[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][master-next] 183 commits: VERSION.m4: Set back to git snapshot

Timo Aaltonen gitlab at salsa.debian.org
Fri Aug 3 22:30:15 BST 2018


Timo Aaltonen pushed to branch master-next at FreeIPA packaging / freeipa


Commits:
230760ff by Rob Crittenden at 2018-05-15T19:35:26Z
VERSION.m4: Set back to git snapshot

- - - - -
a0e846f5 by Rob Crittenden at 2018-05-16T15:32:29Z
Return unique error when automount is already or not configured

Use identical return codes as ipa-client-install when uninstalling
ipa-client-automount and it is not configured, or when calling
it again to return that is ias already configured.

https://pagure.io/freeipa/issue/7396

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
a0eaa742 by Rob Crittenden at 2018-05-16T15:32:29Z
Client install should handle automount unconfigured on uninstall

ipa-client-automount now returns CLIENT_NOT_CONFIGURED when it is
not configured. Handle this in uninstall().

https://pagure.io/freeipa/issue/7396

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
c61151f6 by Alexander Bokovoy at 2018-05-17T20:55:42Z
pylint3: workaround false positives reported for W1662

Pylint3 falsely reports warning W1662: using a variable that was bound
inside a comprehension for the cases where the same name is reused for a
loop after the comprehension in question.

Rename the variable in a loop to avoid it.

If the code looks like the following:

  arr = [f for f in filters if callable(f)]
  for f in arr:
      result = result + f()

pylint3 would consider 'f' used outside of comprehension. Clearly, this
is a false-positive warning as the second 'f' use is completely
independent of the comprehension's use of 'f'.

Reviewed-By: Aleksei Slaikovskii <aslaikov at redhat.com>

- - - - -
b82af698 by Aleksei Slaikovskii at 2018-05-17T22:36:33Z
Radius proxy multiservers fix

Now radius proxy plugin allows to add more then one radius server
into radius proxy but the first one from ldap response is being
parsed (you can see ./daemons/ipa-optd/parse.c).

So this kind of behaviour is a bug, as it was determined on IRC.

This patch removes possibility to add more then one radius server
into radius proxy.

Pagure: https://pagure.io/freeipa/issue/7542
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Koksharov <akokshar at redhat.com>

- - - - -
8d508b8e by Michal Reznik at 2018-05-18T10:17:54Z
ui_tests: extend test_selinuxusermap.py suite

Extend test_selinuxusermap.py suite with new test cases. Details in
the ticket.

We also modify "add_table_associations" to handle "cancel" and
"negative" in the way other methods works.

Lastly, we start using dialog_btn=None to test keyboard confirmation
as we did use it incorrectly with "Negative=True" where it was already
confirmed by "click".

Added tests:

addselinuxusermap_MLS_singlelevel
addselinuxusermap_cancel
addselinuxusermap_disabledhbacrule
addselinuxusermap_MLS_range
addselinuxusermap_MCS_range
addselinuxusermap_MCS_commas
addselinuxusermap_MLS_singlevalue
addselinuxusermap_multiple
addandeditselinuxusermap
selinuxusermap_undo
selinuxusermap_refresh
selinuxusermap_reset
selinuxusermap_update
selinuxusermap_backlink_cancel
selinuxusermap_backlink_reset
selinuxusermap_backlink_update
selinuxusermap_deletemultiple
add_user_selinuxusermap_cancel
add_host_selinuxusermap_cancel
add_hostgroup_selinuxusermap_cancel
selinuxusermap_requiredfield
selinuxusermap_duplicate
selinuxusermap_nonexistinguser
selinuxusermap_invalidusersyntaxMCS
selinuxusermap_invalidusersyntaxMLS
add_usernegative_selinuxusermap
selinuxusermap_addNegativeHBACrule
selinuxusermap_search
selinuxusermap_searchnegative
selinuxusermap_disablemultiple
selinuxusermap_enablemultiple
selinuxusermap_deleteNegativeHBACrule
add_selinuxusermap_adder_dialog_bug910463
delete_selinuxusermap_deleter_dialog_bug910463

https://pagure.io/freeipa/issue/7544

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
0959c476 by Michal Reznik at 2018-05-18T10:17:54Z
ui_tests: add click_undo_button() func

Add click_undo_button() function to simplify clicking on
particular`s field undo button/s.

https://pagure.io/freeipa/issue/7544

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
3508227f by Varun Mylaraiah at 2018-05-18T11:23:00Z
Extend WebUI test_krbpolicy suite with the following test cases: test_verifying_button (verify button's action in various scenarios) test_negative_value (verify invalid values) test_verifying_measurement_unit

https://pagure.io/freeipa/issue/7540

Signed-off-by: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>

- - - - -
3c9810e9 by Petr Čech at 2018-05-18T14:39:18Z
webui:tests: Add tests for realmd domains

This patch expands WebUI testing on realmd domains
page. The added tests are:
  test_add_single_labeled_domain
  test_dnszone_del_hooked_to_realmdomains_mod
  test_dns_reversezone_add_hooked_to_realmdomains_mod
  test_dnszone_add_hooked_to_realmdomains_mod
  test_del_domain_of_ipa_server_bug1035286
  test_add_non_dns_configured_domain_positive
  test_add_non_dns_configured_domain_negative
  test_del_domain_with_force_update
  test_del_domain_and_update
  test_del_domain_and_refresh
  test_del_domain_revert
  test_del_domain_undo_all
  test_del_domain_undo
  test_add_domain_and_update
  test_add_domain_with_trailing_space
  test_add_domain_with_leading_space
  test_add_empty_domain
  test_add_duplicate_domaini
  test_add_domain_and_revert
  test_add_domain_and_refresh
  test_add_domain_and_undo_all
  test_add_domain_and_undo
  test_add_domain_with_special_char

Reviewed-By: Felipe Volpone <felipevolpone at gmail.com>
Reviewed-By: Varun Mylaraiah <mvarun at redhat.com>

- - - - -
d4f2f53e by amitkumar50 at 2018-05-21T18:32:38Z
ipa-advise: remove plugin config-fedora-authconfig

ipa-advise config-fedora-authconfig produces a script with authconfig
instructions for configuring Fedora 18/19 client with IPA server
without use of SSSD. Fedora 18 and 19 are not supported any more,
so the plugin could be removed.

Resolves: https://pagure.io/freeipa/issue/7533
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
75e86f2f by Christian Heimes at 2018-05-22T06:39:33Z
Run PR-CI with Fedora 28

Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
e06c7566 by amitkumar50 at 2018-05-22T15:03:06Z
ipa vault-archive overwrites an existing value without warning

Upstream ticket was raised for issuing an warning message
whenever data in ipa vault is overwritten.

In Bugzilla(1339129) its agreed upon that Current behavior is consistent
with other IPA commands. None of ipa mod commands asks for confirmation
and therefore it should be the same here.
But to document, that vault can contain only one value in ipa help vault.

This PR addresses the changes agreed in Bugzilla.

Resolves: https://pagure.io/freeipa/issue/5922
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
952b45a3 by Stanislav Laznicka at 2018-05-24T07:54:26Z
Travis: ignore 'line break after binary operator'

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
1e5c3d7c by Christian Heimes at 2018-05-25T14:26:14Z
Reproducer for issue 5923 (bytes in error response)

Error response used to contain bytes instead of text, which triggered an
exception.

See: https://pagure.io/freeipa/issue/5923
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
59ea5800 by Christian Heimes at 2018-05-25T18:44:01Z
Require python-ldap >= 3.1.0

python-ldap 3.1.0 fixes a segfault caused by a reference counting bug.

See: https://pagure.io/freeipa/issue/7324
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dbc37884 by Christian Heimes at 2018-05-27T14:05:50Z
Use GnuPG 2 for symmentric encryption

The /usr/bin/gpg command is old, legacy GnuPG 1.4 version. The
recommended version is GnuPG 2 provided by /usr/bin/gpg2. For simple
symmentric encryption, gpg2 is a drop-in replacement for gpg.

Fixes: https://pagure.io/freeipa/issue/7560
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8e165480 by Christian Heimes at 2018-05-27T14:05:50Z
Use GnuPG 2 for backup/restore

ipa-backup and ipa-restore now use GnuPG 2 for asymmetric encryption, too.
The gpg2 command behaves a bit different and requires a gpg2 compatible
config directory. Therefore the --keyring option has been deprecated.

The backup and restore tools now use root's GPG keyring by default.
Custom configuration and keyring can be used by setting GNUPGHOME
environment variables.

Fixes: https://pagure.io/freeipa/issue/7560
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
45d776a7 by Rob Crittenden at 2018-05-27T14:08:21Z
Don't try to set Kerberos extradata when there is no principal

This was causing ns-slapd to segfault in the password plugin.

https://pagure.io/freeipa/issue/7561

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7c5ecb8d by Rob Crittenden at 2018-05-27T14:08:21Z
Rename test class for testing simple commands, add test

The concensus in the review was that the name test_commands was
more generic than test_ipa_cli.

