freeipa.git/ipapython, branch replace_private_samba_calls Unnamed repository; edit this file 'description' to name the repository. Ticket #2850 - Ipactl exception not handled well 2012-08-27T13:30:28+00:00 John Dennis jdennis@redhat.com 2012-08-20T20:47:52+00:00 2bf68115cea1bae09c3b45e88ed9e405c57e70d2 Ticket #2850 - Ipactl exception not handled well There were various places in ipactl which intialized IpactlError with None as the msg. If you called str() on that exception all was well because ScriptError.__str__() converted a msg with None to the empty string (IpactlError is subclassed from ScriptError). But a few places directly access e.msg which will be None if initialized that way. It's hard to tell from the stack traces but I'm pretty sure it's those places which use e.msg directly which will cause the problems seen in the bug report. I do not believe it is ever correct to initialize an exception message to None, I don't even understand what that means. On the other hand initializing to the empty string is sensible and for that matter is the default for the class. This patch makes two fixes: 1) The ScriptError initializer will now convert a msg parameter of None to the empty string. 2) All places that initialized IpactlError's msg parameter to None removed the None initializer allowing the msg parameter to default to the empty string. I don't know how to test the fix for Ticket #2850 because it's not clear how it got into that state in the first place, but I do believe initialing the msg value to None is clearly wrong and should fix the problem. 
Ticket #2850 - Ipactl exception not handled well

There were various places in ipactl which intialized IpactlError with
None as the msg. If you called str() on that exception all was well
because ScriptError.__str__() converted a msg with None to the empty
string (IpactlError is subclassed from ScriptError). But a few places
directly access e.msg which will be None if initialized that way. It's
hard to tell from the stack traces but I'm pretty sure it's those
places which use e.msg directly which will cause the problems seen in
the bug report.

I do not believe it is ever correct to initialize an exception message
to None, I don't even understand what that means. On the other hand
initializing to the empty string is sensible and for that matter is
the default for the class.

This patch makes two fixes:

1) The ScriptError initializer will now convert a msg parameter of
None to the empty string.

2) All places that initialized IpactlError's msg parameter to None
removed the None initializer allowing the msg parameter to default
to the empty string.

I don't know how to test the fix for Ticket #2850 because it's not
clear how it got into that state in the first place, but I do believe
initialing the msg value to None is clearly wrong and should fix the
problem.
Ticket #3008: DN objects hash differently depending on case 2012-08-22T14:23:12+00:00 John Dennis jdennis@redhat.com 2012-08-17T19:34:40+00:00 1328f984d060b944fb8734a51edc0946cd42bbb3 Because the attrs & values in DN's, RDN's and AVA's are comparison case- insensitive the hash value between two objects which compare as equal but differ in case must also yield the same hash value. This is critical when these objects are used as a dict key or in a set because dicts and sets use the object's __hash__ value in conjunction with the objects __eq__ method to lookup the object. The defect is the DN, RDN & AVA objects computed their hash from the case- preserving string representation thus two otherwise equal objects incorrectly yielded different hash values. The problem manifests itself when one of these objects is used as a key in a dict, for example a dn. dn1 = DN(('cn', 'Bob')) dn2 = DN(('cn', 'bob')) dn1 == dn2 --> True hash(dn1) == hash(dn2) --> False d = {} d[dn1] = x d[dn2] = y len(d) --> 2 The patch fixes the above by lower casing the string representation of the object prior to computing it's hash. The patch also corrects a spelling mistake and a bogus return value in ldapupdate.py which happened to be discovered while researching this bug. 
Because the attrs & values in DN's, RDN's and AVA's are comparison case-
insensitive the hash value between two objects which compare as equal but
differ in case must also yield the same hash value. This is critical when
these objects are used as a dict key or in a set because dicts and sets
use the object's __hash__ value in conjunction with the objects __eq__
method to lookup the object.

