From jdennis at redhat.com Sat Dec 1 00:17:04 2007
From: jdennis at redhat.com (John Dennis)
Date: Fri, 30 Nov 2007 19:17:04 -0500
Subject: [Freeipa-devel] more funky interface stuff
In-Reply-To: <474F2DAC.20504@redhat.com>
References: <474F1C67.3030806@redhat.com> <474F2DAC.20504@redhat.com>
Message-ID: <4750A800.10805@redhat.com>
Rob Crittenden wrote:
> Rob Crittenden wrote:
>> I've looked into some more questions raised about the interfaces.
>>
>> One is why rpcclient.py and ipaclient.py?
>>
>> ipaclient.py was created because of the ticket forwarding issue we had
>> early on. Since we didn't have a ticket for the UI we wouldn't be able
>> to use the XML-RPC interface directly, so instead we wrote a thin
>> wrapper which called into the XML-RPC backend functions directly
>> (instead of over XML-RPC which required a ticket)
>>
>> This is also why ipaclient.py has to do calls to toDict() but doesn't
>> have to unwrap binary data. Conversions that are done in XML-RPC
>> interface are not done when talking directly to the backend, hence the
>> need to, or not, do them in ipaclient.py.
>>
>> Now that we do have ticket forwarding working in TurboGears it may be
>> possible to switch to rpcclient.py. This would have the added benefit
>> of being able to move the UI code onto a separate web server at some
>> point. The downside is that it would likely slow down the UI a bit and
>> it would hit the KDC a lot harder.
>>
>> I can investigate this further if desired but it might take a day or
>> two to work out all the details (and time is already short).
>>
>> rpcclient.py is there to remove code complexity from the admin tools.
>> I needed an RPC client to make calls, it seemed to make sense to
>> mirror the XML-RPC interface in it. It also does the None -> __NONE__
>> conversion for us and handles doing the data conversions (unwrapping
>> binary data). The functions all look more or less the same, and there
>> may be a way to consolidate it down, this was the most expedient way
>> to do it. I didn't want to abstract out the XML-RPC interface, just
>> make calling it easier.
>>
>> If there are any specific things to look at just let me know. Or we
>> can do this as part of the API review.
>>
>> rob
>
> I should add that ipaclient.py is really the abstraction layer that
> determines how a request is made. If it is a "local" request it imports
> funcs.py (the XML-RPC layer) and does direct calls. If it is a "remote"
> request it uses XML-RPC and the functions in rpcclient.py.
First let me say my comments below do not address API design per se, but
are more of discussion of the current implementation of the RPC API.
Questions of API itself (e.g. which functions are exported what data
they operate on is another topic).
I think the vast majority of the code duplication in both ipaclient.py
and rpcclient.py can be eliminated with a single decorator, that would
be a huge step in simplification and consistency.
If we still want to preserve the local vs. RPC calling convention that
too could be folded into the decorator. Although I'm not sure it's
necessary for the following two reasons.
1) Working ticket forwarding might make the point moot.
2) I'm not sure why the distinction exists in the first place. If a
module is going to be making local calls it should import the local
interface, otherwise it should import the remote interface (but perhaps
I'm missing some larger issue such as needing to switch between local
and remote at run time). With decorators the decorator function could
key off of a flag set before the import and return the proper function
pointer (local vs. remote) thus not requiring a different import.
Questions/Issues:
The wrapped functions in ipaclient.py sometimes modify the input
parameters and sometimes modify the results. This just makes using the
API we've defined harder because if you're not using our library and
instead are trying to use the RPC API we've defined you may need to
aware of the various exceptions and replicate the special handling. In
fairness the majority of the special handling is the coercing of XML RPC
structs (e.g. dicts) into Python object classes. That would an
appropriate operation for a decorator to perform but it runs afoul of
one issue, if you want consolidate code and avoid duplication you'll
want to be using just one decorator, but the decorator won't know if it
needs to coerce the result, and if so then into what class? There are 3
ways one can address this:
1) Be honest about the fact you're calling an RPC function which has no
knowledge of Python. You limit the interface to what's available in XML
RPC. The advantage is simplicity, but you lose friendliness.
2) Add a decorator which defines the function signature, each arg in the
decorator defines the type of the arg which is stored with the function.
When the decorator executes it looks up the each argument type and
decides if it needs to coerce it. In the past I had written Python RPC
code and this is how I solved this issue when I ran into exactly this
problem. Here is an example:
@rpc_method('SETroubleshootDatabase')
@rpc_arg_type('SETroubleshootDatabase', SEFaultSignature, str, int, str)
def set_filter(self, sig, username, filter_type, data):
The @rpc_method decorator does the magic of turning the function into an
RPC call, the 'SETroubleshootDatabase' parameter is the interface the
method belongs to. I'm guessing we're never going to export more than
one interface so we could simplify things by eliminating the use of
interfaces.
The @rpc_arg_type decorator specifies the signature. In this instance
it's a instance of a SEFaultSignature class object followed by a string,
an int and a string. For our use with XML RPC we only need to specify
the type when it's a class instance so this could be simplified, but
hopefully you get the idea.
3) Define the signature in a table and have the decorator look the
signature up in a table. This is just a variant on (2) but avoids having
the extra decorator used to specify the signature. I don't recommend
this as my feeling is the decorator approach is much cleaner, keeps the
definitions in one obvious place (right where the function is defined)
which is one of the design goals of Python decorators.
The rest of the munging might be evidence of a problem in the API
design. Here are a few items to consider:
1) Some functions which return a list return a array with a "counter"
stuffed into the first position of the array which defines the array
length. Why? the length is implicit in length of the array and this
makes the returned array non-homogeneous (while both Python and XMLRPC
support non-homogeneous arrays it's best to avoid this construct because
it makes it difficult to interpret without a priori special knowledge of
the array contents). The reason the counter is stuffed into the front of
the array is to carry a special flag value indicating if the returned
array was truncated. Wouldn't it be better if the result were not an
array but rather a struct which contains the truncation flag and the
array? That means the arrays do not require special interpretation, the
flag is much more explicit and if need be more information could be
returned about the state of the search.
2) The functions which modify an object class perform special handling
of the before and after values so that the implementation on the server
side can compute the differences. If somebody else wants to call the RPC
API that's going to be confusing, some functions take one parameter (an
Entity class with the before and after values embedded in the class
instance) and other function signatures take two parameters passing the
before and after dictionaries explicitly. I would rather see a
consistent function signature with a pair of before and after
dictionaries to expose the logic of modification. This issue somewhat
falls into the above issue, attempting to hide the actual RPC API. I'm
not sure that's a good thing for two reasons, one, we would like to call
functions both locally and remotely, it's way easier if they look and
behave the same, two, if we really want to expose the RPC API for third
party development we too should be able to call it without wrapping it
with modifications.
3) At least one of the RPC wrappers removes an attribute from a struct
it's passing, apparently because of private knowledge about the
receiving end's requirements.
4) None Type: XMLRPC does not support the None type but it is used
extensively in our code and is extremely useful. To make our XML RPC API
interface useful and appealing to third party users we should avoid
non-standard XML RPC extensions such as (which is how None is
mapped in XML RPC) The appeal of XML RPC is that it's a language neutral
portable RPC mechanism. Using the special extension would blow
that out of the water. I have no clue how that would get mapped for a
client written in C for instance. Using None (e.g. ) is so useful
it would be hard to get rid of it, plus we use None in so many places it
might be hard not to let it "escape" through the XML RPC interface
unintentionally. Yet, on the other hand I don't think we want to make a
statement like "We have this wonderful RPC interface for you to use,
except you can't code in C or C++, or use any XML RPC library which
doesn't support the extension)
Often None is used to indicate "invalid; no result" as opposed to "valid
but empty result". That situation could be handled by returning a struct
with a flag whose value carries the interpretation of None, elsewhere in
the struct is the the return value. But that is awkward and it doesn't
handle the case where None is embedded in a complex object.
Bottom line, I don't know how to deal with the None issue. Getting rid
of it could be really hard, leaving it in could be really limiting if
the extension is not well supported in other XMLRPC libraries.
--
John Dennis
From rcritten at redhat.com Sat Dec 1 03:45:45 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 30 Nov 2007 22:45:45 -0500
Subject: [Freeipa-devel] more funky interface stuff
In-Reply-To: <4750A800.10805@redhat.com>
References: <474F1C67.3030806@redhat.com> <474F2DAC.20504@redhat.com>
<4750A800.10805@redhat.com>
Message-ID: <4750D8E9.4050909@redhat.com>
John Dennis wrote:
> Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> I've looked into some more questions raised about the interfaces.
>>>
>>> One is why rpcclient.py and ipaclient.py?
>>>
>>> ipaclient.py was created because of the ticket forwarding issue we
>>> had early on. Since we didn't have a ticket for the UI we wouldn't be
>>> able to use the XML-RPC interface directly, so instead we wrote a
>>> thin wrapper which called into the XML-RPC backend functions directly
>>> (instead of over XML-RPC which required a ticket)
>>>
>>> This is also why ipaclient.py has to do calls to toDict() but doesn't
>>> have to unwrap binary data. Conversions that are done in XML-RPC
>>> interface are not done when talking directly to the backend, hence
>>> the need to, or not, do them in ipaclient.py.
>>>
>>> Now that we do have ticket forwarding working in TurboGears it may be
>>> possible to switch to rpcclient.py. This would have the added benefit
>>> of being able to move the UI code onto a separate web server at some
>>> point. The downside is that it would likely slow down the UI a bit
>>> and it would hit the KDC a lot harder.
>>>
>>> I can investigate this further if desired but it might take a day or
>>> two to work out all the details (and time is already short).
>>>
>>> rpcclient.py is there to remove code complexity from the admin tools.
>>> I needed an RPC client to make calls, it seemed to make sense to
>>> mirror the XML-RPC interface in it. It also does the None -> __NONE__
>>> conversion for us and handles doing the data conversions (unwrapping
>>> binary data). The functions all look more or less the same, and there
>>> may be a way to consolidate it down, this was the most expedient way
>>> to do it. I didn't want to abstract out the XML-RPC interface, just
>>> make calling it easier.
>>>
>>> If there are any specific things to look at just let me know. Or we
>>> can do this as part of the API review.
>>>
>>> rob
>>
>> I should add that ipaclient.py is really the abstraction layer that
>> determines how a request is made. If it is a "local" request it
>> imports funcs.py (the XML-RPC layer) and does direct calls. If it is a
>> "remote" request it uses XML-RPC and the functions in rpcclient.py.
>
> First let me say my comments below do not address API design per se, but
> are more of discussion of the current implementation of the RPC API.
> Questions of API itself (e.g. which functions are exported what data
> they operate on is another topic).
>
> I think the vast majority of the code duplication in both ipaclient.py
> and rpcclient.py can be eliminated with a single decorator, that would
> be a huge step in simplification and consistency.
Being new to python, I still really don't know what a decorator does (I
haven't read the link you provided earlier yet). I've used it in
TurboGears but much of that is still voodoo to me.
> If we still want to preserve the local vs. RPC calling convention that
> too could be folded into the decorator. Although I'm not sure it's
> necessary for the following two reasons.
>
> 1) Working ticket forwarding might make the point moot.
The nice thing about the local calls is it saves a round-trip per call.
> 2) I'm not sure why the distinction exists in the first place. If a
> module is going to be making local calls it should import the local
> interface, otherwise it should import the remote interface (but perhaps
> I'm missing some larger issue such as needing to switch between local
> and remote at run time). With decorators the decorator function could
> key off of a flag set before the import and return the proper function
> pointer (local vs. remote) thus not requiring a different import.
We expected that the issue would resolve itself at some point thus
making the local vs remote issue moot. We designed this so that if that
happened few to no changes would be required in either client. By
forcing everything to use ipaclient.py we help ensure that the
capabilities remain the same between our two clients. It would be too
easy to let the UI make calls that the RPC layer couldn't and then our
UI and cli get out-of-sync.
> Questions/Issues:
>
> The wrapped functions in ipaclient.py sometimes modify the input
> parameters and sometimes modify the results. This just makes using the
> API we've defined harder because if you're not using our library and
> instead are trying to use the RPC API we've defined you may need to
> aware of the various exceptions and replicate the special handling. In
> fairness the majority of the special handling is the coercing of XML RPC
> structs (e.g. dicts) into Python object classes. That would an
> appropriate operation for a decorator to perform but it runs afoul of
> one issue, if you want consolidate code and avoid duplication you'll
> want to be using just one decorator, but the decorator won't know if it
> needs to coerce the result, and if so then into what class? There are 3
> ways one can address this:
>
> 1) Be honest about the fact you're calling an RPC function which has no
> knowledge of Python. You limit the interface to what's available in XML
> RPC. The advantage is simplicity, but you lose friendliness.
It is our client, we can do whatever we want with the input (or output
for that matter). Someone else writing an RPC client would likely do
something similar, to convert the raw RPC data into a local object type.
As far as I can tell the RPC server is returning data in a standard
format, it is up to the client to decode it, right?
> 2) Add a decorator which defines the function signature, each arg in the
> decorator defines the type of the arg which is stored with the function.
> When the decorator executes it looks up the each argument type and
> decides if it needs to coerce it. In the past I had written Python RPC
> code and this is how I solved this issue when I ran into exactly this
> problem. Here is an example:
>
> @rpc_method('SETroubleshootDatabase')
> @rpc_arg_type('SETroubleshootDatabase', SEFaultSignature, str, int, str)
> def set_filter(self, sig, username, filter_type, data):
>
> The @rpc_method decorator does the magic of turning the function into an
> RPC call, the 'SETroubleshootDatabase' parameter is the interface the
> method belongs to. I'm guessing we're never going to export more than
> one interface so we could simplify things by eliminating the use of
> interfaces.
>
> The @rpc_arg_type decorator specifies the signature. In this instance
> it's a instance of a SEFaultSignature class object followed by a string,
> an int and a string. For our use with XML RPC we only need to specify
> the type when it's a class instance so this could be simplified, but
> hopefully you get the idea.
Hmm. I think I need to read more about decorators.
> 3) Define the signature in a table and have the decorator look the
> signature up in a table. This is just a variant on (2) but avoids having
> the extra decorator used to specify the signature. I don't recommend
> this as my feeling is the decorator approach is much cleaner, keeps the
> definitions in one obvious place (right where the function is defined)
> which is one of the design goals of Python decorators.
>
> The rest of the munging might be evidence of a problem in the API
> design. Here are a few items to consider:
>
> 1) Some functions which return a list return a array with a "counter"
> stuffed into the first position of the array which defines the array
> length. Why? the length is implicit in length of the array and this
> makes the returned array non-homogeneous (while both Python and XMLRPC
> support non-homogeneous arrays it's best to avoid this construct because
> it makes it difficult to interpret without a priori special knowledge of
> the array contents). The reason the counter is stuffed into the front of
> the array is to carry a special flag value indicating if the returned
> array was truncated. Wouldn't it be better if the result were not an
> array but rather a struct which contains the truncation flag and the
> array? That means the arrays do not require special interpretation, the
> flag is much more explicit and if need be more information could be
> returned about the state of the search.
Either way you have a special flag. I have no particular feelings either
way about this. We could easily convert this into a dict (struct) and
return that.
> 2) The functions which modify an object class perform special handling
> of the before and after values so that the implementation on the server
> side can compute the differences. If somebody else wants to call the RPC
> API that's going to be confusing, some functions take one parameter (an
> Entity class with the before and after values embedded in the class
> instance) and other function signatures take two parameters passing the
> before and after dictionaries explicitly. I would rather see a
> consistent function signature with a pair of before and after
> dictionaries to expose the logic of modification. This issue somewhat
> falls into the above issue, attempting to hide the actual RPC API. I'm
> not sure that's a good thing for two reasons, one, we would like to call
> functions both locally and remotely, it's way easier if they look and
> behave the same, two, if we really want to expose the RPC API for third
> party development we too should be able to call it without wrapping it
> with modifications.
Yes, all of the update functions are poorly handled. I have it on my
todo list to convert it to take a single dict as input.
> 3) At least one of the RPC wrappers removes an attribute from a struct
> it's passing, apparently because of private knowledge about the
> receiving end's requirements.
Ah yes, in add_user(), add_group(), that is bad.