Add a test to change the password for sysaccount users using
using ldappasswd to confirm that a segfault fix does not regress.

https://pagure.io/freeipa/issue/7561

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
af99032d by Florence Blanc-Renaud at 2018-05-28T19:25:47Z
ipa-server-install: publish complete cert chain in /usr/share/ipa/html/ca.crt

When IPA is installed with an externally signed CA, the master installer
does not publish the whole cert chain in /usr/share/ipa/html/ca.crt (but
/etc/ipa/ca.crt contains the full chain).

If a client is installed with a One-Time Password and without the
--ca-cert-file option, the client installer downloads the cert chain
from http://master.example.com/ipa/config/ca.crt, which is in fact
/usr/share/ipa/html/ca.crt. The client installation then fails.
Note that when the client is installed by providing admin/password,
installation succeeds because the cert chain is read from the LDAP server.

https://pagure.io/freeipa/issue/7526

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1d70ce85 by Florence Blanc-Renaud at 2018-05-28T19:25:47Z
Test for 7526

Add a test for issue 7526: install a client with a bulk enrollment
password, enrolling to an externally-signed CA master.
Without the fix, the master does not publish the whole cert chain
in /usr/share/ipa/html/ca.crt. As the client installer downloads the
cert from this location, client installation fails.
With the fix, the whole cert chain is available and client installation
succeeds.
The test_external_ca.py::TestExternalCA now requires 1 replica and 1
client, updated .freeipa-pr-ci.yaml accordingly.

Also removed the annotation @tasks.collect_logs from test_external_ca
as it messes with test ordering (and the test collects logs even
without this annotation).

Related to:
https://pagure.io/freeipa/issue/7526

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9b8bb85e by Christian Heimes at 2018-05-29T06:51:10Z
Add test case for allow-create-keytab

A ref counting bug in python-ldap caused create and retrieve keytab
feature to fail. Additional tests verify, that
ipaallowedtoperform;write_keys attribute is handled correctly.

See: https://pagure.io/freeipa/issue/7324
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9a9c8ced by Christian Heimes at 2018-05-29T13:30:37Z
Use sane default settings for ldap connections

LDAP connections no longer depend on sane settings in global ldap.conf
and use good default settings for cert validation, CA, and SASL canonization.

https://pagure.io/freeipa/issue/7418

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
829998b1 by Christian Heimes at 2018-05-29T13:30:37Z
Apply sane LDAP settings to C code

Common LDAP code from ipa-getkeytab and ipa-join are moved to libutil.a.
The common ipa_ldap_init() and ipa_tls_ssl_init() set the same options
as ldap_initialize()

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
172df673 by Christian Heimes at 2018-05-29T13:30:37Z
Refuse PORT, HOST in /etc/openldap/ldap.conf

OpenLDAP has deprecated PORT and HOST stanzes in ldap.conf. The presence
of either option causes FreeIPA installation to fail. Refuse
installation when a deprecated and unsupported option is present.

Fixes: https://pagure.io/freeipa/issue/7418
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
0030118d by Timo Aaltonen at 2018-05-29T15:03:56Z
Create kadm5.acl if it doesn't exist

kadmind doesn't start without it, and Debian doesn't ship it by default.

Fixes: https://pagure.io/freeipa/issue/7553
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
7a27651a by Timo Aaltonen at 2018-05-29T15:03:56Z
constants: Fix HTTPD_GROUP for Debian

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
a3a3d6da by Timo Aaltonen at 2018-05-29T15:03:56Z
paths: Fix some path definitions for Debian.

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
86ef31d7 by Timo Aaltonen at 2018-05-29T15:03:56Z
Add mkhomedir support for Debian

Fixes: https://pagure.io/freeipa/issue/7556
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c5ee8ae5 by Timo Aaltonen at 2018-05-29T15:03:56Z
named.conf: Disable duplicate zone on debian, and modify data dir

zone already imported via default zones.

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
ffdb20ae by Timo Aaltonen at 2018-05-29T15:03:56Z
ldapupdate: Add support for Debian multiarch

And since Fedora 28 dropped support for non-64bit, hardcode default LIBARCH as 64.

Fixes: https://pagure.io/freeipa/issue/7555
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
8c0d7bb9 by Timo Aaltonen at 2018-05-29T15:03:56Z
Fix HTTPD SSL configuration for Debian.

The site and module configs are split on Debian, server setup needs
to match that.

Fixes: https://pagure.io/freeipa/issue/7554
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
f47d86c7 by Stanislav Laznicka at 2018-05-29T15:03:56Z
Move config directives handling code

Move config directives handling code:
        ipaserver.install.installutils -> ipapython.directivesetter

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
fb16bc93 by Christian Heimes at 2018-05-30T06:18:40Z
Require JSS 4.4.4 with fix for sub CA replication

The SQL backend of NSS behaves differently than the DBM backend.
Specifically PK11_UnwrapPrivateKey generates a different CKA_ID. JSS 4.4.4
contains a workaround for broken sub CA replication.

Note: FreeIPA doesn't depend on JSS directly. The version requirement
was added to update JSS to a working version

See: https://bugzilla.redhat.com/show_bug.cgi?id=1583140
Fixes: https://pagure.io/freeipa/issue/7536
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
2256f9ef by Rob Crittenden at 2018-05-30T06:53:12Z
Validate the Directory Manager password before starting restore

The password was only indirectly validated when trying to
disable replication agreements for the restoration.

Only validate the password if the IPA configuration is available
and dirsrv is running.

https://pagure.io/freeipa/issue/7136
https://pagure.io/freeipa/issue/7535

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
59b3eb04 by Rob Crittenden at 2018-05-30T06:53:12Z
Add tests for ipa-restore with DM password validation check

ipa-restore should validate the DM password before executing
the restoration. This adds two test cases:

1. Restore with a bad DM password
2. Restore with dirsrv down so password cannot be checked

Related: https://pagure.io/freeipa/issue/7136

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
1da3eddf by Fraser Tweedale at 2018-05-30T13:09:55Z
Handle compressed responses from Dogtag

We currently accept compressed responses for some Dogtag resources,
via an 'Accept: gzip, deflate' header.  But we don't decompress the
received data.  Inspect the response Content-Encoding header and
decompress the response body according to its value.

The `gzip.decompress` function is only available on Python 3.2 or
later.  In earlier versions, it is necessary to use StringIO and
treat the compressed data as a file.  This commit avoids this
complexity.  Therefore it should only be included in Python 3 based
releases.

Fixes: https://pagure.io/freeipa/issue/7563
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0a87de5e by Christian Heimes at 2018-05-30T13:09:55Z
Backport gzip.decompress for Python 2

Python 2 doesn't have gzip.decompress(data: bytes) -> bytes function.
Backport the two line function from Python 3.6.

Fixes: https://pagure.io/freeipa/issue/7563
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
4274b361 by Mohammad Rizwan Yusuf at 2018-05-31T10:18:34Z
Test to check second replica installation after master restore

When master is restored from backup and replica1 is re-initialize,
second replica installation was failing. The issue was with ipa-backup
tool which was not backing up the /etc/ipa/custodia/custodia.conf and
/etc/ipa/custodia/server.keys.

    related ticket: https://pagure.io/freeipa/issue/7247

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
3e4b9cd9 by Pavel Picka at 2018-05-31T11:05:05Z
Adding WebUI Host test cases

Added test cases due to downstream test cases
- negative input
- ssh keys
- csr
- otp
- filter
- buttons

https://pagure.io/freeipa/issue/7550

Signed-off-by: Pavel Picka <ppicka at redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
a2e8d989 by Robbie Harwood at 2018-05-31T15:53:25Z
Fix elements not being removed in otpd_queue_pop_msgid()

If the element being removed were not the queue head,
otpd_queue_pop_msgid() would not actually remove the element, leading
to potential double frees and request replays.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
cf25823e by Christian Heimes at 2018-05-31T18:12:49Z
Print version string in installer

The server, replica, and client installer now print the current version
number on the console, before the actual installer starts. It makes it
easier to debug problems with failed installations. Users typically post
the console output in a ticket.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
816daf93 by Fraser Tweedale at 2018-06-01T13:40:33Z
Add missing space in error string

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3927b0e7 by Mohammad Rizwan Yusuf at 2018-06-01T13:42:32Z
Extended UI test for selfservice permission.

Follwoing scenario added:
 - test_add_all_attr
 - test_add_and_add_another
 - test_add_and_edit
 - test_add_and_cancel
 - test_add_permission_undo
 - test_add_permission_reset
 - test_permission_negative
 - test_del_multiple_permission
 - test_permission_using_enter_key
 - test_reset_sshkey_permsission

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
326fd6a7 by amitkuma at 2018-06-05T18:01:11Z
Match Common Name attribute in Subject

ipa cert_find command has an option called --subject.
The option is documented as --subject=STR Subject.
It is expected that a --subject option searches by X.509 subject field but it does not do so.
It searches for CN not cert subject. Hence changing content of --subject help option.

Resolves: https://pagure.io/freeipa/issue/7322
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
992a5f48 by Christian Heimes at 2018-06-05T20:34:27Z
Move client templates to separate directory

PR https://github.com/freeipa/freeipa/pull/1747 added the first template
for FreeIPA client package. The template file was added to server
templates, which broke client-only builds.