The defect is the DN, RDN & AVA objects computed their hash from the case-
preserving string representation thus two otherwise equal objects
incorrectly yielded different hash values.

The problem manifests itself when one of these objects is used as a key in
a dict, for example a dn.

dn1 = DN(('cn', 'Bob'))
dn2 = DN(('cn', 'bob'))

dn1 == dn2 --> True

hash(dn1) == hash(dn2) --> False

d = {}

d[dn1] = x
d[dn2] = y

len(d) --> 2

The patch fixes the above by lower casing the string representation of
the object prior to computing it's hash.

The patch also corrects a spelling mistake and a bogus return value in
ldapupdate.py which happened to be discovered while researching this
bug.
Fix winsync agreements creation 2012-08-13T03:26:16+00:00 Martin Kosek mkosek@redhat.com 2012-08-13T07:38:24+00:00 6341eff07891dfd4ed253081eb056ff6eb5aa573 Due to recent addition of ID range support to DsInstance, the class could no longer be instantiated when realm_name was passed but ID range parameters were not. This condition broke winsync agreements creation in ipa-replica-manage. Make sure that ID range computation in DsInstance does not crash in this cases so that winsync replica can be created. Also convert --binddn option of ipa-replica-manage script to IPA native DN type so that setup_agreement does not crash. https://fedorahosted.org/freeipa/ticket/2987 
Due to recent addition of ID range support to DsInstance, the class
could no longer be instantiated when realm_name was passed but
ID range parameters were not. This condition broke winsync agreements
creation in ipa-replica-manage.

Make sure that ID range computation in DsInstance does not crash in
this cases so that winsync replica can be created. Also convert --binddn
option of ipa-replica-manage script to IPA native DN type so that
setup_agreement does not crash.

