From freeipa-github-notification at redhat.com Wed Feb 1 01:02:19 2017
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Wed, 01 Feb 2017 02:02:19 +0100
Subject: [Freeipa-devel] [freeipa PR#416][synchronized] replica install: relax domain level check for promotion

URL: https://github.com/freeipa/freeipa/pull/416
Author: frasertweedale
Title: #416: replica install: relax domain level check for promotion
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/416/head:pr416
git checkout pr416

(Attachment scrubbed: freeipa-pr-416.patch, text/x-diff, 4418 bytes)

From freeipa-github-notification at redhat.com Wed Feb 1 01:17:28 2017
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Wed, 01 Feb 2017 02:17:28 +0100
Subject: [Freeipa-devel] [freeipa PR#415][synchronized] ca-del: require CA to already be disabled

URL: https://github.com/freeipa/freeipa/pull/415
Author: frasertweedale
Title: #415: ca-del: require CA to already be disabled
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/415/head:pr415
git checkout pr415

(Attachment scrubbed: freeipa-pr-415.patch, text/x-diff, 3061 bytes)

From freeipa-github-notification at redhat.com Wed Feb 1 04:45:48 2017
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Wed, 01 Feb 2017 05:45:48 +0100
Subject: [Freeipa-devel] [freeipa PR#415][comment] ca-del: require CA to already be disabled

URL: https://github.com/freeipa/freeipa/pull/415
Title: #415: ca-del: require CA to already be disabled

frasertweedale commented:
"""
@apophys done; PR updated.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/415#issuecomment-276571411

From freeipa-github-notification at redhat.com Wed Feb 1 04:48:13 2017
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Wed, 01 Feb 2017 05:48:13 +0100
Subject: [Freeipa-devel] [freeipa PR#416][comment] replica install: relax domain level check for promotion

URL: https://github.com/freeipa/freeipa/pull/416
Title: #416: replica install: relax domain level check for promotion

frasertweedale commented:
"""
@HonzaCholasta @MartinBasti PR updated. I extracted the specific (== 0) and (>= 1) checks to the relevant call sites. Also separated DL retrieval and the "DL in range for IPA version" check into separate functions.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/416#issuecomment-276571652

From mharmsen at redhat.com Wed Feb 1 07:56:35 2017
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Wed, 1 Feb 2017 00:56:35 -0700
Subject: [Freeipa-devel] Karma Requests for pki-core-10.3.5-11

The following updated candidate builds of pki-core 10.3.5 were generated:

* Fedora 24
  o pki-core-10.3.5-11.fc24
* Fedora 25
  o pki-core-10.3.5-11.fc25
* Fedora 26
  o pki-core-10.3.5-11.fc26

These builds address the following PKI TRAC tickets:

* PKI TRAC Ticket #1741 - ECDSA Certificates Generated by Certificate System fail NIST validation test with parameter field.
* PKI TRAC Ticket #2450 - Unable to search certificate requests using the latest request ID
* PKI TRAC Ticket #2534 - Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status
* PKI TRAC Ticket #2564 - pki-tomcat for 10+ minutes before generating cert
* PKI TRAC Ticket #2570 - Problem with default AJP hostname in IPv6 environment.
* PKI TRAC Ticket #2573 - CA Certificate Issuance Date displayed on CA website incorrect
* PKI TRAC Ticket #2579 - NumberFormatException in LDAPProfileSubsystem

Please provide Karma for the following builds:

* Fedora 24
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-a2898f25b1 pki-core-10.3.5-11.fc24
* Fedora 25
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-fe062eaff7 pki-core-10.3.5-11.fc25

From freeipa-github-notification at redhat.com Wed Feb 1 08:47:38 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 01 Feb 2017 09:47:38 +0100
Subject: [Freeipa-devel] [freeipa PR#413][synchronized] Complete stageuser API

URL: https://github.com/freeipa/freeipa/pull/413
Author: dkupka
Title: #413: Complete stageuser API
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/413/head:pr413
git checkout pr413

(Attachment scrubbed: freeipa-pr-413.patch, text/x-diff, 28273 bytes)

From freeipa-github-notification at redhat.com Wed Feb 1 08:51:33 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 01 Feb 2017 09:51:33 +0100
Subject: [Freeipa-devel] [freeipa PR#413][comment] Complete stageuser API

URL: https://github.com/freeipa/freeipa/pull/413
Title: #413: Complete stageuser API

dkupka commented:
"""
I've removed the first commit, thank you for noticing. I've probably just rebased on a branch containing it and then forgot to remove it.
There's no ticket for handling missing SAN in ipalib.x509 because I just uncovered it when I replaced the certificates in our test and it was easier to just fix it than reproducing and reporting it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/413#issuecomment-276603721

From freeipa-github-notification at redhat.com Wed Feb 1 09:09:27 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 01 Feb 2017 10:09:27 +0100
Subject: [Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]

URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

MartinBasti commented:
"""
bump for review
"""

See the full comment at https://github.com/freeipa/freeipa/pull/336#issuecomment-276607135

From freeipa-github-notification at redhat.com Wed Feb 1 09:34:27 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 01 Feb 2017 10:34:27 +0100
Subject: [Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]

URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

HonzaCholasta commented:
"""
LGTM
"""

See the full comment at https://github.com/freeipa/freeipa/pull/336#issuecomment-276612233

From freeipa-github-notification at redhat.com Wed Feb 1 13:32:41 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 01 Feb 2017 14:32:41 +0100
Subject: [Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test

URL: https://github.com/freeipa/freeipa/pull/399
Author: dkupka
Title: #399: Certificate mapping test
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/399/head:pr399
git checkout pr399

(Attachment scrubbed: freeipa-pr-399.patch, text/x-diff, 96826 bytes)

From freeipa-github-notification at redhat.com Wed Feb 1 21:48:13 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 01 Feb 2017 22:48:13 +0100
Subject: [Freeipa-devel] [freeipa PR#430][opened] [py3] tests_xmlrpc: do not call str() on bytes

URL: https://github.com/freeipa/freeipa/pull/430
Author: MartinBasti
Title: #430: [py3] tests_xmlrpc: do not call str() on bytes
Action: opened

PR body:
"""
Calling str() on bytes causes an undesired side effect: it adds the prefix "b" to the result of the conversion. The method decode() should be used instead.

https://fedorahosted.org/freeipa/ticket/4985
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/430/head:pr430
git checkout pr430

(Attachment scrubbed: freeipa-pr-430.patch, text/x-diff, 2151 bytes)

From freeipa-github-notification at redhat.com Thu Feb 2 08:28:48 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 02 Feb 2017 09:28:48 +0100
Subject: [Freeipa-devel] [freeipa PR#430][+ack] [py3] tests_xmlrpc: do not call str() on bytes

URL: https://github.com/freeipa/freeipa/pull/430
Title: #430: [py3] tests_xmlrpc: do not call str() on bytes

Label: +ack

From freeipa-github-notification at redhat.com Thu Feb 2 08:29:45 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 02 Feb 2017 09:29:45 +0100
Subject: [Freeipa-devel] [freeipa PR#431][opened] py3: ldapupdate: fix logging str(bytes) issue

URL: https://github.com/freeipa/freeipa/pull/431
Author: MartinBasti
Title: #431: py3: ldapupdate: fix logging str(bytes) issue
Action: opened

PR body:
"""
Passing bytes as the argument of str() gives an unexpected result by adding the prefix "b" there.

Also add the missing safe_option() call to logging (it will fix another str(bytes) issue).

https://fedorahosted.org/freeipa/ticket/4985

Other byteswarnings are from https://github.com/etingof/pyasn1/issues/14
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/431/head:pr431
git checkout pr431

(Attachment scrubbed: freeipa-pr-431.patch, text/x-diff, 1687 bytes)

From freeipa-github-notification at redhat.com Thu Feb 2 10:03:02 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Thu, 02 Feb 2017 11:03:02 +0100
Subject: [Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test

URL: https://github.com/freeipa/freeipa/pull/399
Author: dkupka
Title: #399: Certificate mapping test
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/399/head:pr399
git checkout pr399

(Attachment scrubbed: freeipa-pr-399.patch, text/x-diff, 46983 bytes)

From freeipa-github-notification at redhat.com Thu Feb 2 11:02:29 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Thu, 02 Feb 2017 12:02:29 +0100
Subject: [Freeipa-devel] [freeipa PR#432][opened] build: Add missing dependency on libxmlrpc{, _util}

URL: https://github.com/freeipa/freeipa/pull/432
Author: dkupka
Title: #432: build: Add missing dependency on libxmlrpc{,_util}
Action: opened

PR body:
"""
Change in libxmlrpc packaging uncovered a missing linking dependency in our build system.

https://fedorahosted.org/freeipa/ticket/6637
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/432/head:pr432
git checkout pr432

(Attachment scrubbed: freeipa-pr-432.patch, text/x-diff, 997 bytes)

From freeipa-github-notification at redhat.com Thu Feb 2 11:02:34 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 02 Feb 2017 12:02:34 +0100
Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367

(Attachment scrubbed: freeipa-pr-367.patch, text/x-diff, 110765 bytes)

From freeipa-github-notification at redhat.com Thu Feb 2 11:02:38 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 02 Feb 2017 12:02:38 +0100
Subject: [Freeipa-devel] [freeipa PR#367][edited] Remove nsslib from IPA

URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: edited

Changed field: body

Original value:
"""
This batch of patches removes NSSConnection along with the whole ipapython.nsslib from IPA and replaces it with the more standard httplib.HTTPSConnection.

NSSConnection was causing a lot of trouble in the past because it is apparently very fragile when it comes to nss library initialization. On top of that, when NSSConnection is used to set up an HTTPS connection in FIPS, it always requires a password to the NSS database as NSS apparently tries to create a temporary private key and store it to the database even though client authentication is not required in the SSL connection.

TODO (will require changes in certmonger/dogatg.c):
- [x] remove NSSConnection from client modules
- [x] remove NSSConnection from server modules where it's used to connect to the certificate server
- [x] remove the nsslib library completely
- [ ] we may probably remove ipaCert from /etc/httpd/alias and stop tracking it with certmonger
- [ ] once ^- is done, track /var/lib/ipa/ra-agent.pem in certmonger instead

https://fedorahosted.org/freeipa/ticket/5695
"""

From freeipa-github-notification at redhat.com Thu Feb 2 11:02:39 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 02 Feb 2017 12:02:39 +0100
Subject: [Freeipa-devel] [freeipa PR#367][edited] Remove nsslib from IPA

URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: edited

Changed field: body

Original value:
"""
This batch of patches removes NSSConnection along with the whole ipapython.nsslib from IPA and replaces it with the more standard httplib.HTTPSConnection.

NSSConnection was causing a lot of trouble in the past because it is apparently very fragile when it comes to nss library initialization. On top of that, when NSSConnection is used to set up an HTTPS connection in FIPS, it always requires a password to the NSS database as NSS apparently tries to create a temporary private key and store it to the database even though client authentication is not required in the SSL connection.

TODO (will require changes in certmonger/dogatg.c):
- [x] remove NSSConnection from client modules
- [x] remove NSSConnection from server modules where it's used to connect to the certificate server
- [x] remove the nsslib library completely
- [x] we may probably remove ipaCert from /etc/httpd/alias and stop tracking it with certmonger
- [ ] once ^- is done, track /var/lib/ipa/ra-agent.pem in certmonger instead

https://fedorahosted.org/freeipa/ticket/5695
"""

From freeipa-github-notification at redhat.com Thu Feb 2 11:04:58 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 02 Feb 2017 12:04:58 +0100
Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367

(Attachment scrubbed: freeipa-pr-367.patch, text/x-diff, 110731 bytes)

From freeipa-github-notification at redhat.com Thu Feb 2 11:10:44 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 02 Feb 2017 12:10:44 +0100
Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

stlaz commented:
"""
In the latest patchset, the "ipaCert" is removed from the "/etc/httpd/alias/" NSSDB and all the machinery around the certificate is moved accordingly.

I am addressing support of old SSL protocol versions in https://github.com/freeipa/freeipa/pull/396, although that one currently requires some changes.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-276929867

From freeipa-github-notification at redhat.com Thu Feb 2 12:44:01 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 02 Feb 2017 13:44:01 +0100
Subject: [Freeipa-devel] [freeipa PR#430][+pushed] [py3] tests_xmlrpc: do not call str() on bytes

URL: https://github.com/freeipa/freeipa/pull/430
Title: #430: [py3] tests_xmlrpc: do not call str() on bytes

Label: +pushed

From freeipa-github-notification at redhat.com Thu Feb 2 12:44:03 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 02 Feb 2017 13:44:03 +0100
Subject: [Freeipa-devel] [freeipa PR#430][comment] [py3] tests_xmlrpc: do not call str() on bytes

URL: https://github.com/freeipa/freeipa/pull/430
Title: #430: [py3] tests_xmlrpc: do not call str() on bytes

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/5de70e31999eb219bd47aa81b0c003a6c15cf748
"""

See the full comment at https://github.com/freeipa/freeipa/pull/430#issuecomment-276947658

From freeipa-github-notification at redhat.com Thu Feb 2 12:44:04 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 02 Feb 2017 13:44:04 +0100
Subject: [Freeipa-devel] [freeipa PR#430][closed] [py3] tests_xmlrpc: do not call str() on bytes

URL: https://github.com/freeipa/freeipa/pull/430
Author: MartinBasti
Title: #430: [py3] tests_xmlrpc: do not call str() on bytes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/430/head:pr430
git checkout pr430

From freeipa-github-notification at redhat.com Thu Feb 2 12:47:23 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 02 Feb 2017 13:47:23 +0100
Subject: [Freeipa-devel] [freeipa PR#425][comment] ipa-kra-install must create directory if it does not exist

URL: https://github.com/freeipa/freeipa/pull/425
Title: #425: ipa-kra-install must create directory if it does not exist

MartinBasti commented:
"""
Pushed:
master:
066f5b7c904208d0fd79862dfaa7166fff42fd30 ipa-kra-install must create directory if it does not exist
"""

See the full comment at https://github.com/freeipa/freeipa/pull/425#issuecomment-276948333

From freeipa-github-notification at redhat.com Thu Feb 2 12:47:24 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 02 Feb 2017 13:47:24 +0100
Subject: [Freeipa-devel] [freeipa PR#425][closed] ipa-kra-install must create directory if it does not exist

URL: https://github.com/freeipa/freeipa/pull/425
Author: flo-renaud
Title: #425: ipa-kra-install must create directory if it does not exist
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/425/head:pr425
git checkout pr425

From freeipa-github-notification at redhat.com Thu Feb 2 12:47:30 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 02 Feb 2017 13:47:30 +0100
Subject: [Freeipa-devel] [freeipa PR#425][+pushed] ipa-kra-install must create directory if it does not exist

URL: https://github.com/freeipa/freeipa/pull/425
Title: #425: ipa-kra-install must create directory if it does not exist

Label: +pushed

From freeipa-github-notification at redhat.com Thu Feb 2 13:30:02 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 02 Feb 2017 14:30:02 +0100
Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367

(Attachment scrubbed: freeipa-pr-367.patch, text/x-diff, 112406 bytes)

From Oucema.Bellagha at hotmail.com Thu Feb 2 14:17:52 2017
From: Oucema.Bellagha at hotmail.com (Oucema Bellagha)
Date: Thu, 2 Feb 2017 14:17:52 +0000
Subject: [Freeipa-devel] Using Key-authentication for AD users as 2nd factor

Hi Linux folks,

After setting up the one-way trust between IPA and AD, users from AD can authenticate to Linux resources using their own keys. That's great, but now I want to add a second-factor authentication for those AD users, which is public key authentication. Is that possible?

I mean we can add a field to AD named "ssh-key", but how to use that field for 2nd-factor authentication within IPA, or is there any other option?

Regards,

From freeipa-github-notification at redhat.com Thu Feb 2 15:29:37 2017
From: freeipa-github-notification at redhat.com (celestian)
Date: Thu, 02 Feb 2017 16:29:37 +0100
Subject: [Freeipa-devel] [freeipa PR#409][synchronized] ipatests: nested netgroups (intg)

URL: https://github.com/freeipa/freeipa/pull/409
Author: celestian
Title: #409: ipatests: nested netgroups (intg)
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/409/head:pr409
git checkout pr409

(Attachment scrubbed: freeipa-pr-409.patch, text/x-diff, 7906 bytes)

From freeipa-github-notification at redhat.com Thu Feb 2 15:32:24 2017
From: freeipa-github-notification at redhat.com (celestian)
Date: Thu, 02 Feb 2017 16:32:24 +0100
Subject: [Freeipa-devel] [freeipa PR#409][comment] ipatests: nested netgroups (intg)

URL: https://github.com/freeipa/freeipa/pull/409
Title: #409: ipatests: nested netgroups (intg)

celestian commented:
"""
I addressed all comments, I hope.

I know that there is still some pylint stuff like:
```
ipatests/test_integration/test_netgroup.py:91: [E1101(no-member), TestNetgroups.check_users_in_netgroups] Class 'domain' has no 'name' member)
ipatests/test_integration/test_netgroup.py:108: [E1101(no-member), TestNetgroups.check_nested_netgroup_hierarchy] Class 'domain' has no 'name' member)
ipatests/test_integration/test_netgroup.py:132: [E1101(no-member), TestNetgroups.test_remove_nested_netgroup] Class 'domain' has no 'name' member)
```
I don't know why, due to lines 228 and 230 in pylint_plugins.py. Did I miss something?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/409#issuecomment-276989863

From freeipa-github-notification at redhat.com Thu Feb 2 16:08:18 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Thu, 02 Feb 2017 17:08:18 +0100
Subject: [Freeipa-devel] [freeipa PR#420][comment] WIP: Allow login to WebUI using Kerberos aliases/enterprise principals

URL: https://github.com/freeipa/freeipa/pull/420
Title: #420: WIP: Allow login to WebUI using Kerberos aliases/enterprise principals

dkupka commented:
"""
LGTM and works as expected. Not ACKing only because it's marked as WIP.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/420#issuecomment-277000582

From freeipa-github-notification at redhat.com Fri Feb 3 08:35:40 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 03 Feb 2017 09:35:40 +0100
Subject: [Freeipa-devel] [freeipa PR#420][comment] WIP: Allow login to WebUI using Kerberos aliases/enterprise principals

URL: https://github.com/freeipa/freeipa/pull/420
Title: #420: WIP: Allow login to WebUI using Kerberos aliases/enterprise principals

martbab commented:
"""
I would wait with ACKing/pushing this PR until https://github.com/freeipa/freeipa/pull/314 is pushed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/420#issuecomment-277192602

From freeipa-github-notification at redhat.com Fri Feb 3 11:46:55 2017
From: freeipa-github-notification at redhat.com (celestian)
Date: Fri, 03 Feb 2017 12:46:55 +0100
Subject: [Freeipa-devel] [freeipa PR#409][synchronized] ipatests: nested netgroups (intg)

URL: https://github.com/freeipa/freeipa/pull/409
Author: celestian
Title: #409: ipatests: nested netgroups (intg)
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/409/head:pr409
git checkout pr409

(Attachment scrubbed: freeipa-pr-409.patch, text/x-diff, 8312 bytes)

From freeipa-github-notification at redhat.com Fri Feb 3 11:50:23 2017
From: freeipa-github-notification at redhat.com (celestian)
Date: Fri, 03 Feb 2017 12:50:23 +0100
Subject: [Freeipa-devel] [freeipa PR#409][comment] ipatests: nested netgroups (intg)

URL: https://github.com/freeipa/freeipa/pull/409
Title: #409: ipatests: nested netgroups (intg)

celestian commented:
"""
I addressed the issue in Travis and Quantified. New version pushed.

PS: The right way is ```self.master.domain.name```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/409#issuecomment-277229608

From freeipa-github-notification at redhat.com Fri Feb 3 12:51:56 2017
From: freeipa-github-notification at redhat.com (celestian)
Date: Fri, 03 Feb 2017 13:51:56 +0100
Subject: [Freeipa-devel] [freeipa PR#409][synchronized] ipatests: nested netgroups (intg)

URL: https://github.com/freeipa/freeipa/pull/409
Author: celestian
Title: #409: ipatests: nested netgroups (intg)
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/409/head:pr409
git checkout pr409

(Attachment scrubbed: freeipa-pr-409.patch, text/x-diff, 8312 bytes)

From freeipa-github-notification at redhat.com Fri Feb 3 12:52:35 2017
From: freeipa-github-notification at redhat.com (celestian)
Date: Fri, 03 Feb 2017 13:52:35 +0100
Subject: [Freeipa-devel] [freeipa PR#409][comment] ipatests: nested netgroups (intg)

URL: https://github.com/freeipa/freeipa/pull/409
Title: #409: ipatests: nested netgroups (intg)

celestian commented:
"""
2015-->2017 addressed. New version pushed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/409#issuecomment-277239936

From freeipa-github-notification at redhat.com Fri Feb 3 14:42:57 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 03 Feb 2017 15:42:57 +0100
Subject: [Freeipa-devel] [freeipa PR#416][comment] replica install: relax domain level check for promotion

URL: https://github.com/freeipa/freeipa/pull/416
Title: #416: replica install: relax domain level check for promotion

stlaz commented:
"""
The purpose of `check_domain_level()` was to have a unified means of checking whether the domain level in the rest of the domain corresponds to the installation media which is presented by the user. Looking back at it, I think I chose poor naming and documentation of the check, so it's rather confusing.

If you find a way to make a unified check in both domain levels (=> a single function call for both DLs that will raise an exception when the wrong installation media is presented), that'd be nice. Otherwise feel free to split it back to what it was previously.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/416#issuecomment-277263462

From freeipa-github-notification at redhat.com Fri Feb 3 16:23:09 2017
From: freeipa-github-notification at redhat.com (celestian)
Date: Fri, 03 Feb 2017 17:23:09 +0100
Subject: [Freeipa-devel] [freeipa PR#409][synchronized] ipatests: nested netgroups (intg)

URL: https://github.com/freeipa/freeipa/pull/409
Author: celestian
Title: #409: ipatests: nested netgroups (intg)
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/409/head:pr409
git checkout pr409

(Attachment scrubbed: freeipa-pr-409.patch, text/x-diff, 7846 bytes)

From freeipa-github-notification at redhat.com Fri Feb 3 16:23:36 2017
From: freeipa-github-notification at redhat.com (celestian)
Date: Fri, 03 Feb 2017 17:23:36 +0100
Subject: [Freeipa-devel] [freeipa PR#409][comment] ipatests: nested netgroups (intg)

URL: https://github.com/freeipa/freeipa/pull/409
Title: #409: ipatests: nested netgroups (intg)

celestian commented:
"""
Addressed, pushed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/409#issuecomment-277292355

From freeipa-github-notification at redhat.com Sat Feb 4 06:27:38 2017
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Sat, 04 Feb 2017 07:27:38 +0100
Subject: [Freeipa-devel] [freeipa PR#416][comment] replica install: relax domain level check for promotion

URL: https://github.com/freeipa/freeipa/pull/416
Title: #416: replica install: relax domain level check for promotion

frasertweedale commented:
"""
@stlaz there are three considerations when "checking the DL":

1. Retrieving the current DL.
2. Checking that the current DL is supported by the server version.
3. Checking that the attempted method of installation is supported on the current DL.

Whether it makes sense to have a unified function for (3), I am not sure. I think the approach as implemented in this PR - that each replica installation method checks the DL and if necessary raises an appropriate error message - is satisfactory. Certainly it makes more sense to me to have these checks separate from the check for (2).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/416#issuecomment-277423018

From freeipa-github-notification at redhat.com Sat Feb 4 13:57:54 2017
From: freeipa-github-notification at redhat.com (LiptonB)
Date: Sat, 04 Feb 2017 14:57:54 +0100
Subject: [Freeipa-devel] [freeipa PR#433][opened] csrgen: Allow some certificate fields to be specified by the user

URL: https://github.com/freeipa/freeipa/pull/433
Author: LiptonB
Title: #433: csrgen: Allow some certificate fields to be specified by the user
Action: opened

PR body:
"""
These patches allow CSR generation rules to contain a "prompt," which will cause data to be requested from the user and interpolated into the CSR.

The second commit runs the prompt through gettext. As I asked about [here](https://www.redhat.com/archives/freeipa-devel/2016-August/msg00823.html), I'm not sure if this is useful because the prompt strings in the rule files won't be recognized as translatable. But I decided to include the commit for discussion.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/433/head:pr433
git checkout pr433

(Attachment scrubbed: freeipa-pr-433.patch, text/x-diff, 11290 bytes)

From freeipa-github-notification at redhat.com Sat Feb 4 15:38:06 2017
From: freeipa-github-notification at redhat.com (LiptonB) Date: Sat, 04 Feb 2017 16:38:06 +0100 Subject: [Freeipa-devel] [freeipa PR#434][opened] csrgen: Automate full cert request flow Message-ID: URL: https://github.com/freeipa/freeipa/pull/434 Author: LiptonB Title: #434: csrgen: Automate full cert request flow Action: opened PR body: """ Adds `--autogenerate` flag to `ipa cert-request` command. It no longer requires a CSR passed on the command line, instead it creates a config (bash script) with `cert-get-requestdata`, then runs it to build a CSR, and submits that CSR. Example usage (NSS database): $ ipa cert-request --autogenerate --principal blipton --profile-id userCert --database /tmp/certs Example usage (PEM private key file): $ ipa cert-request --autogenerate --principal blipton --profile-id userCert --private-key /tmp/key.pem """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/434/head:pr434 git checkout pr434 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-434.patch Type: text/x-diff Size: 9366 bytes Desc: not available URL: From blipton at redhat.com Sat Feb 4 15:40:51 2017 
From: blipton at redhat.com (Ben Lipton) Date: Sat, 4 Feb 2017 10:40:51 -0500 Subject: [Freeipa-devel] CSR autogeneration next steps In-Reply-To: <5198614b-1704-27b6-7985-46d57b528643@redhat.com> References: <4d31f26b-e332-7362-2b8e-3382a0109067@redhat.com> <2ac0c9af-ef4a-65fe-0cb9-2d161bb7eba0@redhat.com> <77684b8f-c0f5-b1ad-cf7c-075184b5ee39@redhat.com> <71e4dec2-dde8-1cf5-c4cf-399e70f5c60d@redhat.com> <547fedb7-9996-0264-edb4-a563c1f038cf@redhat.com> <5198614b-1704-27b6-7985-46d57b528643@redhat.com> Message-ID: <55d37716-ae4d-1924-6e6e-44d169e6fa5d@redhat.com> On 01/12/2017 04:35 AM, Jan Cholasta wrote: > On 11.1.2017 00:38, Ben Lipton wrote: >> >> On 01/10/2017 01:58 AM, Jan Cholasta wrote: >>> On 19.12.2016 21:59, Ben Lipton wrote: >>>> >>>> On 12/15/2016 11:11 PM, Ben Lipton wrote: >>>>> >>>>> On 12/12/2016 03:52 AM, Jan Cholasta wrote: >>>>>> On 5.12.2016 16:48, Ben Lipton wrote: >>>>>>> Hi Jan, thanks for the comments. >>>>>>> >>>>>>> >>>>>>> On 12/05/2016 04:25 AM, Jan Cholasta wrote: >>>>>>>> Hi Ben, >>>>>>>> >>>>>>>> On 3.11.2016 00:12, Ben Lipton wrote: >>>>>>>>> Hi everybody, >>>>>>>>> >>>>>>>>> Soon I'm going to have to reduce the amount of time I spend on >>>>>>>>> new >>>>>>>>> development work for the CSR autogeneration project, and I >>>>>>>>> want to >>>>>>>>> leave >>>>>>>>> the project in as organized a state as possible. So, I'm taking >>>>>>>>> inventory of the work I've done in order to make sure that what's >>>>>>>>> ready >>>>>>>>> for review can get reviewed and the ideas that have been >>>>>>>>> discussed >>>>>>>>> get >>>>>>>>> prototyped or at least recorded so they won't be forgotten. >>>>>>>> >>>>>>>> Thanks, I have some questions and comments, see below. 
>>>>>>>> >>>>>>>>> >>>>>>>>> Code that's ready for review (I will continue to put in as much >>>>>>>>> time as >>>>>>>>> needed to help get these ready for submission): >>>>>>>>> >>>>>>>>> - Current PR: https://github.com/freeipa/freeipa/pull/10 >>>>>>>> >>>>>>>> How hard would it be to update the PR to use the "new" interface >>>>>>>> from >>>>>>>> the design thread? By this I mean that currently there is a >>>>>>>> command >>>>>>>> (cert_get_requestdata), which creates a CSR from profile id + >>>>>>>> principal + helper, but in the design we discussed a command which >>>>>>>> creates a CertificationRequestInfo from profile id + principal + >>>>>>>> public key. >>>>>>>> >>>>>>>> Internally it could use the OpenSSL helper, no need to >>>>>>>> implement the >>>>>>>> full "new" design. With your build_requestinfo.c code below it >>>>>>>> looks >>>>>>>> like it should be pretty straightforward. >>>>>>> >>>>>>> This is probably doable with the cffi, but I'm concerned about >>>>>>> usability. A user can run the current command to get a (reusable) >>>>>>> script, and run the script to get a CSR. It works with keys in >>>>>>> both PEM >>>>>>> files and NSS databases already. If we change to outputting a >>>>>>> CertificationRequestInfo, in order to make this usable on the >>>>>>> command >>>>>>> line, we'll need: >>>>>>> - An additional tool to sign a CSR given a CertificationRequestInfo >>>>>>> (for >>>>>>> both types of key storage). >>>>>>> - A way to extract a SubjectPublicKeyInfo structure from a key >>>>>>> within >>>>>>> the ipa command (like [1] but we need it for both types of key >>>>>>> storage) >>>>>>> Since as far as I know there's no standard encoding for files >>>>>>> containing >>>>>>> only a CertificationRequestInfo or a SubjectPublicKeyInfo, we'll be >>>>>>> writing and distributing these ourselves. I think that's where >>>>>>> most of >>>>>>> the extra work will come in. 
>>>>>> >>>>>> For PEM files, this is easily doable using python-cryptography (to >>>>>> extract SubjectPublicKeyInfo and sign CertificationRequestInfo) and >>>>>> PyASN1 (to create a CSR from the CertificationRequestInfo and the >>>>>> signature). >>>>> >>>>> I didn't realize that python-cryptography knew about >>>>> SubjectPublicKeyInfo structures, but indeed this seems to be pretty >>>>> straightforward: >>>>> >>>>> key = load_pem_private_key(key_bytes, None, default_backend()) >>>>> pubkey_info = key.public_key().public_bytes(Encoding.DER, >>>>> PublicFormat.SubjectPublicKeyInfo) >>>>> >>>>> Thanks for letting me know this functionality already existed. >> >> I'm currently working on the step of signing the >> CertificationRequestInfo and creating a CSR from it. I think I have it >> working with pyasn1, but of course the "signature algorithm" for the CSR >> needs to be specified and implemented within the code since I'm not >> using a library that understands CSRs natively. The code I have >> currently always produces CSRs with the sha256WithRSAEncryption >> algorithm (DER-encode request info, SHA256, PKCS #1v1.5 padding, RSA >> encryption), and the OID for that algorithm is hardcoded in the output >> CSR. Is this ok or will we need more flexibility than that? > > IMO it's OK for starters. > >>>>>> >>>>>> For NSS databases, this will be trickier and will require calling C >>>>>> functions, as neither certutil nor python-nss provide a way to a) >>>>>> address existing keys in the database by key ID b) get >>>>>> SubjectPublicKeyInfo for a given key. >>> >>> This can be worked around by: >>> >>> 1. Generating a key + temporary certificate: >>> >>> n=$(head -c 40 /dev/urandom | base32) >>> certutil -S -n $n -s CN=$n -x -t ,, >>> >>> 2. Extracting the public key from the certificate: >>> >>> certutil -L -n $n -a >temp.crt >>> (extract the public key using python-cryptography) >>> >>> 3. Deleting the temporary certificate: >>> >>> certutil -D -n $n >>> >>> 4. 
Importing the newly issued certificate: >>> >>> certutil -A -n $n -t ,, -a >> >> Oof, thanks, I'm not sure I would have been able to come up with that. >> Can you generate a key without a temporary certificate if you use the >> NSS API, or does their model require every key to belong to a cert? > > I'm pretty sure it's possible, but it certainly won't be as simple as > this. I gave up after a few hours of digging into NSS source code and > not being able to figure out how. > >>>>>> >>>>>> As for encoding, the obvious choice is DER. It does not really >>>>>> matter >>>>>> there is no standard file format, as we won't be transferring these >>>>>> as files anyway. >>>>> >>>>> Agreed. I just meant there aren't tools already because this isn't a >>>>> type of file one often needs to process. >>>>>> >>>>>>> >>>>>>> Would it be ok to stick with the current design in this PR? I'd >>>>>>> feel >>>>>>> much better if we could get the basic functionality into the >>>>>>> repo and >>>>>>> then iterate on it rather than changing the plan at this point. >>>>>>> I can >>>>>>> create a separate PR to change cert_get_requestdata to this new >>>>>>> interface and at the same time add the necessary adapters (bullet >>>>>>> points >>>>>>> above) to make it user-friendly. >>>>>> >>>>>> Works for me. >>>>> >>>>> Updated the PR to fix conflicts with master. Had some trouble with CI >>>>> but creating a new PR with the same commits fixed it >>>>> (https://github.com/freeipa/freeipa/pull/337). Not sure if it's fixed >>>>> permanently, so I guess I'll just keep the two PRs synchronized now, >>>>> or we could close the old one. >>> >>> You can close the old one. >>> >>> Just to make sure we are on the same page, you want this PR to be >>> merged before submitting additional PRs built on top of it? >> >> Yes, I would like to merge this one to have as a starting point if >> you're comfortable with it: https://github.com/freeipa/freeipa/pull/337. 
>> I just did a force push to clean up the history, but the final diff >> should be the same as it was before. > > OK. > >>> >>>>>> >>>>>>> >>>>>>> I would probably just implement the adapters within the >>>>>>> cert_build/cert_request client code unless you think having >>>>>>> standalone >>>>>>> tools is valuable. I suppose certmonger is going to need these >>>>>>> features >>>>>>> too, but I don't know how well sharing code between them is >>>>>>> going to >>>>>>> work. >>>>>> >>>>>> cert-request is exactly the place where it should be :-) I wouldn't >>>>>> bother with certmonger until we have a server-side csrgen. >>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>> - Allow some fields to be specified by the user at creation time: >>>>>>>>> https://github.com/LiptonB/freeipa/commits/local-user-data >>>>>>>> >>>>>>>> Good idea :-) >>>>>>>> >>>>>>>>> >>>>>>>>> - Automation for the full process from getting CSR data to >>>>>>>>> requesting >>>>>>>>> cert: https://github.com/LiptonB/freeipa/commits/local-cert-build >>>>>>>> >>>>>>>> LGTM, although I would prefer if this was a client-side >>>>>>>> extension of >>>>>>>> cert-request rather than a completely new command. >>>>>>> >>>>>>> I did try that at first, but I struggled to figure out the >>>>>>> interface >>>>>>> for >>>>>>> the modified cert-request. (Not that the current solution is so >>>>>>> great, >>>>>>> what with the copying of options from cert_request and certreq.) >>>>>>> If I >>>>>>> remember correctly, I was uncertain how to implement parameters >>>>>>> that >>>>>>> are >>>>>>> required/invalid based on other parameters: the current >>>>>>> cert-request >>>>>>> takes a signed CSR (required), a principal (required), and a >>>>>>> profile >>>>>>> ID; >>>>>>> the new cert-request (what I implemented as cert-build) takes a >>>>>>> principal (required), a profile ID (required), and a key location >>>>>>> (required). 
I can't remember if that was the only problem, but >>>>>>> I'll try >>>>>>> again to merge the commands and get back to you. >>>>>> >>>>>> To make the CSR argument optional on the client, you can do this: >>>>>> >>>>>> def get_options(self): >>>>>> for option in super(cert_request, self).get_options(): >>>>>> if option.name == 'csr': >>>>>> option = option.clone(required=False) >>>>>> yield option >>>>>> >>>>>> IMO profile ID should default to caIPAserviceCert on the client as >>>>>> well. >>>>> >>>>> I originally had it doing so, but changed it to a required option >>>>> based on feedback in this email: >>>>> https://www.redhat.com/archives/freeipa-devel/2016-August/msg00021.html: >>>>> >>>>> >>>>> "In general use I think that 'caIPAserviceCert' is unlikely to be >>>>> used >>>>> a majority of the time, and it is a new command so there are no >>>>> compatibility issues; therefore why not make the profile option >>>>> mandatory?" I guess since we're talking about cert-request now, the >>>>> compatibility issues are back. >>>>> >>>>> https://github.com/LiptonB/freeipa/commits/local-cert-build has now >>>>> been updated to change the cert_request command rather than adding a >>>>> new command. It seems to work now (thanks for the advice on making >>>>> the >>>>> argument optional), the only thing I'm having trouble with is the >>>>> default for the profile_id argument. Previously, the default was >>>>> applied by this code in cert_request.execute: >>>>> >>>>> profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE) >>>>> >>>>> But now, in the client, I need the default to pass to >>>>> cert_get_requestdata if no profile is specified. I'm not sure I can >>>>> access backends from the client to get it the same way the server >>>>> code >>>>> does. Should I just import ipapython/dogtag.py and use the >>>>> DEFAULT_PROFILE set in there? Is there a way I can give the option a >>>>> default that will be seen in both the server and the client? 
>> Just wanted to call attention to this question. The code that's >> currently problematic is here: >> https://github.com/LiptonB/freeipa/blob/dda05b0b4dfa332569a8ca75632eaeceb95fbd6a/ipaclient/plugins/cert.py#L86 >> >> (will pass None when in fact the argument default should be used). > > self.get_default_of('profile_id') > >>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>> Other prototypes and design ideas that aren't ready for >>>>>>>>> submission >>>>>>>>> yet: >>>>>>>>> >>>>>>>>> - Utility written in C to build a CertificationRequestInfo from a >>>>>>>>> SubjectPublicKeyInfo and an openssl-style config file. The >>>>>>>>> purpose of >>>>>>>>> this is to take a config that my code already knows how to >>>>>>>>> generate, and >>>>>>>>> put it in a form that certmonger can use. This is nearly done and >>>>>>>>> available at: >>>>>>>>> https://github.com/LiptonB/freeipa-prototypes/blob/master/build_requestinfo.c >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> Nice! As I said above, this could really make implementing the >>>>>>>> "new" >>>>>>>> csrgen interface simple. >>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> - Ideally it should be possible to use this tool to reimplement >>>>>>>>> the full >>>>>>>>> cert-request automation (local-cert-build branch) without a >>>>>>>>> dependency >>>>>>>>> on the certutil/openssl tools. However, I don't think any of the >>>>>>>>> python >>>>>>>>> crypto libraries have bindings for the functions that deal with >>>>>>>>> CertificationRequestInfo objects, so I don't think I can do this >>>>>>>>> in the >>>>>>>>> short term. >>>>>>>> >>>>>>>> You can use python-cffi to write your own minimal bindings. It's >>>>>>>> fairly straightforward, take a look at FreeIPA commit 500ee7e2 >>>>>>>> for an >>>>>>>> example of how to port C code to Python with python-cffi. >>>>>>> >>>>>>> Thank you for the example. I will take a look. 
>>>>>>>> >>>>>>>>> >>>>>>>>> - Certmonger "helper" program that takes in the >>>>>>>>> CertificationRequestInfo >>>>>>>>> that certmonger generates, calls out to IPA for profile-specific >>>>>>>>> data, >>>>>>>>> and returns an updated CertificationRequestInfo built from the >>>>>>>>> data. >>>>>>>>> Certmonger doesn't currently support this type of helper, but >>>>>>>>> (if I >>>>>>>>> understood correctly) this is the architecture Nalin believed >>>>>>>>> would be >>>>>>>>> simplest to fit in. This is not done yet, but I intend to >>>>>>>>> complete it >>>>>>>>> soon - it shouldn't require much code beyond what's in >>>>>>>>> build_requestinfo.c. >>>>>>>> >>>>>>>> To me this sounds like it should be a new operation of the current >>>>>>>> helper rather than a completely new helper. >>>>>>> >>>>>>> Maybe so. I certainly wouldn't call this a finished design, I just >>>>>>> wanted to have some kind of proof of concept for how the certmonger >>>>>>> integration could work. For what it's worth, that prototype is now >>>>>>> available at [2]. >>>>>> >>>>>> OK. >>>>>> >>>>>>>> >>>>>>>> Anyway, the ultimate goal is to move the csrgen code to the >>>>>>>> server, >>>>>>>> which means everything the helper will have to do is call a >>>>>>>> command >>>>>>>> over RPC. >>>>>>>> >>>>>>>>> >>>>>>>>> - Tool to convert an XER-encoded cert extension to DER, given the >>>>>>>>> ASN.1 >>>>>>>>> description of the extension. This would unblock Jan Cholasta's >>>>>>>>> idea of >>>>>>>>> using XSLT for templates rather than text-based formatting. I >>>>>>>>> should be >>>>>>>>> able to implement the conversion tool, but it may be a while >>>>>>>>> before I >>>>>>>>> have time to demo the full XSLT idea. >>>>>>>> >>>>>>>> Was there any progress on this? >>>>>>> >>>>>>> I have started working on implementing it with asn1c, and I'm >>>>>>> already >>>>>>> seeing some of the inconvenience (security issues aside) of >>>>>>> building on >>>>>>> the server. 
Libtasn1 seems like a much better model, but doesn't >>>>>>> seem to >>>>>>> have XER support. Anyway, don't quite have results here yet but I >>>>>>> think >>>>>>> I should have the XER->DER demo with asn1c ready in a week or two. >>>>>> >>>>>> Implementing XER codec on top of libtasn1 shouldn't be too hard; I >>>>>> have a WIP which I will post soon. >>>> >>>> It took me some experimentation to get this to work, but the solution >>>> with asn1c is actually quite simple because the tool automatically >>>> provides a sample C file that converts between different formats. So, >>>> this very basic shell script is able to do the conversion: >>>> https://github.com/LiptonB/freeipa-prototypes/blob/master/xer2der.sh >>>> >>>> $ cat ExtKeyUsage.xer >>>> >>>> 1.3.6.1.5.5.7.3.2 >>>> 1.3.6.1.5.5.7.3.4 >>>> >>>> >>>> $ cat KeyUsage.asn1 >>>> KUModule DEFINITIONS ::= >>>> BEGIN >>>> >>>> KeyUsage ::= BIT STRING { >>>> digitalSignature (0), >>>> nonRepudiation (1), -- recent editions of X.509 have >>>> -- renamed this bit to >>>> contentCommitment >>>> keyEncipherment (2), >>>> dataEncipherment (3), >>>> keyAgreement (4), >>>> keyCertSign (5), >>>> cRLSign (6), >>>> encipherOnly (7), >>>> decipherOnly (8) } >>>> >>>> ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId >>>> >>>> KeyPurposeId ::= OBJECT IDENTIFIER >>>> >>>> END >>>> >>>> $ ./xer2der.sh KeyUsage.asn1 ExtKeyUsageSyntax ExtKeyUsage.xer >>>> 2>/dev/null | xxd >>>> 00000000: 3014 0608 2b06 0105 0507 0302 0608 2b06 0...+.........+. >>>> 00000010: 0105 0507 0304 ...... >>> >>> So far I don't have a working example using libtasn1. I have something >>> close to it, but it's hacky, as the libtasn1 API is pretty limited, >>> and I didn't have time to work on it in the last few weeks. > > I got it working, needs just a little polishing. It's still ugly hacky > though. > >>> >>>> >>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>> So: currently on my to do list are the certmonger helper and the >>>>>>>>> XER->DER conversion tool. 
Do you have any comments about these >>>>>>>>> plans, >>>>>>>>> and is there anything else I can do to wrap up the project >>>>>>>>> neatly? >>>>>>>>> >>>>>>>>> Thanks, >>>>>>>>> Ben >>>>>>>>> >>>>>>>> >>>>>>>> Honza >>>>>>>> >>>>>>> [1] >>>>>>> https://github.com/LiptonB/freeipa-prototypes/blob/master/key2spki.c >>>>>>> >>>>>>> [2] >>>>>>> https://github.com/LiptonB/freeipa-prototypes/blob/master/cm_ipa_csrgen.c >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >>> >> > > Thank you for the review! I just created https://github.com/freeipa/freeipa/pull/433 and https://github.com/freeipa/freeipa/pull/434 for the two follow-up branches I had pending (and updated with ideas from this thread and the previous PR's thread). I'm still working on converting the API to consuming SubjectPublicKeyInfo structures and producing CertificationRequestInfo ones - I have the OpenSSL flow working, but am still missing a step for the NSS flow. Specifically, after step 2 of the 4 you suggested above, I need to use NSS to use the private key in the db to sign the SubjectPublicKeyInfo before I can use python-cryptography to make it into a CSR like I'm doing with OpenSSL. I'm sure this is not very hard, but I haven't quite figured it out yet. From freeipa-github-notification at redhat.com Mon Feb 6 07:29:38 2017 
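The XER-to-DER demo in the thread above ends with asn1c emitting the DER bytes for an ExtKeyUsageSyntax holding two KeyPurposeIds. The following is an added example, not code from the thread, from FreeIPA or from asn1c: it produces the same bytes directly in Python with only the standard library, so the DER rules the converter applies are visible (base-128 OID arcs, definite-length encoding, and the named-bit-list rule for BIT STRING that drops trailing zero bits). It covers both types from the KeyUsage.asn1 module quoted in the thread. All function and constant names here (encode_oid, ext_key_usage_der, key_usage_der, KEY_USAGE_BITS) are my own.

```python
"""Hand-rolled DER encoding for the two extension types in the KeyUsage.asn1
module quoted in the thread (added example; stdlib only, no asn1c or pyasn1).

DER rules used (X.690):
  * OBJECT IDENTIFIER: the first two arcs are packed as 40*a + b; every arc
    is base-128 with the high bit set on all bytes but the last.
  * Length: short form (< 128) or long form (0x80 | n, then n big-endian bytes).
  * BIT STRING from a NamedBitList: trailing zero bits are removed, and the
    first content byte records how many bits of the last byte are unused.
"""

TAG_BIT_STRING, TAG_OID, TAG_SEQUENCE = 0x03, 0x06, 0x30

# Bit names and positions exactly as in the KeyUsage definition in the thread.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}


def encode_length(n: int) -> bytes:
    """Definite-length octets, short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(content)) + content


def _base128(arc: int) -> bytes:
    """Base-128 encoding of one OID arc, continuation bit on all but the last byte."""
    out = [arc & 0x7F]
    arc >>= 7
    while arc:
        out.append(0x80 | (arc & 0x7F))
        arc >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER from dotted-decimal text, e.g. '1.3.6.1.5.5.7.3.2'."""
    arcs = [int(a) for a in dotted.split(".")]
    if (len(arcs) < 2 or any(a < 0 for a in arcs) or arcs[0] > 2
            or (arcs[0] < 2 and arcs[1] > 39)):
        raise ValueError(f"invalid OID {dotted!r}")
    body = _base128(40 * arcs[0] + arcs[1])
    for arc in arcs[2:]:
        body += _base128(arc)
    return tlv(TAG_OID, body)


def ext_key_usage_der(purposes) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    purposes = list(purposes)
    if not purposes:
        raise ValueError("ExtKeyUsageSyntax requires at least one KeyPurposeId")
    return tlv(TAG_SEQUENCE, b"".join(encode_oid(p) for p in purposes))


def key_usage_der(names) -> bytes:
    """KeyUsage ::= BIT STRING { digitalSignature(0), ..., decipherOnly(8) }."""
    bits = sorted({KEY_USAGE_BITS[n] for n in names})  # KeyError on an unknown name
    if not bits:
        return tlv(TAG_BIT_STRING, b"\x00")  # empty bit string: 0 unused bits, no content
    nbits = bits[-1] + 1            # DER drops trailing zero bits of a named bit list
    nbytes = (nbits + 7) // 8
    value = 0
    for b in bits:
        value |= 1 << (8 * nbytes - 1 - b)  # bit 0 is the MSB of the first content byte
    unused = 8 * nbytes - nbits
    return tlv(TAG_BIT_STRING, bytes([unused]) + value.to_bytes(nbytes, "big"))


if __name__ == "__main__":
    # Same input as the ExtKeyUsage.xer file in the thread (clientAuth, emailProtection).
    print(ext_key_usage_der(["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"]).hex())
    print(key_usage_der(["digitalSignature", "keyEncipherment"]).hex())
```

Running the script prints the 22 bytes shown in the thread's xxd output for ExtKeyUsageSyntax, and `03 02 05 a0` for the usual end-entity KeyUsage. The trailing-zero-bit rule is the part most often got wrong when people encode BIT STRINGs by hand: keyCertSign plus cRLSign encodes as `03 02 01 06`, not `03 02 00 06`, and a BER decoder that tolerates the latter will still reject it under strict DER.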
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 06 Feb 2017 08:29:38 +0100 Subject: [Freeipa-devel] [freeipa PR#416][comment] replica install: relax domain level check for promotion In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/416 Title: #416: replica install: relax domain level check for promotion stlaz commented: """ @frasertweedale Alright. I am definitely not against having it separated since we came to the realization that replica install checks can not be merged in a satisfactory way anyway. """ See the full comment at https://github.com/freeipa/freeipa/pull/416#issuecomment-277604102 From freeipa-github-notification at redhat.com Mon Feb 6 07:48:00 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Mon, 06 Feb 2017 08:48:00 +0100 Subject: [Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/394 Title: #394: Add fix for ipa plugins command Akasurde commented: """ @MartinBasti is there any action item pending on my side? """ See the full comment at https://github.com/freeipa/freeipa/pull/394#issuecomment-277606801 From jcholast at redhat.com Mon Feb 6 08:16:24 2017 
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 6 Feb 2017 09:16:24 +0100 Subject: [Freeipa-devel] [DESIGN] Dogtag GSS-API Authentication In-Reply-To: <20170111010915.GR4539@dhcp-40-8.bne.redhat.com> References: <20170106080804.GP4539@dhcp-40-8.bne.redhat.com> <2f2b8dd8-3b96-2b90-fa39-c2c1c45e438a@redhat.com> <20170111010915.GR4539@dhcp-40-8.bne.redhat.com> Message-ID: On 11.1.2017 02:09, Fraser Tweedale wrote: > On Tue, Jan 10, 2017 at 10:48:08AM +0100, Martin Babinsky wrote: >> Hi Fraser, >> >> I have some rather inane comments. I guess Jan Cholasta will do a more >> thorough review of your design. See below: >> >> On 01/06/2017 09:08 AM, Fraser Tweedale wrote: >>> Hi comrades, >>> >>> I have written up the high-level details of the FreeIPA->Dogtag >>> GSS-API authentication design. The goal is to improve security by >>> removing an egregious privilege separation violation: the RA Agent >>> cert. >>> >>> There is a fair bit of work still to do on the Dogtag side but >>> things are shaping up there and it's time to work out the IPA >>> aspects. The design is at: >>> >>> http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication >> >> first of all, you link an internal document from publicly available design >> page. you should prepare a publicly visible version of the Dogtag-side >> design and link that. >> > Will do; thanks. > >> It would also be nice to have a high-level graphical representation of the >> proposed CSR processing workflow. I think you can re-use the one that is in >> the Dogtag part, omit the Dogtag internals and add IPA-specific parts. >> > I will definitely do this a bit later, once more details of IPA > design are established. 
> >>> >>> Right now, I need feedback about the Domain Level aspects: whether >>> it is the right approach, whether there are mechanisms to perform >>> update steps (specifically: LDAP updates and/or api calls) alongside >>> a DL bump, or if there aren't, how to deal with that (implement such >>> a mechanism, make admins do extra steps, ???). >>> >> >> Is the DL bump really necessary? Are you sure we really can not just update >> the profile configuration and let older Dogtag installation handle it >> gracefully? IIRC we have done some profile inclusion work in 4.2 development >> and on and never really bothered about older Dogtag understanding them. >> > The problem is that the new profiles will refer to plugins (i.e. > classes) that do not exist in older versions of Dogtag. Profile > config is replicated, so if we upgrade profile config with old > versions of Dogtag in the topology, it breaks them. > > I considered a mechanism where multiple versions of a profile exist > in LDAP (i.e. multiple attribute values), and Dogtag picks the one > that's "right" for it. (An example of how to do this might be > attribute tagging where tag indicates minimum version of Dogtag > containing components used in that profile version, and Dogtag picks > the highest that it supports). The advantage of such a mechanism is > that we could use it for any future scenario where we introduce new > profile components that we want to use in IPA. The downside is that > it significantly complicates profile management (including for > administrators), and can result in the same profile having different > behaviour on different Dogtag instances, which could be confusing > and make it harder to diagnose issues. Given the tradeoffs, I think > a DL bump is preferable. I don't like the prospect of having to bump DL every time a new component is introduced. 
This time it might be OK, because the new DL is apparently required for the RA -> GSSAPI change, but IMHO in general a change in a certificate profile does not warrant a DL bump. I agree that maintaining multiple versions of a profile is not the way to go, but I think there are other options: * Change `auth.instance_id` from `raCertAuth` to a new, IPA-specific `ipaAuth`. Configure `auths.instance.ipaAuth` in CS.cfg to behave exactly the same as `raCertAuth`. This will have to be done on all masters, including old ones, which can receive the change in a bug fix update (4.4.x). Then, on upgrade to new IPA with GSSAPI enabled Dogtag, change `auths.instance.ipaAuth` to use external script for authentication. Similar thing could be done for other profile components. * Do not care about old masters. Update the profile and let certificate requests on old masters fail. This should be fine, as the situation where there are different version masters should be only temporary until all masters are upgraded. If an appropriate error is returned from cert-request, automated requests via certmonger will be re-attempted and will succeed once all masters are upgraded. > >> Anyway I guess we can call `certprofile-import' to load >> ExternalProcessConstraint-enabled profile upon setting domain level to 2, we >> just have to know where on the FS it is located. >> >>> Of course, any other general or specific feedback is welcome. >>> >>> Thanks, >>> Fraser >>> >> >> So if I understand correctly there will be no change in CA ACL management >> interface and only the code which evaluates them will be factored out into >> 'ipa-pki-validate-cert-request' command? Also, wouldn't it be simpler if the CA >> ACL evaluation was delegated to a separate API command instead? >> ExternalProcessConstraint would then only ask IPA JSON api and process the >> response. 
>> > There are no changes to CA ACL management interface as part of this > design, but there are proposals to extend/rework it in future, e.g. > #6424, #6425, #6426. > > Having a separate command for CA ACL evaluation is a good idea, and > a clean refactoring target. ExternalProcessConstraint is generic > with no knowledge of IPA API, but 'ipa-pki-validate-cert-request' > can invoke the new API command. > > Thanks for your feedback, Martin! > > Cheers, > Fraser > -- Jan Cholasta From freeipa-github-notification at redhat.com Mon Feb 6 08:26:21 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 06 Feb 2017 09:26:21 +0100 Subject: [Freeipa-devel] [freeipa PR#432][comment] build: Add missing dependency on libxmlrpc{, _util} In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/432 Title: #432: build: Add missing dependency on libxmlrpc{,_util} tiran commented: """ ACK ipa-join uses functions from ```libxmlrpc.so``` (e.g. ```xmlrpc_string_new```) and from ```libxmlrpc_util.so``` (e.g. ```xmlrpc_env_init```). In the past it was no problem because ```libxmlrpc_client.so``` depends on both libraries and pulled the function in. Nowadays indirect linking triggers a DSO error. All libraries must be linked directly. """ See the full comment at https://github.com/freeipa/freeipa/pull/432#issuecomment-277613117 From abokovoy at redhat.com Mon Feb 6 08:37:34 2017 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 6 Feb 2017 10:37:34 +0200 Subject: [Freeipa-devel] [DESIGN] Dogtag GSS-API Authentication In-Reply-To: References: <20170106080804.GP4539@dhcp-40-8.bne.redhat.com> <2f2b8dd8-3b96-2b90-fa39-c2c1c45e438a@redhat.com> <20170111010915.GR4539@dhcp-40-8.bne.redhat.com> Message-ID: <20170206083734.pnjiqx2ndhtu6nwc@redhat.com> On ma, 06 helmi 2017, Jan Cholasta wrote: >On 11.1.2017 02:09, Fraser Tweedale wrote: >>On Tue, Jan 10, 2017 at 10:48:08AM +0100, Martin Babinsky wrote: >>>Hi Fraser, >>> >>>I have some rather inane comments. I guess Jan Cholasta will do a more >>>thorough review of your design. See below: >>> >>>On 01/06/2017 09:08 AM, Fraser Tweedale wrote: >>>>Hi comrades, >>>> >>>>I have written up the high-level details of the FreeIPA->Dogtag >>>>GSS-API authentication design. The goal is to improve security by >>>>removing an egregious privilege separation violation: the RA Agent >>>>cert. >>>> >>>>There is a fair bit of work still to do on the Dogtag side but >>>>things are shaping up there and it's time to work out the IPA >>>>aspects. The design is at: >>>> >>>> http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication >>> >>>first of all, you link an internal document from publicly available design >>>page. you should prepare a publicly visible version of the Dogtag-side >>>design and link that. >>> >>Will do; thanks. >> >>>It would also be nice to have a high-level graphical representation of the >>>proposed CSR processing workflow. I think you can re-use the one that is in >>>the Dogtag part, omit the Dogtag internals and add IPA-specific parts. >>> >>I will definitely do this a bit later, once more details of IPA >>design are established. 
>> >>>> >>>>Right now, I need feedback about the Domain Level aspects: whether >>>>it is the right approach, whether there are mechanisms to perform >>>>update steps (specifically: LDAP updates and/or api calls) alongside >>>>a DL bump, or if there aren't, how to deal with that (implement such >>>>a mechanism, make admins do extra steps, ???). >>>> >>> >>>Is the DL bump really necessary? Are you sure we really can not just update >>>the profile configuration and let older Dogtag installation handle it >>>gracefully? IIRC we have done some profile inclusion work in 4.2 development >>>and on and never really bothered about older Dogtag understanding them. >>> >>The problem is that the new profiles will refer to plugins (i.e. >>classes) that do not exist in older versions of Dogtag. Profile >>config is replicated, so if we upgrade profile config with old >>versions of Dogtag in the topology, it breaks them. >> >>I considered a mechanism where multiple versions of a profile exist >>in LDAP (i.e. multiple attribute values), and Dogtag picks the one >>that's "right" for it. (An example of how to do this might be >>attribute tagging where tag indicates minimum version of Dogtag >>containing components used in that profile version, and Dogtag picks >>the highest that it supports). The advantage of such a mechanism is >>that we could use it for any future scenario where we introduce new >>profile components that we want to use in IPA. The downside is that >>it significantly complicates profile management (including for >>administrators), and can result in the same profile having different >>behaviour on different Dogtag instances, which could be confusing >>and make it harder to diagnose issues. Given the tradeoffs, I think >>a DL bump is preferable. > >I don't like the prospect of having to bump DL every time a new >component is introduced. 
This time it might be OK, because the new DL >is apparently required for the RA -> GSSAPI change, but IMHO in >general a change in a certificate profile does not warrant a DL bump. > >I agree that maintaining multiple versions of a profile is not the way >to go, but I think there are other options: > >* Change `auth.instance_id` from `raCertAuth` to a new, IPA-specific >`ipaAuth`. Configure `auths.instance.ipaAuth` in CS.cfg to behave >exactly the same as `raCertAuth`. This will have to be done on all >masters, including old ones, which can receive the change in a bug fix >update (4.4.x). Then, on upgrade to new IPA with GSSAPI enabled >Dogtag, change `auths.instance.ipaAuth` to use external script for >authentication. Similar thing could be done for other profile >components. > >* Do not care about old masters. Update the profile and let >certificate requests on old masters fail. This should be fine, as the >situation where there are different version masters should be only >temporary until all masters are upgraded. If an appropriate error is >returned from cert-request, automated requests via certmonger will be >re-attempted and will succeed once all masters are upgraded. I'd prefer option number one. Using an IPA-specific auth instance would allow us to be more flexible in manipulating the properties of it in future without worrying to break older setups. -- / Alexander Bokovoy From freeipa-github-notification at redhat.com Mon Feb 6 09:02:55 2017 
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 06 Feb 2017 10:02:55 +0100
Subject: [Freeipa-devel] [freeipa PR#364][synchronized] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Author: tiran
Title: #364: Client-only builds with --disable-server
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/364/head:pr364
git checkout pr364

From: freeipa-github-notification at redhat.com (pvomacka)
Date: Mon, 06 Feb 2017 10:13:17 +0100
Subject: [Freeipa-devel] [freeipa PR#432][+ack] build: Add missing dependency on libxmlrpc{, _util}

URL: https://github.com/freeipa/freeipa/pull/432
Title: #432: build: Add missing dependency on libxmlrpc{,_util}
Label: +ack
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 6 Feb 2017 10:24:31 +0100
Subject: [Freeipa-devel] [DESIGN] IPA permission enforcement in Dogtag
In-Reply-To: <06bccd8a-cebe-4acb-a5af-7c1ed985f313@redhat.com>
References: <20170113070713.GG4539@dhcp-40-8.bne.redhat.com> <06bccd8a-cebe-4acb-a5af-7c1ed985f313@redhat.com>

On 17.1.2017 08:57, David Kupka wrote:
> On 13/01/17 08:07, Fraser Tweedale wrote:
>> Related to design:
>> http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
>>
>> Currently there are some operations that hit the CA that involve a
>> number of privileged operations against the CA, but for which there
>> is only one associated IPA permission. Deleting a CA is a good
>> example (but it is one specific case of a more general issue).
>> Summary of current ca-del behaviour:
>>
>> 1. Disable LWCA in Dogtag (uses RA Agent cert)
>> 2. Delete LWCA in Dogtag (uses RA Agent cert)
>> 3. Delete CA entry from IPA (requires "System: Delete CA" permission)
>>
>> So there are two things going on under the hood: a modify operation
>> (disable CA) and the delete.
>>
>> When we implement proxy authentication to Dogtag, Dogtag will
>> enforce the IPA permissions on its operations. Disable will map to
>> "System: Modify CA" and delete to "System: Delete CA". So to delete
>> a CA a user will need *both* permissions. Which could be
>> surprising.
>>
>> There are a couple of reasonable approaches to this.
>>
>> 1. Decouple the disable and delete operations. If CA is not
>> disabled, the user will be instructed to execute the ca-disable
>> command separately before they can disable the CA. This introduces
>> an additional manual step for operators.
>>
>> 2. Just improve the error reporting. In my WIP, for a user that has
>> 'System: Delete CA' permission but not 'System: Modify CA', the
>> reported failure is a 403 Authorization Error from Dogtag. We can
>> add guards to fail more gracefully.
>>
>> I lean towards #2 because I guess the common case will be that users
>> either get all CA admin permissions, or none, and we don't want to
>> make more work (in the form of more commands to run) for users in
>> the common case.
>>
>> I welcome alternative views and suggestions.
>>
>> Thanks,
>> Fraser
>>
> Hi Fraser,
> as a user with "System: Delete CA" permission calling "ca-del" command I
> would be really surprised that I don't have enough privileges to
> complete the action.
>
> I would expect:
> a) "Cannot delete active CA, disable it first" error.
> b) Delete will be completed successfully. All internal and to my sight
> hidden operations will be allowed just because I'm allowed to perform
> the delete operation.
>
> I think that b) might lead to strange exceptions in authorization
> checking and therefore to security issues. So I would prefer decoupling
> ca-disable and ca-del as you're describing in 1).

IMO having to disable the CA before deletion is an implementation detail
and should not be exposed to the user at all. Why do we have to disable
the CA from IPA in ca-del? I would expect Dogtag to disable it itself
internally when it's being deleted.

--
Jan Cholasta
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 6 Feb 2017 19:38:01 +1000
Subject: [Freeipa-devel] [DESIGN] Dogtag GSS-API Authentication
In-Reply-To: <20170206083734.pnjiqx2ndhtu6nwc@redhat.com>
References: <20170106080804.GP4539@dhcp-40-8.bne.redhat.com> <2f2b8dd8-3b96-2b90-fa39-c2c1c45e438a@redhat.com> <20170111010915.GR4539@dhcp-40-8.bne.redhat.com> <20170206083734.pnjiqx2ndhtu6nwc@redhat.com>
Message-ID: <20170206093801.GQ3557@dhcp-40-8.bne.redhat.com>

On Mon, Feb 06, 2017 at 10:37:34AM +0200, Alexander Bokovoy wrote:
> On Mon, 06 Feb 2017, Jan Cholasta wrote:
> > On 11.1.2017 02:09, Fraser Tweedale wrote:
> > > On Tue, Jan 10, 2017 at 10:48:08AM +0100, Martin Babinsky wrote:
> > > > Hi Fraser,
> > > >
> > > > I have some rather inane comments. I guess Jan Cholasta will do a more
> > > > thorough review of your design. See below:
> > > >
> > > > On 01/06/2017 09:08 AM, Fraser Tweedale wrote:
> > > > > Hi comrades,
> > > > >
> > > > > I have written up the high-level details of the FreeIPA->Dogtag
> > > > > GSS-API authentication design. The goal is to improve security by
> > > > > removing an egregious privilege separation violation: the RA Agent
> > > > > cert.
> > > > >
> > > > > There is a fair bit of work still to do on the Dogtag side but
> > > > > things are shaping up there and it's time to work out the IPA
> > > > > aspects. The design is at:
> > > > >
> > > > > http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
> > > > >
> > > > first of all, you link an internal document from publicly available design
> > > > page. you should prepare a publicly visible version of the Dogtag-side
> > > > design and link that.
> > > >
> > > Will do; thanks.
> > >
> > > > It would also be nice to have a high-level graphical representation of the
> > > > proposed CSR processing workflow. I think you can re-use the one that is in
> > > > the Dogtag part, omit the Dogtag internals and add IPA-specific parts.
> > > >
> > > I will definitely do this a bit later, once more details of IPA
> > > design are established.
> > >
> > > > >
> > > > > Right now, I need feedback about the Domain Level aspects: whether
> > > > > it is the right approach, whether there are mechanisms to perform
> > > > > update steps (specifically: LDAP updates and/or api calls) alongside
> > > > > a DL bump, or if there aren't, how to deal with that (implement such
> > > > > a mechanism, make admins do extra steps, ???).
> > > > >
> > > >
> > > > Is the DL bump really necessary? Are you sure we really can not just update
> > > > the profile configuration and let older Dogtag installation handle it
> > > > gracefully? IIRC we have done some profile inclusion work in 4.2 development
> > > > and on and never really bothered about older Dogtag understanding them.
> > > >
> > > The problem is that the new profiles will refer to plugins (i.e.
> > > classes) that do not exist in older versions of Dogtag. Profile
> > > config is replicated, so if we upgrade profile config with old
> > > versions of Dogtag in the topology, it breaks them.
> > >
> > > I considered a mechanism where multiple versions of a profile exist
> > > in LDAP (i.e. multiple attribute values), and Dogtag picks the one
> > > that's "right" for it. (An example of how to do this might be
> > > attribute tagging where tag indicates minimum version of Dogtag
> > > containing components used in that profile version, and Dogtag picks
> > > the highest that it supports). The advantage of such a mechanism is
> > > that we could use it for any future scenario where we introduce new
> > > profile components that we want to use in IPA. The downside is that
> > > it significantly complicates profile management (including for
> > > administrators), and can result in the same profile having different
> > > behaviour on different Dogtag instances, which could be confusing
> > > and make it harder to diagnose issues. Given the tradeoffs, I think
> > > a DL bump is preferable.
> >
> > I don't like the prospect of having to bump DL every time a new
> > component is introduced. This time it might be OK, because the new DL is
> > apparently required for the RA -> GSSAPI change, but IMHO in general a
> > change in a certificate profile does not warrant a DL bump.
> >
> > I agree that maintaining multiple versions of a profile is not the way
> > to go, but I think there are other options:
> >
> > * Change `auth.instance_id` from `raCertAuth` to a new, IPA-specific
> > `ipaAuth`. Configure `auths.instance.ipaAuth` in CS.cfg to behave
> > exactly the same as `raCertAuth`. This will have to be done on all
> > masters, including old ones, which can receive the change in a bug fix
> > update (4.4.x). Then, on upgrade to new IPA with GSSAPI enabled Dogtag,
> > change `auths.instance.ipaAuth` to use external script for
> > authentication. Similar thing could be done for other profile
> > components.
> >
> > * Do not care about old masters. Update the profile and let certificate
> > requests on old masters fail. This should be fine, as the situation
> > where there are different version masters should be only temporary until
> > all masters are upgraded. If an appropriate error is returned from
> > cert-request, automated requests via certmonger will be re-attempted and
> > will succeed once all masters are upgraded.
> I'd prefer option number one. Using an IPA-specific auth instance
> would allow us to be more flexible in manipulating the properties of it
> in future without worrying about breaking older setups.
>
This is essentially what will be accomplished with
ExternalProcessConstraint, which in FreeIPA profiles will be configured
to invoke a process that is shipped as part of FreeIPA. Using an
authentication plugin is not quite right because it will do
IPA-specific validation, not just authnz.

Cheers,
Fraser

> --
> / Alexander Bokovoy

From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 06 Feb 2017 10:47:37 +0100
Subject: [Freeipa-devel] [freeipa PR#407][synchronized] New lite-server implementation

URL: https://github.com/freeipa/freeipa/pull/407
Author: tiran
Title: #407: New lite-server implementation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/407/head:pr407
git checkout pr407

From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 06 Feb 2017 11:26:11 +0100
Subject: [Freeipa-devel] [freeipa PR#407][synchronized] New lite-server implementation

URL: https://github.com/freeipa/freeipa/pull/407
Author: tiran
Title: #407: New lite-server implementation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/407/head:pr407
git checkout pr407
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 06 Feb 2017 12:18:18 +0100
Subject: [Freeipa-devel] [freeipa PR#435][opened] py3: cert.py: create principal object from string

URL: https://github.com/freeipa/freeipa/pull/435
Author: MartinBasti
Title: #435: py3: cert.py: create principal object from string
Action: opened

PR body:
"""
Principal object must be created from string not from bytes

https://fedorahosted.org/freeipa/ticket/4985
https://fedorahosted.org/freeipa/ticket/6640
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/435/head:pr435
git checkout pr435

From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 06 Feb 2017 12:47:06 +0100
Subject: [Freeipa-devel] [freeipa PR#436][opened] x509: allow leading text in PEM files

URL: https://github.com/freeipa/freeipa/pull/436
Author: HonzaCholasta
Title: #436: x509: allow leading text in PEM files
Action: opened

PR body:
"""
This fixes a regression introduced in commit b8d6524d43dd0667184aebc79fb77a9b8a46939a.

https://fedorahosted.org/freeipa/ticket/4985
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/436/head:pr436
git checkout pr436
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 06 Feb 2017 12:56:53 +0100
Subject: [Freeipa-devel] [freeipa PR#436][comment] x509: allow leading text in PEM files

URL: https://github.com/freeipa/freeipa/pull/436
Title: #436: x509: allow leading text in PEM files

tiran commented:
"""
NACK

The ^ is correct because the regular expression must search for a line that starts with ```-----BEGIN CERTIFICATE-----```. I cannot reproduce the issue locally. The regexp matches a cert with leading text:

```
>>> import re
>>> regexp = u"^-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
>>> pem = u"leading line\n-----BEGIN CERTIFICATE-----\nabcd\n-----END CERTIFICATE-----\ntrailing text"
>>> re.search(regexp, pem, re.MULTILINE | re.DOTALL)
<_sre.SRE_Match object at 0x7f667778d0a8>
>>> re.search(regexp, pem, re.MULTILINE | re.DOTALL).group(1)
u'\nabcd\n'
```
"""

See the full comment at
https://github.com/freeipa/freeipa/pull/436#issuecomment-277661149

From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 06 Feb 2017 13:09:51 +0100
Subject: [Freeipa-devel] [freeipa PR#436][comment] x509: allow leading text in PEM files

URL: https://github.com/freeipa/freeipa/pull/436
Title: #436: x509: allow leading text in PEM files

HonzaCholasta commented:
"""
Oops, didn't realize that `^` matches beginning of each line in multiline mode. I think we can keep the test, though.
"""

See the full comment at
https://github.com/freeipa/freeipa/pull/436#issuecomment-277663630
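The following is an added example (my own, not from the PR or the FreeIPA code base) that works through the regular-expression behaviour discussed in PR#436: `^` only matches after a newline when `re.MULTILINE` is set, so the same pattern accepts or rejects PEM with leading text depending on the flags, and the non-greedy group is what keeps concatenated certificates apart. The PEM input is constructed with placeholder bodies, not real certificates.

```python
import re

# The pattern from the PR discussion: one certificate body per match.
PEM_CERT_RE = r"^-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"

# Same pattern with a greedy group, kept only to show the failure mode.
PEM_CERT_GREEDY_RE = r"^-----BEGIN CERTIFICATE-----(.*)-----END CERTIFICATE-----"

# Constructed sample (placeholder bodies, not real certificates): a text
# line before the first block, as openssl and many tools emit, and two
# certificates in one file.
SAMPLE_PEM = (
    "subject=CN=placeholder\n"
    "-----BEGIN CERTIFICATE-----\n"
    "AAAA\nBBBB\n"
    "-----END CERTIFICATE-----\n"
    "trailing text\n"
    "-----BEGIN CERTIFICATE-----\n"
    "CCCC\n"
    "-----END CERTIFICATE-----\n"
)


def find_cert_bodies(text, multiline=True):
    """Return the text between each BEGIN/END CERTIFICATE marker pair.

    re.DOTALL lets the group span lines. re.MULTILINE makes '^' match at
    the start of every line, which is what allows leading text before the
    first block. With multiline=False the anchor only matches at the very
    start of the string, so a file with leading text yields no match and
    even a clean multi-certificate file yields only its first block.
    """
    flags = re.DOTALL
    if multiline:
        flags |= re.MULTILINE
    return [m.group(1) for m in re.finditer(PEM_CERT_RE, text, flags)]


def find_cert_bodies_greedy(text):
    """Greedy variant: a multi-certificate file collapses into one match
    whose body swallows the END/BEGIN markers between blocks, which is why
    the pattern in the PR uses (.*?)."""
    return [m.group(1)
            for m in re.finditer(PEM_CERT_GREEDY_RE, text,
                                 re.MULTILINE | re.DOTALL)]


def count_certs(text):
    """Number of certificate blocks found with the MULTILINE pattern."""
    return len(find_cert_bodies(text))
```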
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 06 Feb 2017 13:11:30 +0100
Subject: [Freeipa-devel] [freeipa PR#436][synchronized] x509: allow leading text in PEM files

URL: https://github.com/freeipa/freeipa/pull/436
Author: HonzaCholasta
Title: #436: x509: allow leading text in PEM files
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/436/head:pr436
git checkout pr436

From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 06 Feb 2017 13:18:29 +0100
Subject: [Freeipa-devel] [freeipa PR#436][comment] x509: allow leading text in PEM files

URL: https://github.com/freeipa/freeipa/pull/436
Title: #436: x509: allow leading text in PEM files

tiran commented:
"""
Yes, please keep the test. It should pass with the current regular expression, too.
"""

See the full comment at
https://github.com/freeipa/freeipa/pull/436#issuecomment-277665259
From: freeipa-github-notification at redhat.com (abbra)
Date: Mon, 06 Feb 2017 13:37:51 +0100
Subject: [Freeipa-devel] [freeipa PR#410][synchronized] ipa-kdb: support KDB DAL version 6.1

URL: https://github.com/freeipa/freeipa/pull/410
Author: abbra
Title: #410: ipa-kdb: support KDB DAL version 6.1
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/410/head:pr410
git checkout pr410

From: freeipa-github-notification at redhat.com (abbra)
Date: Mon, 06 Feb 2017 13:41:26 +0100
Subject: [Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

abbra commented:
"""
I split the tables into separate ones and also made independent #if/#endif blocks for them. Finally, I added a spec file guard to force using 1.15-5 or later version on Fedora 26 or later.
"""

See the full comment at
https://github.com/freeipa/freeipa/pull/410#issuecomment-277669579

From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 06 Feb 2017 13:53:18 +0100
Subject: [Freeipa-devel] [freeipa PR#436][+ack] x509: allow leading text in PEM files

URL: https://github.com/freeipa/freeipa/pull/436
Title: #436: x509: allow leading text in PEM files
Label: +ack
From: freeipa-github-notification at redhat.com (celestian)
Date: Mon, 06 Feb 2017 14:37:06 +0100
Subject: [Freeipa-devel] [freeipa PR#409][synchronized] ipatests: nested netgroups (intg)

URL: https://github.com/freeipa/freeipa/pull/409
Author: celestian
Title: #409: ipatests: nested netgroups (intg)
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/409/head:pr409
git checkout pr409

From: freeipa-github-notification at redhat.com (simo5)
Date: Mon, 06 Feb 2017 14:48:37 +0100
Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 06 Feb 2017 14:54:04 +0100
Subject: [Freeipa-devel] [freeipa PR#436][comment] x509: allow leading text in PEM files

URL: https://github.com/freeipa/freeipa/pull/436
Title: #436: x509: allow leading text in PEM files

HonzaCholasta commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/89dfbab3ca076812590f371c21abcb51b350170b
"""

See the full comment at
https://github.com/freeipa/freeipa/pull/436#issuecomment-277687144

From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 06 Feb 2017 14:54:05 +0100
Subject: [Freeipa-devel] [freeipa PR#436][closed] x509: allow leading text in PEM files

URL: https://github.com/freeipa/freeipa/pull/436
Author: HonzaCholasta
Title: #436: x509: allow leading text in PEM files
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/436/head:pr436
git checkout pr436

From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 06 Feb 2017 14:54:07 +0100
Subject: [Freeipa-devel] [freeipa PR#436][+pushed] x509: allow leading text in PEM files

URL: https://github.com/freeipa/freeipa/pull/436
Title: #436: x509: allow leading text in PEM files
Label: +pushed
From: freeipa-github-notification at redhat.com (simo5)
Date: Mon, 06 Feb 2017 14:56:28 +0100
Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314

From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Mon, 06 Feb 2017 16:58:52 +0100
Subject: [Freeipa-devel] [freeipa PR#437][opened] FIPS: replica install check

URL: https://github.com/freeipa/freeipa/pull/437
Author: tomaskrizek
Title: #437: FIPS: replica install check
Action: opened

PR body:
"""
PR depends on the rest of the FIPS patches.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/437/head:pr437
git checkout pr437

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 06 Feb 2017 17:19:45 +0100
Subject: [Freeipa-devel] [freeipa PR#432][+pushed] build: Add missing dependency on libxmlrpc{, _util}

URL: https://github.com/freeipa/freeipa/pull/432
Title: #432: build: Add missing dependency on libxmlrpc{,_util}
Label: +pushed
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 06 Feb 2017 17:19:48 +0100
Subject: [Freeipa-devel] [freeipa PR#432][comment] build: Add missing dependency on libxmlrpc{, _util}

URL: https://github.com/freeipa/freeipa/pull/432
Title: #432: build: Add missing dependency on libxmlrpc{,_util}

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/f4088b3a00b3cbd1a0133ac90cba85e501573f76
"""

See the full comment at
https://github.com/freeipa/freeipa/pull/432#issuecomment-277732073

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 06 Feb 2017 17:19:49 +0100
Subject: [Freeipa-devel] [freeipa PR#432][closed] build: Add missing dependency on libxmlrpc{, _util}

URL: https://github.com/freeipa/freeipa/pull/432
Author: dkupka
Title: #432: build: Add missing dependency on libxmlrpc{,_util}
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/432/head:pr432
git checkout pr432

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 06 Feb 2017 17:22:01 +0100
Subject: [Freeipa-devel] [freeipa PR#432][comment] build: Add missing dependency on libxmlrpc{, _util}

URL: https://github.com/freeipa/freeipa/pull/432
Title: #432: build: Add missing dependency on libxmlrpc{,_util}

MartinBasti commented:
"""
Needs separate PR for ipa-4-4 branch
"""

See the full comment at
https://github.com/freeipa/freeipa/pull/432#issuecomment-277732697
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Mon, 06 Feb 2017 17:27:29 +0100
Subject: [Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"

URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

flo-renaud commented:
"""
Hi,
PR updated with dependency on pki 10.3.5-11 (note that this package is currently available in fedora updates-testing only).
"""

See the full comment at
https://github.com/freeipa/freeipa/pull/395#issuecomment-277734364

From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Mon, 06 Feb 2017 17:28:43 +0100
Subject: [Freeipa-devel] [freeipa PR#395][synchronized] Configure PKI ajp redirection to use "localhost" instead of "::1"

URL: https://github.com/freeipa/freeipa/pull/395
Author: flo-renaud
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/395/head:pr395
git checkout pr395

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 06 Feb 2017 17:28:58 +0100
Subject: [Freeipa-devel] [freeipa PR#422][+pushed] Fix reference before assignment

URL: https://github.com/freeipa/freeipa/pull/422
Title: #422: Fix reference before assignment
Label: +pushed
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 06 Feb 2017 17:28:59 +0100
Subject: [Freeipa-devel] [freeipa PR#422][comment] Fix reference before assignment

URL: https://github.com/freeipa/freeipa/pull/422
Title: #422: Fix reference before assignment

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/924794f62b9d3d0f46ca18e4f9338eaed865c03e
"""

See the full comment at
https://github.com/freeipa/freeipa/pull/422#issuecomment-277734802

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 06 Feb 2017 17:29:01 +0100
Subject: [Freeipa-devel] [freeipa PR#422][closed] Fix reference before assignment

URL: https://github.com/freeipa/freeipa/pull/422
Author: frasertweedale
Title: #422: Fix reference before assignment
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/422/head:pr422
git checkout pr422

From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Mon, 06 Feb 2017 17:36:40 +0100
Subject: [Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check

URL: https://github.com/freeipa/freeipa/pull/437
Author: tomaskrizek
Title: #437: FIPS: replica install check
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/437/head:pr437
git checkout pr437
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 06 Feb 2017 17:46:00 +0100
Subject: [Freeipa-devel] [freeipa PR#409][+ack] ipatests: nested netgroups (intg)

URL: https://github.com/freeipa/freeipa/pull/409
Title: #409: ipatests: nested netgroups (intg)
Label: +ack

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 06 Feb 2017 17:58:08 +0100
Subject: [Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check

URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check

MartinBasti commented:
"""
I'm still afraid that users may want to create a FIPS replica from the non-FIPS master, even if it is not recommended due to security. How can this be achieved?
"""

See the full comment at
https://github.com/freeipa/freeipa/pull/437#issuecomment-277743511

From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Mon, 06 Feb 2017 18:05:36 +0100
Subject: [Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check

URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check

tomaskrizek commented:
"""
@MartinBasti Since this check is performed only during installation, the user could simply install non-FIPS replica and then turn FIPS on afterwards. There might be issues with this approach and thus it is neither recommended nor supported, as stated in the [documentation](https://www.freeipa.org/page/V4/FreeIPA-on-FIPS#Multiple_servers_in_topology).
"""

See the full comment at
https://github.com/freeipa/freeipa/pull/437#issuecomment-277745754
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Mon, 06 Feb 2017 18:27:57 +0100
Subject: [Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check

URL: https://github.com/freeipa/freeipa/pull/437
Author: tomaskrizek
Title: #437: FIPS: replica install check
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/437/head:pr437
git checkout pr437

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 06 Feb 2017 18:32:39 +0100
Subject: [Freeipa-devel] [freeipa PR#435][synchronized] py3: cert.py: create principal object from string

URL: https://github.com/freeipa/freeipa/pull/435
Author: MartinBasti
Title: #435: py3: cert.py: create principal object from string
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/435/head:pr435
git checkout pr435
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 06 Feb 2017 18:32:42 +0100 Subject: [Freeipa-devel] [freeipa PR#435][edited] py3: fix replica install regression In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/435 Author: MartinBasti Title: #435: py3: fix replica install regression Action: edited Changed field: title Original value: """ py3: cert.py: create principal object from string """ From freeipa-github-notification at redhat.com Mon Feb 6 18:12:57 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 06 Feb 2017 19:12:57 +0100 Subject: [Freeipa-devel] [freeipa PR#427][synchronized] [Py3] WSGI part 2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/427 Author: MartinBasti Title: #427: [Py3] WSGI part 2 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/427/head:pr427 git checkout pr427 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-427.patch Type: text/x-diff Size: 10910 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Feb 6 19:01:23 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 06 Feb 2017 20:01:23 +0100 Subject: [Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/437 Title: #437: FIPS: replica install check MartinBasti commented: """ @tomaskrizek on current versions of RHEL and fedora IPA doesn't start in FIPS, but upgrading first and then enabling FIPS might be the way """ See the full comment at https://github.com/freeipa/freeipa/pull/437#issuecomment-277778586 From rcritten at redhat.com Mon Feb 6 20:01:13 2017 
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 6 Feb 2017 15:01:13 -0500
Subject: [Freeipa-devel] python-pyasn1 updated in rawhide and updates-testing for F-25
Message-ID: <7080ca61-8c85-5f9a-dedc-acb004370879@redhat.com>

I updated the Fedora pyasn1 package to the latest release, 0.2.1. I did
some very basic testing against IPA 4.2 and it worked ok.

The build is already up in rawhide and is on the way to updates-testing
in Bodhi. It would be great to get some karma on it. I have auto-push
turned off so it won't go stable in a week automatically.

rob

From freeipa-github-notification at redhat.com Tue Feb 7 07:43:03 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 07 Feb 2017 08:43:03 +0100
Subject: [Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check

martbab commented:
"""
@tomaskrizek since you added a new key to the Env object, you will have to fix `test_ipalib/test_config.py` to account for this change, see https://travis-ci.org/freeipa/freeipa/jobs/198916106#L443
"""

See the full comment at https://github.com/freeipa/freeipa/pull/437#issuecomment-277924079

From freeipa-github-notification at redhat.com Tue Feb 7 08:43:00 2017
From: freeipa-github-notification at redhat.com (Akasurde) Date: Tue, 07 Feb 2017 09:43:00 +0100 Subject: [Freeipa-devel] [freeipa PR#421][synchronized] Update warning message for replica install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/421 Author: Akasurde Title: #421: Update warning message for replica install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/421/head:pr421 git checkout pr421 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-421.patch Type: text/x-diff Size: 1442 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 7 08:46:14 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Tue, 07 Feb 2017 09:46:14 +0100 Subject: [Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/410 Title: #410: ipa-kdb: support KDB DAL version 6.1 abbra commented: """ @simo5 @frozencemetery unfortunately, the provide of "krb5-kdb-version = 6.1" is on krb5-libs, not on krb5-devel, so I cannot do a buildrequires dependency this way. """ See the full comment at https://github.com/freeipa/freeipa/pull/410#issuecomment-277935827 From freeipa-github-notification at redhat.com Tue Feb 7 09:43:36 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 07 Feb 2017 10:43:36 +0100 Subject: [Freeipa-devel] [freeipa PR#435][+ack] py3: fix replica install regression In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/435 Title: #435: py3: fix replica install regression Label: +ack From freeipa-github-notification at redhat.com Tue Feb 7 09:43:40 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 07 Feb 2017 10:43:40 +0100 Subject: [Freeipa-devel] [freeipa PR#435][comment] py3: fix replica install regression In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/435 Title: #435: py3: fix replica install regression stlaz commented: """ Works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/435#issuecomment-277948678 From freeipa-github-notification at redhat.com Tue Feb 7 09:48:10 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 07 Feb 2017 10:48:10 +0100 Subject: [Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/410 Title: #410: ipa-kdb: support KDB DAL version 6.1 simo5 commented: """ @frozencemetery Should we provide krb5-kdb-version-devel from krb5-devel ? """ See the full comment at https://github.com/freeipa/freeipa/pull/410#issuecomment-277949768 From freeipa-github-notification at redhat.com Tue Feb 7 09:49:57 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Tue, 07 Feb 2017 10:49:57 +0100 Subject: [Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/437 Title: #437: FIPS: replica install check pvoborni commented: """ @MartinBasti I'm not sure from your comment if you would like to provide a way to change non-FIPS server into a FIPS server or just brainstorming ways how it can be worked around. In any case this path is not a goal and actually should be discouraged. http://www.freeipa.org/page/V4/FreeIPA-on-FIPS#Design """ See the full comment at https://github.com/freeipa/freeipa/pull/437#issuecomment-277950210 From freeipa-github-notification at redhat.com Tue Feb 7 10:37:01 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Feb 2017 11:37:01 +0100 Subject: [Freeipa-devel] [freeipa PR#435][comment] py3: fix replica install regression In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/435 Title: #435: py3: fix replica install regression MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/91ab650ac42d34d4958e33da7ef0641842511a89 """ See the full comment at https://github.com/freeipa/freeipa/pull/435#issuecomment-277961075 From freeipa-github-notification at redhat.com Tue Feb 7 10:37:02 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Feb 2017 11:37:02 +0100 Subject: [Freeipa-devel] [freeipa PR#435][+pushed] py3: fix replica install regression In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/435 Title: #435: py3: fix replica install regression Label: +pushed From freeipa-github-notification at redhat.com Tue Feb 7 10:37:04 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Feb 2017 11:37:04 +0100 Subject: [Freeipa-devel] [freeipa PR#435][closed] py3: fix replica install regression In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/435 Author: MartinBasti Title: #435: py3: fix replica install regression Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/435/head:pr435 git checkout pr435 From freeipa-github-notification at redhat.com Tue Feb 7 10:56:34 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Feb 2017 11:56:34 +0100 Subject: [Freeipa-devel] [freeipa PR#409][+pushed] ipatests: nested netgroups (intg) In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/409 Title: #409: ipatests: nested netgroups (intg) Label: +pushed From freeipa-github-notification at redhat.com Tue Feb 7 10:56:35 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Feb 2017 11:56:35 +0100 Subject: [Freeipa-devel] [freeipa PR#409][comment] ipatests: nested netgroups (intg) In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/409 Title: #409: ipatests: nested netgroups (intg) MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/dc99d3c04e43b08d2364209a641b8b9111e5986c """ See the full comment at https://github.com/freeipa/freeipa/pull/409#issuecomment-277965285 From freeipa-github-notification at redhat.com Tue Feb 7 10:56:36 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Feb 2017 11:56:36 +0100 Subject: [Freeipa-devel] [freeipa PR#409][closed] ipatests: nested netgroups (intg) In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/409 Author: celestian Title: #409: ipatests: nested netgroups (intg) Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/409/head:pr409 git checkout pr409 From freeipa-github-notification at redhat.com Tue Feb 7 11:01:22 2017 
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 07 Feb 2017 12:01:22 +0100
Subject: [Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check

MartinBasti commented:
"""
@pvoborni more or less brainstorming, as I'm almost sure that people will want to migrate current deployments to FIPS mode
"""

See the full comment at https://github.com/freeipa/freeipa/pull/437#issuecomment-277966347

From jcholast at redhat.com Tue Feb 7 11:08:09 2017
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 7 Feb 2017 12:08:09 +0100 Subject: [Freeipa-devel] CSR autogeneration next steps In-Reply-To: <55d37716-ae4d-1924-6e6e-44d169e6fa5d@redhat.com> References: <4d31f26b-e332-7362-2b8e-3382a0109067@redhat.com> <2ac0c9af-ef4a-65fe-0cb9-2d161bb7eba0@redhat.com> <77684b8f-c0f5-b1ad-cf7c-075184b5ee39@redhat.com> <71e4dec2-dde8-1cf5-c4cf-399e70f5c60d@redhat.com> <547fedb7-9996-0264-edb4-a563c1f038cf@redhat.com> <5198614b-1704-27b6-7985-46d57b528643@redhat.com> <55d37716-ae4d-1924-6e6e-44d169e6fa5d@redhat.com> Message-ID: <2e484b09-dd5f-b153-8576-8dd33ef8e5f9@redhat.com> On 4.2.2017 16:40, Ben Lipton wrote: > On 01/12/2017 04:35 AM, Jan Cholasta wrote: >> On 11.1.2017 00:38, Ben Lipton wrote: >>> >>> On 01/10/2017 01:58 AM, Jan Cholasta wrote: >>>> On 19.12.2016 21:59, Ben Lipton wrote: >>>>> >>>>> On 12/15/2016 11:11 PM, Ben Lipton wrote: >>>>>> >>>>>> On 12/12/2016 03:52 AM, Jan Cholasta wrote: >>>>>>> On 5.12.2016 16:48, Ben Lipton wrote: >>>>>>>> Hi Jan, thanks for the comments. >>>>>>>> >>>>>>>> >>>>>>>> On 12/05/2016 04:25 AM, Jan Cholasta wrote: >>>>>>>>> Hi Ben, >>>>>>>>> >>>>>>>>> On 3.11.2016 00:12, Ben Lipton wrote: >>>>>>>>>> Hi everybody, >>>>>>>>>> >>>>>>>>>> Soon I'm going to have to reduce the amount of time I spend on >>>>>>>>>> new >>>>>>>>>> development work for the CSR autogeneration project, and I >>>>>>>>>> want to >>>>>>>>>> leave >>>>>>>>>> the project in as organized a state as possible. So, I'm taking >>>>>>>>>> inventory of the work I've done in order to make sure that what's >>>>>>>>>> ready >>>>>>>>>> for review can get reviewed and the ideas that have been >>>>>>>>>> discussed >>>>>>>>>> get >>>>>>>>>> prototyped or at least recorded so they won't be forgotten. >>>>>>>>> >>>>>>>>> Thanks, I have some questions and comments, see below. 
>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Code that's ready for review (I will continue to put in as much >>>>>>>>>> time as >>>>>>>>>> needed to help get these ready for submission): >>>>>>>>>> >>>>>>>>>> - Current PR: https://github.com/freeipa/freeipa/pull/10 >>>>>>>>> >>>>>>>>> How hard would it be to update the PR to use the "new" interface >>>>>>>>> from >>>>>>>>> the design thread? By this I mean that currently there is a >>>>>>>>> command >>>>>>>>> (cert_get_requestdata), which creates a CSR from profile id + >>>>>>>>> principal + helper, but in the design we discussed a command which >>>>>>>>> creates a CertificationRequestInfo from profile id + principal + >>>>>>>>> public key. >>>>>>>>> >>>>>>>>> Internally it could use the OpenSSL helper, no need to >>>>>>>>> implement the >>>>>>>>> full "new" design. With your build_requestinfo.c code below it >>>>>>>>> looks >>>>>>>>> like it should be pretty straightforward. >>>>>>>> >>>>>>>> This is probably doable with the cffi, but I'm concerned about >>>>>>>> usability. A user can run the current command to get a (reusable) >>>>>>>> script, and run the script to get a CSR. It works with keys in >>>>>>>> both PEM >>>>>>>> files and NSS databases already. If we change to outputting a >>>>>>>> CertificationRequestInfo, in order to make this usable on the >>>>>>>> command >>>>>>>> line, we'll need: >>>>>>>> - An additional tool to sign a CSR given a CertificationRequestInfo >>>>>>>> (for >>>>>>>> both types of key storage). >>>>>>>> - A way to extract a SubjectPublicKeyInfo structure from a key >>>>>>>> within >>>>>>>> the ipa command (like [1] but we need it for both types of key >>>>>>>> storage) >>>>>>>> Since as far as I know there's no standard encoding for files >>>>>>>> containing >>>>>>>> only a CertificationRequestInfo or a SubjectPublicKeyInfo, we'll be >>>>>>>> writing and distributing these ourselves. I think that's where >>>>>>>> most of >>>>>>>> the extra work will come in. 
>>>>>>>
>>>>>>> For PEM files, this is easily doable using python-cryptography (to
>>>>>>> extract SubjectPublicKeyInfo and sign CertificationRequestInfo) and
>>>>>>> PyASN1 (to create a CSR from the CertificationRequestInfo and the
>>>>>>> signature).
>>>>>>
>>>>>> I didn't realize that python-cryptography knew about
>>>>>> SubjectPublicKeyInfo structures, but indeed this seems to be pretty
>>>>>> straightforward:
>>>>>>
>>>>>>     key = load_pem_private_key(key_bytes, None, default_backend())
>>>>>>     pubkey_info = key.public_key().public_bytes(
>>>>>>         Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
>>>>>>
>>>>>> Thanks for letting me know this functionality already existed.
>>>
>>> I'm currently working on the step of signing the
>>> CertificationRequestInfo and creating a CSR from it. I think I have it
>>> working with pyasn1, but of course the "signature algorithm" for the CSR
>>> needs to be specified and implemented within the code since I'm not
>>> using a library that understands CSRs natively. The code I have
>>> currently always produces CSRs with the sha256WithRSAEncryption
>>> algorithm (DER-encode request info, SHA256, PKCS #1 v1.5 padding, RSA
>>> encryption), and the OID for that algorithm is hardcoded in the output
>>> CSR. Is this ok or will we need more flexibility than that?
>>
>> IMO it's OK for starters.
>>
>>>>>>>
>>>>>>> For NSS databases, this will be trickier and will require calling C
>>>>>>> functions, as neither certutil nor python-nss provide a way to a)
>>>>>>> address existing keys in the database by key ID b) get
>>>>>>> SubjectPublicKeyInfo for a given key.
>>>>
>>>> This can be worked around by:
>>>>
>>>> 1. Generating a key + temporary certificate:
>>>>
>>>>     n=$(head -c 40 /dev/urandom | base32)
>>>>     certutil -S -n $n -s CN=$n -x -t ,,
>>>>
>>>> 2. Extracting the public key from the certificate:
>>>>
>>>>     certutil -L -n $n -a >temp.crt
>>>>     (extract the public key using python-cryptography)
>>>>
>>>> 3. Deleting the temporary certificate:
>>>>
>>>>     certutil -D -n $n
>>>>
>>>> 4. Importing the newly issued certificate:
>>>>
>>>>     certutil -A -n $n -t ,, -a
>>>
>>> Oof, thanks, I'm not sure I would have been able to come up with that.
>>> Can you generate a key without a temporary certificate if you use the
>>> NSS API, or does their model require every key to belong to a cert?
>>
>> I'm pretty sure it's possible, but it certainly won't be as simple as
>> this. I gave up after a few hours of digging into NSS source code and
>> not being able to figure out how.
>>
>>>>>>>
>>>>>>> As for encoding, the obvious choice is DER. It does not really
>>>>>>> matter that there is no standard file format, as we won't be
>>>>>>> transferring these as files anyway.
>>>>>>
>>>>>> Agreed. I just meant there aren't tools already because this isn't a
>>>>>> type of file one often needs to process.
>>>>>>>
>>>>>>>>
>>>>>>>> Would it be ok to stick with the current design in this PR? I'd
>>>>>>>> feel much better if we could get the basic functionality into the
>>>>>>>> repo and then iterate on it rather than changing the plan at this
>>>>>>>> point. I can create a separate PR to change cert_get_requestdata
>>>>>>>> to this new interface and at the same time add the necessary
>>>>>>>> adapters (bullet points above) to make it user-friendly.
>>>>>>>
>>>>>>> Works for me.
>>>>>>
>>>>>> Updated the PR to fix conflicts with master. Had some trouble with CI
>>>>>> but creating a new PR with the same commits fixed it
>>>>>> (https://github.com/freeipa/freeipa/pull/337). Not sure if it's fixed
>>>>>> permanently, so I guess I'll just keep the two PRs synchronized now,
>>>>>> or we could close the old one.
>>>>
>>>> You can close the old one.
>>>>
>>>> Just to make sure we are on the same page, you want this PR to be
>>>> merged before submitting additional PRs built on top of it?
>>> >>> Yes, I would like to merge this one to have as a starting point if >>> you're comfortable with it: https://github.com/freeipa/freeipa/pull/337. >>> I just did a force push to clean up the history, but the final diff >>> should be the same as it was before. >> >> OK. >> >>>> >>>>>>> >>>>>>>> >>>>>>>> I would probably just implement the adapters within the >>>>>>>> cert_build/cert_request client code unless you think having >>>>>>>> standalone >>>>>>>> tools is valuable. I suppose certmonger is going to need these >>>>>>>> features >>>>>>>> too, but I don't know how well sharing code between them is >>>>>>>> going to >>>>>>>> work. >>>>>>> >>>>>>> cert-request is exactly the place where it should be :-) I wouldn't >>>>>>> bother with certmonger until we have a server-side csrgen. >>>>>>> >>>>>>>>> >>>>>>>>>> >>>>>>>>>> - Allow some fields to be specified by the user at creation time: >>>>>>>>>> https://github.com/LiptonB/freeipa/commits/local-user-data >>>>>>>>> >>>>>>>>> Good idea :-) >>>>>>>>> >>>>>>>>>> >>>>>>>>>> - Automation for the full process from getting CSR data to >>>>>>>>>> requesting >>>>>>>>>> cert: https://github.com/LiptonB/freeipa/commits/local-cert-build >>>>>>>>> >>>>>>>>> LGTM, although I would prefer if this was a client-side >>>>>>>>> extension of >>>>>>>>> cert-request rather than a completely new command. >>>>>>>> >>>>>>>> I did try that at first, but I struggled to figure out the >>>>>>>> interface >>>>>>>> for >>>>>>>> the modified cert-request. (Not that the current solution is so >>>>>>>> great, >>>>>>>> what with the copying of options from cert_request and certreq.) 
>>>>>>>> If I remember correctly, I was uncertain how to implement parameters
>>>>>>>> that are required/invalid based on other parameters: the current
>>>>>>>> cert-request takes a signed CSR (required), a principal (required),
>>>>>>>> and a profile ID; the new cert-request (what I implemented as
>>>>>>>> cert-build) takes a principal (required), a profile ID (required),
>>>>>>>> and a key location (required). I can't remember if that was the
>>>>>>>> only problem, but I'll try again to merge the commands and get back
>>>>>>>> to you.
>>>>>>>
>>>>>>> To make the CSR argument optional on the client, you can do this:
>>>>>>>
>>>>>>>     def get_options(self):
>>>>>>>         for option in super(cert_request, self).get_options():
>>>>>>>             if option.name == 'csr':
>>>>>>>                 option = option.clone(required=False)
>>>>>>>             yield option
>>>>>>>
>>>>>>> IMO profile ID should default to caIPAserviceCert on the client as
>>>>>>> well.
>>>>>>
>>>>>> I originally had it doing so, but changed it to a required option
>>>>>> based on feedback in this email:
>>>>>> https://www.redhat.com/archives/freeipa-devel/2016-August/msg00021.html:
>>>>>>
>>>>>> "In general use I think that 'caIPAserviceCert' is unlikely to be
>>>>>> used a majority of the time, and it is a new command so there are no
>>>>>> compatibility issues; therefore why not make the profile option
>>>>>> mandatory?" I guess since we're talking about cert-request now, the
>>>>>> compatibility issues are back.
>>>>>>
>>>>>> https://github.com/LiptonB/freeipa/commits/local-cert-build has now
>>>>>> been updated to change the cert_request command rather than adding a
>>>>>> new command. It seems to work now (thanks for the advice on making
>>>>>> the argument optional), the only thing I'm having trouble with is the
>>>>>> default for the profile_id argument.
Previously, the default was >>>>>> applied by this code in cert_request.execute: >>>>>> >>>>>> profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE) >>>>>> >>>>>> But now, in the client, I need the default to pass to >>>>>> cert_get_requestdata if no profile is specified. I'm not sure I can >>>>>> access backends from the client to get it the same way the server >>>>>> code >>>>>> does. Should I just import ipapython/dogtag.py and use the >>>>>> DEFAULT_PROFILE set in there? Is there a way I can give the option a >>>>>> default that will be seen in both the server and the client? >>> Just wanted to call attention to this question. The code that's >>> currently problematic is here: >>> https://github.com/LiptonB/freeipa/blob/dda05b0b4dfa332569a8ca75632eaeceb95fbd6a/ipaclient/plugins/cert.py#L86 >>> >>> (will pass None when in fact the argument default should be used). >> >> self.get_default_of('profile_id') >> >>>>>>> >>>>>>>>> >>>>>>>>>> >>>>>>>>>> Other prototypes and design ideas that aren't ready for >>>>>>>>>> submission >>>>>>>>>> yet: >>>>>>>>>> >>>>>>>>>> - Utility written in C to build a CertificationRequestInfo from a >>>>>>>>>> SubjectPublicKeyInfo and an openssl-style config file. The >>>>>>>>>> purpose of >>>>>>>>>> this is to take a config that my code already knows how to >>>>>>>>>> generate, and >>>>>>>>>> put it in a form that certmonger can use. This is nearly done and >>>>>>>>>> available at: >>>>>>>>>> https://github.com/LiptonB/freeipa-prototypes/blob/master/build_requestinfo.c >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> Nice! As I said above, this could really make implementing the >>>>>>>>> "new" >>>>>>>>> csrgen interface simple. >>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> - Ideally it should be possible to use this tool to reimplement >>>>>>>>>> the full >>>>>>>>>> cert-request automation (local-cert-build branch) without a >>>>>>>>>> dependency >>>>>>>>>> on the certutil/openssl tools. 
However, I don't think any of the >>>>>>>>>> python >>>>>>>>>> crypto libraries have bindings for the functions that deal with >>>>>>>>>> CertificationRequestInfo objects, so I don't think I can do this >>>>>>>>>> in the >>>>>>>>>> short term. >>>>>>>>> >>>>>>>>> You can use python-cffi to write your own minimal bindings. It's >>>>>>>>> fairly straightforward, take a look at FreeIPA commit 500ee7e2 >>>>>>>>> for an >>>>>>>>> example of how to port C code to Python with python-cffi. >>>>>>>> >>>>>>>> Thank you for the example. I will take a look. >>>>>>>>> >>>>>>>>>> >>>>>>>>>> - Certmonger "helper" program that takes in the >>>>>>>>>> CertificationRequestInfo >>>>>>>>>> that certmonger generates, calls out to IPA for profile-specific >>>>>>>>>> data, >>>>>>>>>> and returns an updated CertificationRequestInfo built from the >>>>>>>>>> data. >>>>>>>>>> Certmonger doesn't currently support this type of helper, but >>>>>>>>>> (if I >>>>>>>>>> understood correctly) this is the architecture Nalin believed >>>>>>>>>> would be >>>>>>>>>> simplest to fit in. This is not done yet, but I intend to >>>>>>>>>> complete it >>>>>>>>>> soon - it shouldn't require much code beyond what's in >>>>>>>>>> build_requestinfo.c. >>>>>>>>> >>>>>>>>> To me this sounds like it should be a new operation of the current >>>>>>>>> helper rather than a completely new helper. >>>>>>>> >>>>>>>> Maybe so. I certainly wouldn't call this a finished design, I just >>>>>>>> wanted to have some kind of proof of concept for how the certmonger >>>>>>>> integration could work. For what it's worth, that prototype is now >>>>>>>> available at [2]. >>>>>>> >>>>>>> OK. >>>>>>> >>>>>>>>> >>>>>>>>> Anyway, the ultimate goal is to move the csrgen code to the >>>>>>>>> server, >>>>>>>>> which means everything the helper will have to do is call a >>>>>>>>> command >>>>>>>>> over RPC. 
>>>>>>>>> >>>>>>>>>> >>>>>>>>>> - Tool to convert an XER-encoded cert extension to DER, given the >>>>>>>>>> ASN.1 >>>>>>>>>> description of the extension. This would unblock Jan Cholasta's >>>>>>>>>> idea of >>>>>>>>>> using XSLT for templates rather than text-based formatting. I >>>>>>>>>> should be >>>>>>>>>> able to implement the conversion tool, but it may be a while >>>>>>>>>> before I >>>>>>>>>> have time to demo the full XSLT idea. >>>>>>>>> >>>>>>>>> Was there any progress on this? >>>>>>>> >>>>>>>> I have started working on implementing it with asn1c, and I'm >>>>>>>> already >>>>>>>> seeing some of the inconvenience (security issues aside) of >>>>>>>> building on >>>>>>>> the server. Libtasn1 seems like a much better model, but doesn't >>>>>>>> seem to >>>>>>>> have XER support. Anyway, don't quite have results here yet but I >>>>>>>> think >>>>>>>> I should have the XER->DER demo with asn1c ready in a week or two. >>>>>>> >>>>>>> Implementing XER codec on top of libtasn1 shouldn't be too hard; I >>>>>>> have a WIP which I will post soon. >>>>> >>>>> It took me some experimentation to get this to work, but the solution >>>>> with asn1c is actually quite simple because the tool automatically >>>>> provides a sample C file that converts between different formats. 
>>>>> So, this very basic shell script is able to do the conversion:
>>>>> https://github.com/LiptonB/freeipa-prototypes/blob/master/xer2der.sh
>>>>>
>>>>>     $ cat ExtKeyUsage.xer
>>>>>     1.3.6.1.5.5.7.3.2
>>>>>     1.3.6.1.5.5.7.3.4
>>>>>
>>>>>     $ cat KeyUsage.asn1
>>>>>     KUModule DEFINITIONS ::=
>>>>>     BEGIN
>>>>>
>>>>>     KeyUsage ::= BIT STRING {
>>>>>         digitalSignature (0),
>>>>>         nonRepudiation (1), -- recent editions of X.509 have
>>>>>                             -- renamed this bit to contentCommitment
>>>>>         keyEncipherment (2),
>>>>>         dataEncipherment (3),
>>>>>         keyAgreement (4),
>>>>>         keyCertSign (5),
>>>>>         cRLSign (6),
>>>>>         encipherOnly (7),
>>>>>         decipherOnly (8) }
>>>>>
>>>>>     ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
>>>>>
>>>>>     KeyPurposeId ::= OBJECT IDENTIFIER
>>>>>
>>>>>     END
>>>>>
>>>>>     $ ./xer2der.sh KeyUsage.asn1 ExtKeyUsageSyntax ExtKeyUsage.xer 2>/dev/null | xxd
>>>>>     00000000: 3014 0608 2b06 0105 0507 0302 0608 2b06  0...+.........+.
>>>>>     00000010: 0105 0507 0304                           ......
>>>>
>>>> So far I don't have a working example using libtasn1. I have something
>>>> close to it, but it's hacky, as the libtasn1 API is pretty limited,
>>>> and I didn't have time to work on it in the last few weeks.
>>
>> I got it working, needs just a little polishing. It's still ugly hacky
>> though.
>>
>>>>
>>>>>
>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> So: currently on my to do list are the certmonger helper and the
>>>>>>>>>> XER->DER conversion tool. Do you have any comments about these
>>>>>>>>>> plans, and is there anything else I can do to wrap up the project
>>>>>>>>>> neatly?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Ben
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Honza
>>>>>>>>>
>>>>>>>> [1]
>>>>>>>> https://github.com/LiptonB/freeipa-prototypes/blob/master/key2spki.c
>>>>>>>>
>>>>>>>> [2]
>>>>>>>> https://github.com/LiptonB/freeipa-prototypes/blob/master/cm_ipa_csrgen.c
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
> Thank you for the review!
> I just created
> https://github.com/freeipa/freeipa/pull/433 and
> https://github.com/freeipa/freeipa/pull/434 for the two follow-up
> branches I had pending (and updated with ideas from this thread and the
> previous PR's thread). I'm still working on converting the API to
> consuming SubjectPublicKeyInfo structures and producing
> CertificationRequestInfo ones - I have the OpenSSL flow working, but am
> still missing a step for the NSS flow. Specifically, after step 2 of the
> 4 you suggested above, I need to use NSS to use the private key in the
> db to sign the SubjectPublicKeyInfo before I can use python-cryptography
> to make it into a CSR like I'm doing with OpenSSL. I'm sure this is not
> very hard, but I haven't quite figured it out yet.

Sigh, NSS does not have a generic signing tool (cmsutil and signtool are
not generic enough) and python-nss does not have a signing API. I got
this far:

    from nss import nss

    nss.nss_init(db_path)
    nss.set_password_callback(lambda slot, retry, password: password)
    slot = nss.get_internal_key_slot()
    slot.authenticate(False, db_password)
    cert = nss.find_cert_from_nickname(nickname)
    key = nss.find_key_by_any_cert(cert)

Unfortunately this means we will have to call C code. IMO it would be
best to drop support for NSS for the time being and add it back when we
know exactly what C code to call.

-- 
Jan Cholasta

From freeipa-github-notification at redhat.com Tue Feb 7 11:12:20 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 07 Feb 2017 12:12:20 +0100
Subject: [Freeipa-devel] [freeipa PR#413][+ack] Complete stageuser API
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/413
Title: #413: Complete stageuser API

Label: +ack

From freeipa-github-notification at redhat.com Tue Feb 7 11:18:33 2017
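The CSR autogeneration thread above talks about two DER structures: the ExtKeyUsageSyntax bytes that the xer2der.sh demo printed, and the PKCS #10 CertificationRequest that Ben's pyasn1 code assembles from a CertificationRequestInfo and an RSA signature with sha256WithRSAEncryption hard-coded. The following is an added example that is neither FreeIPA code nor the linked prototypes: a small dependency-free DER encoder/reader that reproduces the xxd output shown in the thread and wraps a request info plus a signature into a CSR; function names are the example's own, and the signature is assumed to come from a separate RSASSA-PKCS1-v1_5/SHA-256 signing step.

```python
"""Minimal DER assembly for the structures discussed in the CSR thread.

Added example, not FreeIPA code: (a) ExtKeyUsageSyntax as produced by the
xer2der.sh demo, (b) CertificationRequest wrapping of a DER
CertificationRequestInfo plus an RSA signature, with the
sha256WithRSAEncryption AlgorithmIdentifier hard-coded.
"""

SHA256_WITH_RSA_ENCRYPTION = "1.2.840.113549.1.1.11"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"        # OIDs used in ExtKeyUsage.xer
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Tag, length, value."""
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("malformed OID: %s" % dotted)
    content = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]        # last 7 bits, no continuation bit
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        content.extend(reversed(chunks))
    return der_tlv(0x06, bytes(content))


def der_sequence(*items):
    return der_tlv(0x30, b"".join(items))


def der_bit_string(data):
    """BIT STRING; a signature is whole bytes, so the unused-bits octet is 0."""
    return der_tlv(0x03, b"\x00" + data)


def encode_ext_key_usage(oids):
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (an OID)."""
    if not oids:
        raise ValueError("ExtKeyUsageSyntax needs at least one KeyPurposeId")
    return der_sequence(*(der_oid(o) for o in oids))


def assemble_csr(cri_der, signature):
    """CertificationRequest ::= SEQUENCE { certificationRequestInfo,
    signatureAlgorithm AlgorithmIdentifier, signature BIT STRING }.

    `signature` must be the RSASSA-PKCS1-v1_5/SHA-256 signature over the
    exact bytes of `cri_der`, produced elsewhere (e.g. python-cryptography).
    For sha256WithRSAEncryption the parameters are NULL (RFC 4055).
    """
    if not cri_der or cri_der[0] != 0x30:
        raise ValueError("certificationRequestInfo must be a DER SEQUENCE")
    alg_id = der_sequence(der_oid(SHA256_WITH_RSA_ENCRYPTION), b"\x05\x00")
    return der_sequence(cri_der, alg_id, der_bit_string(signature))


def read_tlv(buf, pos=0):
    """Parse one TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def split_csr(csr_der):
    """Inverse of assemble_csr: (cri_der, algorithm_identifier_der, signature)."""
    tag, body, end = read_tlv(csr_der)
    if tag != 0x30 or end != len(csr_der):
        raise ValueError("CertificationRequest must be a single DER SEQUENCE")
    parts, pos = [], 0
    while pos < len(body):
        tag, content, nxt = read_tlv(body, pos)
        parts.append((tag, content, body[pos:nxt]))
        pos = nxt
    if len(parts) != 3 or parts[0][0] != 0x30 or parts[2][0] != 0x03:
        raise ValueError("unexpected CertificationRequest layout")
    return parts[0][2], parts[1][2], parts[2][1][1:]  # drop unused-bits octet
```

`encode_ext_key_usage([ID_KP_CLIENT_AUTH, ID_KP_EMAIL_PROTECTION]).hex()` yields the same 22 bytes that the xxd listing in the thread shows, which is a handy cross-check for any XER-to-DER tool.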
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 07 Feb 2017 12:18:33 +0100 Subject: [Freeipa-devel] [freeipa PR#336][+ack] [py3] pki: add missing depedency pki-base[-python3] In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/336 Title: #336: [py3] pki: add missing depedency pki-base[-python3] Label: +ack From freeipa-github-notification at redhat.com Tue Feb 7 11:41:05 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 07 Feb 2017 12:41:05 +0100 Subject: [Freeipa-devel] [freeipa PR#396][synchronized] Explicitly remove support of SSLv2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/396 Author: stlaz Title: #396: Explicitly remove support of SSLv2 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/396/head:pr396 git checkout pr396 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-396.patch Type: text/x-diff Size: 5143 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 7 11:46:36 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Feb 2017 12:46:36 +0100 Subject: [Freeipa-devel] [freeipa PR#418][+ack] replica install: do not log host OTP In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/418 Title: #418: replica install: do not log host OTP Label: +ack From freeipa-github-notification at redhat.com Tue Feb 7 11:52:33 2017 
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 07 Feb 2017 12:52:33 +0100
Subject: [Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

MartinBasti commented:
"""
@Akasurde sorry for the delay, we still miss a test. Otherwise I'm fine with this approach (once the issue commented inline is fixed).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/394#issuecomment-277977077

From freeipa-github-notification at redhat.com Tue Feb 7 12:19:04 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 07 Feb 2017 13:19:04 +0100
Subject: [Freeipa-devel] [freeipa PR#336][+pushed] [py3] pki: add missing depedency pki-base[-python3]
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

Label: +pushed

From freeipa-github-notification at redhat.com Tue Feb 7 12:19:07 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 07 Feb 2017 13:19:07 +0100
Subject: [Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/66fa0585aa3a7219aa3f5b548a0a84f052d62b8e
https://fedorahosted.org/freeipa/changeset/bd83fdf51621fe777c1f7823dcb13c4dfa26fa8e
"""

See the full comment at https://github.com/freeipa/freeipa/pull/336#issuecomment-277982495

From freeipa-github-notification at redhat.com Tue Feb 7 12:19:08 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 07 Feb 2017 13:19:08 +0100
Subject: [Freeipa-devel] [freeipa PR#336][closed] [py3] pki: add missing depedency pki-base[-python3]
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/336
Author: MartinBasti
Title: #336: [py3] pki: add missing depedency pki-base[-python3]
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/336/head:pr336
git checkout pr336

From freeipa-github-notification at redhat.com Tue Feb 7 12:57:30 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 07 Feb 2017 13:57:30 +0100
Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

martbab commented:
"""
I have figured out that the previous Travis failures were caused by a missing version in the mod_auth_gssapi Requires. If I downgrade the package to mod_auth_gssapi-1.4.1-1.fc25.x86_64, apache crashes on an unknown directive:
```
Feb 07 13:32:41 master1.ipa.test httpd[45040]: Invalid command 'GssapiDelegCcachePerms', perhaps misspelled or defined by a module not included in the server configuration
Feb 07 13:32:41 master1.ipa.test systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Feb 07 13:32:41 master1.ipa.test systemd[1]: Failed to start The Apache HTTP Server.
Feb 07 13:32:41 master1.ipa.test systemd[1]: httpd.service: Unit entered failed state.
Feb 07 13:32:41 master1.ipa.test systemd[1]: httpd.service: Failed with result 'exit-code'.
```
We will need to bump Requires to mod_auth_gssapi-1.5.0-1.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-277991477

From freeipa-github-notification at redhat.com Tue Feb 7 12:58:13 2017
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Feb 2017 13:58:13 +0100 Subject: [Freeipa-devel] [freeipa PR#418][+pushed] replica install: do not log host OTP In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/418 Title: #418: replica install: do not log host OTP Label: +pushed From freeipa-github-notification at redhat.com Tue Feb 7 12:58:14 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Feb 2017 13:58:14 +0100 Subject: [Freeipa-devel] [freeipa PR#418][closed] replica install: do not log host OTP In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/418 Author: HonzaCholasta Title: #418: replica install: do not log host OTP Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/418/head:pr418 git checkout pr418 From freeipa-github-notification at redhat.com Tue Feb 7 12:58:16 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Feb 2017 13:58:16 +0100 Subject: [Freeipa-devel] [freeipa PR#418][comment] replica install: do not log host OTP In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/418 Title: #418: replica install: do not log host OTP MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/054c1e013aee6fdbee2e9966c32df02d91f0c2c1 """ See the full comment at https://github.com/freeipa/freeipa/pull/418#issuecomment-277991659 From freeipa-github-notification at redhat.com Tue Feb 7 12:59:09 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Feb 2017 13:59:09 +0100 Subject: [Freeipa-devel] [freeipa PR#413][comment] Complete stageuser API In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/413 Title: #413: Complete stageuser API MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/9c0e86530ec693606ca4f69e74a9dfe4118a21aa https://fedorahosted.org/freeipa/changeset/7e2d185ba09382a815e9b0530aeae3d56f9378d1 https://fedorahosted.org/freeipa/changeset/308c790ee90f00e0bc2c40abf51c30e5250631e9 https://fedorahosted.org/freeipa/changeset/7b68cc5b08c5563535486d72f37b766209791dbf https://fedorahosted.org/freeipa/changeset/c5c98af99db53b5f9453bf70e9fd4c11e219cf3e https://fedorahosted.org/freeipa/changeset/9382efde4fbc027dcfb5dc5f22d25296f232e0a6 https://fedorahosted.org/freeipa/changeset/8e139d4b559a6f19d859e078e1940a69d8977fdb """ See the full comment at https://github.com/freeipa/freeipa/pull/413#issuecomment-277991933 From freeipa-github-notification at redhat.com Tue Feb 7 12:59:10 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Feb 2017 13:59:10 +0100 Subject: [Freeipa-devel] [freeipa PR#413][+pushed] Complete stageuser API In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/413 Title: #413: Complete stageuser API Label: +pushed From freeipa-github-notification at redhat.com Tue Feb 7 12:59:11 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Feb 2017 13:59:11 +0100 Subject: [Freeipa-devel] [freeipa PR#413][closed] Complete stageuser API In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/413 Author: dkupka Title: #413: Complete stageuser API Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/413/head:pr413 git checkout pr413 From freeipa-github-notification at redhat.com Tue Feb 7 13:11:39 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 07 Feb 2017 14:11:39 +0100 Subject: [Freeipa-devel] [freeipa PR#396][synchronized] Explicitly remove support of SSLv2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/396 Author: stlaz Title: #396: Explicitly remove support of SSLv2 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/396/head:pr396 git checkout pr396 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-396.patch Type: text/x-diff Size: 5352 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 7 13:12:13 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 07 Feb 2017 14:12:13 +0100
Subject: [Freeipa-devel] [freeipa PR#438][opened] ipaldap: preserve order of values in LDAPEntry._sync()
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/438
Author: HonzaCholasta
Title: #438: ipaldap: preserve order of values in LDAPEntry._sync()
Action: opened

PR body:
"""
In Python 2, the order was preserved by accident. This change makes sure
the order is preserved in both Python 2 and 3.

https://fedorahosted.org/freeipa/ticket/4985
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/438/head:pr438
git checkout pr438

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-438.patch
Type: text/x-diff
Size: 2783 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Feb 7 13:15:05 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 07 Feb 2017 14:15:05 +0100
Subject: [Freeipa-devel] [freeipa PR#396][comment] Explicitly remove support of SSLv2
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/396
Title: #396: Explicitly remove support of SSLv2

stlaz commented:
"""
Did not realize merging to Env from default constants was happening at the end of `_finalize_core()`, moved the checks in config.py accordingly.

Also, for some reason, github shows the `root_logger` issue as solved but it's not - should all `root_logger` appearances be replaced by a module-own logger?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/396#issuecomment-277996232

From freeipa-github-notification at redhat.com Tue Feb 7 13:19:47 2017
From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 07 Feb 2017 14:19:47 +0100 Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/314 Author: simo5 Title: #314: RFC: privilege separation for ipa framework code Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/314/head:pr314 git checkout pr314 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-314.patch Type: text/x-diff Size: 239419 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 7 14:03:45 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 07 Feb 2017 15:03:45 +0100 Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ I added 1.5.0 as a dep in freeipa.spec.in and rebased the PR """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-278008429 From freeipa-github-notification at redhat.com Tue Feb 7 14:36:53 2017 
From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 07 Feb 2017 15:36:53 +0100 Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/314 Author: simo5 Title: #314: RFC: privilege separation for ipa framework code Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/314/head:pr314 git checkout pr314 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-314.patch Type: text/x-diff Size: 239419 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 7 14:42:11 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 07 Feb 2017 15:42:11 +0100 Subject: [Freeipa-devel] [freeipa PR#396][synchronized] Explicitly remove support of SSLv2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/396 Author: stlaz Title: #396: Explicitly remove support of SSLv2 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/396/head:pr396 git checkout pr396 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-396.patch Type: text/x-diff Size: 5347 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 7 15:10:27 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 07 Feb 2017 16:10:27 +0100 Subject: [Freeipa-devel] [freeipa PR#396][comment] Explicitly remove support of SSLv2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/396 Title: #396: Explicitly remove support of SSLv2 HonzaCholasta commented: """ @stlaz, you don't have to replace `root_logger` in old code, but don't use it in new code. """ See the full comment at https://github.com/freeipa/freeipa/pull/396#issuecomment-278028074 From freeipa-github-notification at redhat.com Tue Feb 7 15:29:59 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Feb 2017 16:29:59 +0100 Subject: [Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/437 Author: tomaskrizek Title: #437: FIPS: replica install check Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/437/head:pr437 git checkout pr437 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-437.patch Type: text/x-diff Size: 4971 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 7 15:32:21 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 07 Feb 2017 16:32:21 +0100 Subject: [Freeipa-devel] [freeipa PR#438][synchronized] ipaldap: preserve order of values in LDAPEntry._sync() In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/438 Author: HonzaCholasta Title: #438: ipaldap: preserve order of values in LDAPEntry._sync() Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/438/head:pr438 git checkout pr438 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-438.patch Type: text/x-diff Size: 1153 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 7 15:33:07 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Feb 2017 16:33:07 +0100 Subject: [Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/437 Title: #437: FIPS: replica install check tomaskrizek commented: """ Thanks for the feedback. Hopefully I addressed all the concerns above in the update. """ See the full comment at https://github.com/freeipa/freeipa/pull/437#issuecomment-278035787 From freeipa-github-notification at redhat.com Tue Feb 7 16:02:22 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Feb 2017 17:02:22 +0100 Subject: [Freeipa-devel] [freeipa PR#439][opened] [Py3] tests: fix various bytes related issues in tests Message-ID: URL: https://github.com/freeipa/freeipa/pull/439 Author: MartinBasti Title: #439: [Py3] tests: fix various bytes related issues in tests Action: opened PR body: """ This is more or less for testing purposes of py2/py3 compatibility """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/439/head:pr439 git checkout pr439 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-439.patch Type: text/x-diff Size: 2314 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 7 16:26:01 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Feb 2017 17:26:01 +0100 Subject: [Freeipa-devel] [freeipa PR#439][synchronized] [Py3] tests: fix various bytes related issues in tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/439 Author: MartinBasti Title: #439: [Py3] tests: fix various bytes related issues in tests Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/439/head:pr439 git checkout pr439 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-439.patch Type: text/x-diff Size: 4157 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 7 16:26:39 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Feb 2017 17:26:39 +0100 Subject: [Freeipa-devel] [freeipa PR#439][edited] [Py3] tests: fix various bytes related issues in tests In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/439 Author: MartinBasti Title: #439: [Py3] tests: fix various bytes related issues in tests Action: edited Changed field: title Original value: """ [Py3] tests: fix various bytes related issues in tests """ From freeipa-github-notification at redhat.com Tue Feb 7 16:29:38 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Feb 2017 17:29:38 +0100 Subject: [Freeipa-devel] [freeipa PR#440][opened] [Py3] fix various issues in tests related to BytesWarning Message-ID: URL: https://github.com/freeipa/freeipa/pull/440 Author: MartinBasti Title: #440: [Py3] fix various issues in tests related to BytesWarning Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/440/head:pr440 git checkout pr440 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-440.patch Type: text/x-diff Size: 5188 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 7 16:37:27 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Feb 2017 17:37:27 +0100 Subject: [Freeipa-devel] [freeipa PR#426][comment] DNSSEC: forwarders validation improvement In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/426 Title: #426: DNSSEC: forwarders validation improvement tomaskrizek commented: """ I think the same issue can also occur in `validate_dnssec_zone_forwarder_step2()`. """ See the full comment at https://github.com/freeipa/freeipa/pull/426#issuecomment-278056789 From freeipa-github-notification at redhat.com Tue Feb 7 16:48:58 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Feb 2017 17:48:58 +0100 Subject: [Freeipa-devel] [freeipa PR#427][synchronized] [Py3] WSGI part 2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/427 Author: MartinBasti Title: #427: [Py3] WSGI part 2 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/427/head:pr427 git checkout pr427 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-427.patch Type: text/x-diff Size: 10252 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 7 16:53:04 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Feb 2017 17:53:04 +0100 Subject: [Freeipa-devel] [freeipa PR#439][synchronized] [WIP] [Py3] testing both py2/py3 in travis In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/439 Author: MartinBasti Title: #439: [WIP] [Py3] testing both py2/py3 in travis Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/439/head:pr439 git checkout pr439 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-439.patch Type: text/x-diff Size: 4155 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 7 17:30:47 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Feb 2017 18:30:47 +0100 Subject: [Freeipa-devel] [freeipa PR#439][synchronized] [WIP] [Py3] testing both py2/py3 in travis In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/439 Author: MartinBasti Title: #439: [WIP] [Py3] testing both py2/py3 in travis Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/439/head:pr439 git checkout pr439 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-439.patch Type: text/x-diff Size: 11871 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 7 17:34:05 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 07 Feb 2017 18:34:05 +0100 Subject: [Freeipa-devel] [freeipa PR#423][comment] dns-update-system-records: add support for nsupdate output format In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/423 Title: #423: dns-update-system-records: add support for nsupdate output format tomaskrizek commented: """ I added some in-line comments/questions. """ See the full comment at https://github.com/freeipa/freeipa/pull/423#issuecomment-278076554 From freeipa-github-notification at redhat.com Tue Feb 7 17:37:33 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 07 Feb 2017 18:37:33 +0100 Subject: [Freeipa-devel] [freeipa PR#439][synchronized] [WIP] [Py3] testing both py2/py3 in travis In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/439 Author: MartinBasti Title: #439: [WIP] [Py3] testing both py2/py3 in travis Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/439/head:pr439 git checkout pr439 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-439.patch Type: text/x-diff Size: 11792 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 7 17:54:24 2017 
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 07 Feb 2017 18:54:24 +0100
Subject: [Freeipa-devel] [freeipa PR#433][comment] csrgen: Allow some certificate fields to be specified by the user
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/433
Title: #433: csrgen: Allow some certificate fields to be specified by the user

MartinBasti commented:
"""
```
************* Module ipaclient.csrgen
ipaclient/csrgen.py:376: [E1101(no-member), CSRGenerator.get_user_prompts] Module 'ipalib.errors' has no 'CertificateMappingError' member)
ipaclient/csrgen.py:380: [E1101(no-member), CSRGenerator.get_user_prompts] Module 'ipalib.errors' has no 'CertificateMappingError' member)
ipaclient/csrgen.py:385: [E1101(no-member), CSRGenerator.get_user_prompts] Module 'ipalib.errors' has no 'CertificateMappingError' member)
ipaclient/csrgen.py:367: [W0612(unused-variable), CSRGenerator.get_user_prompts] Unused variable 'syntax_rules')
************* Module ipatests.test_ipaclient.test_csrgen
ipatests/test_ipaclient/test_csrgen.py:322: [W0612(unused-variable), test_rule_handling.test_userdata_included] Unused variable 'script')
ipatests/test_ipaclient/test_csrgen.py:324: [W0612(unused-variable), test_rule_handling.test_userdata_included] Unused variable 'expected_script'm)
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/433#issuecomment-278083528

From freeipa-github-notification at redhat.com Tue Feb 7 17:59:28 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 07 Feb 2017 18:59:28 +0100
Subject: [Freeipa-devel] [freeipa PR#434][comment] csrgen: Automate full cert request flow
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/434
Title: #434: csrgen: Automate full cert request flow

MartinBasti commented:
"""
- pylint:
```
************* Module ipaclient.plugins.cert
ipaclient/plugins/cert.py:102: [W1612(unicode-builtin), cert_request.forward] unicode built-in referenced)
ipaclient/plugins/cert.py:127: [W1612(unicode-builtin), cert_request.forward] unicode built-in referenced)
ipaclient/plugins/cert.py:99: [W0612(unused-variable), cert_request.forward] Unused variable 'requestdata')
```
for unicode you can use either `six.string_type()` or
```
if six.PY3:
    unicode = str
```
- pep8 errors
- failing test expects DN object instead of String
"""

See the full comment at https://github.com/freeipa/freeipa/pull/434#issuecomment-278085296

From freeipa-github-notification at redhat.com Tue Feb 7 18:08:24 2017
From: freeipa-github-notification at redhat.com (frozencemetery)
Date: Tue, 07 Feb 2017 19:08:24 +0100
Subject: [Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

frozencemetery commented:
"""
@simo5 @abbra I'll move it over, but it won't break anything to pull in krb5-devel *and* krb5-kdb-version as far as I can tell.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/410#issuecomment-278088391

From freeipa-github-notification at redhat.com Tue Feb 7 19:06:01 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Tue, 07 Feb 2017 20:06:01 +0100
Subject: [Freeipa-devel] [freeipa PR#410][synchronized] ipa-kdb: support KDB DAL version 6.1
In-Reply-To: References: Message-ID:

URL: https://github.com/freeipa/freeipa/pull/410
Author: abbra
Title: #410: ipa-kdb: support KDB DAL version 6.1
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/410/head:pr410
git checkout pr410

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-410.patch
Type: text/x-diff
Size: 12044 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Feb 7 19:09:16 2017
From: freeipa-github-notification at redhat.com (abbra) Date: Tue, 07 Feb 2017 20:09:16 +0100 Subject: [Freeipa-devel] [freeipa PR#410][synchronized] ipa-kdb: support KDB DAL version 6.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/410 Author: abbra Title: #410: ipa-kdb: support KDB DAL version 6.1 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/410/head:pr410 git checkout pr410 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-410.patch Type: text/x-diff Size: 9072 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 7 19:10:37 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Tue, 07 Feb 2017 20:10:37 +0100 Subject: [Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/410 Title: #410: ipa-kdb: support KDB DAL version 6.1 abbra commented: """ Updated the spec file and the commit message. """ See the full comment at https://github.com/freeipa/freeipa/pull/410#issuecomment-278108158 From freeipa-github-notification at redhat.com Wed Feb 8 05:56:26 2017 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 08 Feb 2017 06:56:26 +0100 Subject: [Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/370 Title: #370: ci: send build log to paste.fedoraproject.org frasertweedale commented: """ So... any blocker on merging this? """ See the full comment at https://github.com/freeipa/freeipa/pull/370#issuecomment-278236511 From freeipa-github-notification at redhat.com Wed Feb 8 05:56:54 2017 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 08 Feb 2017 06:56:54 +0100 Subject: [Freeipa-devel] [freeipa PR#416][comment] replica install: relax domain level check for promotion In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/416 Title: #416: replica install: relax domain level check for promotion frasertweedale commented: """ Any other changes requested? What's preventing ack on this? """ See the full comment at https://github.com/freeipa/freeipa/pull/416#issuecomment-278236565 From ftweedal at redhat.com Wed Feb 8 06:29:43 2017 
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 8 Feb 2017 16:29:43 +1000
Subject: [Freeipa-devel] [DESIGN] IPA permission enforcement in Dogtag
In-Reply-To:
References: <20170113070713.GG4539@dhcp-40-8.bne.redhat.com> <06bccd8a-cebe-4acb-a5af-7c1ed985f313@redhat.com>
Message-ID: <20170208062943.GX3557@dhcp-40-8.bne.redhat.com>

On Mon, Feb 06, 2017 at 10:24:31AM +0100, Jan Cholasta wrote:
> On 17.1.2017 08:57, David Kupka wrote:
> > On 13/01/17 08:07, Fraser Tweedale wrote:
> > > Related to design:
> > > http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
> > >
> > > Currently there are some operations that hit the CA that involve a
> > > number of privileged operations against the CA, but for which there
> > > is only one associated IPA permission. Deleting a CA is a good
> > > example (but it is one specific case of a more general issue).
> > > Summary of current ca-del behaviour:
> > >
> > > 1. Disable LWCA in Dogtag (uses RA Agent cert)
> > > 2. Delete LWCA in Dogtag (uses RA Agent cert)
> > > 3. Delete CA entry from IPA (requires "System: Delete CA" permission)
> > >
> > > So there are two things going on under the hood: a modify operation
> > > (disable CA) and the delete.
> > >
> > > When we implement proxy authentication to Dogtag, Dogtag will
> > > enforce the IPA permissions on its operations. Disable will map to
> > > "System: Modify CA" and delete to "System: Delete CA". So to delete
> > > a CA a user will need *both* permissions. Which could be
> > > surprising.
> > >
> > > There are a couple of reasonable approaches to this.
> > >
> > > 1. Decouple the disable and delete operations. If CA is not
> > > disabled, the user will be instructed to execute the ca-disable
> > > command separately before they can disable the CA. This introduces
> > > an additional manual step for operators.
> > >
> > > 2. Just improve the error reporting. In my WIP, for a user that has
> > > 'System: Delete CA' permission but not 'System: Modify CA', the
> > > reported failure is a 403 Authorization Error from Dogtag. We can
> > > add guards to fail more gracefully.
> > >
> > > I lean towards #2 because I guess the common case will be that users
> > > either get all CA admin permissions, or none, and we don't want to
> > > make more work (in the form of more commands to run) for users in
> > > the common case.
> > >
> > > I welcome alternative views and suggestions.
> > >
> > > Thanks,
> > > Fraser
> > >
> > Hi Fraser,
> > as a user with "System: Delete CA" permission calling "ca-del" command I
> > would be really surprised that I don't have enough privileges to
> > complete the action.
> >
> > I would expect:
> > a) "Cannot delete active CA, disable it first" error.
> > b) Delete will be completed successfully. All internal and to my sight
> > hidden operations will be allowed just because I'm allowed to perform
> > the delete operation.
> >
> > I think that b) might lead to strange exceptions in authorization
> > checking and therefore to security issues. So I would prefer decoupling
> > ca-disable and ca-del as you're describing in 1).
>
> IMO having to disable the CA before deletion is an implementation detail and
> should not be exposed to the user at all. Why do we have to disable the CA
> from IPA in ca-del? I would expect Dogtag to disable it itself internally
> when it's being deleted.
>
The CA requiring disablement before deletion is a property of how
Dogtag Lightweight CAs are implemented. I don't intend to change this
(besides, it might need to be this way for Common Criteria; a
similar restriction exists for profiles).

We could make it so that in IPA context, delete permission implies
disable permission. Currently (in Dogtag) permission to
enable/disable is the 'modify' permission. So to do this without
implying that someone with 'delete' permission has 'modify'
permission, I'd need to add an explicit 'enable/disable ca'
permission.

This is a good idea, but it is more work to add the required ACLs
(which will need to be done during IPA upgrade or installation).
I'll shelve https://github.com/freeipa/freeipa/pull/415 for now, but
keep the patch in my working branch and code it out later, if
there's time before release. Otherwise we might need to keep it
until there's time for the proper fix, so that things don't break.

Thanks,
Fraser

From freeipa-github-notification at redhat.com Wed Feb 8 06:30:49 2017
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Wed, 08 Feb 2017 07:30:49 +0100
Subject: [Freeipa-devel] [freeipa PR#415][comment] ca-del: require CA to already be disabled
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/415
Title: #415: ca-del: require CA to already be disabled

frasertweedale commented:
"""
Shelving this PR for now. It might get resurrected later. Discussion: https://www.redhat.com/archives/freeipa-devel/2017-February/msg00150.html
"""

See the full comment at https://github.com/freeipa/freeipa/pull/415#issuecomment-278241186

From freeipa-github-notification at redhat.com Wed Feb 8 06:30:51 2017
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Wed, 08 Feb 2017 07:30:51 +0100
Subject: [Freeipa-devel] [freeipa PR#415][closed] ca-del: require CA to already be disabled
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/415
Author: frasertweedale
Title: #415: ca-del: require CA to already be disabled
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/415/head:pr415
git checkout pr415

From jcholast at redhat.com Wed Feb 8 07:02:18 2017
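The permission interaction discussed in the design thread above (ca-del running a disable and a delete in Dogtag, each mapped to its own IPA permission once Dogtag enforces them) modelled as an added Python example. This is not FreeIPA or Dogtag code. The "current" mapping is the one the thread describes; the "explicit" mapping models Fraser's proposal of a separate enable/disable permission that, on the IPA side, is implied by 'System: Delete CA' without implying 'System: Modify CA'. The permission name 'System: Enable/Disable CA' and the implication mechanics are assumptions made for the example. The `decoupled` flag models the other option (approach 1 / PR #415): refuse to delete a CA that is still enabled instead of disabling it implicitly.

```python
"""Model of the ca-del authorization problem (added example, not FreeIPA
or Dogtag code). Dogtag is assumed to check one IPA permission per
operation; ``ipa ca-del`` performs disable then delete."""
from dataclasses import dataclass

MODIFY = "System: Modify CA"
DELETE = "System: Delete CA"
ENABLE_DISABLE = "System: Enable/Disable CA"  # assumed name, not from the page

# Per mapping: operation -> permission Dogtag's ACL requires for it.
MAPPINGS = {
    "current": {"disable": MODIFY, "delete": DELETE},
    "explicit": {"disable": ENABLE_DISABLE, "delete": DELETE},
}


class AuthorizationError(Exception):
    """Stands in for the HTTP 403 Dogtag returns when an ACL check fails."""


class CAStillEnabled(Exception):
    """Raised by the decoupled flow when the CA has not been disabled first."""


@dataclass
class LightweightCA:
    name: str
    enabled: bool = True
    deleted: bool = False


def effective_permissions(mapping: str, granted: set) -> set:
    """IPA-side view of a principal's permissions.

    In the "explicit" mapping, holding 'System: Delete CA' implies the
    enable/disable permission, without implying 'System: Modify CA'.
    """
    perms = set(granted)
    if mapping == "explicit" and DELETE in perms:
        perms.add(ENABLE_DISABLE)
    return perms


def authorize(mapping: str, op: str, perms: set) -> None:
    """Dogtag-side check: the operation's permission must be held."""
    required = MAPPINGS[mapping][op]
    if required not in perms:
        raise AuthorizationError(f"403 on {op}: requires '{required}'")


def ca_del(ca: LightweightCA, granted: set, mapping: str = "current",
           decoupled: bool = False) -> list:
    """Disable (if needed) and delete ``ca``; return the steps performed."""
    perms = effective_permissions(mapping, granted)
    steps = []
    if ca.enabled:
        if decoupled:
            # Approach 1 / PR #415: the operator must run ca-disable first.
            raise CAStillEnabled("Cannot delete active CA, disable it first")
        authorize(mapping, "disable", perms)
        ca.enabled = False
        steps.append("disable")
    authorize(mapping, "delete", perms)
    ca.deleted = True
    steps.append("delete")
    return steps


def run_scenario(mapping: str, granted: set, decoupled: bool = False,
                 enabled: bool = True) -> tuple:
    """Run ca-del on a fresh CA and classify the outcome for comparison."""
    ca = LightweightCA("lwca1", enabled=enabled)
    try:
        return ("ok", ca_del(ca, granted, mapping, decoupled))
    except AuthorizationError as exc:
        return ("forbidden", str(exc))
    except CAStillEnabled as exc:
        return ("precondition", str(exc))


if __name__ == "__main__":
    cases = {
        "current, delete only": ("current", {DELETE}),
        "current, modify+delete": ("current", {MODIFY, DELETE}),
        "explicit, delete only": ("explicit", {DELETE}),
        "decoupled, CA still enabled": ("current", {DELETE}, True),
        "decoupled, CA already disabled": ("current", {DELETE}, True, False),
    }
    for label, args in cases.items():
        print(f"{label:32} -> {run_scenario(*args)}")
```

The first case is the surprise the thread is about: a principal holding only the delete permission is refused at the disable step with a 403 from Dogtag. The third case shows the proposed fix, where delete implies the new enable/disable permission but `effective_permissions` never adds 'System: Modify CA'.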
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 8 Feb 2017 08:02:18 +0100 Subject: [Freeipa-devel] [DESIGN] IPA permission enforcement in Dogtag In-Reply-To: <20170208062943.GX3557@dhcp-40-8.bne.redhat.com> References: <20170113070713.GG4539@dhcp-40-8.bne.redhat.com> <06bccd8a-cebe-4acb-a5af-7c1ed985f313@redhat.com> <20170208062943.GX3557@dhcp-40-8.bne.redhat.com> Message-ID: On 8.2.2017 07:29, Fraser Tweedale wrote: > On Mon, Feb 06, 2017 at 10:24:31AM +0100, Jan Cholasta wrote: >> On 17.1.2017 08:57, David Kupka wrote: >>> On 13/01/17 08:07, Fraser Tweedale wrote: >>>> Related to design: >>>> http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication >>>> >>>> Currently there are some operations that hit the CA that involve a >>>> number of privileged operations against the CA, but for which there >>>> is only one associated IPA permission. Deleting a CA is a good >>>> example (but it is one specific case of a more general issue). >>>> Summary of current ca-del behaviour: >>>> >>>> 1. Disable LWCA in Dogtag (uses RA Agent cert) >>>> 2. Delete LWCA in Dogtag (uses RA Agent cert) >>>> 3. Delete CA entry from IPA (requires "System: Delete CA" permission) >>>> >>>> So there are two things going on under the hood: a modify operation >>>> (disable CA) and the delete. >>>> >>>> When we implement proxy authentication to Dogtag, Dogtag will >>>> enforce the IPA permissions on its operations. Disable will map to >>>> "System: Modify CA" and delete to "System: Delete CA". So to delete >>>> a CA a user will need *both* permissions. Which could be >>>> surprising. >>>> >>>> There are a couple of reasonable approaches to this. >>>> >>>> 1. Decouple the disable and delete operations. If CA is not >>>> disabled, the user will be instructed to execute the ca-disable >>>> command separately before they can disable the CA. This introduces >>>> an additional manual step for operators. >>>> >>>> 2. Just improve the error reporting. 
In my WIP, for a user that has >>>> 'System: Delete CA' permission but not 'System: Modify CA', the >>>> reported failure is a 403 Authorization Error from Dogtag. We can >>>> add guards to fail more gracefully. >>>> >>>> I lean towards #2 because I guess the common case will be that users >>>> either get all CA admin permissions, or none, and we don't want to >>>> make more work (in the form of more commands to run) for users in >>>> the common case. >>>> >>>> I welcome alternative views and suggestions. >>>> >>>> Thanks, >>>> Fraser >>>> >>> Hi Fraser, >>> as a user with "System: Delete CA" permission calling "ca-del" command I >>> would be really surprised that I don't have enough privileges to >>> complete the action. >>> >>> I would expect: >>> a) "Cannot delete active CA, disable it first" error. >>> b) Delete will be completed successfully. All internal and to my sight >>> hidden operations will be allowed just because I'm allowed to perform >>> the delete operation. >>> >>> I think that b) might lead to strange exceptions in authorization >>> checking and therefore to security issues. So I would prefer decoupling >>> ca-disable and ca-del as you're describing in 1). >> >> IMO having to disable the CA before deletion is an implementation detail and >> should not be exposed to the user at all. Why do we have to disable the CA >> from IPA in ca-del? I would expect Dogtag to disable it itself internally >> when it's being deleted. >> > The CA requiring disablement before deletion is a property of how > Dogtag Lightweight CAs are implement. I don't intend to change this > (besides, it might need to be this way for Common Criteria; a > similar restriction exists for profiles). OK. > > We could make it so that in IPA context, delete permission implies > disable permission. Currently (in Dogtag) permission to > enable/disable is the 'modify' permission. 
So to do this without > implying that someone with 'delete' permission as 'modify' > permission, I'd need to add an explicit 'enable/disable ca' > permission. +1 > > This is a good idea, but it is more work to add the required ACLs > (which will need to be done during IPA upgrade or installation). > I'll shelve https://github.com/freeipa/freeipa/pull/415 for now, but > keep the patch in my working branch and code it out later, if > there's time before release. Otherwise we might need to keep it > until there's time for the proper fix, so that things don't break. OK. I can give you a hand with the ACLs if you want. > > Thanks, > Fraser > -- Jan Cholasta From ftweedal at redhat.com Wed Feb 8 07:06:03 2017 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 8 Feb 2017 17:06:03 +1000 Subject: [Freeipa-devel] [DESIGN] IPA permission enforcement in Dogtag In-Reply-To: References: <20170113070713.GG4539@dhcp-40-8.bne.redhat.com> <06bccd8a-cebe-4acb-a5af-7c1ed985f313@redhat.com> <20170208062943.GX3557@dhcp-40-8.bne.redhat.com> Message-ID: <20170208070603.GY3557@dhcp-40-8.bne.redhat.com> On Wed, Feb 08, 2017 at 08:02:18AM +0100, Jan Cholasta wrote: > On 8.2.2017 07:29, Fraser Tweedale wrote: > > On Mon, Feb 06, 2017 at 10:24:31AM +0100, Jan Cholasta wrote: > > > On 17.1.2017 08:57, David Kupka wrote: > > > > On 13/01/17 08:07, Fraser Tweedale wrote: > > > > > Related to design: > > > > > http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication > > > > > > > > > > Currently there are some operations that hit the CA that involve a > > > > > number of privileged operations against the CA, but for which there > > > > > is only one associated IPA permission. Deleting a CA is a good > > > > > example (but it is one specific case of a more general issue). > > > > > Summary of current ca-del behaviour: > > > > > > > > > > 1. Disable LWCA in Dogtag (uses RA Agent cert) > > > > > 2. Delete LWCA in Dogtag (uses RA Agent cert) > > > > > 3. Delete CA entry from IPA (requires "System: Delete CA" permission) > > > > > > > > > > So there are two things going on under the hood: a modify operation > > > > > (disable CA) and the delete. > > > > > > > > > > When we implement proxy authentication to Dogtag, Dogtag will > > > > > enforce the IPA permissions on its operations. Disable will map to > > > > > "System: Modify CA" and delete to "System: Delete CA". So to delete > > > > > a CA a user will need *both* permissions. Which could be > > > > > surprising. > > > > > > > > > > There are a couple of reasonable approaches to this. > > > > > > > > > > 1. Decouple the disable and delete operations. 
If CA is not > > > > > disabled, the user will be instructed to execute the ca-disable > > > > > command separately before they can disable the CA. This introduces > > > > > an additional manual step for operators. > > > > > > > > > > 2. Just improve the error reporting. In my WIP, for a user that has > > > > > 'System: Delete CA' permission but not 'System: Modify CA', the > > > > > reported failure is a 403 Authorization Error from Dogtag. We can > > > > > add guards to fail more gracefully. > > > > > > > > > > I lean towards #2 because I guess the common case will be that users > > > > > either get all CA admin permissions, or none, and we don't want to > > > > > make more work (in the form of more commands to run) for users in > > > > > the common case. > > > > > > > > > > I welcome alternative views and suggestions. > > > > > > > > > > Thanks, > > > > > Fraser > > > > > > > > > Hi Fraser, > > > > as a user with "System: Delete CA" permission calling "ca-del" command I > > > > would be really surprised that I don't have enough privileges to > > > > complete the action. > > > > > > > > I would expect: > > > > a) "Cannot delete active CA, disable it first" error. > > > > b) Delete will be completed successfully. All internal and to my sight > > > > hidden operations will be allowed just because I'm allowed to perform > > > > the delete operation. > > > > > > > > I think that b) might lead to strange exceptions in authorization > > > > checking and therefore to security issues. So I would prefer decoupling > > > > ca-disable and ca-del as you're describing in 1). > > > > > > IMO having to disable the CA before deletion is an implementation detail and > > > should not be exposed to the user at all. Why do we have to disable the CA > > > from IPA in ca-del? I would expect Dogtag to disable it itself internally > > > when it's being deleted. > > > > > The CA requiring disablement before deletion is a property of how > > Dogtag Lightweight CAs are implement. 
> > I don't intend to change this
> > (besides, it might need to be this way for Common Criteria; a
> > similar restriction exists for profiles).
>
> OK.
>
> >
> > We could make it so that in IPA context, delete permission implies
> > disable permission. Currently (in Dogtag) permission to
> > enable/disable is the 'modify' permission. So to do this without
> > implying that someone with 'delete' permission as 'modify'
> > permission, I'd need to add an explicit 'enable/disable ca'
> > permission.
>
> +1
>
> >
> > This is a good idea, but it is more work to add the required ACLs
> > (which will need to be done during IPA upgrade or installation).
> > I'll shelve https://github.com/freeipa/freeipa/pull/415 for now, but
> > keep the patch in my working branch and code it out later, if
> > there's time before release. Otherwise we might need to keep it
> > until there's time for the proper fix, so that things don't break.
>
> OK. I can give you a hand with the ACLs if you want.
>
Thanks. The ACLs are part of Dogtag actually; so when we upgrade to
a version of Dogtag with the new permissions, new ACLs will need to
be added. There will be two versions of the ACLs: one set for use
with RA Agent cert authn, and one set for use with externally
authenticated FreeIPA principals.

There are a handful of similar "new ACLs to chase Dogtag changes"
that will be part of the GSS-API work. I have a good understanding
of what needs to happen.

Cheers,
Fraser

From jcholast at redhat.com Wed Feb 8 07:18:11 2017
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 8 Feb 2017 08:18:11 +0100 Subject: [Freeipa-devel] [DESIGN] IPA permission enforcement in Dogtag In-Reply-To: <20170208070603.GY3557@dhcp-40-8.bne.redhat.com> References: <20170113070713.GG4539@dhcp-40-8.bne.redhat.com> <06bccd8a-cebe-4acb-a5af-7c1ed985f313@redhat.com> <20170208062943.GX3557@dhcp-40-8.bne.redhat.com> <20170208070603.GY3557@dhcp-40-8.bne.redhat.com> Message-ID: On 8.2.2017 08:06, Fraser Tweedale wrote: > On Wed, Feb 08, 2017 at 08:02:18AM +0100, Jan Cholasta wrote: >> On 8.2.2017 07:29, Fraser Tweedale wrote: >>> On Mon, Feb 06, 2017 at 10:24:31AM +0100, Jan Cholasta wrote: >>>> On 17.1.2017 08:57, David Kupka wrote: >>>>> On 13/01/17 08:07, Fraser Tweedale wrote: >>>>>> Related to design: >>>>>> http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication >>>>>> >>>>>> Currently there are some operations that hit the CA that involve a >>>>>> number of privileged operations against the CA, but for which there >>>>>> is only one associated IPA permission. Deleting a CA is a good >>>>>> example (but it is one specific case of a more general issue). >>>>>> Summary of current ca-del behaviour: >>>>>> >>>>>> 1. Disable LWCA in Dogtag (uses RA Agent cert) >>>>>> 2. Delete LWCA in Dogtag (uses RA Agent cert) >>>>>> 3. Delete CA entry from IPA (requires "System: Delete CA" permission) >>>>>> >>>>>> So there are two things going on under the hood: a modify operation >>>>>> (disable CA) and the delete. >>>>>> >>>>>> When we implement proxy authentication to Dogtag, Dogtag will >>>>>> enforce the IPA permissions on its operations. Disable will map to >>>>>> "System: Modify CA" and delete to "System: Delete CA". So to delete >>>>>> a CA a user will need *both* permissions. Which could be >>>>>> surprising. >>>>>> >>>>>> There are a couple of reasonable approaches to this. >>>>>> >>>>>> 1. Decouple the disable and delete operations. 
If CA is not >>>>>> disabled, the user will be instructed to execute the ca-disable >>>>>> command separately before they can disable the CA. This introduces >>>>>> an additional manual step for operators. >>>>>> >>>>>> 2. Just improve the error reporting. In my WIP, for a user that has >>>>>> 'System: Delete CA' permission but not 'System: Modify CA', the >>>>>> reported failure is a 403 Authorization Error from Dogtag. We can >>>>>> add guards to fail more gracefully. >>>>>> >>>>>> I lean towards #2 because I guess the common case will be that users >>>>>> either get all CA admin permissions, or none, and we don't want to >>>>>> make more work (in the form of more commands to run) for users in >>>>>> the common case. >>>>>> >>>>>> I welcome alternative views and suggestions. >>>>>> >>>>>> Thanks, >>>>>> Fraser >>>>>> >>>>> Hi Fraser, >>>>> as a user with "System: Delete CA" permission calling "ca-del" command I >>>>> would be really surprised that I don't have enough privileges to >>>>> complete the action. >>>>> >>>>> I would expect: >>>>> a) "Cannot delete active CA, disable it first" error. >>>>> b) Delete will be completed successfully. All internal and to my sight >>>>> hidden operations will be allowed just because I'm allowed to perform >>>>> the delete operation. >>>>> >>>>> I think that b) might lead to strange exceptions in authorization >>>>> checking and therefore to security issues. So I would prefer decoupling >>>>> ca-disable and ca-del as you're describing in 1). >>>> >>>> IMO having to disable the CA before deletion is an implementation detail and >>>> should not be exposed to the user at all. Why do we have to disable the CA >>>> from IPA in ca-del? I would expect Dogtag to disable it itself internally >>>> when it's being deleted. >>>> >>> The CA requiring disablement before deletion is a property of how >>> Dogtag Lightweight CAs are implement. 
>>> I don't intend to change this
>>> (besides, it might need to be this way for Common Criteria; a
>>> similar restriction exists for profiles).
>>
>> OK.
>>
>>>
>>> We could make it so that in IPA context, delete permission implies
>>> disable permission. Currently (in Dogtag) permission to
>>> enable/disable is the 'modify' permission. So to do this without
>>> implying that someone with 'delete' permission as 'modify'
>>> permission, I'd need to add an explicit 'enable/disable ca'
>>> permission.
>>
>> +1
>>
>>>
>>> This is a good idea, but it is more work to add the required ACLs
>>> (which will need to be done during IPA upgrade or installation).
>>> I'll shelve https://github.com/freeipa/freeipa/pull/415 for now, but
>>> keep the patch in my working branch and code it out later, if
>>> there's time before release. Otherwise we might need to keep it
>>> until there's time for the proper fix, so that things don't break.
>>
>> OK. I can give you a hand with the ACLs if you want.
>>
> Thanks. The ACLs are part of Dogtag actually; so when we upgrade to
> a verison of Dogtag with the new permissions, new ACLs will need to
> be added. There will be two versions of the ACLs: one set for use
> with RA Agent cert authn, and one set for use with externally
> authenticated FreeIPA principals.
>
> There are a handful of similar "new ACLs to chase Dogtag changes"
> that will be part of the GSS-API work. I have a good understanding
> of what needs to happen.

I see. I thought you meant ACIs on the IPA side. Are we not going to rely on our ACIs for access control in Dogtag + GSSAPI?

>
> Cheers,
> Fraser
>

-- 
Jan Cholasta

From freeipa-github-notification at redhat.com Wed Feb 8 07:26:27 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 08 Feb 2017 08:26:27 +0100 Subject: [Freeipa-devel] [freeipa PR#427][+ack] [Py3] WSGI part 2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/427 Title: #427: [Py3] WSGI part 2 Label: +ack From freeipa-github-notification at redhat.com Wed Feb 8 07:27:01 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 08 Feb 2017 08:27:01 +0100 Subject: [Freeipa-devel] [freeipa PR#427][+pushed] [Py3] WSGI part 2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/427 Title: #427: [Py3] WSGI part 2 Label: +pushed From freeipa-github-notification at redhat.com Wed Feb 8 07:27:02 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 08 Feb 2017 08:27:02 +0100 Subject: [Freeipa-devel] [freeipa PR#427][comment] [Py3] WSGI part 2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/427 Title: #427: [Py3] WSGI part 2 HonzaCholasta commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/caa560ca79e4038b161b27d11e3f144606dbbcdb https://fedorahosted.org/freeipa/changeset/a93b2bea5ce88a934ba2ab39bdaa518fb55064c4 https://fedorahosted.org/freeipa/changeset/a3d3b0ad2537c9d11d9c6108c31e079f0dfcf31c https://fedorahosted.org/freeipa/changeset/03d0a55e8a21a334ca4dc625527cae93633a7314 https://fedorahosted.org/freeipa/changeset/a584758cfb87567a9c640ae107903b0f6c9fec30 https://fedorahosted.org/freeipa/changeset/ab53d80883320060769b7bfada2a813b345b9e4a https://fedorahosted.org/freeipa/changeset/4c84341b8bc14cd19a4e2c2df4c13b95ff7eeb05 """ See the full comment at https://github.com/freeipa/freeipa/pull/427#issuecomment-278250082 From freeipa-github-notification at redhat.com Wed Feb 8 07:27:04 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 08 Feb 2017 08:27:04 +0100
Subject: [Freeipa-devel] [freeipa PR#427][closed] [Py3] WSGI part 2
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/427
Author: MartinBasti
Title: #427: [Py3] WSGI part 2
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/427/head:pr427
git checkout pr427

From mkosek at redhat.com Wed Feb 8 07:29:26 2017
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 8 Feb 2017 08:29:26 +0100
Subject: [Freeipa-devel] FreeIPA and wildcard certificates
Message-ID: <1c7e5abb-9c33-1cdd-fd4b-221a15c85672@redhat.com>

Hi Fraser and the list,

I recently was in a conversation about integrating OpenShift with FreeIPA. One
of the gaps was around generating a wildcard certificate by FreeIPA that will
be used in the default OpenShift router for applications that do not deploy their
own certificates [1].

Is there any way that FreeIPA can generate it? I was thinking that uploading
some custom certificate profile in FreeIPA may let us get such a certificate...
Or is the only way we can add it by adding a new RFE in FreeIPA, tracked in
[2]?

Thanks!

[1] https://docs.openshift.com/container-platform/3.4/install_config/router/default_haproxy_router.html#using-wildcard-certificates
[2] https://fedorahosted.org/freeipa/ticket/3475

-- 
Martin Kosek
Manager, Software Engineering - Identity Management Team
Red Hat, Inc.

From freeipa-github-notification at redhat.com Wed Feb 8 07:37:47 2017
From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 08 Feb 2017 08:37:47 +0100 Subject: [Freeipa-devel] [freeipa PR#396][synchronized] Explicitly remove support of SSLv2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/396 Author: stlaz Title: #396: Explicitly remove support of SSLv2 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/396/head:pr396 git checkout pr396 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-396.patch Type: text/x-diff Size: 5830 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Feb 8 07:38:33 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 08 Feb 2017 08:38:33 +0100 Subject: [Freeipa-devel] [freeipa PR#396][comment] Explicitly remove support of SSLv2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/396 Title: #396: Explicitly remove support of SSLv2 stlaz commented: """ Done. Also added a docstring to the `get_proper_tls_version_span()` function. """ See the full comment at https://github.com/freeipa/freeipa/pull/396#issuecomment-278252451 From freeipa-github-notification at redhat.com Wed Feb 8 08:03:58 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 08 Feb 2017 09:03:58 +0100 Subject: [Freeipa-devel] [freeipa PR#428][synchronized] [WIP] [Py3] ipa-server-install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/428 Author: MartinBasti Title: #428: [WIP] [Py3] ipa-server-install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/428/head:pr428 git checkout pr428 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-428.patch Type: text/x-diff Size: 18003 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Feb 8 08:04:15 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 08 Feb 2017 09:04:15 +0100 Subject: [Freeipa-devel] [freeipa PR#428][edited] [WIP] [Py3] ipa-server-install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/428 Author: MartinBasti Title: #428: [WIP] [Py3] ipa-server-install Action: edited Changed field: title Original value: """ [WIP] [Py3] ipa-server-install """ From abokovoy at redhat.com Wed Feb 8 08:19:54 2017 
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 8 Feb 2017 10:19:54 +0200
Subject: [Freeipa-devel] FreeIPA and wildcard certificates
In-Reply-To: <1c7e5abb-9c33-1cdd-fd4b-221a15c85672@redhat.com>
References: <1c7e5abb-9c33-1cdd-fd4b-221a15c85672@redhat.com>
Message-ID: <20170208081954.c4kethc4lzjagdmp@redhat.com>

On Wed, 08 Feb 2017, Martin Kosek wrote:
>Hi Fraser and the list,
>
>I recently was in a conversation about integrating OpenShift with FreeIPA. One
>of the gaps was around generating a wildcard certificate by FreeIPA that will
>be used in the default OpenShift router for applications that do not deploy own
>certificates [1].
>
>Is there any way that FreeIPA can generate it? I was thinking that uploading
>some custom certificate profile in FreeIPA may let us get such certificate...
>Or is the the only way we can add it by adding a new RFE in FreeIPA, tracked in
>[2]?
Yes, we need a new RFE. There are checks in IPA that prevent wildcard
certificates from being issued:

- we ensure the subject 'cn' of the certificate matches a Kerberos principal
  specified in the request
- we validate that the host object exists in IPA when the Kerberos principal
  is host/...

We could lift these two limitations for 'cn=*,$suffix' but there is still
a need to apply proper ACLs when issuing the cert -- e.g. some object has
to be used for performing the access rights check. The wildcard certificate
does not need to be stored anywhere in the tree, but a check still needs
to be done.

For example, for the Kerberos PKINIT certificate which is issued to the KDC
we don't store the public certificate in LDAP either, but we do two checks:

- a special KDC certificate profile is used to issue the cert
- a special hostname check is done so that only IPA masters are able to
  request this certificate

For the wildcard certificate I think we could have the following:

- use a separate profile for the wildcard, associated with a sub-CA
- hardcode the CN default in the profile to always be 'CN=*, O=$SUB_CA_SUBJECT'
  so that the actual certificate ignores the requested CN.
- a special check to be done so that only wildcard-based subject alternative
  names can be added to a wildcard certificate request
- all Kerberos principal / hostname checks are skipped.
- the actual ACL check is done by CA ACL.

-- 
/ Alexander Bokovoy

From freeipa-github-notification at redhat.com Wed Feb 8 08:32:13 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 08 Feb 2017 09:32:13 +0100
Subject: [Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/370
Title: #370: ci: send build log to paste.fedoraproject.org

martbab commented:
"""
We were discussing your PR with @HonzaCholasta yesterday and he suggested that we could pack the test runner log, HTTP and dirsrv logs and server installer log into an archive and upload it to https://transfer.sh/ a very lightweight file hosting site. What do you think?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/370#issuecomment-278263943

From freeipa-github-notification at redhat.com Wed Feb 8 09:15:45 2017
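Alexander Bokovoy's sketch of a wildcard certificate profile in the wildcard-certificates thread above, modelled as an added Python example that is not FreeIPA or Dogtag code. `check_standard_request` models the two checks he says block wildcards today (subject CN must match the Kerberos principal in the request; for host/ principals the host object must exist in IPA). `check_wildcard_request` models the proposed profile: the CN is forced to 'CN=*, O=$SUB_CA_SUBJECT' whatever the CSR asked for, only wildcard dNSName SANs are accepted, the principal/host checks are skipped, and authorization is a CA ACL match on (requester group, profile, CA). The profile name `wildcardCert`, the sub-CA `openshift-router` and its subject, the host list, the groups and the CA ACL rules are all constructed state for this example; the rule that a wildcard must cover at least a two-label domain is a choice made here, not something the thread specifies.

```python
"""Request checks for a wildcard certificate profile (added example, not
FreeIPA or Dogtag code). All IPA state below is constructed."""
from dataclasses import dataclass


class RequestRejected(Exception):
    """Raised when a certificate request fails one of the IPA-side checks."""


# Constructed IPA state: enrolled hosts, sub-CAs (name -> subject DN) and
# CA ACL rules binding requester groups to profile/CA pairs.
KNOWN_HOSTS = {"node1.example.test", "router.example.test"}
SUB_CAS = {"openshift-router": "O=EXAMPLE.TEST Router CA"}
WILDCARD_PROFILE = "wildcardCert"  # assumed profile name
CA_ACLS = [
    {"groups": {"router-admins"}, "profiles": {WILDCARD_PROFILE},
     "cas": {"openshift-router"}},
    {"groups": {"ipaservers"}, "profiles": {"caIPAserviceCert"}, "cas": {"ipa"}},
]


@dataclass
class CertRequest:
    principal: str         # Kerberos principal named in the request
    requested_cn: str      # CN from the CSR subject
    san_dns: list          # dNSName SAN entries from the CSR
    profile: str
    ca: str
    requester_groups: set  # groups of the authenticated requester


def split_principal(principal: str):
    """'host/fqdn@REALM' -> ('host', 'fqdn'); 'user@REALM' -> ('', 'user')."""
    name = principal.partition("@")[0]
    service, _, host = name.rpartition("/")
    return service, host


def check_ca_acl(req: CertRequest) -> None:
    """Authorization is a CA ACL match on (requester group, profile, CA)."""
    for rule in CA_ACLS:
        if (req.profile in rule["profiles"] and req.ca in rule["cas"]
                and rule["groups"] & req.requester_groups):
            return
    raise RequestRejected(
        f"CA ACL denies profile '{req.profile}' on CA '{req.ca}'")


def check_standard_request(req: CertRequest) -> str:
    """The two checks that block wildcards in the normal request path."""
    service, host = split_principal(req.principal)
    if req.requested_cn != host:
        raise RequestRejected(
            f"subject CN '{req.requested_cn}' does not match principal "
            f"'{req.principal}'")
    if service == "host" and host not in KNOWN_HOSTS:
        raise RequestRejected(f"host object '{host}' not found in IPA")
    check_ca_acl(req)
    return f"CN={req.requested_cn}"


def is_wildcard_dnsname(name: str) -> bool:
    """One leading '*' label over at least a two-label domain; '*' nowhere else."""
    labels = name.lower().split(".")
    return (len(labels) >= 3 and labels[0] == "*"
            and all(lbl and "*" not in lbl for lbl in labels[1:]))


def check_wildcard_request(req: CertRequest) -> str:
    """Proposed profile: forced CN, wildcard-only SANs, no principal/host checks."""
    if req.ca not in SUB_CAS:
        raise RequestRejected(f"wildcard profile requires a sub-CA, got '{req.ca}'")
    if not req.san_dns:
        raise RequestRejected("wildcard request needs at least one dNSName SAN")
    bad = [n for n in req.san_dns if not is_wildcard_dnsname(n)]
    if bad:
        raise RequestRejected(f"non-wildcard SAN(s) rejected: {bad}")
    check_ca_acl(req)
    # The requested CN is ignored; the profile default wins.
    return f"CN=*, {SUB_CAS[req.ca]}"


def validate(req: CertRequest) -> str:
    """Dispatch on profile; returns the subject DN the CA would issue."""
    if req.profile == WILDCARD_PROFILE:
        return check_wildcard_request(req)
    return check_standard_request(req)


def outcome(req: CertRequest) -> tuple:
    """('issued', subject) or ('rejected', reason), for comparing cases."""
    try:
        return ("issued", validate(req))
    except RequestRejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    wild = CertRequest("host/router.example.test@EXAMPLE.TEST", "ignored",
                       ["*.apps.example.test"], WILDCARD_PROFILE,
                       "openshift-router", {"router-admins"})
    std = CertRequest("host/node1.example.test@EXAMPLE.TEST", "*.example.test",
                      [], "caIPAserviceCert", "ipa", {"ipaservers"})
    print(outcome(wild))  # issued with the profile's forced subject
    print(outcome(std))   # rejected: CN does not match the principal
```

Note that the wildcard path never consults `KNOWN_HOSTS`, so a request naming an unknown host is still issued as long as the CA ACL allows the requester to use the wildcard profile on that sub-CA; that is exactly the trade Alexander describes, with the CA ACL carrying the whole authorization decision.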
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 08 Feb 2017 10:15:45 +0100 Subject: [Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/370 Title: #370: ci: send build log to paste.fedoraproject.org HonzaCholasta commented: """ Right, I suggested https://transfer.sh, because uploading a file there is as easy as: ```bash curl --upload-file ./file https://transfer.sh/file ``` BTW I would not limit ourselves to the few logs @martbab suggested, but upload as much as possible: `/var/log/ipa*`, `/var/log/httpd`, `/var/log/dirsrv`, `/var/log/pki/pki-tomcat`, `journalctl` dump for all of our services, ... """ See the full comment at https://github.com/freeipa/freeipa/pull/370#issuecomment-278273110 From freeipa-github-notification at redhat.com Wed Feb 8 09:19:38 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 08 Feb 2017 10:19:38 +0100 Subject: [Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/370 Title: #370: ci: send build log to paste.fedoraproject.org martbab commented: """ @HonzaCholasta I have measured the size of the whole gzipp'ed /var/log directory from the CI run and it has around 6 megs. We may thus paste the whole archived directory there (including journal and stuff) and have all the bases covered. I am working on a POC patch and will see how it will turn out. """ See the full comment at https://github.com/freeipa/freeipa/pull/370#issuecomment-278273906 From freeipa-github-notification at redhat.com Wed Feb 8 09:23:02 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 08 Feb 2017 10:23:02 +0100 Subject: [Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/437 Author: tomaskrizek Title: #437: FIPS: replica install check Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/437/head:pr437 git checkout pr437 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-437.patch Type: text/x-diff Size: 8308 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Feb 8 09:44:46 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 08 Feb 2017 10:44:46 +0100 Subject: [Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/437 Title: #437: FIPS: replica install check stlaz commented: """ LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/437#issuecomment-278279899 From freeipa-github-notification at redhat.com Wed Feb 8 10:35:09 2017 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 08 Feb 2017 11:35:09 +0100 Subject: [Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/370 Title: #370: ci: send build log to paste.fedoraproject.org frasertweedale commented: """ :+1: sounds good. Take what's there and run with it :) """ See the full comment at https://github.com/freeipa/freeipa/pull/370#issuecomment-278291532 From freeipa-github-notification at redhat.com Wed Feb 8 10:36:40 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 08 Feb 2017 11:36:40 +0100 Subject: [Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/370 Title: #370: ci: send build log to paste.fedoraproject.org HonzaCholasta commented: """ @martbab, I would rather not include irrelevant stuff, it's just noise. """ See the full comment at https://github.com/freeipa/freeipa/pull/370#issuecomment-278291898 From freeipa-github-notification at redhat.com Wed Feb 8 11:31:23 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 08 Feb 2017 12:31:23 +0100 Subject: [Freeipa-devel] [freeipa PR#441][opened] Print test env information Message-ID: URL: https://github.com/freeipa/freeipa/pull/441 Author: tiran Title: #441: Print test env information Action: opened PR body: """ Print api.env, uname, euid/egid, cwd and Python version when tests are run with -v (e.g. ipa-run-tests -v). Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/441/head:pr441 git checkout pr441 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-441.patch Type: text/x-diff Size: 1239 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Feb 8 11:35:53 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 08 Feb 2017 12:35:53 +0100 Subject: [Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/370 Title: #370: ci: send build log to paste.fedoraproject.org martbab commented: """ @HonzaCholasta ok in that case I will archive: `/var/log/httpd`, `/var/log/dirsrv/`, `/var/log/pki/pki-tomcat`, `ipaserver/client-install.log` and a dump from systemd journal. Should be enough. """ See the full comment at https://github.com/freeipa/freeipa/pull/370#issuecomment-278304161 From freeipa-github-notification at redhat.com Wed Feb 8 12:27:16 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 08 Feb 2017 13:27:16 +0100 Subject: [Freeipa-devel] [freeipa PR#424][comment] Tests: fix wait_for_replication task In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/424 Title: #424: Tests: fix wait_for_replication task MartinBasti commented: """ bump for review """ See the full comment at https://github.com/freeipa/freeipa/pull/424#issuecomment-278315718 From freeipa-github-notification at redhat.com Wed Feb 8 12:28:47 2017 From: freeipa-github-notification at redhat.com (apophys) Date: Wed, 08 Feb 2017 13:28:47 +0100 Subject: [Freeipa-devel] [freeipa PR#424][+ack] Tests: fix wait_for_replication task In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/424 Title: #424: Tests: fix wait_for_replication task Label: +ack From freeipa-github-notification at redhat.com Wed Feb 8 12:29:52 2017 
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 08 Feb 2017 13:29:52 +0100
Subject: [Freeipa-devel] [freeipa PR#440][+ack] [Py3] fix various issues in tests related to BytesWarning

URL: https://github.com/freeipa/freeipa/pull/440
Title: #440: [Py3] fix various issues in tests related to BytesWarning
Label: +ack

From freeipa-github-notification at redhat.com Wed Feb 8 12:32:52 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 08 Feb 2017 13:32:52 +0100
Subject: [Freeipa-devel] [freeipa PR#442][opened] Add option to run tests in-tree and out-of-tree mode

URL: https://github.com/freeipa/freeipa/pull/442
Author: tiran
Title: #442: Add option to run tests in-tree and out-of-tree mode
Action: opened

PR body:
"""
By default ipa-run-tests and pytest auto-detect the presence of ../ipasetup.py.in and run tests in in-tree mode when the file exists. The option can be overridden with ipa-run-tests --in-tree=true/false.

Signed-off-by: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/442/head:pr442
git checkout pr442

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-442.patch
Type: text/x-diff
Size: 1932 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 12:41:02 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 08 Feb 2017 13:41:02 +0100
Subject: [Freeipa-devel] [freeipa PR#442][synchronized] Add option to run tests in-tree and out-of-tree mode

URL: https://github.com/freeipa/freeipa/pull/442
Author: tiran
Title: #442: Add option to run tests in-tree and out-of-tree mode
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/442/head:pr442
git checkout pr442

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-442.patch
Type: text/x-diff
Size: 2073 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 12:59:03 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Wed, 08 Feb 2017 13:59:03 +0100
Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-314.patch
Type: text/x-diff
Size: 240582 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 13:16:23 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 08 Feb 2017 14:16:23 +0100
Subject: [Freeipa-devel] [freeipa PR#424][+pushed] Tests: fix wait_for_replication task

URL: https://github.com/freeipa/freeipa/pull/424
Title: #424: Tests: fix wait_for_replication task
Label: +pushed

From freeipa-github-notification at redhat.com Wed Feb 8 13:16:24 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 08 Feb 2017 14:16:24 +0100
Subject: [Freeipa-devel] [freeipa PR#424][comment] Tests: fix wait_for_replication task

URL: https://github.com/freeipa/freeipa/pull/424
Title: #424: Tests: fix wait_for_replication task

martbab commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/ad1a5551d5ec716dc745f39e82d38cc634229cb0
"""

See the full comment at https://github.com/freeipa/freeipa/pull/424#issuecomment-278325879

From freeipa-github-notification at redhat.com Wed Feb 8 13:16:25 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 08 Feb 2017 14:16:25 +0100
Subject: [Freeipa-devel] [freeipa PR#424][closed] Tests: fix wait_for_replication task

URL: https://github.com/freeipa/freeipa/pull/424
Author: MartinBasti
Title: #424: Tests: fix wait_for_replication task
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/424/head:pr424
git checkout pr424

From freeipa-github-notification at redhat.com Wed Feb 8 13:19:58 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Feb 2017 14:19:58 +0100
Subject: [Freeipa-devel] [freeipa PR#426][comment] DNSSEC: forwarders validation improvement

URL: https://github.com/freeipa/freeipa/pull/426
Title: #426: DNSSEC: forwarders validation improvement

MartinBasti commented:
"""
I was thinking about it and I disagree. Checking forward zones behaves differently than the check for global forwarders. The validator `_dnssec_zone_forwarder_step2` is called against an IPA DNS server, so there shouldn't be that issue, as we know how bind is supposed to work.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/426#issuecomment-278326644

From freeipa-github-notification at redhat.com Wed Feb 8 13:56:41 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Feb 2017 14:56:41 +0100
Subject: [Freeipa-devel] [freeipa PR#423][synchronized] dns-update-system-records: add support for nsupdate output format

URL: https://github.com/freeipa/freeipa/pull/423
Author: MartinBasti
Title: #423: dns-update-system-records: add support for nsupdate output format
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/423/head:pr423
git checkout pr423

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-423.patch
Type: text/x-diff
Size: 6506 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 14:24:36 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 08 Feb 2017 15:24:36 +0100
Subject: [Freeipa-devel] [freeipa PR#443][opened] Stronger check for DM password during server install

URL: https://github.com/freeipa/freeipa/pull/443
Author: stlaz
Title: #443: Stronger check for DM password during server install
Action: opened

PR body:
"""
The DM password is used as an NSS database password during server installation, therefore it must comply with the NSS database requirements for passwords in FIPS mode.

https://fedorahosted.org/freeipa/ticket/5695
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/443/head:pr443
git checkout pr443

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-443.patch
Type: text/x-diff
Size: 1980 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 14:33:58 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Feb 2017 15:33:58 +0100
Subject: [Freeipa-devel] [freeipa PR#428][synchronized] [Py3] ipa-server-install

URL: https://github.com/freeipa/freeipa/pull/428
Author: MartinBasti
Title: #428: [Py3] ipa-server-install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/428/head:pr428
git checkout pr428

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-428.patch
Type: text/x-diff
Size: 17917 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 14:40:26 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Feb 2017 15:40:26 +0100
Subject: [Freeipa-devel] [freeipa PR#440][synchronized] [Py3] fix various issues in tests related to BytesWarning

URL: https://github.com/freeipa/freeipa/pull/440
Author: MartinBasti
Title: #440: [Py3] fix various issues in tests related to BytesWarning
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/440/head:pr440
git checkout pr440

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-440.patch
Type: text/x-diff
Size: 5188 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 14:41:34 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Feb 2017 15:41:34 +0100
Subject: [Freeipa-devel] [freeipa PR#440][comment] [Py3] fix various issues in tests related to BytesWarning

URL: https://github.com/freeipa/freeipa/pull/440
Title: #440: [Py3] fix various issues in tests related to BytesWarning

MartinBasti commented:
"""
The last commit has wrong ticket
"""

See the full comment at https://github.com/freeipa/freeipa/pull/440#issuecomment-278346559

From freeipa-github-notification at redhat.com Wed Feb 8 14:42:05 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Feb 2017 15:42:05 +0100
Subject: [Freeipa-devel] [freeipa PR#440][+pushed] [Py3] fix various issues in tests related to BytesWarning

URL: https://github.com/freeipa/freeipa/pull/440
Title: #440: [Py3] fix various issues in tests related to BytesWarning
Label: +pushed

From freeipa-github-notification at redhat.com Wed Feb 8 14:42:07 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Feb 2017 15:42:07 +0100
Subject: [Freeipa-devel] [freeipa PR#440][comment] [Py3] fix various issues in tests related to BytesWarning

URL: https://github.com/freeipa/freeipa/pull/440
Title: #440: [Py3] fix various issues in tests related to BytesWarning

MartinBasti commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/d38540acd614bcaa489023401fc8db7c02cd3892
https://fedorahosted.org/freeipa/changeset/6bb5af7bea21d44b4e5ee20cfaa2f76b12ea0929
https://fedorahosted.org/freeipa/changeset/a5ccdc16cbcec433ef061dfe65515e32c3021ea2
"""

See the full comment at https://github.com/freeipa/freeipa/pull/440#issuecomment-278346715

From freeipa-github-notification at redhat.com Wed Feb 8 14:42:10 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Feb 2017 15:42:10 +0100
Subject: [Freeipa-devel] [freeipa PR#440][closed] [Py3] fix various issues in tests related to BytesWarning

URL: https://github.com/freeipa/freeipa/pull/440
Author: MartinBasti
Title: #440: [Py3] fix various issues in tests related to BytesWarning
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/440/head:pr440
git checkout pr440

From freeipa-github-notification at redhat.com Wed Feb 8 14:52:37 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 08 Feb 2017 15:52:37 +0100
Subject: [Freeipa-devel] [freeipa PR#426][+ack] DNSSEC: forwarders validation improvement

URL: https://github.com/freeipa/freeipa/pull/426
Title: #426: DNSSEC: forwarders validation improvement
Label: +ack

From freeipa-github-notification at redhat.com Wed Feb 8 14:57:11 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Wed, 08 Feb 2017 15:57:11 +0100
Subject: [Freeipa-devel] [freeipa PR#443][comment] Stronger check for DM password during server install

URL: https://github.com/freeipa/freeipa/pull/443
Title: #443: Stronger check for DM password during server install

pvoborni commented:
"""
Function check_password_fips_nssdb_compatible looks like a great candidate for a unit test.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/443#issuecomment-278350912

From freeipa-github-notification at redhat.com Wed Feb 8 14:57:36 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Feb 2017 15:57:36 +0100
Subject: [Freeipa-devel] [freeipa PR#439][synchronized] [WIP] [Py3] testing both py2/py3 in travis

URL: https://github.com/freeipa/freeipa/pull/439
Author: MartinBasti
Title: #439: [WIP] [Py3] testing both py2/py3 in travis
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/439/head:pr439
git checkout pr439

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-439.patch
Type: text/x-diff
Size: 11987 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 15:00:13 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Feb 2017 16:00:13 +0100
Subject: [Freeipa-devel] [freeipa PR#426][+pushed] DNSSEC: forwarders validation improvement

URL: https://github.com/freeipa/freeipa/pull/426
Title: #426: DNSSEC: forwarders validation improvement
Label: +pushed

From freeipa-github-notification at redhat.com Wed Feb 8 15:00:14 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Feb 2017 16:00:14 +0100
Subject: [Freeipa-devel] [freeipa PR#426][comment] DNSSEC: forwarders validation improvement

URL: https://github.com/freeipa/freeipa/pull/426
Title: #426: DNSSEC: forwarders validation improvement

MartinBasti commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/387a1513bb9dc0dc546753bfaa8a59aae8f30b83
"""

See the full comment at https://github.com/freeipa/freeipa/pull/426#issuecomment-278351747

From freeipa-github-notification at redhat.com Wed Feb 8 15:00:15 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Feb 2017 16:00:15 +0100
Subject: [Freeipa-devel] [freeipa PR#426][closed] DNSSEC: forwarders validation improvement

URL: https://github.com/freeipa/freeipa/pull/426
Author: MartinBasti
Title: #426: DNSSEC: forwarders validation improvement
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/426/head:pr426
git checkout pr426

From freeipa-github-notification at redhat.com Wed Feb 8 15:08:05 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Feb 2017 16:08:05 +0100
Subject: [Freeipa-devel] [freeipa PR#439][synchronized] [WIP] [Py3] testing both py2/py3 in travis

URL: https://github.com/freeipa/freeipa/pull/439
Author: MartinBasti
Title: #439: [WIP] [Py3] testing both py2/py3 in travis
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/439/head:pr439
git checkout pr439

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-439.patch
Type: text/x-diff
Size: 12083 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 15:10:19 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Wed, 08 Feb 2017 16:10:19 +0100
Subject: [Freeipa-devel] [freeipa PR#423][comment] dns-update-system-records: add support for nsupdate output format

URL: https://github.com/freeipa/freeipa/pull/423
Title: #423: dns-update-system-records: add support for nsupdate output format

pvoborni commented:
"""
I've added acceptance criteria and a user story to the related FreeIPA ticket. I miss a "how to use" part - a specific example. This should be in the FreeIPA.org wiki, e.g. in a design page (the rest of the design page can be the copied user story and empty), but the "how to use" section with both auth methods is a critical part.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/423#issuecomment-278354671

From freeipa-github-notification at redhat.com Wed Feb 8 15:18:28 2017
From: freeipa-github-notification at redhat.com (redhatrises)
Date: Wed, 08 Feb 2017 16:18:28 +0100
Subject: [Freeipa-devel] [freeipa PR#444][opened] Allow nsaccountlock to be searched in user-find and user-show commands

URL: https://github.com/freeipa/freeipa/pull/444
Author: redhatrises
Title: #444: Allow nsaccountlock to be searched in user-find and user-show commands
Action: opened

PR body:
"""
This patch provides the ability to search and find users who are enabled/disabled in `ipa user-show` and `ipa user-find` commands without breaking API compatibility.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/444/head:pr444
git checkout pr444

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-444.patch
Type: text/x-diff
Size: 1804 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 15:24:05 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 08 Feb 2017 16:24:05 +0100
Subject: [Freeipa-devel] [freeipa PR#445][opened] Remove is_fips_enabled checks in installers and ipactl

URL: https://github.com/freeipa/freeipa/pull/445
Author: stlaz
Title: #445: Remove is_fips_enabled checks in installers and ipactl
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/5695
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/445/head:pr445
git checkout pr445

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-445.patch
Type: text/x-diff
Size: 3316 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 15:24:21 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Feb 2017 16:24:21 +0100
Subject: [Freeipa-devel] [freeipa PR#439][synchronized] [WIP] [Py3] testing both py2/py3 in travis

URL: https://github.com/freeipa/freeipa/pull/439
Author: MartinBasti
Title: #439: [WIP] [Py3] testing both py2/py3 in travis
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/439/head:pr439
git checkout pr439

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-439.patch
Type: text/x-diff
Size: 12083 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 15:25:14 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 08 Feb 2017 16:25:14 +0100
Subject: [Freeipa-devel] [freeipa PR#446][opened] Certdb passwd

URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
Title: #446: Certdb passwd
Action: opened

PR body:
"""
With this patchset, ipa-client-install should not ask for the NSS database password.

Prerequisite: https://github.com/freeipa/freeipa/pull/367
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/446/head:pr446
git checkout pr446

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-446.patch
Type: text/x-diff
Size: 5091 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 15:26:15 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 08 Feb 2017 16:26:15 +0100
Subject: [Freeipa-devel] [freeipa PR#446][edited] Certdb passwd

URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
Title: #446: Certdb passwd
Action: edited

Changed field: title
Original value:
"""
Certdb passwd
"""

From freeipa-github-notification at redhat.com Wed Feb 8 15:26:53 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 08 Feb 2017 16:26:53 +0100
Subject: [Freeipa-devel] [freeipa PR#446][edited] No NSS database passwords in ipa-client-install

URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
Title: #446: No NSS database passwords in ipa-client-install
Action: edited

Changed field: body
Original value:
"""
With this patchset, ipa-client-install should not ask for the NSS database password.

Prerequisite: https://github.com/freeipa/freeipa/pull/367
"""

From freeipa-github-notification at redhat.com Wed Feb 8 15:32:36 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 08 Feb 2017 16:32:36 +0100
Subject: [Freeipa-devel] [freeipa PR#443][synchronized] Stronger check for DM password during server install

URL: https://github.com/freeipa/freeipa/pull/443
Author: stlaz
Title: #443: Stronger check for DM password during server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/443/head:pr443
git checkout pr443

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-443.patch
Type: text/x-diff
Size: 1984 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 15:35:33 2017
From: freeipa-github-notification at redhat.com (redhatrises)
Date: Wed, 08 Feb 2017 16:35:33 +0100
Subject: [Freeipa-devel] [freeipa PR#444][synchronized] Allow nsaccountlock to be searched in user-find and user-show commands

URL: https://github.com/freeipa/freeipa/pull/444
Author: redhatrises
Title: #444: Allow nsaccountlock to be searched in user-find and user-show commands
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/444/head:pr444
git checkout pr444

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-444.patch
Type: text/x-diff
Size: 1802 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 15:40:56 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 08 Feb 2017 16:40:56 +0100
Subject: [Freeipa-devel] [freeipa PR#447][opened] AD trust installer modularization: prelude

URL: https://github.com/freeipa/freeipa/pull/447
Author: martbab
Title: #447: AD trust installer modularization: prelude
Action: opened

PR body:
"""
This PR is more of a preparatory work for the modularization of the AD trust installer code. The code was formatted to conform with PEP-8, explicit exit statements were replaced with exceptions and minor pylint issues were fixed.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/447/head:pr447
git checkout pr447

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-447.patch
Type: text/x-diff
Size: 29698 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 15:48:24 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Feb 2017 16:48:24 +0100
Subject: [Freeipa-devel] [freeipa PR#439][synchronized] [WIP] [Py3] testing both py2/py3 in travis

URL: https://github.com/freeipa/freeipa/pull/439
Author: MartinBasti
Title: #439: [WIP] [Py3] testing both py2/py3 in travis
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/439/head:pr439
git checkout pr439

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-439.patch
Type: text/x-diff
Size: 12071 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 16:01:28 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Wed, 08 Feb 2017 17:01:28 +0100
Subject: [Freeipa-devel] [freeipa PR#447][comment] AD trust installer modularization: prelude

URL: https://github.com/freeipa/freeipa/pull/447
Title: #447: AD trust installer modularization: prelude

abbra commented:
"""
LGTM -- I haven't run the code but read through it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/447#issuecomment-278370312

From freeipa-github-notification at redhat.com Wed Feb 8 16:09:35 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 08 Feb 2017 17:09:35 +0100
Subject: [Freeipa-devel] [freeipa PR#431][+ack] py3: ldapupdate: fix logging str(bytes) issue

URL: https://github.com/freeipa/freeipa/pull/431
Title: #431: py3: ldapupdate: fix logging str(bytes) issue
Label: +ack

From freeipa-github-notification at redhat.com Wed Feb 8 16:10:39 2017
From: freeipa-github-notification at redhat.com (gkaihorodova)
Date: Wed, 08 Feb 2017 17:10:39 +0100
Subject: [Freeipa-devel] [freeipa PR#448][opened] Tests: Basic coverage with tree root domain

URL: https://github.com/freeipa/freeipa/pull/448
Author: gkaihorodova
Title: #448: Tests: Basic coverage with tree root domain
Action: opened

PR body:
"""
Tests: Basic coverage with tree root domain

Extend existing legacy client tests to cover test cases with tree root domain.

https://fedorahosted.org/freeipa/ticket/6489
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/448/head:pr448
git checkout pr448

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-448.patch
Type: text/x-diff
Size: 5957 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 16:14:34 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 08 Feb 2017 17:14:34 +0100
Subject: [Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check

URL: https://github.com/freeipa/freeipa/pull/437
Author: tomaskrizek
Title: #437: FIPS: replica install check
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/437/head:pr437
git checkout pr437

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-437.patch
Type: text/x-diff
Size: 8961 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 16:15:57 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 08 Feb 2017 17:15:57 +0100
Subject: [Freeipa-devel] [freeipa PR#449][opened] Travis CI: Upload the logs from failed jobs to transfer.sh

URL: https://github.com/freeipa/freeipa/pull/449
Author: martbab
Title: #449: Travis CI: Upload the logs from failed jobs to transfer.sh
Action: opened

PR body:
"""
When a non-lint job fails, all the relevant logs from the test runner will be gzipped and uploaded to the https://transfer.sh file sharing service. The download link will then be displayed at the very end of the Travis build log.

You can see the output of a failed job here: https://travis-ci.org/martbab/freeipa/jobs/199647801

Just go all the way to the bottom of the log and expand the last statement. I have not found any other way to make the link more visible, unfortunately.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/449/head:pr449
git checkout pr449

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-449.patch
Type: text/x-diff
Size: 242041 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 16:17:31 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 08 Feb 2017 17:17:31 +0100
Subject: [Freeipa-devel] [freeipa PR#449][synchronized] Travis CI: Upload the logs from failed jobs to transfer.sh

URL: https://github.com/freeipa/freeipa/pull/449
Author: martbab
Title: #449: Travis CI: Upload the logs from failed jobs to transfer.sh
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/449/head:pr449
git checkout pr449

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-449.patch
Type: text/x-diff
Size: 2702 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 16:24:41 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 08 Feb 2017 17:24:41 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
`make dist` failed if configure was executed with `--disable-server`

```
make[3]: Leaving directory '/workdir/freeipa/po'
make[2]: Leaving directory '/workdir/freeipa/po'
(cd daemons && make top_distdir=../freeipa-4.4.90.dev201702081623+git9da17b545 distdir=../freeipa-4.4.90.dev201702081623+git9da17b545/daemons \
  am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
make[2]: Entering directory '/workdir/freeipa/daemons'
make[2]: *** No rule to make target 'distdir'. Stop.
make[2]: Leaving directory '/workdir/freeipa/daemons'
make[1]: *** [Makefile:707: distdir] Error 1
make[1]: Leaving directory '/workdir/freeipa'
make: *** [Makefile:806: dist] Error 2
```

Do we care?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-278377302

From freeipa-github-notification at redhat.com Wed Feb 8 16:36:58 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 08 Feb 2017 17:36:58 +0100
Subject: [Freeipa-devel] [freeipa PR#448][comment] Tests: Basic coverage with tree root domain

URL: https://github.com/freeipa/freeipa/pull/448
Title: #448: Tests: Basic coverage with tree root domain

martbab commented:
"""
I have quickly skimmed through the code and have one comment. Also, I have noticed the extreme code triplication of the test cases. I think that this warrants some refactoring first before adding tree-root domain tests.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/448#issuecomment-278381632

From freeipa-github-notification at redhat.com Wed Feb 8 17:06:43 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 08 Feb 2017 18:06:43 +0100
Subject: [Freeipa-devel] [freeipa PR#450][opened] Add FIPS-token password of HTTPD NSS database

URL: https://github.com/freeipa/freeipa/pull/450
Author: stlaz
Title: #450: Add FIPS-token password of HTTPD NSS database
Action: opened

PR body:
"""
This change is required for httpd to function properly in FIPS

https://fedorahosted.org/freeipa/ticket/5695
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/450/head:pr450
git checkout pr450

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-450.patch
Type: text/x-diff
Size: 1335 bytes

From freeipa-github-notification at redhat.com Wed Feb 8 17:15:35 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Feb 2017 18:15:35 +0100
Subject: [Freeipa-devel] [freeipa PR#431][+pushed] py3: ldapupdate: fix logging str(bytes) issue

URL: https://github.com/freeipa/freeipa/pull/431
Title: #431: py3: ldapupdate: fix logging str(bytes) issue
Label: +pushed

From freeipa-github-notification at redhat.com Wed Feb 8 17:15:37 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Feb 2017 18:15:37 +0100
Subject: [Freeipa-devel] [freeipa PR#431][comment] py3: ldapupdate: fix logging str(bytes) issue

URL: https://github.com/freeipa/freeipa/pull/431
Title: #431: py3: ldapupdate: fix logging str(bytes) issue

MartinBasti commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/b24787a67fd8b19b9222979a963a8f28b22153ee
"""

See the full comment at https://github.com/freeipa/freeipa/pull/431#issuecomment-278394914

From freeipa-github-notification at redhat.com Wed Feb 8 17:15:38 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Feb 2017 18:15:38 +0100
Subject: [Freeipa-devel] [freeipa PR#431][closed] py3: ldapupdate: fix logging str(bytes) issue
URL: https://github.com/freeipa/freeipa/pull/431
Author: MartinBasti
Title: #431: py3: ldapupdate: fix logging str(bytes) issue
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/431/head:pr431
git checkout pr431

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Feb 2017 18:26:20 +0100
Subject: [Freeipa-devel] [freeipa PR#439][synchronized] [WIP] [Py3] testing both py2/py3 in travis
URL: https://github.com/freeipa/freeipa/pull/439
Author: MartinBasti
Title: #439: [WIP] [Py3] testing both py2/py3 in travis
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/439/head:pr439
git checkout pr439

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-439.patch
Type: text/x-diff
Size: 12067 bytes
Desc: not available
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 08 Feb 2017 18:35:22 +0100
Subject: [Freeipa-devel] [freeipa PR#445][synchronized] Remove is_fips_enabled checks in installers and ipactl
URL: https://github.com/freeipa/freeipa/pull/445
Author: stlaz
Title: #445: Remove is_fips_enabled checks in installers and ipactl
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/445/head:pr445
git checkout pr445

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-445.patch
Type: text/x-diff
Size: 3724 bytes
Desc: not available
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 08 Feb 2017 18:36:37 +0100
Subject: [Freeipa-devel] [freeipa PR#451][opened] certdb: remove unused keysize property
URL: https://github.com/freeipa/freeipa/pull/451
Author: tomaskrizek
Title: #451: certdb: remove unused keysize property
Action: opened

PR body:
"""
Keysize property is no longer used anywhere in the code. It was originally introduced for the request_cert function, which was later refactored to use a function argument instead.

---

The value of this property caught my eye, because I don't think we should be using 1024bit keys. Fortunately, I discovered this bit of code is obsolete and we actually use 2048bit key length by default.

Commit that originally introduced the property: 158b4e8ff4704b967d4049e2a16f9b32fbb33b80
Commit that removed the usage of the property: 9182c10b03a7841c9318ad64ae6c5deda77d93d1
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/451/head:pr451
git checkout pr451

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-451.patch
Type: text/x-diff
Size: 898 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 08 Feb 2017 18:39:33 +0100
Subject: [Freeipa-devel] [freeipa PR#451][comment] certdb: remove unused keysize property
URL: https://github.com/freeipa/freeipa/pull/451
Title: #451: certdb: remove unused keysize property

stlaz commented:
"""
If you want to remove them, you may want to check for other properties as well (I see `valid_months` at least).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/451#issuecomment-278403244
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 08 Feb 2017 18:46:40 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
See inline comment and issue above; otherwise LGTM.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-278405529

From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 08 Feb 2017 19:03:49 +0100
Subject: [Freeipa-devel] [freeipa PR#451][synchronized] certdb: remove unused keysize property
URL: https://github.com/freeipa/freeipa/pull/451
Author: tomaskrizek
Title: #451: certdb: remove unused keysize property
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/451/head:pr451
git checkout pr451

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-451.patch
Type: text/x-diff
Size: 1809 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 08 Feb 2017 19:04:42 +0100
Subject: [Freeipa-devel] [freeipa PR#451][comment] certdb: remove unused keysize property
URL: https://github.com/freeipa/freeipa/pull/451
Title: #451: certdb: remove unused keysize property

tomaskrizek commented:
"""
Commit that removed valid_moths property: e736e75ce9724ae8298a5b69d093313cd6e62b60
"""

See the full comment at https://github.com/freeipa/freeipa/pull/451#issuecomment-278411676
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 08 Feb 2017 19:10:58 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tomaskrizek commented:
"""
@tiran Do you need `make dist` for anything? I'm not aware of any plans to release client-only IPA sources, so I don't think it's needed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-278413427

From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 08 Feb 2017 19:19:57 +0100
Subject: [Freeipa-devel] [freeipa PR#364][synchronized] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Author: tiran
Title: #364: Client-only builds with --disable-server
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/364/head:pr364
git checkout pr364

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-364.patch
Type: text/x-diff
Size: 19119 bytes
Desc: not available
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 08 Feb 2017 19:21:28 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
@tomaskrizek @lslebodn Although I don't need `make dist`, you made me aware of a bug in `Makefile.am`. automake and `+=` do not mix well. I moved the list into a new var `SERVER_SUBDIRS`.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-278416196

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 08 Feb 2017 20:09:51 +0100
Subject: [Freeipa-devel] [freeipa PR#452][opened] [ WIP] ipa-run-tests: allow to run tests with server-api
URL: https://github.com/freeipa/freeipa/pull/452
Author: MartinBasti
Title: #452: [ WIP] ipa-run-tests: allow to run tests with server-api
Action: opened

PR body:
"""
This allows testing server-api with ipa-run-tests. It is useful because internal error tracebacks are printed to the test output and it is handy to use it with the python -bb option to check BytesWarnings.

- I haven't tested option parsing in pytest yet, only the code around that allows running server_api
- This can be useful with Travis to see tracebacks directly in test output
- tests may be faster
- we should really rename test_xmlrpc to something like test_api
- I will use this for python -bb testing
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/452/head:pr452
git checkout pr452

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-452.patch
Type: text/x-diff
Size: 3151 bytes
Desc: not available
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 08 Feb 2017 21:06:35 +0100
Subject: [Freeipa-devel] [freeipa PR#364][synchronized] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Author: tiran
Title: #364: Client-only builds with --disable-server
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/364/head:pr364
git checkout pr364

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-364.patch
Type: text/x-diff
Size: 19120 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Thu, 09 Feb 2017 01:05:00 +0100
Subject: [Freeipa-devel] [freeipa PR#451][comment] certdb: remove unused keysize property
URL: https://github.com/freeipa/freeipa/pull/451
Title: #451: certdb: remove unused keysize property

frasertweedale commented:
"""
Conditional ACK: just fix the typo `s/moths/months/` in the commit message.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/451#issuecomment-278503991
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Thu, 09 Feb 2017 01:21:03 +0100
Subject: [Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370
Title: #370: ci: send build log to paste.fedoraproject.org

frasertweedale commented:
"""
Superseded by https://github.com/freeipa/freeipa/pull/449 ; closing.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/370#issuecomment-278506829

From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Thu, 09 Feb 2017 01:21:04 +0100
Subject: [Freeipa-devel] [freeipa PR#370][closed] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370
Author: frasertweedale
Title: #370: ci: send build log to paste.fedoraproject.org
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/370/head:pr370
git checkout pr370
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 9 Feb 2017 11:12:00 +1000
Subject: [Freeipa-devel] FreeIPA and wildcard certificates
In-Reply-To: <20170208081954.c4kethc4lzjagdmp@redhat.com>
References: <1c7e5abb-9c33-1cdd-fd4b-221a15c85672@redhat.com> <20170208081954.c4kethc4lzjagdmp@redhat.com>
Message-ID: <20170209011200.GA3557@dhcp-40-8.bne.redhat.com>

On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote:
> On ke, 08 helmi 2017, Martin Kosek wrote:
> > Hi Fraser and the list,
> >
> > I recently was in a conversation about integrating OpenShift with FreeIPA. One
> > of the gaps was around generating a wildcard certificate by FreeIPA that will
> > be used in the default OpenShift router for applications that do not deploy own
> > certificates [1].
> >
> > Is there any way that FreeIPA can generate it? I was thinking that uploading
> > some custom certificate profile in FreeIPA may let us get such certificate...
> > Or is the only way we can add it by adding a new RFE in FreeIPA, tracked in
> > [2]?
> Yes, we need a new RFE. There are checks in IPA that prevent wildcard
> certificates from being issued:
>
> - we ensure subject 'cn' of the certificate matches a Kerberos principal
>   specified in the request
>
> - we validate that host object exists in IPA when the Kerberos
>   principal is host/...
>
> We could lift off these two limitations for 'cn=*,$suffix' but there is
> still a need to apply proper ACLs when issuing the cert -- e.g. some
> object has to be used for performing access rights check. The wildcard
> certificate does not need to be stored anywhere in the tree, but a
> check still needs to be done.
>
> For example, for Kerberos PKINIT certificate which is issued to KDC we
> don't store public certificate in LDAP either but we do two checks:
> - a special KDC certificate profile is used to issue the cert
> - a special hostname check is done so that only IPA masters are able to
>   request this certificate
>
> For the wildcard certificate I think we could have the following:
> - use a separate profile for the wildcard, associated with a sub-CA
> - hardcode CN default in the profile to always be 'CN=*, O=$SUB_CA_SUBJECT' so that
>   actual certificate ignores requested CN.
> - a special check to be done so that only wildcard-based subject
>   alternative names can be added to a wildcard certificate request
> - all Kerberos principal / hostname checks are skipped.
> - actual ACL check is done by CA ACL.
>
Issuing wildcard certs is a deprecated practice[1]. I am not
dismissing the needs of OpenShift (or PaaS/IaaS solutions in
general) but I'd like to have a discussion with them about how
they're currently dealing with certs and whether a different
direction other than wildcard certs is feasible. Martin, who should
I reach out to? Feel free to copy them into this discussion.

[1] https://tools.ietf.org/html/rfc6125#section-7.2

If we do go ahead with wildcard cert support in FreeIPA, some of my
initial questions are:

- For the OpenShift use case, what is the "parent" domain name and
  is it the same as the IPA domain name? Is it a subdomain of the
  IPA domain name?

- Do we need to support issuing "*.${IPA_DOMAIN}"? i.e. wildcard
  cert under entire IPA domain name.

- Do we need to support issuing "*.${IPA_HOSTNAME}"? i.e. wildcard
  certs under names of IPA host principals.

Cheers,
Fraser
From: freeipa-github-notification at redhat.com (LiptonB)
Date: Thu, 09 Feb 2017 03:53:28 +0100
Subject: [Freeipa-devel] [freeipa PR#434][synchronized] csrgen: Automate full cert request flow
URL: https://github.com/freeipa/freeipa/pull/434
Author: LiptonB
Title: #434: csrgen: Automate full cert request flow
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/434/head:pr434
git checkout pr434

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-434.patch
Type: text/x-diff
Size: 12249 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (LiptonB)
Date: Thu, 09 Feb 2017 04:15:52 +0100
Subject: [Freeipa-devel] [freeipa PR#433][synchronized] csrgen: Allow some certificate fields to be specified by the user
URL: https://github.com/freeipa/freeipa/pull/433
Author: LiptonB
Title: #433: csrgen: Allow some certificate fields to be specified by the user
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/433/head:pr433
git checkout pr433

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-433.patch
Type: text/x-diff
Size: 14143 bytes
Desc: not available
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Thu, 09 Feb 2017 07:50:39 +0100
Subject: [Freeipa-devel] [freeipa PR#443][comment] Stronger check for DM password during server install
URL: https://github.com/freeipa/freeipa/pull/443
Title: #443: Stronger check for DM password during server install

HonzaCholasta commented:
"""
IMHO you got it backwards - DM password may not comply with NSS requirements for passwords, therefore it must not be used as a password for any NSS database during server install.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/443#issuecomment-278561684
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 9 Feb 2017 08:37:23 +0100
Subject: [Freeipa-devel] FreeIPA and wildcard certificates
In-Reply-To: <20170209011200.GA3557@dhcp-40-8.bne.redhat.com>
References: <1c7e5abb-9c33-1cdd-fd4b-221a15c85672@redhat.com> <20170208081954.c4kethc4lzjagdmp@redhat.com> <20170209011200.GA3557@dhcp-40-8.bne.redhat.com>
Message-ID: <340637ac-a6ba-517a-e2e8-a9ddaf7e63d5@redhat.com>

On 02/09/2017 02:12 AM, Fraser Tweedale wrote:
> On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote:
>> On ke, 08 helmi 2017, Martin Kosek wrote:
>>> Hi Fraser and the list,
>>>
>>> I recently was in a conversation about integrating OpenShift with FreeIPA. One
>>> of the gaps was around generating a wildcard certificate by FreeIPA that will
>>> be used in the default OpenShift router for applications that do not deploy own
>>> certificates [1].
>>>
>>> Is there any way that FreeIPA can generate it? I was thinking that uploading
>>> some custom certificate profile in FreeIPA may let us get such certificate...
>>> Or is the only way we can add it by adding a new RFE in FreeIPA, tracked in
>>> [2]?
>> Yes, we need a new RFE. There are checks in IPA that prevent wildcard
>> certificates from being issued:
>>
>> - we ensure subject 'cn' of the certificate matches a Kerberos principal
>>   specified in the request
>>
>> - we validate that host object exists in IPA when the Kerberos
>>   principal is host/...
>>
>> We could lift off these two limitations for 'cn=*,$suffix' but there is
>> still a need to apply proper ACLs when issuing the cert -- e.g. some
>> object has to be used for performing access rights check. The wildcard
>> certificate does not need to be stored anywhere in the tree, but a
>> check still needs to be done.
>>
>> For example, for Kerberos PKINIT certificate which is issued to KDC we
>> don't store public certificate in LDAP either but we do two checks:
>> - a special KDC certificate profile is used to issue the cert
>> - a special hostname check is done so that only IPA masters are able to
>>   request this certificate
>>
>> For the wildcard certificate I think we could have the following:
>> - use a separate profile for the wildcard, associated with a sub-CA
>> - hardcode CN default in the profile to always be 'CN=*, O=$SUB_CA_SUBJECT' so that
>>   actual certificate ignores requested CN.
>> - a special check to be done so that only wildcard-based subject
>>   alternative names can be added to a wildcard certificate request
>> - all Kerberos principal / hostname checks are skipped.
>> - actual ACL check is done by CA ACL.
>>
> Issuing wildcard certs is a deprecated practice[1]. I am not
> dismissing the needs of OpenShift (or PaaS/IaaS solutions in
> general) but I'd like to have a discussion with them about how
> they're currently dealing with certs and whether a different
> direction other than wildcard certs is feasible. Martin, who should
> I reach out to? Feel free to copy them into this discussion.

Right now, I am talking to a Solution Architect, i.e. someone who is building
GAed solutions, not developers. This is not something we would change
short-term anyway, this is how current OpenShift v2 or v3 behaves, despite the
RFC.

While I understand why having certificate *.lab.example.com and using it for my
lab machines is a bad idea and increases the attack vector, I do not see it
that way for OpenShift. There, applications get URL like ".myopenshift.test"
and all is routed by one entity, the OpenShift broker. So the key.cert is on
one location, just serving different names that are provisioned with OpenShift.
I can understand that issuing a new certificate for every application
provisioned by OpenShift and then renewing it complicates the design
significantly.

I am trying to be creative and see if current OpenShift could leverage FreeIPA
CA and issue the broker cert, with current profile capabilities or with small
change.

> [1] https://tools.ietf.org/html/rfc6125#section-7.2
>
> If we do go ahead with wildcard cert support in FreeIPA, some of my
> initial questions are:
>
> - For the OpenShift use case, what is the "parent" domain name and
>   is it the same as the IPA domain name? Is it a subdomain of the
>   IPA domain name?
>
> - Do we need to support issuing "*.${IPA_DOMAIN}"? i.e. wildcard
>   cert under entire IPA domain name.
>
> - Do we need to support issuing "*.${IPA_HOSTNAME}"? i.e. wildcard
>   certs under names of IPA host principals.

I do not know, but I can ask if it is important for you :-)

Martin
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 9 Feb 2017 09:42:38 +0200
Subject: [Freeipa-devel] FreeIPA and wildcard certificates
In-Reply-To: <20170209011200.GA3557@dhcp-40-8.bne.redhat.com>
References: <1c7e5abb-9c33-1cdd-fd4b-221a15c85672@redhat.com> <20170208081954.c4kethc4lzjagdmp@redhat.com> <20170209011200.GA3557@dhcp-40-8.bne.redhat.com>
Message-ID: <20170209074238.q6f6o7xwpi7r5pxj@redhat.com>

On to, 09 helmi 2017, Fraser Tweedale wrote:
>On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote:
>> On ke, 08 helmi 2017, Martin Kosek wrote:
>> > Hi Fraser and the list,
>> >
>> > I recently was in a conversation about integrating OpenShift with FreeIPA. One
>> > of the gaps was around generating a wildcard certificate by FreeIPA that will
>> > be used in the default OpenShift router for applications that do not deploy own
>> > certificates [1].
>> >
>> > Is there any way that FreeIPA can generate it? I was thinking that uploading
>> > some custom certificate profile in FreeIPA may let us get such certificate...
>> > Or is the only way we can add it by adding a new RFE in FreeIPA, tracked in
>> > [2]?
>> Yes, we need a new RFE. There are checks in IPA that prevent wildcard
>> certificates from being issued:
>>
>> - we ensure subject 'cn' of the certificate matches a Kerberos principal
>>   specified in the request
>>
>> - we validate that host object exists in IPA when the Kerberos
>>   principal is host/...
>>
>> We could lift off these two limitations for 'cn=*,$suffix' but there is
>> still a need to apply proper ACLs when issuing the cert -- e.g. some
>> object has to be used for performing access rights check. The wildcard
>> certificate does not need to be stored anywhere in the tree, but a
>> check still needs to be done.
>>
>> For example, for Kerberos PKINIT certificate which is issued to KDC we
>> don't store public certificate in LDAP either but we do two checks:
>> - a special KDC certificate profile is used to issue the cert
>> - a special hostname check is done so that only IPA masters are able to
>>   request this certificate
>>
>> For the wildcard certificate I think we could have the following:
>> - use a separate profile for the wildcard, associated with a sub-CA
>> - hardcode CN default in the profile to always be 'CN=*, O=$SUB_CA_SUBJECT' so that
>>   actual certificate ignores requested CN.
>> - a special check to be done so that only wildcard-based subject
>>   alternative names can be added to a wildcard certificate request
>> - all Kerberos principal / hostname checks are skipped.
>> - actual ACL check is done by CA ACL.
>>
>Issuing wildcard certs is a deprecated practice[1]. I am not
>dismissing the needs of OpenShift (or PaaS/IaaS solutions in
>general) but I'd like to have a discussion with them about how
>they're currently dealing with certs and whether a different
>direction other than wildcard certs is feasible. Martin, who should
>I reach out to? Feel free to copy them into this discussion.
>
>[1] https://tools.ietf.org/html/rfc6125#section-7.2
While it is not recommended to issue wildcard certificates, it is far
from being a deprecated practice. In fact, almost all commercial CAs do
have wildcard certificate product in their portfolio. We also have seen
customers coming to use FreeIPA with wildcard certificates issued by
external CAs. This practice is not going to disappear.

>If we do go ahead with wildcard cert support in FreeIPA, some of my
>initial questions are:
>
>- For the OpenShift use case, what is the "parent" domain name and
>  is it the same as the IPA domain name? Is it a subdomain of the
>  IPA domain name?
>
>- Do we need to support issuing "*.${IPA_DOMAIN}"? i.e. wildcard
>  cert under entire IPA domain name.
>
>- Do we need to support issuing "*.${IPA_HOSTNAME}"? i.e. wildcard
>  certs under names of IPA host principals.
Another question would be:

- Do we need to support issuing "hostname.*.${IPA_DOMAIN}"? I.e. wildcard
  cert where a '*' character is not a leftmost label.

-- 
/ Alexander Bokovoy

From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 09 Feb 2017 09:09:07 +0100
Subject: [Freeipa-devel] [freeipa PR#450][synchronized] Add FIPS-token password of HTTPD NSS database
URL: https://github.com/freeipa/freeipa/pull/450
Author: stlaz
Title: #450: Add FIPS-token password of HTTPD NSS database
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/450/head:pr450
git checkout pr450

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-450.patch
Type: text/x-diff
Size: 1032 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 09 Feb 2017 10:11:35 +0100
Subject: [Freeipa-devel] [freeipa PR#443][comment] Stronger check for DM password during server install
URL: https://github.com/freeipa/freeipa/pull/443
Title: #443: Stronger check for DM password during server install

stlaz commented:
"""
@HonzaCholasta: +1, you're right, I should investigate more on how to change this behavior, either we or Dogtag don't behave correctly here.

@pvoborni, @tomaskrizek: out of curiosity, do we have a design/guideline on how to write unit tests for FreeIPA? Did not find any.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/443#issuecomment-278586306
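The request-side checks sketched in the wildcard-certificate thread above (only wildcard names in a wildcard request, `*` accepted solely as the whole left-most label so that `hostname.*.${IPA_DOMAIN}` is refused, parent domain inside the IPA domain, and `*.${IPA_DOMAIN}` as an explicit policy switch), written out as an added Python example; this is not FreeIPA code, and `example.test` plus the function names are constructed for illustration.

```python
"""Request-side wildcard SAN checks (constructed example, not FreeIPA code).

Rules, following RFC 6125 section 6.4.3 and the design points in the thread:
  * every dNSName in a wildcard request must itself be a wildcard name;
  * '*' is accepted only as the entire left-most label, so
    'hostname.*.example.test' and 'baz*.example.test' are refused;
  * the wildcard must leave at least two labels to its right;
  * the parent domain must sit inside the IPA domain, and a wildcard over
    the whole IPA domain ('*.${IPA_DOMAIN}') is a separate policy switch.
"""
import re
from typing import Dict, List

# RFC 1123 host label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def _labels(name: str) -> List[str]:
    """Normalise case and trailing dot, then split a DNS name into labels."""
    return name.strip().lower().rstrip(".").split(".")


def wildcard_violations(name: str, ipa_domain: str,
                        allow_domain_wildcard: bool = False) -> List[str]:
    """Return the reasons why 'name' may NOT be issued as a wildcard SAN.

    An empty list means the name passes every check.
    """
    problems: List[str] = []
    labels = _labels(name)
    domain_labels = _labels(ipa_domain)

    if "*" not in name:
        problems.append("not a wildcard name")
    for i, label in enumerate(labels):
        if "*" in label:
            if i != 0:
                problems.append("wildcard is not the left-most label")
            elif label != "*":
                problems.append("wildcard must be the entire label")
        elif not _LABEL_RE.match(label):
            problems.append("invalid label %r" % label)
    # A bare '*.tld' would cover an entire top-level domain.
    if labels[0] == "*" and len(labels) < 3:
        problems.append("wildcard parent domain is too short")
    # The parent domain must equal the IPA domain or be a subdomain of it.
    parent = labels[1:] if labels[0] == "*" else labels
    if parent[-len(domain_labels):] != domain_labels:
        problems.append("parent domain is outside the IPA domain")
    elif labels[0] == "*" and parent == domain_labels and not allow_domain_wildcard:
        problems.append("wildcard over the entire IPA domain is not permitted")
    return problems


def validate_wildcard_request(san_dns_names: List[str], ipa_domain: str,
                              allow_domain_wildcard: bool = False
                              ) -> Dict[str, List[str]]:
    """Check every dNSName of a request; returns {name: violations} for the
    names that fail, so an empty dict means the request passes the policy."""
    failed: Dict[str, List[str]] = {}
    for name in san_dns_names:
        found = wildcard_violations(name, ipa_domain, allow_domain_wildcard)
        if found:
            failed[name] = found
    return failed


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 matching: '*' stands for exactly one label, never zero or more.

    This bounds the reach of an issued wildcard: '*.apps.example.test' covers
    'app1.apps.example.test' but neither 'apps.example.test' nor
    'a.b.apps.example.test'.
    """
    p, h = _labels(pattern), _labels(hostname)
    return p[0] == "*" and len(p) == len(h) and p[1:] == h[1:]


if __name__ == "__main__":
    IPA_DOMAIN = "example.test"  # constructed deployment, not a real one
    request = [
        "*.apps.example.test",       # OpenShift-router style wildcard: accepted
        "*.example.test",            # whole IPA domain: refused unless allowed
        "hostname.*.example.test",   # '*' not left-most: refused
        "*.other.test",              # outside the IPA domain: refused
        "router.apps.example.test",  # plain name in a wildcard request: refused
    ]
    for name, why in validate_wildcard_request(request, IPA_DOMAIN).items():
        print("%-26s refused: %s" % (name, "; ".join(why)))
```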
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Thu, 09 Feb 2017 10:29:11 +0100
Subject: [Freeipa-devel] [freeipa PR#451][synchronized] certdb: remove unused keysize property
URL: https://github.com/freeipa/freeipa/pull/451
Author: tomaskrizek
Title: #451: certdb: remove unused keysize property
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/451/head:pr451
git checkout pr451

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-451.patch
Type: text/x-diff
Size: 1810 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Thu, 09 Feb 2017 10:29:26 +0100
Subject: [Freeipa-devel] [freeipa PR#451][comment] certdb: remove unused keysize property
URL: https://github.com/freeipa/freeipa/pull/451
Title: #451: certdb: remove unused keysize property

tomaskrizek commented:
"""
@frasertweedale Fixed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/451#issuecomment-278590229
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 09 Feb 2017 10:35:52 +0100
Subject: [Freeipa-devel] [freeipa PR#449][synchronized] Travis CI: Upload the logs from failed jobs to transfer.sh
URL: https://github.com/freeipa/freeipa/pull/449
Author: martbab
Title: #449: Travis CI: Upload the logs from failed jobs to transfer.sh
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/449/head:pr449
git checkout pr449

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-449.patch
Type: text/x-diff
Size: 2690 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Thu, 09 Feb 2017 10:38:05 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tomaskrizek commented:
"""
Server build works now, but there's still the `make dist` issue discussed above.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-278592125
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Thu, 09 Feb 2017 10:49:30 +0100
Subject: [Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check
URL: https://github.com/freeipa/freeipa/pull/437
Author: tomaskrizek
Title: #437: FIPS: replica install check
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/437/head:pr437
git checkout pr437

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-437.patch
Type: text/x-diff
Size: 8800 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 09 Feb 2017 11:01:14 +0100
Subject: [Freeipa-devel] [freeipa PR#364][synchronized] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Author: tiran
Title: #364: Client-only builds with --disable-server
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/364/head:pr364
git checkout pr364

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-364.patch
Type: text/x-diff
Size: 15645 bytes
Desc: not available
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 09 Feb 2017 11:01:52 +0100 Subject: [Freeipa-devel] [freeipa PR#364][synchronized] Client-only builds with --disable-server In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/364 Author: tiran Title: #364: Client-only builds with --disable-server Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/364/head:pr364 git checkout pr364 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-364.patch Type: text/x-diff Size: 14849 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Feb 9 10:06:53 2017

From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 09 Feb 2017 11:06:53 +0100 Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server tiran commented: """ I followed @lslebodn's advice and changed the PR a bit. I now generate all Makefiles again to fix the ```make dist``` issue. Some of the Makefiles are not working correctly because some vars are declared empty (e.g. header locations, libs and so on). Since they are not included in ```SUBDIRS```, they are not used in ```make```. ```make dist``` uses ```DIST_SUBDIRS``` and does not depend on the missing vars. """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-278598712 From freeipa-github-notification at redhat.com Thu Feb 9 10:12:32 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 09 Feb 2017 11:12:32 +0100 Subject: [Freeipa-devel] [freeipa PR#442][synchronized] Add option to run tests in-tree and out-of-tree mode In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/442 Author: tiran Title: #442: Add option to run tests in-tree and out-of-tree mode Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/442/head:pr442 git checkout pr442 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-442.patch Type: text/x-diff Size: 2073 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Feb 9 10:26:28 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Thu, 09 Feb 2017 11:26:28 +0100 Subject: [Freeipa-devel] [freeipa PR#394][synchronized] Add fix for ipa plugins command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/394 Author: Akasurde Title: #394: Add fix for ipa plugins command Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/394/head:pr394 git checkout pr394 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-394.patch Type: text/x-diff Size: 1763 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Feb 9 10:31:15 2017 
From: freeipa-github-notification at redhat.com (Akasurde) Date: Thu, 09 Feb 2017 11:31:15 +0100 Subject: [Freeipa-devel] [freeipa PR#384][closed] Add fix for user prompt in dnsrecord-add In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/384 Author: Akasurde Title: #384: Add fix for user prompt in dnsrecord-add Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/384/head:pr384 git checkout pr384 From freeipa-github-notification at redhat.com Thu Feb 9 10:39:50 2017

From: freeipa-github-notification at redhat.com (gkaihorodova) Date: Thu, 09 Feb 2017 11:39:50 +0100 Subject: [Freeipa-devel] [freeipa PR#448][comment] Tests: Basic coverage with tree root domain In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/448 Title: #448: Tests: Basic coverage with tree root domain gkaihorodova commented: """ Can you be a little bit more specific about "triplication of the test cases", please? Because, to be honest, I'm having a hard time trying to navigate myself there. """ See the full comment at https://github.com/freeipa/freeipa/pull/448#issuecomment-278606153 From freeipa-github-notification at redhat.com Thu Feb 9 10:48:25 2017

From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 11:48:25 +0100 Subject: [Freeipa-devel] [freeipa PR#370][+rejected] ci: send build log to paste.fedoraproject.org In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/370 Title: #370: ci: send build log to paste.fedoraproject.org Label: +rejected From freeipa-github-notification at redhat.com Thu Feb 9 11:05:58 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 09 Feb 2017 12:05:58 +0100 Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ While investigating the CI test failures, I stumbled upon another issue: two simultaneous login requests will deadlock httpd until it is restarted. This is how I did it:

```bash
(
  export KRB5CCNAME=$(mktemp)
  echo password | kinit admin
  curl https://$HOSTNAME/ipa/session/login_kerberos --cacert /etc/ipa/ca.crt --negotiate -u : -e https://$HOSTNAME/ipa/session/json -D -
) &
(
  export KRB5CCNAME=$(mktemp)
  echo password | kinit notadmin
  curl https://$HOSTNAME/ipa/session/login_kerberos --cacert /etc/ipa/ca.crt --negotiate -u : -e https://$HOSTNAME/ipa/session/json -D -
)
```

It is not reproducible on the master branch. """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-278611793 From bind-dyndb-ldap-github-notification at redhat.com Thu Feb 9 11:44:04 2017

From: bind-dyndb-ldap-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 12:44:04 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#7][comment] Added named.conf API transformation script to spec In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/7 Title: #7: Added named.conf API transformation script to spec MartinBasti commented: """ IMO those explanatory comments should be in the code, not in GitHub. """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/7#issuecomment-278619365 From bind-dyndb-ldap-github-notification at redhat.com Thu Feb 9 11:44:36 2017
From: bind-dyndb-ldap-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 12:44:36 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#7][comment] Added named.conf API transformation script to spec In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/7 Title: #7: Added named.conf API transformation script to spec MartinBasti commented: """ otherwise LGTM """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/7#issuecomment-278619482 From freeipa-github-notification at redhat.com Thu Feb 9 12:07:21 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 13:07:21 +0100 Subject: [Freeipa-devel] [freeipa PR#441][+ack] Print test env information In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/441 Title: #441: Print test env information Label: +ack From bind-dyndb-ldap-github-notification at redhat.com Thu Feb 9 12:11:52 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Thu, 09 Feb 2017 13:11:52 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#7][synchronized] Added named.conf API transformation script to spec In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/7 Author: tomaskrizek Title: #7: Added named.conf API transformation script to spec Action: synchronized To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/7/head:pr7 git checkout pr7 -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pr-7.patch Type: text/x-diff Size: 2930 bytes Desc: not available URL: From bind-dyndb-ldap-github-notification at redhat.com Thu Feb 9 12:14:08 2017 
From: bind-dyndb-ldap-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 13:14:08 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#7][+ack] Added named.conf API transformation script to spec In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/7 Title: #7: Added named.conf API transformation script to spec Label: +ack From freeipa-github-notification at redhat.com Thu Feb 9 12:18:39 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 13:18:39 +0100 Subject: [Freeipa-devel] [freeipa PR#351][comment] [fedora-26] named.conf template: update API for bind 9.11 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/351 Title: #351: [fedora-26] named.conf template: update API for bind 9.11 MartinBasti commented: """ Tested manually """ See the full comment at https://github.com/freeipa/freeipa/pull/351#issuecomment-278625764 From freeipa-github-notification at redhat.com Thu Feb 9 12:18:45 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 13:18:45 +0100 Subject: [Freeipa-devel] [freeipa PR#351][+ack] [fedora-26] named.conf template: update API for bind 9.11 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/351 Title: #351: [fedora-26] named.conf template: update API for bind 9.11 Label: +ack From freeipa-github-notification at redhat.com Thu Feb 9 12:19:26 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 09 Feb 2017 13:19:26 +0100 Subject: [Freeipa-devel] [freeipa PR#449][+ack] Travis CI: Upload the logs from failed jobs to transfer.sh In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/449 Title: #449: Travis CI: Upload the logs from failed jobs to transfer.sh Label: +ack From freeipa-github-notification at redhat.com Thu Feb 9 12:20:20 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 09 Feb 2017 13:20:20 +0100 Subject: [Freeipa-devel] [freeipa PR#449][+pushed] Travis CI: Upload the logs from failed jobs to transfer.sh In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/449 Title: #449: Travis CI: Upload the logs from failed jobs to transfer.sh Label: +pushed From freeipa-github-notification at redhat.com Thu Feb 9 12:20:22 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 09 Feb 2017 13:20:22 +0100 Subject: [Freeipa-devel] [freeipa PR#449][comment] Travis CI: Upload the logs from failed jobs to transfer.sh In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/449 Title: #449: Travis CI: Upload the logs from failed jobs to transfer.sh HonzaCholasta commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/91341f4035e0d78b0adbe9a09ba69e1fd35ec26d """ See the full comment at https://github.com/freeipa/freeipa/pull/449#issuecomment-278626102 From freeipa-github-notification at redhat.com Thu Feb 9 12:20:24 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 09 Feb 2017 13:20:24 +0100 Subject: [Freeipa-devel] [freeipa PR#449][closed] Travis CI: Upload the logs from failed jobs to transfer.sh In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/449 Author: martbab Title: #449: Travis CI: Upload the logs from failed jobs to transfer.sh Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/449/head:pr449 git checkout pr449 From bind-dyndb-ldap-github-notification at redhat.com Thu Feb 9 12:27:25 2017 
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Thu, 09 Feb 2017 13:27:25 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#7][comment] Added named.conf API transformation script to spec In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/7 Title: #7: Added named.conf API transformation script to spec tomaskrizek commented: """ master: - [f1028150504049a64b6c34c785c6a20e2a7ca76a](https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/commit/?id=f1028150504049a64b6c34c785c6a20e2a7ca76a) """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/7#issuecomment-278627381 From bind-dyndb-ldap-github-notification at redhat.com Thu Feb 9 12:27:26 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Thu, 09 Feb 2017 13:27:26 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#7][closed] Added named.conf API transformation script to spec In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/7 Author: tomaskrizek Title: #7: Added named.conf API transformation script to spec Action: closed To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/7/head:pr7 git checkout pr7 From bind-dyndb-ldap-github-notification at redhat.com Thu Feb 9 12:27:32 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Thu, 09 Feb 2017 13:27:32 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#7][+pushed] Added named.conf API transformation script to spec In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/7 Title: #7: Added named.conf API transformation script to spec Label: +pushed From freeipa-github-notification at redhat.com Thu Feb 9 12:57:30 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 13:57:30 +0100 Subject: [Freeipa-devel] [freeipa PR#447][+ack] AD trust installer modularization: prelude In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/447 Title: #447: AD trust installer modularization: prelude Label: +ack From freeipa-github-notification at redhat.com Thu Feb 9 13:06:25 2017

From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 09 Feb 2017 14:06:25 +0100 Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ I think I know what is going on here; can you add an actual test to the testsuite that checks this? I will fix my PR to not cause this deadlock; I've reproduced it here. """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-278635045 From freeipa-github-notification at redhat.com Thu Feb 9 13:07:54 2017

From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 14:07:54 +0100 Subject: [Freeipa-devel] [freeipa PR#438][+ack] ipaldap: preserve order of values in LDAPEntry._sync() In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/438 Title: #438: ipaldap: preserve order of values in LDAPEntry._sync() Label: +ack From freeipa-github-notification at redhat.com Thu Feb 9 13:07:56 2017

From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 09 Feb 2017 14:07:56 +0100 Subject: [Freeipa-devel] [freeipa PR#447][+pushed] AD trust installer modularization: prelude In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/447 Title: #447: AD trust installer modularization: prelude Label: +pushed From freeipa-github-notification at redhat.com Thu Feb 9 13:07:58 2017
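Turning HonzaCholasta's shell reproducer for PR#314 into the kind of regression test simo5 asks for above: start the logins at the same time and bound the wait, so a server that deadlocks on simultaneous requests fails the test instead of hanging the whole run. This is an added example, not code from PR#314 or from FreeIPA's test suite. `kerberos_login_via_curl` reuses the kinit/curl commands from the reproducer and assumes an enrolled client with those tools available (it is not exercised offline); `SimulatedLoginHandler` is a constructed stand-in for the server so the harness can be run anywhere, and it only mimics the reported symptom, not the cause, which the thread does not give.

```python
import os
import subprocess
import tempfile
import threading
import time


def kerberos_login_via_curl(host, principal, password):
    """One login attempt with its own credential cache, built from the commands
    in the reproducer (assumes kinit and curl on an enrolled IPA client; not run
    offline). Returns curl's first response header line, e.g. 'HTTP/1.1 200 OK'."""
    fd, ccache = tempfile.mkstemp(prefix="krb5cc_")
    os.close(fd)
    env = dict(os.environ, KRB5CCNAME=ccache)   # isolates this login's tickets
    try:
        subprocess.run(["kinit", principal], input=password + "\n", env=env,
                       text=True, capture_output=True, check=True)
        headers = subprocess.run(
            ["curl", "-sS", "-o", "/dev/null", "-D", "-",
             "--cacert", "/etc/ipa/ca.crt", "--negotiate", "-u", ":",
             "-e", "https://%s/ipa/session/json" % host,
             "https://%s/ipa/session/login_kerberos" % host],
            env=env, text=True, capture_output=True, check=True).stdout
        return headers.splitlines()[0] if headers else ""
    finally:
        os.unlink(ccache)


def concurrent_logins(login, n_workers, timeout):
    """Start n_workers logins at once and wait at most `timeout` seconds for
    all of them. Returns (completed, hung): a server that deadlocks on
    simultaneous requests shows up as hung > 0, so the test fails instead
    of blocking forever. Failed logins count as completed, not hung."""
    outcomes = {}

    def worker(i):
        try:
            outcomes[i] = ("ok", login(i))
        except Exception as exc:            # a refused login is a result, not a hang
            outcomes[i] = ("error", repr(exc))

    threads = [threading.Thread(target=worker, args=(i,), daemon=True)
               for i in range(n_workers)]
    for t in threads:
        t.start()
    deadline = time.monotonic() + timeout
    for t in threads:
        t.join(max(0.0, deadline - time.monotonic()))
    hung = sum(1 for t in threads if t.is_alive())
    return len(outcomes), hung


class SimulatedLoginHandler:
    """Constructed stand-in for the server side so the harness runs offline.
    With deadlock=True the first request takes a lock and never releases it,
    so every further simultaneous request blocks: the symptom reported in the
    thread, not its actual cause."""

    def __init__(self, deadlock):
        self.deadlock = deadlock
        self._lock = threading.Lock()

    def login(self, principal):
        if self.deadlock:
            self._lock.acquire()        # held forever; the next caller blocks here
        else:
            with self._lock:            # released properly; callers serialize briefly
                time.sleep(0.01)
        return "HTTP/1.1 200 OK (%s)" % principal


def check_server(handler, n_workers=2, timeout=1.0):
    """The check a regression test would assert on: (completed, hung)."""
    return concurrent_logins(
        lambda i: handler.login("user%d" % i), n_workers, timeout)


if __name__ == "__main__":
    print("healthy :", check_server(SimulatedLoginHandler(deadlock=False)))
    print("deadlock:", check_server(SimulatedLoginHandler(deadlock=True)))
```

Against a real server, pass `lambda i: kerberos_login_via_curl(host, principals[i], password)` to `concurrent_logins` with one principal per worker, as the reproducer does with admin and notadmin; the per-worker KRB5CCNAME is what keeps the two negotiations independent.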
From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 09 Feb 2017 14:07:58 +0100 Subject: [Freeipa-devel] [freeipa PR#447][comment] AD trust installer modularization: prelude In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/447 Title: #447: AD trust installer modularization: prelude martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/847be3a8a85cd58e5a011c0c2bc7e1123eb4a1aa https://fedorahosted.org/freeipa/changeset/e27f6bfdc31b767be9ded411e869716b76f478ce https://fedorahosted.org/freeipa/changeset/d7cfbb870fce40b50f6df2446c864099f8ea833e """ See the full comment at https://github.com/freeipa/freeipa/pull/447#issuecomment-278635383 From freeipa-github-notification at redhat.com Thu Feb 9 13:07:59 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 09 Feb 2017 14:07:59 +0100 Subject: [Freeipa-devel] [freeipa PR#447][closed] AD trust installer modularization: prelude In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/447 Author: martbab Title: #447: AD trust installer modularization: prelude Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/447/head:pr447 git checkout pr447 From freeipa-github-notification at redhat.com Thu Feb 9 13:17:30 2017 
From: freeipa-github-notification at redhat.com (LiptonB) Date: Thu, 09 Feb 2017 14:17:30 +0100 Subject: [Freeipa-devel] [freeipa PR#433][comment] csrgen: Allow some certificate fields to be specified by the user In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/433 Title: #433: csrgen: Allow some certificate fields to be specified by the user LiptonB commented: """ Sorry for submitting this with lint errors - fixed now. """ See the full comment at https://github.com/freeipa/freeipa/pull/433#issuecomment-278637593 From freeipa-github-notification at redhat.com Thu Feb 9 13:27:33 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 09 Feb 2017 14:27:33 +0100 Subject: [Freeipa-devel] [freeipa PR#451][+ack] certdb: remove unused keysize property In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/451 Title: #451: certdb: remove unused keysize property Label: +ack From freeipa-github-notification at redhat.com Thu Feb 9 13:59:23 2017 From: freeipa-github-notification at redhat.com (LiptonB) Date: Thu, 09 Feb 2017 14:59:23 +0100 Subject: [Freeipa-devel] [freeipa PR#434][synchronized] csrgen: Automate full cert request flow In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/434 Author: LiptonB Title: #434: csrgen: Automate full cert request flow Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/434/head:pr434 git checkout pr434 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-434.patch Type: text/x-diff Size: 16655 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Feb 9 14:01:32 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 09 Feb 2017 15:01:32 +0100 Subject: [Freeipa-devel] [freeipa PR#453][opened] Cleanup certdb Message-ID: URL: https://github.com/freeipa/freeipa/pull/453 Author: tiran Title: #453: Cleanup certdb Action: opened PR body: """
* use with statement to open/close files
* prefer fchmod/fchown when a file descriptor is available
* set permission before data is written to file
* remove chdir() hack with proper cwd argument to ipautil.run()

Do not ever change the working directory of a program. It's a really bad idea. Just consider what is going to happen if two threads or two different parts of a process decide to own control over the working directory?

Signed-off-by: Christian Heimes
""" To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/453/head:pr453 git checkout pr453 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-453.patch Type: text/x-diff Size: 12716 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Feb 9 14:02:02 2017

From: freeipa-github-notification at redhat.com (LiptonB) Date: Thu, 09 Feb 2017 15:02:02 +0100 Subject: [Freeipa-devel] [freeipa PR#434][comment] csrgen: Automate full cert request flow In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/434 Title: #434: csrgen: Automate full cert request flow LiptonB commented: """ Thanks for the comments, and sorry about submitting this with lint errors. I think I've followed all of your suggestions, let me know what you think. """ See the full comment at https://github.com/freeipa/freeipa/pull/434#issuecomment-278648710 From freeipa-github-notification at redhat.com Thu Feb 9 14:05:36 2017
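A worked illustration of the two ordering rules in tiran's PR#453 description above: permissions are set on the descriptor before any data is written, and a working directory is given only to the child process instead of os.chdir() in the parent. This is an added example, not code from the PR or from FreeIPA's certdb module. The file names, the constructed SECRET bytes, the `run_in` helper and the reading of ipautil.run(cwd=...) as equivalent to subprocess's cwd= are assumptions made here.

```python
import os
import stat
import subprocess
import sys
import tempfile

# Constructed for this example; not a real key.
SECRET = b"-----BEGIN PRIVATE KEY-----\nexample only\n-----END PRIVATE KEY-----\n"


def mode_of(fd_or_path):
    """Permission bits only (e.g. 0o600) for an open descriptor or a path."""
    st = os.fstat(fd_or_path) if isinstance(fd_or_path, int) else os.stat(fd_or_path)
    return stat.S_IMODE(st.st_mode)


def write_secret_then_chmod(path, data):
    """The ordering the PR replaces: create with the umask default, write the
    data, and only then tighten the mode. Returns the mode another process
    would have seen while the secret was already on disk."""
    with open(path, "wb") as f:
        f.write(data)
        f.flush()
        exposed_mode = mode_of(f.fileno())
    os.chmod(path, 0o600)
    return exposed_mode


def write_secret_restricted(path, data, uid=-1, gid=-1):
    """Permissions first, data second. O_CREAT|O_EXCL with an explicit 0o600
    creates the file already restricted and refuses a pre-existing file or
    symlink at `path`; fchmod()/fchown() then act on the descriptor, so a later
    rename or symlink swap of `path` cannot redirect them to another file.
    Returns the mode observed while the data was being written."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)                 # independent of the process umask
        if uid != -1 or gid != -1:
            os.fchown(fd, uid, gid)          # -1 keeps the current owner/group
        view = memoryview(data)
        while view:                          # os.write() may write only part of the buffer
            view = view[os.write(fd, view):]
        return mode_of(fd)
    finally:
        os.close(fd)


def run_in(directory, argv):
    """Give only the child a different working directory. os.chdir() would
    change it for every thread of the parent for the duration of the call;
    subprocess's cwd= (assumed here to be what ipautil.run(cwd=...) wraps)
    never touches the parent. Returns the child's stdout, stripped."""
    before = os.getcwd()
    out = subprocess.run(argv, cwd=directory, capture_output=True,
                         text=True, check=True).stdout
    assert os.getcwd() == before
    return out.strip()


def demo():
    """Run both write orderings under a 0o022 umask and a child process in a
    private directory; returns what each step observed."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            racy = os.path.join(d, "racy.key")
            safe = os.path.join(d, "safe.key")
            exposed = write_secret_then_chmod(racy, SECRET)
            restricted = write_secret_restricted(safe, SECRET)
            child_cwd = run_in(d, [sys.executable, "-c",
                                   "import os; print(os.getcwd())"])
            return {
                "exposed_mode_during_write": exposed,
                "restricted_mode_during_write": restricted,
                "final_modes": (mode_of(racy), mode_of(safe)),
                "child_ran_in_dir": child_cwd == os.path.realpath(d),
                "parent_cwd_untouched": os.getcwd() != os.path.realpath(d),
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both files end up 0o600, which is why the difference is invisible to an after-the-fact check; under a 0o022 umask the first ordering leaves the key readable to everyone (0o644) for as long as the write and the chmod take, the second never does.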
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 15:05:36 +0100 Subject: [Freeipa-devel] [freeipa PR#416][comment] replica install: relax domain level check for promotion In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/416 Title: #416: replica install: relax domain level check for promotion MartinBasti commented: """ ACK and I found a new bug: https://fedorahosted.org/freeipa/ticket/6654 """ See the full comment at https://github.com/freeipa/freeipa/pull/416#issuecomment-278649734 From freeipa-github-notification at redhat.com Thu Feb 9 14:05:44 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 15:05:44 +0100 Subject: [Freeipa-devel] [freeipa PR#416][+ack] replica install: relax domain level check for promotion In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/416 Title: #416: replica install: relax domain level check for promotion Label: +ack From freeipa-github-notification at redhat.com Thu Feb 9 14:25:10 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 15:25:10 +0100 Subject: [Freeipa-devel] [freeipa PR#416][+pushed] replica install: relax domain level check for promotion In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/416 Title: #416: replica install: relax domain level check for promotion Label: +pushed From freeipa-github-notification at redhat.com Thu Feb 9 14:25:12 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 15:25:12 +0100 Subject: [Freeipa-devel] [freeipa PR#416][comment] replica install: relax domain level check for promotion In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/416 Title: #416: replica install: relax domain level check for promotion MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/f51869bf5214e2d2322f85bf72b7ae86b6893974 """ See the full comment at https://github.com/freeipa/freeipa/pull/416#issuecomment-278655609 From freeipa-github-notification at redhat.com Thu Feb 9 14:25:13 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 15:25:13 +0100 Subject: [Freeipa-devel] [freeipa PR#416][closed] replica install: relax domain level check for promotion In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/416 Author: frasertweedale Title: #416: replica install: relax domain level check for promotion Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/416/head:pr416 git checkout pr416 From freeipa-github-notification at redhat.com Thu Feb 9 14:48:36 2017 From: freeipa-github-notification at redhat.com (rcritten) Date: Thu, 09 Feb 2017 15:48:36 +0100 Subject: [Freeipa-devel] [freeipa PR#453][comment] Cleanup certdb In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/453 Title: #453: Cleanup certdb rcritten commented: """ I'm pretty sure the chdir() hack was due to SELinux issues, be sure to test in enforcing mode. It may no longer be required. """ See the full comment at https://github.com/freeipa/freeipa/pull/453#issuecomment-278662888 From freeipa-github-notification at redhat.com Thu Feb 9 14:57:36 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 15:57:36 +0100 Subject: [Freeipa-devel] [freeipa PR#441][comment] Print test env information In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/441 Title: #441: Print test env information MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/b20f6fb29478de6b4f25741bc4fd975a5e0be671 """ See the full comment at https://github.com/freeipa/freeipa/pull/441#issuecomment-278665863 From freeipa-github-notification at redhat.com Thu Feb 9 14:57:37 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 15:57:37 +0100 Subject: [Freeipa-devel] [freeipa PR#441][+pushed] Print test env information In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/441 Title: #441: Print test env information Label: +pushed From freeipa-github-notification at redhat.com Thu Feb 9 14:57:39 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 15:57:39 +0100 Subject: [Freeipa-devel] [freeipa PR#441][closed] Print test env information In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/441 Author: tiran Title: #441: Print test env information Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/441/head:pr441 git checkout pr441 From freeipa-github-notification at redhat.com Thu Feb 9 14:58:11 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 15:58:11 +0100 Subject: [Freeipa-devel] [freeipa PR#438][+pushed] ipaldap: preserve order of values in LDAPEntry._sync() In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/438 Title: #438: ipaldap: preserve order of values in LDAPEntry._sync() Label: +pushed From freeipa-github-notification at redhat.com Thu Feb 9 14:58:12 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 15:58:12 +0100 Subject: [Freeipa-devel] [freeipa PR#438][comment] ipaldap: preserve order of values in LDAPEntry._sync() In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/438 Title: #438: ipaldap: preserve order of values in LDAPEntry._sync() MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/e920ae22525d34e1f524e2e59159ac50c603bc8c """ See the full comment at https://github.com/freeipa/freeipa/pull/438#issuecomment-278666074 From freeipa-github-notification at redhat.com Thu Feb 9 14:58:14 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 15:58:14 +0100 Subject: [Freeipa-devel] [freeipa PR#438][closed] ipaldap: preserve order of values in LDAPEntry._sync() In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/438 Author: HonzaCholasta Title: #438: ipaldap: preserve order of values in LDAPEntry._sync() Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/438/head:pr438 git checkout pr438 From freeipa-github-notification at redhat.com Thu Feb 9 14:59:29 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 15:59:29 +0100 Subject: [Freeipa-devel] [freeipa PR#451][comment] certdb: remove unused keysize property In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/451 Title: #451: certdb: remove unused keysize property MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/47565c0fc75721f457e87b1c3e3325fff6a3b3ae https://fedorahosted.org/freeipa/changeset/36f46a5301ce62b5549899e5d693fca0b88946fb """ See the full comment at https://github.com/freeipa/freeipa/pull/451#issuecomment-278666458 From freeipa-github-notification at redhat.com Thu Feb 9 14:59:30 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 15:59:30 +0100 Subject: [Freeipa-devel] [freeipa PR#451][+pushed] certdb: remove unused keysize property In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/451 Title: #451: certdb: remove unused keysize property Label: +pushed From freeipa-github-notification at redhat.com Thu Feb 9 14:59:32 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 15:59:32 +0100 Subject: [Freeipa-devel] [freeipa PR#451][closed] certdb: remove unused keysize property In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/451 Author: tomaskrizek Title: #451: certdb: remove unused keysize property Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/451/head:pr451 git checkout pr451 From freeipa-github-notification at redhat.com Thu Feb 9 15:00:19 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 09 Feb 2017 16:00:19 +0100 Subject: [Freeipa-devel] [freeipa PR#453][synchronized] Cleanup certdb In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/453 Author: tiran Title: #453: Cleanup certdb Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/453/head:pr453 git checkout pr453 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-453.patch Type: text/x-diff Size: 12716 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Feb 9 15:01:25 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 09 Feb 2017 16:01:25 +0100 Subject: [Freeipa-devel] [freeipa PR#453][comment] Cleanup certdb In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/453 Title: #453: Cleanup certdb tiran commented: """ Thx Rob, I use ```ipautil.run(cwd=...)``` to change the working directory just for the subprocess instead of the entire parent process. """ See the full comment at https://github.com/freeipa/freeipa/pull/453#issuecomment-278667106 From freeipa-github-notification at redhat.com Thu Feb 9 15:30:52 2017

From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 16:30:52 +0100 Subject: [Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find and user-show commands In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/444 Title: #444: Allow nsaccountlock to be searched in user-find and user-show commands MartinBasti commented: """ Hello, thank you for the PR! I have a few comments: - Why does user-show need the --nsaccountlock option? - Could this be done by changing flags instead of overriding get_options? IMO it is compatible ```diff diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py index 0194f1b..3df2723 100644 --- a/ipaserver/plugins/user.py +++ b/ipaserver/plugins/user.py @@ -371,7 +371,7 @@ class user(baseuser): takes_params = baseuser.takes_params + ( Bool('nsaccountlock?', label=_('Account disabled'), - flags=['no_option'], + flags=['no_create', 'no_update'], ), Bool('preserved?', label=_('Preserved user'), ``` Adding @HonzaCholasta to make sure that changing options in this way is compatible """ See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-278676072 From freeipa-github-notification at redhat.com Thu Feb 9 15:35:19 2017
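Review bot: the flag change in the `@@ -371,7 +371,7 @@` hunk, `- flags=['no_option'],` to `+ flags=['no_create', 'no_update'],`, turns `nsaccountlock` into an option on every user command that the two remaining flags do not exclude, not only on user-find; user-show in particular would accept `--nsaccountlock` although its output already carries that value. If the intent is only to make the attribute searchable, consider exposing the option on user-find alone instead of changing the shared parameter's flags, and either way treat the new option set as an API change that needs the compatibility confirmation requested here before the PR is acked.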
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 16:35:19 +0100 Subject: [Freeipa-devel] [freeipa PR#351][+pushed] [fedora-26] named.conf template: update API for bind 9.11 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/351 Title: #351: [fedora-26] named.conf template: update API for bind 9.11 Label: +pushed From freeipa-github-notification at redhat.com Thu Feb 9 15:35:20 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 16:35:20 +0100 Subject: [Freeipa-devel] [freeipa PR#351][comment] [fedora-26] named.conf template: update API for bind 9.11 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/351 Title: #351: [fedora-26] named.conf template: update API for bind 9.11 MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/c26dd805bdb020b12346d8cb66638883c1f46b9e https://fedorahosted.org/freeipa/changeset/e8a2abd548b594e6f22f38445ee32bcaa7f27303 https://fedorahosted.org/freeipa/changeset/5de7065fe5769e5c3d90205b0ecc963d96f4db58 """ See the full comment at https://github.com/freeipa/freeipa/pull/351#issuecomment-278677437 From freeipa-github-notification at redhat.com Thu Feb 9 15:35:21 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 09 Feb 2017 16:35:21 +0100 Subject: [Freeipa-devel] [freeipa PR#351][closed] [fedora-26] named.conf template: update API for bind 9.11 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/351 Author: tomaskrizek Title: #351: [fedora-26] named.conf template: update API for bind 9.11 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/351/head:pr351 git checkout pr351 From mbasti at redhat.com Thu Feb 9 15:39:26 2017 
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 9 Feb 2017 16:39:26 +0100
Subject: [Freeipa-devel] [INFO] Freeipa/freeipa-master copr repo required for FreeIPA from master branch

Hello,

from now on you need the freeipa/freeipa-master copr repo to run IPA built from the master branch (at least on F25/F24) due to the bind and bind-dyndb-ldap packages.

Sorry for the inconvenience.

Martin^2

From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 09 Feb 2017 17:13:28 +0100
Subject: [Freeipa-devel] [freeipa PR#454][opened] Move AD trust installation code to a separate module

URL: https://github.com/freeipa/freeipa/pull/454
Author: martbab
Title: #454: Move AD trust installation code to a separate module
Action: opened

PR body:
"""
This facilitates calling the necessary checks and configuration code as a module from e.g. a composite installer.

The code that checks for the admin credentials stays in the standalone installer as the code inside the adtrust module is expected to operate also without admin credentials.

https://fedorahosted.org/freeipa/ticket/6629
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/454/head:pr454
git checkout pr454

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-454.patch
Type: text/x-diff
Size: 33090 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (Akasurde)
Date: Thu, 09 Feb 2017 17:13:53 +0100
Subject: [Freeipa-devel] [freeipa PR#394][synchronized] Add fix for ipa plugins command

URL: https://github.com/freeipa/freeipa/pull/394
Author: Akasurde
Title: #394: Add fix for ipa plugins command
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/394/head:pr394
git checkout pr394

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-394.patch
Type: text/x-diff
Size: 1559 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (redhatrises)
Date: Thu, 09 Feb 2017 17:52:16 +0100
Subject: [Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find and user-show commands

URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find and user-show commands

redhatrises commented:
"""
> Why does user-show need the --nsaccountlock option?

I didn't want to limit it to user-find. However, it looks like adding the option is actually pointless as that information is in the output already. I can fix that.

> Could this be done by changing flags instead of overriding get_options? IMO it is compatible

@MartinBasti sure. Not sure where we are with ABI/API compatibility issues, which is why I didn't use the overriding get_options. I guess we will see what @HonzaCholasta says.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-278701548

From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 09 Feb 2017 17:56:46 +0100
Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-314.patch
Type: text/x-diff
Size: 241990 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 09 Feb 2017 18:03:01 +0100
Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
My last push fixes the deadlock and another problem in ipalib/krb_utils.py

I haven't figured out exactly what happens in change_password, I see from logs sent from @martbab that the kinit as the user alice is performed, but apache sees only admin connections.

I suspect that the issue is in ipalib/rpc.py in create_connection, where apply_session_cookie() is called, but can't be sure.

I need a way to repro these tests locally to confirm.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-278704831

From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 09 Feb 2017 19:56:09 +0100
Subject: [Freeipa-devel] [freeipa PR#446][synchronized] No NSS database passwords in ipa-client-install

URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
Title: #446: No NSS database passwords in ipa-client-install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/446/head:pr446
git checkout pr446

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-446.patch
Type: text/x-diff
Size: 14673 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 09 Feb 2017 20:14:50 +0100
Subject: [Freeipa-devel] [freeipa PR#423][synchronized] dns-update-system-records: add support for nsupdate output format

URL: https://github.com/freeipa/freeipa/pull/423
Author: MartinBasti
Title: #423: dns-update-system-records: add support for nsupdate output format
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/423/head:pr423
git checkout pr423

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-423.patch
Type: text/x-diff
Size: 6437 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 09 Feb 2017 20:16:49 +0100
Subject: [Freeipa-devel] [freeipa PR#423][comment] dns-update-system-records: add support for nsupdate output format

URL: https://github.com/freeipa/freeipa/pull/423
Title: #423: dns-update-system-records: add support for nsupdate output format

MartinBasti commented:
"""
@pvoborni http://www.freeipa.org/page/Howto/Updating_FreeIPA_system_DNS_records_on_a_remote_DNS_server

Still WIP, but can be reviewed if the format fulfills expectations.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/423#issuecomment-278743068

From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 10 Feb 2017 07:44:18 +1000
Subject: [Freeipa-devel] FreeIPA and wildcard certificates
In-Reply-To: <340637ac-a6ba-517a-e2e8-a9ddaf7e63d5@redhat.com>
References: <1c7e5abb-9c33-1cdd-fd4b-221a15c85672@redhat.com> <20170208081954.c4kethc4lzjagdmp@redhat.com> <20170209011200.GA3557@dhcp-40-8.bne.redhat.com> <340637ac-a6ba-517a-e2e8-a9ddaf7e63d5@redhat.com>
Message-ID: <20170209214418.GD3557@dhcp-40-8.bne.redhat.com>

On Thu, Feb 09, 2017 at 08:37:23AM +0100, Martin Kosek wrote:
> On 02/09/2017 02:12 AM, Fraser Tweedale wrote:
> > On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote:
> >> On Wed, 08 Feb 2017, Martin Kosek wrote:
> >>> Hi Fraser and the list,
> >>>
> >>> I recently was in a conversation about integrating OpenShift with FreeIPA. One
> >>> of the gaps was around generating a wildcard certificate by FreeIPA that will
> >>> be used in the default OpenShift router for applications that do not deploy own
> >>> certificates [1].
> >>>
> >>> Is there any way that FreeIPA can generate it? I was thinking that uploading
> >>> some custom certificate profile in FreeIPA may let us get such certificate...
> >>> Or is the only way we can add it by adding a new RFE in FreeIPA, tracked in
> >>> [2]?
> >> Yes, we need a new RFE. There are checks in IPA that prevent wildcard
> >> certificates to be issued:
> >>
> >> - we ensure subject 'cn' of the certificate matches a Kerberos principal
> >> specified in the request
> >>
> >> - we validate that host object exists in IPA when the Kerberos
> >> principal is host/...
> >>
> >> We could lift off these two limitations for 'cn=*,$suffix' but there is
> >> still a need to apply proper ACLs when issuing the cert -- e.g. some
> >> object has to be used for performing access rights check. The wildcard
> >> certificate does not need to be stored anywhere in the tree, but a
> >> check still needs to be done.
> >>
> >> For example, for Kerberos PKINIT certificate which is issued to KDC we
> >> don't store public certificate in LDAP either but we do two checks:
> >> - a special KDC certificate profile is used to issue the cert
> >> - a special hostname check is done so that only IPA masters are able to
> >> request this certificate
> >>
> >> For the wildcard certificate I think we could have following:
> >> - use a separate profile for the wildcard, associated with a sub-CA
> >> - hardcode CN default in the profile to always be 'CN=*, O=$SUB_CA_SUBJECT' so that
> >> actual certificate ignores requested CN.
> >> - a special check to be done so that only wildcard-based subject
> >> alternative names can be added to a wildcard certificate request
> >> - all Kerberos principal / hostname checks are skipped.
> >> - actual ACL check is done by CA ACL.
> >>
> > Issuing wildcard certs is a deprecated practice[1]. I am not
> > dismissing the needs of OpenShift (or PaaS/IaaS solutions in
> > general) but I'd like to have a discussion with them about how
> > they're currently dealing with certs and whether a different
> > direction other than wildcard certs is feasible. Martin, who should
> > I reach out to? Feel free to copy them into this discussion.
>
> Right now, I am talking to a Solution Architect, i.e. someone who is building
> GAed solutions, not developers. This is not something we would change
> short-term anyway, this is how current OpenShift v2 or v3 behaves, despite the RFC.
>
> While I understand why having certificate *.lab.example.com and using it for my
> lab machines is a bad idea and increases the attack vector, I do not see it
> that way for OpenShift. There, applications get URL like
> ".myopenshift.test" and all is routed by one entity, the OpenShift
> broker. So the key.cert is on one location, just serving different names that
> are provisioned with OpenShift.
>
> I can understand that issuing a new certificate for every application
> provisioned by OpenShift and then renewing it complicates the design
> significantly. I am trying to be creative and see if current OpenShift could
> leverage FreeIPA CA and issue the broker cert, with current profile
> capabilities or with small change.
>
I believe OpenShift supports per-application certificates (i.e. when
app developers/maintainers supply their own cert for a custom
domain). So it might be possible in v2 or v3 to provision a cert
for every app. An automated solution does not yet exist but that
doesn't mean it can't be built out of what's currently GA.

> > [1] https://tools.ietf.org/html/rfc6125#section-7.2
> >
> > If we do go ahead with wildcard cert support in FreeIPA, some of my
> > initial questions are:
> >
> > - For the OpenShift use case, what is the "parent" domain name and
> > is it the same as the IPA domain name? Is it a subdomain of the
> > IPA domain name?
> >
> > - Do we need to support issuing "*.${IPA_DOMAIN}"? i.e. wildcard
> > cert under entire IPA domain name.
> >
> > - Do we need to support issuing "*.${IPA_HOSTNAME}"? i.e. wildcard
> > certs under names of IPA host principals.
>
> I do not know, but I can ask if it is important for you :-)
>
It's important to know what I actually need to do if we proceed with
implementing this :)

Cheers,
Fraser

From: freeipa-github-notification at redhat.com (redhatrises)
Date: Fri, 10 Feb 2017 04:45:46 +0100
Subject: [Freeipa-devel] [freeipa PR#444][synchronized] Allow nsaccountlock to be searched in user-find and user-show commands

URL: https://github.com/freeipa/freeipa/pull/444
Author: redhatrises
Title: #444: Allow nsaccountlock to be searched in user-find and user-show commands
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/444/head:pr444
git checkout pr444

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-444.patch
Type: text/x-diff
Size: 1183 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (redhatrises)
Date: Fri, 10 Feb 2017 04:53:26 +0100
Subject: [Freeipa-devel] [freeipa PR#444][edited] Allow nsaccountlock to be searched in user-find commands

URL: https://github.com/freeipa/freeipa/pull/444
Author: redhatrises
Title: #444: Allow nsaccountlock to be searched in user-find commands
Action: edited

Changed field: title
Original value:
"""
Allow nsaccountlock to be searched in user-find and user-show commands
"""

From: freeipa-github-notification at redhat.com (redhatrises)
Date: Fri, 10 Feb 2017 04:53:47 +0100
Subject: [Freeipa-devel] [freeipa PR#444][edited] Allow nsaccountlock to be searched in user-find commands

URL: https://github.com/freeipa/freeipa/pull/444
Author: redhatrises
Title: #444: Allow nsaccountlock to be searched in user-find commands
Action: edited

Changed field: body
Original value:
"""
This patch provides the ability to search and find users who are enabled/disabled in `ipa user-show` and `ipa user-find` commands without breaking API compatibility.
"""

From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 10 Feb 2017 08:30:24 +0100
Subject: [Freeipa-devel] [freeipa PR#446][synchronized] No NSS database passwords in ipa-client-install

URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
Title: #446: No NSS database passwords in ipa-client-install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/446/head:pr446
git checkout pr446

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-446.patch
Type: text/x-diff
Size: 14674 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Fri, 10 Feb 2017 09:18:06 +0100
Subject: [Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

HonzaCholasta commented:
"""
Replacing `flags=['no_option']` with `flags=['no_create', 'no_update']` is not backward compatible - the `no_option` flag only hides the option in the CLI, but `no_create` / `no_update` would completely remove it from `user_add` / `user_mod`.

So, @redhatrises's approach is OK, although I would rather remove the `no_option` flag in `user.takes_options` and add it back in `user_add.get_options()` and `user_mod.get_options()`.

Also, now that the option is visible in CLI, you should set `cli_name='disabled'` on it, so that we have a `--disabled` option rather than `--nsaccountlock` option in `ipa user-find`.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-278884001

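The two approaches compared in this comment, the flag swap from the diff posted earlier in the thread and the `get_options()` override, differ in which surface they change. The following Python is an added model, not ipalib code: `Param` and `Command` are simplified stand-ins that implement only the flag semantics stated above (`no_option` hides a parameter in the CLI but leaves it in the command's API; `no_create` / `no_update` drop it from `user_add` / `user_mod` entirely), and the parameter set is made up. Running it shows that the flag swap removes `nsaccountlock` from the `user_add` API, while the override keeps the API intact, still hides the option in `ipa user-add` / `ipa user-mod`, and exposes it as `--disabled` in `ipa user-find`.

```python
"""
Model of how parameter flags reach the API and the CLI in an ipalib-style
command framework. Added example, not ipalib: Param and Command are
stand-ins that reproduce only the flag semantics stated in the review
('no_option' hides a param in the CLI but keeps it in the API; 'no_create'
and 'no_update' drop it from user_add / user_mod). The params are made up.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Param:
    name: str
    flags: frozenset = frozenset()
    cli_name: str = None

    def clone(self, **overrides):
        return replace(self, **overrides)

    @property
    def option(self):
        return "--" + (self.cli_name or self.name)


# Shared object definition, like user.takes_params. nsaccountlock carries no
# 'no_option' here; whether it is hidden is decided per command below.
BASE_PARAMS = (
    Param("uid"),
    Param("nsaccountlock", cli_name="disabled"),
)


class Command:
    kind = ""            # "add", "mod" or "find"
    params = BASE_PARAMS

    def get_options(self):
        """API surface: every param not excluded for this command kind."""
        excluded = {"add": "no_create", "mod": "no_update"}.get(self.kind)
        for p in self.params:
            if excluded and excluded in p.flags:
                continue
            yield p

    def api_names(self):
        return [p.name for p in self.get_options()]

    def cli_options(self):
        """CLI surface: the API params minus those flagged no_option."""
        return [p.option for p in self.get_options() if "no_option" not in p.flags]


def _with_flags(params, name, flags):
    return tuple(p.clone(flags=frozenset(flags)) if p.name == name else p
                 for p in params)


# Approach A, the diff from the PR comment: edit the flags on the shared param.
class user_add_hunk(Command):
    kind = "add"
    params = _with_flags(BASE_PARAMS, "nsaccountlock", {"no_create", "no_update"})


class user_mod_hunk(user_add_hunk):
    kind = "mod"


class user_find_hunk(user_add_hunk):
    kind = "find"


# Approach B, HonzaCholasta's suggestion: leave the shared param alone and
# re-add 'no_option' only inside user_add.get_options() / user_mod.get_options().
class user_add(Command):
    kind = "add"

    def get_options(self):
        for p in super().get_options():
            if p.name == "nsaccountlock":
                p = p.clone(flags=p.flags | {"no_option"})
            yield p


class user_mod(user_add):
    kind = "mod"


class user_find(Command):
    kind = "find"


def api_changed(before, after):
    """True if the command's API parameter list differs: the compatibility test."""
    return before().api_names() != after().api_names()


if __name__ == "__main__":
    for cmd in (user_add_hunk, user_mod_hunk, user_find_hunk, user_add, user_mod, user_find):
        print("%-14s api=%s cli=%s" % (cmd.__name__, cmd().api_names(), cmd().cli_options()))
    print("hunk changes user_add API:", api_changed(Command, user_add_hunk))
    print("override changes user_add API:", api_changed(Command, user_add))
```

`Command` with an empty `kind` plays the role of the pre-change API, so `api_changed(Command, X)` is the check a reviewer would apply to any proposed flag change.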
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 10 Feb 2017 09:23:10 +0100
Subject: [Freeipa-devel] FreeIPA and wildcard certificates
In-Reply-To: <20170209214418.GD3557@dhcp-40-8.bne.redhat.com>
References: <1c7e5abb-9c33-1cdd-fd4b-221a15c85672@redhat.com> <20170208081954.c4kethc4lzjagdmp@redhat.com> <20170209011200.GA3557@dhcp-40-8.bne.redhat.com> <340637ac-a6ba-517a-e2e8-a9ddaf7e63d5@redhat.com> <20170209214418.GD3557@dhcp-40-8.bne.redhat.com>

On 02/09/2017 10:44 PM, Fraser Tweedale wrote:
> On Thu, Feb 09, 2017 at 08:37:23AM +0100, Martin Kosek wrote:
>> On 02/09/2017 02:12 AM, Fraser Tweedale wrote:
>>> On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote:
>>>> On Wed, 08 Feb 2017, Martin Kosek wrote:
>>>>> Hi Fraser and the list,
>>>>>
>>>>> I recently was in a conversation about integrating OpenShift with FreeIPA. One
>>>>> of the gaps was around generating a wildcard certificate by FreeIPA that will
>>>>> be used in the default OpenShift router for applications that do not deploy own
>>>>> certificates [1].
>>>>>
>>>>> Is there any way that FreeIPA can generate it? I was thinking that uploading
>>>>> some custom certificate profile in FreeIPA may let us get such certificate...
>>>>> Or is the only way we can add it by adding a new RFE in FreeIPA, tracked in
>>>>> [2]?
>>>> Yes, we need a new RFE. There are checks in IPA that prevent wildcard
>>>> certificates to be issued:
>>>>
>>>> - we ensure subject 'cn' of the certificate matches a Kerberos principal
>>>> specified in the request
>>>>
>>>> - we validate that host object exists in IPA when the Kerberos
>>>> principal is host/...
>>>>
>>>> We could lift off these two limitations for 'cn=*,$suffix' but there is
>>>> still a need to apply proper ACLs when issuing the cert -- e.g. some
>>>> object has to be used for performing access rights check. The wildcard
>>>> certificate does not need to be stored anywhere in the tree, but a
>>>> check still needs to be done.
>>>>
>>>> For example, for Kerberos PKINIT certificate which is issued to KDC we
>>>> don't store public certificate in LDAP either but we do two checks:
>>>> - a special KDC certificate profile is used to issue the cert
>>>> - a special hostname check is done so that only IPA masters are able to
>>>> request this certificate
>>>>
>>>> For the wildcard certificate I think we could have following:
>>>> - use a separate profile for the wildcard, associated with a sub-CA
>>>> - hardcode CN default in the profile to always be 'CN=*, O=$SUB_CA_SUBJECT' so that
>>>> actual certificate ignores requested CN.
>>>> - a special check to be done so that only wildcard-based subject
>>>> alternative names can be added to a wildcard certificate request
>>>> - all Kerberos principal / hostname checks are skipped.
>>>> - actual ACL check is done by CA ACL.
>>>>
>>> Issuing wildcard certs is a deprecated practice[1]. I am not
>>> dismissing the needs of OpenShift (or PaaS/IaaS solutions in
>>> general) but I'd like to have a discussion with them about how
>>> they're currently dealing with certs and whether a different
>>> direction other than wildcard certs is feasible. Martin, who should
>>> I reach out to? Feel free to copy them into this discussion.
>>
>> Right now, I am talking to a Solution Architect, i.e. someone who is building
>> GAed solutions, not developers. This is not something we would change
>> short-term anyway, this is how current OpenShift v2 or v3 behaves, despite the RFC.
>>
>> While I understand why having certificate *.lab.example.com and using it for my
>> lab machines is a bad idea and increases the attack vector, I do not see it
>> that way for OpenShift. There, applications get URL like
>> ".myopenshift.test" and all is routed by one entity, the OpenShift
>> broker. So the key.cert is on one location, just serving different names that
>> are provisioned with OpenShift.
>>
>> I can understand that issuing a new certificate for every application
>> provisioned by OpenShift and then renewing it complicates the design
>> significantly. I am trying to be creative and see if current OpenShift could
>> leverage FreeIPA CA and issue the broker cert, with current profile
>> capabilities or with small change.
>>
> I believe OpenShift supports per-application certificates (i.e. when
> app developers/maintainers supply their own cert for a custom
> domain). So it might be possible in v2 or v3 to provision a cert
> for every app.

Right, it supports this. But then issuing the certificate and renewal is the
responsibility of the app developer, AFAIK. I do not think OpenShift has all the
needed hooks to do this automatically and call certmonger for example.

TLDR; adding support for certmonger and issuing a certificate for every new
application is a whole other degree of complexity than just issuing a
Wildcard certificate for the router. I am not saying it should not be done, I
am just saying that being able to generate a wildcard certificate with FreeIPA
would let us integrate with OpenShift much better than now and with (hopefully)
low effort involved, i.e. faster.

> An automated solution does not yet exist but that
> doesn't mean it can't be built out of what's currently GA.
>
>>> [1] https://tools.ietf.org/html/rfc6125#section-7.2
>>>
>>> If we do go ahead with wildcard cert support in FreeIPA, some of my
>>> initial questions are:
>>>
>>> - For the OpenShift use case, what is the "parent" domain name and
>>> is it the same as the IPA domain name? Is it a subdomain of the
>>> IPA domain name?
>>>
>>> - Do we need to support issuing "*.${IPA_DOMAIN}"? i.e. wildcard
>>> cert under entire IPA domain name.
>>>
>>> - Do we need to support issuing "*.${IPA_HOSTNAME}"? i.e. wildcard
>>> certs under names of IPA host principals.
>>
>> I do not know, but I can ask if it is important for you :-)
>>
> It's important to know what I actually need to do if we proceed with
> implementing this :)

We do not need to jump on implementing it right away, you already have a lot on
your plate. Right now, I just want to know:

- is there any way I can generate a wildcard cert with current FreeIPA, using
a custom certificate profile. I assume the answer is no.

- how complex would it be to add support for wildcard certificates to
FreeIPA (rough scope).

Thanks,
Martin

From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 10 Feb 2017 19:37:08 +1000
Subject: [Freeipa-devel] FreeIPA and wildcard certificates
References: <1c7e5abb-9c33-1cdd-fd4b-221a15c85672@redhat.com> <20170208081954.c4kethc4lzjagdmp@redhat.com> <20170209011200.GA3557@dhcp-40-8.bne.redhat.com> <340637ac-a6ba-517a-e2e8-a9ddaf7e63d5@redhat.com> <20170209214418.GD3557@dhcp-40-8.bne.redhat.com>
Message-ID: <20170210093708.GI3557@dhcp-40-8.bne.redhat.com>

On Fri, Feb 10, 2017 at 09:23:10AM +0100, Martin Kosek wrote:
> On 02/09/2017 10:44 PM, Fraser Tweedale wrote:
> > On Thu, Feb 09, 2017 at 08:37:23AM +0100, Martin Kosek wrote:
> >> On 02/09/2017 02:12 AM, Fraser Tweedale wrote:
> >>> On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote:
> >>>> On Wed, 08 Feb 2017, Martin Kosek wrote:
> >>>>> Hi Fraser and the list,
> >>>>>
> >>>>> I recently was in a conversation about integrating OpenShift with FreeIPA. One
> >>>>> of the gaps was around generating a wildcard certificate by FreeIPA that will
> >>>>> be used in the default OpenShift router for applications that do not deploy own
> >>>>> certificates [1].
> >>>>>
> >>>>> Is there any way that FreeIPA can generate it? I was thinking that uploading
> >>>>> some custom certificate profile in FreeIPA may let us get such certificate...
> >>>>> Or is the only way we can add it by adding a new RFE in FreeIPA, tracked in
> >>>>> [2]?
> >>>> Yes, we need a new RFE. There are checks in IPA that prevent wildcard
> >>>> certificates to be issued:
> >>>>
> >>>> - we ensure subject 'cn' of the certificate matches a Kerberos principal
> >>>> specified in the request
> >>>>
> >>>> - we validate that host object exists in IPA when the Kerberos
> >>>> principal is host/...
> >>>>
> >>>> We could lift off these two limitations for 'cn=*,$suffix' but there is
> >>>> still a need to apply proper ACLs when issuing the cert -- e.g. some
> >>>> object has to be used for performing access rights check. The wildcard
> >>>> certificate does not need to be stored anywhere in the tree, but a
> >>>> check still needs to be done.
> >>>>
> >>>> For example, for Kerberos PKINIT certificate which is issued to KDC we
> >>>> don't store public certificate in LDAP either but we do two checks:
> >>>> - a special KDC certificate profile is used to issue the cert
> >>>> - a special hostname check is done so that only IPA masters are able to
> >>>> request this certificate
> >>>>
> >>>> For the wildcard certificate I think we could have following:
> >>>> - use a separate profile for the wildcard, associated with a sub-CA
> >>>> - hardcode CN default in the profile to always be 'CN=*, O=$SUB_CA_SUBJECT' so that
> >>>> actual certificate ignores requested CN.
> >>>> - a special check to be done so that only wildcard-based subject
> >>>> alternative names can be added to a wildcard certificate request
> >>>> - all Kerberos principal / hostname checks are skipped.
> >>>> - actual ACL check is done by CA ACL.
> >>>>
> >>> Issuing wildcard certs is a deprecated practice[1]. I am not
> >>> dismissing the needs of OpenShift (or PaaS/IaaS solutions in
> >>> general) but I'd like to have a discussion with them about how
> >>> they're currently dealing with certs and whether a different
> >>> direction other than wildcard certs is feasible. Martin, who should
> >>> I reach out to? Feel free to copy them into this discussion.
> >>
> >> Right now, I am talking to a Solution Architect, i.e. someone who is building
> >> GAed solutions, not developers. This is not something we would change
> >> short-term anyway, this is how current OpenShift v2 or v3 behaves, despite the RFC.
> >>
> >> While I understand why having certificate *.lab.example.com and using it for my
> >> lab machines is a bad idea and increases the attack vector, I do not see it
> >> that way for OpenShift. There, applications get URL like
> >> ".myopenshift.test" and all is routed by one entity, the OpenShift
> >> broker. So the key.cert is on one location, just serving different names that
> >> are provisioned with OpenShift.
> >>
> >> I can understand that issuing a new certificate for every application
> >> provisioned by OpenShift and then renewing it complicates the design
> >> significantly. I am trying to be creative and see if current OpenShift could
> >> leverage FreeIPA CA and issue the broker cert, with current profile
> >> capabilities or with small change.
> >>
> > I believe OpenShift supports per-application certificates (i.e. when
> > app developers/maintainers supply their own cert for a custom
> > domain). So it might be possible in v2 or v3 to provision a cert
> > for every app.
>
> Right, it supports this. But then issuing the certificate and renewal is the
> responsibility of the app developer, AFAIK. I do not think OpenShift has all the
> needed hooks to do this automatically and call certmonger for example.
>
> TLDR; adding support for certmonger and issuing a certificate for every new
> application is a whole other degree of complexity than just issuing a
> Wildcard certificate for the router. I am not saying it should not be done, I
> am just saying that being able to generate a wildcard certificate with FreeIPA
> would let us integrate with OpenShift much better than now and with (hopefully)
> low effort involved, i.e. faster.
>
> > An automated solution does not yet exist but that
> > doesn't mean it can't be built out of what's currently GA.
> >
> >>> [1] https://tools.ietf.org/html/rfc6125#section-7.2
> >>>
> >>> If we do go ahead with wildcard cert support in FreeIPA, some of my
> >>> initial questions are:
> >>>
> >>> - For the OpenShift use case, what is the "parent" domain name and
> >>> is it the same as the IPA domain name? Is it a subdomain of the
> >>> IPA domain name?
> >>>
> >>> - Do we need to support issuing "*.${IPA_DOMAIN}"? i.e. wildcard
> >>> cert under entire IPA domain name.
> >>>
> >>> - Do we need to support issuing "*.${IPA_HOSTNAME}"? i.e. wildcard
> >>> certs under names of IPA host principals.
> >>
> >> I do not know, but I can ask if it is important for you :-)
> >>
> > It's important to know what I actually need to do if we proceed with
> > implementing this :)
>
> We do not need to jump on implementing it right away, you already have a lot on
> your plate. Right now, I just want to know:
>
> - is there any way I can generate a wildcard cert with current FreeIPA, using
> a custom certificate profile. I assume the answer is no.
>
I have an idea.

- Assume there exists a FreeIPA host `foo.example.com', the "parent"
  domain name for the desired wildcard name `*.foo.example.com'.

- Create a profile with the config:

    policyset.serverCertSet..constraint.class_id=subjectNameConstraintImpl
    policyset.serverCertSet..constraint.name=Subject Name Constraint
    policyset.serverCertSet..constraint.params.accept=true
    policyset.serverCertSet..constraint.params.pattern=CN=[^,]+,.+
    policyset.serverCertSet..default.class_id=subjectNameDefaultImpl
    policyset.serverCertSet..default.name=Subject Name Default
    policyset.serverCertSet..default.params.name=CN=*.$request.req_subject_name.cn$, o=EXAMPLE.COM

- Set up CA ACLs to constrain use of this profile for issuance only to
  hosts for which a wildcard cert *under* their hostname is allowed.

- Issue wildcard cert.

I'm not 100% sure if that last directive from the snippet above is
valid. Worth a shot.

> - how complex would it be to add support for wildcard certificates to
> FreeIPA (rough scope).
>
It really depends on the answers to my earlier questions :) Need to
know *exactly* what is needed for OpenShift in terms of how the
domain(s) to include in the cert relate to IPA domain or host/service
principals defined therein.

Cheers,
Fraser

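Alexander's list of checks (quoted above in this thread) and Fraser's profile sketch together describe one policy: the profile rewrites the requested subject to `CN=*.<requested cn>`, the CA ACL decides which host principal may use the profile, and IPA still has to refuse anything that is not a wildcard under a permitted parent name. The Python below is an added example, not FreeIPA or Dogtag code, that models that policy in one place so its edge cases can be exercised: it applies the proposed `CN=[^,]+,.+` Subject Name Constraint and the `CN=*.$request.req_subject_name.cn$` default, then checks every resulting name against RFC 6125 section 7.2 (exactly one wildcard, as the whole left-most label) and against a made-up ACL table. `ALLOWED_WILDCARD_PARENTS`, `IPA_DOMAIN`, the `router.foo.example.com` principal and all other names are assumptions.

```python
"""
Policy check for a FreeIPA-style wildcard certificate request.

Added example, not FreeIPA or Dogtag code. It models the pieces discussed
in the thread so the edge cases can be exercised:
  * the sketched profile: Subject Name Constraint CN=[^,]+,.+ followed by
    Subject Name Default CN=*.$request.req_subject_name.cn$, o=EXAMPLE.COM
  * "only wildcard SANs, and only under a name the requester may use",
    with a made-up table standing in for the CA ACL
  * RFC 6125 section 7.2: a single wildcard, as the entire left-most label
Host names, principals and ALLOWED_WILDCARD_PARENTS are assumptions.
"""
import re
from dataclasses import dataclass

# policyset.serverCertSet..constraint.params.pattern=CN=[^,]+,.+
SUBJECT_CONSTRAINT = re.compile(r"^CN=([^,]+),.+$")

IPA_DOMAIN = "example.com"

# Hypothetical CA ACL: which host principal may obtain a wildcard, and under
# which parent names. Nothing in here is real FreeIPA data.
ALLOWED_WILDCARD_PARENTS = {
    "host/router.foo.example.com@EXAMPLE.COM": {"foo.example.com", "apps.foo.example.com"},
}


@dataclass
class Decision:
    ok: bool
    reason: str
    subject: str = ""
    names: tuple = ()


def profile_subject(requested_subject, org="EXAMPLE.COM"):
    """Subject Name Constraint, then Subject Name Default, as the profile would
    apply them. Returns the issued subject, or None if the constraint rejects."""
    m = SUBJECT_CONSTRAINT.match(requested_subject)
    if m is None:
        return None
    return "CN=*.%s, o=%s" % (m.group(1).strip(), org)


def wildcard_parent(name):
    """Parent of a well-formed wildcard dNSName, lower-cased, or None.
    Well-formed (RFC 6125 s7.2): exactly one '*', it is the entire left-most
    label, and at least two labels remain to its right (so '*.com' fails)."""
    if name.count("*") != 1 or not name.startswith("*."):
        return None
    labels = name[2:].lower().split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels)


def check_wildcard_request(principal, requested_subject, sans=(),
                           allow_domain_wildcard=False):
    """Decide whether `principal` may be issued the certificate the profile
    would produce from `requested_subject` plus the requested dNSName `sans`."""
    subject = profile_subject(requested_subject)
    if subject is None:
        return Decision(False, "subject does not match constraint CN=[^,]+,.+")
    issued_cn = subject.split(",", 1)[0][len("CN="):]
    allowed = ALLOWED_WILDCARD_PARENTS.get(principal, set())
    names = (issued_cn,) + tuple(sans)
    for n in names:
        parent = wildcard_parent(n)
        if parent is None:
            return Decision(False, "%r is not a single left-most wildcard name" % n)
        if parent == IPA_DOMAIN and not allow_domain_wildcard:
            return Decision(False, "wildcard over the whole IPA domain %s refused" % IPA_DOMAIN)
        if parent not in allowed:
            return Decision(False, "CA ACL: %s may not request a wildcard under %s"
                            % (principal, parent))
    return Decision(True, "ok", subject, names)


if __name__ == "__main__":
    router = "host/router.foo.example.com@EXAMPLE.COM"
    for req, sans in (
        ("CN=foo.example.com, O=EXAMPLE.COM", ["*.apps.foo.example.com"]),
        ("CN=*.foo.example.com, O=EXAMPLE.COM", []),        # would become *.*.foo...
        ("CN=example.com, O=EXAMPLE.COM", []),              # *.${IPA_DOMAIN}
        ("CN=foo.example.com, O=EXAMPLE.COM", ["www.foo.example.com"]),
        ("CN=foo.example.com", []),                         # fails the constraint
    ):
        d = check_wildcard_request(router, req, sans)
        print("%-5s %-40s %s" % (d.ok, req, d.reason))
```

The second case is the one the profile alone cannot catch: a requester who submits `CN=*.foo.example.com` gets `*.*.foo.example.com` out of the default, so the IPA-side check, not the profile, has to reject it. The third case is Fraser's "*.${IPA_DOMAIN}" question made explicit as a switch that defaults to off.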
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 10 Feb 2017 10:38:40 +0100
Subject: [Freeipa-devel] [freeipa PR#450][synchronized] Add FIPS-token password of HTTPD NSS database

URL: https://github.com/freeipa/freeipa/pull/450
Author: stlaz
Title: #450: Add FIPS-token password of HTTPD NSS database
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/450/head:pr450
git checkout pr450

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-450.patch
Type: text/x-diff
Size: 1573 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 10 Feb 2017 10:43:11 +0100
Subject: [Freeipa-devel] [freeipa PR#455][opened] Backup /root/kracert.p12

URL: https://github.com/freeipa/freeipa/pull/455
Author: tiran
Title: #455: Backup /root/kracert.p12
Action: opened

PR body:
"""
ipa-backup now backs up /root/kracert.p12. The file contains the certs and encrypted private keys for KRA transport, storage and audit.

Closes: https://fedorahosted.org/freeipa/ticket/6659

Signed-off-by: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/455/head:pr455
git checkout pr455

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-455.patch
Type: text/x-diff
Size: 979 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Fri, 10 Feb 2017 11:33:40 +0100
Subject: [Freeipa-devel] [freeipa PR#456][opened] bindinstance: fix named.conf parsing regexs
URL: https://github.com/freeipa/freeipa/pull/456
Author: tomaskrizek
Title: #456: bindinstance: fix named.conf parsing regexs
Action: opened
PR body:
"""
Since named.conf API for bind-dyndb-ldap was updated, our parsing regexes have to change.

https://fedorahosted.org/freeipa/ticket/6565
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/456/head:pr456
git checkout pr456
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-456.patch
Type: text/x-diff
Size: 3751 bytes
Desc: not available

From mkosek at redhat.com Fri Feb 10 10:48:39 2017
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 10 Feb 2017 11:48:39 +0100
Subject: [Freeipa-devel] FreeIPA and wildcard certificates
In-Reply-To: <20170210093708.GI3557@dhcp-40-8.bne.redhat.com>
References: <1c7e5abb-9c33-1cdd-fd4b-221a15c85672@redhat.com> <20170208081954.c4kethc4lzjagdmp@redhat.com> <20170209011200.GA3557@dhcp-40-8.bne.redhat.com> <340637ac-a6ba-517a-e2e8-a9ddaf7e63d5@redhat.com> <20170209214418.GD3557@dhcp-40-8.bne.redhat.com> <20170210093708.GI3557@dhcp-40-8.bne.redhat.com>
Message-ID: <37f8b430-92d4-3ab2-69a2-1b96cbb5b75b@redhat.com>

On 02/10/2017 10:37 AM, Fraser Tweedale wrote:
> On Fri, Feb 10, 2017 at 09:23:10AM +0100, Martin Kosek wrote:
>> On 02/09/2017 10:44 PM, Fraser Tweedale wrote:
>>> On Thu, Feb 09, 2017 at 08:37:23AM +0100, Martin Kosek wrote:
>>>> On 02/09/2017 02:12 AM, Fraser Tweedale wrote:
>>>>> On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote:
>>>>>> On Wed, 08 Feb 2017, Martin Kosek wrote:
>>>>>>> Hi Fraser and the list,
>>>>>>>
>>>>>>> I recently was in a conversation about integrating OpenShift with FreeIPA. One
>>>>>>> of the gaps was around generating a wildcard certificate by FreeIPA that will
>>>>>>> be used in the default OpenShift router for applications that do not deploy own
>>>>>>> certificates [1].
>>>>>>>
>>>>>>> Is there any way that FreeIPA can generate it? I was thinking that uploading
>>>>>>> some custom certificate profile in FreeIPA may let us get such certificate...
>>>>>>> Or is the only way we can add it by adding a new RFE in FreeIPA, tracked in
>>>>>>> [2]?
>>>>>> Yes, we need a new RFE. There are checks in IPA that prevent wildcard
>>>>>> certificates from being issued:
>>>>>>
>>>>>> - we ensure subject 'cn' of the certificate matches a Kerberos principal
>>>>>> specified in the request
>>>>>>
>>>>>> - we validate that host object exists in IPA when the Kerberos
>>>>>> principal is host/...
>>>>>>
>>>>>> We could lift off these two limitations for 'cn=*,$suffix' but there is
>>>>>> still a need to apply proper ACLs when issuing the cert -- e.g. some
>>>>>> object has to be used for performing access rights check. The wildcard
>>>>>> certificate does not need to be stored anywhere in the tree, but a
>>>>>> check still needs to be done.
>>>>>>
>>>>>> For example, for Kerberos PKINIT certificate which is issued to KDC we
>>>>>> don't store public certificate in LDAP either but we do two checks:
>>>>>> - a special KDC certificate profile is used to issue the cert
>>>>>> - a special hostname check is done so that only IPA masters are able to
>>>>>> request this certificate
>>>>>>
>>>>>> For the wildcard certificate I think we could have following:
>>>>>> - use a separate profile for the wildcard, associated with a sub-CA
>>>>>> - hardcode CN default in the profile to always be 'CN=*, O=$SUB_CA_SUBJECT' so that
>>>>>> actual certificate ignores requested CN.
>>>>>> - a special check to be done so that only wildcard-based subject
>>>>>> alternative names can be added to a wildcard certificate request
>>>>>> - all Kerberos principal / hostname checks are skipped.
>>>>>> - actual ACL check is done by CA ACL.
>>>>>>
>>>>> Issuing wildcard certs is a deprecated practice[1]. I am not
>>>>> dismissing the needs of OpenShift (or PaaS/IaaS solutions in
>>>>> general) but I'd like to have a discussion with them about how
>>>>> they're currently dealing with certs and whether a different
>>>>> direction other than wildcard certs is feasible. Martin, who should
>>>>> I reach out to? Feel free to copy them into this discussion.
>>>>
>>>> Right now, I am talking to a Solution Architect, i.e. someone who is building
>>>> GAed solutions, not developers. This is not something we would change
>>>> short-term anyway, this is how current OpenShift v2 or v3 behaves, despite the RFC.
>>>>
>>>> While I understand why having certificate *.lab.example.com and using it for my
>>>> lab machines is a bad idea and increases the attack vector, I do not see it
>>>> that way for OpenShift. There, applications get URL like
>>>> ".myopenshift.test" and all is routed by one entity, the OpenShift
>>>> broker. So the key.cert is on one location, just serving different names that
>>>> are provisioned with OpenShift.
>>>>
>>>> I can understand that issuing a new certificate for every application
>>>> provisioned by OpenShift and then renewing it complicates the design
>>>> significantly. I am trying to be creative and see if current OpenShift could
>>>> leverage FreeIPA CA and issue the broker cert, with current profile
>>>> capabilities or with small change.
>>>>
>>> I believe OpenShift supports per-application certificates (i.e. when
>>> app developers/maintainers supply their own cert for a custom
>>> domain). So it might be possible in v2 or v3 to provision a cert
>>> for every app.
>>
>> Right, it supports this. But then issuing the certificate and renewal is a
>> responsibility of app developer, AFAIK. I do not think OpenShift has all the
>> needed hooks to do this automatically and call certmonger for example.
>>
>> TLDR; adding a support of certmonger and issuing a certificate for every new
>> application is a whole other degree of complexity than just issuing a
>> Wildcard certificate for the router. I am not saying it should not be done, I
>> am just saying that being able to generate a wildcard certificate with FreeIPA
>> would let us integrate with OpenShift much better than now and with (hopefully)
>> low effort involved, i.e. faster.
>>
>>> An automated solution does not yet exist but that
>>> doesn't mean it can't be built out of what's currently GA.
>>>
>>>>> [1] https://tools.ietf.org/html/rfc6125#section-7.2
>>>>>
>>>>> If we do go ahead with wildcard cert support in FreeIPA, some of my
>>>>> initial questions are:
>>>>>
>>>>> - For the OpenShift use case, what is the "parent" domain name and
>>>>> is it the same as the IPA domain name? Is it a subdomain of the
>>>>> IPA domain name?
>>>>>
>>>>> - Do we need to support issuing "*.${IPA_DOMAIN}"? i.e. wildcard
>>>>> cert under entire IPA domain name.
>>>>>
>>>>> - Do we need to support issuing "*.${IPA_HOSTNAME}"? i.e. wildcard
>>>>> certs under names of IPA host principals.
>>>>
>>>> I do not know, but I can ask if it is important for you :-)
>>>>
>>> It's important to know what I actually need to do if we proceed with
>>> implementing this :)
>>
>> We do not need to jump on implementing it right away, you already have a lot on
>> your plate. Right now, I just want to know:
>>
>> - is there any way how I can generate wildcard cert with current FreeIPA, using
>> a custom certificate profile. I assume the answer is no.
>>
> I have an idea.
>
> - Assume there exists a FreeIPA host `foo.example.com', the "parent"
> domain name for the desired wildcard name `*.foo.example.com'.
>
> - Create a profile with the config:
>
> policyset.serverCertSet..constraint.class_id=subjectNameConstraintImpl
> policyset.serverCertSet..constraint.name=Subject Name Constraint
> policyset.serverCertSet..constraint.params.accept=true
> policyset.serverCertSet..constraint.params.pattern=CN=[^,]+,.+
> policyset.serverCertSet..default.class_id=subjectNameDefaultImpl
> policyset.serverCertSet..default.name=Subject Name Default
> policyset.serverCertSet..default.params.name=CN=*.$request.req_subject_name.cn$, o=EXAMPLE.COM
>
> - Set up CA ACLs to constrain use of this profile for issuance only
> to hosts for which a wildcard cert *under* their hostname is
> allowed.
>
> - Issue wildcard cert.
>
> I'm not 100% sure if that last directive from the snippet above is
> valid. Worth a shot.
This is exactly what I was looking for, as a workaround! Do you think you would be able to try it (not necessarily right now, but in several days)? Just so that we know it would work.

>> - how complex would it be to add support of Wildcard certificate support to
>> FreeIPA (rough scope).
>>
> It really depends on the answers to my earlier questions :) Need to
> know *exactly* what is needed for OpenShift in terms of how the
> domain(s) to include in the cert relate to IPA domain or
> host/service principals defined therein.

We should not make the feature too specific to OpenShift anyway, so I do not think the answers to these questions need to come from OpenShift, but rather from our understanding of how to make this feature useful for FreeIPA users.

But if you check OpenShift documentation:
https://docs.openshift.com/container-platform/3.4/install_config/router/default_haproxy_router.html#using-wildcard-certificates

you will see that the domain for the wildcard is configurable. So AFAIK, OpenShift may join a realm EXAMPLE.COM and have the wildcard cert for '*.cloudapps.example.com'.

Thanks!
Martin

From freeipa-github-notification at redhat.com Fri Feb 10 11:30:24 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 10 Feb 2017 12:30:24 +0100
Subject: [Freeipa-devel] [freeipa PR#452][comment] [ WIP] ipa-run-tests: allow to run tests with server-api
URL: https://github.com/freeipa/freeipa/pull/452
Title: #452: [ WIP] ipa-run-tests: allow to run tests with server-api
MartinBasti commented:
"""
There are too many issues, it is not possible to run tests with server api easily, too many changes required.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/452#issuecomment-278921678

From freeipa-github-notification at redhat.com Fri Feb 10 11:30:26 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 10 Feb 2017 12:30:26 +0100
Subject: [Freeipa-devel] [freeipa PR#452][closed] [ WIP] ipa-run-tests: allow to run tests with server-api
URL: https://github.com/freeipa/freeipa/pull/452
Author: MartinBasti
Title: #452: [ WIP] ipa-run-tests: allow to run tests with server-api
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/452/head:pr452
git checkout pr452

From freeipa-github-notification at redhat.com Fri Feb 10 11:30:33 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 10 Feb 2017 12:30:33 +0100
Subject: [Freeipa-devel] [freeipa PR#452][+rejected] [ WIP] ipa-run-tests: allow to run tests with server-api
URL: https://github.com/freeipa/freeipa/pull/452
Title: #452: [ WIP] ipa-run-tests: allow to run tests with server-api
Label: +rejected

From freeipa-github-notification at redhat.com Fri Feb 10 11:32:12 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 10 Feb 2017 12:32:12 +0100
Subject: [Freeipa-devel] [freeipa PR#452][comment] [ WIP] ipa-run-tests: allow to run tests with server-api
URL: https://github.com/freeipa/freeipa/pull/452
Title: #452: [ WIP] ipa-run-tests: allow to run tests with server-api
tiran commented:
"""
It's going to get simpler when the privilege separation patch has landed.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/452#issuecomment-278921964

From freeipa-github-notification at redhat.com Fri Feb 10 11:44:49 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 10 Feb 2017 12:44:49 +0100
Subject: [Freeipa-devel] [freeipa PR#456][+ack] bindinstance: fix named.conf parsing regexs
URL: https://github.com/freeipa/freeipa/pull/456
Title: #456: bindinstance: fix named.conf parsing regexs
Label: +ack

From freeipa-github-notification at redhat.com Fri Feb 10 11:46:24 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 10 Feb 2017 12:46:24 +0100
Subject: [Freeipa-devel] [freeipa PR#456][closed] bindinstance: fix named.conf parsing regexs
URL: https://github.com/freeipa/freeipa/pull/456
Author: tomaskrizek
Title: #456: bindinstance: fix named.conf parsing regexs
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/456/head:pr456
git checkout pr456

From freeipa-github-notification at redhat.com Fri Feb 10 11:46:25 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 10 Feb 2017 12:46:25 +0100
Subject: [Freeipa-devel] [freeipa PR#456][comment] bindinstance: fix named.conf parsing regexs
URL: https://github.com/freeipa/freeipa/pull/456
Title: #456: bindinstance: fix named.conf parsing regexs
MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/52582ae9284b80c22a272f0793f0cddfb761f6dc
https://fedorahosted.org/freeipa/changeset/2f4442fff52090bad95a9b1f4f078e4d9acc8069
"""
See the full comment at https://github.com/freeipa/freeipa/pull/456#issuecomment-278924269

From freeipa-github-notification at redhat.com Fri Feb 10 11:46:27 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 10 Feb 2017 12:46:27 +0100
Subject: [Freeipa-devel] [freeipa PR#456][+pushed] bindinstance: fix named.conf parsing regexs
URL: https://github.com/freeipa/freeipa/pull/456
Title: #456: bindinstance: fix named.conf parsing regexs
Label: +pushed

From freeipa-github-notification at redhat.com Fri Feb 10 12:20:09 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 10 Feb 2017 13:20:09 +0100
Subject: [Freeipa-devel] [freeipa PR#450][synchronized] Add FIPS-token password of HTTPD NSS database
URL: https://github.com/freeipa/freeipa/pull/450
Author: stlaz
Title: #450: Add FIPS-token password of HTTPD NSS database
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/450/head:pr450
git checkout pr450
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-450.patch
Type: text/x-diff
Size: 1445 bytes
Desc: not available

From freeipa-github-notification at redhat.com Fri Feb 10 12:41:39 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 10 Feb 2017 13:41:39 +0100
Subject: [Freeipa-devel] [freeipa PR#457][opened] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
URL: https://github.com/freeipa/freeipa/pull/457
Author: martbab
Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
Action: opened
PR body:
"""
In order to be able to function as a part of composite installer, samba configuration code must be able to work without admin credentials. This requires changes in the CIFS principal key retrieval method so that it is not bound to the presence of privileged user ccache. This is achieved by slightly altering and re-using the recently developed code for service keytab retrieval.

https://fedorahosted.org/freeipa/ticket/6638
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/457/head:pr457
git checkout pr457
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-457.patch
Type: text/x-diff
Size: 5683 bytes
Desc: not available

From freeipa-github-notification at redhat.com Fri Feb 10 12:56:47 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Fri, 10 Feb 2017 13:56:47 +0100
Subject: [Freeipa-devel] [freeipa PR#428][+ack] [Py3] ipa-server-install
URL: https://github.com/freeipa/freeipa/pull/428
Title: #428: [Py3] ipa-server-install
Label: +ack

From freeipa-github-notification at redhat.com Fri Feb 10 12:57:58 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Fri, 10 Feb 2017 13:57:58 +0100
Subject: [Freeipa-devel] [freeipa PR#428][+pushed] [Py3] ipa-server-install
URL: https://github.com/freeipa/freeipa/pull/428
Title: #428: [Py3] ipa-server-install
Label: +pushed

From freeipa-github-notification at redhat.com Fri Feb 10 12:58:00 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Fri, 10 Feb 2017 13:58:00 +0100
Subject: [Freeipa-devel] [freeipa PR#428][comment] [Py3] ipa-server-install
URL: https://github.com/freeipa/freeipa/pull/428
Title: #428: [Py3] ipa-server-install
HonzaCholasta commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/88b192a37ead1538e6d840c2f686f8d21a948542
https://fedorahosted.org/freeipa/changeset/2674a217acc2864a5fed98d7ef1e7031eae4f866
https://fedorahosted.org/freeipa/changeset/c27a46177c710fb18bf5b02beab4bd82c191a4bc
https://fedorahosted.org/freeipa/changeset/8660b9e96801a764e808ca69c3c14a4a019d4eb8
https://fedorahosted.org/freeipa/changeset/d4aa75d10582443b38447985c3fce8e65fcd48a6
https://fedorahosted.org/freeipa/changeset/f31d73b79aaa1746f7d32576658fcd4136870115
https://fedorahosted.org/freeipa/changeset/7fd36e4d3651f327a8c3a2f13b92a2a304352dfd
https://fedorahosted.org/freeipa/changeset/47f912e16ba6de2f3579de610b0d902cf3e621a2
https://fedorahosted.org/freeipa/changeset/488d01ced715929d47f6766a63b7d6c597125562
https://fedorahosted.org/freeipa/changeset/69072cb80f8c4b7f6eff0c7cdfe6545fe59ea7b5
https://fedorahosted.org/freeipa/changeset/dd119f8aadb13e95e4db43053bc36c70977b001e
"""
See the full comment at https://github.com/freeipa/freeipa/pull/428#issuecomment-278936205

From freeipa-github-notification at redhat.com Fri Feb 10 12:58:01 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Fri, 10 Feb 2017 13:58:01 +0100
Subject: [Freeipa-devel] [freeipa PR#428][closed] [Py3] ipa-server-install
URL: https://github.com/freeipa/freeipa/pull/428
Author: MartinBasti
Title: #428: [Py3] ipa-server-install
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/428/head:pr428
git checkout pr428

From freeipa-github-notification at redhat.com Fri Feb 10 13:15:18 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 10 Feb 2017 14:15:18 +0100
Subject: [Freeipa-devel] [freeipa PR#455][comment] Backup /root/kracert.p12
URL: https://github.com/freeipa/freeipa/pull/455
Title: #455: Backup /root/kracert.p12
stlaz commented:
"""
Works as expected, ACK.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/455#issuecomment-278939314

From freeipa-github-notification at redhat.com Fri Feb 10 13:15:22 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 10 Feb 2017 14:15:22 +0100
Subject: [Freeipa-devel] [freeipa PR#455][+ack] Backup /root/kracert.p12
URL: https://github.com/freeipa/freeipa/pull/455
Title: #455: Backup /root/kracert.p12
Label: +ack

From freeipa-github-notification at redhat.com Fri Feb 10 13:17:26 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 10 Feb 2017 14:17:26 +0100
Subject: [Freeipa-devel] [freeipa PR#448][comment] Tests: Basic coverage with tree root domain
URL: https://github.com/freeipa/freeipa/pull/448
Title: #448: Tests: Basic coverage with tree root domain
martbab commented:
"""
If you look at the test cases (e.g. test_login_ipa-user, test_login_ad_user, test_login_subdomain_user are the 'best' examples) you can see that the function body is the same code copy-pasted with slight alterations so that it works for the new case. Your patch adds a *fourth* level of copy-pasta to the code, which is something that grieves me greatly.

Clearly, you can group the common code into a private method that can be only called with the use-case specific parameters for each test case. Or you can expand the existing mixin hierarchy to achieve this. Then it would also be simpler to extend the test cases for tree-root domains.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/448#issuecomment-278939703

From freeipa-github-notification at redhat.com Fri Feb 10 13:22:16 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 10 Feb 2017 14:22:16 +0100
Subject: [Freeipa-devel] [freeipa PR#446][synchronized] No NSS database passwords in ipa-client-install
URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
Title: #446: No NSS database passwords in ipa-client-install
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/446/head:pr446
git checkout pr446
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-446.patch
Type: text/x-diff
Size: 15517 bytes
Desc: not available

From freeipa-github-notification at redhat.com Fri Feb 10 13:36:06 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 10 Feb 2017 14:36:06 +0100
Subject: [Freeipa-devel] [freeipa PR#458][opened] Bytes deprecation warnings
URL: https://github.com/freeipa/freeipa/pull/458
Author: tiran
Title: #458: Bytes deprecation warnings
Action: opened
PR body:
"""
* Enable bytes and deprecation warnings
* Fix a couple of bytes and deprecation warnings

https://fedorahosted.org/freeipa/ticket/6631
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/458/head:pr458
git checkout pr458
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-458.patch
Type: text/x-diff
Size: 10923 bytes
Desc: not available

From freeipa-github-notification at redhat.com Fri Feb 10 13:56:09 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 10 Feb 2017 14:56:09 +0100
Subject: [Freeipa-devel] [freeipa PR#458][synchronized] Bytes deprecation warnings
URL: https://github.com/freeipa/freeipa/pull/458
Author: tiran
Title: #458: Bytes deprecation warnings
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/458/head:pr458
git checkout pr458
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-458.patch
Type: text/x-diff
Size: 12097 bytes
Desc: not available

From freeipa-github-notification at redhat.com Fri Feb 10 13:59:44 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Fri, 10 Feb 2017 14:59:44 +0100
Subject: [Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check
URL: https://github.com/freeipa/freeipa/pull/437
Author: tomaskrizek
Title: #437: FIPS: replica install check
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/437/head:pr437
git checkout pr437
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-437.patch
Type: text/x-diff
Size: 8824 bytes
Desc: not available

From freeipa-github-notification at redhat.com Fri Feb 10 14:03:50 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 10 Feb 2017 15:03:50 +0100
Subject: [Freeipa-devel] [freeipa PR#457][synchronized] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
URL: https://github.com/freeipa/freeipa/pull/457
Author: martbab
Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/457/head:pr457
git checkout pr457
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-457.patch
Type: text/x-diff
Size: 5668 bytes
Desc: not available

From freeipa-github-notification at redhat.com Fri Feb 10 14:04:16 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 10 Feb 2017 15:04:16 +0100
Subject: [Freeipa-devel] [freeipa PR#457][comment] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
URL: https://github.com/freeipa/freeipa/pull/457
Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
martbab commented:
"""
Sorry, I just got confused for a bit. Fixed the docstring; it now refers only to 'samba keytab'.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/457#issuecomment-278949030

From freeipa-github-notification at redhat.com Fri Feb 10 14:04:35 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 10 Feb 2017 15:04:35 +0100
Subject: [Freeipa-devel] [freeipa PR#458][edited] Enable Bytes and deprecation warnings
URL: https://github.com/freeipa/freeipa/pull/458
Author: tiran
Title: #458: Enable Bytes and deprecation warnings
Action: edited
Changed field: title
Original value:
"""
Bytes deprecation warnings
"""

From freeipa-github-notification at redhat.com Fri Feb 10 14:05:33 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Fri, 10 Feb 2017 15:05:33 +0100
Subject: [Freeipa-devel] [freeipa PR#458][comment] Enable Bytes and deprecation warnings
URL: https://github.com/freeipa/freeipa/pull/458
Title: #458: Enable Bytes and deprecation warnings
abbra commented:
"""
Thanks. LGTM.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/458#issuecomment-278949308

From freeipa-github-notification at redhat.com Fri Feb 10 14:11:39 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Fri, 10 Feb 2017 15:11:39 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server
pvoborni commented:
"""
I still think that this use case needs to be documented in http://www.freeipa.org/page/V4/Build_system_refactoring#How_to_Use .

IMHO `make dist` can fail with --disable-server. Use case for `make dist` is releasing and there is no point to do release without server bits. But make sure to document it and test that `make dist` works without it ;) .
"""
See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-278950622

From freeipa-github-notification at redhat.com Fri Feb 10 14:16:54 2017
From: freeipa-github-notification at redhat.com (rcritten)
Date: Fri, 10 Feb 2017 15:16:54 +0100
Subject: [Freeipa-devel] [freeipa PR#450][comment] Add FIPS-token password of HTTPD NSS database
URL: https://github.com/freeipa/freeipa/pull/450
Title: #450: Add FIPS-token password of HTTPD NSS database
rcritten commented:
"""
I guess this is one approach to fix the problem. Would it be cleaner to pass in, or detect, FIPS mode, and only write out the token that will actually be used?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/450#issuecomment-278951822

From freeipa-github-notification at redhat.com Fri Feb 10 14:18:18 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Fri, 10 Feb 2017 15:18:18 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server
lslebodn commented:
"""
On (10/02/17 06:11), Petr Vobornik wrote:
>I still think that this use case needs to be documented in http://www.freeipa.org/page/V4/Build_system_refactoring#How_to_Use .
>
>IMHO `make dist` can fail with --disable-server. Use case for `make dist` is releasing and there is no point to do release without server bits. But make sure to document it and test that `make dist` works without it ;) .
>
Petr FYI: make dist should include all files into tarball even though configure was invoked with parameter --disable-server.

LS
"""
See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-278952140

From freeipa-github-notification at redhat.com Fri Feb 10 14:25:43 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 10 Feb 2017 15:25:43 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server
tiran commented:
"""
In the latest version, ```--disable-server``` does not affect ```make dist```. It only changes the components that are built by ```make``` and installed by ```make install```.

```--disable-server``` is already documented at http://www.freeipa.org/page/V4/Build_system_refactoring#Configuration . After the PR has landed, I'll update the table.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-278953837

From freeipa-github-notification at redhat.com Fri Feb 10 14:45:54 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 10 Feb 2017 15:45:54 +0100
Subject: [Freeipa-devel] [freeipa PR#450][comment] Add FIPS-token password of HTTPD NSS database
URL: https://github.com/freeipa/freeipa/pull/450
Title: #450: Add FIPS-token password of HTTPD NSS database
stlaz commented:
"""
That was my original approach to it but we had an offline talk with @HonzaCholasta and got to the point that it might be better to do it this way. From my point of view it's more fool-proof for the people who would install FreeIPA in non-FIPS mode but then thought it'd be cool to turn FIPS on. Anyone reading this in the future - that is **NOT SUPPORTED**. There would probably be more different issues, let this not be one.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/450#issuecomment-278958767

From freeipa-github-notification at redhat.com Fri Feb 10 14:49:01 2017
From: freeipa-github-notification at redhat.com (gkaihorodova)
Date: Fri, 10 Feb 2017 15:49:01 +0100
Subject: [Freeipa-devel] [freeipa PR#448][comment] Tests: Basic coverage with tree root domain
URL: https://github.com/freeipa/freeipa/pull/448
Title: #448: Tests: Basic coverage with tree root domain
gkaihorodova commented:
"""
Thank you for the explanation and tips. I noticed it as well and I agree that it (and not only that) is worth refactoring. Yes, my PR is more or less copy-paste, because I was following the existing pattern in the code. Also I think the PR can be pushed and at the same time feel free to open a ticket/request or whatever is more suitable for the refactoring task and assign it to me. Please, don't be grieved, it makes me sad.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/448#issuecomment-278961376

From freeipa-github-notification at redhat.com Fri Feb 10 15:12:19 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 10 Feb 2017 16:12:19 +0100
Subject: [Freeipa-devel] [freeipa PR#458][+ack] Enable Bytes and deprecation warnings
URL: https://github.com/freeipa/freeipa/pull/458
Title: #458: Enable Bytes and deprecation warnings
Label: +ack

From freeipa-github-notification at redhat.com Fri Feb 10 15:17:12 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 10 Feb 2017 16:17:12 +0100
Subject: [Freeipa-devel] [freeipa PR#458][+pushed] Enable Bytes and deprecation warnings
URL: https://github.com/freeipa/freeipa/pull/458
Title: #458: Enable Bytes and deprecation warnings
Label: +pushed

From freeipa-github-notification at redhat.com Fri Feb 10 15:17:13 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 10 Feb 2017 16:17:13 +0100
Subject: [Freeipa-devel] [freeipa PR#458][comment] Enable Bytes and deprecation warnings
URL: https://github.com/freeipa/freeipa/pull/458
Title: #458: Enable Bytes and deprecation warnings
MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/a33b25dea988aa34844869a8adc57d5cd396d3aa
https://fedorahosted.org/freeipa/changeset/3d9bec2e879d60e6bb7b2602084d3314765a6283
https://fedorahosted.org/freeipa/changeset/e6129a76e7093b8f9f7717e5f63ed06f9e9ef30a
https://fedorahosted.org/freeipa/changeset/4965735382425356ece27e7827e2a91bc2ab2055
https://fedorahosted.org/freeipa/changeset/8d3bea8accb9814b3a973f4a606110fee78baf72
"""
See the full comment at https://github.com/freeipa/freeipa/pull/458#issuecomment-278971542

From freeipa-github-notification at redhat.com Fri Feb 10 15:17:14 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 10 Feb 2017 16:17:14 +0100
Subject: [Freeipa-devel] [freeipa PR#458][closed] Enable Bytes and deprecation warnings

URL: https://github.com/freeipa/freeipa/pull/458
Author: tiran
Title: #458: Enable Bytes and deprecation warnings
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/458/head:pr458
git checkout pr458

From freeipa-github-notification at redhat.com Fri Feb 10 15:23:33 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 10 Feb 2017 16:23:33 +0100
Subject: [Freeipa-devel] [freeipa PR#448][comment] Tests: Basic coverage with tree root domain

URL: https://github.com/freeipa/freeipa/pull/448
Title: #448: Tests: Basic coverage with tree root domain

martbab commented:
"""
Well you still have some issues to fix, notably the failing Travis CI and the not-so nice multiline-string literal.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/448#issuecomment-278973164

From freeipa-github-notification at redhat.com Fri Feb 10 15:31:08 2017
From: freeipa-github-notification at redhat.com (gkaihorodova)
Date: Fri, 10 Feb 2017 16:31:08 +0100
Subject: [Freeipa-devel] [freeipa PR#448][comment] Tests: Basic coverage with tree root domain

URL: https://github.com/freeipa/freeipa/pull/448
Title: #448: Tests: Basic coverage with tree root domain

gkaihorodova commented:
"""
Yes, sure I'll work on these issues
"""

See the full comment at https://github.com/freeipa/freeipa/pull/448#issuecomment-278975336

From freeipa-github-notification at redhat.com Fri Feb 10 15:52:14 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Fri, 10 Feb 2017 16:52:14 +0100
Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-314.patch
Type: text/x-diff
Size: 241982 bytes
Desc: not available

From freeipa-github-notification at redhat.com Fri Feb 10 15:54:59 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Fri, 10 Feb 2017 16:54:59 +0100
Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
So I am not sure what is going on here, after fiddling with the failing tests to print out what was going on, they suddenly started working (and 3 others started failing). It is not clear to me what is going on, but it may be an unclean environment too.. after running tests a few times for example I found out my user KRB5CCNAME environment variable had been changed (this is not ok, it's a bug in the tests and will make things unreliable). Anyway after a full rebuild and reinstall I was not able to go back to a state where I could reproduce the issues in caacl tests. I rebased the patchset on latest master and pushed it, let's see what CI says.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-278981716

From freeipa-github-notification at redhat.com Fri Feb 10 17:12:17 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Fri, 10 Feb 2017 18:12:17 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
It works quite well with the following change

```
diff --git a/Makefile.am b/Makefile.am index 311f6121f..13e5a87b0 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,13 +1,13 @@ ACLOCAL_AMFLAGS = -I m4 if ENABLE_SERVER - SERVER_SUBDIRS = daemons init install ipaserver + SERVER_SUBDIRS = daemons init install ipaserver ipatests else SERVER_SUBDIRS = endif IPACLIENT_SUBDIRS = ipaclient ipalib ipapython SUBDIRS = asn1 util client contrib po \ - $(IPACLIENT_SUBDIRS) ipaplatform ipatests $(SERVER_SUBDIRS) + $(IPACLIENT_SUBDIRS) ipaplatform $(SERVER_SUBDIRS) MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279003293

From freeipa-github-notification at redhat.com Sun Feb 12 00:14:10 2017
From: freeipa-github-notification at redhat.com (redhatrises)
Date: Sun, 12 Feb 2017 01:14:10 +0100
Subject: [Freeipa-devel] [freeipa PR#444][synchronized] Allow nsaccountlock to be searched in user-find commands

URL: https://github.com/freeipa/freeipa/pull/444
Author: redhatrises
Title: #444: Allow nsaccountlock to be searched in user-find commands
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/444/head:pr444
git checkout pr444

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-444.patch
Type: text/x-diff
Size: 4271 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Feb 13 07:39:02 2017
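Review bot: the Makefile.am hunk in lslebodn's comment on PR#364 above moves `ipatests` wholesale from the unconditional `SUBDIRS` list into `SERVER_SUBDIRS`, so a `--disable-server` build drops the whole test package, including the client-side suites that the PR author later says run without `ipaserver` (`test_ipapython`, `test_ipalib`, `test_pkcs10`). If the intent is only to keep server-dependent tests out of client builds, gate `ipatests` behind its own conditional rather than `ENABLE_SERVER`, e.g. a separate `--with-tests` configure switch (which lslebodn floats further down the thread), or split the server-only test modules out so `ipatests` can stay in `SUBDIRS`. The hunk as shown also changes the build order (`ipatests` now comes after `ipaplatform` only via `$(SERVER_SUBDIRS)`); that is harmless for the Python subdirectories but worth a line in the commit message.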
From: freeipa-github-notification at redhat.com (abbra)
Date: Mon, 13 Feb 2017 08:39:02 +0100
Subject: [Freeipa-devel] [freeipa PR#410][synchronized] ipa-kdb: support KDB DAL version 6.1

URL: https://github.com/freeipa/freeipa/pull/410
Author: abbra
Title: #410: ipa-kdb: support KDB DAL version 6.1
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/410/head:pr410
git checkout pr410

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-410.patch
Type: text/x-diff
Size: 9072 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Feb 13 07:48:00 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Mon, 13 Feb 2017 08:48:00 +0100
Subject: [Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

abbra commented:
"""
I've rebased against master and added responses to inline comments in the PR.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/410#issuecomment-279315609

From freeipa-github-notification at redhat.com Mon Feb 13 09:06:17 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Mon, 13 Feb 2017 10:06:17 +0100
Subject: [Freeipa-devel] [freeipa PR#445][+ack] Remove is_fips_enabled checks in installers and ipactl

URL: https://github.com/freeipa/freeipa/pull/445
Title: #445: Remove is_fips_enabled checks in installers and ipactl
Label: +ack

From freeipa-github-notification at redhat.com Mon Feb 13 09:07:12 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 13 Feb 2017 10:07:12 +0100
Subject: [Freeipa-devel] [freeipa PR#459][opened] Faster JSON encoder/decoder

URL: https://github.com/freeipa/freeipa/pull/459
Author: tiran
Title: #459: Faster JSON encoder/decoder
Action: opened

PR body:
"""
Improve performance of FreeIPA's JSON serializer and deserializer.

* Don't indent and sort keys. Both options trigger a slow path in Python's json package. Without indentation and sorting, encoding mostly happens in optimized C code.
* Replace O(n) type checks with O(1) type lookup and eliminate the use of isinstance().
* Check each client capability only once for every conversion.
* Use decoder's obj_hook feature to traverse the object tree once and to eliminate calls to isinstance().

Closes: https://fedorahosted.org/freeipa/ticket/6655

Signed-off-by: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/459/head:pr459
git checkout pr459

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-459.patch
Type: text/x-diff
Size: 11973 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Feb 13 09:15:29 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 13 Feb 2017 10:15:29 +0100
Subject: [Freeipa-devel] [freeipa PR#459][edited] [WIP] Faster JSON encoder/decoder

URL: https://github.com/freeipa/freeipa/pull/459
Author: tiran
Title: #459: [WIP] Faster JSON encoder/decoder
Action: edited

Changed field: title
Original value:
"""
Faster JSON encoder/decoder
"""

From freeipa-github-notification at redhat.com Mon Feb 13 09:25:06 2017
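The PR#459 body above lists four techniques without showing them. The block below is an added illustration written for this archive, not code from PR#459 or from the FreeIPA tree: it serialises the two non-JSON types FreeIPA has to carry over the wire (bytes and datetime) with a single dict lookup on the exact type instead of an isinstance() chain, calls json.dumps() without indent or sort_keys so the C encoder handles the bulk of the work, and reverses the conversion in one pass with the decoder's object_hook. The tag names `__base64__` and `__datetime__` and the timestamp format are assumptions chosen for the example, not a statement of FreeIPA's actual wire format.

```python
import base64
import json
from datetime import datetime

# Tag names for the non-JSON types. Constructed for this example; they are
# not taken from FreeIPA's real wire format.
BASE64_TAG = "__base64__"
DATETIME_TAG = "__datetime__"
TIME_FMT = "%Y%m%d%H%M%SZ"


def _encode_bytes(value):
    return {BASE64_TAG: base64.b64encode(value).decode("ascii")}


def _encode_datetime(value):
    return {DATETIME_TAG: value.strftime(TIME_FMT)}


# Exact-type table: one dict lookup instead of N isinstance() tests.
_ENCODERS = {
    bytes: _encode_bytes,
    datetime: _encode_datetime,
}


def _default(obj):
    """json.dumps() calls this only for objects it cannot serialise itself,
    so the fast C path handles str/int/list/dict and we only pay for the
    few values that actually need conversion."""
    encoder = _ENCODERS.get(type(obj))
    if encoder is None:
        # Subclasses (e.g. a bytes subclass) miss the exact-type table;
        # walk the MRO once rather than testing every registered type.
        for cls in type(obj).__mro__[1:]:
            encoder = _ENCODERS.get(cls)
            if encoder is not None:
                break
    if encoder is None:
        raise TypeError("cannot serialise %r" % type(obj).__name__)
    return encoder(obj)


def dumps(obj):
    # No indent and no sort_keys: either option forces the pure-Python
    # encoder, which is the slow path the PR description refers to.
    return json.dumps(obj, default=_default)


def _object_hook(d):
    """Called by json.loads() once per decoded JSON object, innermost
    first, so the whole tree is converted in a single traversal."""
    if len(d) == 1:
        if BASE64_TAG in d:
            return base64.b64decode(d[BASE64_TAG])
        if DATETIME_TAG in d:
            return datetime.strptime(d[DATETIME_TAG], TIME_FMT)
    return d


def loads(text):
    return json.loads(text, object_hook=_object_hook)


def roundtrip(obj):
    """Encode then decode; returns the reconstructed object."""
    return loads(dumps(obj))


if __name__ == "__main__":
    # Constructed sample resembling an RPC result with a DER blob and a time.
    sample = {
        "result": {
            "usercertificate": b"\x30\x82\x01\x00binary",
            "krblastpwdchange": datetime(2017, 2, 13, 10, 7, 12),
            "memberof_group": ["admins", "editors"],
        },
        "error": None,
    }
    wire = dumps(sample)
    print(wire)
    assert roundtrip(sample) == sample
```

One caveat a reviewer should keep in mind with any tagging scheme of this kind: the decoder turns *every* single-key object whose key is a tag into the corresponding Python type, so a peer that controls the JSON can make the receiver construct bytes or datetime values where a dict was expected. The hook is the right place to validate that (reject unknown tags, bound the decoded size, or only apply the conversion to fields the schema says are binary) rather than doing isinstance() checks downstream.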
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 13 Feb 2017 10:25:06 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
@lslebodn it works even better without your proposed changes. Parts of ```ipatests``` work fine for ```--disable-server``` builds. I need the package to run tests.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279333838

From freeipa-github-notification at redhat.com Mon Feb 13 09:49:24 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 13 Feb 2017 10:49:24 +0100
Subject: [Freeipa-devel] [freeipa PR#459][synchronized] [WIP] Faster JSON encoder/decoder

URL: https://github.com/freeipa/freeipa/pull/459
Author: tiran
Title: #459: [WIP] Faster JSON encoder/decoder
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/459/head:pr459
git checkout pr459

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-459.patch
Type: text/x-diff
Size: 13778 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Feb 13 10:34:59 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Mon, 13 Feb 2017 11:34:59 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
On (13/02/17 01:25), Christian Heimes wrote:
>@lslebodn it works even better without your proposed changes. Parts ```ipatests``` work fine for ```--disable-server``` builds. I need the package to run tests.
>

The old version (4.4) of `CLIENT_ONLY` build did not package ipatests. Could you describe a reason/use-case for installing `ipatests` without server?

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279349836

From freeipa-github-notification at redhat.com Mon Feb 13 11:08:06 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 13 Feb 2017 12:08:06 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
Packaging is a different issue. The PR does not provide RPM packaging for client-only build. It merely implements configuration and building without server components.

For client-only builds I need ipatests to run part of the test suite to verify client code. Test suites ```test_ipapython, test_ipalib, test_pkcs10``` without ```test_ipalib.test_rpc``` work without ```ipaserver```.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279357147

From freeipa-github-notification at redhat.com Mon Feb 13 11:34:22 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Mon, 13 Feb 2017 12:34:22 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
On (13/02/17 03:08), Christian Heimes wrote:
>Packaging is a different issue. The PR does not provide RPM packaging for client-only build. It merely implements configuration and building without server components.
>

I mentioned the old version of `CLIENT_ONLY` build because I consider it as a reference implementation. And `ipa tests` were not installed in 4.4 for client only build.

>For client-only builds I need ipatests to run part of the test suite to verify client code. Test suites ```test_ipapython, test_ipalib, test_pkcs10``` without ```test_ipalib.test_rpc``` work without ```ipaserver```.
>

I expected a little bit more details. Do you need to run `make install` and then run tests in the installed directory? Or how do you want to "run part of the test suite"? Because if you needn't run "make install" for your use-case then my proposed patch would work.

BTW `ipatests` will still be part of the tarball and/or git. You can run them even though they will not be installed with `make install`

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279362399

From freeipa-github-notification at redhat.com Mon Feb 13 11:49:03 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Mon, 13 Feb 2017 12:49:03 +0100
Subject: [Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder

URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: [WIP] Faster JSON encoder/decoder

pvoborni commented:
"""
Is there a way (I did not read changes thoroughly) to enable sorting and indentation, e.g. for testing purposes?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/459#issuecomment-279365267

From freeipa-github-notification at redhat.com Mon Feb 13 11:56:50 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 13 Feb 2017 12:56:50 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
Two reasons

1. ```make install```
2. I need ipatests to be part of the build process in order to get a Python package for tox later.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279367184

From freeipa-github-notification at redhat.com Mon Feb 13 12:03:28 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Mon, 13 Feb 2017 13:03:28 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
On (13/02/17 03:56), Christian Heimes wrote:
>Two reasons
>
>1. ```make install```
>2. I need ipatests to be part of the build process in order to get a Python package for tox later.
>

OK, thank you for the explanation. Then we should install just tests from directory `ipatests` which do not require a daemon for execution.

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279368656

From freeipa-github-notification at redhat.com Mon Feb 13 12:04:23 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 13 Feb 2017 13:04:23 +0100
Subject: [Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder

URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: [WIP] Faster JSON encoder/decoder

tiran commented:
"""
Why would you want to sort or indent the raw output? The extra verbose output of ```ipa``` just loads and dumps the output a second time. It's less efficient but who cares about minor efficiency issues of a debug feature? For browser testing, any web developer tool will give you nicely formatted JSON, too.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/459#issuecomment-279368825

From freeipa-github-notification at redhat.com Mon Feb 13 12:09:23 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Mon, 13 Feb 2017 13:09:23 +0100
Subject: [Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder

URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: [WIP] Faster JSON encoder/decoder

abbra commented:
"""
Right, as long as ipa CLI is capable of printing formatted debug output, that's enough.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/459#issuecomment-279369801

From freeipa-github-notification at redhat.com Mon Feb 13 12:13:40 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Mon, 13 Feb 2017 13:13:40 +0100
Subject: [Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder

URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: [WIP] Faster JSON encoder/decoder

pvoborni commented:
"""
It's usually quicker to read the raw response in a browser than the folded "preview" because everything is visible and no clicking is required. Same for curl testing. But for curl I can imagine piping it to some tool.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/459#issuecomment-279370915

From freeipa-github-notification at redhat.com Mon Feb 13 12:29:39 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 13 Feb 2017 13:29:39 +0100
Subject: [Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder

URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: [WIP] Faster JSON encoder/decoder

tiran commented:
"""
```curl url | python -m json.tool```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/459#issuecomment-279375693

From freeipa-github-notification at redhat.com Mon Feb 13 12:32:00 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 13 Feb 2017 13:32:00 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
No, the test runner should either detect missing packages and skip tests automatically, or should grow an option to load and execute client tests only. It's a separate issue.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279376400

From freeipa-github-notification at redhat.com Mon Feb 13 12:49:11 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Mon, 13 Feb 2017 13:49:11 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
On (13/02/17 04:32), Christian Heimes wrote:
>No, the test runner should either detect missing packages and skip tests automatically, or should grow an option to load and execute client tests only. It's a separate issue.
>

I have a different opinion. It is not a separate issue. For me, the name of the configure option is crystal clear. It should not install anything related to the daemon part; even though it is a test.

Maybe we can add another option to install tests (--with-tests?? + default yes). It would work for your use-case and still allow the old `CLIENT_ONLY` build (equivalent to 4.4)

Or you can propose another compromise.

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279381495

From freeipa-github-notification at redhat.com Mon Feb 13 13:05:13 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 13 Feb 2017 14:05:13 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
I'm following the development principles of **minimum viable product**. This PR solves a critical use case for me. With the PR I can build FreeIPA client packages in a lean and clean build container. Without the ```--disable-server``` flag I'm forced to bloat my build env with lots of additional dependencies and then throw away all the extra stuff.

My changes don't solve https://fedorahosted.org/freeipa/ticket/6517 to its full extent. The PR provides enough of https://fedorahosted.org/freeipa/ticket/6517 to enable me to finish some time critical as soon as possible. RPM packaging changes and ipatests improvements for client-only builds can be implemented another time. I consider these changes sugar coating (aka stretch goals).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279387199

From bind-dyndb-ldap-github-notification at redhat.com Mon Feb 13 13:38:26 2017
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek)
Date: Mon, 13 Feb 2017 14:38:26 +0100
Subject: [Freeipa-devel] [bind-dyndb-ldap PR#9][opened] Remove duplicate const declaration specifier

URL: https://github.com/freeipa/bind-dyndb-ldap/pull/9
Author: tomaskrizek
Title: #9: Remove duplicate const declaration specifier
Action: opened

PR body:
"""
"""

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/9/head:pr9
git checkout pr9

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pr-9.patch
Type: text/x-diff
Size: 850 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Feb 13 14:13:51 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Mon, 13 Feb 2017 15:13:51 +0100
Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-314.patch
Type: text/x-diff
Size: 246599 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Feb 13 14:20:22 2017
From: freeipa-github-notification at redhat.com (redhatrises)
Date: Mon, 13 Feb 2017 15:20:22 +0100
Subject: [Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

redhatrises commented:
"""
@MartinBasti I believe that this is ready for your review.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-279404707

From freeipa-github-notification at redhat.com Mon Feb 13 14:24:26 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Mon, 13 Feb 2017 15:24:26 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
On (13/02/17 05:05), Christian Heimes wrote:
>I'm following the development principals of **minimum viable product**. This PR solves a critical use case for me. With the PR I can build FreeIPA client packages in a lean and clean build container. Without the ```--disable-server``` flag I'm forced to bloat my build env with lots of additional dependencies and then throw away all the extra stuff.
>

My comments are about the semantics of this option. `--disable-server` should disable all parts which depend on the server. I know that your use case is a little bit different but I do not like misusing `--disable-server` for different use-cases (from a semantic POV). That's the reason why I proposed a compromise/alternative solution for installing `ipatests` which needn't be tied together with `--disable-server`.

>My changes don't solve https://fedorahosted.org/freeipa/ticket/6517 to its full extend. The PR provides enough of https://fedorahosted.org/freeipa/ticket/6517 to enable me to finish some time critical as soon as possible. RPM packaging changes and ipatests improvements for client-only builds can be implemented another time. I consider these changes sugar coating (aka stretch goals).
>

One more time; it will be solved with my proposed change to `ipatests` + a small tweak to the spec file (due to python2/3 changes). That is exactly the way I tested it.

A little bit hacky way but works for testing: https://paste.fedoraproject.org/556868/48699519

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279405767

From freeipa-github-notification at redhat.com Mon Feb 13 14:43:32 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Mon, 13 Feb 2017 15:43:32 +0100
Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-314.patch
Type: text/x-diff
Size: 246605 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Feb 13 15:02:38 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Mon, 13 Feb 2017 16:02:38 +0100
Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-314.patch
Type: text/x-diff
Size: 246864 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Feb 13 15:06:22 2017
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Mon, 13 Feb 2017 16:06:22 +0100
Subject: [Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping

URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
Title: #398: Support for Certificate Identity Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/398/head:pr398
git checkout pr398

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-398.patch
Type: text/x-diff
Size: 48903 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Feb 13 16:04:08 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Mon, 13 Feb 2017 17:04:08 +0100
Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-314.patch
Type: text/x-diff
Size: 247269 bytes
Desc: not available

From bind-dyndb-ldap-github-notification at redhat.com Mon Feb 13 16:53:40 2017
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek)
Date: Mon, 13 Feb 2017 17:53:40 +0100
Subject: [Freeipa-devel] [bind-dyndb-ldap PR#9][comment] Remove duplicate const declaration specifier

URL: https://github.com/freeipa/bind-dyndb-ldap/pull/9
Title: #9: Remove duplicate const declaration specifier

tomaskrizek commented:
"""
@pemensik Hi, could you please take a look at this PR and ACK? It's just a typo that was preventing a build on fedora rawhide due to some warnings.
"""

See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/9#issuecomment-279451102

From freeipa-github-notification at redhat.com Mon Feb 13 16:56:14 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 13 Feb 2017 17:56:14 +0100
Subject: [Freeipa-devel] [freeipa PR#460][opened] [Py3] ipa-server-install, ipa-server-upgrade fixes

URL: https://github.com/freeipa/freeipa/pull/460
Author: MartinBasti
Title: #460: [Py3] ipa-server-install, ipa-server-upgrade fixes
Action: opened

PR body:
"""
ipa-server-install --setup-dns now works without BytesWarnings under python3, ipa-server-upgrade should work on the IPA side but there are issues on the pyldap side.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/460/head:pr460
git checkout pr460

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-460.patch
Type: text/x-diff
Size: 18123 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Feb 13 16:56:36 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 13 Feb 2017 17:56:36 +0100
Subject: [Freeipa-devel] [freeipa PR#460][synchronized] [Py3] ipa-server-install, ipa-server-upgrade fixes

URL: https://github.com/freeipa/freeipa/pull/460
Author: MartinBasti
Title: #460: [Py3] ipa-server-install, ipa-server-upgrade fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/460/head:pr460
git checkout pr460

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-460.patch
Type: text/x-diff
Size: 18117 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Feb 13 17:08:02 2017
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Mon, 13 Feb 2017 18:08:02 +0100
Subject: [Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping

URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
Title: #398: Support for Certificate Identity Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/398/head:pr398
git checkout pr398

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-398.patch
Type: text/x-diff
Size: 48281 bytes
Desc: not available

From freeipa-github-notification at redhat.com Mon Feb 13 17:08:45 2017
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Feb 2017 18:08:45 +0100 Subject: [Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/444 Title: #444: Allow nsaccountlock to be searched in user-find commands MartinBasti commented: """ LGTM, I'll test it later """ See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-279455811 From freeipa-github-notification at redhat.com Mon Feb 13 17:11:28 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Feb 2017 18:11:28 +0100 Subject: [Freeipa-devel] [freeipa PR#445][+pushed] Remove is_fips_enabled checks in installers and ipactl In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/445 Title: #445: Remove is_fips_enabled checks in installers and ipactl Label: +pushed From freeipa-github-notification at redhat.com Mon Feb 13 17:11:29 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Feb 2017 18:11:29 +0100 Subject: [Freeipa-devel] [freeipa PR#445][comment] Remove is_fips_enabled checks in installers and ipactl In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/445 Title: #445: Remove is_fips_enabled checks in installers and ipactl MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/08c71703a44d8aec308781351c3a9dd4a4ba94a7 """ See the full comment at https://github.com/freeipa/freeipa/pull/445#issuecomment-279456586 From freeipa-github-notification at redhat.com Mon Feb 13 17:11:30 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Mon, 13 Feb 2017 18:11:30 +0100 Subject: [Freeipa-devel] [freeipa PR#445][closed] Remove is_fips_enabled checks in installers and ipactl In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/445 Author: stlaz Title: #445: Remove is_fips_enabled checks in installers and ipactl Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/445/head:pr445 git checkout pr445 From freeipa-github-notification at redhat.com Mon Feb 13 17:42:58 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 13 Feb 2017 18:42:58 +0100 Subject: [Freeipa-devel] [freeipa PR#461][opened] Bump required version of bind-dyndb-ldap to 11.0-2 Message-ID: URL: https://github.com/freeipa/freeipa/pull/461 Author: tomaskrizek Title: #461: Bump required version of bind-dyndb-ldap to 11.0-2 Action: opened PR body: """ Fedora release bind-dyndb-ldap 11.0-2 transforms existing named.conf old style API to the new style API. This package version is required to enable upgrade of existing IPA installations to new version. https://fedorahosted.org/freeipa/ticket/6565 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/461/head:pr461 git checkout pr461 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-461.patch Type: text/x-diff Size: 1039 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Feb 13 17:46:05 2017 
From: freeipa-github-notification at redhat.com (pvoborni) Date: Mon, 13 Feb 2017 18:46:05 +0100 Subject: [Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/459 Title: #459: [WIP] Faster JSON encoder/decoder pvoborni commented: """ As mentioned at the meeting, if rpcserver pretty-prints the output in debug mode then it is fine. """ See the full comment at https://github.com/freeipa/freeipa/pull/459#issuecomment-279466497

From freeipa-github-notification at redhat.com Mon Feb 13 18:45:47 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Mon, 13 Feb 2017 19:45:47 +0100 Subject: [Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-398.patch Type: text/x-diff Size: 48317 bytes Desc: not available URL:

From freeipa-github-notification at redhat.com Mon Feb 13 20:35:15 2017
From: freeipa-github-notification at redhat.com (simo5) Date: Mon, 13 Feb 2017 21:35:15 +0100 Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/314 Author: simo5 Title: #314: RFC: privilege separation for ipa framework code Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/314/head:pr314 git checkout pr314 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-314.patch Type: text/x-diff Size: 249411 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Feb 13 21:14:45 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Mon, 13 Feb 2017 22:14:45 +0100 Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/314 Author: simo5 Title: #314: RFC: privilege separation for ipa framework code Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/314/head:pr314 git checkout pr314 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-314.patch Type: text/x-diff Size: 249852 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Feb 13 22:07:47 2017 
From: freeipa-github-notification at redhat.com (simo5) Date: Mon, 13 Feb 2017 23:07:47 +0100 Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ @HonzaCholasta push it before we break it again! :-) """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279538680

From freeipa-github-notification at redhat.com Tue Feb 14 00:25:51 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Feb 2017 01:25:51 +0100 Subject: [Freeipa-devel] [freeipa PR#462][opened] [WIP] pylint: add custom check for forbidden imports Message-ID: URL: https://github.com/freeipa/freeipa/pull/462 Author: MartinBasti Title: #462: [WIP] pylint: add custom check for forbidden imports Action: opened PR body: """ Some modules of FreeIPA should not be imported into some other FreeIPA modules, like ipalib into ipapython. This is WIP, it misses a lot of rules and I had a hard time naming variables; feedback more than welcome. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/462/head:pr462 git checkout pr462 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-462.patch Type: text/x-diff Size: 3290 bytes Desc: not available URL:

From freeipa-github-notification at redhat.com Tue Feb 14 00:39:12 2017
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Feb 2017 01:39:12 +0100 Subject: [Freeipa-devel] [freeipa PR#462][synchronized] [WIP] pylint: add custom check for forbidden imports In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/462 Author: MartinBasti Title: #462: [WIP] pylint: add custom check for forbidden imports Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/462/head:pr462 git checkout pr462 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-462.patch Type: text/x-diff Size: 3293 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 14 07:10:15 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 14 Feb 2017 08:10:15 +0100 Subject: [Freeipa-devel] [freeipa PR#459][synchronized] [WIP] Faster JSON encoder/decoder In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/459 Author: tiran Title: #459: [WIP] Faster JSON encoder/decoder Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/459/head:pr459 git checkout pr459 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-459.patch Type: text/x-diff Size: 16717 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 14 07:20:46 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 14 Feb 2017 08:20:46 +0100 Subject: [Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/459 Title: #459: [WIP] Faster JSON encoder/decoder tiran commented: """ @pvoborni I have modified the PR and added a pretty_print option. JSON is now pretty printed for verbose level 2 and higher. The old implementation converted all lists to tuples. With `obj_hook`, only lists in JSON objects are converted at the moment. Nested lists are not fully converted, which causes a test failure. I wonder why we decided to convert lists to tuples in the first place? Can we drop the conversion and just use lists here? """ See the full comment at https://github.com/freeipa/freeipa/pull/459#issuecomment-279627304

From freeipa-github-notification at redhat.com Tue Feb 14 07:29:10 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 14 Feb 2017 08:29:10 +0100 Subject: [Freeipa-devel] [freeipa PR#462][comment] [WIP] pylint: add custom check for forbidden imports In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/462 Title: #462: [WIP] pylint: add custom check for forbidden imports tiran commented: """ Can you turn module matching into a regular expression? We need a bit more advanced checks, e.g. `ipalib` should not import from `ipaplatform` except for modules in `ipalib.install`. """ See the full comment at https://github.com/freeipa/freeipa/pull/462#issuecomment-279628559

From freeipa-github-notification at redhat.com Tue Feb 14 07:57:11 2017
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Feb 2017 08:57:11 +0100 Subject: [Freeipa-devel] [freeipa PR#462][closed] [WIP] pylint: add custom check for forbidden imports In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/462 Author: MartinBasti Title: #462: [WIP] pylint: add custom check for forbidden imports Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/462/head:pr462 git checkout pr462 From freeipa-github-notification at redhat.com Tue Feb 14 07:57:12 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Feb 2017 08:57:12 +0100 Subject: [Freeipa-devel] [freeipa PR#462][comment] [WIP] pylint: add custom check for forbidden imports In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/462 Title: #462: [WIP] pylint: add custom check for forbidden imports MartinBasti commented: """ @HonzaCholasta has some WIP patches for this in his drawer which may be better than this, so closing this PR in favor of Honza's patches """ See the full comment at https://github.com/freeipa/freeipa/pull/462#issuecomment-279633108 From freeipa-github-notification at redhat.com Tue Feb 14 08:03:28 2017 
From: freeipa-github-notification at redhat.com (abbra) Date: Tue, 14 Feb 2017 09:03:28 +0100 Subject: [Freeipa-devel] [freeipa PR#403][comment] Add new ipa passwd-generate command In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/403 Title: #403: Add new ipa passwd-generate command abbra commented: """ Sorry for another delay too. We have discussed this proposal again and would like to have an ipa-advise implementation instead of an IPA CLI command. There are multiple reasons for this:

* If an IPA CLI implementation were done, from your last comment it looks like you would be interested in supplying a generated password to another IPA command call, like 'ipa passwd'. However, to get access to the password policy object, one has to have administrative privileges, while it is supposed that the 'ipa passwd' command is executed under user privileges. Thus, 'ipa foobar --generate | ipa passwd' is not possible as that would require two different auth identities to run in the same session space.
* An implementation that only uses the user's identity will see no password policy settings at all. Thus it would not be able to follow any specific password policy.
* The existing 'ipa user-add --random' and 'ipa host-add --random', which set the user/host password to a random value, apply to situations where the passwords are of one-time use and will get changed on the first use.
* Any administratively set password for IPA users will cause its change on the first authentication attempt. This is not going to change. Thus, setting a generated password as administrator is not going to honor the password that was just set. As a result, a sequence of events "administrator calls IPA CLI to generate password and then sets this password to a user" is not going to work in practice to retain the generated password.
* For system accounts we want to have overall proper management. When it is implemented, we can add there an option to generate passwords. Given that system accounts aren't handled by the IPA framework right now, the source of a policy compliant password can be anything, as adding the account is done externally (via ldapadd/ldapmodify) with administrative privileges.

Thus, we'd still prefer to use the 'ipa-advise' plugin approach. A script that 'ipa-advise' would generate can be run on any machine. If it couldn't be run on the target machine, it can always be run on an IPA client. An important part of this solution is that 'ipa-advise' plugins can be run with administrative privileges (ipa-advise is always run as root) and thus can read password policy settings for a specific user (or a specific password policy). """ See the full comment at https://github.com/freeipa/freeipa/pull/403#issuecomment-279634244

From freeipa-github-notification at redhat.com Tue Feb 14 08:34:02 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 14 Feb 2017 09:34:02 +0100 Subject: [Freeipa-devel] [freeipa PR#459][synchronized] [WIP] Faster JSON encoder/decoder In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/459 Author: tiran Title: #459: [WIP] Faster JSON encoder/decoder Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/459/head:pr459 git checkout pr459 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-459.patch Type: text/x-diff Size: 21908 bytes Desc: not available URL:

From freeipa-github-notification at redhat.com Tue Feb 14 08:55:02 2017
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 14 Feb 2017 09:55:02 +0100 Subject: [Freeipa-devel] [freeipa PR#446][synchronized] No NSS database passwords in ipa-client-install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/446 Author: stlaz Title: #446: No NSS database passwords in ipa-client-install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/446/head:pr446 git checkout pr446 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-446.patch Type: text/x-diff Size: 16457 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 14 08:59:36 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 14 Feb 2017 09:59:36 +0100 Subject: [Freeipa-devel] [freeipa PR#446][closed] No NSS database passwords in ipa-client-install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/446 Author: stlaz Title: #446: No NSS database passwords in ipa-client-install Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/446/head:pr446 git checkout pr446 From bind-dyndb-ldap-github-notification at redhat.com Tue Feb 14 09:08:24 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Tue, 14 Feb 2017 10:08:24 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#9][+ack] Remove duplicate const declaration specifier In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/9 Title: #9: Remove duplicate const declaration specifier Label: +ack From freeipa-github-notification at redhat.com Tue Feb 14 09:11:11 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 14 Feb 2017 10:11:11 +0100 Subject: [Freeipa-devel] [freeipa PR#446][reopened] No NSS database passwords in ipa-client-install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/446 Author: stlaz Title: #446: No NSS database passwords in ipa-client-install Action: reopened To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/446/head:pr446 git checkout pr446 From bind-dyndb-ldap-github-notification at redhat.com Tue Feb 14 09:15:58 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Tue, 14 Feb 2017 10:15:58 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#9][comment] Remove duplicate const declaration specifier In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/9 Title: #9: Remove duplicate const declaration specifier tomaskrizek commented: """ Fixed upstream. master - f76ca3b3a4c2c030071dd23c706d8cc06e1fa2a9 """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/9#issuecomment-279650750 From bind-dyndb-ldap-github-notification at redhat.com Tue Feb 14 09:16:00 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Tue, 14 Feb 2017 10:16:00 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#9][closed] Remove duplicate const declaration specifier In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/9 Author: tomaskrizek Title: #9: Remove duplicate const declaration specifier Action: closed To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/9/head:pr9 git checkout pr9 From bind-dyndb-ldap-github-notification at redhat.com Tue Feb 14 09:16:03 2017 
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Tue, 14 Feb 2017 10:16:03 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#9][+pushed] Remove duplicate const declaration specifier In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/9 Title: #9: Remove duplicate const declaration specifier Label: +pushed From bind-dyndb-ldap-github-notification at redhat.com Tue Feb 14 09:16:45 2017 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Tue, 14 Feb 2017 10:16:45 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#9][comment] Remove duplicate const declaration specifier In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/9 Title: #9: Remove duplicate const declaration specifier tomaskrizek commented: """ @pemensik Thanks for review! """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/9#issuecomment-279650948 From freeipa-github-notification at redhat.com Tue Feb 14 09:26:19 2017 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 14 Feb 2017 10:26:19 +0100 Subject: [Freeipa-devel] [freeipa PR#410][+ack] ipa-kdb: support KDB DAL version 6.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/410 Title: #410: ipa-kdb: support KDB DAL version 6.1 Label: +ack From freeipa-github-notification at redhat.com Tue Feb 14 09:40:46 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 14 Feb 2017 10:40:46 +0100 Subject: [Freeipa-devel] [freeipa PR#463][opened] pylint_plugins: add forbidden import checker Message-ID: URL: https://github.com/freeipa/freeipa/pull/463 Author: HonzaCholasta Title: #463: pylint_plugins: add forbidden import checker Action: opened PR body: """ Add new pylint AST checker plugin which implements a check for imports forbidden in IPA. Which imports are forbidden is configurable in pylintrc. Provide default forbidden import configuration and disable the check for existing forbidden imports in our code base. Supersedes @MartinBasti's PR #462. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/463/head:pr463 git checkout pr463 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-463.patch Type: text/x-diff Size: 39648 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 14 10:29:27 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 14 Feb 2017 11:29:27 +0100 Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server tiran commented: """ I'm following a different design and development philosophy. In my experience an iterative approach with small, incremental improvements is often better and faster than striving for 100% perfect PRs. Large and feature complete PRs take more time than evolutionary steps. Your objection regarding semantics is valid for the ticket, but not necessarily valid for this PR, as this PR only addresses a part of the problem. I don't dispute that your proposed changes to the spec file are necessary. However I argue for a separate PR. I'm not an expert in RPM packaging and I'd rather let somebody else figure out the appropriate way to deal with client-only packaging. ipatests is yet another problem that should be solved in a third PR. Ticket https://fedorahosted.org/freeipa/ticket/6517 does not have to be, and in fact should not be, solved in one PR. Please review this PR under three viewpoints:

* Does it contribute to resolving ticket https://fedorahosted.org/freeipa/ticket/6517 ?
* Does it enable future changes to solve the ticket?
* Does it break any code or feature that is currently present? [1]

[1] client-only packaging is currently not available """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279669097

From freeipa-github-notification at redhat.com Tue Feb 14 10:35:47 2017
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Feb 2017 11:35:47 +0100 Subject: [Freeipa-devel] [freeipa PR#462][+rejected] [WIP] pylint: add custom check for forbidden imports In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/462 Title: #462: [WIP] pylint: add custom check for forbidden imports Label: +rejected From freeipa-github-notification at redhat.com Tue Feb 14 10:43:23 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 14 Feb 2017 11:43:23 +0100 Subject: [Freeipa-devel] [freeipa PR#463][synchronized] pylint_plugins: add forbidden import checker In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/463 Author: HonzaCholasta Title: #463: pylint_plugins: add forbidden import checker Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/463/head:pr463 git checkout pr463 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-463.patch Type: text/x-diff Size: 13787 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 14 10:55:02 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 14 Feb 2017 11:55:02 +0100 Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ @simo5, I don't think this is the correct approach. Rather than deleting `context.session_cookie` in `RPCClient.destroy_connection()` when requested, it should be done automatically in `RPCClient.create_connection()` when the principal name in the ccache is different from the principal name of the cookie. Also, IMHO it would be preferable to keep the changes in `ipatest/util.py` in a separate commit and not mix them with the generic changes not related only to tests in `ipalib/rpc.py`. """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279675537

From freeipa-github-notification at redhat.com Tue Feb 14 10:58:32 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Feb 2017 11:58:32 +0100 Subject: [Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/463 Title: #463: pylint_plugins: add forbidden import checker MartinBasti commented: """

> Can you turn module matching into a regular expression? We need a bit more advanced checks, e.g. ipalib should not import from ipaplatform except for modules in ipalib.install.

How can the issue mentioned by @tiran be solved in this PR? Should a regexp be used, or allow rules added? """ See the full comment at https://github.com/freeipa/freeipa/pull/463#issuecomment-279676228

From freeipa-github-notification at redhat.com Tue Feb 14 11:01:13 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 14 Feb 2017 12:01:13 +0100 Subject: [Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/463 Title: #463: pylint_plugins: add forbidden import checker HonzaCholasta commented: """ @MartinBasti, this issue is already solved in the PR without using regular expressions. See `pylintrc` for example. """ See the full comment at https://github.com/freeipa/freeipa/pull/463#issuecomment-279676848

From freeipa-github-notification at redhat.com Tue Feb 14 11:08:40 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Feb 2017 12:08:40 +0100 Subject: [Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/463 Title: #463: pylint_plugins: add forbidden import checker MartinBasti commented: """ Ok, this will not work if ipaclient/submodule is allowed to import any module, but it seems OK to me now; it can be improved when needed. """ See the full comment at https://github.com/freeipa/freeipa/pull/463#issuecomment-279678379

From freeipa-github-notification at redhat.com Tue Feb 14 11:10:17 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 14 Feb 2017 12:10:17 +0100 Subject: [Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/463 Title: #463: pylint_plugins: add forbidden import checker HonzaCholasta commented: """ I don't know what you mean, could you give me an example? """ See the full comment at https://github.com/freeipa/freeipa/pull/463#issuecomment-279678738

From freeipa-github-notification at redhat.com Tue Feb 14 11:22:39 2017
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Feb 2017 12:22:39 +0100 Subject: [Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/463 Title: #463: pylint_plugins: add forbidden import checker MartinBasti commented: """ In this case:

```
ipaclient/:ipaclient.install:ipalib.install:ipaplatform:ipaserver,
ipaclient/install/:ipaserver,
```

`ipaclient/install` is allowed to import everything but `ipaserver`, but I cannot currently specify a rule that allows `ipaclient/install` to import everything (including `ipaserver`). But as I said this is a corner case, it should be done when needed. """ See the full comment at https://github.com/freeipa/freeipa/pull/463#issuecomment-279681262

From freeipa-github-notification at redhat.com Tue Feb 14 11:53:50 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Feb 2017 12:53:50 +0100 Subject: [Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/459 Title: #459: [WIP] Faster JSON encoder/decoder MartinBasti commented: """ LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/459#issuecomment-279688053

From freeipa-github-notification at redhat.com Tue Feb 14 11:57:30 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 14 Feb 2017 12:57:30 +0100 Subject: [Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/463 Title: #463: pylint_plugins: add forbidden import checker HonzaCholasta commented: """ You can, using:

```
ipaclient/install/
```

""" See the full comment at https://github.com/freeipa/freeipa/pull/463#issuecomment-279688754

From freeipa-github-notification at redhat.com Tue Feb 14 11:58:50 2017
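To make the rule format in the PR#463 exchange above concrete, here is an added example (not FreeIPA's own pylint plugin) that parses rules of that shape and checks a file's imports against them. The longest-matching-prefix-wins semantics, the extra ipapython/ rule and the sample module are assumptions built from the thread, not taken from the project's pylintrc.

```python
"""Path-prefix import rules as discussed in PR #463 (added example, not the
FreeIPA pylint plugin itself).

Assumed rule syntax, modelled on the two rules quoted in the thread:

    <path prefix>:<forbidden module>:<forbidden module>...,

A file is governed by the rule with the longest path prefix that matches it,
so a rule with no forbidden modules (e.g. "ipaclient/install/") re-allows
every import for files under that directory.
"""
import ast
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample configuration. The first two rules are the ones quoted
# in the thread; the ipapython/ rule is an assumption based on PR #462's
# description ("ipalib should not be imported into ipapython").
SAMPLE_RULES = """
ipaclient/:ipaclient.install:ipalib.install:ipaplatform:ipaserver,
ipaclient/install/:ipaserver,
ipapython/:ipalib:ipaclient:ipaserver,
"""

# Constructed sample module to check; it is not code from FreeIPA.
SAMPLE_SOURCE = """\
import os
from ipalib import api
from ipaplatform.paths import paths
import ipaserver.plugins.baseldap
from ipaclient import install
"""


def parse_rules(text: str) -> Dict[str, List[str]]:
    """Turn 'prefix:mod:mod,' entries into {prefix: [forbidden modules]}."""
    rules: Dict[str, List[str]] = {}
    for entry in text.replace("\n", "").split(","):
        entry = entry.strip()
        if not entry:
            continue
        prefix, *forbidden = entry.split(":")
        rules[prefix.strip()] = [m.strip() for m in forbidden if m.strip()]
    return rules


def rule_for(path: str, rules: Dict[str, List[str]]) -> Optional[Tuple[str, List[str]]]:
    """Pick the rule whose prefix matches `path` most specifically (longest wins)."""
    matching = [prefix for prefix in rules if path.startswith(prefix)]
    if not matching:
        return None
    best = max(matching, key=len)
    return best, rules[best]


def is_forbidden(module: str, forbidden: List[str]) -> bool:
    """True if `module` is one of the forbidden entries or a submodule of one."""
    return any(module == f or module.startswith(f + ".") for f in forbidden)


def imported_names(source: str) -> Iterator[Tuple[int, str]]:
    """Yield (lineno, dotted name) for every absolute import in `source`.

    `from pkg import name` is reported as 'pkg.name' so that pulling in a
    forbidden subpackage through its parent (from ipaclient import install)
    is caught as well. Relative imports are skipped.
    """
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                yield node.lineno, alias.name
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            for alias in node.names:
                yield node.lineno, f"{node.module}.{alias.name}"


def check_file(path: str, source: str, rules: Dict[str, List[str]]) -> List[Tuple[int, str]]:
    """Return the (lineno, name) pairs in `source` that a file at `path` may not import."""
    match = rule_for(path, rules)
    if match is None:
        return []  # no rule governs this path: everything is allowed
    _, forbidden = match
    return sorted((ln, name) for ln, name in imported_names(source)
                  if is_forbidden(name, forbidden))


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for path in ("ipaclient/plugins/foo.py", "ipaclient/install/client.py",
                 "ipapython/util.py", "ipalib/plugable.py"):
        print(path, check_file(path, SAMPLE_SOURCE, rules))
```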
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 14 Feb 2017 12:58:50 +0100 Subject: [Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/463 Title: #463: pylint_plugins: add forbidden import checker MartinBasti commented: """ Awesome then """ See the full comment at https://github.com/freeipa/freeipa/pull/463#issuecomment-279689037 From freeipa-github-notification at redhat.com Tue Feb 14 11:59:12 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 14 Feb 2017 12:59:12 +0100 Subject: [Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/398 Title: #398: Support for Certificate Identity Mapping flo-renaud commented: """ Hi @HonzaCholasta, PR updated with most of your comments, except the suggestion to use default_from. Please see my answer inline for this one. """ See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-279689115 From freeipa-github-notification at redhat.com Tue Feb 14 12:00:11 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 14 Feb 2017 13:00:11 +0100 Subject: [Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/463 Title: #463: pylint_plugins: add forbidden import checker HonzaCholasta commented: """ The format could be nicer though - suggestions are welcome. """ See the full comment at https://github.com/freeipa/freeipa/pull/463#issuecomment-279689307 From freeipa-github-notification at redhat.com Tue Feb 14 12:11:18 2017 
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 14 Feb 2017 13:11:18 +0100
Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
The changes in ipalib/rpc.py are connected to the changes in ipatest/util.py; it makes no sense to keep them separate, as in each patch I add, respectively, to connect() and disconnect() arguments that are used in ipatest/util.py.

As for resetting session_cookie when the principal changes, I am all for it, except we do not record the principal in the rpc context ...
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279691469

From freeipa-github-notification at redhat.com Tue Feb 14 12:18:46 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 14 Feb 2017 13:18:46 +0100
Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-314.patch
Type: text/x-diff
Size: 248431 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Feb 14 12:19:14 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 14 Feb 2017 13:19:14 +0100
Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
We actually record the principal. Changed the patch to destroy session_cookie in create_connection if the principal is different.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279692958

From freeipa-github-notification at redhat.com Tue Feb 14 12:19:33 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 14 Feb 2017 13:19:33 +0100
Subject: [Freeipa-devel] [freeipa PR#459][synchronized] [WIP] Faster JSON encoder/decoder

URL: https://github.com/freeipa/freeipa/pull/459
Author: tiran
Title: #459: [WIP] Faster JSON encoder/decoder
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/459/head:pr459
git checkout pr459

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-459.patch
Type: text/x-diff
Size: 23125 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Feb 14 12:24:01 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Tue, 14 Feb 2017 13:24:01 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
On (14/02/17 02:29), Christian Heimes wrote:
>I'm following a different design and development philosophy. In my experience an iterative approach with small, incremental improvements is often better and faster than striving for 100% perfect PRs. Large and feature complete PRs take more time than evolutionary steps.
>
I have never written anything against this philosophy. All small changes can make sense from a semantic point of view. Misusing names/options for a different use-case just creates a big mess and confuses other people.

>Please review this PR under three viewpoints:
>
>* Does it contribute to resolving ticket https://fedorahosted.org/freeipa/ticket/6517 ?
client only build and --disable-server is the same thing (at least from "make install" POV)
I have never required changes to spec file.

>* Does it enable future changes to solve the ticket?
If you will not install ipatests (if there is a way to not install ipatest) then it will enable future changes to solve the ticket. Because solving ticket6517 would be just writing the right spec file.
ATM it does not enable future changes to solve the ticket.

>* Does it break any code or feature that is currently present?
[1] Yes, it installs server-related options even though they should not be installed

Summary:
You should realize that the name of the PR is "Client-only builds with --disable-server" and your use-case is not a pure client-only build.

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-279693909

From freeipa-github-notification at redhat.com Tue Feb 14 12:31:34 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 14 Feb 2017 13:31:34 +0100
Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, I don't agree, the changes in `ipalib/rpc.py` are a pre-requisite for the changes in `ipatests/util.py`, but that doesn't mean they should be in the same commit, as they affect every use of `RPCClient`, not just the one in the tests. Following your logic, the whole PR should be just a single commit, which would be equally wrong.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279695377

From freeipa-github-notification at redhat.com Tue Feb 14 12:41:03 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 14 Feb 2017 13:41:03 +0100
Subject: [Freeipa-devel] [freeipa PR#464][opened] :arrow_up: Bump required python-cryptography version

URL: https://github.com/freeipa/freeipa/pull/464
Author: stlaz
Title: #464: :arrow_up: Bump required python-cryptography version
Action: opened

PR body:
"""
Since we started using `Certificate.serial_number` instead of `.serial` from python-cryptography (https://github.com/freeipa/freeipa/commit/3d9bec2e879d60e6bb7b2602084d3314765a6283), bump the required version to the one where the above mentioned transition happened (https://github.com/pyca/cryptography/commit/e295f3ab615775c3549b7bc2e051af5cff801619).
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/464/head:pr464
git checkout pr464

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-464.patch
Type: text/x-diff
Size: 2667 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Feb 14 12:41:12 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 14 Feb 2017 13:41:12 +0100
Subject: [Freeipa-devel] [freeipa PR#464][edited] :arrow_up: Bump required python-cryptography version

URL: https://github.com/freeipa/freeipa/pull/464
Author: stlaz
Title: #464: :arrow_up: Bump required python-cryptography version
Action: edited

Changed field: title
Original value:
"""
:arrow_up: Bump required python-cryptography version
"""

From freeipa-github-notification at redhat.com Tue Feb 14 12:45:46 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 14 Feb 2017 13:45:46 +0100
Subject: [Freeipa-devel] [freeipa PR#464][comment] Bump required python-cryptography version

URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version

HonzaCholasta commented:
"""
NACK, you didn't update the comments.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/464#issuecomment-279698054

From freeipa-github-notification at redhat.com Tue Feb 14 12:46:36 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 14 Feb 2017 13:46:36 +0100
Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-314.patch
Type: text/x-diff
Size: 248527 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Feb 14 12:53:14 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 14 Feb 2017 13:53:14 +0100
Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-314.patch
Type: text/x-diff
Size: 248985 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Feb 14 12:56:31 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 14 Feb 2017 13:56:31 +0100
Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Ok, split the last stuff in 3 commits.

I remove the use of private ccache for a few reasons:
1. touches environment variables.
2. will unconditionally remove a ccache even when passed in, so it may end up removing the wrong thing
3. private_ccache is used in dcerpc code and I do not want to change semantics and risk breaking that code path
4. This fix is much smaller and removes one more yield, which is not a bad thing as it makes the code easier to read.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279700179

From freeipa-github-notification at redhat.com Tue Feb 14 13:03:20 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 14 Feb 2017 14:03:20 +0100
Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
OK. I didn't notice `private_ccache()` removes the ccache even if it did not create it. That's just stupid, but I guess we will have to live with it for now.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279701540

From freeipa-github-notification at redhat.com Tue Feb 14 13:26:25 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 14 Feb 2017 14:26:25 +0100
Subject: [Freeipa-devel] [freeipa PR#464][synchronized] Bump required python-cryptography version

URL: https://github.com/freeipa/freeipa/pull/464
Author: stlaz
Title: #464: Bump required python-cryptography version
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/464/head:pr464
git checkout pr464

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-464.patch
Type: text/x-diff
Size: 2892 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Feb 14 13:37:07 2017
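An added illustration of the failure mode discussed in the two comments above (a ccache helper that deletes a cache it did not create and clobbers environment variables); this is not FreeIPA's `private_ccache()` but a hypothetical `scoped_ccache()` that only removes a cache it created itself and always restores the previous `KRB5CCNAME`. The cache files and the environment value it uses are constructed.

```python
"""Scoped Kerberos credential cache: only delete what you created.

Hypothetical replacement, not FreeIPA's private_ccache(): a helper that
unconditionally removes the ccache on exit also removes a cache the caller
passed in.  scoped_ccache() creates a temporary cache only when none is
supplied, removes only that one, and restores KRB5CCNAME in every case.
"""
import os
import tempfile
from contextlib import contextmanager

ENV = "KRB5CCNAME"


@contextmanager
def scoped_ccache(path=None):
    """Point KRB5CCNAME at ``path`` (or a fresh temp file) for the block.

    The cache is owned by the caller when ``path`` is given; it is owned by
    this context manager, and removed on exit, only when it was created here.
    """
    created = path is None
    if created:
        fd, path = tempfile.mkstemp(prefix="krb5cc_")
        os.close(fd)
    previous = os.environ.get(ENV)
    os.environ[ENV] = "FILE:" + path
    try:
        yield path
    finally:
        # Restore the caller's environment first, then clean up our own cache.
        if previous is None:
            os.environ.pop(ENV, None)
        else:
            os.environ[ENV] = previous
        if created:
            try:
                os.unlink(path)
            except FileNotFoundError:
                pass


def caller_cache_survives():
    """A caller-supplied cache must still exist after the block (constructed file)."""
    fd, path = tempfile.mkstemp(prefix="caller_krb5cc_")
    os.close(fd)
    try:
        with scoped_ccache(path) as used:
            inside = os.environ[ENV] == "FILE:" + path and used == path
        return inside and os.path.exists(path)
    finally:
        if os.path.exists(path):
            os.unlink(path)


def temp_cache_removed_and_env_restored():
    """A cache created by the helper is gone afterwards and KRB5CCNAME is back."""
    original = "FILE:/tmp/krb5cc_original_constructed"  # constructed value
    os.environ[ENV] = original
    with scoped_ccache() as path:
        inside = os.environ[ENV] == "FILE:" + path and os.path.exists(path)
    restored = os.environ.get(ENV) == original
    return inside and restored and not os.path.exists(path)


if __name__ == "__main__":
    print("caller-owned cache kept:", caller_cache_survives())
    print("temporary cache removed, env restored:", temp_cache_removed_and_env_restored())
```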
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 14 Feb 2017 14:37:07 +0100
Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, most of the commits do not have a ticket link, is this intentional?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279708615

From freeipa-github-notification at redhat.com Tue Feb 14 13:42:41 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 14 Feb 2017 14:42:41 +0100
Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
For some commits I was sure what ticket to use, for some I was not, so I elected not to put a specific ticket in there. If you have a good idea of what ticket (of the External Authentication project) to apply to specific commits let me know and I can amend commit messages.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279709846

From freeipa-github-notification at redhat.com Tue Feb 14 13:57:42 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 14 Feb 2017 14:57:42 +0100
Subject: [Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping

URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

HonzaCholasta commented:
"""
@flo-renaud, never mind the `default_from` suggestion, I was wrong - if e.g. both `--certmapdata` and `--certificate` are specified, we want to use both, not throw away `--certificate`, which is exactly what would happen if `--certmapdata` had default derived from `--certificate`.

One more issue, I think the `--certmapdata` option in `user-add-certmapdata` and friends should actually be a positional argument, as that would be more consistent with existing commands. The common pattern is that positional arguments are used to specify the literal value of the attribute (such as principal name in `user-add-principal`), but options need some preprocessing (such as conversion from UID to DN in `group-add-member`). Currently the only exception to this scheme is `user-add-cert` and friends, but that's only because the original intent was to add a certificate file positional argument, but it never happened.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-279713429

From freeipa-github-notification at redhat.com Tue Feb 14 14:05:51 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Tue, 14 Feb 2017 15:05:51 +0100
Subject: [Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test

URL: https://github.com/freeipa/freeipa/pull/399
Author: dkupka
Title: #399: Certificate mapping test
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/399/head:pr399
git checkout pr399

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-399.patch
Type: text/x-diff
Size: 57411 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Feb 14 14:08:23 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 14 Feb 2017 15:08:23 +0100
Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, is there an umbrella ticket? 5959 perhaps?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279716045

From freeipa-github-notification at redhat.com Tue Feb 14 14:28:11 2017
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Tue, 14 Feb 2017 15:28:11 +0100
Subject: [Freeipa-devel] [freeipa PR#461][+ack] Bump required version of bind-dyndb-ldap to 11.0-2

URL: https://github.com/freeipa/freeipa/pull/461
Title: #461: Bump required version of bind-dyndb-ldap to 11.0-2
Label: +ack

From freeipa-github-notification at redhat.com Tue Feb 14 14:30:37 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Feb 2017 15:30:37 +0100
Subject: [Freeipa-devel] [freeipa PR#461][+pushed] Bump required version of bind-dyndb-ldap to 11.0-2

URL: https://github.com/freeipa/freeipa/pull/461
Title: #461: Bump required version of bind-dyndb-ldap to 11.0-2
Label: +pushed

From freeipa-github-notification at redhat.com Tue Feb 14 14:30:38 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Feb 2017 15:30:38 +0100
Subject: [Freeipa-devel] [freeipa PR#461][comment] Bump required version of bind-dyndb-ldap to 11.0-2

URL: https://github.com/freeipa/freeipa/pull/461
Title: #461: Bump required version of bind-dyndb-ldap to 11.0-2

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6cb7bca68486a5ae4be6f93c1acacb7b9890ba9a
"""

See the full comment at https://github.com/freeipa/freeipa/pull/461#issuecomment-279721909

From freeipa-github-notification at redhat.com Tue Feb 14 14:30:40 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Feb 2017 15:30:40 +0100
Subject: [Freeipa-devel] [freeipa PR#461][closed] Bump required version of bind-dyndb-ldap to 11.0-2

URL: https://github.com/freeipa/freeipa/pull/461
Author: tomaskrizek
Title: #461: Bump required version of bind-dyndb-ldap to 11.0-2
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/461/head:pr461
git checkout pr461

From freeipa-github-notification at redhat.com Tue Feb 14 14:49:35 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 14 Feb 2017 15:49:35 +0100
Subject: [Freeipa-devel] [freeipa PR#446][synchronized] No NSS database passwords in ipa-client-install

URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
Title: #446: No NSS database passwords in ipa-client-install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/446/head:pr446
git checkout pr446

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-446.patch
Type: text/x-diff
Size: 17533 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Feb 14 14:55:30 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 14 Feb 2017 15:55:30 +0100
Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
I would personally go with:

* Change session handling: 5959
* Generate tmpfiles config at install time: 5959
* Drop use of kinit_as_http from trust code: 5959
* Use Anonymous user to obtain FAST armor ccache: 5959
* Configure HTTPD to work via Gss-Proxy: 4189, 5959
* Separate RA cert store from the HTTP cert store: 5959
* Simplify NSSDatabase password file handling: 5959
* Always use /etc/ipa/ca.crt as CA cert file: 5959
* Add a new user to run the framework code: 5959
* Rationalize creation of RA and HTTPD NSS databases: 5959
* Fix uninstall stopping ipa.service: 5959
* Allow rpc callers to pass ccache and service names: 6543
* Explicitly pass down ccache names for connections: 6543
* Insure removal of session on identity change: 6543
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279729055

From freeipa-github-notification at redhat.com Tue Feb 14 14:59:17 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 14 Feb 2017 15:59:17 +0100
Subject: [Freeipa-devel] [freeipa PR#396][synchronized] Explicitly remove support of SSLv2

URL: https://github.com/freeipa/freeipa/pull/396
Author: stlaz
Title: #396: Explicitly remove support of SSLv2
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/396/head:pr396
git checkout pr396

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-396.patch
Type: text/x-diff
Size: 6208 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Feb 14 15:15:54 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Tue, 14 Feb 2017 16:15:54 +0100
Subject: [Freeipa-devel] [freeipa PR#423][comment] dns-update-system-records: add support for nsupdate output format

URL: https://github.com/freeipa/freeipa/pull/423
Title: #423: dns-update-system-records: add support for nsupdate output format

tomaskrizek commented:
"""
Please update the ticket in trac/JIRA to mention that the command does not support stdout. LGTM otherwise.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/423#issuecomment-279735139

From freeipa-github-notification at redhat.com Tue Feb 14 15:16:00 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Tue, 14 Feb 2017 16:16:00 +0100
Subject: [Freeipa-devel] [freeipa PR#423][+ack] dns-update-system-records: add support for nsupdate output format

URL: https://github.com/freeipa/freeipa/pull/423
Title: #423: dns-update-system-records: add support for nsupdate output format
Label: +ack

From freeipa-github-notification at redhat.com Tue Feb 14 15:26:43 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 14 Feb 2017 16:26:43 +0100
Subject: [Freeipa-devel] [freeipa PR#446][comment] No NSS database passwords in ipa-client-install

URL: https://github.com/freeipa/freeipa/pull/446
Title: #446: No NSS database passwords in ipa-client-install

stlaz commented:
"""
NSSDatabase now defaults its `.password_file` to `.sec_dir + 'passwd.txt'`. It's necessary to create a pwdfile.txt in system-wide cert store so that actions like CA renew function properly even with FIPS.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/446#issuecomment-279738463

From freeipa-github-notification at redhat.com Tue Feb 14 15:29:54 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 14 Feb 2017 16:29:54 +0100
Subject: [Freeipa-devel] [freeipa PR#446][comment] No NSS database passwords in ipa-client-install

URL: https://github.com/freeipa/freeipa/pull/446
Title: #446: No NSS database passwords in ipa-client-install

stlaz commented:
"""
NSSDatabase now defaults its `.password_file` to `.sec_dir + 'passwd.txt'`. It's necessary to create a pwdfile.txt in Dogtag cert store so that actions like CA renew function properly even with FIPS.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/446#issuecomment-279738463

From freeipa-github-notification at redhat.com Tue Feb 14 15:33:40 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 14 Feb 2017 16:33:40 +0100
Subject: [Freeipa-devel] [freeipa PR#446][synchronized] No NSS database passwords in ipa-client-install

URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
Title: #446: No NSS database passwords in ipa-client-install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/446/head:pr446
git checkout pr446

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-446.patch
Type: text/x-diff
Size: 17520 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Feb 14 15:50:36 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 14 Feb 2017 16:50:36 +0100
Subject: [Freeipa-devel] [freeipa PR#464][+ack] Bump required python-cryptography version

URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version
Label: +ack

From freeipa-github-notification at redhat.com Tue Feb 14 15:54:10 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 14 Feb 2017 16:54:10 +0100
Subject: [Freeipa-devel] [freeipa PR#464][+pushed] Bump required python-cryptography version

URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version
Label: +pushed

From freeipa-github-notification at redhat.com Tue Feb 14 15:54:19 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 14 Feb 2017 16:54:19 +0100
Subject: [Freeipa-devel] [freeipa PR#464][comment] Bump required python-cryptography version

URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version

HonzaCholasta commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/5b56952a547277fab4c68da02f213d40f931a4ca
"""

See the full comment at https://github.com/freeipa/freeipa/pull/464#issuecomment-279747218

From freeipa-github-notification at redhat.com Tue Feb 14 15:54:21 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 14 Feb 2017 16:54:21 +0100
Subject: [Freeipa-devel] [freeipa PR#464][closed] Bump required python-cryptography version

URL: https://github.com/freeipa/freeipa/pull/464
Author: stlaz
Title: #464: Bump required python-cryptography version
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/464/head:pr464
git checkout pr464

From freeipa-github-notification at redhat.com Tue Feb 14 16:09:05 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Feb 2017 17:09:05 +0100
Subject: [Freeipa-devel] [freeipa PR#444][+ack] Allow nsaccountlock to be searched in user-find commands

URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands
Label: +ack

From freeipa-github-notification at redhat.com Tue Feb 14 16:09:24 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Feb 2017 17:09:24 +0100
Subject: [Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

MartinBasti commented:
"""
@pvomacka IMO this may deserve webUI part too
"""

See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-279752074

From freeipa-github-notification at redhat.com Tue Feb 14 16:10:07 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Feb 2017 17:10:07 +0100
Subject: [Freeipa-devel] [freeipa PR#444][+pushed] Allow nsaccountlock to be searched in user-find commands

URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands
Label: +pushed

From freeipa-github-notification at redhat.com Tue Feb 14 16:10:08 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Feb 2017 17:10:08 +0100
Subject: [Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/a930ec824da0337109d646ab3acb495dc1b6ba63
"""

See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-279752284

From freeipa-github-notification at redhat.com Tue Feb 14 16:10:10 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Feb 2017 17:10:10 +0100
Subject: [Freeipa-devel] [freeipa PR#444][closed] Allow nsaccountlock to be searched in user-find commands

URL: https://github.com/freeipa/freeipa/pull/444
Author: redhatrises
Title: #444: Allow nsaccountlock to be searched in user-find commands
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/444/head:pr444
git checkout pr444

From freeipa-github-notification at redhat.com Tue Feb 14 16:13:49 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Feb 2017 17:13:49 +0100
Subject: [Freeipa-devel] [freeipa PR#455][+pushed] Backup /root/kracert.p12

URL: https://github.com/freeipa/freeipa/pull/455
Title: #455: Backup /root/kracert.p12
Label: +pushed

From freeipa-github-notification at redhat.com Tue Feb 14 16:13:50 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Feb 2017 17:13:50 +0100
Subject: [Freeipa-devel] [freeipa PR#455][comment] Backup /root/kracert.p12

URL: https://github.com/freeipa/freeipa/pull/455
Title: #455: Backup /root/kracert.p12

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/11ef2cacbf2ebb67f80a0cf4a3e7b39da700188b
"""

See the full comment at https://github.com/freeipa/freeipa/pull/455#issuecomment-279753418

From freeipa-github-notification at redhat.com Tue Feb 14 16:13:51 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Feb 2017 17:13:51 +0100
Subject: [Freeipa-devel] [freeipa PR#455][closed] Backup /root/kracert.p12

URL: https://github.com/freeipa/freeipa/pull/455
Author: tiran
Title: #455: Backup /root/kracert.p12
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/455/head:pr455
git checkout pr455

From freeipa-github-notification at redhat.com Tue Feb 14 16:15:35 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Tue, 14 Feb 2017 17:15:35 +0100
Subject: [Freeipa-devel] [freeipa PR#379][comment] Packaging: Add placeholder and IPA commands packages

URL: https://github.com/freeipa/freeipa/pull/379
Title: #379: Packaging: Add placeholder and IPA commands packages

pvoborni commented:
"""
I thought that I understood why this PR is needed, but in fact I don't. Ticket #6484 is closed. Why is it attached to it?

How will the pypi packaging change if the ipacommands package is not there? Would it be used for anything? How should it be used?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/379#issuecomment-279753967

From freeipa-github-notification at redhat.com Tue Feb 14 16:34:52 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Feb 2017 17:34:52 +0100
Subject: [Freeipa-devel] [freeipa PR#379][comment] Packaging: Add placeholder and IPA commands packages
URL: https://github.com/freeipa/freeipa/pull/379
Title: #379: Packaging: Add placeholder and IPA commands packages

MartinBasti commented:
"""
We need a placeholder package for sure; this PR should be split into 2, but I'm still not endorsed to have ipa-getkeytab installable by pip.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/379#issuecomment-279760067

From freeipa-github-notification at redhat.com Tue Feb 14 16:58:04 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Tue, 14 Feb 2017 17:58:04 +0100
Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing
URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local testing

pvoborni commented:
"""
@tiran I have a very vague idea how this is helpful. You mentioned it during the post-devconf "API meeting". But I no longer remember it, and the description of this PR is very general.

In order to move all the pypi patches forward, we need to document (maybe design) the whole pypi workflow. This is not mentioned in http://www.freeipa.org/page/V4/Build_system_refactoring nor in http://www.freeipa.org/page/V4/Integration_Improvements. I.e. how the FreeIPA project will work/supply packages to PYPI and what the actual requirements for these packages are. What is expected to work and what is not (like everything related to pyhbac). Right now I have no idea what the missing blocker parts are and what are just nice-to-have things.

Also I don't really like the part that the patches use a custom repo of python-nss. But I'm glad that you are working with @jdennis to improve it. @stlaz, with PR #367 what are the remaining usages of python-nss? Could we actually get rid of python-nss completely?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-279767185

From freeipa-github-notification at redhat.com Tue Feb 14 16:59:52 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 14 Feb 2017 17:59:52 +0100
Subject: [Freeipa-devel] [freeipa PR#379][comment] Packaging: Add placeholder and IPA commands packages
URL: https://github.com/freeipa/freeipa/pull/379
Title: #379: Packaging: Add placeholder and IPA commands packages

tiran commented:
"""
I don't mind maintaining my own copy of ipacommands with `ipa-getkeytab` until we agree on a permanent solution.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/379#issuecomment-279767747

From freeipa-github-notification at redhat.com Tue Feb 14 17:01:52 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Tue, 14 Feb 2017 18:01:52 +0100
Subject: [Freeipa-devel] [freeipa PR#379][comment] Packaging: Add placeholder and IPA commands packages
URL: https://github.com/freeipa/freeipa/pull/379
Title: #379: Packaging: Add placeholder and IPA commands packages

pvoborni commented:
"""
If there is a reason, it can be maintained in IPA, but what is the reason?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/379#issuecomment-279768384

From freeipa-github-notification at redhat.com Tue Feb 14 17:24:19 2017
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Tue, 14 Feb 2017 18:24:19 +0100
Subject: [Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
Title: #398: Support for Certificate Identity Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/398/head:pr398
git checkout pr398

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-398.patch
Type: text/x-diff
Size: 49660 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Feb 14 17:27:26 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Tue, 14 Feb 2017 18:27:26 +0100
Subject: [Freeipa-devel] [freeipa PR#23][+postponed] Time-Based HBAC Policies
URL: https://github.com/freeipa/freeipa/pull/23
Title: #23: Time-Based HBAC Policies
Label: +postponed

From freeipa-github-notification at redhat.com Tue Feb 14 17:32:10 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Feb 2017 18:32:10 +0100
Subject: [Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands
URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

MartinBasti commented:
"""
I found a "not-sure-if" bug: nsaccountlock is not always specified in the LDAP tree (admin has it, and any user after user-enable; that's why I didn't catch it during testing of the PR), so the search `user-find --disabled=false` returns only admin and users that were explicitly enabled.

IMHO this is unexpected behavior for users, however expected from the IPA framework POV and the LDAP POV. What could we do to improve UX? Maybe on the client side we should allow `--disabled` only as a flag, to prevent users from searching in enabled users and getting corrupted results.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-279776995

From freeipa-github-notification at redhat.com Tue Feb 14 17:33:08 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Feb 2017 18:33:08 +0100
Subject: [Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands
URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

MartinBasti commented:
"""
Or we can modify the search filter on the server to cover this case, but it won't be nice.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-279777252

From freeipa-github-notification at redhat.com Tue Feb 14 17:59:10 2017
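The LDAP side of the nsaccountlock problem in MartinBasti's two comments on PR #444 above can be reproduced without a directory server. The following is an added example, not code from FreeIPA or from the PR: a small evaluator for a subset of LDAP search filters (equality, presence, and/or/not) run over constructed user entries in which, as described in the comment, only admin and re-enabled users carry the attribute at all. The entries, the uid values and the filter strings are assumptions made for illustration. The point it shows is that an equality assertion on an absent attribute never matches, so an "enabled users" search has to be expressed as the negation of the disabled state rather than as `(nsaccountlock=FALSE)`.

```python
"""
Why an equality filter on nsaccountlock misses users that lack the attribute.

Added example, not FreeIPA code. Supports the RFC 4515 filter subset
(attr=value), (attr=*), (&...), (|...), (!...); values containing ')' are
not handled, which is enough for the filters discussed here.
"""

# Constructed sample directory (assumption for illustration): only admin and
# a user that was disabled and re-enabled carry nsaccountlock explicitly;
# freshly created users have no such attribute at all.
SAMPLE_USERS = [
    {"uid": "admin", "nsaccountlock": "FALSE"},
    {"uid": "alice"},                             # newly created, attribute absent
    {"uid": "bob"},                               # newly created, attribute absent
    {"uid": "carol", "nsaccountlock": "TRUE"},    # disabled with user-disable
    {"uid": "dave", "nsaccountlock": "FALSE"},    # user-disable, then user-enable
]


def _parse(s, i):
    """Parse one filter component starting at s[i] == '('; return (node, next index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i]
    if op in "&|":
        children = []
        i += 1
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, children), i + 1
    if op == "!":
        node, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("unterminated ! filter")
        return ("!", node), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    # Attribute types are case-insensitive in LDAP; normalise once here.
    return ("=", attr.lower(), value), end + 1


def parse_filter(text):
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of lower-case attr -> value)."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, entry) for child in node[1])
    if kind == "|":
        return any(matches(child, entry) for child in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    present = attr in entry
    if value == "*":                      # presence filter
        return present
    # An equality assertion on an attribute the entry does not have is simply
    # false: this is what makes (nsaccountlock=FALSE) drop most users.
    # Boolean syntax compares case-insensitively.
    return present and entry[attr].upper() == value.upper()


def search(entries, filter_text):
    """Return the uids of entries matching the filter, in directory order."""
    node = parse_filter(filter_text)
    return [e["uid"] for e in entries if matches(node, e)]


def find_enabled_naive(entries):
    """The translation that matches only explicitly enabled users."""
    return search(entries, "(nsaccountlock=FALSE)")


def find_enabled(entries):
    """Negating the disabled state also covers users with no attribute."""
    return search(entries, "(!(nsaccountlock=TRUE))")


def find_disabled(entries):
    return search(entries, "(nsaccountlock=TRUE)")


if __name__ == "__main__":
    print("naive enabled search:", find_enabled_naive(SAMPLE_USERS))
    print("enabled as NOT disabled:", find_enabled(SAMPLE_USERS))
    print("disabled:", find_disabled(SAMPLE_USERS))
```

Running the block lists two users for the naive filter and four for the negated one, while the disabled search is the same in both styles; the asymmetry is why the client-side flag-only option and the server-side filter rewrite in the comments above are the two places a fix can go.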
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Tue, 14 Feb 2017 18:59:10 +0100
Subject: [Freeipa-devel] [freeipa PR#215][comment] Add script to setup krb5 NFS exports
URL: https://github.com/freeipa/freeipa/pull/215
Title: #215: Add script to setup krb5 NFS exports

pvoborni commented:
"""
Justin, pasting here a re-phrased mail I wrote you on Dec 5.

This is a tool which integrates an external host with FreeIPA. It is written in a way that it can exist completely outside of the FreeIPA git repository. Thinking more about it, it might actually be better to write an Ansible module which would configure a server as an NFS server and join it to the FreeIPA realm. We will be working on better Ansible integration in the very near future.

Technical/maintenance side of the patch: tools merged into the FreeIPA repository are then maintained by the FreeIPA core team. The problem is that the tool is written in a way that it doesn't use any internal FreeIPA calls and thus reimplements IPA logic, which makes it hard to maintain. To make it easier to maintain it would be better to reuse IPA internal calls. But it doesn't make sense for you to spend time on rewriting it according to upstream rules, nor does it make sense for an upstream developer to modify your code according to them (this would be faster for both sides than the former review ping-pong). So it would be preferred to maintain it elsewhere.

The proposal/general agreement on FreeIPA triage was:
- move this script into a separate git repo, e.g. on GitHub. That way fixing the script doesn't have to rely on the FreeIPA schedule. It might be your repo or maybe under the FreeIPA org if you prefer it.
- FreeIPA upstream will create a wiki page where we will list similar contributions (like https://github.com/peterpakos/ipa_check_consistency/ ) and add it there so it would be discoverable
- FreeIPA upstream will also make it discoverable from installed rpms - https://fedorahosted.org/freeipa/ticket/6536
- if the project receives high enough popularity (will be widely used) it may be considered for a rewrite and inclusion into IPA core

What was not discussed but may be a good thing is to create integration travis tests in the separate repo which would test the script so it can be tested automatically.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/215#issuecomment-279784708

From freeipa-github-notification at redhat.com Tue Feb 14 17:59:30 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Tue, 14 Feb 2017 18:59:30 +0100
Subject: [Freeipa-devel] [freeipa PR#215][+rejected] Add script to setup krb5 NFS exports
URL: https://github.com/freeipa/freeipa/pull/215
Title: #215: Add script to setup krb5 NFS exports
Label: +rejected

From freeipa-github-notification at redhat.com Tue Feb 14 17:59:45 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Tue, 14 Feb 2017 18:59:45 +0100
Subject: [Freeipa-devel] [freeipa PR#215][closed] Add script to setup krb5 NFS exports
URL: https://github.com/freeipa/freeipa/pull/215
Author: jumitche
Title: #215: Add script to setup krb5 NFS exports
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/215/head:pr215
git checkout pr215

From freeipa-github-notification at redhat.com Tue Feb 14 18:14:21 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Feb 2017 19:14:21 +0100
Subject: [Freeipa-devel] [freeipa PR#465][opened] Tests: search for disabled users
URL: https://github.com/freeipa/freeipa/pull/465
Author: MartinBasti
Title: #465: Tests: search for disabled users
Action: opened

PR body:
"""
Add tests for searching disabled/enabled users.

XFAIL: newly created users have no 'nsaccountlock' attribute set and user-find doesn't return them as active users. This should be fixed.

Partially tests: #444
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/465/head:pr465
git checkout pr465

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-465.patch
Type: text/x-diff
Size: 2564 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Feb 14 18:22:51 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Feb 2017 19:22:51 +0100
Subject: [Freeipa-devel] [freeipa PR#454][comment] Move AD trust installation code to a separate module
URL: https://github.com/freeipa/freeipa/pull/454
Title: #454: Move AD trust installation code to a separate module

MartinBasti commented:
"""
LGTM, I can test it tomorrow.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/454#issuecomment-279791253

From freeipa-github-notification at redhat.com Tue Feb 14 18:33:26 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 14 Feb 2017 19:33:26 +0100
Subject: [Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command
URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

MartinBasti commented:
"""
That test actually doesn't test the output of the command; IMO it should be an xmlrpc_test. But it can be done later, it shouldn't block this PR.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/394#issuecomment-279794064

From freeipa-github-notification at redhat.com Tue Feb 14 18:40:21 2017
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Tue, 14 Feb 2017 19:40:21 +0100
Subject: [Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
Title: #398: Support for Certificate Identity Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/398/head:pr398
git checkout pr398

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-398.patch
Type: text/x-diff
Size: 49670 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Feb 14 18:41:53 2017
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Tue, 14 Feb 2017 19:41:53 +0100
Subject: [Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

flo-renaud commented:
"""
Hi @HonzaCholasta
PR updated with `ipa user-add-certmapdata` using a positional arg for CERTMAPDATA.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-279796224

From freeipa-github-notification at redhat.com Tue Feb 14 22:38:45 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 14 Feb 2017 23:38:45 +0100
Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-314.patch
Type: text/x-diff
Size: 249500 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Feb 14 22:38:49 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 14 Feb 2017 23:38:49 +0100
Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Done
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279859272

From freeipa-github-notification at redhat.com Wed Feb 15 06:06:50 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 15 Feb 2017 07:06:50 +0100
Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
Thank you.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279925390

From freeipa-github-notification at redhat.com Wed Feb 15 06:07:04 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 15 Feb 2017 07:07:04 +0100
Subject: [Freeipa-devel] [freeipa PR#314][+ack] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
Label: +ack

From freeipa-github-notification at redhat.com Wed Feb 15 06:07:55 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 15 Feb 2017 07:07:55 +0100
Subject: [Freeipa-devel] [freeipa PR#314][+pushed] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
Label: +pushed

From freeipa-github-notification at redhat.com Wed Feb 15 06:07:56 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 15 Feb 2017 07:07:56 +0100
Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/c894ebefc5c4c4c7ea340d6ddc4cd3c081917e4a
https://fedorahosted.org/freeipa/changeset/38c66896de1769077cd5b057133606ec5eeaf62b
https://fedorahosted.org/freeipa/changeset/b109f5d850ce13585d4392ca48896dc069a746e5
https://fedorahosted.org/freeipa/changeset/b6741d81e187fc84177c12ef8ad900d3b5cda6a4
https://fedorahosted.org/freeipa/changeset/d2f5fc304f1938d23171ae330fa20b213ceed54e
https://fedorahosted.org/freeipa/changeset/d124e307f3b7d88bca53784f030ed6043b224432
https://fedorahosted.org/freeipa/changeset/f648c5631afa5e7954eee9a84fb1222d3bce3bf1
https://fedorahosted.org/freeipa/changeset/c2b1b2a36200b50babfda1eca37fb4b51fefa9c6
https://fedorahosted.org/freeipa/changeset/4fd89833ee5421b05c10329d627d0e0fc8496046
https://fedorahosted.org/freeipa/changeset/4bd2d6ad46c9151e11f9223dd5383555fdedb249
https://fedorahosted.org/freeipa/changeset/00a9d2f94dee17e28e39cdae0c32acc3d1fe51ed
https://fedorahosted.org/freeipa/changeset/41c1efc44a6b809445facd4772574595029553b1
https://fedorahosted.org/freeipa/changeset/09c92e2bc1ca9db5b73d5ab8483b42dbd6b9a0e9
https://fedorahosted.org/freeipa/changeset/e4d462ad53597fd5410aa4e94a57bb15b92a3f13
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279925508

From freeipa-github-notification at redhat.com Wed Feb 15 06:07:57 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 15 Feb 2017 07:07:57 +0100
Subject: [Freeipa-devel] [freeipa PR#314][closed] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314

From freeipa-github-notification at redhat.com Wed Feb 15 07:10:29 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 15 Feb 2017 08:10:29 +0100
Subject: [Freeipa-devel] [freeipa PR#450][comment] Add FIPS-token password of HTTPD NSS database
URL: https://github.com/freeipa/freeipa/pull/450
Title: #450: Add FIPS-token password of HTTPD NSS database

HonzaCholasta commented:
"""
LGTM. I guess we don't have to bother with upgrade, given that you can turn on FIPS post-install, right?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/450#issuecomment-279933986

From freeipa-github-notification at redhat.com Wed Feb 15 07:18:08 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 15 Feb 2017 08:18:08 +0100
Subject: [Freeipa-devel] [freeipa PR#396][comment] Explicitly remove support of SSLv2
URL: https://github.com/freeipa/freeipa/pull/396
Title: #396: Explicitly remove support of SSLv2

HonzaCholasta commented:
"""
LGTM.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/396#issuecomment-279935166

From freeipa-github-notification at redhat.com Wed Feb 15 08:24:06 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Wed, 15 Feb 2017 09:24:06 +0100
Subject: [Freeipa-devel] [freeipa PR#466][opened] pkinit: make sure to have proper dictionary for Kerberos instance on upgrade
URL: https://github.com/freeipa/freeipa/pull/466
Author: abbra
Title: #466: pkinit: make sure to have proper dictionary for Kerberos instance on upgrade
Action: opened

PR body:
"""
When running the PKINIT upgrade we need to make sure the full substitution dictionary is in place, or otherwise executing LDAP updates will fail to find the proper objects because $SUFFIX, $DOMAIN, and other variables will not be substituted.

Fixes https://fedorahosted.org/freeipa/ticket/6670
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/466/head:pr466
git checkout pr466

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-466.patch
Type: text/x-diff
Size: 1747 bytes
Desc: not available

From freeipa-github-notification at redhat.com Wed Feb 15 08:38:57 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 15 Feb 2017 09:38:57 +0100
Subject: [Freeipa-devel] [freeipa PR#467][opened] ipaclient: schema cache: Write all schema files in concurrent-safe way
URL: https://github.com/freeipa/freeipa/pull/467
Author: dkupka
Title: #467: ipaclient: schema cache: Write all schema files in concurrent-safe way
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/6668
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/467/head:pr467
git checkout pr467

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-467.patch
Type: text/x-diff
Size: 3889 bytes
Desc: not available

From freeipa-github-notification at redhat.com Wed Feb 15 08:58:16 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 15 Feb 2017 09:58:16 +0100
Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing
URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local testing

stlaz commented:
"""
@pvoborni The remaining usages are server/CA certificate verification in `certdb.py` and apparently some encryption/decryption actions in the Vault plugin. @HonzaCholasta already has patches for the former, and getting rid of the latter should not be that hard as well.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-279953314

From freeipa-github-notification at redhat.com Wed Feb 15 09:15:13 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 15 Feb 2017 10:15:13 +0100
Subject: [Freeipa-devel] [freeipa PR#446][synchronized] No NSS database passwords in ipa-client-install
URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
Title: #446: No NSS database passwords in ipa-client-install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/446/head:pr446
git checkout pr446

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-446.patch
Type: text/x-diff
Size: 12360 bytes
Desc: not available

From freeipa-github-notification at redhat.com Wed Feb 15 09:16:58 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 15 Feb 2017 10:16:58 +0100
Subject: [Freeipa-devel] [freeipa PR#446][comment] No NSS database passwords in ipa-client-install
URL: https://github.com/freeipa/freeipa/pull/446
Title: #446: No NSS database passwords in ipa-client-install

stlaz commented:
"""
This patchset seems more like a cleanup after the privilege separation one, although adding a password to certutil calls is still the main topic here.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/446#issuecomment-279957378

From freeipa-github-notification at redhat.com Wed Feb 15 09:17:37 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 15 Feb 2017 10:17:37 +0100
Subject: [Freeipa-devel] [freeipa PR#446][edited] No NSS database passwords in ipa-client-install
URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
Title: #446: No NSS database passwords in ipa-client-install
Action: edited
Changed field: title

Original value:
"""
No NSS database passwords in ipa-client-install
"""

From freeipa-github-notification at redhat.com Wed Feb 15 09:22:24 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 15 Feb 2017 10:22:24 +0100
Subject: [Freeipa-devel] [freeipa PR#450][comment] Add FIPS-token password of HTTPD NSS database
URL: https://github.com/freeipa/freeipa/pull/450
Title: #450: Add FIPS-token password of HTTPD NSS database

stlaz commented:
"""
You shouldn't turn FIPS on post-install (is what I think you mean), correct.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/450#issuecomment-279958668

From freeipa-github-notification at redhat.com Wed Feb 15 09:29:32 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 15 Feb 2017 10:29:32 +0100
Subject: [Freeipa-devel] [freeipa PR#396][synchronized] Explicitly remove support of SSLv2
URL: https://github.com/freeipa/freeipa/pull/396
Author: stlaz
Title: #396: Explicitly remove support of SSLv2
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/396/head:pr396
git checkout pr396

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-396.patch
Type: text/x-diff
Size: 6184 bytes
Desc: not available

From freeipa-github-notification at redhat.com Wed Feb 15 09:39:56 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 15 Feb 2017 10:39:56 +0100
Subject: [Freeipa-devel] [freeipa PR#407][synchronized] New lite-server implementation
URL: https://github.com/freeipa/freeipa/pull/407
Author: tiran
Title: #407: New lite-server implementation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/407/head:pr407
git checkout pr407

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-407.patch
Type: text/x-diff
Size: 15398 bytes
Desc: not available

From freeipa-github-notification at redhat.com Wed Feb 15 09:46:17 2017
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Wed, 15 Feb 2017 10:46:17 +0100
Subject: [Freeipa-devel] [freeipa PR#400][synchronized] WebUI: Certificate Mapping
URL: https://github.com/freeipa/freeipa/pull/400
Author: pvomacka
Title: #400: WebUI: Certificate Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/400/head:pr400
git checkout pr400

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-400.patch
Type: text/x-diff
Size: 25340 bytes
Desc: not available

From freeipa-github-notification at redhat.com Wed Feb 15 09:49:19 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 15 Feb 2017 10:49:19 +0100
Subject: [Freeipa-devel] [freeipa PR#450][synchronized] Add FIPS-token password of HTTPD NSS database
URL: https://github.com/freeipa/freeipa/pull/450
Author: stlaz
Title: #450: Add FIPS-token password of HTTPD NSS database
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/450/head:pr450
git checkout pr450

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-450.patch
Type: text/x-diff
Size: 1656 bytes
Desc: not available

From freeipa-github-notification at redhat.com Wed Feb 15 09:53:29 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 15 Feb 2017 10:53:29 +0100
Subject: [Freeipa-devel] [freeipa PR#407][comment] New lite-server implementation
URL: https://github.com/freeipa/freeipa/pull/407
Title: #407: New lite-server implementation

tiran commented:
"""
PR #314 has landed. I have rebased the branch and made the lite-server even more convenient to use. You can now run it with `make lite-server` or `make lite-server PYTHON=python3`. It tells you how to set up a Kerberos ccache, too.

With the help of the lite-server, I found issue https://github.com/pyldap/pyldap/issues/84 within ten seconds.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/407#issuecomment-279965820

From freeipa-github-notification at redhat.com Wed Feb 15 09:59:21 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Wed, 15 Feb 2017 10:59:21 +0100
Subject: [Freeipa-devel] [freeipa PR#468][opened] Remove non-sensical kdestroy on https stop
URL: https://github.com/freeipa/freeipa/pull/468
Author: simo5
Title: #468: Remove non-sensical kdestroy on https stop
Action: opened

PR body:
"""
This kdestroy runs as root and wipes root's own ccaches ... this is totally inappropriate.

https://fedorahosted.org/freeipa/ticket/6673

Signed-off-by: Simo Sorce
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/468/head:pr468
git checkout pr468

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-468.patch
Type: text/x-diff
Size: 1475 bytes
Desc: not available

From freeipa-github-notification at redhat.com Wed Feb 15 10:05:33 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Wed, 15 Feb 2017 11:05:33 +0100
Subject: [Freeipa-devel] [freeipa PR#466][+ack] pkinit: make sure to have proper dictionary for Kerberos instance on upgrade
URL: https://github.com/freeipa/freeipa/pull/466
Title: #466: pkinit: make sure to have proper dictionary for Kerberos instance on upgrade
Label: +ack

From freeipa-github-notification at redhat.com Wed Feb 15 10:54:31 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 15 Feb 2017 11:54:31 +0100
Subject: [Freeipa-devel] [freeipa PR#469][opened] Ignore unlink error in ipa-otpd.socket
URL: https://github.com/freeipa/freeipa/pull/469
Author: tiran
Title: #469: Ignore unlink error in ipa-otpd.socket
Action: opened

PR body:
"""
Don't fail in case the file does not exist.
Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/469/head:pr469 git checkout pr469 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-469.patch Type: text/x-diff Size: 836 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Feb 15 11:04:50 2017 From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 15 Feb 2017 12:04:50 +0100 Subject: [Freeipa-devel] [freeipa PR#331][synchronized] WebUI: don't change casing of Auth Indicators values In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/331 Author: pvomacka Title: #331: WebUI: don't change casing of Auth Indicators values Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/331/head:pr331 git checkout pr331 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-331.patch Type: text/x-diff Size: 3741 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Feb 15 11:17:50 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 15 Feb 2017 12:17:50 +0100 Subject: [Freeipa-devel] [freeipa PR#331][comment] WebUI: don't change casing of Auth Indicators values In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/331 Title: #331: WebUI: don't change casing of Auth Indicators values pvoborni commented: """ LGTM (reading code). """ See the full comment at https://github.com/freeipa/freeipa/pull/331#issuecomment-279984562 From freeipa-github-notification at redhat.com Wed Feb 15 11:21:17 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Feb 2017 12:21:17 +0100 Subject: [Freeipa-devel] [freeipa PR#423][comment] dns-update-system-records: add support for nsupdate output format In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/423 Title: #423: dns-update-system-records: add support for nsupdate output format MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/7eb2ef61905a5c6ddf04237f0aa84e7585e1186d https://fedorahosted.org/freeipa/changeset/5bd82174233095a3cccfbbf8524622440c31b10c """ See the full comment at https://github.com/freeipa/freeipa/pull/423#issuecomment-279985268 From freeipa-github-notification at redhat.com Wed Feb 15 11:21:19 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Feb 2017 12:21:19 +0100 Subject: [Freeipa-devel] [freeipa PR#423][+pushed] dns-update-system-records: add support for nsupdate output format In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/423 Title: #423: dns-update-system-records: add support for nsupdate output format Label: +pushed From freeipa-github-notification at redhat.com Wed Feb 15 11:21:20 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Feb 2017 12:21:20 +0100 Subject: [Freeipa-devel] [freeipa PR#423][closed] dns-update-system-records: add support for nsupdate output format In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/423 Author: MartinBasti Title: #423: dns-update-system-records: add support for nsupdate output format Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/423/head:pr423 git checkout pr423 From freeipa-github-notification at redhat.com Wed Feb 15 11:31:52 2017 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 15 Feb 2017 12:31:52 +0100 Subject: [Freeipa-devel] [freeipa PR#470][opened] WebUI: Size limit warning on details pages fixed Message-ID: URL: https://github.com/freeipa/freeipa/pull/470 Author: pvomacka Title: #470: WebUI: Size limit warning on details pages fixed Action: opened PR body: """ Entity select fields accepted globally set size limit and in situations when there were more entries than global size limit allows then the "Truncated" warning shows up. Also only subset of items was shown. All entity select widgets now uses find methods with sizelimit set to 0 which says get all entries. This setting is configurable using search_all_entries attribute. https://fedorahosted.org/freeipa/ticket/6618 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/470/head:pr470 git checkout pr470 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-470.patch Type: text/x-diff Size: 1650 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Feb 15 11:48:35 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Feb 2017 12:48:35 +0100 Subject: [Freeipa-devel] [freeipa PR#407][synchronized] New lite-server implementation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/407 Author: tiran Title: #407: New lite-server implementation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/407/head:pr407 git checkout pr407 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-407.patch Type: text/x-diff Size: 16381 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Feb 15 11:51:20 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Feb 2017 12:51:20 +0100 Subject: [Freeipa-devel] [freeipa PR#407][comment] New lite-server implementation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/407 Title: #407: New lite-server implementation tiran commented: """ PR #314 has landed. I have rebased the branch and made the lite-server even more convenient to use. You can now run it with ```make lite-server``` or ```make lite-server PYTHON=python3```. It tells you how to set up a Kerberos ccache, too. With the help of the lite-server, I found issue https://github.com/pyldap/pyldap/issues/84 within ten seconds. """ See the full comment at https://github.com/freeipa/freeipa/pull/407#issuecomment-279965820 From freeipa-github-notification at redhat.com Wed Feb 15 11:57:02 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Feb 2017 12:57:02 +0100 Subject: [Freeipa-devel] [freeipa PR#407][comment] New lite-server implementation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/407 Title: #407: New lite-server implementation tiran commented: """ Example of a single request profile with new lite-server:
```
127.0.0.1 - - [15/Feb/2017 12:55:20] "POST /ipa/session/json HTTP/1.1" 200 -
ipa: INFO: [jsonserver_session] admin at IPA.EXAMPLE: json_metadata(None, None, command=u'all', version=u'2.218'): SUCCESS
--------------------------------------------------------------------------------
PATH: '/session/json'
         6551240 function calls (4596653 primitive calls) in 1.869 seconds

   Ordered by: internal time, call count
   List reduced from 436 to 30 due to restriction <30>

   ncalls         tottime  percall  cumtime  percall filename:lineno(function)
   2013370/405370   0.303    0.000    0.462    0.000 /usr/lib64/python2.7/json/encoder.py:341(_iterencode_dict)
   1755304          0.278    0.000    0.278    0.000 {isinstance}
   3556             0.201    0.000    0.446    0.000 /home/heimes/redhat/freeipa/ipalib/parameters.py:441(__init__)
   187490/446       0.150    0.000    0.999    0.002 /home/heimes/redhat/freeipa/ipalib/util.py:58(json_serialize)
   110038/1         0.127    0.000    0.236    0.236 /home/heimes/redhat/freeipa/ipalib/rpc.py:277(json_encode_binary)
   3999             0.085    0.000    0.256    0.000 /home/heimes/redhat/freeipa/ipalib/parameters.py:954(__json__)
   173558           0.075    0.000    0.075    0.000 {hasattr}
   440062/395518    0.072    0.000    0.239    0.000 /usr/lib64/python2.7/json/encoder.py:288(_iterencode_list)
   405370           0.057    0.000    0.520    0.000 /usr/lib64/python2.7/json/encoder.py:417(_iterencode)
   143774/143772    0.052    0.000    0.052    0.000 /home/heimes/redhat/freeipa/ipalib/base.py:123(__setattr__)
   104200           0.036    0.000    0.070    0.000 {setattr}
   1                0.035    0.035    0.560    0.560 /usr/lib64/python2.7/json/encoder.py:186(encode)
   1                0.029    0.029    0.029    0.029 {built-in method sasl_interactive_bind_s}
   234842           0.026    0.000    0.026    0.000 {getattr}
   4445/446         0.025    0.000    0.461    0.001 /home/heimes/redhat/freeipa/ipalib/util.py:62()
   4449             0.024    0.000    0.032    0.000 {sorted}
   234451           0.019    0.000    0.019    0.000 {method 'get' of 'dict' objects}
   1                0.018    0.018    0.018    0.018 {method 'encode' of 'str' objects}
   133044           0.016    0.000    0.016    0.000 {_json.encode_basestring_ascii}
   24961            0.011    0.000    0.011    0.000 {_codecs.utf_8_decode}
   24961            0.011    0.000    0.030    0.000 {method 'decode' of 'str' objects}
   107753           0.010    0.000    0.010    0.000 /home/heimes/redhat/freeipa/ipalib/parameters.py:506()
   3556             0.010    0.000    0.010    0.000 /home/heimes/redhat/freeipa/ipalib/parameters.py:261(parse_param_spec)
   13348            0.008    0.000    0.008    0.000 {method 'items' of 'dict' objects}
   7176             0.008    0.000    0.012    0.000 /home/heimes/redhat/freeipa/ipalib/text.py:248(as_unicode)
   91841            0.007    0.000    0.007    0.000 /usr/lib64/python2.7/json/encoder.py:361()
   24961            0.007    0.000    0.018    0.000 /usr/lib64/python2.7/encodings/utf_8.py:15(decode)
   1973             0.007    0.000    0.274    0.000 /home/heimes/redhat/freeipa/ipalib/parameters.py:725(clone_retype)
   7388             0.006    0.000    0.006    0.000 {method 'match' of '_sre.SRE_Pattern' objects}
   77523            0.006    0.000    0.006    0.000 {method 'pop' of 'dict' objects}
```
""" See the full comment at https://github.com/freeipa/freeipa/pull/407#issuecomment-279992368 From freeipa-github-notification at redhat.com Wed Feb 15 12:05:44 2017
From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 15 Feb 2017 13:05:44 +0100 Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/367/head:pr367 git checkout pr367 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-367.patch Type: text/x-diff Size: 110570 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Feb 15 12:10:12 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 15 Feb 2017 13:10:12 +0100 Subject: [Freeipa-devel] [freeipa PR#450][synchronized] Add FIPS-token password of HTTPD NSS database In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/450 Author: stlaz Title: #450: Add FIPS-token password of HTTPD NSS database Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/450/head:pr450 git checkout pr450 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-450.patch Type: text/x-diff Size: 1655 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Feb 15 13:17:33 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Feb 2017 14:17:33 +0100 Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code tiran commented: """ FYI, KRA and vault are broken because KRA cert is not migrated: https://fedorahosted.org/freeipa/ticket/6675 """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-280008032 From freeipa-github-notification at redhat.com Wed Feb 15 13:24:27 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Feb 2017 14:24:27 +0100 Subject: [Freeipa-devel] [freeipa PR#410][+pushed] ipa-kdb: support KDB DAL version 6.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/410 Title: #410: ipa-kdb: support KDB DAL version 6.1 Label: +pushed From freeipa-github-notification at redhat.com Wed Feb 15 13:24:28 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Feb 2017 14:24:28 +0100 Subject: [Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/410 Title: #410: ipa-kdb: support KDB DAL version 6.1 MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/593ea7da9a732647052cb56c08ad367e40be3912 """ See the full comment at https://github.com/freeipa/freeipa/pull/410#issuecomment-280009516 From freeipa-github-notification at redhat.com Wed Feb 15 13:24:30 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Feb 2017 14:24:30 +0100 Subject: [Freeipa-devel] [freeipa PR#410][closed] ipa-kdb: support KDB DAL version 6.1 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/410 Author: abbra Title: #410: ipa-kdb: support KDB DAL version 6.1 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/410/head:pr410 git checkout pr410 From freeipa-github-notification at redhat.com Wed Feb 15 13:38:10 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Feb 2017 14:38:10 +0100 Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code tiran commented: """ Cookie parsing bug with FreeIPA 4.4 client: https://fedorahosted.org/freeipa/ticket/6676 """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-280012485 From freeipa-github-notification at redhat.com Wed Feb 15 14:18:49 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Feb 2017 15:18:49 +0100 Subject: [Freeipa-devel] [freeipa PR#459][edited] Faster JSON encoder/decoder In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/459 Author: tiran Title: #459: Faster JSON encoder/decoder Action: edited Changed field: title Original value: """ [WIP] Faster JSON encoder/decoder """ From freeipa-github-notification at redhat.com Wed Feb 15 14:27:51 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Feb 2017 15:27:51 +0100 Subject: [Freeipa-devel] [freeipa PR#429][comment] [py3] ipactl restart: log httplib failues as debug In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/429 Title: #429: [py3] ipactl restart: log httplib failues as debug MartinBasti commented: """ This happens with python2.7 too, I reproduced it today """ See the full comment at https://github.com/freeipa/freeipa/pull/429#issuecomment-280024605 From freeipa-github-notification at redhat.com Wed Feb 15 14:35:04 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Feb 2017 15:35:04 +0100 Subject: [Freeipa-devel] [freeipa PR#429][comment] [py3] ipactl restart: log httplib failues as debug In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/429 Title: #429: [py3] ipactl restart: log httplib failues as debug tiran commented: """ Yeah, I reported the issue as https://fedorahosted.org/freeipa/ticket/6674 . Feel free to close it as duplicate. """ See the full comment at https://github.com/freeipa/freeipa/pull/429#issuecomment-280026495 From freeipa-github-notification at redhat.com Wed Feb 15 14:55:23 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 15 Feb 2017 15:55:23 +0100 Subject: [Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/437 Author: tomaskrizek Title: #437: FIPS: replica install check Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/437/head:pr437 git checkout pr437 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-437.patch Type: text/x-diff Size: 8744 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Feb 15 15:00:51 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 15 Feb 2017 16:00:51 +0100 Subject: [Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/437 Author: tomaskrizek Title: #437: FIPS: replica install check Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/437/head:pr437 git checkout pr437 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-437.patch Type: text/x-diff Size: 8391 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Feb 15 15:00:55 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Feb 2017 16:00:55 +0100 Subject: [Freeipa-devel] [freeipa PR#459][synchronized] Faster JSON encoder/decoder In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/459 Author: tiran Title: #459: Faster JSON encoder/decoder Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/459/head:pr459 git checkout pr459 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-459.patch Type: text/x-diff Size: 23118 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Feb 15 15:01:54 2017 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Wed, 15 Feb 2017 16:01:54 +0100 Subject: [Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/398 Author: flo-renaud Title: #398: Support for Certificate Identity Mapping Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/398/head:pr398 git checkout pr398 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-398.patch Type: text/x-diff Size: 49751 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Feb 15 15:03:14 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Wed, 15 Feb 2017 16:03:14 +0100 Subject: [Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/398 Title: #398: Support for Certificate Identity Mapping flo-renaud commented: """ @HonzaCholasta PR updated according to your comments. Thanks for the detailed review! """ See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-280034426 From freeipa-github-notification at redhat.com Wed Feb 15 15:18:30 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 15 Feb 2017 16:18:30 +0100 Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/468 Title: #468: Remove non-sensical kdestroy on https stop martbab commented: """ I would rather keep `kdestroy` there, but only really purge the apache ccache explicitly: ```diff --- a/ipaplatform/redhat/tasks.py +++ b/ipaplatform/redhat/tasks.py 
@@ -452,7 +452,8 @@ class RedHatTaskNamespace(BaseTaskNamespace): KRB5CC_HTTPD=paths.KRB5CC_HTTPD, KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG, IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY, - POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY) + POST='-{kdestroy} -c {ccache}'.format( + kdestroy=paths.KDESTROY, ccache=paths.KRB5CC_HTTPD) ) ) ``` Otherwise we will bump into regressions caused by stale HTTPD ccaches left over when backing up/restoring IPA installation. I would demonstrate it on a failing backup/restore tests but they are completely messed up right now. """ See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280038786 From freeipa-github-notification at redhat.com Wed Feb 15 15:25:03 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Feb 2017 16:25:03 +0100 Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/468 Title: #468: Remove non-sensical kdestroy on https stop tiran commented: """ Why do we back up ccache in the first place? """ See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280040752 From freeipa-github-notification at redhat.com Wed Feb 15 15:30:11 2017 
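Review bot: the template context two lines above the change already binds `KRB5CC_HTTPD=paths.KRB5CC_HTTPD`, so pre-formatting the same path into `POST` with a second `.format()` defines the httpd ccache path twice; referencing `{KRB5CC_HTTPD}` from the template instead of `-c {ccache}` would keep it defined once. The leading `-` in `POST='-{kdestroy} -c {ccache}'` still tells systemd to ignore a non-zero exit from kdestroy, which matters here because the named cache file may already be absent when the service stops; a one-line comment above the `POST=` line recording why only the httpd cache is purged (rather than `-A`, which the PR description says wipes root's own caches when run as root) would save the next reader this thread.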
From: freeipa-github-notification at redhat.com (dkupka) Date: Wed, 15 Feb 2017 16:30:11 +0100 Subject: [Freeipa-devel] [freeipa PR#467][synchronized] ipaclient: schema cache: Write all schema files in concurrent-safe way In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/467 Author: dkupka Title: #467: ipaclient: schema cache: Write all schema files in concurrent-safe way Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/467/head:pr467 git checkout pr467 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-467.patch Type: text/x-diff Size: 4210 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Feb 15 15:34:20 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 15 Feb 2017 16:34:20 +0100 Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/468 Title: #468: Remove non-sensical kdestroy on https stop martbab commented: """ We do not backup ccache, we back up apache keytab. During restore into installer server we back up old Kerberos keys, but without any mechanism to purge the new apache ccache acquired during the installation of new server you would end up with key mismatch and nothing would work until the ccache expires. As to why a) we backup Kerberos keys, and b) support restoring into running IPA server that is beyond me. """ See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280043570 From freeipa-github-notification at redhat.com Wed Feb 15 15:36:16 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Feb 2017 16:36:16 +0100 Subject: [Freeipa-devel] [freeipa PR#407][+ack] New lite-server implementation In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/407 Title: #407: New lite-server implementation Label: +ack From freeipa-github-notification at redhat.com Wed Feb 15 15:39:22 2017 From: freeipa-github-notification at redhat.com (rcritten) Date: Wed, 15 Feb 2017 16:39:22 +0100 Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/468 Title: #468: Remove non-sensical kdestroy on https stop rcritten commented: """ If you don't backup the keytab then how do you expect to bring the server back up? Fetch new keys for all services? Full restore is very clearly documented as a recovery from complete failure in which case the restored master is the only one so there should be no mismatch between what was backed-up and what was restored. """ See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280045062 From freeipa-github-notification at redhat.com Wed Feb 15 15:42:31 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 15 Feb 2017 16:42:31 +0100 Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/468 Title: #468: Remove non-sensical kdestroy on https stop martbab commented: """ @rcritten can you please re-read my comment very slowly? I wrote that we *do* backup keytabs. """ See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280046038 From freeipa-github-notification at redhat.com Wed Feb 15 15:50:10 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 15 Feb 2017 16:50:10 +0100 Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/468 Title: #468: Remove non-sensical kdestroy on https stop martbab commented: """ And indeed I can reproduce the original failure reported in https://fedorahosted.org/freeipa/ticket/5296 with this PR. If I manually remove apache ccache (kdestroy -c /var/run/httpd/ipa/krbcache/krb5ccache) I can use the framework again. """ See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280048516 From freeipa-github-notification at redhat.com Wed Feb 15 15:53:12 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 15 Feb 2017 16:53:12 +0100 Subject: [Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/437 Author: tomaskrizek Title: #437: FIPS: replica install check Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/437/head:pr437 git checkout pr437 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-437.patch Type: text/x-diff Size: 8393 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Feb 15 15:54:03 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Feb 2017 16:54:03 +0100 Subject: [Freeipa-devel] [freeipa PR#459][+ack] Faster JSON encoder/decoder In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/459 Title: #459: Faster JSON encoder/decoder Label: +ack From freeipa-github-notification at redhat.com Wed Feb 15 15:54:23 2017 
From: freeipa-github-notification at redhat.com (rcritten) Date: Wed, 15 Feb 2017 16:54:23 +0100 Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/468 Title: #468: Remove non-sensical kdestroy on https stop rcritten commented: """ Rudeness is not necessary. You said: "As to why a) we backup Kerberos keys, and b) support restoring into running IPA server that is beyond me." The reason for a) is to restore an exact copy of what was backed up. As for b, the idea of restoring into a running IPA server to replace the existing install with a new one is something I discuss in some detail at http://www.freeipa.org/page/V3/Backup_and_Restore and outline the ton of problems associated with it. It was never intended to be supported due to these issues. """ See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280049816 From slaznick at redhat.com Wed Feb 15 15:57:31 2017 From: slaznick at redhat.com (Standa Laznicka) Date: Wed, 15 Feb 2017 16:57:31 +0100 Subject: [Freeipa-devel] Password generation in FreeIPA Python modules Message-ID: <4eda57b4-e292-c69b-e616-fa97d42a4d72@redhat.com> Hello, Please don't use any ad-hoc cruft when generating passwords throughout IPA if not really really necessary. We have a nice refreshed password generator `ipapython.ipautil.ipa_generate_password()` default config of which does the work for you. It also by default generates passwords compatible with NSS requirements for FIPS (see https://dxr.mozilla.org/nss/source/nss/lib/softoken/fipstokn.c#97 for details). Thanks! Standa From freeipa-github-notification at redhat.com Wed Feb 15 15:57:47 2017 
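Standa's note above asks for FreeIPA's `ipapython.ipautil.ipa_generate_password()` instead of ad-hoc generators, because its default output satisfies the NSS FIPS token password rules (the same rules PR #450, "Add FIPS-token password of HTTPD NSS database", has to meet). The following is an added, stand-alone illustration of what "compatible with NSS requirements for FIPS" means; it is not FreeIPA's code and does not call `ipa_generate_password()`, whose parameters are not shown on this page. The rule set encoded in `nss_fips_pin_check` is this example's reading of `nss/lib/softoken/fipstokn.c` and is stated as an assumption: at least 7 characters, at least three of five character classes (digit, lowercase, uppercase, non-alphanumeric ASCII, non-ASCII), with an uppercase letter in the first position and a digit in the last position not counting towards their class. The special-character set is constructed for the example.

```python
"""FIPS-token-compatible password generation, as an added illustration.

This is not FreeIPA's ipapython.ipautil.ipa_generate_password(); it is a
stand-alone example whose checker follows this reading of the NSS FIPS
token PIN rules in nss/lib/softoken/fipstokn.c (assumed, not quoted from
the file): at least FIPS_MIN_PIN (7) characters and at least three of
five character classes (digit, lowercase, uppercase, non-alphanumeric
ASCII, non-ASCII), where an uppercase letter in the first position and a
digit in the last position do not count towards their class.
"""
import secrets
import string

FIPS_MIN_PIN = 7  # minimum length enforced by an NSS FIPS token (assumed)


def nss_fips_pin_check(password):
    """Return None when the password would be accepted by an NSS FIPS
    token, otherwise a short reason string."""
    if len(password) < FIPS_MIN_PIN:
        return "shorter than %d characters" % FIPS_MIN_PIN
    ndigit = nlower = nupper = nnonalnum = nnonascii = 0
    last = len(password) - 1
    for i, ch in enumerate(password):
        if ord(ch) > 0x7F:
            nnonascii += 1
        elif ch.isdigit():
            if i < last:            # a trailing digit is not counted
                ndigit += 1
        elif ch.islower():
            nlower += 1
        elif ch.isupper():
            if i > 0:               # a leading uppercase letter is not counted
                nupper += 1
        else:
            nnonalnum += 1
    nclass = sum(1 for n in (ndigit, nlower, nupper, nnonalnum, nnonascii) if n)
    if nclass < 3:
        return "only %d character class(es), need 3" % nclass
    return None


# Constructed alphabet: the special set avoids quotes, backslash and space,
# which tend to be mangled when a password is written into config files.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!$%&()*+,-./:;<=>?@[]^_{|}~",
)
ALPHABET = "".join(CLASSES)


def generate_fips_password(length=22):
    """Draw one character from every class, fill up from the whole
    alphabet, shuffle with the OS CSPRNG, and retry until the
    position-dependent NSS rules are satisfied."""
    if length < FIPS_MIN_PIN:
        raise ValueError("length must be at least %d" % FIPS_MIN_PIN)
    rng = secrets.SystemRandom()
    while True:
        chars = [rng.choice(cls) for cls in CLASSES]
        chars += [rng.choice(ALPHABET) for _ in range(length - len(CLASSES))]
        rng.shuffle(chars)
        password = "".join(chars)
        if nss_fips_pin_check(password) is None:
            return password


if __name__ == "__main__":
    for sample in ("Secret1", "Secret1!", generate_fips_password()):
        print("%-24s %s" % (sample, nss_fips_pin_check(sample) or "OK"))
```

The position rules are why a naive "one of each class" generator is not enough: `Secret1` has four visually distinct classes but counts as one, so the generator shuffles and re-checks rather than assuming its draw is valid.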
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 15 Feb 2017 16:57:47 +0100 Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/468 Title: #468: Remove non-sensical kdestroy on https stop tiran commented: """ I'm with @rcritten . If we need to clean up / remove some files during a restore, then these clean-ups should be handled by ```ipa-restore```. The service files are IMHO the wrong place. """ See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280050792 From freeipa-github-notification at redhat.com Wed Feb 15 16:06:33 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 15 Feb 2017 17:06:33 +0100 Subject: [Freeipa-devel] [freeipa PR#450][+ack] Add FIPS-token password of HTTPD NSS database In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/450 Title: #450: Add FIPS-token password of HTTPD NSS database Label: +ack From freeipa-github-notification at redhat.com Wed Feb 15 16:16:23 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Wed, 15 Feb 2017 17:16:23 +0100 Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/468 Title: #468: Remove non-sensical kdestroy on https stop pvoborni commented: """ And AFAIK b) is not supported. @martbab , does something indicate otherwise? """ See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280056255 From freeipa-github-notification at redhat.com Wed Feb 15 16:18:06 2017 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 15 Feb 2017 17:18:06 +0100 Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/468 Title: #468: Remove non-sensical kdestroy on https stop martbab commented: """ @rcritten I apologize for sounding rude. I misread your comment and interpreted it differently than intended. That said, if the restore to a running IPA server is not intended to be supported, why do we have a number of tests for this scenario? I have tried to find some discussion in the design page you posted but did not find any discussion of restore into running server, only the steps taken. @tiran I tend to agree with you now. It seemed like a good idea to purge ccaches in the unit file when we switched from KEYRING: to FILE: for apache. However the restore use-case is not the only one which can result into stale ccache, I can also think about requesting new Apache keytab, restarting the service and be left with a stale ccache and key mismatch again. """ See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280056786 From freeipa-github-notification at redhat.com Wed Feb 15 16:24:50 2017 
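The PR #468 thread above turns on one detail of the httpd unit's ExecStopPost line: `kdestroy -A` destroys every cache in the invoking user's collection, and systemd runs that line as root, whereas `kdestroy -c <path>` touches only the named cache. As an added example (not FreeIPA code, and not its ipa-httpd unit), the audit below parses systemd Exec* lines and reports which form each kdestroy invocation uses; the two unit fragments are constructed for the example, with the cache path taken from the thread.

```python
"""Audit systemd Exec* lines for `kdestroy -A`, as an added example.

Not FreeIPA code. `kdestroy -A` destroys every cache in the invoking
user's credential cache collection; from an ExecStopPost= line that
systemd runs as root, that is root's own collection, which is the
complaint behind PR #468. The thread's alternative names one cache:
`kdestroy -c /var/run/httpd/ipa/krbcache/krb5ccache`.
"""
import os
import shlex

EXEC_KEYS = frozenset((
    "ExecStart", "ExecStartPre", "ExecStartPost",
    "ExecStop", "ExecStopPost", "ExecReload",
))

# Constructed unit fragments (not FreeIPA's ipa-httpd unit): the setting
# PR #468 objects to, and the explicit-cache form from the review.
UNIT_BEFORE = """\
[Service]
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecStopPost=-/usr/bin/kdestroy -A
"""
UNIT_AFTER = """\
[Service]
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecStopPost=-/usr/bin/kdestroy -c /var/run/httpd/ipa/krbcache/krb5ccache
"""


def audit_kdestroy(unit_text):
    """Return (line_no, key, verdict) for each Exec* line that runs kdestroy.

    verdict is 'collection' for -A, 'single:<path>' for -c <path>, and
    'default' when no cache is named (the caller's default cache)."""
    findings = []
    for lineno, raw in enumerate(unit_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key not in EXEC_KEYS:
            continue
        argv = shlex.split(value)
        if not argv:
            continue
        # systemd allows '-', '@', ':', '+', '!' prefixes before the path;
        # '-' means a non-zero exit does not fail the unit.
        program = argv[0].lstrip("-@:+!")
        if os.path.basename(program) != "kdestroy":
            continue
        args = argv[1:]
        if "-A" in args:
            verdict = "collection"
        elif "-c" in args and args.index("-c") + 1 < len(args):
            verdict = "single:" + args[args.index("-c") + 1]
        else:
            verdict = "default"
        findings.append((lineno, key, verdict))
    return findings


def destroys_whole_collection(unit_text):
    """True when any Exec* line would wipe the invoking user's entire collection."""
    return any(v == "collection" for _, _, v in audit_kdestroy(unit_text))


if __name__ == "__main__":
    for name, text in (("before", UNIT_BEFORE), ("after", UNIT_AFTER)):
        print(name, audit_kdestroy(text), destroys_whole_collection(text))
```

Note that even the `-c` form is still executed as root; the audit only distinguishes scope, which is the point the thread settles on (purge one named cache, or move the clean-up into `ipa-restore` as tiran suggests).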
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Feb 2017 17:24:50 +0100 Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/468 Title: #468: Remove non-sensical kdestroy on https stop MartinBasti commented: """ @pvoborni this is the way how it this tested by QA, so that's why I added this kind of test to upstream. I disagree that `b)` is not supported. It is just emulation fo case when user ruined kerberos keytabs and service configuration and the one needs to restore backup on the installed server. """ See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280059134 From freeipa-github-notification at redhat.com Wed Feb 15 16:28:15 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Wed, 15 Feb 2017 17:28:15 +0100 Subject: [Freeipa-devel] [freeipa PR#459][comment] Faster JSON encoder/decoder In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/459 Title: #459: Faster JSON encoder/decoder MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/8159c2883bf66980582d1227c364df4e592bdd7e https://fedorahosted.org/freeipa/changeset/b12b1e4c0b19a84ccffcc702ab608d818382a697 https://fedorahosted.org/freeipa/changeset/3cac0378e94efc2ee1070eff2984eb1147bcf463 https://fedorahosted.org/freeipa/changeset/2ff07b958079e5a8972b2e7a06881521361746cc https://fedorahosted.org/freeipa/changeset/1d7fcfe15d279e50d9ac29464a30f8e594db1802 """ See the full comment at https://github.com/freeipa/freeipa/pull/459#issuecomment-280060193 From freeipa-github-notification at redhat.com Wed Feb 15 16:28:17 2017 
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 15 Feb 2017 17:28:17 +0100
Subject: [Freeipa-devel] [freeipa PR#459][+pushed] Faster JSON encoder/decoder
URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: Faster JSON encoder/decoder
Label: +pushed

From freeipa-github-notification at redhat.com Wed Feb 15 16:28:19 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 15 Feb 2017 17:28:19 +0100
Subject: [Freeipa-devel] [freeipa PR#459][closed] Faster JSON encoder/decoder
URL: https://github.com/freeipa/freeipa/pull/459
Author: tiran
Title: #459: Faster JSON encoder/decoder
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/459/head:pr459
git checkout pr459

From freeipa-github-notification at redhat.com Wed Feb 15 16:30:54 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 15 Feb 2017 17:30:54 +0100
Subject: [Freeipa-devel] [freeipa PR#407][+pushed] New lite-server implementation
URL: https://github.com/freeipa/freeipa/pull/407
Title: #407: New lite-server implementation
Label: +pushed

From freeipa-github-notification at redhat.com Wed Feb 15 16:30:55 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 15 Feb 2017 17:30:55 +0100
Subject: [Freeipa-devel] [freeipa PR#407][comment] New lite-server implementation
URL: https://github.com/freeipa/freeipa/pull/407
Title: #407: New lite-server implementation

MartinBasti commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/ff6e701b0077d9c8e2aacdcaecf70f885018db92
"""
See the full comment at https://github.com/freeipa/freeipa/pull/407#issuecomment-280061023

From freeipa-github-notification at redhat.com Wed Feb 15 16:30:57 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 15 Feb 2017 17:30:57 +0100
Subject: [Freeipa-devel] [freeipa PR#407][closed] New lite-server implementation
URL: https://github.com/freeipa/freeipa/pull/407
Author: tiran
Title: #407: New lite-server implementation
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/407/head:pr407
git checkout pr407

From freeipa-github-notification at redhat.com Wed Feb 15 16:54:55 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 15 Feb 2017 17:54:55 +0100
Subject: [Freeipa-devel] [freeipa PR#450][+pushed] Add FIPS-token password of HTTPD NSS database
URL: https://github.com/freeipa/freeipa/pull/450
Title: #450: Add FIPS-token password of HTTPD NSS database
Label: +pushed

From freeipa-github-notification at redhat.com Wed Feb 15 16:54:56 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 15 Feb 2017 17:54:56 +0100
Subject: [Freeipa-devel] [freeipa PR#450][comment] Add FIPS-token password of HTTPD NSS database
URL: https://github.com/freeipa/freeipa/pull/450
Title: #450: Add FIPS-token password of HTTPD NSS database

MartinBasti commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/0b9b6b52d7f2e64a52ef8fd570839711311fa254
"""
See the full comment at https://github.com/freeipa/freeipa/pull/450#issuecomment-280068549

From freeipa-github-notification at redhat.com Wed Feb 15 16:54:57 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 15 Feb 2017 17:54:57 +0100
Subject: [Freeipa-devel] [freeipa PR#450][closed] Add FIPS-token password of HTTPD NSS database
URL: https://github.com/freeipa/freeipa/pull/450
Author: stlaz
Title: #450: Add FIPS-token password of HTTPD NSS database
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/450/head:pr450
git checkout pr450

From freeipa-github-notification at redhat.com Wed Feb 15 17:17:13 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 15 Feb 2017 18:17:13 +0100
Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-pr-367.patch Type: text/x-diff Size: 114189 bytes Desc: not available

From freeipa-github-notification at redhat.com Wed Feb 15 17:27:03 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 15 Feb 2017 18:27:03 +0100
Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

stlaz commented:
"""
I would put the broken KRA cert migration at the lowest priority since https://github.com/freeipa/freeipa/pull/367 moves the original KRA cert anyway.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-280078231

From freeipa-github-notification at redhat.com Wed Feb 15 18:27:14 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 15 Feb 2017 19:27:14 +0100
Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-pr-367.patch Type: text/x-diff Size: 114191 bytes Desc: not available

From freeipa-github-notification at redhat.com Wed Feb 15 21:51:20 2017
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Wed, 15 Feb 2017 22:51:20 +0100
Subject: [Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
Title: #398: Support for Certificate Identity Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/398/head:pr398
git checkout pr398

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-pr-398.patch Type: text/x-diff Size: 51303 bytes Desc: not available

From freeipa-github-notification at redhat.com Wed Feb 15 21:56:44 2017
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Wed, 15 Feb 2017 22:56:44 +0100
Subject: [Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

flo-renaud commented:
"""
PR updated with the check on domain in certmaprule-add/mod.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-280152942

From freeipa-github-notification at redhat.com Thu Feb 16 07:07:44 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 16 Feb 2017 08:07:44 +0100
Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-pr-367.patch Type: text/x-diff Size: 114198 bytes Desc: not available

From freeipa-github-notification at redhat.com Thu Feb 16 07:10:00 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 16 Feb 2017 08:10:00 +0100
Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-pr-367.patch Type: text/x-diff Size: 114206 bytes Desc: not available

From freeipa-github-notification at redhat.com Thu Feb 16 08:51:59 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 16 Feb 2017 09:51:59 +0100
Subject: [Freeipa-devel] [freeipa PR#466][+pushed] pkinit: make sure to have proper dictionary for Kerberos instance on upgrade
URL: https://github.com/freeipa/freeipa/pull/466
Title: #466: pkinit: make sure to have proper dictionary for Kerberos instance on upgrade
Label: +pushed

From freeipa-github-notification at redhat.com Thu Feb 16 08:52:01 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 16 Feb 2017 09:52:01 +0100
Subject: [Freeipa-devel] [freeipa PR#466][closed] pkinit: make sure to have proper dictionary for Kerberos instance on upgrade
URL: https://github.com/freeipa/freeipa/pull/466
Author: abbra
Title: #466: pkinit: make sure to have proper dictionary for Kerberos instance on upgrade
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/466/head:pr466
git checkout pr466

From freeipa-github-notification at redhat.com Thu Feb 16 08:52:02 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 16 Feb 2017 09:52:02 +0100
Subject: [Freeipa-devel] [freeipa PR#466][comment] pkinit: make sure to have proper dictionary for Kerberos instance on upgrade
URL: https://github.com/freeipa/freeipa/pull/466
Title: #466: pkinit: make sure to have proper dictionary for Kerberos instance on upgrade

MartinBasti commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/14d84daf29543978c6383da10f4f2d913346f013
"""
See the full comment at https://github.com/freeipa/freeipa/pull/466#issuecomment-280270827

From freeipa-github-notification at redhat.com Thu Feb 16 08:57:03 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 16 Feb 2017 09:57:03 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
You are missing the point. Obviously tests are an important part of building. I can't test the client bits when ipatests is not available.

Let's do small, incremental improvements. I need the client-only builds ASAP (EOW, next week tops) for some container stuff. Client-only RPMs can be implemented later in beta phase for 4.5.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-280271921

From freeipa-github-notification at redhat.com Thu Feb 16 08:57:32 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 16 Feb 2017 09:57:32 +0100
Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-pr-367.patch Type: text/x-diff Size: 114642 bytes Desc: not available

From freeipa-github-notification at redhat.com Thu Feb 16 09:00:39 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 16 Feb 2017 10:00:39 +0100
Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

stlaz commented:
"""
In the last update I renamed the proposed config option `ca_certfile` to `cacert_store` and made it a requirement for it to be an absolute path. This was done with possible future changes to it in mind (thanks @HonzaCholasta for pointing that out). If the tests pass then this should be ready for review.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-280272695

From freeipa-github-notification at redhat.com Thu Feb 16 09:01:37 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 16 Feb 2017 10:01:37 +0100
Subject: [Freeipa-devel] [freeipa PR#446][edited] Add password file to certutil calls in ipapython.certdb module
URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
Title: #446: Add password file to certutil calls in ipapython.certdb module
Action: edited
Changed field: body

Original value:
"""
With this patchset, ipa-client-install should not ask for NSS database password.

Prerequisite: https://github.com/freeipa/freeipa/pull/367

**edit:** This was a part of a bigger branch and might be missing some parts.
"""

From freeipa-github-notification at redhat.com Thu Feb 16 09:15:52 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 16 Feb 2017 10:15:52 +0100
Subject: [Freeipa-devel] [freeipa PR#465][comment] Tests: search for disabled users
URL: https://github.com/freeipa/freeipa/pull/465
Title: #465: Tests: search for disabled users

stlaz commented:
"""
Is there a ticket for the xfail scenario?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/465#issuecomment-280275823

From freeipa-github-notification at redhat.com Thu Feb 16 09:23:12 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Thu, 16 Feb 2017 10:23:12 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
On (16/02/17 00:57), Christian Heimes wrote:
> You are missing the point. Obviously tests are an important part of building. I can't test the client bits when ipatests is not available.
>

You missed that the name of this PR is "Client-only builds with --disable-server". So this PR *MUST* implement client-only build. Your use-case is different and you need to realize that freeIPA does not have a *unit* test for client bits. All client parts are tested by integration tests which require server.

> Let's do small, incremental improvements. I need the client-only builds ASAP (EOW, next week tops) for some container stuff. Client-only RPMs can be implemented later in beta phase for 4.5.
>

I have never requested anything related to "Client-only RPMs". I always mentioned "make install".

Let's do the correct change from semantic POV. If you want to install tests with client-only build then please add a new configure time option for this purpose and do not misuse option "--disable-server". Misusing options is a bad/hacky approach and we need to clean hacks from freeIPA and not create new ones.

LS
"""
See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-280277782

From freeipa-github-notification at redhat.com Thu Feb 16 09:53:35 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 16 Feb 2017 10:53:35 +0100
Subject: [Freeipa-devel] [freeipa PR#469][comment] Ignore unlink error in ipa-otpd.socket
URL: https://github.com/freeipa/freeipa/pull/469
Title: #469: Ignore unlink error in ipa-otpd.socket

martbab commented:
"""
LGTM, but do we require this fix also in 4-4 branch?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/469#issuecomment-280285004

From freeipa-github-notification at redhat.com Thu Feb 16 10:20:54 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Thu, 16 Feb 2017 11:20:54 +0100
Subject: [Freeipa-devel] [freeipa PR#471][opened] Fix some privilege separation regressions
URL: https://github.com/freeipa/freeipa/pull/471
Author: HonzaCholasta
Title: #471: Fix some privilege separation regressions
Action: opened

PR body:
"""
**client install: create /etc/ipa/nssdb with correct mode**

The NSS database directory is created with mode 640, which causes the IPA client to fail to connect to any IPA server, because it is unable to read trusted CA certificates from the NSS database.

Create the directory with mode 644 to fix the issue.

**server upgrade: fix upgrade in CA-less**

Use /etc/httpd/alias instead of /var/lib/ipa/radb in upload_cacrt, as /var/lib/ipa/radb is not populated in CA-less.

Do not migrate ipaCert from /etc/httpd/alias to /var/lib/ipa/radb in CA-less, as it might be an incorrect certificate from previous CA-ful install, and is not necessary anyway.

**server upgrade: fix upgrade from pre-4.0**

update_ca_renewal_master uses ipaCert certmonger tracking information to decide whether the local server is the CA renewal master or not. The information is lost when migrating from /etc/httpd/alias to /var/lib/ipa/radb in update_ra_cert_store.

Make sure update_ra_cert_store is executed after update_ca_renewal_master so that correct information is used.

**server upgrade: always upgrade KRA agent PEM file**

Before the KRA agent PEM file is exported in server upgrade, the sysupgrade state file is consulted. This causes the KRA agent PEM file not to be exported to the new location if the upgrade was executed in the past.

Do not consult the sysupgrade state file to decide whether to upgrade the KRA agent PEM file or not, the existence of the file is enough to make this decision.
https://fedorahosted.org/freeipa/ticket/5959
https://fedorahosted.org/freeipa/ticket/6675
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/471/head:pr471
git checkout pr471

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-pr-471.patch Type: text/x-diff Size: 8748 bytes Desc: not available

From freeipa-github-notification at redhat.com Thu Feb 16 10:22:52 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Thu, 16 Feb 2017 11:22:52 +0100
Subject: [Freeipa-devel] [freeipa PR#469][comment] Ignore unlink error in ipa-otpd.socket
URL: https://github.com/freeipa/freeipa/pull/469
Title: #469: Ignore unlink error in ipa-otpd.socket

HonzaCholasta commented:
"""
This will ignore all errors, not just file does not exist. Are we OK with that?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/469#issuecomment-280291966

From freeipa-github-notification at redhat.com Thu Feb 16 10:22:54 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Thu, 16 Feb 2017 11:22:54 +0100
Subject: [Freeipa-devel] [freeipa PR#469][closed] Ignore unlink error in ipa-otpd.socket
URL: https://github.com/freeipa/freeipa/pull/469
Author: tiran
Title: #469: Ignore unlink error in ipa-otpd.socket
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/469/head:pr469
git checkout pr469

From freeipa-github-notification at redhat.com Thu Feb 16 10:22:59 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Thu, 16 Feb 2017 11:22:59 +0100
Subject: [Freeipa-devel] [freeipa PR#469][reopened] Ignore unlink error in ipa-otpd.socket
URL: https://github.com/freeipa/freeipa/pull/469
Author: tiran
Title: #469: Ignore unlink error in ipa-otpd.socket
Action: reopened

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/469/head:pr469
git checkout pr469

From freeipa-github-notification at redhat.com Thu Feb 16 10:30:52 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 16 Feb 2017 11:30:52 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
Lukas, you are wasting both my and your precious time with a needless bike-shedding discussion about semantics. The ```--disable-server``` option skips all parts of the build process that are only relevant for server and not relevant for client. ```ipatests``` is relevant for both, therefore it stays.

I told you that I need ```ipatests``` to run tests as part of my build process. It is not yet part of the upstream FreeIPA build process. I also told you that I will provide another PR that will take care of it and add client-only tests. This PR acts as a foundation for both my container build processes and the future PR.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-280293802

From freeipa-github-notification at redhat.com Thu Feb 16 11:25:32 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 16 Feb 2017 12:25:32 +0100
Subject: [Freeipa-devel] [freeipa PR#471][comment] Fix some privilege separation regressions
URL: https://github.com/freeipa/freeipa/pull/471
Title: #471: Fix some privilege separation regressions

stlaz commented:
"""
LGTM
"""
See the full comment at https://github.com/freeipa/freeipa/pull/471#issuecomment-280305500

From freeipa-github-notification at redhat.com Thu Feb 16 11:30:48 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Thu, 16 Feb 2017 12:30:48 +0100
Subject: [Freeipa-devel] [freeipa PR#396][comment] Explicitly remove support of SSLv2
URL: https://github.com/freeipa/freeipa/pull/396
Title: #396: Explicitly remove support of SSLv2

tomaskrizek commented:
"""
Please update the commit title and description to make it clear that it also removes support of SSLv3.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/396#issuecomment-280306512

From freeipa-github-notification at redhat.com Thu Feb 16 13:01:31 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 16 Feb 2017 14:01:31 +0100
Subject: [Freeipa-devel] [freeipa PR#443][comment] Stronger check for DM password during server install
URL: https://github.com/freeipa/freeipa/pull/443
Title: #443: Stronger check for DM password during server install

stlaz commented:
"""
Closing as REJECTED, this will be sorted out in another way.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/443#issuecomment-280324266

From freeipa-github-notification at redhat.com Thu Feb 16 13:01:40 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 16 Feb 2017 14:01:40 +0100
Subject: [Freeipa-devel] [freeipa PR#443][+rejected] Stronger check for DM password during server install
URL: https://github.com/freeipa/freeipa/pull/443
Title: #443: Stronger check for DM password during server install
Label: +rejected

From freeipa-github-notification at redhat.com Thu Feb 16 13:01:41 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 16 Feb 2017 14:01:41 +0100
Subject: [Freeipa-devel] [freeipa PR#443][closed] Stronger check for DM password during server install
URL: https://github.com/freeipa/freeipa/pull/443
Author: stlaz
Title: #443: Stronger check for DM password during server install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/443/head:pr443
git checkout pr443

From freeipa-github-notification at redhat.com Thu Feb 16 13:02:31 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Thu, 16 Feb 2017 14:02:31 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

pvoborni commented:
"""
I think it is OK to keep the behavior of the patch and go with it provided that the behavior is properly documented in the design page after push. The only reason to block it would be that it would be difficult to change it later or if it breaks any existing functionality. But AFAIK it is not the case here.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-280324471

From freeipa-github-notification at redhat.com Thu Feb 16 13:13:09 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Thu, 16 Feb 2017 14:13:09 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tomaskrizek commented:
"""
ACK, I'm fine with pushing this PR. `make install` does install ipatests for client-only build, other server-related packages are omitted. Server builds work like before and aren't affected by this PR.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-280326722

From freeipa-github-notification at redhat.com Thu Feb 16 14:15:02 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 16 Feb 2017 15:15:02 +0100
Subject: [Freeipa-devel] [freeipa PR#471][comment] Fix some privilege separation regressions
URL: https://github.com/freeipa/freeipa/pull/471
Title: #471: Fix some privilege separation regressions

stlaz commented:
"""
Upgrade still fails when run for the first time during `dnf update`: http://pastebin.com/H4kt6hVb

When I run it by hand after this failure, it gets a bit further, but NSSConnection fails in the `[Migrating certificate profiles to LDAP]` step: http://pastebin.com/8tBjYjkU
"""
See the full comment at https://github.com/freeipa/freeipa/pull/471#issuecomment-280340971
From freeipa-github-notification at redhat.com Thu Feb 16 14:29:40 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 16 Feb 2017 15:29:40 +0100
Subject: [Freeipa-devel] [freeipa PR#472][opened] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472
Author: tiran
Title: #472: Packaging: Add placeholder packages
Action: opened

PR body:
"""
The ipa and freeipa packages are placeholders to prevent PyPI squashing attacks and reserve the names for future use. `pip install ipa` installs ipaclient.

Signed-off-by: Christian Heimes

The new PR provides just the two placeholder packages from PR #379.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/472/head:pr472
git checkout pr472

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-pr-472.patch Type: text/x-diff Size: 7203 bytes Desc: not available

From freeipa-github-notification at redhat.com Thu Feb 16 14:40:24 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 16 Feb 2017 15:40:24 +0100
Subject: [Freeipa-devel] [freeipa PR#464][comment] Bump required python-cryptography version
URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version

tiran commented:
"""
```ipasetup.py.in``` hasn't been updated.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/464#issuecomment-280347773

From freeipa-github-notification at redhat.com Thu Feb 16 14:40:25 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 16 Feb 2017 15:40:25 +0100
Subject: [Freeipa-devel] [freeipa PR#464][reopened] Bump required python-cryptography version
URL: https://github.com/freeipa/freeipa/pull/464
Author: stlaz
Title: #464: Bump required python-cryptography version
Action: reopened

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/464/head:pr464
git checkout pr464

From freeipa-github-notification at redhat.com Thu Feb 16 15:04:36 2017
From: freeipa-github-notification at redhat.com (gkaihorodova)
Date: Thu, 16 Feb 2017 16:04:36 +0100
Subject: [Freeipa-devel] [freeipa PR#448][synchronized] Tests: Basic coverage with tree root domain
URL: https://github.com/freeipa/freeipa/pull/448
Author: gkaihorodova
Title: #448: Tests: Basic coverage with tree root domain
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/448/head:pr448
git checkout pr448

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-pr-448.patch Type: text/x-diff Size: 5865 bytes Desc: not available

From freeipa-github-notification at redhat.com Thu Feb 16 15:14:25 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 16 Feb 2017 16:14:25 +0100
Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop
URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

simo5 commented:
"""
@MartinBasti the unit files are the wrong place to destroy ccaches, especially given they run as a different user (root) and may not have access to destroy stuff when we start using KCM. If we need to clear ccaches then we need a different plan, please reopen the original bug, and push this PR to fix the impeding issue.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280357949

From freeipa-github-notification at redhat.com Thu Feb 16 15:15:40 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 16 Feb 2017 16:15:40 +0100
Subject: [Freeipa-devel] [freeipa PR#464][synchronized] Bump required python-cryptography version
URL: https://github.com/freeipa/freeipa/pull/464
Author: stlaz
Title: #464: Bump required python-cryptography version
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/464/head:pr464
git checkout pr464

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-pr-464.patch Type: text/x-diff Size: 811 bytes Desc: not available

From freeipa-github-notification at redhat.com Thu Feb 16 15:16:15 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 16 Feb 2017 16:16:15 +0100
Subject: [Freeipa-devel] [freeipa PR#464][comment] Bump required python-cryptography version

URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version

stlaz commented:
"""
Didn't realize we need that as well now; the patch is in this PR.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/464#issuecomment-280358488

From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 16 Feb 2017 16:16:22 +0100
Subject: [Freeipa-devel] [freeipa PR#464][-pushed] Bump required python-cryptography version

URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version
Label: -pushed

From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 16 Feb 2017 16:16:24 +0100
Subject: [Freeipa-devel] [freeipa PR#464][-ack] Bump required python-cryptography version

URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version
Label: -ack
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 16 Feb 2017 16:16:50 +0100
Subject: [Freeipa-devel] [freeipa PR#454][synchronized] Move AD trust installation code to a separate module

URL: https://github.com/freeipa/freeipa/pull/454
Author: martbab
Title: #454: Move AD trust installation code to a separate module
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/454/head:pr454
git checkout pr454

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-454.patch
Type: text/x-diff
Size: 33090 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 16 Feb 2017 16:20:40 +0100
Subject: [Freeipa-devel] [freeipa PR#396][synchronized] Explicitly remove support of SSLv2

URL: https://github.com/freeipa/freeipa/pull/396
Author: stlaz
Title: #396: Explicitly remove support of SSLv2
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/396/head:pr396
git checkout pr396

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-396.patch
Type: text/x-diff
Size: 6221 bytes
Desc: not available
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 16 Feb 2017 16:23:05 +0100
Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

MartinBasti commented:
"""
@simo5 any ideas on how this should be fixed? We cannot push this patch without an additional fix for removing the outdated ccache, because it will cause permanent CI failures for backup/restore and will mask real issues.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280360540

From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 16 Feb 2017 16:26:40 +0100
Subject: [Freeipa-devel] [freeipa PR#468][synchronized] Remove non-sensical kdestroy on https stop

URL: https://github.com/freeipa/freeipa/pull/468
Author: simo5
Title: #468: Remove non-sensical kdestroy on https stop
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/468/head:pr468
git checkout pr468

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-468.patch
Type: text/x-diff
Size: 1339 bytes
Desc: not available
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 16 Feb 2017 16:42:01 +0100
Subject: [Freeipa-devel] [freeipa PR#465][comment] Tests: search for disabled users

URL: https://github.com/freeipa/freeipa/pull/465
Title: #465: Tests: search for disabled users

MartinBasti commented:
"""
No, because according to @HonzaCholasta this is expected framework behavior.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/465#issuecomment-280366327

From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 16 Feb 2017 16:53:42 +0100
Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

simo5 commented:
"""
If this is about backup/restore, add a kdestroy ccache in the restore scripts, making sure it su - apache first.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280370010
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 16 Feb 2017 17:02:12 +0100
Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

MartinBasti commented:
"""
How about @martbab's comment? https://github.com/freeipa/freeipa/pull/468#issuecomment-280056786

> However, the restore use-case is not the only one which can result in a stale ccache; I can also think of requesting a new Apache keytab, restarting the service and being left with a stale ccache and key mismatch again.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280372861

From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 16 Feb 2017 17:08:17 +0100
Subject: [Freeipa-devel] [freeipa PR#465][comment] Tests: search for disabled users

URL: https://github.com/freeipa/freeipa/pull/465
Title: #465: Tests: search for disabled users

stlaz commented:
"""
Does that mean that `user-find` no longer works?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/465#issuecomment-280374785
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 16 Feb 2017 17:15:52 +0100
Subject: [Freeipa-devel] [freeipa PR#465][comment] Tests: search for disabled users

URL: https://github.com/freeipa/freeipa/pull/465
Title: #465: Tests: search for disabled users

MartinBasti commented:
"""
@stlaz That means that any *-find command may work unexpectedly with a non-mandatory attribute. For this case you must get all active users by `user-find --disabled=false` + `user-find --disabled=`
"""

See the full comment at https://github.com/freeipa/freeipa/pull/465#issuecomment-280377270

From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 16 Feb 2017 17:16:04 +0100
Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

simo5 commented:
"""
If you request a new keytab you should clean up the ccache? If we have a way to run the post exec command as the right user and with the right /tmp (httpd unit file uses namespaced /tmp) we could keep this code in the unit file I guess, although it would be wasteful in most cases when ccache does not change...
"""

See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280377329

From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 16 Feb 2017 17:22:24 +0100
Subject: [Freeipa-devel] [freeipa PR#465][+ack] Tests: search for disabled users

URL: https://github.com/freeipa/freeipa/pull/465
Title: #465: Tests: search for disabled users
Label: +ack
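The `*-find` behaviour MartinBasti describes for PR #465 above (a search on a non-mandatory attribute matches only entries that actually carry it, so listing active users takes `--disabled=false` plus `--disabled=`) is easy to reproduce with a small filter evaluator. The following is an added example written for this page, not FreeIPA's own code: the in-memory directory, the attribute name `disabled` with its `TRUE`/`FALSE` values, and the `find_by_disabled` model of the CLI option are constructed assumptions, and the filter syntax is a minimal subset of RFC 4515 search filters.

```python
"""Why a search on an optional attribute can silently drop entries.

Added illustration for the *-find discussion in PR #465; not FreeIPA code.
A directory is modelled as a list of dicts in which the 'disabled'
attribute (assumed name and values) is optional: entries that were never
disabled simply lack it, so an equality filter on disabled=FALSE does not
match them.
"""


# Constructed sample directory. 'carol' has never had 'disabled' set.
USERS = [
    {"uid": "alice", "disabled": "FALSE"},
    {"uid": "bob", "disabled": "TRUE"},
    {"uid": "carol"},
    {"uid": "dave", "disabled": "FALSE"},
]


def _split_top(s):
    """Split '(a)(b)(c)' into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    if depth != 0:
        raise ValueError("unbalanced parentheses in %r" % s)
    return parts


def parse_filter(text):
    """Parse a minimal RFC 4515 filter: (&...), (|...), (!...), (a=v), (a=*)."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if body[:1] in ("&", "|"):
        return (body[0], [parse_filter(p) for p in _split_top(body[1:])])
    if body[:1] == "!":
        return ("!", [parse_filter(body[1:])])
    attr, sep, value = body.partition("=")
    if not sep:
        raise ValueError("unsupported filter item: %r" % body)
    return ("=", attr, value)


def _matches(node, entry):
    """Evaluate a parsed filter against one entry; attribute values are
    compared case-insensitively, as LDAP boolean syntax would."""
    op = node[0]
    if op == "&":
        return all(_matches(c, entry) for c in node[1])
    if op == "|":
        return any(_matches(c, entry) for c in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    attr, value = node[1], node[2]
    if attr not in entry:      # an absent attribute never matches, not even '*'
        return False
    if value == "*":           # presence test
        return True
    return entry[attr].lower() == value.lower()


def search(entries, ldap_filter):
    """Return the uids of entries matching the filter, in directory order."""
    tree = parse_filter(ldap_filter)
    return [e["uid"] for e in entries if _matches(tree, e)]


def find_by_disabled(entries, value):
    """Model of `user-find --disabled=VALUE` as described in the comment:
    an empty value selects entries that lack the attribute entirely."""
    if value == "":
        return search(entries, "(!(disabled=*))")
    return search(entries, "(disabled=%s)" % value)


def active_users_naive(entries):
    """What one might expect to work: only entries carrying disabled=FALSE."""
    return find_by_disabled(entries, "false")


def active_users(entries):
    """The two-query approach from the comment merged into one filter:
    disabled=FALSE OR no disabled attribute at all."""
    return search(entries, "(|(disabled=FALSE)(!(disabled=*)))")


if __name__ == "__main__":
    print("naive:", active_users_naive(USERS))   # ['alice', 'dave'] (carol missing)
    print("correct:", active_users(USERS))       # ['alice', 'carol', 'dave']
    print("two CLI calls:",
          find_by_disabled(USERS, "false") + find_by_disabled(USERS, ""))
```

The defender-side point is the silent gap: an "all active accounts" report built from the equality form alone omits every account that has never been through disable/enable, so access-review and audit scripts over a directory with optional boolean attributes should use the presence-negation form (or the two CLI calls above) rather than trusting `disabled=false`.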
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Thu, 16 Feb 2017 17:26:27 +0100
Subject: [Freeipa-devel] [freeipa PR#396][+ack] Explicitly remove support of SSLv2

URL: https://github.com/freeipa/freeipa/pull/396
Title: #396: Explicitly remove support of SSLv2
Label: +ack

From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 16 Feb 2017 17:41:56 +0100
Subject: [Freeipa-devel] [freeipa PR#454][synchronized] Move AD trust installation code to a separate module

URL: https://github.com/freeipa/freeipa/pull/454
Author: martbab
Title: #454: Move AD trust installation code to a separate module
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/454/head:pr454
git checkout pr454

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-454.patch
Type: text/x-diff
Size: 33622 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 16 Feb 2017 17:54:43 +0100
Subject: [Freeipa-devel] [freeipa PR#446][synchronized] Add password file to certutil calls in ipapython.certdb module

URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
Title: #446: Add password file to certutil calls in ipapython.certdb module
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/446/head:pr446
git checkout pr446

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-446.patch
Type: text/x-diff
Size: 12389 bytes
Desc: not available
From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 16 Feb 2017 19:47:36 +0100
Subject: [Freeipa-devel] [freeipa PR#473][opened] Fix session/cookie related issues introduced with the privilege separation patches

URL: https://github.com/freeipa/freeipa/pull/473
Author: simo5
Title: #473: Fix session/cookie related issues introduced with the privilege separation patches
Action: opened

PR body:
"""
Fixes two bugs opened recently about double cookies being returned and ccache removal
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/473/head:pr473
git checkout pr473

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-473.patch
Type: text/x-diff
Size: 3917 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 16 Feb 2017 20:09:10 +0100
Subject: [Freeipa-devel] [freeipa PR#473][synchronized] Fix session/cookie related issues introduced with the privilege separation patches

URL: https://github.com/freeipa/freeipa/pull/473
Author: simo5
Title: #473: Fix session/cookie related issues introduced with the privilege separation patches
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/473/head:pr473
git checkout pr473

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-473.patch
Type: text/x-diff
Size: 3920 bytes
Desc: not available
From: freeipa-github-notification at redhat.com (abbra)
Date: Thu, 16 Feb 2017 20:12:10 +0100
Subject: [Freeipa-devel] [freeipa PR#473][comment] Fix session/cookie related issues introduced with the privilege separation patches

URL: https://github.com/freeipa/freeipa/pull/473
Title: #473: Fix session/cookie related issues introduced with the privilege separation patches

abbra commented:
"""
LGTM
"""

See the full comment at https://github.com/freeipa/freeipa/pull/473#issuecomment-280428547

From: freeipa-github-notification at redhat.com (lslebodn)
Date: Thu, 16 Feb 2017 20:28:31 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
On (16/02/17 02:30), Christian Heimes wrote:
> Lukas, you are wasting both my and your precious time with a needless bike-shedding discussion about semantics. The ```--disable-server``` option skips all parts of the build process that are only relevant for server and not relevant for client. ```ipatests``` is relevant for both, therefore it stays.

It's not bikeshedding. You are adding HACKs to the freeipa build system. If this PR is pushed in its current state then I will need to send a PR to fix the client-only build, and it will not install ipatests with --disable-server.

I proposed you a compromise a few times. Thank you very much for ignoring it.

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-280433054
From: freeipa-github-notification at redhat.com (abbra)
Date: Thu, 16 Feb 2017 23:01:26 +0100
Subject: [Freeipa-devel] [freeipa PR#473][+ack] Fix session/cookie related issues introduced with the privilege separation patches

URL: https://github.com/freeipa/freeipa/pull/473
Title: #473: Fix session/cookie related issues introduced with the privilege separation patches
Label: +ack

From: freeipa-github-notification at redhat.com (Akasurde)
Date: Fri, 17 Feb 2017 05:37:33 +0100
Subject: [Freeipa-devel] [freeipa PR#474][opened] Update man page of ipa-server-install

URL: https://github.com/freeipa/freeipa/pull/474
Author: Akasurde
Title: #474: Update man page of ipa-server-install
Action: opened

PR body:
"""
This fix adds information about --ignore-last-of-role in the ipa-server-install man page.

Fixes https://fedorahosted.org/freeipa/ticket/6634

Signed-off-by: Abhijeet Kasurde
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/474/head:pr474
git checkout pr474

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-474.patch
Type: text/x-diff
Size: 1739 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 17 Feb 2017 08:19:36 +0100
Subject: [Freeipa-devel] [freeipa PR#474][+ack] Update man page of ipa-server-install

URL: https://github.com/freeipa/freeipa/pull/474
Title: #474: Update man page of ipa-server-install
Label: +ack
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 08:45:00 +0100
Subject: [Freeipa-devel] [freeipa PR#475][opened] Add options to run only ipaclient unittests

URL: https://github.com/freeipa/freeipa/pull/475
Author: tiran
Title: #475: Add options to run only ipaclient unittests
Action: opened

PR body:
"""
A new option for ipa-run-tests makes the test runner ignore subdirectories or skip tests that depend on the ipaserver package or on a running framework for RPC integration tests. The new option enables testing of client-only builds.

$ ipatests/ipa-run-tests --ipaclient-unittests
...
platform linux2 -- Python 2.7.13, pytest-2.9.2, py-1.4.32, pluggy-0.3.1
rootdir: /home/heimes/redhat, inifile: tox.ini
plugins: sourceorder-0.5, cov-2.3.0, betamax-0.7.1, multihost-1.1
collected 451 items

test_util.py ........
util.py ..
test_ipaclient/test_csrgen.py ..............ssss...
test_ipalib/test_aci.py ...................
test_ipalib/test_backend.py ........
test_ipalib/test_base.py ...............
test_ipalib/test_capabilities.py .
test_ipalib/test_cli.py ...
test_ipalib/test_config.py ...............
test_ipalib/test_crud.py ...............
test_ipalib/test_errors.py .......
test_ipalib/test_frontend.py ........................................
test_ipalib/test_messages.py ....
test_ipalib/test_output.py ...
test_ipalib/test_parameters.py .............................................................
test_ipalib/test_plugable.py ........
test_ipalib/test_rpc.py ......ssssssss
test_ipalib/test_text.py .............................
test_ipalib/test_x509.py ...
test_ipapython/test_cookie.py ............
test_ipapython/test_dn.py ...........................
test_ipapython/test_ipautil.py ..................................................................
test_ipapython/test_ipavalidate.py ..........
test_ipapython/test_kerberos.py ..............
test_ipapython/test_keyring.py ..........
test_ipapython/test_ssh.py ...............................
test_pkcs10/test_pkcs10.py .....

https://fedorahosted.org/freeipa/ticket/6517

Signed-off-by: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/475/head:pr475
git checkout pr475

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-475.patch
Type: text/x-diff
Size: 7611 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 08:45:33 +0100
Subject: [Freeipa-devel] [freeipa PR#475][comment] Add options to run only ipaclient unittests

URL: https://github.com/freeipa/freeipa/pull/475
Title: #475: Add options to run only ipaclient unittests

tiran commented:
"""
PS: I'm not attached to the name of the option. Please speak up if you can come up with a better name than ```--ipaclient-unittests```.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/475#issuecomment-280578416

From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 17 Feb 2017 08:45:56 +0100
Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

martbab commented:
"""
Could we just keep the post command as "kdestroy -c {apache_ccache_path}"? Or is everything chrooted into a name-spaced /tmp so that we can not access the ccache file from within the unit file?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280578487
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 17 Feb 2017 08:52:09 +0100
Subject: [Freeipa-devel] [freeipa PR#475][comment] Add options to run only ipaclient unittests

URL: https://github.com/freeipa/freeipa/pull/475
Title: #475: Add options to run only ipaclient unittests

martbab commented:
"""
I was thinking that instead of making up more options for the test runner we could reorganize the `ipatests/` directory to actually make sense from the consumer's POV, although I admit that it will take more time and also has the potential to break our incredibly... fragile test handling.

On the plus side, you would run the tests you want naturally by just specifying the path that interests you and letting the test discovery do the rest. A silly example:

```bash
$ ipa-run-tests test_ipaclient/test_units
test_ipaclient/test_units/test_util.py ........
test_ipaclient/test_units/tutil.py ..
test_ipaclient/test_units/test_csrgen.py ..............ssss...
...
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/475#issuecomment-280579653

From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 08:54:00 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
I have one very important question: Without ipatests, how are you going to automatically test client-only builds?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-280580037
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 17 Feb 2017 08:54:37 +0100
Subject: [Freeipa-devel] [freeipa PR#474][+pushed] Update man page of ipa-server-install

URL: https://github.com/freeipa/freeipa/pull/474
Title: #474: Update man page of ipa-server-install
Label: +pushed

From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 17 Feb 2017 08:54:39 +0100
Subject: [Freeipa-devel] [freeipa PR#474][closed] Update man page of ipa-server-install

URL: https://github.com/freeipa/freeipa/pull/474
Author: Akasurde
Title: #474: Update man page of ipa-server-install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/474/head:pr474
git checkout pr474

From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 17 Feb 2017 08:54:40 +0100
Subject: [Freeipa-devel] [freeipa PR#474][comment] Update man page of ipa-server-install

URL: https://github.com/freeipa/freeipa/pull/474
Title: #474: Update man page of ipa-server-install

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/08b8bfa9b59b30e1bec1fa8c1cfce992dc80c49f
"""

See the full comment at https://github.com/freeipa/freeipa/pull/474#issuecomment-280580147
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 09:06:17 +0100
Subject: [Freeipa-devel] [freeipa PR#475][comment] Add options to run only ipaclient unittests

URL: https://github.com/freeipa/freeipa/pull/475
Title: #475: Add options to run only ipaclient unittests

tiran commented:
"""
My first PoC used that approach. ipa-run-tests can already take arguments to limit tests to subdirectories. One has to remember that ipa-run-tests performs chdir()...

The additional option combined with the marker has some benefits. It's not just less work and more robust; it permits us to use a cleaner and declarative way to mark test cases. The author of a test case can mark a test with pytest's standard API instead of changing some test runner options. The markers allow us to skip some test cases in a file, too. In my and your example, some tests of ```test_csrgen``` are skipped in ```--ipaclient-unittest``` mode. :)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/475#issuecomment-280582317
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 17 Feb 2017 09:07:47 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

martbab commented:
"""
Well, you won't, and they were not tested automatically before AFAIK (checked with FreeIPA 4.2.0 sources). We can agree that they *should* be, but since this eventuality was never considered before the build refactoring happened, I guess we should first restore the original behavior, and then decide whether the client-only build should run those few unit tests during build.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-280582586

From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 09:32:29 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
I have to validate client-only Python wheel packages anyway. We can just reuse the same infrastructure to test client-only RPMs later. See PR #475.

By the way, validation of Python wheels is the main reason I must have ```ipatests``` in the build.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-280587392
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 09:53:26 +0100
Subject: [Freeipa-devel] [freeipa PR#464][+ack] Bump required python-cryptography version

URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version
Label: +ack

From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Fri, 17 Feb 2017 09:54:42 +0100
Subject: [Freeipa-devel] [freeipa PR#446][+ack] Add password file to certutil calls in ipapython.certdb module

URL: https://github.com/freeipa/freeipa/pull/446
Title: #446: Add password file to certutil calls in ipapython.certdb module
Label: +ack

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 09:58:20 +0100
Subject: [Freeipa-devel] [freeipa PR#473][+pushed] Fix session/cookie related issues introduced with the privilege separation patches

URL: https://github.com/freeipa/freeipa/pull/473
Title: #473: Fix session/cookie related issues introduced with the privilege separation patches
Label: +pushed
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 09:58:22 +0100
Subject: [Freeipa-devel] [freeipa PR#473][comment] Fix session/cookie related issues introduced with the privilege separation patches

URL: https://github.com/freeipa/freeipa/pull/473
Title: #473: Fix session/cookie related issues introduced with the privilege separation patches

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/b895f4a34bcbd0b1787d2bfc1db25f34c3584b9c
https://fedorahosted.org/freeipa/changeset/d0642bfa55e9c24429675f623bc0e35824bc9fb0
"""

See the full comment at https://github.com/freeipa/freeipa/pull/473#issuecomment-280593308

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 09:58:24 +0100
Subject: [Freeipa-devel] [freeipa PR#473][closed] Fix session/cookie related issues introduced with the privilege separation patches

URL: https://github.com/freeipa/freeipa/pull/473
Author: simo5
Title: #473: Fix session/cookie related issues introduced with the privilege separation patches
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/473/head:pr473
git checkout pr473
From: freeipa-github-notification at redhat.com (Akasurde)
Date: Fri, 17 Feb 2017 10:06:41 +0100
Subject: [Freeipa-devel] [freeipa PR#474][comment] Update man page of ipa-server-install

URL: https://github.com/freeipa/freeipa/pull/474
Title: #474: Update man page of ipa-server-install

Akasurde commented:
"""
@martbab @stlaz Thanks for review
"""

See the full comment at https://github.com/freeipa/freeipa/pull/474#issuecomment-280595269

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 10:06:46 +0100
Subject: [Freeipa-devel] [freeipa PR#396][comment] Explicitly remove support of SSLv2

URL: https://github.com/freeipa/freeipa/pull/396
Title: #396: Explicitly remove support of SSLv2

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ac6f573a3014aa09811ca1559d470afe75eadbec
"""

See the full comment at https://github.com/freeipa/freeipa/pull/396#issuecomment-280595283

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 10:06:47 +0100
Subject: [Freeipa-devel] [freeipa PR#396][+pushed] Explicitly remove support of SSLv2

URL: https://github.com/freeipa/freeipa/pull/396
Title: #396: Explicitly remove support of SSLv2
Label: +pushed
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 10:06:49 +0100
Subject: [Freeipa-devel] [freeipa PR#396][closed] Explicitly remove support of SSLv2

URL: https://github.com/freeipa/freeipa/pull/396
Author: stlaz
Title: #396: Explicitly remove support of SSLv2
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/396/head:pr396
git checkout pr396

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 10:08:09 +0100
Subject: [Freeipa-devel] [freeipa PR#465][+pushed] Tests: search for disabled users

URL: https://github.com/freeipa/freeipa/pull/465
Title: #465: Tests: search for disabled users
Label: +pushed

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 10:08:11 +0100
Subject: [Freeipa-devel] [freeipa PR#465][comment] Tests: search for disabled users

URL: https://github.com/freeipa/freeipa/pull/465
Title: #465: Tests: search for disabled users

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/79b3fbf97d66adb1f5c960e5473b90f85cbe145a
"""

See the full comment at https://github.com/freeipa/freeipa/pull/465#issuecomment-280595632
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 10:08:12 +0100
Subject: [Freeipa-devel] [freeipa PR#465][closed] Tests: search for disabled users
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/465
Author: MartinBasti
Title: #465: Tests: search for disabled users
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/465/head:pr465
git checkout pr465

From freeipa-github-notification at redhat.com Fri Feb 17 09:12:39 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 17 Feb 2017 10:12:39 +0100
Subject: [Freeipa-devel] [freeipa PR#464][synchronized] Bump required python-cryptography version
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/464
Author: stlaz
Title: #464: Bump required python-cryptography version
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/464/head:pr464
git checkout pr464

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-464.patch
Type: text/x-diff
Size: 857 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Feb 17 09:12:45 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 17 Feb 2017 10:12:45 +0100
Subject: [Freeipa-devel] [freeipa PR#464][comment] Bump required python-cryptography version
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version

stlaz commented:
"""
@martbab Sure, done.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/464#issuecomment-280596751

From freeipa-github-notification at redhat.com Fri Feb 17 09:12:52 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Fri, 17 Feb 2017 10:12:52 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

pvoborni commented:
"""
I still fail to see why we should care about `make dist` with `configure --disable-server`. This is not a combination of options which should be used together; there is no point in it except as a theoretical exercise.

> then I will need to send PR to fix client-only build and it will not install ipatests with --disable-server.

Why?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-280596786

From freeipa-github-notification at redhat.com Fri Feb 17 09:14:42 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 10:14:42 +0100
Subject: [Freeipa-devel] [freeipa PR#446][+pushed] Add password file to certutil calls in ipapython.certdb module
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/446
Title: #446: Add password file to certutil calls in ipapython.certdb module

Label: +pushed

From freeipa-github-notification at redhat.com Fri Feb 17 09:14:43 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 10:14:43 +0100
Subject: [Freeipa-devel] [freeipa PR#446][comment] Add password file to certutil calls in ipapython.certdb module
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/446
Title: #446: Add password file to certutil calls in ipapython.certdb module

MartinBasti commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/ca457eb5ce12291f555f1bf771114d6d7d191987
https://fedorahosted.org/freeipa/changeset/b20b0489ea06931bfa7d46bdbd6623bc3f09219b
"""

See the full comment at https://github.com/freeipa/freeipa/pull/446#issuecomment-280597237

From freeipa-github-notification at redhat.com Fri Feb 17 09:14:45 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 10:14:45 +0100
Subject: [Freeipa-devel] [freeipa PR#446][closed] Add password file to certutil calls in ipapython.certdb module
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
Title: #446: Add password file to certutil calls in ipapython.certdb module
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/446/head:pr446
git checkout pr446

From freeipa-github-notification at redhat.com Fri Feb 17 09:15:48 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 17 Feb 2017 10:15:48 +0100
Subject: [Freeipa-devel] [freeipa PR#464][+pushed] Bump required python-cryptography version
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version

Label: +pushed

From freeipa-github-notification at redhat.com Fri Feb 17 09:15:50 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 17 Feb 2017 10:15:50 +0100
Subject: [Freeipa-devel] [freeipa PR#464][comment] Bump required python-cryptography version
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version

martbab commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/66867319d903f7693a535471d3b81716a258ce9d
"""

See the full comment at https://github.com/freeipa/freeipa/pull/464#issuecomment-280597487

From freeipa-github-notification at redhat.com Fri Feb 17 09:15:51 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 17 Feb 2017 10:15:51 +0100
Subject: [Freeipa-devel] [freeipa PR#464][closed] Bump required python-cryptography version
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/464
Author: stlaz
Title: #464: Bump required python-cryptography version
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/464/head:pr464
git checkout pr464

From freeipa-github-notification at redhat.com Fri Feb 17 09:21:39 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 10:21:39 +0100
Subject: [Freeipa-devel] [freeipa PR#394][+ack] Add fix for ipa plugins command
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

Label: +ack

From freeipa-github-notification at redhat.com Fri Feb 17 09:22:45 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 10:22:45 +0100
Subject: [Freeipa-devel] [freeipa PR#394][+pushed] Add fix for ipa plugins command
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

Label: +pushed

From freeipa-github-notification at redhat.com Fri Feb 17 09:22:46 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 10:22:46 +0100
Subject: [Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

MartinBasti commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/b3c41f21e51e5389d95b5486dcdfdc3f9a8b0424
"""

See the full comment at https://github.com/freeipa/freeipa/pull/394#issuecomment-280599222

From freeipa-github-notification at redhat.com Fri Feb 17 09:22:48 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 10:22:48 +0100
Subject: [Freeipa-devel] [freeipa PR#394][closed] Add fix for ipa plugins command
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/394
Author: Akasurde
Title: #394: Add fix for ipa plugins command
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/394/head:pr394
git checkout pr394

From freeipa-github-notification at redhat.com Fri Feb 17 09:28:12 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 17 Feb 2017 10:28:12 +0100
Subject: [Freeipa-devel] [freeipa PR#429][comment] [py3] ipactl restart: log httplib failues as debug
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/429
Title: #429: [py3] ipactl restart: log httplib failues as debug

stlaz commented:
"""
I don't see what this has to do with Py3. The issue is the same on Py2. Swap the ticket for the one of @tiran and I'll ack this. If this gets triaged for 4.4 as well we can backport it later.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/429#issuecomment-280600572

From freeipa-github-notification at redhat.com Fri Feb 17 09:29:48 2017
From: freeipa-github-notification at redhat.com (Akasurde)
Date: Fri, 17 Feb 2017 10:29:48 +0100
Subject: [Freeipa-devel] [freeipa PR#421][synchronized] Update warning message for replica install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/421
Author: Akasurde
Title: #421: Update warning message for replica install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/421/head:pr421
git checkout pr421

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-421.patch
Type: text/x-diff
Size: 1437 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Feb 17 09:32:00 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 10:32:00 +0100
Subject: [Freeipa-devel] [freeipa PR#429][synchronized] [py3] ipactl restart: log httplib failues as debug
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/429
Author: MartinBasti
Title: #429: [py3] ipactl restart: log httplib failues as debug
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/429/head:pr429
git checkout pr429

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-429.patch
Type: text/x-diff
Size: 1031 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Feb 17 09:32:39 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 10:32:39 +0100
Subject: [Freeipa-devel] [freeipa PR#429][comment] [py3] ipactl restart: log httplib failues as debug
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/429
Title: #429: [py3] ipactl restart: log httplib failues as debug

MartinBasti commented:
"""
Ticket corrected, commit msg amended
"""

See the full comment at https://github.com/freeipa/freeipa/pull/429#issuecomment-280601652

From freeipa-github-notification at redhat.com Fri Feb 17 09:35:12 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 17 Feb 2017 10:35:12 +0100
Subject: [Freeipa-devel] [freeipa PR#429][+ack] [py3] ipactl restart: log httplib failues as debug
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/429
Title: #429: [py3] ipactl restart: log httplib failues as debug

Label: +ack

From freeipa-github-notification at redhat.com Fri Feb 17 09:35:18 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 17 Feb 2017 10:35:18 +0100
Subject: [Freeipa-devel] [freeipa PR#429][comment] [py3] ipactl restart: log httplib failues as debug
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/429
Title: #429: [py3] ipactl restart: log httplib failues as debug

stlaz commented:
"""
Thanks, ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/429#issuecomment-280602243

From freeipa-github-notification at redhat.com Fri Feb 17 09:36:49 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 10:36:49 +0100
Subject: [Freeipa-devel] [freeipa PR#475][synchronized] Add options to run only ipaclient unittests
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/475
Author: tiran
Title: #475: Add options to run only ipaclient unittests
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/475/head:pr475
git checkout pr475

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-475.patch
Type: text/x-diff
Size: 7652 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Feb 17 09:44:56 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Fri, 17 Feb 2017 10:44:56 +0100
Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

abbra commented:
"""
Yes, when a namespaced /tmp is used, the unit file does not have any view into that.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280604409

From freeipa-github-notification at redhat.com Fri Feb 17 09:46:29 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 10:46:29 +0100
Subject: [Freeipa-devel] [freeipa PR#469][comment] Ignore unlink error in ipa-otpd.socket
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/469
Title: #469: Ignore unlink error in ipa-otpd.socket

tiran commented:
"""
Would you rather use `/usr/bin/rm -f` to only ignore missing files but propagate permission errors? I'm not sure why unlink was used in favor of rm. @simo5 ?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/469#issuecomment-280604757

From freeipa-github-notification at redhat.com Fri Feb 17 10:45:08 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 11:45:08 +0100
Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

tiran commented:
"""
How about we use systemd PrivateTmp for temporary files? It is not only more secure but it also automatically removes all temporary files when the service is stopped:
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp=
"""

See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280617436

From freeipa-github-notification at redhat.com Fri Feb 17 10:50:12 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Fri, 17 Feb 2017 11:50:12 +0100
Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

abbra commented:
"""
@tiran we do use PrivateTmp already. This is not about PrivateTmp, though, because we don't store credential caches in a private tmp.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280618508

From freeipa-github-notification at redhat.com Fri Feb 17 11:04:19 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Fri, 17 Feb 2017 12:04:19 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
On (17/02/17 01:12), Petr Vobornik wrote:
>I still fail to see why we should care about `make dist` with `configure --disable-server` this is not a combination of options which should be used together, there is no point in it except theoretical exercise.
>

`make dist` works

>> then I will need to send PR to fix client-only build and it will not install ipatests with --disable-server.
>
>Why?

The main problem with the `client-only` build and `ipatests` is that there are no tests for it.
* all integration tests assume that the server will be installed first, not that a server is already available somewhere.
* unit tests should be run as part of the build (e.g. `make check`)

So there is no reason to install `ipatests` for a client-only build.
The client-only build was tested just in downstream :-(

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-280621474

From freeipa-github-notification at redhat.com Fri Feb 17 11:04:51 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 12:04:51 +0100
Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

tiran commented:
"""
That's my point. Why is the ccache file not stored in `PrivateTmp`? The ccache can be removed at any time. It doesn't have to be retained. `PrivateTmp` solves the issue for us. We just have to figure out how to combine `tmpfiles.d` with `PrivateTmp` to create `/var/run/apache` in private temp.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280621569

From freeipa-github-notification at redhat.com Fri Feb 17 11:08:39 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 17 Feb 2017 12:08:39 +0100
Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-367.patch
Type: text/x-diff
Size: 116893 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Feb 17 11:12:14 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 12:12:14 +0100
Subject: [Freeipa-devel] [freeipa PR#429][+pushed] [py3] ipactl restart: log httplib failues as debug
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/429
Title: #429: [py3] ipactl restart: log httplib failues as debug

Label: +pushed

From freeipa-github-notification at redhat.com Fri Feb 17 11:12:16 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 12:12:16 +0100
Subject: [Freeipa-devel] [freeipa PR#429][comment] [py3] ipactl restart: log httplib failues as debug
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/429
Title: #429: [py3] ipactl restart: log httplib failues as debug

MartinBasti commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/53c8e9a53f026d83d5328896d1ea0cf72690cf24
"""

See the full comment at https://github.com/freeipa/freeipa/pull/429#issuecomment-280623004

From freeipa-github-notification at redhat.com Fri Feb 17 11:12:17 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 12:12:17 +0100
Subject: [Freeipa-devel] [freeipa PR#429][closed] [py3] ipactl restart: log httplib failues as debug
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/429
Author: MartinBasti
Title: #429: [py3] ipactl restart: log httplib failues as debug
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/429/head:pr429
git checkout pr429

From freeipa-github-notification at redhat.com Fri Feb 17 11:16:50 2017
From: freeipa-github-notification at redhat.com (Akasurde)
Date: Fri, 17 Feb 2017 12:16:50 +0100
Subject: [Freeipa-devel] [freeipa PR#421][synchronized] Update warning message for replica install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/421
Author: Akasurde
Title: #421: Update warning message for replica install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/421/head:pr421
git checkout pr421

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-421.patch
Type: text/x-diff
Size: 1437 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Feb 17 11:18:37 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 17 Feb 2017 12:18:37 +0100
Subject: [Freeipa-devel] [freeipa PR#421][comment] Update warning message for replica install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/421
Title: #421: Update warning message for replica install

stlaz commented:
"""
Wonderful, thank you for your patch.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/421#issuecomment-280624285

From freeipa-github-notification at redhat.com Fri Feb 17 11:18:42 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 17 Feb 2017 12:18:42 +0100
Subject: [Freeipa-devel] [freeipa PR#421][+ack] Update warning message for replica install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/421
Title: #421: Update warning message for replica install

Label: +ack

From freeipa-github-notification at redhat.com Fri Feb 17 11:20:03 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 12:20:03 +0100
Subject: [Freeipa-devel] [freeipa PR#421][+pushed] Update warning message for replica install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/421
Title: #421: Update warning message for replica install

Label: +pushed

From freeipa-github-notification at redhat.com Fri Feb 17 11:20:04 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 12:20:04 +0100
Subject: [Freeipa-devel] [freeipa PR#421][comment] Update warning message for replica install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/421
Title: #421: Update warning message for replica install

MartinBasti commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/c913f810715705c560ae8bd05a33084785f59583
"""

See the full comment at https://github.com/freeipa/freeipa/pull/421#issuecomment-280624523

From freeipa-github-notification at redhat.com Fri Feb 17 11:20:06 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 12:20:06 +0100
Subject: [Freeipa-devel] [freeipa PR#421][closed] Update warning message for replica install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/421
Author: Akasurde
Title: #421: Update warning message for replica install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/421/head:pr421
git checkout pr421

From freeipa-github-notification at redhat.com Fri Feb 17 11:21:00 2017
From: freeipa-github-notification at redhat.com (Akasurde)
Date: Fri, 17 Feb 2017 12:21:00 +0100
Subject: [Freeipa-devel] [freeipa PR#421][comment] Update warning message for replica install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/421
Title: #421: Update warning message for replica install

Akasurde commented:
"""
@stlaz Thanks for your comments.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/421#issuecomment-280624689

From freeipa-github-notification at redhat.com Fri Feb 17 11:21:36 2017
From: freeipa-github-notification at redhat.com (Akasurde)
Date: Fri, 17 Feb 2017 12:21:36 +0100
Subject: [Freeipa-devel] [freeipa PR#421][comment] Update warning message for replica install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/421
Title: #421: Update warning message for replica install

Akasurde commented:
"""
@MartinBasti Thanks for your comments.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/421#issuecomment-280624790

From freeipa-github-notification at redhat.com Fri Feb 17 11:22:30 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Fri, 17 Feb 2017 12:22:30 +0100
Subject: [Freeipa-devel] [freeipa PR#476][opened] vault: cache the transport certificate on client
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/476
Author: HonzaCholasta
Title: #476: vault: cache the transport certificate on client
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/6652
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/476/head:pr476
git checkout pr476

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-476.patch
Type: text/x-diff
Size: 12226 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Feb 17 11:33:05 2017
From: freeipa-github-notification at redhat.com (Akasurde)
Date: Fri, 17 Feb 2017 12:33:05 +0100
Subject: [Freeipa-devel] [freeipa PR#25][closed] Added install check before executing ipa-* command
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/25
Author: Akasurde
Title: #25: Added install check before executing ipa-* command
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/25/head:pr25
git checkout pr25

From freeipa-github-notification at redhat.com Fri Feb 17 11:37:54 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Fri, 17 Feb 2017 12:37:54 +0100
Subject: [Freeipa-devel] [freeipa PR#470][comment] WebUI: Size limit warning on details pages fixed
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/470
Title: #470: WebUI: Size limit warning on details pages fixed

pvoborni commented:
"""
Would it be better to suppress the warning and use a sensible size limit? I.e. the entity select doesn't need to show all entries. I'm afraid that it might have a negative performance impact.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/470#issuecomment-280627755

From freeipa-github-notification at redhat.com Fri Feb 17 11:41:11 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Fri, 17 Feb 2017 12:41:11 +0100
Subject: [Freeipa-devel] [freeipa PR#368][comment] WebUI: fix incorrect behavior of ESC button on combobox
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/368
Title: #368: WebUI: fix incorrect behavior of ESC button on combobox

pvoborni commented:
"""
Code LGTM, but I did not test the behavior, so I cannot give an ACK now.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/368#issuecomment-280628318

From freeipa-github-notification at redhat.com Fri Feb 17 12:31:22 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 13:31:22 +0100
Subject: [Freeipa-devel] [freeipa PR#454][+ack] Move AD trust installation code to a separate module
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/454
Title: #454: Move AD trust installation code to a separate module

Label: +ack

From freeipa-github-notification at redhat.com Fri Feb 17 12:34:53 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 13:34:53 +0100
Subject: [Freeipa-devel] [freeipa PR#454][+pushed] Move AD trust installation code to a separate module
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/454
Title: #454: Move AD trust installation code to a separate module

Label: +pushed

From freeipa-github-notification at redhat.com Fri Feb 17 12:34:55 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 13:34:55 +0100
Subject: [Freeipa-devel] [freeipa PR#454][comment] Move AD trust installation code to a separate module
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/454
Title: #454: Move AD trust installation code to a separate module

MartinBasti commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/98bf0cc9663ac281247ac8d9ee8488e3ab8102eb
"""

See the full comment at https://github.com/freeipa/freeipa/pull/454#issuecomment-280637842

From freeipa-github-notification at redhat.com Fri Feb 17 12:34:56 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 13:34:56 +0100
Subject: [Freeipa-devel] [freeipa PR#454][closed] Move AD trust installation code to a separate module
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/454
Author: martbab
Title: #454: Move AD trust installation code to a separate module
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/454/head:pr454
git checkout pr454

From freeipa-github-notification at redhat.com Fri Feb 17 13:45:53 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Fri, 17 Feb 2017 14:45:53 +0100
Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

simo5 commented:
"""
I guess we can simply set KRB5CCNAME=/tmp/krb5_httpd in the unit file and we should be ok then.
@martbab or @mbasti, can you try that? If it solves your scenario we can change this PR to replace the POST with that Env in the unit file.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280653150

From freeipa-github-notification at redhat.com Fri Feb 17 13:53:22 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Fri, 17 Feb 2017 14:53:22 +0100
Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

simo5 commented:
"""
Uhm, I just tried setting KRB5CCNAME=/tmp/krb5_httpd in my install and ... I found out we do not actually generate an httpd ccache, so why are we trying to destroy the ccache again?
Anyway, I am going to add this Environment line to the unit file just in case, so that we can address the issue if we ever need a ccache.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280655007

From freeipa-github-notification at redhat.com Fri Feb 17 13:56:22 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Fri, 17 Feb 2017 14:56:22 +0100
Subject: [Freeipa-devel] [freeipa PR#395][+ack] Configure PKI ajp redirection to use "localhost" instead of "::1"
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

Label: +ack

From freeipa-github-notification at redhat.com Fri Feb 17 13:56:51 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Fri, 17 Feb 2017 14:56:51 +0100
Subject: [Freeipa-devel] [freeipa PR#468][synchronized] Remove non-sensical kdestroy on https stop
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/468
Author: simo5
Title: #468: Remove non-sensical kdestroy on https stop
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/468/head:pr468
git checkout pr468

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-468.patch
Type: text/x-diff
Size: 1573 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Feb 17 13:58:25 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 14:58:25 +0100
Subject: [Freeipa-devel] [freeipa PR#395][+pushed] Configure PKI ajp redirection to use "localhost" instead of "::1"
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

Label: +pushed

From freeipa-github-notification at redhat.com Fri Feb 17 13:58:27 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 14:58:27 +0100
Subject: [Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

MartinBasti commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/eaa87c75b9f57500265b2dc9480b996b2b92e1e3
"""

See the full comment at https://github.com/freeipa/freeipa/pull/395#issuecomment-280656272

From freeipa-github-notification at redhat.com Fri Feb 17 13:58:28 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 14:58:28 +0100
Subject: [Freeipa-devel] [freeipa PR#395][closed] Configure PKI ajp redirection to use "localhost" instead of "::1"

URL: https://github.com/freeipa/freeipa/pull/395
Author: flo-renaud
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/395/head:pr395
git checkout pr395

From freeipa-github-notification at redhat.com Fri Feb 17 13:58:52 2017

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 14:58:52 +0100
Subject: [Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"

URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

MartinBasti commented:
"""
Please create a backport PR for IPA 4.4.x
"""

See the full comment at https://github.com/freeipa/freeipa/pull/395#issuecomment-280656391

From freeipa-github-notification at redhat.com Fri Feb 17 14:00:47 2017

From: freeipa-github-notification at redhat.com (simo5)
Date: Fri, 17 Feb 2017 15:00:47 +0100
Subject: [Freeipa-devel] [freeipa PR#469][comment] Ignore unlink error in ipa-otpd.socket

URL: https://github.com/freeipa/freeipa/pull/469
Title: #469: Ignore unlink error in ipa-otpd.socket

simo5 commented:
"""
@tiran I do not know, @npmccallum may know.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/469#issuecomment-280656899

From freeipa-github-notification at redhat.com Fri Feb 17 14:04:05 2017
From: freeipa-github-notification at redhat.com (npmccallum)
Date: Fri, 17 Feb 2017 15:04:05 +0100
Subject: [Freeipa-devel] [freeipa PR#469][comment] Ignore unlink error in ipa-otpd.socket

URL: https://github.com/freeipa/freeipa/pull/469
Title: #469: Ignore unlink error in ipa-otpd.socket

npmccallum commented:
"""
We shouldn't use either. We should use RemoveOnStop= now.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/469#issuecomment-280657734

From freeipa-github-notification at redhat.com Fri Feb 17 14:11:03 2017

From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 15:11:03 +0100
Subject: [Freeipa-devel] [freeipa PR#471][comment] Fix some privilege separation regressions

URL: https://github.com/freeipa/freeipa/pull/471
Title: #471: Fix some privilege separation regressions

tiran commented:
"""
@HonzaCholasta, we got merge conflicts.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/471#issuecomment-280659419

From freeipa-github-notification at redhat.com Fri Feb 17 14:11:51 2017

From: freeipa-github-notification at redhat.com (npmccallum)
Date: Fri, 17 Feb 2017 15:11:51 +0100
Subject: [Freeipa-devel] [freeipa PR#477][opened] Use RemoveOnStop to cleanup systemd sockets

URL: https://github.com/freeipa/freeipa/pull/477
Author: npmccallum
Title: #477: Use RemoveOnStop to cleanup systemd sockets
Action: opened

PR body:
"""
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/477/head:pr477
git checkout pr477

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-477.patch
Type: text/x-diff
Size: 716 bytes
Desc: not available

From freeipa-github-notification at redhat.com Fri Feb 17 14:12:29 2017
From: freeipa-github-notification at redhat.com (npmccallum)
Date: Fri, 17 Feb 2017 15:12:29 +0100
Subject: [Freeipa-devel] [freeipa PR#477][comment] Use RemoveOnStop to cleanup systemd sockets

URL: https://github.com/freeipa/freeipa/pull/477
Title: #477: Use RemoveOnStop to cleanup systemd sockets

npmccallum commented:
"""
This PR supersedes PR #469.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/477#issuecomment-280659813

From freeipa-github-notification at redhat.com Fri Feb 17 14:13:26 2017

From: freeipa-github-notification at redhat.com (npmccallum)
Date: Fri, 17 Feb 2017 15:13:26 +0100
Subject: [Freeipa-devel] [freeipa PR#469][comment] Ignore unlink error in ipa-otpd.socket

URL: https://github.com/freeipa/freeipa/pull/469
Title: #469: Ignore unlink error in ipa-otpd.socket

npmccallum commented:
"""
This PR can be closed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/469#issuecomment-280660092

From freeipa-github-notification at redhat.com Fri Feb 17 14:14:07 2017

From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 15:14:07 +0100
Subject: [Freeipa-devel] [freeipa PR#477][comment] Use RemoveOnStop to cleanup systemd sockets

URL: https://github.com/freeipa/freeipa/pull/477
Title: #477: Use RemoveOnStop to cleanup systemd sockets

tiran commented:
"""
RemoveOnStop was added in systemd-214. Let me figure out which version is on RHEL.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/477#issuecomment-280660280
From freeipa-github-notification at redhat.com Fri Feb 17 14:15:47 2017

From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 15:15:47 +0100
Subject: [Freeipa-devel] [freeipa PR#477][+ack] Use RemoveOnStop to cleanup systemd sockets

URL: https://github.com/freeipa/freeipa/pull/477
Title: #477: Use RemoveOnStop to cleanup systemd sockets
Label: +ack

From freeipa-github-notification at redhat.com Fri Feb 17 14:15:57 2017

From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 15:15:57 +0100
Subject: [Freeipa-devel] [freeipa PR#469][closed] Ignore unlink error in ipa-otpd.socket

URL: https://github.com/freeipa/freeipa/pull/469
Author: tiran
Title: #469: Ignore unlink error in ipa-otpd.socket
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/469/head:pr469
git checkout pr469

From freeipa-github-notification at redhat.com Fri Feb 17 14:17:12 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 15:17:12 +0100
Subject: [Freeipa-devel] [freeipa PR#469][+rejected] Ignore unlink error in ipa-otpd.socket

URL: https://github.com/freeipa/freeipa/pull/469
Title: #469: Ignore unlink error in ipa-otpd.socket
Label: +rejected

From freeipa-github-notification at redhat.com Fri Feb 17 14:19:24 2017

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 15:19:24 +0100
Subject: [Freeipa-devel] [freeipa PR#477][+pushed] Use RemoveOnStop to cleanup systemd sockets

URL: https://github.com/freeipa/freeipa/pull/477
Title: #477: Use RemoveOnStop to cleanup systemd sockets
Label: +pushed

From freeipa-github-notification at redhat.com Fri Feb 17 14:19:25 2017

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 15:19:25 +0100
Subject: [Freeipa-devel] [freeipa PR#477][comment] Use RemoveOnStop to cleanup systemd sockets

URL: https://github.com/freeipa/freeipa/pull/477
Title: #477: Use RemoveOnStop to cleanup systemd sockets

MartinBasti commented:
"""
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/d05d1115e409962fee3576a4bfc5cecfacef4fd3
"""

See the full comment at https://github.com/freeipa/freeipa/pull/477#issuecomment-280661655

From freeipa-github-notification at redhat.com Fri Feb 17 14:19:26 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 15:19:26 +0100
Subject: [Freeipa-devel] [freeipa PR#477][closed] Use RemoveOnStop to cleanup systemd sockets

URL: https://github.com/freeipa/freeipa/pull/477
Author: npmccallum
Title: #477: Use RemoveOnStop to cleanup systemd sockets
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/477/head:pr477
git checkout pr477

From freeipa-github-notification at redhat.com Fri Feb 17 14:44:10 2017

From: freeipa-github-notification at redhat.com (simo5)
Date: Fri, 17 Feb 2017 15:44:10 +0100
Subject: [Freeipa-devel] [freeipa PR#468][synchronized] Remove non-sensical kdestroy on https stop

URL: https://github.com/freeipa/freeipa/pull/468
Author: simo5
Title: #468: Remove non-sensical kdestroy on https stop
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/468/head:pr468
git checkout pr468

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-468.patch
Type: text/x-diff
Size: 2109 bytes
Desc: not available

From freeipa-github-notification at redhat.com Fri Feb 17 14:46:09 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Fri, 17 Feb 2017 15:46:09 +0100
Subject: [Freeipa-devel] [freeipa PR#468][synchronized] Remove non-sensical kdestroy on https stop

URL: https://github.com/freeipa/freeipa/pull/468
Author: simo5
Title: #468: Remove non-sensical kdestroy on https stop
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/468/head:pr468
git checkout pr468

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-468.patch
Type: text/x-diff
Size: 2764 bytes
Desc: not available

From freeipa-github-notification at redhat.com Fri Feb 17 14:50:53 2017

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 15:50:53 +0100
Subject: [Freeipa-devel] [freeipa PR#368][comment] WebUI: fix incorrect behavior of ESC button on combobox

URL: https://github.com/freeipa/freeipa/pull/368
Title: #368: WebUI: fix incorrect behavior of ESC button on combobox

MartinBasti commented:
"""
Works for me
"""

See the full comment at https://github.com/freeipa/freeipa/pull/368#issuecomment-280669975

From freeipa-github-notification at redhat.com Fri Feb 17 15:11:53 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Fri, 17 Feb 2017 16:11:53 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
It looks like @tiran does not want to move this PR forward. So here is a link to a patch which does not misuse the client-only build and adds a configure-time option to install ipatests.

https://paste.fedoraproject.org/paste/~u7iDljnMTvinxmLFoc25V5M1UNdIGYhyRLivL9gydE=/

As part of this work I found out that 4 dependencies can be simply moved to the server-only build: `libuuid`, `DIRSRV`, `libsss_idmap`, `libsss_nss_idmap`.

Result => Client-only build requires fewer C dependencies.

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-280675665

From freeipa-github-notification at redhat.com Fri Feb 17 15:27:14 2017

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 16:27:14 +0100
Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

MartinBasti commented:
"""
Shouldn't we have a build dependency on `python[3]-wheel`? Without it the `bdist_wheel` target is not working.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-280679788

From freeipa-github-notification at redhat.com Fri Feb 17 15:30:45 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 17 Feb 2017 16:30:45 +0100
Subject: [Freeipa-devel] [freeipa PR#457][synchronized] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab

URL: https://github.com/freeipa/freeipa/pull/457
Author: martbab
Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/457/head:pr457
git checkout pr457

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-457.patch
Type: text/x-diff
Size: 10677 bytes
Desc: not available

From freeipa-github-notification at redhat.com Fri Feb 17 15:32:07 2017

From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 17 Feb 2017 16:32:07 +0100
Subject: [Freeipa-devel] [freeipa PR#457][comment] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab

URL: https://github.com/freeipa/freeipa/pull/457
Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab

martbab commented:
"""
I have added some commits to cope with changes made during the privilege separation work.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/457#issuecomment-280681170

From freeipa-github-notification at redhat.com Fri Feb 17 15:35:51 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 16:35:51 +0100
Subject: [Freeipa-devel] [freeipa PR#364][synchronized] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Author: tiran
Title: #364: Client-only builds with --disable-server
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/364/head:pr364
git checkout pr364

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-364.patch
Type: text/x-diff
Size: 18106 bytes
Desc: not available

From freeipa-github-notification at redhat.com Fri Feb 17 15:37:36 2017

From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Fri, 17 Feb 2017 16:37:36 +0100
Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

MartinBasti commented:
"""
I'm not an expert about how PyPI is working, but shouldn't there also be placeholder packages for:
- ipaserver
- ipaplatform
- ipatests

How about [free]ipa-server and friends, can a bad person use this for an attack when somebody uses `pip install freeipa-server`?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-280682669

From freeipa-github-notification at redhat.com Fri Feb 17 15:53:54 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 16:53:54 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
Thanks for your contribution. I added your patch to my PR.

On my system I ran into a minor issue. Some C99 types like `uint8_t` were not defined and I had to include `stdint.h`.

By the way I'm just going to ignore your snide and snarky comment.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-280687364

From freeipa-github-notification at redhat.com Fri Feb 17 15:59:18 2017
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Fri, 17 Feb 2017 16:59:18 +0100
Subject: [Freeipa-devel] [freeipa PR#478][opened] [4.4] Do not configure PKI ajp redirection to use "::1"

URL: https://github.com/freeipa/freeipa/pull/478
Author: flo-renaud
Title: #478: [4.4] Do not configure PKI ajp redirection to use "::1"
Action: opened

PR body:
"""
When ipa-server-install configures PKI, it provides a configuration file with the parameter pki_ajp_host set to ::1. This parameter is used to configure Tomcat redirection in /etc/pki/pki-tomcat/server.xml: i.e. all requests to port 8009 are redirected to port 8443 on address ::1.

If the /etc/hosts config file does not define ::1 for localhost, then AJP redirection fails and replica install is not able to request a certificate for the replica.

Since PKI has been fixed (see PKI ticket 2570) to configure the AJP redirection with "localhost" by default, FreeIPA no longer needs to override this setting. The code now depends on pki 10.3.5-11 which provides the fix in the template and the upgrade.

https://fedorahosted.org/freeipa/ticket/6575
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/478/head:pr478
git checkout pr478

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-478.patch
Type: text/x-diff
Size: 2405 bytes
Desc: not available
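The failure flo-renaud describes in PR#478 (an AJP connector bound to the literal ::1 while /etc/hosts has no ::1 entry for localhost) can be caught with a small preflight check before an install or upgrade. The following Python is an added example, not FreeIPA or Dogtag PKI code: the server.xml fragment and /etc/hosts contents are constructed, the function names are hypothetical, and it assumes the front end reaches the connector by the name "localhost", which the PR body does not state.

```python
"""Preflight check for the AJP redirection failure described in PR#478.

Added example, not FreeIPA or Dogtag PKI code.  The PR body says the AJP
connector (port 8009) in /etc/pki/pki-tomcat/server.xml was bound to the
literal address ::1 and that installs broke when /etc/hosts had no
"::1 localhost" line.  This script checks that combination: it parses a
server.xml and an /etc/hosts text and reports AJP bind addresses that the
name "localhost" does not map to.  Assumption (not stated on the page):
the front end reaches the connector by the name "localhost".
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample inputs, not taken from a real installation.
SERVER_XML_V6_LITERAL = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="::1"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/>
  </Service>
</Server>
"""
# What the fixed PKI template produces: the connector bound by name.
SERVER_XML_LOCALHOST = SERVER_XML_V6_LITERAL.replace(
    'address="::1"', 'address="localhost"')
HOSTS_WITHOUT_V6 = "127.0.0.1   localhost localhost.localdomain\n"
HOSTS_WITH_V6 = ("127.0.0.1   localhost localhost.localdomain\n"
                 "# IPv6 loopback\n"
                 "::1         localhost ip6-localhost ip6-loopback\n")


def parse_hosts(hosts_text):
    """Map each hostname in /etc/hosts text to the set of its addresses.

    Lines are "<address> <canonical name> [aliases...]"; '#' starts a
    comment.  Addresses are normalized through ipaddress so that
    "0:0:0:0:0:0:0:1" and "::1" compare equal.
    """
    names = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not a host line; skip it
        for name in fields[1:]:
            names.setdefault(name.lower(), set()).add(addr)
    return names


def ajp_connector_addresses(server_xml_text):
    """Return the bind address of every AJP connector in server.xml.

    A connector with no address attribute listens on all interfaces and
    is returned as "*".
    """
    root = ET.fromstring(server_xml_text)
    return [conn.get("address", "*")
            for conn in root.iter("Connector")
            if conn.get("protocol", "").upper().startswith("AJP")]


def ajp_redirect_problems(server_xml_text, hosts_text, name="localhost"):
    """List AJP bind addresses that `name` does not resolve to in /etc/hosts.

    An empty list means every AJP connector is reachable under `name`:
    it is bound to all interfaces, bound to a hostname (its resolution is
    not checked here), or bound to a literal address that /etc/hosts maps
    `name` to.  The PR#478 case (address="::1" and no ::1 host entry) is
    reported as ["::1"].
    """
    resolved = parse_hosts(hosts_text).get(name.lower(), set())
    problems = []
    for addr in ajp_connector_addresses(server_xml_text):
        if addr == "*":
            continue
        try:
            literal = str(ipaddress.ip_address(addr))
        except ValueError:
            continue  # a hostname, not a literal address
        if literal not in resolved:
            problems.append(addr)
    return problems


if __name__ == "__main__":
    cases = [
        ("::1 literal, no ::1 in hosts", SERVER_XML_V6_LITERAL, HOSTS_WITHOUT_V6),
        ("::1 literal, ::1 in hosts", SERVER_XML_V6_LITERAL, HOSTS_WITH_V6),
        ("localhost (fixed template)", SERVER_XML_LOCALHOST, HOSTS_WITHOUT_V6),
    ]
    for label, xml_text, hosts in cases:
        print(label, "->", ajp_redirect_problems(xml_text, hosts) or "ok")
```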
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 17:03:33 +0100
Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

tiran commented:
"""
At the moment wheels are not required for RPM building. python-wheel is not available on RHEL, but I can work around it. Should the RPM spec file only contain dependencies for RPM packaging or also dependencies for general development and general packaging?

I can create placeholder modules for ipaserver, ipaplatform and ipatests, too. It's going to be a bit more tricky. Let's see...
"""

See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-280690085

From freeipa-github-notification at redhat.com Fri Feb 17 16:41:21 2017

From: freeipa-github-notification at redhat.com (pvoborni)
Date: Fri, 17 Feb 2017 17:41:21 +0100
Subject: [Freeipa-devel] [freeipa PR#368][+ack] WebUI: fix incorrect behavior of ESC button on combobox

URL: https://github.com/freeipa/freeipa/pull/368
Title: #368: WebUI: fix incorrect behavior of ESC button on combobox
Label: +ack

From freeipa-github-notification at redhat.com Fri Feb 17 16:41:24 2017

From: freeipa-github-notification at redhat.com (pvoborni)
Date: Fri, 17 Feb 2017 17:41:24 +0100
Subject: [Freeipa-devel] [freeipa PR#368][comment] WebUI: fix incorrect behavior of ESC button on combobox

URL: https://github.com/freeipa/freeipa/pull/368
Title: #368: WebUI: fix incorrect behavior of ESC button on combobox

pvoborni commented:
"""
ACK given that Martin did functional testing
"""

See the full comment at https://github.com/freeipa/freeipa/pull/368#issuecomment-280700948

From freeipa-github-notification at redhat.com Fri Feb 17 16:47:34 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 17:47:34 +0100
Subject: [Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages

URL: https://github.com/freeipa/freeipa/pull/472
Author: tiran
Title: #472: Packaging: Add placeholder packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/472/head:pr472
git checkout pr472

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-472.patch
Type: text/x-diff
Size: 26816 bytes
Desc: not available

From freeipa-github-notification at redhat.com Fri Feb 17 16:49:29 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 17 Feb 2017 17:49:29 +0100
Subject: [Freeipa-devel] [freeipa PR#479][opened] Merge AD trust installer into composite ones

URL: https://github.com/freeipa/freeipa/pull/479
Author: martbab
Title: #479: Merge AD trust installer into composite ones
Action: opened

PR body:
"""
This PR implements setup of Samba/Winbind as a part of server/replica install. I will update installation tests in a separate PR in order not to inflate an already sizeable amount of code touched in this one.

I also updated man pages of ipa-server/replica-install, but since the entries are a bit chatty, it may be a good idea to write more terse option descriptions and provide a link to `ipa-adtrust-install` for more thorough explanation.

The commits from https://github.com/freeipa/freeipa/pull/457 are on the bottom of the branch in order to provide a working AD trust installer in cases where admin password is not provided.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/479/head:pr479
git checkout pr479

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-479.patch
Type: text/x-diff
Size: 53588 bytes
Desc: not available

From freeipa-github-notification at redhat.com Fri Feb 17 16:50:59 2017

From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 17 Feb 2017 17:50:59 +0100
Subject: [Freeipa-devel] [freeipa PR#368][+pushed] WebUI: fix incorrect behavior of ESC button on combobox

URL: https://github.com/freeipa/freeipa/pull/368
Title: #368: WebUI: fix incorrect behavior of ESC button on combobox
Label: +pushed

From freeipa-github-notification at redhat.com Fri Feb 17 16:51:00 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 17 Feb 2017 17:51:00 +0100
Subject: [Freeipa-devel] [freeipa PR#368][comment] WebUI: fix incorrect behavior of ESC button on combobox

URL: https://github.com/freeipa/freeipa/pull/368
Title: #368: WebUI: fix incorrect behavior of ESC button on combobox

martbab commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/1a96e7f9e737941480436269668ccde0a50395f9
https://fedorahosted.org/freeipa/changeset/6c6c68df544ac1046741d91dfdc59ef8d96b863c
"""

See the full comment at https://github.com/freeipa/freeipa/pull/368#issuecomment-280703637

From freeipa-github-notification at redhat.com Fri Feb 17 16:51:02 2017

From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 17 Feb 2017 17:51:02 +0100
Subject: [Freeipa-devel] [freeipa PR#368][closed] WebUI: fix incorrect behavior of ESC button on combobox

URL: https://github.com/freeipa/freeipa/pull/368
Author: pvomacka
Title: #368: WebUI: fix incorrect behavior of ESC button on combobox
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/368/head:pr368
git checkout pr368

From freeipa-github-notification at redhat.com Fri Feb 17 17:06:50 2017

From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 18:06:50 +0100
Subject: [Freeipa-devel] [freeipa PR#442][+rejected] Add option to run tests in-tree and out-of-tree mode

URL: https://github.com/freeipa/freeipa/pull/442
Title: #442: Add option to run tests in-tree and out-of-tree mode
Label: +rejected

From freeipa-github-notification at redhat.com Fri Feb 17 17:06:51 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 18:06:51 +0100
Subject: [Freeipa-devel] [freeipa PR#442][comment] Add option to run tests in-tree and out-of-tree mode

URL: https://github.com/freeipa/freeipa/pull/442
Title: #442: Add option to run tests in-tree and out-of-tree mode

tiran commented:
"""
Not useful or relevant any more.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/442#issuecomment-280708021

From freeipa-github-notification at redhat.com Fri Feb 17 17:06:52 2017

From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 18:06:52 +0100
Subject: [Freeipa-devel] [freeipa PR#442][closed] Add option to run tests in-tree and out-of-tree mode

URL: https://github.com/freeipa/freeipa/pull/442
Author: tiran
Title: #442: Add option to run tests in-tree and out-of-tree mode
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/442/head:pr442
git checkout pr442

From freeipa-github-notification at redhat.com Fri Feb 17 17:14:47 2017

From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 17 Feb 2017 18:14:47 +0100
Subject: [Freeipa-devel] [freeipa PR#453][synchronized] Cleanup certdb

URL: https://github.com/freeipa/freeipa/pull/453
Author: tiran
Title: #453: Cleanup certdb
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/453/head:pr453
git checkout pr453

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-453.patch
Type: text/x-diff
Size: 11908 bytes
Desc: not available

From freeipa-github-notification at redhat.com Fri Feb 17 19:53:35 2017
From: freeipa-github-notification at redhat.com (redhatrises)
Date: Fri, 17 Feb 2017 20:53:35 +0100
Subject: [Freeipa-devel] [freeipa PR#403][comment] Add new ipa passwd-generate command

URL: https://github.com/freeipa/freeipa/pull/403
Title: #403: Add new ipa passwd-generate command

redhatrises commented:
"""
Thanks @abbra

The command would have been `ipa passwd-generate --user user1` without piping any commands to it and would have kept the initial password as well as only run as an IPA admin. I also had forgotten about using `--random`.

Will look at `ipa-advise` at some point in the future. Closing this PR for now.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/403#issuecomment-280749987

From freeipa-github-notification at redhat.com Fri Feb 17 19:53:37 2017

From: freeipa-github-notification at redhat.com (redhatrises)
Date: Fri, 17 Feb 2017 20:53:37 +0100
Subject: [Freeipa-devel] [freeipa PR#403][closed] Add new ipa passwd-generate command

URL: https://github.com/freeipa/freeipa/pull/403
Author: redhatrises
Title: #403: Add new ipa passwd-generate command
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/403/head:pr403
git checkout pr403

From tjaalton at ubuntu.com Sat Feb 18 05:47:50 2017
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Sat, 18 Feb 2017 07:47:50 +0200
Subject: [Freeipa-devel] python-ipaserver & freeipa-server-trust-ad split

Hi,

So Fedora puts all of dist-packages/ipaserver/* in python-ipaserver, but dcerpc.py imports python-samba which -ipaserver does not depend on. So I've kept dcerpc.py and adtrustinstance.py in freeipa-server-trust-ad on Debian, but now with 4.4.3 (because of fd8c17252fbc) it seems that ipa-server-install wants to import adtrustinstance and fails to run if it's not installed.

Traceback (most recent call last):
  File "/usr/sbin/ipa-server-install", line 25, in
    from ipaserver.install.server import Server
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/__init__.py", line 8, in
    from .upgrade import upgrade_check, upgrade
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 49, in
    from ipaserver.install import adtrustinstance
ImportError: cannot import name adtrustinstance

So what to do here? I can't remember exactly what problems I hit when everything was in python-ipaserver while testing 4.3.0, but I think they were about the samba stuff.. and don't want to test again without asking first. Should the upgrader stuff be split?

--
t

From freeipa-github-notification at redhat.com Sat Feb 18 10:40:14 2017

From: freeipa-github-notification at redhat.com (Akasurde)
Date: Sat, 18 Feb 2017 11:40:14 +0100
Subject: [Freeipa-devel] [freeipa PR#25][reopened] Added install check before executing ipa-* command

URL: https://github.com/freeipa/freeipa/pull/25
Author: Akasurde
Title: #25: Added install check before executing ipa-* command
Action: reopened

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/25/head:pr25
git checkout pr25

From freeipa-github-notification at redhat.com Sat Feb 18 11:09:38 2017
From: freeipa-github-notification at redhat.com (Akasurde)
Date: Sat, 18 Feb 2017 12:09:38 +0100
Subject: [Freeipa-devel] [freeipa PR#480][opened] Add request_type doc string in cert-request

URL: https://github.com/freeipa/freeipa/pull/480
Author: Akasurde
Title: #480: Add request_type doc string in cert-request
Action: opened

PR body:
"""
Fix adds correct description to request_type argument in cert-request command help

Fixes https://fedorahosted.org/freeipa/ticket/6494

Signed-off-by: Abhijeet Kasurde
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/480/head:pr480
git checkout pr480

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-480.patch
Type: text/x-diff
Size: 941 bytes
Desc: not available

From freeipa-github-notification at redhat.com Sun Feb 19 19:07:41 2017

From: freeipa-github-notification at redhat.com (Akasurde)
Date: Sun, 19 Feb 2017 20:07:41 +0100
Subject: [Freeipa-devel] [freeipa PR#481][opened] Minor typo fix in DNS install plugin

URL: https://github.com/freeipa/freeipa/pull/481
Author: Akasurde
Title: #481: Minor typo fix in DNS install plugin
Action: opened

PR body:
"""
Signed-off-by: Abhijeet Kasurde
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/481/head:pr481
git checkout pr481

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-481.patch
Type: text/x-diff
Size: 1368 bytes
Desc: not available

From ftweedal at redhat.com Mon Feb 20 05:03:53 2017
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 20 Feb 2017 15:03:53 +1000
Subject: [Freeipa-devel] FreeIPA and wildcard certificates
In-Reply-To: <37f8b430-92d4-3ab2-69a2-1b96cbb5b75b@redhat.com>
References: <1c7e5abb-9c33-1cdd-fd4b-221a15c85672@redhat.com> <20170208081954.c4kethc4lzjagdmp@redhat.com> <20170209011200.GA3557@dhcp-40-8.bne.redhat.com> <340637ac-a6ba-517a-e2e8-a9ddaf7e63d5@redhat.com> <20170209214418.GD3557@dhcp-40-8.bne.redhat.com> <20170210093708.GI3557@dhcp-40-8.bne.redhat.com> <37f8b430-92d4-3ab2-69a2-1b96cbb5b75b@redhat.com>
Message-ID: <20170220050353.GT3557@dhcp-40-8.bne.redhat.com>

On Fri, Feb 10, 2017 at 11:48:39AM +0100, Martin Kosek wrote:
> On 02/10/2017 10:37 AM, Fraser Tweedale wrote:
> > On Fri, Feb 10, 2017 at 09:23:10AM +0100, Martin Kosek wrote:
> >> On 02/09/2017 10:44 PM, Fraser Tweedale wrote:
> >>> On Thu, Feb 09, 2017 at 08:37:23AM +0100, Martin Kosek wrote:
> >>>> On 02/09/2017 02:12 AM, Fraser Tweedale wrote:
> >>>>> On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote:
> >>>>>> On ke, 08 helmi 2017, Martin Kosek wrote:
> >>>>>>> Hi Fraser and the list,
> >>>>>>>
> >>>>>>> I recently was in a conversation about integrating OpenShift with FreeIPA. One
> >>>>>>> of the gaps was around generating a wildcard certificate by FreeIPA that will
> >>>>>>> be used in the default OpenShift router for applications that do not deploy own
> >>>>>>> certificates [1].
> >>>>>>>
> >>>>>>> Is there any way that FreeIPA can generate it? I was thinking that uploading
> >>>>>>> some custom certificate profile in FreeIPA may let us get such certificate...
> >>>>>>> Or is the only way we can add it by adding a new RFE in FreeIPA, tracked in
> >>>>>>> [2]?
> >>>>>> Yes, we need a new RFE. There are checks in IPA that prevent wildcard
> >>>>>> certificates from being issued:
> >>>>>>
> >>>>>> - we ensure subject 'cn' of the certificate matches a Kerberos principal
> >>>>>> specified in the request
> >>>>>>
> >>>>>> - we validate that host object exists in IPA when the Kerberos
> >>>>>> principal is host/...
> >>>>>>
> >>>>>> We could lift these two limitations for 'cn=*,$suffix' but there is
> >>>>>> still a need to apply proper ACLs when issuing the cert -- e.g. some
> >>>>>> object has to be used for performing access rights check. The wildcard
> >>>>>> certificate does not need to be stored anywhere in the tree, but a
> >>>>>> check still needs to be done.
> >>>>>>
> >>>>>> For example, for Kerberos PKINIT certificate which is issued to KDC we
> >>>>>> don't store public certificate in LDAP either but we do two checks:
> >>>>>> - a special KDC certificate profile is used to issue the cert
> >>>>>> - a special hostname check is done so that only IPA masters are able to
> >>>>>> request this certificate
> >>>>>>
> >>>>>> For the wildcard certificate I think we could have following:
> >>>>>> - use a separate profile for the wildcard, associated with a sub-CA
> >>>>>> - hardcode CN default in the profile to always be 'CN=*, O=$SUB_CA_SUBJECT' so that
> >>>>>> actual certificate ignores requested CN.
> >>>>>> - a special check to be done so that only wildcard-based subject
> >>>>>> alternative names can be added to a wildcard certificate request
> >>>>>> - all Kerberos principal / hostname checks are skipped.
> >>>>>> - actual ACL check is done by CA ACL.
> >>>>>>
> >>>>> Issuing wildcard certs is a deprecated practice[1]. I am not
> >>>>> dismissing the needs of OpenShift (or PaaS/IaaS solutions in
> >>>>> general) but I'd like to have a discussion with them about how
> >>>>> they're currently dealing with certs and whether a different
> >>>>> direction other than wildcard certs is feasible. Martin, who should
> >>>>> I reach out to? Feel free to copy them into this discussion.
> >>>>
> >>>> Right now, I am talking to a Solution Architect, i.e. someone who is building
> >>>> GAed solutions, not developers. This is not something we would change
> >>>> short-term anyway, this is how current OpenShift v2 or v3 behaves, despite the RFC.
> >>>>
> >>>> While I understand why having certificate *.lab.example.com and using it for my
> >>>> lab machines is a bad idea and increases the attack vector, I do not see it
> >>>> that way for OpenShift. There, applications get URL like
> >>>> ".myopenshift.test" and all is routed by one entity, the OpenShift
> >>>> broker. So the key.cert is on one location, just serving different names that
> >>>> are provisioned with OpenShift.
> >>>>
> >>>> I can understand that issuing a new certificate for every application
> >>>> provisioned by OpenShift and then renewing it complicates the design
> >>>> significantly. I am trying to be creative and see if current OpenShift could
> >>>> leverage FreeIPA CA and issue the broker cert, with current profile
> >>>> capabilities or with small change.
> >>>>
> >>> I believe OpenShift supports per-application certificates (i.e. when
> >>> app developers/maintainers supply their own cert for a custom
> >>> domain). So it might be possible in v2 or v3 to provision a cert
> >>> for every app.
> >>
> >> Right, it supports this. But then issuing the certificate and renewal is a
> >> responsibility of app developer, AFAIK. I do not think OpenShift has all the
> >> needed hooks to do this automatically and call certmonger for example.
> >>
> >> TLDR; adding a support of certmonger and issuing a certificate for every new
> >> application is a whole another degree of complexity than just issuing a
> >> Wildcard certificate for the router. I am not saying it should not be done, I
> >> am just saying that being able to generate a wildcard certificate with FreeIPA
> >> would let us integrate with OpenShift much better than now and with (hopefully)
> >> low effort involved, i.e. faster.
> >>
> >>> An automated solution does not yet exist but that
> >>> doesn't mean it can't be built out of what's currently GA.
> >>>
> >>>>> [1] https://tools.ietf.org/html/rfc6125#section-7.2
> >>>>>
> >>>>> If we do go ahead with wildcard cert support in FreeIPA, some of my
> >>>>> initial questions are:
> >>>>>
> >>>>> - For the OpenShift use case, what is the "parent" domain name and
> >>>>> is it the same as the IPA domain name? Is it a subdomain of the
> >>>>> IPA domain name?
> >>>>>
> >>>>> - Do we need to support issuing "*.${IPA_DOMAIN}"? i.e. wildcard
> >>>>> cert under entire IPA domain name.
> >>>>>
> >>>>> - Do we need to support issuing "*.${IPA_HOSTNAME}"? i.e. wildcard
> >>>>> certs under names of IPA host principals.
> >>>>
> >>>> I do not know, but I can ask if it is important for you :-)
> >>>>
> >>> It's important to know what I actually need to do if we proceed with
> >>> implementing this :)
> >>
> >> We do not need to jump on implementing it right away, you already have a lot on
> >> your plate. Right now, I just want to know:
> >>
> >> - is there any way how I can generate wildcard cert with current FreeIPA, using
> >> a custom certificate profile. I assume the answer is no.
> >>
> > I have an idea.
> >
> > - Assume there exists a FreeIPA host `foo.example.com', the "parent"
> > domain name for the desired wildcard name `*.foo.example.com'.
> >
> > - Create a profile with the config:
> >
> > policyset.serverCertSet..constraint.class_id=subjectNameConstraintImpl
> > policyset.serverCertSet..constraint.name=Subject Name Constraint
> > policyset.serverCertSet..constraint.params.accept=true
> > policyset.serverCertSet..constraint.params.pattern=CN=[^,]+,.+
> > policyset.serverCertSet..default.class_id=subjectNameDefaultImpl
> > policyset.serverCertSet..default.name=Subject Name Default
> > policyset.serverCertSet..default.params.name=CN=*.$request.req_subject_name.cn$, o=EXAMPLE.COM
> >
> > - Set up CA ACLs to constrain use of this profile for issuance only
> > to hosts for which a wildcard cert *under* their hostname is
> > allowed.
> >
> > - Issue wildcard cert.
> >
> > I'm not 100% sure if that last directive from the snippet above is
> > valid. Worth a shot.
>
> This is exactly what I was looking for, as a workaround! Do you think you would
> be able to try it (not necessarily right now, but in several days)? Just so
> that we know it would work.
>
It works. I wrote it up in a blog post:
http://blog-ftweedal.rhcloud.com/2017/02/wildcard-certificates-in-freeipa/

> >> - how complex would it be to add support of Wildcard certificate support to
> >> FreeIPA (rough scope).
> >>
> > It really depends on the answers to my earlier questions :) Need to
> > know *exactly* what is needed for OpenShift in terms of how the
> > domain(s) to include in the cert relate to IPA domain or
> > host/service principals defined therein.
>
> We should not make feature too specific to OpenShift anyway, so I do not think
> the answers to these questions need to come from OpenShift, but rather from our
> understanding of how to make this feature useful for FreeIPA users.
>
> But if you check OpenShift documentation:
> https://docs.openshift.com/container-platform/3.4/install_config/router/default_haproxy_router.html#using-wildcard-certificates
> you will see that the domain for the wildcard is configurable. So AFAIK, the
> OpenShift may join a realm EXAMPLE.COM and have the wildcard cert for
> '*.cloudapps.example.com'.
>
After my exploration of what we can do with FreeIPA, I'd now be
surprised if we need to do anything else at all, besides perhaps some
official doc e.g. a KBase article. Please pass the info along and
see if the OpenShift folks are happy with what they can do with a
custom profile.

Cheers,
Fraser

From freeipa-github-notification at redhat.com Mon Feb 20 08:02:51 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 20 Feb 2017 09:02:51 +0100
Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

HonzaCholasta commented:
"""
Is this really the right thing to do? IMO it does not make much sense to have placeholders for every `ipa*` package, as it does not scale at all - nothing is preventing a potential attacker from registering their own `ipa*` package, which will confuse PyPI users all the same and will prevent us from using that name ourselves in the future, should we want to.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281011551

From freeipa-github-notification at redhat.com Mon Feb 20 08:03:54 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 20 Feb 2017 09:03:54 +0100
Subject: [Freeipa-devel] [freeipa PR#471][synchronized] Fix some privilege separation regressions
URL: https://github.com/freeipa/freeipa/pull/471
Author: HonzaCholasta
Title: #471: Fix some privilege separation regressions
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/471/head:pr471
git checkout pr471

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-471.patch
Type: text/x-diff
Size: 9947 bytes

From freeipa-github-notification at redhat.com Mon Feb 20 08:05:07 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 20 Feb 2017 09:05:07 +0100
Subject: [Freeipa-devel] [freeipa PR#471][comment] Fix some privilege separation regressions
URL: https://github.com/freeipa/freeipa/pull/471
Title: #471: Fix some privilege separation regressions

HonzaCholasta commented:
"""
@stlaz, not sure what's going on there, but not my fault, these failures happen even without this PR.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/471#issuecomment-281011963

From freeipa-github-notification at redhat.com Mon Feb 20 08:35:33 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 20 Feb 2017 09:35:33 +0100
Subject: [Freeipa-devel] [freeipa PR#481][+ack] Minor typo fix in DNS install plugin
URL: https://github.com/freeipa/freeipa/pull/481
Title: #481: Minor typo fix in DNS install plugin
Label: +ack

From freeipa-github-notification at redhat.com Mon Feb 20 08:56:36 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Mon, 20 Feb 2017 09:56:36 +0100
Subject: [Freeipa-devel] [freeipa PR#478][+ack] [4.4] Do not configure PKI ajp redirection to use "::1"
URL: https://github.com/freeipa/freeipa/pull/478
Title: #478: [4.4] Do not configure PKI ajp redirection to use "::1"
Label: +ack

From freeipa-github-notification at redhat.com Mon Feb 20 09:25:51 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 20 Feb 2017 10:25:51 +0100
Subject: [Freeipa-devel] [freeipa PR#478][comment] [4.4] Do not configure PKI ajp redirection to use "::1"
URL: https://github.com/freeipa/freeipa/pull/478
Title: #478: [4.4] Do not configure PKI ajp redirection to use "::1"

martbab commented:
"""
Fixed upstream ipa-4-4: https://fedorahosted.org/freeipa/changeset/4a30e9d53475d60fb76242a098f1d969d6b19f75
"""

See the full comment at https://github.com/freeipa/freeipa/pull/478#issuecomment-281027818

From freeipa-github-notification at redhat.com Mon Feb 20 09:25:52 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 20 Feb 2017 10:25:52 +0100
Subject: [Freeipa-devel] [freeipa PR#478][+pushed] [4.4] Do not configure PKI ajp redirection to use "::1"
URL: https://github.com/freeipa/freeipa/pull/478
Title: #478: [4.4] Do not configure PKI ajp redirection to use "::1"
Label: +pushed

From freeipa-github-notification at redhat.com Mon Feb 20 09:25:54 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 20 Feb 2017 10:25:54 +0100
Subject: [Freeipa-devel] [freeipa PR#478][closed] [4.4] Do not configure PKI ajp redirection to use "::1"
URL: https://github.com/freeipa/freeipa/pull/478
Author: flo-renaud
Title: #478: [4.4] Do not configure PKI ajp redirection to use "::1"
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/478/head:pr478
git checkout pr478

From freeipa-github-notification at redhat.com Mon Feb 20 09:32:45 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 20 Feb 2017 10:32:45 +0100
Subject: [Freeipa-devel] [freeipa PR#471][comment] Fix some privilege separation regressions
URL: https://github.com/freeipa/freeipa/pull/471
Title: #471: Fix some privilege separation regressions

stlaz commented:
"""
Note that `KRA_AGENT_PEM` will not be moved to the correct folder if KRA is not installed but that's fine with me.

`/bin/systemctl status ipa_memcached.service` still shows the service as `running` although there's the strange line `Loaded: not-found (Reason: No such file or directory)`. That does not seem ok, should we stop the service as well?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/471#issuecomment-281029398

From freeipa-github-notification at redhat.com Mon Feb 20 10:49:01 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 20 Feb 2017 11:49:01 +0100
Subject: [Freeipa-devel] [freeipa PR#482][opened] Don't count service/host/user cert md5 fprints in FIPS
URL: https://github.com/freeipa/freeipa/pull/482
Author: stlaz
Title: #482: Don't count service/host/user cert md5 fprints in FIPS
Action: opened

PR body:
"""
To be "backward compatible" we cannot remove `md5_fingerprint` so we at least supply the reason why it can't be counted.

https://fedorahosted.org/freeipa/ticket/5695
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/482/head:pr482
git checkout pr482

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-482.patch
Type: text/x-diff
Size: 8498 bytes

From freeipa-github-notification at redhat.com Mon Feb 20 10:49:37 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 20 Feb 2017 11:49:37 +0100
Subject: [Freeipa-devel] [freeipa PR#482][edited] Don't count service/host/user cert md5 fprints in FIPS
URL: https://github.com/freeipa/freeipa/pull/482
Author: stlaz
Title: #482: Don't count service/host/user cert md5 fprints in FIPS
Action: edited
Changed field: body

Original value:
"""
To be "backward compatible" we cannot remove `md5_fingerprint` so we at least supply the reason why it can't be counted.

https://fedorahosted.org/freeipa/ticket/5695
"""

From freeipa-github-notification at redhat.com Mon Feb 20 10:59:44 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 20 Feb 2017 11:59:44 +0100
Subject: [Freeipa-devel] [freeipa PR#483][opened] lite-server: validate LDAP connection and cache schema
URL: https://github.com/freeipa/freeipa/pull/483
Author: tiran
Title: #483: lite-server: validate LDAP connection and cache schema
Action: opened

PR body:
"""
The LDAP schema cache makes the lite-server behave more like mod_wsgi.

See https://fedorahosted.org/freeipa/ticket/6679

Signed-off-by: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/483/head:pr483
git checkout pr483

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-483.patch
Type: text/x-diff
Size: 3145 bytes

From freeipa-github-notification at redhat.com Mon Feb 20 11:33:10 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 20 Feb 2017 12:33:10 +0100
Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

MartinBasti commented:
"""
We want to prevent others from having packages in PyPI with the same names as used for IPA. This is reasonable for protecting users from getting attacker code from PyPI and rewriting working modules installed from rpms.

In case somebody installs `ipamodulefromhell` we really cannot help this user.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281056392

From freeipa-github-notification at redhat.com Mon Feb 20 11:34:34 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 20 Feb 2017 12:34:34 +0100
Subject: [Freeipa-devel] [freeipa PR#484][opened] FIPS: Remove pkispawn cruft
URL: https://github.com/freeipa/freeipa/pull/484
Author: stlaz
Title: #484: FIPS: Remove pkispawn cruft
Action: opened

PR body:
"""
`pkispawn` leaves some ugly files after its successful run. This patch:
a) makes sure the files are removed (say no to `__del__` in `DogtagInstance`)
b) prevents special requirements for DM password in FIPS as this was for some reason used to create an NSS database for `pkispawn`
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/484/head:pr484
git checkout pr484

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-484.patch
Type: text/x-diff
Size: 11858 bytes

From freeipa-github-notification at redhat.com Mon Feb 20 11:43:21 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 20 Feb 2017 12:43:21 +0100
Subject: [Freeipa-devel] [freeipa PR#480][comment] Add request_type doc string in cert-request
URL: https://github.com/freeipa/freeipa/pull/480
Title: #480: Add request_type doc string in cert-request

MartinBasti commented:
"""
Ticket is `Enumerate all available request type options in ipa cert-request help` but your commit doesn't enumerate all possible certtypes
"""

See the full comment at https://github.com/freeipa/freeipa/pull/480#issuecomment-281058427

From freeipa-github-notification at redhat.com Mon Feb 20 11:51:59 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 20 Feb 2017 12:51:59 +0100
Subject: [Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft
URL: https://github.com/freeipa/freeipa/pull/484
Title: #484: FIPS: Remove pkispawn cruft

MartinBasti commented:
"""
```
************* Module ipaserver.install.cainstance
ipaserver/install/cainstance.py:685: [E1101(no-member), CAInstance.import_ra_cert] Instance of 'CAInstance' has no 'ra_agent_db' member)
ipaserver/install/cainstance.py:685: [E1101(no-member), CAInstance.import_ra_cert] Instance of 'CAInstance' has no 'ra_agent_pwd' member)
ipaserver/install/cainstance.py:831: [E1101(no-member), CAInstance.__request_ra_certificate] Instance of 'CAInstance' has no 'ra_agent_db' member)
ipaserver/install/cainstance.py:834: [E1101(no-member), CAInstance.__request_ra_certificate] Instance of 'CAInstance' has no 'ra_agent_pwd' member)
************* Module ipaserver.install.dogtaginstance
ipaserver/install/dogtaginstance.py:78: [E0602(undefined-variable), export_kra_agent_pem] Undefined variable 'tempfile')
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/484#issuecomment-281060112

From freeipa-github-notification at redhat.com Mon Feb 20 11:57:57 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 20 Feb 2017 12:57:57 +0100
Subject: [Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft
URL: https://github.com/freeipa/freeipa/pull/484
Title: #484: FIPS: Remove pkispawn cruft

stlaz commented:
"""
Hm, originally had this over the nsslib removal patchset but the rebase was not as successful as I thought, will fix the issues.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/484#issuecomment-281061194

From freeipa-github-notification at redhat.com Mon Feb 20 12:09:44 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 20 Feb 2017 13:09:44 +0100
Subject: [Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft
URL: https://github.com/freeipa/freeipa/pull/484
Title: #484: FIPS: Remove pkispawn cruft

tiran commented:
"""
Or you could always clean up ```/root/.dogtag``` and remove the tmp dir when the var is not None.

By the way do you clean up ```/root/.dogtag``` during update?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/484#issuecomment-281063403

From freeipa-github-notification at redhat.com Mon Feb 20 12:16:06 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 20 Feb 2017 13:16:06 +0100
Subject: [Freeipa-devel] [freeipa PR#471][synchronized] Fix some privilege separation regressions
URL: https://github.com/freeipa/freeipa/pull/471
Author: HonzaCholasta
Title: #471: Fix some privilege separation regressions
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/471/head:pr471
git checkout pr471

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-471.patch
Type: text/x-diff
Size: 10662 bytes

From freeipa-github-notification at redhat.com Mon Feb 20 12:43:36 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 20 Feb 2017 13:43:36 +0100
Subject: [Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft
URL: https://github.com/freeipa/freeipa/pull/484
Title: #484: FIPS: Remove pkispawn cruft

stlaz commented:
"""
Always tend to forget about the upgrade part, will do, thanks ?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/484#issuecomment-281069900

From freeipa-github-notification at redhat.com Mon Feb 20 12:53:35 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 20 Feb 2017 13:53:35 +0100
Subject: [Freeipa-devel] [freeipa PR#471][comment] Fix some privilege separation regressions
URL: https://github.com/freeipa/freeipa/pull/471
Title: #471: Fix some privilege separation regressions

stlaz commented:
"""
The raised issues seem to have been fixed. ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/471#issuecomment-281071960

From freeipa-github-notification at redhat.com Mon Feb 20 12:53:42 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 20 Feb 2017 13:53:42 +0100
Subject: [Freeipa-devel] [freeipa PR#471][+ack] Fix some privilege separation regressions
URL: https://github.com/freeipa/freeipa/pull/471
Title: #471: Fix some privilege separation regressions
Label: +ack

From freeipa-github-notification at redhat.com Mon Feb 20 12:55:00 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 20 Feb 2017 13:55:00 +0100
Subject: [Freeipa-devel] [freeipa PR#471][+pushed] Fix some privilege separation regressions
URL: https://github.com/freeipa/freeipa/pull/471
Title: #471: Fix some privilege separation regressions
Label: +pushed

From freeipa-github-notification at redhat.com Mon Feb 20 12:55:02 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 20 Feb 2017 13:55:02 +0100
Subject: [Freeipa-devel] [freeipa PR#471][comment] Fix some privilege separation regressions
URL: https://github.com/freeipa/freeipa/pull/471
Title: #471: Fix some privilege separation regressions

HonzaCholasta commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/b4fa354f500bcf3ac23ee3805f2c166c6a635b92
https://fedorahosted.org/freeipa/changeset/ba8a10fbdb39cab672038e1a6dc9c7507070cdf9
https://fedorahosted.org/freeipa/changeset/97e838e10da3b42e3605d230e0b8e01b9148876f
https://fedorahosted.org/freeipa/changeset/0862e320916e0123df7e8505ba61229db0cb1e4a
https://fedorahosted.org/freeipa/changeset/6d34c2169fcd520cc726e58e01d008ae3637aad4
"""

See the full comment at https://github.com/freeipa/freeipa/pull/471#issuecomment-281072241

From freeipa-github-notification at redhat.com Mon Feb 20 12:55:03 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Mon, 20 Feb 2017 13:55:03 +0100
Subject: [Freeipa-devel] [freeipa PR#471][closed] Fix some privilege separation regressions
URL: https://github.com/freeipa/freeipa/pull/471
Author: HonzaCholasta
Title: #471: Fix some privilege separation regressions
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/471/head:pr471
git checkout pr471

From freeipa-github-notification at redhat.com Mon Feb 20 13:09:38 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 20 Feb 2017 14:09:38 +0100
Subject: [Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft
URL: https://github.com/freeipa/freeipa/pull/484
Title: #484: FIPS: Remove pkispawn cruft

tiran commented:
"""
pylint needs some attention, too.

```
************* Module ipaserver.install.cainstance
ipaserver/install/cainstance.py:685: [E1101(no-member), CAInstance.import_ra_cert] Instance of 'CAInstance' has no 'ra_agent_db' member)
ipaserver/install/cainstance.py:685: [E1101(no-member), CAInstance.import_ra_cert] Instance of 'CAInstance' has no 'ra_agent_pwd' member)
ipaserver/install/cainstance.py:831: [E1101(no-member), CAInstance.__request_ra_certificate] Instance of 'CAInstance' has no 'ra_agent_db' member)
ipaserver/install/cainstance.py:834: [E1101(no-member), CAInstance.__request_ra_certificate] Instance of 'CAInstance' has no 'ra_agent_pwd' member)
************* Module ipaserver.install.dogtaginstance
ipaserver/install/dogtaginstance.py:78: [E0602(undefined-variable), export_kra_agent_pem] Undefined variable 'tempfile')
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/484#issuecomment-281075216

From freeipa-github-notification at redhat.com Mon Feb 20 14:02:19 2017
From: freeipa-github-notification at redhat.com (rcritten)
Date: Mon, 20 Feb 2017 15:02:19 +0100
Subject: [Freeipa-devel] [freeipa PR#482][comment] Don't count service/host/user cert md5 fprints in FIPS
URL: https://github.com/freeipa/freeipa/pull/482
Title: #482: Don't count service/host/user cert md5 fprints in FIPS

rcritten commented:
"""
In service.py the error isn't wrapped in _(). You should use the same message in both.

Given the different messages I'm surprised this didn't pop up as a test failure.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/482#issuecomment-281086821

From freeipa-github-notification at redhat.com Mon Feb 20 14:14:39 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 20 Feb 2017 15:14:39 +0100
Subject: [Freeipa-devel] [freeipa PR#482][comment] Don't count service/host/user cert md5 fprints in FIPS
URL: https://github.com/freeipa/freeipa/pull/482
Title: #482: Don't count service/host/user cert md5 fprints in FIPS

MartinBasti commented:
"""
I don't think that this is a good way to handle backward compatibility. With FIPS mode enabled there is no md5 backward compatibility and users should adapt their automation.

In case the IPA API is used directly it will contain garbage and it may not be caught fast enough by any automation on the user side.

We should not provide anything related to md5 under FIPS mode and let any possible automation using the IPA API fail early on missing values.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/482#issuecomment-281089720

From freeipa-github-notification at redhat.com Mon Feb 20 14:22:22 2017
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Mon, 20 Feb 2017 15:22:22 +0100
Subject: [Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
Title: #398: Support for Certificate Identity Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/398/head:pr398
git checkout pr398

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-398.patch
Type: text/x-diff
Size: 50955 bytes

From freeipa-github-notification at redhat.com Mon Feb 20 15:13:03 2017
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 20 Feb 2017 16:13:03 +0100 Subject: [Freeipa-devel] [freeipa PR#484][synchronized] FIPS: Remove pkispawn cruft In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/484 Author: stlaz Title: #484: FIPS: Remove pkispawn cruft Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/484/head:pr484 git checkout pr484 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-484.patch Type: text/x-diff Size: 14177 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Feb 20 15:18:38 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Feb 2017 16:18:38 +0100 Subject: [Freeipa-devel] [freeipa PR#482][comment] Don't count service/host/user cert md5 fprints in FIPS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/482 Title: #482: Don't count service/host/user cert md5 fprints in FIPS tomaskrizek commented: """ @rcritten Currently, the tests fail because we need #437 merged. It would be caught. @MartinBasti The only other option I see is to provide `None`. We can't remove the md5 fingerprint from API - or can we? """ See the full comment at https://github.com/freeipa/freeipa/pull/482#issuecomment-281105590 From freeipa-github-notification at redhat.com Mon Feb 20 15:29:19 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 20 Feb 2017 16:29:19 +0100 Subject: [Freeipa-devel] [freeipa PR#482][comment] Don't count service/host/user cert md5 fprints in FIPS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/482 Title: #482: Don't count service/host/user cert md5 fprints in FIPS stlaz commented: """ I am fine with not providing `md5_fingerprint` at all but that would require the tests to be fixed as well and I am not sure how to easily do that in this case. """ See the full comment at https://github.com/freeipa/freeipa/pull/482#issuecomment-281108279 From freeipa-github-notification at redhat.com Mon Feb 20 15:33:32 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 20 Feb 2017 16:33:32 +0100 Subject: [Freeipa-devel] [freeipa PR#482][comment] Don't count service/host/user cert md5 fprints in FIPS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/482 Title: #482: Don't count service/host/user cert md5 fprints in FIPS tomaskrizek commented: """ Actually, we don't need to provide `md5_fingerprint` at all in FIPS, since the attribute is marked as `virtual_attribute`. """ See the full comment at https://github.com/freeipa/freeipa/pull/482#issuecomment-281109356 From freeipa-github-notification at redhat.com Mon Feb 20 16:15:41 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 20 Feb 2017 17:15:41 +0100 Subject: [Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/484 Title: #484: FIPS: Remove pkispawn cruft stlaz commented: """ All should be fixed now. """ See the full comment at https://github.com/freeipa/freeipa/pull/484#issuecomment-281120295 From freeipa-github-notification at redhat.com Mon Feb 20 17:52:21 2017
From: freeipa-github-notification at redhat.com (simo5) Date: Mon, 20 Feb 2017 18:52:21 +0100 Subject: [Freeipa-devel] [freeipa PR#485][opened] Fix session logout Message-ID: URL: https://github.com/freeipa/freeipa/pull/485 Author: simo5 Title: #485: Fix session logout Action: opened PR body: """ There were 2 issues with session logouts, one is that the logout_cookie was checked and acted on in the wrong place, the other is that the wrong value was set in the IPASESSION header. Fixes https://fedorahosted.org/freeipa/ticket/6685 Signed-off-by: Simo Sorce """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/485/head:pr485 git checkout pr485 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-485.patch Type: text/x-diff Size: 2023 bytes Desc: not available URL: From abokovoy at redhat.com Mon Feb 20 18:24:14 2017 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 20 Feb 2017 20:24:14 +0200 Subject: [Freeipa-devel] python-ipaserver & freeipa-server-trust-ad split In-Reply-To: References: Message-ID: <20170220182414.bqfml46eyynydpj6@redhat.com> On la, 18 helmi 2017, Timo Aaltonen wrote: > >Hi, > >So Fedora puts all of dist-packages/ipaserver/* in python-ipaserver, >but dcerpc.py imports python-samba which -ipaserver does not depend on. >So I've kept dcerpc.py and adtrustinstance.py in freeipa-server-trust-ad >on Debian, but now with 4.4.3 (because of fd8c17252fbc) it seems that >ipa-server-install wants to import adtrustinstance and fails to run if >it's not installed. > >Traceback (most recent call last): > File "/usr/sbin/ipa-server-install", line 25, in > from ipaserver.install.server import Server > File >"/usr/lib/python2.7/dist-packages/ipaserver/install/server/__init__.py", >line 8, in > from .upgrade import upgrade_check, upgrade > File >"/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", >line 49, in > from ipaserver.install import adtrustinstance >ImportError: cannot import name adtrustinstance > > >So what to do here? I can't remember exactly what problems I hit when >everything was in python-ipaserver while testing 4.3.0, but I think they >were about the samba stuff.. and don't want to test again without asking >first. Should the upgrader stuff be split? I think we simply can move ipa_smb_conf_exists() to ipapython or ipalib. It only needs to read a config file and check a signature. Signature could be moved to constants. Then ipa_smb_conf_exists() can be imported in both upgrade tool and in adtrustinstance. Want to make a PR? -- / Alexander Bokovoy From freeipa-github-notification at redhat.com Mon Feb 20 19:08:10 2017 
From: freeipa-github-notification at redhat.com (npmccallum) Date: Mon, 20 Feb 2017 20:08:10 +0100 Subject: [Freeipa-devel] [freeipa PR#486][opened] Migrate OTP import script to python-cryptography Message-ID: URL: https://github.com/freeipa/freeipa/pull/486 Author: npmccallum Title: #486: Migrate OTP import script to python-cryptography Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/5192 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/486/head:pr486 git checkout pr486 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-486.patch Type: text/x-diff Size: 13969 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Feb 20 19:08:23 2017 From: freeipa-github-notification at redhat.com (npmccallum) Date: Mon, 20 Feb 2017 20:08:23 +0100 Subject: [Freeipa-devel] [freeipa PR#486][comment] Migrate OTP import script to python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/486 Title: #486: Migrate OTP import script to python-cryptography npmccallum commented: """ This is an old patch I found on my system that doesn't appear to be merged. """ See the full comment at https://github.com/freeipa/freeipa/pull/486#issuecomment-281159669 From freeipa-github-notification at redhat.com Mon Feb 20 19:11:37 2017 
From: freeipa-github-notification at redhat.com (npmccallum) Date: Mon, 20 Feb 2017 20:11:37 +0100 Subject: [Freeipa-devel] [freeipa PR#487][opened] Limit request sizes to /KdcProxy Message-ID: URL: https://github.com/freeipa/freeipa/pull/487 Author: npmccallum Title: #487: Limit request sizes to /KdcProxy Action: opened PR body: """ Related: CVE-2015-5159 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/487/head:pr487 git checkout pr487 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-487.patch Type: text/x-diff Size: 700 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Feb 20 19:12:11 2017 From: freeipa-github-notification at redhat.com (npmccallum) Date: Mon, 20 Feb 2017 20:12:11 +0100 Subject: [Freeipa-devel] [freeipa PR#487][comment] Limit request sizes to /KdcProxy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/487 Title: #487: Limit request sizes to /KdcProxy npmccallum commented: """ I found this old patch on my system. I don't remember if it is relevant any more. Maybe @tiran knows? """ See the full comment at https://github.com/freeipa/freeipa/pull/487#issuecomment-281160380 From freeipa-github-notification at redhat.com Mon Feb 20 19:20:06 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 20 Feb 2017 20:20:06 +0100 Subject: [Freeipa-devel] [freeipa PR#488][opened] Speed up client schema cache Message-ID: URL: https://github.com/freeipa/freeipa/pull/488 Author: tiran Title: #488: Speed up client schema cache Action: opened PR body: """ It's inefficient to open a zip file over and over again. By loading all members of the schema cache file at once, the ipa CLI script starts about 25 to 30% faster for simple cases like help and ping. Before: ``` $ time for i in {1..20}; do ./ipa ping >/dev/null; done real 0m13.608s user 0m10.316s sys 0m1.121s ``` After: ``` $ time for i in {1..20}; do ./ipa ping >/dev/null; done real 0m9.330s user 0m7.635s sys 0m1.146s ``` https://fedorahosted.org/freeipa/ticket/6690 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/488/head:pr488 git checkout pr488 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-488.patch Type: text/x-diff Size: 2864 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Feb 20 19:24:16 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 20 Feb 2017 20:24:16 +0100 Subject: [Freeipa-devel] [freeipa PR#487][comment] Limit request sizes to /KdcProxy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/487 Title: #487: Limit request sizes to /KdcProxy tiran commented: """ You fixed the issue in summer 2015. https://github.com/latchset/kdcproxy/commit/f274aa6787cb8b3ec1cc12c440a56665b7231882 """ See the full comment at https://github.com/freeipa/freeipa/pull/487#issuecomment-281162623 From freeipa-github-notification at redhat.com Mon Feb 20 19:27:56 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 20 Feb 2017 20:27:56 +0100 Subject: [Freeipa-devel] [freeipa PR#486][comment] Migrate OTP import script to python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/486 Title: #486: Migrate OTP import script to python-cryptography tiran commented: """ Thanks Indiana Nathaniel, good code archaeology. The ticket aligns nicely with https://fedorahosted.org/freeipa/ticket/6650 """ See the full comment at https://github.com/freeipa/freeipa/pull/486#issuecomment-281163303 From freeipa-github-notification at redhat.com Mon Feb 20 19:28:01 2017 From: freeipa-github-notification at redhat.com (npmccallum) Date: Mon, 20 Feb 2017 20:28:01 +0100 Subject: [Freeipa-devel] [freeipa PR#487][comment] Limit request sizes to /KdcProxy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/487 Title: #487: Limit request sizes to /KdcProxy npmccallum commented: """ @tiran Indeed, I did. Thanks! """ See the full comment at https://github.com/freeipa/freeipa/pull/487#issuecomment-281163319 From freeipa-github-notification at redhat.com Mon Feb 20 19:28:04 2017 From: freeipa-github-notification at redhat.com (npmccallum) Date: Mon, 20 Feb 2017 20:28:04 +0100 Subject: [Freeipa-devel] [freeipa PR#487][closed] Limit request sizes to /KdcProxy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/487 Author: npmccallum Title: #487: Limit request sizes to /KdcProxy Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/487/head:pr487 git checkout pr487 From freeipa-github-notification at redhat.com Mon Feb 20 19:28:13 2017 
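For readers who want to see the technique PR#487 is about (bounding the size of a proxied request before it is read), here is an added illustration in plain WSGI. It is not kdcproxy's or FreeIPA's code: MAX_REQUEST_BYTES, the response texts and the simulate() driver are assumptions made for the example, and the sample bodies are constructed. The point it shows is that a Content-Length check alone is not enough; the actual read must be bounded too, because the header can be absent or wrong.

```python
"""Bounded request bodies for a WSGI endpoint such as /KdcProxy."""
import io

# Assumed limit for one proxied Kerberos message; the thread does not
# state the value kdcproxy actually uses.
MAX_REQUEST_BYTES = 64 * 1024


def read_bounded(stream, limit):
    """Read at most `limit` bytes from `stream`; return None if it holds more.

    Asking for limit + 1 bytes detects an oversized body without ever
    buffering the whole stream, and works with or without Content-Length.
    """
    data = stream.read(limit + 1)
    if len(data) > limit:
        return None
    return data


def kdcproxy_app(environ, start_response):
    """Minimal WSGI application that refuses oversized POST bodies."""
    headers = [("Content-Type", "text/plain")]
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("405 Method Not Allowed", headers)
        return [b"POST required\n"]

    # Cheap rejection first: a declared Content-Length over the limit is
    # refused before a single body byte is read.
    raw_length = environ.get("CONTENT_LENGTH") or ""
    if raw_length:
        try:
            declared = int(raw_length)
        except ValueError:
            declared = -1
        if declared < 0:
            start_response("400 Bad Request", headers)
            return [b"bad Content-Length\n"]
        if declared > MAX_REQUEST_BYTES:
            start_response("413 Payload Too Large", headers)
            return [b"request too large\n"]

    # Still bound the real read: the header may be absent or simply wrong.
    body = read_bounded(environ["wsgi.input"], MAX_REQUEST_BYTES)
    if body is None:
        start_response("413 Payload Too Large", headers)
        return [b"request too large\n"]

    # Forwarding the message to a KDC is out of scope here; report what
    # was accepted so the behaviour can be checked.
    start_response("200 OK", headers)
    return [b"accepted %d bytes\n" % len(body)]


def simulate(body, content_length=None, method="POST"):
    """Drive the app with a constructed WSGI environ; returns (status, body)."""
    environ = {
        "REQUEST_METHOD": method,
        "wsgi.input": io.BytesIO(body),
        "CONTENT_LENGTH": "" if content_length is None else str(content_length),
    }
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    out = b"".join(kdcproxy_app(environ, start_response))
    return captured["status"], out


if __name__ == "__main__":
    print(simulate(b"\x00" * 100, 100))
    print(simulate(b"\x00" * (MAX_REQUEST_BYTES + 1), MAX_REQUEST_BYTES + 1))
    print(simulate(b"\x00" * (MAX_REQUEST_BYTES + 1)))  # no Content-Length sent
```

Behind a real server the same limit is often enforced once more in the front end (for example Apache's LimitRequestBody), but the application-level check is what protects the proxy when it is deployed elsewhere.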
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 20 Feb 2017 20:28:13 +0100 Subject: [Freeipa-devel] [freeipa PR#487][+rejected] Limit request sizes to /KdcProxy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/487 Title: #487: Limit request sizes to /KdcProxy Label: +rejected From freeipa-github-notification at redhat.com Tue Feb 21 00:00:22 2017 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Tue, 21 Feb 2017 01:00:22 +0100 Subject: [Freeipa-devel] [freeipa PR#480][comment] Add request_type doc string in cert-request In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/480 Title: #480: Add request_type doc string in cert-request frasertweedale commented: """ I would like to NACK this. We instead want to hide or remove the option, because we only support PKCS #10 and this is unlikely to change any time soon. There is already a ticket for that: https://fedorahosted.org/freeipa/ticket/5734 """ See the full comment at https://github.com/freeipa/freeipa/pull/480#issuecomment-281209123 From freeipa-github-notification at redhat.com Tue Feb 21 06:57:48 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Tue, 21 Feb 2017 07:57:48 +0100 Subject: [Freeipa-devel] [freeipa PR#480][comment] Add request_type doc string in cert-request In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/480 Title: #480: Add request_type doc string in cert-request Akasurde commented: """ @frasertweedale What do you recommend to hide this option? Does removing this option have a detrimental effect on the `cert-request` command? """ See the full comment at https://github.com/freeipa/freeipa/pull/480#issuecomment-281260868 From freeipa-github-notification at redhat.com Tue Feb 21 07:47:06 2017
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 21 Feb 2017 08:47:06 +0100 Subject: [Freeipa-devel] [freeipa PR#486][comment] Migrate OTP import script to python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/486 Title: #486: Migrate OTP import script to python-cryptography stlaz commented: """ Thanks for the patch, less `nss` is always good. It seems that python-cryptography might have added the `backend` attribute to some constructors since the patch was created, our tests found two such spots, if you could perhaps add it there. I personally don't care much for the pep8 errors, IMHO the code reads better this way. """ See the full comment at https://github.com/freeipa/freeipa/pull/486#issuecomment-281268640 From freeipa-github-notification at redhat.com Tue Feb 21 08:54:20 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 21 Feb 2017 09:54:20 +0100 Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/367/head:pr367 git checkout pr367 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-367.patch Type: text/x-diff Size: 120103 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 21 08:54:37 2017
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 21 Feb 2017 09:54:37 +0100 Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/367 Title: #367: Remove nsslib from IPA stlaz commented: """ Rebased on current master. """ See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-281281981 From freeipa-github-notification at redhat.com Tue Feb 21 08:55:39 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 21 Feb 2017 09:55:39 +0100 Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages tiran commented: """ Yes, it is the right thing to do. You can trust in the expert with a decade of experience with Python packaging (formerly known as cheese shop). """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281282232 From freeipa-github-notification at redhat.com Tue Feb 21 09:21:02 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 21 Feb 2017 10:21:02 +0100 Subject: [Freeipa-devel] [freeipa PR#489][opened] Fix error in ca_cert_files validator Message-ID: URL: https://github.com/freeipa/freeipa/pull/489 Author: stlaz Title: #489: Fix error in ca_cert_files validator Action: opened PR body: """ ClientInstall expects a single ca_cert_file as a string but the framework gives it a list. https://fedorahosted.org/freeipa/ticket/6694 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/489/head:pr489 git checkout pr489 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-489.patch Type: text/x-diff Size: 1043 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 21 09:24:21 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 21 Feb 2017 10:24:21 +0100 Subject: [Freeipa-devel] [freeipa PR#490][opened] [WIP] certdb: use certutil and match_hostname for cert verification Message-ID: URL: https://github.com/freeipa/freeipa/pull/490 Author: HonzaCholasta Title: #490: [WIP] certdb: use certutil and match_hostname for cert verification Action: opened PR body: """ Use certutil and ssl.match_hostname calls instead of python-nss for certificate verification. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/490/head:pr490 git checkout pr490 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-490.patch Type: text/x-diff Size: 8754 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 21 09:29:21 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 21 Feb 2017 10:29:21 +0100 Subject: [Freeipa-devel] [freeipa PR#491][opened] Don't prepend option names with additional '--' Message-ID: URL: https://github.com/freeipa/freeipa/pull/491 Author: stlaz Title: #491: Don't prepend option names with additional '--' Action: opened PR body: """ The options now have '--' prepended by their names already, don't add it. https://fedorahosted.org/freeipa/ticket/6392 The issue example: running `ipa-client-install --ca-cert-file /home/cartman/nonexistent_file` gives ``` Usage: ipa-client-install [options] ipa-client-install: error: option ----ca-cert-file: '/home/slaznick/pokus' is not a valid certificate file ``` """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/491/head:pr491 git checkout pr491 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-491.patch Type: text/x-diff Size: 1046 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 21 09:42:59 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 21 Feb 2017 10:42:59 +0100 Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/397 Title: #397: Improve wheel building and provide ipaserver wheel for local testing tiran commented: """ @pvoborni The main reason for this PR is explained in the initial PR message. I like to run an IPA framework server with specially instrumented Python builds for profiling or for debugging. The special builds are powerful and incredibly useful tools to find bugs or hot spots. Profile and debug builds have a different ABI than standard builds. Therefore I have to compile all C extensions myself to make them compatible with the new ABI. It is much easier than it sounds, because distutils, setuptools and pip just take care of all the complicated bits and pieces. But this works only for native Python packages. SSSD uses its own build system and has no packages on PyPI. It would take too much time and effort to change SSSD now. Commits 1f195bb4 and c69c30c2 make pyhbac and other SSSD components optional. Commit 905118a1 allows me to build all ipaserver wheels and full ipaclient wheels with ```install``` subpackage for local testing. These packages are not meant to be uploaded to PyPI. They are really just for local testing. Last but not least 5710587f is a workaround for a python-nss packaging issue. @jdennis is aware of the problem and will address it in due time. We can't get rid of python-nss. Dogtag PKI's Python modules depend on python-nss. """ See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-281293368 From freeipa-github-notification at redhat.com Tue Feb 21 09:47:04 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 21 Feb 2017 10:47:04 +0100 Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/397 Title: #397: Improve wheel building and provide ipaserver wheel for local testing tiran commented: """ To clarify and emphasize, this PR has nothing to do with the PyPI packaging effort. Zero. Zip. Nada. Nilch! The sole intent of this PR is debugging and profiling. It gives us tools to find bugs, to increase performance and to reduce memory usage. """ See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-281294344 From freeipa-github-notification at redhat.com Tue Feb 21 09:52:25 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 21 Feb 2017 10:52:25 +0100 Subject: [Freeipa-devel] [freeipa PR#489][comment] Fix error in ca_cert_files validator In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/489 Title: #489: Fix error in ca_cert_files validator tiran commented: """ tentative ack, see comment """ See the full comment at https://github.com/freeipa/freeipa/pull/489#issuecomment-281295634 From freeipa-github-notification at redhat.com Tue Feb 21 10:06:33 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 21 Feb 2017 11:06:33 +0100 Subject: [Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/472 Author: tiran Title: #472: Packaging: Add placeholder packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/472/head:pr472 git checkout pr472 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-472.patch Type: text/x-diff Size: 26863 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 21 10:34:25 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 21 Feb 2017 11:34:25 +0100 Subject: [Freeipa-devel] [freeipa PR#490][comment] [WIP] certdb: use certutil and match_hostname for cert verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/490 Title: #490: [WIP] certdb: use certutil and match_hostname for cert verification tiran commented: """ Do we ensure that the function is always called with an IDN A-Label encoded hostname? ```ssl.match_hostname``` assumes that all parts are A-labels, not U-labels. """ See the full comment at https://github.com/freeipa/freeipa/pull/490#issuecomment-281305611 From freeipa-github-notification at redhat.com Tue Feb 21 10:40:08 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 21 Feb 2017 11:40:08 +0100 Subject: [Freeipa-devel] [freeipa PR#476][synchronized] vault: cache the transport certificate on client In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/476 Author: HonzaCholasta Title: #476: vault: cache the transport certificate on client Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/476/head:pr476 git checkout pr476 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-476.patch Type: text/x-diff Size: 11276 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 21 10:51:40 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 21 Feb 2017 11:51:40 +0100 Subject: [Freeipa-devel] [freeipa PR#489][+ack] Fix error in ca_cert_files validator In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/489 Title: #489: Fix error in ca_cert_files validator Label: +ack From freeipa-github-notification at redhat.com Tue Feb 21 10:54:46 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 21 Feb 2017 11:54:46 +0100 Subject: [Freeipa-devel] [freeipa PR#491][+ack] Don't prepend option names with additional '--' In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/491 Title: #491: Don't prepend option names with additional '--' Label: +ack From freeipa-github-notification at redhat.com Tue Feb 21 10:59:32 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 21 Feb 2017 11:59:32 +0100 Subject: [Freeipa-devel] [freeipa PR#482][synchronized] Don't count service/host/user cert md5 fprints in FIPS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/482 Author: stlaz Title: #482: Don't count service/host/user cert md5 fprints in FIPS Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/482/head:pr482 git checkout pr482 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-482.patch Type: text/x-diff Size: 15981 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 21 11:00:00 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 21 Feb 2017 12:00:00 +0100 Subject: [Freeipa-devel] [freeipa PR#482][edited] Don't count service/host/user cert md5 fprints in FIPS In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/482 Author: stlaz Title: #482: Don't count service/host/user cert md5 fprints in FIPS Action: edited Changed field: title Original value: """ Don't count service/host/user cert md5 fprints in FIPS """ From freeipa-github-notification at redhat.com Tue Feb 21 11:02:05 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 21 Feb 2017 12:02:05 +0100 Subject: [Freeipa-devel] [freeipa PR#482][comment] Remove MD5 certificate fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/482 Title: #482: Remove MD5 certificate fingerprints stlaz commented: """ @rcritten thanks for noticing the discrepancy in the previous version of the commit, it was a leftover from the previous implementation. I reworked the commit to remove MD5 certificate fingerprints completely, leaving just SHA1. Is it a requirement to accept this patch to announce this on freeipa-devel/users? """ See the full comment at https://github.com/freeipa/freeipa/pull/482#issuecomment-281311697 From freeipa-github-notification at redhat.com Tue Feb 21 11:03:08 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 21 Feb 2017 12:03:08 +0100 Subject: [Freeipa-devel] [freeipa PR#476][synchronized] vault: cache the transport certificate on client In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/476 Author: HonzaCholasta Title: #476: vault: cache the transport certificate on client Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/476/head:pr476 git checkout pr476 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-476.patch Type: text/x-diff Size: 11497 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 21 11:12:13 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 21 Feb 2017 12:12:13 +0100 Subject: [Freeipa-devel] [freeipa PR#490][comment] [WIP] certdb: use certutil and match_hostname for cert verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/490 Title: #490: [WIP] certdb: use certutil and match_hostname for cert verification HonzaCholasta commented: """ @tiran, how do I ensure that? """ See the full comment at https://github.com/freeipa/freeipa/pull/490#issuecomment-281313807 From freeipa-github-notification at redhat.com Tue Feb 21 11:18:35 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 21 Feb 2017 12:18:35 +0100 Subject: [Freeipa-devel] [freeipa PR#490][comment] [WIP] certdb: use certutil and match_hostname for cert verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/490 Title: #490: [WIP] certdb: use certutil and match_hostname for cert verification tiran commented: """ The hostname must be ASCII text. Something like ```hostname.encode('ascii')``` should catch non-ASCII text and Python 3 bytes. """ See the full comment at https://github.com/freeipa/freeipa/pull/490#issuecomment-281315108 From freeipa-github-notification at redhat.com Tue Feb 21 11:22:25 2017 
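The point tiran raises on PR#490 is easy to get wrong, so here is an added example (not FreeIPA's code, and not a call into ssl.match_hostname, which later Python releases removed) of converting a hostname to A-labels first and then matching it against the dNSName values a certificate presents. The matching rules re-implemented here are the usual ones: exact label comparison, a bare `*` only as the whole leftmost label, and no wildcard match across more than one label. The SAN lists and hostnames used are constructed.

```python
"""Hostname normalisation to A-labels and dNSName matching on top of it."""


def to_alabel(hostname):
    """Return `hostname` as lowercase ASCII A-labels.

    Accepts str (U-labels or plain ASCII) or bytes, which must already be
    ASCII (the hostname.encode('ascii') style check). Raises UnicodeError
    for labels that cannot be represented.
    """
    if isinstance(hostname, bytes):
        hostname = hostname.decode("ascii")
    hostname = hostname.rstrip(".")
    # The stdlib 'idna' codec applies ToASCII label by label: ASCII labels
    # pass through, non-ASCII ones become punycode with the xn-- prefix.
    return hostname.encode("idna").decode("ascii").lower()


def _dns_name_matches(pattern, name):
    """Match one presented dNSName against a hostname; both are A-labels."""
    p_labels = pattern.split(".")
    n_labels = name.split(".")
    if "*" not in pattern:
        return p_labels == n_labels
    # Only a bare '*' as the entire leftmost label is honoured, it stands
    # for exactly one label, and at least two labels must follow it so
    # that '*.test' cannot match every name under a TLD.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def match_hostname(dns_names, hostname):
    """True if any presented dNSName matches `hostname` after conversion.

    Both sides are normalised with to_alabel(), so a certificate carrying
    'xn--bcher-kva.example' matches the U-label form the user typed.
    """
    name = to_alabel(hostname)
    return any(_dns_name_matches(to_alabel(p), name) for p in dns_names)


if __name__ == "__main__":
    # Constructed SAN list; the IDN entry is the A-label of "b\u00fccher.example".
    san = ["ipa.example.test", "*.example.test", "xn--bcher-kva.example"]
    for host in ["IPA.example.test", "replica.example.test",
                 "a.b.example.test", "b\u00fccher.example"]:
        print(host, to_alabel(host), match_hostname(san, host))
```

Note that a comparison done on the raw U-label would silently fail: `"b\u00fccher.example"` is not equal to the certificate's `xn--bcher-kva.example` until it has been through to_alabel(), which is exactly the case the review comment is about.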
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Tue, 21 Feb 2017 12:22:25 +0100 Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages MartinBasti commented: """ I talked with Honza about how to handle the build dependency for pypi, and we may remove the commit that adds python-wheel or add a new option to the specfile that will install pypi related packages, `with_pypi` or so. Do you plan to have more dependencies related only to pypi? """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281315896 From freeipa-github-notification at redhat.com Tue Feb 21 11:29:38 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Tue, 21 Feb 2017 12:29:38 +0100 Subject: [Freeipa-devel] [freeipa PR#490][synchronized] [WIP] certdb: use certutil and match_hostname for cert verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/490 Author: HonzaCholasta Title: #490: [WIP] certdb: use certutil and match_hostname for cert verification Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/490/head:pr490 git checkout pr490 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-490.patch Type: text/x-diff Size: 8731 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 21 11:30:55 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 21 Feb 2017 12:30:55 +0100 Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages tiran commented: """ You requested a dependency in the first place :) If you are going to add a special build or dependency flavor for PyPI packaging, please also add ```python[23]-twine```. It's the uploader tool we are going to use to upload packages to PyPI. """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281317542 From freeipa-github-notification at redhat.com Tue Feb 21 11:45:16 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 21 Feb 2017 12:45:16 +0100 Subject: [Freeipa-devel] [freeipa PR#482][comment] Remove MD5 certificate fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/482 Title: #482: Remove MD5 certificate fingerprints tomaskrizek commented: """ @stlaz I think it'd be good to discuss this change on freeipa-devel. Also, since we're removing md5, I'd consider adding sha256. """ See the full comment at https://github.com/freeipa/freeipa/pull/482#issuecomment-281320504 From freeipa-github-notification at redhat.com Tue Feb 21 11:45:18 2017
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Tue, 21 Feb 2017 12:45:18 +0100 Subject: [Freeipa-devel] [freeipa PR#480][comment] Add request_type doc string in cert-request In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/480 Title: #480: Add request_type doc string in cert-request frasertweedale commented: """ @Akasurde if we just want to hide it, I think you use a client override for the `cert_request` command and filter out the option. @HonzaCholasta can confirm. OTOH if we just want to remove it altogether, that is straightforward. It will break any clients that explicitly pass the option. I suspect it's unlikely that there are such clients out there, but we cannot know for sure, so as much as I'd like to remove it, I'm hesitant. """ See the full comment at https://github.com/freeipa/freeipa/pull/480#issuecomment-281320509 From slaznick at redhat.com Tue Feb 21 11:59:40 2017 From: slaznick at redhat.com (Standa Laznicka) Date: Tue, 21 Feb 2017 12:59:40 +0100 Subject: [Freeipa-devel] MD5 certificate fingerprints removal Message-ID: <9a900970-0725-f942-c4ff-3b42ac430c63@redhat.com> Hello, Since we're trying to make FreeIPA work in FIPS we got to the point where we need to do something with MD5 fingerprints in the cert plugin. Eventually we came to a realization that it'd be best to get rid of them as a whole. These are counted by the framework and are not stored anywhere. Note that alongside with these fingerprints SHA1 fingerprints are also counted and those are there to stay. The question for this ML is, then - is it OK to remove these or would you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a grandpa and I think it should go. Standa From freeipa-github-notification at redhat.com Tue Feb 21 12:34:11 2017 
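To make the MD5 fingerprint discussion above (PR#482 and Standa's mail) concrete, here is an added example, not FreeIPA's cert plugin code, of what a fingerprint actually is and what "drop MD5, keep SHA-1, add SHA-256" looks like on the producing and the consuming side. A certificate fingerprint is just a digest over the DER encoding, so the sample input is a constructed byte string standing in for real DER; the attribute names `sha1_fingerprint` and `sha256_fingerprint` follow the `md5_fingerprint` naming used in the thread and are otherwise an assumption. The consumer-side check refuses an MD5-sized value outright, which is the "fail early" behaviour MartinBasti asks for from automation that still carries MD5 values.

```python
"""Certificate fingerprints without MD5: SHA-1 and SHA-256 over DER bytes."""
import hashlib
import hmac

# Digests offered. MD5 is deliberately absent: hashlib.new("md5") raises
# ValueError under a FIPS-mode OpenSSL, and it has no place in this API.
FINGERPRINT_ALGORITHMS = ("sha1", "sha256")

# Hex-digest length -> algorithm, used to recognise what a caller handed us.
_LENGTH_TO_ALGORITHM = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed stand-in for a DER-encoded certificate (not a real cert).
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed stand-in for DER certificate bytes"


def fingerprint(der, algorithm):
    """Return the colon-separated, uppercase fingerprint of `der`."""
    if algorithm not in FINGERPRINT_ALGORITHMS:
        raise ValueError("unsupported fingerprint algorithm: %s" % algorithm)
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints(der):
    """Virtual attributes in the shape the thread discusses, minus MD5."""
    return {"%s_fingerprint" % alg: fingerprint(der, alg)
            for alg in FINGERPRINT_ALGORITHMS}


def verify_fingerprint(der, expected):
    """Compare an operator-supplied fingerprint with the certificate.

    Any of the common spellings (colons, spaces, either case) is accepted.
    The algorithm is inferred from the digest length; an MD5-sized value
    is refused with an error instead of being compared, so automation that
    still pins MD5 fingerprints fails loudly rather than mysteriously.
    """
    normalised = expected.replace(":", "").replace(" ", "").lower()
    algorithm = _LENGTH_TO_ALGORITHM.get(len(normalised))
    if algorithm is None:
        raise ValueError("fingerprint length %d matches no known digest"
                         % len(normalised))
    if algorithm not in FINGERPRINT_ALGORITHMS:
        raise ValueError("%s fingerprints are not accepted" % algorithm)
    actual = hashlib.new(algorithm, der).hexdigest()
    # Fingerprints are not secrets, but a constant-time compare costs nothing.
    return hmac.compare_digest(actual, normalised)


if __name__ == "__main__":
    for name, value in sorted(fingerprints(SAMPLE_DER).items()):
        print("%-18s %s" % (name, value))
    print(verify_fingerprint(SAMPLE_DER, fingerprints(SAMPLE_DER)["sha256_fingerprint"]))
```

The empty input is a handy self-check for the formatting: SHA-1 of zero bytes is the well-known DA:39:A3:EE:..., SHA-256 is E3:B0:C4:42:..., and both come out of fingerprint() in that form.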
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 21 Feb 2017 13:34:11 +0100
Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing
URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local testing

HonzaCholasta commented:
"""
I can't say I agree with this approach. If this is just for testing, surely you can work around the missing `pyhbac` in some isolated spot rather than make the import optional all over the place, when it is in fact required. Maybe inject an empty module into `sys.modules` if it's missing? Or reach out to the SSSD guys and help them add `pyhbac` to PyPI?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-281332519

From freeipa-github-notification at redhat.com Tue Feb 21 12:37:20 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 21 Feb 2017 13:37:20 +0100
Subject: [Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check
URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check

HonzaCholasta commented:
"""
LGTM.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/437#issuecomment-281333137

From freeipa-github-notification at redhat.com Tue Feb 21 12:44:04 2017
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Tue, 21 Feb 2017 13:44:04 +0100
Subject: [Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
Title: #398: Support for Certificate Identity Mapping
Action: synchronized

To pull the PR as Git branch:
  git remote add ghfreeipa https://github.com/freeipa/freeipa
  git fetch ghfreeipa pull/398/head:pr398
  git checkout pr398

A non-text attachment was scrubbed: freeipa-pr-398.patch (text/x-diff, 50729 bytes)

From freeipa-github-notification at redhat.com Tue Feb 21 12:52:32 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 21 Feb 2017 13:52:32 +0100
Subject: [Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check
URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check

stlaz commented:
"""
3 LGTM + tests passing seems like a good enough reason for ACK to me.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/437#issuecomment-281336192

From freeipa-github-notification at redhat.com Tue Feb 21 12:52:39 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 21 Feb 2017 13:52:39 +0100
Subject: [Freeipa-devel] [freeipa PR#437][+ack] FIPS: replica install check
URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check
Label: +ack

From freeipa-github-notification at redhat.com Tue Feb 21 12:57:33 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 21 Feb 2017 13:57:33 +0100
Subject: [Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

HonzaCholasta commented:
"""
LGTM. @flo-renaud, don't forget to register the new OIDs.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-281337299

From freeipa-github-notification at redhat.com Tue Feb 21 13:52:12 2017
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Tue, 21 Feb 2017 14:52:12 +0100
Subject: [Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
Title: #398: Support for Certificate Identity Mapping
Action: synchronized

To pull the PR as Git branch:
  git remote add ghfreeipa https://github.com/freeipa/freeipa
  git fetch ghfreeipa pull/398/head:pr398
  git checkout pr398

A non-text attachment was scrubbed: freeipa-pr-398.patch (text/x-diff, 50747 bytes)

From freeipa-github-notification at redhat.com Tue Feb 21 14:04:42 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 21 Feb 2017 15:04:42 +0100
Subject: [Freeipa-devel] [freeipa PR#482][comment] Remove MD5 certificate fingerprints
URL: https://github.com/freeipa/freeipa/pull/482
Title: #482: Remove MD5 certificate fingerprints

MartinBasti commented:
"""
+1 for sha256
"""
See the full comment at https://github.com/freeipa/freeipa/pull/482#issuecomment-281352849

From freeipa-github-notification at redhat.com Tue Feb 21 14:18:56 2017
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Tue, 21 Feb 2017 15:18:56 +0100
Subject: [Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
Title: #398: Support for Certificate Identity Mapping
Action: synchronized

To pull the PR as Git branch:
  git remote add ghfreeipa https://github.com/freeipa/freeipa
  git fetch ghfreeipa pull/398/head:pr398
  git checkout pr398

A non-text attachment was scrubbed: freeipa-pr-398.patch (text/x-diff, 50749 bytes)

From rcritten at redhat.com Tue Feb 21 14:23:12 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 21 Feb 2017 09:23:12 -0500
Subject: [Freeipa-devel] MD5 certificate fingerprints removal
In-Reply-To: <9a900970-0725-f942-c4ff-3b42ac430c63@redhat.com>
References: <9a900970-0725-f942-c4ff-3b42ac430c63@redhat.com>

Standa Laznicka wrote:
> Hello,
>
> Since we're trying to make FreeIPA work in FIPS we got to the point
> where we need to do something with MD5 fingerprints in the cert plugin.
> Eventually we came to a realization that it'd be best to get rid of them
> as a whole. These are counted by the framework and are not stored
> anywhere. Note that alongside with these fingerprints SHA1 fingerprints
> are also counted and those are there to stay.
>
> The question for this ML is, then - is it OK to remove these or would
> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
> grandpa and I think it should go.

I based the values displayed on what certutil displayed at the time (7 years ago). I don't know that anyone uses these fingerprints. The OpenSSL equivalent doesn't include them by default.

You may be able to deprecate fingerprints altogether.

rob

From freeipa-github-notification at redhat.com Tue Feb 21 14:30:55 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 21 Feb 2017 15:30:55 +0100
Subject: [Freeipa-devel] [freeipa PR#492][opened] [WIP] config: remove meaningless defaults
URL: https://github.com/freeipa/freeipa/pull/492
Author: HonzaCholasta
Title: #492: [WIP] config: remove meaningless defaults
Action: opened

PR body:
"""
**ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri**

Domain, realm, basedn, xmlrpc_uri, ldap_uri do not have any reasonable default. This patch removes the hardcoded defaults so the code which depends on these values blows up early and does not do crazy stuff with default values instead of real ones.

This should help to uncover issues caused by improper ipalib initialization.

**config: provide defaults for `xmlrpc_uri`, `ldap_uri` and `basedn`**

Derive the default value of `xmlrpc_uri` and `ldap_uri` from `server`. Derive the default value of `basedn` from `domain`.

This supersedes @pspacek's PR #113.
"""

To pull the PR as Git branch:
  git remote add ghfreeipa https://github.com/freeipa/freeipa
  git fetch ghfreeipa pull/492/head:pr492
  git checkout pr492

A non-text attachment was scrubbed: freeipa-pr-492.patch (text/x-diff, 7201 bytes)

From freeipa-github-notification at redhat.com Tue Feb 21 14:31:04 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 21 Feb 2017 15:31:04 +0100
Subject: [Freeipa-devel] [freeipa PR#491][+pushed] Don't prepend option names with additional '--'
URL: https://github.com/freeipa/freeipa/pull/491
Title: #491: Don't prepend option names with additional '--'
Label: +pushed

From freeipa-github-notification at redhat.com Tue Feb 21 14:31:05 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 21 Feb 2017 15:31:05 +0100
Subject: [Freeipa-devel] [freeipa PR#491][comment] Don't prepend option names with additional '--'
URL: https://github.com/freeipa/freeipa/pull/491
Title: #491: Don't prepend option names with additional '--'

MartinBasti commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/9ac068ad04a2323192f9447986a3d1c5431f1e50
"""
See the full comment at https://github.com/freeipa/freeipa/pull/491#issuecomment-281360005

From freeipa-github-notification at redhat.com Tue Feb 21 14:31:07 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 21 Feb 2017 15:31:07 +0100
Subject: [Freeipa-devel] [freeipa PR#491][closed] Don't prepend option names with additional '--'
URL: https://github.com/freeipa/freeipa/pull/491
Author: stlaz
Title: #491: Don't prepend option names with additional '--'
Action: closed

To pull the PR as Git branch:
  git remote add ghfreeipa https://github.com/freeipa/freeipa
  git fetch ghfreeipa pull/491/head:pr491
  git checkout pr491

From freeipa-github-notification at redhat.com Tue Feb 21 14:31:53 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 21 Feb 2017 15:31:53 +0100
Subject: [Freeipa-devel] [freeipa PR#113][+rejected] ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri
URL: https://github.com/freeipa/freeipa/pull/113
Title: #113: ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri
Label: +rejected

From freeipa-github-notification at redhat.com Tue Feb 21 14:31:57 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 21 Feb 2017 15:31:57 +0100
Subject: [Freeipa-devel] [freeipa PR#113][comment] ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri
URL: https://github.com/freeipa/freeipa/pull/113
Title: #113: ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri

HonzaCholasta commented:
"""
Superseded by #492.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/113#issuecomment-281360258

From freeipa-github-notification at redhat.com Tue Feb 21 14:31:59 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 21 Feb 2017 15:31:59 +0100
Subject: [Freeipa-devel] [freeipa PR#113][closed] ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri
URL: https://github.com/freeipa/freeipa/pull/113
Author: pspacek
Title: #113: ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri
Action: closed

To pull the PR as Git branch:
  git remote add ghfreeipa https://github.com/freeipa/freeipa
  git fetch ghfreeipa pull/113/head:pr113
  git checkout pr113

From freeipa-github-notification at redhat.com Tue Feb 21 14:32:28 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 21 Feb 2017 15:32:28 +0100
Subject: [Freeipa-devel] [freeipa PR#489][+pushed] Fix error in ca_cert_files validator
URL: https://github.com/freeipa/freeipa/pull/489
Title: #489: Fix error in ca_cert_files validator
Label: +pushed

From freeipa-github-notification at redhat.com Tue Feb 21 14:32:30 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 21 Feb 2017 15:32:30 +0100
Subject: [Freeipa-devel] [freeipa PR#489][comment] Fix error in ca_cert_files validator
URL: https://github.com/freeipa/freeipa/pull/489
Title: #489: Fix error in ca_cert_files validator

MartinBasti commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/0fffeabe0249d9c3c11e522fccf22ddeb1197b64
"""
See the full comment at https://github.com/freeipa/freeipa/pull/489#issuecomment-281360382

From freeipa-github-notification at redhat.com Tue Feb 21 14:32:31 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 21 Feb 2017 15:32:31 +0100
Subject: [Freeipa-devel] [freeipa PR#489][closed] Fix error in ca_cert_files validator
URL: https://github.com/freeipa/freeipa/pull/489
Author: stlaz
Title: #489: Fix error in ca_cert_files validator
Action: closed

To pull the PR as Git branch:
  git remote add ghfreeipa https://github.com/freeipa/freeipa
  git fetch ghfreeipa pull/489/head:pr489
  git checkout pr489

From freeipa-github-notification at redhat.com Tue Feb 21 14:33:40 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 21 Feb 2017 15:33:40 +0100
Subject: [Freeipa-devel] [freeipa PR#481][+pushed] Minor typo fix in DNS install plugin
URL: https://github.com/freeipa/freeipa/pull/481
Title: #481: Minor typo fix in DNS install plugin
Label: +pushed

From freeipa-github-notification at redhat.com Tue Feb 21 14:33:42 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 21 Feb 2017 15:33:42 +0100
Subject: [Freeipa-devel] [freeipa PR#481][comment] Minor typo fix in DNS install plugin
URL: https://github.com/freeipa/freeipa/pull/481
Title: #481: Minor typo fix in DNS install plugin

MartinBasti commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/cc446fb44870592f73af9c0dc2a35c5d37ce7a5c
"""
See the full comment at https://github.com/freeipa/freeipa/pull/481#issuecomment-281360728

From freeipa-github-notification at redhat.com Tue Feb 21 14:33:43 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 21 Feb 2017 15:33:43 +0100
Subject: [Freeipa-devel] [freeipa PR#481][closed] Minor typo fix in DNS install plugin
URL: https://github.com/freeipa/freeipa/pull/481
Author: Akasurde
Title: #481: Minor typo fix in DNS install plugin
Action: closed

To pull the PR as Git branch:
  git remote add ghfreeipa https://github.com/freeipa/freeipa
  git fetch ghfreeipa pull/481/head:pr481
  git checkout pr481

From freeipa-github-notification at redhat.com Tue Feb 21 14:35:47 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 21 Feb 2017 15:35:47 +0100
Subject: [Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check
URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check

MartinBasti commented:
"""
Needs rebase
"""
See the full comment at https://github.com/freeipa/freeipa/pull/437#issuecomment-281361284

From freeipa-github-notification at redhat.com Tue Feb 21 15:05:20 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 21 Feb 2017 16:05:20 +0100
Subject: [Freeipa-devel] [freeipa PR#492][comment] [WIP] config: remove meaningless defaults
URL: https://github.com/freeipa/freeipa/pull/492
Title: #492: [WIP] config: remove meaningless defaults

tiran commented:
"""
https://github.com/HonzaCholasta/freeipa/blob/4ebf4b907213c9951eb9cbd276e0460552563fb1/ipalib/config.py#L579 initializes server from jsonrpc_uri. Does it make sense to move this block before your new code?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/492#issuecomment-281369964

From freeipa-github-notification at redhat.com Tue Feb 21 15:19:15 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 21 Feb 2017 16:19:15 +0100
Subject: [Freeipa-devel] [freeipa PR#492][comment] [WIP] config: remove meaningless defaults
URL: https://github.com/freeipa/freeipa/pull/492
Title: #492: [WIP] config: remove meaningless defaults

HonzaCholasta commented:
"""
@tiran, not really, the order does not matter here.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/492#issuecomment-281373944

From freeipa-github-notification at redhat.com Tue Feb 21 15:20:18 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 21 Feb 2017 16:20:18 +0100
Subject: [Freeipa-devel] [freeipa PR#399][comment] Certificate mapping test
URL: https://github.com/freeipa/freeipa/pull/399
Title: #399: Certificate mapping test

martbab commented:
"""
I have some inline comments. I was also thinking about the nomenclature of the Tracker mixins and I think we should name them based on the noun of the action that is being tracked, e.g:

RetrievalTracker
SearchTracker
CreationTracker
ModificationTracker
"""
See the full comment at https://github.com/freeipa/freeipa/pull/399#issuecomment-281374272

From tkrizek at redhat.com Tue Feb 21 15:24:08 2017
From: tkrizek at redhat.com (Tomas Krizek)
Date: Tue, 21 Feb 2017 16:24:08 +0100
Subject: [Freeipa-devel] MD5 certificate fingerprints removal
References: <9a900970-0725-f942-c4ff-3b42ac430c63@redhat.com>
Message-ID: <5bd6a65a-4e30-1e06-fe46-7f6ec349c374@redhat.com>

On 02/21/2017 03:23 PM, Rob Crittenden wrote:
> Standa Laznicka wrote:
>> Hello,
>>
>> Since we're trying to make FreeIPA work in FIPS we got to the point
>> where we need to do something with MD5 fingerprints in the cert plugin.
>> Eventually we came to a realization that it'd be best to get rid of them
>> as a whole. These are counted by the framework and are not stored
>> anywhere. Note that alongside with these fingerprints SHA1 fingerprints
>> are also counted and those are there to stay.
>>
>> The question for this ML is, then - is it OK to remove these or would
>> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
>> grandpa and I think it should go.
> I based the values displayed on what certutil displayed at the time (7
> years ago). I don't know that anyone uses these fingerprints. The
> OpenSSL equivalent doesn't include them by default.
>
> You may be able to deprecate fingerprints altogether.
>
> rob

I think it's useful to display the certificate's fingerprint. I'm in favor of removing md5 and adding sha256 instead.

--
Tomas Krizek

A non-text attachment was scrubbed: signature.asc (application/pgp-signature, 473 bytes, OpenPGP digital signature)

From freeipa-github-notification at redhat.com Tue Feb 21 15:36:17 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 21 Feb 2017 16:36:17 +0100
Subject: [Freeipa-devel] [freeipa PR#492][comment] [WIP] config: remove meaningless defaults
URL: https://github.com/freeipa/freeipa/pull/492
Title: #492: [WIP] config: remove meaningless defaults

tiran commented:
"""
It does matter. In the current version `if 'server' not in self:` is checked and `self.server` is checked a couple of lines after `if 'ldap_uri' not in self and 'server' in self:`.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/492#issuecomment-281379332

From freeipa-github-notification at redhat.com Tue Feb 21 15:48:18 2017
From: freeipa-github-notification at redhat.com (Akasurde)
Date: Tue, 21 Feb 2017 16:48:18 +0100
Subject: [Freeipa-devel] [freeipa PR#481][comment] Minor typo fix in DNS install plugin
URL: https://github.com/freeipa/freeipa/pull/481
Title: #481: Minor typo fix in DNS install plugin

Akasurde commented:
"""
@stlaz Thanks.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/481#issuecomment-281383157

From freeipa-github-notification at redhat.com Tue Feb 21 15:50:12 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Tue, 21 Feb 2017 16:50:12 +0100
Subject: [Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check
URL: https://github.com/freeipa/freeipa/pull/437
Author: tomaskrizek
Title: #437: FIPS: replica install check
Action: synchronized

To pull the PR as Git branch:
  git remote add ghfreeipa https://github.com/freeipa/freeipa
  git fetch ghfreeipa pull/437/head:pr437
  git checkout pr437

A non-text attachment was scrubbed: freeipa-pr-437.patch (text/x-diff, 8302 bytes)

From freeipa-github-notification at redhat.com Tue Feb 21 16:09:24 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 21 Feb 2017 17:09:24 +0100
Subject: [Freeipa-devel] [freeipa PR#437][+pushed] FIPS: replica install check
URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check
Label: +pushed

From freeipa-github-notification at redhat.com Tue Feb 21 16:09:26 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 21 Feb 2017 17:09:26 +0100
Subject: [Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check
URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check

MartinBasti commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/3372ad2766c0d182fa88c8bc28cf43477dc4cb3b
https://fedorahosted.org/freeipa/changeset/7292890042677ae40faa44753ebf570db6c19e7c
https://fedorahosted.org/freeipa/changeset/62e884ff7f037a28a15d61cc9fa9c46e5c40cda5
https://fedorahosted.org/freeipa/changeset/397ca71e897b42a23ed4ef294fca367c1542a2aa
https://fedorahosted.org/freeipa/changeset/cf25ea7e300cdada57bd964acb4393cc11ad333e
"""
See the full comment at https://github.com/freeipa/freeipa/pull/437#issuecomment-281390101

From freeipa-github-notification at redhat.com Tue Feb 21 16:09:27 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 21 Feb 2017 17:09:27 +0100
Subject: [Freeipa-devel] [freeipa PR#437][closed] FIPS: replica install check
URL: https://github.com/freeipa/freeipa/pull/437
Author: tomaskrizek
Title: #437: FIPS: replica install check
Action: closed

To pull the PR as Git branch:
  git remote add ghfreeipa https://github.com/freeipa/freeipa
  git fetch ghfreeipa pull/437/head:pr437
  git checkout pr437

From freeipa-github-notification at redhat.com Tue Feb 21 16:11:50 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 21 Feb 2017 17:11:50 +0100
Subject: [Freeipa-devel] [freeipa PR#379][synchronized] Packaging: Add placeholder and IPA commands packages
URL: https://github.com/freeipa/freeipa/pull/379
Author: tiran
Title: #379: Packaging: Add placeholder and IPA commands packages
Action: synchronized

To pull the PR as Git branch:
  git remote add ghfreeipa https://github.com/freeipa/freeipa
  git fetch ghfreeipa pull/379/head:pr379
  git checkout pr379

A non-text attachment was scrubbed: freeipa-pr-379.patch (text/x-diff, 40696 bytes)

From freeipa-github-notification at redhat.com Tue Feb 21 16:13:23 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 21 Feb 2017 17:13:23 +0100
Subject: [Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing
URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
Title: #397: Improve wheel building and provide ipaserver wheel for local testing
Action: synchronized

To pull the PR as Git branch:
  git remote add ghfreeipa https://github.com/freeipa/freeipa
  git fetch ghfreeipa pull/397/head:pr397
  git checkout pr397

A non-text attachment was scrubbed: freeipa-pr-397.patch (text/x-diff, 11621 bytes)

From flo at redhat.com Tue Feb 21 16:15:05 2017
From: flo at redhat.com (Florence Blanc-Renaud)
Date: Tue, 21 Feb 2017 17:15:05 +0100
Subject: [Freeipa-devel] Certificate Identity Mapping - new API to retrieve matching users
Message-ID: <3d07fbf9-25aa-e5e9-58a4-c4bf24e389df@redhat.com>

Hi,

related to the Certificate Identity Mapping feature, a new CLI will be needed to find all the users matching a given certificate.

I propose to provide this as:

ipa certmaptest --certificate
---------------
2 users matched
---------------
Matched user login: test1
Matched user login: test2
----------------------------
Number of entries returned 2
----------------------------

Please provide any comments, suggestions on the CLI or the output.
Thanks,
Flo.

From freeipa-github-notification at redhat.com Tue Feb 21 16:19:16 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 21 Feb 2017 17:19:16 +0100
Subject: [Freeipa-devel] [freeipa PR#453][comment] Cleanup certdb
URL: https://github.com/freeipa/freeipa/pull/453
Title: #453: Cleanup certdb

tiran commented:
"""
@stlaz You did most work with NSS and certdb recently. Can you have a look at this collection of fixes? Is it useful for you or do you plan to rip out the module soonish? Either way please feel free to merge or close this PR.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/453#issuecomment-281393254

From slaznick at redhat.com Tue Feb 21 16:23:07 2017
From: slaznick at redhat.com (Standa Laznicka)
Date: Tue, 21 Feb 2017 17:23:07 +0100
Subject: [Freeipa-devel] MD5 certificate fingerprints removal
In-Reply-To: <5bd6a65a-4e30-1e06-fe46-7f6ec349c374@redhat.com>
References: <9a900970-0725-f942-c4ff-3b42ac430c63@redhat.com> <5bd6a65a-4e30-1e06-fe46-7f6ec349c374@redhat.com>

On 02/21/2017 04:24 PM, Tomas Krizek wrote:
> On 02/21/2017 03:23 PM, Rob Crittenden wrote:
>> Standa Laznicka wrote:
>>> Hello,
>>>
>>> Since we're trying to make FreeIPA work in FIPS we got to the point
>>> where we need to do something with MD5 fingerprints in the cert plugin.
>>> Eventually we came to a realization that it'd be best to get rid of them
>>> as a whole. These are counted by the framework and are not stored
>>> anywhere. Note that alongside with these fingerprints SHA1 fingerprints
>>> are also counted and those are there to stay.
>>>
>>> The question for this ML is, then - is it OK to remove these or would
>>> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
>>> grandpa and I think it should go.
>> I based the values displayed on what certutil displayed at the time (7
>> years ago). I don't know that anyone uses these fingerprints. The
>> OpenSSL equivalent doesn't include them by default.
>>
>> You may be able to deprecate fingerprints altogether.
>>
>> rob
> I think it's useful to display the certificate's fingerprint. I'm in
> favor of removing md5 and adding sha256 instead.
>

Rob, thank you for sharing the information of where the cert fingerprints originated! `certutil` shipped with nss-3.27.0-1.3 currently displays SHA-256 and SHA1 fingerprints for certificates so I propose going that way too.

From freeipa-github-notification at redhat.com Tue Feb 21 16:24:13 2017
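The thread above settles on what the framework computes for the cert plugin: a fingerprint is just a digest over the certificate's DER encoding, nothing is stored, so MD5 can be dropped and SHA-256 shown next to SHA-1, matching what certutil prints. The following is an added illustration of that change, not FreeIPA's own cert plugin code. It assumes a PEM-or-DER input and the certutil-style colon-separated rendering; the sample PEM body at the bottom is a constructed stand-in, not a real certificate (the digest is defined over the raw DER bytes, so the computation is identical for a genuine one). The `md5_available()` check relies on OpenSSL-backed `hashlib` raising `ValueError` for MD5 under FIPS mode.

```python
"""Certificate fingerprints without MD5 (added example, not FreeIPA code)."""
import base64
import hashlib
import re

# What the cert plugin displayed before the change discussed in the thread,
# and the FIPS-safe set proposed instead (the same pair certutil shows).
LEGACY_ALGORITHMS = ("md5", "sha1")
FIPS_SAFE_ALGORITHMS = ("sha1", "sha256")

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = _PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    body = "".join(match.group(1).split())  # drop line breaks inside the body
    return base64.b64decode(body, validate=True)


def format_fingerprint(digest: bytes) -> str:
    """certutil-style rendering: upper-case hex pairs separated by colons."""
    return ":".join(f"{b:02X}" for b in digest)


def fingerprints(der: bytes, algorithms=FIPS_SAFE_ALGORITHMS) -> dict:
    """Digest the DER encoding with each named algorithm.

    Nothing here needs to be persisted: the values are recomputed from the
    certificate whenever it is displayed, which is why the thread can drop
    MD5 without a data migration. Under FIPS, asking for "md5" raises
    ValueError from hashlib, so the legacy list simply cannot be served.
    """
    result = {}
    for name in algorithms:
        h = hashlib.new(name)
        h.update(der)
        result[name] = format_fingerprint(h.digest())
    return result


def md5_available() -> bool:
    """False when the hash backend refuses MD5, as it does in FIPS mode."""
    try:
        hashlib.md5(b"")
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed stand-in for a certificate: arbitrary bytes wrapped in PEM
    # armour. A real certificate would be handled exactly the same way.
    sample_der = bytes(range(64))
    sample_pem = (
        "-----BEGIN CERTIFICATE-----\n"
        + base64.encodebytes(sample_der).decode()
        + "-----END CERTIFICATE-----\n"
    )
    der = pem_to_der(sample_pem)
    for name, fp in fingerprints(der).items():
        print(f"{name.upper():>7} fingerprint: {fp}")
    print("MD5 usable on this host:", md5_available())
```

Keeping the algorithm list as a parameter makes the FIPS behaviour visible at the call site: a caller that passes `LEGACY_ALGORITHMS` on a FIPS host gets a `ValueError` from the first `hashlib.new("md5")`, which is exactly the failure the thread is removing.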
From: freeipa-github-notification at redhat.com (mkosek)
Date: Tue, 21 Feb 2017 17:24:13 +0100
Subject: [Freeipa-devel] [freeipa PR#493][opened] Update Contributors.txt
URL: https://github.com/freeipa/freeipa/pull/493
Author: mkosek
Title: #493: Update Contributors.txt
Action: opened

PR body:
"""
Update mailmap with the new mistyped authors and generate a new Contributors list.
"""

To pull the PR as Git branch:
  git remote add ghfreeipa https://github.com/freeipa/freeipa
  git fetch ghfreeipa pull/493/head:pr493
  git checkout pr493

A non-text attachment was scrubbed: freeipa-pr-493.patch (text/x-diff, 3760 bytes)

From freeipa-github-notification at redhat.com Tue Feb 21 16:28:50 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 21 Feb 2017 17:28:50 +0100
Subject: [Freeipa-devel] [freeipa PR#453][comment] Cleanup certdb
URL: https://github.com/freeipa/freeipa/pull/453
Title: #453: Cleanup certdb

stlaz commented:
"""
@tiran Thanks for reminding me. I was waiting for some of my fixes to get pushed as well, I will go through your PR first thing tomorrow.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/453#issuecomment-281396402

From freeipa-github-notification at redhat.com Tue Feb 21 16:47:57 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 21 Feb 2017 17:47:57 +0100
Subject: [Freeipa-devel] [freeipa PR#485][+ack] Fix session logout
URL: https://github.com/freeipa/freeipa/pull/485
Title: #485: Fix session logout
Label: +ack

From freeipa-github-notification at redhat.com Tue Feb 21 16:48:04 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 21 Feb 2017 17:48:04 +0100
Subject: [Freeipa-devel] [freeipa PR#485][comment] Fix session logout
URL: https://github.com/freeipa/freeipa/pull/485
Title: #485: Fix session logout

stlaz commented:
"""
Works as expected.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/485#issuecomment-281402720

From freeipa-github-notification at redhat.com Tue Feb 21 16:59:09 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 21 Feb 2017 17:59:09 +0100
Subject: [Freeipa-devel] [freeipa PR#492][comment] [WIP] config: remove meaningless defaults
URL: https://github.com/freeipa/freeipa/pull/492
Title: #492: [WIP] config: remove meaningless defaults

HonzaCholasta commented:
"""
I stand corrected, but it does not make sense to reorder the code as you suggested anyway, as it would change the current default of `server` when only `xmlrpc_uri` is specified in the configuration from "use the hostname from `xmlrpc_uri`" to "do not set a default value".
"""
See the full comment at https://github.com/freeipa/freeipa/pull/492#issuecomment-281406314

From pvoborni at redhat.com Tue Feb 21 17:12:23 2017
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 21 Feb 2017 18:12:23 +0100
Subject: [Freeipa-devel] Certificate Identity Mapping - new API to retrieve matching users
In-Reply-To: <3d07fbf9-25aa-e5e9-58a4-c4bf24e389df@redhat.com>
References: <3d07fbf9-25aa-e5e9-58a4-c4bf24e389df@redhat.com>
Message-ID: <5b18f58b-1d8e-f060-d7a4-a4ec61b82227@redhat.com>

On 02/21/2017 05:15 PM, Florence Blanc-Renaud wrote:
> Hi,
>
> related to the Certificate Identity Mapping feature, a new CLI will be
> needed to find all the users matching a given certificate.
>
> I propose to provide this as:
>
> ipa certmaptest --certificate
> ---------------
> 2 users matched
> ---------------
> Matched user login: test1
> Matched user login: test2
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
>
> Please provide any comments, suggestions on the CLI or the output.
> Thanks,
> Flo.
>

Thanks Flo for sharing it.

I don't like the command name. It is not self-explanatory. It says it is testing something, it is not clear what, and the actual result is users who match the map configuration or have the cert in their user's entry.
Better would be: $ ipa certmap-match --certificate Pasting user story to give context if somebody is not familiar with it: """ As a Security Officer, I want to present IdM Server with an Employee Smart Card certificate and list all Employees with a matching role account, so that I can validate the configuration is correct Note: In FreeIPA 4.4, user-find --certificate can already find users linked with a certificate blob Acceptance criteria: * I can perform the administrative task both via IdM Web UI and CLI * When asking IdM for the information, I should always receive the same list that would be matched in client authentication workflows (by SSSD) * The list of users should include both users linked via standard certificate blob and other generically mapped users """ -- Petr Vobornik Associate Manager, Engineering, Identity Management Red Hat, Inc. From freeipa-github-notification at redhat.com Tue Feb 21 17:54:51 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 21 Feb 2017 18:54:51 +0100 Subject: [Freeipa-devel] [freeipa PR#482][comment] Remove MD5 certificate fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/482 Title: #482: Remove MD5 certificate fingerprints tomaskrizek commented: """ Btw, I think sha256 can be added in a separate PR. Let's just wait if there are any concerns about removing md5 on the freeipa-devel. """ See the full comment at https://github.com/freeipa/freeipa/pull/482#issuecomment-281423417 From freeipa-github-notification at redhat.com Tue Feb 21 19:06:44 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 21 Feb 2017 20:06:44 +0100 Subject: [Freeipa-devel] [freeipa PR#482][comment] Remove MD5 certificate fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/482 Title: #482: Remove MD5 certificate fingerprints stlaz commented: """ I don't have a problem adding it in this PR, it needs to be resolved according to the outcome of the freeipa-devel thread anyway. > On 21 Feb 2017, at 18:54, Tomas Krizek wrote: > > Btw, I think sha256 can be added in a separate PR. Let's just wait if there are any concerns about removing md5 on the freeipa-devel. > """ See the full comment at https://github.com/freeipa/freeipa/pull/482#issuecomment-281445393 From freeipa-github-notification at redhat.com Tue Feb 21 20:57:43 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 21 Feb 2017 21:57:43 +0100 Subject: [Freeipa-devel] [freeipa PR#364][synchronized] Client-only builds with --disable-server In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/364 Author: tiran Title: #364: Client-only builds with --disable-server Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/364/head:pr364 git checkout pr364 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-364.patch Type: text/x-diff Size: 20644 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Feb 21 20:58:51 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Tue, 21 Feb 2017 21:58:51 +0100 Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server tiran commented: """ Now ```-without-ipatests``` argument for @lslebodn """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-281478186 From ftweedal at redhat.com Tue Feb 21 23:28:38 2017
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 22 Feb 2017 09:28:38 +1000 Subject: [Freeipa-devel] MD5 certificate fingerprints removal In-Reply-To: References: <9a900970-0725-f942-c4ff-3b42ac430c63@redhat.com> <5bd6a65a-4e30-1e06-fe46-7f6ec349c374@redhat.com> Message-ID: <20170221232838.GU3557@dhcp-40-8.bne.redhat.com> On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote: > On 02/21/2017 04:24 PM, Tomas Krizek wrote: > > On 02/21/2017 03:23 PM, Rob Crittenden wrote: > > > Standa Laznicka wrote: > > > > Hello, > > > > > > > > Since we're trying to make FreeIPA work in FIPS we got to the point > > > > where we need to do something with MD5 fingerprints in the cert plugin. > > > > Eventually we came to a realization that it'd be best to get rid of them > > > > as a whole. These are counted by the framework and are not stored > > > > anywhere. Note that alongside with these fingerprints SHA1 fingerprints > > > > are also counted and those are there to stay. > > > > > > > > The question for this ML is, then - is it OK to remove these or would > > > > you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a > > > > grandpa and I think it should go. > > > I based the values displayed on what certutil displayed at the time (7 > > > years ago). I don't know that anyone uses these fingerprints. The > > > OpenSSL equivalent doesn't include them by default. > > > > > > You may be able to deprecate fingerprints altogether. > > > > > > rob > > I think it's useful to display the certificate's fingerprint. I'm in > > favor of removing md5 and adding sha256 instead. > > > Rob, thank you for sharing the information of where the cert fingerprints > are originated! `certutil` shipped with nss-3.27.0-1.3 currently displays > SHA-256 and SHA1 fingerprints for certificates so I propose going that way > too. > IMO we should remove MD5 and SHA-1, and add SHA-256. But we should also make no API stability guarantee w.r.t. 
the fingerprint attributes, i.e. to allow us to move to newer digests in future (and remove broken/no-longer-secure ones). We should advise that if a customer has a hard requirement on a particular digest that they should compute it themselves from the certificate. Cheers, Fraser From ftweedal at redhat.com Tue Feb 21 23:43:35 2017 
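The message above recommends that anyone with a hard requirement on a particular digest compute the fingerprint from the certificate themselves instead of relying on whichever fingerprint attributes the API happens to return. The Python below is an added example, not FreeIPA's code, of doing exactly that: a certificate fingerprint is simply the digest of the DER encoding, taken here from a PEM block or from a base64 DER string such as the `certificate` value that `ipa cert-show` prints (the attribute name and the 64 sample bytes are assumptions). MD5 and SHA-1 are refused, as the thread proposes, and the check against an expected fingerprint is constant-time.

```python
"""Certificate fingerprints computed client-side from the DER encoding.

Added example, not FreeIPA code. Assumes the certificate is available as
PEM text or as the base64 DER string an API such as `ipa cert-show` returns
(the attribute name and the sample bytes below are assumptions).
"""
import base64
import hashlib
import hmac
import re

# Digests a caller may pin on. MD5 and SHA-1 are deliberately absent, in
# line with the proposal to drop them from the fingerprint attributes.
ACCEPTED_DIGESTS = ("sha256", "sha384", "sha512")

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem):
    """DER bytes of the first CERTIFICATE block in a PEM string."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der, digest="sha256"):
    """Raw fingerprint: the digest of the certificate's DER bytes.

    This is what certutil and openssl print, so a client can recompute it
    without any API guarantee about which digests the server returns.
    """
    if digest not in ACCEPTED_DIGESTS:
        raise ValueError("refusing weak or unsupported digest: %s" % digest)
    return hashlib.new(digest, der).digest()


def format_fingerprint(fp):
    """Colon-separated upper-case hex, the conventional display form."""
    return ":".join("%02X" % b for b in fp)


def fingerprint_from_ipa_blob(b64_der, digest="sha256"):
    """Formatted fingerprint from a base64 DER string (assumed API format)."""
    return format_fingerprint(fingerprint(base64.b64decode(b64_der), digest))


def fingerprint_matches(der, expected, digest="sha256"):
    """Compare a computed fingerprint with an expected one written in any
    usual notation (colons, spaces, upper or lower case). The comparison
    is constant-time so it leaks nothing about the expected value."""
    normalized = re.sub(r"[^0-9a-fA-F]", "", expected).lower()
    computed = fingerprint(der, digest).hex()
    return hmac.compare_digest(computed, normalized)


# Constructed sample: 64 arbitrary bytes standing in for a DER certificate.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("SHA-256 fingerprint:", format_fingerprint(fingerprint(der)))
```

Because the digest is taken over the DER bytes, the result is the same whether the certificate came from a PEM file, from LDAP, or from the IPA API, which is what makes a client-side computation independent of future changes to the server's fingerprint attributes.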
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 22 Feb 2017 09:43:35 +1000 Subject: [Freeipa-devel] Certificate Identity Mapping - new API to retrieve matching users In-Reply-To: <5b18f58b-1d8e-f060-d7a4-a4ec61b82227@redhat.com> References: <3d07fbf9-25aa-e5e9-58a4-c4bf24e389df@redhat.com> <5b18f58b-1d8e-f060-d7a4-a4ec61b82227@redhat.com> Message-ID: <20170221234335.GV3557@dhcp-40-8.bne.redhat.com> On Tue, Feb 21, 2017 at 06:12:23PM +0100, Petr Vobornik wrote: > On 02/21/2017 05:15 PM, Florence Blanc-Renaud wrote: > > Hi, > > > > related to the Certificate Identity Mapping feature, a new CLI will be > > needed to find all the users matching a given certificate. > > > > I propose to provide this as: > > > > ipa certmaptest --certificate > > --------------- > > 2 users matched > > --------------- > > Matched user login: test1 > > Matched user login: test2 > > ---------------------------- > > Number of entries returned 2 > > ---------------------------- > > > > > > Please provide any comments, suggestions on the CLI or the output. > > Thanks, > > Flo. > > > > Thanks Flo for sharing it. > > I don't like the command name. It is not self explanatory. It says it is > testing something, it is not clear what and the actual result is users who > match the map configuration or have the cert in their user's entry. > > Better would be: > $ ipa certmap-match --certificate > How about `ipa certmap-find-user ...'? Doesn't get more obvious than that, IMO. 
> > Pasting user story to give context if somebody is not familiar with it: > """ > As a Security Officer, I want to present IdM Server with an Employee Smart > Card certificate and list all Employees with a matching role account, so > that I can validate the configuration is correct > > Note: In FreeIPA 4.4, user-find --certificate can already find users linked > with a certificate blob > > Acceptance criteria: > * I can perform the administrative task both via IdM Web UI and CLI > * When asking IdM for the information, I should always receive the same list > that would be matched in client authentication workflows (by SSSD) > * The list of users should include both users linked via standard > certificate blob and other generically mapped users > """ > -- > Petr Vobornik > > Associate Manager, Engineering, Identity Management > Red Hat, Inc. > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code From freeipa-github-notification at redhat.com Wed Feb 22 06:41:26 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 22 Feb 2017 07:41:26 +0100 Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server HonzaCholasta commented: """ @tiran, not just for @lslebodn, `--without-ipatests` will be very useful to me for RHEL and Arch Linux packaging as well ?. """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-281583597 From freeipa-github-notification at redhat.com Wed Feb 22 07:58:27 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 22 Feb 2017 08:58:27 +0100 Subject: [Freeipa-devel] [freeipa PR#301][comment] scripts, tests: explicitly set confdir in the rest of server code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/301 Title: #301: scripts, tests: explicitly set confdir in the rest of server code stlaz commented: """ This PR implements the stuff that was agreed on in later comments in https://github.com/freeipa/freeipa/pull/280 and actually requested by @pvoborni. Currently, I do not see the reason why this PR should not be accepted, if IPA_CONFDIR is required in either of these scripts for some reason, we can implement it later and add the justification to it. """ See the full comment at https://github.com/freeipa/freeipa/pull/301#issuecomment-281595996 From freeipa-github-notification at redhat.com Wed Feb 22 07:58:35 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 22 Feb 2017 08:58:35 +0100 Subject: [Freeipa-devel] [freeipa PR#301][+ack] scripts, tests: explicitly set confdir in the rest of server code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/301 Title: #301: scripts, tests: explicitly set confdir in the rest of server code Label: +ack From freeipa-github-notification at redhat.com Wed Feb 22 08:01:57 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 22 Feb 2017 09:01:57 +0100 Subject: [Freeipa-devel] [freeipa PR#301][comment] scripts, tests: explicitly set confdir in the rest of server code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/301 Title: #301: scripts, tests: explicitly set confdir in the rest of server code HonzaCholasta commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/fe6f2b6f6effcf9f3c58e1e3f6d0874609c10c25 """ See the full comment at https://github.com/freeipa/freeipa/pull/301#issuecomment-281596634 From freeipa-github-notification at redhat.com Wed Feb 22 08:01:59 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 22 Feb 2017 09:01:59 +0100 Subject: [Freeipa-devel] [freeipa PR#301][+pushed] scripts, tests: explicitly set confdir in the rest of server code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/301 Title: #301: scripts, tests: explicitly set confdir in the rest of server code Label: +pushed From freeipa-github-notification at redhat.com Wed Feb 22 08:02:01 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 22 Feb 2017 09:02:01 +0100 Subject: [Freeipa-devel] [freeipa PR#301][closed] scripts, tests: explicitly set confdir in the rest of server code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/301 Author: HonzaCholasta Title: #301: scripts, tests: explicitly set confdir in the rest of server code Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/301/head:pr301 git checkout pr301 From freeipa-github-notification at redhat.com Wed Feb 22 08:02:15 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 22 Feb 2017 09:02:15 +0100 Subject: [Freeipa-devel] [freeipa PR#301][comment] scripts, tests: explicitly set confdir in the rest of server code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/301 Title: #301: scripts, tests: explicitly set confdir in the rest of server code tiran commented: """ My philosophy is: _Don't fix it if it ain't broken._ """ See the full comment at https://github.com/freeipa/freeipa/pull/301#issuecomment-281596691 From freeipa-github-notification at redhat.com Wed Feb 22 08:05:43 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 22 Feb 2017 09:05:43 +0100 Subject: [Freeipa-devel] [freeipa PR#492][comment] [WIP] config: remove meaningless defaults In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/492 Title: #492: [WIP] config: remove meaningless defaults tiran commented: """ Can you add a comment to explain the order of checks and assignments? Without explanation, it's going to confuse the next poor developer. """ See the full comment at https://github.com/freeipa/freeipa/pull/492#issuecomment-281597346 From freeipa-github-notification at redhat.com Wed Feb 22 08:06:19 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 22 Feb 2017 09:06:19 +0100 Subject: [Freeipa-devel] [freeipa PR#492][comment] [WIP] config: remove meaningless defaults In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/492 Title: #492: [WIP] config: remove meaningless defaults HonzaCholasta commented: """ Sure. """ See the full comment at https://github.com/freeipa/freeipa/pull/492#issuecomment-281597461 From freeipa-github-notification at redhat.com Wed Feb 22 08:21:48 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 22 Feb 2017 09:21:48 +0100 Subject: [Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/472 Author: tiran Title: #472: Packaging: Add placeholder packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/472/head:pr472 git checkout pr472 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-472.patch Type: text/x-diff Size: 28056 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Feb 22 08:24:11 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 22 Feb 2017 09:24:11 +0100 Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages tiran commented: """ OK, you got ```with_wheels``` in ```freeipa.spec.in``` now. ```with_wheels``` is more logical than ```with_pypi``` because wheels have more uses than just PyPI upload. """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281600990 From freeipa-github-notification at redhat.com Wed Feb 22 08:40:20 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 22 Feb 2017 09:40:20 +0100 Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/397 Title: #397: Improve wheel building and provide ipaserver wheel for local testing tiran commented: """ @HonzaCholasta FreeIPA has conditional imports for SSSD modules in several places, e.g. in the trust plugin. 96f614e closes the gap and applies the same technique to the last unconditional import from SSSD. """ See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-281604493 From freeipa-github-notification at redhat.com Wed Feb 22 08:43:59 2017 From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 22 Feb 2017 09:43:59 +0100 Subject: [Freeipa-devel] [freeipa PR#494][opened] Support client-only build Message-ID: URL: https://github.com/freeipa/freeipa/pull/494 Author: lslebodn Title: #494: Support client-only build Action: opened PR body: """ How to test:

* autoreconf -if
* ./configure --disable-server
* make srpms
* mock --rebuild dist/rpms/freeipa-4.4.90.*.src.rpm --resultdir .
* mock --rebuild dist/rpms/freeipa-4.4.90.*.src.rpm --resultdir . --without=server

""" To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/494/head:pr494 git checkout pr494 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-494.patch Type: text/x-diff Size: 62012 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Feb 22 08:48:32 2017
From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 22 Feb 2017 09:48:32 +0100 Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server lslebodn commented: """ >Thanks for your contribution. I added your patch to my PR. On my system I ran into a minor issue. >Some C99 types like uint8_t were not defined and I had to include stdint.h. This change is not enough; there is still a warning:

```
ipa_pwd_ntlm.c: In function 'encode_nt_key':
ipa_pwd_ntlm.c:58:5: warning: implicit declaration of function 'strlen' [-Wimplicit-function-declaration]
    il = strlen(newPasswd);
    ^
ipa_pwd_ntlm.c:58:10: warning: incompatible implicit declaration of built-in function 'strlen'
    il = strlen(newPasswd);
         ^
```

>By the way I'm just going to ignore your snidely and snarky comment. No problem. I am going to forget that my proposal for compromise was ignored for 12 days. The latest version is a small improvement; but there are still problems small issues because this PR was not created with intention to use tox. I know you are busy. So I wrote client-only implementation from scratch. This PR is superseded by #494 """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-281606346 From freeipa-github-notification at redhat.com Wed Feb 22 08:59:54 2017
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 22 Feb 2017 09:59:54 +0100 Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/494 Title: #494: Support client-only build tomaskrizek commented: """ I'm not able to run autoreconf, it fails with the following error:

```
configure.ac:447: error: required file 'init/tmpfilesd/Makefile.in' not found
asn1/Makefile.am: installing './depcomp'
parallel-tests: installing './test-driver'
autoreconf: automake failed with exit status: 1
```

""" See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281608826 From pvoborni at redhat.com Wed Feb 22 09:02:24 2017
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 22 Feb 2017 10:02:24 +0100 Subject: [Freeipa-devel] Certificate Identity Mapping - new API to retrieve matching users In-Reply-To: <20170221234335.GV3557@dhcp-40-8.bne.redhat.com> References: <3d07fbf9-25aa-e5e9-58a4-c4bf24e389df@redhat.com> <5b18f58b-1d8e-f060-d7a4-a4ec61b82227@redhat.com> <20170221234335.GV3557@dhcp-40-8.bne.redhat.com> Message-ID: <7d13238c-6dd1-1da3-7e1a-c2d13b748b81@redhat.com> On 02/22/2017 12:43 AM, Fraser Tweedale wrote: > On Tue, Feb 21, 2017 at 06:12:23PM +0100, Petr Vobornik wrote: >> On 02/21/2017 05:15 PM, Florence Blanc-Renaud wrote: >>> Hi, >>> >>> related to the Certificate Identity Mapping feature, a new CLI will be >>> needed to find all the users matching a given certificate. >>> >>> I propose to provide this as: >>> >>> ipa certmaptest --certificate >>> --------------- >>> 2 users matched >>> --------------- >>> Matched user login: test1 >>> Matched user login: test2 >>> ---------------------------- >>> Number of entries returned 2 >>> ---------------------------- >>> >>> >>> Please provide any comments, suggestions on the CLI or the output. >>> Thanks, >>> Flo. >>> >> >> Thanks Flo for sharing it. >> >> I don't like the command name. It is not self explanatory. It says it is >> testing something, it is not clear what and the actual result is users who >> match the map configuration or have the cert in their user's entry. >> >> Better would be: >> $ ipa certmap-match --certificate >> > How about `ipa certmap-find-user ...'? Doesn't get more obvious > than that, IMO. Was thinking about that as well but I think that the command might, in future, return also something else than a user object, e.g. ID override.
> >> >> Pasting user story to give context if somebody is not familiar with it: >> """ >> As a Security Officer, I want to present IdM Server with an Employee Smart >> Card certificate and list all Employees with a matching role account, so >> that I can validate the configuration is correct >> >> Note: In FreeIPA 4.4, user-find --certificate can already find users linked >> with a certificate blob >> >> Acceptance criteria: >> * I can perform the administrative task both via IdM Web UI and CLI >> * When asking IdM for the information, I should always receive the same list >> that would be matched in client authentication workflows (by SSSD) >> * The list of users should include both users linked via standard >> certificate blob and other generically mapped users >> """ >> -- >> Petr Vobornik >> >> Associate Manager, Engineering, Identity Management >> Red Hat, Inc. >> >> -- >> Manage your subscription for the Freeipa-devel mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -- Petr Vobornik Associate Manager, Engineering, Identity Management Red Hat, Inc. From freeipa-github-notification at redhat.com Wed Feb 22 09:08:00 2017 
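The acceptance criteria quoted in this thread require the new command to return both the users that carry the certificate blob (what `user-find --certificate` already covers) and the users selected by a mapping rule, and to return the same list SSSD would match at login. As an added example, not FreeIPA or SSSD code, the Python below models that union: a blob lookup plus rule-based mapping, deduplicated so a user reached both ways is listed once, with deterministic ordering so the CLI and Web UI agree. The `Cert`, `User` and `MapRule` types, the rule format (a predicate on the issuer plus a cert field to compare against a user attribute) and the sample data are constructed assumptions, not SSSD's certmap syntax.

```python
"""Union of blob-linked and rule-mapped users for one certificate.

Added example, not FreeIPA or SSSD code. A certificate is represented by
the fields a matcher would extract from it (issuer, subject CN, SAN e-mail)
plus its DER bytes; the rule format is an assumption, not SSSD's syntax.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Cert:
    der: bytes
    issuer: str
    subject_cn: str
    san_email: str = ""


@dataclass
class User:
    uid: str
    mail: str = ""
    usercertificate: List[bytes] = field(default_factory=list)


@dataclass
class MapRule:
    name: str
    match: Callable[[Cert], bool]   # does this rule apply to the cert?
    user_attr: str                  # user attribute to compare against
    value: Callable[[Cert], str]    # value extracted from the cert


def blob_linked(cert: Cert, users: List[User]) -> List[str]:
    """Users whose usercertificate attribute holds this exact DER blob."""
    return [u.uid for u in users if cert.der in u.usercertificate]


def rule_mapped(cert: Cert, users: List[User],
                rules: List[MapRule]) -> Dict[str, List[str]]:
    """uid -> names of the rules that mapped this cert to that user."""
    hits: Dict[str, List[str]] = {}
    for rule in rules:
        if not rule.match(cert):
            continue
        wanted = rule.value(cert)
        if not wanted:  # rule applies but the cert lacks the field: no match
            continue
        for u in users:
            if getattr(u, rule.user_attr, "") == wanted:
                hits.setdefault(u.uid, []).append(rule.name)
    return hits


def match_users(cert: Cert, users: List[User], rules: List[MapRule]) -> List[str]:
    """Every user the cert would authenticate as: blob-linked and
    rule-mapped, deduplicated and sorted for a stable listing."""
    found = set(blob_linked(cert, users))
    found.update(rule_mapped(cert, users, rules))
    return sorted(found)


# Constructed sample data: one cert, three users, three rules.
CORP_ISSUER = "CN=Corp Issuing CA,O=Example"
CERT = Cert(der=b"\x30\x82\x01\x00constructed-der", issuer=CORP_ISSUER,
            subject_cn="test1", san_email="test2@example.test")

USERS = [
    # test1 is linked by blob and also by the CN rule: must be listed once
    User("test1", mail="test1@example.test", usercertificate=[CERT.der]),
    User("test2", mail="test2@example.test"),
    User("test3", mail="test3@example.test"),
]

RULES = [
    MapRule("corp-cn-to-uid", lambda c: c.issuer == CORP_ISSUER, "uid",
            lambda c: c.subject_cn),
    MapRule("corp-san-to-mail", lambda c: c.issuer == CORP_ISSUER, "mail",
            lambda c: c.san_email),
    MapRule("other-ca", lambda c: c.issuer.startswith("CN=Other"), "uid",
            lambda c: c.subject_cn),
]

if __name__ == "__main__":
    for uid in match_users(CERT, USERS, RULES):
        print("Matched user login:", uid)
```

Run as a script it prints the two logins from Flo's proposed output; `rule_mapped` also records which rule produced each match, which is the detail a security officer validating the mapping configuration would want next to each login.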
From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 22 Feb 2017 10:08:00 +0100 Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/494 Title: #494: Support client-only build lslebodn commented: """ On (22/02/17 00:59), Tomas Krizek wrote:
>I'm not able to run autoreconf, it fails with the following error:
>
>```
>configure.ac:447: error: required file 'init/tmpfilesd/Makefile.in' not found
>asn1/Makefile.am: installing './depcomp'
>parallel-tests: installing './test-driver'
>autoreconf: automake failed with exit status: 1
>```

I cannot see such file in git :-(

```
sh$ git clean -fdx
sh$ ls init/
ipa-dnskeysyncd  ipa-ods-exporter  Makefile.am  systemd
```

and it isn't in configure either

```
sh$ grep "/tmpfilesd" configure.ac *.m4
sh$ echo $?
1
```

LS """ See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281610715 From freeipa-github-notification at redhat.com Wed Feb 22 09:09:18 2017 From: freeipa-github-notification at redhat.com (lslebodn) Date: Wed, 22 Feb 2017 10:09:18 +0100 Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/494 Title: #494: Support client-only build lslebodn commented: """ BTW I tested client-only build on fedora24, fedora25, fedora rawhide, epel7, debian stable, debian testing, debian unstable """ See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281611039 From freeipa-github-notification at redhat.com Wed Feb 22 09:16:14 2017
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Feb 2017 10:16:14 +0100 Subject: [Freeipa-devel] [freeipa PR#485][+pushed] Fix session logout In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/485 Title: #485: Fix session logout Label: +pushed From freeipa-github-notification at redhat.com Wed Feb 22 09:16:16 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Feb 2017 10:16:16 +0100 Subject: [Freeipa-devel] [freeipa PR#485][comment] Fix session logout In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/485 Title: #485: Fix session logout martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/908d2eaba46f5f123b49af400a8b696545c62b54 """ See the full comment at https://github.com/freeipa/freeipa/pull/485#issuecomment-281612684 From freeipa-github-notification at redhat.com Wed Feb 22 09:16:17 2017 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 22 Feb 2017 10:16:17 +0100 Subject: [Freeipa-devel] [freeipa PR#485][closed] Fix session logout In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/485 Author: simo5 Title: #485: Fix session logout Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/485/head:pr485 git checkout pr485 From freeipa-github-notification at redhat.com Wed Feb 22 09:16:44 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Wed, 22 Feb 2017 10:16:44 +0100 Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/397 Title: #397: Improve wheel building and provide ipaserver wheel for local testing HonzaCholasta commented: """ The trust plugin and other trust bits are optional. The cert plugin, which depends on `pyhbac`, is *not* optional, so you can't apply the same logic to it. An acceptable compromise would be to skip the cert plugin entirely if `pyhbac` is not available:

```python
# SkipPluginModule and the gettext helper `_` both come from ipalib
from ipalib import errors, _

try:
    import pyhbac  # SSSD's python binding; absent in a client-only install
except ImportError:
    raise errors.SkipPluginModule(reason=_('pyhbac is not installed'))
```

""" See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-281612799 From mkosek at redhat.com Wed Feb 22 09:17:32 2017
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 22 Feb 2017 10:17:32 +0100 Subject: [Freeipa-devel] FreeIPA and wildcard certificates In-Reply-To: <20170220050353.GT3557@dhcp-40-8.bne.redhat.com> References: <1c7e5abb-9c33-1cdd-fd4b-221a15c85672@redhat.com> <20170208081954.c4kethc4lzjagdmp@redhat.com> <20170209011200.GA3557@dhcp-40-8.bne.redhat.com> <340637ac-a6ba-517a-e2e8-a9ddaf7e63d5@redhat.com> <20170209214418.GD3557@dhcp-40-8.bne.redhat.com> <20170210093708.GI3557@dhcp-40-8.bne.redhat.com> <37f8b430-92d4-3ab2-69a2-1b96cbb5b75b@redhat.com> <20170220050353.GT3557@dhcp-40-8.bne.redhat.com> Message-ID: On 02/20/2017 06:03 AM, Fraser Tweedale wrote: > On Fri, Feb 10, 2017 at 11:48:39AM +0100, Martin Kosek wrote: >> On 02/10/2017 10:37 AM, Fraser Tweedale wrote: >>> On Fri, Feb 10, 2017 at 09:23:10AM +0100, Martin Kosek wrote: >>>> On 02/09/2017 10:44 PM, Fraser Tweedale wrote: >>>>> On Thu, Feb 09, 2017 at 08:37:23AM +0100, Martin Kosek wrote: >>>>>> On 02/09/2017 02:12 AM, Fraser Tweedale wrote: >>>>>>> On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote: >>>>>>>> On ke, 08 helmi 2017, Martin Kosek wrote: >>>>>>>>> Hi Fraser and the list, >>>>>>>>> >>>>>>>>> I recently was in a conversation about integrating OpenShift with FreeIPA. One >>>>>>>>> of the gaps was around generating a wildcard certificate by FreeIPA that will >>>>>>>>> be used in the default OpenShift router for applications that do not deploy own >>>>>>>>> certificates [1]. >>>>>>>>> >>>>>>>>> Is there any way that FreeIPA can generate it? I was thinking that uploading >>>>>>>>> some custom certificate profile in FreeIPA may let us get such certificate... >>>>>>>>> Or is the only way we can add it by adding a new RFE in FreeIPA, tracked in >>>>>>>>> [2]? >>>>>>>> Yes, we need a new RFE.
There are checks in IPA that prevent wildcard >>>>>>>> certificates to be issued: >>>>>>>> >>>>>>>> - we ensure subject 'cn' of the certificate matches a Kerberos principal >>>>>>>> specified in the request >>>>>>>> >>>>>>>> - we validate that host object exists in IPA when the Kerberos >>>>>>>> principal is host/... >>>>>>>> >>>>>>>> We could lift off these two limitations for 'cn=*,$suffix' but there is >>>>>>>> still a need to apply proper ACLs when issuing the cert -- e.g. some >>>>>>>> object has to be used for performing access rights check. The wildcard >>>>>>>> certificate does not need to be stored anywhere in the tree, but a >>>>>>>> check still needs to be done. >>>>>>>> >>>>>>>> For example, for Kerberos PKINIT certificate which is issued to KDC we >>>>>>>> don't store public certificate in LDAP either but we do two checks: >>>>>>>> - a special KDC certificate profile is used to issue the cert >>>>>>>> - a special hostname check is done so that only IPA masters are able to >>>>>>>> request this certificate >>>>>>>> >>>>>>>> For the wildcard certificate I think we could have following: >>>>>>>> - use a separate profile for the wildcard, associated with a sub-CA >>>>>>>> - hardcode CN default in the profile to always be 'CN=*, O=$SUB_CA_SUBJECT' so that >>>>>>>> actual certificate ignores requested CN. >>>>>>>> - a special check to be done so that only wildcard-based subject >>>>>>>> alternative names can be added to a wildcard certificate request >>>>>>>> - all Kerberos principal / hostname checks are skipped. >>>>>>>> - actual ACL check is done by CA ACL. >>>>>>>> >>>>>>> Issuing wildcard certs is a deprecated practice[1]. I am not >>>>>>> dismissing the needs of OpenShift (or PaaS/IaaS solutions in >>>>>>> general) but I'd like to have a discussion with them about how >>>>>>> they're currently dealing with certs and whether a different >>>>>>> direction other than wildcard certs is feasible. Martin, who should >>>>>>> I reach out to? 
Feel free to copy them into this discussion. >>>>>> >>>>>> Right now, I am talking to a Solution Architect, i.e. someone who is building >>>>>> GAed solutions, not developers. This is not something we would change >>>>>> short-term anyway, this is how current OpenShift v2 or v3 behaves, despite the RFC. >>>>>> >>>>>> While I understand why having certificate *.lab.example.com and using it for my >>>>>> lab machines is a bad idea and increases the attack vector, I do not see it >>>>>> that way for OpenShift. There, applications get URL like >>>>>> ".myopenshift.test" and all is routed by one entity, the OpenShift >>>>>> broker. So the key.cert is on one location, just serving different names that >>>>>> are provisioned with OpenShift. >>>>>> >>>>>> I can understand that issuing a new certificate for every application >>>>>> provisioned by OpenShift and then renewing it complicates the design >>>>>> significantly. I am trying to be creative and see if current OpenShift could >>>>>> leverage FreeIPA CA and issue the broker cert, with current profile >>>>>> capabilities or with small change. >>>>>> >>>>> I believe OpenShift supports per-application certificates (i.e. when >>>>> app developers/maintainers supply their own cert for a custom >>>>> domain). So it might be possible in v2 or v3 to provision a cert >>>>> for every app. >>>> >>>> Right, it supports this. But then issuing the certificate and renewal is a >>>> responsibility of app developer, AFAIK. I do not think if OpenShift has all the >>>> needed hooks to do this automatically and call certmonger for example. >>>> >>>> TLDR; adding a support of certmonger and issuing a certificate for every new >>>> application is a whole another degree of complexity than just issuing a >>>> Wildcard certificate for the router. 
I am not saying it should not be done, I >>>> am just saying that being able to generate a wildcard certificate with FreeIPA >>>> would let us integrate with OpenShift much better than now and with (hopefully) >>>> low effort involved, i.e. faster. >>>> >>>>> An automated solution does not yet exist but that >>>>> doesn't mean it can't be built out of what's currently GA. >>>>> >>>>>>> [1] https://tools.ietf.org/html/rfc6125#section-7.2 >>>>>>> >>>>>>> If we do go ahead with wildcard cert support in FreeIPA, some of my >>>>>>> initial questions are: >>>>>>> >>>>>>> - For the OpenShift use case, what is the "parent" domain name and >>>>>>> is it the same as the IPA domain name? Is it a subdomain of the >>>>>>> IPA domain name? >>>>>>> >>>>>>> - Do we need to support issuing "*.${IPA_DOMAIN}"? i.e. wildcard >>>>>>> cert under entire IPA domain name. >>>>>>> >>>>>>> - Do we need to support issuing "*.${IPA_HOSTNAME}"? i.e. wildcard >>>>>>> certs under names of IPA host principals. >>>>>> >>>>>> I do not know, but I can ask if it is important for you :-) >>>>>> >>>>> It's important to know what I actually need to do if we proceed with >>>>> implementing this :) >>>> >>>> We do not need to jump on implementing it right away, you already have a lot on >>>> your plate. Right now, I must just want to know: >>>> >>>> - is there any way how I can generate wildcard cert with current FreeIPA, using >>>> a custom certificate profile. I assume the answer is no. >>>> >>> I have an idea. >>> >>> - Assume there exists a FreeIPA host `foo.example.com', the "parent" >>> domain name for the desired wildcard name `*.foo.example.com'. 
>>> >>> - Create a profile with the config: >>> >>> policyset.serverCertSet..constraint.class_id=subjectNameConstraintImpl >>> policyset.serverCertSet..constraint.name=Subject Name Constraint >>> policyset.serverCertSet..constraint.params.accept=true >>> policyset.serverCertSet..constraint.params.pattern=CN=[^,]+,.+ >>> policyset.serverCertSet..default.class_id=subjectNameDefaultImpl >>> policyset.serverCertSet..default.name=Subject Name Default >>> policyset.serverCertSet..default.params.name=CN=*.$request.req_subject_name.cn$, o=EXAMPLE.COM >>> >>> - Set up CA ACLs to constrain use of this profile for issuance only >>> to hosts for which a wildcard cert *under* their hostname is >>> allowed. >>> >>> - Issue wildcard cert. >>> >>> I'm not 100% sure if that last directive from the snippet above is >>> valid. Worth a shot. >> >> This is exactly what I was looking for, as a workaround! Do you think you would >> be able to try it (not necessarily right now, but in several days)? Just so >> that we know it would work. >> > It works. I wrote it up in a blog post: > http://blog-ftweedal.rhcloud.com/2017/02/wildcard-certificates-in-freeipa/ I knew that will be a procedure like that! :-) Thanks for writing it down. >>>> - how complex would it be to add support of Wildcard certificate support to >>>> FreeIPA (rough scope). >>>> >>> It really depends on the answers to my earlier questions :) Need to >>> know *exactly* what is needed for OpenShift in terms of how the >>> domain(s) to include in the cert relate to IPA domain or >>> host/service principals defined therein. >> >> We should not make feature too specific to OpenShift anyway, so I do not think >> the answers to these questions need to come from OpenShift, but rather from our >> understanding of how to make this feature useful for FreeIPA users. 
>> >> But if you check OpenShift documentation: >> https://docs.openshift.com/container-platform/3.4/install_config/router/default_haproxy_router.html#using-wildcard-certificates >> you will see that the domain for the wildcard is configurable. So AFAIK, the >> OpenShift may join a realm EXAMPLE.COM and have the wildcard cert for >> '*.cloudapps.example.com. >> > After my exploration of what we can do with FreeIPA, I'd now be > surprised if we need to do anything else at all, besides perhaps > some official doc e.g. a KBase article. > > Please pass the info along and see if the OpenShift folks are happy > with what they can do with a custom profile. I will definitely pass this information. As for any follow on FreeIPA side, I think it would be fine to add this procedure as an official FreeIPA Howto, just to make sure it does not disappear. I saw you linked it from http://www.freeipa.org/page/HowTos but I think it would make sense having this also on the official project wiki. Martin From freeipa-github-notification at redhat.com Wed Feb 22 09:23:50 2017 
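An added Python emulation (not FreeIPA or Dogtag code) of what the two profile directives in the thread above do to a requested subject, followed by the per-host check that the CA ACL step is meant to provide: a host gets a wildcard only directly under its own name, and only with the `*` as the whole left-most label. The policy id `1` (the archive dropped the number), the realm `EXAMPLE.COM`, the permitted-host set and the full-string regex match for `subjectNameConstraintImpl` are assumptions.

```python
import re

# Constructed profile fragment modelled on the directives proposed in the
# thread. The policy id "1" stands in for the number the mail archive dropped
# ("policyset.serverCertSet..constraint" in the quoted text); EXAMPLE.COM is a
# constructed realm name.
PROFILE_TEXT = """\
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.constraint.params.accept=true
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.1.default.params.name=CN=*.$request.req_subject_name.cn$, o=EXAMPLE.COM
"""

# Substitution token the proposed default uses to pull the CN out of the CSR.
CN_TOKEN = "$request.req_subject_name.cn$"

# Constructed stand-in for a CA ACL: hosts allowed to enrol with the profile.
PERMITTED_HOSTS = frozenset({"foo.example.com"})


def parse_profile(text):
    """Parse Dogtag-style key=value profile lines into a dict.

    Only the first '=' separates key from value, so a value such as
    'CN=*.$request...' survives intact.
    """
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def subject_cn(subject):
    """Return the CN value of a comma-separated subject string, or None.

    Naive RDN splitting (no escaped commas), which is enough for the
    subjects this emulation handles.
    """
    for rdn in subject.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "CN":
            return value.strip()
    return None


def derive_subject(profile, req_subject, policy="policyset.serverCertSet.1"):
    """Emulate the constraint, then the default, for one enrolment request.

    The constraint regex is applied to the whole requested subject (assumed
    here to be a full-string match); accept=true means a match is required.
    The default then rewrites the subject from its template, ignoring the
    requested subject except for the CN it substitutes.
    """
    pattern = profile[policy + ".constraint.params.pattern"]
    accept = profile[policy + ".constraint.params.accept"] == "true"
    matched = re.fullmatch(pattern, req_subject) is not None
    if matched != accept:
        raise ValueError("subject %r rejected by pattern %r" % (req_subject, pattern))
    cn = subject_cn(req_subject)
    if cn is None:
        raise ValueError("request subject has no CN")
    return profile[policy + ".default.params.name"].replace(CN_TOKEN, cn)


def check_wildcard_issuance(issued_subject, requesting_host, permitted=PERMITTED_HOSTS):
    """Per-host check the CA ACL is meant to enforce before issuing.

    Returns (ok, reason). The issued CN must be exactly '*.' followed by the
    requesting host's own FQDN, so a host can obtain a wildcard only *under*
    its name, never for its parent domain or a sibling host, and the '*'
    must be the whole left-most label (the only form RFC 6125 section 7.2
    tolerates). The host must also be one the ACL permits to use the profile.
    """
    cn = subject_cn(issued_subject) or ""
    if requesting_host not in permitted:
        return False, "host %s may not use the wildcard profile" % requesting_host
    labels = cn.split(".")
    if labels[0] != "*" or any(not lbl or "*" in lbl for lbl in labels[1:]):
        return False, "%r is not a single left-most-label wildcard" % cn
    if cn != "*." + requesting_host:
        return False, "%r is not directly under %s" % (cn, requesting_host)
    return True, "ok"


if __name__ == "__main__":
    prof = parse_profile(PROFILE_TEXT)
    # Host foo.example.com requests a cert with its own name as CN.
    subj = derive_subject(prof, "CN=foo.example.com,O=EXAMPLE.COM")
    print(subj, check_wildcard_issuance(subj, "foo.example.com"))
    # A CSR that smuggles a wildcard into the CN yields '*.*.example.com'
    # after the default is applied, and the per-host check refuses it.
    subj = derive_subject(prof, "CN=*.example.com,O=EXAMPLE.COM")
    print(subj, check_wildcard_issuance(subj, "foo.example.com"))
```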
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 22 Feb 2017 10:23:50 +0100
Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

MartinBasti commented:
"""
Thank you.

I see errors reported by pylint
```
************* Module ipaserver.install.installutils
ipaserver/install/installutils.py:1209: [E1101(no-member), store_version] Module 'ipaplatform' has no 'NAME' member)
ipaserver/install/installutils.py:1221: [E1101(no-member), check_version] Module 'ipaplatform' has no 'NAME' member)
ipaserver/install/installutils.py:1224: [E1101(no-member), check_version] Module 'ipaplatform' has no 'NAME' member)
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281614386

From freeipa-github-notification at redhat.com Wed Feb 22 09:42:31 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 22 Feb 2017 10:42:31 +0100
Subject: [Freeipa-devel] [freeipa PR#476][synchronized] vault: cache the transport certificate on client
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/476
Author: HonzaCholasta
Title: #476: vault: cache the transport certificate on client
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/476/head:pr476
git checkout pr476

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-476.patch
Type: text/x-diff
Size: 12003 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Feb 22 09:43:22 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 22 Feb 2017 10:43:22 +0100
Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

tiran commented:
"""
NACK on aece4c3c

We compromised on ```--without-ipatests``` with installation of ipatests defaulting to true. The compromise was already ACKed by @simo5
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281619180

From freeipa-github-notification at redhat.com Wed Feb 22 09:52:31 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 22 Feb 2017 10:52:31 +0100
Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

tomaskrizek commented:
"""
@lslebodn My bad, there was some leftover stuff that `git clean -dfx` didn't clear for some reason. Nevertheless, this does work and allows a client-only build, as well as installing tests with the `--with-tests` option. The mock build when run with `--without=server` does install fewer dependencies.

But I'm not acking, because of the controversy with the `--with-tests` option (see #364).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281621335

From freeipa-github-notification at redhat.com Wed Feb 22 09:54:12 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 22 Feb 2017 10:54:12 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tomaskrizek commented:
"""
The PR works and the `--without-ipatests` option omits the ipatests directory. However, #494 doesn't install extra dependencies with `mock --without=server`.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-281621714

From freeipa-github-notification at redhat.com Wed Feb 22 10:02:50 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 22 Feb 2017 11:02:50 +0100
Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

lslebodn commented:
"""
On (22/02/17 01:43), Christian Heimes wrote:
>NACK on aece4c3c
>
>We compromised on ```--without-ipatests``` with installation of ipatests defaulting to true. The compromise was already ACKed by @simo5
>
Default is true; because --enable-server has default value true.

So NACK should not count.

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281623863

From freeipa-github-notification at redhat.com Wed Feb 22 10:09:28 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 22 Feb 2017 11:09:28 +0100
Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

tiran commented:
"""
There are two reasons we decided on ```--without-ipatests```:

* ```--with-tests``` / ```--without-tests``` is technically not correct. We still compile C tests. The flag is about the component ```ipatests```, so let's call it ```--without-ipatests```.
* ```--with-ipatests``` / ```--without-ipatests``` is only relevant for downstream packaging to make the life of a packager a bit easier. FreeIPA is an upstream first project. The default settings for configure should be convenient and user-friendly for upstream developers and users.

The final decision has been made.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281625456

From freeipa-github-notification at redhat.com Wed Feb 22 10:16:25 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 22 Feb 2017 11:16:25 +0100
Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

tiran commented:
"""
NACK on 42fb9b1c

* Either use ```--with-ipaplatform=redhat``` on CentOS
* Or implement a proper way to fill ipaplatform from the ```/etc/os-release``` value ```ID_LIKE```, https://www.freedesktop.org/software/systemd/man/os-release.html

Either way, this should be handled by a separate PR and not mixed with client-only builds.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281627091

From freeipa-github-notification at redhat.com Wed Feb 22 10:26:45 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 22 Feb 2017 11:26:45 +0100
Subject: [Freeipa-devel] [freeipa PR#494][synchronized] Support client-only build
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/494
Author: lslebodn
Title: #494: Support client-only build
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/494/head:pr494
git checkout pr494

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-494.patch
Type: text/x-diff
Size: 62036 bytes
Desc: not available
URL:

From sbose at redhat.com Wed Feb 22 10:28:53 2017
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 22 Feb 2017 11:28:53 +0100
Subject: [Freeipa-devel] Certificate Identity Mapping - new API to retrieve matching users
In-Reply-To: <7d13238c-6dd1-1da3-7e1a-c2d13b748b81@redhat.com>
References: <3d07fbf9-25aa-e5e9-58a4-c4bf24e389df@redhat.com> <5b18f58b-1d8e-f060-d7a4-a4ec61b82227@redhat.com> <20170221234335.GV3557@dhcp-40-8.bne.redhat.com> <7d13238c-6dd1-1da3-7e1a-c2d13b748b81@redhat.com>
Message-ID: <20170222102853.GB3404@p.Speedport_W_724V_Typ_A_05011603_00_011>

On Wed, Feb 22, 2017 at 10:02:24AM +0100, Petr Vobornik wrote:
> On 02/22/2017 12:43 AM, Fraser Tweedale wrote:
> > On Tue, Feb 21, 2017 at 06:12:23PM +0100, Petr Vobornik wrote:
> > > On 02/21/2017 05:15 PM, Florence Blanc-Renaud wrote:
> > > > Hi,
> > > >
> > > > related to the Certificate Identity Mapping feature, a new CLI will be
> > > > needed to find all the users matching a given certificate.
> > > >
> > > > I propose to provide this as:
> > > >
> > > > ipa certmaptest --certificate
> > > > ---------------
> > > > 2 users matched
> > > > ---------------
> > > > Matched user login: test1
> > > > Matched user login: test2
> > > > ----------------------------
> > > > Number of entries returned 2
> > > > ----------------------------
> > > >
> > > >
> > > > Please provide any comments, suggestions on the CLI or the output.
> > > > Thanks,
> > > > Flo.
> > > >
> > >
> > > Thanks Flo for sharing it.
> > >
> > > I don't like the command name. It is not self explanatory. It says it is
> > > testing something, it is not clear what, and the actual result is users who
> > > match the map configuration or have the cert in their user entry.
> > >
> > > Better would be:
> > > $ ipa certmap-match --certificate
> > >
> > How about `ipa certmap-find-user ...'? Doesn't get more obvious
> > than that, IMO.
>
> Was thinking about that as well but I think that the command might, in
> future, return also something else than a user object, e.g. ID override.

No, since the ID override is related to a user the user should be returned,
not the override.

bye,
Sumit

>
> >
> > >
> > > Pasting user story to give context if somebody is not familiar with it:
> > > """
> > > As a Security Officer, I want to present IdM Server with an Employee Smart
> > > Card certificate and list all Employees with a matching role account, so
> > > that I can validate the configuration is correct
> > >
> > > Note: In FreeIPA 4.4, user-find --certificate can already find users linked
> > > with a certificate blob
> > >
> > > Acceptance criteria:
> > > * I can perform the administrative task both via IdM Web UI and CLI
> > > * When asking IdM for the information, I should always receive the same list
> > > that would be matched in client authentication workflows (by SSSD)
> > > * The list of users should include both users linked via standard
> > > certificate blob and other generically mapped users
> > > """
> > > --
> > > Petr Vobornik
> > >
> > > Associate Manager, Engineering, Identity Management
> > > Red Hat, Inc.
> > >
> > > --
> > > Manage your subscription for the Freeipa-devel mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-devel
> > > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

From freeipa-github-notification at redhat.com Wed Feb 22 10:29:48 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 22 Feb 2017 11:29:48 +0100
Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

lslebodn commented:
"""
On (22/02/17 02:16), Christian Heimes wrote:
>NACK on 42fb9b1c
>
>* Either use ```--with-ipaplatform=redhat``` on CentOS
>* Or implement a proper way to fill ipaplatform from the ```/etc/os-release``` value ```ID_LIKE```, https://www.freedesktop.org/software/systemd/man/os-release.html
>
ID_LIKE is multivalued on centos; it cannot be used.

```
sh# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
```

>Either way, this should be handled by a separate PR and not mixed with client-only builds.
>
The purpose of the client-only build is to make the life of packagers simpler.
This patch improves UX so it needs to be part of this PR.

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281630224

From freeipa-github-notification at redhat.com Wed Feb 22 10:33:14 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 22 Feb 2017 11:33:14 +0100
Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

lslebodn commented:
"""
On (22/02/17 02:23), Christian Heimes wrote:
>tiran requested changes on this pull request.
>
>see comments
>
>> -CFLAGS="$bck_cflags"
>-
>-LIBPDB_NAME=""
>-AC_CHECK_LIB([samba-passdb],
>- [make_pdb_method],
>- [LIBPDB_NAME="samba-passdb"; HAVE_LIBPDB=1],
>- [LIBPDB_NAME="pdb"],
>- [$SAMBA40EXTRA_LIBPATH])
>-
>-if test "x$LIB_PDB_NAME" = "xpdb" ; then
>- AC_CHECK_LIB([$LIBPDB_NAME],
>- [make_pdb_method],
>- [HAVE_LIBPDB=1],
>- [AC_MSG_ERROR([Neither libpdb nor libsamba-passdb does have make_pdb_method])],
>- [$SAMBA40EXTRA_LIBPATH])
>+AC_MSG_CHECKING($(basename $PYTHON) module setuptools )
>
>Please put this in a separate PR. This is not related to --disable-server.
>
refactoring/cleaning is required for minimising dependencies before the split.
Otherwise git log would be confusing.

>+AM_CONDITIONAL([ENABLE_SERVER], [test x"$enable_server" = xyes])
>+if test x"$enable_server" = xyes; then
>+ m4_include([server.m4])
>+fi
>+
>+AC_ARG_WITH([tests],
>+ [AC_HELP_STRING([--with-tests],
>
>NACK, ```without-ipatests```
>
already changed.

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281631097

From jcholast at redhat.com Wed Feb 22 10:44:12 2017
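Review bot: In the second hunk, `m4_include([server.m4])` placed inside `if test x"$enable_server" = xyes; then ... fi` is resolved by m4 when autoconf generates the configure script, not when configure runs, so server.m4 is always pulled in and only its expanded shell code lands inside the conditional; any AM_CONDITIONAL or AC_SUBST registrations it contains are emitted unconditionally, and an AM_CONDITIONAL whose shell code is skipped under --disable-server will make configure fail with "conditional ... was never defined". Safer is to include server.m4 unconditionally and have it define a macro (AC_DEFUN) that is invoked under `AS_IF([test "x$enable_server" = xyes], [...])`, or to guard each check inside server.m4 with `$enable_server`. The `AC_ARG_WITH([tests], ...)` help text is cut off in the hunk; since the default for installing the tests depends on --enable-server, which is the point in dispute in this thread, please make sure the final help string states that dependency.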
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 22 Feb 2017 11:44:12 +0100
Subject: [Freeipa-devel] Certificate Identity Mapping - new API to retrieve matching users
In-Reply-To: <20170222102853.GB3404@p.Speedport_W_724V_Typ_A_05011603_00_011>
References: <3d07fbf9-25aa-e5e9-58a4-c4bf24e389df@redhat.com> <5b18f58b-1d8e-f060-d7a4-a4ec61b82227@redhat.com> <20170221234335.GV3557@dhcp-40-8.bne.redhat.com> <7d13238c-6dd1-1da3-7e1a-c2d13b748b81@redhat.com> <20170222102853.GB3404@p.Speedport_W_724V_Typ_A_05011603_00_011>
Message-ID:

On 22.2.2017 11:28, Sumit Bose wrote:
> On Wed, Feb 22, 2017 at 10:02:24AM +0100, Petr Vobornik wrote:
>> On 02/22/2017 12:43 AM, Fraser Tweedale wrote:
>>> On Tue, Feb 21, 2017 at 06:12:23PM +0100, Petr Vobornik wrote:
>>>> On 02/21/2017 05:15 PM, Florence Blanc-Renaud wrote:
>>>>> Hi,
>>>>>
>>>>> related to the Certificate Identity Mapping feature, a new CLI will be
>>>>> needed to find all the users matching a given certificate.
>>>>>
>>>>> I propose to provide this as:
>>>>>
>>>>> ipa certmaptest --certificate
>>>>> ---------------
>>>>> 2 users matched
>>>>> ---------------
>>>>> Matched user login: test1
>>>>> Matched user login: test2
>>>>> ----------------------------
>>>>> Number of entries returned 2
>>>>> ----------------------------
>>>>>
>>>>>
>>>>> Please provide any comments, suggestions on the CLI or the output.
>>>>> Thanks,
>>>>> Flo.
>>>>>
>>>>
>>>> Thanks Flo for sharing it.
>>>>
>>>> I don't like the command name. It is not self explanatory. It says it is
>>>> testing something, it is not clear what, and the actual result is users who
>>>> match the map configuration or have the cert in their user entry.
>>>>
>>>> Better would be:
>>>> $ ipa certmap-match --certificate
>>>>
>>> How about `ipa certmap-find-user ...'? Doesn't get more obvious
>>> than that, IMO.
>>
>> Was thinking about that as well but I think that the command might, in
>> future, return also something else than a user object, e.g. ID override.
>
> No, since the ID override is related to a user the user should be
> returned not the override.

"user" in IPA means IPA user, so there will be a difference between IPA
users and external users, which I think was Petr's point. I agree with
him that certmap-find-user is not the right name for the command,
because it suggests that it returns only IPA users.

>
> bye,
> Sumit
>
>>
>>>
>>>>
>>>> Pasting user story to give context if somebody is not familiar with it:
>>>> """
>>>> As a Security Officer, I want to present IdM Server with an Employee Smart
>>>> Card certificate and list all Employees with a matching role account, so
>>>> that I can validate the configuration is correct
>>>>
>>>> Note: In FreeIPA 4.4, user-find --certificate can already find users linked
>>>> with a certificate blob
>>>>
>>>> Acceptance criteria:
>>>> * I can perform the administrative task both via IdM Web UI and CLI
>>>> * When asking IdM for the information, I should always receive the same list
>>>> that would be matched in client authentication workflows (by SSSD)
>>>> * The list of users should include both users linked via standard
>>>> certificate blob and other generically mapped users
>>>> """

--
Jan Cholasta

From freeipa-github-notification at redhat.com Wed Feb 22 10:42:42 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 22 Feb 2017 11:42:42 +0100
Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

lslebodn commented:
"""
On (22/02/17 02:09), Christian Heimes wrote:
>There are two reasons we decided on ```--without-ipatests```:
>
>* ```--with-tests``` / ```--without-tests``` is technically not correct. We still compile C tests. The flag is about the component ```ipatests```, so let's call it ```--without-ipatests```.
>* ```--with-ipatests``` / ```--without-ipatests``` is only relevant for downstream packaging to make the life of a packager a bit easier. FreeIPA is an upstream first project. The default settings for configure should be convenient and user-friendly for upstream developers and users.
>
`without-tests` was changed to `without-ipatests`

freeipa-4.4 has a weird build system and all downstream packages had to do many tricks/workarounds to install and package it. The intention of the build refactoring was to make packaging as simple as possible.

The purpose of the client-only build https://fedorahosted.org/freeipa/ticket/6517 is to allow packaging just the client parts on distributions which do not have systemd or do not want to depend on systemd. Because ipa-client-install just configures sssd and certmonger, which can still be compiled without systemd support. So `--disable-server` must disable all parts which require anything with server dependencies. Therefore it disables js-lint, pylint and installation of ipatests. There is still a possibility to enable them with a client-only build, e.g. `./configure --disable-server --with-ipatests --enable-pylint`

>The final decision has been made.
>
The decision was made that there will be `--without-ipatests` for the tox use-case. Because the tox use-case is not a client-only build, explicit enabling of `ipatests` is required for the tox use-case.

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281633229

From freeipa-github-notification at redhat.com Wed Feb 22 10:50:51 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 22 Feb 2017 11:50:51 +0100
Subject: [Freeipa-devel] [freeipa PR#479][comment] Merge AD trust installer into composite ones
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/479
Title: #479: Merge AD trust installer into composite ones

martbab commented:
"""
Bump for review.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/479#issuecomment-281635086

From freeipa-github-notification at redhat.com Wed Feb 22 10:51:12 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 22 Feb 2017 11:51:12 +0100
Subject: [Freeipa-devel] [freeipa PR#457][comment] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/457
Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab

martbab commented:
"""
Bump for review.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/457#issuecomment-281635160

From freeipa-github-notification at redhat.com Wed Feb 22 10:51:14 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 22 Feb 2017 11:51:14 +0100
Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

tiran commented:
"""
Your assumption is incorrect. ```ipatests``` does not depend on ```ipaserver```, https://github.com/freeipa/freeipa/blob/master/ipatests/setup.py#L61

```
    install_requires=[
        "cryptography",
        "dnspython",
        "gssapi",
        "ipaclient",
        "ipalib",
        "ipaplatform",
        "ipapython",
        "nose",
        "polib",
        "pyldap",
        "pytest",
        "pytest_multihost",
        "python-nss",
        "six",
    ],
```

Only some subcomponents of ```ipatests``` do depend on the ```ipaserver``` package or a running server for integration tests, https://github.com/freeipa/freeipa/blob/master/ipatests/setup.py#L77

```
    extras_require={
        "integration": ["dbus-python", "pyyaml", "ipaserver"],
        "ipaserver": ["ipaserver"],
        "webui": ["selenium", "pyyaml", "ipaserver"],
        "xmlrpc": ["ipaserver"],
    }
```

Regarding pylint and jsl, neither of the components should be a build requirement. But that's off-topic for this PR. Please discuss the matter in https://fedorahosted.org/freeipa/ticket/6604 .
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281635162

From freeipa-github-notification at redhat.com Wed Feb 22 10:56:18 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 22 Feb 2017 11:56:18 +0100
Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

lslebodn commented:
"""
On (22/02/17 02:51), Christian Heimes wrote:
>Your assumption is incorrect. ```ipatests``` does not depend on ```ipaserver```, https://github.com/freeipa/freeipa/blob/master/ipatests/setup.py#L61
>
>```
>    install_requires=[
>        "cryptography",
>        "dnspython",
>        "gssapi",
>        "ipaclient",
>        "ipalib",
>        "ipaplatform",
>        "ipapython",
>        "nose",
>        "polib",
>        "pyldap",
>        "pytest",
>        "pytest_multihost",
>        "python-nss",
>        "six",
>    ],
>```
>
>Only some subcomponents of ```ipatests``` do depend on the ```ipaserver``` package or a running server for integration tests, https://github.com/freeipa/freeipa/blob/master/ipatests/setup.py#L77
>
>```
>    extras_require={
>        "integration": ["dbus-python", "pyyaml", "ipaserver"],
>        "ipaserver": ["ipaserver"],
>        "webui": ["selenium", "pyyaml", "ipaserver"],
>        "xmlrpc": ["ipaserver"],
>    }
>```
>
Packagers can run unit tests in-tree. And that's the usual way packagers run unit tests, e.g.

```
PYTHONPATH=$PWD/ \
    $PYTHON ./ipatests/ipa-run-tests -vvv --tb=native \
        $PWD/ipatests/test_ipaclient/ \
        $PWD/ipatests/test_ipalib \
        $PWD/ipatests/test_ipapython \
        $PWD/ipatests/test_util.py \
        $PWD/ipatests/util.py
```

Tox is a special case. Therefore installation of tests is disabled for `--disable-server`. But for tox it is possible to override it, e.g. `./configure --disable-server --with-tests`

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281636358

From Oucema.Bellagha at hotmail.com Wed Feb 22 10:59:36 2017
From: Oucema.Bellagha at hotmail.com (Oucema Bellagha)
Date: Wed, 22 Feb 2017 10:59:36 +0000
Subject: [Freeipa-devel] Requiring simultaneous authentication to Linux resources
Message-ID:

I want to figure out a solution which allows user "a" to authenticate to a host only when user "b" is accessing the host, for security reasons.

Easy explanation: authenticating to hostx needs (user a + user b)

I'm brainstorming some ideas using Yubikey or ssh-keys...

Is there any application which allows us to access a host only when 2 users are present? PuTTY doesn't have this feature, which could be a step to solve this problem... Or could it be done by applying some specified rules in IPA itself?

Thanks,

From freeipa-github-notification at redhat.com Wed Feb 22 11:04:25 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 22 Feb 2017 12:04:25 +0100
Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

tiran commented:
"""
You are aware that your example code checks the wrong code? It is testing in-tree sources, not the actual sources that get packaged and installed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281638202

From freeipa-github-notification at redhat.com Wed Feb 22 11:11:28 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 22 Feb 2017 12:11:28 +0100
Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build

URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

lslebodn commented:
"""
On (22/02/17 03:04), Christian Heimes wrote:
>You are aware that your example code checks the wrong code? It is testing in-tree sources, not the actual sources that get packaged and installed.
>
Yes, because unit tests are not usually installed with package.
e.g. `rpm -ql python3-requests | grep tests`

and unit tests are executed as part of build
http://pkgs.fedoraproject.org/cgit/rpms/python-requests.git/tree/python-requests.spec#n158

And I know that your use-case is different. Therefore there is a configure time option `--with-ipatests`

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281639897
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 22 Feb 2017 12:20:54 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
>Thanks for your contribution. I added your patch to my PR. On my system I ran into a minor issue.
>Some C99 types like uint8_t were not defined and I had to include stdint.h.

This change is not enough; there is still a warning:
```
ipa_pwd_ntlm.c: In function 'encode_nt_key':
ipa_pwd_ntlm.c:58:5: warning: implicit declaration of function 'strlen' [-Wimplicit-function-declaration]
     il = strlen(newPasswd);
     ^
ipa_pwd_ntlm.c:58:10: warning: incompatible implicit declaration of built-in function 'strlen'
     il = strlen(newPasswd);
          ^
```

>By the way I'm just going to ignore your snidely and snarky comment.

No problem. I am going to forget that my proposal for compromise was ignored for 12 days.

The latest version is a small improvement; but there are still problems/small issues because this PR was created with intention to use tox.
I know you are busy. So I wrote client-only implementation from scratch.

This PR is superseded by #494
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-281606346
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 22 Feb 2017 12:24:46 +0100
Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build

URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

tiran commented:
"""
python-requests is a bad example because it suffers from the same issue as IPA.

A better example is any other modern Python project like cryptography. It runs tests with installed files, not in-tree files.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281642853

From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 22 Feb 2017 12:42:58 +0100
Subject: [Freeipa-devel] [freeipa PR#495][opened] Fix ipa-server-upgrade

URL: https://github.com/freeipa/freeipa/pull/495
Author: stlaz
Title: #495: Fix ipa-server-upgrade
Action: opened

PR body:
"""
I was too eager to ACK https://github.com/freeipa/freeipa/pull/471. Running ipa-server-upgrade would fail to stop ipa_memcached if it's already uninstalled.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/495/head:pr495
git checkout pr495
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-495.patch
Type: text/x-diff
Size: 855 bytes
Desc: not available
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 22 Feb 2017 12:51:32 +0100
Subject: [Freeipa-devel] [freeipa PR#495][comment] Fix ipa-server-upgrade

URL: https://github.com/freeipa/freeipa/pull/495
Title: #495: Fix ipa-server-upgrade

tiran commented:
"""
Looks totally reasonable. I checked, ```SimpleServiceInstance('ipa_memcached')``` does not raise an exception if systemd has no service file for IPA memcached at all.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/495#issuecomment-281648585

From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 22 Feb 2017 12:51:40 +0100
Subject: [Freeipa-devel] [freeipa PR#495][+ack] Fix ipa-server-upgrade

URL: https://github.com/freeipa/freeipa/pull/495
Title: #495: Fix ipa-server-upgrade

Label: +ack
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 22 Feb 2017 12:54:41 +0100
Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build

URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

lslebodn commented:
"""
On (22/02/17 03:24), Christian Heimes wrote:
>python-requests is a bad example because it suffers from the same issue as IPA.
>
>A better example is any other modern Python project like cryptography. It runs tests with installed files, not in-tree files.
>
I checked a few other quite new projects which were written by RH python guys.
https://admin.fedoraproject.org/pkgdb/package/rpms/devassistant/
https://admin.fedoraproject.org/pkgdb/package/rpms/python-pytest-multihost/

They run unit tests as part of build process and unit tests are not installed.
But maybe I was just not lucky enough to find a modern Python project.

Anyway `ipatests` are installed by default with freeipa. If you want to use a non-default option for client-only build then it is possible to install `ipatests` as well.

Thank you for your comments.

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281649262
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 22 Feb 2017 12:59:31 +0100
Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

martbab commented:
"""
I have also noticed that the ccache is not created there, strange. However I think it is better to explicitly specify file-based ccache anyway just to be on the safe side.

Otherwise everything seems to work as expected, even `ipa-restore to live server` scenario.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-281650232

From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 22 Feb 2017 12:59:47 +0100
Subject: [Freeipa-devel] [freeipa PR#468][+ack] Remove non-sensical kdestroy on https stop

URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

Label: +ack

From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 22 Feb 2017 13:04:57 +0100
Subject: [Freeipa-devel] [freeipa PR#479][synchronized] Merge AD trust installer into composite ones

URL: https://github.com/freeipa/freeipa/pull/479
Author: martbab
Title: #479: Merge AD trust installer into composite ones
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/479/head:pr479
git checkout pr479
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-479.patch
Type: text/x-diff
Size: 58517 bytes
Desc: not available
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 22 Feb 2017 13:06:55 +0100
Subject: [Freeipa-devel] [freeipa PR#479][comment] Merge AD trust installer into composite ones

URL: https://github.com/freeipa/freeipa/pull/479
Title: #479: Merge AD trust installer into composite ones

martbab commented:
"""
I have added basic integration tests for the built-in AD trust installation, you can run them on 3 machines (master + 2 replicas) by running

```bash
# ipa-run-tests --verbose /usr/lib/python2.7/site-packages/ipatests/test_integration/test_installation.py -k TestADTrustInstall
```

and having a properly configured test config.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/479#issuecomment-281651733
From: slaznick at redhat.com (Standa Laznicka)
Date: Wed, 22 Feb 2017 13:24:40 +0100
Subject: [Freeipa-devel] MD5 certificate fingerprints removal
In-Reply-To: <20170221232838.GU3557@dhcp-40-8.bne.redhat.com>
References: <9a900970-0725-f942-c4ff-3b42ac430c63@redhat.com> <5bd6a65a-4e30-1e06-fe46-7f6ec349c374@redhat.com> <20170221232838.GU3557@dhcp-40-8.bne.redhat.com>
Message-ID: <9ecb7bc5-b47b-4331-8888-996a148a7b6f@redhat.com>

On 02/22/2017 12:28 AM, Fraser Tweedale wrote:
> On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote:
>> On 02/21/2017 04:24 PM, Tomas Krizek wrote:
>>> On 02/21/2017 03:23 PM, Rob Crittenden wrote:
>>>> Standa Laznicka wrote:
>>>>> Hello,
>>>>>
>>>>> Since we're trying to make FreeIPA work in FIPS we got to the point
>>>>> where we need to do something with MD5 fingerprints in the cert plugin.
>>>>> Eventually we came to a realization that it'd be best to get rid of them
>>>>> as a whole. These are counted by the framework and are not stored
>>>>> anywhere. Note that alongside with these fingerprints SHA1 fingerprints
>>>>> are also counted and those are there to stay.
>>>>>
>>>>> The question for this ML is, then - is it OK to remove these or would
>>>>> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
>>>>> grandpa and I think it should go.
>>>> I based the values displayed on what certutil displayed at the time (7
>>>> years ago). I don't know that anyone uses these fingerprints. The
>>>> OpenSSL equivalent doesn't include them by default.
>>>>
>>>> You may be able to deprecate fingerprints altogether.
>>>>
>>>> rob
>>> I think it's useful to display the certificate's fingerprint. I'm in
>>> favor of removing md5 and adding sha256 instead.
>>>
>> Rob, thank you for sharing the information of where the cert fingerprints
>> are originated! `certutil` shipped with nss-3.27.0-1.3 currently displays
>> SHA-256 and SHA1 fingerprints for certificates so I propose going that way
>> too.
>>
> IMO we should remove MD5 and SHA-1, and add SHA-256. But we should
> also make no API stability guarantee w.r.t. the fingerprint
> attributes, i.e. to allow us to move to newer digests in future (and
> remove broken/no-longer-secure ones). We should advise that if a
> customer has a hard requirement on a particular digest that they
> should compute it themselves from the certificate.
>
> Cheers,
> Fraser

That's something I would like but am not sure whether we can just go ahead and do. I, personally, wouldn't mind it.

From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 22 Feb 2017 13:28:15 +0100
Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

HonzaCholasta commented:
"""
Besides what I wrote in inline comments, we need to get rid of `/var/lib/ipa/radb` now that it's unused.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-281655830
From: tkrizek at redhat.com (Tomas Krizek)
Date: Wed, 22 Feb 2017 13:41:22 +0100
Subject: [Freeipa-devel] MD5 certificate fingerprints removal
In-Reply-To: <20170221232838.GU3557@dhcp-40-8.bne.redhat.com>
References: <9a900970-0725-f942-c4ff-3b42ac430c63@redhat.com> <5bd6a65a-4e30-1e06-fe46-7f6ec349c374@redhat.com> <20170221232838.GU3557@dhcp-40-8.bne.redhat.com>

On 02/22/2017 12:28 AM, Fraser Tweedale wrote:
> On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote:
>> On 02/21/2017 04:24 PM, Tomas Krizek wrote:
>>> On 02/21/2017 03:23 PM, Rob Crittenden wrote:
>>>> Standa Laznicka wrote:
>>>>> Hello,
>>>>>
>>>>> Since we're trying to make FreeIPA work in FIPS we got to the point
>>>>> where we need to do something with MD5 fingerprints in the cert plugin.
>>>>> Eventually we came to a realization that it'd be best to get rid of them
>>>>> as a whole. These are counted by the framework and are not stored
>>>>> anywhere. Note that alongside with these fingerprints SHA1 fingerprints
>>>>> are also counted and those are there to stay.
>>>>>
>>>>> The question for this ML is, then - is it OK to remove these or would
>>>>> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
>>>>> grandpa and I think it should go.
>>>> I based the values displayed on what certutil displayed at the time (7
>>>> years ago). I don't know that anyone uses these fingerprints. The
>>>> OpenSSL equivalent doesn't include them by default.
>>>>
>>>> You may be able to deprecate fingerprints altogether.
>>>>
>>>> rob
>>> I think it's useful to display the certificate's fingerprint. I'm in
>>> favor of removing md5 and adding sha256 instead.
>>>
>> Rob, thank you for sharing the information of where the cert fingerprints
>> are originated! `certutil` shipped with nss-3.27.0-1.3 currently displays
>> SHA-256 and SHA1 fingerprints for certificates so I propose going that way
>> too.
>>
> IMO we should remove MD5 and SHA-1, and add SHA-256. But we should
> also make no API stability guarantee w.r.t. the fingerprint
> attributes, i.e. to allow us to move to newer digests in future (and
> remove broken/no-longer-secure ones). We should advise that if a
> customer has a hard requirement on a particular digest that they
> should compute it themselves from the certificate.
>
> Cheers,
> Fraser

What is the motivation to remove SHA-1? Are there any attacks besides theoretical ones on SHA-1?

Do other libraries already deprecate SHA-1?

--
Tomas Krizek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 22 Feb 2017 22:44:32 +1000
Subject: [Freeipa-devel] MD5 certificate fingerprints removal
References: <9a900970-0725-f942-c4ff-3b42ac430c63@redhat.com> <5bd6a65a-4e30-1e06-fe46-7f6ec349c374@redhat.com> <20170221232838.GU3557@dhcp-40-8.bne.redhat.com>
Message-ID: <20170222124432.GZ3557@dhcp-40-8.bne.redhat.com>

On Wed, Feb 22, 2017 at 01:41:22PM +0100, Tomas Krizek wrote:
> On 02/22/2017 12:28 AM, Fraser Tweedale wrote:
> > On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote:
> >> On 02/21/2017 04:24 PM, Tomas Krizek wrote:
> >>> On 02/21/2017 03:23 PM, Rob Crittenden wrote:
> >>>> Standa Laznicka wrote:
> >>>>> Hello,
> >>>>>
> >>>>> Since we're trying to make FreeIPA work in FIPS we got to the point
> >>>>> where we need to do something with MD5 fingerprints in the cert plugin.
> >>>>> Eventually we came to a realization that it'd be best to get rid of them
> >>>>> as a whole. These are counted by the framework and are not stored
> >>>>> anywhere. Note that alongside with these fingerprints SHA1 fingerprints
> >>>>> are also counted and those are there to stay.
> >>>>>
> >>>>> The question for this ML is, then - is it OK to remove these or would
> >>>>> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
> >>>>> grandpa and I think it should go.
> >>>> I based the values displayed on what certutil displayed at the time (7
> >>>> years ago). I don't know that anyone uses these fingerprints. The
> >>>> OpenSSL equivalent doesn't include them by default.
> >>>>
> >>>> You may be able to deprecate fingerprints altogether.
> >>>>
> >>>> rob
> >>> I think it's useful to display the certificate's fingerprint. I'm in
> >>> favor of removing md5 and adding sha256 instead.
> >>>
> >> Rob, thank you for sharing the information of where the cert fingerprints
> >> are originated! `certutil` shipped with nss-3.27.0-1.3 currently displays
> >> SHA-256 and SHA1 fingerprints for certificates so I propose going that way
> >> too.
> >>
> > IMO we should remove MD5 and SHA-1, and add SHA-256. But we should
> > also make no API stability guarantee w.r.t. the fingerprint
> > attributes, i.e. to allow us to move to newer digests in future (and
> > remove broken/no-longer-secure ones). We should advise that if a
> > customer has a hard requirement on a particular digest that they
> > should compute it themselves from the certificate.
> >
> > Cheers,
> > Fraser
> What is the motivation to remove SHA-1? Are there any attacks besides
> theoretical ones on SHA-1?
>
> Do other libraries already deprecate SHA-1?
>
Come to think of it, I was thinking about SHA-1 signatures (which are
completely forbidden in the public PKI nowadays). But for fingerprints
it is not so bad (for now).

Thanks,
Fraser
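Fraser's advice in this thread, that anyone with a hard requirement on a particular digest should compute the fingerprint themselves from the certificate, comes down to hashing the certificate's DER encoding; a fingerprint is nothing more than that. The following is an added example written for this page, not code from FreeIPA's cert plugin or from anyone in the thread. It decodes a PEM certificate to DER, computes colon-separated fingerprints in the layout `certutil` prints, refuses MD5 outright, keeps SHA-1 only as a deprecated option (matching Fraser's follow-up that SHA-1 fingerprints are "not so bad (for now)"), and compares a fingerprint obtained out of band in constant time. The PEM sample is constructed (its body is not a real certificate) and every function name is my own.

```python
import base64
import hashlib
import hmac
import re

# Digests this example is willing to compute. This is not FreeIPA's policy,
# it mirrors the thread's outcome: MD5 is gone, SHA-256 is the default and
# SHA-1 is still computed but flagged as deprecated.
SUPPORTED_DIGESTS = ("sha256", "sha1")
DEPRECATED_DIGESTS = ("sha1",)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)
_NON_HEX_RE = re.compile(r"[^0-9A-Fa-f]")


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(der: bytes, digest: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER bytes, the format
    certutil and most browsers display."""
    if digest not in SUPPORTED_DIGESTS:
        # md5 (and anything else unknown) is refused rather than silently
        # computed, so nothing can keep depending on a broken digest.
        raise ValueError(f"unsupported fingerprint digest: {digest}")
    raw = hashlib.new(digest, der).digest()
    return ":".join(f"{b:02X}" for b in raw)


def fingerprints(der: bytes) -> dict:
    """All supported fingerprints keyed by digest name: the attribute set a
    cert-show style command could return without promising any one of them."""
    return {name: fingerprint(der, name) for name in SUPPORTED_DIGESTS}


def digest_for_fingerprint(presented: str) -> str:
    """Infer the digest from the hex length of a presented fingerprint."""
    hexstr = _NON_HEX_RE.sub("", presented)
    if len(hexstr) == 32:
        raise ValueError("MD5 fingerprints are not accepted")
    by_len = {hashlib.new(d).digest_size * 2: d for d in SUPPORTED_DIGESTS}
    try:
        return by_len[len(hexstr)]
    except KeyError:
        raise ValueError(f"unrecognised fingerprint length {len(hexstr)}") from None


def matches(der: bytes, presented: str) -> bool:
    """Compare a fingerprint from an out-of-band source against the
    certificate in constant time; separators and case are ignored."""
    digest = digest_for_fingerprint(presented)
    expected = fingerprint(der, digest).replace(":", "")
    got = _NON_HEX_RE.sub("", presented).upper()
    return hmac.compare_digest(expected.encode(), got.encode())


# Constructed sample: the body is base64 of the bytes b"abc", NOT a real
# certificate. Fingerprinting never parses the certificate, so any DER blob
# exercises the same code path.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for name, fp in fingerprints(der).items():
        flag = " (deprecated)" if name in DEPRECATED_DIGESTS else ""
        print(f"{name}{flag}: {fp}")
    # A fingerprint copied from a browser dialog, spaces instead of colons.
    print("match:", matches(der, "ba78 16bf 8f01 cfea 4141 40de 5dae 2223 "
                                 "b003 61a3 9617 7a9c b410 ff61 f200 15ad"))
```

Selecting the digest by length is what makes the API digest-agile: a newer hash can be added to `SUPPORTED_DIGESTS` and an old one dropped without changing any caller, which is exactly the "no API stability guarantee" Fraser argues for.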
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 22 Feb 2017 14:17:08 +0100
Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build

URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

lslebodn commented:
"""
On (22/02/17 03:24), Christian Heimes wrote:
>python-requests is a bad example because it suffers from the same issue as IPA.
>
>A better example is any other modern Python project like cryptography. It runs tests with installed files, not in-tree files.
>
hmm; I probably missed something.

```
sh$ rpm -ql python3-cryptography | grep test
/usr/share/doc/python3-cryptography/docs/development/test-vectors.rst
```

```
sh$ wget --content-disposition https://github.com/pyca/cryptography/archive/1.7.2.tar.gz
2017-02-22 14:10:00 (9.86 MB/s) - ‘cryptography-1.7.2.tar.gz’ saved [27131190]
sh$ tar -xzf cryptography-1.7.2.tar.gz
sh$ find cryptography-1.7.2/ -name "*test*"
cryptography-1.7.2/vectors/cryptography_vectors/keywrap/kwtestvectors
cryptography-1.7.2/vectors/cryptography_vectors/hashes/whirlpool/iso-test-vectors.txt
cryptography-1.7.2/vectors/cryptography_vectors/asymmetric/Traditional_OpenSSL_Serialization/testrsa.pem
cryptography-1.7.2/vectors/cryptography_vectors/asymmetric/Traditional_OpenSSL_Serialization/testrsa-encrypted.pem
cryptography-1.7.2/vectors/cryptography_vectors/asymmetric/DER_Serialization/testrsa.der
cryptography-1.7.2/tests
cryptography-1.7.2/tests/test_x509_revokedcertbuilder.py
cryptography-1.7.2/tests/test_x509_ext.py
cryptography-1.7.2/tests/test_x509_crlbuilder.py
cryptography-1.7.2/tests/test_x509.py
cryptography-1.7.2/tests/test_warnings.py
cryptography-1.7.2/tests/test_utils.py
cryptography-1.7.2/tests/test_interfaces.py
cryptography-1.7.2/tests/test_fernet.py
cryptography-1.7.2/tests/test_cryptography_utils.py
cryptography-1.7.2/tests/hypothesis/test_padding.py
cryptography-1.7.2/tests/hypothesis/test_fernet.py
cryptography-1.7.2/tests/hazmat/primitives/twofactor/test_totp.py
cryptography-1.7.2/tests/hazmat/primitives/twofactor/test_hotp.py
cryptography-1.7.2/tests/hazmat/primitives/test_x963kdf.py
cryptography-1.7.2/tests/hazmat/primitives/test_x963_vectors.py
cryptography-1.7.2/tests/hazmat/primitives/test_serialization.py
cryptography-1.7.2/tests/hazmat/primitives/test_seed.py
cryptography-1.7.2/tests/hazmat/primitives/test_scrypt.py
cryptography-1.7.2/tests/hazmat/primitives/test_rsa.py
cryptography-1.7.2/tests/hazmat/primitives/test_pbkdf2hmac_vectors.py
cryptography-1.7.2/tests/hazmat/primitives/test_pbkdf2hmac.py
cryptography-1.7.2/tests/hazmat/primitives/test_padding.py
cryptography-1.7.2/tests/hazmat/primitives/test_keywrap.py
cryptography-1.7.2/tests/hazmat/primitives/test_kbkdf_vectors.py
cryptography-1.7.2/tests/hazmat/primitives/test_kbkdf.py
cryptography-1.7.2/tests/hazmat/primitives/test_idea.py
cryptography-1.7.2/tests/hazmat/primitives/test_hmac_vectors.py
cryptography-1.7.2/tests/hazmat/primitives/test_hmac.py
cryptography-1.7.2/tests/hazmat/primitives/test_hkdf_vectors.py
cryptography-1.7.2/tests/hazmat/primitives/test_hkdf.py
cryptography-1.7.2/tests/hazmat/primitives/test_hashes.py
cryptography-1.7.2/tests/hazmat/primitives/test_hash_vectors.py
cryptography-1.7.2/tests/hazmat/primitives/test_ec.py
cryptography-1.7.2/tests/hazmat/primitives/test_dsa.py
cryptography-1.7.2/tests/hazmat/primitives/test_dh.py
cryptography-1.7.2/tests/hazmat/primitives/test_constant_time.py
cryptography-1.7.2/tests/hazmat/primitives/test_concatkdf.py
cryptography-1.7.2/tests/hazmat/primitives/test_cmac.py
cryptography-1.7.2/tests/hazmat/primitives/test_ciphers.py
cryptography-1.7.2/tests/hazmat/primitives/test_cast5.py
cryptography-1.7.2/tests/hazmat/primitives/test_camellia.py
cryptography-1.7.2/tests/hazmat/primitives/test_blowfish.py
cryptography-1.7.2/tests/hazmat/primitives/test_block.py
cryptography-1.7.2/tests/hazmat/primitives/test_asym_utils.py
cryptography-1.7.2/tests/hazmat/primitives/test_arc4.py
cryptography-1.7.2/tests/hazmat/primitives/test_aes.py
cryptography-1.7.2/tests/hazmat/primitives/test_3des.py
cryptography-1.7.2/tests/hazmat/bindings/test_openssl.py
cryptography-1.7.2/tests/hazmat/bindings/test_commoncrypto.py
cryptography-1.7.2/tests/hazmat/backends/test_openssl.py
cryptography-1.7.2/tests/hazmat/backends/test_multibackend.py
cryptography-1.7.2/tests/hazmat/backends/test_commoncrypto.py
cryptography-1.7.2/tests/hazmat/backends/test_backendinit.py
cryptography-1.7.2/tests/conftest.py
cryptography-1.7.2/docs/development/test-vectors.rst
```

and unit tests are executed as part of rpm-build.
```
http://pkgs.fedoraproject.org/cgit/rpms/python-cryptography.git/tree/python-cryptography.spec#n133
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281666168

From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 22 Feb 2017 15:10:07 +0100
Subject: [Freeipa-devel] [freeipa PR#434][comment] csrgen: Automate full cert request flow

URL: https://github.com/freeipa/freeipa/pull/434
Title: #434: csrgen: Automate full cert request flow

HonzaCholasta commented:
"""
Thank you. LGTM, but please squash the fixup commit.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/434#issuecomment-281679144
From: freeipa-github-notification at redhat.com (simo5)
Date: Wed, 22 Feb 2017 15:16:39 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

simo5 commented:
"""
So this is the reasoning and why I am approving this PR and not #494.

When you build all components, including server bits, tests are installed, therefore when we build just client bits tests that are relevant to client bits also need to be installed for consistency.

Any switch should default to the same behavior regardless of whether server build is enabled. It is confusing if the --with[out]-[ipa]tests switch changes default based on a different switch passed to configure.

As far as I understand this PR maintains the same default for either server or client only builds, so it gets my approval.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-281680804

From: freeipa-github-notification at redhat.com (simo5)
Date: Wed, 22 Feb 2017 15:16:51 +0100
Subject: [Freeipa-devel] [freeipa PR#364][+ack] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

Label: +ack
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Wed, 22 Feb 2017 15:30:32 +0100
Subject: [Freeipa-devel] [freeipa PR#490][synchronized] [WIP] certdb: use certutil and match_hostname for cert verification

URL: https://github.com/freeipa/freeipa/pull/490
Author: HonzaCholasta
Title: #490: [WIP] certdb: use certutil and match_hostname for cert verification
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/490/head:pr490
git checkout pr490
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-490.patch
Type: text/x-diff
Size: 10823 bytes
Desc: not available

From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 22 Feb 2017 15:36:34 +0100
Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build

URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

lslebodn commented:
"""
On (22/02/17 01:52), Tomas Krizek wrote:
>@lslebodn My bad, there was some leftover stuff that `git clean -dfx` didn't clear for some reason.
>
>Nevertheless, this does work and allows a client only, as well as installing tests with `--with-tests` option. The mock build when run with `--without=server` does install less dependencies.
>
>But I'm not acking, because of the controversy with the `--with-tests` option (see #364).
>
@tomaskrizek FYI `rpmbuild` accepts also parameter `--without server` but it is not simple to pass it through `make rpms` and it would not check minimal dependencies in spec file.

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281686378
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 22 Feb 2017 15:41:40 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
On (22/02/17 06:16), Simo Sorce wrote:
>So this is the reasoning and why I am approving this PR and not #494.
>
>When you build all components, including server bits, tests are installed, therefore when we build just client bits tests that are relevant to client bits also need to be installed for consistency.
>
>Any switch should default to the same behavior regardless of whether server build is enabled. It is confusing if the --with[out]-[ipa]tests switch changes default based on a different switch passed to configure.
>
>As far as I understand this PR maintains the same default for either server or client only builds, so it gets my approval.
>
Neither of the python packages which I mention in #494 packages unit tests in fedora. So there is not a reason to package them by default for client only build.
And integration tests require server therefore must not be installed by default with client-only build.

Result: This PR has wrong default for installation of ipatests with client-only build.

LS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-281687875

From: freeipa-github-notification at redhat.com (pvoborni)
Date: Wed, 22 Feb 2017 15:49:00 +0100
Subject: [Freeipa-devel] [freeipa PR#364][+pushed] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

Label: +pushed
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Wed, 22 Feb 2017 15:49:02 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

pvoborni commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/70554938d4f9ba5b347cd4bc8001428e905198e4
https://fedorahosted.org/freeipa/changeset/41d7ae54fafc6deb602e1a990eaec37c6ae4880b
https://fedorahosted.org/freeipa/changeset/20c1eb9844223d892da47da1ea10662d37953ff8
https://fedorahosted.org/freeipa/changeset/2747f2ad782c7640ecc6949098f0d43411182255
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-281689932

From: freeipa-github-notification at redhat.com (pvoborni)
Date: Wed, 22 Feb 2017 15:49:03 +0100
Subject: [Freeipa-devel] [freeipa PR#364][closed] Client-only builds with --disable-server

URL: https://github.com/freeipa/freeipa/pull/364
Author: tiran
Title: #364: Client-only builds with --disable-server
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/364/head:pr364
git checkout pr364

From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 22 Feb 2017 15:51:12 +0100
Subject: [Freeipa-devel] [freeipa PR#468][+pushed] Remove non-sensical kdestroy on https stop

URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

Label: +pushed
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 22 Feb 2017 15:51:14 +0100
Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/b8f304c66994ae82ea484a4e8bd057d4ccf1e6bd
"""

See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-281690573

From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 22 Feb 2017 15:51:15 +0100
Subject: [Freeipa-devel] [freeipa PR#468][closed] Remove non-sensical kdestroy on https stop

URL: https://github.com/freeipa/freeipa/pull/468
Author: simo5
Title: #468: Remove non-sensical kdestroy on https stop
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/468/head:pr468
git checkout pr468

From: freeipa-github-notification at redhat.com (pvoborni)
Date: Wed, 22 Feb 2017 15:51:45 +0100
Subject: [Freeipa-devel] [freeipa PR#494][+rejected] Support client-only build

URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

Label: +rejected
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Wed, 22 Feb 2017 15:52:05 +0100
Subject: [Freeipa-devel] [freeipa PR#494][comment] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494
Title: #494: Support client-only build

pvoborni commented:
"""
#364 was pushed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/494#issuecomment-281690828

From freeipa-github-notification at redhat.com Wed Feb 22 14:52:06 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Wed, 22 Feb 2017 15:52:06 +0100
Subject: [Freeipa-devel] [freeipa PR#494][closed] Support client-only build
URL: https://github.com/freeipa/freeipa/pull/494
Author: lslebodn
Title: #494: Support client-only build
Action: closed

To pull the PR as Git branch:
    git remote add ghfreeipa https://github.com/freeipa/freeipa
    git fetch ghfreeipa pull/494/head:pr494
    git checkout pr494

From freeipa-github-notification at redhat.com Wed Feb 22 14:53:54 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 22 Feb 2017 15:53:54 +0100
Subject: [Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop
URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

martbab commented:
"""
@pvoborni should the fix go also into 4-4 branch?
see https://fedorahosted.org/freeipa/ticket/6673#comment:3
"""

See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-281691344

From freeipa-github-notification at redhat.com Wed Feb 22 14:58:14 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Wed, 22 Feb 2017 15:58:14 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

pvoborni commented:
"""
Also I added section to FreeIPA wiki:
http://www.freeipa.org/page/V4/Build_system_refactoring#Packager_-_client_only_build
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-281692728

From simo at redhat.com Wed Feb 22 15:00:04 2017
From: simo at redhat.com (Simo Sorce)
Date: Wed, 22 Feb 2017 10:00:04 -0500
Subject: [Freeipa-devel] Requiring simultaneous authentication to Linux resources
Message-ID: <1487775604.1893.95.camel@redhat.com>

On Wed, 2017-02-22 at 10:59 +0000, Oucema Bellagha wrote:
> I want to figure out a solution which allow user"a" to authenticate to
> a host only when user"b" is accessing the host for security reasons.
>
>
> Easy explanation: authenticate to hostx needs (user a + user b)
>
>
> I'm brainstorming some ideas using Yubikey or ssh-keys.. Is there any
> application which allow us to access a host only when 2 users are
> present cause putty doesn't have this feature which can be a step to
> solve this problem ..
>
>
> Or in applying some specified rules in IPA itself ?

As explained, there is no such concept in Unix/Linux to start with, but
maybe you mean that you want to check credentials of 2 different users
to allow privileged login, like root login ?

Or is this something else ?

It'd be nice if you can describe precisely what actions and results you
expect to see.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From freeipa-github-notification at redhat.com Wed Feb 22 15:53:32 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 22 Feb 2017 16:53:32 +0100
Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
    git remote add ghfreeipa https://github.com/freeipa/freeipa
    git fetch ghfreeipa pull/367/head:pr367
    git checkout pr367

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-367.patch
Type: text/x-diff
Size: 122307 bytes
Desc: not available

From freeipa-github-notification at redhat.com Wed Feb 22 15:54:35 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 22 Feb 2017 16:54:35 +0100
Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

stlaz commented:
"""
First set of fixes to comments arrived, throwing it to Travis.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-281710491

From freeipa-github-notification at redhat.com Wed Feb 22 17:50:10 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 22 Feb 2017 18:50:10 +0100
Subject: [Freeipa-devel] [freeipa PR#457][+ack] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
URL: https://github.com/freeipa/freeipa/pull/457
Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
Label: +ack

From freeipa-github-notification at redhat.com Wed Feb 22 17:50:58 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 22 Feb 2017 18:50:58 +0100
Subject: [Freeipa-devel] [freeipa PR#457][+pushed] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
URL: https://github.com/freeipa/freeipa/pull/457
Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
Label: +pushed

From freeipa-github-notification at redhat.com Wed Feb 22 17:50:59 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 22 Feb 2017 18:50:59 +0100
Subject: [Freeipa-devel] [freeipa PR#457][comment] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
URL: https://github.com/freeipa/freeipa/pull/457
Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab

MartinBasti commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/af998c4d30175fb3ecc148e1b3a7aca03ef9239a
https://fedorahosted.org/freeipa/changeset/6c0baa6208c2bf97b5ed7ea6e9836963dced64b0
https://fedorahosted.org/freeipa/changeset/ce3baf28ce81458e1c5bf57188858d3d120ec3dd
https://fedorahosted.org/freeipa/changeset/8bac62b7f5d01ceb20388599e8549b1b222f283e
"""

See the full comment at https://github.com/freeipa/freeipa/pull/457#issuecomment-281747015

From freeipa-github-notification at redhat.com Wed Feb 22 17:51:01 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 22 Feb 2017 18:51:01 +0100
Subject: [Freeipa-devel] [freeipa PR#457][closed] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
URL: https://github.com/freeipa/freeipa/pull/457
Author: martbab
Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
Action: closed

To pull the PR as Git branch:
    git remote add ghfreeipa https://github.com/freeipa/freeipa
    git fetch ghfreeipa pull/457/head:pr457
    git checkout pr457

From freeipa-github-notification at redhat.com Wed Feb 22 17:57:17 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 22 Feb 2017 18:57:17 +0100
Subject: [Freeipa-devel] [freeipa PR#495][comment] Fix ipa-server-upgrade
URL: https://github.com/freeipa/freeipa/pull/495
Title: #495: Fix ipa-server-upgrade

MartinBasti commented:
"""
Does this belong to any ticket which caused this regression?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/495#issuecomment-281748907

From freeipa-github-notification at redhat.com Wed Feb 22 17:59:15 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Wed, 22 Feb 2017 18:59:15 +0100
Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

MartinBasti commented:
"""
LGTM, please rebase and I will test it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281749499

From freeipa-github-notification at redhat.com Wed Feb 22 18:33:03 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 22 Feb 2017 19:33:03 +0100
Subject: [Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472
Author: tiran
Title: #472: Packaging: Add placeholder packages
Action: synchronized

To pull the PR as Git branch:
    git remote add ghfreeipa https://github.com/freeipa/freeipa
    git fetch ghfreeipa pull/472/head:pr472
    git checkout pr472

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-472.patch
Type: text/x-diff
Size: 28458 bytes
Desc: not available

From freeipa-github-notification at redhat.com Wed Feb 22 18:33:58 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 22 Feb 2017 19:33:58 +0100
Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

tiran commented:
"""
@MartinBasti I have rebased the branch and added wheel + placeholder building to make check. The pylint violations have disappeared.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281759354

From freeipa-github-notification at redhat.com Wed Feb 22 18:37:32 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Wed, 22 Feb 2017 19:37:32 +0100
Subject: [Freeipa-devel] [freeipa PR#492][comment] [WIP] config: remove meaningless defaults
URL: https://github.com/freeipa/freeipa/pull/492
Title: #492: [WIP] config: remove meaningless defaults

tiran commented:
"""
It's probably easier to always define options like `ldap_uri` but use `None` as default.

```
cd .; ./makeaci --validate
./makeaci: ipaserver/plugins/dogtag.py:244: ignoring ImportError: No module named backports_abc
./makeaci: ipaserver/plugins/dogtag.py:244: ignoring ImportError: No module named rnc2rng
Traceback (most recent call last):
  File "./makeaci", line 134, in
    main(options)
  File "./makeaci", line 107, in main
    api.finalize()
  File "/freeipa/ipalib/plugable.py", line 747, in finalize
    self._get(plugin)
  File "/freeipa/ipalib/plugable.py", line 776, in _get
    instance = self.__instances[plugin] = plugin(self)
  File "/freeipa/ipaserver/plugins/ldap2.py", line 72, in __init__
    ldap_uri = api.env.ldap_uri
AttributeError: 'Env' object has no attribute 'ldap_uri'
Exception AttributeError: "'ldap2' object has no attribute 'id'" in ignored
make: *** [acilint] Error 1
Makefile:1108: recipe for target 'acilint' failed
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/492#issuecomment-281760358

From freeipa-github-notification at redhat.com Wed Feb 22 19:51:38 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Wed, 22 Feb 2017 20:51:38 +0100
Subject: [Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
> Thanks for your contribution. I added your patch to my PR. On my system I ran into a minor issue.
> Some C99 types like uint8_t were not defined and I had to include stdint.h.

This change is not enough; there is still a warning:

```
ipa_pwd_ntlm.c: In function 'encode_nt_key':
ipa_pwd_ntlm.c:58:5: warning: implicit declaration of function 'strlen' [-Wimplicit-function-declaration]
     il = strlen(newPasswd);
     ^
ipa_pwd_ntlm.c:58:10: warning: incompatible implicit declaration of built-in function 'strlen'
     il = strlen(newPasswd);
          ^
```

The latest version is a small improvement, but there are still problems/small issues because this PR was created with the intention to use tox.
I know you are busy, so I wrote a client-only implementation from scratch.

This PR is superseded by #494
"""

See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-281606346

From freeipa-github-notification at redhat.com Wed Feb 22 20:12:21 2017
From: freeipa-github-notification at redhat.com (sumit-bose)
Date: Wed, 22 Feb 2017 21:12:21 +0100
Subject: [Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

sumit-bose commented:
"""
It looks like the ACIs on the latest version do not allow hosts to access the rules. When I do 'kinit -k' on the IPA server or a client and call

    ldapsearch -H ldap://ipa-server.ipa.devel '(&(objectClass=ipaCertMapRule)(ipaEnabledFlag=TRUE))' -Y GSSAPI

I do not get any results. When I call 'kinit admin' and use the same ldapsearch I get my rule returned.

Can you confirm this or is my test system broken?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-281788601

From freeipa-github-notification at redhat.com Wed Feb 22 20:37:18 2017
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Wed, 22 Feb 2017 21:37:18 +0100
Subject: [Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

flo-renaud commented:
"""
Hi @sumit-bose ,
I am not able to reproduce this issue:

```
[root@vm-161 ~]# kinit -k
[root@vm-161 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_h6XRpeK
Default principal: host/vm-161.example.com@DOM-161.EXAMPLE.COM

Valid starting       Expires              Service principal
02/22/2017 21:30:10  02/23/2017 21:30:10  krbtgt/DOM-161.EXAMPLE.COM@DOM-161.EXAMPLE.COM
[root@vm-161 ~]# ldapsearch -H ldap://vm-161 '(&(objectClass=ipaCertMapRule)(ipaEnabledFlag=TRUE))' -Y GSSAPI -LLL
SASL/GSSAPI authentication started
SASL username: host/vm-161.example.com@DOM-161.EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn: cn=rule1,cn=certmaprules,cn=certmap,dc=dom-161,dc=example,dc=com
objectClass: ipacertmaprule
objectClass: top
cn: rule1
description: d1
ipaEnabledFlag: TRUE
```

Do you have the ACI "permission:System: Read Certmap Rules" defined on dn: cn=certmaprules,cn=certmap,$BASEDN? It should grant access to ldap:///all
"""

See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-281795345

From ftweedal at redhat.com Wed Feb 22 22:55:51 2017
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 23 Feb 2017 08:55:51 +1000
Subject: [Freeipa-devel] Requiring simultaneous authentication to Linux resources
In-Reply-To: <1487775604.1893.95.camel@redhat.com>
References: <1487775604.1893.95.camel@redhat.com>
Message-ID: <20170222225551.GC3557@dhcp-40-8.bne.redhat.com>

On Wed, Feb 22, 2017 at 10:00:04AM -0500, Simo Sorce wrote:
> On Wed, 2017-02-22 at 10:59 +0000, Oucema Bellagha wrote:
> > I want to figure out a solution which allow user"a" to authenticate to
> > a host only when user"b" is accessing the host for security reasons.
> >
> >
> > Easy explanation: authenticate to hostx needs (user a + user b)
> >
> >
> > I'm brainstorming some ideas using Yubikey or ssh-keys.. Is there any
> > application which allow us to access a host only when 2 users are
> > present cause putty doesn't have this feature which can be a step to
> > solve this problem ..
> >
> >
> > Or in applying some specified rules in IPA itself ?
>
> As explained, there is no such concept in Unix/Linux to start with, but
> maybe you mean that you want to check credentials of 2 different users
> to allow privileged login, like root login ?
>
If this is the use case, it could be an interesting application for
clevis.

> Or is this something else ?
>
> It'd be nice if you can describe precisely what actions and results you
> expect to see.
>
> Simo.
>
> -- 
> Simo Sorce * Red Hat, Inc * New York
>
> -- 
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

From freeipa-github-notification at redhat.com Thu Feb 23 06:20:21 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Thu, 23 Feb 2017 07:20:21 +0100
Subject: [Freeipa-devel] [freeipa PR#495][comment] Fix ipa-server-upgrade
URL: https://github.com/freeipa/freeipa/pull/495
Title: #495: Fix ipa-server-upgrade

HonzaCholasta commented:
"""
@MartinBasti, https://fedorahosted.org/freeipa/ticket/5959.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/495#issuecomment-281905518

From freeipa-github-notification at redhat.com Thu Feb 23 07:07:15 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 23 Feb 2017 08:07:15 +0100
Subject: [Freeipa-devel] [freeipa PR#495][synchronized] Fix ipa-server-upgrade
URL: https://github.com/freeipa/freeipa/pull/495
Author: stlaz
Title: #495: Fix ipa-server-upgrade
Action: synchronized

To pull the PR as Git branch:
    git remote add ghfreeipa https://github.com/freeipa/freeipa
    git fetch ghfreeipa pull/495/head:pr495
    git checkout pr495

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-495.patch
Type: text/x-diff
Size: 901 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Feb 23 07:07:25 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 23 Feb 2017 08:07:25 +0100
Subject: [Freeipa-devel] [freeipa PR#495][comment] Fix ipa-server-upgrade
URL: https://github.com/freeipa/freeipa/pull/495
Title: #495: Fix ipa-server-upgrade

stlaz commented:
"""
I see where this is going, added the ticket to the commit message.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/495#issuecomment-281912763

From freeipa-github-notification at redhat.com Thu Feb 23 07:14:48 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 23 Feb 2017 08:14:48 +0100
Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
    git remote add ghfreeipa https://github.com/freeipa/freeipa
    git fetch ghfreeipa pull/367/head:pr367
    git checkout pr367

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-367.patch
Type: text/x-diff
Size: 122298 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Feb 23 07:25:22 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 23 Feb 2017 08:25:22 +0100
Subject: [Freeipa-devel] [freeipa PR#496][opened] Use newer Certificate.serial_number in krainstance.py
URL: https://github.com/freeipa/freeipa/pull/496
Author: stlaz
Title: #496: Use newer Certificate.serial_number in krainstance.py
Action: opened

PR body:
"""
This bit was missed in https://github.com/freeipa/freeipa/pull/458
"""

To pull the PR as Git branch:
    git remote add ghfreeipa https://github.com/freeipa/freeipa
    git fetch ghfreeipa pull/496/head:pr496
    git checkout pr496

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-496.patch
Type: text/x-diff
Size: 875 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Feb 23 08:23:17 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 09:23:17 +0100
Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

MartinBasti commented:
"""
Is it really needed to have this in make check? It makes the build dependencies of wheel mandatory, not optional.

```
error: invalid command 'bdist_wheel'
make[5]: *** [bdist_wheel] Error 1
Makefile:591: recipe for target 'bdist_wheel' failed
make[5]: Leaving directory '/freeipa/rpmbuild/BUILD/freeipa-4.4.90.dev201702221837+git07cd377/pypi/freeipa'
Makefile:1192: recipe for target 'wheel_placeholder' failed
make[4]: *** [wheel_placeholder] Error 1
make[4]: *** Waiting for unfinished jobs....
usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
   or: setup.py --help [cmd1 cmd2 ...]
   or: setup.py --help-commands
   or: setup.py cmd --help
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281926018

From freeipa-github-notification at redhat.com Thu Feb 23 08:33:05 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 23 Feb 2017 09:33:05 +0100
Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

tiran commented:
"""
I'm open to suggestions here, but I like to have automatic validation of packaging.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281928143

From freeipa-github-notification at redhat.com Thu Feb 23 08:33:51 2017
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Thu, 23 Feb 2017 09:33:51 +0100
Subject: [Freeipa-devel] [freeipa PR#496][comment] Use newer Certificate.serial_number in krainstance.py
URL: https://github.com/freeipa/freeipa/pull/496
Title: #496: Use newer Certificate.serial_number in krainstance.py

flo-renaud commented:
"""
Hi @stlaz ,
the warning

```
/usr/lib/python2.7/site-packages/ipaserver/install/krainstance.py:316: DeprecationWarning: Certificate serial is deprecated, use serial_number instead.
```

is not present anymore. ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/496#issuecomment-281928293

From freeipa-github-notification at redhat.com Thu Feb 23 08:33:58 2017
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Thu, 23 Feb 2017 09:33:58 +0100
Subject: [Freeipa-devel] [freeipa PR#496][+ack] Use newer Certificate.serial_number in krainstance.py
URL: https://github.com/freeipa/freeipa/pull/496
Title: #496: Use newer Certificate.serial_number in krainstance.py
Label: +ack

From freeipa-github-notification at redhat.com Thu Feb 23 08:40:27 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Thu, 23 Feb 2017 09:40:27 +0100
Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

lslebodn commented:
"""
I agree with @MartinBasti it is not a unit test. IMHO better approach is to test it in CI/travis/...
"""

See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281929628

From freeipa-github-notification at redhat.com Thu Feb 23 08:46:44 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 23 Feb 2017 09:46:44 +0100
Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

tiran commented:
"""
That's not the point here. We are arguing about a new build dependency (python-wheel).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281930993

From freeipa-github-notification at redhat.com Thu Feb 23 08:48:20 2017
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Thu, 23 Feb 2017 09:48:20 +0100
Subject: [Freeipa-devel] [freeipa PR#412][comment] Define template version in certmap.conf
URL: https://github.com/freeipa/freeipa/pull/412
Title: #412: Define template version in certmap.conf

flo-renaud commented:
"""
Bump for review
"""

See the full comment at https://github.com/freeipa/freeipa/pull/412#issuecomment-281931336

From freeipa-github-notification at redhat.com Thu Feb 23 08:51:50 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 23 Feb 2017 09:51:50 +0100
Subject: [Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing
URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local testing

tiran commented:
"""
I didn't know about the `SkipPluginModule` feature. I agree with you, your solution is more elegant.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-281932095

From freeipa-github-notification at redhat.com Thu Feb 23 08:59:29 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Thu, 23 Feb 2017 09:59:29 +0100
Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

lslebodn commented:
"""
FYI: At the moment, `make check` runs just the C-based unit tests and all of them are optional. If a required dependency is not found at configure time then the test is not built/executed. The reason is that required dependencies are not in some downstream distributions and IIRC python-wheel is not there either.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281933816

From freeipa-github-notification at redhat.com Thu Feb 23 09:01:14 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 23 Feb 2017 10:01:14 +0100
Subject: [Freeipa-devel] [freeipa PR#493][comment] Update Contributors.txt
URL: https://github.com/freeipa/freeipa/pull/493
Title: #493: Update Contributors.txt

stlaz commented:
"""
I don't give two poops and a popsicle about the order of names in the Contributors.txt file. ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/493#issuecomment-281934226

From freeipa-github-notification at redhat.com Thu Feb 23 09:01:20 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 23 Feb 2017 10:01:20 +0100
Subject: [Freeipa-devel] [freeipa PR#493][+ack] Update Contributors.txt
URL: https://github.com/freeipa/freeipa/pull/493
Title: #493: Update Contributors.txt
Label: +ack

From freeipa-github-notification at redhat.com Thu Feb 23 09:02:47 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Thu, 23 Feb 2017 10:02:47 +0100
Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

pvoborni commented:
"""
Some distros like RHEL don't have python-wheel packaged. It can be disabled by a downstream patch, but it would be better to remove it or make it configurable.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281934554

From freeipa-github-notification at redhat.com Thu Feb 23 09:04:59 2017
From: freeipa-github-notification at redhat.com (lslebodn)
Date: Thu, 23 Feb 2017 10:04:59 +0100
Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

lslebodn commented:
"""
NACK for downstream patch. The intention of the build system refactoring was to make packaging in downstream simpler.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281935052

From freeipa-github-notification at redhat.com Thu Feb 23 09:08:40 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 10:08:40 +0100
Subject: [Freeipa-devel] [freeipa PR#460][+postponed] [Py3] ipa-server-install, ipa-server-upgrade fixes
URL: https://github.com/freeipa/freeipa/pull/460
Title: #460: [Py3] ipa-server-install, ipa-server-upgrade fixes
Label: +postponed

From freeipa-github-notification at redhat.com Thu Feb 23 09:08:59 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 10:08:59 +0100
Subject: [Freeipa-devel] [freeipa PR#439][+postponed] [WIP] [Py3] testing both py2/py3 in travis
URL: https://github.com/freeipa/freeipa/pull/439
Title: #439: [WIP] [Py3] testing both py2/py3 in travis
Label: +postponed

From freeipa-github-notification at redhat.com Thu Feb 23 09:14:23 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 10:14:23 +0100
Subject: [Freeipa-devel] [freeipa PR#496][+pushed] Use newer Certificate.serial_number in krainstance.py
URL: https://github.com/freeipa/freeipa/pull/496
Title: #496: Use newer Certificate.serial_number in krainstance.py
Label: +pushed

From freeipa-github-notification at redhat.com Thu Feb 23 09:14:25 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 10:14:25 +0100
Subject: [Freeipa-devel] [freeipa PR#496][closed] Use newer Certificate.serial_number in krainstance.py
URL: https://github.com/freeipa/freeipa/pull/496
Author: stlaz
Title: #496: Use newer Certificate.serial_number in krainstance.py
Action: closed

To pull the PR as Git branch:
    git remote add ghfreeipa https://github.com/freeipa/freeipa
    git fetch ghfreeipa pull/496/head:pr496
    git checkout pr496

From freeipa-github-notification at redhat.com Thu Feb 23 09:14:26 2017
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 23 Feb 2017 10:14:26 +0100 Subject: [Freeipa-devel] [freeipa PR#496][comment] Use newer Certificate.serial_number in krainstance.py In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/496 Title: #496: Use newer Certificate.serial_number in krainstance.py MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/8c2cd66269d7be976ae7fc990343ed8e9b5282a3 """ See the full comment at https://github.com/freeipa/freeipa/pull/496#issuecomment-281937212 From freeipa-github-notification at redhat.com Thu Feb 23 09:15:23 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 23 Feb 2017 10:15:23 +0100 Subject: [Freeipa-devel] [freeipa PR#495][+pushed] Fix ipa-server-upgrade In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/495 Title: #495: Fix ipa-server-upgrade Label: +pushed From freeipa-github-notification at redhat.com Thu Feb 23 09:15:24 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 23 Feb 2017 10:15:24 +0100 Subject: [Freeipa-devel] [freeipa PR#495][comment] Fix ipa-server-upgrade In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/495 Title: #495: Fix ipa-server-upgrade MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/32076df10231b381a80c9ef850c2c31d7a25feb8 """ See the full comment at https://github.com/freeipa/freeipa/pull/495#issuecomment-281937465 From freeipa-github-notification at redhat.com Thu Feb 23 09:15:26 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 23 Feb 2017 10:15:26 +0100 Subject: [Freeipa-devel] [freeipa PR#495][closed] Fix ipa-server-upgrade In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/495 Author: stlaz Title: #495: Fix ipa-server-upgrade Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/495/head:pr495 git checkout pr495 From freeipa-github-notification at redhat.com Thu Feb 23 09:17:04 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 23 Feb 2017 10:17:04 +0100 Subject: [Freeipa-devel] [freeipa PR#493][+pushed] Update Contributors.txt In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/493 Title: #493: Update Contributors.txt Label: +pushed From freeipa-github-notification at redhat.com Thu Feb 23 09:17:05 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 23 Feb 2017 10:17:05 +0100 Subject: [Freeipa-devel] [freeipa PR#493][comment] Update Contributors.txt In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/493 Title: #493: Update Contributors.txt MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/b367c3a622c8c8b96777e4ce50334d2a4477bbe7 """ See the full comment at https://github.com/freeipa/freeipa/pull/493#issuecomment-281937859 From freeipa-github-notification at redhat.com Thu Feb 23 09:17:07 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 23 Feb 2017 10:17:07 +0100 Subject: [Freeipa-devel] [freeipa PR#493][closed] Update Contributors.txt In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/493 Author: mkosek Title: #493: Update Contributors.txt Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/493/head:pr493 git checkout pr493 From freeipa-github-notification at redhat.com Thu Feb 23 09:17:59 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 23 Feb 2017 10:17:59 +0100 Subject: [Freeipa-devel] [freeipa PR#493][comment] Update Contributors.txt In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/493 Title: #493: Update Contributors.txt MartinBasti commented: """ If the script for generating the contributors file were published, it could be documented on the release page and become part of each release. """ See the full comment at https://github.com/freeipa/freeipa/pull/493#issuecomment-281938080 From freeipa-github-notification at redhat.com Thu Feb 23 09:24:09 2017 From: freeipa-github-notification at redhat.com (sumit-bose) Date: Thu, 23 Feb 2017 10:24:09 +0100 Subject: [Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/398 Title: #398: Support for Certificate Identity Mapping sumit-bose commented: """ Ok, sorry for the noise, I tested on a fresh install again and now it is working as expected. I guess I shouldn't have tried to update from an older version of your patch to a newer one. """ See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-281939524 From tjaalton at ubuntu.com Thu Feb 23 09:26:49 2017
From: tjaalton at ubuntu.com (Timo Aaltonen) Date: Thu, 23 Feb 2017 11:26:49 +0200 Subject: [Freeipa-devel] python-ipaserver & freeipa-server-trust-ad split In-Reply-To: <20170220182414.bqfml46eyynydpj6@redhat.com> References: <20170220182414.bqfml46eyynydpj6@redhat.com> Message-ID: <774f338a-a897-91fe-376b-4c16cea161ac@ubuntu.com> On 20.02.2017 20:24, Alexander Bokovoy wrote: > On la, 18 helmi 2017, Timo Aaltonen wrote: >> >> Hi, >> >> So Fedora puts all of dist-packages/ipaserver/* in python-ipaserver, >> but dcerpc.py imports python-samba which -ipaserver does not depend on. >> So I've kept dcerpc.py and adtrustinstance.py in freeipa-server-trust-ad >> on Debian, but now with 4.4.3 (because of fd8c17252fbc) it seems that >> ipa-server-install wants to import adtrustinstance and fails to run if >> it's not installed. >> >> Traceback (most recent call last): >> File "/usr/sbin/ipa-server-install", line 25, in >> from ipaserver.install.server import Server >> File >> "/usr/lib/python2.7/dist-packages/ipaserver/install/server/__init__.py", >> line 8, in >> from .upgrade import upgrade_check, upgrade >> File >> "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", >> line 49, in >> from ipaserver.install import adtrustinstance >> ImportError: cannot import name adtrustinstance >> >> >> So what to do here? I can't remember exactly what problems I hit when >> everything was in python-ipaserver while testing 4.3.0, but I think they >> were about the samba stuff.. and don't want to test again without asking >> first. Should the upgrader stuff be split? > I think we simply can move ipa_smb_conf_exists() to ipapython or ipalib. > It only needs to read a config file and check a signature. Signature > could be > moved to constants. Then ipa_smb_conf_exists() can be imported in both > upgrade tool and in adtrustinstance. > > Want to make a PR? 
Well, maybe I'll first try moving adtrustinstance/dcerpc stuff back to python-ipaserver and see if something breaks with the current version and then perhaps fix that instead. t From freeipa-github-notification at redhat.com Thu Feb 23 09:41:41 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 23 Feb 2017 10:41:41 +0100 Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages MartinBasti commented: """ @tiran I thought we agreed on having `with_wheels` in the specfile and installing dependencies only when you want to build wheel packages, which is not the case for RHEL. So what is the issue with python-wheel? My only concern is to not run the wheel build in make check """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281943814 From freeipa-github-notification at redhat.com Thu Feb 23 09:49:32 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 23 Feb 2017 10:49:32 +0100 Subject: [Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/397 Author: tiran Title: #397: Improve wheel building and provide ipaserver wheel for local testing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/397/head:pr397 git checkout pr397 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-397.patch Type: text/x-diff Size: 13290 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Feb 23 09:52:35 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 23 Feb 2017 10:52:35 +0100 Subject: [Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/472 Author: tiran Title: #472: Packaging: Add placeholder packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/472/head:pr472 git checkout pr472 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-472.patch Type: text/x-diff Size: 27794 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Feb 23 09:54:24 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 23 Feb 2017 10:54:24 +0100 Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages tiran commented: """ @MartinBasti I dropped the last commit. make check no longer checks wheel packages. I'm going to open a new ticket for @martbab and ask him to add a proper test for wheel building to his awesome container magic. """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281946900 From freeipa-github-notification at redhat.com Thu Feb 23 10:06:52 2017
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 23 Feb 2017 11:06:52 +0100 Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/367/head:pr367 git checkout pr367 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-367.patch Type: text/x-diff Size: 123240 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Feb 23 10:07:30 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 23 Feb 2017 11:07:30 +0100 Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/367 Title: #367: Remove nsslib from IPA stlaz commented: """ Some more fixes for Travis to check. """ See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-281950085 From freeipa-github-notification at redhat.com Thu Feb 23 10:10:42 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 23 Feb 2017 11:10:42 +0100 Subject: [Freeipa-devel] [freeipa PR#492][synchronized] [WIP] config: remove meaningless defaults In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/492 Author: HonzaCholasta Title: #492: [WIP] config: remove meaningless defaults Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/492/head:pr492 git checkout pr492 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-492.patch Type: text/x-diff Size: 19277 bytes Desc: not available URL: From mkosek at redhat.com Thu Feb 23 11:31:07 2017 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 23 Feb 2017 12:31:07 +0100 Subject: [Freeipa-devel] Release: script for updating contributors Message-ID: <105263ba-7290-e1c7-fc38-ea329ad75d63@redhat.com> Hi all, Based on my recent Contributors.txt update and on Martin Basti's request in the pull request: https://github.com/freeipa/freeipa/pull/493#issuecomment-281938080 I added my (hacky) script for updating the file in the freeipa-tools repo and updated our Release page: http://www.freeipa.org/page/Release#Update_Contributors.txt HTH! -- Martin Kosek Manager, Software Engineering - Identity Management Team Red Hat, Inc. From mbasti at redhat.com Thu Feb 23 11:39:11 2017 From: mbasti at redhat.com (Martin Basti) Date: Thu, 23 Feb 2017 12:39:11 +0100 Subject: [Freeipa-devel] Release: script for updating contributors In-Reply-To: <105263ba-7290-e1c7-fc38-ea329ad75d63@redhat.com> References: <105263ba-7290-e1c7-fc38-ea329ad75d63@redhat.com> Message-ID: On 23.02.2017 12:31, Martin Kosek wrote: > Hi all, > > Based on my recent Contributors.txt update and on Martin Basti's request in the > pull request: > https://github.com/freeipa/freeipa/pull/493#issuecomment-281938080 > > I added my (hacky) script for updating the file in the freeipa-tools repo and > updated our Release page: > > http://www.freeipa.org/page/Release#Update_Contributors.txt > > HTH! > +1, Thank you! From freeipa-github-notification at redhat.com Thu Feb 23 11:43:46 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 23 Feb 2017 12:43:46 +0100 Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages MartinBasti commented: """ The old pylint issue is back ``` ************* Module ipaserver.install.installutils ipaserver/install/installutils.py:1209: [E1101(no-member), store_version] Module 'ipaplatform' has no 'NAME' member) ipaserver/install/installutils.py:1221: [E1101(no-member), check_version] Module 'ipaplatform' has no 'NAME' member) ipaserver/install/installutils.py:1224: [E1101(no-member), check_version] Module 'ipaplatform' has no 'NAME' member) ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281970741 From freeipa-github-notification at redhat.com Thu Feb 23 11:53:24 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 23 Feb 2017 12:53:24 +0100 Subject: [Freeipa-devel] [freeipa PR#476][synchronized] vault: cache the transport certificate on client In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/476 Author: HonzaCholasta Title: #476: vault: cache the transport certificate on client Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/476/head:pr476 git checkout pr476 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-476.patch Type: text/x-diff Size: 12086 bytes Desc: not available URL: From cheimes at redhat.com Thu Feb 23 12:07:22 2017 
From: cheimes at redhat.com (Christian Heimes) Date: Thu, 23 Feb 2017 13:07:22 +0100 Subject: [Freeipa-devel] make causes unsolicited changes to PO files Message-ID: Hi, for a while now make has been causing unsolicited modifications to all translation files. I have to reset all PO files a couple of times a day during development: git checkout -- po/*.po It's slowly wearing me down. I opened ticket https://fedorahosted.org/freeipa/ticket/6605 a while ago. It contains more details and a reproducer. Regards, Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From freeipa-github-notification at redhat.com Thu Feb 23 12:28:46 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Feb 2017 13:28:46 +0100 Subject: [Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/484 Title: #484: FIPS: Remove pkispawn cruft tomaskrizek commented: """ Works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/484#issuecomment-281979229 From freeipa-github-notification at redhat.com Thu Feb 23 12:28:50 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Feb 2017 13:28:50 +0100 Subject: [Freeipa-devel] [freeipa PR#484][+ack] FIPS: Remove pkispawn cruft In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/484 Title: #484: FIPS: Remove pkispawn cruft Label: +ack From freeipa-github-notification at redhat.com Thu Feb 23 12:49:27 2017
From: freeipa-github-notification at redhat.com (tscherf) Date: Thu, 23 Feb 2017 13:49:27 +0100 Subject: [Freeipa-devel] [freeipa PR#497][opened] added more meaningful help for --external-ca-type option Message-ID: URL: https://github.com/freeipa/freeipa/pull/497 Author: tscherf Title: #497: added more meaningful help for --external-ca-type option Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/497/head:pr497 git checkout pr497 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-497.patch Type: text/x-diff Size: 1137 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Feb 23 12:51:20 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 23 Feb 2017 13:51:20 +0100 Subject: [Freeipa-devel] [freeipa PR#497][comment] added more meaningful help for --external-ca-type option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/497 Title: #497: added more meaningful help for --external-ca-type option MartinBasti commented: """ This is already fixed in master, however it misses what the default value is ``` --external-ca-type={generic,ms-cs} Type of the external CA ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/497#issuecomment-281983727 From freeipa-github-notification at redhat.com Thu Feb 23 13:04:02 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Thu, 23 Feb 2017 14:04:02 +0100 Subject: [Freeipa-devel] [freeipa PR#498][opened] compat: fix `Any` params in `batch` and `dnsrecord` Message-ID: URL: https://github.com/freeipa/freeipa/pull/498 Author: HonzaCholasta Title: #498: compat: fix `Any` params in `batch` and `dnsrecord` Action: opened PR body: """ The `methods` argument of `batch` and `dnsrecords` attribute of `dnsrecord` were incorrectly defined as `Str` instead of `Any`. https://fedorahosted.org/freeipa/ticket/6647 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/498/head:pr498 git checkout pr498 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-498.patch Type: text/x-diff Size: 4401 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Feb 23 13:05:40 2017
From: freeipa-github-notification at redhat.com (tscherf) Date: Thu, 23 Feb 2017 14:05:40 +0100 Subject: [Freeipa-devel] [freeipa PR#497][closed] added more meaningful help for --external-ca-type option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/497 Author: tscherf Title: #497: added more meaningful help for --external-ca-type option Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/497/head:pr497 git checkout pr497 From freeipa-github-notification at redhat.com Thu Feb 23 13:11:07 2017 From: freeipa-github-notification at redhat.com (tscherf) Date: Thu, 23 Feb 2017 14:11:07 +0100 Subject: [Freeipa-devel] [freeipa PR#499][opened] added help about default value for --external-ca-type option Message-ID: URL: https://github.com/freeipa/freeipa/pull/499 Author: tscherf Title: #499: added help about default value for --external-ca-type option Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/499/head:pr499 git checkout pr499 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-499.patch Type: text/x-diff Size: 1092 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Feb 23 13:15:29 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 23 Feb 2017 14:15:29 +0100 Subject: [Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/472 Author: tiran Title: #472: Packaging: Add placeholder packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/472/head:pr472 git checkout pr472 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-472.patch Type: text/x-diff Size: 30072 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Feb 23 13:17:20 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Feb 2017 14:17:20 +0100 Subject: [Freeipa-devel] [freeipa PR#412][comment] Define template version in certmap.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/412 Title: #412: Define template version in certmap.conf tomaskrizek commented: """ Works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/412#issuecomment-281988884 From freeipa-github-notification at redhat.com Thu Feb 23 13:17:25 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Feb 2017 14:17:25 +0100 Subject: [Freeipa-devel] [freeipa PR#412][+ack] Define template version in certmap.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/412 Title: #412: Define template version in certmap.conf Label: +ack From freeipa-github-notification at redhat.com Thu Feb 23 13:18:09 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 23 Feb 2017 14:18:09 +0100 Subject: [Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages tiran commented: """ Commit 1f8326aa fixes an issue in ```Makefile.python.am```. I think the issue caused ```ipaplatform``` and ```pypi/ipaplatform``` to cross streams. """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-281989060 From freeipa-github-notification at redhat.com Thu Feb 23 13:47:07 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 23 Feb 2017 14:47:07 +0100 Subject: [Freeipa-devel] [freeipa PR#499][comment] added help about default value for --external-ca-type option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/499 Title: #499: added help about default value for --external-ca-type option MartinBasti commented: """ Thanks! Next time please use 'git push --force' to update the current pull request instead of creating a new one. """ See the full comment at https://github.com/freeipa/freeipa/pull/499#issuecomment-281995320 From freeipa-github-notification at redhat.com Thu Feb 23 13:47:11 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 23 Feb 2017 14:47:11 +0100 Subject: [Freeipa-devel] [freeipa PR#499][+ack] added help about default value for --external-ca-type option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/499 Title: #499: added help about default value for --external-ca-type option Label: +ack From freeipa-github-notification at redhat.com Thu Feb 23 13:47:58 2017
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 23 Feb 2017 14:47:58 +0100 Subject: [Freeipa-devel] [freeipa PR#497][comment] added more meaningful help for --external-ca-type option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/497 Title: #497: added more meaningful help for --external-ca-type option MartinBasti commented: """ Replaced by #499 """ See the full comment at https://github.com/freeipa/freeipa/pull/497#issuecomment-281995516 From freeipa-github-notification at redhat.com Thu Feb 23 13:48:02 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 23 Feb 2017 14:48:02 +0100 Subject: [Freeipa-devel] [freeipa PR#497][+rejected] added more meaningful help for --external-ca-type option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/497 Title: #497: added more meaningful help for --external-ca-type option Label: +rejected From freeipa-github-notification at redhat.com Thu Feb 23 13:49:48 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Thu, 23 Feb 2017 14:49:48 +0100 Subject: [Freeipa-devel] [freeipa PR#499][comment] added help about default value for --external-ca-type option In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/499 Title: #499: added help about default value for --external-ca-type option MartinBasti commented: """ Thanks! Next time please use `git push --force` to update the current pull request instead of creating a new one. """ See the full comment at https://github.com/freeipa/freeipa/pull/499#issuecomment-281995320 From freeipa-github-notification at redhat.com Thu Feb 23 13:55:11 2017
From: freeipa-github-notification at redhat.com (pvoborni) Date: Thu, 23 Feb 2017 14:55:11 +0100 Subject: [Freeipa-devel] [freeipa PR#484][+pushed] FIPS: Remove pkispawn cruft In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/484 Title: #484: FIPS: Remove pkispawn cruft Label: +pushed From freeipa-github-notification at redhat.com Thu Feb 23 13:55:13 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Thu, 23 Feb 2017 14:55:13 +0100 Subject: [Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/484 Title: #484: FIPS: Remove pkispawn cruft pvoborni commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/728a6bd4229ba170b2e94f216127b19d5d94e2ba https://fedorahosted.org/freeipa/changeset/a39effed7603d66acd238e3142f4df8081ff7bc8 """ See the full comment at https://github.com/freeipa/freeipa/pull/484#issuecomment-281997170 From freeipa-github-notification at redhat.com Thu Feb 23 13:55:14 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Thu, 23 Feb 2017 14:55:14 +0100 Subject: [Freeipa-devel] [freeipa PR#484][closed] FIPS: Remove pkispawn cruft In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/484 Author: stlaz Title: #484: FIPS: Remove pkispawn cruft Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/484/head:pr484 git checkout pr484 From tkrizek at redhat.com Thu Feb 23 14:09:52 2017 
From: tkrizek at redhat.com (Tomas Krizek) Date: Thu, 23 Feb 2017 15:09:52 +0100 Subject: [Freeipa-devel] MD5 certificate fingerprints removal In-Reply-To: <20170222124432.GZ3557@dhcp-40-8.bne.redhat.com> References: <9a900970-0725-f942-c4ff-3b42ac430c63@redhat.com> <5bd6a65a-4e30-1e06-fe46-7f6ec349c374@redhat.com> <20170221232838.GU3557@dhcp-40-8.bne.redhat.com> <20170222124432.GZ3557@dhcp-40-8.bne.redhat.com> Message-ID: <46c10c51-2639-50ae-986b-cd0e9983ea32@redhat.com> On 02/22/2017 01:44 PM, Fraser Tweedale wrote: > On Wed, Feb 22, 2017 at 01:41:22PM +0100, Tomas Krizek wrote: >> On 02/22/2017 12:28 AM, Fraser Tweedale wrote: >>> On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote: >>>> On 02/21/2017 04:24 PM, Tomas Krizek wrote: >>>>> On 02/21/2017 03:23 PM, Rob Crittenden wrote: >>>>>> Standa Laznicka wrote: >>>>>>> Hello, >>>>>>> >>>>>>> Since we're trying to make FreeIPA work in FIPS we got to the point >>>>>>> where we need to do something with MD5 fingerprints in the cert plugin. >>>>>>> Eventually we came to a realization that it'd be best to get rid of them >>>>>>> as a whole. These are counted by the framework and are not stored >>>>>>> anywhere. Note that alongside with these fingerprints SHA1 fingerprints >>>>>>> are also counted and those are there to stay. >>>>>>> >>>>>>> The question for this ML is, then - is it OK to remove these or would >>>>>>> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a >>>>>>> grandpa and I think it should go. >>>>>> I based the values displayed on what certutil displayed at the time (7 >>>>>> years ago). I don't know that anyone uses these fingerprints. The >>>>>> OpenSSL equivalent doesn't include them by default. >>>>>> >>>>>> You may be able to deprecate fingerprints altogether. >>>>>> >>>>>> rob >>>>> I think it's useful to display the certificate's fingerprint. I'm in >>>>> favor of removing md5 and adding sha256 instead. 
>>>>> >>>> Rob, thank you for sharing the information of where the cert fingerprints >>>> are originated! `certutil` shipped with nss-3.27.0-1.3 currently displays >>>> SHA-256 and SHA1 fingerprints for certificates so I propose going that way >>>> too. >>>> >>> IMO we should remove MD5 and SHA-1, and add SHA-256. But we should >>> also make no API stability guarantee w.r.t. the fingerprint >>> attributes, i.e. to allow us to move to newer digests in future (and >>> remove broken/no-longer-secure ones). We should advise that if a >>> customer has a hard requirement on a particular digest that they >>> should compute it themselves from the certificate. >>> >>> Cheers, >>> Fraser >> What is the motivation to remove SHA-1? Are there any attacks besides >> theoretical ones on SHA-1? >> >> Do other libraries already deprecate SHA-1? >> > Come to think of it, I was thinking about SHA-1 signatures (which > are completely forbidden in the public PKI nowadays). But for > fingerprints it is not so bad (for now). > > Thanks, > Fraser Actually, there's been a practical SHA1 attack just published [1]. Computational complexity was 9,223,372,036,854,775,808 SHA1 computations, which takes about 110 years on a single GPU. Therefore, I'm in favor of deprecating SHA1 as well and providing only SHA256. [1] - https://shattered.io/ -- Tomas Krizek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From freeipa-github-notification at redhat.com Thu Feb 23 14:15:00 2017
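Editor's added example for the thread above (not FreeIPA code, not posted by any participant): Fraser's advice is that a consumer with a hard requirement on a particular digest should compute the fingerprint from the certificate itself rather than depend on the API's fingerprint attributes. The snippet below does exactly that: a fingerprint is a digest over the certificate's DER encoding, so PEM input is base64-decoded first, the digest is formatted certutil-style (colon-separated upper-case hex), and the algorithm is chosen per call so the consumer is not tied to whatever the server happens to expose. It assumes Python 3.9+ for the `usedforsecurity` keyword (with a fallback for older interpreters); the sample input is a constructed byte blob, not a real X.509 certificate, and the MD5 branch exists only to show how a legacy identifier can still be produced on a FIPS host without it being a security control.

```python
"""Client-side certificate fingerprints (added example, not FreeIPA code)."""
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed placeholder bytes used as sample input.  This is NOT a real
# X.509 certificate; a fingerprint only hashes the DER bytes, so any blob
# exercises the code path.  Real input would be a DER or PEM file.
SAMPLE_DER = bytes(range(256)) * 4


def pem_to_der(pem: bytes) -> bytes:
    """Extract DER bytes from the first CERTIFICATE block of a PEM file."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    # Strip the line breaks before decoding; validate=True rejects junk.
    return base64.b64decode(b"".join(m.group(1).split()), validate=True)


def der_to_pem(der: bytes) -> bytes:
    """Inverse of pem_to_der: 64-column base64 as OpenSSL and certutil emit."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Digest of the DER bytes formatted certutil-style, e.g. 'AB:CD:...'.

    MD5 is requested with usedforsecurity=False so the call is not refused
    on a FIPS-enabled host; a fingerprint is an identifier, not a security
    control, which is the only reason the legacy digest is tolerated here.
    """
    if algorithm == "md5":
        try:
            h = hashlib.new("md5", der, usedforsecurity=False)
        except TypeError:  # Python < 3.9 has no usedforsecurity keyword
            h = hashlib.new("md5", der)
    else:
        h = hashlib.new(algorithm, der)
    digest = h.hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints(cert: bytes, algorithms=("sha256", "sha1")) -> dict:
    """Compute several fingerprints at once; accepts PEM or DER input."""
    der = pem_to_der(cert) if cert.lstrip().startswith(b"-----BEGIN") else cert
    return {alg: fingerprint(der, alg) for alg in algorithms}


if __name__ == "__main__":
    for alg, fp in fingerprints(der_to_pem(SAMPLE_DER)).items():
        print(f"{alg.upper():>7} Fingerprint: {fp}")
```

Because the digest runs over the DER encoding, a PEM and a DER copy of the same certificate yield the same fingerprint; comparing fingerprints across tools only works when both sides agree on the algorithm, which is why asking the consumer to compute it locally removes the API stability problem the thread raises.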
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 23 Feb 2017 15:15:00 +0100 Subject: [Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/472 Author: tiran Title: #472: Packaging: Add placeholder packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/472/head:pr472 git checkout pr472 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-472.patch Type: text/x-diff Size: 30074 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Feb 23 15:00:00 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Feb 2017 16:00:00 +0100 Subject: [Freeipa-devel] [freeipa PR#482][comment] Remove MD5 certificate fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/482 Title: #482: Remove MD5 certificate fingerprints tomaskrizek commented: """ ACK, there is no disagreement on freeipa-devel. I'm already working on replacing SHA1 with SHA256 given the [recent events](https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html). """ See the full comment at https://github.com/freeipa/freeipa/pull/482#issuecomment-282014171 From freeipa-github-notification at redhat.com Thu Feb 23 15:00:05 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Thu, 23 Feb 2017 16:00:05 +0100 Subject: [Freeipa-devel] [freeipa PR#482][+ack] Remove MD5 certificate fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/482 Title: #482: Remove MD5 certificate fingerprints Label: +ack From freeipa-github-notification at redhat.com Thu Feb 23 15:33:31 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 23 Feb 2017 16:33:31 +0100
Subject: [Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages

URL: https://github.com/freeipa/freeipa/pull/472
Author: tiran
Title: #472: Packaging: Add placeholder packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/472/head:pr472
git checkout pr472

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-472.patch
Type: text/x-diff
Size: 31831 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Feb 23 16:31:53 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 23 Feb 2017 17:31:53 +0100
Subject: [Freeipa-devel] [freeipa PR#379][+postponed] Packaging: Add placeholder and IPA commands packages

URL: https://github.com/freeipa/freeipa/pull/379
Title: #379: Packaging: Add placeholder and IPA commands packages

Label: +postponed

From freeipa-github-notification at redhat.com Thu Feb 23 16:32:21 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 23 Feb 2017 17:32:21 +0100
Subject: [Freeipa-devel] [freeipa PR#379][comment] Packaging: Add placeholder and IPA commands packages

URL: https://github.com/freeipa/freeipa/pull/379
Title: #379: Packaging: Add placeholder and IPA commands packages

tiran commented:
"""
I have postponed the ```ipacommands``` part. Placeholders are covered by #472.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/379#issuecomment-282044669

From freeipa-github-notification at redhat.com Thu Feb 23 16:34:23 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 17:34:23 +0100
Subject: [Freeipa-devel] [freeipa PR#483][comment] lite-server: validate LDAP connection and cache schema

URL: https://github.com/freeipa/freeipa/pull/483
Title: #483: lite-server: validate LDAP connection and cache schema

MartinBasti commented:
"""
Code looks good to me, as far as this is just code for developers I assume that @tiran tested it enough, so ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/483#issuecomment-282045305

From freeipa-github-notification at redhat.com Thu Feb 23 16:34:57 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 17:34:57 +0100
Subject: [Freeipa-devel] [freeipa PR#483][+ack] lite-server: validate LDAP connection and cache schema

URL: https://github.com/freeipa/freeipa/pull/483
Title: #483: lite-server: validate LDAP connection and cache schema

Label: +ack

From freeipa-github-notification at redhat.com Thu Feb 23 17:02:04 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 23 Feb 2017 18:02:04 +0100
Subject: [Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management

URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

tiran commented:
"""
@MartinBasti you approved this PR a month ago but it has neither the ACK flag nor was it merged.

@pvomacka Your work would be useful for my Custodia Vault work. Can you rebase this PR to master to verify it still works?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/139#issuecomment-282053796

From freeipa-github-notification at redhat.com Thu Feb 23 17:25:50 2017
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Thu, 23 Feb 2017 18:25:50 +0100
Subject: [Freeipa-devel] [freeipa PR#139][synchronized] WebUI: Vault Management

URL: https://github.com/freeipa/freeipa/pull/139
Author: pvomacka
Title: #139: WebUI: Vault Management
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/139/head:pr139
git checkout pr139

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-139.patch
Type: text/x-diff
Size: 86490 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Feb 23 17:26:42 2017
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Thu, 23 Feb 2017 18:26:42 +0100
Subject: [Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management

URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

pvomacka commented:
"""
@tiran Yes, rebased.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/139#issuecomment-282060928

From freeipa-github-notification at redhat.com Thu Feb 23 17:28:35 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 23 Feb 2017 18:28:35 +0100
Subject: [Freeipa-devel] [freeipa PR#479][synchronized] Merge AD trust installer into composite ones

URL: https://github.com/freeipa/freeipa/pull/479
Author: martbab
Title: #479: Merge AD trust installer into composite ones
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/479/head:pr479
git checkout pr479

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-479.patch
Type: text/x-diff
Size: 47735 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Feb 23 17:32:50 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 23 Feb 2017 18:32:50 +0100
Subject: [Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages

URL: https://github.com/freeipa/freeipa/pull/472
Author: tiran
Title: #472: Packaging: Add placeholder packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/472/head:pr472
git checkout pr472

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-472.patch
Type: text/x-diff
Size: 32107 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Feb 23 17:53:16 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 18:53:16 +0100
Subject: [Freeipa-devel] [freeipa PR#498][comment] compat: fix `Any` params in `batch` and `dnsrecord`

URL: https://github.com/freeipa/freeipa/pull/498
Title: #498: compat: fix `Any` params in `batch` and `dnsrecord`

MartinBasti commented:
"""
Works for me
"""

See the full comment at https://github.com/freeipa/freeipa/pull/498#issuecomment-282068296

From freeipa-github-notification at redhat.com Thu Feb 23 17:53:19 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 18:53:19 +0100
Subject: [Freeipa-devel] [freeipa PR#498][+ack] compat: fix `Any` params in `batch` and `dnsrecord`

URL: https://github.com/freeipa/freeipa/pull/498
Title: #498: compat: fix `Any` params in `batch` and `dnsrecord`

Label: +ack

From freeipa-github-notification at redhat.com Thu Feb 23 17:54:11 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 18:54:11 +0100
Subject: [Freeipa-devel] [freeipa PR#498][comment] compat: fix `Any` params in `batch` and `dnsrecord`

URL: https://github.com/freeipa/freeipa/pull/498
Title: #498: compat: fix `Any` params in `batch` and `dnsrecord`

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/19060db1b8fa9d1d3e8f3ac3fcd1f387e9a39c94
"""

See the full comment at https://github.com/freeipa/freeipa/pull/498#issuecomment-282068566

From freeipa-github-notification at redhat.com Thu Feb 23 17:54:12 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 18:54:12 +0100
Subject: [Freeipa-devel] [freeipa PR#498][+pushed] compat: fix `Any` params in `batch` and `dnsrecord`

URL: https://github.com/freeipa/freeipa/pull/498
Title: #498: compat: fix `Any` params in `batch` and `dnsrecord`

Label: +pushed

From freeipa-github-notification at redhat.com Thu Feb 23 17:54:13 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 18:54:13 +0100
Subject: [Freeipa-devel] [freeipa PR#498][closed] compat: fix `Any` params in `batch` and `dnsrecord`

URL: https://github.com/freeipa/freeipa/pull/498
Author: HonzaCholasta
Title: #498: compat: fix `Any` params in `batch` and `dnsrecord`
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/498/head:pr498
git checkout pr498

From freeipa-github-notification at redhat.com Thu Feb 23 17:55:10 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 18:55:10 +0100
Subject: [Freeipa-devel] [freeipa PR#499][comment] added help about default value for --external-ca-type option

URL: https://github.com/freeipa/freeipa/pull/499
Title: #499: added help about default value for --external-ca-type option

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/573a0f1ffe5035b75fb88ee7752029e34c6b37af
"""

See the full comment at https://github.com/freeipa/freeipa/pull/499#issuecomment-282068837

From freeipa-github-notification at redhat.com Thu Feb 23 17:55:12 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 18:55:12 +0100
Subject: [Freeipa-devel] [freeipa PR#499][+pushed] added help about default value for --external-ca-type option

URL: https://github.com/freeipa/freeipa/pull/499
Title: #499: added help about default value for --external-ca-type option

Label: +pushed

From freeipa-github-notification at redhat.com Thu Feb 23 17:55:13 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 18:55:13 +0100
Subject: [Freeipa-devel] [freeipa PR#499][closed] added help about default value for --external-ca-type option

URL: https://github.com/freeipa/freeipa/pull/499
Author: tscherf
Title: #499: added help about default value for --external-ca-type option
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/499/head:pr499
git checkout pr499

From freeipa-github-notification at redhat.com Thu Feb 23 17:56:00 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 18:56:00 +0100
Subject: [Freeipa-devel] [freeipa PR#483][comment] lite-server: validate LDAP connection and cache schema

URL: https://github.com/freeipa/freeipa/pull/483
Title: #483: lite-server: validate LDAP connection and cache schema

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/dcb618152572ca013a447336e13d24399b5f7960
"""

See the full comment at https://github.com/freeipa/freeipa/pull/483#issuecomment-282069082

From freeipa-github-notification at redhat.com Thu Feb 23 17:56:02 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 18:56:02 +0100
Subject: [Freeipa-devel] [freeipa PR#483][+pushed] lite-server: validate LDAP connection and cache schema

URL: https://github.com/freeipa/freeipa/pull/483
Title: #483: lite-server: validate LDAP connection and cache schema

Label: +pushed

From freeipa-github-notification at redhat.com Thu Feb 23 17:56:03 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 18:56:03 +0100
Subject: [Freeipa-devel] [freeipa PR#483][closed] lite-server: validate LDAP connection and cache schema

URL: https://github.com/freeipa/freeipa/pull/483
Author: tiran
Title: #483: lite-server: validate LDAP connection and cache schema
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/483/head:pr483
git checkout pr483

From freeipa-github-notification at redhat.com Thu Feb 23 17:57:10 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 18:57:10 +0100
Subject: [Freeipa-devel] [freeipa PR#412][comment] Define template version in certmap.conf

URL: https://github.com/freeipa/freeipa/pull/412
Title: #412: Define template version in certmap.conf

MartinBasti commented:
"""
needs rebase
"""

See the full comment at https://github.com/freeipa/freeipa/pull/412#issuecomment-282069402

From freeipa-github-notification at redhat.com Thu Feb 23 17:59:20 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 18:59:20 +0100
Subject: [Freeipa-devel] [freeipa PR#482][+pushed] Remove MD5 certificate fingerprints

URL: https://github.com/freeipa/freeipa/pull/482
Title: #482: Remove MD5 certificate fingerprints

Label: +pushed

From freeipa-github-notification at redhat.com Thu Feb 23 17:59:22 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 18:59:22 +0100
Subject: [Freeipa-devel] [freeipa PR#482][comment] Remove MD5 certificate fingerprints

URL: https://github.com/freeipa/freeipa/pull/482
Title: #482: Remove MD5 certificate fingerprints

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/e2d1b21c5049f68d0336dcaf3f8657b214a34e2b
"""

See the full comment at https://github.com/freeipa/freeipa/pull/482#issuecomment-282070010

From freeipa-github-notification at redhat.com Thu Feb 23 17:59:23 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Thu, 23 Feb 2017 18:59:23 +0100
Subject: [Freeipa-devel] [freeipa PR#482][closed] Remove MD5 certificate fingerprints

URL: https://github.com/freeipa/freeipa/pull/482
Author: stlaz
Title: #482: Remove MD5 certificate fingerprints
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/482/head:pr482
git checkout pr482

From mbasti at redhat.com Thu Feb 23 18:06:10 2017
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 23 Feb 2017 19:06:10 +0100
Subject: [Freeipa-devel] MD5 certificate fingerprints removal
In-Reply-To: <46c10c51-2639-50ae-986b-cd0e9983ea32@redhat.com>
References: <9a900970-0725-f942-c4ff-3b42ac430c63@redhat.com> <5bd6a65a-4e30-1e06-fe46-7f6ec349c374@redhat.com> <20170221232838.GU3557@dhcp-40-8.bne.redhat.com> <20170222124432.GZ3557@dhcp-40-8.bne.redhat.com> <46c10c51-2639-50ae-986b-cd0e9983ea32@redhat.com>
Message-ID: <557fc2ab-3371-7cf2-7da8-650b7dd4f2a6@redhat.com>

On 23.02.2017 15:09, Tomas Krizek wrote:
> On 02/22/2017 01:44 PM, Fraser Tweedale wrote:
>> On Wed, Feb 22, 2017 at 01:41:22PM +0100, Tomas Krizek wrote:
>>> On 02/22/2017 12:28 AM, Fraser Tweedale wrote:
>>>> On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote:
>>>>> On 02/21/2017 04:24 PM, Tomas Krizek wrote:
>>>>>> On 02/21/2017 03:23 PM, Rob Crittenden wrote:
>>>>>>> Standa Laznicka wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> Since we're trying to make FreeIPA work in FIPS we got to the point
>>>>>>>> where we need to do something with MD5 fingerprints in the cert plugin.
>>>>>>>> Eventually we came to a realization that it'd be best to get rid of them
>>>>>>>> as a whole. These are counted by the framework and are not stored
>>>>>>>> anywhere. Note that alongside with these fingerprints SHA1 fingerprints
>>>>>>>> are also counted and those are there to stay.
>>>>>>>>
>>>>>>>> The question for this ML is, then - is it OK to remove these or would
>>>>>>>> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
>>>>>>>> grandpa and I think it should go.
>>>>>>> I based the values displayed on what certutil displayed at the time (7
>>>>>>> years ago). I don't know that anyone uses these fingerprints. The
>>>>>>> OpenSSL equivalent doesn't include them by default.
>>>>>>>
>>>>>>> You may be able to deprecate fingerprints altogether.
>>>>>>>
>>>>>>> rob
>>>>>> I think it's useful to display the certificate's fingerprint. I'm in
>>>>>> favor of removing md5 and adding sha256 instead.
>>>>>>
>>>>> Rob, thank you for sharing the information of where the cert fingerprints
>>>>> are originated! `certutil` shipped with nss-3.27.0-1.3 currently displays
>>>>> SHA-256 and SHA1 fingerprints for certificates so I propose going that way
>>>>> too.
>>>>>
>>>> IMO we should remove MD5 and SHA-1, and add SHA-256. But we should
>>>> also make no API stability guarantee w.r.t. the fingerprint
>>>> attributes, i.e. to allow us to move to newer digests in future (and
>>>> remove broken/no-longer-secure ones). We should advise that if a
>>>> customer has a hard requirement on a particular digest that they
>>>> should compute it themselves from the certificate.
>>>>
>>>> Cheers,
>>>> Fraser
>>> What is the motivation to remove SHA-1? Are there any attacks besides
>>> theoretical ones on SHA-1?
>>>
>>> Do other libraries already deprecate SHA-1?
>>>
>> Come to think of it, I was thinking about SHA-1 signatures (which
>> are completely forbidden in the public PKI nowadays). But for
>> fingerprints it is not so bad (for now).
>>
>> Thanks,
>> Fraser
> Actually, there's been a practical SHA1 attack just published [1].
> Computational complexity was
> 9,223,372,036,854,775,808 SHA1 computations, which takes about 110 years
> on a single GPU.
>
> Therefore, I'm in favor of deprecating SHA1 as well and providing only SHA256.
>
> [1] - https://shattered.io/
>
>
>

I think we should wait with the removal of SHA1, don't remove it prematurely. While MD5 has been deprecated for a very long time, SHA1 has not, and we are not using it for any cryptographic operation nor certificates. It is just an informational fingerprint.

From freeipa-github-notification at redhat.com Thu Feb 23 18:12:41 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 23 Feb 2017 19:12:41 +0100
Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-367.patch
Type: text/x-diff
Size: 132571 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Feb 23 18:17:13 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 23 Feb 2017 19:17:13 +0100
Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

stlaz commented:
"""
Hopefully all issues were addressed + `radb` removed. If the Travis check passes then this is ready for review again.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-282074914

From freeipa-github-notification at redhat.com Thu Feb 23 18:22:40 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Thu, 23 Feb 2017 19:22:40 +0100
Subject: [Freeipa-devel] [freeipa PR#500][opened] Replace sha1 fingerprints with sha256

URL: https://github.com/freeipa/freeipa/pull/500
Author: tomaskrizek
Title: #500: Replace sha1 fingerprints with sha256
Action: opened

PR body:
"""
- we probably want to keep SHA1 for DNS SSHFP (along with SHA256)
- removing SHA1 from RSA-OAEP probably doesn't have any benefits http://security.stackexchange.com/questions/112029/should-sha-1-be-used-with-rsa-oaep
- SHA1 for otp will be handled in a separate PR
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/500/head:pr500
git checkout pr500

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-500.patch
Type: text/x-diff
Size: 18634 bytes
Desc: not available

From jcholast at redhat.com Fri Feb 24 07:29:07 2017
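Two points in the thread above come down to the same operation: Fraser's advice that a consumer with a hard requirement on a particular digest should compute the fingerprint from the certificate itself rather than rely on the API, and PR#500's note that DNS SSHFP keeps SHA-1 alongside SHA-256. Both are a digest over a DER blob. The following is an added example, not code from FreeIPA's cert plugin or from PR#500: it formats certificate fingerprints the way certutil prints them (colon-separated uppercase hex), refuses MD5 as PR#482 does, and builds SSHFP RDATA (fingerprint type 1 = SHA-1, 2 = SHA-256, per RFC 4255 and RFC 6594) for an authorized_keys-style line. The PEM body and the key blob used at the bottom are constructed test data, chosen so the digests are the standard "abc" test vectors, not real certificates or keys.

```python
"""Certificate and SSH host key fingerprints with SHA-1 and SHA-256.

Added example, not FreeIPA code.  All inputs used below are constructed.
"""
import base64
import hashlib
import re

# Digests offered for certificate fingerprints.  MD5 is deliberately absent
# (PR#482); SHA-1 stays for now, as the thread concluded.
SUPPORTED_DIGESTS = ("sha1", "sha256")

# SSHFP RDATA numbers from RFC 4255 / RFC 6594: fingerprint type and key algorithm.
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}
SSHFP_KEY_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body to DER bytes."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Digest of the DER encoding as colon-separated uppercase hex (certutil layout).

    Raises ValueError for digests that are no longer offered, such as MD5, so a
    caller that hard-codes an old digest fails loudly instead of silently.
    """
    algorithm = algorithm.lower()
    if algorithm not in SUPPORTED_DIGESTS:
        raise ValueError(f"fingerprint digest not offered: {algorithm}")
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def all_fingerprints(der: bytes) -> dict:
    """Every offered fingerprint; informational output, not a stable API."""
    return {alg: fingerprint(der, alg) for alg in SUPPORTED_DIGESTS}


def sshfp_rdata(pubkey_blob: bytes, key_algorithm: int, algorithm: str) -> str:
    """SSHFP RDATA text: '<key algorithm> <fingerprint type> <hex digest>'.

    The digest covers the raw public key blob (the base64-decoded part of an
    authorized_keys line), not the base64 text.
    """
    fptype = SSHFP_FPTYPE[algorithm]
    return f"{key_algorithm} {fptype} {hashlib.new(algorithm, pubkey_blob).hexdigest()}"


def sshfp_records(authorized_key_line: str) -> list:
    """SHA-1 and SHA-256 SSHFP records (both kept, as PR#500 does) for one
    '<keytype> <base64 blob> [comment]' line."""
    keytype, blob_b64 = authorized_key_line.split()[:2]
    if keytype.startswith("ecdsa-sha2-"):
        key_algorithm = 3
    else:
        key_algorithm = SSHFP_KEY_ALGORITHM[keytype]
    blob = base64.b64decode(blob_b64)
    return [sshfp_rdata(blob, key_algorithm, alg) for alg in SUPPORTED_DIGESTS]


if __name__ == "__main__":
    # Constructed inputs: the bytes "abc" wrapped as a PEM body and as a fake
    # key blob ("YWJj" is base64 for "abc"), so the digests are the well-known
    # SHA-1/SHA-256 test vectors for "abc".
    pem = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
    der = pem_to_der(pem)
    for alg, fp in all_fingerprints(der).items():
        print(f"{alg}: {fp}")
    for rdata in sshfp_records("ssh-ed25519 YWJj constructed@example"):
        print("host.example. IN SSHFP", rdata)
```

On a real certificate, `pem_to_der` is fed the contents of the PEM file and `fingerprint(der)` matches the SHA-256 line of `certutil -L` and of `openssl x509 -noout -fingerprint -sha256`. The SSHFP helper is given one line of the host's public key file; the hex it prints is what `ssh-keygen -r` emits for the same key.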
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 24 Feb 2017 08:29:07 +0100
Subject: [Freeipa-devel] MD5 certificate fingerprints removal
In-Reply-To: <557fc2ab-3371-7cf2-7da8-650b7dd4f2a6@redhat.com>
References: <9a900970-0725-f942-c4ff-3b42ac430c63@redhat.com> <5bd6a65a-4e30-1e06-fe46-7f6ec349c374@redhat.com> <20170221232838.GU3557@dhcp-40-8.bne.redhat.com> <20170222124432.GZ3557@dhcp-40-8.bne.redhat.com> <46c10c51-2639-50ae-986b-cd0e9983ea32@redhat.com> <557fc2ab-3371-7cf2-7da8-650b7dd4f2a6@redhat.com>
Message-ID: <18c62c02-3f3d-5f33-05ee-596be7b21b49@redhat.com>

On 23.2.2017 19:06, Martin Basti wrote:
>
>
> On 23.02.2017 15:09, Tomas Krizek wrote:
>> On 02/22/2017 01:44 PM, Fraser Tweedale wrote:
>>> On Wed, Feb 22, 2017 at 01:41:22PM +0100, Tomas Krizek wrote:
>>>> On 02/22/2017 12:28 AM, Fraser Tweedale wrote:
>>>>> On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote:
>>>>>> On 02/21/2017 04:24 PM, Tomas Krizek wrote:
>>>>>>> On 02/21/2017 03:23 PM, Rob Crittenden wrote:
>>>>>>>> Standa Laznicka wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> Since we're trying to make FreeIPA work in FIPS we got to the point
>>>>>>>>> where we need to do something with MD5 fingerprints in the cert plugin.
>>>>>>>>> Eventually we came to a realization that it'd be best to get rid of them
>>>>>>>>> as a whole. These are counted by the framework and are not stored
>>>>>>>>> anywhere. Note that alongside with these fingerprints SHA1 fingerprints
>>>>>>>>> are also counted and those are there to stay.
>>>>>>>>>
>>>>>>>>> The question for this ML is, then - is it OK to remove these or would
>>>>>>>>> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
>>>>>>>>> grandpa and I think it should go.
>>>>>>>> I based the values displayed on what certutil displayed at the time (7
>>>>>>>> years ago). I don't know that anyone uses these fingerprints. The
>>>>>>>> OpenSSL equivalent doesn't include them by default.
>>>>>>>>
>>>>>>>> You may be able to deprecate fingerprints altogether.
>>>>>>>>
>>>>>>>> rob
>>>>>>> I think it's useful to display the certificate's fingerprint. I'm in
>>>>>>> favor of removing md5 and adding sha256 instead.
>>>>>>>
>>>>>> Rob, thank you for sharing the information of where the cert fingerprints
>>>>>> are originated! `certutil` shipped with nss-3.27.0-1.3 currently displays
>>>>>> SHA-256 and SHA1 fingerprints for certificates so I propose going that way
>>>>>> too.
>>>>>>
>>>>> IMO we should remove MD5 and SHA-1, and add SHA-256. But we should
>>>>> also make no API stability guarantee w.r.t. the fingerprint
>>>>> attributes, i.e. to allow us to move to newer digests in future (and
>>>>> remove broken/no-longer-secure ones). We should advise that if a
>>>>> customer has a hard requirement on a particular digest that they
>>>>> should compute it themselves from the certificate.
>>>>>
>>>>> Cheers,
>>>>> Fraser
>>>> What is the motivation to remove SHA-1? Are there any attacks besides
>>>> theoretical ones on SHA-1?
>>>>
>>>> Do other libraries already deprecate SHA-1?
>>>>
>>> Come to think of it, I was thinking about SHA-1 signatures (which
>>> are completely forbidden in the public PKI nowadays). But for
>>> fingerprints it is not so bad (for now).
>>>
>>> Thanks,
>>> Fraser
>> Actually, there's been a practical SHA1 attack just published [1].
>> Computational complexity was
>> 9,223,372,036,854,775,808 SHA1 computations, which takes about 110 years
>> on a single GPU.
>>
>> Therefore, I'm in favor of deprecating SHA1 as well and providing only SHA256.
>>
>> [1] - https://shattered.io/
>>
>>
>>
>
> I think we should wait with the removal of SHA1, don't remove it prematurely.
> While MD5 has been deprecated for a very long time, SHA1 has not, and we are not
> using it for any cryptographic operation nor certificates. It is just an
> informational fingerprint.

+1

--
Jan Cholasta

From freeipa-github-notification at redhat.com Fri Feb 24 07:25:10 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 24 Feb 2017 08:25:10 +0100
Subject: [Freeipa-devel] [freeipa PR#501][opened] C compilation fixes and hardening

URL: https://github.com/freeipa/freeipa/pull/501
Author: tiran
Title: #501: C compilation fixes and hardening
Action: opened

PR body:
"""
Fix "implicit declaration of function ‘strlen’" in ipa_pwd_ntlm.c, credits to Lukas.

Add -Werror=implicit-function-declaration to CFLAGS to point developers to missing includes. It causes compilation to fail when a developer forgets to add a required include. The problem is no longer hidden in a massive wall of text from make.

Silence a harmless error from 389-DS slapi.h until the bug is fixed in downstream, https://pagure.io/389-ds-base/issue/48979

Signed-off-by: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/501/head:pr501
git checkout pr501

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-501.patch
Type: text/x-diff
Size: 1539 bytes
Desc: not available

From slaznick at redhat.com Fri Feb 24 07:34:37 2017
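The PR body above explains why `-Werror=implicit-function-declaration` goes into CFLAGS: a call to a function with no visible prototype is otherwise only a warning, buried in the build log, and the compiler silently assumes `int f()` for it. The shell snippet below is an added example, not part of PR#501 or of FreeIPA's build system: it writes a constructed one-line C file that calls `strlen()` without `#include <string.h>` and checks that the flag turns the missing include into a hard compile error. The file name, the temporary directory and the `CC` override are this example's own choices.

```shell
#!/bin/sh
# Added example, not from PR#501. Compiles a constructed C file that uses
# strlen() without <string.h> and reports whether
# -Werror=implicit-function-declaration rejects it.
#
# Return status of check_implicit_decl:
#   0  the flag made the missing include a hard error (expected)
#   1  the compiler accepted the implicit declaration
#   2  no C compiler available, nothing was checked
check_implicit_decl() {
    cc_bin="${CC:-cc}"
    command -v "$cc_bin" >/dev/null 2>&1 || return 2
    tmpdir="$(mktemp -d)" || return 2

    # Constructed source: strlen() is used, but <string.h> is not included,
    # so the call is an implicit function declaration.
    cat > "$tmpdir/implicit.c" <<'EOF'
int count(const char *s) { return (int)strlen(s); }
EOF

    if "$cc_bin" -Werror=implicit-function-declaration -c \
            "$tmpdir/implicit.c" -o "$tmpdir/implicit.o" >/dev/null 2>&1; then
        rc=1
    else
        rc=0
    fi
    rm -rf "$tmpdir"
    return "$rc"
}

# Usage: run the check and say what happened.
case "$(check_implicit_decl; echo $?)" in
    0) echo "missing include is a hard error with the flag" ;;
    1) echo "compiler accepted the implicit declaration" ;;
    *) echo "no C compiler found, check skipped" ;;
esac
```

Note that GCC 14 and Clang 16 already reject implicit function declarations by default, so on those toolchains the flag is redundant; it still matters for the older compilers a distribution build may use, and it documents the intent in CFLAGS.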
From: slaznick at redhat.com (Standa Laznicka)
Date: Fri, 24 Feb 2017 08:34:37 +0100
Subject: [Freeipa-devel] MD5 certificate fingerprints removal
In-Reply-To: <18c62c02-3f3d-5f33-05ee-596be7b21b49@redhat.com>
References: <9a900970-0725-f942-c4ff-3b42ac430c63@redhat.com> <5bd6a65a-4e30-1e06-fe46-7f6ec349c374@redhat.com> <20170221232838.GU3557@dhcp-40-8.bne.redhat.com> <20170222124432.GZ3557@dhcp-40-8.bne.redhat.com> <46c10c51-2639-50ae-986b-cd0e9983ea32@redhat.com> <557fc2ab-3371-7cf2-7da8-650b7dd4f2a6@redhat.com> <18c62c02-3f3d-5f33-05ee-596be7b21b49@redhat.com>
Message-ID: <85faf53a-5605-4eba-1da7-3d2255efa388@redhat.com>

On 02/24/2017 08:29 AM, Jan Cholasta wrote:
> On 23.2.2017 19:06, Martin Basti wrote:
>>
>>
>> On 23.02.2017 15:09, Tomas Krizek wrote:
>>> On 02/22/2017 01:44 PM, Fraser Tweedale wrote:
>>>> On Wed, Feb 22, 2017 at 01:41:22PM +0100, Tomas Krizek wrote:
>>>>> On 02/22/2017 12:28 AM, Fraser Tweedale wrote:
>>>>>> On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote:
>>>>>>> On 02/21/2017 04:24 PM, Tomas Krizek wrote:
>>>>>>>> On 02/21/2017 03:23 PM, Rob Crittenden wrote:
>>>>>>>>> Standa Laznicka wrote:
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> Since we're trying to make FreeIPA work in FIPS we got to the point
>>>>>>>>>> where we need to do something with MD5 fingerprints in the cert plugin.
>>>>>>>>>> Eventually we came to a realization that it'd be best to get rid of them
>>>>>>>>>> as a whole. These are counted by the framework and are not stored
>>>>>>>>>> anywhere. Note that alongside with these fingerprints SHA1 fingerprints
>>>>>>>>>> are also counted and those are there to stay.
>>>>>>>>>>
>>>>>>>>>> The question for this ML is, then - is it OK to remove these or would
>>>>>>>>>> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
>>>>>>>>>> grandpa and I think it should go.
>>>>>>>>> I based the values displayed on what certutil displayed at the time (7
>>>>>>>>> years ago). I don't know that anyone uses these fingerprints. The
>>>>>>>>> OpenSSL equivalent doesn't include them by default.
>>>>>>>>>
>>>>>>>>> You may be able to deprecate fingerprints altogether.
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>> I think it's useful to display the certificate's fingerprint. I'm in
>>>>>>>> favor of removing md5 and adding sha256 instead.
>>>>>>>>
>>>>>>> Rob, thank you for sharing the information of where the cert fingerprints
>>>>>>> are originated! `certutil` shipped with nss-3.27.0-1.3 currently displays
>>>>>>> SHA-256 and SHA1 fingerprints for certificates so I propose going that way
>>>>>>> too.
>>>>>>>
>>>>>> IMO we should remove MD5 and SHA-1, and add SHA-256. But we should
>>>>>> also make no API stability guarantee w.r.t. the fingerprint
>>>>>> attributes, i.e. to allow us to move to newer digests in future (and
>>>>>> remove broken/no-longer-secure ones). We should advise that if a
>>>>>> customer has a hard requirement on a particular digest that they
>>>>>> should compute it themselves from the certificate.
>>>>>>
>>>>>> Cheers,
>>>>>> Fraser
>>>>> What is the motivation to remove SHA-1? Are there any attacks besides
>>>>> theoretical ones on SHA-1?
>>>>>
>>>>> Do other libraries already deprecate SHA-1?
>>>>>
>>>> Come to think of it, I was thinking about SHA-1 signatures (which
>>>> are completely forbidden in the public PKI nowadays). But for
>>>> fingerprints it is not so bad (for now).
>>>>
>>>> Thanks,
>>>> Fraser
>>> Actually, there's been a practical SHA1 attack just published [1].
>>> Computational complexity was
>>> 9,223,372,036,854,775,808 SHA1 computations, which takes about 110 years
>>> on a single GPU.
>>>
>>> Therefore, I'm in favor of deprecating SHA1 as well and providing only SHA256.
>>>
>>> [1] - https://shattered.io/
>>>
>>>
>>>
>>
>> I think we should wait with the removal of SHA1, don't remove it prematurely.
>> While MD5 has been deprecated for a very long time, SHA1 has not, and we are not
>> using it for any cryptographic operation nor certificates. It is just an
>> informational fingerprint.
>
> +1
>
+1, I don't favour the http://new2.fjcdn.com/gifs/Everybody_d72014_61779.gif approach.

From freeipa-github-notification at redhat.com Fri Feb 24 07:42:50 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 24 Feb 2017 08:42:50 +0100
Subject: [Freeipa-devel] [freeipa PR#502][opened] Make pylint and jsl optional

URL: https://github.com/freeipa/freeipa/pull/502
Author: tiran
Title: #502: Make pylint and jsl optional
Action: opened

PR body:
"""
./configure no longer fails when pylint or jsl are not available. The make targets for pylint and jsl are no longer defined without the tools.

Rationale: pylint and jsl are not required to build FreeIPA. Both are useful developer tools. It's more user friendly to make both components optional with default config arguments. There is no reason to fail building on a build system without development tools. It's still possible to enforce dependency checks with --with-jslint and --enable-pylint.

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/502/head:pr502
git checkout pr502

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-502.patch
Type: text/x-diff
Size: 4763 bytes
Desc: not available

From tkrizek at redhat.com Fri Feb 24 07:46:57 2017
From: tkrizek at redhat.com (Tomas Krizek)
Date: Fri, 24 Feb 2017 08:46:57 +0100
Subject: [Freeipa-devel] MD5 certificate fingerprints removal
In-Reply-To: <85faf53a-5605-4eba-1da7-3d2255efa388@redhat.com>
References: <9a900970-0725-f942-c4ff-3b42ac430c63@redhat.com> <5bd6a65a-4e30-1e06-fe46-7f6ec349c374@redhat.com> <20170221232838.GU3557@dhcp-40-8.bne.redhat.com> <20170222124432.GZ3557@dhcp-40-8.bne.redhat.com> <46c10c51-2639-50ae-986b-cd0e9983ea32@redhat.com> <557fc2ab-3371-7cf2-7da8-650b7dd4f2a6@redhat.com> <18c62c02-3f3d-5f33-05ee-596be7b21b49@redhat.com> <85faf53a-5605-4eba-1da7-3d2255efa388@redhat.com>
Message-ID: <852fcc04-c3a8-a1cd-1541-b1d8df0d7272@redhat.com>

On 02/24/2017 08:34 AM, Standa Laznicka wrote:
> On 02/24/2017 08:29 AM, Jan Cholasta wrote:
>> On 23.2.2017 19:06, Martin Basti wrote:
>>>
>>>
>>> On 23.02.2017 15:09, Tomas Krizek wrote:
>>>> On 02/22/2017 01:44 PM, Fraser Tweedale wrote:
>>>>> On Wed, Feb 22, 2017 at 01:41:22PM +0100, Tomas Krizek wrote:
>>>>>> On 02/22/2017 12:28 AM, Fraser Tweedale wrote:
>>>>>>> On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote:
>>>>>>>> On 02/21/2017 04:24 PM, Tomas Krizek wrote:
>>>>>>>>> On 02/21/2017 03:23 PM, Rob Crittenden wrote:
>>>>>>>>>> Standa Laznicka wrote:
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> Since we're trying to make FreeIPA work in FIPS we got to the point
>>>>>>>>>>> where we need to do something with MD5 fingerprints in the cert plugin.
>>>>>>>>>>> Eventually we came to a realization that it'd be best to get rid of them
>>>>>>>>>>> as a whole. These are counted by the framework and are not stored
>>>>>>>>>>> anywhere. Note that alongside with these fingerprints SHA1 fingerprints
>>>>>>>>>>> are also counted and those are there to stay.
>>>>>>>>>>>
>>>>>>>>>>> The question for this ML is, then - is it OK to remove these or would
>>>>>>>>>>> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
>>>>>>>>>>> grandpa and I think it should go.
>>>>>>>>>> I based the values displayed on what certutil displayed at the time (7
>>>>>>>>>> years ago). I don't know that anyone uses these fingerprints. The
>>>>>>>>>> OpenSSL equivalent doesn't include them by default.
>>>>>>>>>>
>>>>>>>>>> You may be able to deprecate fingerprints altogether.
>>>>>>>>>>
>>>>>>>>>> rob
>>>>>>>>> I think it's useful to display the certificate's fingerprint. I'm in
>>>>>>>>> favor of removing md5 and adding sha256 instead.
>>>>>>>>>
>>>>>>>> Rob, thank you for sharing the information of where the cert fingerprints
>>>>>>>> are originated! `certutil` shipped with nss-3.27.0-1.3 currently displays
>>>>>>>> SHA-256 and SHA1 fingerprints for certificates so I propose going that way
>>>>>>>> too.
>>>>>>>>
>>>>>>> IMO we should remove MD5 and SHA-1, and add SHA-256. But we should
>>>>>>> also make no API stability guarantee w.r.t. the fingerprint
>>>>>>> attributes, i.e. to allow us to move to newer digests in future (and
>>>>>>> remove broken/no-longer-secure ones). We should advise that if a
>>>>>>> customer has a hard requirement on a particular digest that they
>>>>>>> should compute it themselves from the certificate.
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Fraser
>>>>>> What is the motivation to remove SHA-1? Are there any attacks besides
>>>>>> theoretical ones on SHA-1?
>>>>>>
>>>>>> Do other libraries already deprecate SHA-1?
>>>>>>
>>>>> Come to think of it, I was thinking about SHA-1 signatures (which
>>>>> are completely forbidden in the public PKI nowadays). But for
>>>>> fingerprints it is not so bad (for now).
>>>>>
>>>>> Thanks,
>>>>> Fraser
>>>> Actually, there's been a practical SHA1 attack just published [1].
>>>> Computational complexity was >>>> 9,223,372,036,854,775,808 SHA1 computations, which takes about 110 >>>> years >>>> on a single GPU. >>>> >>>> Therefore, I'm in favor of deprecating SHA1 as well and providing only >>>> SHA256. >>>> >>>> [1] - https://shattered.io/ >>>> >>>> >>>> >>> >>> I think we should wait with removing SHA1, don't remove it prematurely. >>> As MD5 is deprecated for a very long time, SHA1 is not and we are not >>> using it for any cryptographic operation nor for certificates. It is just >>> an informational fingerprint. >> >> +1 >> > +1, I don't favour the > http://new2.fjcdn.com/gifs/Everybody_d72014_61779.gif approach. > People will most likely be using the software even years after its upstream release, so I think it's best to address these issues sooner rather than later. SHA256 fingerprints should be added even if we decide to keep SHA1 for now. -- Tomas Krizek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From freeipa-github-notification at redhat.com Fri Feb 24 07:54:29 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Fri, 24 Feb 2017 08:54:29 +0100 Subject: [Freeipa-devel] [freeipa PR#503][opened] [WIP] Update testcase for cert plugin Message-ID: URL: https://github.com/freeipa/freeipa/pull/503 Author: Akasurde Title: #503: [WIP] Update testcase for cert plugin Action: opened PR body: """ Fixes https://fedorahosted.org/freeipa/ticket/6275 Signed-off-by: Abhijeet Kasurde """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/503/head:pr503 git checkout pr503 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-503.patch Type: text/x-diff Size: 5885 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Feb 24 08:03:45 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 24 Feb 2017 09:03:45 +0100 Subject: [Freeipa-devel] [freeipa PR#500][comment] Replace sha1 fingerprints with sha256 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/500 Title: #500: Replace sha1 fingerprints with sha256 tiran commented: """ Let's step on the brakes first and do a proper threat analysis. Is it really necessary to drop SHA-1 like a hot potato and go for SHA-256 right now? It still takes a lot of effort to create a SHA-1 collision. It hasn't been shown for certificates yet. * SHA-1 in OTP is fine. OTP uses HMAC and truncated hashes. The attack doesn't apply to HMAC-SHA1. There are also severe compatibility issues. Some commonly used OTP generators do not support SHA1. Before we change OTP, we must make sure that our own OTP generator, Google's OTP generator, and Yubico's OTP generator in all Yubikeys work. (I'm using Yubico Authenticator over NFC). * Is SHA-256 the correct answer? What about SHA-224 or SHA-384 or a totally different approach like SHA3-256? MD5, SHA-1 and SHA-2 have a similar design (Merkle-Damgard construct but different compression function). * Should we replace SHA-1 with SHA-2 in a hard cut or can we safely offer both hashes for a while to go through a proper deprecation cycle? Do users or customers depend on SHA-1 hash values? """ See the full comment at https://github.com/freeipa/freeipa/pull/500#issuecomment-282228908 From mbasti at redhat.com Fri Feb 24 08:44:41 2017 
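The OTP point in the comment above (HMAC plus dynamic truncation, so a collision on the bare hash does not carry over) is easiest to see in code. The following is an added illustration, not FreeIPA's OTP implementation: a standard-library HOTP/TOTP (RFC 4226 / RFC 6238) where the hash function is only ever used inside HMAC and the MAC is truncated to 31 bits before the modulo. The secret is the RFC 4226 test seed, so the printed values can be checked against the RFC's own table; the `algorithm` parameter shows that switching the underlying hash to SHA-256 is a one-argument change on the server side, which is exactly why the comment's compatibility concern (generators that only do SHA-1) is the real blocker, not the hash's collision resistance.

```python
"""HOTP/TOTP over HMAC-SHA1 and HMAC-SHA256 (added example, not FreeIPA code)."""
import hashlib
import hmac
import struct
import time

# RFC 4226 Appendix D test seed, ASCII "12345678901234567890" (20 bytes).
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """HOTP value per RFC 4226.

    The hash is used only as the HMAC primitive; the attacker-controlled
    input to a collision attack (two messages with the same digest) never
    exists here, because the message is the 8-byte counter and the key is
    secret.  The 20-byte (or 32-byte) MAC is then truncated to 31 bits.
    """
    msg = struct.pack(">Q", counter)                      # big-endian counter
    mac = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, algorithm="sha1"):
    """TOTP per RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algorithm)


def verify_otp(secret, candidate, counter, window=1, digits=6, algorithm="sha1"):
    """Check candidate against counter .. counter+window.

    Returns the matching counter (so the verifier can advance it) or None.
    The comparison is constant-time so timing does not leak digits.
    """
    for c in range(counter, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits, algorithm), candidate):
            return c
    return None


if __name__ == "__main__":
    for c in range(3):
        print("HOTP counter %d: %s" % (c, hotp(RFC4226_SECRET, c)))
    # RFC 6238 vector: time 59, SHA-1, 8 digits -> 94287082
    print("TOTP t=59 sha1  :", totp(RFC4226_SECRET, for_time=59, digits=8))
    print("TOTP t=59 sha256:", totp(RFC4226_SECRET, for_time=59, algorithm="sha256"))
```

The first three HOTP values are 755224, 287082 and 359152, as in the RFC 4226 table, and the SHA-1 TOTP at time 59 is 94287082 as in RFC 6238. Both are reproduced by any interoperable generator; a SHA-256 token from the same seed is a different code stream, which is the interoperability issue the comment raises.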
From: mbasti at redhat.com (Martin Basti) Date: Fri, 24 Feb 2017 09:44:41 +0100 Subject: [Freeipa-devel] MD5 certificate fingerprints removal In-Reply-To: <852fcc04-c3a8-a1cd-1541-b1d8df0d7272@redhat.com> References: <9a900970-0725-f942-c4ff-3b42ac430c63@redhat.com> <5bd6a65a-4e30-1e06-fe46-7f6ec349c374@redhat.com> <20170221232838.GU3557@dhcp-40-8.bne.redhat.com> <20170222124432.GZ3557@dhcp-40-8.bne.redhat.com> <46c10c51-2639-50ae-986b-cd0e9983ea32@redhat.com> <557fc2ab-3371-7cf2-7da8-650b7dd4f2a6@redhat.com> <18c62c02-3f3d-5f33-05ee-596be7b21b49@redhat.com> <85faf53a-5605-4eba-1da7-3d2255efa388@redhat.com> <852fcc04-c3a8-a1cd-1541-b1d8df0d7272@redhat.com> Message-ID: <0fc420f4-0bcd-eafe-d815-3e7971e9bfba@redhat.com> On 24.02.2017 08:46, Tomas Krizek wrote: > On 02/24/2017 08:34 AM, Standa Laznicka wrote: >> On 02/24/2017 08:29 AM, Jan Cholasta wrote: >>> On 23.2.2017 19:06, Martin Basti wrote: >>>> >>>> On 23.02.2017 15:09, Tomas Krizek wrote: >>>>> On 02/22/2017 01:44 PM, Fraser Tweedale wrote: >>>>>> On Wed, Feb 22, 2017 at 01:41:22PM +0100, Tomas Krizek wrote: >>>>>>> On 02/22/2017 12:28 AM, Fraser Tweedale wrote: >>>>>>>> On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote: >>>>>>>>> On 02/21/2017 04:24 PM, Tomas Krizek wrote: >>>>>>>>>> On 02/21/2017 03:23 PM, Rob Crittenden wrote: >>>>>>>>>>> Standa Laznicka wrote: >>>>>>>>>>>> Hello, >>>>>>>>>>>> >>>>>>>>>>>> Since we're trying to make FreeIPA work in FIPS we got to >>>>>>>>>>>> the point >>>>>>>>>>>> where we need to do something with MD5 fingerprints in the >>>>>>>>>>>> cert plugin. >>>>>>>>>>>> Eventually we came to a realization that it'd be best to get >>>>>>>>>>>> rid of them >>>>>>>>>>>> as a whole. These are counted by the framework and are not >>>>>>>>>>>> stored >>>>>>>>>>>> anywhere. Note that alongside with these fingerprints SHA1 >>>>>>>>>>>> fingerprints >>>>>>>>>>>> are also counted and those are there to stay. 
>>>>>>>>>>>> >>>>>>>>>>>> The question for this ML is, then - is it OK to remove these >>>>>>>>>>>> or would >>>>>>>>>>>> you rather have them replaced with SHA-256 alongside the >>>>>>>>>>>> SHA-1? MD5 is a >>>>>>>>>>>> grandpa and I think it should go. >>>>>>>>>>> I based the values displayed on what certutil displayed at >>>>>>>>>>> the time (7 >>>>>>>>>>> years ago). I don't know that anyone uses these fingerprints. >>>>>>>>>>> The >>>>>>>>>>> OpenSSL equivalent doesn't include them by default. >>>>>>>>>>> >>>>>>>>>>> You may be able to deprecate fingerprints altogether. >>>>>>>>>>> >>>>>>>>>>> rob >>>>>>>>>> I think it's useful to display the certificate's fingerprint. >>>>>>>>>> I'm in >>>>>>>>>> favor of removing md5 and adding sha256 instead. >>>>>>>>>> >>>>>>>>> Rob, thank you for sharing the information of where the cert >>>>>>>>> fingerprints >>>>>>>>> are originated! `certutil` shipped with nss-3.27.0-1.3 >>>>>>>>> currently displays >>>>>>>>> SHA-256 and SHA1 fingerprints for certificates so I propose >>>>>>>>> going that way >>>>>>>>> too. >>>>>>>>> >>>>>>>> IMO we should remove MD5 and SHA-1, and add SHA-256. But we should >>>>>>>> also make no API stability guarantee w.r.t. the fingerprint >>>>>>>> attributes, i.e. to allow us to move to newer digests in future >>>>>>>> (and >>>>>>>> remove broken/no-longer-secure ones). We should advise that if a >>>>>>>> customer has a hard requirement on a particular digest that they >>>>>>>> should compute it themselves from the certificate. >>>>>>>> >>>>>>>> Cheers, >>>>>>>> Fraser >>>>>>> What is the motivation to remove SHA-1? Are there any attacks >>>>>>> besides >>>>>>> theoretical ones on SHA-1? >>>>>>> >>>>>>> Do other libraries already deprecate SHA-1? >>>>>>> >>>>>> Come to think of it, I was thinking about SHA-1 signatures (which >>>>>> are completely forbidden in the public PKI nowadays). But for >>>>>> fingerprints it is not so bad (for now). 
>>>>>> >>>>>> Thanks, >>>>>> Fraser >>>>> Actually, there's been a practical SHA1 attack just published [1]. >>>>> Computational complexity was >>>>> 9,223,372,036,854,775,808 SHA1 computations, which takes about 110 >>>>> years >>>>> on a single GPU. >>>>> >>>>> Therefore, I'm in favor of deprecating SHA1 as well and providing only >>>>> SHA256. >>>>> >>>>> [1] - https://shattered.io/ >>>>> >>>>> >>>>> >>>> I think we should wait with removing SHA1, don't remove it prematurely. >>>> As MD5 is deprecated for a very long time, SHA1 is not and we are not >>>> using it for any cryptographic operation nor for certificates. It is just >>>> an informational fingerprint. >>> +1 >>> >> +1, I don't favour the >> http://new2.fjcdn.com/gifs/Everybody_d72014_61779.gif approach. >> > People will most likely be using the software even years after its > upstream release, so I think it's best to address these issues sooner > rather than later. > > SHA256 fingerprints should be added even if we decide to keep SHA1 for now. > +1 for adding SHA256 From freeipa-github-notification at redhat.com Fri Feb 24 08:57:07 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 24 Feb 2017 09:57:07 +0100 Subject: [Freeipa-devel] [freeipa PR#500][closed] Replace sha1 fingerprints with sha256 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/500 Author: tomaskrizek Title: #500: Replace sha1 fingerprints with sha256 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/500/head:pr500 git checkout pr500 From freeipa-github-notification at redhat.com Fri Feb 24 08:57:09 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 24 Feb 2017 09:57:09 +0100 Subject: [Freeipa-devel] [freeipa PR#500][comment] Replace sha1 fingerprints with sha256 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/500 Title: #500: Replace sha1 fingerprints with sha256 MartinBasti commented: """ https://www.redhat.com/archives/freeipa-devel/2017-February/msg01083.html This was discussed in that thread and the resolution is not to remove sha1. @tiran sha256 is already used in some IPA parts, so we are closing the circle to have it everywhere; if you want additional fingerprints, feel free to open a discussion on freeipa-devel. """ See the full comment at https://github.com/freeipa/freeipa/pull/500#issuecomment-282239159 From freeipa-github-notification at redhat.com Fri Feb 24 08:57:11 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 24 Feb 2017 09:57:11 +0100 Subject: [Freeipa-devel] [freeipa PR#500][+rejected] Replace sha1 fingerprints with sha256 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/500 Title: #500: Replace sha1 fingerprints with sha256 Label: +rejected From freeipa-github-notification at redhat.com Fri Feb 24 09:16:18 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 24 Feb 2017 10:16:18 +0100 Subject: [Freeipa-devel] [freeipa PR#504][opened] Add SHA256 fingerprints Message-ID: URL: https://github.com/freeipa/freeipa/pull/504 Author: tomaskrizek Title: #504: Add SHA256 fingerprints Action: opened PR body: """ As discussed on the [devel list](https://www.redhat.com/archives/freeipa-devel/2017-February/msg01095.html), adding SHA256 fingerprints for certs and keeping SHA1 as well. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/504/head:pr504 git checkout pr504 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-504.patch Type: text/x-diff Size: 14810 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Feb 24 09:20:25 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 24 Feb 2017 10:20:25 +0100 Subject: [Freeipa-devel] [freeipa PR#503][comment] [WIP] Update testcase for cert plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/503 Title: #503: [WIP] Update testcase for cert plugin MartinBasti commented: """ I left some inline comments, this improves the test but it still misses several features to be tested. You can finish these improvements and it can be pushed and add more improvements in a new PR """ See the full comment at https://github.com/freeipa/freeipa/pull/503#issuecomment-282243835 From freeipa-github-notification at redhat.com Fri Feb 24 09:22:02 2017 
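PR #504 above adds SHA256 fingerprints next to the SHA1 ones, and earlier in the thread Fraser's advice was that anyone with a hard requirement on a particular digest should compute it from the certificate themselves. The following added example (not FreeIPA's cert plugin code) shows what that computation is: a fingerprint is the digest of the DER encoding, so PEM input has to be base64-decoded first, and the result is formatted certutil-style as colon-separated uppercase hex. MD5 is deliberately not in the algorithm list. The "certificate" used for the demonstration is a constructed stand-in byte string (the NIST test input "abc"), not a real certificate, so the digests can be checked against published SHA-1 and SHA-256 test vectors; a real caller would pass the bytes read from a `.pem` or `.der` file.

```python
"""Certificate fingerprints over DER (added example, not FreeIPA code)."""
import base64
import hashlib
import hmac
import re

# Digests that are offered as fingerprints.  MD5 is intentionally absent.
FINGERPRINT_ALGORITHMS = ("sha1", "sha256")

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for certificate bytes (NOT a real certificate):
# the ASCII string "abc", for which the SHA-1/SHA-256 test vectors are known.
CONSTRUCTED_DER = b"abc"
# The same bytes wrapped as PEM ("YWJj" is base64 of "abc").
CONSTRUCTED_PEM = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def pem_to_der(data):
    """Return DER bytes for either PEM text or raw DER input.

    Fingerprints are defined over the DER encoding; hashing the PEM text
    would give a value that matches neither certutil nor openssl.
    """
    text = data.decode("ascii", errors="ignore")
    match = _PEM_RE.search(text)
    if match is None:
        return data                       # treat input as DER already
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der, algorithm):
    """Colon-separated uppercase hex digest, e.g. 'AB:CD:...'."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints(cert):
    """All offered fingerprints of a certificate given as PEM or DER."""
    der = pem_to_der(cert)
    return {alg: fingerprint(der, alg) for alg in FINGERPRINT_ALGORITHMS}


def fingerprint_matches(cert, expected, algorithm="sha256"):
    """Pin check: does the certificate's digest equal an expected value?

    Accepts the expected value with or without colons/spaces, any case,
    and compares in constant time.
    """
    wanted = expected.replace(":", "").replace(" ", "").upper()
    actual = fingerprint(pem_to_der(cert), algorithm).replace(":", "")
    return hmac.compare_digest(actual, wanted)


if __name__ == "__main__":
    for alg, value in sorted(fingerprints(CONSTRUCTED_PEM).items()):
        print("%-6s %s" % (alg, value))
```

Because `pem_to_der` normalises the input, the PEM and DER forms of the same certificate produce identical fingerprints; the SHA-1 line for the stand-in input is `A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D`, the published SHA-1("abc") vector.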
From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 24 Feb 2017 10:22:02 +0100 Subject: [Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/504 Title: #504: Add SHA256 fingerprints stlaz commented: """ As discussed about a hundred times before, do not touch `install/share/copy-schema-to-ca.py`. """ See the full comment at https://github.com/freeipa/freeipa/pull/504#issuecomment-282244201 From freeipa-github-notification at redhat.com Fri Feb 24 09:23:25 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 24 Feb 2017 10:23:25 +0100 Subject: [Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/504 Title: #504: Add SHA256 fingerprints MartinBasti commented: """ Do not touch `install/share/copy-schema-to-ca.py` ever (this will be removed soon from master, just waiting for ACKs) """ See the full comment at https://github.com/freeipa/freeipa/pull/504#issuecomment-282244496 From freeipa-github-notification at redhat.com Fri Feb 24 09:27:22 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Fri, 24 Feb 2017 10:27:22 +0100 Subject: [Freeipa-devel] [freeipa PR#503][comment] [WIP] Update testcase for cert plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/503 Title: #503: [WIP] Update testcase for cert plugin Akasurde commented: """ @MartinBasti I am working on other improvements and will update this PR accordingly. """ See the full comment at https://github.com/freeipa/freeipa/pull/503#issuecomment-282245287 From freeipa-github-notification at redhat.com Fri Feb 24 09:34:17 2017 
From: freeipa-github-notification at redhat.com (Akasurde) Date: Fri, 24 Feb 2017 10:34:17 +0100 Subject: [Freeipa-devel] [freeipa PR#503][comment] [WIP] Update testcase for cert plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/503 Title: #503: [WIP] Update testcase for cert plugin Akasurde commented: """ @MartinBasti I am working on other improvements and will update this PR accordingly. - [ ] Issuing CA - [ ] Subject - [ ] Issuer - [ ] Serial number - [ ] Serial number (hex) - [ ] Status - [ ] Revoked """ See the full comment at https://github.com/freeipa/freeipa/pull/503#issuecomment-282245287 From freeipa-github-notification at redhat.com Fri Feb 24 09:34:18 2017 
From: freeipa-github-notification at redhat.com (Akasurde) Date: Fri, 24 Feb 2017 10:34:18 +0100 Subject: [Freeipa-devel] [freeipa PR#503][comment] [WIP] Update testcase for cert plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/503 Title: #503: [WIP] Update testcase for cert plugin Akasurde commented: """ @MartinBasti I am working on other improvements and will update this PR accordingly. - [x] Issuing CA - [ ] Subject - [ ] Issuer - [ ] Serial number - [ ] Serial number (hex) - [ ] Status - [ ] Revoked """ See the full comment at https://github.com/freeipa/freeipa/pull/503#issuecomment-282245287 From freeipa-github-notification at redhat.com Fri Feb 24 09:34:39 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 24 Feb 2017 10:34:39 +0100 Subject: [Freeipa-devel] [freeipa PR#504][synchronized] Add SHA256 fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/504 Author: tomaskrizek Title: #504: Add SHA256 fingerprints Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/504/head:pr504 git checkout pr504 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-504.patch Type: text/x-diff Size: 12372 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Feb 24 09:36:56 2017 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 24 Feb 2017 10:36:56 +0100 Subject: [Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/504 Title: #504: Add SHA256 fingerprints tomaskrizek commented: """ I've dropped the commit that modified the deprecated file. """ See the full comment at https://github.com/freeipa/freeipa/pull/504#issuecomment-282247242 From freeipa-github-notification at redhat.com Fri Feb 24 09:37:25 2017 
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 24 Feb 2017 10:37:25 +0100 Subject: [Freeipa-devel] [freeipa PR#503][comment] [WIP] Update testcase for cert plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/503 Title: #503: [WIP] Update testcase for cert plugin MartinBasti commented: """ @Akasurde what is your opinion about creating a Tracker class for certificate? """ See the full comment at https://github.com/freeipa/freeipa/pull/503#issuecomment-282247368 From freeipa-github-notification at redhat.com Fri Feb 24 09:58:29 2017 From: freeipa-github-notification at redhat.com (Akasurde) Date: Fri, 24 Feb 2017 10:58:29 +0100 Subject: [Freeipa-devel] [freeipa PR#503][comment] [WIP] Update testcase for cert plugin In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/503 Title: #503: [WIP] Update testcase for cert plugin Akasurde commented: """ @MartinBasti Will implement tracker class in different PR. """ See the full comment at https://github.com/freeipa/freeipa/pull/503#issuecomment-282251828 From freeipa-github-notification at redhat.com Fri Feb 24 09:58:55 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 24 Feb 2017 10:58:55 +0100 Subject: [Freeipa-devel] [freeipa PR#505][opened] dns: fix `dnsrecord_add` interactive mode Message-ID: URL: https://github.com/freeipa/freeipa/pull/505 Author: HonzaCholasta Title: #505: dns: fix `dnsrecord_add` interactive mode Action: opened PR body: """ `dnsrecord_add` interactive mode might prompt for the value of the non-existent arguments `a_part_create_reverse` and `aaaa_part_create_reverse`. This happens because `dnsrecord_add` extra flags are incorrectly defined as parts of the respective DNS records. Remove extra flags from DNS record parts to fix the interactive mode on old clients talking to new servers. Skip non-existent arguments in the interactive mode to fix new clients talking to old servers. https://fedorahosted.org/freeipa/ticket/6457 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/505/head:pr505 git checkout pr505 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-505.patch Type: text/x-diff Size: 2140 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Feb 24 10:00:31 2017 From: freeipa-github-notification at redhat.com (tscherf) Date: Fri, 24 Feb 2017 11:00:31 +0100 Subject: [Freeipa-devel] [freeipa PR#506][opened] added ssl verification Message-ID: URL: https://github.com/freeipa/freeipa/pull/506 Author: tscherf Title: #506: added ssl verification Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/506/head:pr506 git checkout pr506 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-506.patch Type: text/x-diff Size: 746 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Feb 24 10:06:43 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 24 Feb 2017 11:06:43 +0100 Subject: [Freeipa-devel] [freeipa PR#506][comment] added ssl verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/506 Title: #506: added ssl verification tiran commented: """ Why do you propose to change the settings? By default python-requests enforces certificate validation. Without additional settings, it uses the system trust store. The IPA root CA is injected into the system trust store. """ See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282253632 From freeipa-github-notification at redhat.com Fri Feb 24 10:09:26 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Fri, 24 Feb 2017 11:09:26 +0100 Subject: [Freeipa-devel] [freeipa PR#506][comment] added ssl verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/506 Title: #506: added ssl verification HonzaCholasta commented: """ We don't want to trust certificates issued by random internet CAs, this is how it should have been from the beginning. A commit message would be nice though. @tscherf, please add this ticket URL to the commit message: https://fedorahosted.org/freeipa/ticket/6686 """ See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282254224 From freeipa-github-notification at redhat.com Fri Feb 24 10:18:19 2017 
From: freeipa-github-notification at redhat.com (tscherf) Date: Fri, 24 Feb 2017 11:18:19 +0100 Subject: [Freeipa-devel] [freeipa PR#506][synchronized] added ssl verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/506 Author: tscherf Title: #506: added ssl verification Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/506/head:pr506 git checkout pr506 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-506.patch Type: text/x-diff Size: 791 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Feb 24 10:35:41 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 24 Feb 2017 11:35:41 +0100 Subject: [Freeipa-devel] [freeipa PR#506][comment] added ssl verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/506 Title: #506: added ssl verification tiran commented: """ Please change the title of the commit, too. It implies that we did not verify certs in the past. In the future please don't call the system trust store a random collection of CAs. It's diminishing and vilifying the hard work of the security team to provide a secure selection of CA certs. This change is purely an attempt to harden IPA and use the same selection of CAs everywhere. """ See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282259839 From freeipa-github-notification at redhat.com Fri Feb 24 10:50:28 2017 
From: freeipa-github-notification at redhat.com (tscherf) Date: Fri, 24 Feb 2017 11:50:28 +0100 Subject: [Freeipa-devel] [freeipa PR#506][comment] added ssl verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/506 Title: #506: added ssl verification tscherf commented: """ When the system wide trust store is supposed to be used here, then something else must be broken somewhere in the verification code. Without explicitly using the IPA trust anchor stored in IPA_CA_CRT, the installer failed with an "[SSL: CERTIFICATE_VERIFY_FAILED]" error. We have seen this in CA-less and chained CA setups. """ See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282262743 From freeipa-github-notification at redhat.com Fri Feb 24 10:50:49 2017 From: freeipa-github-notification at redhat.com (tscherf) Date: Fri, 24 Feb 2017 11:50:49 +0100 Subject: [Freeipa-devel] [freeipa PR#506][closed] added ssl verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/506 Author: tscherf Title: #506: added ssl verification Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/506/head:pr506 git checkout pr506 From freeipa-github-notification at redhat.com Fri Feb 24 10:50:52 2017 From: freeipa-github-notification at redhat.com (tscherf) Date: Fri, 24 Feb 2017 11:50:52 +0100 Subject: [Freeipa-devel] [freeipa PR#506][synchronized] added ssl verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/506 Author: tscherf Title: #506: added ssl verification Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/506/head:pr506 git checkout pr506 From freeipa-github-notification at redhat.com Fri Feb 24 10:55:14 2017 
From: freeipa-github-notification at redhat.com (tscherf) Date: Fri, 24 Feb 2017 11:55:14 +0100 Subject: [Freeipa-devel] [freeipa PR#506][comment] added ssl verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/506 Title: #506: added ssl verification tscherf commented: """ Sorry, closed this by mistake. """ See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282263664 From freeipa-github-notification at redhat.com Fri Feb 24 10:55:16 2017 From: freeipa-github-notification at redhat.com (tscherf) Date: Fri, 24 Feb 2017 11:55:16 +0100 Subject: [Freeipa-devel] [freeipa PR#506][synchronized] added ssl verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/506 Author: tscherf Title: #506: added ssl verification Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/506/head:pr506 git checkout pr506 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-506.patch Type: text/x-diff Size: 814 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Feb 24 10:55:18 2017 From: freeipa-github-notification at redhat.com (tscherf) Date: Fri, 24 Feb 2017 11:55:18 +0100 Subject: [Freeipa-devel] [freeipa PR#506][reopened] added ssl verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/506 Author: tscherf Title: #506: added ssl verification Action: reopened To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/506/head:pr506 git checkout pr506 From freeipa-github-notification at redhat.com Fri Feb 24 10:56:45 2017 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 24 Feb 2017 11:56:45 +0100 Subject: [Freeipa-devel] [freeipa PR#504][synchronized] Add SHA256 fingerprints In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/504 Author: tomaskrizek Title: #504: Add SHA256 fingerprints Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/504/head:pr504 git checkout pr504 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-504.patch Type: text/x-diff Size: 12391 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Feb 24 11:40:48 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 24 Feb 2017 12:40:48 +0100 Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/367/head:pr367 git checkout pr367 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-367.patch Type: text/x-diff Size: 140258 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Feb 24 11:43:24 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 24 Feb 2017 12:43:24 +0100 Subject: [Freeipa-devel] [freeipa PR#506][comment] added ssl verification In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/506 Title: #506: added ssl verification tiran commented: """ LGTM, but I want @simo5 to give the final ACK. Since Custodia is only used during replica installation on an enrolled system, ipa-client-install has already provided the certificate. I don't see any issue in the proposed fix. ```ipaserver.secrets.client``` does not yet use Custodia's own client library. I'll keep the problem in mind once we have updated to a recent Custodia version. """ See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282272478 From freeipa-github-notification at redhat.com Fri Feb 24 12:00:55 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 24 Feb 2017 13:00:55 +0100 Subject: [Freeipa-devel] [freeipa PR#507][opened] Use https to get security domain from Dogtag Message-ID: URL: https://github.com/freeipa/freeipa/pull/507 Author: tiran Title: #507: Use https to get security domain from Dogtag Action: opened PR body: """ Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/507/head:pr507 git checkout pr507 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-507.patch Type: text/x-diff Size: 990 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Feb 24 12:05:31 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 24 Feb 2017 13:05:31 +0100 Subject: [Freeipa-devel] [freeipa PR#506][edited] Use IPA CA cert in Custodia secrets client In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/506 Author: tscherf Title: #506: Use IPA CA cert in Custodia secrets client Action: edited Changed field: title Original value: """ added ssl verification """ From freeipa-github-notification at redhat.com Fri Feb 24 12:14:57 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 24 Feb 2017 13:14:57 +0100 Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/367/head:pr367 git checkout pr367 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-367.patch Type: text/x-diff Size: 141671 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Feb 24 12:16:39 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 24 Feb 2017 13:16:39 +0100 Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/367 Title: #367: Remove nsslib from IPA stlaz commented: """ The issues from the previous build should be resolved now, can be reviewed, hopefully the build passes. """ See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-282277991 From freeipa-github-notification at redhat.com Fri Feb 24 12:30:55 2017 
From: freeipa-github-notification at redhat.com (pvoborni) Date: Fri, 24 Feb 2017 13:30:55 +0100 Subject: [Freeipa-devel] [freeipa PR#507][comment] Use https to get security domain from Dogtag In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/507 Title: #507: Use https to get security domain from Dogtag pvoborni commented: """ What is the context of this patch? Is something broken only in master, or also in 4.4, Fedora, RHEL, ...? """ See the full comment at https://github.com/freeipa/freeipa/pull/507#issuecomment-282280330 From freeipa-github-notification at redhat.com Fri Feb 24 12:35:18 2017 From: freeipa-github-notification at redhat.com (pvoborni) Date: Fri, 24 Feb 2017 13:35:18 +0100 Subject: [Freeipa-devel] [freeipa PR#507][comment] Use https to get security domain from Dogtag In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/507 Title: #507: Use https to get security domain from Dogtag pvoborni commented: """ I.e. I want to know if something needs to be or should be backported. """ See the full comment at https://github.com/freeipa/freeipa/pull/507#issuecomment-282281077 From freeipa-github-notification at redhat.com Fri Feb 24 12:38:19 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 24 Feb 2017 13:38:19 +0100 Subject: [Freeipa-devel] [freeipa PR#507][comment] Use https to get security domain from Dogtag In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/507 Title: #507: Use https to get security domain from Dogtag tiran commented: """ The patch hardens the installer a bit. It would be a good idea to backport the patch to 4.4. It's not critical since it's a read operation on localhost. """ See the full comment at https://github.com/freeipa/freeipa/pull/507#issuecomment-282281583 From freeipa-github-notification at redhat.com Fri Feb 24 12:46:17 2017
From: freeipa-github-notification at redhat.com (simo5) Date: Fri, 24 Feb 2017 13:46:17 +0100 Subject: [Freeipa-devel] [freeipa PR#506][comment] Use IPA CA cert in Custodia secrets client In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/506 Title: #506: Use IPA CA cert in Custodia secrets client simo5 commented: """ Works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282282986 From freeipa-github-notification at redhat.com Fri Feb 24 13:09:11 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Fri, 24 Feb 2017 14:09:11 +0100 Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/367/head:pr367 git checkout pr367 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-367.patch Type: text/x-diff Size: 141691 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Feb 24 15:02:36 2017 From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 24 Feb 2017 16:02:36 +0100 Subject: [Freeipa-devel] [freeipa PR#479][comment] Merge AD trust installer into composite ones In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/479 Title: #479: Merge AD trust installer into composite ones MartinBasti commented: """ Works for me, except that ipa-server-install --setup-adtrust works even without the freeipa-server-trust-ad package. Please fix this in a new PR in the way DNS is done. """ See the full comment at https://github.com/freeipa/freeipa/pull/479#issuecomment-282312799 From freeipa-github-notification at redhat.com Fri Feb 24 15:02:54 2017
From: freeipa-github-notification at redhat.com (MartinBasti) Date: Fri, 24 Feb 2017 16:02:54 +0100 Subject: [Freeipa-devel] [freeipa PR#479][+ack] Merge AD trust installer into composite ones In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/479 Title: #479: Merge AD trust installer into composite ones Label: +ack From Oucema.Bellagha at hotmail.com Fri Feb 24 16:26:13 2017 
From: Oucema.Bellagha at hotmail.com (Oucema Bellagha) Date: Fri, 24 Feb 2017 16:26:13 +0000 Subject: [Freeipa-devel] Adding a User-Managed YubiKey Hardware Token valueerror: no backend available Message-ID:

While I'm trying to add an IPA token to the FreeIPA server:

    ipa otptoken-add-yubikey --slot=2

I got the following error:

    ipa: ERROR: non-public: ValueError: No backend available
    Traceback (most recent call last):
      File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 137, in execute
        result = self.Command[_name](*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
        return self.__do_call(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call
        ret = self.run(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
        return self.forward(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipaclient/plugins/otptoken_yubikey.py", line 120, in forward
        yk = yubico.find_yubikey()
      File "/usr/lib/python2.7/site-packages/yubico/yubikey.py", line 229, in find_key
        YK = YubiKeyUSBHID(debug=debug, skip=skip)
      File "/usr/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 165, in __init__
        if not self._open(skip):
      File "/usr/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 447, in _open
        usb_device = self._get_usb_device(skip)
      File "/usr/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 497, in _get_usb_device
        find_all=True, idVendor=_YUBICO_VID)]
      File "/usr/lib/python2.7/site-packages/usb/core.py", line 864, in find
        raise ValueError('No backend available')
    ValueError: No backend available
    ipa: ERROR: an internal error has occurred

How can I fix this?

Thanks,
-------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Fri Feb 24 16:42:53 2017
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 24 Feb 2017 18:42:53 +0200 Subject: [Freeipa-devel] Adding a User-Managed YubiKey Hardware Token valueerror: no backend available In-Reply-To: References: Message-ID: <20170224164253.lmjebamqbsqukkta@redhat.com>

On Fri, 24 Feb 2017, Oucema Bellagha wrote:
>while I'm trying to add an ipa token to freeipa server: ipa otptoken-add-yubikey --slot=2
>I got the following error:
>
>ipa: ERROR: non-public: ValueError: No backend available
>Traceback (most recent call last):
>  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 137, in execute
>    result = self.Command[_name](*args, **options)
>  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
>    return self.__do_call(*args, **options)
>  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call
>    ret = self.run(*args, **options)
>  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
>    return self.forward(*args, **options)
>  File "/usr/lib/python2.7/site-packages/ipaclient/plugins/otptoken_yubikey.py", line 120, in forward
>    yk = yubico.find_yubikey()
>  File "/usr/lib/python2.7/site-packages/yubico/yubikey.py", line 229, in find_key
>    YK = YubiKeyUSBHID(debug=debug, skip=skip)
>  File "/usr/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 165, in __init__
>    if not self._open(skip):
>  File "/usr/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 447, in _open
>    usb_device = self._get_usb_device(skip)
>  File "/usr/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 497, in _get_usb_device
>    find_all=True, idVendor=_YUBICO_VID)]
>  File "/usr/lib/python2.7/site-packages/usb/core.py", line 864, in find
>    raise ValueError('No backend available')
>ValueError: No backend available
>ipa: ERROR: an internal error has occurred
>
>how can I fix this?

Install the actual libusb package? pyusb is designed to work against various usb library implementations. In Fedora there are at least two: libusbx and libusb. Install one of them.

What does the following small python script return on your system?

------
from usb.libloader import locate_library

# Prints the path of the first candidate library ctypes can locate, or None.
print(locate_library(('usb-1.0', 'libusb-1.0', 'usb')))
print(locate_library(('usb-0.1', 'libusb-0.1', 'usb')))
-------
-- 
/ Alexander Bokovoy
From freeipa-github-notification at redhat.com Fri Feb 24 22:47:13 2017
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Fri, 24 Feb 2017 23:47:13 +0100 Subject: [Freeipa-devel] [freeipa PR#508][opened] Fix ipa.service unit re. gssproxy Message-ID: URL: https://github.com/freeipa/freeipa/pull/508 Author: flo-renaud Title: #508: Fix ipa.service unit re. gssproxy Action: opened PR body: """ ipa.service unit defines Requires=gssproxy. Because of this, during ipa-server-upgrade, the restart of gssproxy triggers a restart of ipa unit (hence stopping LDAP server and breaking the connection api.Backend.ldap2). Calls using this connection after gssproxy restart fail and ipa-server-upgrade exits on failure. The fix defines Wants=gssproxy to avoid the restart of ipa.service https://fedorahosted.org/freeipa/ticket/6705 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/508/head:pr508 git checkout pr508 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-508.patch Type: text/x-diff Size: 1064 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sat Feb 25 07:49:17 2017
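Alexander Bokovoy's two-line probe in the reply above checks only the libusb-1.0 and libusb-0.1 names. The script below is an added example (not code from the thread, from FreeIPA or from pyusb) that generalises it: it reproduces the library search for all three backends pyusb 1.0 ships (libusb1, libusb0, openusb) using ctypes.util.find_library(), which is the first loader usb.libloader.locate_library() tries, so it runs even when pyusb is not installed; if pyusb is importable it also reports which backend pyusb actually loads and enumerates attached Yubico devices. The candidate name tuples for the libusb0 and openusb backends are assumptions modelled on pyusb's sources, not taken from the thread; 0x1050 is Yubico's USB vendor ID.

```python
"""Diagnose pyusb's "No backend available" (added example, not from the thread).

pyusb (the ``usb`` package) is a thin layer over a C library: usb.core.find()
walks its backends (libusb1, libusb0, openusb) and each asks ctypes to locate
a shared library.  If none loads, find() raises ValueError('No backend
available'), the error in the YubiKey traceback above.
"""
import ctypes.util
import importlib

# Library base names each pyusb backend tries, in the order it tries them.
# libusb1 matches the tuple quoted in the thread; libusb0 and openusb are
# assumptions modelled on pyusb's backend sources.
BACKEND_CANDIDATES = {
    "libusb1": ("usb-1.0", "libusb-1.0", "usb"),
    "libusb0": ("usb-0.1", "usb", "libusb0", "libusb"),
    "openusb": ("openusb",),
}

YUBICO_VID = 0x1050  # Yubico's USB vendor ID (what python-yubico's _YUBICO_VID holds)


def locate_shared_libraries(candidates=BACKEND_CANDIDATES):
    """Return {backend: path-or-None} using ctypes' own library search.

    ctypes.util.find_library() is the first thing usb.libloader.locate_library()
    calls, so None for every backend reproduces the failure before pyusb is
    even involved.
    """
    found = {}
    for backend, names in candidates.items():
        found[backend] = None
        for name in names:
            path = ctypes.util.find_library(name)
            if path:
                found[backend] = path
                break
    return found


def loaded_pyusb_backend():
    """Name of the backend pyusb manages to load, or None.

    None covers both 'pyusb not installed' and 'pyusb installed but every
    backend failed to initialise' (the No-backend-available case).
    """
    for backend in ("libusb1", "libusb0", "openusb"):
        try:
            mod = importlib.import_module("usb.backend." + backend)
        except ImportError:
            return None  # pyusb missing entirely
        if mod.get_backend() is not None:
            return backend
    return None


def diagnose():
    """Combine both checks into one report with stable keys."""
    libs = locate_shared_libraries()
    backend = loaded_pyusb_backend()
    hint = None
    if not any(libs.values()):
        hint = "no libusb shared library found: install libusbx or libusb"
    elif backend is None:
        hint = "a libusb is present but pyusb could not load it; check the pyusb install"
    return {"libraries": libs, "backend": backend, "hint": hint}


def list_yubikeys():
    """(idVendor, idProduct) of attached Yubico devices via pyusb.

    Returns [] instead of raising when pyusb/libusb are unusable, so callers
    can tell 'no backend' (see diagnose()) from 'no key plugged in'.
    """
    try:
        import usb.core
        devs = usb.core.find(find_all=True, idVendor=YUBICO_VID)
        return [(d.idVendor, d.idProduct) for d in devs]
    except (ImportError, ValueError):  # NoBackendError subclasses ValueError
        return []


if __name__ == "__main__":
    report = diagnose()
    for name, path in report["libraries"].items():
        print("%-8s %s" % (name, path or "not found"))
    print("pyusb backend:", report["backend"] or "none")
    if report["hint"]:
        print("hint:", report["hint"])
    print("yubikeys:", list_yubikeys())
```

Run it as the same user that runs `ipa otptoken-add-yubikey`: a library that is installed but unreadable, or a device node the user cannot open, shows up as a loaded backend with an empty device list rather than as the ValueError, which narrows the problem to permissions instead of packaging.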
From: freeipa-github-notification at redhat.com (abbra) Date: Sat, 25 Feb 2017 08:49:17 +0100 Subject: [Freeipa-devel] [freeipa PR#508][comment] Fix ipa.service unit re. gssproxy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/508 Title: #508: Fix ipa.service unit re. gssproxy abbra commented: """ LGTM. Thank you for finding and fixing this issue. """ See the full comment at https://github.com/freeipa/freeipa/pull/508#issuecomment-282467859 From freeipa-github-notification at redhat.com Sat Feb 25 07:49:33 2017 From: freeipa-github-notification at redhat.com (abbra) Date: Sat, 25 Feb 2017 08:49:33 +0100 Subject: [Freeipa-devel] [freeipa PR#508][+ack] Fix ipa.service unit re. gssproxy In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/508 Title: #508: Fix ipa.service unit re. gssproxy Label: +ack From freeipa-github-notification at redhat.com Sat Feb 25 08:26:52 2017 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Sat, 25 Feb 2017 09:26:52 +0100 Subject: [Freeipa-devel] [freeipa PR#412][synchronized] Define template version in certmap.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/412 Author: flo-renaud Title: #412: Define template version in certmap.conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/412/head:pr412 git checkout pr412 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-412.patch Type: text/x-diff Size: 2402 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sat Feb 25 08:27:41 2017
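The dependency change that the PR#508 description above explains, written out as an added example of the two unit directives side by side. This is not the unit file FreeIPA ships (that is in the scrubbed patch); the unit names are taken from the PR text and everything else is illustrative.

```ini
# Illustrative [Unit] section of ipa.service; not FreeIPA's actual file.
#
# Before (the behaviour the PR describes): Requires= makes ipa.service a hard
# dependent of gssproxy.service.  systemd propagates an explicit stop or
# restart of gssproxy to ipa.service, so "systemctl restart gssproxy" during
# ipa-server-upgrade stops ipa.service, and with it the LDAP server behind
# api.Backend.ldap2.
#
#   [Unit]
#   Requires=gssproxy.service
#   After=gssproxy.service
#
# After: Wants= still pulls gssproxy in when ipa.service starts, but a stop
# or restart of gssproxy no longer propagates to ipa.service.  After= is kept
# so start-up ordering is unchanged; Wants= alone says nothing about order.

[Unit]
Wants=gssproxy.service
After=gssproxy.service
```

After `systemctl daemon-reload`, `systemctl show -p Requires -p Wants -p After ipa.service` shows gssproxy.service moved from the Requires list to the Wants list. One caveat for anyone tempted to apply this as a drop-in instead of editing the unit: dependency directives are additive, so a drop-in can add Wants= but cannot remove a Requires= that the main unit file still declares; the change has to land in the unit file itself, as the PR does.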
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Sat, 25 Feb 2017 09:27:41 +0100 Subject: [Freeipa-devel] [freeipa PR#412][comment] Define template version in certmap.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/412 Title: #412: Define template version in certmap.conf flo-renaud commented: """ Hi @MartinBasti , patch rebased """ See the full comment at https://github.com/freeipa/freeipa/pull/412#issuecomment-282469593 From freeipa-github-notification at redhat.com Sat Feb 25 15:10:37 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Sat, 25 Feb 2017 16:10:37 +0100 Subject: [Freeipa-devel] [freeipa PR#509][opened] Migrate OTP import script to python-cryptography Message-ID: URL: https://github.com/freeipa/freeipa/pull/509 Author: tiran Title: #509: Migrate OTP import script to python-cryptography Action: opened PR body: """ Supersedes @npmccallum PR #486 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/509/head:pr509 git checkout pr509 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-509.patch Type: text/x-diff Size: 20407 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sat Feb 25 15:11:27 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Sat, 25 Feb 2017 16:11:27 +0100 Subject: [Freeipa-devel] [freeipa PR#510][opened] Vault: port key wrapping to python-cryptography Message-ID: URL: https://github.com/freeipa/freeipa/pull/510 Author: tiran Title: #510: Vault: port key wrapping to python-cryptography Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6650 
Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/510/head:pr510 git checkout pr510 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-510.patch Type: text/x-diff Size: 7237 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sat Feb 25 15:15:54 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Sat, 25 Feb 2017 16:15:54 +0100 Subject: [Freeipa-devel] [freeipa PR#509][synchronized] Migrate OTP import script to python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/509 Author: tiran Title: #509: Migrate OTP import script to python-cryptography Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/509/head:pr509 git checkout pr509 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-509.patch Type: text/x-diff Size: 20389 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Sun Feb 26 09:37:31 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Sun, 26 Feb 2017 10:37:31 +0100 Subject: [Freeipa-devel] [freeipa PR#509][synchronized] Migrate OTP import script to python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/509 Author: tiran Title: #509: Migrate OTP import script to python-cryptography Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/509/head:pr509 git checkout pr509 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-509.patch Type: text/x-diff Size: 22644 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Feb 27 02:11:45 2017 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Mon, 27 Feb 2017 03:11:45 +0100 Subject: [Freeipa-devel] [freeipa PR#506][comment] Use IPA CA cert in Custodia secrets client In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/506 Title: #506: Use IPA CA cert in Custodia secrets client frasertweedale commented: """ @tiran FYI custodia is also used for Lightweight CA key replication, at any time a new LWCA gets created, to propagate its signing key among replicas. So this is a useful change. """ See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282611303 From freeipa-github-notification at redhat.com Mon Feb 27 07:04:35 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Feb 2017 08:04:35 +0100 Subject: [Freeipa-devel] [freeipa PR#486][+rejected] Migrate OTP import script to python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/486 Title: #486: Migrate OTP import script to python-cryptography Label: +rejected From freeipa-github-notification at redhat.com Mon Feb 27 07:04:39 2017
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Feb 2017 08:04:39 +0100 Subject: [Freeipa-devel] [freeipa PR#486][closed] Migrate OTP import script to python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/486 Author: npmccallum Title: #486: Migrate OTP import script to python-cryptography Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/486/head:pr486 git checkout pr486 From freeipa-github-notification at redhat.com Mon Feb 27 07:04:40 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Feb 2017 08:04:40 +0100 Subject: [Freeipa-devel] [freeipa PR#486][comment] Migrate OTP import script to python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/486 Title: #486: Migrate OTP import script to python-cryptography stlaz commented: """ Fixed in https://github.com/freeipa/freeipa/issues/509 """ See the full comment at https://github.com/freeipa/freeipa/pull/486#issuecomment-282643547 From freeipa-github-notification at redhat.com Mon Feb 27 07:32:17 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 27 Feb 2017 08:32:17 +0100 Subject: [Freeipa-devel] [freeipa PR#492][synchronized] [WIP] config: remove meaningless defaults In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/492 Author: HonzaCholasta Title: #492: [WIP] config: remove meaningless defaults Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/492/head:pr492 git checkout pr492 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-492.patch Type: text/x-diff Size: 21327 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Feb 27 07:34:37 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 27 Feb 2017 08:34:37 +0100 Subject: [Freeipa-devel] [freeipa PR#506][+ack] Use IPA CA cert in Custodia secrets client In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/506 Title: #506: Use IPA CA cert in Custodia secrets client Label: +ack From freeipa-github-notification at redhat.com Mon Feb 27 07:47:16 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 27 Feb 2017 08:47:16 +0100 Subject: [Freeipa-devel] [freeipa PR#506][+pushed] Use IPA CA cert in Custodia secrets client In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/506 Title: #506: Use IPA CA cert in Custodia secrets client Label: +pushed From freeipa-github-notification at redhat.com Mon Feb 27 07:47:17 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 27 Feb 2017 08:47:17 +0100 Subject: [Freeipa-devel] [freeipa PR#506][comment] Use IPA CA cert in Custodia secrets client In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/506 Title: #506: Use IPA CA cert in Custodia secrets client HonzaCholasta commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/16dac0252e52c8de07fd8a6a86ec0896074cbe9d """ See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282649660 From freeipa-github-notification at redhat.com Mon Feb 27 07:47:19 2017 
From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 27 Feb 2017 08:47:19 +0100 Subject: [Freeipa-devel] [freeipa PR#506][closed] Use IPA CA cert in Custodia secrets client In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/506 Author: tscherf Title: #506: Use IPA CA cert in Custodia secrets client Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/506/head:pr506 git checkout pr506 From freeipa-github-notification at redhat.com Mon Feb 27 08:18:49 2017 From: freeipa-github-notification at redhat.com (dkupka) Date: Mon, 27 Feb 2017 09:18:49 +0100 Subject: [Freeipa-devel] [freeipa PR#511][opened] Bump required version of gssproxy to 0.6.2 Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Author: dkupka Title: #511: Bump required version of gssproxy to 0.6.2 Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6698 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/511/head:pr511 git checkout pr511 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-511.patch Type: text/x-diff Size: 827 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Feb 27 08:30:57 2017 
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 27 Feb 2017 09:30:57 +0100 Subject: [Freeipa-devel] [freeipa PR#510][synchronized] Vault: port key wrapping to python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/510 Author: tiran Title: #510: Vault: port key wrapping to python-cryptography Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/510/head:pr510 git checkout pr510 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-510.patch Type: text/x-diff Size: 10160 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Feb 27 08:42:35 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 27 Feb 2017 09:42:35 +0100 Subject: [Freeipa-devel] [freeipa PR#453][synchronized] Cleanup certdb In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/453 Author: tiran Title: #453: Cleanup certdb Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/453/head:pr453 git checkout pr453 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-453.patch Type: text/x-diff Size: 10527 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Feb 27 08:43:45 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Feb 2017 09:43:45 +0100 Subject: [Freeipa-devel] [freeipa PR#511][+ack] Bump required version of gssproxy to 0.6.2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Title: #511: Bump required version of gssproxy to 0.6.2 Label: +ack From freeipa-github-notification at redhat.com Mon Feb 27 08:44:39 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Feb 2017 09:44:39 +0100 Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Title: #511: Bump required version of gssproxy to 0.6.2 stlaz commented: """ Works for me """ See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-282659959 From freeipa-github-notification at redhat.com Mon Feb 27 08:45:48 2017 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Feb 2017 09:45:48 +0100 Subject: [Freeipa-devel] [freeipa PR#511][-ack] Bump required version of gssproxy to 0.6.2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Title: #511: Bump required version of gssproxy to 0.6.2 Label: -ack From freeipa-github-notification at redhat.com Mon Feb 27 08:48:03 2017
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Feb 2017 09:48:03 +0100 Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Title: #511: Bump required version of gssproxy to 0.6.2 stlaz commented: """ Unfortunately, we can't push this until we find a way to provide the rpm for Travis. """ See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-282660623 From freeipa-github-notification at redhat.com Mon Feb 27 09:07:45 2017 From: freeipa-github-notification at redhat.com (gkaihorodova) Date: Mon, 27 Feb 2017 10:07:45 +0100 Subject: [Freeipa-devel] [freeipa PR#448][comment] Tests: Basic coverage with tree root domain In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/448 Title: #448: Tests: Basic coverage with tree root domain gkaihorodova commented: """ Bump for review """ See the full comment at https://github.com/freeipa/freeipa/pull/448#issuecomment-282664683 From freeipa-github-notification at redhat.com Mon Feb 27 09:07:52 2017 From: freeipa-github-notification at redhat.com (HonzaCholasta) Date: Mon, 27 Feb 2017 10:07:52 +0100 Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Title: #511: Bump required version of gssproxy to 0.6.2 HonzaCholasta commented: """ @stlaz, https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-master/build/519196/ """ See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-282664702 From freeipa-github-notification at redhat.com Mon Feb 27 09:12:54 2017 
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 27 Feb 2017 10:12:54 +0100 Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/511 Title: #511: Bump required version of gssproxy to 0.6.2 stlaz commented: """ @HonzaCholasta Thank you, please kick Travis once the build is done """ See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-282665763 From freeipa-github-notification at redhat.com Mon Feb 27 09:40:52 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 27 Feb 2017 10:40:52 +0100 Subject: [Freeipa-devel] [freeipa PR#507][synchronized] Use https to get security domain from Dogtag In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/507 Author: tiran Title: #507: Use https to get security domain from Dogtag Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/507/head:pr507 git checkout pr507 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-507.patch Type: text/x-diff Size: 1056 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Feb 27 09:44:32 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 27 Feb 2017 10:44:32 +0100 Subject: [Freeipa-devel] [freeipa PR#510][comment] Vault: port key wrapping to python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/510 Title: #510: Vault: port key wrapping to python-cryptography tiran commented: """ @simo5 Do I remember correctly that PKCS1v1.5 side channel attacks apply only to unpadding and not to padding? """ See the full comment at https://github.com/freeipa/freeipa/pull/510#issuecomment-282672980 From freeipa-github-notification at redhat.com Mon Feb 27 10:03:06 2017
From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 27 Feb 2017 11:03:06 +0100 Subject: [Freeipa-devel] [freeipa PR#510][comment] Vault: port key wrapping to python-cryptography In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/510 Title: #510: Vault: port key wrapping to python-cryptography tiran commented: """ I can answer the question myself. The side channel attack on RSAEP PKCS1 v1.5 is a chosen-ciphertext (Bleichenbacher) attack. It applies to unpadding and RSA decryption, because it's only a danger to the side that owns the private key. Therefore """ See the full comment at https://github.com/freeipa/freeipa/pull/510#issuecomment-282677448 From freeipa-github-notification at redhat.com Mon Feb 27 10:06:54 2017 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 27 Feb 2017 11:06:54 +0100 Subject: [Freeipa-devel] [freeipa PR#501][synchronized] C compilation fixes and hardening In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/501 Author: tiran Title: #501: C compilation fixes and hardening Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/501/head:pr501 git checkout pr501 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-501.patch Type: text/x-diff Size: 1480 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Feb 27 10:48:47 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 27 Feb 2017 11:48:47 +0100
Subject: [Freeipa-devel] [freeipa PR#509][comment] Migrate OTP import script to python-cryptography

URL: https://github.com/freeipa/freeipa/pull/509
Title: #509: Migrate OTP import script to python-cryptography

tiran commented:
"""
The importer uses RSAES-PKCS1 v1.5 to decrypt a session key. PKCS1 v1.5 is potentially vulnerable to CCA Bleichenbacher. In my professional opinion, the OTP importer cannot be abused as an oracle. The script is used as a one-shot importer and not run as an interactive service.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/509#issuecomment-282687544

From freeipa-github-notification at redhat.com Mon Feb 27 10:49:20 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Mon, 27 Feb 2017 11:49:20 +0100
Subject: [Freeipa-devel] [freeipa PR#509][comment] Migrate OTP import script to python-cryptography

URL: https://github.com/freeipa/freeipa/pull/509
Title: #509: Migrate OTP import script to python-cryptography

MartinBasti commented:
"""
@stlaz Why is this closed? I don't see any push/commit here
"""

See the full comment at https://github.com/freeipa/freeipa/pull/509#issuecomment-282687686
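An added example, not FreeIPA's code, of the operation tiran's comments on PR#509 and PR#510 describe: unwrapping an RSA-wrapped session key with python-cryptography, keeping the legacy RSAES-PKCS1 v1.5 path beside RSA-OAEP, with the private-key (unwrap) side, the only side a Bleichenbacher-style padding oracle concerns, failing uniformly. The scheme names, the 2048-bit throwaway keys and the 32-byte session key are this example's own assumptions.

```python
"""Added example (not FreeIPA's code): RSA session-key wrapping with
python-cryptography, modelled on the OTP importer / Vault port discussed on
PR#509 and PR#510. Scheme names and sizes are this example's assumptions."""
import os

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Legacy scheme the importer must still accept for already-exported data.
SCHEME_PKCS1_V15 = "RSAES-PKCS1-v1_5"
# Preferred scheme for new data: OAEP is not subject to Bleichenbacher's CCA.
SCHEME_OAEP = "RSAES-OAEP"

SESSION_KEY_LEN = 32  # assumed: a 256-bit symmetric session key


class UnwrapError(Exception):
    """Raised for every unwrap failure. The reason is deliberately not
    reported, so a caller cannot tell padding errors from other errors."""


def _padding_for(scheme):
    if scheme == SCHEME_PKCS1_V15:
        return padding.PKCS1v15()
    if scheme == SCHEME_OAEP:
        return padding.OAEP(
            mgf=padding.MGF1(algorithm=hashes.SHA256()),
            algorithm=hashes.SHA256(),
            label=None,
        )
    raise ValueError("unknown wrapping scheme: %s" % scheme)


def wrap_session_key(public_key, session_key, scheme=SCHEME_OAEP):
    """Encrypt (wrap) a symmetric session key under an RSA public key.
    Only the public key is involved, so this side exposes no oracle."""
    if len(session_key) != SESSION_KEY_LEN:
        raise ValueError("session key must be %d bytes" % SESSION_KEY_LEN)
    return public_key.encrypt(session_key, _padding_for(scheme))


def unwrap_session_key(private_key, wrapped, scheme=SCHEME_OAEP):
    """Decrypt (unwrap) a session key. This is the side Bleichenbacher's
    attack targets, so every failure collapses into one UnwrapError."""
    modulus_len = (private_key.key_size + 7) // 8
    if len(wrapped) != modulus_len:
        raise UnwrapError()
    try:
        key = private_key.decrypt(wrapped, _padding_for(scheme))
    except ValueError:
        raise UnwrapError()
    # The length check also catches PKCS#1 v1.5 decryptions that "succeed"
    # with junk (newer OpenSSL returns a random message instead of failing).
    if len(key) != SESSION_KEY_LEN:
        raise UnwrapError()
    return key


def _new_key():
    # Throwaway 2048-bit key pair; a real deployment uses the stored RA/Vault key.
    return rsa.generate_private_key(
        public_exponent=65537, key_size=2048, backend=default_backend()
    )


def roundtrip(scheme):
    """Wrap and unwrap a random session key; True when it survives intact."""
    private_key = _new_key()
    session_key = os.urandom(SESSION_KEY_LEN)
    wrapped = wrap_session_key(private_key.public_key(), session_key, scheme)
    return unwrap_session_key(private_key, wrapped, scheme) == session_key


def tampered_is_rejected():
    """Flip a bit of an OAEP-wrapped key and confirm the unwrap fails closed."""
    private_key = _new_key()
    wrapped = bytearray(
        wrap_session_key(private_key.public_key(), os.urandom(SESSION_KEY_LEN))
    )
    wrapped[-1] ^= 0x01
    try:
        unwrap_session_key(private_key, bytes(wrapped))
    except UnwrapError:
        return True
    return False


if __name__ == "__main__":
    print("PKCS#1 v1.5 round trip:", roundtrip(SCHEME_PKCS1_V15))
    print("OAEP round trip:", roundtrip(SCHEME_OAEP))
    print("tampered OAEP blob rejected:", tampered_is_rejected())
```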
From freeipa-github-notification at redhat.com Mon Feb 27 11:22:23 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 27 Feb 2017 12:22:23 +0100
Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-367.patch
Type: text/x-diff
Size: 150725 bytes

From freeipa-github-notification at redhat.com Mon Feb 27 11:25:46 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 27 Feb 2017 12:25:46 +0100
Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

stlaz commented:
"""
All the raised issues should've been addressed in the latest PR. Except for the NSS DB creation, please answer the question in `ipaserver/install/server/install.py`
"""

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-282695105

From freeipa-github-notification at redhat.com Mon Feb 27 11:29:12 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 27 Feb 2017 12:29:12 +0100
Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-367.patch
Type: text/x-diff
Size: 150753 bytes

From pvoborni at redhat.com Mon Feb 27 11:46:08 2017
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 27 Feb 2017 12:46:08 +0100
Subject: [Freeipa-devel] Migration of FreeIPA issue tracker - Trac and git repo to pagure.io

Hello list,

today and tomorrow a migration of FreeIPA issue tracker[1] and git repo will take place. It is due to FedoraHosted sunset [2]. Both will be migrated to pagure.io [3].

During this migration it won't be possible to add new tickets and comments to Trac or Pagure.

[1] https://fedorahosted.org/freeipa/
[2] https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/
[3] https://pagure.io/

Thank you for understanding,
-- 
Petr Vobornik
Associate Manager, Engineering, Identity Management
Red Hat, Inc.

From freeipa-github-notification at redhat.com Mon Feb 27 12:06:35 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 27 Feb 2017 13:06:35 +0100
Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-367.patch
Type: text/x-diff
Size: 150870 bytes

From freeipa-github-notification at redhat.com Mon Feb 27 12:10:38 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 27 Feb 2017 13:10:38 +0100
Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

stlaz commented:
"""
NSS DB creation removed from server install, did not realize it does not matter anymore.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-282703536

From freeipa-github-notification at redhat.com Mon Feb 27 12:11:34 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 27 Feb 2017 13:11:34 +0100
Subject: [Freeipa-devel] [freeipa PR#511][+ack] Bump required version of gssproxy to 0.6.2

URL: https://github.com/freeipa/freeipa/pull/511
Title: #511: Bump required version of gssproxy to 0.6.2

Label: +ack

From freeipa-github-notification at redhat.com Mon Feb 27 12:23:31 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Mon, 27 Feb 2017 13:23:31 +0100
Subject: [Freeipa-devel] [freeipa PR#512][opened] test_config: fix fips_mode key in Env

URL: https://github.com/freeipa/freeipa/pull/512
Author: tomaskrizek
Title: #512: test_config: fix fips_mode key in Env
Action: opened

PR body:
"""
Setting fips_mode to object would fail if ipaplatform.tasks module wasn't present.

https://fedorahosted.org/freeipa/ticket/5695
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/512/head:pr512
git checkout pr512

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-512.patch
Type: text/x-diff
Size: 2048 bytes

From freeipa-github-notification at redhat.com Mon Feb 27 13:08:58 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 27 Feb 2017 14:08:58 +0100
Subject: [Freeipa-devel] [freeipa PR#479][-ack] Merge AD trust installer into composite ones

URL: https://github.com/freeipa/freeipa/pull/479
Title: #479: Merge AD trust installer into composite ones

Label: -ack

From freeipa-github-notification at redhat.com Mon Feb 27 13:11:52 2017
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Mon, 27 Feb 2017 14:11:52 +0100
Subject: [Freeipa-devel] [freeipa PR#512][synchronized] test_config: fix fips_mode key in Env

URL: https://github.com/freeipa/freeipa/pull/512
Author: tomaskrizek
Title: #512: test_config: fix fips_mode key in Env
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/512/head:pr512
git checkout pr512

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-512.patch
Type: text/x-diff
Size: 2032 bytes

From freeipa-github-notification at redhat.com Mon Feb 27 14:11:16 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 27 Feb 2017 15:11:16 +0100
Subject: [Freeipa-devel] [freeipa PR#479][comment] Merge AD trust installer into composite ones

URL: https://github.com/freeipa/freeipa/pull/479
Title: #479: Merge AD trust installer into composite ones

martbab commented:
"""
I have noticed that the check for installed dependencies is buggy, I will have to fix it before pushing.

Also we would need to move the 'editors' group addition to the LDAP update phase since it remains with missing SID during ipa-server-install when `add_sids` knob is set to False. @abbra @rcritten is that ok with you? Please see inline comment for more details.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/479#issuecomment-282730945

From freeipa-github-notification at redhat.com Mon Feb 27 14:16:44 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 27 Feb 2017 15:16:44 +0100
Subject: [Freeipa-devel] [freeipa PR#513][opened] certdb: Don't restore_context() of new NSSDB

URL: https://github.com/freeipa/freeipa/pull/513
Author: tiran
Title: #513: certdb: Don't restore_context() of new NSSDB
Action: opened

PR body:
"""
It's not necessary to restore the context of newly created files. SELinux ensures that new files have the correct permission. An explicit restore_context() is only required when either policies have changed or the context was changed manually.

Signed-off-by: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/513/head:pr513
git checkout pr513

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-513.patch
Type: text/x-diff
Size: 1808 bytes

From freeipa-github-notification at redhat.com Mon Feb 27 14:17:24 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 27 Feb 2017 15:17:24 +0100
Subject: [Freeipa-devel] [freeipa PR#513][comment] certdb: Don't restore_context() of new NSSDB

URL: https://github.com/freeipa/freeipa/pull/513
Title: #513: certdb: Don't restore_context() of new NSSDB

tiran commented:
"""
I also dropped -1 check.

http://man7.org/linux/man-pages/man2/chown.2.html

> If the owner or group is specified as -1, then that ID is not changed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/513#issuecomment-282732501

From freeipa-github-notification at redhat.com Mon Feb 27 14:18:37 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 27 Feb 2017 15:18:37 +0100
Subject: [Freeipa-devel] [freeipa PR#512][+ack] test_config: fix fips_mode key in Env

URL: https://github.com/freeipa/freeipa/pull/512
Title: #512: test_config: fix fips_mode key in Env

Label: +ack

From freeipa-github-notification at redhat.com Mon Feb 27 14:43:27 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Mon, 27 Feb 2017 15:43:27 +0100
Subject: [Freeipa-devel] [freeipa PR#479][comment] Merge AD trust installer into composite ones

URL: https://github.com/freeipa/freeipa/pull/479
Title: #479: Merge AD trust installer into composite ones

abbra commented:
"""
If you can differentiate how the installer is being run, then for composite installer always run add_sids.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/479#issuecomment-282739260

From freeipa-github-notification at redhat.com Mon Feb 27 15:43:01 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Mon, 27 Feb 2017 16:43:01 +0100
Subject: [Freeipa-devel] [freeipa PR#508][comment] Fix ipa.service unit re. gssproxy

URL: https://github.com/freeipa/freeipa/pull/508
Title: #508: Fix ipa.service unit re. gssproxy

simo5 commented:
"""
Should we also change the Requires on network.target? Do we really want to have a restart of IPA if someone restarts the network?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/508#issuecomment-282756694

From freeipa-github-notification at redhat.com Mon Feb 27 15:45:47 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Mon, 27 Feb 2017 16:45:47 +0100
Subject: [Freeipa-devel] [freeipa PR#508][comment] Fix ipa.service unit re. gssproxy

URL: https://github.com/freeipa/freeipa/pull/508
Title: #508: Fix ipa.service unit re. gssproxy

abbra commented:
"""
Good point. I think we shouldn't restart ourselves as we anyway are listening on all interfaces with 0.0.0.0.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/508#issuecomment-282757529

From freeipa-github-notification at redhat.com Mon Feb 27 15:46:33 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 27 Feb 2017 16:46:33 +0100
Subject: [Freeipa-devel] [freeipa PR#511][-ack] Bump required version of gssproxy to 0.6.2

URL: https://github.com/freeipa/freeipa/pull/511
Title: #511: Bump required version of gssproxy to 0.6.2

Label: -ack

From freeipa-github-notification at redhat.com Mon Feb 27 15:46:52 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 27 Feb 2017 16:46:52 +0100
Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2

URL: https://github.com/freeipa/freeipa/pull/511
Title: #511: Bump required version of gssproxy to 0.6.2

stlaz commented:
"""
There's going to be 0.6.3 version fixing some more issues.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-282757858

From freeipa-github-notification at redhat.com Mon Feb 27 15:54:04 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Mon, 27 Feb 2017 16:54:04 +0100
Subject: [Freeipa-devel] [freeipa PR#514][opened] Limit sessions to 30 minutes by default

URL: https://github.com/freeipa/freeipa/pull/514
Author: simo5
Title: #514: Limit sessions to 30 minutes by default
Action: opened

PR body:
"""
When we changed the session handling code we unintentionally extended sessions expiration time to the whole ticket lifetime of 24h.

Related to https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/514/head:pr514
git checkout pr514

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-514.patch
Type: text/x-diff
Size: 915 bytes

From freeipa-github-notification at redhat.com Mon Feb 27 15:57:47 2017
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Mon, 27 Feb 2017 16:57:47 +0100
Subject: [Freeipa-devel] [freeipa PR#508][comment] Fix ipa.service unit re. gssproxy

URL: https://github.com/freeipa/freeipa/pull/508
Title: #508: Fix ipa.service unit re. gssproxy

flo-renaud commented:
"""
@simo5 @abbra I agree but this should be tracked in a separate issue.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/508#issuecomment-282761362

From rcritten at redhat.com Mon Feb 27 16:10:18 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 27 Feb 2017 11:10:18 -0500
Subject: [Freeipa-devel] python-pyasn1 updated in F-25/rawhide
Message-ID: <7ae7275e-cfce-3a9a-3360-8157235c4e6b@redhat.com>

Rawhide has an updated python-pyasn1, v0.2.3, and F-25 will soon have it in updates-testing. It worked in my limited testing in IPA.

It is primarily a performance release but includes some fixes from 0.2.2 which I never pushed into Fedora.

rob

From freeipa-github-notification at redhat.com Mon Feb 27 16:14:56 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 27 Feb 2017 17:14:56 +0100
Subject: [Freeipa-devel] [freeipa PR#479][comment] Merge AD trust installer into composite ones

URL: https://github.com/freeipa/freeipa/pull/479
Title: #479: Merge AD trust installer into composite ones

martbab commented:
"""
@abbra I think that I am confused by the way sidgen plugin works. During LDAP configuration I can see that sidgen/extdom plugins are activated. e.g:

```
...
  [43/47]: enabling compatibility plugin
  [44/47]: activating sidgen plugin
  [45/47]: activating extdom plugin
...
```

Yet unless I install AD trust related bits, there are no SIDs generated on entries I add (user or groups). When the AD trust installer is run, I see that the sidgen task is activated:

```
...
  [13/21]: activating sidgen task
  [14/21]: configuring smbd to start on boot
...
```

The admin user now has a SID added by the installer, yet the existing POSIX groups (editors) have no SIDs associated with them, only the new user I add afterwards.

Do we have documentation about the semantics of different sidgen-related operations somewhere? If not, can you please explain the behavior I am seeing here?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/479#issuecomment-282766662

From freeipa-github-notification at redhat.com Mon Feb 27 16:18:16 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 27 Feb 2017 17:18:16 +0100
Subject: [Freeipa-devel] [freeipa PR#515][opened] Re-add ipapython.config.config for backwards compatibilty

URL: https://github.com/freeipa/freeipa/pull/515
Author: tiran
Title: #515: Re-add ipapython.config.config for backwards compatibilty
Action: opened

PR body:
"""
IPAConfig, config and init_config were removed in rev 7b966e85. Ipsilon uses ipapython.config to get realm, domain and server of an enrolled host. Re-add a simplified version that reads settings from api.env. init_config() does not perform DNS discovery.

Depends on PR #492 to get meaningful defaults.

https://fedorahosted.org/freeipa/ticket/6707

Signed-off-by: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/515/head:pr515
git checkout pr515

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-515.patch
Type: text/x-diff
Size: 3636 bytes

From freeipa-github-notification at redhat.com Mon Feb 27 16:22:57 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 27 Feb 2017 17:22:57 +0100
Subject: [Freeipa-devel] [freeipa PR#514][comment] Limit sessions to 30 minutes by default

URL: https://github.com/freeipa/freeipa/pull/514
Title: #514: Limit sessions to 30 minutes by default

tiran commented:
"""
Would it make sense to add https://httpd.apache.org/docs/trunk/mod/mod_session.html#sessionexpiryupdateinterval and set it to a small value like 30 seconds?

> The SessionExpiryUpdateInterval directive allows sessions to avoid the cost associated with writing the session each request when only the expiry time has changed. This can be used to make a website more efficient or reduce load on a database when using mod_session_dbd.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/514#issuecomment-282769334

From freeipa-github-notification at redhat.com Mon Feb 27 16:27:41 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Mon, 27 Feb 2017 17:27:41 +0100
Subject: [Freeipa-devel] [freeipa PR#508][comment] Fix ipa.service unit re. gssproxy

URL: https://github.com/freeipa/freeipa/pull/508
Title: #508: Fix ipa.service unit re. gssproxy

simo5 commented:
"""
Seemed worth fixing at the same time, but I won't insist.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/508#issuecomment-282770785

From freeipa-github-notification at redhat.com Mon Feb 27 16:28:43 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Mon, 27 Feb 2017 17:28:43 +0100
Subject: [Freeipa-devel] [freeipa PR#514][comment] Limit sessions to 30 minutes by default

URL: https://github.com/freeipa/freeipa/pull/514
Title: #514: Limit sessions to 30 minutes by default

simo5 commented:
"""
No, we do not store sessions in a session db, so that setting is not useful to us.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/514#issuecomment-282771191

From freeipa-github-notification at redhat.com Mon Feb 27 16:32:07 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 27 Feb 2017 17:32:07 +0100
Subject: [Freeipa-devel] [freeipa PR#514][+ack] Limit sessions to 30 minutes by default

URL: https://github.com/freeipa/freeipa/pull/514
Title: #514: Limit sessions to 30 minutes by default

Label: +ack

From freeipa-github-notification at redhat.com Mon Feb 27 16:48:08 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Mon, 27 Feb 2017 17:48:08 +0100
Subject: [Freeipa-devel] [freeipa PR#479][comment] Merge AD trust installer into composite ones

URL: https://github.com/freeipa/freeipa/pull/479
Title: #479: Merge AD trust installer into composite ones

abbra commented:
"""
Unless you specified --add-sids to ipa-adtrust-install (or `add_sids=True` in ADTrustInstance.setup() call), no task would be run. 'Activating sidgen task' only adds configuration to allow the task to be run.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/479#issuecomment-282777294

From freeipa-github-notification at redhat.com Mon Feb 27 17:10:52 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 27 Feb 2017 18:10:52 +0100
Subject: [Freeipa-devel] [freeipa PR#479][comment] Merge AD trust installer into composite ones

URL: https://github.com/freeipa/freeipa/pull/479
Title: #479: Merge AD trust installer into composite ones

martbab commented:
"""
OK I will then hard-code `add_sids=True` in ipa-server-install
"""

See the full comment at https://github.com/freeipa/freeipa/pull/479#issuecomment-282784419

From freeipa-github-notification at redhat.com Mon Feb 27 17:36:25 2017
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Mon, 27 Feb 2017 18:36:25 +0100
Subject: [Freeipa-devel] [freeipa PR#400][synchronized] WebUI: Certificate Mapping

URL: https://github.com/freeipa/freeipa/pull/400
Author: pvomacka
Title: #400: WebUI: Certificate Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/400/head:pr400
git checkout pr400

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-400.patch
Type: text/x-diff
Size: 29458 bytes

From freeipa-github-notification at redhat.com Mon Feb 27 17:38:21 2017
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Mon, 27 Feb 2017 18:38:21 +0100
Subject: [Freeipa-devel] [freeipa PR#400][comment] WebUI: Certificate Mapping

URL: https://github.com/freeipa/freeipa/pull/400
Title: #400: WebUI: Certificate Mapping

pvomacka commented:
"""
Hello @flo-renaud and @pvoborni thank you for reviews, all proposed changes are done in last commits, please look at them. Thank you very much.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/400#issuecomment-282792393

From freeipa-github-notification at redhat.com Mon Feb 27 18:57:06 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Mon, 27 Feb 2017 19:57:06 +0100
Subject: [Freeipa-devel] [freeipa PR#501][edited] C compilation fixes and hardening

URL: https://github.com/freeipa/freeipa/pull/501
Author: tiran
Title: #501: C compilation fixes and hardening
Action: edited

Changed field: body
Original value:
"""
Fix "implicit declaration of function ‘strlen’" in ipa_pwd_ntlm.c, credits to Lukas.

Add -Werror=implicit-function-declaration to CFLAGS to point developers to missing includes. It causes compilation to fail when a developer forgets to add a required include. The problem is no longer hidden in a massive wall of text from make.

Silence a harmless error from 389-DS slapi.h until the bug is fixed in downstream, https://pagure.io/389-ds-base/issue/48979

Signed-off-by: Christian Heimes
"""

From freeipa-github-notification at redhat.com Tue Feb 28 02:36:52 2017
From: freeipa-github-notification at redhat.com (LiptonB)
Date: Tue, 28 Feb 2017 03:36:52 +0100
Subject: [Freeipa-devel] [freeipa PR#434][synchronized] csrgen: Automate full cert request flow

URL: https://github.com/freeipa/freeipa/pull/434
Author: LiptonB
Title: #434: csrgen: Automate full cert request flow
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/434/head:pr434
git checkout pr434

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-434.patch
Type: text/x-diff
Size: 10601 bytes

From freeipa-github-notification at redhat.com Tue Feb 28 03:29:02 2017
From: freeipa-github-notification at redhat.com (LiptonB)
Date: Tue, 28 Feb 2017 04:29:02 +0100
Subject: [Freeipa-devel] [freeipa PR#434][comment] csrgen: Automate full cert request flow

URL: https://github.com/freeipa/freeipa/pull/434
Title: #434: csrgen: Automate full cert request flow

LiptonB commented:
"""
@HonzaCholasta thanks, updated!
"""

See the full comment at https://github.com/freeipa/freeipa/pull/434#issuecomment-282931634

From freeipa-github-notification at redhat.com Tue Feb 28 07:08:48 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 28 Feb 2017 08:08:48 +0100
Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

HonzaCholasta commented:
"""
Upgrade from 4.3 fails with:
```
2017-02-28T07:07:18Z DEBUG Starting external process
2017-02-28T07:07:18Z DEBUG args=/usr/bin/pk12util -d /etc/httpd/alias -o (6, '/etc/httpd/alias/tmpFNEJrK') -n ipaCert -k /etc/httpd/alias/pwdfile.txt
2017-02-28T07:07:18Z DEBUG Process execution failed
2017-02-28T07:07:18Z DEBUG Destroyed connection context.ldap2_139873144635088
2017-02-28T07:07:18Z ERROR Upgrade failed with coercing to Unicode: need string or buffer, tuple found
2017-02-28T07:07:18Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 219, in __upgrade
    self.modified = (ld.update(self.files) or self.modified)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 911, in update
    self._run_updates(all_updates)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 883, in _run_updates
    self._run_update_plugin(update['plugin'])
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 859, in _run_update_plugin
    restart_ds, updates = self.api.Updater[plugin_name]()
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1470, in __call__
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_ra_cert_store.py", line 47, in execute
    certdb.export_pkcs12(ra_nick, p12file)
  File "/usr/lib/python2.7/site-packages/ipapython/certdb.py", line 232, in export_pkcs12
    ipautil.run(args)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 442, in run
    preexec_fn=preexec_fn)
  File "/usr/lib64/python2.7/subprocess.py", line 390, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.7/subprocess.py", line 1024, in _execute_child
    raise child_exception
TypeError: coercing to Unicode: need string or buffer, tuple found

2017-02-28T07:07:18Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 423, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 413, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 227, in __upgrade
    raise RuntimeError(e)
RuntimeError: coercing to Unicode: need string or buffer, tuple found

2017-02-28T07:07:18Z DEBUG   [error] RuntimeError: coercing to Unicode: need string or buffer, tuple found
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-282960429

From freeipa-github-notification at redhat.com Tue Feb 28 07:26:55 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 28 Feb 2017 08:26:55 +0100
Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

HonzaCholasta commented:
"""
CA-less to CA-full `ipa-ca-install` fails with:
```
2017-02-28T07:24:47Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 892, in run_script
    return_value = main_function()
  File "/sbin/ipa-ca-install", line 304, in main
    promote(safe_options, options, filename)
  File "/sbin/ipa-ca-install", line 270, in promote
    install_master(safe_options, options)
  File "/sbin/ipa-ca-install", line 235, in install_master
    ca.install(True, None, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 204, in install
    install_step_1(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 325, in install_step_1
    config_ipa=True, config_compat=True)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 410, in put_ca_cert_nss
    config_ipa, config_compat)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 233, in put_ca_cert
    config_ipa=config_ipa, config_compat=config_compat)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 160, in update_ca_cert
    subject, issuer_serial, public_key = _parse_cert(dercert)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 39, in _parse_cert
    raise ValueError("failed to decode certificate: %s" % e)

2017-02-28T07:24:47Z DEBUG The ipa-ca-install command failed, exception: ValueError: failed to decode certificate: Unable to load certificate
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-282963327

From freeipa-github-notification at redhat.com Tue Feb 28 07:45:55 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 28 Feb 2017 08:45:55 +0100
Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA
In-Reply-To: References: Message-ID:
URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

HonzaCholasta commented:
"""
`ipa-replica-install` with `--setup-ca` fails with:
```
2017-02-28T07:38:41Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 336, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 328, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in execute
    for _nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 423, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 413, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 384, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 381, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 618, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 423, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 481, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 413, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 478, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 413, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 384, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 381, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for _nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 595, in main
    replica_install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 398, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1455, in install
    ca.install(False, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 203, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 282, in install_step_0
    use_ldaps=standalone)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 423, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 413, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 289, in wrapper
    ra_cert_retrieval(cls, *args)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 729, in __import_ra_key
    custodia.import_ra_key(self.master_host)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 119, in import_ra_key
    cli.fetch_key('ra/ipaCert')
  File "/usr/lib/python2.7/site-packages/ipaserver/secrets/client.py", line 100, in fetch_key
    r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 844, in raise_for_status
    raise HTTPError(http_error_msg, response=self)

2017-02-28T07:38:41Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 404 Client Error: Not Found for url: https://vm-226.abc.idm.lab.eng.brq.redhat.com/ipa/keys/ra/ipaCert?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.UbDCRVumiqN3YDwxdfHGvkzDakB0Isbq3dTZ9tMVe5NK_wuvGmtBYGUfO46IQmBsqto0N28WJUcselfuY8Q3uSOEPb0HximzbmnJm-S1TrF9KMsHgozwhNjXDAXapXSmiFqyKiTPAvxLzx0OKq052oIbnUsprk3s6R_mQ5AWrP52DsVqM9EovOHa6RM3t4xasamhJ_at1eR647TGqS8pamulRkSilK-kxyPQnN7Rphz_cyr0yIlG93xnfQTsCJ9WcodWmVPrPgP3PvKh8OaINHqUsfT-gUR0IR3hXkN5slAYSxOdmNYwLVR-wtc6Yh3jf4LpRgbHhfmuNx8rTU3nuw.-xfhG2UGKLBU7D6UzO4d5g.zG5YCUsskbqiYRYEFGqDwbx0JghL2Yo-oioFM8KBVoxvfVNtrUzN96TU-aQn08WXS2GFvAdXo7-EpOMtrFwPEGiWfXhLDjYAhVCAmu69YYjptCDokSEY8PK1HtUJanVTb0LtcPlp78yNyM-ZGC42-PfMiiG66rlWMMpWtAWPHugxDa8EcV8AlTFdqtqFHwzRYxISXUbuiwGD_h8pht2irYGdSeJ6Aa6Fwk54ZQdQshb24njjBt-MIrgy1YKlTkF4nPhuPhH0o70IWFoQSQ24R7GVfofMc3xnoUCtPlv-QLnaOucnvCDZPUBx33JGRJP5Y7Acpp_MJTkWqmSWvmXlhNouWXtpe3oTakKNYqqurNieJtHaGmIyuyn0yzQcv4w1re8aEn9Zv2TIZvSfq5qxMqUvlhiyhej6ZCRQ1FdLaslPbFuullik95Ik-pF7BBtvn3d5LKnZJgYnQg2n3yzi73zdMdync_rovg5abmWKLAM_SrRVgeoJ9-TQrJ18HvuViIoz1n14-TQyGKaw8hsbNGJZE0vrPx0gVTl4-HJK9PLP8M1jUylSxtVRC-Xv1bny4LkLQotJuV0wbZDKHg77gk3xolAUAZ6ZrWD8xUVprdJlYW423NYyX_t-2-c6HUQBlmZqkv_lYrgaZ5WZ5mw2U1MwVxf_KU6SnwYM3kPQm3a13KkeoK9IdmnZv3YAvrKOjtekmUwCjaItX74FAg2IJA.eoL7I4gO67k_Ejt9ttgKFnw29RC3Uzz1Ykn6-mA4DsM
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-282966570

From freeipa-github-notification at redhat.com Tue Feb 28 08:56:27 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 28 Feb 2017 09:56:27 +0100
Subject: [Freeipa-devel] [freeipa PR#434][+ack] csrgen: Automate full cert request flow
In-Reply-To: References: Message-ID:
URL: https://github.com/freeipa/freeipa/pull/434
Title: #434: csrgen: Automate full cert request flow
Label: +ack

From freeipa-github-notification at redhat.com Tue Feb 28 08:56:53 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 28 Feb 2017 09:56:53 +0100
Subject: [Freeipa-devel] [freeipa PR#434][closed] csrgen: Automate full cert request flow
In-Reply-To: References: Message-ID:
URL: https://github.com/freeipa/freeipa/pull/434
Author: LiptonB
Title: #434: csrgen: Automate full cert request flow
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/434/head:pr434
git checkout pr434

From freeipa-github-notification at redhat.com Tue Feb 28 08:56:54 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 28 Feb 2017 09:56:54 +0100
Subject: [Freeipa-devel] [freeipa PR#434][comment] csrgen: Automate full cert request flow
In-Reply-To: References: Message-ID:
URL: https://github.com/freeipa/freeipa/pull/434
Title: #434: csrgen: Automate full cert request flow

HonzaCholasta commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/39a5d9c5aae77687f67d9be02457733bdfb99ead
https://fedorahosted.org/freeipa/changeset/4350dcdea22fd2284836315d0ae7d38733a7620e
https://fedorahosted.org/freeipa/changeset/ada91c20588046bb147fc701718d3da4d2c080ca
"""

See the full comment at https://github.com/freeipa/freeipa/pull/434#issuecomment-282980759

From freeipa-github-notification at redhat.com Tue Feb 28 08:56:56 2017
From: freeipa-github-notification at redhat.com (HonzaCholasta)
Date: Tue, 28 Feb 2017 09:56:56 +0100
Subject: [Freeipa-devel] [freeipa PR#434][+pushed] csrgen: Automate full cert request flow
In-Reply-To: References: Message-ID:
URL: https://github.com/freeipa/freeipa/pull/434
Title: #434: csrgen: Automate full cert request flow
Label: +pushed

From freeipa-github-notification at redhat.com Tue Feb 28 09:07:45 2017
From: freeipa-github-notification at redhat.com (dkupka)
Date: Tue, 28 Feb 2017 10:07:45 +0100
Subject: [Freeipa-devel] [freeipa PR#488][comment] Speed up client schema cache
In-Reply-To: References: Message-ID:
URL: https://github.com/freeipa/freeipa/pull/488
Title: #488: Speed up client schema cache

dkupka commented:
"""
@tiran Currently the file is first copied into BytesIO and then all reading is done from it. Your modification IMO supersedes the need for the BytesIO copy because everything is read into memory at once. Could you remove it?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/488#issuecomment-282983152

From freeipa-github-notification at redhat.com Tue Feb 28 09:34:46 2017
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Tue, 28 Feb 2017 10:34:46 +0100
Subject: [Freeipa-devel] [freeipa PR#400][comment] WebUI: Certificate Mapping
In-Reply-To: References: Message-ID:
URL: https://github.com/freeipa/freeipa/pull/400
Title: #400: WebUI: Certificate Mapping

flo-renaud commented:
"""
Hi @pvomacka

Thank you for the updated PR. I probably wrongly advised you to replace 'usercertificate' with 'certificate' in one extra place where it was not needed, because now the "Certificates" field of the user details page no longer displays the full certificates. My bad...

Apart from that, everything works as expected. Thanks!
"""

See the full comment at https://github.com/freeipa/freeipa/pull/400#issuecomment-282989454

From freeipa-github-notification at redhat.com Tue Feb 28 09:43:14 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 28 Feb 2017 10:43:14 +0100
Subject: [Freeipa-devel] [freeipa PR#488][synchronized] Speed up client schema cache
In-Reply-To: References: Message-ID:
URL: https://github.com/freeipa/freeipa/pull/488
Author: tiran
Title: #488: Speed up client schema cache
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/488/head:pr488
git checkout pr488

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-pr-488.patch Type: text/x-diff Size: 6950 bytes Desc: not available URL:

From freeipa-github-notification at redhat.com Tue Feb 28 09:44:19 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 28 Feb 2017 10:44:19 +0100
Subject: [Freeipa-devel] [freeipa PR#488][comment] Speed up client schema cache
In-Reply-To: References: Message-ID:
URL: https://github.com/freeipa/freeipa/pull/488
Title: #488: Speed up client schema cache

tiran commented:
"""
@dkupka Makes sense, I dropped the temporary buffer and replaced the file locking logic with tempfile + os.rename.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/488#issuecomment-282991714

From freeipa-github-notification at redhat.com Tue Feb 28 09:49:21 2017
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Tue, 28 Feb 2017 10:49:21 +0100
Subject: [Freeipa-devel] [freeipa PR#516][opened] IdM Server: list all Employees with matching Smart Card
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/516
Author: flo-renaud
Title: #516: IdM Server: list all Employees with matching Smart Card
Action: opened

PR body:
"""
Implement a new IPA command to retrieve the list of users matching the provided certificate. The command uses the SSSD D-Bus interface, thus including users from the IPA domain and from trusted domains. This requires the sssd-dbus package to be installed on the IPA server.

https://fedorahosted.org/freeipa/ticket/6646
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/516/head:pr516
git checkout pr516

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-pr-516.patch Type: text/x-diff Size: 60503 bytes Desc: not available URL:

From freeipa-github-notification at redhat.com Tue Feb 28 09:51:01 2017
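The schema-cache pattern dkupka and tiran settle on in the PR#488 comments above (read the cache file into memory in one go instead of through a BytesIO copy, and replace file locking with a temporary file plus rename) is shown below as an added example. It is not FreeIPA's code: the function names, the `.schema-cache-` temporary-file prefix and the zlib-compressed JSON encoding are assumptions chosen for the illustration, and `os.replace()` stands in for the `os.rename()` tiran mentions because it behaves the same on POSIX and also overwrites on Windows.

```python
"""Atomic replacement of a cache file with tempfile + rename (added example).

Why rename instead of locking: a reader that opens the cache while another
process is rewriting it must never see a truncated or half-written file.
Writing to a temporary file in the same directory and then renaming it over
the old name gives every reader either the complete old file or the complete
new file, with no lock to acquire, leak, or forget. (Assumed names throughout.)
"""
import json
import os
import tempfile
import zlib

TMP_PREFIX = ".schema-cache-"  # assumption: prefix for in-progress writes


def encode_schema(schema):
    """Serialise a schema dict as zlib-compressed JSON (assumed cache format)."""
    return zlib.compress(json.dumps(schema, sort_keys=True).encode("utf-8"))


def decode_schema(blob):
    """Inverse of encode_schema; raises on truncated or corrupt input."""
    return json.loads(zlib.decompress(blob).decode("utf-8"))


def write_cache_atomically(path, payload):
    """Write `payload` (bytes) so that `path` is replaced in a single step.

    mkstemp() creates the temporary file with mode 0600 in the cache's own
    directory, so the final os.replace() is a same-filesystem rename, which
    POSIX guarantees to be atomic. The old cache survives any failure.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(prefix=TMP_PREFIX, dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(payload)
            f.flush()
            os.fsync(f.fileno())  # data is durable before the rename exposes it
        os.replace(tmp_path, path)
    except BaseException:
        # Any failure (bad payload, full disk, ...) leaves `path` untouched;
        # only the temporary file has to be cleaned up.
        try:
            os.unlink(tmp_path)
        except OSError:
            pass
        raise


def read_cache(path):
    """Read the whole cache at once; no intermediate buffer is needed."""
    with open(path, "rb") as f:
        return decode_schema(f.read())


def update_schema_cache(path, schema):
    """Replace the on-disk cache with `schema` and return what a reader sees."""
    write_cache_atomically(path, encode_schema(schema))
    return read_cache(path)


def stray_temp_files(path):
    """Temporary files left behind next to `path` (should always be empty)."""
    directory = os.path.dirname(os.path.abspath(path))
    return sorted(n for n in os.listdir(directory) if n.startswith(TMP_PREFIX))


def failed_write_keeps_old_cache(path):
    """Attempt a write that fails mid-way; return (cache content, leftovers)."""
    try:
        write_cache_atomically(path, "not bytes")  # TypeError inside write()
    except TypeError:
        pass
    return read_cache(path), stray_temp_files(path)


def make_cache_path():
    """Scratch directory plus cache path for the demo (constructed, not real)."""
    return os.path.join(tempfile.mkdtemp(prefix="schema-cache-demo-"), "schema")


if __name__ == "__main__":
    cache = make_cache_path()
    print(update_schema_cache(cache, {"version": 1, "commands": ["user_show"]}))
    print(failed_write_keeps_old_cache(cache))
```

The temporary file must be created in the same directory as the target: a rename across filesystems is not atomic (it becomes a copy plus delete), and mkstemp's private 0600 mode is what keeps other local users from reading a cache that describes the server's API surface while it is being written.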
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Tue, 28 Feb 2017 10:51:01 +0100
Subject: [Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card
In-Reply-To: References: Message-ID:
URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

flo-renaud commented:
"""
Note: this PR is work in progress. It requires PR#398 Support for Certificate Identity Mapping and sssd patches not pushed yet.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-282993240

From freeipa-github-notification at redhat.com Tue Feb 28 10:34:53 2017
From: freeipa-github-notification at redhat.com (abbra)
Date: Tue, 28 Feb 2017 11:34:53 +0100
Subject: [Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card
In-Reply-To: References: Message-ID:
URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

abbra commented:
"""
One thing I don't like is that SELinux policy requirements aren't mentioned. To allow the ipaapi user to talk to the SSSD D-Bus interface, you have to have a policy that allows this.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-283003886

From pvoborni at redhat.com Tue Feb 28 11:00:12 2017
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 28 Feb 2017 12:00:12 +0100
Subject: [Freeipa-devel] Migration of FreeIPA issue tracker - Trac and git repo to pagure.io
In-Reply-To: References: Message-ID:

On 02/27/2017 12:46 PM, Petr Vobornik wrote:
> Hello list,
>
> today and tomorrow a migration of FreeIPA issue tracker[1] and git repo
> will take place.
>
> It is due to FedoraHosted sunset [2]. Both will be migrated to pagure.io
> [3].
>
> During this migration it won't be possible to add new tickets and
> comments to Trac or Pagure.
>
> [1] https://fedorahosted.org/freeipa/
> [2] https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/
> [3] https://pagure.io/
>
> Thank you for understanding,

Issue tracker and git repo were migrated. They can be used now.

https://pagure.io/freeipa

Additional steps will follow
- redirection of old URLs to new
- sync with github

--
Petr Vobornik
Associate Manager, Engineering, Identity Management
Red Hat, Inc.

From pvoborni at redhat.com Tue Feb 28 11:03:34 2017
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 28 Feb 2017 12:03:34 +0100
Subject: [Freeipa-devel] Migration of FreeIPA issue tracker - Trac and git repo to pagure.io
In-Reply-To: References: Message-ID: <02a8b922-498d-dcdc-d946-66f57966c4eb@redhat.com>

On 02/28/2017 12:00 PM, Petr Vobornik wrote:
> On 02/27/2017 12:46 PM, Petr Vobornik wrote:
>> Hello list,
>>
>> today and tomorrow a migration of FreeIPA issue tracker[1] and git repo
>> will take place.
>>
>> It is due to FedoraHosted sunset [2]. Both will be migrated to pagure.io
>> [3].
>>
>> During this migration it won't be possible to add new tickets and
>> comments to Trac or Pagure.
>>
>> [1] https://fedorahosted.org/freeipa/
>> [2]
>> https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/
>> [3] https://pagure.io/
>>
>> Thank you for understanding,
>
> Issue tracker and git repo were migrated. They can be used now.
>
> https://pagure.io/freeipa
>
> Additional steps will follow
> - redirection of old URLs to new
> - sync with github
>

Also we need to setup rights for the repo.

I've created group 'freeipa'. My proposal is to add all people who had git commit rights to the group. Set the group to have 'commit' right on 'freeipa' pagure project.

Former admins can be added as admins to the project directly.

Martin2 is working on setting up sync with Git Hub:
- https://pagure.io/fedora-infrastructure/issue/5844

--
Petr Vobornik

From freeipa-github-notification at redhat.com Tue Feb 28 11:14:39 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 28 Feb 2017 12:14:39 +0100
Subject: [Freeipa-devel] [freeipa PR#517][opened] [WIP] Use Custodia 0.3 features
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/517
Author: tiran
Title: #517: [WIP] Use Custodia 0.3 features
Action: opened

PR body:
"""
* Use sd-notify in ipa-custodia.service
* Introduce libexec/ipa/ipa-custodia script. It comes with the correct default setting for IPA's config file. The new file also makes it simpler to run IPA's custodia instance with its own SELinux context.

Signed-off-by: Christian Heimes

PR depends on new custodia release.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/517/head:pr517
git checkout pr517

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-pr-517.patch Type: text/x-diff Size: 5424 bytes Desc: not available URL:

From mbasti at redhat.com Tue Feb 28 11:17:40 2017
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 28 Feb 2017 12:17:40 +0100
Subject: [Freeipa-devel] Migration of FreeIPA issue tracker - Trac and git repo to pagure.io
In-Reply-To: <02a8b922-498d-dcdc-d946-66f57966c4eb@redhat.com>
References: <02a8b922-498d-dcdc-d946-66f57966c4eb@redhat.com>
Message-ID: <1462262e-b920-5e61-156f-80b7dcc26699@redhat.com>

On 28.02.2017 12:03, Petr Vobornik wrote:
> On 02/28/2017 12:00 PM, Petr Vobornik wrote:
>> On 02/27/2017 12:46 PM, Petr Vobornik wrote:
>>> Hello list,
>>>
>>> today and tomorrow a migration of FreeIPA issue tracker[1] and git repo
>>> will take place.
>>>
>>> It is due to FedoraHosted sunset [2]. Both will be migrated to
>>> pagure.io
>>> [3].
>>>
>>> During this migration it won't be possible to add new tickets and
>>> comments to Trac or Pagure.
>>>
>>> [1] https://fedorahosted.org/freeipa/
>>> [2]
>>> https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/
>>> [3] https://pagure.io/
>>>
>>> Thank you for understanding,
>>
>> Issue tracker and git repo were migrated. They can be used now.
>>
>> https://pagure.io/freeipa
>>
>> Additional steps will follow
>> - redirection of old URLs to new
>> - sync with github
>>
>
> Also we need to setup rights for the repo.
>
> I've created group 'freeipa'. My proposal is to add all people who had
> git commit rights to the group. Set the group to have 'commit' right
> on 'freeipa' pagure project.
>
> Former admins can be added as admins to the project directly.
>
> Martin2 is working on setting up sync with Git Hub:
> - https://pagure.io/fedora-infrastructure/issue/5844
>

and https://pagure.io/fedora-infrastructure/issue/5845

Please do NOT push to the old repository. Users of ipatool, change your repositories to pagure; it would be good to postpone pushing until mirroring to github is enabled.

Martin^2

From lslebodn at redhat.com Tue Feb 28 11:38:36 2017
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Tue, 28 Feb 2017 12:38:36 +0100
Subject: [Freeipa-devel] Migration of FreeIPA issue tracker - Trac and git repo to pagure.io
In-Reply-To: <1462262e-b920-5e61-156f-80b7dcc26699@redhat.com>
References: <02a8b922-498d-dcdc-d946-66f57966c4eb@redhat.com> <1462262e-b920-5e61-156f-80b7dcc26699@redhat.com>
Message-ID: <20170228113836.GB26011@10.4.128.1>

On (28/02/17 12:17), Martin Basti wrote:
>
>
>On 28.02.2017 12:03, Petr Vobornik wrote:
>> On 02/28/2017 12:00 PM, Petr Vobornik wrote:
>> > On 02/27/2017 12:46 PM, Petr Vobornik wrote:
>> > > Hello list,
>> > >
>> > > today and tomorrow a migration of FreeIPA issue tracker[1] and git repo
>> > > will take place.
>> > >
>> > > It is due to FedoraHosted sunset [2]. Both will be migrated to
>> > > pagure.io
>> > > [3].
>> > >
>> > > During this migration it won't be possible to add new tickets and
>> > > comments to Trac or Pagure.
>> > >
>> > > [1] https://fedorahosted.org/freeipa/
>> > > [2]
>> > > https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/
>> > > [3] https://pagure.io/
>> > >
>> > > Thank you for understanding,
>> >
>> > Issue tracker and git repo were migrated. They can be used now.
>> >
>> > https://pagure.io/freeipa
>> >
>> > Additional steps will follow
>> > - redirection of old URLs to new
>> > - sync with github
>> >
>>
>> Also we need to setup rights for the repo.
>>
>> I've created group 'freeipa'. My proposal is to add all people who had
>> git commit rights to the group. Set the group to have 'commit' right on
>> 'freeipa' pagure project.
>>
>> Former admins can be added as admins to the project directly.
>>
>> Martin2 is working on setting up sync with Git Hub:
>> - https://pagure.io/fedora-infrastructure/issue/5844
>>
>
>and
>
>https://pagure.io/fedora-infrastructure/issue/5845
>
>Please do NOT push to old repository, for users of ipatool change your
>repositories to pagure and would be good to postpone pushing until mirroring
>to github is enabled.
>

The best is to ask on fedora-infrastructure to chown the git repo on fedorahosted, so no one can push changes there.

LS

From mbasti at redhat.com Tue Feb 28 11:48:35 2017
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 28 Feb 2017 12:48:35 +0100
Subject: [Freeipa-devel] Migration of FreeIPA issue tracker - Trac and git repo to pagure.io
In-Reply-To: <20170228113836.GB26011@10.4.128.1>
References: <02a8b922-498d-dcdc-d946-66f57966c4eb@redhat.com> <1462262e-b920-5e61-156f-80b7dcc26699@redhat.com> <20170228113836.GB26011@10.4.128.1>
Message-ID:

On 28.02.2017 12:38, Lukas Slebodnik wrote:
> On (28/02/17 12:17), Martin Basti wrote:
>>
>> On 28.02.2017 12:03, Petr Vobornik wrote:
>>> On 02/28/2017 12:00 PM, Petr Vobornik wrote:
>>>> On 02/27/2017 12:46 PM, Petr Vobornik wrote:
>>>>> Hello list,
>>>>>
>>>>> today and tomorrow a migration of FreeIPA issue tracker[1] and git repo
>>>>> will take place.
>>>>>
>>>>> It is due to FedoraHosted sunset [2]. Both will be migrated to
>>>>> pagure.io
>>>>> [3].
>>>>>
>>>>> During this migration it won't be possible to add new tickets and
>>>>> comments to Trac or Pagure.
>>>>>
>>>>> [1] https://fedorahosted.org/freeipa/
>>>>> [2]
>>>>> https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/
>>>>> [3] https://pagure.io/
>>>>>
>>>>> Thank you for understanding,
>>>> Issue tracker and git repo were migrated. They can be used now.
>>>>
>>>> https://pagure.io/freeipa
>>>>
>>>> Additional steps will follow
>>>> - redirection of old URLs to new
>>>> - sync with github
>>>>
>>> Also we need to setup rights for the repo.
>>>
>>> I've created group 'freeipa'. My proposal is to add all people who had
>>> git commit rights to the group. Set the group to have 'commit' right on
>>> 'freeipa' pagure project.
>>>
>>> Former admins can be added as admins to the project directly.
>>>
>>> Martin2 is working on setting up sync with Git Hub:
>>> - https://pagure.io/fedora-infrastructure/issue/5844
>>>
>> and
>>
>> https://pagure.io/fedora-infrastructure/issue/5845
>>
>> Please do NOT push to old repository, for users of ipatool change your
>> repositories to pagure and would be good to postpone pushing until mirroring
>> to github is enabled.
>>
> The best is to ask on fedora-infrastructure to chown the git repo on
> fedorahosted, so no one can push changes there.
>
> LS

Petr1 has a reason why it cannot be done, something with copr IIRC

From pvoborni at redhat.com Tue Feb 28 11:59:00 2017
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 28 Feb 2017 12:59:00 +0100
Subject: [Freeipa-devel] Migration of FreeIPA issue tracker - Trac and git repo to pagure.io
In-Reply-To:
References: <02a8b922-498d-dcdc-d946-66f57966c4eb@redhat.com> <1462262e-b920-5e61-156f-80b7dcc26699@redhat.com> <20170228113836.GB26011@10.4.128.1>
Message-ID: <87897286-7856-98c1-2f59-48492003edf6@redhat.com>

On 02/28/2017 12:48 PM, Martin Basti wrote:
>
>
> On 28.02.2017 12:38, Lukas Slebodnik wrote:
>> On (28/02/17 12:17), Martin Basti wrote:
>>>
>>> On 28.02.2017 12:03, Petr Vobornik wrote:
>>>> On 02/28/2017 12:00 PM, Petr Vobornik wrote:
>>>>> On 02/27/2017 12:46 PM, Petr Vobornik wrote:
>>>>>> Hello list,
>>>>>>
>>>>>> today and tomorrow a migration of FreeIPA issue tracker[1] and git
>>>>>> repo
>>>>>> will take place.
>>>>>>
>>>>>> It is due to FedoraHosted sunset [2]. Both will be migrated to
>>>>>> pagure.io
>>>>>> [3].
>>>>>>
>>>>>> During this migration it won't be possible to add new tickets and
>>>>>> comments to Trac or Pagure.
>>>>>>
>>>>>> [1] https://fedorahosted.org/freeipa/
>>>>>> [2]
>>>>>> https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/
>>>>>>
>>>>>> [3] https://pagure.io/
>>>>>>
>>>>>> Thank you for understanding,
>>>>> Issue tracker and git repo were migrated. They can be used now.
>>>>>
>>>>> https://pagure.io/freeipa
>>>>>
>>>>> Additional steps will follow
>>>>> - redirection of old URLs to new
>>>>> - sync with github
>>>>>
>>>> Also we need to setup rights for the repo.
>>>>
>>>> I've created group 'freeipa'. My proposal is to add all people who had
>>>> git commit rights to the group. Set the group to have 'commit' right on
>>>> 'freeipa' pagure project.
>>>>
>>>> Former admins can be added as admins to the project directly.
>>>>
>>>> Martin2 is working on setting up sync with Git Hub:
>>>> - https://pagure.io/fedora-infrastructure/issue/5844
>>>>
>>> and
>>>
>>> https://pagure.io/fedora-infrastructure/issue/5845
>>>
>>> Please do NOT push to old repository, for users of ipatool change your
>>> repositories to pagure and would be good to postpone pushing until
>>> mirroring
>>> to github is enabled.
>>>
>> The best is to ask on fedora-infrastructure to chown the git repo on
>> fedorahosted, so no one can push changes there.
>>
>> LS
>
> Petr1 has a reason why it cannot be done, something with copr IIRC
>

It's something different. My solution was to remove people from the gitfreeipa group so they won't be able to push, but that would also remove the rights to add packages to our COPR repository.

But IMO, until the sync with github is working, we should allow pushing to fedorahosted, but only in a 'sync' way: pull from pagure, push to fedorahosted

--
Petr Vobornik
Associate Manager, Engineering, Identity Management
Red Hat, Inc.

From mbabinsk at redhat.com Tue Feb 28 12:29:50 2017
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 28 Feb 2017 13:29:50 +0100
Subject: [Freeipa-devel] Please review: V4/AD user short names design draft
Message-ID: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com>

Hello list,

I have put together a draft of a design page describing the server-side implementation of user short name -> fully-qualified name resolution.[1]

In the end I have taken the liberty to change a few aspects of the design we have agreed on before and I will be glad if we can discuss them further.

Honza and I have discussed the object that should hold the domain resolution order and, given the fact that the IPA domain can also be a part of this list, we have decided that this information is no longer bound to trust configuration and should be a part of the global config instead.

Also we have purposefully cut down the API only to a raw manipulation of the attribute using an option of `ipa config-mod`. The reasons for this are twofold:

* the developer resources are quite scarce and it may be good to follow the YAGNI[2] principle to implement the dumbest API now and not to invest into a more high-level interface unless there is a demand for it

* we can imagine that the manipulation of the domain resolution order is a rare operation (ideally only once all trusts are established), so I am not convinced that it is worth investing into designing a higher-level API

I propose we develop the "dumber" parts first to unblock the SSSD part. If we have spare cycles afterwards then we can design and implement more bells-and-whistles.

[1] https://www.freeipa.org/page/V4/AD_User_Short_Names
[2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it

--
Martin^3 Babinsky

From freeipa-github-notification at redhat.com Tue Feb 28 12:36:21 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 28 Feb 2017 13:36:21 +0100
Subject: [Freeipa-devel] [freeipa PR#518][opened] README to README.md
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/518
Author: stlaz
Title: #518: README to README.md
Action: opened

PR body:
"""
Pagure can't cope with README very well, move to README.md in spirit of [SSSD#eed5bc53](https://pagure.io/SSSD/sssd/c/eed5bc53a0c823276523d32e76bc1c264db3837e?branch=master)
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/518/head:pr518
git checkout pr518

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-pr-518.patch Type: text/x-diff Size: 7495 bytes Desc: not available URL:

From freeipa-github-notification at redhat.com Tue Feb 28 12:39:59 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 28 Feb 2017 13:39:59 +0100
Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA
In-Reply-To: References: Message-ID:
URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-pr-367.patch Type: text/x-diff Size: 151617 bytes Desc: not available URL:

From freeipa-github-notification at redhat.com Tue Feb 28 12:40:54 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 28 Feb 2017 13:40:54 +0100
Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA
In-Reply-To: References: Message-ID:
URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

stlaz commented:
"""
The issues should hopefully be fixed
"""

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-283028836

From abokovoy at redhat.com Tue Feb 28 12:48:02 2017
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 28 Feb 2017 14:48:02 +0200
Subject: [Freeipa-devel] Please review: V4/AD user short names design draft
In-Reply-To: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com>
References: <92623f03-bb8c-9931-ff54-3024bdb3077d@redhat.com>
Message-ID: <20170228124802.krupsj2xa7fo3ewn@redhat.com>

On ti, 28 helmi 2017, Martin Babinsky wrote:
>Hello list,
>
>I have put together a draft of design page describing server-side
>implementation of user short name -> fully-qualified name
>resolution.[1]
>
>In the end I have taken the liberty to change a few aspects of the
>design we have agreed on before and I will be glad if we can discuss
>them further.
>
>Me and Honza have discussed the object that should hold the domain
>resolution order and given the fact that IPA domain can also be a part
>of this list, we have decided that this information is no longer bound
>to trust configuration and should be a part of the global config
>instead.
>
>Also we have purposefully cut down the API only to a raw manipulation
>of the attribute using an option of `ipa config-mod`. The reasons for
>this are twofold:
>
> * the developer resources are quite scarce and it may be good to
>follow YAGNI[2] principle to implement the dumbest API now and not to
>invest into more high-level interface unless there is a demand for it
>
> * we can imagine that the manipulation of the domain resolution
>order is a rare operation (ideally only once all trusts are
>established), so I am not convinced that it is worth investing into
>designing higher-level API
>
>I propose we first develop the "dumber" parts first to unblock the
>SSSD part. If we have spare cycle afterwards then we can design and
>implement more bells-and-whistles afterwards.

Looks mostly OK, but there are a few comments I have:

- I do not see you mention how validation of the ipaDomainResolutionOrder is done. This is important to avoid hard to debug issues because SSSD will ignore domains it doesn't know about.

- Space separator initially caused me to look up DNS RFCs as strictly speaking domain names can contain any 8-bit octet (while host names should follow LDH rule). But then [1] does explicitly say space is not allowed in AD domain names.

- "If ipaDomainResolutionOrder is empty then *all* users must use fully qualified names." This is not correct with regard to the current behavior. I think we should change this to "if ipaDomainResolutionOrder is empty, then standard SSSD configuration logic applies on each client." This would make current behavior compatible with either an empty ipaDomainResolutionOrder or a value of a single IPA domain name.

- There are typos in the page.

[1] https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers,-domains,-sites,-and-ous

--
/ Alexander Bokovoy

From freeipa-github-notification at redhat.com Tue Feb 28 12:53:00 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 28 Feb 2017 13:53:00 +0100
Subject: [Freeipa-devel] [freeipa PR#420][synchronized] WIP: Allow login to WebUI using Kerberos aliases/enterprise principals
In-Reply-To: References: Message-ID:
URL: https://github.com/freeipa/freeipa/pull/420
Author: martbab
Title: #420: WIP: Allow login to WebUI using Kerberos aliases/enterprise principals
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/420/head:pr420
git checkout pr420

-------------- next part --------------
A non-text attachment was scrubbed... Name: freeipa-pr-420.patch Type: text/x-diff Size: 5515 bytes Desc: not available URL:

From freeipa-github-notification at redhat.com Tue Feb 28 12:53:40 2017
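The validation Alexander asks for in his first two points, applied to the `ipaDomainResolutionOrder` global-config attribute that Martin's design email introduces, is shown below as an added example. It is not FreeIPA's code and not the design page's: it assumes the draft's space-separated representation, a caller-supplied list of the domains SSSD can actually resolve (the IPA domain plus the trusted AD forest domains), the LDH label rule for the names (stricter than raw DNS, in line with the AD naming restrictions Alexander cites), and the function names used here. Following Alexander's third point, an empty value is accepted and means "no order enforced; standard SSSD logic applies on each client".

```python
"""Validate a proposed ipaDomainResolutionOrder value (added example).

Assumptions (not from the design page): space-separated domain list, LDH
syntax for each name, and a caller-provided set of domains known to SSSD.
A domain SSSD does not know is rejected up front, because SSSD would
otherwise silently ignore it and the resolution order would not work as
the admin expects, which is exactly the hard-to-debug failure the thread
warns about.
"""
import re

# One DNS label under the LDH rule: letters, digits and hyphen, no leading or
# trailing hyphen, at most 63 characters.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample of domains an IPA server with one AD trust might know.
DEMO_KNOWN_DOMAINS = ["ipa.example.test", "ad.example.test", "child.ad.example.test"]


def is_ldh_domain(name):
    """True if `name` is a syntactically valid LDH domain name."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def validate_domain_resolution_order(value, known_domains):
    """Return the normalised list of domains in `value`, or raise ValueError.

    known_domains: every domain SSSD on the clients can resolve (IPA domain
    and trusted domains). An empty or None value returns [] and is valid:
    it leaves the clients with their standard SSSD configuration.
    """
    if value is None or not value.strip():
        return []
    known = {d.lower().rstrip(".") for d in known_domains}
    ordered = []
    for raw in value.split():  # space separator, as in the draft (assumption)
        dom = raw.lower().rstrip(".")  # case-insensitive, ignore trailing dot
        if not is_ldh_domain(dom):
            raise ValueError("invalid domain name in resolution order: %r" % raw)
        if dom not in known:
            raise ValueError(
                "unknown domain in resolution order: %r "
                "(SSSD would silently ignore it)" % raw)
        if dom in ordered:
            raise ValueError("duplicate domain in resolution order: %r" % raw)
        ordered.append(dom)
    return ordered


def resolution_order_error(value, known_domains):
    """Validation error message for `value`, or None when it is acceptable."""
    try:
        validate_domain_resolution_order(value, known_domains)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for candidate in ("", "AD.example.test ipa.example.test",
                      "other.example.test", "ipa.example.test ipa.example.test"):
        print(repr(candidate), "->", resolution_order_error(candidate, DEMO_KNOWN_DOMAINS)
              or validate_domain_resolution_order(candidate, DEMO_KNOWN_DOMAINS))
```

The check is meant to run server-side where the attribute is written (for the draft, inside the `ipa config-mod` option handling), since that is the only place that knows both the IPA domain and the full list of trusted domains; a client-side check would have to trust whatever SSSD happens to have cached.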
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 28 Feb 2017 13:53:40 +0100
Subject: [Freeipa-devel] [freeipa PR#420][edited] Allow login to WebUI using Kerberos aliases/enterprise principals

URL: https://github.com/freeipa/freeipa/pull/420
Author: martbab
Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals
Action: edited

Changed field: title
Original value:
"""
WIP: Allow login to WebUI using Kerberos aliases/enterprise principals
"""

From freeipa-github-notification at redhat.com Tue Feb 28 12:54:20 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 28 Feb 2017 13:54:20 +0100
Subject: [Freeipa-devel] [freeipa PR#420][comment] Allow login to WebUI using Kerberos aliases/enterprise principals

URL: https://github.com/freeipa/freeipa/pull/420
Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals

martbab commented:
"""
Now that privilege separation was implemented I have rebased the PR and request a proper review of this patch.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/420#issuecomment-283031432

From freeipa-github-notification at redhat.com Tue Feb 28 13:01:52 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 28 Feb 2017 14:01:52 +0100
Subject: [Freeipa-devel] [freeipa PR#479][synchronized] Merge AD trust installer into composite ones

URL: https://github.com/freeipa/freeipa/pull/479
Author: martbab
Title: #479: Merge AD trust installer into composite ones
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/479/head:pr479
git checkout pr479

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-479.patch
Type: text/x-diff
Size: 48824 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Feb 28 13:03:22 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 28 Feb 2017 14:03:22 +0100
Subject: [Freeipa-devel] [freeipa PR#479][comment] Merge AD trust installer into composite ones

URL: https://github.com/freeipa/freeipa/pull/479
Title: #479: Merge AD trust installer into composite ones

martbab commented:
"""
I have added a commit that fixes the check for missing dependencies in composite installers.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/479#issuecomment-283033182

From freeipa-github-notification at redhat.com Tue Feb 28 13:04:15 2017
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Tue, 28 Feb 2017 14:04:15 +0100
Subject: [Freeipa-devel] [freeipa PR#519][opened] WebUI: add sizelimit:0 to cert-find

URL: https://github.com/freeipa/freeipa/pull/519
Author: pvomacka
Title: #519: WebUI: add sizelimit:0 to cert-find
Action: opened

PR body:
"""
It was not possible to get all arbitrary certificates which were added using the {user|host|service|idview}-add-cert method. Adding sizelimit:0 to this cert-find command fixes the issue. It sets sizelimit to unlimited.

https://pagure.io/freeipa/issue/6712
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/519/head:pr519
git checkout pr519

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-519.patch
Type: text/x-diff
Size: 2393 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Feb 28 13:13:23 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 28 Feb 2017 14:13:23 +0100
Subject: [Freeipa-devel] [freeipa PR#518][comment] README to README.md

URL: https://github.com/freeipa/freeipa/pull/518
Title: #518: README to README.md

stlaz commented:
"""
I stopped the Travis jobs so that it does not eat the resources for the needy.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/518#issuecomment-283035128

From freeipa-github-notification at redhat.com Tue Feb 28 13:58:30 2017
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Tue, 28 Feb 2017 14:58:30 +0100
Subject: [Freeipa-devel] [freeipa PR#400][comment] WebUI: Certificate Mapping

URL: https://github.com/freeipa/freeipa/pull/400
Title: #400: WebUI: Certificate Mapping

pvomacka commented:
"""
Hi @flo-renaud

Thank you for the review. The issue about certificates is different and here is the fix: https://github.com/freeipa/freeipa/pull/519
"""

See the full comment at https://github.com/freeipa/freeipa/pull/400#issuecomment-283045651

From freeipa-github-notification at redhat.com Tue Feb 28 14:33:28 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 28 Feb 2017 15:33:28 +0100
Subject: [Freeipa-devel] [freeipa PR#448][+ack] Tests: Basic coverage with tree root domain

URL: https://github.com/freeipa/freeipa/pull/448
Title: #448: Tests: Basic coverage with tree root domain

Label: +ack

From freeipa-github-notification at redhat.com Tue Feb 28 14:33:30 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 28 Feb 2017 15:33:30 +0100
Subject: [Freeipa-devel] [freeipa PR#448][comment] Tests: Basic coverage with tree root domain

URL: https://github.com/freeipa/freeipa/pull/448
Title: #448: Tests: Basic coverage with tree root domain

martbab commented:
"""
The patch looks ok, let's hope that our CI will play nice with it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/448#issuecomment-283054583

From freeipa-github-notification at redhat.com Tue Feb 28 14:44:01 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 28 Feb 2017 15:44:01 +0100
Subject: [Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-367.patch
Type: text/x-diff
Size: 151617 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Feb 28 14:44:15 2017
From: freeipa-github-notification at redhat.com (gkaihorodova)
Date: Tue, 28 Feb 2017 15:44:15 +0100
Subject: [Freeipa-devel] [freeipa PR#448][comment] Tests: Basic coverage with tree root domain

URL: https://github.com/freeipa/freeipa/pull/448
Title: #448: Tests: Basic coverage with tree root domain

gkaihorodova commented:
"""
Thank you for the review. Let's hope for the best.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/448#issuecomment-283057505

From freeipa-github-notification at redhat.com Tue Feb 28 14:45:35 2017
From: freeipa-github-notification at redhat.com (stlaz)
Date: Tue, 28 Feb 2017 15:45:35 +0100
Subject: [Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

stlaz commented:
"""
Fixed another issue with CA-less to CA-full upgrade.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-283057864

From freeipa-github-notification at redhat.com Tue Feb 28 15:37:40 2017
From: freeipa-github-notification at redhat.com (redhatrises)
Date: Tue, 28 Feb 2017 16:37:40 +0100
Subject: [Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

redhatrises commented:
"""
@MartinBasti sorry for the late reply, but yes, this is a bug. If 'nsaccountlock' doesn't exist, it should return as `Account disabled = False`. I know this PR is already closed, but should we add 'nsaccountlock' on `ipa user-add`?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-283073133

From freeipa-github-notification at redhat.com Tue Feb 28 15:37:42 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 28 Feb 2017 16:37:42 +0100
Subject: [Freeipa-devel] [freeipa PR#475][comment] Add options to run only ipaclient unittests

URL: https://github.com/freeipa/freeipa/pull/475
Title: #475: Add options to run only ipaclient unittests

martbab commented:
"""
I am not a big fan of mixing filename matching and markers in this PR. I feel that using only one of those approaches is a cleaner solution, and it seems that marking all the tests and then running a subset using pytest's marker selection API looks like the easiest road.

It seems like a daunting task but it may actually be easier given that you can mark whole modules[1] or even generate markers dynamically by introspecting node IDs during test collection[2].

You can ultimately provide an option as an alias for selecting/deselecting markers as needed if you like, but the underlying implementation will be cleaner as a result.

[1] http://doc.pytest.org/en/latest/example/markers.html#marking-whole-classes-or-modules
[2] http://doc.pytest.org/en/latest/example/markers.html#automatically-adding-markers-based-on-test-names
"""

See the full comment at https://github.com/freeipa/freeipa/pull/475#issuecomment-283073142

From freeipa-github-notification at redhat.com Tue Feb 28 15:58:49 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 28 Feb 2017 16:58:49 +0100
Subject: [Freeipa-devel] [freeipa PR#475][comment] Add options to run only ipaclient unittests

URL: https://github.com/freeipa/freeipa/pull/475
Title: #475: Add options to run only ipaclient unittests

tiran commented:
"""
I'm not a big fan either. Can you come up with a better solution that does not result in import errors? Because the module marker or class markers still import the whole module. For client-only tests, ipaserver is not available. For Python packaging builds, neither ipaserver nor ipaplatform are available.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/475#issuecomment-283079924

From freeipa-github-notification at redhat.com Tue Feb 28 16:11:38 2017
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 28 Feb 2017 17:11:38 +0100
Subject: [Freeipa-devel] [freeipa PR#475][comment] Add options to run only ipaclient unittests

URL: https://github.com/freeipa/freeipa/pull/475
Title: #475: Add options to run only ipaclient unittests

martbab commented:
"""
Oh my, every time I think about something nice that should work there is some corner case that ruins it.

I guess that one way to work around it would be to keep the `try: ... except ImportError` guards in the offending modules and add skip markers like `@pytest.mark.skipif(ipaserver is None, reason="ipaserver module unavailable")` or skip whole modules.

As a side note, I really wish that our test suite would be a little less... um, special.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/475#issuecomment-283084101

From freeipa-github-notification at redhat.com Tue Feb 28 16:49:36 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 28 Feb 2017 17:49:36 +0100
Subject: [Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

MartinBasti commented:
"""
@redhatrises IMO for new users we can always create that attribute in LDAP, that should limit bad behavior. I wouldn't add it to user-add; usually you want to create an enabled user, for a disabled one you can use stage-user. I hope that activating a stage user creates this attribute in LDAP as well. However, this needs a discussion on whether it is the right approach.

BTW you can open a new PR; we shouldn't continue here.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-283096060

From freeipa-github-notification at redhat.com Tue Feb 28 16:51:15 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Tue, 28 Feb 2017 17:51:15 +0100
Subject: [Freeipa-devel] [freeipa PR#519][comment] WebUI: add sizelimit:0 to cert-find

URL: https://github.com/freeipa/freeipa/pull/519
Title: #519: WebUI: add sizelimit:0 to cert-find

pvoborni commented:
"""
LGTM
"""

See the full comment at https://github.com/freeipa/freeipa/pull/519#issuecomment-283096563

From freeipa-github-notification at redhat.com Tue Feb 28 16:56:08 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 28 Feb 2017 17:56:08 +0100
Subject: [Freeipa-devel] [freeipa PR#475][synchronized] Add options to run only ipaclient unittests

URL: https://github.com/freeipa/freeipa/pull/475
Author: tiran
Title: #475: Add options to run only ipaclient unittests
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/475/head:pr475
git checkout pr475

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-475.patch
Type: text/x-diff
Size: 14309 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Feb 28 16:56:16 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 28 Feb 2017 17:56:16 +0100
Subject: [Freeipa-devel] [freeipa PR#515][comment] Re-add ipapython.config.config for backwards compatibilty

URL: https://github.com/freeipa/freeipa/pull/515
Title: #515: Re-add ipapython.config.config for backwards compatibilty

MartinBasti commented:
"""
IIRC we agreed that there should be a warning that this is deprecated and `api.env` should be used instead.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/515#issuecomment-283098177

From freeipa-github-notification at redhat.com Tue Feb 28 16:57:40 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 28 Feb 2017 17:57:40 +0100
Subject: [Freeipa-devel] [freeipa PR#475][comment] Add options to run only ipaclient unittests

URL: https://github.com/freeipa/freeipa/pull/475
Title: #475: Add options to run only ipaclient unittests

tiran commented:
"""
I pushed an alternative approach that checks for the option and raises skip in packages. It needs some extra workaround in the integration plugin.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/475#issuecomment-283098644

From freeipa-github-notification at redhat.com Tue Feb 28 16:59:45 2017
From: freeipa-github-notification at redhat.com (puiterwijk)
Date: Tue, 28 Feb 2017 17:59:45 +0100
Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2

URL: https://github.com/freeipa/freeipa/pull/511
Title: #511: Bump required version of gssproxy to 0.6.2

puiterwijk commented:
"""
Perhaps it'd be an idea to update the ticket link in the code to https://pagure.io/freeipa/issue/6698 ?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-283099335

From freeipa-github-notification at redhat.com Tue Feb 28 17:27:03 2017
From: freeipa-github-notification at redhat.com (MartinBasti)
Date: Tue, 28 Feb 2017 18:27:03 +0100
Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2

URL: https://github.com/freeipa/freeipa/pull/511
Title: #511: Bump required version of gssproxy to 0.6.2

MartinBasti commented:
"""
@puiterwijk It shouldn't be an issue with https://pagure.io/fedora-infrastructure/issue/5845 fixed :) but yes, since this is not acked yet, the commit should be updated.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-283107213

From freeipa-github-notification at redhat.com Tue Feb 28 17:30:04 2017
From: freeipa-github-notification at redhat.com (puiterwijk)
Date: Tue, 28 Feb 2017 18:30:04 +0100
Subject: [Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2

URL: https://github.com/freeipa/freeipa/pull/511
Title: #511: Bump required version of gssproxy to 0.6.2

puiterwijk commented:
"""
@MartinBasti Yeah, I know. I just figured that since it's not merged yet, we might as well just change it :).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-283108095

From freeipa-github-notification at redhat.com Tue Feb 28 18:45:37 2017
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 28 Feb 2017 19:45:37 +0100
Subject: [Freeipa-devel] [freeipa PR#515][comment] Re-add ipapython.config.config for backwards compatibilty

URL: https://github.com/freeipa/freeipa/pull/515
Title: #515: Re-add ipapython.config.config for backwards compatibilty

tiran commented:
"""
I can add a deprecation warning after we have agreed upon a new API. What's the official way to get the values w/o requiring credentials?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/515#issuecomment-283111844

From freeipa-github-notification at redhat.com Tue Feb 28 18:50:36 2017
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 28 Feb 2017 19:50:36 +0100
Subject: [Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card

URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

simo5 commented:
"""
Why do we need to talk to SSSD to do this? Don't we have all the needed data in LDAP already?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-283115629

From freeipa-github-notification at redhat.com Tue Feb 28 18:54:04 2017
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Tue, 28 Feb 2017 19:54:04 +0100
Subject: [Freeipa-devel] [freeipa PR#520][opened] Change README to use Markdown

URL: https://github.com/freeipa/freeipa/pull/520
Author: pvoborni
Title: #520: Change README to use Markdown
Action: opened

PR body:
"""
So that it will be nicely formatted on the FreeIPA Pagure landing page.
https://pagure.io/freeipa

Some links were updated as other projects also moved to Pagure.io.

Temporary preview on: https://pagure.io/pvoborni-test
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/520/head:pr520
git checkout pr520

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-520.patch
Type: text/x-diff
Size: 6719 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Feb 28 21:00:01 2017
From: freeipa-github-notification at redhat.com (redhatrises)
Date: Tue, 28 Feb 2017 22:00:01 +0100
Subject: [Freeipa-devel] [freeipa PR#521][opened] Add nsaccountlock to user attributes when a new user is created

URL: https://github.com/freeipa/freeipa/pull/521
Author: redhatrises
Title: #521: Add nsaccountlock to user attributes when a new user is created
Action: opened

PR body:
"""
This adds the `nsaccountlock` attribute to a user upon account creation. This addresses newly created accounts; however, it does not address the issue of existing accounts. If `nsaccountlock` does not exist for a user, `ipa user-find --disabled=False` should return `Accounts disabled: False`. So, the question is how to deal with `nsaccountlock` missing in existing user accounts? I am not sure how to extend the framework to return `Accounts disabled: False` if `nsaccountlock` is NoneType.

For more info, see @MartinBasti's post-merge comments in #444
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/521/head:pr521
git checkout pr521

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-521.patch
Type: text/x-diff
Size: 872 bytes
Desc: not available

From freeipa-github-notification at redhat.com Tue Feb 28 21:00:41 2017
From: freeipa-github-notification at redhat.com (redhatrises)
Date: Tue, 28 Feb 2017 22:00:41 +0100
Subject: [Freeipa-devel] [freeipa PR#521][edited] Add nsaccountlock to user attributes when a new user is created

URL: https://github.com/freeipa/freeipa/pull/521
Author: redhatrises
Title: #521: Add nsaccountlock to user attributes when a new user is created
Action: edited

Changed field: body
Original value:
"""
This adds the `nsaccountlock` attribute to a user upon account creation. This addresses newly created accounts; however, it does not address the issue of existing accounts. If `nsaccountlock` does not exist for a user, `ipa user-find --disabled=False` should return `Accounts disabled: False`. So, the question is how to deal with `nsaccountlock` missing in existing user accounts? I am not sure how to extend the framework to return `Accounts disabled: False` if `nsaccountlock` is NoneType.

For more info, see @MartinBasti's post-merge comments in #444
"""