freeipa.git/ipaclient, branch cachetickets FreeIPA patches Vault: port key wrapping to python-cryptography 2017-03-02T13:22:11+00:00 Christian Heimes cheimes@redhat.com 2017-02-25T12:09:11+00:00 ed7a03a1af8b556247b929635e2972be4f2b32e4 https://fedorahosted.org/freeipa/ticket/6650 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
https://fedorahosted.org/freeipa/ticket/6650

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Drop in-memory copy of schema zip file 2017-03-01T11:50:43+00:00 Christian Heimes cheimes@redhat.com 2017-02-28T09:38:07+00:00 3be696c92f6948ea0ced9784920600b73703e414 The schema cache used a BytesIO buffer to read/write schema cache before it got flushed to disk. Since the schema cache is now loaded in one go, the temporary buffer is no longer needed. File locking has been replaced with a temporary file and atomic rename. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com> 
The schema cache used a BytesIO buffer to read/write schema cache before
it got flushed to disk. Since the schema cache is now loaded in one go,
the temporary buffer is no longer needed.

File locking has been replaced with a temporary file and atomic rename.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Speed up client schema cache 2017-03-01T11:50:43+00:00 Christian Heimes cheimes@redhat.com 2017-02-20T19:09:13+00:00 332dbab1ff09eb719eb9e0a7a90bbf5b6e69ddc9 It's inefficient to open a zip file over and over again. By loading all members of the schema cache file at once, the ipa CLI script starts about 25 to 30% faster for simple cases like help and ping. Before: $ time for i in {1..20}; do ./ipa ping >/dev/null; done real 0m13.608s user 0m10.316s sys 0m1.121s After: $ time for i in {1..20}; do ./ipa ping >/dev/null; done real 0m9.330s user 0m7.635s sys 0m1.146s https://fedorahosted.org/freeipa/ticket/6690 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com> 
It's inefficient to open a zip file over and over again. By loading all
members of the schema cache file at once, the ipa CLI script starts
about 25 to 30% faster for simple cases like help and ping.

Before:

$ time for i in {1..20}; do ./ipa ping >/dev/null; done

real    0m13.608s
user    0m10.316s
sys     0m1.121s

After:

$ time for i in {1..20}; do ./ipa ping >/dev/null; done

real    0m9.330s
user    0m7.635s
sys     0m1.146s

https://fedorahosted.org/freeipa/ticket/6690

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Moving ipaCert from HTTPD_ALIAS_DIR 2017-03-01T09:43:41+00:00 Stanislav Laznicka slaznick@redhat.com 2017-01-13T08:08:42+00:00 5ab85b365ae886558b1f077b0d039a0d24bebfa7 The "ipaCert" nicknamed certificate is not required to be in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy of this file in a separate file anyway. Remove it from there and track only the file. Remove the IPA_RADB_DIR as well as it is not required anymore. https://fedorahosted.org/freeipa/ticket/5695 https://fedorahosted.org/freeipa/ticket/6680 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
The "ipaCert" nicknamed certificate is not required to be
in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy
of this file in a separate file anyway. Remove it from there
and track only the file. Remove the IPA_RADB_DIR as well as
it is not required anymore.

https://fedorahosted.org/freeipa/ticket/5695
https://fedorahosted.org/freeipa/ticket/6680

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Remove NSSConnection from otptoken plugin 2017-03-01T09:43:41+00:00 Stanislav Laznicka slaznick@redhat.com 2017-01-03T12:31:01+00:00 2a9d1fb7d9dda0299c6f7cd75a715182d15e04df Replace NSSConnection with httplib.HTTPSConenction to be able to remove NSSConnection for good. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Replace NSSConnection with httplib.HTTPSConenction to be able to remove
NSSConnection for good.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
csrgen: Support encrypted private keys 2017-02-28T09:02:49+00:00 Ben Lipton blipton@redhat.com 2017-02-09T01:56:37+00:00 ada91c20588046bb147fc701718d3da4d2c080ca https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
csrgen: Allow overriding the CSR generation profile 2017-02-28T09:02:49+00:00 Ben Lipton blipton@redhat.com 2017-02-04T15:25:42+00:00 4350dcdea22fd2284836315d0ae7d38733a7620e In case users want multiple CSR generation profiles that work with the same dogtag profile, or in case the profiles are not named the same, this flag allows specifying an alternative CSR generation profile. https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
In case users want multiple CSR generation profiles that work with the
same dogtag profile, or in case the profiles are not named the same,
this flag allows specifying an alternative CSR generation profile.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
csrgen: Automate full cert request flow 2017-02-28T09:02:49+00:00 Ben Lipton blipton@redhat.com 2016-08-22T14:46:02+00:00 39a5d9c5aae77687f67d9be02457733bdfb99ead Allows the `ipa cert-request` command to generate its own CSR. It no longer requires a CSR passed on the command line, instead it creates a config (bash script) with `cert-get-requestdata`, then runs it to build a CSR, and submits that CSR. Example usage (NSS database): $ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --database /tmp/certs Example usage (PEM private key file): $ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --private-key /tmp/key.pem https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Allows the `ipa cert-request` command to generate its own CSR. It no
longer requires a CSR passed on the command line, instead it creates a
config (bash script) with `cert-get-requestdata`, then runs it to build
a CSR, and submits that CSR.

Example usage (NSS database):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --database /tmp/certs

Example usage (PEM private key file):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --private-key /tmp/key.pem

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
compat: fix `Any` params in `batch` and `dnsrecord` 2017-02-23T17:53:50+00:00 Jan Cholasta jcholast@redhat.com 2017-02-23T13:04:19+00:00 19060db1b8fa9d1d3e8f3ac3fcd1f387e9a39c94 The `methods` argument of `batch` and `dnsrecords` attribute of `dnsrecord` were incorrectly defined as `Str` instead of `Any`. https://fedorahosted.org/freeipa/ticket/6647 Reviewed-By: Martin Basti <mbasti@redhat.com> 
The `methods` argument of `batch` and `dnsrecords` attribute of `dnsrecord`
were incorrectly defined as `Str` instead of `Any`.

https://fedorahosted.org/freeipa/ticket/6647

Reviewed-By: Martin Basti <mbasti@redhat.com>
Fix error in ca_cert_files validator 2017-02-21T14:31:54+00:00 Stanislav Laznicka slaznick@redhat.com 2017-02-21T09:16:46+00:00 0fffeabe0249d9c3c11e522fccf22ddeb1197b64 ClientInstall expects a single ca_cert_file as a string but the framework gives it a list. https://fedorahosted.org/freeipa/ticket/6694 Reviewed-By: Christian Heimes <cheimes@redhat.com> 
ClientInstall expects a single ca_cert_file as a string but the
framework gives it a list.

https://fedorahosted.org/freeipa/ticket/6694

Reviewed-By: Christian Heimes <cheimes@redhat.com>