https://fedorahosted.org/freeipa/ticket/2987
Use DN objects instead of strings 2012-08-12T20:23:24+00:00 John Dennis jdennis@redhat.com 2012-05-13T11:36:35+00:00 94d457e83c172320707fbf13f7a1587dad128ece * Convert every string specifying a DN into a DN object * Every place a dn was manipulated in some fashion it was replaced by the use of DN operators * Add new DNParam parameter type for parameters which are DN's * DN objects are used 100% of the time throughout the entire data pipeline whenever something is logically a dn. * Many classes now enforce DN usage for their attributes which are dn's. This is implmented via ipautil.dn_attribute_property(). The only permitted types for a class attribute specified to be a DN are either None or a DN object. * Require that every place a dn is used it must be a DN object. This translates into lot of:: assert isinstance(dn, DN) sprinkled through out the code. Maintaining these asserts is valuable to preserve DN type enforcement. The asserts can be disabled in production. The goal of 100% DN usage 100% of the time has been realized, these asserts are meant to preserve that. The asserts also proved valuable in detecting functions which did not obey their function signatures, such as the baseldap pre and post callbacks. * Moved ipalib.dn to ipapython.dn because DN class is shared with all components, not just the server which uses ipalib. * All API's now accept DN's natively, no need to convert to str (or unicode). * Removed ipalib.encoder and encode/decode decorators. Type conversion is now explicitly performed in each IPASimpleLDAPObject method which emulates a ldap.SimpleLDAPObject method. * Entity & Entry classes now utilize DN's * Removed __getattr__ in Entity & Entity clases. There were two problems with it. It presented synthetic Python object attributes based on the current LDAP data it contained. There is no way to validate synthetic attributes using code checkers, you can't search the code to find LDAP attribute accesses (because synthetic attriutes look like Python attributes instead of LDAP data) and error handling is circumscribed. Secondly __getattr__ was hiding Python internal methods which broke class semantics. * Replace use of methods inherited from ldap.SimpleLDAPObject via IPAdmin class with IPAdmin methods. Directly using inherited methods was causing us to bypass IPA logic. Mostly this meant replacing the use of search_s() with getEntry() or getList(). Similarly direct access of the LDAP data in classes using IPAdmin were replaced with calls to getValue() or getValues(). * Objects returned by ldap2.find_entries() are now compatible with either the python-ldap access methodology or the Entity/Entry access methodology. * All ldap operations now funnel through the common IPASimpleLDAPObject giving us a single location where we interface to python-ldap and perform conversions. * The above 4 modifications means we've greatly reduced the proliferation of multiple inconsistent ways to perform LDAP operations. We are well on the way to having a single API in IPA for doing LDAP (a long range goal). * All certificate subject bases are now DN's * DN objects were enhanced thusly: - find, rfind, index, rindex, replace and insert methods were added - AVA, RDN and DN classes were refactored in immutable and mutable variants, the mutable variants are EditableAVA, EditableRDN and EditableDN. By default we use the immutable variants preserving important semantics. To edit a DN cast it to an EditableDN and cast it back to DN when done editing. These issues are fully described in other documentation. - first_key_match was removed - DN equalty comparison permits comparison to a basestring * Fixed ldapupdate to work with DN's. This work included: - Enhance test_updates.py to do more checking after applying update. Add test for update_from_dict(). Convert code to use unittest classes. - Consolidated duplicate code. - Moved code which should have been in the class into the class. - Fix the handling of the 'deleteentry' update action. It's no longer necessary to supply fake attributes to make it work. Detect case where subsequent update applies a change to entry previously marked for deletetion. General clean-up and simplification of the 'deleteentry' logic. - Rewrote a couple of functions to be clearer and more Pythonic. - Added documentation on the data structure being used. - Simplfy the use of update_from_dict() * Removed all usage of get_schema() which was being called prior to accessing the .schema attribute of an object. If a class is using internal lazy loading as an optimization it's not right to require users of the interface to be aware of internal optimization's. schema is now a property and when the schema property is accessed it calls a private internal method to perform the lazy loading. * Added SchemaCache class to cache the schema's from individual servers. This was done because of the observation we talk to different LDAP servers, each of which may have it's own schema. Previously we globally cached the schema from the first server we connected to and returned that schema in all contexts. The cache includes controls to invalidate it thus forcing a schema refresh. * Schema caching is now senstive to the run time context. During install and upgrade the schema can change leading to errors due to out-of-date cached schema. The schema cache is refreshed in these contexts. * We are aware of the LDAP syntax of all LDAP attributes. Every attribute returned from an LDAP operation is passed through a central table look-up based on it's LDAP syntax. The table key is the LDAP syntax it's value is a Python callable that returns a Python object matching the LDAP syntax. There are a handful of LDAP attributes whose syntax is historically incorrect (e.g. DistguishedNames that are defined as DirectoryStrings). The table driven conversion mechanism is augmented with a table of hard coded exceptions. Currently only the following conversions occur via the table: - dn's are converted to DN objects - binary objects are converted to Python str objects (IPA convention). - everything else is converted to unicode using UTF-8 decoding (IPA convention). However, now that the table driven conversion mechanism is in place it would be trivial to do things such as converting attributes which have LDAP integer syntax into a Python integer, etc. * Expected values in the unit tests which are a DN no longer need to use lambda expressions to promote the returned value to a DN for equality comparison. The return value is automatically promoted to a DN. The lambda expressions have been removed making the code much simpler and easier to read. * Add class level logging to a number of classes which did not support logging, less need for use of root_logger. * Remove ipaserver/conn.py, it was unused. * Consolidated duplicate code wherever it was found. * Fixed many places that used string concatenation to form a new string rather than string formatting operators. This is necessary because string formatting converts it's arguments to a string prior to building the result string. You can't concatenate a string and a non-string. * Simplify logic in rename_managed plugin. Use DN operators to edit dn's. * The live version of ipa-ldap-updater did not generate a log file. The offline version did, now both do. https://fedorahosted.org/freeipa/ticket/1670 https://fedorahosted.org/freeipa/ticket/1671 https://fedorahosted.org/freeipa/ticket/1672 https://fedorahosted.org/freeipa/ticket/1673 https://fedorahosted.org/freeipa/ticket/1674 https://fedorahosted.org/freeipa/ticket/1392 https://fedorahosted.org/freeipa/ticket/2872 
* Convert every string specifying a DN into a DN object