> 4) None Type: XMLRPC does not support the None type but it is used
> extensively in our code and is extremely useful. To make our XML RPC API
> interface useful and appealing to third party users we should avoid
> non-standard XML RPC extensions such as (which is how None is
> mapped in XML RPC) The appeal of XML RPC is that it's a language neutral
> portable RPC mechanism. Using the special extension would blow
> that out of the water. I have no clue how that would get mapped for a
> client written in C for instance. Using None (e.g. ) is so useful
> it would be hard to get rid of it, plus we use None in so many places it
> might be hard not to let it "escape" through the XML RPC interface
> unintentionally. Yet, on the other hand I don't think we want to make a
> statement like "We have this wonderful RPC interface for you to use,
> except you can't code in C or C++, or use any XML RPC library which
> doesn't support the extension)
I believe I've removed all of the None arguments. opts is special since
it is added after the RPC call is made, so you can ignore that. It is
used to pass stuff from Apache (like the principal name) into our functions.
I definitely don't want to turn on None handling.
I left my funky handling of it in for now though I don't think it is
actually used anymore (the __NONE__ stuff). The only place perhaps is
the *_container but one can pass an empty value instead and it should
work fine.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From jdennis at redhat.com Sat Dec 1 15:57:56 2007
From: jdennis at redhat.com (John Dennis)
Date: Sat, 01 Dec 2007 10:57:56 -0500
Subject: [Freeipa-devel] more funky interface stuff
In-Reply-To: <4750D8E9.4050909@redhat.com>
References: <474F1C67.3030806@redhat.com> <474F2DAC.20504@redhat.com>
<4750A800.10805@redhat.com> <4750D8E9.4050909@redhat.com>
Message-ID: <47518484.7020205@redhat.com>
Rob Crittenden wrote:
> John Dennis wrote:
>> Rob Crittenden wrote:
>>> Rob Crittenden wrote:
>> I think the vast majority of the code duplication in both ipaclient.py
>> and rpcclient.py can be eliminated with a single decorator, that would
>> be a huge step in simplification and consistency.
>
> Being new to python, I still really don't know what a decorator does (I
> haven't read the link you provided earlier yet). I've used it in
> TurboGears but much of that is still voodoo to me.
If I can dig up some time (an issue these days) I would be happy to
convert the code to use decorators. I've implemented RPC via decorators
in Python previously and could probably do it again pretty efficiently.
You're right, at first it seems like a bit of voodoo magic, but with an
understanding of function closure* (a very cool feature), the fact a
function is a full fledged object in Python and how function references
are handled it's not too bad. Unfortunately decorators are not well
documented and the first time I used decorators it took a while to wrap
my head around the concepts but when I got done I realized they're much
simpler and easy to use than one might first think.
* function closure can be seen in nested functions, it gives you the
ability to define a function within a run time scope, bind the variables
seen in that scope, let the outer function go out of scope (e.g.
return), but as long as you keep a reference to the nested function it
can be called and execute with the exact same variable bindings that
existed when it was defined. Very cool and very powerful. Asynchronous
method calls make a good example, you create an anonymous function
binding it as callback to an asynchronous RPC. When the RPC call returns
sometime in the future it executes the callback with the same variable
binding that existed when the asynchronous RPC was first called even
though that scope has vanished due to the fact the outer function has
since returned.
--
John Dennis
From mbooth at redhat.com Sun Dec 2 22:49:55 2007
From: mbooth at redhat.com (Matthew Booth)
Date: Sun, 02 Dec 2007 22:49:55 +0000
Subject: [Freeipa-devel] default email is user@foo.bar in latest build
In-Reply-To: <474FA1E8.5010607@redhat.com>
References: <474FA1E8.5010607@redhat.com>
Message-ID: <47533693.2040105@redhat.com>
David O'Brien wrote:
> I've never come across this before.
>
> Normally when I add a user the default email address is user at mydomain.com
>
> In the latest build, this has become user at foo.bar
As an (important) aside, default email addresses should be in the
example.com, example.net or example.org TLDs. See:
http://www.ietf.org/rfc/rfc2606.txt
section 3.
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
URL:
From david.obrien at redhat.com Mon Dec 3 00:57:25 2007
From: david.obrien at redhat.com (David O'Brien)
Date: Mon, 03 Dec 2007 10:57:25 +1000
Subject: [Freeipa-devel] Password expired on new user
In-Reply-To: <1196445683.19881.7.camel@localhost.localdomain>
References: <474FA59F.1040003@redhat.com>
<1196445683.19881.7.camel@localhost.localdomain>
Message-ID: <47535475.4010803@redhat.com>
Simo Sorce wrote:
> On Fri, 2007-11-30 at 15:54 +1000, David O'Brien wrote:
>> I just created a new user but as soon as I did and the interface
>> returned to the View User page, it said "Password has expired". I
>> thought I saw a comment from Suzanne? about this but now I can't find it.
>>
>> Why would this happen?
>
> Because when admins change password users are required to reset them to
> a value unknown to the admin immediately.
> This is by design. And it is meant as a way to safely distribute new
> accounts as well do password resets without letting anybody else but the
> user know the final password.
> Unfortunately at this moment I don't have a way to provide a better
> message like: "the password was reset you have to change it". But that
> is the idea.
>
> Simo.
>
Yes, that part of it makes sense and is to be expected. The immediate
"password is expired" (effectively blocking out the user) was the real
eyebrow-raiser. I'll test again on a later build today and see what
happens, but as it stands I can't log in as anyone except admin using
this password policy.
--
David O'Brien
RHCT
PGP-KeyID: 0x443CBA7B
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL:
From ssorce at redhat.com Mon Dec 3 05:06:17 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 03 Dec 2007 00:06:17 -0500
Subject: [Freeipa-devel] Password expired on new user
In-Reply-To: <47535475.4010803@redhat.com>
References: <474FA59F.1040003@redhat.com>
<1196445683.19881.7.camel@localhost.localdomain>
<47535475.4010803@redhat.com>
Message-ID: <1196658377.4673.54.camel@localhost.localdomain>
Pam_krb5 should ask you to change password.
If not we need to investigate why.
Simo.
On Mon, 2007-12-03 at 10:57 +1000, David O'Brien wrote:
> Simo Sorce wrote:
> > On Fri, 2007-11-30 at 15:54 +1000, David O'Brien wrote:
> >> I just created a new user but as soon as I did and the interface
> >> returned to the View User page, it said "Password has expired". I
> >> thought I saw a comment from Suzanne? about this but now I can't find it.
> >>
> >> Why would this happen?
> >
> > Because when admins change password users are required to reset them to
> > a value unknown to the admin immediately.
> > This is by design. And it is meant as a way to safely distribute new
> > accounts as well do password resets without letting anybody else but the
> > user know the final password.
> > Unfortunately at this moment I don't have a way to provide a better
> > message like: "the password was reset you have to change it". But that
> > is the idea.
> >
> > Simo.
> >
> Yes, that part of it makes sense and is to be expected. The immediate
> "password is expired" (effectively blocking out the user) was the real
> eyebrow-raiser. I'll test again on a later build today and see what
> happens, but as it stands I can't log in as anyone except admin using
> this password policy.
>
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From david.obrien at redhat.com Mon Dec 3 06:45:48 2007
From: david.obrien at redhat.com (David O'Brien)
Date: Mon, 03 Dec 2007 16:45:48 +1000
Subject: [Freeipa-devel] Password expired on new user
In-Reply-To: <1196658377.4673.54.camel@localhost.localdomain>
References: <474FA59F.1040003@redhat.com>
<1196445683.19881.7.camel@localhost.localdomain>
<47535475.4010803@redhat.com>
<1196658377.4673.54.camel@localhost.localdomain>
Message-ID: <4753A61C.7040008@redhat.com>
Simo Sorce wrote:
> Pam_krb5 should ask you to change password.
> If not we need to investigate why.
>
> Simo.
>
> On Mon, 2007-12-03 at 10:57 +1000, David O'Brien wrote:
>> Simo Sorce wrote:
>>> On Fri, 2007-11-30 at 15:54 +1000, David O'Brien wrote:
>>>> I just created a new user but as soon as I did and the interface
>>>> returned to the View User page, it said "Password has expired". I
>>>> thought I saw a comment from Suzanne? about this but now I can't find it.
>>>>
>>>> Why would this happen?
>>> Because when admins change password users are required to reset them to
>>> a value unknown to the admin immediately.
>>> This is by design. And it is meant as a way to safely distribute new
>>> accounts as well do password resets without letting anybody else but the
>>> user know the final password.
>>> Unfortunately at this moment I don't have a way to provide a better
>>> message like: "the password was reset you have to change it". But that
>>> is the idea.
>>>
>>> Simo.
>>>
>> Yes, that part of it makes sense and is to be expected. The immediate
>> "password is expired" (effectively blocking out the user) was the real
>> eyebrow-raiser. I'll test again on a later build today and see what
>> happens, but as it stands I can't log in as anyone except admin using
>> this password policy.
>>
I did this on the command line, just for a change.
1. added a new user jpark with password jpark1234
2. ipa-finduser jpark
Common Name: Jainey Park
Home Directory: /home/jpark
Login Shell: /bin/sh
Login: jpark
3. kinit jpark
kinit(v5): Password has expired while getting initial credentials
that's it. Drops me back to a prompt. I couldn't find anything useful in
/var/log/{messages,ipa_error,krb5kdc}.log
--
David O'Brien
RHCT
PGP-KeyID: 0x443CBA7B
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL:
From david.obrien at redhat.com Mon Dec 3 06:56:24 2007
From: david.obrien at redhat.com (David O'Brien)
Date: Mon, 03 Dec 2007 16:56:24 +1000
Subject: [Freeipa-devel] error on Self Service of admin user
Message-ID: <4753A898.80206@redhat.com>
Using FC7/i386/2007-11-30_03_01-build/ipa.repo
I'm logged in to the webUI on the server as admin, and when I click Self
Service I get:
User show failed: no such entry for
('dc=australia,dc=com',2,u'(uid=admin at foo.bar)',['*','nsAccountLock'])
--
David O'Brien
RHCT
PGP-KeyID: 0x443CBA7B
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL:
From david.obrien at redhat.com Mon Dec 3 08:41:57 2007
From: david.obrien at redhat.com (David O'Brien)
Date: Mon, 03 Dec 2007 18:41:57 +1000
Subject: [Freeipa-devel] inactivating yourself
In-Reply-To: <473213F1.1050803@redhat.com>
References: <473213F1.1050803@redhat.com>
Message-ID: <4753C155.1080805@redhat.com>
Rob Crittenden wrote:
> Came across and intriguing problem when working on group inactivation.
>
> With group inactivation you pick a group, select inactive and update it.
> This causes all group members, including recursively all groups, to be
> marked inactive.
>
> So what should we do if the current user happens to be a member of that
> group (or subgroup)?
>
> What currently happens is IPA throws up because once the user is
> inactivated their credentials are no longer accepted by FDS.
>
> So should we:
>
> 1. Let things go ahead and blow up (i.e. change nothing)
> 2. Do not let them deactivate anything they are a part of
> 3. Do all the deactivation except for their record
> 4. Something else
>
> Ideas?
>
> I'm leaning towards #2 myself.
>
> rob
>
did you get an answer to this?
--
David O'Brien
RHCT
PGP-KeyID: 0x443CBA7B
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL:
From david.obrien at redhat.com Mon Dec 3 08:54:24 2007
From: david.obrien at redhat.com (David O'Brien)
Date: Mon, 03 Dec 2007 18:54:24 +1000
Subject: [Freeipa-devel] question about permissions, etc., in groups
Message-ID: <4753C440.9080500@redhat.com>
I read in a thread somewhere that if you deactivate a group, then all
members of that group are also deactivated. The exception being that if
a user is a member of another group that is active, then that user is
still active.
1: all users are members of ipauser, right? Can they be removed from
that group? If I and several hundred other users are in GroupA, GroupB,
etc., as well as in ipausers, and you deactivate all but ipausers, then
all that's happened is you've deactivated a bunch of groups. Ah... with
those groups deactivated, any permissions/delegations that were
associated with those groups go away too. (yes, I'm thinking out
loud...) Did I miss anything else?
2: If I'm in two groups with conflicting permissions, who wins? I'm in
GroupA, which means I can edit any user in France, but not in Germany.
I'm also in GroupB, which says I can edit Germany but not France. Or
should the administrator be smarter than that?
/david the user ;)
--
David O'Brien
RHCT
PGP-KeyID: 0x443CBA7B
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL:
From ssorce at redhat.com Mon Dec 3 13:15:26 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 03 Dec 2007 08:15:26 -0500
Subject: [Freeipa-devel] Password expired on new user
In-Reply-To: <4753A61C.7040008@redhat.com>
References: <474FA59F.1040003@redhat.com>
<1196445683.19881.7.camel@localhost.localdomain>
<47535475.4010803@redhat.com>
<1196658377.4673.54.camel@localhost.localdomain>
<4753A61C.7040008@redhat.com>
Message-ID: <1196687726.4673.57.camel@localhost.localdomain>
On Mon, 2007-12-03 at 16:45 +1000, David O'Brien wrote:
> Simo Sorce wrote:
> > Pam_krb5 should ask you to change password.
> > If not we need to investigate why.
> >
> > Simo.
> >
> > On Mon, 2007-12-03 at 10:57 +1000, David O'Brien wrote:
> >> Simo Sorce wrote:
> >>> On Fri, 2007-11-30 at 15:54 +1000, David O'Brien wrote:
> >>>> I just created a new user but as soon as I did and the interface
> >>>> returned to the View User page, it said "Password has expired". I
> >>>> thought I saw a comment from Suzanne? about this but now I can't find it.
> >>>>
> >>>> Why would this happen?
> >>> Because when admins change password users are required to reset them to
> >>> a value unknown to the admin immediately.
> >>> This is by design. And it is meant as a way to safely distribute new
> >>> accounts as well do password resets without letting anybody else but the
> >>> user know the final password.
> >>> Unfortunately at this moment I don't have a way to provide a better
> >>> message like: "the password was reset you have to change it". But that
> >>> is the idea.
> >>>
> >>> Simo.
> >>>
> >> Yes, that part of it makes sense and is to be expected. The immediate
> >> "password is expired" (effectively blocking out the user) was the real
> >> eyebrow-raiser. I'll test again on a later build today and see what
> >> happens, but as it stands I can't log in as anyone except admin using
> >> this password policy.
> >>
>
> I did this on the command line, just for a change.
>
> 1. added a new user jpark with password jpark1234
> 2. ipa-finduser jpark
> Common Name: Jainey Park
> Home Directory: /home/jpark
> Login Shell: /bin/sh
> Login: jpark
>
> 3. kinit jpark
> kinit(v5): Password has expired while getting initial credentials
>
> that's it. Drops me back to a prompt. I couldn't find anything useful in
> /var/log/{messages,ipa_error,krb5kdc}.log
You have for sure stuff in krb5kdc.log
Anyway in this case you should just do a kpasswd jpark and change
password.
I'd like to see you do a login on a client though, not a kinit
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From david.obrien at redhat.com Mon Dec 3 14:45:28 2007
From: david.obrien at redhat.com (David O'Brien)
Date: Tue, 04 Dec 2007 00:45:28 +1000
Subject: [Freeipa-devel] Password expired on new user
In-Reply-To: <1196687726.4673.57.camel@localhost.localdomain>
References: <474FA59F.1040003@redhat.com>
<1196445683.19881.7.camel@localhost.localdomain>
<47535475.4010803@redhat.com>
<1196658377.4673.54.camel@localhost.localdomain>
<4753A61C.7040008@redhat.com>
<1196687726.4673.57.camel@localhost.localdomain>
Message-ID: <47541688.3060207@redhat.com>
Simo Sorce wrote:
> On Mon, 2007-12-03 at 16:45 +1000, David O'Brien wrote:
>> Simo Sorce wrote:
>>> Pam_krb5 should ask you to change password.
>>> If not we need to investigate why.
>>>
>>> Simo.
>>>
>>> On Mon, 2007-12-03 at 10:57 +1000, David O'Brien wrote:
>>>> Simo Sorce wrote:
>>>>> On Fri, 2007-11-30 at 15:54 +1000, David O'Brien wrote:
>>>>>> I just created a new user but as soon as I did and the interface
>>>>>> returned to the View User page, it said "Password has expired". I
>>>>>> thought I saw a comment from Suzanne? about this but now I can't find it.