The template is now part of a new subdirectory for client package shared
data.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f03df5fe by Felipe Barreto at 2018-06-07T15:27:38Z
Adding xfail to failing tests

The tests listed below are failing and we do not have time to debug them
and understand why. Adding xfail to keep it green.

TestInstallDNSSECLast::test_disable_reenable_signing_master
TestInstallDNSSECLast::test_disable_reenable_signing_replica
TestInstallDNSSECFirst::test_chain_of_trust

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2b3eb5c5 by Rob Crittenden at 2018-06-07T16:55:01Z
Disable Schema Compat plugin during server upgrade

If this is enabled it can cause a deadlock with SSSD trying
to look up entries and it trying to get data on AD users
from SSSD.

When reading the entry from LDIF try to get the camel-case
nsslapd-pluginEnabled and fall back to the all lower-case
nsslapd-pluginenabled if that is not found. It would be nice
if the fetch function was case sensitive but this is likely
overkill as it is, but better safe than blowing up.

Upon restoring it will always write the camel-case version.

https://pagure.io/freeipa/issue/6721

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
f976f6cf by Rob Crittenden at 2018-06-08T08:49:18Z
Use replace instead of add to set new default ipaSELinuxUserMapOrder

The add was in effect replacing whatever data was already there
causing any custom order to be lost on each run of
ipa-server-upgrade.

https://pagure.io/freeipa/issue/6610

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
b1f368c6 by Michal Reznik at 2018-06-08T12:03:30Z
ui_tests: fixes for issues with sending key and focus on element

Fixes 2 issues in WebUI tests. One issue is that we are unable to
confirm a dialog by "Enter" keyboard - "actions.click()" helps
here to get focus on the page.

Second issue is probbaly related to screen resolution as we cannot
click to some of the action buttons (buttons which are having issue
varies).

https://pagure.io/freeipa/issue/7583

Reviewed-By: Pavel Picka <ppicka at redhat.com>

- - - - -
53330738 by Christian Heimes at 2018-06-10T16:33:38Z
Use one Custodia peer to retrieve all secrets

Fix 994f71ac8a1bb7ba6bc9caf0f6e4f59af44ad9c4 was incomplete. Under some
circumstancs the DM hash and CA keys were still retrieved from two different
machines.

Custodia client now uses a single remote to upload keys and download all
secrets.

Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>

- - - - -
ed52baba by Christian Heimes at 2018-06-11T06:44:18Z
Make Python 2 build dependency optional

The specfile now uses three variables to determinate how to handle
Python support.

with_python2: build python2-ipa* packages
with_python3: build python3-ipa* packages
with_default_python: use Python 3 or 2 for commands and packages

"with_default_python=3" is the default build flavor. "with_python3=0"
implies "with_default_python=2". Python 2 packages are still built on
Fedora by default.

The patch also cleans up and fixes additional issues:

* makeapi/makeaci require Python 3
* remove checks for unsupported distros like F27
* sort dependencies and remove duplicates
* remove python3-memcached dependency
* remove svrcore-devel dependency
* don't assume that gcc, make, and pkgconfig are provided by default
* fix packaging bug with ipa-test-* commands. Unversioned ipa-run-test
  were packages with Python 2 RPMs although they had a Python 3 shebang.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1565263
Fixes: https://pagure.io/freeipa/issue/7500
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
390251d3 by Christian Heimes at 2018-06-11T06:44:18Z
Always build Python 3 packages

Remove with_python3 checks and always build Python 3 packages.

Co-authored-by: Stanislav Laznicka <slaznick at redhat.com>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ec9ea73b by Aleksei Slaikovskii at 2018-06-11T08:48:40Z
Uninstall fix for named-pkcs11

Sometimes named-pkcs11 is not being stopped or reloaded during
uninstall and it causes a lot of problems while testing, for example,
backup and restore tests are failing because of ipa-server-install
fails on checking DNS step.

Fixes backup/restore tests runs. Maybe something else.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
283987c1 by Aleksei Slaikovskii at 2018-06-11T08:48:40Z
Revert "Fixing TestBackupAndRestore::test_full_backup_and_restore_with_removed_users"

This reverts commit 415578a199a221a3ed78cbf4d629c3e4ff6f39ec.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
fe70a9e6 by Rob Crittenden at 2018-06-11T10:20:48Z
Suppress missing cn=schema compat on installation

The schema compat plugin is disabled on upgrades but it is
possible that it is not configured at all and this will
produce a rather nasty looking error message.

Check to see if it is configured at all before trying to
disable it.

https://pagure.io/freeipa/issue/6610

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c74f65ef by Christian Heimes at 2018-06-11T16:02:55Z
Split external_ca PR-CI into two jobs

The external_ca job takes about 38 minutes of testing. Split the tests
into TestExternalCA (~17 minutes) and TestSelfExternalSelf +
TestExternalCAInstall (~20 minutes).

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
f5a04da9 by Stanislav Levin at 2018-06-12T06:38:56Z
Fix translation of commands description in API Browser

The command description is taken from python docstring. Thus
commands should have them and should include the callings of
gettext to be translated.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
114e46b7 by Kaleemullah Siddiqui at 2018-06-13T20:23:18Z
Test coverage for multiservers for radius proxy

Test checks that no multiservers can be added for
radius proxy

Pagure: https://pagure.io/freeipa/issue/7542
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7d12bbb9 by Christian Heimes at 2018-06-14T07:04:06Z
Use python3-lesscpy 0.13.0

Require python-lesscpy 0.13. with Python 3 fix and use py3-lesscpy to
compile ipa.css.

python2-lesscpy was the last Python 2 dependency.

Fixes: https://pagure.io/freeipa/issue/7585
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
907e1649 by Christian Heimes at 2018-06-15T06:30:55Z
Fedora 29 renamed fedora-domainname.service

In Fedora 29, the fedora-domainname.service has been renamed to
nis-domainname.service like on RHEL. The ipaplatform service module for
Fedora now only renames the service, when it detects the presence of
fedora-domainname.service.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1588192
Fixes: https://pagure.io/freeipa/issue/7582
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f1d5ab3a by Christian Heimes at 2018-06-15T11:02:53Z
Increase WSGI process count to 5 on 64bit

Increase the WSGI daemon worker process count from 2 processes to 5
processes. This allows IPA RPC to handle more parallel requests. The
additional processes increase memory consumption by approximante 250 MB
in total.

Since memory is scarce on 32bit platforms, only 64bit platforms are
bumped to 5 workers.

Fixes: https://pagure.io/freeipa/issue/7587
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4f4835a7 by Anuja More at 2018-06-18T12:53:32Z
Test for ipa-replica-install fails with PIN error for CA-less env.

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Aleksei Slaikovskii <aslaikov at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
eda831db by Florence Blanc-Renaud at 2018-06-19T06:51:02Z
Installer: configure authselect with-sudo

authselect needs to be configured with the 'with-sudo' feature (except
when ipa-client-install is called with the option --no-sudo).

https://pagure.io/freeipa/issue/7562

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f90e137a by Christian Heimes at 2018-06-19T06:56:46Z
Sort and shuffle SRV record by priority and weight

On multiple occasions, SRV query answers were not properly sorted by
priority. Records with same priority weren't randomized and shuffled.
This caused FreeIPA to contact the same remote peer instead of
distributing the load across all available servers.

Two new helper functions now take care of SRV queries. sort_prio_weight()
sorts SRV and URI records. query_srv() combines SRV lookup with
sort_prio_weight().

Fixes: https://pagure.io/freeipa/issue/7475
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
57fd79ff by Rob Crittenden at 2018-06-19T07:09:01Z
Replace some test case adjectives

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
bdc3e3c5 by Mohammad Rizwan Yusuf at 2018-06-19T10:44:10Z
Extended UI test for Certificates

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>

- - - - -
f1c7d3c2 by Christian Heimes at 2018-06-19T12:37:53Z
Start to deprecate Python 2 and 3.5

Python 2 will reach EOL in 18 months. Start to issue deprecation
warnings on Python 2.

No longer claim support for Python 3.5. Python 3.5 is untested.

NOTE: At first I tried to raise the deprecation warning from
ipalib.__init__. This caused some unforseen side-effects with
ipaplatform namespace package on Python 2. Eventually it was easier to
raise the deprecation warning in ipaplatform. RHEL and Debian platforms
don't raise the deprecation warning yet, because they use Python 2.

Fixes: https://pagure.io/freeipa/issue/7568
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
2d278720 by Michal Reznik at 2018-06-19T12:58:08Z
ui_tests: extend test_config.py suite

Extend test_config.py suite with new test cases.