* Every place a dn was manipulated in some fashion it was replaced by
  the use of DN operators

* Add new DNParam parameter type for parameters which are DN's

* DN objects are used 100% of the time throughout the entire data
  pipeline whenever something is logically a dn.

* Many classes now enforce DN usage for their attributes which are
  dn's. This is implmented via ipautil.dn_attribute_property(). The
  only permitted types for a class attribute specified to be a DN are
  either None or a DN object.

* Require that every place a dn is used it must be a DN object.
  This translates into lot of::

    assert isinstance(dn, DN)

  sprinkled through out the code. Maintaining these asserts is
  valuable to preserve DN type enforcement. The asserts can be
  disabled in production.

  The goal of 100% DN usage 100% of the time has been realized, these
  asserts are meant to preserve that.

  The asserts also proved valuable in detecting functions which did
  not obey their function signatures, such as the baseldap pre and
  post callbacks.

* Moved ipalib.dn to ipapython.dn because DN class is shared with all
  components, not just the server which uses ipalib.

* All API's now accept DN's natively, no need to convert to str (or
  unicode).

* Removed ipalib.encoder and encode/decode decorators. Type conversion
  is now explicitly performed in each IPASimpleLDAPObject method which
  emulates a ldap.SimpleLDAPObject method.

* Entity & Entry classes now utilize DN's

* Removed __getattr__ in Entity & Entity clases. There were two
  problems with it. It presented synthetic Python object attributes
  based on the current LDAP data it contained. There is no way to
  validate synthetic attributes using code checkers, you can't search
  the code to find LDAP attribute accesses (because synthetic
  attriutes look like Python attributes instead of LDAP data) and
  error handling is circumscribed. Secondly __getattr__ was hiding
  Python internal methods which broke class semantics.

* Replace use of methods inherited from ldap.SimpleLDAPObject via
  IPAdmin class with IPAdmin methods. Directly using inherited methods
  was causing us to bypass IPA logic. Mostly this meant replacing the
  use of search_s() with getEntry() or getList(). Similarly direct
  access of the LDAP data in classes using IPAdmin were replaced with
  calls to getValue() or getValues().

* Objects returned by ldap2.find_entries() are now compatible with
  either the python-ldap access methodology or the Entity/Entry access
  methodology.

* All ldap operations now funnel through the common
  IPASimpleLDAPObject giving us a single location where we interface
  to python-ldap and perform conversions.

* The above 4 modifications means we've greatly reduced the
  proliferation of multiple inconsistent ways to perform LDAP
  operations. We are well on the way to having a single API in IPA for
  doing LDAP (a long range goal).

* All certificate subject bases are now DN's

* DN objects were enhanced thusly:
  - find, rfind, index, rindex, replace and insert methods were added
  - AVA, RDN and DN classes were refactored in immutable and mutable
    variants, the mutable variants are EditableAVA, EditableRDN and
    EditableDN. By default we use the immutable variants preserving
    important semantics. To edit a DN cast it to an EditableDN and
    cast it back to DN when done editing. These issues are fully
    described in other documentation.
  - first_key_match was removed
  - DN equalty comparison permits comparison to a basestring

* Fixed ldapupdate to work with DN's. This work included:
  - Enhance test_updates.py to do more checking after applying
    update. Add test for update_from_dict(). Convert code to use
    unittest classes.
  - Consolidated duplicate code.
  - Moved code which should have been in the class into the class.
  - Fix the handling of the 'deleteentry' update action. It's no longer
    necessary to supply fake attributes to make it work. Detect case
    where subsequent update applies a change to entry previously marked
    for deletetion. General clean-up and simplification of the
    'deleteentry' logic.
  - Rewrote a couple of functions to be clearer and more Pythonic.
  - Added documentation on the data structure being used.
  - Simplfy the use of update_from_dict()