>>>>>>
>>>>>> Why would this happen?
>>>>> Because when admins change password users are required to reset them to
>>>>> a value unknown to the admin immediately.
>>>>> This is by design. And it is meant as a way to safely distribute new
>>>>> accounts as well do password resets without letting anybody else but the
>>>>> user know the final password.
>>>>> Unfortunately at this moment I don't have a way to provide a better
>>>>> message like: "the password was reset you have to change it". But that
>>>>> is the idea.
>>>>>
>>>>> Simo.
>>>>>
>>>> Yes, that part of it makes sense and is to be expected. The immediate
>>>> "password is expired" (effectively blocking out the user) was the real
>>>> eyebrow-raiser. I'll test again on a later build today and see what
>>>> happens, but as it stands I can't log in as anyone except admin using
>>>> this password policy.
>>>>
>> I did this on the command line, just for a change.
>>
>> 1. added a new user jpark with password jpark1234
>> 2. ipa-finduser jpark
>> Common Name: Jainey Park
>> Home Directory: /home/jpark
>> Login Shell: /bin/sh
>> Login: jpark
>>
>> 3. kinit jpark
>> kinit(v5): Password has expired while getting initial credentials
>>
>> that's it. Drops me back to a prompt. I couldn't find anything useful in
>> /var/log/{messages,ipa_error,krb5kdc}.log
>
> You have for sure stuff in krb5kdc.log
Well yeah, lots, but I couldn't find anything related to jpark, password
expiration, etc.
>
> Anyway in this case you should just do a kpasswd jpark and change
> password.
Yep, did that and can login ok. Didn't notice this before, but if you
add a user via the cli it doesn't demand an email address, and this
leads to errors later.
> I'd like to see you do a login on a client though, not a kinit
>
Not sure what you mean. You mean install the client and just navigate
straight to the server without running kinit? I expect this is to see
if it prompts for a username/password. I haven't installed a client yet.
I'll do that tomorrow.
cheers
--
David O'Brien
RHCT
PGP-KeyID: 0x443CBA7B
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL:
From ssorce at redhat.com Mon Dec 3 14:50:17 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 03 Dec 2007 09:50:17 -0500
Subject: [Freeipa-devel] Password expired on new user
In-Reply-To: <47541688.3060207@redhat.com>
References: <474FA59F.1040003@redhat.com>
<1196445683.19881.7.camel@localhost.localdomain>
<47535475.4010803@redhat.com>
<1196658377.4673.54.camel@localhost.localdomain>
<4753A61C.7040008@redhat.com>
<1196687726.4673.57.camel@localhost.localdomain>
<47541688.3060207@redhat.com>
Message-ID: <1196693417.4673.66.camel@localhost.localdomain>
On Tue, 2007-12-04 at 00:45 +1000, David O'Brien wrote:
> Simo Sorce wrote:
> > On Mon, 2007-12-03 at 16:45 +1000, David O'Brien wrote:
> >> Simo Sorce wrote:
> >>> Pam_krb5 should ask you to change password.
> >>> If not we need to investigate why.
> >>>
> >>> Simo.
> >>>
> >>> On Mon, 2007-12-03 at 10:57 +1000, David O'Brien wrote:
> >>>> Simo Sorce wrote:
> >>>>> On Fri, 2007-11-30 at 15:54 +1000, David O'Brien wrote:
> >>>>>> I just created a new user but as soon as I did and the interface
> >>>>>> returned to the View User page, it said "Password has expired". I
> >>>>>> thought I saw a comment from Suzanne? about this but now I can't find it.
> >>>>>>
> >>>>>> Why would this happen?
> >>>>> Because when admins change password users are required to reset them to
> >>>>> a value unknown to the admin immediately.
> >>>>> This is by design. And it is meant as a way to safely distribute new
> >>>>> accounts as well do password resets without letting anybody else but the
> >>>>> user know the final password.
> >>>>> Unfortunately at this moment I don't have a way to provide a better
> >>>>> message like: "the password was reset you have to change it". But that
> >>>>> is the idea.
> >>>>>
> >>>>> Simo.
> >>>>>
> >>>> Yes, that part of it makes sense and is to be expected. The immediate
> >>>> "password is expired" (effectively blocking out the user) was the real
> >>>> eyebrow-raiser. I'll test again on a later build today and see what
> >>>> happens, but as it stands I can't log in as anyone except admin using
> >>>> this password policy.
> >>>>
> >> I did this on the command line, just for a change.
> >>
> >> 1. added a new user jpark with password jpark1234
> >> 2. ipa-finduser jpark
> >> Common Name: Jainey Park
> >> Home Directory: /home/jpark
> >> Login Shell: /bin/sh
> >> Login: jpark
> >>
> >> 3. kinit jpark
> >> kinit(v5): Password has expired while getting initial credentials
> >>
> >> that's it. Drops me back to a prompt. I couldn't find anything useful in
> >> /var/log/{messages,ipa_error,krb5kdc}.log
> >
> > You have for sure stuff in krb5kdc.log
>
> Well yeah, lots, but I couldn't find anything related to jpark, password
> expiration, etc.
Look for PREAUTH, but only if you did a "kinit jpark"
If you do just kinit, it will probably try something like root at REALM
which will never work.
> > Anyway in this case you should just do a kpasswd jpark and change
> > password.
>
> Yep, did that and can login ok. Didn't notice this before, but if you
> add a user via the cli it doesn't demand an email address, and this
> leads to errors later.
If by "login" you mean kinit, no that's not a login, if you mean access
to the self service page on the web page I'd rather call it so to avoid
confusion.
> > I'd like to see you do a login on a client though, not a kinit
> >
> Not sure what you mean. You mean install the client and just navigate
> straight to the server without running kinit? I expect this is to see
> if it prompts for a username/password. I haven't installed a client yet.
> I'll do that tomorrow.
I mean running ipa-client-install on a client machine and do a real GDM
login (after a reboot).
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From kmacmill at redhat.com Mon Dec 3 15:21:54 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 03 Dec 2007 10:21:54 -0500
Subject: [Freeipa-devel] [PATCH] some input validation
In-Reply-To: <4750567E.7010502@redhat.com>
References: <4750567E.7010502@redhat.com>
Message-ID: <1196695314.16318.22.camel@clapton.mentalrootkit.com>
On Fri, 2007-11-30 at 13:29 -0500, Rob Crittenden wrote:
> Require that the default users group exists
> Fix some copy-paste errors from the password policy update
I pushed this with the logging change below reverted.
[...]
>
> # FIXME: need to check the ipadebug option in ipa.conf
> -#logging.basicConfig(level=logging.DEBUG,
> -# format='%(asctime)s %(levelname)s %(message)s',
> -# stream=sys.stderr)
> +logging.basicConfig(level=logging.DEBUG,
> + format='%(asctime)s %(levelname)s %(message)s',
> + stream=sys.stderr)
>
This was commented out because it causes the logging config to change
simply on import of funcs.py. That, for example, caused all output to go
to the console during setup. We should avoid side-effects on import if
possible I think. Is there some function that this can be called from
instead?
> #
> # Apache runs in multi-process mode so each process will have its own
> @@ -1380,14 +1380,22 @@ class IPAServer:
> # The LDAP routines want strings, not ints, so convert a few
> # things. Otherwise it sees a string -> int conversion as a
> change.
> try:
> - newconfig['krbmaxpwdlife'] =
> str(newconfig.get('krbmaxpwdlife'))
> - newconfig['krbminpwdlife'] =
> str(newconfig.get('krbminpwdlife'))
> - newconfig['krbpwdmindiffchars'] =
> str(newconfig.get('krbpwdmindiffchars'))
> - newconfig['krbpwdminlength'] =
> str(newconfig.get('krbpwdminlength'))
> - newconfig['krbpwdhistorylength'] =
> str(newconfig.get('krbpwdhistorylength'))
> + newconfig['ipapwdexpadvnotify'] =
> str(newconfig.get('ipapwdexpadvnotify'))
> + newconfig['ipasearchtimelimit'] =
> str(newconfig.get('ipasearchtimelimit'))
> + newconfig['ipasearchrecordslimit'] =
> str(newconfig.get('ipasearchrecordslimit'))
> + newconfig['ipamaxusernamelength'] =
> str(newconfig.get('ipamaxusernamelength'))
> except KeyError:
> # These should all be there but if not, let things
> proceed
> pass
> +
> + # Ensure that the default group for users exists
> + try:
> + group =
> self.get_entry_by_cn(newconfig.get('ipadefaultprimarygroup'), None,
> opts)
> + except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
> + raise
> + except:
> + raise
> +
> return self.update_entry(oldconfig, newconfig, opts)
>
> def get_password_policy(self, opts=None):
> @@ -1413,6 +1421,9 @@ class IPAServer:
> except KeyError:
> # These should all be there but if not, let things
> proceed
> pass
> + except:
> + # Anything else raise an error
> + raise
>
> return self.update_entry(oldpolicy, newpolicy, opts)
>
From kmacmill at redhat.com Mon Dec 3 15:23:17 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 03 Dec 2007 10:23:17 -0500
Subject: [Freeipa-devel] [PATCH] fix password change after password reset
In-Reply-To: <1196460006.19208.0.camel@hopeson>
References: <1196460006.19208.0.camel@hopeson>
Message-ID: <1196695397.16318.23.camel@clapton.mentalrootkit.com>
On Fri, 2007-11-30 at 17:00 -0500, Simo Sorce wrote:
> Should fix 133
Based on my limited understanding this looks ok. Pushed.
From kmacmill at redhat.com Mon Dec 3 15:29:59 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 03 Dec 2007 10:29:59 -0500
Subject: [Freeipa-devel] [PATCH] New patch for compat
In-Reply-To: <47508838.3010209@redhat.com>
References: <47508838.3010209@redhat.com>
Message-ID: <1196695799.16318.29.camel@clapton.mentalrootkit.com>
On Fri, 2007-11-30 at 17:01 -0500, Rob Crittenden wrote:
> This addresses Karl's concerns about CalledProcessError being defined
> everywhere.
>
Pushed.
From kmacmill at redhat.com Mon Dec 3 15:31:19 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 03 Dec 2007 10:31:19 -0500
Subject: [Freeipa-devel] [PATCH] Minutiae
In-Reply-To: <1196460122.19208.5.camel@hopeson>
References: <1196460122.19208.5.camel@hopeson>
Message-ID: <1196695879.16318.31.camel@clapton.mentalrootkit.com>
On Fri, 2007-11-30 at 17:02 -0500, Simo Sorce wrote:
> Minor stuff, mostly indentation and accidental removal of stuff caught
> by my local merge
Pushed - as discussed I think this qualifies as a trivial patch that you
could have pushed directly.
Karl
From rcritten at redhat.com Mon Dec 3 15:50:37 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 03 Dec 2007 10:50:37 -0500
Subject: [Freeipa-devel] error on Self Service of admin user
In-Reply-To: <4753A898.80206@redhat.com>
References: <4753A898.80206@redhat.com>
Message-ID: <475425CD.5040500@redhat.com>
David O'Brien wrote:
> Using FC7/i386/2007-11-30_03_01-build/ipa.repo
>
> I'm logged in to the webUI on the server as admin, and when I click Self
> Service I get:
>
> User show failed: no such entry for
> ('dc=australia,dc=com',2,u'(uid=admin at foo.bar)',['*','nsAccountLock'])
>
What does the "Logged in as" show as?
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Mon Dec 3 15:51:32 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 03 Dec 2007 10:51:32 -0500
Subject: [Freeipa-devel] inactivating yourself
In-Reply-To: <4753C155.1080805@redhat.com>
References: <473213F1.1050803@redhat.com> <4753C155.1080805@redhat.com>
Message-ID: <47542604.1030606@redhat.com>
David O'Brien wrote:
> Rob Crittenden wrote:
>> Came across and intriguing problem when working on group inactivation.
>>
>> With group inactivation you pick a group, select inactive and update it.
>> This causes all group members, including recursively all groups, to be
>> marked inactive.
>>
>> So what should we do if the current user happens to be a member of that
>> group (or subgroup)?
>>
>> What currently happens is IPA throws up because once the user is
>> inactivated their credentials are no longer accepted by FDS.
>>
>> So should we:
>>
>> 1. Let things go ahead and blow up (i.e. change nothing)
>> 2. Do not let them deactivate anything they are a part of
>> 3. Do all the deactivation except for their record
>> 4. Something else
>>
>> Ideas?
>>
>> I'm leaning towards #2 myself.
>>
>> rob
>>
>
> did you get an answer to this?
>
No, it's still up in the air.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Mon Dec 3 15:53:36 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 03 Dec 2007 10:53:36 -0500
Subject: [Freeipa-devel] question about permissions, etc., in groups
In-Reply-To: <4753C440.9080500@redhat.com>
References: <4753C440.9080500@redhat.com>
Message-ID: <47542680.5060207@redhat.com>
David O'Brien wrote:
> I read in a thread somewhere that if you deactivate a group, then all
> members of that group are also deactivated. The exception being that if
> a user is a member of another group that is active, then that user is
> still active.
>
> 1: all users are members of ipauser, right? Can they be removed from
> that group? If I and several hundred other users are in GroupA, GroupB,
> etc., as well as in ipausers, and you deactivate all but ipausers, then
> all that's happened is you've deactivated a bunch of groups. Ah... with
> those groups deactivated, any permissions/delegations that were
> associated with those groups go away too. (yes, I'm thinking out
> loud...) Did I miss anything else?
Right, by deactivating those groups you deactivate all the users in
those groups as well as any groups that may be a member (and thus those
members).
> 2: If I'm in two groups with conflicting permissions, who wins? I'm in
> GroupA, which means I can edit any user in France, but not in Germany.
> I'm also in GroupB, which says I can edit Germany but not France. Or
> should the administrator be smarter than that?
I believe that deny overrules allow in FDS ACIs. So if you hit any deny
along the way of determining permission you are denied.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Mon Dec 3 16:00:02 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 03 Dec 2007 11:00:02 -0500
Subject: [Freeipa-devel] [PATCH] some input validation
In-Reply-To: <1196695314.16318.22.camel@clapton.mentalrootkit.com>
References: <4750567E.7010502@redhat.com>
<1196695314.16318.22.camel@clapton.mentalrootkit.com>
Message-ID: <47542802.9080405@redhat.com>
Karl MacMillan wrote:
> On Fri, 2007-11-30 at 13:29 -0500, Rob Crittenden wrote:
>> Require that the default users group exists
>> Fix some copy-paste errors from the password policy update
>
> I pushed this with the logging change below reverted.
>
> [...]
>
>>
>> # FIXME: need to check the ipadebug option in ipa.conf
>> -#logging.basicConfig(level=logging.DEBUG,
>> -# format='%(asctime)s %(levelname)s %(message)s',
>> -# stream=sys.stderr)
>> +logging.basicConfig(level=logging.DEBUG,
>> + format='%(asctime)s %(levelname)s %(message)s',
>> + stream=sys.stderr)
>>
>
> This was commented out because it causes the logging config to change
> simply on import of funcs.py. That, for example, caused all output to go
> to the console during setup. We should avoid side-effects on import if
> possible I think. Is there some function that this can be called from
> instead?
This was my mistake, I forgot to re-omment them.
We need a debugging capability of the XML-RPC Interface. This is my
first attempt at it. It needs to be tied into Apache so once I do that
we can uncomment this and it won't affect setup.
rob
>
>
>> #
>> # Apache runs in multi-process mode so each process will have its own
>> @@ -1380,14 +1380,22 @@ class IPAServer:
>> # The LDAP routines want strings, not ints, so convert a few
>> # things. Otherwise it sees a string -> int conversion as a
>> change.