Added tests:

config_email_undo
config_groupsearch_reset
groupsearchfield_blank
groupsearchfield_existing
groupsearchfield_leading_space
groupsearchfield_notallowed
groupsearchfield_trailing_space
usersearchfield_trailing_space
sizelimit_blank
sizelimit_letter
sizelimit_space
timelimit_blank
timelimit_letter
timelimit_negative
timelimit_space
userDefaultShell_blank
userDefaultShell_leading_space
userDefaultShell_new
userDefaultShell_specialchar
userDefaultShell_trailing_space
useremail_leading_space
useremail_new
useremail_trailing_space
usergroup_new
userhomedir_blank
userhomedir_leading_space
userhomedir_numbers
userhomedir_space_inbetween
userhomedir_specialchar
userhomedir_trailing_space
usermigrationmode_disable
usermigrationmode_enable
usernamelength_blank
usernamelength_letters
usernamelength_max
usernamelength_new
usernamelength_space_inbetween
usernamelength_specialchar
userpwdexpnotify_blank
userpwdexpnotify_letters
userpwdexpnotify_max
userpwdexpnotify_space_inbetween
userpwdexpnotify_specialchar
usersearchfield_blank
usersearchfield_existing
usersearchfield_leading_space
usersearchfield_new
usersearchfield_notallowed

https://pagure.io/freeipa/issue/7576

Reviewed-By: Pavel Picka <ppicka at redhat.com>

- - - - -
0b794cd4 by Florence Blanc-Renaud at 2018-06-19T16:06:56Z
fix dependency for *-domainname.service file

FreeIPA has a dependency on /usr/lib/systemd/system/*-domainname.service
file. In fedora <=28, this is provided by package 'initscripts'
but in fedora >= 29, this is provided by package 'hostname'.

Fixes:
https://pagure.io/freeipa/issue/7591

Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
b9690615 by Rob Crittenden at 2018-06-20T06:38:03Z
Improve console logging for ipa-server-install

The server installation and uninstallation overlaps both the
server and client installers. The output could be confusing
with a server uninstall finishing with the message:

The ipa-client-install command was successful

This was in part due to the fact that the server was not
configured with a console format and verbose was False which
meant that no logger messages were displayed at all.

In order to suppress client installation errors and avoid
confusion add a list of errors to ignore. If a server install
was not successful and hadn't gotten far enough to do the
client install then we shouldn't complain loudly about it.

https://pagure.io/freeipa/issue/6760

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
8ea22745 by Rob Crittenden at 2018-06-20T06:38:03Z
Drop attr defaultServerList if removing the last server

This otherwise returns a syntax error if trying to set
an empty value.

Related: https://pagure.io/freeipa/issue/6760

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
00ddb5dd by Rob Crittenden at 2018-06-20T06:38:03Z
server install: drop some print statements, change log level

The server installer had no console logger set so print
statements were used for communication. Now that a logger
is enabled the extra prints need to be dropped.

A number of logger.info statements have been upgraded
to debug since they do not need to appear on the console
by default.

https://pagure.io/freeipa/issue/6760

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
036d51d5 by Rob Crittenden at 2018-06-20T06:38:03Z
Handle subyptes in ACIs

While enabling console output in the server installation the
"Allow trust agents to retrieve keytab keys for cross realm
principals" ACI was throwing an unparseable error because
it has a subkey which broke parsing (the extra semi-colon):

userattr="ipaAllowedToPerform;read_keys#GROUPDN";

The regular expression pattern needed to be updated to handle
this case.

Related: https://pagure.io/freeipa/issue/6760

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
9ead7084 by Anuja More at 2018-06-20T08:06:39Z
Test that host can remove there own services

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
84ae625f by Ganna Kaihorodova at 2018-06-20T10:42:51Z
check nsds5ReplicaReleaseTimeout option was set

Check for nsds5ReplicaReleaseTimeout option was set

relates to: https://pagure.io/freeipa/issue/7488

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
8c3ff030 by Christian Heimes at 2018-06-21T09:49:26Z
Always set ca_host when installing replica

ipa-replica-install only set ca_host in its temporary
/etc/ipa/default.conf, when it wasn't installing a replica with CA. As a
consequence, the replica installer was picking a random CA server from
LDAP.

Always set the replication peer as ca_host. This will ensure that the
installer uses the same replication peer for CA. In case the replication
peer is not a CA master, the installer will automatically pick another
host later.

See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
f4716b69 by Stanislav Levin at 2018-06-21T13:30:58Z
Add support for format method to translation objects

For now translation classes have old style % formatting way only.
But 'format' is convenience, preferred in Python3 string formatting method.

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
854597c4 by Stanislav Levin at 2018-06-21T13:30:58Z
Use intended format() method of translation object

Translation objects have support for format(). This allows to
get rid of unicode() which is deprecated in Python3.

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
65414d14 by Stanislav Levin at 2018-06-21T13:30:58Z
Fix formatted translations in domainlevel plugin

For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable.

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
229f1608 by Stanislav Levin at 2018-06-21T13:30:58Z
Fix translation of idrange_* commands description

For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable
at all.

Also some messages to be translated at request time should
not use format().

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6f245db8 by Stanislav Levin at 2018-06-21T13:30:58Z
Fix formatted translations in trust plugin

Translation objects have support for format(). This allows to
get rid of unicode() which has been removed in Python3.

Also some messages to be translated at request time should
not use format()

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1dfdbfd8 by Stanislav Levin at 2018-06-21T13:30:58Z
Fix formatted translations of error messages in serverroles plugin

For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable
at all.

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4b3bc490 by Stanislav Levin at 2018-06-21T13:30:58Z
Fix formatted translations of error messages in topology plugin

For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable
at all.

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6fb45d2f by Tomas Krizek at 2018-06-21T13:54:49Z
test_dnssec: re-add named-pkcs11 workarounds

DNSSEC tests starrted to fail again, probably due to a bug in
some underlaying component.

This reverts commit 8bc677512296a7e94c29edd0c1a96aa7273f352a
and makes the xfail test check less strict - it will no longer
mark the test suite red if it passes.

Run DNSSEC tests on PR-CI

Co-authored-by: Felipe Barreto <fbarreto at redhat.com>
Related https://pagure.io/freeipa/issue/5348

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
dae4aac9 by Christian Heimes at 2018-06-21T13:54:49Z
Tests: Set default TTL for DNS zones to 1 sec

When running IPA tests, a default TTL for the zone should be set
very low to allow get rid of timeouts in the tests. Zone updates should
be propagated to the clients as soon as possible.

This is not something that should be used in production so the change is
done purely at install time within the tests. As zone information is
replicated, we only modify it when creating a master with integrated
DNS.

This change should fix a number of DNSSEC-related tests where default
TTL is longer than what a test expects and a change of DNSSEC keys
never gets noticed by the BIND. As result, DNSSEC tests never match
their expected output with what they received from the BIND.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Co-authored-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3a8f0bb1 by Christian Heimes at 2018-06-21T13:54:49Z
Remove restarted_named and xfail

With shorter TTL, several named restarts are no longer necessary to make
tests pass. The test case TestZoneSigningWithoutNamedRestart is no
longer relevant, too.

Modification of the root zone and disabling/enabling signing still seems
to need a restart. I have marked those cases as TODO.

See: https://pagure.io/freeipa/issue/5348
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
32ed10ca by Stanislav Levin at 2018-06-21T16:42:05Z
Apply validate_doc() to NO_CLI commands

This should prevent from NO_CLI commands have no translatable
description or have no one at all in Web UI API Browser.

Fixes: https://pagure.io/freeipa/issue/7592
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
c1f7a14c by Stanislav Levin at 2018-06-21T16:42:05Z
Fix some untranslatable commands in Web UI API Browser

There are some missing translatable docstrings of commands and modules.

Fixes: https://pagure.io/freeipa/issue/7592
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
de8d3081 by Armando Neto at 2018-06-21T18:42:15Z
ipaserver config plugin: Increase search records minimum limit

Check if the given search records value is greater than an arbitrary number that is not so close to zero.

https://pagure.io/freeipa/issue/6617

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
14c869b3 by Christian Heimes at 2018-06-22T11:01:55Z
Improve and fix timeout bug in wait_for_entry()

replication.wait_for_entry() now can wait for an attribute value to
appear on a replica.

Fixed timeout handling caused by bad rounding and comparison. For small
timeouts, the actual time was rounded down. For example for 60 seconds
timeout and fast replica, the query accumulated to about 0.45 seconds
plus 60 seconds sleep. 60.45 is large enough to terminate the loop
"while int(time.time()) < timeout", but not large enough to trigger the
exception in "if int(time.time()) > timeout", because int(60.65) == 60.

See: https://pagure.io/freeipa/issue/7593
Fixes: https://pagure.io/freeipa/issue/7595
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
1b966f70 by Christian Heimes at 2018-06-22T11:01:55Z
Use common replication wait timeout of 5min

Instead of multiple timeout values all over the code base, all
replication waits now use a common timeout value from api.env of 5
minutes. Waiting for HTTP/replica principal takes 90 to 120 seconds, so
5 minutes seem like a sufficient value for slow setups.

Fixes: https://pagure.io/freeipa/issue/7595
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
ad838c37 by Christian Heimes at 2018-06-22T11:01:55Z
Fix replication races in Dogtag admin code

DogtagInstance.setup_admin and related methods have multiple LDAP
replication race conditions. The bugs can cause parallel
ipa-replica-install to fail.