* Removed all usage of get_schema() which was being called prior to
  accessing the .schema attribute of an object. If a class is using
  internal lazy loading as an optimization it's not right to require
  users of the interface to be aware of internal
  optimization's. schema is now a property and when the schema
  property is accessed it calls a private internal method to perform
  the lazy loading.

* Added SchemaCache class to cache the schema's from individual
  servers. This was done because of the observation we talk to
  different LDAP servers, each of which may have it's own
  schema. Previously we globally cached the schema from the first
  server we connected to and returned that schema in all contexts. The
  cache includes controls to invalidate it thus forcing a schema
  refresh.

* Schema caching is now senstive to the run time context. During
  install and upgrade the schema can change leading to errors due to
  out-of-date cached schema. The schema cache is refreshed in these
  contexts.

* We are aware of the LDAP syntax of all LDAP attributes. Every
  attribute returned from an LDAP operation is passed through a
  central table look-up based on it's LDAP syntax. The table key is
  the LDAP syntax it's value is a Python callable that returns a
  Python object matching the LDAP syntax. There are a handful of LDAP
  attributes whose syntax is historically incorrect
  (e.g. DistguishedNames that are defined as DirectoryStrings). The
  table driven conversion mechanism is augmented with a table of
  hard coded exceptions.

  Currently only the following conversions occur via the table:

  - dn's are converted to DN objects

  - binary objects are converted to Python str objects (IPA
    convention).

  - everything else is converted to unicode using UTF-8 decoding (IPA
    convention).

  However, now that the table driven conversion mechanism is in place
  it would be trivial to do things such as converting attributes
  which have LDAP integer syntax into a Python integer, etc.

* Expected values in the unit tests which are a DN no longer need to
  use lambda expressions to promote the returned value to a DN for
  equality comparison. The return value is automatically promoted to
  a DN. The lambda expressions have been removed making the code much
  simpler and easier to read.

* Add class level logging to a number of classes which did not support
  logging, less need for use of root_logger.

* Remove ipaserver/conn.py, it was unused.

* Consolidated duplicate code wherever it was found.

* Fixed many places that used string concatenation to form a new
  string rather than string formatting operators. This is necessary
  because string formatting converts it's arguments to a string prior
  to building the result string. You can't concatenate a string and a
  non-string.

* Simplify logic in rename_managed plugin. Use DN operators to edit
  dn's.

* The live version of ipa-ldap-updater did not generate a log file.
  The offline version did, now both do.

https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
Create /etc/sysconfig/network if it doesn't exist 2012-08-03T10:09:56+00:00 Petr Viktorin pviktori@redhat.com 2012-07-19T13:07:23+00:00 c8abd24ebe612a3a0d415cece508b94a57c636fe When the --hostname option is given to ipa-client-install, we write HOSTNAME to /etc/sysconfig/network. When that file didn't exist, the installer crashed. Create the file if it doesn't exist and we need to write to it. https://fedorahosted.org/freeipa/ticket/2840 
When the --hostname option is given to ipa-client-install, we
write HOSTNAME to /etc/sysconfig/network. When that file didn't exist,
the installer crashed.

