wrote: > >>>> > >>>>> On 12/03/2015 08:15 PM, Filip Škola wrote: > >>>>>> On Mon, 30 Nov 2015 17:18:30 +0100 > >>>>>> Milan Kubík wrote: > >>>>>> > >>>>>>> On 11/23/2015 04:42 PM, Filip Škola wrote: > >>>>>>>> Sending updated patch. > >>>>>>>> > >>>>>>>> F. > >>>>>>>> > >>>>>>>> On Mon, 23 Nov 2015 14:59:34 +0100 > >>>>>>>> Filip Škola wrote: > >>>>>>>> > >>>>>>>>> Found a couple of issues (broke some dependencies). > >>>>>>>>> > >>>>>>>>> NACK > >>>>>>>>> > >>>>>>>>> F. > >>>>>>>>> > >>>>>>>>> On Fri, 20 Nov 2015 13:56:36 +0100 > >>>>>>>>> Filip Škola wrote: > >>>>>>>>> > >>>>>>>>>> Another one. > >>>>>>>>>> > >>>>>>>>>> F. > >>>>>>> Hi, the tests look good. A few remarks, though. > >>>>>>> > >>>>>>> 1. Please, use the shortest copyright notice in new modules. > >>>>>>> > >>>>>>> # > >>>>>>> # Copyright (C) 2015 FreeIPA Contributors see COPYING for > >>>>>>> license # > >>>>>>> > >>>>>>> 2. The tests `test_group_remove_group_from_protected_group` and > >>>>>>> `test_group_full_set_of_objectclass_not_available_post_detach` > >>>>>>> were not ported. Please, include them in the patch. > >>>>>>> > >>>>>>> Also, for less hassle, please rebase your patches on top of > >>>>>>> freeipa-mkubik-0025-3-Separated-Tracker-implementations-into-standalone-pa.patch > >>>>>>> Which changes the location of tracker implementations and prevents > >>>>>>> circular imports. > >>>>>>> > >>>>>>> Thanks. > >>>>>>> > >>>>>> Hi, > >>>>>> > >>>>>> these cases are there, in corresponding classes. They are marked > >>>>>> with the original comments. (However I can move them to a separate > >>>>>> class if desirable.) > >>>>>> > >>>>>> The copyright notice is changed. 
Also included a few changes in the > >>>>>> test with a user without a private group. > >>>>>> > >>>>>> Filip > >>>>> NACK > >>>>> > >>>>> linter: > >>>>> ************* Module tracker.group_plugin > >>>>> ipatests/test_xmlrpc/tracker/group_plugin.py:257: > >>>>> [E0102(function-redefined), GroupTracker.check_remove_member] method > >>>>> already defined line 253) > >>>>> > >>>>> Probably a leftover after the rebase made on top of my patch. Please > >>>>> fix it. You can check your changes with the make-lint script before > >>>>> sending them. > >>>>> > >>>>> Thanks > >>>>> > >>>> Hi, > >>>> > >>>> I learned to use make-lint! > >>>> > >>>> Thanks, > >>>> F. > >>>> > >> Hello, > >> > >> NACK, pylint doesn't seem to like the way the fixtures are imported > >> (pytest does a lot of runtime magic) [1]. > >> One possible solution would be [2]. Though, I don't think this would be > >> a good idea in our environment. I suggest to create the fixtures on per > >> module basis. > >> > >> > >> [1]: http://fpaste.org/311949/53118942/ > >> [2]: > >> https://pytest.org/latest/fixture.html#using-fixtures-from-classes-modules-or-projects > >> > >> -- > >> Milan Kubik > >> > >> > > Hi, > > > > the fixtures were copied into the corresponding module. Please note that this > > patch has a dependency on my patch 0001 (user plugin). > > > > Filip > Linter: > ************* Module ipatests.test_xmlrpc.tracker.group_plugin > W:100,26: Calling a dict.iter*() method (dict-iter-method) > > please use dict.items > > -- > Milan Kubik > > Hi, sorry. This has been fixed in this patch. Filip -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-fskola-0002-7-Refactor-test_group_plugin.patch Type: text/x-patch Size: 74872 bytes Desc: not available URL: From fskola at redhat.com Thu Jan 28 09:45:47 2016
From: fskola at redhat.com (Filip Skola) Date: Thu, 28 Jan 2016 04:45:47 -0500 (EST) Subject: [Freeipa-devel] [PATCH 0005] Refactor test_nesting, create HostGroupTracker In-Reply-To: <56A7B764.3080202@redhat.com> References: <2134068455.1326509.1450781775764.JavaMail.zimbra@redhat.com> <1902672460.4566340.1452602887525.JavaMail.zimbra@redhat.com> <1118746236.11920442.1452868635399.JavaMail.zimbra@redhat.com> <569CD698.4020900@redhat.com> <1592657483.12984474.1453123591078.JavaMail.zimbra@redhat.com> <56A7B764.3080202@redhat.com> Message-ID: <212120579.19163053.1453974347696.JavaMail.zimbra@redhat.com> ----- Original Message ----- > On 01/18/2016 02:26 PM, Filip Skola wrote: > > Hi, > > > > this should be fixed in this patch. > > > > F. > > > > ----- Original Message ----- > >> On 01/15/2016 03:37 PM, Filip Skola wrote: > >>> Hi, > >>> > >>> sending rebased patch. > >>> > >>> F. > >>> > >>> ----- Original Message ----- > >>>> Hi, > >>>> > >>>> the patch no longer applies to master. Please rebase it. > >>>> > >>>> Thanks, > >>>> Milan > >>>> > >>>> ----- Original Message ----- 
> >>>> From: "Filip Skola" > >>>> To: freeipa-devel at redhat.com > >>>> Cc: "Milan Kubík" , "Aleš Mareček" > >>>> > >>>> Sent: Tuesday, 22 December, 2015 11:56:15 AM > >>>> Subject: [PATCH 0005] Refactor test_nesting, create HostGroupTracker > >>>> > >>>> Hi, > >>>> > >>>> another patch from the refactoring-test_xmlrpc series. > >>>> > >>>> Filip > >>>> > >> NACK, something seems to be missing in the patch > >> > >> > >> ************* Module ipatests.test_xmlrpc.tracker.hostgroup_plugin > >> ipatests/test_xmlrpc/tracker/hostgroup_plugin.py:222: [E1101(no-member), > >> HostGroupTracker.check_add_member_negative] Instance of > >> 'HostGroupTracker' has no 'adds' member) > >> > >> -- > >> Milan Kubik > >> > >> > The same as with patch 0002: > ************* Module ipatests.test_xmlrpc.tracker.hostgroup_plugin > W:142,26: Calling a dict.iter*() method (dict-iter-method) > > Please use dict.items method. > > -- > Milan Kubik > > Hi, attaching a fixed patch. This patch is dependent on the updated group plugin test patch 0002-7. Filip -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-fskola-0005-4-Refactor-test_nesting-create-HostGroupTracker.patch Type: text/x-patch Size: 44587 bytes Desc: not available URL: From pvomacka at redhat.com Thu Jan 28 11:20:59 2016 From: pvomacka at redhat.com (Pavel Vomacka) Date: Thu, 28 Jan 2016 12:20:59 +0100 Subject: [Freeipa-devel] [PATCH] 0003 webui: Issue New Certificate dialogs validates data Message-ID: <56A9F99B.6090909@redhat.com> Hello, I made a patch for the https://fedorahosted.org/freeipa/ticket/5432 ticket. All Issue new certificate dialogs now validate input data. -- Pavel Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0003-Add-validation-to-Issue-new-certificate-dialog.patch Type: text/x-patch Size: 5556 bytes Desc: not available URL: From fskola at redhat.com Thu Jan 28 11:49:17 2016
From: fskola at redhat.com (Filip Skola) Date: Thu, 28 Jan 2016 06:49:17 -0500 (EST) Subject: [Freeipa-devel] [PATCH] 0008 Refactor test_sudocmdgroup_plugin, create SudoCmdGroupTracker In-Reply-To: <188013196.19197554.1453981691880.JavaMail.zimbra@redhat.com> Message-ID: <1667642851.19197845.1453981757248.JavaMail.zimbra@redhat.com> Hi, sending the next sudo patch. This one depends on the previous one (sudocmd_plugin). Filip -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-fskola-0008-Refactor-test_sudocmdgroup_plugin.patch Type: text/x-patch Size: 41312 bytes Desc: not available URL: From pvoborni at redhat.com Thu Jan 28 12:58:52 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 28 Jan 2016 13:58:52 +0100 Subject: [Freeipa-devel] [PATCH 154] ipa-kdb: map_groups() consider all results In-Reply-To: <20160105185533.GK6480@p.redhat.com> References: <20160105185533.GK6480@p.redhat.com> Message-ID: <56AA108C.3090808@redhat.com> On 01/05/2016 07:55 PM, Sumit Bose wrote: > Hi, > > to find out to which local group an external user is mapped we do a > dereference search over the external groups with the SIDs related to the > external user. If a SID is mapped to more than one external group we > currently consider only the first returned match. With this patch all > results are taken into account. This makes sure all expected local group > memberships are added to the PAC which resolves > https://fedorahosted.org/freeipa/ticket/5573. > > bye, > Sumit > bump for review. -- Petr Vobornik From mbasti at redhat.com Thu Jan 28 13:49:34 2016
From: mbasti at redhat.com (Martin Basti) Date: Thu, 28 Jan 2016 14:49:34 +0100 Subject: [Freeipa-devel] [PATCH 0131] fix standalone installation of externally signed CA on IPA master In-Reply-To: <56A76A17.7010808@redhat.com> References: <56A76162.7020303@redhat.com> <56A76A17.7010808@redhat.com> Message-ID: <56AA1C6E.9000101@redhat.com> On 26.01.2016 13:44, Martin Babinsky wrote: > On 01/26/2016 01:06 PM, Martin Babinsky wrote: >> https://fedorahosted.org/freeipa/ticket/5636 >> >> >> > This also happens on ipa-4-3/master but the offending check was moved > around. Attaching patch for 4-3/master branches. > > > ACK for master and ipa-4-3 I continue with testing on ipa-4-2 to be sure -------------- next part -------------- An HTML attachment was scrubbed... URL: From tbabej at redhat.com Thu Jan 28 14:20:46 2016 From: tbabej at redhat.com (Tomas Babej) Date: Thu, 28 Jan 2016 15:20:46 +0100 Subject: [Freeipa-devel] [PATCH 0128] ipalib/cli.py: pythonify Collector class In-Reply-To: <56A8DAFF.3080905@redhat.com> References: <569D242C.2030903@redhat.com> <56A8DAFF.3080905@redhat.com> Message-ID: <56AA23BE.3070708@redhat.com> On 01/27/2016 03:58 PM, Martin Babinsky wrote: > On 01/18/2016 06:43 PM, Martin Babinsky wrote: >> A little patch that should make some future pylint errors disappear. >> >> >> > Attaching updated patch that does not promote direct molestation of > instance dictionaries. > > > Patch looks good, one thing I am concerned about though is that __todict__ now returns a direct reference to the internal, mutable dict, and no longer a (shallow) copy. Maybe we should use dict.copy() there? Tomas From pvoborni at redhat.com Thu Jan 28 15:15:12 2016
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 28 Jan 2016 16:15:12 +0100 Subject: [Freeipa-devel] [PATCH] 951 webui: fail nicely if cookies are disabled Message-ID: <56AA3080.4090600@redhat.com> Also reworks the sessionStorage test because disabling cookies might be connected with sessionStorage and localStorage. E.g. Chrome raises an exception when *Storage is accessed with the "Block sites from setting any data" setting set in the "Content Settings/Cookies" section. https://fedorahosted.org/freeipa/ticket/4338 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0951-webui-fail-nicely-if-cookies-are-disabled.patch Type: text/x-patch Size: 2504 bytes Desc: not available URL: From tbabej at redhat.com Thu Jan 28 15:23:20 2016 From: tbabej at redhat.com (Tomas Babej) Date: Thu, 28 Jan 2016 16:23:20 +0100 Subject: [Freeipa-devel] [PATCH] 951 webui: fail nicely if cookies are disabled In-Reply-To: <56AA3080.4090600@redhat.com> References: <56AA3080.4090600@redhat.com> Message-ID: <56AA3268.9050805@redhat.com> On 01/28/2016 04:15 PM, Petr Vobornik wrote: > Also reworks the sessionStorage test because disabling cookies might be > connected with sessionStorage and localStorage. E.g. Chrome raises an > exception when *Storage is accessed with the "Block sites from setting any > data" setting set in the "Content Settings/Cookies" section. > > https://fedorahosted.org/freeipa/ticket/4338 > > Seems that two spaces inserted themselves into the error message for localStorage :) From pvoborni at redhat.com Thu Jan 28 15:25:14 2016
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 28 Jan 2016 16:25:14 +0100 Subject: [Freeipa-devel] [PATCH] 951 webui: fail nicely if cookies are disabled In-Reply-To: <56AA3268.9050805@redhat.com> References: <56AA3080.4090600@redhat.com> <56AA3268.9050805@redhat.com> Message-ID: <56AA32DA.9000209@redhat.com> On 01/28/2016 04:23 PM, Tomas Babej wrote: > > > On 01/28/2016 04:15 PM, Petr Vobornik wrote: >> Also reworks the sessionStorage test because disabling cookies might be >> connected with sessionStorage and localStorage. E.g. Chrome raises an >> exception when *Storage is accessed with the "Block sites from setting any >> data" setting set in the "Content Settings/Cookies" section. >> >> https://fedorahosted.org/freeipa/ticket/4338 >> >> > > Seems that two spaces inserted themselves into the error message for > localStorage :) > updated patch attached. -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0951-1-webui-fail-nicely-if-cookies-are-disabled.patch Type: text/x-patch Size: 2502 bytes Desc: not available URL: From mbasti at redhat.com Thu Jan 28 15:36:44 2016
From: mbasti at redhat.com (Martin Basti) Date: Thu, 28 Jan 2016 16:36:44 +0100 Subject: [Freeipa-devel] [PATCH 0131] fix standalone installation of externally signed CA on IPA master In-Reply-To: <56AA1C6E.9000101@redhat.com> References: <56A76162.7020303@redhat.com> <56A76A17.7010808@redhat.com> <56AA1C6E.9000101@redhat.com> Message-ID: <56AA358C.7040202@redhat.com> On 28.01.2016 14:49, Martin Basti wrote: > > > On 26.01.2016 13:44, Martin Babinsky wrote: >> On 01/26/2016 01:06 PM, Martin Babinsky wrote: >>> https://fedorahosted.org/freeipa/ticket/5636 >>> >>> >>> >> This also happens on ipa-4-3/master but the offending check was moved >> around. Attaching patch for 4-3/master branches. >> >> >> > ACK for master and ipa-4-3 > > I continue with testing on ipa-4-2 to be sure > > ACK master: 72e72615df8b178ebbcb2e4944ba289ef263c951 ipa-4-3: 87cd18892fcbc520c8d45c5f7624a909c9347779 ipa-4-2: 24384624b3ad2eb0e5ffe6483c34156c7d335888 -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbabinsk at redhat.com Thu Jan 28 15:44:47 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 28 Jan 2016 16:44:47 +0100 Subject: [Freeipa-devel] [PATCH 0128] ipalib/cli.py: pythonify Collector class In-Reply-To: <56AA23BE.3070708@redhat.com> References: <569D242C.2030903@redhat.com> <56A8DAFF.3080905@redhat.com> <56AA23BE.3070708@redhat.com> Message-ID: <56AA376F.1010102@redhat.com> On 01/28/2016 03:20 PM, Tomas Babej wrote: > > > On 01/27/2016 03:58 PM, Martin Babinsky wrote: >> On 01/18/2016 06:43 PM, Martin Babinsky wrote: >>> A little patch that should make some future pylint errors disappear. >>> >>> >>> >> Attaching updated patch that does not promote direct molestation of >> instance dictionaries. >> >> >> > > Patch looks good, one thing I am concerned about though is that > __todict__ now returns a direct reference to the internal, mutable dict, > and no longer a (shallow) copy. > > Maybe we should use dict.copy() there? > > Tomas > Ah I didn't realize that. Fixed in updated patch. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0128.2-ipalib-cli.py-pythonify-Collector-class.patch Type: text/x-patch Size: 1810 bytes Desc: not available URL: From tbabej at redhat.com Thu Jan 28 16:06:03 2016
From: tbabej at redhat.com (Tomas Babej) Date: Thu, 28 Jan 2016 17:06:03 +0100 Subject: [Freeipa-devel] [PATCH 0128] ipalib/cli.py: pythonify Collector class In-Reply-To: <56AA376F.1010102@redhat.com> References: <569D242C.2030903@redhat.com> <56A8DAFF.3080905@redhat.com> <56AA23BE.3070708@redhat.com> <56AA376F.1010102@redhat.com> Message-ID: <56AA3C6B.5080403@redhat.com> On 01/28/2016 04:44 PM, Martin Babinsky wrote: > On 01/28/2016 03:20 PM, Tomas Babej wrote: >> >> >> On 01/27/2016 03:58 PM, Martin Babinsky wrote: >>> On 01/18/2016 06:43 PM, Martin Babinsky wrote: >>>> A little patch that should make some future pylint errors disappear. >>>> >>>> >>>> >>> Attaching updated patch that does not promote direct molestation of >>> instance dictionaries. >>> >>> >>> >> >> Patch looks good, one thing I am concerned about though is that >> __todict__ now returns a direct reference to the internal, mutable dict, >> and no longer a (shallow) copy. >> >> Maybe we should use dict.copy() there? >> >> Tomas >> > > Ah I didn't realize that. Fixed in updated patch. > Nitpick: Sorry for being misleading - I did not mean to suggest invoking the method using the dict type directly. While being equivalent, dict.copy(self.__options) is less idiomatic than: self.__options.copy() Tomas From mbabinsk at redhat.com Thu Jan 28 16:32:42 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 28 Jan 2016 17:32:42 +0100 Subject: [Freeipa-devel] [PATCH 0128] ipalib/cli.py: pythonify Collector class In-Reply-To: <56AA3C6B.5080403@redhat.com> References: <569D242C.2030903@redhat.com> <56A8DAFF.3080905@redhat.com> <56AA23BE.3070708@redhat.com> <56AA376F.1010102@redhat.com> <56AA3C6B.5080403@redhat.com> Message-ID: <56AA42AA.2010407@redhat.com> On 01/28/2016 05:06 PM, Tomas Babej wrote: > > > On 01/28/2016 04:44 PM, Martin Babinsky wrote: >> On 01/28/2016 03:20 PM, Tomas Babej wrote: >>> >>> >>> On 01/27/2016 03:58 PM, Martin Babinsky wrote: >>>> On 01/18/2016 06:43 PM, Martin Babinsky wrote: >>>>> A little patch that should make some future pylint errors disappear. >>>>> >>>>> >>>>> >>>> Attaching updated patch that does not promote direct molestation of >>>> instance dictionaries. >>>> >>>> >>>> >>> >>> Patch looks good, one thing I am concerned about though is that >>> __todict__ now returns a direct reference to the internal, mutable dict, >>> and no longer a (shallow) copy. >>> >>> Maybe we should use dict.copy() there? >>> >>> Tomas >>> >> >> Ah I didn't realize that. Fixed in updated patch. >> > > Nitpick: Sorry for being misleading - I did not mean to suggest invoking > the method using the dict type directly. While being equivalent, > > dict.copy(self.__options) > > is less idiomatic than: > > self.__options.copy() > > Tomas > Ah sorry I forgot how to python again. Attaching patch. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0128.3-ipalib-cli.py-pythonify-Collector-class.patch Type: text/x-patch Size: 1806 bytes Desc: not available URL: From pvomacka at redhat.com Thu Jan 28 16:55:28 2016
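The Collector thread above turns on one point: whether __todict__ hands the caller a reference to the collector's internal dict or a copy. The following is an added example written for this page, not FreeIPA's ipalib/cli.py Collector, that makes the aliasing visible and also shows the limit of the fix the thread settles on (self.__options.copy() is shallow, so mutable option values are still shared). The class and helper names are assumptions made for the example.

```python
"""Added example (not FreeIPA's ipalib/cli.py Collector): an options bag that
stores attributes in a private dict, with __todict__ returning a shallow copy
so callers cannot alias internal state. Class and helper names are assumptions.
"""
import copy


class LeakyCollector(object):
    """Attribute writes land in a private dict; __todict__ hands it out directly."""

    def __init__(self):
        object.__setattr__(self, "_options", {})

    def __setattr__(self, name, value):
        self._options[name] = value

    def __getattr__(self, name):
        # Only reached for names not found the normal way, i.e. collected options.
        try:
            return self._options[name]
        except KeyError:
            raise AttributeError(name)

    def __todict__(self):
        return self._options  # the caller now shares the collector's state


class Collector(LeakyCollector):
    """Same bag, but __todict__ returns a copy: top-level edits stay local."""

    def __todict__(self):
        return self._options.copy()


class DeepCollector(LeakyCollector):
    """Deep copy for when option values are themselves mutable (lists, dicts)."""

    def __todict__(self):
        return copy.deepcopy(self._options)


def toplevel_leak(collector_cls):
    """True if reassigning a key in __todict__()'s result changes the collector."""
    c = collector_cls()
    c.principal = "admin"
    opts = c.__todict__()
    opts["principal"] = "root"  # a caller post-processing the options
    return c.principal == "root"


def nested_leak(collector_cls):
    """True if mutating a list value in __todict__()'s result changes the collector."""
    c = collector_cls()
    c.groups = ["admins"]
    opts = c.__todict__()
    opts["groups"].append("trust admins")
    return c.groups == ["admins", "trust admins"]
```

The shallow copy is the right trade-off when option values are scalars, as in a CLI option collector; once values can be lists or dicts, the caller's edits reach back into the collector through the shared value objects and only a deep copy (or treating the returned dict as read-only) closes that path.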
From: pvomacka at redhat.com (Pavel Vomacka) Date: Thu, 28 Jan 2016 17:55:28 +0100 Subject: [Freeipa-devel] [PATCH] 0003 webui: Issue New Certificate dialogs validates data In-Reply-To: <56A9F99B.6090909@redhat.com> References: <56A9F99B.6090909@redhat.com> Message-ID: <56AA4800.60207@redhat.com> Hello, On 01/28/2016 12:20 PM, Pavel Vomacka wrote: > The 'Issue new certificate' dialog now validates whether the user fills in the 'principal' and 'csr' fields. > If one of these fields is empty, it does not allow submitting the dialog. > > https://fedorahosted.org/freeipa/ticket/5432 I'm sending an edited patch. One useless section is removed. The textarea for the CSR is moved to another section which has the same layout. The method for creating content was useless, too, so it is removed in this patch. -- Pavel Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0003-2-Add-validation-to-Issue-new-certificate-dialog.patch Type: text/x-patch Size: 4549 bytes Desc: not available URL: From pvoborni at redhat.com Thu Jan 28 18:28:17 2016
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 28 Jan 2016 19:28:17 +0100 Subject: [Freeipa-devel] New tool tips for Refresh, Revert, Undo and Undo All buttons In-Reply-To: <1126773777.16508720.1453726505512.JavaMail.zimbra@redhat.com> References: <1126773777.16508720.1453726505512.JavaMail.zimbra@redhat.com> Message-ID: <56AA5DC1.6050200@redhat.com> On 01/25/2016 01:55 PM, Pavel Vomacka wrote: > Hello everyone, > > I just made a patch for the > https://fedorahosted.org/freeipa/ticket/5428 ticket. The patch adds > tool tips to the buttons in detail views. The text of the new tool tips > is written in the comment of the ticket. > > Pavel Vomacka Intern > Hi, there are a few issues, NACK. 1. this patch uses tabs instead of spaces, the previous one was correct 2. code which focuses the first invalid field could be replaced by: widget_mod.focus_invalid(that); 3. there is a convention that field and widget names use the same name as the param, therefore 'textarea_cert' should be 'csr'. There is no convention for messages in html widget but it might be better to use a name reflecting purpose and not implementation. Instead of 'message_html_widget' use 'instructions' or just 'message' - consistent with spec option. Also I've filed: https://fedorahosted.org/freeipa/ticket/5652 -- Petr Vobornik From abokovoy at redhat.com Fri Jan 29 06:38:31 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 29 Jan 2016 08:38:31 +0200
Subject: [Freeipa-devel] [PATCH 154] ipa-kdb: map_groups() consider all results
In-Reply-To: <20160105185533.GK6480@p.redhat.com>
References: <20160105185533.GK6480@p.redhat.com>
Message-ID: <20160129063831.GU8506@redhat.com>

On Tue, 05 Jan 2016, Sumit Bose wrote:
>Hi,
>
>to find out to which local group an external user is mapped we do a
>dereference search over the external groups with the SIDs related to the
>external user. If a SID is mapped to more than one external group we
>currently consider only the first returned match. With this patch all
>results are taken into account. This makes sure all expected local group
>memberships are added to the PAC which resolves
>https://fedorahosted.org/freeipa/ticket/5573.

The code looks fine but I have not tested it. Hopefully, will do so in
between FOSDEM and devconf.cz.

--
/ Alexander Bokovoy

From slaznick at redhat.com Fri Jan 29 07:42:32 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Fri, 29 Jan 2016 08:42:32 +0100
Subject: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs
In-Reply-To: <56A7B365.6090608@redhat.com>
References: <5673F1F9.2030403@redhat.com> <56964AB1.1010902@redhat.com> <56975994.6040604@redhat.com> <5697AF06.3070805@redhat.com> <5697B7CD.6050607@redhat.com> <5697BBBA.60503@redhat.com> <5697C5E3.2010307@redhat.com> <5698EA71.2040105@redhat.com> <56A21F17.40406@redhat.com> <56A64223.4030809@redhat.com> <56A7B365.6090608@redhat.com>
Message-ID: <56AB17E8.4060804@redhat.com>

On 01/26/2016 06:56 PM, Martin Basti wrote:
>
>
> On 25.01.2016 16:41, Stanislav Laznicka wrote:
>> Hi,
>>
>> Worked those comments into the code. Also added a bit different info
>> message in clean_ruv with ca=True (ipa-replica-manage:430).
>>
>> Also adding steps to reproduce:
>> 1. Create a master and some replica (3 replicas is a good solution -
>> 1 with CA, 1 without, 1 to be dangling (with CA))
>> 2. Change domain level to 0 and ipactl restart
>> 3. Remove the "dangling-to-be" replica from masters.ipa.etc and from
>> both ipaca and domain subtrees in mapping tree.config
>> 4. Try to remove the dangling ruvs with the command
>>
>> Cheers,
>> Standa
>>
>>
>> On 01/22/2016 01:22 PM, Martin Basti wrote:
>>> Hello,
>>>
>>> I have a few comments
>>>
>>> PATCH Automatically detect and remove dangling RUVs
>>>
>>> 1)
>>> +    # get the Directory Manager password
>>> +    if options.dirman_passwd:
>>> +        dirman_passwd = options.dirman_passwd
>>> +    else:
>>> +        dirman_passwd = installutils.read_password('Directory Manager',
>>> +            confirm=False, validate=False, retry=False)
>>> +        if dirman_passwd is None:
>>> +            sys.exit('Directory Manager password is required')
>>> +
>>> +    options.dirman_passwd = dirman_passwd
>>>
>>> IMO you need only else branch here
>>>
>>> if not options.dirman_password:
>>>     dirman_passwd = installutils.read_password('Directory Manager',
>>>         confirm=False, validate=False, retry=False)
>>>     if dirman_passwd is None:
>>>         sys.exit('Directory Manager password is required')
>>>     options.dirman_passwd = dirman_passwd
>>>
>>>
>>> 2)
>>> We should use new formatting in new code (more times in code)
>>>
>>> +        sys.exit(
>>> +            "Failed to get data from '%s' while trying to list replicas: %s" %
>>> +            (host, e)
>>> +        )
>>>
>>> sys.exit(
>>>     "Failed to get data from '{host}' while trying to list replicas: {e}".format(
>>>         host=host, e=e
>>>     )
>>> )
>>>
>>> 3)
>>> +    # get all masters
>>> +    masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
>>> +                    ipautil.realm_to_suffix(realm))
>>>
>>> IMO you should use constants:
>>> masters_dn = DN(api.env.container_masters, api.env.basedn)
>>>
>>> 4)
>>> +    # Get realm string for config tree
>>> +    s = realm.split('.')
>>> +    s = ['dc={dc},'.format(dc=x.lower()) for x in s]
>>> +    realm_config = DN(('cn', ''.join(s)[0:-1]))
>>>
>>> Can be api.env.basedn used instead of this block of code?
>>>
>>> 5)
>>> +    masters = [x.single_value['cn'] for x in masters]
>>> ....
>>> +    for master in masters:
>>>
>>> is there any reason why not iterate over the keys in info dict?
>>>
>>> for master_name, master_data/values/whatever in info.items():
>>>     master_data['online'] = True
>>>
>>> Looks better than: info[master]['online'] = True
>>>
>>> 6)
>>> I asked python gurus, for empty lists and dicts, please use [] and
>>> {} instead of list() and dict()
>>> It is preferred and faster.
>>>
>>> 7)
>>> +            if(info[master]['ca']):
>>> +                entry = conn.get_entry(csreplica_dn)
>>> +                csruv = (master, entry.single_value.get('nsDS5ReplicaID'))
>>> +                if csruv not in csruvs:
>>> +                    csruvs.append(csruv)
>>>
>>> I don't like too much adding tuples into list and then doing search
>>> there, but it is as designed
>>>
>>> However can you use set() instead of list when the purpose of
>>> variable is only testing existence?
>>>
>>> related to:
>>> csruvs
>>> ruvs
>>> offlines
>>> clean_list
>>> cleaned
>>>
>>> 8)
>>> conn in finally block may be undefined
>>>
>>> 9)
>>> unused local variables
>>>
>>> clean_list
>>> entry on line 570
>>>
>>> 10)
>>> optional, comment what keys mean in info structure
>>>
>>
> Hello,
>
> 1)
> I accept your silence as the following code cannot use anything from
> api.env
> +    # Get realm string for config tree
> +    s = realm.split('.')
> +    s = ['dc={dc},'.format(dc=x.lower()) for x in s]
> +    realm_config = DN(('cn', ''.join(s)[0:-1]))
>
> but then please use:
> s = ['dc={dc}'.format(dc=x.lower()) for x in s]
> realm_config = DN(('cn', ','.join(s)))
>
> But I still think that api.env.basedn can be used, because it contains
> the same format as you need
> realm_config = DN(('cn', api.env.basedn))
>
Sorry, forgot to mention that in the last email. However, turns out you
are right. I didn't think DN works like this but it does, so this is now
in it.

> 2) nitpick
> ca_dn = DN(('cn', 'ca'), DN(master.dn))
>
> AFAIK can be just
>
> ca_dn = DN(('cn', 'ca'), master.dn)
>
My bad, fixed.

> 3) uber nitpick
> This is PEP8 valid, but somehow inconsistent with the rest of code and
> it hit my eyes
>
> print('\t\tid: {id}, hostname: {host}'
>       .format(id=csruv[1], host=csruv[0])
> )
>
> we use in code
>
> print(
>     something1,
>     something2
> )
>
> or
>
> print(something1,
>       something2)
>
And that shouldn't be there anymore, too :)

> Otherwise LGTM

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-stlaz-0011-1-Listing-and-cleaning-RUV-extended-for-CA-suffix.patch
Type: text/x-patch
Size: 5089 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-stlaz-0012-4-Automatically-detect-and-remove-dangling-RUVs.patch
Type: text/x-patch
Size: 8948 bytes
Desc: not available
URL:

From mbabinsk at redhat.com Fri Jan 29 08:01:32 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 29 Jan 2016 09:01:32 +0100
Subject: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
In-Reply-To: <569F4808.8070100@redhat.com>
References: <56967E77.8000604@redhat.com> <5696826C.2050300@redhat.com> <5697CD04.3010709@redhat.com> <569F4808.8070100@redhat.com>
Message-ID: <56AB1C5C.8020708@redhat.com>

On 01/20/2016 09:40 AM, Martin Babinsky wrote:
> On 01/14/2016 05:29 PM, Martin Babinsky wrote:
>> On 01/13/2016 05:59 PM, Rob Crittenden wrote:
>>> Martin Babinsky wrote:
>>>> fixes https://fedorahosted.org/freeipa/ticket/5584
>>>>
>>>> In order to ensure consistent behavior with ipa-client-install, I opted
>>>> to reuse the configure_openldap_conf() function and restoring the
>>>> config
>>>> from client sysrestore before modifying it.
>>>>
>>>> If you think this approach is not optimal please propose an alternative
>>>> solution.
>>>
>>> You could also just do an action set on URI to change the value, right?
>>> It would need a new function but it would be very small.
>>>
>>> If you do end up keeping this I'd want a new commit message for moving
>>> the code to include why you're moving it (to avoid the need to dereference
>>> the ticket).
>>>
>>> rob
>>>
>>
>> Here's the patch that implements the change in URI directive. Please
>> keep in mind that we not only have to change the URI to point to
>> ourselves, we also have to do it in a way consistent with
>> ipa-client-install, i.e. leave a comment with new URI if it was already
>> set by third party.
>>
>> Plain 'addifnotset' directive will not do, however, because then we end
>> up with two comments, one original, and one pointing to ourselves. Plain
>> 'set' may rewrite the URI set by user and thus we would have to test its
>> value anyway.
>>
>> The correct handling of these cases coupled with a way IPAChangeConf is
>> written results in a solution presented here.
>>
>> The fact that it is not much shorter than configure_openldap_conf and is
>> additionally pretty ugly (a fact at least partially caused by me not
>> being very fluent in IPAChangeConf usage) led me to the conclusion that
>> restoring original ldap.conf and reusing already written code for
>> reediting it anew with replica as URI is actually not that bad idea.
>>
>>
>>
>
> Bump for review/discussion.
>
Another bump.

--
Martin^3 Babinsky

From jcholast at redhat.com Fri Jan 29 08:25:25 2016
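As an added illustration of the URI policy discussed in this thread (this is not FreeIPA's IPAChangeConf code), a small Python function that never clobbers a URI set by a third party, records the replica's URI as a comment next to it, replaces a URI it wrote itself earlier, and stays idempotent so a re-run does not stack a second comment; the MARK and NOTE comment lines and the sample ldap.conf are constructed for this example.

```python
import re

# Constructed marker lines for this example (FreeIPA uses its own comments):
# MARK precedes a URI line we wrote ourselves, NOTE precedes the commented-out
# URI we leave behind when a third party had already set one.
MARK = '# URI set by IPA replica promotion'
NOTE = '# URI already set by a third party; the IPA replica would be:'

# Active (uncommented) URI directive; ldap.conf directives are case-insensitive.
URI_RE = re.compile(r'^\s*URI\s+(\S.*?)\s*$', re.IGNORECASE)


def point_ldap_conf_at(conf_text, new_uri):
    """Return conf_text with the URI directive pointed at new_uri.

    Policy from the thread: a URI set by someone else is never rewritten
    (a plain 'set' would clobber it); ours is left as a comment next to it,
    and re-running must not add a second comment (a plain 'addifnotset'
    would).  A URI we wrote on an earlier run is replaced; a missing URI is
    added.
    """
    lines = conf_text.splitlines()

    # 1. Drop whatever we wrote on a previous run (marker line + the line it
    #    tags).  This is what keeps the function idempotent.
    kept = []
    i = 0
    while i < len(lines):
        if i + 1 < len(lines) and (
                (lines[i] == MARK and URI_RE.match(lines[i + 1])) or
                (lines[i] == NOTE and lines[i + 1].startswith('#URI '))):
            i += 2
            continue
        kept.append(lines[i])
        i += 1

    # 2. Respect a third-party URI: keep it, record ours as a comment after it
    #    (nothing to record if it already points at us).
    for idx, line in enumerate(kept):
        match = URI_RE.match(line)
        if match:
            if match.group(1) != new_uri:
                kept[idx + 1:idx + 1] = [NOTE, '#URI ' + new_uri]
            return '\n'.join(kept) + '\n'

    # 3. No URI at all: add ours, tagged so a later run can recognise it.
    kept.extend([MARK, 'URI ' + new_uri])
    return '\n'.join(kept) + '\n'


if __name__ == '__main__':
    # Constructed sample ldap.conf whose URI was set by a third party.
    sample = 'BASE dc=example,dc=test\nURI ldap://corp-ldap.example.test\n'
    print(point_ldap_conf_at(sample, 'ldaps://replica.example.test'))
```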
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 29 Jan 2016 09:25:25 +0100
Subject: [Freeipa-devel] [PATCHES] 0761-0769 More Python3 fixes
In-Reply-To: <56A90086.30600@redhat.com>
References: <56A90086.30600@redhat.com>
Message-ID: <56AB21F5.40902@redhat.com>

Hi,

On 27.1.2016 18:38, Petr Viktorin wrote:
> Hello,
>
> Here is a mixed bag of Python 3 fixes.
> They fix some tests, and they should enable you to use `python3
> /usr/bin/ipa`.

Patch 761:

1) The "invalid 'my_number': " bit comes from IPA itself, shouldn't we
check at least that?


Patch 762:

1) We should handle UnicodeError here as well, in addition to TypeError:

                if k.lower() == 'negotiate':
                    try:
-                        token = base64.b64decode(v)
+                        token = base64.b64decode(v.encode('ascii'))
                        break
                    # b64decode raises TypeError on invalid input
                    except TypeError:

2) I would prefer if the encoding was specified explicitly here:

+        response = json_decode_binary(json.loads(response.decode()))


Patch 763:

1)

+        altname = altname

2) Nitpick, but could you please:

-    if isinstance(name_or_oid, unicode):
-        name_or_oid = name_or_oid.encode('utf-8')
+    if six.PY2:
+        if isinstance(name_or_oid, unicode):
+            name_or_oid = name_or_oid.encode('utf-8')

This way it's more visible that this is a py2-only thing.


Patch 764: LGTM


Patch 765:

1)

+import tempfile
+import tempfile


Patch 766-767: LGTM


Patch 768:

1) Only binascii.Error should be handled in int_to_bytes, the try-except
block is there just to handle odd-length strings.

2) I think you can just remove the library_path.encode(), it's there
because the original C code did the same thing, but don't think it's
necessary.


Patch 769: LGTM

Honza

--
Jan Cholasta

From jcholast at redhat.com Fri Jan 29 08:42:36 2016
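An added Python 3 example (not code from Petr Viktorin's patches) of the two review points above: decoding the Negotiate token with all three error classes handled, and an int_to_bytes() whose padding retry catches only binascii.Error. The function names are mine and the header values in the test are constructed; base64.b64decode(..., validate=True) is Python 3 only.

```python
import base64
import binascii


def extract_negotiate_token(www_authenticate_values):
    """Return the SPNEGO token bytes from a list of WWW-Authenticate header
    values, or None when no usable 'Negotiate <base64>' challenge is present.

    The decode catches all three failures the review distinguishes:
    TypeError (Python 2 on bad base64), binascii.Error (Python 3 on bad
    base64, a ValueError subclass) and UnicodeError (raised by the
    .encode('ascii') step on non-ASCII text, also a ValueError subclass).
    A malformed challenge is skipped instead of crashing the client.
    """
    for value in www_authenticate_values:
        parts = value.split(None, 1)
        if len(parts) != 2 or parts[0].lower() != 'negotiate':
            # bare "Negotiate" (the server's initial challenge) or another scheme
            continue
        try:
            # validate=True rejects characters outside the base64 alphabet
            # instead of silently discarding them.
            return base64.b64decode(parts[1].strip().encode('ascii'),
                                    validate=True)
        except (TypeError, binascii.Error, UnicodeError):
            continue
    return None


def int_to_bytes(num):
    """Big-endian bytes of a non-negative integer (constructed example).

    unhexlify() rejects an odd-length hex string with binascii.Error, which
    is the only error the padding retry is meant to catch; anything else is
    a real bug and must propagate instead of being masked.
    """
    if num < 0:
        raise ValueError('negative integers have no unsigned encoding')
    hex_str = '%x' % num
    try:
        return binascii.unhexlify(hex_str)
    except binascii.Error:
        # odd number of hex digits: pad with a leading zero and retry
        return binascii.unhexlify('0' + hex_str)
```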
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 29 Jan 2016 09:42:36 +0100 Subject: [Freeipa-devel] [PATCHES] 0761-0769 More Python3 fixes In-Reply-To: <56AB21F5.40902@redhat.com> References: <56A90086.30600@redhat.com> <56AB21F5.40902@redhat.com> Message-ID: <56AB25FC.5090505@redhat.com> On 29.1.2016 09:25, Jan Cholasta wrote: > Hi, > > On 27.1.2016 18:38, Petr Viktorin wrote: >> Hello, >> >> Here is a mixed bag of Python 3 fixes. >> They fix some tests, and they should enable you to use `python3 >> /usr/bin/ipa`. > > Patch 761: > > 1) The "invalid 'my_number': " bit comes from IPA itself, shouldn't we > check at least that? > > > Patch 762: > > 1) We should handle UnicodeError here as well, in addition to TypeError: > > if k.lower() == 'negotiate': > try: > - token = base64.b64decode(v) > + token = base64.b64decode(v.encode('ascii')) > break > # b64decode raises TypeError on invalid input > except TypeError: > > 2) I would prefer if the encoding was specified explicitly here: > > + response = json_decode_binary(json.loads(response.decode())) > > > Patch 763: > > 1) > > + altname = altname > > 2) Nitpick, but could you please: > > - if isinstance(name_or_oid, unicode): > - name_or_oid = name_or_oid.encode('utf-8') > + if six.PY2: > + if isinstance(name_or_oid, unicode): > + name_or_oid = name_or_oid.encode('utf-8') > > This way it's more visible that this is a py2-only thing. > > > Patch 764: LGTM > > > Patch 765: > > 1) > > +import tempfile > +import tempfile > > > Patch 766-767: LGTM > > > Patch 768: > > 1) Only binascii.Error should be handled in int_to_bytes, the try-except > block is there just to handle odd-length strings. > > 2) I think you can just remove the library_path.encode(), it's there > because the original C code did the same thing, but don't think it's > necessary. > > > Patch 769: LGTM Also, could you please reference in the patches? -- Jan Cholasta From mbasti at redhat.com Fri Jan 29 09:33:37 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 29 Jan 2016 10:33:37 +0100
Subject: [Freeipa-devel] [TEST][Patch 0020] Enabled recreation of test directory during ipa reinstallation
In-Reply-To: <56A0C831.6040909@redhat.com>
References: <56A0C831.6040909@redhat.com>
Message-ID: <56AB31F1.5050300@redhat.com>

On 21.01.2016 12:59, Oleg Fayans wrote:
>
> Hello,

1) I'm not sure if it is bug or it is related to this patch, but there is
missing symmetry in test_caless, I see there apply fixes but not unapply_fixes

ipatests/ipa-test-task:378: tasks.unapply_fixes(host)
ipatests/test_integration/tasks.py:201:def unapply_fixes(host):
ipatests/test_integration/tasks.py:646: unapply_fixes(host)
ipatests/test_integration/tasks.py:654: unapply_fixes(host)
ipatests/test_integration/tasks.py:997: unapply_fixes(replica)
ipatests/test_integration/test_legacy_clients.py:373: tasks.unapply_fixes(cls.legacy_client)

ipatests/test_integration/tasks.py:91:def apply_common_fixes(host, fix_resolv=True):
ipatests/test_integration/tasks.py:269: apply_common_fixes(host, fix_resolv=False)
ipatests/test_integration/tasks.py:320: apply_common_fixes(replica)
ipatests/test_integration/tasks.py:386: apply_common_fixes(client)
ipatests/test_integration/test_caless.py:101: tasks.apply_common_fixes(host)
ipatests/test_integration/test_legacy_clients.py:361: tasks.apply_common_fixes(cls.legacy_client)

2) IMO unapply_fixes is called twice for replica uninstall

    uninstall_master(replica)
+   unapply_fixes(replica)

uninstall_master calls unapply_fixes() too

3) what is purpose of prepare_host? I saw it used only in
test_forced_client_reenrollment.py
Which test was failing?

4) in test_forced_client_reenrollment.py there is direct call of prepare_host,
but this is also install_client that calls prepare_host too (added by your patch)

Martin

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbasti at redhat.com Fri Jan 29 09:43:41 2016
From: mbasti at redhat.com (Martin Basti) Date: Fri, 29 Jan 2016 10:43:41 +0100 Subject: [Freeipa-devel] [PATCH 0410] CI DNSSEC: fix zone delegation In-Reply-To: <56A61521.3090204@redhat.com> References: <56A25D0B.4080006@redhat.com> <56A34941.5020407@redhat.com> <56A61521.3090204@redhat.com> Message-ID: <56AB344D.2060205@redhat.com> On 25.01.2016 13:29, Martin Basti wrote: > > > On 23.01.2016 10:34, Petr Spacek wrote: >> On 22.1.2016 17:47, Martin Basti wrote: >>> - # make BIND happy, and delegate zone which contains A >>> record of master >>> + # make BIND happy: add the glue record and delegate zone >>> + args = [ >>> + "ipa", "dnsrecord-add", root_zone, >>> self.master.domain.name, >>> + "--a-rec=" + self.master.ip >>> + ] >>> + self.master.run_command(args) >>> + time.sleep(10) # sleep a bit until data are provided by >>> bind-dyndb-ldap >>> + >> LGTM, ACK. In the worst case it will not fix the test :-) >> > Pushed to: > ipa-4-3: 47422b0f3913e352cd28cac24128afed178701e8 > master: cdf08a0a869f83a6111d9560b69c582d2c04f89c > Here is better fix that should actually work in lab :) patch attached -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0410-DNSSEC-CI-fix-zone-delegations.patch Type: text/x-patch Size: 1462 bytes Desc: not available URL: From mbasti at redhat.com Fri Jan 29 09:48:00 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 29 Jan 2016 10:48:00 +0100
Subject: [Freeipa-devel] [PATCH 0411] upgrade: log to ipaupgrade.log if ipa is not installed
Message-ID: <56AB3550.6020409@redhat.com>

A missing record in ipaupgrade.log that the upgrade failed because IPA is not
installed makes debugging the upgrade from the log harder.

Patch attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0411-Upgrade-log-to-ipaupgrade.log-when-IPA-server-is-not.patch
Type: text/x-patch
Size: 1067 bytes
Desc: not available
URL:

From pvomacka at redhat.com Fri Jan 29 09:58:04 2016
From: pvomacka at redhat.com (Pavel Vomacka) Date: Fri, 29 Jan 2016 10:58:04 +0100 Subject: [Freeipa-devel] [PATCH] 0003 webui: Issue New Certificate dialogs validates data In-Reply-To: <56AA5DC1.6050200@redhat.com> References: <1126773777.16508720.1453726505512.JavaMail.zimbra@redhat.com> <56AA5DC1.6050200@redhat.com> Message-ID: <56AB37AC.1080006@redhat.com> On 01/28/2016 07:28 PM, Petr Vobornik wrote: > Hi, there are few issues, NACK. > > 1. this patch uses tabs instead of spaces, previous was correct Fixed. > > 2. code which focuses first invalid field could be replaced by: > widget_mod.focus_invalid(that); The old loop is replaced by this method. > > 3. there is a convention that field and widget names uses the same > name as the param, therefore 'textarea_cert' should be 'csr'. There is > no convention for messages in html widget but it might be better to > use a name reflecting purpose and not implementation. Instead of > 'message_html_widget' use 'instructions' or just 'message' - > consistent with spec option. > Fixed. I chose 'message' instead of 'message_html_widget'. > Also I've filed: https://fedorahosted.org/freeipa/ticket/5652 Pavel Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0003-3-Add-validation-to-Issue-new-certificate-dialog.patch Type: text/x-patch Size: 4426 bytes Desc: not available URL: From pspacek at redhat.com Fri Jan 29 10:10:03 2016 
From: pspacek at redhat.com (Petr Spacek) Date: Fri, 29 Jan 2016 11:10:03 +0100 Subject: [Freeipa-devel] [PATCH 0410] CI DNSSEC: fix zone delegation In-Reply-To: <56AB344D.2060205@redhat.com> References: <56A25D0B.4080006@redhat.com> <56A34941.5020407@redhat.com> <56A61521.3090204@redhat.com> <56AB344D.2060205@redhat.com> Message-ID: <56AB3A7B.3050409@redhat.com> On 29.1.2016 10:43, Martin Basti wrote: > > > On 25.01.2016 13:29, Martin Basti wrote: >> >> >> On 23.01.2016 10:34, Petr Spacek wrote: >>> On 22.1.2016 17:47, Martin Basti wrote: >>>> - # make BIND happy, and delegate zone which contains A record of >>>> master >>>> + # make BIND happy: add the glue record and delegate zone >>>> + args = [ >>>> + "ipa", "dnsrecord-add", root_zone, self.master.domain.name, >>>> + "--a-rec=" + self.master.ip >>>> + ] >>>> + self.master.run_command(args) >>>> + time.sleep(10) # sleep a bit until data are provided by >>>> bind-dyndb-ldap >>>> + >>> LGTM, ACK. In the worst case it will not fix the test :-) >>> >> Pushed to: >> ipa-4-3: 47422b0f3913e352cd28cac24128afed178701e8 >> master: cdf08a0a869f83a6111d9560b69c582d2c04f89c >> > > Here is better fix that should actually work in lab :) > patch attached ACK -- Petr^2 Spacek From mbasti at redhat.com Fri Jan 29 10:52:43 2016 
From: mbasti at redhat.com (Martin Basti) Date: Fri, 29 Jan 2016 11:52:43 +0100 Subject: [Freeipa-devel] [PATCH 0410] CI DNSSEC: fix zone delegation In-Reply-To: <56AB3A7B.3050409@redhat.com> References: <56A25D0B.4080006@redhat.com> <56A34941.5020407@redhat.com> <56A61521.3090204@redhat.com> <56AB344D.2060205@redhat.com> <56AB3A7B.3050409@redhat.com> Message-ID: <56AB447B.5010309@redhat.com> On 29.01.2016 11:10, Petr Spacek wrote: > On 29.1.2016 10:43, Martin Basti wrote: >> >> On 25.01.2016 13:29, Martin Basti wrote: >>> >>> On 23.01.2016 10:34, Petr Spacek wrote: >>>> On 22.1.2016 17:47, Martin Basti wrote: >>>>> - # make BIND happy, and delegate zone which contains A record of >>>>> master >>>>> + # make BIND happy: add the glue record and delegate zone >>>>> + args = [ >>>>> + "ipa", "dnsrecord-add", root_zone, self.master.domain.name, >>>>> + "--a-rec=" + self.master.ip >>>>> + ] >>>>> + self.master.run_command(args) >>>>> + time.sleep(10) # sleep a bit until data are provided by >>>>> bind-dyndb-ldap >>>>> + >>>> LGTM, ACK. In the worst case it will not fix the test :-) >>>> >>> Pushed to: >>> ipa-4-3: 47422b0f3913e352cd28cac24128afed178701e8 >>> master: cdf08a0a869f83a6111d9560b69c582d2c04f89c >>> >> Here is better fix that should actually work in lab :) >> patch attached > ACK > Pushed to: master: c5076452d6332284d11bae932ebac1464fe2578a ipa-4-3: 2eece8c16ae460db8b1f9e4019612128af399bf7 From pspacek at redhat.com Fri Jan 29 10:58:03 2016 
From: pspacek at redhat.com (Petr Spacek) Date: Fri, 29 Jan 2016 11:58:03 +0100 Subject: [Freeipa-devel] [TEST][Patch 0021] Fixed recent replica installation issues in the lab In-Reply-To: <56A898E5.9060202@redhat.com> References: <56A0D223.2060702@redhat.com> <56A0FC2C.2010004@redhat.com> <56A87E93.9030302@redhat.com> <56A898E5.9060202@redhat.com> Message-ID: <56AB45BB.3070102@redhat.com> On 27.1.2016 11:16, Oleg Fayans wrote: > Sorry, trailing whitespace detected. This version passes lint > > On 01/27/2016 09:23 AM, Oleg Fayans wrote: >> > Hi, >> > >> > On 01/21/2016 04:41 PM, Petr Spacek wrote: >>> >> Hello, >>> >> >>> >> On 21.1.2016 13:42, Oleg Fayans wrote: >>>> >>> freeipa-ofayans-0021-Removed-ip-address-option-from-replica-installation.patch >>>> >>> >>>> >>> >>>> >>> From d7ab06a4dcddb919fda351b983d478f1b6968578 Mon Sep 17 00:00:00 2001 >>>> >>> From: Oleg Fayans >>>> >>> Date: Thu, 21 Jan 2016 13:30:02 +0100 >>>> >>> Subject: [PATCH] Removed --ip-address option from replica installation >>>> >>> >>>> >>> Explicitly specifying ip-address of the replica messes up with the current >>>> >>> bind-dyndb-ldap logic, causing reverse zone not to be created. >>>> >>> >>>> >>> Enabled reverse-zone creation for the clients residing in different subnet from >>>> >>> master >>>> >>> --- >>>> >>> ipatests/test_integration/tasks.py | 19 ++++++++++++------- >>>> >>> 1 file changed, 12 insertions(+), 7 deletions(-) >>>> >>> >>>> >>> diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py >>>> >>> index 6eb55501389c72b4c7aaa599fd4852d7e8f1f3c2..43ef78b0c55deed24a0444f0ac6c38ddb2517481 100644 >>>> >>> --- a/ipatests/test_integration/tasks.py >>>> >>> +++ b/ipatests/test_integration/tasks.py 
>>>> >>> @@ -69,6 +69,8 @@ def prepare_reverse_zone(host, ip): >>>> >>> host.run_command(["ipa", >>>> >>> "dnszone-add", >>>> >>> zone], raiseonerr=False) >>>> >>> + return zone >>>> >>> + >>>> >>> >>>> >>> def prepare_host(host): >>>> >>> if isinstance(host, Host): >>>> >>> @@ -319,11 +321,8 @@ def domainlevel(host): >>>> >>> def replica_prepare(master, replica): >>>> >>> apply_common_fixes(replica) >>>> >>> fix_apache_semaphores(replica) >>>> >>> - prepare_reverse_zone(master, replica.ip) >>>> >>> - master.run_command(['ipa-replica-prepare', >>>> >>> - '-p', replica.config.dirman_password, >>>> >>> - '--ip-address', replica.ip, >>>> >>> - replica.hostname]) >>>> >>> + master.run_command(['ipa-replica-prepare', '-p', replica.config.dirman_password, >>>> >>> + '--auto-reverse', replica.hostname]) >>> >> >>> >> I guess that you will need --ip-address option in cases where master's reverse >>> >> record does not exist (yet). >> > And yo were right. Fixed >> > >>> >> >>> >> I would recommend you to test this in libvirt or somewhere without revere >>> >> records, I suspect that it might blow up. >>> >> >>>> >>> replica_bundle = master.get_file_contents( >>>> >>> paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname) >>>> >>> replica_filename = get_replica_filename(replica) >>>> >>> @@ -339,8 +338,7 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False, >>>> >>> # and replica installation would fail >>>> >>> args = ['ipa-replica-install', '-U', >>>> >>> '-p', replica.config.dirman_password, >>>> >>> - '-w', replica.config.admin_password, >>>> >>> - '--ip-address', replica.ip] >>>> >>> + '-w', replica.config.admin_password] >>>> >>> if setup_ca: >>>> >>> args.append('--setup-ca') >>>> >>> if setup_dns: 
>>>> >>> @@ -380,6 +378,13 @@ def install_client(master, client, extra_args=()): >>>> >>> client.collect_log(paths.IPACLIENT_INSTALL_LOG) >>>> >>> >>>> >>> apply_common_fixes(client) >>>> >>> + # Now, for the situations where a client resides in a different subnet from >>>> >>> + # master, we need to explicitly tell master to create a reverse zone for >>>> >>> + # the client and enable dynamic updates for this zone. >>>> >>> + allow_sync_ptr(master) >>>> >>> + zone = prepare_reverse_zone(master, client.ip) >>>> >>> + master.run_command(["ipa", "dnszone-mod", zone, >>>> >>> + "--dynamic-update=TRUE"], raiseonerr=False) >>> >> >>> >> I'm not a big fan of ignoring exceptions here, it might be better to >>> >> encapsulate the first command with try: except: and run the zone-mod only if >>> >> the add worked as expected. >>> >> >>> >> Also, logging an message that reverse zone was not added might be a good idea. >> > Agreed. Done. >> > >>> >> >>> >> HTH >>> >> >>> >> Petr^2 Spacek >>> >> >>> >> >>>> >>> >>>> >>> client.run_command(['ipa-client-install', '-U', >>>> >>> '--domain', client.domain.name, >>> >> >> > >> > >> > > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. > > > freeipa-ofayans-0021.2-Removed-ip-address-option-from-replica-installation.patch > > > From e70daf4ed9dfbac7e8ea75cb8e9ab0f2af12ad48 Mon Sep 17 00:00:00 2001 
> From: Oleg Fayans > Date: Wed, 27 Jan 2016 11:09:03 +0100 > Subject: [PATCH] Removed --ip-address option from replica installation > > Explicitly specifying ip-address of the replica messes up with the current > bind-dyndb-ldap logic, causing reverse zone not to be created. NACK The commit message and logic is incorrect. In fact it has nothing to do with bind-dyndb-ldap. Either: a] The zone already exists somewhere so you should not create it in IPA, and this --ip-address option is invalid. b] The zone does not exist yet and then --ip-address option is required. I do not see any logic around > '--ip-address', replica.ip, thus the NACK. In other words, network setup is job for a provisioning system. IPA needs to respect whatever the provisioning system did or did not do. Feel free to ask if something is unclear. (other comments inline) > > Enabled reverse-zone creation for the clients residing in different subnet from > master > --- > ipatests/test_integration/tasks.py | 20 +++++++++++++++----- > 1 file changed, 15 insertions(+), 5 deletions(-) > > diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py > index 6eb55501389c72b4c7aaa599fd4852d7e8f1f3c2..b8b7fcfcbbb1dc672349119bbbb4cdbbd68c54ec 100644 > --- a/ipatests/test_integration/tasks.py > +++ b/ipatests/test_integration/tasks.py > @@ -66,9 +66,13 @@ def check_arguments_are(slice, instanceof): > > def prepare_reverse_zone(host, ip): > zone = get_reverse_zone_default(ip) > - host.run_command(["ipa", > + result = host.run_command(["ipa", > "dnszone-add", > zone], raiseonerr=False) > + if result.returncode > 0: > + log.warn(result.stderr_text) > + return zone, result.returncode > + > > def prepare_host(host): > if isinstance(host, Host): 
> @@ -319,11 +323,10 @@ def domainlevel(host): > def replica_prepare(master, replica): > apply_common_fixes(replica) > fix_apache_semaphores(replica) > - prepare_reverse_zone(master, replica.ip) > master.run_command(['ipa-replica-prepare', > '-p', replica.config.dirman_password, > '--ip-address', replica.ip, > - replica.hostname]) > + '--auto-reverse', replica.hostname]) > replica_bundle = master.get_file_contents( > paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname) > replica_filename = get_replica_filename(replica) > @@ -339,8 +342,7 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False, > # and replica installation would fail > args = ['ipa-replica-install', '-U', > '-p', replica.config.dirman_password, > - '-w', replica.config.admin_password, > - '--ip-address', replica.ip] > + '-w', replica.config.admin_password] > if setup_ca: > args.append('--setup-ca') > if setup_dns: > @@ -380,6 +382,14 @@ def install_client(master, client, extra_args=()): > client.collect_log(paths.IPACLIENT_INSTALL_LOG) > > apply_common_fixes(client) > + # Now, for the situations where a client resides in a different subnet from > + # master, we need to explicitly tell master to create a reverse zone for > + # the client and enable dynamic updates for this zone. > + allow_sync_ptr(master) > + zone, error = prepare_reverse_zone(master, client.ip) > + if not error: > + master.run_command(["ipa", "dnszone-mod", zone, > + "--dynamic-update=TRUE"], raiseonerr=False) I believe that this call to dnszone-mod should use raiseonerr=True so you know that environment was not configured to accept dynamic updates. > > client.run_command(['ipa-client-install', '-U', > '--domain', client.domain.name, > -- 2.4.3 -- Petr^2 Spacek From lslebodn at redhat.com Fri Jan 29 11:12:19 2016 
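Review bot: in the prepare_reverse_zone hunk, `if result.returncode > 0` misses negative return codes (a command killed by a signal) and `log.warn` is the deprecated alias of `log.warning`; use `if result.returncode != 0: log.warning(result.stderr_text)`. Returning `zone, result.returncode` also changes the function's return value from None to a tuple, so any remaining caller that uses the result needs updating, and a caller that treats a non-zero code from dnszone-add as "no zone" will skip configuring a zone that already exists, which is the most likely reason for the add to fail.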
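Review bot: the replica_prepare hunk still passes `'--ip-address', replica.ip` to ipa-replica-prepare while the commit message says the option was removed; either drop it here as well or reword the commit message to say that only ipa-replica-install lost it. Because the same hunk removes the `prepare_reverse_zone(master, replica.ip)` call, the replica's reverse zone now depends entirely on `--auto-reverse`, and that dependency belongs in the commit message too.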
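Review bot: in the install_client hunk, `if not error:` skips `dnszone-mod ... --dynamic-update=TRUE` whenever dnszone-add returned non-zero, which includes the case where the reverse zone already exists, so dynamic updates are never enabled on a pre-existing zone and the client's PTR record is silently not synced; run dnszone-mod whenever the zone exists and, as Petr says, with `raiseonerr=True` so an environment that refuses dynamic updates fails the test instead of hiding the error. The result of `allow_sync_ptr(master)` is not checked either.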
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 29 Jan 2016 12:12:19 +0100
Subject: [Freeipa-devel] [PATCH] IPA-SAM: Fix build with samba 4.4
Message-ID: <20160129111218.GD24839@mail.corp.redhat.com>

ehlo,

attached patch should fix build on fedora-24. It blocks static analysis scan.
Even though it unblocks build on fedora-24 the solution is not ideal.
It's possible that some changes need to be done in samba side as well.
(missing prototypes for trim_string, smb_xstrdup)

LS

-------------- next part --------------
>From f9057ca98557094a4db84ac072ee9efd02a4ff79 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Fri, 29 Jan 2016 10:40:18 +0100
Subject: [PATCH 1/3] IPA-SAM: Fix build with samba 4.4

samba_util.h is not shipped with samba-4.4 and it was indirectly
included by "ndr.h"

Some functions have prototypes in different header file
"util/talloc_stack.h" and others do not have declarations in other
header file. But they are still part of libsamba-util.so

sh$ objdump -T /usr/lib64/libsamba-util.so.0.0.1 | grep -E "trim_s|xstrdup"
0000000000022200 g DF .text 000000000000001f SAMBA_UTIL_0.0.1 smb_xstrdup
00000000000223b0 g DF .text 000000000000019d SAMBA_UTIL_0.0.1 trim_string

ipa_sam.c: In function 'ldapsam_uid_to_sid':
ipa_sam.c:836:24: warning: implicit declaration of function 'talloc_stackframe' [-Wimplicit-function-declaration]
  TALLOC_CTX *tmp_ctx = talloc_stackframe();
                        ^
ipa_sam.c: In function 'pdb_init_ipasam':
ipa_sam.c:4493:2: warning: implicit declaration of function 'trim_string' [-Wimplicit-function-declaration]
  trim_string( uri, "\"", "\"" );
  ^
ipa_sam.c:4580:26: warning: implicit declaration of function 'smb_xstrdup' [-Wimplicit-function-declaration]
  ldap_state->domain_dn = smb_xstrdup(dn);
                          ^
---
 daemons/ipa-sam/ipa_sam.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 7274d600b532f1066661e8a614a47eea7632ed70..871775b0a19e9c273652ff7a0b497d86bb866aa6 100644
--- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -19,6 +19,12 @@ #include #include #include +#include + +#ifndef _SAMBA_UTIL_H_ +bool trim_string(char *s, const char *front, const char *back); +char *smb_xstrdup(const char *s); +#endif #include #include -- 2.5.0 From mkosek at redhat.com Fri Jan 29 11:12:41 2016 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 29 Jan 2016 12:12:41 +0100 Subject: [Freeipa-devel] [PATCH 0411] upgrade: log to ipaupgrade.log if ipa is not installed In-Reply-To: <56AB3550.6020409@redhat.com> References: <56AB3550.6020409@redhat.com> Message-ID: <56AB4929.3030003@redhat.com> On 01/29/2016 10:48 AM, Martin Basti wrote: > Missing record in ipaupgrade.log that upgrade failed because IPA is not > installed, causes harder time to debugging upgrade from log. > > Patch attached. I am thinking that in these general catch-all clauses, it could be also useful to print the stack trace in the DEBUG log, especially for the cases when the exception is re-raised to some general one, like here: try: data_upgrade.create_instance() ... except RuntimeError: raise RuntimeError('IPA upgrade failed.', 1) From lslebodn at redhat.com Fri Jan 29 11:15:41 2016 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Fri, 29 Jan 2016 12:15:41 +0100 Subject: [Freeipa-devel] [PATCH 2/3] ASN1: Fix warning Wpointer-to-int-cast Message-ID: <20160129111541.GE24839@mail.corp.redhat.com> ehlo, the first patch is very simple and it just suppress warning. The second patch is either bug or dead code. I fixed it as a bug. I'm not sure how to test 2nd patch. LS -------------- next part -------------- >From 49b9cd2f037f52d5095acc0d05ee1684ebb6a121 Mon Sep 17 00:00:00 2001 
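Review bot: in the ipa_sam.c hunk of PATCH 1/3, the hand-written prototypes for trim_string() and smb_xstrdup() behind `#ifndef _SAMBA_UTIL_H_` duplicate declarations that belong to libsamba-util, so if Samba ever changes either signature the compiler can no longer catch the mismatch and the call sites (ipa_sam.c:4493 and ipa_sam.c:4580 in the warnings quoted above) would silently build against the wrong ABI. Prefer a configure-time check (for example AC_CHECK_DECLS for the two functions with the Samba headers included) that emits the prototypes only when Samba really does not ship them, and add a comment naming the Samba version being worked around so the block can be removed once Samba exports the declarations again; the cover letter already concedes the fix is not ideal, and the commit message should say the same.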
From: Lukas Slebodnik
Date: Fri, 29 Jan 2016 11:52:08 +0100
Subject: [PATCH 2/3] ASN1: Fix warning Wpointer-to-int-cast

The cast operator "()" has higher priority than the ternary operator "?:"
and therefore the first argument of the ternary operator (pointer) was cast
to "int" and then interpreted as a boolean value.

I think we wanted to cast the value of the ternary operator to type int.
However it's not necessary because both branches have type int.
---
 asn1/asn1c/constr_SET_OF.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/asn1/asn1c/constr_SET_OF.c b/asn1/asn1c/constr_SET_OF.c
index 09f27db53dada6869accd8dbb3aba0f56b49e00b..312cfc2e91d3cc710bc26a12322828c00e400b9b 100644
--- a/asn1/asn1c/constr_SET_OF.c
+++ b/asn1/asn1c/constr_SET_OF.c
@@ -904,7 +904,7 @@ SET_OF_decode_uper(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, nelems = uper_get_length(pd, ct ? ct->effective_bits : -1, &repeat); ASN_DEBUG("Got to decode %d elements (eff %d)", - (int)nelems, (int)ct ? ct->effective_bits : -1); + (int)nelems, ct ? ct->effective_bits : -1); if(nelems < 0) _ASN_DECODE_STARVED; }
--
2.5.0

-------------- next part --------------
>From fae6c79b65be4b21859f703dbcb7cfbb20286070 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Fri, 29 Jan 2016 11:56:23 +0100
Subject: [PATCH 3/3] ASN1: Fix warning Wunused-value

The operator "equal to" was used, but there should be an assignment.
---
 asn1/asn1c/constr_SET_OF.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/asn1/asn1c/constr_SET_OF.c b/asn1/asn1c/constr_SET_OF.c
index 312cfc2e91d3cc710bc26a12322828c00e400b9b..0d5efa4f83c189887822f4012fd2a500faf04ae4 100644
--- a/asn1/asn1c/constr_SET_OF.c
+++ b/asn1/asn1c/constr_SET_OF.c
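Review bot: the PATCH 2/3 hunk in constr_SET_OF.c (`@@ -904,7 +904,7 @@`) is the right fix, but the commit message should say what was actually wrong rather than only that a cast was redundant: `(int)ct ? ct->effective_bits : -1` truncated the `ct` pointer to `int` and used the truncated value as the condition, so a non-NULL `ct` whose low bits happened to be zero would have printed -1 instead of `ct->effective_bits`. The real decode on the line above, `uper_get_length(pd, ct ? ct->effective_bits : -1, &repeat)`, already had the correct form, so only the ASN_DEBUG output was affected and this change is behaviour-neutral outside debug builds; stating that explicitly keeps anyone from reading it as a decoder change.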
@@ -921,7 +921,7 @@ SET_OF_decode_uper(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, ASN_DEBUG("Failed to add element into %s", td->name); /* Fall through */ - rv.code == RC_FAIL; + rv.code = RC_FAIL; } else { ASN_DEBUG("Failed decoding %s of %s (SET OF)", elm->type->name, td->name);
--
2.5.0

From mkosek at redhat.com Fri Jan 29 11:17:24 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 29 Jan 2016 12:17:24 +0100
Subject: [Freeipa-devel] [PATCH 2/3] ASN1: Fix warning Wpointer-to-int-cast
In-Reply-To: <20160129111541.GE24839@mail.corp.redhat.com>
References: <20160129111541.GE24839@mail.corp.redhat.com>
Message-ID: <56AB4A44.3030904@redhat.com>

On 01/29/2016 12:15 PM, Lukas Slebodnik wrote:
> ehlo,
>
> the first patch is very simple and it just suppresses a warning.
> The second patch is either a bug or dead code. I fixed it as a bug.
> I'm not sure how to test the 2nd patch.
>
> LS

Thanks. But isn't this the code generated by the asn1 tool? Maybe it would be
better to fix the tool, or maybe regenerate it with a newer version of the
tool? Otherwise the improvements will get lost.

From lslebodn at redhat.com Fri Jan 29 11:31:48 2016
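Review bot: the PATCH 3/3 hunk (`@@ -921,7 +921,7 @@` in constr_SET_OF.c) fixes a real bug, not dead code, so treating it as a bug was the right call: `rv.code == RC_FAIL;` is a comparison whose result is discarded, so `rv.code` kept the value it had after the element was successfully decoded, and the "Failed to add element" path returned to the caller with a success code even though the element was never added to the set; with the assignment, the add failure now propagates as RC_FAIL. On the "how to test" question: that branch is only reachable when adding the decoded element to the set fails, so it is a fault-injection test (force the set-add step to fail and check that the decoder reports RC_FAIL instead of returning a silently truncated SET OF), not something a crafted input reaches on its own. The `/* Fall through */` comment right above the assignment is also misleading, since there is no switch fall-through there; both points are moot if the generated sources are replaced wholesale, as Martin suggests.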
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 29 Jan 2016 12:31:48 +0100
Subject: [Freeipa-devel] [PATCH] IPA-SAM: Fix build with samba 4.4
In-Reply-To: <20160129111218.GD24839@mail.corp.redhat.com>
References: <20160129111218.GD24839@mail.corp.redhat.com>
Message-ID: <20160129113147.GF24839@mail.corp.redhat.com>

On (29/01/16 12:12), Lukas Slebodnik wrote:
>ehlo,
>
>attached patch should fix build on fedora-24.
>It blocks static analysis scan.
>
>Even though it unblocks build on fedora-24
>the solution is not ideal. It's possible that some changes
>need to be done in samba side as well.
>(missing prototypes for trim_string, smb_xstrdup)
>
>LS

BTW there is also another issue in IPA-SAM.
The value of the macro LDAP_PAGE_SIZE has changed and therefore there is a warning.

ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined
 #define LDAP_PAGE_SIZE 1024
 ^
In file included from /usr/include/samba-4.0/smbldap.h:24:0,
                 from ipa_sam.c:31:
/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the previous definition
 #define LDAP_PAGE_SIZE 1000

LS
From lslebodn at redhat.com Fri Jan 29 11:48:36 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 29 Jan 2016 12:48:36 +0100
Subject: [Freeipa-devel] [PATCH 2/3] ASN1: Fix warning Wpointer-to-int-cast
In-Reply-To: <56AB4A44.3030904@redhat.com>
References: <20160129111541.GE24839@mail.corp.redhat.com> <56AB4A44.3030904@redhat.com>
Message-ID: <20160129114832.GG24839@mail.corp.redhat.com>

On (29/01/16 12:17), Martin Kosek wrote:
>On 01/29/2016 12:15 PM, Lukas Slebodnik wrote:
>> ehlo,
>>
>> the first patch is very simple and it just suppresses a warning.
>> The second patch is either a bug or dead code. I fixed it as a bug.
>> I'm not sure how to test the 2nd patch.
>>
>> LS
>
>Thanks. But isn't this the code generated by the asn1 tool? Maybe it would be
>better to fix the tool, or maybe regenerate it with a newer version of the
>tool? Otherwise the improvements will get lost.
>

As you wish. Updated patch is attached.

LS
-------------- next part --------------
>From 47ca1fddb778c9aa68fb82f70458364a77d66aea Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Fri, 29 Jan 2016 12:44:19 +0100
Subject: [PATCH 2/2] ASN1: Regenerate code with new tool asn1c-0.9.27

asn1c-0.9.27 generates code without compiler warnings and fixes
dead-code/bug

constr_SET_OF.c: In function 'SET_OF_decode_uper':
constr_SET_OF.c:907:18: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
   (int)nelems, (int)ct ? ct->effective_bits : -1);
                ^
constr_SET_OF.c:924:5: warning: statement with no effect [-Wunused-value]
     rv.code == RC_FAIL;
     ^
---
 asn1/asn1c/BIT_STRING.c       |   9 +-
 asn1/asn1c/GKCurrentKeys.c    |   6 +-
 asn1/asn1c/GKCurrentKeys.h    |   3 +-
 asn1/asn1c/GKNewKeys.c        |  12 +-
 asn1/asn1c/GKNewKeys.h        |   3 +-
 asn1/asn1c/GKReply.c          |   8 +-
 asn1/asn1c/GKReply.h          |   3 +-
 asn1/asn1c/GetKeytabControl.c |  10 +-
 asn1/asn1c/GetKeytabControl.h |   3 +-
 asn1/asn1c/INTEGER.c          | 466 +++++++++++++++++++++++++++++-------------
 asn1/asn1c/INTEGER.h          |  17 ++
 asn1/asn1c/Int32.c            |   7 +-
 asn1/asn1c/Int32.h            |   3 +-
 asn1/asn1c/KrbKey.c           |  10 +-
 asn1/asn1c/KrbKey.h           |   3 +-
 asn1/asn1c/NativeEnumerated.c |  11 +-
 asn1/asn1c/NativeInteger.c    |  32 ++-
 asn1/asn1c/OCTET_STRING.c     | 449 +++++++++++++++++++++++++++++++---------
 asn1/asn1c/OCTET_STRING.h     |   8 +-
 asn1/asn1c/TypeValuePair.c    |   8 +-
 asn1/asn1c/TypeValuePair.h    |   3 +-
 asn1/asn1c/asn_codecs.h       |   4 +-
 asn1/asn1c/asn_codecs_prim.c  |  43 ++--
 asn1/asn1c/asn_internal.h     |  27 ++-
 asn1/asn1c/asn_system.h       |  35 +++-
 asn1/asn1c/ber_decoder.c      |   2 +-
 asn1/asn1c/ber_decoder.h      |   1 +
 asn1/asn1c/constr_CHOICE.c    |  70 ++++---
 asn1/asn1c/constr_SEQUENCE.c  | 253 +++++++++++++++++++----
 asn1/asn1c/constr_SET_OF.c    |  17 +-
 asn1/asn1c/der_encoder.h      |   1 +
 asn1/asn1c/per_decoder.c      |  38 ++++
 asn1/asn1c/per_decoder.h      |  14 +-
 asn1/asn1c/per_encoder.c      | 136 ++++++++----
 asn1/asn1c/per_encoder.h      |  24 ++-
 asn1/asn1c/per_opentype.c     | 378 ++++++++++++++++++++++++++++++++++
 asn1/asn1c/per_opentype.h     |  22 ++
 asn1/asn1c/per_support.c      | 207 +++++++++++++++++--
 asn1/asn1c/per_support.h      |  38 +++-
 asn1/asn1c/xer_decoder.c      |  14 +-
asn1/asn1c/xer_decoder.h | 7 +- 41 files changed, 1931 insertions(+), 474 deletions(-) create mode 100644 asn1/asn1c/per_opentype.c create mode 100644 asn1/asn1c/per_opentype.h diff --git a/asn1/asn1c/BIT_STRING.c b/asn1/asn1c/BIT_STRING.c index 6469d4fd2c8782048e228c19e67950f3b2dc1305..9b9827127b7ba438676630efef975e0e80ac45aa 100644 --- a/asn1/asn1c/BIT_STRING.c +++ b/asn1/asn1c/BIT_STRING.c @@ -15,7 +15,7 @@ static ber_tlv_tag_t asn_DEF_BIT_STRING_tags[] = { static asn_OCTET_STRING_specifics_t asn_DEF_BIT_STRING_specs = { sizeof(BIT_STRING_t), offsetof(BIT_STRING_t, _asn_ctx), - 1, /* Special indicator that this is a BIT STRING type */ + ASN_OSUBV_BIT }; asn_TYPE_descriptor_t asn_DEF_BIT_STRING = { "BIT STRING", @@ -50,14 +50,15 @@ BIT_STRING_constraint(asn_TYPE_descriptor_t *td, const void *sptr, const BIT_STRING_t *st = (const BIT_STRING_t *)sptr; if(st && st->buf) { - if(st->size == 1 && st->bits_unused) { - _ASN_CTFAIL(app_key, td, + if((st->size == 0 && st->bits_unused) + || st->bits_unused < 0 || st->bits_unused > 7) { + _ASN_CTFAIL(app_key, td, sptr, "%s: invalid padding byte (%s:%d)", td->name, __FILE__, __LINE__); return -1; } } else { - _ASN_CTFAIL(app_key, td, + _ASN_CTFAIL(app_key, td, sptr, "%s: value not given (%s:%d)", td->name, __FILE__, __LINE__); return -1; diff --git a/asn1/asn1c/GKCurrentKeys.c b/asn1/asn1c/GKCurrentKeys.c index abcc53130d64259d0f2947b04412b4b769bb4360..bc7c1aacabdad433abeab83ddb43ba405aaff14b 100644 --- a/asn1/asn1c/GKCurrentKeys.c +++ b/asn1/asn1c/GKCurrentKeys.c @@ -1,12 +1,10 @@ /* - * Generated by asn1c-0.9.21 (http://lionet.info/asn1c) + * Generated by asn1c-0.9.27 (http://lionet.info/asn1c) * From ASN.1 module "KeytabModule" * found in "ipa.asn1" * `asn1c -fskeletons-copy` */ -#include - #include "GKCurrentKeys.h" static asn_TYPE_member_t asn_MBR_GKCurrentKeys_1[] = { 
@@ -24,7 +22,7 @@ static ber_tlv_tag_t asn_DEF_GKCurrentKeys_tags_1[] = { (ASN_TAG_CLASS_UNIVERSAL | (16 << 2)) }; static asn_TYPE_tag2member_t asn_MAP_GKCurrentKeys_tag2el_1[] = { - { (ASN_TAG_CLASS_CONTEXT | (0 << 2)), 0, 0, 0 } /* serviceIdentity at 19 */ + { (ASN_TAG_CLASS_CONTEXT | (0 << 2)), 0, 0, 0 } /* serviceIdentity */ }; static asn_SEQUENCE_specifics_t asn_SPC_GKCurrentKeys_specs_1 = { sizeof(struct GKCurrentKeys), diff --git a/asn1/asn1c/GKCurrentKeys.h b/asn1/asn1c/GKCurrentKeys.h index 7ec4e4c60dd5c605bec311f713e33630dedaca58..d1c318630bc2eaab8a21cfd8393c1e6936bec2f7 100644 --- a/asn1/asn1c/GKCurrentKeys.h +++ b/asn1/asn1c/GKCurrentKeys.h @@ -1,5 +1,5 @@ /* - * Generated by asn1c-0.9.21 (http://lionet.info/asn1c) + * Generated by asn1c-0.9.27 (http://lionet.info/asn1c) * From ASN.1 module "KeytabModule" * found in "ipa.asn1" * `asn1c -fskeletons-copy` @@ -35,3 +35,4 @@ extern asn_TYPE_descriptor_t asn_DEF_GKCurrentKeys; #endif #endif /* _GKCurrentKeys_H_ */ +#include diff --git a/asn1/asn1c/GKNewKeys.c b/asn1/asn1c/GKNewKeys.c index 35ebcf245c25c02572377381ba3418f3f8488fd7..a3001ac93eba492a38c610e04485bccf7c90ac16 100644 --- a/asn1/asn1c/GKNewKeys.c +++ b/asn1/asn1c/GKNewKeys.c @@ -1,12 +1,10 @@ /* - * Generated by asn1c-0.9.21 (http://lionet.info/asn1c) + * Generated by asn1c-0.9.27 (http://lionet.info/asn1c) * From ASN.1 module "KeytabModule" * found in "ipa.asn1" * `asn1c -fskeletons-copy` */ -#include - #include "GKNewKeys.h" static asn_TYPE_member_t asn_MBR_enctypes_3[] = { @@ -66,7 +64,7 @@ static asn_TYPE_member_t asn_MBR_GKNewKeys_1[] = { }, { ATF_NOFLAGS, 0, offsetof(struct GKNewKeys, enctypes), (ASN_TAG_CLASS_CONTEXT | (1 << 2)), - +1, /* EXPLICIT tag at current level */ + 0, &asn_DEF_enctypes_3, 0, /* Defer constraints checking to the member type */ 0, /* PER is not compiled, use -gen-PER */ 
@@ -87,9 +85,9 @@ static ber_tlv_tag_t asn_DEF_GKNewKeys_tags_1[] = { (ASN_TAG_CLASS_UNIVERSAL | (16 << 2)) }; static asn_TYPE_tag2member_t asn_MAP_GKNewKeys_tag2el_1[] = { - { (ASN_TAG_CLASS_CONTEXT | (0 << 2)), 0, 0, 0 }, /* serviceIdentity at 13 */ - { (ASN_TAG_CLASS_CONTEXT | (1 << 2)), 1, 0, 0 }, /* enctypes at 14 */ - { (ASN_TAG_CLASS_CONTEXT | (2 << 2)), 2, 0, 0 } /* password at 15 */ + { (ASN_TAG_CLASS_CONTEXT | (0 << 2)), 0, 0, 0 }, /* serviceIdentity */ + { (ASN_TAG_CLASS_CONTEXT | (1 << 2)), 1, 0, 0 }, /* enctypes */ + { (ASN_TAG_CLASS_CONTEXT | (2 << 2)), 2, 0, 0 } /* password */ }; static asn_SEQUENCE_specifics_t asn_SPC_GKNewKeys_specs_1 = { sizeof(struct GKNewKeys), diff --git a/asn1/asn1c/GKNewKeys.h b/asn1/asn1c/GKNewKeys.h index 2cd158dff9c36cd6f632448235e889f3c8ab937f..6b2a0df59fd34c27f24968639aff964b369bbdc9 100644 --- a/asn1/asn1c/GKNewKeys.h +++ b/asn1/asn1c/GKNewKeys.h @@ -1,5 +1,5 @@ /* - * Generated by asn1c-0.9.21 (http://lionet.info/asn1c) + * Generated by asn1c-0.9.27 (http://lionet.info/asn1c) * From ASN.1 module "KeytabModule" * found in "ipa.asn1" * `asn1c -fskeletons-copy` @@ -45,3 +45,4 @@ extern asn_TYPE_descriptor_t asn_DEF_GKNewKeys; #endif #endif /* _GKNewKeys_H_ */ +#include diff --git a/asn1/asn1c/GKReply.c b/asn1/asn1c/GKReply.c index 220c791e2d84b2ea9d889307403bc2b64781f3ce..85fdfa37903feb1f2e8888f8a696982c2286df81 100644 --- a/asn1/asn1c/GKReply.c +++ b/asn1/asn1c/GKReply.c @@ -1,12 +1,10 @@ /* - * Generated by asn1c-0.9.21 (http://lionet.info/asn1c) + * Generated by asn1c-0.9.27 (http://lionet.info/asn1c) * From ASN.1 module "KeytabModule" * found in "ipa.asn1" * `asn1c -fskeletons-copy` */ -#include - #include "GKReply.h" static asn_TYPE_member_t asn_MBR_keys_3[] = { 
@@ -77,8 +75,8 @@ static ber_tlv_tag_t asn_DEF_GKReply_tags_1[] = { (ASN_TAG_CLASS_UNIVERSAL | (16 << 2)) }; static asn_TYPE_tag2member_t asn_MAP_GKReply_tag2el_1[] = { - { (ASN_TAG_CLASS_UNIVERSAL | (2 << 2)), 0, 0, 0 }, /* newkvno at 23 */ - { (ASN_TAG_CLASS_UNIVERSAL | (16 << 2)), 1, 0, 0 } /* keys at 25 */ + { (ASN_TAG_CLASS_UNIVERSAL | (2 << 2)), 0, 0, 0 }, /* newkvno */ + { (ASN_TAG_CLASS_UNIVERSAL | (16 << 2)), 1, 0, 0 } /* keys */ }; static asn_SEQUENCE_specifics_t asn_SPC_GKReply_specs_1 = { sizeof(struct GKReply), diff --git a/asn1/asn1c/GKReply.h b/asn1/asn1c/GKReply.h index 7f058f6bf481ee2e570138f06fdef3d913949e9f..70a9c9698e86a1582dd7687f931d6b1af1bf0bdf 100644 --- a/asn1/asn1c/GKReply.h +++ b/asn1/asn1c/GKReply.h @@ -1,5 +1,5 @@ /* - * Generated by asn1c-0.9.21 (http://lionet.info/asn1c) + * Generated by asn1c-0.9.27 (http://lionet.info/asn1c) * From ASN.1 module "KeytabModule" * found in "ipa.asn1" * `asn1c -fskeletons-copy` @@ -49,3 +49,4 @@ extern asn_TYPE_descriptor_t asn_DEF_GKReply; #include "KrbKey.h" #endif /* _GKReply_H_ */ +#include diff --git a/asn1/asn1c/GetKeytabControl.c b/asn1/asn1c/GetKeytabControl.c index 65b55d1ef34e31b81ef7b751608da4cc6c12020c..8ce4750cbe3114b6456ca4044221f3d90225b742 100644 --- a/asn1/asn1c/GetKeytabControl.c +++ b/asn1/asn1c/GetKeytabControl.c @@ -1,12 +1,10 @@ /* - * Generated by asn1c-0.9.21 (http://lionet.info/asn1c) + * Generated by asn1c-0.9.27 (http://lionet.info/asn1c) * From ASN.1 module "KeytabModule" * found in "ipa.asn1" * `asn1c -fskeletons-copy` */ -#include - #include "GetKeytabControl.h" static asn_TYPE_member_t asn_MBR_GetKeytabControl_1[] = { 
@@ -39,9 +37,9 @@ static asn_TYPE_member_t asn_MBR_GetKeytabControl_1[] = { }, }; static asn_TYPE_tag2member_t asn_MAP_GetKeytabControl_tag2el_1[] = { - { (ASN_TAG_CLASS_CONTEXT | (0 << 2)), 0, 0, 0 }, /* newkeys at 7 */ - { (ASN_TAG_CLASS_CONTEXT | (1 << 2)), 1, 0, 0 }, /* curkeys at 8 */ - { (ASN_TAG_CLASS_CONTEXT | (2 << 2)), 2, 0, 0 } /* reply at 10 */ + { (ASN_TAG_CLASS_CONTEXT | (0 << 2)), 0, 0, 0 }, /* newkeys */ + { (ASN_TAG_CLASS_CONTEXT | (1 << 2)), 1, 0, 0 }, /* curkeys */ + { (ASN_TAG_CLASS_CONTEXT | (2 << 2)), 2, 0, 0 } /* reply */ }; static asn_CHOICE_specifics_t asn_SPC_GetKeytabControl_specs_1 = { sizeof(struct GetKeytabControl), diff --git a/asn1/asn1c/GetKeytabControl.h b/asn1/asn1c/GetKeytabControl.h index 5f5fcd22e74f65e9356be886520b8ddd3cac348c..fc012c8461052b7225db148e40e46de314468cb0 100644 --- a/asn1/asn1c/GetKeytabControl.h +++ b/asn1/asn1c/GetKeytabControl.h @@ -1,5 +1,5 @@ /* - * Generated by asn1c-0.9.21 (http://lionet.info/asn1c) + * Generated by asn1c-0.9.27 (http://lionet.info/asn1c) * From ASN.1 module "KeytabModule" * found in "ipa.asn1" * `asn1c -fskeletons-copy` @@ -50,3 +50,4 @@ extern asn_TYPE_descriptor_t asn_DEF_GetKeytabControl; #endif #endif /* _GetKeytabControl_H_ */ +#include diff --git a/asn1/asn1c/INTEGER.c b/asn1/asn1c/INTEGER.c index 9c8b9ed3a5d778c30185842ca04cc5d8f9ca058b..38ddb60bd19bf59e491636d53e01df24aef6be58 100644 --- a/asn1/asn1c/INTEGER.c +++ b/asn1/asn1c/INTEGER.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2003, 2004, 2005, 2006 Lev Walkin . + * Copyright (c) 2003-2014 Lev Walkin . * All rights reserved. * Redistribution and modifications are permitted subject to BSD license. */ 
@@ -24,8 +24,13 @@ asn_TYPE_descriptor_t asn_DEF_INTEGER = { INTEGER_encode_der, INTEGER_decode_xer, INTEGER_encode_xer, +#ifdef ASN_DISABLE_PER_SUPPORT + 0, + 0, +#else INTEGER_decode_uper, /* Unaligned PER decoder */ INTEGER_encode_uper, /* Unaligned PER encoder */ +#endif /* ASN_DISABLE_PER_SUPPORT */ 0, /* Use generic outmost tag fetcher */ asn_DEF_INTEGER_tags, sizeof(asn_DEF_INTEGER_tags) / sizeof(asn_DEF_INTEGER_tags[0]), 
@@ -106,47 +111,30 @@ INTEGER__dump(asn_TYPE_descriptor_t *td, const INTEGER_t *st, asn_app_consume_by char scratch[32]; /* Enough for 64-bit integer */ uint8_t *buf = st->buf; uint8_t *buf_end = st->buf + st->size; - signed long accum; + signed long value; ssize_t wrote = 0; char *p; int ret; - /* - * Advance buf pointer until the start of the value's body. - * This will make us able to process large integers using simple case, - * when the actual value is small - * (0x0000000000abcdef would yield a fine 0x00abcdef) - */ - /* Skip the insignificant leading bytes */ - for(; buf < buf_end-1; buf++) { - switch(*buf) { - case 0x00: if((buf[1] & 0x80) == 0) continue; break; - case 0xff: if((buf[1] & 0x80) != 0) continue; break; - } - break; - } + if(specs && specs->field_unsigned) + ret = asn_INTEGER2ulong(st, (unsigned long *)&value); + else + ret = asn_INTEGER2long(st, &value); /* Simple case: the integer size is small */ - if((size_t)(buf_end - buf) <= sizeof(accum)) { + if(ret == 0) { const asn_INTEGER_enum_map_t *el; size_t scrsize; char *scr; - if(buf == buf_end) { - accum = 0; - } else { - accum = (*buf & 0x80) ? -1 : 0; - for(; buf < buf_end; buf++) - accum = (accum << 8) | *buf; - } - - el = INTEGER_map_value2enum(specs, accum); + el = (value >= 0 || !specs || !specs->field_unsigned) + ? INTEGER_map_value2enum(specs, value) : 0; if(el) { scrsize = el->enum_len + 32; scr = (char *)alloca(scrsize); if(plainOrXER == 0) ret = snprintf(scr, scrsize, - "%ld (%s)", accum, el->enum_name); + "%ld (%s)", value, el->enum_name); else ret = snprintf(scr, scrsize, "<%s/>", el->enum_name); @@ -158,7 +146,9 @@ INTEGER__dump(asn_TYPE_descriptor_t *td, const INTEGER_t *st, asn_app_consume_by } else { scrsize = sizeof(scratch); scr = scratch; - ret = snprintf(scr, scrsize, "%ld", accum); + ret = snprintf(scr, scrsize, + (specs && specs->field_unsigned) + ?"%lu":"%ld", value); } assert(ret > 0 && (size_t)ret < scrsize); return (cb(scr, ret, app_key) < 0) ? -1 : ret; 
@@ -317,57 +307,71 @@ INTEGER_st_prealloc(INTEGER_t *st, int min_size) { static enum xer_pbd_rval INTEGER__xer_body_decode(asn_TYPE_descriptor_t *td, void *sptr, const void *chunk_buf, size_t chunk_size) { INTEGER_t *st = (INTEGER_t *)sptr; - long sign = 1; - long value; + long dec_value; + long hex_value = 0; const char *lp; const char *lstart = (const char *)chunk_buf; const char *lstop = lstart + chunk_size; enum { - ST_SKIPSPACE, + ST_LEADSPACE, ST_SKIPSPHEX, ST_WAITDIGITS, ST_DIGITS, + ST_DIGITS_TRAILSPACE, ST_HEXDIGIT1, ST_HEXDIGIT2, + ST_HEXDIGITS_TRAILSPACE, ST_HEXCOLON, - ST_EXTRASTUFF - } state = ST_SKIPSPACE; + ST_END_ENUM, + ST_UNEXPECTED + } state = ST_LEADSPACE; + const char *dec_value_start = 0; /* INVARIANT: always !0 in ST_DIGITS */ + const char *dec_value_end = 0; if(chunk_size) - ASN_DEBUG("INTEGER body %d 0x%2x..0x%2x", - chunk_size, *lstart, lstop[-1]); + ASN_DEBUG("INTEGER body %ld 0x%2x..0x%2x", + (long)chunk_size, *lstart, lstop[-1]); + + if(INTEGER_st_prealloc(st, (chunk_size/3) + 1)) + return XPBD_SYSTEM_FAILURE; /* * We may have received a tag here. It will be processed inline. * Use strtoul()-like code and serialize the result. 
*/ - for(value = 0, lp = lstart; lp < lstop; lp++) { + for(lp = lstart; lp < lstop; lp++) { int lv = *lp; switch(lv) { case 0x09: case 0x0a: case 0x0d: case 0x20: switch(state) { - case ST_SKIPSPACE: + case ST_LEADSPACE: + case ST_DIGITS_TRAILSPACE: + case ST_HEXDIGITS_TRAILSPACE: case ST_SKIPSPHEX: continue; + case ST_DIGITS: + dec_value_end = lp; + state = ST_DIGITS_TRAILSPACE; + continue; case ST_HEXCOLON: - if(xer_is_whitespace(lp, lstop - lp)) { - lp = lstop - 1; - continue; - } - break; + state = ST_HEXDIGITS_TRAILSPACE; + continue; default: break; } break; case 0x2d: /* '-' */ - if(state == ST_SKIPSPACE) { - sign = -1; + if(state == ST_LEADSPACE) { + dec_value = 0; + dec_value_start = lp; state = ST_WAITDIGITS; continue; } break; case 0x2b: /* '+' */ - if(state == ST_SKIPSPACE) { + if(state == ST_LEADSPACE) { + dec_value = 0; + dec_value_start = lp; state = ST_WAITDIGITS; continue; } 
@@ -375,48 +379,32 @@ INTEGER__xer_body_decode(asn_TYPE_descriptor_t *td, void *sptr, const void *chun case 0x30: case 0x31: case 0x32: case 0x33: case 0x34: case 0x35: case 0x36: case 0x37: case 0x38: case 0x39: switch(state) { - case ST_DIGITS: break; + case ST_DIGITS: continue; case ST_SKIPSPHEX: /* Fall through */ case ST_HEXDIGIT1: - value = (lv - 0x30) << 4; + hex_value = (lv - 0x30) << 4; state = ST_HEXDIGIT2; continue; case ST_HEXDIGIT2: - value += (lv - 0x30); + hex_value += (lv - 0x30); state = ST_HEXCOLON; - st->buf[st->size++] = value; + st->buf[st->size++] = (uint8_t)hex_value; continue; case ST_HEXCOLON: return XPBD_BROKEN_ENCODING; - default: + case ST_LEADSPACE: + dec_value = 0; + dec_value_start = lp; + /* FALL THROUGH */ + case ST_WAITDIGITS: state = ST_DIGITS; + continue; + default: break; } - - { - long new_value = value * 10; - - if(new_value / 10 != value) - /* Overflow */ - return XPBD_DECODER_LIMIT; - - value = new_value + (lv - 0x30); - /* Check for two's complement overflow */ - if(value < 0) { - /* Check whether it is a LONG_MIN */ - if(sign == -1 - && (unsigned long)value - == ~((unsigned long)-1 >> 1)) { - sign = 1; - } else { - /* Overflow */ - return XPBD_DECODER_LIMIT; - } - } - } - continue; - case 0x3c: /* '<' */ - if(state == ST_SKIPSPACE) { + break; + case 0x3c: /* '<', start of XML encoded enumeration */ + if(state == ST_LEADSPACE) { const asn_INTEGER_enum_map_t *el; el = INTEGER_map_enum2value( (asn_INTEGER_specifics_t *) @@ -424,8 +412,8 @@ INTEGER__xer_body_decode(asn_TYPE_descriptor_t *td, void *sptr, const void *chun if(el) { ASN_DEBUG("Found \"%s\" => %ld", el->enum_name, el->nat_value); - state = ST_DIGITS; - value = el->nat_value; + dec_value = el->nat_value; + state = ST_END_ENUM; lp = lstop - 1; continue; } 
@@ -443,13 +431,12 @@ INTEGER__xer_body_decode(asn_TYPE_descriptor_t *td, void *sptr, const void *chun * places as a decimal value. * Switch decoding mode. */ ASN_DEBUG("INTEGER re-evaluate as hex form"); - if(INTEGER_st_prealloc(st, (chunk_size/3) + 1)) - return XPBD_SYSTEM_FAILURE; state = ST_SKIPSPHEX; + dec_value_start = 0; lp = lstart - 1; continue; } else { - ASN_DEBUG("state %d at %d", state, lp - lstart); + ASN_DEBUG("state %d at %ld", state, (long)(lp - lstart)); break; } /* [A-Fa-f] */ @@ -457,24 +444,23 @@ INTEGER__xer_body_decode(asn_TYPE_descriptor_t *td, void *sptr, const void *chun case 0x61:case 0x62:case 0x63:case 0x64:case 0x65:case 0x66: switch(state) { case ST_SKIPSPHEX: - case ST_SKIPSPACE: /* Fall through */ + case ST_LEADSPACE: /* Fall through */ case ST_HEXDIGIT1: - value = lv - ((lv < 0x61) ? 0x41 : 0x61); - value += 10; - value <<= 4; + hex_value = lv - ((lv < 0x61) ? 0x41 : 0x61); + hex_value += 10; + hex_value <<= 4; state = ST_HEXDIGIT2; continue; case ST_HEXDIGIT2: - value += lv - ((lv < 0x61) ? 0x41 : 0x61); - value += 10; - st->buf[st->size++] = value; + hex_value += lv - ((lv < 0x61) ? 0x41 : 0x61); + hex_value += 10; + st->buf[st->size++] = (uint8_t)hex_value; state = ST_HEXCOLON; continue; case ST_DIGITS: ASN_DEBUG("INTEGER re-evaluate as hex form"); - if(INTEGER_st_prealloc(st, (chunk_size/3) + 1)) - return XPBD_SYSTEM_FAILURE; state = ST_SKIPSPHEX; + dec_value_start = 0; lp = lstart - 1; continue; default: 
@@ -484,39 +470,54 @@ INTEGER__xer_body_decode(asn_TYPE_descriptor_t *td, void *sptr, const void *chun } /* Found extra non-numeric stuff */ - ASN_DEBUG("Found non-numeric 0x%2x at %d", - lv, lp - lstart); - state = ST_EXTRASTUFF; + ASN_DEBUG("INTEGER :: Found non-numeric 0x%2x at %ld", + lv, (long)(lp - lstart)); + state = ST_UNEXPECTED; break; } switch(state) { + case ST_END_ENUM: + /* Got a complete and valid enumeration encoded as a tag. */ + break; case ST_DIGITS: - /* Everything is cool */ + dec_value_end = lstop; + /* FALL THROUGH */ + case ST_DIGITS_TRAILSPACE: + /* The last symbol encountered was a digit. */ + switch(asn_strtol_lim(dec_value_start, &dec_value_end, &dec_value)) { + case ASN_STRTOL_OK: + break; + case ASN_STRTOL_ERROR_RANGE: + return XPBD_DECODER_LIMIT; + case ASN_STRTOL_ERROR_INVAL: + case ASN_STRTOL_EXPECT_MORE: + case ASN_STRTOL_EXTRA_DATA: + return XPBD_BROKEN_ENCODING; + } break; case ST_HEXCOLON: + case ST_HEXDIGITS_TRAILSPACE: st->buf[st->size] = 0; /* Just in case termination */ return XPBD_BODY_CONSUMED; case ST_HEXDIGIT1: case ST_HEXDIGIT2: case ST_SKIPSPHEX: return XPBD_BROKEN_ENCODING; - default: - if(xer_is_whitespace(lp, lstop - lp)) { - if(state != ST_EXTRASTUFF) - return XPBD_NOT_BODY_IGNORE; - break; - } else { - ASN_DEBUG("INTEGER: No useful digits (state %d)", - state); - return XPBD_BROKEN_ENCODING; /* No digits */ - } - break; + case ST_LEADSPACE: + /* Content not found */ + return XPBD_NOT_BODY_IGNORE; + case ST_WAITDIGITS: + case ST_UNEXPECTED: + ASN_DEBUG("INTEGER: No useful digits (state %d)", state); + return XPBD_BROKEN_ENCODING; /* No digits */ } - value *= sign; /* Change sign, if needed */ - - if(asn_long2INTEGER(st, value)) + /* + * Convert the result of parsing of enumeration or a straight + * decimal value into a BER representation. + */ + if(asn_long2INTEGER(st, dec_value)) return XPBD_SYSTEM_FAILURE; return XPBD_BODY_CONSUMED; 
@@ -551,9 +552,12 @@ INTEGER_encode_xer(asn_TYPE_descriptor_t *td, void *sptr, _ASN_ENCODED_OK(er); } +#ifndef ASN_DISABLE_PER_SUPPORT + asn_dec_rval_t INTEGER_decode_uper(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd) { + asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics; asn_dec_rval_t rval = { RC_OK, 0 }; INTEGER_t *st = (INTEGER_t *)*sptr; asn_per_constraint_t *ct; @@ -576,6 +580,8 @@ INTEGER_decode_uper(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, } FREEMEM(st->buf); + st->buf = 0; + st->size = 0; if(ct) { if(ct->flags & APC_SEMI_CONSTRAINED) { st->buf = (uint8_t *)CALLOC(1, 2); 
@@ -586,25 +592,38 @@ INTEGER_decode_uper(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, st->buf = (uint8_t *)MALLOC(1 + size + 1); if(!st->buf) _ASN_DECODE_FAILED; st->size = size; - } else { - st->size = 0; } - } else { - st->size = 0; } - /* X.691, #12.2.2 */ + /* X.691-2008/11, #13.2.2, constrained whole number */ if(ct && ct->flags != APC_UNCONSTRAINED) { - /* #10.5.6 */ + /* #11.5.6 */ ASN_DEBUG("Integer with range %d bits", ct->range_bits); if(ct->range_bits >= 0) { - long value = per_get_few_bits(pd, ct->range_bits); - if(value < 0) _ASN_DECODE_STARVED; - ASN_DEBUG("Got value %ld + low %ld", - value, ct->lower_bound); - value += ct->lower_bound; - if(asn_long2INTEGER(st, value)) + if((size_t)ct->range_bits > 8 * sizeof(unsigned long)) _ASN_DECODE_FAILED; + + if(specs && specs->field_unsigned) { + unsigned long uvalue; + if(uper_get_constrained_whole_number(pd, + &uvalue, ct->range_bits)) + _ASN_DECODE_STARVED; + ASN_DEBUG("Got value %lu + low %ld", + uvalue, ct->lower_bound); + uvalue += ct->lower_bound; + if(asn_ulong2INTEGER(st, uvalue)) + _ASN_DECODE_FAILED; + } else { + unsigned long svalue; + if(uper_get_constrained_whole_number(pd, + &svalue, ct->range_bits)) + _ASN_DECODE_STARVED; + ASN_DEBUG("Got value %ld + low %ld", + svalue, ct->lower_bound); + svalue += ct->lower_bound; + if(asn_long2INTEGER(st, svalue)) + _ASN_DECODE_FAILED; + } return rval; } } else { @@ -649,6 +668,7 @@ INTEGER_decode_uper(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, asn_enc_rval_t INTEGER_encode_uper(asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void *sptr, asn_per_outp_t *po) { + asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics; asn_enc_rval_t er; INTEGER_t *st = (INTEGER_t *)sptr; const uint8_t *buf; 
@@ -665,21 +685,41 @@ INTEGER_encode_uper(asn_TYPE_descriptor_t *td, if(ct) { int inext = 0; - if(asn_INTEGER2long(st, &value)) - _ASN_ENCODE_FAILED; - /* Check proper range */ - if(ct->flags & APC_SEMI_CONSTRAINED) { - if(value < ct->lower_bound) - inext = 1; - } else if(ct->range_bits >= 0) { - if(value < ct->lower_bound - || value > ct->upper_bound) - inext = 1; + if(specs && specs->field_unsigned) { + unsigned long uval; + if(asn_INTEGER2ulong(st, &uval)) + _ASN_ENCODE_FAILED; + /* Check proper range */ + if(ct->flags & APC_SEMI_CONSTRAINED) { + if(uval < (unsigned long)ct->lower_bound) + inext = 1; + } else if(ct->range_bits >= 0) { + if(uval < (unsigned long)ct->lower_bound + || uval > (unsigned long)ct->upper_bound) + inext = 1; + } + ASN_DEBUG("Value %lu (%02x/%d) lb %lu ub %lu %s", + uval, st->buf[0], st->size, + ct->lower_bound, ct->upper_bound, + inext ? "ext" : "fix"); + value = uval; + } else { + if(asn_INTEGER2long(st, &value)) + _ASN_ENCODE_FAILED; + /* Check proper range */ + if(ct->flags & APC_SEMI_CONSTRAINED) { + if(value < ct->lower_bound) + inext = 1; + } else if(ct->range_bits >= 0) { + if(value < ct->lower_bound + || value > ct->upper_bound) + inext = 1; + } + ASN_DEBUG("Value %ld (%02x/%d) lb %ld ub %ld %s", + value, st->buf[0], st->size, + ct->lower_bound, ct->upper_bound, + inext ? "ext" : "fix"); } - ASN_DEBUG("Value %ld (%02x/%d) lb %ld ub %ld %s", - value, st->buf[0], st->size, - ct->lower_bound, ct->upper_bound, - inext ? "ext" : "fix"); if(ct->flags & APC_EXTENSIBLE) { if(per_put_few_bits(po, inext, 1)) _ASN_ENCODE_FAILED; 
@@ -690,13 +730,13 @@ INTEGER_encode_uper(asn_TYPE_descriptor_t *td, } - /* X.691, #12.2.2 */ + /* X.691-11/2008, #13.2.2, test if constrained whole number */ if(ct && ct->range_bits >= 0) { - /* #10.5.6 */ - ASN_DEBUG("Encoding integer with range %d bits", - ct->range_bits); - if(per_put_few_bits(po, value - ct->lower_bound, - ct->range_bits)) + /* #11.5.6 -> #11.3 */ + ASN_DEBUG("Encoding integer %ld (%lu) with range %d bits", + value, value - ct->lower_bound, ct->range_bits); + unsigned long v = value - ct->lower_bound; + if(uper_put_constrained_whole_number_u(po, v, ct->range_bits)) _ASN_ENCODE_FAILED; _ASN_ENCODED_OK(er); } @@ -719,6 +759,8 @@ INTEGER_encode_uper(asn_TYPE_descriptor_t *td, _ASN_ENCODED_OK(er); } +#endif /* ASN_DISABLE_PER_SUPPORT */ + int asn_INTEGER2long(const INTEGER_t *iptr, long *lptr) { uint8_t *b, *end; 
@@ -780,6 +822,63 @@ asn_INTEGER2long(const INTEGER_t *iptr, long *lptr) { } int +asn_INTEGER2ulong(const INTEGER_t *iptr, unsigned long *lptr) { + uint8_t *b, *end; + unsigned long l; + size_t size; + + if(!iptr || !iptr->buf || !lptr) { + errno = EINVAL; + return -1; + } + + b = iptr->buf; + size = iptr->size; + end = b + size; + + /* If all extra leading bytes are zeroes, ignore them */ + for(; size > sizeof(unsigned long); b++, size--) { + if(*b) { + /* Value won't fit unsigned long */ + errno = ERANGE; + return -1; + } + } + + /* Conversion engine */ + for(l = 0; b < end; b++) + l = (l << 8) | *b; + + *lptr = l; + return 0; +} + +int +asn_ulong2INTEGER(INTEGER_t *st, unsigned long value) { + uint8_t *buf; + uint8_t *end; + uint8_t *b; + int shr; + + if(value <= LONG_MAX) + return asn_long2INTEGER(st, value); + + buf = (uint8_t *)MALLOC(1 + sizeof(value)); + if(!buf) return -1; + + end = buf + (sizeof(value) + 1); + buf[0] = 0; + for(b = buf + 1, shr = (sizeof(long)-1)*8; b < end; shr -= 8, b++) + *b = (uint8_t)(value >> shr); + + if(st->buf) FREEMEM(st->buf); + st->buf = buf; + st->size = 1 + sizeof(value); + + return 0; +} + +int asn_long2INTEGER(INTEGER_t *st, long value) { uint8_t *buf, *bp; uint8_t *p; 
@@ -833,3 +932,92 @@ asn_long2INTEGER(INTEGER_t *st, long value) { return 0; } + +/* + * This function is going to be DEPRECATED soon. + */ +enum asn_strtol_result_e +asn_strtol(const char *str, const char *end, long *lp) { + const char *endp = end; + + switch(asn_strtol_lim(str, &endp, lp)) { + case ASN_STRTOL_ERROR_RANGE: + return ASN_STRTOL_ERROR_RANGE; + case ASN_STRTOL_ERROR_INVAL: + return ASN_STRTOL_ERROR_INVAL; + case ASN_STRTOL_EXPECT_MORE: + return ASN_STRTOL_ERROR_INVAL; /* Retain old behavior */ + case ASN_STRTOL_OK: + return ASN_STRTOL_OK; + case ASN_STRTOL_EXTRA_DATA: + return ASN_STRTOL_ERROR_INVAL; /* Retain old behavior */ + } + + return ASN_STRTOL_ERROR_INVAL; /* Retain old behavior */ +} + +/* + * Parse the number in the given string until the given *end position, + * returning the position after the last parsed character back using the + * same (*end) pointer. + * WARNING: This behavior is different from the standard strtol(3). + */ +enum asn_strtol_result_e +asn_strtol_lim(const char *str, const char **end, long *lp) { + int sign = 1; + long l; + + const long upper_boundary = LONG_MAX / 10; + long last_digit_max = LONG_MAX % 10; + + if(str >= *end) return ASN_STRTOL_ERROR_INVAL; + + switch(*str) { + case '-': + last_digit_max++; + sign = -1; + case '+': + str++; + if(str >= *end) { + *end = str; + return ASN_STRTOL_EXPECT_MORE; + } + } + + for(l = 0; str < (*end); str++) { + switch(*str) { + case 0x30: case 0x31: case 0x32: case 0x33: case 0x34: + case 0x35: case 0x36: case 0x37: case 0x38: case 0x39: { + int d = *str - '0'; + if(l < upper_boundary) { + l = l * 10 + d; + } else if(l == upper_boundary) { + if(d <= last_digit_max) { + if(sign > 0) { + l = l * 10 + d; + } else { + sign = 1; + l = -l * 10 - d; + } + } else { + *end = str; + return ASN_STRTOL_ERROR_RANGE; + } + } else { + *end = str; + return ASN_STRTOL_ERROR_RANGE; + } + } + continue; + default: + *end = str; + *lp = sign * l; + return ASN_STRTOL_EXTRA_DATA; + } + } + + *end = str; 
+ *lp = sign * l; + return ASN_STRTOL_OK; +} + diff --git a/asn1/asn1c/INTEGER.h b/asn1/asn1c/INTEGER.h index 62832b12e1271e1f27a5edd5b4a0f82986ff2fc3..fe08b038167e6a002f0da0d98ef0444c800c8318 100644 --- a/asn1/asn1c/INTEGER.h +++ b/asn1/asn1c/INTEGER.h @@ -30,6 +30,8 @@ typedef struct asn_INTEGER_specifics_s { int map_count; /* Elements in either map */ int extension; /* This map is extensible */ int strict_enumeration; /* Enumeration set is fixed */ + int field_width; /* Size of native integer */ + int field_unsigned; /* Signed=0, unsigned=1 */ } asn_INTEGER_specifics_t; asn_struct_print_f INTEGER_print; @@ -51,7 +53,22 @@ per_type_encoder_f INTEGER_encode_uper; * -1/ENOMEM: Memory allocation failed (in asn_long2INTEGER()). */ int asn_INTEGER2long(const INTEGER_t *i, long *l); +int asn_INTEGER2ulong(const INTEGER_t *i, unsigned long *l); int asn_long2INTEGER(INTEGER_t *i, long l); +int asn_ulong2INTEGER(INTEGER_t *i, unsigned long l); + +/* A a reified version of strtol(3) with nicer error reporting. */ +enum asn_strtol_result_e { + ASN_STRTOL_ERROR_RANGE = -3, /* Input outside of numeric range for long type */ + ASN_STRTOL_ERROR_INVAL = -2, /* Invalid data encountered (e.g., "+-") */ + ASN_STRTOL_EXPECT_MORE = -1, /* More data expected (e.g. "+") */ + ASN_STRTOL_OK = 0, /* Conversion succeded, number ends at (*end) */ + ASN_STRTOL_EXTRA_DATA = 1, /* Conversion succeded, but the string has extra stuff */ +}; +enum asn_strtol_result_e asn_strtol_lim(const char *str, const char **end, long *l); + +/* The asn_strtol is going to be DEPRECATED soon */ +enum asn_strtol_result_e asn_strtol(const char *str, const char *end, long *l); /* * Convert the integer value into the corresponding enumeration map entry. diff --git a/asn1/asn1c/Int32.c b/asn1/asn1c/Int32.c index 600934beed3fcff4527de4969c1d3effd272355e..7c11ea5fb197a855398d51d0f6808d267229b032 100644 --- a/asn1/asn1c/Int32.c +++ b/asn1/asn1c/Int32.c 
@@ -1,12 +1,10 @@ /* - * Generated by asn1c-0.9.21 (http://lionet.info/asn1c) + * Generated by asn1c-0.9.27 (http://lionet.info/asn1c) * From ASN.1 module "KeytabModule" * found in "ipa.asn1" * `asn1c -fskeletons-copy` */ -#include - #include "Int32.h" int @@ -23,7 +21,7 @@ Int32_constraint(asn_TYPE_descriptor_t *td, const void *sptr, value = *(const long *)sptr; - if((value >= -2147483648 && value <= 2147483647)) { + if((value >= (-2147483647L - 1) && value <= 2147483647)) { /* Constraint check succeeded */ return 0; } else { @@ -42,6 +40,7 @@ static void Int32_1_inherit_TYPE_descriptor(asn_TYPE_descriptor_t *td) { td->free_struct = asn_DEF_NativeInteger.free_struct; td->print_struct = asn_DEF_NativeInteger.print_struct; + td->check_constraints = asn_DEF_NativeInteger.check_constraints; td->ber_decoder = asn_DEF_NativeInteger.ber_decoder; td->der_encoder = asn_DEF_NativeInteger.der_encoder; td->xer_decoder = asn_DEF_NativeInteger.xer_decoder; diff --git a/asn1/asn1c/Int32.h b/asn1/asn1c/Int32.h index 9ee672ec9b5d49cfaddd2bf0bfb5ab2c5015d498..2f1a673d26de54919840efa169dbd3897d77caed 100644 --- a/asn1/asn1c/Int32.h +++ b/asn1/asn1c/Int32.h @@ -1,5 +1,5 @@ /* - * Generated by asn1c-0.9.21 (http://lionet.info/asn1c) + * Generated by asn1c-0.9.27 (http://lionet.info/asn1c) * From ASN.1 module "KeytabModule" * found in "ipa.asn1" * `asn1c -fskeletons-copy` @@ -36,3 +36,4 @@ xer_type_encoder_f Int32_encode_xer; #endif #endif /* _Int32_H_ */ +#include diff --git a/asn1/asn1c/KrbKey.c b/asn1/asn1c/KrbKey.c index 3abbdf1b6e42ee759c149b6cbfa4b53695a2f0a3..0454ea6422fd23f1223bd038a8bfe3ed1093bacb 100644 --- a/asn1/asn1c/KrbKey.c +++ b/asn1/asn1c/KrbKey.c @@ -1,12 +1,10 @@ /* - * Generated by asn1c-0.9.21 (http://lionet.info/asn1c) + * Generated by asn1c-0.9.27 (http://lionet.info/asn1c) * From ASN.1 module "KeytabModule" * found in "ipa.asn1" * `asn1c -fskeletons-copy` */ -#include - #include "KrbKey.h" static asn_TYPE_member_t asn_MBR_KrbKey_1[] = { 
@@ -42,9 +40,9 @@ static ber_tlv_tag_t asn_DEF_KrbKey_tags_1[] = { (ASN_TAG_CLASS_UNIVERSAL | (16 << 2)) }; static asn_TYPE_tag2member_t asn_MAP_KrbKey_tag2el_1[] = { - { (ASN_TAG_CLASS_CONTEXT | (0 << 2)), 0, 0, 0 }, /* key at 28 */ - { (ASN_TAG_CLASS_CONTEXT | (1 << 2)), 1, 0, 0 }, /* salt at 29 */ - { (ASN_TAG_CLASS_CONTEXT | (2 << 2)), 2, 0, 0 } /* s2kparams at 30 */ + { (ASN_TAG_CLASS_CONTEXT | (0 << 2)), 0, 0, 0 }, /* key */ + { (ASN_TAG_CLASS_CONTEXT | (1 << 2)), 1, 0, 0 }, /* salt */ + { (ASN_TAG_CLASS_CONTEXT | (2 << 2)), 2, 0, 0 } /* s2kparams */ }; static asn_SEQUENCE_specifics_t asn_SPC_KrbKey_specs_1 = { sizeof(struct KrbKey), diff --git a/asn1/asn1c/KrbKey.h b/asn1/asn1c/KrbKey.h index 3134be528d1b9848b17d5eaee941aeef6fbd91b6..ac517e33b2c3064825820792720f6e8d8d110f92 100644 --- a/asn1/asn1c/KrbKey.h +++ b/asn1/asn1c/KrbKey.h @@ -1,5 +1,5 @@ /* - * Generated by asn1c-0.9.21 (http://lionet.info/asn1c) + * Generated by asn1c-0.9.27 (http://lionet.info/asn1c) * From ASN.1 module "KeytabModule" * found in "ipa.asn1" * `asn1c -fskeletons-copy` @@ -44,3 +44,4 @@ extern asn_TYPE_descriptor_t asn_DEF_KrbKey; #include "TypeValuePair.h" #endif /* _KrbKey_H_ */ +#include diff --git a/asn1/asn1c/NativeEnumerated.c b/asn1/asn1c/NativeEnumerated.c index e3af1ca49b2c722513876e70219bb0ac8e74cbd9..1554220f87ab7f5ba230b939343b989a33bab0bf 100644 --- a/asn1/asn1c/NativeEnumerated.c +++ b/asn1/asn1c/NativeEnumerated.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2004 Lev Walkin . All rights reserved. + * Copyright (c) 2004, 2007 Lev Walkin . All rights reserved. * Redistribution and modifications are permitted subject to BSD license. */ /* @@ -177,9 +177,9 @@ NativeEnumerated_encode_uper(asn_TYPE_descriptor_t *td, inext = 1; } if(ct->flags & APC_EXTENSIBLE) { - if(per_put_few_bits(po, inext, 0)) + if(per_put_few_bits(po, inext, 1)) _ASN_ENCODE_FAILED; - ct = 0; + if(inext) ct = 0; } else if(inext) { _ASN_ENCODE_FAILED; } 
@@ -196,7 +196,10 @@ NativeEnumerated_encode_uper(asn_TYPE_descriptor_t *td, /* * X.691, #10.6: normally small non-negative whole number; */ - if(uper_put_nsnnwn(po, value - (specs->extension - 1))) + ASN_DEBUG("value = %ld, ext = %d, inext = %d, res = %ld", + value, specs->extension, inext, + value - (inext ? (specs->extension - 1) : 0)); + if(uper_put_nsnnwn(po, value - (inext ? (specs->extension - 1) : 0))) _ASN_ENCODE_FAILED; _ASN_ENCODED_OK(er); diff --git a/asn1/asn1c/NativeInteger.c b/asn1/asn1c/NativeInteger.c index 34599f6186cd77d38106e171ec3b24cb29638afa..cffd0be8e6b0451de80bff13252f7100a4009bda 100644 --- a/asn1/asn1c/NativeInteger.c +++ b/asn1/asn1c/NativeInteger.c @@ -48,6 +48,7 @@ asn_dec_rval_t NativeInteger_decode_ber(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, void **nint_ptr, const void *buf_ptr, size_t size, int tag_mode) { + asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics; long *native = (long *)*nint_ptr; asn_dec_rval_t rval; ber_tlv_len_t length; @@ -105,7 +106,9 @@ NativeInteger_decode_ber(asn_codec_ctx_t *opt_codec_ctx, tmp.buf = (uint8_t *)unconst_buf.nonconstbuf; tmp.size = length; - if(asn_INTEGER2long(&tmp, &l)) { + if((specs&&specs->field_unsigned) + ? asn_INTEGER2ulong(&tmp, (unsigned long *)&l) /* sic */ + : asn_INTEGER2long(&tmp, &l)) { rval.code = RC_FAIL; rval.consumed = 0; return rval; @@ -145,7 +148,7 @@ NativeInteger_encode_der(asn_TYPE_descriptor_t *sd, void *ptr, /* Prepare a fake INTEGER */ for(p = buf + sizeof(buf) - 1; p >= buf; p--, native >>= 8) - *p = native; + *p = (uint8_t)native; tmp.buf = buf; tmp.size = sizeof(buf); @@ -167,6 +170,7 @@ asn_dec_rval_t NativeInteger_decode_xer(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, void **sptr, const char *opt_mname, const void *buf_ptr, size_t size) { + asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics; asn_dec_rval_t rval; INTEGER_t st; void *st_ptr = (void *)&st; 
@@ -182,7 +186,9 @@ NativeInteger_decode_xer(asn_codec_ctx_t *opt_codec_ctx, opt_mname, buf_ptr, size); if(rval.code == RC_OK) { long l; - if(asn_INTEGER2long(&st, &l)) { + if((specs&&specs->field_unsigned) + ? asn_INTEGER2ulong(&st, (unsigned long *)&l) /* sic */ + : asn_INTEGER2long(&st, &l)) { rval.code = RC_FAIL; rval.consumed = 0; } else { @@ -205,6 +211,7 @@ asn_enc_rval_t NativeInteger_encode_xer(asn_TYPE_descriptor_t *td, void *sptr, int ilevel, enum xer_encoder_flags_e flags, asn_app_consume_bytes_f *cb, void *app_key) { + asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics; char scratch[32]; /* Enough for 64-bit int */ asn_enc_rval_t er; const long *native = (const long *)sptr; @@ -214,7 +221,9 @@ NativeInteger_encode_xer(asn_TYPE_descriptor_t *td, void *sptr, if(!native) _ASN_ENCODE_FAILED; - er.encoded = snprintf(scratch, sizeof(scratch), "%ld", *native); + er.encoded = snprintf(scratch, sizeof(scratch), + (specs && specs->field_unsigned) + ? "%lu" : "%ld", *native); if(er.encoded <= 0 || (size_t)er.encoded >= sizeof(scratch) || cb(scratch, er.encoded, app_key) < 0) _ASN_ENCODE_FAILED; @@ -227,6 +236,7 @@ NativeInteger_decode_uper(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd) { + asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics; asn_dec_rval_t rval; long *native = (long *)*sptr; INTEGER_t tmpint; @@ -244,7 +254,9 @@ NativeInteger_decode_uper(asn_codec_ctx_t *opt_codec_ctx, rval = INTEGER_decode_uper(opt_codec_ctx, td, constraints, &tmpintptr, pd); if(rval.code == RC_OK) { - if(asn_INTEGER2long(&tmpint, native)) + if((specs&&specs->field_unsigned) + ? asn_INTEGER2ulong(&tmpint, (unsigned long *)native) + : asn_INTEGER2long(&tmpint, native)) rval.code = RC_FAIL; else ASN_DEBUG("NativeInteger %s got value %ld", 
@@ -258,6 +270,7 @@ NativeInteger_decode_uper(asn_codec_ctx_t *opt_codec_ctx, asn_enc_rval_t NativeInteger_encode_uper(asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void *sptr, asn_per_outp_t *po) { + asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics; asn_enc_rval_t er; long native; INTEGER_t tmpint; @@ -269,7 +282,9 @@ NativeInteger_encode_uper(asn_TYPE_descriptor_t *td, ASN_DEBUG("Encoding NativeInteger %s %ld (UPER)", td->name, native); memset(&tmpint, 0, sizeof(tmpint)); - if(asn_long2INTEGER(&tmpint, native)) + if((specs&&specs->field_unsigned) + ? asn_ulong2INTEGER(&tmpint, native) + : asn_long2INTEGER(&tmpint, native)) _ASN_ENCODE_FAILED; er = INTEGER_encode_uper(td, constraints, &tmpint, po); ASN_STRUCT_FREE_CONTENTS_ONLY(asn_DEF_INTEGER, &tmpint); @@ -282,6 +297,7 @@ NativeInteger_encode_uper(asn_TYPE_descriptor_t *td, int NativeInteger_print(asn_TYPE_descriptor_t *td, const void *sptr, int ilevel, asn_app_consume_bytes_f *cb, void *app_key) { + asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics; const long *native = (const long *)sptr; char scratch[32]; /* Enough for 64-bit int */ int ret; @@ -290,7 +306,9 @@ NativeInteger_print(asn_TYPE_descriptor_t *td, const void *sptr, int ilevel, (void)ilevel; /* Unused argument */ if(native) { - ret = snprintf(scratch, sizeof(scratch), "%ld", *native); + ret = snprintf(scratch, sizeof(scratch), + (specs && specs->field_unsigned) + ? "%lu" : "%ld", *native); assert(ret > 0 && (size_t)ret < sizeof(scratch)); return (cb(scratch, ret, app_key) < 0) ? -1 : 0; } else { diff --git a/asn1/asn1c/OCTET_STRING.c b/asn1/asn1c/OCTET_STRING.c index 3a83bd98c5b30a10b5fb12b78bd4f317e8abb27a..f2eec13aa4dfe1eca3e618eff9d57939ed34bf0d 100644 --- a/asn1/asn1c/OCTET_STRING.c +++ b/asn1/asn1c/OCTET_STRING.c 
@@ -17,10 +17,12 @@ static ber_tlv_tag_t asn_DEF_OCTET_STRING_tags[] = { static asn_OCTET_STRING_specifics_t asn_DEF_OCTET_STRING_specs = { sizeof(OCTET_STRING_t), offsetof(OCTET_STRING_t, _asn_ctx), - 0 + ASN_OSUBV_STR }; -static asn_per_constraint_t asn_DEF_OCTET_STRING_constraint = { - APC_SEMI_CONSTRAINED, -1, -1, 0, 0 +static asn_per_constraints_t asn_DEF_OCTET_STRING_constraints = { + { APC_CONSTRAINED, 8, 8, 0, 255 }, + { APC_SEMI_CONSTRAINED, -1, -1, 0, 0 }, + 0, 0 }; asn_TYPE_descriptor_t asn_DEF_OCTET_STRING = { "OCTET STRING", /* Canonical name */ @@ -103,15 +105,6 @@ asn_TYPE_descriptor_t asn_DEF_OCTET_STRING = { } while(0) /* - * Internal variant of the OCTET STRING. - */ -typedef enum OS_type { - _TT_GENERIC = 0, /* Just a random OCTET STRING */ - _TT_BIT_STRING = 1, /* BIT STRING type, a special case */ - _TT_ANY = 2 /* ANY type, a special case too */ -} OS_type_e; - -/* * The main reason why ASN.1 is still alive is that too much time and effort * is necessary for learning it more or less adequately, thus creating a gut * necessity to demonstrate that aquired skill everywhere afterwards. @@ -185,11 +178,11 @@ OCTET_STRING_decode_ber(asn_codec_ctx_t *opt_codec_ctx, struct _stack *stck; /* Expectations stack structure */ struct _stack_el *sel = 0; /* Stack element */ int tlv_constr; - OS_type_e type_variant = (OS_type_e)specs->subvariant; + enum asn_OS_Subvariant type_variant = specs->subvariant; ASN_DEBUG("Decoding %s as %s (frame %ld)", td->name, - (type_variant == _TT_GENERIC) ? + (type_variant == ASN_OSUBV_STR) ? "OCTET STRING" : "OS-SpecialCase", (long)size); @@ -230,7 +223,7 @@ OCTET_STRING_decode_ber(asn_codec_ctx_t *opt_codec_ctx, * Jump into stackless primitive decoding. */ _CH_PHASE(ctx, 3); - if(type_variant == _TT_ANY && tag_mode != 1) + if(type_variant == ASN_OSUBV_ANY && tag_mode != 1) APPEND(buf_ptr, rval.consumed); ADVANCE(rval.consumed); goto phase3; 
@@ -309,7 +302,7 @@ OCTET_STRING_decode_ber(asn_codec_ctx_t *opt_codec_ctx, ASN_DEBUG("Eat EOC; wn=%d--", sel->want_nulls); - if(type_variant == _TT_ANY + if(type_variant == ASN_OSUBV_ANY && (tag_mode != 1 || sel->cont_level)) APPEND("\0\0", 2); @@ -334,10 +327,10 @@ OCTET_STRING_decode_ber(asn_codec_ctx_t *opt_codec_ctx, * depending on ASN.1 type being decoded. */ switch(type_variant) { - case _TT_BIT_STRING: + case ASN_OSUBV_BIT: /* X.690: 8.6.4.1, NOTE 2 */ /* Fall through */ - case _TT_GENERIC: + case ASN_OSUBV_STR: default: if(sel) { int level = sel->cont_level; @@ -352,7 +345,7 @@ OCTET_STRING_decode_ber(asn_codec_ctx_t *opt_codec_ctx, /* else, Fall through */ } /* Fall through */ - case _TT_ANY: + case ASN_OSUBV_ANY: expected_tag = tlv_tag; break; } @@ -397,7 +390,7 @@ OCTET_STRING_decode_ber(asn_codec_ctx_t *opt_codec_ctx, } else { sel->left = tlv_len; } - if(type_variant == _TT_ANY + if(type_variant == ASN_OSUBV_ANY && (tag_mode != 1 || sel->cont_level)) APPEND(buf_ptr, tlvl); sel->got += tlvl; @@ -431,7 +424,7 @@ OCTET_STRING_decode_ber(asn_codec_ctx_t *opt_codec_ctx, len = ((ber_tlv_len_t)size < sel->left) ? (ber_tlv_len_t)size : sel->left; if(len > 0) { - if(type_variant == _TT_BIT_STRING + if(type_variant == ASN_OSUBV_BIT && sel->bits_chopped == 0) { /* Put the unused-bits-octet away */ st->bits_unused = *(const uint8_t *)buf_ptr; @@ -464,7 +457,7 @@ OCTET_STRING_decode_ber(asn_codec_ctx_t *opt_codec_ctx, if(size < (size_t)ctx->left) { if(!size) RETURN(RC_WMORE); - if(type_variant == _TT_BIT_STRING && !ctx->context) { + if(type_variant == ASN_OSUBV_BIT && !ctx->context) { st->bits_unused = *(const uint8_t *)buf_ptr; ctx->left--; ADVANCE(1); @@ -475,7 +468,7 @@ OCTET_STRING_decode_ber(asn_codec_ctx_t *opt_codec_ctx, ADVANCE(size); RETURN(RC_WMORE); } else { - if(type_variant == _TT_BIT_STRING + if(type_variant == ASN_OSUBV_BIT && !ctx->context && ctx->left) { st->bits_unused = *(const uint8_t *)buf_ptr; ctx->left--; 
@@ -502,14 +495,14 @@ OCTET_STRING_decode_ber(asn_codec_ctx_t *opt_codec_ctx, /* * BIT STRING-specific processing. */ - if(type_variant == _TT_BIT_STRING && st->size) { + if(type_variant == ASN_OSUBV_BIT && st->size) { /* Finalize BIT STRING: zero out unused bits. */ st->buf[st->size-1] &= 0xff << st->bits_unused; } ASN_DEBUG("Took %ld bytes to encode %s: [%s]:%ld", (long)consumed_myself, td->name, - (type_variant == _TT_GENERIC) ? (char *)st->buf : "", + (type_variant == ASN_OSUBV_STR) ? (char *)st->buf : "", (long)st->size); @@ -528,7 +521,7 @@ OCTET_STRING_encode_der(asn_TYPE_descriptor_t *td, void *sptr, ? (asn_OCTET_STRING_specifics_t *)td->specifics : &asn_DEF_OCTET_STRING_specs; BIT_STRING_t *st = (BIT_STRING_t *)sptr; - OS_type_e type_variant = (OS_type_e)specs->subvariant; + enum asn_OS_Subvariant type_variant = specs->subvariant; int fix_last_byte = 0; ASN_DEBUG("%s %s as OCTET STRING", @@ -537,10 +530,11 @@ OCTET_STRING_encode_der(asn_TYPE_descriptor_t *td, void *sptr, /* * Write tags. */ - if(type_variant != _TT_ANY || tag_mode == 1) { + if(type_variant != ASN_OSUBV_ANY || tag_mode == 1) { er.encoded = der_write_tags(td, - (type_variant == _TT_BIT_STRING) + st->size, - tag_mode, type_variant == _TT_ANY, tag, cb, app_key); + (type_variant == ASN_OSUBV_BIT) + st->size, + tag_mode, type_variant == ASN_OSUBV_ANY, tag, + cb, app_key); if(er.encoded == -1) { er.failed_type = td; er.structure_ptr = sptr; 
@@ -548,19 +542,19 @@ OCTET_STRING_encode_der(asn_TYPE_descriptor_t *td, void *sptr, } } else { /* Disallow: [] IMPLICIT ANY */ - assert(type_variant != _TT_ANY || tag_mode != -1); + assert(type_variant != ASN_OSUBV_ANY || tag_mode != -1); er.encoded = 0; } if(!cb) { - er.encoded += (type_variant == _TT_BIT_STRING) + st->size; + er.encoded += (type_variant == ASN_OSUBV_BIT) + st->size; _ASN_ENCODED_OK(er); } /* * Prepare to deal with the last octet of BIT STRING. */ - if(type_variant == _TT_BIT_STRING) { + if(type_variant == ASN_OSUBV_BIT) { uint8_t b = st->bits_unused & 0x07; if(b && st->size) fix_last_byte = 1; _ASN_CALLBACK(&b, 1); @@ -595,7 +589,7 @@ OCTET_STRING_encode_xer(asn_TYPE_descriptor_t *td, void *sptr, uint8_t *end; size_t i; - if(!st || !st->buf) + if(!st || (!st->buf && st->size)) _ASN_ENCODE_FAILED; er.encoded = 0; @@ -751,7 +745,7 @@ OCTET_STRING_encode_xer_utf8(asn_TYPE_descriptor_t *td, void *sptr, (void)ilevel; /* Unused argument */ (void)flags; /* Unused argument */ - if(!st || !st->buf) + if(!st || (!st->buf && st->size)) _ASN_ENCODE_FAILED; buf = st->buf; 
@@ -1197,6 +1191,135 @@ OCTET_STRING_decode_xer_utf8(asn_codec_ctx_t *opt_codec_ctx, OCTET_STRING__convert_entrefs); } +static int +OCTET_STRING_per_get_characters(asn_per_data_t *po, uint8_t *buf, + size_t units, unsigned int bpc, unsigned int unit_bits, + long lb, long ub, asn_per_constraints_t *pc) { + uint8_t *end = buf + units * bpc; + + ASN_DEBUG("Expanding %d characters into (%ld..%ld):%d", + (int)units, lb, ub, unit_bits); + + /* X.691: 27.5.4 */ + if((unsigned long)ub <= ((unsigned long)2 << (unit_bits - 1))) { + /* Decode without translation */ + lb = 0; + } else if(pc && pc->code2value) { + if(unit_bits > 16) + return 1; /* FATAL: can't have constrained + * UniversalString with more than + * 16 million code points */ + for(; buf < end; buf += bpc) { + int value; + int code = per_get_few_bits(po, unit_bits); + if(code < 0) return -1; /* WMORE */ + value = pc->code2value(code); + if(value < 0) { + ASN_DEBUG("Code %d (0x%02x) is" + " not in map (%ld..%ld)", + code, code, lb, ub); + return 1; /* FATAL */ + } + switch(bpc) { + case 1: *buf = value; break; + case 2: buf[0] = value >> 8; buf[1] = value; break; + case 4: buf[0] = value >> 24; buf[1] = value >> 16; + buf[2] = value >> 8; buf[3] = value; break; + } + } + return 0; + } + + /* Shortcut the no-op copying to the aligned structure */ + if(lb == 0 && (unit_bits == 8 * bpc)) { + return per_get_many_bits(po, buf, 0, unit_bits * units); + } + + for(; buf < end; buf += bpc) { + int code = per_get_few_bits(po, unit_bits); + int ch = code + lb; + if(code < 0) return -1; /* WMORE */ + if(ch > ub) { + ASN_DEBUG("Code %d is out of range (%ld..%ld)", + ch, lb, ub); + return 1; /* FATAL */ + } + switch(bpc) { + case 1: *buf = ch; break; + case 2: buf[0] = ch >> 8; buf[1] = ch; break; + case 4: buf[0] = ch >> 24; buf[1] = ch >> 16; + buf[2] = ch >> 8; buf[3] = ch; break; + } + } + + return 0; +} + +static int +OCTET_STRING_per_put_characters(asn_per_outp_t *po, const uint8_t *buf, + size_t units, unsigned int bpc, 
unsigned int unit_bits, + long lb, long ub, asn_per_constraints_t *pc) { + const uint8_t *end = buf + units * bpc; + + ASN_DEBUG("Squeezing %d characters into (%ld..%ld):%d (%d bpc)", + (int)units, lb, ub, unit_bits, bpc); + + /* X.691: 27.5.4 */ + if((unsigned long)ub <= ((unsigned long)2 << (unit_bits - 1))) { + /* Encode as is */ + lb = 0; + } else if(pc && pc->value2code) { + for(; buf < end; buf += bpc) { + int code; + uint32_t value; + switch(bpc) { + case 1: value = *(const uint8_t *)buf; break; + case 2: value = (buf[0] << 8) | buf[1]; break; + case 4: value = (buf[0] << 24) | (buf[1] << 16) + | (buf[2] << 8) | buf[3]; break; + default: return -1; + } + code = pc->value2code(value); + if(code < 0) { + ASN_DEBUG("Character %d (0x%02x) is" + " not in map (%ld..%ld)", + *buf, *buf, lb, ub); + return -1; + } + if(per_put_few_bits(po, code, unit_bits)) + return -1; + } + } + + /* Shortcut the no-op copying to the aligned structure */ + if(lb == 0 && (unit_bits == 8 * bpc)) { + return per_put_many_bits(po, buf, unit_bits * units); + } + + for(ub -= lb; buf < end; buf += bpc) { + int ch; + uint32_t value; + switch(bpc) { + case 1: value = *(const uint8_t *)buf; break; + case 2: value = (buf[0] << 8) | buf[1]; break; + case 4: value = (buf[0] << 24) | (buf[1] << 16) + | (buf[2] << 8) | buf[3]; break; + default: return -1; + } + ch = value - lb; + if(ch < 0 || ch > ub) { + ASN_DEBUG("Character %d (0x%02x)" + " is out of range (%ld..%ld)", + *buf, *buf, lb, ub + lb); + return -1; + } + if(per_put_few_bits(po, ch, unit_bits)) + return -1; + } + + return 0; +} + asn_dec_rval_t OCTET_STRING_decode_uper(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, 
@@ -1205,18 +1328,62 @@ OCTET_STRING_decode_uper(asn_codec_ctx_t *opt_codec_ctx, asn_OCTET_STRING_specifics_t *specs = td->specifics ? (asn_OCTET_STRING_specifics_t *)td->specifics : &asn_DEF_OCTET_STRING_specs; - asn_per_constraint_t *ct = constraints ? &constraints->size - : (td->per_constraints - ? &td->per_constraints->size - : &asn_DEF_OCTET_STRING_constraint); + asn_per_constraints_t *pc = constraints ? constraints + : td->per_constraints; + asn_per_constraint_t *cval; + asn_per_constraint_t *csiz; asn_dec_rval_t rval = { RC_OK, 0 }; BIT_STRING_t *st = (BIT_STRING_t *)*sptr; ssize_t consumed_myself = 0; int repeat; - int unit_bits = (specs->subvariant != 1) * 7 + 1; + enum { + OS__BPC_BIT = 0, + OS__BPC_CHAR = 1, + OS__BPC_U16 = 2, + OS__BPC_U32 = 4 + } bpc; /* Bytes per character */ + unsigned int unit_bits; + unsigned int canonical_unit_bits; (void)opt_codec_ctx; + if(pc) { + cval = &pc->value; + csiz = &pc->size; + } else { + cval = &asn_DEF_OCTET_STRING_constraints.value; + csiz = &asn_DEF_OCTET_STRING_constraints.size; + } + + switch(specs->subvariant) { + default: + case ASN_OSUBV_ANY: + ASN_DEBUG("Unrecognized subvariant %d", specs->subvariant); + RETURN(RC_FAIL); + case ASN_OSUBV_BIT: + canonical_unit_bits = unit_bits = 1; + bpc = OS__BPC_BIT; + break; + case ASN_OSUBV_STR: + canonical_unit_bits = unit_bits = 8; + if(cval->flags & APC_CONSTRAINED) + unit_bits = cval->range_bits; + bpc = OS__BPC_CHAR; + break; + case ASN_OSUBV_U16: + canonical_unit_bits = unit_bits = 16; + if(cval->flags & APC_CONSTRAINED) + unit_bits = cval->range_bits; + bpc = OS__BPC_U16; + break; + case ASN_OSUBV_U32: + canonical_unit_bits = unit_bits = 32; + if(cval->flags & APC_CONSTRAINED) + unit_bits = cval->range_bits; + bpc = OS__BPC_U32; + break; + } + /* * Allocate the string. */ 
@@ -1225,24 +1392,26 @@ OCTET_STRING_decode_uper(asn_codec_ctx_t *opt_codec_ctx, if(!st) RETURN(RC_FAIL); } - ASN_DEBUG("PER Decoding %s %ld .. %ld bits %d", - ct->flags & APC_EXTENSIBLE ? "extensible" : "fixed", - ct->lower_bound, ct->upper_bound, ct->effective_bits); + ASN_DEBUG("PER Decoding %s size %ld .. %ld bits %d", + csiz->flags & APC_EXTENSIBLE ? "extensible" : "non-extensible", + csiz->lower_bound, csiz->upper_bound, csiz->effective_bits); - if(ct->flags & APC_EXTENSIBLE) { + if(csiz->flags & APC_EXTENSIBLE) { int inext = per_get_few_bits(pd, 1); if(inext < 0) RETURN(RC_WMORE); - if(inext) ct = &asn_DEF_OCTET_STRING_constraint; - consumed_myself = 0; + if(inext) { + csiz = &asn_DEF_OCTET_STRING_constraints.size; + cval = &asn_DEF_OCTET_STRING_constraints.value; + unit_bits = canonical_unit_bits; + } } - if(ct->effective_bits >= 0 - && (!st->buf || st->size < ct->upper_bound)) { + if(csiz->effective_bits >= 0) { FREEMEM(st->buf); - if(unit_bits == 1) { - st->size = (ct->upper_bound + 7) >> 3; + if(bpc) { + st->size = csiz->upper_bound * bpc; } else { - st->size = ct->upper_bound; + st->size = (csiz->upper_bound + 7) >> 3; } st->buf = (uint8_t *)MALLOC(st->size + 1); if(!st->buf) { st->size = 0; RETURN(RC_FAIL); } 
@@ -1251,46 +1420,70 @@ OCTET_STRING_decode_uper(asn_codec_ctx_t *opt_codec_ctx, /* X.691, #16.5: zero-length encoding */ /* X.691, #16.6: short fixed length encoding (up to 2 octets) */ /* X.691, #16.7: long fixed length encoding (up to 64K octets) */ - if(ct->effective_bits == 0) { - int ret = per_get_many_bits(pd, st->buf, 0, - unit_bits * ct->upper_bound); + if(csiz->effective_bits == 0) { + int ret; + if(bpc) { + ASN_DEBUG("Encoding OCTET STRING size %ld", + csiz->upper_bound); + ret = OCTET_STRING_per_get_characters(pd, st->buf, + csiz->upper_bound, bpc, unit_bits, + cval->lower_bound, cval->upper_bound, pc); + if(ret > 0) RETURN(RC_FAIL); + } else { + ASN_DEBUG("Encoding BIT STRING size %ld", + csiz->upper_bound); + ret = per_get_many_bits(pd, st->buf, 0, + unit_bits * csiz->upper_bound); + } if(ret < 0) RETURN(RC_WMORE); - consumed_myself += unit_bits * ct->upper_bound; + consumed_myself += unit_bits * csiz->upper_bound; st->buf[st->size] = 0; - if(unit_bits == 1 && (ct->upper_bound & 0x7)) - st->bits_unused = 8 - (ct->upper_bound & 0x7); + if(bpc == 0) { + int ubs = (csiz->upper_bound & 0x7); + st->bits_unused = ubs ? 8 - ubs : 0; + } RETURN(RC_OK); } st->size = 0; do { + ssize_t raw_len; ssize_t len_bytes; ssize_t len_bits; void *p; int ret; /* Get the PER length */ - len_bits = uper_get_length(pd, ct->effective_bits, &repeat); - if(len_bits < 0) RETURN(RC_WMORE); - len_bits += ct->lower_bound; + raw_len = uper_get_length(pd, csiz->effective_bits, &repeat); + if(raw_len < 0) RETURN(RC_WMORE); + raw_len += csiz->lower_bound; ASN_DEBUG("Got PER length eb %ld, len %ld, %s (%s)", - (long)ct->effective_bits, (long)len_bits, + (long)csiz->effective_bits, (long)raw_len, repeat ? 
"repeat" : "once", td->name); - if(unit_bits == 1) { + if(bpc) { + len_bytes = raw_len * bpc; + len_bits = len_bytes * unit_bits; + } else { + len_bits = raw_len; len_bytes = (len_bits + 7) >> 3; if(len_bits & 0x7) st->bits_unused = 8 - (len_bits & 0x7); /* len_bits be multiple of 16K if repeat is set */ - } else { - len_bytes = len_bits; - len_bits = len_bytes << 3; } p = REALLOC(st->buf, st->size + len_bytes + 1); if(!p) RETURN(RC_FAIL); st->buf = (uint8_t *)p; - ret = per_get_many_bits(pd, &st->buf[st->size], 0, len_bits); + if(bpc) { + ret = OCTET_STRING_per_get_characters(pd, + &st->buf[st->size], raw_len, bpc, unit_bits, + cval->lower_bound, cval->upper_bound, pc); + if(ret > 0) RETURN(RC_FAIL); + } else { + ret = per_get_many_bits(pd, &st->buf[st->size], + 0, len_bits); + } if(ret < 0) RETURN(RC_WMORE); st->size += len_bytes; } while(repeat); 
@@ -1306,41 +1499,87 @@ OCTET_STRING_encode_uper(asn_TYPE_descriptor_t *td, asn_OCTET_STRING_specifics_t *specs = td->specifics ? (asn_OCTET_STRING_specifics_t *)td->specifics : &asn_DEF_OCTET_STRING_specs; - asn_per_constraint_t *ct = constraints ? &constraints->size - : (td->per_constraints - ? &td->per_constraints->size - : &asn_DEF_OCTET_STRING_constraint); + asn_per_constraints_t *pc = constraints ? constraints + : td->per_constraints; + asn_per_constraint_t *cval; + asn_per_constraint_t *csiz; const BIT_STRING_t *st = (const BIT_STRING_t *)sptr; - int unit_bits = (specs->subvariant != 1) * 7 + 1; - asn_enc_rval_t er; - int ct_extensible = ct->flags & APC_EXTENSIBLE; + asn_enc_rval_t er = { 0, 0, 0 }; int inext = 0; /* Lies not within extension root */ - int sizeinunits = st->size; + unsigned int unit_bits; + unsigned int canonical_unit_bits; + unsigned int sizeinunits; const uint8_t *buf; int ret; + enum { + OS__BPC_BIT = 0, + OS__BPC_CHAR = 1, + OS__BPC_U16 = 2, + OS__BPC_U32 = 4 + } bpc; /* Bytes per character */ + int ct_extensible; - if(!st || !st->buf) + if(!st || (!st->buf && st->size)) _ASN_ENCODE_FAILED; - if(unit_bits == 1) { + if(pc) { + cval = &pc->value; + csiz = &pc->size; + } else { + cval = &asn_DEF_OCTET_STRING_constraints.value; + csiz = &asn_DEF_OCTET_STRING_constraints.size; + } + ct_extensible = csiz->flags & APC_EXTENSIBLE; + + switch(specs->subvariant) { + default: + case ASN_OSUBV_ANY: + _ASN_ENCODE_FAILED; + case ASN_OSUBV_BIT: + canonical_unit_bits = unit_bits = 1; + bpc = OS__BPC_BIT; + sizeinunits = st->size * 8 - (st->bits_unused & 0x07); ASN_DEBUG("BIT STRING of %d bytes, %d bits unused", sizeinunits, st->bits_unused); - sizeinunits = sizeinunits * 8 - (st->bits_unused & 0x07); + break; + case ASN_OSUBV_STR: + canonical_unit_bits = unit_bits = 8; + if(cval->flags & APC_CONSTRAINED) + unit_bits = cval->range_bits; + bpc = OS__BPC_CHAR; + sizeinunits = st->size; + break; + case ASN_OSUBV_U16: + canonical_unit_bits = unit_bits = 16; 
+ if(cval->flags & APC_CONSTRAINED) + unit_bits = cval->range_bits; + bpc = OS__BPC_U16; + sizeinunits = st->size / 2; + break; + case ASN_OSUBV_U32: + canonical_unit_bits = unit_bits = 32; + if(cval->flags & APC_CONSTRAINED) + unit_bits = cval->range_bits; + bpc = OS__BPC_U32; + sizeinunits = st->size / 4; + break; } ASN_DEBUG("Encoding %s into %d units of %d bits" - " (%d..%d, effective %d)%s", + " (%ld..%ld, effective %d)%s", td->name, sizeinunits, unit_bits, - ct->lower_bound, ct->upper_bound, - ct->effective_bits, ct_extensible ? " EXT" : ""); + csiz->lower_bound, csiz->upper_bound, + csiz->effective_bits, ct_extensible ? " EXT" : ""); - /* Figure out wheter size lies within PER visible consrtaint */ + /* Figure out whether size lies within PER visible constraint */ - if(ct->effective_bits >= 0) { - if(sizeinunits < ct->lower_bound - || sizeinunits > ct->upper_bound) { + if(csiz->effective_bits >= 0) { + if((int)sizeinunits < csiz->lower_bound + || (int)sizeinunits > csiz->upper_bound) { if(ct_extensible) { - ct = &asn_DEF_OCTET_STRING_constraint; + cval = &asn_DEF_OCTET_STRING_constraints.value; + csiz = &asn_DEF_OCTET_STRING_constraints.size; + unit_bits = canonical_unit_bits; inext = 1; } else _ASN_ENCODE_FAILED; 
@@ -1358,14 +1597,21 @@ OCTET_STRING_encode_uper(asn_TYPE_descriptor_t *td, /* X.691, #16.5: zero-length encoding */ /* X.691, #16.6: short fixed length encoding (up to 2 octets) */ /* X.691, #16.7: long fixed length encoding (up to 64K octets) */ - if(ct->effective_bits >= 0) { + if(csiz->effective_bits >= 0) { ASN_DEBUG("Encoding %d bytes (%ld), length in %d bits", - st->size, sizeinunits - ct->lower_bound, - ct->effective_bits); - ret = per_put_few_bits(po, sizeinunits - ct->lower_bound, - ct->effective_bits); + st->size, sizeinunits - csiz->lower_bound, + csiz->effective_bits); + ret = per_put_few_bits(po, sizeinunits - csiz->lower_bound, + csiz->effective_bits); if(ret) _ASN_ENCODE_FAILED; - ret = per_put_many_bits(po, st->buf, sizeinunits * unit_bits); + if(bpc) { + ret = OCTET_STRING_per_put_characters(po, st->buf, + sizeinunits, bpc, unit_bits, + cval->lower_bound, cval->upper_bound, pc); + } else { + ret = per_put_many_bits(po, st->buf, + sizeinunits * unit_bits); + } if(ret) _ASN_ENCODE_FAILED; _ASN_ENCODED_OK(er); } @@ -1383,15 +1629,22 @@ OCTET_STRING_encode_uper(asn_TYPE_descriptor_t *td, ssize_t maySave = uper_put_length(po, sizeinunits); if(maySave < 0) _ASN_ENCODE_FAILED; - ASN_DEBUG("Encoding %d of %d", maySave, sizeinunits); + ASN_DEBUG("Encoding %ld of %ld", + (long)maySave, (long)sizeinunits); - ret = per_put_many_bits(po, buf, maySave * unit_bits); + if(bpc) { + ret = OCTET_STRING_per_put_characters(po, buf, + maySave, bpc, unit_bits, + cval->lower_bound, cval->upper_bound, pc); + } else { + ret = per_put_many_bits(po, buf, maySave * unit_bits); + } if(ret) _ASN_ENCODE_FAILED; - if(unit_bits == 1) - buf += maySave >> 3; + if(bpc) + buf += maySave * bpc; else - buf += maySave; + buf += maySave >> 3; sizeinunits -= maySave; assert(!(maySave & 0x07) || !sizeinunits); } 
@@ -1412,7 +1665,8 @@ OCTET_STRING_print(asn_TYPE_descriptor_t *td, const void *sptr, int ilevel, (void)td; /* Unused argument */ - if(!st || !st->buf) return (cb("", 8, app_key) < 0) ? -1 : 0; + if(!st || (!st->buf && st->size)) + return (cb("", 8, app_key) < 0) ? -1 : 0; /* * Dump the contents of the buffer in hexadecimal. @@ -1448,7 +1702,7 @@ OCTET_STRING_print_utf8(asn_TYPE_descriptor_t *td, const void *sptr, (void)td; /* Unused argument */ (void)ilevel; /* Unused argument */ - if(st && st->buf) { + if(st && (st->buf || !st->size)) { return (cb(st->buf, st->size, app_key) < 0) ? -1 : 0; } else { return (cb("", 8, app_key) < 0) ? -1 : 0; @@ -1472,6 +1726,7 @@ OCTET_STRING_free(asn_TYPE_descriptor_t *td, void *sptr, int contents_only) { if(st->buf) { FREEMEM(st->buf); + st->buf = 0; } /* diff --git a/asn1/asn1c/OCTET_STRING.h b/asn1/asn1c/OCTET_STRING.h index 5150161a7a1a19e8e7c123776684e66c1cd429cf..8df9a182d36345c5deb5a0cdc608fe77287cfa08 100644 --- a/asn1/asn1c/OCTET_STRING.h +++ b/asn1/asn1c/OCTET_STRING.h @@ -70,7 +70,13 @@ typedef struct asn_OCTET_STRING_specifics_s { int struct_size; /* Size of the structure */ int ctx_offset; /* Offset of the asn_struct_ctx_t member */ - int subvariant; /* {0,1,2} for O-S, BIT STRING or ANY */ + enum asn_OS_Subvariant { + ASN_OSUBV_ANY, /* The open type (ANY) */ + ASN_OSUBV_BIT, /* BIT STRING */ + ASN_OSUBV_STR, /* String types, not {BMP,Universal}String */ + ASN_OSUBV_U16, /* 16-bit character (BMPString) */ + ASN_OSUBV_U32 /* 32-bit character (UniversalString) */ + } subvariant; } asn_OCTET_STRING_specifics_t; #ifdef __cplusplus diff --git a/asn1/asn1c/TypeValuePair.c b/asn1/asn1c/TypeValuePair.c index 707eef3f65c4bf0a64b4864391e64865cc19d7ca..3e78d530aa3d71925278edd38ae25221e7bfc603 100644 --- a/asn1/asn1c/TypeValuePair.c +++ b/asn1/asn1c/TypeValuePair.c 
@@ -1,12 +1,10 @@ /* - * Generated by asn1c-0.9.21 (http://lionet.info/asn1c) + * Generated by asn1c-0.9.27 (http://lionet.info/asn1c) * From ASN.1 module "KeytabModule" * found in "ipa.asn1" * `asn1c -fskeletons-copy` */ -#include - #include "TypeValuePair.h" static asn_TYPE_member_t asn_MBR_TypeValuePair_1[] = { @@ -33,8 +31,8 @@ static ber_tlv_tag_t asn_DEF_TypeValuePair_tags_1[] = { (ASN_TAG_CLASS_UNIVERSAL | (16 << 2)) }; static asn_TYPE_tag2member_t asn_MAP_TypeValuePair_tag2el_1[] = { - { (ASN_TAG_CLASS_CONTEXT | (0 << 2)), 0, 0, 0 }, /* type at 34 */ - { (ASN_TAG_CLASS_CONTEXT | (1 << 2)), 1, 0, 0 } /* value at 35 */ + { (ASN_TAG_CLASS_CONTEXT | (0 << 2)), 0, 0, 0 }, /* type */ + { (ASN_TAG_CLASS_CONTEXT | (1 << 2)), 1, 0, 0 } /* value */ }; static asn_SEQUENCE_specifics_t asn_SPC_TypeValuePair_specs_1 = { sizeof(struct TypeValuePair), diff --git a/asn1/asn1c/TypeValuePair.h b/asn1/asn1c/TypeValuePair.h index 538b4609c5f0fe051988885c84c3caf6d8b85452..39997cded703511c09868f968fac64236cb97124 100644 --- a/asn1/asn1c/TypeValuePair.h +++ b/asn1/asn1c/TypeValuePair.h @@ -1,5 +1,5 @@ /* - * Generated by asn1c-0.9.21 (http://lionet.info/asn1c) + * Generated by asn1c-0.9.27 (http://lionet.info/asn1c) * From ASN.1 module "KeytabModule" * found in "ipa.asn1" * `asn1c -fskeletons-copy` @@ -37,3 +37,4 @@ extern asn_TYPE_descriptor_t asn_DEF_TypeValuePair; #endif #endif /* _TypeValuePair_H_ */ +#include diff --git a/asn1/asn1c/asn_codecs.h b/asn1/asn1c/asn_codecs.h index 4a251d940880a03b24dc9f3fe41f2febb9b49211..e5600142aaa2125259236a23bb5451f0e41bcad7 100644 --- a/asn1/asn1c/asn_codecs.h +++ b/asn1/asn1c/asn_codecs.h @@ -62,7 +62,7 @@ typedef struct asn_enc_rval_s { tmp_error.encoded = -1; \ tmp_error.failed_type = td; \ tmp_error.structure_ptr = sptr; \ - ASN_DEBUG("Failed to encode element %s", td->name); \ + ASN_DEBUG("Failed to encode element %s", td ? td->name : ""); \ return tmp_error; \ } while(0) #define _ASN_ENCODED_OK(rval) do { \ 
@@ -92,7 +92,7 @@ typedef struct asn_dec_rval_s { asn_dec_rval_t tmp_error; \ tmp_error.code = RC_FAIL; \ tmp_error.consumed = 0; \ - ASN_DEBUG("Failed to decode element %s", td->name); \ + ASN_DEBUG("Failed to decode element %s", td ? td->name : ""); \ return tmp_error; \ } while(0) #define _ASN_DECODE_STARVED do { \ diff --git a/asn1/asn1c/asn_codecs_prim.c b/asn1/asn1c/asn_codecs_prim.c index 4e5c63937adafc40a56b67fe5b3d9482220907d5..8e604a492a4d199bed6bf107513028c53136efdb 100644 --- a/asn1/asn1c/asn_codecs_prim.c +++ b/asn1/asn1c/asn_codecs_prim.c @@ -15,7 +15,7 @@ ber_decode_primitive(asn_codec_ctx_t *opt_codec_ctx, void **sptr, const void *buf_ptr, size_t size, int tag_mode) { ASN__PRIMITIVE_TYPE_t *st = (ASN__PRIMITIVE_TYPE_t *)*sptr; asn_dec_rval_t rval; - ber_tlv_len_t length; + ber_tlv_len_t length = 0; // =0 to avoid [incorrect] warning. /* * If the structure is not there, allocate it. @@ -143,20 +143,26 @@ struct xdp_arg_s { int want_more; }; - +/* + * Since some kinds of primitive values can be encoded using value-specific + * tags (, , etc), the primitive decoder must + * be supplied with such tags to parse them as needed. + */ static int xer_decode__unexpected_tag(void *key, const void *chunk_buf, size_t chunk_size) { struct xdp_arg_s *arg = (struct xdp_arg_s *)key; enum xer_pbd_rval bret; - if(arg->decoded_something) { - if(xer_is_whitespace(chunk_buf, chunk_size)) - return 0; /* Skip it. */ - /* - * Decoding was done once already. Prohibit doing it again. - */ + /* + * The chunk_buf is guaranteed to start at '<'. + */ + assert(chunk_size && ((const char *)chunk_buf)[0] == 0x3c); + + /* + * Decoding was performed once already. Prohibit doing it again. + */ + if(arg->decoded_something) return -1; - } bret = arg->prim_body_decoder(arg->type_descriptor, arg->struct_key, chunk_buf, chunk_size); 
@@ -177,13 +183,20 @@ xer_decode__unexpected_tag(void *key, const void *chunk_buf, size_t chunk_size) } static ssize_t -xer_decode__body(void *key, const void *chunk_buf, size_t chunk_size, int have_more) { +xer_decode__primitive_body(void *key, const void *chunk_buf, size_t chunk_size, int have_more) { struct xdp_arg_s *arg = (struct xdp_arg_s *)key; enum xer_pbd_rval bret; + size_t lead_wsp_size; if(arg->decoded_something) { - if(xer_is_whitespace(chunk_buf, chunk_size)) + if(xer_whitespace_span(chunk_buf, chunk_size) == chunk_size) { + /* + * Example: + * "123 " + * ^- chunk_buf position. + */ return chunk_size; + } /* * Decoding was done once already. Prohibit doing it again. */ @@ -203,6 +216,10 @@ xer_decode__body(void *key, const void *chunk_buf, size_t chunk_size, int have_m return -1; } + lead_wsp_size = xer_whitespace_span(chunk_buf, chunk_size); + chunk_buf = (const char *)chunk_buf + lead_wsp_size; + chunk_size -= lead_wsp_size; + bret = arg->prim_body_decoder(arg->type_descriptor, arg->struct_key, chunk_buf, chunk_size); switch(bret) { @@ -215,7 +232,7 @@ xer_decode__body(void *key, const void *chunk_buf, size_t chunk_size, int have_m arg->decoded_something = 1; /* Fall through */ case XPBD_NOT_BODY_IGNORE: /* Safe to proceed further */ - return chunk_size; + return lead_wsp_size + chunk_size; } return -1; @@ -253,7 +270,7 @@ xer_decode_primitive(asn_codec_ctx_t *opt_codec_ctx, rc = xer_decode_general(opt_codec_ctx, &s_ctx, &s_arg, xml_tag, buf_ptr, size, - xer_decode__unexpected_tag, xer_decode__body); + xer_decode__unexpected_tag, xer_decode__primitive_body); switch(rc.code) { case RC_OK: if(!s_arg.decoded_something) { diff --git a/asn1/asn1c/asn_internal.h b/asn1/asn1c/asn_internal.h index 67f055a62fbf74c397d2c108469549291ef9e6af..7e0f71be08a40835b85ad4e4ac12106f6dbacd97 100644 --- a/asn1/asn1c/asn_internal.h +++ b/asn1/asn1c/asn_internal.h 
@@ -1,5 +1,5 @@ /*- - * Copyright (c) 2003, 2004, 2005 Lev Walkin . + * Copyright (c) 2003, 2004, 2005, 2007 Lev Walkin . * All rights reserved. * Redistribution and modifications are permitted subject to BSD license. */ @@ -20,7 +20,7 @@ extern "C" { #endif /* Environment version might be used to avoid running with the old library */ -#define ASN1C_ENVIRONMENT_VERSION 920 /* Compile-time version */ +#define ASN1C_ENVIRONMENT_VERSION 923 /* Compile-time version */ int get_asn1c_environment_version(void); /* Run-time version */ #define CALLOC(nmemb, size) calloc(nmemb, size) @@ -28,6 +28,9 @@ int get_asn1c_environment_version(void); /* Run-time version */ #define REALLOC(oldptr, size) realloc(oldptr, size) #define FREEMEM(ptr) free(ptr) +#define asn_debug_indent 0 +#define ASN_DEBUG_INDENT_ADD(i) do{}while(0) + /* * A macro for debugging the ASN.1 internals. * You may enable or override it. @@ -35,10 +38,21 @@ int get_asn1c_environment_version(void); /* Run-time version */ #ifndef ASN_DEBUG /* If debugging code is not defined elsewhere... */ #if EMIT_ASN_DEBUG == 1 /* And it was asked to emit this code... */ #ifdef __GNUC__ -#define ASN_DEBUG(fmt, args...) do { \ - fprintf(stderr, fmt, ##args); \ - fprintf(stderr, " (%s:%d)\n", \ - __FILE__, __LINE__); \ +#ifdef ASN_THREAD_SAFE +/* Thread safety requires sacrifice in output indentation: + * Retain empty definition of ASN_DEBUG_INDENT_ADD. */ +#else /* !ASN_THREAD_SAFE */ +#undef ASN_DEBUG_INDENT_ADD +#undef asn_debug_indent +int asn_debug_indent; +#define ASN_DEBUG_INDENT_ADD(i) do { asn_debug_indent += i; } while(0) +#endif /* ASN_THREAD_SAFE */ +#define ASN_DEBUG(fmt, args...) do { \ + int adi = asn_debug_indent; \ + while(adi--) fprintf(stderr, " "); \ + fprintf(stderr, fmt, ##args); \ + fprintf(stderr, " (%s:%d)\n", \ + __FILE__, __LINE__); \ } while(0) #else /* !__GNUC__ */ void ASN_DEBUG_f(const char *fmt, ...); 
@@ -70,6 +84,7 @@ static inline void ASN_DEBUG(const char *fmt, ...) { (void)fmt; } int __nl = ((nl) != 0); \ int __i; \ if(__nl) _ASN_CALLBACK("\n", 1); \ + if(__level < 0) __level = 0; \ for(__i = 0; __i < __level; __i++) \ _ASN_CALLBACK(" ", 4); \ er.encoded += __nl + 4 * __level; \ diff --git a/asn1/asn1c/asn_system.h b/asn1/asn1c/asn_system.h index d7ebdaa4e16a2636184db6ba4fe34fda5860a6bc..e420ad2da679eeea8fd0175bb865cc211a8e26cd 100644 --- a/asn1/asn1c/asn_system.h +++ b/asn1/asn1c/asn_system.h @@ -1,5 +1,6 @@ /*- - * Copyright (c) 2003, 2004 Lev Walkin . All rights reserved. + * Copyright (c) 2003, 2004, 2007 Lev Walkin . + * All rights reserved. * Redistribution and modifications are permitted subject to BSD license. */ /* @@ -16,20 +17,27 @@ #include /* For *alloc(3) */ #include /* For memcpy(3) */ #include /* For size_t */ +#include /* For LONG_MAX */ #include /* For va_start */ #include /* for offsetof and ptrdiff_t */ -#ifdef WIN32 +#ifdef _WIN32 #include -#include #define snprintf _snprintf #define vsnprintf _vsnprintf +/* To avoid linking with ws2_32.lib, here's the definition of ntohl() */ +#define sys_ntohl(l) ((((l) << 24) & 0xff000000) \ + | (((l) << 8) & 0xff0000) \ + | (((l) >> 8) & 0xff00) \ + | ((l >> 24) & 0xff)) + #ifdef _MSC_VER /* MSVS.Net */ #ifndef __cplusplus #define inline __inline #endif +#ifndef ASSUMESTDTYPES /* Standard types have been defined elsewhere */ #define ssize_t SSIZE_T typedef char int8_t; typedef short int16_t; @@ -37,6 +45,7 @@ typedef int int32_t; typedef unsigned char uint8_t; typedef unsigned short uint16_t; typedef unsigned int uint32_t; +#endif /* ASSUMESTDTYPES */ #define WIN32_LEAN_AND_MEAN #include #include @@ -44,9 +53,11 @@ typedef unsigned int uint32_t; #define finite _finite #define copysign _copysign #define ilogb _logb +#else /* !_MSC_VER */ +#include #endif /* _MSC_VER */ -#else /* !WIN32 */ +#else /* !_WIN32 */ #if defined(__vxworks) #include 
@@ -74,19 +85,33 @@ typedef unsigned int uint32_t; #endif /* defined(sun) */ #endif +#include /* for ntohl() */ +#define sys_ntohl(foo) ntohl(foo) + #endif /* defined(__vxworks) */ -#endif /* WIN32 */ +#endif /* _WIN32 */ #if __GNUC__ >= 3 #ifndef GCC_PRINTFLIKE #define GCC_PRINTFLIKE(fmt,var) __attribute__((format(printf,fmt,var))) #endif +#ifndef GCC_NOTUSED +#define GCC_NOTUSED __attribute__((unused)) +#endif #else #ifndef GCC_PRINTFLIKE #define GCC_PRINTFLIKE(fmt,var) /* nothing */ #endif +#ifndef GCC_NOTUSED +#define GCC_NOTUSED #endif +#endif + +/* Figure out if thread safety is requested */ +#if !defined(ASN_THREAD_SAFE) && (defined(THREAD_SAFE) || defined(_REENTRANT)) +#define ASN_THREAD_SAFE +#endif /* Thread safety */ #ifndef offsetof /* If not defined by */ #define offsetof(s, m) ((ptrdiff_t)&(((s *)0)->m) - (ptrdiff_t)((s *)0)) diff --git a/asn1/asn1c/ber_decoder.c b/asn1/asn1c/ber_decoder.c index 601f66c0b0274b74dcb56e7eca469ded9b076b2c..0f994009079996ef4aedb219bd0d003e308c0fb6 100644 --- a/asn1/asn1c/ber_decoder.c +++ b/asn1/asn1c/ber_decoder.c @@ -206,7 +206,7 @@ ber_check_tags(asn_codec_ctx_t *opt_codec_ctx, */ len_len = ber_fetch_length(tlv_constr, (const char *)ptr + tag_len, size - tag_len, &tlv_len); - ASN_DEBUG("Fetchinig len = %ld", (long)len_len); + ASN_DEBUG("Fetching len = %ld", (long)len_len); switch(len_len) { case -1: RETURN(RC_FAIL); case 0: RETURN(RC_WMORE); diff --git a/asn1/asn1c/ber_decoder.h b/asn1/asn1c/ber_decoder.h index 768133b67e75b4eb18e523e1943245e17ce9b3aa..9fe2e895dfb65375948b83a893629959d5c576b1 100644 --- a/asn1/asn1c/ber_decoder.h +++ b/asn1/asn1c/ber_decoder.h @@ -17,6 +17,7 @@ struct asn_codec_ctx_s; /* Forward declaration */ /* * The BER decoder of any type. * This function may be invoked directly from the application. + * The der_encode() function (der_encoder.h) is an opposite to ber_decode(). */ asn_dec_rval_t ber_decode(struct asn_codec_ctx_s *opt_codec_ctx, struct asn_TYPE_descriptor_s *type_descriptor, 
diff --git a/asn1/asn1c/constr_CHOICE.c b/asn1/asn1c/constr_CHOICE.c index b8d6fa9a7f210585e851f8f1ab3cadf1d8fe4923..5a1e0d3862aa6c3eed8d17d5505764961a970274 100644 --- a/asn1/asn1c/constr_CHOICE.c +++ b/asn1/asn1c/constr_CHOICE.c @@ -1,10 +1,11 @@ /* - * Copyright (c) 2003, 2004, 2005, 2006 Lev Walkin . + * Copyright (c) 2003, 2004, 2005, 2006, 2007 Lev Walkin . * All rights reserved. * Redistribution and modifications are permitted subject to BSD license. */ #include #include +#include /* * Number of bytes left for this structure. @@ -482,7 +483,7 @@ CHOICE_constraint(asn_TYPE_descriptor_t *td, const void *sptr, int present; if(!sptr) { - _ASN_CTFAIL(app_key, td, + _ASN_CTFAIL(app_key, td, sptr, "%s: value not given (%s:%d)", td->name, __FILE__, __LINE__); return -1; @@ -501,7 +502,7 @@ CHOICE_constraint(asn_TYPE_descriptor_t *td, const void *sptr, if(!memb_ptr) { if(elm->optional) return 0; - _ASN_CTFAIL(app_key, td, + _ASN_CTFAIL(app_key, td, sptr, "%s: mandatory CHOICE element %s absent (%s:%d)", td->name, elm->name, __FILE__, __LINE__); return -1; @@ -524,7 +525,7 @@ CHOICE_constraint(asn_TYPE_descriptor_t *td, const void *sptr, return ret; } } else { - _ASN_CTFAIL(app_key, td, + _ASN_CTFAIL(app_key, td, sptr, "%s: no CHOICE element given (%s:%d)", td->name, __FILE__, __LINE__); return -1; @@ -534,7 +535,7 @@ CHOICE_constraint(asn_TYPE_descriptor_t *td, const void *sptr, #undef XER_ADVANCE #define XER_ADVANCE(num_bytes) do { \ size_t num = num_bytes; \ - buf_ptr = ((const char *)buf_ptr) + num;\ + buf_ptr = (const void *)(((const char *)buf_ptr) + num); \ size -= num; \ consumed_myself += num; \ } while(0) @@ -871,8 +872,6 @@ CHOICE_decode_uper(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, value += specs->ext_start; if(value >= td->elements_count) _ASN_DECODE_FAILED; - ASN_DEBUG("NOT IMPLEMENTED YET"); - _ASN_DECODE_FAILED; } /* Adjust if canonical order is different from natural order */ 
@@ -892,11 +891,17 @@ CHOICE_decode_uper(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, } ASN_DEBUG("Discovered CHOICE %s encodes %s", td->name, elm->name); - rv = elm->type->uper_decoder(opt_codec_ctx, elm->type, + if(ct && ct->range_bits >= 0) { + rv = elm->type->uper_decoder(opt_codec_ctx, elm->type, elm->per_constraints, memb_ptr2, pd); + } else { + rv = uper_open_type_get(opt_codec_ctx, elm->type, + elm->per_constraints, memb_ptr2, pd); + } + if(rv.code != RC_OK) - ASN_DEBUG("Failed to decode %s in %s (CHOICE)", - elm->name, td->name); + ASN_DEBUG("Failed to decode %s in %s (CHOICE) %d", + elm->name, td->name, rv.code); return rv; } @@ -908,6 +913,7 @@ CHOICE_encode_uper(asn_TYPE_descriptor_t *td, asn_per_constraint_t *ct; void *memb_ptr; int present; + int present_enc; if(!sptr) _ASN_ENCODE_FAILED; @@ -929,15 +935,17 @@ CHOICE_encode_uper(asn_TYPE_descriptor_t *td, else present--; - /* Adjust if canonical order is different from natural order */ - if(specs->canonical_order) - present = specs->canonical_order[present]; - ASN_DEBUG("Encoding %s CHOICE element %d", td->name, present); + /* Adjust if canonical order is different from natural order */ + if(specs->canonical_order) + present_enc = specs->canonical_order[present]; + else + present_enc = present; + if(ct && ct->range_bits >= 0) { - if(present < ct->lower_bound - || present > ct->upper_bound) { + if(present_enc < ct->lower_bound + || present_enc > ct->upper_bound) { if(ct->flags & APC_EXTENSIBLE) { if(per_put_few_bits(po, 1, 1)) _ASN_ENCODE_FAILED; 
@@ -951,18 +959,6 @@ CHOICE_encode_uper(asn_TYPE_descriptor_t *td, if(per_put_few_bits(po, 0, 1)) _ASN_ENCODE_FAILED; - if(ct && ct->range_bits >= 0) { - if(per_put_few_bits(po, present, ct->range_bits)) - _ASN_ENCODE_FAILED; - } else { - if(specs->ext_start == -1) - _ASN_ENCODE_FAILED; - if(uper_put_nsnnwn(po, present - specs->ext_start)) - _ASN_ENCODE_FAILED; - ASN_DEBUG("NOT IMPLEMENTED YET"); - _ASN_ENCODE_FAILED; - } - elm = &td->elements[present]; if(elm->flags & ATF_POINTER) { /* Member is a pointer to another structure */ @@ -972,8 +968,24 @@ CHOICE_encode_uper(asn_TYPE_descriptor_t *td, memb_ptr = (char *)sptr + elm->memb_offset; } - return elm->type->uper_encoder(elm->type, elm->per_constraints, + if(ct && ct->range_bits >= 0) { + if(per_put_few_bits(po, present_enc, ct->range_bits)) + _ASN_ENCODE_FAILED; + + return elm->type->uper_encoder(elm->type, elm->per_constraints, memb_ptr, po); + } else { + asn_enc_rval_t rval; + if(specs->ext_start == -1) + _ASN_ENCODE_FAILED; + if(uper_put_nsnnwn(po, present_enc - specs->ext_start)) + _ASN_ENCODE_FAILED; + if(uper_open_type_put(elm->type, elm->per_constraints, + memb_ptr, po)) + _ASN_ENCODE_FAILED; + rval.encoded = 0; + _ASN_ENCODED_OK(rval); + } } diff --git a/asn1/asn1c/constr_SEQUENCE.c b/asn1/asn1c/constr_SEQUENCE.c index b769434345763a454777a89458155f5debea73c8..c405a18f0ceedc9cebae7fce392d37299a992daf 100644 --- a/asn1/asn1c/constr_SEQUENCE.c +++ b/asn1/asn1c/constr_SEQUENCE.c @@ -1,10 +1,11 @@ /*- - * Copyright (c) 2003, 2004, 2005, 2006 Lev Walkin . + * Copyright (c) 2003, 2004, 2005, 2006, 2007 Lev Walkin . * All rights reserved. * Redistribution and modifications are permitted subject to BSD license. */ #include #include +#include /* * Number of bytes left for this structure. @@ -33,7 +34,7 @@ #undef ADVANCE #define ADVANCE(num_bytes) do { \ size_t num = num_bytes; \ - ptr = ((const char *)ptr) + num;\ + ptr = ((const char *)ptr) + num; \ size -= num; \ if(ctx->left >= 0) \ ctx->left -= num; \ 
@@ -346,7 +347,8 @@ SEQUENCE_decode_ber(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, * or an extension (...), * or an end of the indefinite-length structure. */ - if(!IN_EXTENSION_GROUP(specs, edx)) { + if(!IN_EXTENSION_GROUP(specs, + edx + elements[edx].optional)) { ASN_DEBUG("Unexpected tag %s (at %d)", ber_tlv_tag_string(tlv_tag), edx); ASN_DEBUG("Expected tag %s (%s)%s", @@ -358,7 +360,10 @@ SEQUENCE_decode_ber(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, } else { /* Skip this tag */ ssize_t skip; + edx += elements[edx].optional; + ASN_DEBUG("Skipping unexpected %s (at %d)", + ber_tlv_tag_string(tlv_tag), edx); skip = ber_skip_length(opt_codec_ctx, BER_TLV_CONSTRUCTED(ptr), (const char *)ptr + tag_len, @@ -662,8 +667,7 @@ SEQUENCE_decode_xer(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, if(elm->flags & ATF_POINTER) { /* Member is a pointer to another structure */ - memb_ptr2 = (void **)((char *)st - + elm->memb_offset); + memb_ptr2 = (void **)((char *)st + elm->memb_offset); } else { memb_ptr = (char *)st + elm->memb_offset; memb_ptr2 = &memb_ptr; @@ -976,7 +980,7 @@ SEQUENCE_constraint(asn_TYPE_descriptor_t *td, const void *sptr, int edx; if(!sptr) { - _ASN_CTFAIL(app_key, td, + _ASN_CTFAIL(app_key, td, sptr, "%s: value not given (%s:%d)", td->name, __FILE__, __LINE__); return -1; @@ -994,7 +998,7 @@ SEQUENCE_constraint(asn_TYPE_descriptor_t *td, const void *sptr, if(!memb_ptr) { if(elm->optional) continue; - _ASN_CTFAIL(app_key, td, + _ASN_CTFAIL(app_key, td, sptr, "%s: mandatory element %s absent (%s:%d)", td->name, elm->name, __FILE__, __LINE__); return -1; 
@@ -1027,7 +1031,7 @@ SEQUENCE_decode_uper(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd) { asn_SEQUENCE_specifics_t *specs = (asn_SEQUENCE_specifics_t *)td->specifics; void *st = *sptr; /* Target structure. */ - int extpresent = 0; /* Extension additions are present */ + int extpresent; /* Extension additions are present */ uint8_t *opres; /* Presence of optional root members */ asn_per_data_t opmd; asn_dec_rval_t rv; @@ -1049,9 +1053,12 @@ SEQUENCE_decode_uper(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, if(specs->ext_before >= 0) { extpresent = per_get_few_bits(pd, 1); if(extpresent < 0) _ASN_DECODE_STARVED; + } else { + extpresent = 0; } /* Prepare a place and read-in the presence bitmap */ + memset(&opmd, 0, sizeof(opmd)); if(specs->roms_count) { opres = (uint8_t *)MALLOC(((specs->roms_count + 7) >> 3) + 1); if(!opres) _ASN_DECODE_FAILED; @@ -1061,24 +1068,24 @@ SEQUENCE_decode_uper(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, _ASN_DECODE_STARVED; } opmd.buffer = opres; - opmd.nboff = 0; opmd.nbits = specs->roms_count; ASN_DEBUG("Read in presence bitmap for %s of %d bits (%x..)", td->name, specs->roms_count, *opres); } else { opres = 0; - memset(&opmd, 0, sizeof opmd); } /* * Get the sequence ROOT elements. */ - for(edx = 0; edx < ((specs->ext_before < 0) - ? td->elements_count : specs->ext_before + 1); edx++) { + for(edx = 0; edx < td->elements_count; edx++) { asn_TYPE_member_t *elm = &td->elements[edx]; void *memb_ptr; /* Pointer to the member */ void **memb_ptr2; /* Pointer to that pointer */ + if(IN_EXTENSION_GROUP(specs, edx)) + continue; + /* Fetch the pointer to this member */ if(elm->flags & ATF_POINTER) { memb_ptr2 = (void **)((char *)st + elm->memb_offset); 
@@ -1101,6 +1108,7 @@ SEQUENCE_decode_uper(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, FREEMEM(opres); _ASN_DECODE_FAILED; } + ASN_DEBUG("Filled-in default"); } /* The member is just not present */ continue; 
@@ -1120,50 +1128,176 @@ SEQUENCE_decode_uper(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, } } + /* Optionality map is not needed anymore */ + FREEMEM(opres); + /* * Deal with extensions. */ if(extpresent) { - ASN_DEBUG("Extensibility for %s: NOT IMPLEMENTED", td->name); - _ASN_DECODE_FAILED; - } else { - for(edx = specs->roms_count; edx < specs->roms_count - + specs->aoms_count; edx++) { - asn_TYPE_member_t *elm = &td->elements[edx]; - void *memb_ptr; /* Pointer to the member */ - void **memb_ptr2; /* Pointer to that pointer */ - - if(!elm->default_value) continue; - - /* Fetch the pointer to this member */ - if(elm->flags & ATF_POINTER) { - memb_ptr2 = (void **)((char *)st - + elm->memb_offset); - } else { - memb_ptr = (char *)st + elm->memb_offset; - memb_ptr2 = &memb_ptr; - } + ssize_t bmlength; + uint8_t *epres; /* Presence of extension members */ + asn_per_data_t epmd; + + bmlength = uper_get_nslength(pd); + if(bmlength < 0) _ASN_DECODE_STARVED; + + ASN_DEBUG("Extensions %ld present in %s", (long)bmlength, td->name); + + epres = (uint8_t *)MALLOC((bmlength + 15) >> 3); + if(!epres) _ASN_DECODE_STARVED; + + /* Get the extensions map */ + if(per_get_many_bits(pd, epres, 0, bmlength)) + _ASN_DECODE_STARVED; + + memset(&epmd, 0, sizeof(epmd)); + epmd.buffer = epres; + epmd.nbits = bmlength; + ASN_DEBUG("Read in extensions bitmap for %s of %ld bits (%x..)", + td->name, (long)bmlength, *epres); + + /* Go over extensions and read them in */ + for(edx = specs->ext_after + 1; edx < td->elements_count; edx++) { + asn_TYPE_member_t *elm = &td->elements[edx]; + void *memb_ptr; /* Pointer to the member */ + void **memb_ptr2; /* Pointer to that pointer */ + int present; + + if(!IN_EXTENSION_GROUP(specs, edx)) { + ASN_DEBUG("%d is not extension", edx); + continue; + } - /* Set default value */ - if(elm->default_value(1, memb_ptr2)) { - FREEMEM(opres); - _ASN_DECODE_FAILED; + /* Fetch the pointer to this member */ + if(elm->flags & ATF_POINTER) { + memb_ptr2 = 
(void **)((char *)st + elm->memb_offset); + } else { + memb_ptr = (void *)((char *)st + elm->memb_offset); + memb_ptr2 = &memb_ptr; + } + + present = per_get_few_bits(&epmd, 1); + if(present <= 0) { + if(present < 0) break; /* No more extensions */ + continue; + } + + ASN_DEBUG("Decoding member %s in %s %p", elm->name, td->name, *memb_ptr2); + rv = uper_open_type_get(opt_codec_ctx, elm->type, + elm->per_constraints, memb_ptr2, pd); + if(rv.code != RC_OK) { + FREEMEM(epres); + return rv; + } + } + + /* Skip over overflow extensions which aren't present + * in this system's version of the protocol */ + for(;;) { + ASN_DEBUG("Getting overflow extensions"); + switch(per_get_few_bits(&epmd, 1)) { + case -1: break; + case 0: continue; + default: + if(uper_open_type_skip(opt_codec_ctx, pd)) { + FREEMEM(epres); + _ASN_DECODE_STARVED; + } } + break; + } + + FREEMEM(epres); + } + + /* Fill DEFAULT members in extensions */ + for(edx = specs->roms_count; edx < specs->roms_count + + specs->aoms_count; edx++) { + asn_TYPE_member_t *elm = &td->elements[edx]; + void **memb_ptr2; /* Pointer to member pointer */ + + if(!elm->default_value) continue; + + /* Fetch the pointer to this member */ + if(elm->flags & ATF_POINTER) { + memb_ptr2 = (void **)((char *)st + + elm->memb_offset); + if(*memb_ptr2) continue; + } else { + continue; /* Extensions are all optionals */ + } + + /* Set default value */ + if(elm->default_value(1, memb_ptr2)) { + _ASN_DECODE_FAILED; } } rv.consumed = 0; rv.code = RC_OK; - FREEMEM(opres); return rv; } +static int +SEQUENCE_handle_extensions(asn_TYPE_descriptor_t *td, void *sptr, + asn_per_outp_t *po1, asn_per_outp_t *po2) { + asn_SEQUENCE_specifics_t *specs + = (asn_SEQUENCE_specifics_t *)td->specifics; + int exts_present = 0; + int exts_count = 0; + int edx; + + if(specs->ext_before < 0) + return 0; + + /* Find out which extensions are present */ + for(edx = specs->ext_after + 1; edx < td->elements_count; edx++) { + asn_TYPE_member_t *elm = 
&td->elements[edx]; + void *memb_ptr; /* Pointer to the member */ + void **memb_ptr2; /* Pointer to that pointer */ + int present; + + if(!IN_EXTENSION_GROUP(specs, edx)) { + ASN_DEBUG("%s (@%d) is not extension", elm->type->name, edx); + continue; + } + + /* Fetch the pointer to this member */ + if(elm->flags & ATF_POINTER) { + memb_ptr2 = (void **)((char *)sptr + elm->memb_offset); + present = (*memb_ptr2 != 0); + } else { + memb_ptr = (void *)((char *)sptr + elm->memb_offset); + memb_ptr2 = &memb_ptr; + present = 1; + } + + ASN_DEBUG("checking %s (@%d) present => %d", + elm->type->name, edx, present); + exts_count++; + exts_present += present; + + /* Encode as presence marker */ + if(po1 && per_put_few_bits(po1, present, 1)) + return -1; + /* Encode as open type field */ + if(po2 && present && uper_open_type_put(elm->type, + elm->per_constraints, *memb_ptr2, po2)) + return -1; + + } + + return exts_present ? exts_count : 0; +} + asn_enc_rval_t SEQUENCE_encode_uper(asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void *sptr, asn_per_outp_t *po) { asn_SEQUENCE_specifics_t *specs = (asn_SEQUENCE_specifics_t *)td->specifics; asn_enc_rval_t er; + int n_extensions; int edx; int i; @@ -1175,8 +1309,18 @@ SEQUENCE_encode_uper(asn_TYPE_descriptor_t *td, er.encoded = 0; ASN_DEBUG("Encoding %s as SEQUENCE (UPER)", td->name); - if(specs->ext_before >= 0) - _ASN_ENCODE_FAILED; /* We don't encode extensions yet */ + + + /* + * X.691#18.1 Whether structure is extensible + * and whether to encode extensions + */ + if(specs->ext_before >= 0) { + n_extensions = SEQUENCE_handle_extensions(td, sptr, 0, 0); + per_put_few_bits(po, n_extensions ? 1 : 0, 1); + } else { + n_extensions = 0; /* There are no extensions to encode */ + } /* Encode a presence bitmap */ for(i = 0; i < specs->roms_count; i++) { 
@@ -1212,14 +1356,21 @@ SEQUENCE_encode_uper(asn_TYPE_descriptor_t *td, } /* - * Get the sequence ROOT elements. + * Encode the sequence ROOT elements. */ - for(edx = 0; edx < ((specs->ext_before < 0) - ? td->elements_count : specs->ext_before + 1); edx++) { + ASN_DEBUG("ext_after = %d, ec = %d, eb = %d", specs->ext_after, td->elements_count, specs->ext_before); + for(edx = 0; edx < ((specs->ext_after < 0) + ? td->elements_count : specs->ext_before - 1); edx++) { + asn_TYPE_member_t *elm = &td->elements[edx]; void *memb_ptr; /* Pointer to the member */ void **memb_ptr2; /* Pointer to that pointer */ + if(IN_EXTENSION_GROUP(specs, edx)) + continue; + + ASN_DEBUG("About to encode %s", elm->type->name); + /* Fetch the pointer to this member */ if(elm->flags & ATF_POINTER) { memb_ptr2 = (void **)((char *)sptr + elm->memb_offset); @@ -1240,12 +1391,32 @@ SEQUENCE_encode_uper(asn_TYPE_descriptor_t *td, if(elm->default_value && elm->default_value(0, memb_ptr2) == 1) continue; + ASN_DEBUG("Encoding %s->%s", td->name, elm->name); er = elm->type->uper_encoder(elm->type, elm->per_constraints, *memb_ptr2, po); if(er.encoded == -1) return er; } + /* No extensions to encode */ + if(!n_extensions) _ASN_ENCODED_OK(er); + + ASN_DEBUG("Length of %d bit-map", n_extensions); + /* #18.8. Write down the presence bit-map length. */ + if(uper_put_nslength(po, n_extensions)) + _ASN_ENCODE_FAILED; + + ASN_DEBUG("Bit-map of %d elements", n_extensions); + /* #18.7. Encoding the extensions presence bit-map. */ + /* TODO: act upon NOTE in #18.7 for canonical PER */ + if(SEQUENCE_handle_extensions(td, sptr, po, 0) != n_extensions) + _ASN_ENCODE_FAILED; + + ASN_DEBUG("Writing %d extensions", n_extensions); + /* #18.9. Encode extensions as open type fields. */ + if(SEQUENCE_handle_extensions(td, sptr, 0, po) != n_extensions) + _ASN_ENCODE_FAILED; + _ASN_ENCODED_OK(er); } 
diff --git a/asn1/asn1c/constr_SET_OF.c b/asn1/asn1c/constr_SET_OF.c index 09f27db53dada6869accd8dbb3aba0f56b49e00b..b68d7ca1b2f852cbe7188e5166555f9ec2b35f63 100644 --- a/asn1/asn1c/constr_SET_OF.c +++ b/asn1/asn1c/constr_SET_OF.c @@ -227,6 +227,8 @@ SET_OF_decode_ber(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, } /* Fall through */ case RC_FAIL: /* Fatal error */ + ASN_STRUCT_FREE(*elm->type, ctx->ptr); + ctx->ptr = 0; RETURN(RC_FAIL); } /* switch(rval) */ @@ -787,8 +789,10 @@ SET_OF_print(asn_TYPE_descriptor_t *td, const void *sptr, int ilevel, void SET_OF_free(asn_TYPE_descriptor_t *td, void *ptr, int contents_only) { if(td && ptr) { + asn_SET_OF_specifics_t *specs; asn_TYPE_member_t *elm = td->elements; asn_anonymous_set_ *list = _A_SET_FROM_VOID(ptr); + asn_struct_ctx_t *ctx; /* Decoder context */ int i; /* @@ -804,6 +808,13 @@ SET_OF_free(asn_TYPE_descriptor_t *td, void *ptr, int contents_only) { asn_set_empty(list); /* Remove (list->array) */ + specs = (asn_SET_OF_specifics_t *)td->specifics; + ctx = (asn_struct_ctx_t *)((char *)ptr + specs->ctx_offset); + if(ctx->ptr) { + ASN_STRUCT_FREE(*elm->type, ctx->ptr); + ctx->ptr = 0; + } + if(!contents_only) { FREEMEM(ptr); } @@ -819,7 +830,7 @@ SET_OF_constraint(asn_TYPE_descriptor_t *td, const void *sptr, int i; if(!sptr) { - _ASN_CTFAIL(app_key, td, + _ASN_CTFAIL(app_key, td, sptr, "%s: value not given (%s:%d)", td->name, __FILE__, __LINE__); return -1; @@ -904,7 +915,7 @@ SET_OF_decode_uper(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, nelems = uper_get_length(pd, ct ? ct->effective_bits : -1, &repeat); ASN_DEBUG("Got to decode %d elements (eff %d)", - (int)nelems, (int)ct ? ct->effective_bits : -1); + (int)nelems, (int)(ct ? ct->effective_bits : -1)); if(nelems < 0) _ASN_DECODE_STARVED; } 
@@ -921,7 +932,7 @@ SET_OF_decode_uper(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, ASN_DEBUG("Failed to add element into %s", td->name); /* Fall through */ - rv.code == RC_FAIL; + rv.code = RC_FAIL; } else { ASN_DEBUG("Failed decoding %s of %s (SET OF)", elm->type->name, td->name); diff --git a/asn1/asn1c/der_encoder.h b/asn1/asn1c/der_encoder.h index 4e2fb06c28194510c6434f4829e56b2436d8f092..61431c6dbdc87e98de8b7804d438476bca86caa5 100644 --- a/asn1/asn1c/der_encoder.h +++ b/asn1/asn1c/der_encoder.h @@ -15,6 +15,7 @@ struct asn_TYPE_descriptor_s; /* Forward declaration */ /* * The DER encoder of any type. May be invoked by the application. + * The ber_decode() function (ber_decoder.h) is an opposite of der_encode(). */ asn_enc_rval_t der_encode(struct asn_TYPE_descriptor_s *type_descriptor, void *struct_ptr, /* Structure to be encoded */ diff --git a/asn1/asn1c/per_decoder.c b/asn1/asn1c/per_decoder.c index 16dee369624bbf28bb8957e222abe77059980d9f..220d7f9f7f2307b5c5256afe3c92df1f1413c486 100644 --- a/asn1/asn1c/per_decoder.c +++ b/asn1/asn1c/per_decoder.c 
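Review bot: The `rv.code == RC_FAIL;` to `rv.code = RC_FAIL;` change in SET_OF_decode_uper is a genuine bug fix, not cleanup: that branch is reached after the element decoded successfully but could not be added to the set, so rv.code still held the RC_OK from the element decoder and the caller saw a successful decode with the element leaked. Call it out explicitly in the commit message, and consider building with -Wunused-value, which flags a statement like the old one.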
@@ -2,6 +2,40 @@ #include #include +/* + * Decode a "Production of a complete encoding", X.691#10.1. + * The complete encoding contains at least one byte, and is an integral + * multiple of 8 bytes. + */ +asn_dec_rval_t +uper_decode_complete(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, void **sptr, const void *buffer, size_t size) { + asn_dec_rval_t rval; + + rval = uper_decode(opt_codec_ctx, td, sptr, buffer, size, 0, 0); + if(rval.consumed) { + /* + * We've always given 8-aligned data, + * so convert bits to integral bytes. + */ + rval.consumed += 7; + rval.consumed >>= 3; + } else if(rval.code == RC_OK) { + if(size) { + if(((const uint8_t *)buffer)[0] == 0) { + rval.consumed = 1; /* 1 byte */ + } else { + ASN_DEBUG("Expecting single zeroed byte"); + rval.code = RC_FAIL; + } + } else { + /* Must contain at least 8 bits. */ + rval.code = RC_WMORE; + } + } + + return rval; +} + asn_dec_rval_t uper_decode(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, void **sptr, const void *buffer, size_t size, int skip_bits, int unused_bits) { asn_codec_ctx_t s_codec_ctx; @@ -30,6 +64,7 @@ uper_decode(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, void **sp } /* Fill in the position indicator */ + memset(&pd, 0, sizeof(pd)); pd.buffer = (const uint8_t *)buffer; pd.nboff = skip_bits; pd.nbits = 8 * size - unused_bits; /* 8 is CHAR_BIT from */ @@ -46,6 +81,9 @@ uper_decode(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, void **sp /* Return the number of consumed bits */ rval.consumed = ((pd.buffer - (const uint8_t *)buffer) << 3) + pd.nboff - skip_bits; + ASN_DEBUG("PER decoding consumed %ld, counted %ld", + (long)rval.consumed, (long)pd.moved); + assert(rval.consumed == pd.moved); } else { /* PER codec is not a restartable */ rval.consumed = 0; diff --git a/asn1/asn1c/per_decoder.h b/asn1/asn1c/per_decoder.h index 26aaf59400445aff62fb007370fc35c0cfa9b1b2..8397a545fb9b2e950942aae892a32385730989e7 100644 --- a/asn1/asn1c/per_decoder.h 
+++ b/asn1/asn1c/per_decoder.h @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2005 Lev Walkin . All rights reserved. + * Copyright (c) 2005, 2007 Lev Walkin . All rights reserved. * Redistribution and modifications are permitted subject to BSD license. */ #ifndef _PER_DECODER_H_ @@ -15,7 +15,19 @@ extern "C" { struct asn_TYPE_descriptor_s; /* Forward declaration */ /* + * Unaligned PER decoder of a "complete encoding" as per X.691#10.1. + * On success, this call always returns (.consumed >= 1), as per X.691#10.1.3. + */ +asn_dec_rval_t uper_decode_complete(struct asn_codec_ctx_s *opt_codec_ctx, + struct asn_TYPE_descriptor_s *type_descriptor, /* Type to decode */ + void **struct_ptr, /* Pointer to a target structure's pointer */ + const void *buffer, /* Data to be decoded */ + size_t size /* Size of data buffer */ + ); + +/* * Unaligned PER decoder of any ASN.1 type. May be invoked by the application. + * WARNING: This call returns the number of BITS read from the stream. Beware. */ asn_dec_rval_t uper_decode(struct asn_codec_ctx_s *opt_codec_ctx, struct asn_TYPE_descriptor_s *type_descriptor, /* Type to decode */ diff --git a/asn1/asn1c/per_encoder.c b/asn1/asn1c/per_encoder.c index 614dd23331d482a05b973f790449359e7f503768..e76ef74a95a3d055aa65e3253d0121c8fb0410e6 100644 --- a/asn1/asn1c/per_encoder.c +++ b/asn1/asn1c/per_encoder.c 
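Review bot: `assert(rval.consumed == pd.moved)` at the end of uper_decode in per_decoder.c puts an abort on the decode path for untrusted input: if a type-specific decoder ever miscounts (pd.moved is new bookkeeping introduced by this same patch), a debug build terminates the process while an NDEBUG build silently returns the mismatched count. Prefer `rval.code = RC_FAIL` with the ASN_DEBUG line kept, so both builds behave the same. The added `memset(&pd, 0, sizeof(pd))` is required rather than cosmetic: it leaves the new refill and refill_key members NULL, which is what stops per_get_few_bits from calling through an uninitialised function pointer when the stream runs short. uper_decode_complete's byte conversion `(consumed + 7) >> 3` and the single-zero-octet case agree with the X.691#10.1.3 comment added in per_decoder.h.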
@@ -2,41 +2,11 @@ #include #include -/* Flush partially filled buffer */ -static int _uper_encode_flush_outp(asn_per_outp_t *po); +static asn_enc_rval_t uper_encode_internal(asn_TYPE_descriptor_t *td, asn_per_constraints_t *, void *sptr, asn_app_consume_bytes_f *cb, void *app_key); asn_enc_rval_t uper_encode(asn_TYPE_descriptor_t *td, void *sptr, asn_app_consume_bytes_f *cb, void *app_key) { - asn_per_outp_t po; - asn_enc_rval_t er; - - /* - * Invoke type-specific encoder. - */ - if(!td || !td->uper_encoder) - _ASN_ENCODE_FAILED; /* PER is not compiled in */ - - po.buffer = po.tmpspace; - po.nboff = 0; - po.nbits = 8 * sizeof(po.tmpspace); - po.outper = cb; - po.op_key = app_key; - po.flushed_bytes = 0; - - er = td->uper_encoder(td, 0, sptr, &po); - if(er.encoded != -1) { - size_t bits_to_flush; - - bits_to_flush = ((po.buffer - po.tmpspace) << 3) + po.nboff; - - /* Set number of bits encoded to a firm value */ - er.encoded = (po.flushed_bytes << 3) + bits_to_flush; - - if(_uper_encode_flush_outp(&po)) - _ASN_ENCODE_FAILED; - } - - return er; + return uper_encode_internal(td, 0, sptr, cb, app_key); } /* 
@@ -63,20 +33,71 @@ asn_enc_rval_t uper_encode_to_buffer(asn_TYPE_descriptor_t *td, void *sptr, void *buffer, size_t buffer_size) { enc_to_buf_arg key; - /* - * Invoke type-specific encoder. - */ - if(!td || !td->uper_encoder) - _ASN_ENCODE_FAILED; /* PER is not compiled in */ - key.buffer = buffer; key.left = buffer_size; - ASN_DEBUG("Encoding \"%s\" using UNALIGNED PER", td->name); + if(td) ASN_DEBUG("Encoding \"%s\" using UNALIGNED PER", td->name); - return uper_encode(td, sptr, encode_to_buffer_cb, &key); + return uper_encode_internal(td, 0, sptr, encode_to_buffer_cb, &key); } +typedef struct enc_dyn_arg { + void *buffer; + size_t length; + size_t allocated; +} enc_dyn_arg; +static int +encode_dyn_cb(const void *buffer, size_t size, void *key) { + enc_dyn_arg *arg = key; + if(arg->length + size >= arg->allocated) { + void *p; + arg->allocated = arg->allocated ? (arg->allocated << 2) : size; + p = REALLOC(arg->buffer, arg->allocated); + if(!p) { + FREEMEM(arg->buffer); + memset(arg, 0, sizeof(*arg)); + return -1; + } + arg->buffer = p; + } + memcpy(((char *)arg->buffer) + arg->length, buffer, size); + arg->length += size; + return 0; +} +ssize_t +uper_encode_to_new_buffer(asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void *sptr, void **buffer_r) { + asn_enc_rval_t er; + enc_dyn_arg key; + + memset(&key, 0, sizeof(key)); + + er = uper_encode_internal(td, constraints, sptr, encode_dyn_cb, &key); + switch(er.encoded) { + case -1: + FREEMEM(key.buffer); + return -1; + case 0: + FREEMEM(key.buffer); + key.buffer = MALLOC(1); + if(key.buffer) { + *(char *)key.buffer = '\0'; + *buffer_r = key.buffer; + return 1; + } else { + return -1; + } + default: + *buffer_r = key.buffer; + ASN_DEBUG("Complete encoded in %ld bits", (long)er.encoded); + return ((er.encoded + 7) >> 3); + } +} + +/* + * Internally useful functions. + */ + +/* Flush partially filled buffer */ static int _uper_encode_flush_outp(asn_per_outp_t *po) { uint8_t *buf; 
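Review bot: encode_dyn_cb in per_encoder.c grows the buffer with `arg->allocated = arg->allocated ? (arg->allocated << 2) : size`, which only fits the incoming chunk when no chunk is larger than the first one; the flush path in this patch passes at most the bytes accumulated in po->tmpspace, so that holds today, but the callback does not check it and a larger chunk would make the following memcpy write past the allocation. Compute the size from the need instead, e.g. `size_t need = arg->length + size; if(need > arg->allocated) { size_t n = arg->allocated << 2; if(n < need) n = need; ... }`, and guard the size == 0 case, where `REALLOC(arg->buffer, 0)` may return NULL on some C libraries and would be reported as an allocation failure; the `case 0:` in uper_encode_to_new_buffer shows that a zero-length encoding is an expected outcome.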
@@ -93,3 +114,38 @@ _uper_encode_flush_outp(asn_per_outp_t *po) { return po->outper(po->tmpspace, buf - po->tmpspace, po->op_key); } + +static asn_enc_rval_t +uper_encode_internal(asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void *sptr, asn_app_consume_bytes_f *cb, void *app_key) { + asn_per_outp_t po; + asn_enc_rval_t er; + + /* + * Invoke type-specific encoder. + */ + if(!td || !td->uper_encoder) + _ASN_ENCODE_FAILED; /* PER is not compiled in */ + + po.buffer = po.tmpspace; + po.nboff = 0; + po.nbits = 8 * sizeof(po.tmpspace); + po.outper = cb; + po.op_key = app_key; + po.flushed_bytes = 0; + + er = td->uper_encoder(td, constraints, sptr, &po); + if(er.encoded != -1) { + size_t bits_to_flush; + + bits_to_flush = ((po.buffer - po.tmpspace) << 3) + po.nboff; + + /* Set number of bits encoded to a firm value */ + er.encoded = (po.flushed_bytes << 3) + bits_to_flush; + + if(_uper_encode_flush_outp(&po)) + _ASN_ENCODE_FAILED; + } + + return er; +} + diff --git a/asn1/asn1c/per_encoder.h b/asn1/asn1c/per_encoder.h index 9ac130b7373cc354effd24058027ea85ca3a9e59..95a6506e47b54695ad1eab616dbe02cded6f6338 100644 --- a/asn1/asn1c/per_encoder.h +++ b/asn1/asn1c/per_encoder.h @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2006 Lev Walkin . All rights reserved. + * Copyright (c) 2006, 2007 Lev Walkin . All rights reserved. * Redistribution and modifications are permitted subject to BSD license. */ #ifndef _PER_ENCODER_H_ @@ -16,6 +16,9 @@ struct asn_TYPE_descriptor_s; /* Forward declaration */ /* * Unaligned PER encoder of any ASN.1 type. May be invoked by the application. + * WARNING: This function returns the number of encoded bits in the .encoded + * field of the return value. Use the following formula to convert to bytes: + * bytes = ((.encoded + 7) / 8) */ asn_enc_rval_t uper_encode(struct asn_TYPE_descriptor_s *type_descriptor, void *struct_ptr, /* Structure to be encoded */ 
@@ -23,7 +26,11 @@ asn_enc_rval_t uper_encode(struct asn_TYPE_descriptor_s *type_descriptor, void *app_key /* Arbitrary callback argument */ ); -/* A variant of uper_encode() which encodes data into the existing buffer */ +/* + * A variant of uper_encode() which encodes data into the existing buffer + * WARNING: This function returns the number of encoded bits in the .encoded + * field of the return value. + */ asn_enc_rval_t uper_encode_to_buffer( struct asn_TYPE_descriptor_s *type_descriptor, void *struct_ptr, /* Structure to be encoded */ @@ -31,6 +38,19 @@ asn_enc_rval_t uper_encode_to_buffer( size_t buffer_size /* Initial buffer size (max) */ ); +/* + * A variant of uper_encode_to_buffer() which allocates buffer itself. + * Returns the number of bytes in the buffer or -1 in case of failure. + * WARNING: This function produces a "Production of the complete encoding", + * with length of at least one octet. Contrast this to precise bit-packing + * encoding of uper_encode() and uper_encode_to_buffer(). + */ +ssize_t uper_encode_to_new_buffer( + struct asn_TYPE_descriptor_s *type_descriptor, + asn_per_constraints_t *constraints, + void *struct_ptr, /* Structure to be encoded */ + void **buffer_r /* Buffer allocated and returned */ +); /* * Type of the generic PER encoder function. diff --git a/asn1/asn1c/per_opentype.c b/asn1/asn1c/per_opentype.c new file mode 100644 index 0000000000000000000000000000000000000000..ec404cf9b07b7005ddc93c66df1bd4775ed4811d --- /dev/null +++ b/asn1/asn1c/per_opentype.c 
@@ -0,0 +1,378 @@ +/* + * Copyright (c) 2007 Lev Walkin . All rights reserved. + * Redistribution and modifications are permitted subject to BSD license. + */ +#include +#include +#include +#include + +typedef struct uper_ugot_key { + asn_per_data_t oldpd; /* Old per data source */ + size_t unclaimed; + size_t ot_moved; /* Number of bits moved by OT processing */ + int repeat; +} uper_ugot_key; + +static int uper_ugot_refill(asn_per_data_t *pd); +static int per_skip_bits(asn_per_data_t *pd, int skip_nbits); +static asn_dec_rval_t uper_sot_suck(asn_codec_ctx_t *, asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd); + +/* + * Encode an "open type field". + * #10.1, #10.2 + */ +int +uper_open_type_put(asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void *sptr, asn_per_outp_t *po) { + void *buf; + void *bptr; + ssize_t size; + size_t toGo; + + ASN_DEBUG("Open type put %s ...", td->name); + + size = uper_encode_to_new_buffer(td, constraints, sptr, &buf); + if(size <= 0) return -1; + + for(bptr = buf, toGo = size; toGo;) { + ssize_t maySave = uper_put_length(po, toGo); + ASN_DEBUG("Prepending length %d to %s and allowing to save %d", + (int)size, td->name, (int)maySave); + if(maySave < 0) break; + if(per_put_many_bits(po, bptr, maySave * 8)) break; + bptr = (char *)bptr + maySave; + toGo -= maySave; + } + + FREEMEM(buf); + if(toGo) return -1; + + ASN_DEBUG("Open type put %s of length %ld + overhead (1byte?)", + td->name, (long)size); + + return 0; +} + +static asn_dec_rval_t +uper_open_type_get_simple(asn_codec_ctx_t *ctx, asn_TYPE_descriptor_t *td, + asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd) { + asn_dec_rval_t rv; + ssize_t chunk_bytes; + int repeat; + uint8_t *buf = 0; + size_t bufLen = 0; + size_t bufSize = 0; + asn_per_data_t spd; + size_t padding; + + _ASN_STACK_OVERFLOW_CHECK(ctx); + + ASN_DEBUG("Getting open type %s...", td->name); + + do { + chunk_bytes = uper_get_length(pd, -1, 
&repeat); + if(chunk_bytes < 0) { + FREEMEM(buf); + _ASN_DECODE_STARVED; + } + if(bufLen + chunk_bytes > bufSize) { + void *ptr; + bufSize = chunk_bytes + (bufSize << 2); + ptr = REALLOC(buf, bufSize); + if(!ptr) { + FREEMEM(buf); + _ASN_DECODE_FAILED; + } + buf = ptr; + } + if(per_get_many_bits(pd, buf + bufLen, 0, chunk_bytes << 3)) { + FREEMEM(buf); + _ASN_DECODE_STARVED; + } + bufLen += chunk_bytes; + } while(repeat); + + ASN_DEBUG("Getting open type %s encoded in %ld bytes", td->name, + (long)bufLen); + + memset(&spd, 0, sizeof(spd)); + spd.buffer = buf; + spd.nbits = bufLen << 3; + + ASN_DEBUG_INDENT_ADD(+4); + rv = td->uper_decoder(ctx, td, constraints, sptr, &spd); + ASN_DEBUG_INDENT_ADD(-4); + + if(rv.code == RC_OK) { + /* Check padding validity */ + padding = spd.nbits - spd.nboff; + if ((padding < 8 || + /* X.691#10.1.3 */ + (spd.nboff == 0 && spd.nbits == 8 && spd.buffer == buf)) && + per_get_few_bits(&spd, padding) == 0) { + /* Everything is cool */ + FREEMEM(buf); + return rv; + } + FREEMEM(buf); + if(padding >= 8) { + ASN_DEBUG("Too large padding %d in open type", (int)padding); + _ASN_DECODE_FAILED; + } else { + ASN_DEBUG("Non-zero padding"); + _ASN_DECODE_FAILED; + } + } else { + FREEMEM(buf); + /* rv.code could be RC_WMORE, nonsense in this context */ + rv.code = RC_FAIL; /* Noone would give us more */ + } + + return rv; +} + +static asn_dec_rval_t GCC_NOTUSED +uper_open_type_get_complex(asn_codec_ctx_t *ctx, asn_TYPE_descriptor_t *td, + asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd) { + uper_ugot_key arg; + asn_dec_rval_t rv; + ssize_t padding; + + _ASN_STACK_OVERFLOW_CHECK(ctx); + + ASN_DEBUG("Getting open type %s from %s", td->name, + per_data_string(pd)); + arg.oldpd = *pd; + arg.unclaimed = 0; + arg.ot_moved = 0; + arg.repeat = 1; + pd->refill = uper_ugot_refill; + pd->refill_key = &arg; + pd->nbits = pd->nboff; /* 0 good bits at this point, will refill */ + pd->moved = 0; /* This now counts the open type size in bits */ 
+ + ASN_DEBUG_INDENT_ADD(+4); + rv = td->uper_decoder(ctx, td, constraints, sptr, pd); + ASN_DEBUG_INDENT_ADD(-4); + +#define UPDRESTOREPD do { \ + /* buffer and nboff are valid, preserve them. */ \ + pd->nbits = arg.oldpd.nbits - (pd->moved - arg.ot_moved); \ + pd->moved = arg.oldpd.moved + (pd->moved - arg.ot_moved); \ + pd->refill = arg.oldpd.refill; \ + pd->refill_key = arg.oldpd.refill_key; \ + } while(0) + + if(rv.code != RC_OK) { + UPDRESTOREPD; + return rv; + } + + ASN_DEBUG("OpenType %s pd%s old%s unclaimed=%d, repeat=%d", td->name, + per_data_string(pd), + per_data_string(&arg.oldpd), + (int)arg.unclaimed, (int)arg.repeat); + + padding = pd->moved % 8; + if(padding) { + int32_t pvalue; + if(padding > 7) { + ASN_DEBUG("Too large padding %d in open type", + (int)padding); + rv.code = RC_FAIL; + UPDRESTOREPD; + return rv; + } + padding = 8 - padding; + ASN_DEBUG("Getting padding of %d bits", (int)padding); + pvalue = per_get_few_bits(pd, padding); + switch(pvalue) { + case -1: + ASN_DEBUG("Padding skip failed"); + UPDRESTOREPD; + _ASN_DECODE_STARVED; + case 0: break; + default: + ASN_DEBUG("Non-blank padding (%d bits 0x%02x)", + (int)padding, (int)pvalue); + UPDRESTOREPD; + _ASN_DECODE_FAILED; + } + } + if(pd->nboff != pd->nbits) { + ASN_DEBUG("Open type %s overhead pd%s old%s", td->name, + per_data_string(pd), per_data_string(&arg.oldpd)); + if(1) { + UPDRESTOREPD; + _ASN_DECODE_FAILED; + } else { + arg.unclaimed += pd->nbits - pd->nboff; + } + } + + /* Adjust pd back so it points to original data */ + UPDRESTOREPD; + + /* Skip data not consumed by the decoder */ + if(arg.unclaimed) { + ASN_DEBUG("Getting unclaimed %d", (int)arg.unclaimed); + switch(per_skip_bits(pd, arg.unclaimed)) { + case -1: + ASN_DEBUG("Claim of %d failed", (int)arg.unclaimed); + _ASN_DECODE_STARVED; + case 0: + ASN_DEBUG("Got claim of %d", (int)arg.unclaimed); + break; + default: + /* Padding must be blank */ + ASN_DEBUG("Non-blank unconsumed padding"); + _ASN_DECODE_FAILED; + } + 
arg.unclaimed = 0; + } + + if(arg.repeat) { + ASN_DEBUG("Not consumed the whole thing"); + rv.code = RC_FAIL; + return rv; + } + + return rv; +} + + +asn_dec_rval_t +uper_open_type_get(asn_codec_ctx_t *ctx, asn_TYPE_descriptor_t *td, + asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd) { + + return uper_open_type_get_simple(ctx, td, constraints, sptr, pd); +} + +int +uper_open_type_skip(asn_codec_ctx_t *ctx, asn_per_data_t *pd) { + asn_TYPE_descriptor_t s_td; + asn_dec_rval_t rv; + + s_td.name = ""; + s_td.uper_decoder = uper_sot_suck; + + rv = uper_open_type_get(ctx, &s_td, 0, 0, pd); + if(rv.code != RC_OK) + return -1; + else + return 0; +} + +/* + * Internal functions. + */ + +static asn_dec_rval_t +uper_sot_suck(asn_codec_ctx_t *ctx, asn_TYPE_descriptor_t *td, + asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd) { + asn_dec_rval_t rv; + + (void)ctx; + (void)td; + (void)constraints; + (void)sptr; + + while(per_get_few_bits(pd, 24) >= 0); + + rv.code = RC_OK; + rv.consumed = pd->moved; + + return rv; +} + +static int +uper_ugot_refill(asn_per_data_t *pd) { + uper_ugot_key *arg = pd->refill_key; + ssize_t next_chunk_bytes, next_chunk_bits; + ssize_t avail; + + asn_per_data_t *oldpd = &arg->oldpd; + + ASN_DEBUG("REFILLING pd->moved=%ld, oldpd->moved=%ld", + (long)pd->moved, (long)oldpd->moved); + + /* Advance our position to where pd is */ + oldpd->buffer = pd->buffer; + oldpd->nboff = pd->nboff; + oldpd->nbits -= pd->moved - arg->ot_moved; + oldpd->moved += pd->moved - arg->ot_moved; + arg->ot_moved = pd->moved; + + if(arg->unclaimed) { + /* Refill the container */ + if(per_get_few_bits(oldpd, 1)) + return -1; + if(oldpd->nboff == 0) { + assert(0); + return -1; + } + pd->buffer = oldpd->buffer; + pd->nboff = oldpd->nboff - 1; + pd->nbits = oldpd->nbits; + ASN_DEBUG("UNCLAIMED <- return from (pd->moved=%ld)", + (long)pd->moved); + return 0; + } + + if(!arg->repeat) { + ASN_DEBUG("Want more but refill doesn't have it"); + return 
-1; + } + + next_chunk_bytes = uper_get_length(oldpd, -1, &arg->repeat); + ASN_DEBUG("Open type LENGTH %ld bytes at off %ld, repeat %ld", + (long)next_chunk_bytes, (long)oldpd->moved, (long)arg->repeat); + if(next_chunk_bytes < 0) return -1; + if(next_chunk_bytes == 0) { + pd->refill = 0; /* No more refills, naturally */ + assert(!arg->repeat); /* Implementation guarantee */ + } + next_chunk_bits = next_chunk_bytes << 3; + avail = oldpd->nbits - oldpd->nboff; + if(avail >= next_chunk_bits) { + pd->nbits = oldpd->nboff + next_chunk_bits; + arg->unclaimed = 0; + ASN_DEBUG("!+Parent frame %ld bits, alloting %ld [%ld..%ld] (%ld)", + (long)next_chunk_bits, (long)oldpd->moved, + (long)oldpd->nboff, (long)oldpd->nbits, + (long)(oldpd->nbits - oldpd->nboff)); + } else { + pd->nbits = oldpd->nbits; + arg->unclaimed = next_chunk_bits - avail; + ASN_DEBUG("!-Parent frame %ld, require %ld, will claim %ld", + (long)avail, (long)next_chunk_bits, + (long)arg->unclaimed); + } + pd->buffer = oldpd->buffer; + pd->nboff = oldpd->nboff; + ASN_DEBUG("Refilled pd%s old%s", + per_data_string(pd), per_data_string(oldpd)); + return 0; +} + +static int +per_skip_bits(asn_per_data_t *pd, int skip_nbits) { + int hasNonZeroBits = 0; + while(skip_nbits > 0) { + int skip; + + /* per_get_few_bits() is more efficient when nbits <= 24 */ + if(skip_nbits < 24) + skip = skip_nbits; + else + skip = 24; + skip_nbits -= skip; + + switch(per_get_few_bits(pd, skip)) { + case -1: return -1; /* Starving */ + case 0: continue; /* Skipped empty space */ + default: hasNonZeroBits = 1; continue; + } + } + return hasNonZeroBits; +} diff --git a/asn1/asn1c/per_opentype.h b/asn1/asn1c/per_opentype.h new file mode 100644 index 0000000000000000000000000000000000000000..facfaa6377bddcc85e23ac8c511f3d047a56324b --- /dev/null +++ b/asn1/asn1c/per_opentype.h 
@@ -0,0 +1,22 @@ +/* + * Copyright (c) 2007 Lev Walkin . All rights reserved. + * Redistribution and modifications are permitted subject to BSD license. + */ +#ifndef _PER_OPENTYPE_H_ +#define _PER_OPENTYPE_H_ + +#ifdef __cplusplus +extern "C" { +#endif + +asn_dec_rval_t uper_open_type_get(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd); + +int uper_open_type_skip(asn_codec_ctx_t *opt_codec_ctx, asn_per_data_t *pd); + +int uper_open_type_put(asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void *sptr, asn_per_outp_t *po); + +#ifdef __cplusplus +} +#endif + +#endif /* _PER_OPENTYPE_H_ */ diff --git a/asn1/asn1c/per_support.c b/asn1/asn1c/per_support.c index c83441931caf1fcc3a79c0062014833db3d141b5..0d089f495226347e6bb5f7ef5c04d5f7cdaa3d64 100644 --- a/asn1/asn1c/per_support.c +++ b/asn1/asn1c/per_support.c 
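Review bot: per_opentype.h declares its three functions in terms of asn_dec_rval_t, asn_codec_ctx_t, asn_TYPE_descriptor_t, asn_per_constraints_t, asn_per_data_t and asn_per_outp_t but includes nothing, so it compiles only when included after the headers that define those typedefs; add the includes so the header stands on its own, as per_decoder.h does with its forward declarations.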
@@ -1,25 +1,67 @@ /* - * Copyright (c) 2005, 2006 Lev Walkin . All rights reserved. + * Copyright (c) 2005-2014 Lev Walkin . + * All rights reserved. * Redistribution and modifications are permitted subject to BSD license. */ #include #include #include +char * +per_data_string(asn_per_data_t *pd) { + static char buf[2][32]; + static int n; + n = (n+1) % 2; + snprintf(buf[n], sizeof(buf), + "{m=%ld span %+ld[%d..%d] (%d)}", + (long)pd->moved, + (((long)pd->buffer) & 0xf), + (int)pd->nboff, (int)pd->nbits, + (int)(pd->nbits - pd->nboff)); + return buf[n]; +} + +void +per_get_undo(asn_per_data_t *pd, int nbits) { + if((ssize_t)pd->nboff < nbits) { + assert((ssize_t)pd->nboff < nbits); + } else { + pd->nboff -= nbits; + pd->moved -= nbits; + } +} + /* * Extract a small number of bits (<= 31) from the specified PER data pointer. */ int32_t per_get_few_bits(asn_per_data_t *pd, int nbits) { size_t off; /* Next after last bit offset */ + ssize_t nleft; /* Number of bits left in this stream */ uint32_t accum; const uint8_t *buf; - if(nbits < 0 || pd->nboff + nbits > pd->nbits) + if(nbits < 0) return -1; - ASN_DEBUG("[PER get %d bits from %p+%d bits]", - nbits, pd->buffer, pd->nboff); + nleft = pd->nbits - pd->nboff; + if(nbits > nleft) { + int32_t tailv, vhead; + if(!pd->refill || nbits > 31) return -1; + /* Accumulate unused bytes before refill */ + ASN_DEBUG("Obtain the rest %d bits (want %d)", + (int)nleft, (int)nbits); + tailv = per_get_few_bits(pd, nleft); + if(tailv < 0) return -1; + /* Refill (replace pd contents with new data) */ + if(pd->refill(pd)) + return -1; + nbits -= nleft; + vhead = per_get_few_bits(pd, nbits); + /* Combine the rest of previous pd with the head of new one */ + tailv = (tailv << nbits) | vhead; /* Could == -1 */ + return tailv; + } /* * Normalize position indicator. 
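Review bot: per_data_string in per_support.c passes the wrong bound to snprintf: `snprintf(buf[n], sizeof(buf), ...)` uses the size of the whole 2x32 array (64) while writing into one 32-byte row, so a long format expansion into buf[1] can run past the end of the array; use `sizeof(buf[n])`. The function is debug-only and documented as not thread-safe, but it is reached from ASN_DEBUG calls throughout this patch whenever debugging is compiled in. Also, per_get_undo's `if((ssize_t)pd->nboff < nbits) { assert((ssize_t)pd->nboff < nbits); }` asserts a condition already known to be true inside that branch, so it always aborts there in debug builds and does nothing at all under NDEBUG, leaving nboff and moved untouched; write it as `assert(!(...))` with an explicit failure path, or return a status the callers check.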
@@ -29,7 +71,9 @@ per_get_few_bits(asn_per_data_t *pd, int nbits) { pd->nbits -= (pd->nboff & ~0x07); pd->nboff &= 0x07; } - off = (pd->nboff += nbits); + pd->moved += nbits; + pd->nboff += nbits; + off = pd->nboff; buf = pd->buffer; /* @@ -47,15 +91,29 @@ per_get_few_bits(asn_per_data_t *pd, int nbits) { else if(nbits <= 31) { asn_per_data_t tpd = *pd; /* Here are we with our 31-bits limit plus 1..7 bits offset. */ - tpd.nboff -= nbits; + per_get_undo(&tpd, nbits); + /* The number of available bits in the stream allow + * for the following operations to take place without + * invoking the ->refill() function */ accum = per_get_few_bits(&tpd, nbits - 24) << 24; accum |= per_get_few_bits(&tpd, 24); } else { - pd->nboff -= nbits; /* Oops, revert back */ + per_get_undo(pd, nbits); return -1; } - return (accum & (((uint32_t)1 << nbits) - 1)); + accum &= (((uint32_t)1 << nbits) - 1); + + ASN_DEBUG(" [PER got %2d<=%2d bits => span %d %+ld[%d..%d]:%02x (%d) => 0x%x]", + (int)nbits, (int)nleft, + (int)pd->moved, + (((long)pd->buffer) & 0xf), + (int)pd->nboff, (int)pd->nbits, + pd->buffer[0], + (int)(pd->nbits - pd->nboff), + (int)accum); + + return accum; } /* @@ -130,6 +188,30 @@ uper_get_length(asn_per_data_t *pd, int ebits, int *repeat) { } /* + * Get the normally small length "n". + * This procedure used to decode length of extensions bit-maps + * for SET and SEQUENCE types. + */ +ssize_t +uper_get_nslength(asn_per_data_t *pd) { + ssize_t length; + + ASN_DEBUG("Getting normally small length"); + + if(per_get_few_bits(pd, 1) == 0) { + length = per_get_few_bits(pd, 6) + 1; + if(length <= 0) return -1; + ASN_DEBUG("l=%d", (int)length); + return length; + } else { + int repeat; + length = uper_get_length(pd, -1, &repeat); + if(length >= 0 && !repeat) return length; + return -1; /* Error, or do not support >16K extensions */ + } +} + +/* * Get the normally small non-negative whole number. * X.691, #10.6 */ 
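Review bot: uper_get_nslength reads one bit and, when it is 1, delegates to uper_get_length for the general-length form, but its encoder counterpart uper_put_nslength later in this same file writes `uper_put_length(po, length)` alone for lengths over 64; unless uper_put_length itself emits that leading 1 bit (its body is not in this diff), the two sides disagree for any extension bit-map longer than 64 entries, because the decoder would take the first bit of the general length determinant as the small-length marker. Either prepend the bit with `per_put_few_bits(po, 1, 1)` before uper_put_length, or add a round-trip test for lengths 64 and 65 so the shared "#10.9.3.4" reference can be checked against the standard.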
@@ -156,8 +238,8 @@ uper_get_nsnnwn(asn_per_data_t *pd) { } /* - * Put the normally small non-negative whole number. - * X.691, #10.6 + * X.691-11/2008, #11.6 + * Encoding of a normally small non-negative whole number */ int uper_put_nsnnwn(asn_per_outp_t *po, int n) { @@ -182,6 +264,58 @@ uper_put_nsnnwn(asn_per_outp_t *po, int n) { } +/* X.691-2008/11, #11.5.6 -> #11.3 */ +int uper_get_constrained_whole_number(asn_per_data_t *pd, unsigned long *out_value, int nbits) { + unsigned long lhalf; /* Lower half of the number*/ + long half; + + if(nbits <= 31) { + half = per_get_few_bits(pd, nbits); + if(half < 0) return -1; + *out_value = half; + return 0; + } + + if((size_t)nbits > 8 * sizeof(*out_value)) + return -1; /* RANGE */ + + half = per_get_few_bits(pd, 31); + if(half < 0) return -1; + + if(uper_get_constrained_whole_number(pd, &lhalf, nbits - 31)) + return -1; + + *out_value = ((unsigned long)half << (nbits - 31)) | lhalf; + return 0; +} + + +/* X.691-2008/11, #11.5.6 -> #11.3 */ +int uper_put_constrained_whole_number_s(asn_per_outp_t *po, long v, int nbits) { + /* + * Assume signed number can be safely coerced into + * unsigned of the same range. + * The following testing code will likely be optimized out + * by compiler if it is true. + */ + unsigned long uvalue1 = ULONG_MAX; + long svalue = uvalue1; + unsigned long uvalue2 = svalue; + assert(uvalue1 == uvalue2); + return uper_put_constrained_whole_number_u(po, v, nbits); +} + +int uper_put_constrained_whole_number_u(asn_per_outp_t *po, unsigned long v, int nbits) { + if(nbits <= 31) { + return per_put_few_bits(po, v, nbits); + } else { + /* Put higher portion first, followed by lower 31-bit */ + if(uper_put_constrained_whole_number_u(po, v >> 31, nbits - 31)) + return -1; + return per_put_few_bits(po, v, 31); + } +} + /* * Put a small number of bits (<= 31). */ 
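Review bot: uper_put_constrained_whole_number_s checks a platform property (the unsigned-to-signed-to-unsigned round trip of ULONG_MAX) with a runtime `assert(uvalue1 == uvalue2)`; under NDEBUG the three locals become set-but-unused and draw exactly the compiler warnings this thread is trying to get rid of, and in debug builds it is an abort path that cannot fire on a two's-complement target. Replace it with a compile-time check (a static assertion idiom) or drop the locals and keep the comment. In uper_get_constrained_whole_number the `nbits > 8 * sizeof(*out_value)` range check sits after the `nbits <= 31` fast path, which is fine, but a negative nbits takes that fast path and relies on per_get_few_bits rejecting it; an explicit `if(nbits < 0) return -1;` at the top documents the intent.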
@@ -193,8 +327,8 @@ per_put_few_bits(asn_per_outp_t *po, uint32_t bits, int obits) { if(obits <= 0 || obits >= 32) return obits ? -1 : 0; - ASN_DEBUG("[PER put %d bits to %p+%d bits]", - obits, po->buffer, po->nboff); + ASN_DEBUG("[PER put %d bits %x to %p+%d bits]", + obits, (int)bits, po->buffer, (int)po->nboff); /* * Normalize position indicator. @@ -210,7 +344,9 @@ per_put_few_bits(asn_per_outp_t *po, uint32_t bits, int obits) { */ if(po->nboff + obits > po->nbits) { int complete_bytes = (po->buffer - po->tmpspace); - if(po->outper(po->buffer, complete_bytes, po->op_key) < 0) + ASN_DEBUG("[PER output %ld complete + %ld]", + (long)complete_bytes, (long)po->flushed_bytes); + if(po->outper(po->tmpspace, complete_bytes, po->op_key) < 0) return -1; if(po->nboff) po->tmpspace[0] = po->buffer[0]; 
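Review bot: The flush in per_put_few_bits now emits `po->tmpspace` instead of `po->buffer`, which changes the bytes written whenever the temporary area holds more than one completed byte (po->buffer points at the current partial byte, tmpspace at the start of the completed ones), so this is an output-correctness fix rather than a debug tweak; state it in the commit message and add a test that encodes more than sizeof(po->tmpspace) bytes through a callback and compares the resulting stream against a known encoding.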
@@ -224,41 +360,47 @@ per_put_few_bits(asn_per_outp_t *po, uint32_t bits, int obits) { */ buf = po->buffer; omsk = ~((1 << (8 - po->nboff)) - 1); - off = (po->nboff += obits); + off = (po->nboff + obits); /* Clear data of debris before meaningful bits */ bits &= (((uint32_t)1 << obits) - 1); - ASN_DEBUG("[PER out %d %u/%x (t=%d,o=%d) %x&%x=%x]", obits, bits, bits, - po->nboff - obits, off, buf[0], omsk&0xff, buf[0] & omsk); + ASN_DEBUG("[PER out %d %u/%x (t=%d,o=%d) %x&%x=%x]", obits, + (int)bits, (int)bits, + (int)po->nboff, (int)off, + buf[0], (int)(omsk&0xff), + (int)(buf[0] & omsk)); if(off <= 8) /* Completely within 1 byte */ + po->nboff = off, bits <<= (8 - off), buf[0] = (buf[0] & omsk) | bits; else if(off <= 16) + po->nboff = off, bits <<= (16 - off), buf[0] = (buf[0] & omsk) | (bits >> 8), buf[1] = bits; else if(off <= 24) + po->nboff = off, bits <<= (24 - off), buf[0] = (buf[0] & omsk) | (bits >> 16), buf[1] = bits >> 8, buf[2] = bits; else if(off <= 31) + po->nboff = off, bits <<= (32 - off), buf[0] = (buf[0] & omsk) | (bits >> 24), buf[1] = bits >> 16, buf[2] = bits >> 8, buf[3] = bits; else { - ASN_DEBUG("->[PER out split %d]", obits); - per_put_few_bits(po, bits >> 8, 24); + per_put_few_bits(po, bits >> (obits - 24), 24); per_put_few_bits(po, bits, obits - 24); - ASN_DEBUG("<-[PER out split %d]", obits); } - ASN_DEBUG("[PER out %u/%x => %02x buf+%d]", - bits, bits, buf[0], po->buffer - po->tmpspace); + ASN_DEBUG("[PER out %u/%x => %02x buf+%ld]", + (int)bits, (int)bits, buf[0], + (long)(po->buffer - po->tmpspace)); return 0; } 
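Review bot: Two behaviour changes in per_put_few_bits deserve a test rather than just the debug-line cleanup: po->nboff is now advanced only in the branches that actually write (`po->nboff = off, ...`), so the split path no longer double-counts the bits it hands to the recursive calls, and the split itself changed from `bits >> 8` to `bits >> (obits - 24)`, which is the correct way to isolate the top 24 of obits bits when obits is 25..31. A round trip over obits in 25..31 at every nboff offset 1..7 (the only way to reach `off > 31`) would pin both fixes down.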
@@ -316,3 +458,26 @@ uper_put_length(asn_per_outp_t *po, size_t length) { ? -1 : (ssize_t)(length << 14); } + +/* + * Put the normally small length "n" into the stream. + * This procedure used to encode length of extensions bit-maps + * for SET and SEQUENCE types. + */ +int +uper_put_nslength(asn_per_outp_t *po, size_t length) { + + if(length <= 64) { + /* #10.9.3.4 */ + if(length == 0) return -1; + return per_put_few_bits(po, length-1, 7) ? -1 : 0; + } else { + if(uper_put_length(po, length) != (ssize_t)length) { + /* This might happen in case of >16K extensions */ + return -1; + } + } + + return 0; +} + diff --git a/asn1/asn1c/per_support.h b/asn1/asn1c/per_support.h index 420bb83c58d081ba3949951b67709e3200e7192a..10c84ed0839100912db28219647fb7594c84a9b0 100644 --- a/asn1/asn1c/per_support.h +++ b/asn1/asn1c/per_support.h @@ -1,5 +1,6 @@ /* - * Copyright (c) 2005, 2006 Lev Walkin . All rights reserved. + * Copyright (c) 2005-2014 Lev Walkin . + * All rights reserved. * Redistribution and modifications are permitted subject to BSD license. */ #ifndef _PER_SUPPORT_H_ @@ -29,15 +30,20 @@ typedef struct asn_per_constraint_s { typedef struct asn_per_constraints_s { asn_per_constraint_t value; asn_per_constraint_t size; + int (*value2code)(unsigned int value); + int (*code2value)(unsigned int code); } asn_per_constraints_t; /* * This structure describes a position inside an incoming PER bit stream. */ typedef struct asn_per_data_s { - const uint8_t *buffer; /* Pointer to the octet stream */ - size_t nboff; /* Bit offset to the meaningful bit */ - size_t nbits; /* Number of bits in the stream */ + const uint8_t *buffer; /* Pointer to the octet stream */ + size_t nboff; /* Bit offset to the meaningful bit */ + size_t nbits; /* Number of bits in the stream */ + size_t moved; /* Number of bits moved through this bit stream */ + int (*refill)(struct asn_per_data_s *); + void *refill_key; } asn_per_data_t; /* 
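Review bot: Adding `moved`, `refill` and `refill_key` to asn_per_data_t changes the contract for everyone who builds one on the stack: per_get_few_bits now calls `pd->refill(pd)` whenever a request exceeds the bits left and refill is non-NULL, so any constructor of asn_per_data_t that sets only buffer, nboff and nbits (the three fields that existed before) leaves a garbage function pointer that gets called on a short input. This patch memsets the two instances it touches (uper_decode and uper_open_type_get_simple); the same audit is needed for the generated skeleton code and for any other place in this tree that fills the structure field by field, and the comment on the struct in per_support.h should say that it must be zero-initialised.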
@@ -47,6 +53,9 @@ typedef struct asn_per_data_s { */ int32_t per_get_few_bits(asn_per_data_t *per_data, int get_nbits); +/* Undo the immediately preceeding "get_few_bits" operation */ +void per_get_undo(asn_per_data_t *per_data, int get_nbits); + /* * Extract a large number of bits from the specified PER data pointer. * This function returns -1 if the specified number of bits could not be @@ -63,10 +72,21 @@ ssize_t uper_get_length(asn_per_data_t *pd, int *repeat); /* + * Get the normally small length "n". + */ +ssize_t uper_get_nslength(asn_per_data_t *pd); + +/* * Get the normally small non-negative whole number. */ ssize_t uper_get_nsnnwn(asn_per_data_t *pd); +/* X.691-2008/11, #11.5.6 */ +int uper_get_constrained_whole_number(asn_per_data_t *pd, unsigned long *v, int nbits); + +/* Non-thread-safe debugging function, don't use it */ +char *per_data_string(asn_per_data_t *pd); + /* * This structure supports forming PER output. */ @@ -86,6 +106,10 @@ int per_put_few_bits(asn_per_outp_t *per_data, uint32_t bits, int obits); /* Output a large number of bits */ int per_put_many_bits(asn_per_outp_t *po, const uint8_t *src, int put_nbits); +/* X.691-2008/11, #11.5 */ +int uper_put_constrained_whole_number_s(asn_per_outp_t *po, long v, int nbits); +int uper_put_constrained_whole_number_u(asn_per_outp_t *po, unsigned long v, int nbits); + /* * Put the length "n" to the Unaligned PER stream. * This function returns the number of units which may be flushed @@ -94,6 +118,12 @@ int per_put_many_bits(asn_per_outp_t *po, const uint8_t *src, int put_nbits); ssize_t uper_put_length(asn_per_outp_t *po, size_t whole_length); /* + * Put the normally small length "n" to the Unaligned PER stream. + * Returns 0 or -1. + */ +int uper_put_nslength(asn_per_outp_t *po, size_t length); + +/* * Put the normally small non-negative whole number. */ int uper_put_nsnnwn(asn_per_outp_t *po, int n); 
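Review bot: Minor, in the per_support.h comments: "preceeding" above per_get_undo should be "preceding", and the per_data_string declaration is annotated "don't use it" while this patch calls it from ASN_DEBUG in per_opentype.c and per_support.c; either reword the comment to "debug output only" or keep it out of the public header by making the function static where it is used.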
diff --git a/asn1/asn1c/xer_decoder.c b/asn1/asn1c/xer_decoder.c index 161dc78ce5320368d07c0cd9b01032d07997e0fb..cb4b5f87850c14b2bd93331250db2e342ba0a68a 100644 --- a/asn1/asn1c/xer_decoder.c +++ b/asn1/asn1c/xer_decoder.c @@ -109,7 +109,8 @@ xer_check_tag(const void *buf_ptr, int size, const char *need_tag) { if(size < 2 || buf[0] != LANGLE || buf[size-1] != RANGLE) { if(size >= 2) - ASN_DEBUG("Broken XML tag: \"%c...%c\"", buf[0], buf[size - 1]); + ASN_DEBUG("Broken XML tag: \"%c...%c\"", + buf[0], buf[size - 1]); return XCT_BROKEN; } @@ -315,8 +316,8 @@ xer_decode_general(asn_codec_ctx_t *opt_codec_ctx, } -int -xer_is_whitespace(const void *chunk_buf, size_t chunk_size) { +size_t +xer_whitespace_span(const void *chunk_buf, size_t chunk_size) { const char *p = (const char *)chunk_buf; const char *pend = p + chunk_size; @@ -329,12 +330,13 @@ xer_is_whitespace(const void *chunk_buf, size_t chunk_size) { * SPACE (32) */ case 0x09: case 0x0a: case 0x0d: case 0x20: + continue; + default: break; - default: - return 0; } + break; } - return 1; /* All whitespace */ + return (p - (const char *)chunk_buf); } /* diff --git a/asn1/asn1c/xer_decoder.h b/asn1/asn1c/xer_decoder.h index cf0d846fe72d66d0c03548e9f6f4b2c3ecab716d..6988648e8dcc28c73e9c405f78efcc33f4e9aff2 100644 --- a/asn1/asn1c/xer_decoder.h +++ b/asn1/asn1c/xer_decoder.h @@ -87,12 +87,11 @@ xer_check_tag_e xer_check_tag(const void *buf_ptr, int size, const char *need_tag); /* - * Check whether this buffer consists of entirely XER whitespace characters. + * Get the number of bytes consisting entirely of XER whitespace characters. * RETURN VALUES: - * 1: Whitespace or empty string - * 0: Non-whitespace + * >=0: Number of whitespace characters in the string. */ -int xer_is_whitespace(const void *chunk_buf, size_t chunk_size); +size_t xer_whitespace_span(const void *chunk_buf, size_t chunk_size); /* * Skip the series of anticipated extensions. -- 2.5.0 From mbabinsk at redhat.com Fri Jan 29 12:06:15 2016 
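Review bot: the else branch of uper_put_nslength hands the length straight to uper_put_length(po, length) without first emitting the single '1' marker bit that X.691 #10.9.3.4 requires for a normally small length above 64 (the <=64 branch gets its '0' marker implicitly from writing length-1 into 7 bits). Unless uper_put_length emits that bit itself, a decoder that branches on the first bit will misread lengths 65..127 as the small form; please check it against the matching getter and, if needed, add `if(per_put_few_bits(po, 1, 1)) return -1;` before the call. Nit: the comment "This procedure used to encode" should read "is used to encode".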
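Review bot: adding moved, refill and refill_key to asn_per_data_t (and value2code/code2value to asn_per_constraints_t) changes the size and layout of public structures, so this is an ABI break for anything compiled against the old per_support.h, and every place that creates an asn_per_data_t on the stack or in generated skeletons must now initialise refill and refill_key (memset or a designated initializer); an indeterminate refill function pointer that the decoder later dereferences is a crash at best. Please call out the ABI change in the commit message and list the initialisation sites you checked.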
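Review bot: in the per_get_undo comment, "preceeding" should be "preceding". per_data_string is declared in the public header with the comment "Non-thread-safe debugging function, don't use it"; if callers are not meant to use it, keep it out of the installed header or guard the declaration with the debug macro rather than exporting it unconditionally.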
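Review bot: xer_whitespace_span changes the contract of the old xer_is_whitespace from a boolean (1 = entirely whitespace) to the number of leading whitespace bytes, so any caller that was written as `if(xer_is_whitespace(buf, size))` and is merely renamed will now treat a chunk with one leading blank followed by content as all-whitespace. Callers must test `xer_whitespace_span(buf, size) == size` (an empty chunk still yields true, matching the old behaviour), so please include the call-site changes in the same patch.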
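Review bot: the new doc comment ">=0: Number of whitespace characters in the string." overstates the result; the loop stops at the first non-whitespace byte, so the function returns the length of the leading whitespace prefix, not a count over the whole buffer. Suggest "Number of leading XER whitespace bytes (equal to chunk_size if the whole chunk is whitespace)".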
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 29 Jan 2016 13:06:15 +0100
Subject: [Freeipa-devel] [PATCH 2/3] ASN1: Fix warning Wpointer-to-int-cast
In-Reply-To: <20160129114832.GG24839@mail.corp.redhat.com>
References: <20160129111541.GE24839@mail.corp.redhat.com> <56AB4A44.3030904@redhat.com> <20160129114832.GG24839@mail.corp.redhat.com>
Message-ID: <56AB55B7.6070306@redhat.com>

On 01/29/2016 12:48 PM, Lukas Slebodnik wrote:
> On (29/01/16 12:17), Martin Kosek wrote:
>> On 01/29/2016 12:15 PM, Lukas Slebodnik wrote:
>>> ehlo,
>>>
>>> the first patch is very simple and it just suppresses a warning.
>>> The second patch is either a bug or dead code. I fixed it as a bug.
>>> I'm not sure how to test the 2nd patch.
>>>
>>> LS
>>
>> Thanks. But isn't this the code generated by the asn1 tool? Maybe it would be
>> better to fix the tool, or maybe regenerate it with a newer version of the
>> tool? Otherwise the improvements will get lost.
>>
> As you wish.
>
> Updated patch is attached.
>
> LS
>
>
Hi Lukas,

I have done testing with the skeleton code generated by asn1c 9.27 in the past. While it did fix some of the issues reported by the static analyzer, it also introduced plenty of new ones that were not there before.

I was planning to check this out with the guy from upstream https://github.com/vlm/asn1c but the priority of the tasks was overshadowed by more important stuff. We can consult our issues with him if you wish.

-- 
Martin^3 Babinsky

From lslebodn at redhat.com Fri Jan 29 12:11:32 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 29 Jan 2016 13:11:32 +0100
Subject: [Freeipa-devel] [PATCH] extdom: Remove unused macro
Message-ID: <20160129121132.GH24839@mail.corp.redhat.com>

ehlo,

Last usage of the macro SSSD_SYSDB_SID_STR was removed in the commit 0ee8fe11aea9811c724182def3f50960d5dd87b3

LS
-------------- next part --------------
From 8f7818fb1efc1a224ddf7360d8c7bf6bd36da852 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik Date: Fri, 29 Jan 2016 13:08:07 +0100 Subject: [PATCH 4/4] extdom: Remove unused macro Last usage of the macre SSSD_SYSDB_SID_STR was removed in the commit 0ee8fe11aea9811c724182def3f50960d5dd87b3 --- daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index f5905c78e5f6eb635fcd0acf0afeda3bdb3b9baa..445624f3986944d3469214fe9c7b34ce7d9b36d1 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -489,8 +489,6 @@ int pack_ber_sid(const char *sid, struct berval **berval) return LDAP_SUCCESS; } -#define SSSD_SYSDB_SID_STR "objectSIDString" - int pack_ber_user(struct ipa_extdom_ctx *ctx, enum response_types response_type, const char *domain_name, const char *user_name, -- 2.5.0 From ofayans at redhat.com Fri Jan 29 12:24:01 2016 
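Review bot: SSSD_SYSDB_SID_STR was a file-local #define in ipa_extdom_common.c rather than something exported from a header, so dropping it cannot break other translation units; the removal looks good. Nit: "macre" in the commit message should be "macro".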
From: ofayans at redhat.com (Oleg Fayans)
Date: Fri, 29 Jan 2016 13:24:01 +0100
Subject: [Freeipa-devel] [TEST][Patch 0020] Enabled recreation of test directory during ipa reinstallation
In-Reply-To: <56AB31F1.5050300@redhat.com>
References: <56A0C831.6040909@redhat.com> <56AB31F1.5050300@redhat.com>
Message-ID: <56AB59E1.70604@redhat.com>

Hi Martin,

On 01/29/2016 10:33 AM, Martin Basti wrote:
>
>
> On 21.01.2016 12:59, Oleg Fayans wrote:
>>
>>
> Hello,
>
> 1)
> I'm not sure if it is a bug or it is related to this patch, but there is
> missing symmetry in test_caless, I see there apply fixes but not
> unapply_fixes

test_caless is currently worked at, the patch containing a lot of changes is on its way, so the current version of this file can be ignored.

>
> ipatests/ipa-test-task:378: tasks.unapply_fixes(host)
> ipatests/test_integration/tasks.py:201:def unapply_fixes(host):
> ipatests/test_integration/tasks.py:646: unapply_fixes(host)
> ipatests/test_integration/tasks.py:654: unapply_fixes(host)
> ipatests/test_integration/tasks.py:997: unapply_fixes(replica)
> ipatests/test_integration/test_legacy_clients.py:373:
> tasks.unapply_fixes(cls.legacy_client)
>
>
> ipatests/test_integration/tasks.py:91:def apply_common_fixes(host,
> fix_resolv=True):
> ipatests/test_integration/tasks.py:269: apply_common_fixes(host,
> fix_resolv=False)
> ipatests/test_integration/tasks.py:320: apply_common_fixes(replica)
> ipatests/test_integration/tasks.py:386: apply_common_fixes(client)
> ipatests/test_integration/test_caless.py:101:
> tasks.apply_common_fixes(host)
> ipatests/test_integration/test_legacy_clients.py:361:
> tasks.apply_common_fixes(cls.legacy_client)
>
> 2)
> IMO unapply_fixes is called twice for replica uninstall
>
> uninstall_master(replica)
> + unapply_fixes(replica)
>
> uninstall_master calls unapply_fixes() too

Right. Fixed

>
> 3)
> what is the purpose of prepare_host? I saw it used only in
> test_forced_client_reenrollment.py

The purpose is to create a testing folder that contains the host configuration file env.sh and system file backups.

The problem was that unapply_common_fixes removed the testing directory. If you then wanted to re-install master within the same test execution, it would fail at the attempt to back up system files (as part of apply_common_fixes, see backup_file method in tasks.py - line that does mkdir_recursive)

> Which test was failing?

Test_replica_promotion.py (not merged yet)
And basically any test that includes more than one installation-uninstallation cycle would be affected

>
> 4)
> in test_forced_client_reenrollment.py there is a direct call of
> prepare_host, but there is also install_client that calls prepare_host
> too (added by your patch)

We can remove the prepare_host call from test_client_reenrollment. Do you think I should do it in the same patch, or in a separate one?

>
> Martin

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0020.1-Enabled-recreation-of-test-directory-in-apply_common_fixes.patch
Type: text/x-patch
Size: 1538 bytes
Desc: not available
URL: 
From lslebodn at redhat.com Fri Jan 29 12:37:29 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 29 Jan 2016 13:37:29 +0100
Subject: [Freeipa-devel] [PATCH 2/3] ASN1: Fix warning Wpointer-to-int-cast
In-Reply-To: <56AB55B7.6070306@redhat.com>
References: <20160129111541.GE24839@mail.corp.redhat.com> <56AB4A44.3030904@redhat.com> <20160129114832.GG24839@mail.corp.redhat.com> <56AB55B7.6070306@redhat.com>
Message-ID: <20160129123729.GI24839@mail.corp.redhat.com>

On (29/01/16 13:06), Martin Babinsky wrote:
>On 01/29/2016 12:48 PM, Lukas Slebodnik wrote:
>>On (29/01/16 12:17), Martin Kosek wrote:
>>>On 01/29/2016 12:15 PM, Lukas Slebodnik wrote:
>>>>ehlo,
>>>>
>>>>the first patch is very simple and it just suppresses a warning.
>>>>The second patch is either a bug or dead code. I fixed it as a bug.
>>>>I'm not sure how to test the 2nd patch.
>>>>
>>>>LS
>>>
>>>Thanks. But isn't this the code generated by the asn1 tool? Maybe it would be
>>>better to fix the tool, or maybe regenerate it with a newer version of the
>>>tool? Otherwise the improvements will get lost.
>>>
>>As you wish.
>>
>>Updated patch is attached.
>>
>>LS
>>
>>
>>
>Hi Lukas,
>
>I have done testing with the skeleton code generated by asn1c 9.27 in the
>past. While it did fix some of the issues reported by the static analyzer, it
>also introduced plenty of new ones that were not there before.
>
What kind of issues? Were the problems in the generated code or in the template?
Which tests did you use?

LS

From mbasti at redhat.com Fri Jan 29 12:44:49 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 29 Jan 2016 13:44:49 +0100
Subject: [Freeipa-devel] [TEST][Patch 0020] Enabled recreation of test directory during ipa reinstallation
In-Reply-To: <56AB59E1.70604@redhat.com>
References: <56A0C831.6040909@redhat.com> <56AB31F1.5050300@redhat.com> <56AB59E1.70604@redhat.com>
Message-ID: <56AB5EC1.9070401@redhat.com>

On 29.01.2016 13:24, Oleg Fayans wrote:
> Hi Martin,
>
> On 01/29/2016 10:33 AM, Martin Basti wrote:
>>
>> On 21.01.2016 12:59, Oleg Fayans wrote:
>>>
>> Hello,
>>
>> 1)
>> I'm not sure if it is a bug or it is related to this patch, but there is
>> missing symmetry in test_caless, I see there apply fixes but not
>> unapply_fixes
> test_caless is currently worked at, the patch containing a lot of
> changes is on its way, so the current version of this file can be ignored.

ok

>
>> ipatests/ipa-test-task:378: tasks.unapply_fixes(host)
>> ipatests/test_integration/tasks.py:201:def unapply_fixes(host):
>> ipatests/test_integration/tasks.py:646: unapply_fixes(host)
>> ipatests/test_integration/tasks.py:654: unapply_fixes(host)
>> ipatests/test_integration/tasks.py:997: unapply_fixes(replica)
>> ipatests/test_integration/test_legacy_clients.py:373:
>> tasks.unapply_fixes(cls.legacy_client)
>>
>>
>> ipatests/test_integration/tasks.py:91:def apply_common_fixes(host,
>> fix_resolv=True):
>> ipatests/test_integration/tasks.py:269: apply_common_fixes(host,
>> fix_resolv=False)
>> ipatests/test_integration/tasks.py:320: apply_common_fixes(replica)
>> ipatests/test_integration/tasks.py:386: apply_common_fixes(client)
>> ipatests/test_integration/test_caless.py:101:
>> tasks.apply_common_fixes(host)
>> ipatests/test_integration/test_legacy_clients.py:361:
>> tasks.apply_common_fixes(cls.legacy_client)
>
>> 2)
>> IMO unapply_fixes is called twice for replica uninstall
>>
>> uninstall_master(replica)
>> + unapply_fixes(replica)
>>
>> uninstall_master calls unapply_fixes() too
> Right. Fixed
>
>> 3)
>> what is the purpose of prepare_host? I saw it used only in
>> test_forced_client_reenrollment.py
> The purpose is to create a testing folder that contains the host
> configuration file env.sh and system file backups
>
> The problem was that unapply_common_fixes removed the testing directory.
> If you then wanted to re-install master within the same test execution,
> it would fail at the attempt to back up system files (as part of
> apply_common_fixes, see backup_file method in tasks.py - line that does
> mkdir_recursive)

ok

>
>> Which test was failing?
> Test_replica_promotion.py (not merged yet)
> And basically any test that includes more than one
> installation-uninstallation cycle would be affected

I didn't notice yet

>
>> 4)
>> in test_forced_client_reenrollment.py there is a direct call of
>> prepare_host, but there is also install_client that calls prepare_host
>> too (added by your patch)
> We can remove the prepare_host call from test_client_reenrollment. Do you
> think I should do it in the same patch, or in a separate one?

In this patch please.

>> Martin

From ofayans at redhat.com Fri Jan 29 12:50:54 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Fri, 29 Jan 2016 13:50:54 +0100
Subject: [Freeipa-devel] [TEST][Patch 0020] Enabled recreation of test directory during ipa reinstallation
In-Reply-To: <56AB5EC1.9070401@redhat.com>
References: <56A0C831.6040909@redhat.com> <56AB31F1.5050300@redhat.com> <56AB59E1.70604@redhat.com> <56AB5EC1.9070401@redhat.com>
Message-ID: <56AB602E.80709@redhat.com>

Hi,

On 01/29/2016 01:44 PM, Martin Basti wrote:
>
>
> On 29.01.2016 13:24, Oleg Fayans wrote:
>> Hi Martin,
>>
>> On 01/29/2016 10:33 AM, Martin Basti wrote:
>>>
>>> On 21.01.2016 12:59, Oleg Fayans wrote:
>>>>
>>> Hello,
>>>
>>> 1)
>>> I'm not sure if it is a bug or it is related to this patch, but there is
>>> missing symmetry in test_caless, I see there apply fixes but not
>>> unapply_fixes
>> test_caless is currently worked at, the patch containing a lot of
>> changes is on its way, so the current version of this file can be
>> ignored.
> ok
>>
>>> ipatests/ipa-test-task:378: tasks.unapply_fixes(host)
>>> ipatests/test_integration/tasks.py:201:def unapply_fixes(host):
>>> ipatests/test_integration/tasks.py:646: unapply_fixes(host)
>>> ipatests/test_integration/tasks.py:654: unapply_fixes(host)
>>> ipatests/test_integration/tasks.py:997: unapply_fixes(replica)
>>> ipatests/test_integration/test_legacy_clients.py:373:
>>> tasks.unapply_fixes(cls.legacy_client)
>>>
>>>
>>> ipatests/test_integration/tasks.py:91:def apply_common_fixes(host,
>>> fix_resolv=True):
>>> ipatests/test_integration/tasks.py:269: apply_common_fixes(host,
>>> fix_resolv=False)
>>> ipatests/test_integration/tasks.py:320: apply_common_fixes(replica)
>>> ipatests/test_integration/tasks.py:386: apply_common_fixes(client)
>>> ipatests/test_integration/test_caless.py:101:
>>> tasks.apply_common_fixes(host)
>>> ipatests/test_integration/test_legacy_clients.py:361:
>>> tasks.apply_common_fixes(cls.legacy_client)
>>
>>> 2)
>>> IMO unapply_fixes is called twice for replica uninstall
>>>
>>> uninstall_master(replica)
>>> + unapply_fixes(replica)
>>>
>>> uninstall_master calls unapply_fixes() too
>> Right. Fixed
>>
>>> 3)
>>> what is the purpose of prepare_host? I saw it used only in
>>> test_forced_client_reenrollment.py
>> The purpose is to create a testing folder that contains the host
>> configuration file env.sh and system file backups
>>
>> The problem was that unapply_common_fixes removed the testing directory.
>> If you then wanted to re-install master within the same test execution,
>> it would fail at the attempt to back up system files (as part of
>> apply_common_fixes, see backup_file method in tasks.py - line that does
>> mkdir_recursive)
> ok
>>
>>> Which test was failing?
>> Test_replica_promotion.py (not merged yet)
>> And basically any test that includes more than one
>> installation-uninstallation cycle would be affected
> I didn't notice yet

That's because so far all our integration tests implied only one such cycle. But that does not mean we should restrict ourselves to this pattern :)

>>
>>> 4)
>>> in test_forced_client_reenrollment.py there is a direct call of
>>> prepare_host, but there is also install_client that calls prepare_host
>>> too (added by your patch)
>> We can remove the prepare_host call from test_client_reenrollment. Do you
>> think I should do it in the same patch, or in a separate one?
> In this patch please.

Done

>>> Martin
>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0020.2-Enabled-recreation-of-test-directory-in-apply_common_fixes.patch
Type: text/x-patch
Size: 2265 bytes
Desc: not available
URL: 
From mbasti at redhat.com Fri Jan 29 13:15:54 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 29 Jan 2016 14:15:54 +0100
Subject: [Freeipa-devel] [TEST][Patch 0020] Enabled recreation of test directory during ipa reinstallation
In-Reply-To: <56AB602E.80709@redhat.com>
References: <56A0C831.6040909@redhat.com> <56AB31F1.5050300@redhat.com> <56AB59E1.70604@redhat.com> <56AB5EC1.9070401@redhat.com> <56AB602E.80709@redhat.com>
Message-ID: <56AB660A.5080301@redhat.com>

On 29.01.2016 13:50, Oleg Fayans wrote:
> Hi,
>
> On 01/29/2016 01:44 PM, Martin Basti wrote:
>>
>> On 29.01.2016 13:24, Oleg Fayans wrote:
>>> Hi Martin,
>>>
>>> On 01/29/2016 10:33 AM, Martin Basti wrote:
>>>> On 21.01.2016 12:59, Oleg Fayans wrote:
>>>> Hello,
>>>>
>>>> 1)
>>>> I'm not sure if it is a bug or it is related to this patch, but there is
>>>> missing symmetry in test_caless, I see there apply fixes but not
>>>> unapply_fixes
>>> test_caless is currently worked at, the patch containing a lot of
>>> changes is on its way, so the current version of this file can be
>>> ignored.
>> ok
>>>> ipatests/ipa-test-task:378: tasks.unapply_fixes(host)
>>>> ipatests/test_integration/tasks.py:201:def unapply_fixes(host):
>>>> ipatests/test_integration/tasks.py:646: unapply_fixes(host)
>>>> ipatests/test_integration/tasks.py:654: unapply_fixes(host)
>>>> ipatests/test_integration/tasks.py:997: unapply_fixes(replica)
>>>> ipatests/test_integration/test_legacy_clients.py:373:
>>>> tasks.unapply_fixes(cls.legacy_client)
>>>>
>>>>
>>>> ipatests/test_integration/tasks.py:91:def apply_common_fixes(host,
>>>> fix_resolv=True):
>>>> ipatests/test_integration/tasks.py:269: apply_common_fixes(host,
>>>> fix_resolv=False)
>>>> ipatests/test_integration/tasks.py:320: apply_common_fixes(replica)
>>>> ipatests/test_integration/tasks.py:386: apply_common_fixes(client)
>>>> ipatests/test_integration/test_caless.py:101:
>>>> tasks.apply_common_fixes(host)
>>>> ipatests/test_integration/test_legacy_clients.py:361:
>>>> tasks.apply_common_fixes(cls.legacy_client)
>>>> 2)
>>>> IMO unapply_fixes is called twice for replica uninstall
>>>>
>>>> uninstall_master(replica)
>>>> + unapply_fixes(replica)
>>>>
>>>> uninstall_master calls unapply_fixes() too
>>> Right. Fixed
>>>
>>>> 3)
>>>> what is the purpose of prepare_host? I saw it used only in
>>>> test_forced_client_reenrollment.py
>>> The purpose is to create a testing folder that contains the host
>>> configuration file env.sh and system file backups
>>>
>>> The problem was that unapply_common_fixes removed the testing directory.
>>> If you then wanted to re-install master within the same test execution,
>>> it would fail at the attempt to back up system files (as part of
>>> apply_common_fixes, see backup_file method in tasks.py - line that does
>>> mkdir_recursive)
>> ok
>>>> Which test was failing?
>>> Test_replica_promotion.py (not merged yet)
>>> And basically any test that includes more than one
>>> installation-uninstallation cycle would be affected
>> I didn't notice yet
> That's because so far all our integration tests implied only one such
> cycle. But that does not mean we should restrict ourselves to this
> pattern :)
>
>>>> 4)
>>>> in test_forced_client_reenrollment.py there is a direct call of
>>>> prepare_host, but there is also install_client that calls prepare_host
>>>> too (added by your patch)
>>> We can remove the prepare_host call from test_client_reenrollment. Do you
>>> think I should do it in the same patch, or in a separate one?
>> In this patch please.
> Done
>
>>>> Martin

ACK

Pushed to:
master: b23fea76608a7d820062d1e30f06b99adeaab0ee
ipa-4-3: 8952367cca62c3c8d340a44d59ffddc16a8ff8fd

From cheimes at redhat.com Fri Jan 29 13:42:02 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Fri, 29 Jan 2016 14:42:02 +0100
Subject: [Freeipa-devel] [PATCH 0030] Modernize mod_nss's cipher suites
In-Reply-To: <56A9D59F.4020204@redhat.com>
References: <56A0F78F.4060407@redhat.com> <56A21343.2090607@redhat.com> <56A9D59F.4020204@redhat.com>
Message-ID: <56AB6C2A.2040604@redhat.com>

On 2016-01-28 09:47, Martin Basti wrote:
>
>
> On 22.01.2016 12:32, Martin Kosek wrote:
>> On 01/21/2016 04:21 PM, Christian Heimes wrote:
>>> The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf
>>> has been modernized. Insecure or less secure algorithms such as RC4,
>>> DES and 3DES are removed. Perfect forward secrecy suites with ephemeral
>>> ECDH key exchange have been added. IE 8 on Windows XP is no longer
>>> supported.
>>>
>>> The list of enabled cipher suites has been generated with the script
>>> contrib/nssciphersuite/nssciphersuite.py.
>>>
>>> The supported suites are currently:
>>>
>>> TLS_RSA_WITH_AES_128_CBC_SHA256
>>> TLS_RSA_WITH_AES_256_CBC_SHA256
>>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
>>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
>>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
>>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>> TLS_RSA_WITH_AES_128_GCM_SHA256
>>> TLS_RSA_WITH_AES_128_CBC_SHA
>>> TLS_RSA_WITH_AES_256_GCM_SHA384
>>> TLS_RSA_WITH_AES_256_CBC_SHA
>>>
>>> https://fedorahosted.org/freeipa/ticket/5589
>>
>> Thanks for the patch! I updated the ticket to make sure this change is
>> in the release notes.
>>
> Hello,
>
> I'm not sure if I'm the right person to do review on this, but I will
> try :-)
>
> 1)
> Your patch adds a whitespace error
>
> Applying: Modernize mod_nss's cipher suites
> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:52: new blank
> line at EOF.
> +
> warning: 1 line adds whitespace errors.
>
>
> 2)
> +import urllib.request # pylint: disable=E0611
>
> Please specify the pylint disabled check by name
>
> 3)
> +def update_mod_nss_cipher_suite(http):
>
> in this upgrade, is there any possibility that ciphers might be upgraded
> again in future? (IMO yes).
>
> I think it can be better to store the revision of the change instead of a boolean
>
> LAST_REVISION = 1
>
> if revision >= LAST_REVISION:
> return
>
> sysupgrade.set_upgrade_state('nss.conf', 'cipher_suite_revision',
> LAST_REVISION)

Thanks for the review. I have addressed the problems. Instead of a revision number I'm using a date string. The sysupgrade module only stores str and bool. With a date-based revision it's easy to see when the cipher suite was checked the last time.

Christian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-cheimes-0030-2-Modernize-mod_nss-s-cipher-suites.patch
Type: text/x-patch
Size: 12048 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: 
From slaznick at redhat.com Fri Jan 29 13:49:55 2016
From: slaznick at redhat.com (Stanislav Laznicka) Date: Fri, 29 Jan 2016 14:49:55 +0100 Subject: [Freeipa-devel] [PATCH 0013-0021] Coverity patches Message-ID: <56AB6E03.2030601@redhat.com> Hello, I made some patches based on the Coverity report from 18.1.2016. Cheers, Standa -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0013-Removing-dead-code.patch Type: text/x-patch Size: 2284 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0014-Wrong-assert.patch Type: text/x-patch Size: 1133 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0015-Searching-for-an-attribute-in-a-wrong-object.patch Type: text/x-patch Size: 942 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0016-Class-attribute-type-should-be-used-instead.patch Type: text/x-patch Size: 968 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0017-Removed-identical-branch.patch Type: text/x-patch Size: 843 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0018-completed_external-might-not-have-beed-defined.patch Type: text/x-patch Size: 1180 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0019-Accessing-attribute-of-a-possible-None-value.patch Type: text/x-patch Size: 1102 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0020-Possible-close-write-into-None-or-closed-file.patch Type: text/x-patch Size: 1830 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-stlaz-0021-Fixed-possible-dereferencing-of-undefined-objects.patch Type: text/x-patch Size: 1590 bytes Desc: not available URL: From sbose at redhat.com Fri Jan 29 13:56:43 2016 From: sbose at redhat.com (Sumit Bose) Date: Fri, 29 Jan 2016 14:56:43 +0100 Subject: [Freeipa-devel] [PATCH] extdom: Remove unused macro In-Reply-To: <20160129121132.GH24839@mail.corp.redhat.com> References: <20160129121132.GH24839@mail.corp.redhat.com> Message-ID: <20160129135643.GO19151@p.redhat.com> On Fri, Jan 29, 2016 at 01:11:32PM +0100, Lukas Slebodnik wrote: > ehlo, > > Last usage of the macro SSSD_SYSDB_SID_STR was removed > in the commit 0ee8fe11aea9811c724182def3f50960d5dd87b3 > > LS ACK bye, Sumit From mbasti at redhat.com Fri Jan 29 14:05:51 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 29 Jan 2016 15:05:51 +0100
Subject: [Freeipa-devel] [PATCH 0030] Modernize mod_nss's cipher suites
In-Reply-To: <56AB6C2A.2040604@redhat.com>
References: <56A0F78F.4060407@redhat.com> <56A21343.2090607@redhat.com> <56A9D59F.4020204@redhat.com> <56AB6C2A.2040604@redhat.com>
Message-ID: <56AB71BF.9070009@redhat.com>

On 29.01.2016 14:42, Christian Heimes wrote:
> On 2016-01-28 09:47, Martin Basti wrote:
>>
>> On 22.01.2016 12:32, Martin Kosek wrote:
>>> On 01/21/2016 04:21 PM, Christian Heimes wrote:
>>>> The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf
>>>> has been modernized. Insecure or less secure algorithms such as RC4,
>>>> DES and 3DES are removed. Perfect forward secrecy suites with ephemeral
>>>> ECDH key exchange have been added. IE 8 on Windows XP is no longer
>>>> supported.
>>>>
>>>> The list of enabled cipher suites has been generated with the script
>>>> contrib/nssciphersuite/nssciphersuite.py.
>>>>
>>>> The supported suites are currently:
>>>>
>>>> TLS_RSA_WITH_AES_128_CBC_SHA256
>>>> TLS_RSA_WITH_AES_256_CBC_SHA256
>>>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>>>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
>>>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
>>>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
>>>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>>> TLS_RSA_WITH_AES_128_GCM_SHA256
>>>> TLS_RSA_WITH_AES_128_CBC_SHA
>>>> TLS_RSA_WITH_AES_256_GCM_SHA384
>>>> TLS_RSA_WITH_AES_256_CBC_SHA
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5589
>>> Thanks for the patch! I updated the ticket to make sure this change is
>>> in the release notes.
>>>
>> Hello,
>>
>> I'm not sure if I'm the right person to do review on this, but I will
>> try :-)
>>
>> 1)
>> Your patch adds a whitespace error
>>
>> Applying: Modernize mod_nss's cipher suites
>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:52: new blank
>> line at EOF.
>> +
>> warning: 1 line adds whitespace errors.
>>
>>
>> 2)
>> +import urllib.request # pylint: disable=E0611
>>
>> Please specify the pylint disabled check by name
>>
>> 3)
>> +def update_mod_nss_cipher_suite(http):
>>
>> in this upgrade, is there any possibility that ciphers might be upgraded
>> again in future? (IMO yes).
>>
>> I think it can be better to store the revision of the change instead of a boolean
>>
>> LAST_REVISION = 1
>>
>> if revision >= LAST_REVISION:
>> return
>>
>> sysupgrade.set_upgrade_state('nss.conf', 'cipher_suite_revision',
>> LAST_REVISION)
> Thanks for the review. I have addressed the problems. Instead of a
> revision number I'm using a date string. The sysupgrade module only
> stores str and bool. With a date-based revision it's easy to see when
> the cipher suite was checked the last time.
>
> Christian
>

Thanks

1)
Pylint :-)

+ with urllib.request.urlopen(SOURCE) as r: # pylint: disable=E1101

2)
+ if revision == httpinstance.NSS_CIPHER_REVISION:

Could there be a case where a comparison with just '==' causes issues (docker world)? Shouldn't it rather be '>='?

3)
+ root_logger.info("Cipher suite already updated")

Sorry that I did not notice it earlier, this should be just debug level. IMO this message is not so important, it will only cause a mess on the output (we already have plenty of unneeded info messages in upgrade, they will be fixed once)

From slaznick at redhat.com Fri Jan 29 14:49:20 2016
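The revision check discussed above (a date string stored via sysupgrade and compared on each upgrade run), as an added example that is not FreeIPA's own code: it models the state store as a plain dict, filters RC4/DES/3DES suites as the patch description says, and contrasts the `==` test from the patch with a date-aware `>=` test in the case where a newer package has already written a later revision. The value of NSS_CIPHER_REVISION, the suite lists and the state keys are constructed for the example.

```python
"""Date-revisioned, idempotent cipher-suite upgrade step (added example).

Models the sysupgrade state store from the thread as a dict and shows why
comparing the stored revision with '==' differs from a date-aware '>='
when an older package runs after a newer one (the "docker world" case).
"""
from datetime import date

# Constructed revision string: the date the cipher list was last reviewed.
# sysupgrade is described in the thread as storing only str and bool.
NSS_CIPHER_REVISION = "2016-01-29"

# Algorithms the patch description removes from nss.conf. "_DES_" rather
# than "DES" so that AES suite names are not matched.
WEAK_MARKERS = ("RC4", "3DES", "_DES_")


def is_weak(suite):
    """True if an IANA-style suite name uses RC4, DES or 3DES."""
    return any(marker in suite for marker in WEAK_MARKERS)


def modernize(suites):
    """Drop weak suites and duplicates, keeping the original order."""
    seen = set()
    kept = []
    for suite in suites:
        if is_weak(suite) or suite in seen:
            continue
        seen.add(suite)
        kept.append(suite)
    return kept


def parse_revision(value):
    """Parse a 'YYYY-MM-DD' revision; None, bool or junk yields None."""
    if not isinstance(value, str):
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def needs_update(stored, current=NSS_CIPHER_REVISION, strict_equal=False):
    """Decide whether the cipher-suite update must run.

    strict_equal=True is the '==' test from the patch: any stored value other
    than `current` triggers a rewrite, including a *newer* date written by a
    later package. The default treats a stored revision >= current as done.
    """
    if strict_equal:
        return stored != current
    have, want = parse_revision(stored), parse_revision(current)
    if have is None or want is None:
        return True  # never updated, or unreadable state: rewrite to be safe
    return have < want


def update_cipher_suite(state, suites, revision=NSS_CIPHER_REVISION,
                        strict_equal=False):
    """Apply the upgrade to `suites` and record `revision` in `state`.

    Returns (suites, updated); `updated` is False when the step was skipped,
    which is the "already updated" case the review wants logged at debug level.
    """
    if not needs_update(state.get("cipher_suite_revision"), revision,
                        strict_equal):
        return list(suites), False
    new_suites = modernize(suites)
    state["cipher_suite_revision"] = revision
    return new_suites, True


def downgrade_scenario(strict_equal):
    """A newer package (revision 2017-01-01) ran first; then this one runs.

    Returns the number of rewrites performed by the second, older run:
    1 with the '==' check (it also regresses the stored revision), 0 with '>='.
    """
    state = {}
    suites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_RSA_WITH_RC4_128_SHA"]
    suites, _ = update_cipher_suite(state, suites, "2017-01-01", strict_equal)
    _, rewrote = update_cipher_suite(state, suites, NSS_CIPHER_REVISION,
                                     strict_equal)
    return 1 if rewrote else 0


if __name__ == "__main__":
    print("rewrites on downgrade with '==':", downgrade_scenario(True))
    print("rewrites on downgrade with '>=':", downgrade_scenario(False))
```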
From: slaznick at redhat.com (Stanislav Laznicka) Date: Fri, 29 Jan 2016 15:49:20 +0100 Subject: [Freeipa-devel] [PATCH 0013-0021] Coverity patches In-Reply-To: <56AB6E03.2030601@redhat.com> References: <56AB6E03.2030601@redhat.com> Message-ID: <56AB7BF0.9030008@redhat.com> Reworded the commits so that they better reflect what's going on in those. On 01/29/2016 02:49 PM, Stanislav Laznicka wrote: > Hello, > > I made some patches based on the Coverity report from 18.1.2016. > > Cheers, > Standa > > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0013-2-Removing-dead-code.patch Type: text/x-patch Size: 2236 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0014-2-Wrong-assert-in-ldapkeydb.patch Type: text/x-patch Size: 1217 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0015-2-Searching-for-an-attribute-in-a-wrong-object.patch Type: text/x-patch Size: 999 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0016-2-Builtin-type-used-wrong-in-Param-class.patch Type: text/x-patch Size: 1014 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0017-2-Removed-identical-branch.patch Type: text/x-patch Size: 872 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0018-2-completed_external-might-not-have-beed-defined.patch Type: text/x-patch Size: 1249 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-stlaz-0019-2-Accessing-attribute-of-a-possible-None-value.patch Type: text/x-patch Size: 1126 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0020-2-Possible-close-write-into-None-or-closed-file.patch Type: text/x-patch Size: 1920 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0021-2-Fixed-possible-dereferencing-of-undefined-objects.patch Type: text/x-patch Size: 1654 bytes Desc: not available URL: From mbasti at redhat.com Fri Jan 29 14:48:43 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 29 Jan 2016 15:48:43 +0100
Subject: [Freeipa-devel] [PATCH 0013-0021] Coverity patches
In-Reply-To: <56AB6E03.2030601@redhat.com>
References: <56AB6E03.2030601@redhat.com>
Message-ID: <56AB7BCB.3040309@redhat.com>

On 29.01.2016 14:49, Stanislav Laznicka wrote:
> Hello,
>
> I made some patches based on the Coverity report from 18.1.2016.
>
> Cheers,
> Standa
>

NACK

*) please describe the issue in the commit message instead of the #coverity number in all patches

PATCH: Removing dead code
LGTM

PATCH: Wrong assert
I'm not sure about this, please ask pspacek

PATCH: Searching for an attribute in a wrong object
Please file a ticket for this; if this is right, we might want to backport the patch

PATCH: Class attribute 'type' should be used instead
LGTM

PATCH: Removed identical branch
NACK, bytes and string are not the same type, this may cause issues in python3

PATCH: completed_external might not have been defined
LGTM

PATCH: Accessing attribute of a possible None value
LGTM

PATCH: Possible close/write into None or closed file
It looks like assertion overkill to me; it would be better to rewrite the logic IMO

PATCH: Fixed possible dereferencing of undefined objects
NACK

1)
- root_logger.error('Failed to get create new request.')
+ else:
+ raise RuntimeError('Failed to add a request to DBUS.'

Raise the original error, do not reraise a new exception, it will lose the traceback.

2) I would put return to else: block, and raise RuntimeError in try block, then just add except (TypeError, RuntimeError)

Try to avoid broad exceptions.

From mbasti at redhat.com Fri Jan 29 14:49:33 2016
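An added example, not FreeIPA's or the patch's own code: the two exception-handling shapes from the review above side by side. add_request() is a hypothetical stand-in for the certmonger D-Bus call and DBusCallError a constructed stand-in for the binding's exception type; raising_frames() is a helper that shows which frames survive on the exception's traceback.

```python
import logging
import traceback

class DBusCallError(Exception):
    """Constructed stand-in for the exception the D-Bus binding raises."""

def add_request(dbus_ok, path):
    # Hypothetical D-Bus wrapper: returns an object path, None when the
    # daemon accepted the call but created no request, or raises.
    if not dbus_ok:
        raise DBusCallError("certmonger: add_request failed")
    return path

def request_cert_nacked(dbus_ok, path):
    # Shape NACKed in review: a broad except replaces whatever was raised with
    # a fresh RuntimeError, so the caller loses the original type and frames.
    try:
        result = add_request(dbus_ok, path)
    except Exception:
        raise RuntimeError('Failed to add a request to DBUS.')
    if result is not None:
        return result
    else:
        raise RuntimeError('Failed to add a request to DBUS.')

def request_cert_reviewed(dbus_ok, path):
    # Shape asked for in review: the "no request" check raises RuntimeError
    # inside try, except names only the expected errors and re-raises the
    # same object with a bare raise, and the success path returns from else.
    try:
        result = add_request(dbus_ok, path)
        if result is None:
            raise RuntimeError('Failed to add a request to DBUS.')
    except (TypeError, RuntimeError, DBusCallError) as e:
        logging.error('Failed to get create new request: %s', e)
        raise
    else:
        return result

def raising_frames(func, *args):
    # Call func(*args); return the exception and the function names on its
    # traceback so the two shapes can be compared.
    try:
        func(*args)
    except Exception as e:
        return e, [f.name for f in traceback.extract_tb(e.__traceback__)]
    return None, []
```

With the NACKed shape the D-Bus failure surfaces as a RuntimeError whose traceback never reaches add_request; with the reviewed shape the caller gets the DBusCallError itself, raised frame included.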
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 29 Jan 2016 15:49:33 +0100
Subject: [Freeipa-devel] [PATCH 0013-0021] Coverity patches
In-Reply-To: <56AB7BF0.9030008@redhat.com>
References: <56AB6E03.2030601@redhat.com> <56AB7BF0.9030008@redhat.com>
Message-ID: <56AB7BFD.1020308@redhat.com>

On 29.01.2016 15:49, Stanislav Laznicka wrote:
> Reworded the commits so that they better reflect what's going on in those.
>
> On 01/29/2016 02:49 PM, Stanislav Laznicka wrote:
>> Hello,
>>
>> I made some patches based on the Coverity report from 18.1.2016.
>>
>> Cheers,
>> Standa
>>

NACK, see my previous email

From ofayans at redhat.com Fri Jan 29 15:09:50 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Fri, 29 Jan 2016 16:09:50 +0100
Subject: [Freeipa-devel] [TEST][Patch 0022] small refactoring in integration tests due to BZ 1303095
Message-ID: <56AB80BE.4090604@redhat.com>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

Attachment scrubbed: freeipa-ofayans-0022-Moved-NM-configuration-calls-to-the-IntegrationTest.patch (text/x-patch, 3468 bytes)

From mbasti at redhat.com Fri Jan 29 16:15:35 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 29 Jan 2016 17:15:35 +0100
Subject: [Freeipa-devel] [PATCH] extdom: Remove unused macro
In-Reply-To: <20160129135643.GO19151@p.redhat.com>
References: <20160129121132.GH24839@mail.corp.redhat.com> <20160129135643.GO19151@p.redhat.com>
Message-ID: <56AB9027.40208@redhat.com>

On 29.01.2016 14:56, Sumit Bose wrote:
> On Fri, Jan 29, 2016 at 01:11:32PM +0100, Lukas Slebodnik wrote:
>> ehlo,
>>
>> Last usage of the macro SSSD_SYSDB_SID_STR was removed
>> in the commit 0ee8fe11aea9811c724182def3f50960d5dd87b3
>>
>> LS
> ACK
>
> bye,
> Sumit
>

Pushed to master: 4bef7577b746d8decd65c18f81b1e8fdd9cf06a7

From mbasti at redhat.com Fri Jan 29 17:06:15 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 29 Jan 2016 18:06:15 +0100
Subject: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
In-Reply-To: <56AB1C5C.8020708@redhat.com>
References: <56967E77.8000604@redhat.com> <5696826C.2050300@redhat.com> <5697CD04.3010709@redhat.com> <569F4808.8070100@redhat.com> <56AB1C5C.8020708@redhat.com>
Message-ID: <56AB9C07.7040408@redhat.com>

On 29.01.2016 09:01, Martin Babinsky wrote:
> On 01/20/2016 09:40 AM, Martin Babinsky wrote:
>> On 01/14/2016 05:29 PM, Martin Babinsky wrote:
>>> On 01/13/2016 05:59 PM, Rob Crittenden wrote:
>>>> Martin Babinsky wrote:
>>>>> fixes https://fedorahosted.org/freeipa/ticket/5584
>>>>>
>>>>> In order to ensure consistent behavior with ipa-client-install, I opted
>>>>> to reuse the configure_openldap_conf() function and restoring the config
>>>>> from client sysrestore before modifying it.
>>>>>
>>>>> If you think this approach is not optimal please propose an alternative
>>>>> solution.
>>>>
>>>> You could also just do an action set on URI to change the value, right?
>>>> It would need a new function but it would be very small.
>>>>
>>>> If you do end up keeping this I'd want a new commit message for moving
>>>> the code to include why you're moving it (to avoid the need to dereference
>>>> the ticket).
>>>>
>>>> rob
>>>>
>>>
>>> Here's the patch that implements the change in the URI directive. Please
>>> keep in mind that we not only have to change the URI to point to
>>> ourselves, we also have to do it in a way consistent with
>>> ipa-client-install, i.e. leave a comment with the new URI if it was already
>>> set by a third party.
>>>
>>> A plain 'addifnotset' directive will not do, however, because then we end
>>> up with two comments, one original, and one pointing to ourselves. A plain
>>> 'set' may rewrite the URI set by the user and thus we would have to test its
>>> value anyway.
>>>
>>> The correct handling of these cases coupled with the way IPAChangeConf is
>>> written results in the solution presented here.
>>>
>>> The fact that it is not much shorter than configure_openldap_conf and is
>>> additionally pretty ugly (a fact at least partially caused by me not
>>> being very fluent in IPAChangeConf usage) led me to the conclusion that
>>> restoring the original ldap.conf and reusing already written code for
>>> re-editing it anew with the replica as URI is actually not that bad an idea.
>>>
>>>
>>>
>> Bump for review/discussion.
>>
> Another bump.
>

Works for me, ACK

From mbasti at redhat.com Fri Jan 29 17:16:52 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 29 Jan 2016 18:16:52 +0100
Subject: [Freeipa-devel] [PATCH 0412] CI tests: Do not set ip address for replica without installed IPA DNS in topology
Message-ID: <56AB9E84.8010309@redhat.com>

Patch attached. Should fix test_installation for domain level 0.

Attachment scrubbed: freeipa-mbasti-0412-Tests-Do-not-set-ip-address-for-replica-prepare-with.patch (text/x-patch, 3593 bytes)

From abokovoy at redhat.com Fri Jan 29 17:59:13 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 29 Jan 2016 19:59:13 +0200
Subject: [Freeipa-devel] [PATCH] IPA-SAM: Fix build with samba 4.4
In-Reply-To: <20160129113147.GF24839@mail.corp.redhat.com>
References: <20160129111218.GD24839@mail.corp.redhat.com> <20160129113147.GF24839@mail.corp.redhat.com>
Message-ID: <20160129175913.GC21804@redhat.com>

On Fri, 29 Jan 2016, Lukas Slebodnik wrote:
>On (29/01/16 12:12), Lukas Slebodnik wrote:
>>ehlo,
>>
>>attached patch should fix the build on fedora-24.
>>It blocks the static analysis scan.
>>
>>Even though it unblocks the build on fedora-24
>>the solution is not ideal. It's possible that some changes
>>need to be done on the samba side as well.
>>(missing prototypes for trim_string, smb_xstrdup)
>>
>>LS
>
>BTW there is also another issue in IPA-SAM.
>The value of the macro LDAP_PAGE_SIZE has changed
>and therefore there is a warning.
>
>ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined
> #define LDAP_PAGE_SIZE 1024
> ^
>In file included from /usr/include/samba-4.0/smbldap.h:24:0,
>                 from ipa_sam.c:31:
>/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the previous definition
> #define LDAP_PAGE_SIZE 1000

This is something we should fix. I'll look at it once in Brno.

--
/ Alexander Bokovoy

From lslebodn at redhat.com Fri Jan 29 19:51:15 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 29 Jan 2016 20:51:15 +0100
Subject: [Freeipa-devel] [PATCH] IPA-SAM: Fix build with samba 4.4
In-Reply-To: <20160129111218.GD24839@mail.corp.redhat.com>
References: <20160129111218.GD24839@mail.corp.redhat.com>
Message-ID: <20160129195114.GC7714@mail.corp.redhat.com>

On (29/01/16 12:12), Lukas Slebodnik wrote:
>ehlo,
>
>attached patch should fix the build on fedora-24.
>It blocks the static analysis scan.
>
>Even though it unblocks the build on fedora-24
>the solution is not ideal. It's possible that some changes
>need to be done on the samba side as well.
>(missing prototypes for trim_string, smb_xstrdup)
>
>LS
>>From f9057ca98557094a4db84ac072ee9efd02a4ff79 Mon Sep 17 00:00:00 2001
>From: Lukas Slebodnik
>Date: Fri, 29 Jan 2016 10:40:18 +0100
>Subject: [PATCH 1/3] IPA-SAM: Fix build with samba 4.4
>
>samba_util.h is not shipped with samba-4.4
>and it was indirectly included by "ndr.h"
>

I checked the samba 4.4 release notes and they intentionally removed samba_util.h
@see https://github.com/samba-team/samba/blob/master/WHATSNEW.txt#L191

REMOVED FEATURES
================

Public headers
--------------

Several public headers are not installed any longer. They are made for
internal use only. More public headers will very likely be removed in
future releases.

The following headers are not installed any longer:
dlinklist.h, gen_ndr/epmapper.h, gen_ndr/mgmt.h, gen_ndr/ndr_atsvc_c.h,
gen_ndr/ndr_epmapper_c.h, gen_ndr/ndr_epmapper.h, gen_ndr/ndr_mgmt_c.h,
gen_ndr/ndr_mgmt.h, gensec.h, ldap_errors.h, ldap_message.h, ldap_ndr.h,
ldap-util.h, pytalloc.h, read_smb.h, registry.h, roles.h, samba_util.h,

LS

From side_control at runlevelone.net Sun Jan 31 09:39:39 2016
From: side_control at runlevelone.net (Dan Lavu)
Date: Sun, 31 Jan 2016 04:39:39 -0500
Subject: [Freeipa-devel] FreeIPA Cloud/Openstack Configuration?
Message-ID: <56ADD65B.9010804@runlevelone.net>

I started playing around with Openstack and was installing FreeIPA on a tenant network, and I wanted to replicate to a server on the provider network or another network entirely. If you are not familiar with Openstack, a lot of cloud implementations will have a virtual private network that is entirely isolated from the outside world until an IP is attached to the guest. So this had me thinking about best practices and cloud implementations using FreeIPA. I can't seem to find a lot of documentation on this.

So the complication I've come across is that the tenant network is not routable by default, but you can attach a floating IP, which is routable, to the external FreeIPA server; the host entries, however, are going to differ. For clarification see the diagram below (if this diagram doesn't show up, it is attached).

[diagram: openstack_networks]

idm2 has the local IP of 192.168.50.13 and has a floating IP of 192.168.73.7, but on the guest 192.168.73.7 is not known at all; for it to be routable it does some source NATting using neutron and openvswitch. So during the installation it's not possible to use the external IP because the installer will indicate the IP doesn't exist or is not routable. So I ultimately installed FreeIPA using the internal address and modified the A record to point to the floating external IP address. Lastly I modified the hosts file to have the name resolve to the internal address. I feel like there is a cleaner way of doing this.

Now it gets even more complicated if different hostnames are used, since IPA does a URL rewrite and I'm sure there are other name dependencies I'm unaware of.

So my questions are: do we have any documentation about installing FreeIPA on a cloud platform to serve external hosts? Do we have any instructions on adding another name to the FreeIPA server certificate? (I know we have steps for client hosts.)

I can see this being resolved by having idm2 accept requests for two domains, i.e. 192.168.73.0/24 company.com and 192.168.50.0/24 cloud.company.com. Are there any other solutions? Is this something that we need to address?

Thanks,
Dan

Attachment scrubbed: openstack_networks.png (image/png, 89724 bytes)