The code from __add_admin_to_group() has been changed to use MOD_ADD
ather than search + MOD_REPLACE. The MOD_REPLACE approach can lead to
data loss, when more than one writer changes a group.

setup_admin() now waits until both admin user and group membership have
been replicated to the master peer. The method also adds a new ACI to
allow querying group member in the replication check.

Fixes: https://pagure.io/freeipa/issue/7593
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
c7ac8b91 by Sudhir Menon at 2018-06-22T15:02:40Z
DOAP Description for IPA Project

https://pagure.io/freeipa/issue/2536

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
89ae4341 by Sudhir Menon at 2018-06-22T15:02:40Z
Adding modified DOAP file

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e90d90c5 by Mohammad Rizwan Yusuf at 2018-06-25T08:37:58Z
Check if issuer DN is updated after self-signed > external-ca

This test checks if issuer DN is updated properly after CA is
renewed from self-signed to external-ca

related ticket: https://pagure.io/freeipa/issue/7316

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>

Replaced hardcoded issuer CN for external ca with constant

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
0e21d933 by Christian Heimes at 2018-06-25T11:41:18Z
Use 4 WSGI workers on 64bit systems

Commit f1d5ab3a03191dbb02e5f95308cf8c4f1971cdcf increases WSGI worker
count to five. This turned out to be a bit much for our test systems.
Four workers are good enough and still double the old amount.

See: https://pagure.io/freeipa/issue/7587
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
ba8cbb8c by Christian Heimes at 2018-06-27T09:05:01Z
Ensure that public cert and CA bundle are readable

In CIS hardened mode, the process umask is 027. This results in some
files not being world readable. Ensure that write_certificate_list()
calls in client installer, server installer, and upgrader create cert
bundles with permission bits 0644.

Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1434f2a2 by Christian Heimes at 2018-06-27T09:05:01Z
Always make ipa.p11-kit world-readable

Ensure that ipa.p11-kit is always world-readable.

Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
89b2137d by Christian Heimes at 2018-06-27T09:05:01Z
Make /etc/httpd/alias world readable & executable

The directory /etc/httpd/alias contains public key material. It must be
world readable and executable, so any client can read public certs.

Note: executable for a directory means, that a process is allowed to
traverse into the directory.

Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c2eb0f16 by Christian Heimes at 2018-06-27T09:05:01Z
Fix permission of public files in upgrader

Make CA bundles, certs, and cert directories world-accessible in
upgrader.

Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
39ac5f44 by Varun Mylaraiah at 2018-06-27T11:31:54Z
ui_tests: extend test_pwpolicy.py suite

Extend WebUI test_pwpolicy suite with the following test cases
Details in the ticket https://pagure.io/freeipa/issue/7574

Added tests:
krbpwdminlength: lower range integer
krbmaxpwdlife: non-integer, abc
krbmaxpwdlife: upper range integer,2147483648
krbmaxpwdlife: lower range integer,-1
krbminpwdlife: non-integer,edf
krbminpwdlife: upper range integer,2147483648
krbminpwdlife: lower range integer,-1
krbpwdhistorylength: non-integer,HIJ
krbpwdhistorylength: upper range integer,2147483648
krbpwdhistorylength: lower range integer,-1
krbpwdmindiffchars: noon-integer,3lm
krbpwdmindiffchars: upper range integer,2147483648
krbpwdmindiffchars: lower range integer, -1
krbpwdminlength: non-integer, n0p
krbpwdminlength: upper range integer,2147483648
krbpwdminlength: lower range integer, -1
cospriority: non-integer, abc
cospriority: upper range integer,2147483648
cospriority: lower range integer,-1
krbpwdmaxfailure: non-integer
krbpwdmaxfailure: upper range integer
krbpwdmaxfailure: lower range integer
krbpwdfailurecountinterval: non-integer
krbpwdfailurecountinterval: upper range integer
krbpwdfailurecountinterval: lower range integer
krbpwdlockoutduration: non-integer
krbpwdlockoutduration: upper range integer
krbpwdlockoutduration: lower range integer
deletePolicy_with various scenario
MeasurementUnitAdded_Bug798363
Delete global password policy
add_Policy_adder_dialog_bug910463
delete_Policy_deleter_dialog_bug910463
test field: cospriority
modifyPolicy(undo/refresh/reset)
empty policy name
upper bound of data range
lower bound of data range
non integer for policy priority

Signed-off-by: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Pavel Picka <ppicka at redhat.com>

- - - - -
81f36df7 by Alexander Bokovoy at 2018-06-27T15:49:35Z
ipaserver/dcerpc.py: handle indirect topology conflicts

When AD forest A has a trust with a forest B that claims ownership
of a domain name (TLN) owned by an IPA forest, we need to build
exclusion record for that specific TLN, not our domain name.

Use realmdomains to find a correct exclusion entry to build.

Fixes: https://pagure.io/freeipa/issue/7370
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
d622be29 by Armando Neto at 2018-06-27T18:25:39Z
Prevent the creation on users and groups with numeric characters only

Update regular expression validator to prevent user and group creation.

Fixes: https://pagure.io/freeipa/issue/7572

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a39f6563 by Florence Blanc-Renaud at 2018-06-28T09:41:17Z
ipa-client-install: enable and start oddjobd if mkhomedir

Since the switch to authselect, the service oddjobd is not
automatically enabled when ipa client is installed with
--mkhomedir.
The fix makes sure that the service is enabled/started, and
stores the pre-install state in sysrestore.state, in order
to revert to the pre-install state when uninstall is called

Fixes:
https://pagure.io/freeipa/issue/7604

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
7bf99e8d by Florence Blanc-Renaud at 2018-06-28T09:41:17Z
Add test for ticket 7604: ipa-client-install --mkhomedir doesn't enable oddjobd

Add a test checking that ipa-client-install --mkhomedir
is properly enableing/starting oddjobd.

Related to:
https://pagure.io/freeipa/issue/7604

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0128b3f9 by Anuja More at 2018-06-29T08:31:50Z
Test for ipa-client-install should not use hardcoded admin principal

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
52cdd213 by Christian Heimes at 2018-06-29T13:48:43Z
Catch ACIError instead of invalid credentials

ipaldap's LDAPClient client turns INVALID_CREDENTIAL error into
ACIError. Catch the ACIError and wait until the user has been
replicated.

Apparently no manual or automated test ran into the timeout during
testing.

Fixes: Fixes: https://pagure.io/freeipa/issue/7593
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f8159d0b by Christian Heimes at 2018-06-29T15:20:19Z
Pythhon3.7: re module has no re._pattern_type

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4084189f by Christian Heimes at 2018-06-29T15:20:19Z
pylint: Class node has been renamed to ClassDef

nodes.Class has been removed from pylint and astroid 2.0. The new names
have been available for a while.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
627cb490 by Rob Crittenden at 2018-07-03T13:37:27Z
Extend CALessBase::installer_server to accept extra_args

Allow callers to pass abitrary extra arguments to the installer.

This is useful when using a CALess installation in order to
speed up tests that require a full install but do not require
a full PKI.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
00dceb43 by Justin Stephenson at 2018-07-03T13:37:27Z
Skip zone overlap check with auto-reverse

Skip the existing reverse zone overlap check during DNS installation
when both --auto-reverse and --allow-zone-overlap arguments are
provided.

https://pagure.io/freeipa/issue/7239

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
dcaa62f6 by Nikhil Dehadrai at 2018-07-03T15:04:50Z
Test for improved Custodia key distribution

The test checks that custodia keys are properly
replicated from the source and are successfully
distributed amongst peer system upon successful
replica installation.

Fixes: https://pagure.io/freeipa/issue/7518

Signed-off-by: Nikhil Dehadrai <ndehadra at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
6896c90e by Christian Heimes at 2018-07-04T07:32:54Z
Extend Sub CA replication test

Test more scenarios like replication replica -> master. Verify that master
and replica have all expected certs with correct trust flags and all keys.

See: https://pagure.io/freeipa/issue/7590
See: https://pagure.io/freeipa/issue/7589
Fixes: https://pagure.io/freeipa/issue/7611
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
a7627a7d by Christian Heimes at 2018-07-04T07:32:54Z
Require JSS 4.4.5 with replication fixes

JSS fixes two issues related to cert replication and trust flags. The
bugs causes the replicated NSS DB to miss public key entries.

See: https://github.com/dogtagpki/jss/pull/13
See: https://github.com/dogtagpki/jss/pull/15
Fixes: https://pagure.io/freeipa/issue/7590
Fixes: https://pagure.io/freeipa/issue/7589
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
e140d198 by Michal Reznik at 2018-07-04T13:21:30Z
ui_tests: stabilization fixes

This patch aims to fix the following tests which seems to be quite
unstable recently:

test_user::test_actions - closing notification and moving to element
to have screenshot of current place.

test_user::certificates - add wait() / close_notification

Also adds missing @screenshot decorator to test_user_misc method.