>> try:
>> - newconfig['krbmaxpwdlife'] =
>> str(newconfig.get('krbmaxpwdlife'))
>> - newconfig['krbminpwdlife'] =
>> str(newconfig.get('krbminpwdlife'))
>> - newconfig['krbpwdmindiffchars'] =
>> str(newconfig.get('krbpwdmindiffchars'))
>> - newconfig['krbpwdminlength'] =
>> str(newconfig.get('krbpwdminlength'))
>> - newconfig['krbpwdhistorylength'] =
>> str(newconfig.get('krbpwdhistorylength'))
>> + newconfig['ipapwdexpadvnotify'] =
>> str(newconfig.get('ipapwdexpadvnotify'))
>> + newconfig['ipasearchtimelimit'] =
>> str(newconfig.get('ipasearchtimelimit'))
>> + newconfig['ipasearchrecordslimit'] =
>> str(newconfig.get('ipasearchrecordslimit'))
>> + newconfig['ipamaxusernamelength'] =
>> str(newconfig.get('ipamaxusernamelength'))
>> except KeyError:
>> # These should all be there but if not, let things
>> proceed
>> pass
>> +
>> + # Ensure that the default group for users exists
>> + try:
>> + group =
>> self.get_entry_by_cn(newconfig.get('ipadefaultprimarygroup'), None,
>> opts)
>> + except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
>> + raise
>> + except:
>> + raise
>> +
>> return self.update_entry(oldconfig, newconfig, opts)
>>
>> def get_password_policy(self, opts=None):
>> @@ -1413,6 +1421,9 @@ class IPAServer:
>> except KeyError:
>> # These should all be there but if not, let things
>> proceed
>> pass
>> + except:
>> + # Anything else raise an error
>> + raise
>>
>> return self.update_entry(oldpolicy, newpolicy, opts)
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Mon Dec 3 16:15:34 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 03 Dec 2007 11:15:34 -0500
Subject: [Freeipa-devel] [PATCH] stricter ACIs
In-Reply-To: <1196460076.19208.3.camel@hopeson>
References: <1196460076.19208.3.camel@hopeson>
Message-ID: <47542BA6.8000202@redhat.com>
Simo Sorce wrote:
> Some ACIs were getting lax some other were out of sync with regard to
> what we developed recently, some other were unnecessarily strict.
>
> Please carefully check.
Except for some typos in the comments this looks ok.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From kmacmill at redhat.com Mon Dec 3 16:27:05 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 03 Dec 2007 11:27:05 -0500
Subject: [Freeipa-devel] [PATCH] stricter ACIs
In-Reply-To: <1196460076.19208.3.camel@hopeson>
References: <1196460076.19208.3.camel@hopeson>
Message-ID: <1196699225.1529.0.camel@clapton.mentalrootkit.com>
On Fri, 2007-11-30 at 17:01 -0500, Simo Sorce wrote:
> Some ACIs were getting lax some other were out of sync with regard to
> what we developed recently, some other were unnecessarily strict.
>
> Please carefully check.
Pushed.
From kmacmill at redhat.com Mon Dec 3 17:49:03 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 03 Dec 2007 12:49:03 -0500
Subject: [Freeipa-devel] [PATCH] update build requires
Message-ID: <1196704143.20701.0.camel@clapton.mentalrootkit.com>
Add libcap to the build requires - I've already pushed this patch.
Karl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch.txt
Type: text/x-patch
Size: 1197 bytes
Desc: not available
URL:
From rcritten at redhat.com Mon Dec 3 21:08:22 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 03 Dec 2007 16:08:22 -0500
Subject: [Freeipa-devel] [PATCH] Easier units for min/max password lifetime
Message-ID: <47547046.7070609@redhat.com>
Convert from seconds to days and hours for max and minimum password
lifetime.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-446-units.patch
Type: text/x-patch
Size: 3720 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Mon Dec 3 21:10:30 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 03 Dec 2007 16:10:30 -0500
Subject: [Freeipa-devel] [PATCH] update default max password life
Message-ID: <475470C6.9050800@redhat.com>
Pushed this patch to increase default max password life from 10 to 90 days.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-447-lifetime.patch
Type: text/x-patch
Size: 727 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From david.obrien at redhat.com Tue Dec 4 01:01:12 2007
From: david.obrien at redhat.com (David O'Brien)
Date: Tue, 04 Dec 2007 11:01:12 +1000
Subject: [Freeipa-devel] error on Self Service of admin user
In-Reply-To: <475425CD.5040500@redhat.com>
References: <4753A898.80206@redhat.com> <475425CD.5040500@redhat.com>
Message-ID: <4754A6D8.4020408@redhat.com>
Rob Crittenden wrote:
> David O'Brien wrote:
>> Using FC7/i386/2007-11-30_03_01-build/ipa.repo
>>
>> I'm logged in to the webUI on the server as admin, and when I click Self
>> Service I get:
>>
>> User show failed: no such entry for
>> ('dc=australia,dc=com',2,u'(uid=admin at foo.bar)',['*','nsAccountLock'])
>>
>
> What does the "Logged in as" show as?
>
> rob
Logged in as: admin
Is it related to the bogus email address admin at foo.bar? I'll try to
change it with ipa-usermod and see what happens.
--
David O'Brien
RHCT
PGP-KeyID: 0x443CBA7B
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL:
From david.obrien at redhat.com Tue Dec 4 01:04:10 2007
From: david.obrien at redhat.com (David O'Brien)
Date: Tue, 04 Dec 2007 11:04:10 +1000
Subject: [Freeipa-devel] question about permissions, etc., in groups
In-Reply-To: <47542680.5060207@redhat.com>
References: <4753C440.9080500@redhat.com> <47542680.5060207@redhat.com>
Message-ID: <4754A78A.2050104@redhat.com>
Rob Crittenden wrote:
> David O'Brien wrote:
>> I read in a thread somewhere that if you deactivate a group, then all
>> members of that group are also deactivated. The exception being that if
>> a user is a member of another group that is active, then that user is
>> still active.
>>
>> 1: all users are members of ipauser, right? Can they be removed from
>> that group? If I and several hundred other users are in GroupA, GroupB,
>> etc., as well as in ipausers, and you deactivate all but ipausers, then
>> all that's happened is you've deactivated a bunch of groups. Ah... with
>> those groups deactivated, any permissions/delegations that were
>> associated with those groups go away too. (yes, I'm thinking out
>> loud...) Did I miss anything else?
>
> Right, by deactivating those groups you deactivate all the users in
> those groups as well as any groups that may be a member (and thus those
> members).
So it's not what I thought? If I'm in GroupA and GroupB and you
deactivate either one, I'm deactivated, period? I thought you stayed
active as long as you were in an active group.
>
>> 2: If I'm in two groups with conflicting permissions, who wins? I'm in
>> GroupA, which means I can edit any user in France, but not in Germany.
>> I'm also in GroupB, which says I can edit Germany but not France. Or
>> should the administrator be smarter than that?
>
> I believe that deny overrules allow in FDS ACIs. So if you hit any deny
> along the way of determining permission you are denied.
ok, I'll write it up as such unless I hear otherwise.
thanks
--
David O'Brien
RHCT
PGP-KeyID: 0x443CBA7B
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL:
From david.obrien at redhat.com Tue Dec 4 04:47:39 2007
From: david.obrien at redhat.com (David O'Brien)
Date: Tue, 04 Dec 2007 14:47:39 +1000
Subject: [Freeipa-devel] Password expired on new user
In-Reply-To: <1196693417.4673.66.camel@localhost.localdomain>
References: <474FA59F.1040003@redhat.com>
<1196445683.19881.7.camel@localhost.localdomain>
<47535475.4010803@redhat.com>
<1196658377.4673.54.camel@localhost.localdomain>
<4753A61C.7040008@redhat.com>
<1196687726.4673.57.camel@localhost.localdomain>
<47541688.3060207@redhat.com>
<1196693417.4673.66.camel@localhost.localdomain>
Message-ID: <4754DBEB.3050902@redhat.com>
Simo Sorce wrote:
>>> I'd like to see you do a login on a client though, not a kinit
>>>
>> Not sure what you mean. You mean install the client and just navigate
>> straight to the server without running kinit? I expect this is to see
>> if it prompts for a username/password. I haven't installed a client yet.
>> I'll do that tomorrow.
>
> I mean running ipa-client-install on a client machine and do a real GDM
> login (after a reboot).
>
> Simo.
>
Point of confusion: (sorry if I'm a bit slow here...)
If I have ipa-client installed and everything set up properly, I should
be able to log in to the box and authenticate against the ipa-server?
e.g. as ipa-User/password, not using a local account? Wouldn't I need to
modify system-config-auth to do that? Or is that supposed to occur as
part of the client install/config?
Currrently:
I have a client installed, but I'm not 100% confident with it. I hosed
my DNS so I'm using /etc/hosts for name resolution. There were a couple
of errors at the end of the client install possibly related to that.
It's disappeared now (rebooted) and there's no ipa-error.log
After the install I did kinit admin at AUSTRALIA.COM just to make sure I
could talk to the server and get a ticket. Then I set up firefox.
I rebooted and tried to do a GDM login as but that failed.
Also tried without success.
I logged in as a local user, enabled Kerberos authentication
(system-config-authentication) and logged out. Tried to log in again as
above, but haven't had any success there either. Is this the way it's
supposed to work?
I'm now logged in to the machine as "redhat", started up firefox,
navigated to darwin.australia.com (server) and got Kerberos auth
failure. I suppose it's trying to authenticate as "redhat" so that's
going to fail.
I added redhat as a user on the ipa server, logged out on the client,
logged in as redhat and again went to darwin.australia.com. Kerberos
auth failure again. I ran kinit redhat at AUSTRALIA.COM and was then able
to get to the webUI ok.
I know this is getting long-winded, but at the end of the day, I should
be able to create "newuser" on the IPA server, install ipa-client on a
separate box, and then log in to that box as "newuser", irrespective of
whether or not "newuser" has a local account?
thanks for your patience
--
David O'Brien
RHCT
PGP-KeyID: 0x443CBA7B
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL:
From ssorce at redhat.com Tue Dec 4 13:16:56 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 04 Dec 2007 08:16:56 -0500
Subject: [Freeipa-devel] Password expired on new user
In-Reply-To: <4754DBEB.3050902@redhat.com>
References: <474FA59F.1040003@redhat.com>
<1196445683.19881.7.camel@localhost.localdomain>
<47535475.4010803@redhat.com>
<1196658377.4673.54.camel@localhost.localdomain>
<4753A61C.7040008@redhat.com>
<1196687726.4673.57.camel@localhost.localdomain>
<47541688.3060207@redhat.com>
<1196693417.4673.66.camel@localhost.localdomain>
<4754DBEB.3050902@redhat.com>
Message-ID: <1196774216.17681.9.camel@localhost.localdomain>
On Tue, 2007-12-04 at 14:47 +1000, David O'Brien wrote:
> Simo Sorce wrote:
>
>
>
> >>> I'd like to see you do a login on a client though, not a kinit
> >>>
> >> Not sure what you mean. You mean install the client and just navigate
> >> straight to the server without running kinit? I expect this is to see
> >> if it prompts for a username/password. I haven't installed a client yet.
> >> I'll do that tomorrow.
> >
> > I mean running ipa-client-install on a client machine and do a real GDM
> > login (after a reboot).
> >
> > Simo.
> >
> Point of confusion: (sorry if I'm a bit slow here...)
>
> If I have ipa-client installed and everything set up properly, I should
> be able to log in to the box and authenticate against the ipa-server?
> e.g. as ipa-User/password, not using a local account? Wouldn't I need to
> modify system-config-auth to do that? Or is that supposed to occur as
> part of the client install/config?
its the whole point of ipa-client-install
> Currrently:
> I have a client installed, but I'm not 100% confident with it. I hosed
> my DNS so I'm using /etc/hosts for name resolution. There were a couple
> of errors at the end of the client install possibly related to that.
> It's disappeared now (rebooted) and there's no ipa-error.log
I want to know the errors.
> After the install I did kinit admin at AUSTRALIA.COM just to make sure I
> could talk to the server and get a ticket. Then I set up firefox.
>
> I rebooted and tried to do a GDM login as but that failed.
> Also tried without success.
>
> I logged in as a local user, enabled Kerberos authentication
> (system-config-authentication) and logged out. Tried to log in again as
> above, but haven't had any success there either. Is this the way it's
> supposed to work?
>
> I'm now logged in to the machine as "redhat", started up firefox,
> navigated to darwin.australia.com (server) and got Kerberos auth
> failure. I suppose it's trying to authenticate as "redhat" so that's
> going to fail.
>
> I added redhat as a user on the ipa server, logged out on the client,
> logged in as redhat and again went to darwin.australia.com. Kerberos
> auth failure again. I ran kinit redhat at AUSTRALIA.COM and was then able
> to get to the webUI ok.
>
> I know this is getting long-winded, but at the end of the day, I should
> be able to create "newuser" on the IPA server, install ipa-client on a
> separate box, and then log in to that box as "newuser", irrespective of
> whether or not "newuser" has a local account?
Yes.
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From kmacmill at redhat.com Tue Dec 4 13:40:19 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 04 Dec 2007 08:40:19 -0500
Subject: [Freeipa-devel] question about permissions, etc., in groups
In-Reply-To: <4754A78A.2050104@redhat.com>
References: <4753C440.9080500@redhat.com> <47542680.5060207@redhat.com>
<4754A78A.2050104@redhat.com>
Message-ID: <1196775619.26806.8.camel@vai.mentalrootkit.com>
On Tue, 2007-12-04 at 11:04 +1000, David O'Brien wrote:
> Rob Crittenden wrote:
> > David O'Brien wrote:
> >> I read in a thread somewhere that if you deactivate a group, then all
> >> members of that group are also deactivated. The exception being that if
> >> a user is a member of another group that is active, then that user is
> >> still active.
> >>
> >> 1: all users are members of ipauser, right? Can they be removed from
> >> that group? If I and several hundred other users are in GroupA, GroupB,
> >> etc., as well as in ipausers, and you deactivate all but ipausers, then
> >> all that's happened is you've deactivated a bunch of groups. Ah... with
> >> those groups deactivated, any permissions/delegations that were
> >> associated with those groups go away too. (yes, I'm thinking out
> >> loud...) Did I miss anything else?
> >
> > Right, by deactivating those groups you deactivate all the users in
> > those groups as well as any groups that may be a member (and thus those
> > members).
>
> So it's not what I thought? If I'm in GroupA and GroupB and you
> deactivate either one, I'm deactivated, period? I thought you stayed
> active as long as you were in an active group.
>
> >
> >> 2: If I'm in two groups with conflicting permissions, who wins? I'm in
> >> GroupA, which means I can edit any user in France, but not in Germany.
> >> I'm also in GroupB, which says I can edit Germany but not France. Or
> >> should the administrator be smarter than that?
> >
> > I believe that deny overrules allow in FDS ACIs. So if you hit any deny
> > along the way of determining permission you are denied.
>
> ok, I'll write it up as such unless I hear otherwise.
>
But there aren't deny rules used, right? So you get the union of all of
the delegations - you would be able to edit users in France and Germany.
We should verify of course.
Karl
From rcritten at redhat.com Tue Dec 4 14:00:18 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Dec 2007 09:00:18 -0500
Subject: [Freeipa-devel] question about permissions, etc., in groups
In-Reply-To: <4754A78A.2050104@redhat.com>
References: <4753C440.9080500@redhat.com> <47542680.5060207@redhat.com>
<4754A78A.2050104@redhat.com>
Message-ID: <47555D72.1050509@redhat.com>
David O'Brien wrote:
> Rob Crittenden wrote:
>> David O'Brien wrote:
>>> I read in a thread somewhere that if you deactivate a group, then all
>>> members of that group are also deactivated. The exception being that if
>>> a user is a member of another group that is active, then that user is
>>> still active.
>>>
>>> 1: all users are members of ipauser, right? Can they be removed from
>>> that group? If I and several hundred other users are in GroupA, GroupB,
>>> etc., as well as in ipausers, and you deactivate all but ipausers, then
>>> all that's happened is you've deactivated a bunch of groups. Ah... with
>>> those groups deactivated, any permissions/delegations that were
>>> associated with those groups go away too. (yes, I'm thinking out
>>> loud...) Did I miss anything else?
>> Right, by deactivating those groups you deactivate all the users in
>> those groups as well as any groups that may be a member (and thus those
>> members).
>
> So it's not what I thought? If I'm in GroupA and GroupB and you
> deactivate either one, I'm deactivated, period? I thought you stayed
> active as long as you were in an active group.