Create the file if it doesn't exist and we need to write to it.

https://fedorahosted.org/freeipa/ticket/2840
Avoid redundant info message during RPM update 2012-08-02T14:14:40+00:00 Martin Kosek mkosek@redhat.com 2012-07-31T12:11:52+00:00 79a427277a12925bca3f170cc7a255a2a9e45a10 A change to ipa-ldap-updater (and thus an RPM update %post scriptlet) avoiding redundat "IPA is not configured" message in stderr introdocued in c20d4c71b87365b3b8d9c53418a79f992e68cd00 was reverted in another patch (b5c1ce88a4a3b35adb3b22bc68fb10b49322641a). Return the change back to avoid this message during every RPM update when IPA is not configured. admintool framework was also fixed to avoid print an empty line when an exception without an error message is raised. https://fedorahosted.org/freeipa/ticket/2892 
A change to ipa-ldap-updater (and thus an RPM update %post scriptlet)
avoiding redundat "IPA is not configured" message in stderr introdocued
in c20d4c71b87365b3b8d9c53418a79f992e68cd00 was reverted in another
patch (b5c1ce88a4a3b35adb3b22bc68fb10b49322641a).

Return the change back to avoid this message during every RPM update
when IPA is not configured. admintool framework was also fixed to
avoid print an empty line when an exception without an error message
is raised.

https://fedorahosted.org/freeipa/ticket/2892
Use certmonger to renew CA subsystem certificates 2012-07-30T11:39:08+00:00 Rob Crittenden rcritten@redhat.com 2012-07-11T19:51:01+00:00 03837bfd6dbf7fd1eaa437da22807d7061b99af7 Certificate renewal can be done only one one CA as the certificates need to be shared amongst them. certmonger has been trained to communicate directly with dogtag to perform the renewals. The initial CA installation is the defacto certificate renewal master. A copy of the certificate is stored in the IPA LDAP tree in cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the certificate, when a certificate is renewed. Only the most current certificate is stored. It is valid to have no certificates there, it means that no renewals have taken place. The clones are configured with a new certmonger CA type that polls this location in the IPA tree looking for an updated certificate. If one is not found then certmonger is put into the CA_WORKING state and will poll every 8 hours until an updated certificate is available. The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case. When this certificate is updated we also need to update its entry in the dogtag tree, adding the updated certificate and telling dogtag which certificate to use. This is the certificate that lets IPA issue certificates. On upgrades we check to see if the certificate tracking is already in place. If not then we need to determine if this is the master that will do the renewals or not. This decision is made based on whether it was the first master installed. It is concievable that this master is no longer available meaning that none are actually tracking renewal. We will need to document this. https://fedorahosted.org/freeipa/ticket/2803 
Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.

A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.

The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.

The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.

On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.

https://fedorahosted.org/freeipa/ticket/2803
Framework for admin/install tools, with ipa-ldap-updater 2012-07-23T03:17:56+00:00 Petr Viktorin pviktori@redhat.com 2012-04-20T08:39:59+00:00 b5c1ce88a4a3b35adb3b22bc68fb10b49322641a Currently, FreeIPA's install/admin scripts are long pieces of code that aren't very reusable, importable, or testable. They have been extended over time with features such as logging and error handling, but since each tool was extended individually, there is much inconsistency and code duplication. This patch starts a framework which the admin tools can use, and converts ipa-ldap-updater to use the framework. Common tasks the tools do -- option parsing, validation, logging setup, error handling -- are represented as methods. Individual tools can extend, override or reuse the defaults as they see fit. The ipa-ldap-updater has two modes (normal and --upgrade) that don't share much functionality. They are represented by separate classes. Option parsing, and selecting which class to run, happens before they're instantiated. All code is moved to importable modules to aid future testing. The only thing that remains in the ipa-ldap-updater script is a two-line call to the library. First part of the work for: https://fedorahosted.org/freeipa/ticket/2652 
Currently, FreeIPA's install/admin scripts are long pieces of code
that aren't very reusable, importable, or testable.
They have been extended over time with features such as logging and
error handling, but since each tool was extended individually, there
is much inconsistency and code duplication.
This patch starts a framework which the admin tools can use, and
converts ipa-ldap-updater to use the framework.

Common tasks the tools do -- option parsing, validation, logging
setup, error handling -- are represented as methods. Individual
tools can extend, override or reuse the defaults as they see fit.