Reviewed-By: Pavel Picka <ppicka at redhat.com>

- - - - -
79391ad8 by Armando Neto at 2018-07-04T13:21:30Z
ui_tests: fix test_config::test_size_limits

Fix a regression caused by: https://pagure.io/freeipa/issue/7606

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Pavel Picka <ppicka at redhat.com>

- - - - -
417f7486 by Michal Reznik at 2018-07-04T14:03:02Z
ipa_tests: ipa-replica-prepare stuck on user input

TestOldReplicaWorksAfterDomainUpgrade is getting stuck while
running "ipa-replica-prepare" as it is asking for user input:
"Do you want to search for missing reverse zones?". Adding
"--auto-reverse" in order to continue.

https://pagure.io/freeipa/issue/7615

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
53c54966 by Armando Neto at 2018-07-05T17:42:43Z
ipa-client-install: Update how comments are added by ipachangeconf

Due to how 'openldap-client' parses its configuration files this patch
changes how comments are added, moving them to the line above instead
of appending to the same line.

IPA doesn't want to break existing configuration, if a value already
exists it adds a comment to the modified setting and a note about that
on the line above.

New settings will be added without any note.

Issue: https://pagure.io/freeipa/issue/5202

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
198a2c61 by Christian Heimes at 2018-07-05T17:45:10Z
Import ABCs from collections.abc

Python 3 has moved all collection abstract base classes to
collections.abc. Python 3.7 started to deprecate the old aliases.

The whole import block needs to be protected with import-error and
no-name-in-module, because Python 2 doesn't have collections.abc module and
collections.abc.Mapping, while Python 3 doesn't have collections.Mapping.

Fixes: https://pagure.io/freeipa/issue/7609
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
9c86d35a by Christian Heimes at 2018-07-05T17:46:42Z
Cleanup shebang and executable bit

- Add missing executable bits to all scripts
- Remove executable bits from all files that are not scripts,
  e.g. js, html, and Python libraries.
- Remove Python shebang from all Python library files.

It's frown upon to have executable library files in site-packages.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
e8d33ccf by Armando Neto at 2018-07-05T21:09:27Z
ipa-server-install: fix zonemgr argument validator

Fix `ERROR 'str' object has no attribute 'decode'` when --zonemgr is
passed to ipa-server-install.

Solution copied from commit 75d26e1f0121f875bdb017b0636c02a6f5660e8a,
function `ipaserver.install.bindinstance.zonemgr_callback` duplicates
the behavior of the method affected by this patch.

Issue: https://pagure.io/freeipa/issue/7612

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
7c2ca141 by Christian Heimes at 2018-07-06T11:26:43Z
Query for server role IPA master

server_find and server_role plugin were hiding IPA master role
information. It's now possible to fetch IPA master role information and
to filter by IPA master role, e.g. to ignore servers that have some
services configured but not (yet) enabled.

See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
10457a01 by Christian Heimes at 2018-07-06T11:26:43Z
Only create DNS SRV records for ready server

When installing multiple replicas in parallel, one replica may create
SRV entries for other replicas, although the replicas aren't fully
installed yet. This may cause some services to connect to a server, that
isn't ready to serve requests.

The DNS IPASystemRecords framework now skips all servers that aren't
ready IPA masters.

See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
7284097e by Christian Heimes at 2018-07-06T11:26:43Z
Delay enabling services until end of installer

Service entries in cn=FQDN,cn=masters,cn=ipa,cn=etc are no longer
created as enabled. Instead they are flagged as configuredService. At
the very end of the installer, the service entries are switched from
configured to enabled service.

- SRV records are created at the very end of the installer.
- Dogtag installer only picks fully installed servers
- Certmonger ignores all configured but not yet enabled servers.

Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
e32cfd14 by Florence Blanc-Renaud at 2018-07-06T15:40:55Z
ipa client uninstall: clean the state store when restoring hostname

When ipa client was installed with the --hostname= option, it stores
[network]
hostname = (current hostname)
in /var/lib/ipa-client/sysrestore/sysrestore.state and changes the hostname
from (current hostname) to the value provided in --hostname.

During uninstall, the previous hostname is restored but the entry does
not get removed from sysrestore.state. As the uninstaller checks if all
entries from sysrestore.state have been restored, it warns that some
state has not been restored.

The fix calls statestore.restore_state() instead of statestore.get_state()
as this method also clears the entry.

https://pagure.io/freeipa/issue/7620

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8fa76762 by Christian Heimes at 2018-07-06T15:53:06Z
Fix CA topology warning

Commit 7284097eedef70dd556270732e6ab8e23501ce09 kept
find_providing_servers('CA') call before enable_services(). Therefore the
list of known CA servers did not contain the current replica.
ipa-replica-install on the first replica with --setup-ca still printed
the CA topology warning.

See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f2941272 by Rob Crittenden at 2018-07-06T16:25:52Z
replicainstall: DS SSL replica install pick right certmonger host

Extend fix 0f31564b35aac250456233f98730811560eda664 to also move
the DS SSL setup so that the xmlrpc_uri is configured to point
to the remote master we are configuring against.

https://pagure.io/freeipa/issue/7566

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
b274da72 by Armando Neto at 2018-07-07T08:20:01Z
Replace file.flush() calls with flush_sync() helper

Calls to `os.fsync(f.fileno())` need to be accompained by `f.flush()`.

Commit 8bbeedc93fd442cbbb9bb70e5f446011e95211db introduces the helper
`ipapython.ipautil.flush_sync()`, which handles all calls in the right
order.

However, `flush_sync()` takes as parameter a file object with fileno
and name, where name must be a path to the file, this isn't possible
in some cases where file descriptors are used.

Issue: https://pagure.io/freeipa/issue/7251

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
199d50a4 by Christian Heimes at 2018-07-09T12:36:42Z
Fix race condition in get_locations_records()

The method IPASystemRecords.get_locations_records() has a race condition.
The IPASystemRecords object creates a mapping of server names to server
data. get_locations_records() uses server_find() again to get a list of
servers, but then operates on the cached dict of server names.

In parallel replication case, the second server_find() call in
get_locations_records() can return additional servers. Since the rest of
the code operates on the cached data, the method then fails with a KeyError.

server_data is now an OrderedDict to keep same sorting as with
server_find().

Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
811b0fdb by Christian Heimes at 2018-07-09T16:20:17Z
Tune DS replication settings

Tune 389-DS replication settings to improve performance and avoid
timeouts. During installation of a replica, the value of
nsDS5ReplicaBindDnGroupCheckInterval is reduced to 2 seconds. At the end
of the installation, the value is increased sensible production
settings. This avoids long delays during replication.

See: https://pagure.io/freeipa/issue/7617
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
fcb2a069 by Stanislav Levin at 2018-07-09T16:27:05Z
Fix link to browser configuration guide on Login page

There is a mismatch between 'i18n' krb_auth_msg and 'LoginScreen'
widget kerberos_msg. The former links to "unauthorized.html", but the latter
to "ssbrowser.html". Both should link to "ssbrowser.html" page.

Fixes: https://pagure.io/freeipa/issue/7624
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1fa2a7cd by Christian Heimes at 2018-07-09T18:15:18Z
Auto-retry failed certmonger requests

During parallel replica installation, a request sometimes fails with
CA_REJECTED or CA_UNREACHABLE. The error occur when the master is
either busy or some information haven't been replicated yet. Even
a stuck request can be recovered, e.g. when permission and group
information have been replicated.

A new function request_and_retry_cert() automatically resubmits failing
requests until it times out.

Fixes: https://pagure.io/freeipa/issue/7623
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
2b669c52 by Christian Heimes at 2018-07-09T18:15:18Z
Wait for client certificates

ipa-client-install --request-cert now waits until certmonger has
provided a host certificate. In case of an error, ipa-client-install no
longer pretents to success but fails with an error code.

The --request-cert option also ensures that certmonger is enabled and
running.

See: Fixes: https://pagure.io/freeipa/issue/7623
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
9222a08c by Christian Heimes at 2018-07-10T15:51:05Z
Fix DNSSEC install regression

7284097eedef70dd556270732e6ab8e23501ce09 introduced a regression in
DNSSEC master installation. For standalone and replica installation,
services have to be enabled before checking bind config.

Fixes: https://pagure.io/freeipa/issue/7635
See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
b4ad0d19 by Armando Neto at 2018-07-11T08:11:38Z
Fix pylint 2.0 return-related violations

Aiming to support pylint 2.0 some functions and methods must have their
return statements updated in order to fix two new violations:

- `useless-return` (R1711):
  Useless return at end of function or method Emitted when a single
  "return" or "return None" statement is found at the end of function
  or method definition. This statement can safely be removed because
  Python will implicitly return None

- `inconsistent-return-statements` (R1710):
  Either all return statements in a function should return an
  expression, or none of them should. According to PEP8, if any return
  statement returns an expression, any return statements where no value
  is returned should explicitly state this as return None, and an
  explicit return statement should be present at the end of the
  function (if reachable)

Issue: https://pagure.io/freeipa/issue/7614

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0c1010d6 by Christian Heimes at 2018-07-11T08:50:33Z
Mark all expected failures as strict

With strict=True, xfail() fails when the test case passes unexpectably.
This allows us to spot passing tests that are expected to fail.

Fixes: https://pagure.io/freeipa/issue/7613
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Cech <pcech at redhat.com>

- - - - -
ec65590c by Christian Heimes at 2018-07-11T08:50:33Z
Fix XPASS in test_installation

Several test cases in test_installation pass, but are marked as xfail().
Only mark the actual failing tests as failed.