No, like deny, inactive wins. We'll need to test this but hit should work.
User U is member of Groups A and B. Group A is inactive.
Mark the user as active (this should override everything)
This should override the group inactivity.
>>> 2: If I'm in two groups with conflicting permissions, who wins? I'm in
>>> GroupA, which means I can edit any user in France, but not in Germany.
>>> I'm also in GroupB, which says I can edit Germany but not France. Or
>>> should the administrator be smarter than that?
>> I believe that deny overrules allow in FDS ACIs. So if you hit any deny
>> along the way of determining permission you are denied.
>
> ok, I'll write it up as such unless I hear otherwise.
>
> thanks
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From ssorce at redhat.com Tue Dec 4 14:11:44 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 04 Dec 2007 09:11:44 -0500
Subject: [Freeipa-devel] question about permissions, etc., in groups
In-Reply-To: <4754A78A.2050104@redhat.com>
References: <4753C440.9080500@redhat.com> <47542680.5060207@redhat.com>
<4754A78A.2050104@redhat.com>
Message-ID: <1196777504.17681.17.camel@localhost.localdomain>
On Tue, 2007-12-04 at 11:04 +1000, David O'Brien wrote:
> Rob Crittenden wrote:
> > David O'Brien wrote:
> >> I read in a thread somewhere that if you deactivate a group, then all
> >> members of that group are also deactivated. The exception being that if
> >> a user is a member of another group that is active, then that user is
> >> still active.
> >>
> >> 1: all users are members of ipauser, right? Can they be removed from
> >> that group? If I and several hundred other users are in GroupA, GroupB,
> >> etc., as well as in ipausers, and you deactivate all but ipausers, then
> >> all that's happened is you've deactivated a bunch of groups. Ah... with
> >> those groups deactivated, any permissions/delegations that were
> >> associated with those groups go away too. (yes, I'm thinking out
> >> loud...) Did I miss anything else?
> >
> > Right, by deactivating those groups you deactivate all the users in
> > those groups as well as any groups that may be a member (and thus those
> > members).
>
> So it's not what I thought? If I'm in GroupA and GroupB and you
> deactivate either one, I'm deactivated, period? I thought you stayed
> active as long as you were in an active group.
No, it wouldn't make sense.
Think how difficult would be to be sure all members of a specific group
are inactivated if your reasoning were true.
> >
> >> 2: If I'm in two groups with conflicting permissions, who wins? I'm in
> >> GroupA, which means I can edit any user in France, but not in Germany.
> >> I'm also in GroupB, which says I can edit Germany but not France. Or
> >> should the administrator be smarter than that?
> >
> > I believe that deny overrules allow in FDS ACIs. So if you hit any deny
> > along the way of determining permission you are denied.
>
> ok, I'll write it up as such unless I hear otherwise.
Inactivation is prevalent, unless you specifically override the
attribute manually on the specific user.
(As others have said, we need to test, but if this is not what we get we
need to raise a bug)
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From kmacmill at redhat.com Tue Dec 4 14:50:55 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 04 Dec 2007 09:50:55 -0500
Subject: [Freeipa-devel] [PATCH] Easier units for min/max password lifetime
In-Reply-To: <47547046.7070609@redhat.com>
References: <47547046.7070609@redhat.com>
Message-ID: <1196779855.4207.0.camel@localhost.localdomain>
On Mon, 2007-12-03 at 16:08 -0500, Rob Crittenden wrote:
> Convert from seconds to days and hours for max and minimum password
> lifetime.
Pushed.
From kmacmill at redhat.com Tue Dec 4 14:53:47 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 04 Dec 2007 09:53:47 -0500
Subject: [Freeipa-devel] [PATCH] fix errors with CalledProcessError
Message-ID: <1196780027.4207.2.camel@localhost.localdomain>
The conversion to a single CalledProcessError had some mistakes - this
fixes those.
Karl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cleanups.patch
Type: text/x-patch
Size: 5617 bytes
Desc: not available
URL:
From david.obrien at redhat.com Tue Dec 4 15:26:47 2007
From: david.obrien at redhat.com (David O'Brien)
Date: Wed, 05 Dec 2007 01:26:47 +1000
Subject: [Freeipa-devel] question about permissions, etc., in groups
In-Reply-To: <1196777504.17681.17.camel@localhost.localdomain>
References: <4753C440.9080500@redhat.com> <47542680.5060207@redhat.com>
<4754A78A.2050104@redhat.com>
<1196777504.17681.17.camel@localhost.localdomain>
Message-ID: <475571B7.6040107@redhat.com>
Simo Sorce wrote:
> On Tue, 2007-12-04 at 11:04 +1000, David O'Brien wrote:
>> Rob Crittenden wrote:
>>> David O'Brien wrote:
>>>> I read in a thread somewhere that if you deactivate a group, then all
>>>> members of that group are also deactivated. The exception being that if
>>>> a user is a member of another group that is active, then that user is
>>>> still active.
>>>>
>>>> 1: all users are members of ipauser, right? Can they be removed from
>>>> that group? If I and several hundred other users are in GroupA, GroupB,
>>>> etc., as well as in ipausers, and you deactivate all but ipausers, then
>>>> all that's happened is you've deactivated a bunch of groups. Ah... with
>>>> those groups deactivated, any permissions/delegations that were
>>>> associated with those groups go away too. (yes, I'm thinking out
>>>> loud...) Did I miss anything else?
>>> Right, by deactivating those groups you deactivate all the users in
>>> those groups as well as any groups that may be a member (and thus those
>>> members).
>> So it's not what I thought? If I'm in GroupA and GroupB and you
>> deactivate either one, I'm deactivated, period? I thought you stayed
>> active as long as you were in an active group.
>
> No, it wouldn't make sense.
> Think how difficult would be to be sure all members of a specific group
> are inactivated if your reasoning were true.
Yes, it makes sense to have it the way it's been explained above. I was
attempting to follow up on what I read (obviously not well enough) in
another thread.
>
>>>> 2: If I'm in two groups with conflicting permissions, who wins? I'm in
>>>> GroupA, which means I can edit any user in France, but not in Germany.
>>>> I'm also in GroupB, which says I can edit Germany but not France. Or
>>>> should the administrator be smarter than that?
>>> I believe that deny overrules allow in FDS ACIs. So if you hit any deny
>>> along the way of determining permission you are denied.
>> ok, I'll write it up as such unless I hear otherwise.
>
> Inactivation is prevalent, unless you specifically override the
> attribute manually on the specific user.
>
I'll make sure I include this when documenting active and inactive users
and groups.
> (As others have said, we need to test, but if this is not what we get we
> need to raise a bug)
>
I'll try to do my bit while documenting. Who's on the testing team
anyway, apart from Suzanne of the questionable wrists? ;-)
--
David O'Brien
RHCT
PGP-KeyID: 0x443CBA7B
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL:
From rcritten at redhat.com Tue Dec 4 15:52:12 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Dec 2007 10:52:12 -0500
Subject: [Freeipa-devel] [PATCH] fix errors with CalledProcessError
In-Reply-To: <1196780027.4207.2.camel@localhost.localdomain>
References: <1196780027.4207.2.camel@localhost.localdomain>
Message-ID: <475577AC.7040700@redhat.com>
Karl MacMillan wrote:
> The conversion to a single CalledProcessError had some mistakes - this
> fixes those.
>
> Karl
Did it not work for you?
I had the explicit references to ipautil so people wouldn't get confused
that it was calling subprocess.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Tue Dec 4 15:59:57 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Dec 2007 10:59:57 -0500
Subject: [Freeipa-devel] [PATCH] Step 1 of configurable objectclasses
Message-ID: <4755797D.7070105@redhat.com>
This patch adds the UI and attribute support for user-configurable
objectclasses. This will let and admin set the objectclasses that users
and groups will have.
It does some basic validation that the classes exist (thanks Simo) but
it doesn't do any dependency validation.
The next step is to move the current hardcoded set of classes into these
attributes and pull it in when new users/groups are added.
The final step is to handle updating existing users who may not have
everything in their list.
I tried breaking this up to prevent another humongous patch.
Unfortunately I wasn't entirely successful.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-448-objectclass.patch
Type: text/x-patch
Size: 25877 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From david.obrien at redhat.com Tue Dec 4 16:10:19 2007
From: david.obrien at redhat.com (David O'Brien)
Date: Wed, 05 Dec 2007 02:10:19 +1000
Subject: [Freeipa-devel] errors while editing groups
Message-ID: <47557BEB.6090200@redhat.com>
I created half a dozen groups for testing/doc purposes, some with no
members. When i try to edit them some curious things happen:
1. I get "500 Internal server error" when I try to deactivate a group[1]
2. sometimes I get "there was a collision" (forget words exactly), but
the update occurs anyway.
3. Sometimes I get 'Group update failed: A database error occurred. No
such object", but again the update occurred.
Mostly I just tried to change the description or name. I think once I
saw the name update but not the description? Not very scientific of me...
Apart from 1., I couldn't find anything in the logs to indicate what
was happening.
[1] (sorry if not all of this is relevant)
2007-12-05 01:45:54,220 ipagui.controllers ERROR CherryPy 500 error (500
- Internal Server Error) for request 'POST /group/update'
Traceback (most recent call last):
File "/usr/lib/python2.5/site-packages/cherrypy/_cphttptools.py", line
105, in _run
self.main()
File "/usr/lib/python2.5/site-packages/cherrypy/_cphttptools.py", line
254, in main
body = page_handler(*virtual_path, **self.params)
File "", line 3, in update
File "/usr/lib/python2.5/site-packages/turbogears/controllers.py",
line 344, in expose
*args, **kw)
File "", line 5, in run_with_transaction
File "/usr/lib/python2.5/site-packages/turbogears/database.py", line
312, in so_rwt
retval = func(*args, **kw)
File "", line 5, in _expose
File "/usr/lib/python2.5/site-packages/turbogears/controllers.py",
line 359, in
mapping, fragment, args, kw)))
File "/usr/lib/python2.5/site-packages/turbogears/controllers.py",
line 386, in _execute_func
output = errorhandling.try_call(func, *args, **kw)
File "/usr/lib/python2.5/site-packages/turbogears/errorhandling.py",
line 72, in try_call
return func(self, *args, **kw)
File "", line 3, in update
File
"/usr/lib/python2.5/site-packages/turbogears/identity/conditions.py",
line 235, in require
return fn(self, *args, **kwargs)
File
"/var/tmp/ipa-server-0.5.0-1-root-root/usr/share/ipa/ipagui/subcontrollers/group.py",
line 299, in update
File "/usr/lib/python2.5/site-packages/ipa/ipaclient.py", line 354, in
mark_group_inactive
result = self.transport.mark_group_inactive(cn)
File
"/var/tmp/ipa-server-0.5.0-1-root-root/usr/share/ipa/ipaserver/funcs.py",
line 1290, in mark_group_inactive
File
"/var/tmp/ipa-server-0.5.0-1-root-root/usr/share/ipa/ipaserver/funcs.py",
line 738, in mark_entry_inactive
File
"/var/tmp/ipa-server-0.5.0-1-root-root/usr/share/ipa/ipaserver/funcs.py",
line 357, in get_entry_by_cn
File
"/var/tmp/ipa-server-0.5.0-1-root-root/usr/share/ipa/ipaserver/funcs.py",
line 255, in __get_sub_entry
File
"/var/tmp/ipa-server-0.5.0-1-root-root/usr/share/ipa/ipaserver/funcs.py",
line 236, in __get_entry
File
"/var/tmp/ipa-server-0.5.0-1-root-root/usr/share/ipa/ipaserver/ipaldap.py",
line 365, in getEntry
IPAError65539: no such entry for ('dc=australia,dc=com', 2,
'(cn=activated)', None)
--
David O'Brien
RHCT
PGP-KeyID: 0x443CBA7B
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL:
From rcritten at redhat.com Tue Dec 4 18:25:28 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Dec 2007 13:25:28 -0500
Subject: [Freeipa-devel] errors while editing groups
In-Reply-To: <47557BEB.6090200@redhat.com>
References: <47557BEB.6090200@redhat.com>
Message-ID: <47559B98.901@redhat.com>
David O'Brien wrote:
> I created half a dozen groups for testing/doc purposes, some with no
> members. When i try to edit them some curious things happen:
>
> 1. I get "500 Internal server error" when I try to deactivate a group[1]
> 2. sometimes I get "there was a collision" (forget words exactly), but
> the update occurs anyway.
> 3. Sometimes I get 'Group update failed: A database error occurred. No
> such object", but again the update occurred.
>
> Mostly I just tried to change the description or name. I think once I
> saw the name update but not the description? Not very scientific of me...
>
> Apart from 1., I couldn't find anything in the logs to indicate what
> was happening.
>
> [1] (sorry if not all of this is relevant)
>
> 2007-12-05 01:45:54,220 ipagui.controllers ERROR CherryPy 500 error (500
> - Internal Server Error) for request 'POST /group/update'
> Traceback (most recent call last):
> File "/usr/lib/python2.5/site-packages/cherrypy/_cphttptools.py", line
> 105, in _run
> self.main()
> File "/usr/lib/python2.5/site-packages/cherrypy/_cphttptools.py", line
> 254, in main
> body = page_handler(*virtual_path, **self.params)
> File "", line 3, in update
> File "/usr/lib/python2.5/site-packages/turbogears/controllers.py",
> line 344, in expose
> *args, **kw)
> File "", line 5, in run_with_transaction
> File "/usr/lib/python2.5/site-packages/turbogears/database.py", line
> 312, in so_rwt
> retval = func(*args, **kw)
> File "", line 5, in _expose
> File "/usr/lib/python2.5/site-packages/turbogears/controllers.py",
> line 359, in
> mapping, fragment, args, kw)))
> File "/usr/lib/python2.5/site-packages/turbogears/controllers.py",
> line 386, in _execute_func
> output = errorhandling.try_call(func, *args, **kw)
> File "/usr/lib/python2.5/site-packages/turbogears/errorhandling.py",
> line 72, in try_call
> return func(self, *args, **kw)
> File "", line 3, in update
> File
> "/usr/lib/python2.5/site-packages/turbogears/identity/conditions.py",
> line 235, in require
> return fn(self, *args, **kwargs)
> File
> "/var/tmp/ipa-server-0.5.0-1-root-root/usr/share/ipa/ipagui/subcontrollers/group.py",
> line 299, in update
> File "/usr/lib/python2.5/site-packages/ipa/ipaclient.py", line 354, in
> mark_group_inactive
> result = self.transport.mark_group_inactive(cn)
> File
> "/var/tmp/ipa-server-0.5.0-1-root-root/usr/share/ipa/ipaserver/funcs.py",
> line 1290, in mark_group_inactive
> File
> "/var/tmp/ipa-server-0.5.0-1-root-root/usr/share/ipa/ipaserver/funcs.py",
> line 738, in mark_entry_inactive
> File
> "/var/tmp/ipa-server-0.5.0-1-root-root/usr/share/ipa/ipaserver/funcs.py",
> line 357, in get_entry_by_cn
> File
> "/var/tmp/ipa-server-0.5.0-1-root-root/usr/share/ipa/ipaserver/funcs.py",
> line 255, in __get_sub_entry
> File
> "/var/tmp/ipa-server-0.5.0-1-root-root/usr/share/ipa/ipaserver/funcs.py",
> line 236, in __get_entry
> File
> "/var/tmp/ipa-server-0.5.0-1-root-root/usr/share/ipa/ipaserver/ipaldap.py",
> line 365, in getEntry
> IPAError65539: no such entry for ('dc=australia,dc=com', 2,
> '(cn=activated)', None)
>
Where did you get your packages? It seems like the class-of-service
objects didn't get installed.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From kmacmill at redhat.com Tue Dec 4 19:43:53 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 04 Dec 2007 14:43:53 -0500
Subject: [Freeipa-devel] [PATCH] fix errors with CalledProcessError
In-Reply-To: <475577AC.7040700@redhat.com>
References: <1196780027.4207.2.camel@localhost.localdomain>
<475577AC.7040700@redhat.com>
Message-ID: <1196797433.6784.4.camel@localhost.localdomain>
On Tue, 2007-12-04 at 10:52 -0500, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > The conversion to a single CalledProcessError had some mistakes - this
> > fixes those.
