freeipa.git/ipapython/dnssec, branch master Unnamed repository; edit this file 'description' to name the repository. Fix minor typos 2016-06-20T11:49:32+00:00 Yuri Chornoivan yurchor@ukr.net 2016-06-19T08:03:33+00:00 a95e0777ac64cc8edad152f189be5347117785ef Reviewed-By: Martin Basti <mbasti@redhat.com> 
Reviewed-By: Martin Basti <mbasti@redhat.com>
Cosmetic changes to the code 2016-02-24T08:21:30+00:00 Stanislav Laznicka slaznick@redhat.com 2016-02-02T11:50:26+00:00 9757384c7c6337138b6e096d3bb926cdb3012ff6 Fixes some Coverity issues ipadiscovery.py: added assert should universe break plugins/dns.py: removed dead code dnssec/ldapkeydb.py: attribute assert in the proper object test_automount_plugin.py: fixed possible close() on None xmlrpc_test.py: Coverity does not like accessing None.__class__ https://fedorahosted.org/freeipa/ticket/5661 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
Fixes some Coverity issues

ipadiscovery.py:          added assert should universe break
plugins/dns.py:           removed dead code
dnssec/ldapkeydb.py:      attribute assert in the proper object
test_automount_plugin.py: fixed possible close() on None
xmlrpc_test.py:           Coverity does not like accessing None.__class__

https://fedorahosted.org/freeipa/ticket/5661

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
ipapython: port p11helper C code to Python 2016-01-21T09:21:32+00:00 Jan Cholasta jcholast@redhat.com 2016-01-06T12:10:11+00:00 500ee7e2b1fdaa9669cf136a380907cfe4f0f225 This replaces the binary _ipap11helper module with cffi-based Python code. https://fedorahosted.org/freeipa/ticket/5596 Reviewed-By: Martin Basti <mbasti@redhat.com> 
This replaces the binary _ipap11helper module with cffi-based Python code.

https://fedorahosted.org/freeipa/ticket/5596

Reviewed-By: Martin Basti <mbasti@redhat.com>
Use print_function future definition wherever print() is used 2016-01-20T10:59:21+00:00 Petr Viktorin pviktori@redhat.com 2016-01-05T12:39:39+00:00 462f4a5161185e74432cfe492ab959cc15b12711 Pylint considers `print` a statement if the __future__ import is not present, even if it's used like a function with one argument. Add the __future__ import to files `pylint --py3k` complains about. https://fedorahosted.org/freeipa/ticket/5623 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
Pylint considers `print` a statement if the __future__ import is
not present, even if it's used like a function with one argument.

Add the __future__ import to files `pylint --py3k` complains about.

https://fedorahosted.org/freeipa/ticket/5623

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal 2016-01-07T13:13:23+00:00 Petr Spacek pspacek@redhat.com 2015-12-20T18:35:55+00:00 fe263f764b9d8eabf8ae0fa284f167fec10b4a4d Command "ldap-cleanup <zone name>" is called to remove all key metadata from LDAP. This command is now called when disabling DNSSEC on a DNS zone. The stale metadata were causing problems when re-enabling DNSSEC on the same zone. https://fedorahosted.org/freeipa/ticket/5348 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Command "ldap-cleanup <zone name>" is called to remove all key metadata from
LDAP. This command is now called when disabling DNSSEC on a DNS zone. The stale
metadata were causing problems when re-enabling DNSSEC on the same zone.

https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP 2016-01-07T13:13:23+00:00 Petr Spacek pspacek@redhat.com 2015-12-20T17:36:48+00:00 43acb994f6cd78098f5dc3671c14b3ab17ca164b This filtering is useful in cases where LDAP contains DNS zones which have old metadata objects and DNSSEC disabled. Such zones must be ignored to prevent errors while calling dnssec-keyfromlabel or rndc. https://fedorahosted.org/freeipa/ticket/5348 Reviewed-By: Martin Basti <mbasti@redhat.com> 
This filtering is useful in cases where LDAP contains DNS zones which
have old metadata objects and DNSSEC disabled. Such zones must be
ignored to prevent errors while calling dnssec-keyfromlabel or rndc.

https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP 2016-01-07T13:13:23+00:00 Petr Spacek pspacek@redhat.com 2015-12-15T14:22:45+00:00 ddf7397a4beb8095a24981998461aecc0e1ec40d Key purging has to be only only after key metadata purging so ipa-dnskeysyncd on replices does not fail while dereferencing non-existing keys. https://fedorahosted.org/freeipa/ticket/5334 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Key purging has to be only only after key metadata purging so
ipa-dnskeysyncd on replices does not fail while dereferencing
non-existing keys.

https://fedorahosted.org/freeipa/ticket/5334

Reviewed-By: Martin Basti <mbasti@redhat.com>
DNSSEC: add debug mode to ldapkeydb.py 2016-01-07T13:13:23+00:00 Petr Spacek pspacek@redhat.com 2015-12-15T13:13:23+00:00 3c9c37cec1180fb6adcb8d59e367cf022d73aef1 ldapkeydb.py can be executed directly now. In that case it will print out key metadata as obtained using IPA LDAP API. Kerberos credential cache has to be filled with principal posessing appropriate access rights before the script is execured. https://fedorahosted.org/freeipa/ticket/5348 Reviewed-By: Martin Basti <mbasti@redhat.com> 
ldapkeydb.py can be executed directly now. In that case it will print
out key metadata as obtained using IPA LDAP API.

Kerberos credential cache has to be filled with principal posessing
appropriate access rights before the script is execured.

https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
DNSSEC: remove obsolete TODO note 2016-01-07T13:13:23+00:00 Petr Spacek pspacek@redhat.com 2015-12-02T11:58:23+00:00 e9cdaa19924a16e811ebbdd04d5a305b0608304a https://fedorahosted.org/freeipa/ticket/5348 Reviewed-By: Martin Basti <mbasti@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
DNSSEC: Make sure that current key state in LDAP matches key state in BIND 2016-01-07T13:13:23+00:00 Petr Spacek pspacek@redhat.com 2015-11-26T14:19:03+00:00 21e6cc6863a0bf7d832cf04dedfc3a2bdd22a78f We have to explicitly specify "none" value to prevent dnssec-keyfromlabel utility from using current time for keys without "publish" and "activate" timestamps. Previously this lead to situation where key was in (intermediate) state "generated" in OpenDNSSEC but BIND started to use this key for signing. https://fedorahosted.org/freeipa/ticket/5348 Reviewed-By: Martin Basti <mbasti@redhat.com> 
We have to explicitly specify "none" value to prevent dnssec-keyfromlabel
utility from using current time for keys without "publish" and "activate"
timestamps.

Previously this lead to situation where key was in (intermediate) state
"generated" in OpenDNSSEC but BIND started to use this key for signing.

https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>