See: https://pagure.io/freeipa/issue/7613
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Cech <pcech at redhat.com>

- - - - -
f48f00c6 by Christian Heimes at 2018-07-11T12:35:55Z
pylint 2.0: node.path is a list

In pylint 2.0 and astroid 2.0, node.path has become a list. It's usually
a list of one element unless namespace packages are involved.

See https://github.com/PyCQA/astroid/commit/7f46f9341cc54bbe6763409c4ca7ea3adfec098a#diff-f0ac879524bcb98964f7d8738a084820

See: https://pagure.io/freeipa/issue/7614
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
ba954efa by Armando Neto at 2018-07-12T06:49:43Z
Fix pylint 2.0 conditional-related violations

In order to support pylint 2.0 the following violations must be fixed:

- `chained-comparison` (R1716):
  Simplify chained comparison between the operands This message is
  emitted when pylint encounters boolean operation like
  "a < b and b < c", suggesting instead to refactor it to "a < b < c".

- `consider-using-in` (R1714):
  Consider merging these comparisons with "in" to %r To check if a
  variable is equal to one of many values,combine the values into a
  tuple and check if the variable is contained "in" it instead of
  checking for equality against each of the values.This is faster
  and less verbose.

Issue: https://pagure.io/freeipa/issue/7614

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
f89e501e by Christian Heimes at 2018-07-12T13:26:25Z
Handle races in replica config

When multiple replicas are installed in parallel, two replicas may try
to create the cn=replica entry at the same time. This leads to a
conflict on one of the replicas. replica_config() and
ensure_replication_managers() now handle conflicts.

ipaldap now maps TYPE_OR_VALUE_EXISTS to DuplicateEntry(). The type or
value exists exception is raised, when an attribute value or type is
already set.

Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz at redhat.com>

- - - - -
ca7cece1 by Petr Vobornik at 2018-07-12T13:38:01Z
WebUI build: replace uglifyjs with system package

UgligyJS is packaged in Fedora and other OSes it is no longer required
to carry our own version. This will lower the maintanance burden - the
code doesn't need to be updated and it is less code to have in repo.

On some configuration usage of the budled UglifyJS 1 produces
"JavaScript throw: java.lang.StackOverflowError" exception. Usage of more
recent version should fix it.

Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
df95ba59 by Petr Vobornik at 2018-07-12T13:38:01Z
WebUI build: use NodeJS instead of Rhino

Rhino is no longer mainstream, nor is Nashorn. In addition it is quite
slow (about 10x) in comparison to NodeJS. Over the years NodeJS became
common part of OSes, thus one of the original reasons why use Rhino
went away.

The change in 01-Make-dojo-builder-buildable-by-itself.patch fixes
an incorrect change of the patch (it was not processing input options
well).

Removing configRhino.js and adding configNode.js are prerequisites
for Dojo Builder. These files are copied from Dojo project. Without
them it doesn̈́'t run. In long run, it would be good to replace Dojo
builder with something else but that is outside of this commit/PR.

Last changes are preparation for update to latest stable version of
Dojo 1. The updated Dojo and Dojo builder are in subsequent commit.

Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
19c3f173 by Petr Vobornik at 2018-07-12T13:38:01Z
Update Dojo and Dojo builder to 1.13.0

This is a result of the previous commits. Building the Dojo builder
was bit more complex as it was:
1. patched Dojo sources
2. built from Dojo builder sources.
3. moved to it's location in FreeIPA project
4. built by util/make-builder.sh (does minimazation and replaces
   itself)

Then Dojo layer is built by just:
1. util/make-dojo.sh

This process was documented some time ago at:

https://www.freeipa.org/page/V3/WebUI_build

Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
10de2f37 by Christian Heimes at 2018-07-12T16:19:34Z
Add tab completion and history to ipa console

ipa console is a useful tool to use FreeIPA's API in an interactive
Python console. The patch adds readline tab completion and history
support.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5affc9b9 by Christian Heimes at 2018-07-12T16:19:34Z
Create helper function to upload to temp file

upload_temp_contents() generates a temporary file on the remote side and
uploads content to that temporary file. The file name is returned.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
87904b8f by Christian Heimes at 2018-07-12T16:19:34Z
Fix ipa console filename

THe ipa console command takes an optional filename argument. The
filename argument was broken, because the implementation passed a file
object to exec() instead of a string or compiled object.

ipa console now uses compile() to compile the code with print_function
__future__ feature.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4fc7f726 by Christian Heimes at 2018-07-13T17:56:03Z
Teach pylint how our api works

pylint 2.0 is more strict and complains about several aspects of
ipalib.api. It turns out that AstroidBuilder.string_build() can be used
to easily teach pylint about object attributes and attribute values.
Although the assignment wouldn't work with the actual implementation,
the string builder assignments shows pylint the names and values of
members. It works without additional transformation.

See: https://pagure.io/freeipa/issue/7614
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
aacf185f by Christian Heimes at 2018-07-13T17:56:03Z
Add pylint ignore to magic config.Env attributes

pylinti 2 is having a hard time to handle name mangled, magic attributes
correctly. Double under attributes like __d are internally renamed to
_Env__d. After multiple failed attempts, it was easier to just add more
pylint disable to the implementation.

pylint 2 also thinkgs that Env.server is defined much later or the env
doesn't have that member at all. Ignore the false warnings, too.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
d1357194 by Armando Neto at 2018-07-14T10:04:19Z
Fix Pylint 2.0 violations

Fix the following violations aiming to support Pylint 2.0

- `unneeded-not` (C0113):
  Consider changing "not item in items" to "item not in items" used
  when a boolean expression contains an unneeded negation.

- `useless-import-alias` (C0414):
  Import alias does not rename original package Used when an import
  alias is same as original package.e.g using import numpy as numpy
  instead of import numpy as np

- `raising-format-tuple` (W0715):
  Exception arguments suggest string formatting might be intended Used
  when passing multiple arguments to an exception constructor, the
  first of them a string literal containing what appears to be
  placeholders intended for formatting

- `bad-continuation` (C0330):
  This was already included on the disable list, although with current
  version of pylint (2.0.0.dev2) violations at the end of the files
  are not being ignored.
  See: https://github.com/PyCQA/pylint/issues/2278

- `try-except-raise` (E0705):
  The except handler raises immediately Used when an except handler
  uses raise as its first or only operator. This is useless because it
  raises back the exception immediately. Remove the raise operator or
  the entire try-except-raise block!

- `consider-using-set-comprehension` (R1718):
  Consider using a set comprehension Although there is nothing
  syntactically wrong with this code, it is hard to read and can be
  simplified to a set comprehension.Also it is faster since you don't
  need to create another transient list

- `dict-keys-not-iterating` (W1655):
  dict.keys referenced when not iterating Used when dict.keys is
  referenced in a non-iterating context (returns an iterator in
  Python 3)

- `comprehension-escape` (W1662):
  Using a variable that was bound inside a comprehension Emitted when
  using a variable, that was bound in a comprehension handler, outside
  of the comprehension itself. On Python 3 these variables will be
  deleted outside of the comprehension.

Issue: https://pagure.io/freeipa/issue/7614

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
6a2e6864 by Christian Heimes at 2018-07-16T10:23:48Z
Fedora 29: No longer build python2-ipaserver

Some Python 2 dependencies such as python2-pki are no longer available
on Fedora 29. The pki package is a required dependency of
python2-ipaserver. It's not yet feasible to remove all Python 2
packages, since fleetcommander is not fully ported to Python 3 yet.

On Fedora 29, python2-ipaserver and python2-ipatests are no longer
built. The Python 3 packages replace the Python 2 packages.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3ccd512d by Armando Neto at 2018-07-16T15:03:35Z
Disable Pylint 2.0 violations

Globally disabling the following violations:

- `assignment-from-no-return` (E1111):
  Assigning to function call which doesn't return. Used when an
  assignment is done on a function call but the inferred function
  doesn't return anything.

- `keyword-arg-before-vararg` (W1113):
  Keyword argument before variable positional arguments list in the
  definition of %s function When defining a keyword argument before
  variable positional arguments, one can end up in having multiple
  values passed for the aforementioned parameter in case the method is
  called with keyword arguments.

Locally disabling the following:

- `subprocess-popen-preexec-fn` (W1509):
  Using preexec_fn keyword which may be unsafe in the presence of
  threads The preexec_fn parameter is not safe to use in the presence
  of threads in your application. The child process could deadlock
  before exec is called. If you must use it, keep it trivial! Minimize
  the number of libraries you call into.
  https://docs.python.org/3/library/subprocess.html#popen-constructor

Fixed violations:

- `bad-mcs-classmethod-argument` (C0204):
  Metaclass class method %s should have %s as first argument Used when
  a metaclass class method has a first argument named differently than
  the value specified in valid-metaclass-classmethod-first-arg option
  (default to "mcs"), recommended to easily differentiate them from
  regular instance methods.
  - Note: Actually `cls` is the default first arg for `__new__`.