The ipa-ldap-updater has two modes (normal and --upgrade) that
don't share much functionality. They are represented by separate
classes. Option parsing, and selecting which class to run, happens
before they're instantiated.

All code is moved to importable modules to aid future testing. The
only thing that remains in the ipa-ldap-updater script is a two-line
call to the library.

First part of the work for:
https://fedorahosted.org/freeipa/ticket/2652
Improve address family handling in sockets 2012-07-13T12:25:18+00:00 Martin Kosek mkosek@redhat.com 2012-07-03T14:49:10+00:00 4879c68d68634715b9d08a08a4c7be882634409f Many functions use low-level socket interface for connection or various checks. However, most of the time we don't respect automatic address family detection but rather try to force our values. This may cause either redundat connection tries when an address family is disabled on system tries or even crashes when socket exceptions are not properly caught. Instead of forcing address families to socket, rather use getaddrinfo interface to automatically retrieve a list of all relevant address families and other connection settings when connecting to remote/local machine or binding to a local port. Now, we will also fill correctly all connection parameters like flowinfo and scopeid for IPv6 connections which will for example prevent issues with scoped IPv6 addresses. bind_port_responder function was changed to at first try to bind to IPv6 wildcard address before IPv4 as IPv6 socket is able to accept both IPv4 and IPv6 connections (unlike IPv4 socket). nsslib connection was refactored to use nss.io.AddrInfo class to get all the available connections. Socket is now not created by default in NSSConnection class initializer, but rather when the actual connection is being made, becase we do not an address family where connection is successful. https://fedorahosted.org/freeipa/ticket/2913 https://fedorahosted.org/freeipa/ticket/2695 
Many functions use low-level socket interface for connection or
various checks. However, most of the time we don't respect
automatic address family detection but rather try to force our
values. This may cause either redundat connection tries when an
address family is disabled on system tries or even crashes
when socket exceptions are not properly caught.

Instead of forcing address families to socket, rather use
getaddrinfo interface to automatically retrieve a list of all
relevant address families and other connection settings when
connecting to remote/local machine or binding to a local port.
Now, we will also fill correctly all connection parameters like
flowinfo and scopeid for IPv6 connections which will for example
prevent issues with scoped IPv6 addresses.

bind_port_responder function was changed to at first try to bind
to IPv6 wildcard address before IPv4 as IPv6 socket is able to
accept both IPv4 and IPv6 connections (unlike IPv4 socket).

nsslib connection was refactored to use nss.io.AddrInfo class to
get all the available connections. Socket is now not created by
default in NSSConnection class initializer, but rather when the
actual connection is being made, becase we do not an address family
where connection is successful.

https://fedorahosted.org/freeipa/ticket/2913
https://fedorahosted.org/freeipa/ticket/2695
Centralize timeout for waiting for servers to start. 2012-07-02T21:08:58+00:00 Rob Crittenden rcritten@redhat.com 2012-05-24T15:23:36+00:00 e5b6260008a3a7132fdaef99d800406eb8872316 All service start/restart currently go through ipapython/platform so move the "wait for service to start" code there as well. A dictionary of known services and ports to wait on is defined in base.py This is referenced by the platforms by instance name to determine what to wait for. For the case of dirsrv if we get that as a plain name (no specific instance) it is assumed to be the main IPA service. https://fedorahosted.org/freeipa/ticket/2375 https://fedorahosted.org/freeipa/ticket/2610 
All service start/restart currently go through ipapython/platform so
move the "wait for service to start" code there as well.

A dictionary of known services and ports to wait on is defined in base.py
This is referenced by the platforms by instance name to determine what
to wait for. For the case of dirsrv if we get that as a plain name
(no specific instance) it is assumed to be the main IPA service.

https://fedorahosted.org/freeipa/ticket/2375
https://fedorahosted.org/freeipa/ticket/2610