> >
> > Karl
>
> Did it not work for you?
>
No - dsinstance.py only has:
from ipa.ipautil import *
So we would need to add
from ipa import ipautil
> I had the explicit references to ipautil so people wouldn't get confused
> that it was calling subprocess.
>
I can switch to this if you would prefer.
Karl
From rcritten at redhat.com Tue Dec 4 20:09:38 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Dec 2007 15:09:38 -0500
Subject: [Freeipa-devel] [PATCH] fix errors with CalledProcessError
In-Reply-To: <1196797433.6784.4.camel@localhost.localdomain>
References: <1196780027.4207.2.camel@localhost.localdomain>
<475577AC.7040700@redhat.com>
<1196797433.6784.4.camel@localhost.localdomain>
Message-ID: <4755B402.8000401@redhat.com>
Karl MacMillan wrote:
> On Tue, 2007-12-04 at 10:52 -0500, Rob Crittenden wrote:
>> Karl MacMillan wrote:
>>> The conversion to a single CalledProcessError had some mistakes - this
>>> fixes those.
>>>
>>> Karl
>> Did it not work for you?
>>
>
> No - dsinstance.py only has:
>
> from ipa.ipautil import *
>
> So we would need to add
>
> from ipa import ipautil
>
>> I had the explicit references to ipautil so people wouldn't get confused
>> that it was calling subprocess.
>>
>
> I can switch to this if you would prefer.
>
> Karl
>
I would, but I'm a neophyte python guy, so whatever people typically do
I'm fine with. But since we're subclassing a function using the same
name it seemed best to be clear about it.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From kmacmill at redhat.com Wed Dec 5 03:25:36 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 04 Dec 2007 22:25:36 -0500
Subject: [Freeipa-devel] [PATCH] fix errors with CalledProcessError
In-Reply-To: <4755B402.8000401@redhat.com>
References: <1196780027.4207.2.camel@localhost.localdomain>
<475577AC.7040700@redhat.com>
<1196797433.6784.4.camel@localhost.localdomain>
<4755B402.8000401@redhat.com>
Message-ID: <1196825136.16389.1.camel@vai.mentalrootkit.com>
On Tue, 2007-12-04 at 15:09 -0500, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > On Tue, 2007-12-04 at 10:52 -0500, Rob Crittenden wrote:
> >> Karl MacMillan wrote:
> >>> The conversion to a single CalledProcessError had some mistakes - this
> >>> fixes those.
> >>>
> >>> Karl
> >> Did it not work for you?
> >>
> >
> > No - dsinstance.py only has:
> >
> > from ipa.ipautil import *
> >
> > So we would need to add
> >
> > from ipa import ipautil
> >
> >> I had the explicit references to ipautil so people wouldn't get confused
> >> that it was calling subprocess.
> >>
> >
> > I can switch to this if you would prefer.
> >
> > Karl
> >
>
> I would, but I'm a neophyte python guy, so whatever people typically do
> I'm fine with. But since we're subclassing a function using the same
> name it seemed best to be clear about it.
>
Updated patch attached - I didn't want to use functions from ipautil in
two ways, so everything is accessed through ipautil.
BTW - if people haven't found it pychecker works well when doing these
kinds of things.
Karl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cleanup.patch
Type: text/x-patch
Size: 12556 bytes
Desc: not available
URL:
From david.obrien at redhat.com Wed Dec 5 03:30:16 2007
From: david.obrien at redhat.com (David O'Brien)
Date: Wed, 05 Dec 2007 13:30:16 +1000
Subject: [Freeipa-devel] errors while editing groups
In-Reply-To: <47559B98.901@redhat.com>
References: <47557BEB.6090200@redhat.com> <47559B98.901@redhat.com>
Message-ID: <47561B48.7070804@redhat.com>
Rob Crittenden wrote:
> David O'Brien wrote:
>> I created half a dozen groups for testing/doc purposes, some with no
>> members. When i try to edit them some curious things happen:
>>
>> 1. I get "500 Internal server error" when I try to deactivate a group[1]
>> 2. sometimes I get "there was a collision" (forget words exactly), but
>> the update occurs anyway.
>> 3. Sometimes I get 'Group update failed: A database error occurred. No
>> such object", but again the update occurred.
>>
>> Mostly I just tried to change the description or name. I think once I
>> saw the name update but not the description? Not very scientific of me...
>>
>> Apart from 1., I couldn't find anything in the logs to indicate what
>> was happening.
>>
>> [1] (sorry if not all of this is relevant)
>>
>> 2007-12-05 01:45:54,220 ipagui.controllers ERROR CherryPy 500 error (500
>> - Internal Server Error) for request 'POST /group/update'
>> Traceback (most recent call last):
>> File "/usr/lib/python2.5/site-packages/cherrypy/_cphttptools.py", line
>> 105, in _run
>> self.main()
>> File "/usr/lib/python2.5/site-packages/cherrypy/_cphttptools.py", line
>> 254, in main
>> body = page_handler(*virtual_path, **self.params)
>> File "", line 3, in update
>> File "/usr/lib/python2.5/site-packages/turbogears/controllers.py",
>> line 344, in expose
>> *args, **kw)
>> File "", line 5, in run_with_transaction
>> File "/usr/lib/python2.5/site-packages/turbogears/database.py", line
>> 312, in so_rwt
>> retval = func(*args, **kw)
>> File "", line 5, in _expose
>> File "/usr/lib/python2.5/site-packages/turbogears/controllers.py",
>> line 359, in
>> mapping, fragment, args, kw)))
>> File "/usr/lib/python2.5/site-packages/turbogears/controllers.py",
>> line 386, in _execute_func
>> output = errorhandling.try_call(func, *args, **kw)
>> File "/usr/lib/python2.5/site-packages/turbogears/errorhandling.py",
>> line 72, in try_call
>> return func(self, *args, **kw)
>> File "", line 3, in update
>> File
>> "/usr/lib/python2.5/site-packages/turbogears/identity/conditions.py",
>> line 235, in require
>> return fn(self, *args, **kwargs)
>> File
>> "/var/tmp/ipa-server-0.5.0-1-root-root/usr/share/ipa/ipagui/subcontrollers/group.py",
>>
>> line 299, in update
>> File "/usr/lib/python2.5/site-packages/ipa/ipaclient.py", line 354, in
>> mark_group_inactive
>> result = self.transport.mark_group_inactive(cn)
>> File
>> "/var/tmp/ipa-server-0.5.0-1-root-root/usr/share/ipa/ipaserver/funcs.py",
>> line 1290, in mark_group_inactive
>> File
>> "/var/tmp/ipa-server-0.5.0-1-root-root/usr/share/ipa/ipaserver/funcs.py",
>> line 738, in mark_entry_inactive
>> File
>> "/var/tmp/ipa-server-0.5.0-1-root-root/usr/share/ipa/ipaserver/funcs.py",
>> line 357, in get_entry_by_cn
>> File
>> "/var/tmp/ipa-server-0.5.0-1-root-root/usr/share/ipa/ipaserver/funcs.py",
>> line 255, in __get_sub_entry
>> File
>> "/var/tmp/ipa-server-0.5.0-1-root-root/usr/share/ipa/ipaserver/funcs.py",
>> line 236, in __get_entry
>> File
>> "/var/tmp/ipa-server-0.5.0-1-root-root/usr/share/ipa/ipaserver/ipaldap.py",
>>
>> line 365, in getEntry
>> IPAError65539: no such entry for ('dc=australia,dc=com', 2,
>> '(cn=activated)', None)
>>
>
> Where did you get your packages? It seems like the class-of-service
> objects didn't get installed.
>
> rob
from the repo at FC7/i386/2007-11-30_03_01-build/dist
I tried the build from 3rd Dec (I think) but I got errors while
downloading packages. Something about packages not matching expected..?
I didn't write down the error, sorry.
--
David O'Brien
RHCT
PGP-KeyID: 0x443CBA7B
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL:
From rcritten at redhat.com Wed Dec 5 19:49:39 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Dec 2007 14:49:39 -0500
Subject: [Freeipa-devel] [PATCH] in UI groups should default to empty list
Message-ID: <475700D3.5070006@redhat.com>
If no user is available when logging into the UI the groups field should
be an empty list, not None.
This is likely to never be seen by anyone but it can come up during
development and it is annoying.
Pushed as a one-liner.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-452-proxygroup.patch
Type: text/x-patch
Size: 770 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Wed Dec 5 19:56:29 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Dec 2007 14:56:29 -0500
Subject: [Freeipa-devel] [PATCH] UI for service principal creation and
keytab retrieval
Message-ID: <4757026D.3070407@redhat.com>
Added UI for service principal creation and keytab retrieval.
The biggest core change is a new function to retrieve a list of service
principals. I added a check in there to not return any kadmin
principals. Don't want anyone fetching the admin credentials, even if
you have to be admin to do so.
The user will see a list of links of the available keytabs. Clicking on
a link will fire up a download of the keytab that they can save on their
desktop. It should be linkable too though I didn't test that.
I have a hardcoded list of service principal types plus an "other"
option because I can't include every possible option.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-453-keytabui.patch
Type: text/x-patch
Size: 24611 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Wed Dec 5 20:01:07 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Dec 2007 15:01:07 -0500
Subject: [Freeipa-devel] [PATCH] Notify user of truncated results
Message-ID: <47570383.3030903@redhat.com>
The UI notifies the user if the results are truncated but the
command-line did not. It does now.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-454-truncate.patch
Type: text/x-patch
Size: 1297 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Wed Dec 5 20:44:10 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Dec 2007 15:44:10 -0500
Subject: [Freeipa-devel] [PATCH] CSS update for required fields
Message-ID: <47570D9A.7040606@redhat.com>
Add back in CSS for required fields, field errors and warnings.
This will make the background of required fields a horrible pink again
but it will at least be obvious.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-455-css.patch
Type: text/x-patch
Size: 1913 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Wed Dec 5 20:50:53 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Dec 2007 15:50:53 -0500
Subject: [Freeipa-devel] [PATCH] fix CSS to show required fields
Message-ID: <47570F2D.1090003@redhat.com>
Add back in some CSS that was removed in the big UI update.
This adds back required field colors and colored error and warning msgs.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-455-css.patch
Type: text/x-patch
Size: 931 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Wed Dec 5 20:56:41 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Dec 2007 15:56:41 -0500
Subject: [Freeipa-devel] [PATCH] CSS update for required fields
In-Reply-To: <47570D9A.7040606@redhat.com>
References: <47570D9A.7040606@redhat.com>
Message-ID: <47571089.2030509@redhat.com>
Rob Crittenden wrote:
> Add back in CSS for required fields, field errors and warnings.
>
> This will make the background of required fields a horrible pink again
> but it will at least be obvious.
>
> rob
Ack, ignore this one. I forgot to remove the proxyprovider stuff. I've
sent a new mail to the list wiht a proper patch.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Wed Dec 5 21:19:47 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Dec 2007 16:19:47 -0500
Subject: [Freeipa-devel] [PATCH] fix errors with CalledProcessError
In-Reply-To: <1196825136.16389.1.camel@vai.mentalrootkit.com>
References: <1196780027.4207.2.camel@localhost.localdomain>
<475577AC.7040700@redhat.com>
<1196797433.6784.4.camel@localhost.localdomain>
<4755B402.8000401@redhat.com>
<1196825136.16389.1.camel@vai.mentalrootkit.com>
Message-ID: <475715F3.5050604@redhat.com>
Karl MacMillan wrote:
> On Tue, 2007-12-04 at 15:09 -0500, Rob Crittenden wrote:
>> Karl MacMillan wrote:
>>> On Tue, 2007-12-04 at 10:52 -0500, Rob Crittenden wrote:
>>>> Karl MacMillan wrote:
>>>>> The conversion to a single CalledProcessError had some mistakes - this
>>>>> fixes those.
>>>>>
>>>>> Karl
>>>> Did it not work for you?
>>>>
>>> No - dsinstance.py only has:
>>>
>>> from ipa.ipautil import *
>>>
>>> So we would need to add
>>>
>>> from ipa import ipautil
>>>
>>>> I had the explicit references to ipautil so people wouldn't get confused
>>>> that it was calling subprocess.
>>>>
>>> I can switch to this if you would prefer.
>>>
>>> Karl
>>>
>> I would, but I'm a neophyte python guy, so whatever people typically do
>> I'm fine with. But since we're subclassing a function using the same
>> name it seemed best to be clear about it.
>>
>
> Updated patch attached - I didn't want to use functions from ipautil in
> two ways, so everything is accessed through ipautil.
>
> BTW - if people haven't found it pychecker works well when doing these
> kinds of things.
Acked and pushed.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Wed Dec 5 21:58:34 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Dec 2007 16:58:34 -0500
Subject: [Freeipa-devel] [PATCH] fix errors in add user
Message-ID: <47571F0A.3000802@redhat.com>
Move dn removal to the XML-RPC side and remove empty attributes. Empty
lists were blowing up python-ldap.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-456-addfix.patch
Type: text/x-patch
Size: 2621 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From kmacmill at redhat.com Wed Dec 5 22:14:04 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 05 Dec 2007 17:14:04 -0500
Subject: [Freeipa-devel] [PATCH] Step 1 of configurable objectclasses
In-Reply-To: <4755797D.7070105@redhat.com>
References: <4755797D.7070105@redhat.com>
Message-ID: <1196892844.5264.0.camel@vai.mentalrootkit.com>
On Tue, 2007-12-04 at 10:59 -0500, Rob Crittenden wrote:
> This patch adds the UI and attribute support for user-configurable
> objectclasses. This will let and admin set the objectclasses that users
> and groups will have.
>
> It does some basic validation that the classes exist (thanks Simo) but
> it doesn't do any dependency validation.
>
> The next step is to move the current hardcoded set of classes into these
> attributes and pull it in when new users/groups are added.
>
> The final step is to handle updating existing users who may not have
> everything in their list.
>
> I tried breaking this up to prevent another humongous patch.
> Unfortunately I wasn't entirely successful.
>
This looks sane to me. Pushed.
BTW - I was getting some awkward line breaks on the policy page. Can we
widen that left column a bit?
Karl
From kmacmill at redhat.com Wed Dec 5 22:25:45 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 05 Dec 2007 17:25:45 -0500
Subject: [Freeipa-devel] [PATCH] UI for service principal creation and
keytab retrieval
In-Reply-To: <4757026D.3070407@redhat.com>
References: <4757026D.3070407@redhat.com>
Message-ID: <1196893545.5264.4.camel@vai.mentalrootkit.com>
On Wed, 2007-12-05 at 14:56 -0500, Rob Crittenden wrote:
> Added UI for service principal creation and keytab retrieval.
>
> The biggest core change is a new function to retrieve a list of service
> principals. I added a check in there to not return any kadmin
> principals. Don't want anyone fetching the admin credentials, even if
> you have to be admin to do so.
>
> The user will see a list of links of the available keytabs. Clicking on
> a link will fire up a download of the keytab that they can save on their
> desktop. It should be linkable too though I didn't test that.
>
> I have a hardcoded list of service principal types plus an "other"
> option because I can't include every possible option.
>
Looks very nice - glad you worked that up. Only comment is that since
getting a keytab resets the secret it probably needs a warning. I would
hate, for example, for someone to get a keytab for http on the ipa
server only to have the web ui break.
Pushed.
Karl
From kmacmill at redhat.com Wed Dec 5 22:26:25 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 05 Dec 2007 17:26:25 -0500
Subject: [Freeipa-devel] [PATCH] Notify user of truncated results
In-Reply-To: <47570383.3030903@redhat.com>
References: <47570383.3030903@redhat.com>
Message-ID: <1196893585.5264.5.camel@vai.mentalrootkit.com>
On Wed, 2007-12-05 at 15:01 -0500, Rob Crittenden wrote:
> The UI notifies the user if the results are truncated but the
> command-line did not. It does now.
>
Pushed.
From kmacmill at redhat.com Wed Dec 5 22:27:28 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 05 Dec 2007 17:27:28 -0500
Subject: [Freeipa-devel] [PATCH] fix errors in add user
In-Reply-To: <47571F0A.3000802@redhat.com>
References: <47571F0A.3000802@redhat.com>
Message-ID: <1196893648.5264.7.camel@vai.mentalrootkit.com>
On Wed, 2007-12-05 at 16:58 -0500, Rob Crittenden wrote:
> Move dn removal to the XML-RPC side and remove empty attributes. Empty
> lists were blowing up python-ldap.