- `consider-using-get` (R1715):
  Consider using dict.get for getting values from a dict if a key is
  present or a default if not Using the builtin dict.get for getting a
  value from a dictionary if a key is present or a default if not, is
  simpler and considered more idiomatic, although sometimes a bit slower

Issue: https://pagure.io/freeipa/issue/7614

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
4edcf8e5 by Michal Reznik at 2018-07-17T13:14:48Z
Mark DL0 TestReplicaManageDel tests as xfail

Mark failing DL0 TestReplicaManageDel tests as xfail until
issue 7622 is fixed.

https://pagure.io/freeipa/issue/7622

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
7dadedc1 by Christian Heimes at 2018-07-17T14:52:31Z
Use python2_sitelib in spec file

%{python_sitelib} has been deprecated in favor of %{python2_sitelib}.
F29 rawhide no longer defines %{python_sitelib}.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
904458a4 by Christian Heimes at 2018-07-17T14:52:31Z
Update builddep command in BUILD.txt

It's no longer necessary to specify "with_python3" to get Python 3
dependencies.

python3-tox pulls in Python 2.6, 3.3, 3.4, 3.5, and pypy as weak
dependency. Use --setopt=install_weak_deps=False to make a build
environment leaner.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
653f327b by Christian Heimes at 2018-07-17T14:52:31Z
Add more RHEL customizations to spec file

- Handle name / alt name for Fedora and RHEL. On Fedora, the packages
  are named "freeipa-*" with alternative names "ipa-*". On RHEL it is
  the other way around.
- Don't build ipatests on RHEL.
- Use latest versions of KRB5 on RHEL

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
34fe4b1d by Christian Heimes at 2018-07-17T14:52:31Z
Remove needless use of %defatt

Original patch by Jason Tibbitts <tibbs at math.uh.edu>
See: https://src.fedoraproject.org/rpms/freeipa/c/9cdadfb7d0d60982dfdadbb9655f44dc43b01549?branch=master
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ab0835f9 by Stanislav Levin at 2018-07-17T19:32:28Z
Add endpoint for serving i18n requests

For now JSON service is not available without authentication
to IPA. But some of Web UI pages expect translations before
or without Login process. This endpoint serves i18n requests
only.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
86b57236 by Stanislav Levin at 2018-07-17T19:32:28Z
Disable authentication to endpoint for serving i18n requests

For now JSON service is not available without authentication
to IPA. But some of Web UI pages expect translations before
or without Login process.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
de58b808 by Stanislav Levin at 2018-07-17T19:32:28Z
Implement "translations" AMD

This module is used to get translated messages via JSON
request in a synchronous manner. To ensure translatability
i18n messages should be initialized before any other JS code
interacted with user is run.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
9492fb7f by Stanislav Levin at 2018-07-17T19:32:28Z
Add dependency to "translations" module

To ensure translatability i18n messages should be
initialized before any other JS code interacted with user
is run.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
c0c6b21b by Stanislav Levin at 2018-07-17T19:32:28Z
Stop fetching translations at metadata phase

Now i18n data is loaded at "translations" module resolve,
on which "text" module depends. Therefore, there is no
need to do it twice.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
5d8fde0a by Stanislav Levin at 2018-07-17T19:32:28Z
Fix translations at LoginScreen widget

To be translatable title and label fields should be marked
with @i18n. Also these messages should be provided by
i18n_messages.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
2a81ec3b by Stanislav Levin at 2018-07-17T19:32:28Z
Fix translations at login plugin

To be translatable text field should be marked
with @i18n. Also these messages should be provided by
i18n_messages.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
6bc37150 by Stanislav Levin at 2018-07-17T19:32:28Z
Fix translations at load_page plugin

To be translatable text field should be marked
with @i18n. Also these messages should be provided by
i18n_messages.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
7f9f59ba by Stanislav Levin at 2018-07-17T19:32:28Z
Fix translation of profile menu

To be translatable label field should be marked
with @i18n. Also these messages should be provided by
i18n_messages.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
c4467aae by Stanislav Levin at 2018-07-17T19:32:28Z
Add static JSON dump of i18n_messages request

The JSON test data is needed to UI unit tests.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
b8607e24 by Stanislav Levin at 2018-07-17T19:32:28Z
Fix Web UI 'get_entity_param' test

"IPA.init()" is no longer responsible for "IPA.messages".
So "ipa_init" test JSON data must not contain "texts".

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
0dace623 by Stanislav Levin at 2018-07-17T19:32:28Z
Add support for JSON request in HTTP test class

"urllib.parse.urlencode()" brokes JSON request's data.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
0908e80d by Stanislav Levin at 2018-07-17T19:32:28Z
Add support for Accept-Language in HTTP test class

"Accept-Language" is used to test translations.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
f49fac7b by Stanislav Levin at 2018-07-17T19:32:28Z
Add tests for "i18n_messages" end point

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
bb67eea1 by Stanislav Levin at 2018-07-17T19:32:28Z
Fix Web UI "details lifecycle" test

IPA doesn't provide "messages" anymore.
"text" module should be used instead.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
4b2af257 by Stanislav Levin at 2018-07-17T19:32:28Z
Stop usage of "IPA.messages" in Web UI "utils" tests

IPA doesn't provide "messages" anymore.
But actually ones are no needed for these tests.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
717d59e2 by Armando Neto at 2018-07-18T07:53:53Z
Fix regression: Handle unicode where str is expected

Regression caused by 947ac4bc1f6f4016cf5baf2ecb4577e893bc3948 when
trying to fix a similar issue for clients running Python 3. However,
that fix broke Python 2 clients.

Issue: https://pagure.io/freeipa/issue/7626

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
759e8355 by Rob Crittenden at 2018-07-18T07:54:58Z
Update 4.7 translations

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
47e6f00a by Rob Crittenden at 2018-07-19T06:39:15Z
Update Contributors.txt

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
59ef5371 by Christian Heimes at 2018-07-19T06:40:33Z
Turn multihost config problems into errors

The pytest multihost plugin skips tests, when there is a problem with a
test configuration. Configuration bugs like missing resources are not
considered a problem.

The IPA pytest multihost config object now turns FilterError into a
fatal error, so make_multihost_fixture() fails a test instead of
skipping.

Fixes: https://pagure.io/freeipa/issue/7638
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Ganna Kaihorodova <gkaihoro at redhat.com>

- - - - -
d4732786 by Stanislav Laznicka at 2018-07-19T06:42:33Z
ipatests: add installer framework testing

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
530da69e by Christian Heimes at 2018-07-19T13:44:46Z
Fix KRA replica installation from CA master

ipa-replica-install --kra-install can fail when the topology already has
a KRA, but replica is installed from a master with just CA. In that
case, Custodia may pick a machine that doesn't have the KRA auditing and
signing certs in its NSSDB.

Example:
 * master with CA
 * replica1 with CA and KRA
 * new replica gets installed from master

The replica installer now always picks a KRA peer.

The change fixes test scenario TestInstallWithCA1::()::test_replica2_ipa_dns_install

Fixes: https://pagure.io/freeipa/issue/7518
See: https://pagure.io/freeipa/issue/7008
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f84b3f39 by Rob Crittenden at 2018-07-19T15:27:02Z
Become IPA 4.7.0

- - - - -
0724fdb1 by Timo Aaltonen at 2018-08-03T21:00:55Z
Merge branch 'upstream-next' into master-next

- - - - -
b93b62a7 by Timo Aaltonen at 2018-08-03T21:01:15Z
update changelog

- - - - -
2107952c by Timo Aaltonen at 2018-08-03T21:27:26Z
drop upstreamed patches, refresh others

- - - - -


30 changed files:

- .freeipa-pr-ci.yaml
- .test_runner_config.yaml
- .test_runner_config_py3_temp.yaml
- .travis_run_task.sh
- API.txt
- BUILD.txt
- Contributors.txt
- VERSION.m4
- client/Makefile.am
- client/ipa-client-automount
- client/ipa-getkeytab.c
- client/ipa-join.c
- client/man/ipa-client-automount.1
- + client/share/Makefile.am
- install/share/freeipa.template → client/share/freeipa.template
- configure.ac
- daemons/ipa-otpd/queue.c
- daemons/ipa-otpd/test.py
- daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
- daemons/ipa-slapi-plugins/topology/ipa-topology-conf.ldif
- debian/changelog
- − debian/patches/Create-kadm5.acl-if-it-doesn-t-exist.diff
- debian/patches/create-sysconfig-ods.diff
- − debian/patches/dont-allow-compressed-certs.diff
- − debian/patches/fix-apache-ssl-setup.diff
- debian/patches/fix-fontawesome-path.diff
- − debian/patches/fix-httpd-group.diff
- − debian/patches/fix-named-conf-template.diff
- debian/patches/fix-opendnssec-setup.diff
- − debian/patches/fix-paths.diff


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/compare/c27a35ea0b250c09300a100dc20f0b308a68df7e...2107952c2b76f0159db90d6a07f949219fbeae07

-- 
View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/compare/c27a35ea0b250c09300a100dc20f0b308a68df7e...2107952c2b76f0159db90d6a07f949219fbeae07
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20180803/a0923593/attachment-0001.html>


More information about the Pkg-freeipa-devel mailing list