Alexander Bokovoy

@t-woerner please review.

Yes, I am in the process of fixing those too. The problem I face is how to handle cases where there is *no* principal to map to and yet that...

> I would suggest a helper function for the plugin principal retrieval. There is a matching pattern and by my count there are 15 or 16 times we use it....

The remaining place to investigate is a `vault` plugin. There we have three places where `context.principal` is used to decide a DN for the vault container. We probably should be...

@rcritten so I think we can leave out vault's plugin use of `context.principal`. I think this PR is ready for review now.

@rcritten I added an experimental commit that performs auditing to the journal for every single command run in the server context. This will have a side-effect that all commands used...

Fyi, when I say 'all commands', it also means we get auditing of IPA API JSON-RPC endpoint as well: ``` # kinit admin Password for [email protected]: # ipa ping ----------------------------------------------------------------...

Here is an example, in TestSimpleReplication::install test: ``` $ curl -s http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/d2453380-0d3b-11ef-8430-fa163e030f13/test_integration-test_simple_replication.py-TestSimpleReplication-install/master.ipa.test/journal.gz |zgrep IPA.API|wc -l 193 ``` Here is the full output, without dates and hostname prefix: ``` $ curl...

I just realized I switched the labels. The idea was to put IPA.API as the program name so that `journalctl -t IPA.API` would match all IPA API log entries. Alternatively,...

Thanks. I see the same in a Fedora's 4.11.1 on F39, so this is unrelated. I think it would be nice if `console` framework would override `InteractiveConsole.showtraceback()` for IPA exceptions...