>
Pushed.
From rcritten at redhat.com Wed Dec 5 22:28:12 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Dec 2007 17:28:12 -0500
Subject: [Freeipa-devel] [PATCH] Step 1 of configurable objectclasses
In-Reply-To: <1196892844.5264.0.camel@vai.mentalrootkit.com>
References: <4755797D.7070105@redhat.com>
<1196892844.5264.0.camel@vai.mentalrootkit.com>
Message-ID: <475725FC.8020603@redhat.com>
Karl MacMillan wrote:
> On Tue, 2007-12-04 at 10:59 -0500, Rob Crittenden wrote:
>> This patch adds the UI and attribute support for user-configurable
>> objectclasses. This will let and admin set the objectclasses that users
>> and groups will have.
>>
>> It does some basic validation that the classes exist (thanks Simo) but
>> it doesn't do any dependency validation.
>>
>> The next step is to move the current hardcoded set of classes into these
>> attributes and pull it in when new users/groups are added.
>>
>> The final step is to handle updating existing users who may not have
>> everything in their list.
>>
>> I tried breaking this up to prevent another humongous patch.
>> Unfortunately I wasn't entirely successful.
>>
>
> This looks sane to me. Pushed.
>
> BTW - I was getting some awkward line breaks on the policy page. Can we
> widen that left column a bit?
>
> Karl
>
Er, not sure what you mean. A screenshot would help.
A shift-reload may fix it too.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rmeggins at redhat.com Wed Dec 5 23:28:08 2007
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 05 Dec 2007 16:28:08 -0700
Subject: [Freeipa-devel] [Fwd: [Fedora-directory-users] Integrating RADIUS
schema in Fedora-ds]
Message-ID: <47573408.1050601@redhat.com>
-------------- next part --------------
An embedded message was scrubbed...
From: "Jeff Fishbaugh"
Subject: [Fedora-directory-users] Integrating RADIUS schema in Fedora-ds
Date: Wed, 5 Dec 2007 16:00:45 -0700
Size: 49665
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From jdennis at redhat.com Thu Dec 6 00:18:23 2007
From: jdennis at redhat.com (John Dennis)
Date: Wed, 05 Dec 2007 19:18:23 -0500
Subject: [Freeipa-devel] [Fwd: [Fedora-directory-users] Integrating RADIUS
schema in Fedora-ds]
In-Reply-To: <47573408.1050601@redhat.com>
References: <47573408.1050601@redhat.com>
Message-ID: <47573FCF.6040502@redhat.com>
> Not sure if this is the best place to ask this but have been looking for
> some decent documentation on integrating RADIUS schema into Fedora-ds so
> I can authenticate against my directory. Tons of docs on doing the same
> with OpenLDAP, but slim to none with Fedora-ds (btw-- I do know about
> freeipa, but I'm not using it).
>
> I see my RADIUS schema object classes as radiusprofile and radiusobject
> profile; however, I can not seem to figure out how to get these
> integrated into my directory properly to use it with RADIUS. If I look
> at my 'addtional indexes' I only can add radiusprofile indexes such as
> radiusframedmtu. Would seem I am going to need to get
> radiusobjectprofile and its related indexes (uid, userPassword) in
> there if this is to work for authentication.
>
> Can anyone point me in the right direction with getting RADIUS schema
> properly integrated into my directory so I can point RADIUS at it and
> use it for user authentication??? I'm also a bit curious on the DESC
> field being blank for all the OIDs and whether they should go or
> populated with iinfo similar to the OID name.
>
> Appreciate any and all answers. Thank you...
I can send you the radius profile directory server schema we're using in
IPA. But the larger question is why do you think you need the schema in
the first place. You state all you want to do is authenticate against
DS, which means all you are doing is a bind, and most likely only a
simple bind with a plain text password. To accomplish that you'll need
to enable ldap in the authenticate section of /etc/raddb/radiusd.conf. I
believe you'll need to move ldap to be above any other plain text
password authentication mechanisms in the authenticate section so the
ldap module gets first crack, or disable the other mechanisms. In the
modules section you'll also need to set your basic ldap parameters, e.g.
server, filter, etc. The filter will need to be able to locate a user
by performing a search. The user's dn is derived from the successful
search result and that dn is then used to perform the bind with the
password found in the request auth packet. None of this requires schema.
If however you want to manage profiles with radius attribute/value pairs
then you'll need the schema, but that doesn't sound like what you're
asking for.
In any event, let me know if you want the schema, I'll send it to you.
--
John Dennis
From rcritten at redhat.com Thu Dec 6 04:55:59 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Dec 2007 23:55:59 -0500
Subject: [Freeipa-devel] [PATCH] Finish up user-configurable objectclasses
Message-ID: <475780DF.8040900@redhat.com>
Utilize user and group objectclass lists in cn=ipaconfig
Change the syntax on user and group objectclasses in cn=ipaconfig. Looks
like I goofed the first go-around.
Move the hardcoded list into the install-time ldif
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-463-objectclass.patch
Type: text/x-patch
Size: 5116 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Thu Dec 6 14:18:03 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Dec 2007 09:18:03 -0500
Subject: [Freeipa-devel] [PATCH] UI for service principal creation and
keytab retrieval
In-Reply-To: <1196893545.5264.4.camel@vai.mentalrootkit.com>
References: <4757026D.3070407@redhat.com>
<1196893545.5264.4.camel@vai.mentalrootkit.com>
Message-ID: <4758049B.1050405@redhat.com>
Karl MacMillan wrote:
> On Wed, 2007-12-05 at 14:56 -0500, Rob Crittenden wrote:
>> Added UI for service principal creation and keytab retrieval.
>>
>> The biggest core change is a new function to retrieve a list of service
>> principals. I added a check in there to not return any kadmin
>> principals. Don't want anyone fetching the admin credentials, even if
>> you have to be admin to do so.
>>
>> The user will see a list of links of the available keytabs. Clicking on
>> a link will fire up a download of the keytab that they can save on their
>> desktop. It should be linkable too though I didn't test that.
>>
>> I have a hardcoded list of service principal types plus an "other"
>> option because I can't include every possible option.
>>
>
> Looks very nice - glad you worked that up. Only comment is that since
> getting a keytab resets the secret it probably needs a warning. I would
> hate, for example, for someone to get a keytab for http on the ipa
> server only to have the web ui break.
>
> Pushed.
Ok, that explains why my FDS instance kept breaking. I thought that was
it but I wasn't sure.
I'll add a javascript confirmation dialog.
thanks
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Thu Dec 6 16:10:16 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Dec 2007 11:10:16 -0500
Subject: [Freeipa-devel] [PATCH] warn user before retrieving keytab in UI
Message-ID: <47581EE8.6000208@redhat.com>
Prompt the user with a warning before downloading a keytab. It will
generate a new secret, breaking existing keytabs
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-464-warning.patch
Type: text/x-patch
Size: 1630 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From jeff at collectiveintellect.com Thu Dec 6 17:00:15 2007
From: jeff at collectiveintellect.com (Jeff Fishbaugh)
Date: Thu, 6 Dec 2007 12:00:15 -0500 (EST)
Subject: [Freeipa-devel] [Fwd: [Fedora-directory-users] Integrating
RADIUS schema in Fedora-ds]
In-Reply-To: <47573FCF.6040502@redhat.com>
Message-ID: <1898244726.311521196960415181.JavaMail.root@mail>
Thanks a bunch John -- very helpful. You are probably correct that short term I can possibly get away with just the bind -- I wasn't fully aware I could do that. None the less I'd still be interested in the schema your using in IPA as there is a good chance that may be where I go with our authentication and such down the road...definitely been anxious to try it, just been waiting for it to mature a bit. :-)
Send me your schema when you get a chance if you'd be so kind, and thanks again.
-Jeff
----- Original Message -----
From: "John Dennis"
To: fedora-directory-users at redhat.com
Cc: freeipa-devel at redhat.com, "Jeff Fishbaugh"
Sent: Wednesday, December 5, 2007 5:18:23 PM (GMT-0700) America/Denver
Subject: Re: [Freeipa-devel] [Fwd: [Fedora-directory-users] Integrating RADIUS schema in Fedora-ds]
> Not sure if this is the best place to ask this but have been looking for
> some decent documentation on integrating RADIUS schema into Fedora-ds so
> I can authenticate against my directory. Tons of docs on doing the same
> with OpenLDAP, but slim to none with Fedora-ds (btw-- I do know about
> freeipa, but I'm not using it).
>
> I see my RADIUS schema object classes as radiusprofile and radiusobject
> profile; however, I can not seem to figure out how to get these
> integrated into my directory properly to use it with RADIUS. If I look
> at my 'addtional indexes' I only can add radiusprofile indexes such as
> radiusframedmtu. Would seem I am going to need to get
> radiusobjectprofile and its related indexes (uid, userPassword) in
> there if this is to work for authentication.
>
> Can anyone point me in the right direction with getting RADIUS schema
> properly integrated into my directory so I can point RADIUS at it and
> use it for user authentication??? I'm also a bit curious on the DESC
> field being blank for all the OIDs and whether they should go or
> populated with iinfo similar to the OID name.
>
> Appreciate any and all answers. Thank you...
I can send you the radius profile directory server schema we're using in
IPA. But the larger question is why do you think you need the schema in
the first place. You state all you want to do is authenticate against
DS, which means all you are doing is a bind, and most likely only a
simple bind with a plain text password. To accomplish that you'll need
to enable ldap in the authenticate section of /etc/raddb/radiusd.conf. I
believe you'll need to move ldap to be above any other plain text
password authentication mechanisms in the authenticate section so the
ldap module gets first crack, or disable the other mechanisms. In the
modules section you'll also need to set your basic ldap parameters, e.g.
server, filter, etc. The filter will need to be able to locate a user
by performing a search. The user's dn is derived from the successful
search result and that dn is then used to perform the bind with the
password found in the request auth packet. None of this requires schema.
If however you want to manage profiles with radius attribute/value pairs
then you'll need the schema, but that doesn't sound like what you're
asking for.
In any event, let me know if you want the schema, I'll send it to you.
--
John Dennis
From rcritten at redhat.com Thu Dec 6 19:49:09 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Dec 2007 14:49:09 -0500
Subject: [Freeipa-devel] [PATCH] allow RDN change in UI
Message-ID: <47585235.6050801@redhat.com>
Make uid an editable field in the Edit UI so we can do RDN changes. I
pop up a javascript warning when I detect a change here to let the
updater know that the password will need to be reset. It isn't perfect
but should hit most of the time.
Fix group RDN changes and tweaked the UI to display it better. Rather
than making cn a required field it is only required if edit protected
fields is checked. This way it won't show as pink.
Remove a copy/paste error in the group UI update that caused 2 updates!?
update_group() got called twice which in itself isn't a huge problem but
when changing a group RDN it is.
Fix variable name so groups don't get user objectclasses. Oops.
Remove color CSS for field backgrounds as they override disabled field
display. The background was a baby blue but the disabled fields should
dispaly as grey. This must be handled automagically by the browser as I
could find no CSS control for detecting a javascript disabled field.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-466-rdn.patch
Type: text/x-patch
Size: 11789 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Thu Dec 6 20:57:03 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Dec 2007 15:57:03 -0500
Subject: [Freeipa-devel] [PATCH] Improve not found error reporting
Message-ID: <4758621F.1050603@redhat.com>
Improve the error message when an entry is not found.
We used to return the entire argument string ala:
('dc=freeipa,dc=org', 2, 'uid=foo', ['*'])
This adds a regex to try to try to print anything after = in the filter.
Not perfect but better.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-467-notfound.patch
Type: text/x-patch
Size: 2489 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Thu Dec 6 21:08:42 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Dec 2007 16:08:42 -0500
Subject: [Freeipa-devel] [PATCH] fix uid_hidden
Message-ID: <475864DA.2020702@redhat.com>
This patch depends on the RDN patch I sent out earlier.
The uid_hidden field needs to be retained until after validation
succeeds otherwise if it ever fails, uid_hidden will be lost which can
cause uid to not be set which cascades into lots of other errors.
uid_hidden is needed because disabled fields are not returned in a POST.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-468-hidden.patch
Type: text/x-patch
Size: 1576 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Thu Dec 6 21:16:41 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Dec 2007 16:16:41 -0500
Subject: [Freeipa-devel] [PATCH] always show edit link on your record
Message-ID: <475866B9.3080507@redhat.com>
I added code to only show the edit link for admins and editors. I've
added it back in when it is your own record. Just another way to do
self-service.
pushed the attached.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-469-editlink.patch
Type: text/x-patch
Size: 1317 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Thu Dec 6 21:58:16 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Dec 2007 16:58:16 -0500
Subject: [Freeipa-devel] [PATCH] some minor usability issues
Message-ID: <47587078.4080201@redhat.com>
I pushed the following patches that fix some minor usability issues.
1. Add an 'Edit Policy' link on the top of the IPA Policy page
2. Set the focus on the Add pages so you can immediately start typing.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-471-focus.patch
Type: text/x-patch
Size: 2367 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-470-editbutton.patch
Type: text/x-patch
Size: 951 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From kmacmill at redhat.com Thu Dec 6 22:20:41 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 06 Dec 2007 17:20:41 -0500
Subject: [Freeipa-devel] [PATCH] conver ipa-server-setupssl to python
Message-ID: <1196979641.21049.8.camel@clapton.mentalrootkit.com>
Convert the setup of ssl from a shell script to a
python module. This is in preparation for user
supplied certs.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssl-setup.patch
Type: text/x-patch
Size: 18993 bytes
Desc: not available
URL:
From kmacmill at redhat.com Thu Dec 6 22:22:39 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 06 Dec 2007 17:22:39 -0500
Subject: [Freeipa-devel] [PATCH] Finish up user-configurable objectclasses
In-Reply-To: <475780DF.8040900@redhat.com>
References: <475780DF.8040900@redhat.com>
Message-ID: <1196979759.21049.10.camel@clapton.mentalrootkit.com>
On Wed, 2007-12-05 at 23:55 -0500, Rob Crittenden wrote:
> Utilize user and group objectclass lists in cn=ipaconfig
> Change the syntax on user and group objectclasses in cn=ipaconfig. Looks
> like I goofed the first go-around.
> Move the hardcoded list into the install-time ldif
>
Pushed.
From kmacmill at redhat.com Thu Dec 6 22:24:52 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 06 Dec 2007 17:24:52 -0500
Subject: [Freeipa-devel] [PATCH] allow RDN change in UI
In-Reply-To: <47585235.6050801@redhat.com>
References: <47585235.6050801@redhat.com>
Message-ID: <1196979892.21049.12.camel@clapton.mentalrootkit.com>
On Thu, 2007-12-06 at 14:49 -0500, Rob Crittenden wrote:
> Make uid an editable field in the Edit UI so we can do RDN changes. I
> pop up a javascript warning when I detect a change here to let the
> updater know that the password will need to be reset. It isn't perfect
> but should hit most of the time.
>
> Fix group RDN changes and tweaked the UI to display it better. Rather
> than making cn a required field it is only required if edit protected
> fields is checked. This way it won't show as pink.
>
> Remove a copy/paste error in the group UI update that caused 2 updates!?
> update_group() got called twice which in itself isn't a huge problem but
> when changing a group RDN it is.
>
> Fix variable name so groups don't get user objectclasses. Oops.
>
> Remove color CSS for field backgrounds as they override disabled field
> display. The background was a baby blue but the disabled fields should
> dispaly as grey. This must be handled automagically by the browser as I
> could find no CSS control for detecting a javascript disabled field.
>
Pushed.
Only comment is that the warning dialog might say password "reset"
rather than "change". Change, to me, implies something that the user
could do with their old password. Reset, on the other hand, is an admin
action. Could just be me though.
Karl
From kmacmill at redhat.com Thu Dec 6 22:26:29 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 06 Dec 2007 17:26:29 -0500
Subject: [Freeipa-devel] [PATCH] Improve not found error reporting
In-Reply-To: <4758621F.1050603@redhat.com>
References: <4758621F.1050603@redhat.com>
Message-ID: <1196979989.21049.14.camel@clapton.mentalrootkit.com>
On Thu, 2007-12-06 at 15:57 -0500, Rob Crittenden wrote:
> Improve the error message when an entry is not found.
