freeipa.git/ipapython, branch cakeysfix FreeIPA patches Correct PyPI package dependencies 2017-04-26T10:31:11+00:00 Christian Heimes cheimes@redhat.com 2017-04-10T08:00:23+00:00 26ab51ddf47f421f3404709052db89f08c05adaa * Remove unused install requires from ipapython * Add missing requirements to ipaserver * Correct dependencies for yubico otptoken * Add explicit dependency on cffi for csrgen * Python 2 uses python-ldap, Python 3 pyldap https://pagure.io/freeipa/issue/6875 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
* Remove unused install requires from ipapython
* Add missing requirements to ipaserver
* Correct dependencies for yubico otptoken
* Add explicit dependency on cffi for csrgen
* Python 2 uses python-ldap, Python 3 pyldap

https://pagure.io/freeipa/issue/6875

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove publish_ca_cert() method from NSSDatabase 2017-04-03T13:06:29+00:00 Stanislav Laznicka slaznick@redhat.com 2017-03-27T08:31:36+00:00 aae9a918b68dc4f9a7b4fb9abf1bb4d26673109d NSSDatabase.publish_ca_cert() is not used anymore, remove it. https://pagure.io/freeipa/issue/6806 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
NSSDatabase.publish_ca_cert() is not used anymore, remove it.

https://pagure.io/freeipa/issue/6806

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
certdb: fix `AttributeError` in `verify_ca_cert_validity` 2017-04-03T12:40:55+00:00 Jan Cholasta jcholast@redhat.com 2017-04-03T10:20:41+00:00 720034f1b440135671d03596368ed5e9e5a0f3c3 `NSSDatabase.verify_ca_cert_validity` tries to access a property of basic constraints extension on the extension object itself rather than its value. Access the attribute on the correct object to fix the issue. Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
`NSSDatabase.verify_ca_cert_validity` tries to access a property of basic
constraints extension on the extension object itself rather than its value.

Access the attribute on the correct object to fix the issue.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
setup, pylint, spec file: drop python-nss dependency 2017-03-31T10:20:35+00:00 Jan Cholasta jcholast@redhat.com 2017-03-30T10:26:29+00:00 2b33230f669ca22d6948a4a351b4c92ba15222ab Remove the unused python-nss dependency. Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Remove the unused python-nss dependency.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
certdb: use certutil and match_hostname for cert verification 2017-03-31T10:20:35+00:00 Jan Cholasta jcholast@redhat.com 2017-01-02T12:53:18+00:00 9183cf2a7505624235b255b1406702cdaa65bb38 Use certutil and ssl.match_hostname calls instead of python-nss for certificate verification. Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Use certutil and ssl.match_hostname calls instead of python-nss for
certificate verification.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
session storage parameters must be bytes 2017-03-31T10:18:43+00:00 Christian Heimes cheimes@redhat.com 2017-03-29T07:45:05+00:00 d06315de6b1e951d6cce7d7d6495a32b44216274 Fixes TypeError: bytes or integer address expected instead of str instance Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
Fixes TypeError: bytes or integer address expected instead of str instance

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use Custodia 0.3.1 features 2017-03-28T13:02:06+00:00 Christian Heimes cheimes@redhat.com 2017-02-28T11:07:19+00:00 f5bf5466eda0de2a211b4f2682e5c50b82577701 * Use sd-notify in ipa-custodia.service * Introduce libexec/ipa/ipa-custodia script. It comes with correct default setting for IPA's config file. The new file also makes it simpler to run IPA's custodia instance with its own SELinux context. * ipapython no longer depends on custodia The patch addresses three issues: * https://bugzilla.redhat.com/show_bug.cgi?id=1430247 Forward compatibility with Custodia 0.3 in Fedora rawhide * https://pagure.io/freeipa/issue/5825 Use sd-notify * https://pagure.io/freeipa/issue/6788 Prepare for separate SELinux context Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
* Use sd-notify in ipa-custodia.service
* Introduce libexec/ipa/ipa-custodia script. It comes with correct
  default setting for IPA's config file. The new file also makes it
  simpler to run IPA's custodia instance with its own SELinux context.
* ipapython no longer depends on custodia

The patch addresses three issues:

* https://bugzilla.redhat.com/show_bug.cgi?id=1430247
  Forward compatibility with Custodia 0.3 in Fedora rawhide
* https://pagure.io/freeipa/issue/5825
  Use sd-notify
* https://pagure.io/freeipa/issue/6788
  Prepare for separate SELinux context

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Work around issues fetching session data 2017-03-28T11:36:30+00:00 Simo Sorce simo@redhat.com 2017-03-23T17:02:00+00:00 e07aefb886096a7d419a4f1a2dec287e5ecd1626 Unfortunately the MIT krb5 library has a severe limitation with FILE ccaches when retrieving config data. It will always only search until the first entry is found and return that one. For FILE caches MIT krb5 does not support removing old entries when a new one is stored, and storage happens only in append mode, so the end result is that even if an update is stored it is never returned with the standard krb5_cc_get_config() call. To work around this issue we simply implement what krb5_cc_get_config() does under the hood with the difference that we do not stop at the first match but keep going until all ccache entries have been checked. Related https://pagure.io/freeipa/issue/6775 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Unfortunately the MIT krb5 library has a severe limitation with FILE
ccaches when retrieving config data. It will always only search until
the first entry is found and return that one.

For FILE caches MIT krb5 does not support removing old entries when a
new one is stored, and storage happens only in append mode, so the end
result is that even if an update is stored it is never returned with the
standard krb5_cc_get_config() call.

To work around this issue we simply implement what krb5_cc_get_config()
does under the hood with the difference that we do not stop at the first
match but keep going until all ccache entries have been checked.

Related https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Avoid growing FILE ccaches unnecessarily 2017-03-28T11:36:30+00:00 Simo Sorce simo@redhat.com 2017-03-22T22:25:38+00:00 9a6ac74eb4421b9ffa831dc6fed067d2ddc0618e Related https://pagure.io/freeipa/issue/6775 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Related https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
httpinstance: clean up /etc/httpd/alias on uninstall 2017-03-22T13:58:18+00:00 Jan Cholasta jcholast@redhat.com 2017-03-08T14:24:15+00:00 e263cb46cba604421d5ed2e1dbf5dd1d66ce0221 Restore cert8.db, key3.db, pwdfile.txt and secmod.db in /etc/httpd/alias from backup on uninstall. Files modified by IPA are kept with .ipasave suffix. https://pagure.io/freeipa/issue/4639 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Restore cert8.db, key3.db, pwdfile.txt and secmod.db in /etc/httpd/alias
from backup on uninstall.

Files modified by IPA are kept with .ipasave suffix.

https://pagure.io/freeipa/issue/4639

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>