> We used to return the entire argument string ala:
>
> ('dc=freeipa,dc=org', 2, 'uid=foo', ['*'])
>
> This adds a regex to try to try to print anything after = in the filter.
>
> Not perfect but better.
>
Pushed.
From kmacmill at redhat.com Thu Dec 6 22:27:00 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 06 Dec 2007 17:27:00 -0500
Subject: [Freeipa-devel] [PATCH] fix uid_hidden
In-Reply-To: <475864DA.2020702@redhat.com>
References: <475864DA.2020702@redhat.com>
Message-ID: <1196980020.21049.16.camel@clapton.mentalrootkit.com>
On Thu, 2007-12-06 at 16:08 -0500, Rob Crittenden wrote:
> This patch depends on the RDN patch I sent out earlier.
>
> The uid_hidden field needs to be retained until after validation
> succeeds otherwise if it ever fails, uid_hidden will be lost which can
> cause uid to not be set which cascades into lots of other errors.
>
> uid_hidden is needed because disabled fields are not returned in a POST.
>
Pushed.
From kmacmill at redhat.com Thu Dec 6 22:30:31 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 06 Dec 2007 17:30:31 -0500
Subject: [Freeipa-devel] [PATCH] fix warning about spaces in password
Message-ID: <1196980231.21049.18.camel@clapton.mentalrootkit.com>
With the ssl setup shell script removed, spaces in passwords work fine.
I pushed this patch to remove that direction.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: passwd.patch
Type: text/x-patch
Size: 766 bytes
Desc: not available
URL:
From daobrien at redhat.com Thu Dec 6 22:38:53 2007
From: daobrien at redhat.com (David O'Brien)
Date: Fri, 07 Dec 2007 08:38:53 +1000
Subject: [Freeipa-devel] [PATCH] some minor usability issues
In-Reply-To: <47587078.4080201@redhat.com>
References: <47587078.4080201@redhat.com>
Message-ID: <475879FD.30906@redhat.com>
Rob Crittenden wrote:
> I pushed the following patches that fix some minor usability issues.
>
> 1. Add an 'Edit Policy' link on the top of the IPA Policy page
> 2. Set the focus on the Add pages so you can immediately start typing.
>
wow, that was quick ~! Thanks :) (I'm assuming you noticed the bug I
raised and that you're not psychic...)
--
David O'Brien
RHCT
Red Hat is #1 in value. Again.
http://apac.redhat.com/promo/vendor/
From rcritten at redhat.com Thu Dec 6 22:48:40 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Dec 2007 17:48:40 -0500
Subject: [Freeipa-devel] [PATCH] some minor usability issues
In-Reply-To: <475879FD.30906@redhat.com>
References: <47587078.4080201@redhat.com> <475879FD.30906@redhat.com>
Message-ID: <47587C48.1090706@redhat.com>
David O'Brien wrote:
> Rob Crittenden wrote:
>> I pushed the following patches that fix some minor usability issues.
>>
>> 1. Add an 'Edit Policy' link on the top of the IPA Policy page
>> 2. Set the focus on the Add pages so you can immediately start typing.
>>
>
> wow, that was quick ~! Thanks :) (I'm assuming you noticed the bug I
> raised and that you're not psychic...)
>
Actually, I have patches for the next 2 bugs you'll find too. I don't
want to spoil the ending so I won't tell you what they are.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Fri Dec 7 04:09:49 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Dec 2007 23:09:49 -0500
Subject: [Freeipa-devel] auto Firefox configuration status
Message-ID: <4758C78D.8080000@redhat.com>
I've looked into using the javacript function
netscape.security.PrivilegeManager.enablePrivilege() to allow modifying
the browser config.
Here are some notes to take away:
1. The javascript needs to be packaged as a signed jar. We can generate
a signing cert during our SSL setup step.
2. We'll need to create the javascript on the fly so we can customize it
to match the domain we're installing IPA into. The existing template
system should work fine.
3. The browser needs to trust the CA that is presenting the signed jar.
A semi- chicken and egg problem. As long as the user goes to an SSL site
signed by our temporary CA we're fine (our IPA web server, for example).
But if they get their account and hit some other SSO site their browser
will not be setup. We may have to live with this. The code should be
easily transportable though.
Alternatively they can use their own CA to sign our code.
Oh, and you get a huge, ugly, nasty time-delayed warning about having
your preferences written to.
I still have a fair bit of clean up to do before I can start integrating
it into IPA (remembering how I issued the signing cert for one). I
should have something to at least demo in the next day or two.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From j.barber at dundee.ac.uk Fri Dec 7 09:45:13 2007
From: j.barber at dundee.ac.uk (Jonathan Barber)
Date: Fri, 7 Dec 2007 09:45:13 +0000
Subject: [Freeipa-devel] ipa_pwd_extop killing FDS 1.0.4 on Centos 5.1
Message-ID: <20071207094513.GK23035@flea.lifesci.dundee.ac.uk>
Hi, I'm looking at porting the ipa_pwd_extop plugin to run on our
existing FDS 1.0.4 servers, and have got it running under Centos 5.1
fine for the kerberos hashes.
However, when the plugin comes to update the samba hashes in
ipapwd_SetPassword(), it crashes the server.
It appears (from a generous dollop of log statements) to be halting in
encode_ntlm_keys() on the first calls to either DES_set_key_unchecked()
or MD4_Init() depending on which hashes I set to be generated, so on the
face of things it would appear to be related to openssl somehow.
Needless to say, a simple program calling these functions from the
openssl library works fine on the system.
Can anyone offer insight as to what be causing the crash?
Cheers.
--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389
From rcritten at redhat.com Fri Dec 7 14:18:38 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 07 Dec 2007 09:18:38 -0500
Subject: [Freeipa-devel] [PATCH] conver ipa-server-setupssl to python
In-Reply-To: <1196979641.21049.8.camel@clapton.mentalrootkit.com>
References: <1196979641.21049.8.camel@clapton.mentalrootkit.com>
Message-ID: <4759563E.7000200@redhat.com>
Karl MacMillan wrote:
> Convert the setup of ssl from a shell script to a
> python module. This is in preparation for user
> supplied certs.
>
>
A good start but there are a number of issues with this:
It shouldn't be assumed that all cert operations will be done using the
FDS cert database. For example, with the web server it uses a separate
database. Multiple servers should share the same cert database.
The -m flag sets the cert serial number. This needs to be unique for
each certificate issued by a CA. Probably need to store the last serial
# used in a file somewhere and increment with each new cert (with
locking, of course).
Would it make sense to move strings like "CA Certificate" into variables
(or arguments) so it is easier to change later?
I think the argument for certutil -v should be an argument or fixed
variable as well (this defines the number of months the cert is valid for).
I think we need to document what we are passing to the -1 and -5
certutil arguments (I'm glad you included it). They are:
-1 (Create key usage extension)
2 - Key encipherment
9 - done
n - not critical
-5 (Create netscape cert type extension)
1 - SSL Server
9 - done
n - not critical
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Fri Dec 7 15:18:45 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 07 Dec 2007 10:18:45 -0500
Subject: [Freeipa-devel] [PATCH] fix CSS to show required fields
In-Reply-To: <47570F2D.1090003@redhat.com>
References: <47570F2D.1090003@redhat.com>
Message-ID: <47596455.9010805@redhat.com>
Rob Crittenden wrote:
> Add back in some CSS that was removed in the big UI update.
> This adds back required field colors and colored error and warning msgs.
>
> rob
Pushed after discussing with Karl.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From kmacmill at redhat.com Fri Dec 7 17:20:58 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Fri, 07 Dec 2007 12:20:58 -0500
Subject: [Freeipa-devel] [PATCH] conver ipa-server-setupssl to python
In-Reply-To: <4759563E.7000200@redhat.com>
References: <1196979641.21049.8.camel@clapton.mentalrootkit.com>
<4759563E.7000200@redhat.com>
Message-ID: <1197048058.27913.0.camel@clapton.mentalrootkit.com>
On Fri, 2007-12-07 at 09:18 -0500, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > Convert the setup of ssl from a shell script to a
> > python module. This is in preparation for user
> > supplied certs.
> >
> >
>
> A good start but there are a number of issues with this:
>
Updated patch attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: certs.patch
Type: text/x-patch
Size: 20378 bytes
Desc: not available
URL:
From ssorce at redhat.com Fri Dec 7 17:55:41 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 07 Dec 2007 12:55:41 -0500
Subject: [Freeipa-devel] ipa_pwd_extop killing FDS 1.0.4 on Centos 5.1
In-Reply-To: <20071207094513.GK23035@flea.lifesci.dundee.ac.uk>
References: <20071207094513.GK23035@flea.lifesci.dundee.ac.uk>
Message-ID: <1197050141.23679.24.camel@localhost.localdomain>
On Fri, 2007-12-07 at 09:45 +0000, Jonathan Barber wrote:
> Hi, I'm looking at porting the ipa_pwd_extop plugin to run on our
> existing FDS 1.0.4 servers, and have got it running under Centos 5.1
> fine for the kerberos hashes.
>
> However, when the plugin comes to update the samba hashes in
> ipapwd_SetPassword(), it crashes the server.
Can you get a stack trace?
In my testing I never had a problem, but as samba is a lower priority at
this moment I haven't actually tested the ntlm generation since a while,
I will do some testing too.
> It appears (from a generous dollop of log statements) to be halting in
> encode_ntlm_keys() on the first calls to either DES_set_key_unchecked()
> or MD4_Init() depending on which hashes I set to be generated, so on the
> face of things it would appear to be related to openssl somehow.
Or maybe we pass a bogus pointer somewhere, a stack trace would be great
in pointing that out.
> Needless to say, a simple program calling these functions from the
> openssl library works fine on the system.
>
> Can anyone offer insight as to what be causing the crash?
Not without debugging info.
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From kmacmill at redhat.com Fri Dec 7 19:37:11 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Fri, 07 Dec 2007 14:37:11 -0500
Subject: [Freeipa-devel] [RFC] certificate utilities for freeipa
Message-ID: <1197056231.27913.26.camel@clapton.mentalrootkit.com>
I'm working on a tool to simplify management of user provided certs for
IPA (partial version attached). Let me give some background on what I
think we are trying to accomplish and then ask for some specific input.
When we bootstrap an IPA server we generate a set of certs for the
directory server instance and web server from a CA cert we generate
during installation. This is to give users a working installation, but
our assumption is that many (hopefully all) users will then want to
install certs generated from a public certificate authority or from an
existing internal CA.
I'm trying to make this process easier for them. The tool I have accepts
a certificate in pkcs#12, creates a new NSS db, and imports the cert. So
something like:
ipa-server-certinstall --dirsrv mycert.p12
[This must be run on the server]
The main value here is that it is a single step and they don't need to
know anything about where the certs are installed (or muck with apache
or ds config since we did that during installation).
Questions:
1) Does this overall workflow make sense? Will it work with certs
provided by most large CAs?
2) Is the value provided really enough, or should we just document how
to use the native tools (my thought is we should provide this tool, but
I thought I would ask).
3) The pkcs#12 files I export from an NSS database seem to pull in the
whole chain (so it includes the CA cert). Is this typical? Can I
therefore have the utility only accept a single pkcs12 file?
4) After import the CA cert has different trust flags than in the
original NSS db (not certain if the change is at export or import). Any
way to control this? The main problem is that I can't use certutil -M
after the fact because I don't know the name of the CA cert (or certs)
without parsing the pkcs#12 file.
5) How should I handle pin files?
6) What about cert nicknames - we assume Server-Cert right now for both
the directory server and apache. I'm not even clear on how that nickname
is set in the pkcs#12 file when it originates from something other than
a pk12util export for an NSS db.
Karl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: user-certs.patch
Type: text/x-patch
Size: 3827 bytes
Desc: not available
URL:
From rcritten at redhat.com Fri Dec 7 20:02:34 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 07 Dec 2007 15:02:34 -0500
Subject: [Freeipa-devel] [PATCH] fix delegation
Message-ID: <4759A6DA.9080107@redhat.com>
Fix delegation in the UI and add a missing aci that allows writes.
Make ipa-deldelegation more user-friendly.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-472-delegation.patch
Type: text/x-patch
Size: 2846 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rmeggins at redhat.com Fri Dec 7 20:36:45 2007
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 07 Dec 2007 13:36:45 -0700
Subject: [Freeipa-devel] Re: [RFC] certificate utilities for freeipa
In-Reply-To: <1197056231.27913.26.camel@clapton.mentalrootkit.com>
References: <1197056231.27913.26.camel@clapton.mentalrootkit.com>
Message-ID: <4759AEDD.4090509@redhat.com>
Karl MacMillan wrote:
> I'm working on a tool to simplify management of user provided certs for
> IPA (partial version attached). Let me give some background on what I
> think we are trying to accomplish and then ask for some specific input.
>
> When we bootstrap an IPA server we generate a set of certs for the
> directory server instance and web server from a CA cert we generate
> during installation. This is to give users a working installation, but
> our assumption is that many (hopefully all) users will then want to
> install certs generated from a public certificate authority or from an
> existing internal CA.
>
> I'm trying to make this process easier for them. The tool I have accepts
> a certificate in pkcs#12, creates a new NSS db, and imports the cert. So
> something like:
>
> ipa-server-certinstall --dirsrv mycert.p12
>
> [This must be run on the server]
>
> The main value here is that it is a single step and they don't need to
> know anything about where the certs are installed (or muck with apache
> or ds config since we did that during installation).
>
> Questions:
>
> 1) Does this overall workflow make sense? Will it work with certs
> provided by most large CAs?
>
I think the main way to get certs should be to generate a CSR and send
to the CA, get the signed cert from the CA, and install the signed cert.
> 2) Is the value provided really enough, or should we just document how
> to use the native tools (my thought is we should provide this tool, but
> I thought I would ask).
>
In my experience with directory server, scripts are the best solution.
Automated would be much better.
> 3) The pkcs#12 files I export from an NSS database seem to pull in the
> whole chain (so it includes the CA cert). Is this typical? Can I
> therefore have the utility only accept a single pkcs12 file?
>
Not sure. I don't know if you will have this same issue if you go the
CSR route.
> 4) After import the CA cert has different trust flags than in the
> original NSS db (not certain if the change is at export or import). Any
> way to control this? The main problem is that I can't use certutil -M
> after the fact because I don't know the name of the CA cert (or certs)
> without parsing the pkcs#12 file.
>
Hmm - don't know about this one.
> 5) How should I handle pin files?
>
You have 3 options:
1) Have a locked key db (the default) and provide the clear text pin
somewhere
2) Have an unlocked key db - use modutil -changepw
3) Use some sort of HSM or other crypto hardware
1 and 2 are similar, but 2 has fewer moving parts, so would be simpler.
I'm not sure how servers that use openssl handle this - I suppose they
just put the private key unprotected in a file and chmod 400 that file.
> 6) What about cert nicknames - we assume Server-Cert right now for both
> the directory server and apache. I'm not even clear on how that nickname
> is set in the pkcs#12 file when it originates from something other than
> a pk12util export for an NSS db.
>
I'm not sure where the name comes from either.
> Karl
>
> ------------------------------------------------------------------------
>
> # HG changeset patch
> # User "Karl MacMillan "
> # Date 1197055306 18000
> # Node ID ad0bdbb5d9352d4d77b6884e210e3471f07b34c1
> # Parent b2faa98d97a41ddce694a782b67f2d85ae03332f
> Add cert installation utility.
>
> diff -r b2faa98d97a4 -r ad0bdbb5d935 ipa-server/ipa-install/Makefile.am
> --- a/ipa-server/ipa-install/Makefile.am Fri Dec 07 12:19:29 2007 -0500
> +++ b/ipa-server/ipa-install/Makefile.am Fri Dec 07 14:21:46 2007 -0500
> @@ -8,6 +8,7 @@ sbin_SCRIPTS = \
> ipa-server-install \
> ipa-replica-install \
> ipa-replica-prepare \
> + ipa-server-certinstall \
> $(NULL)
>
> EXTRA_DIST = \
> diff -r b2faa98d97a4 -r ad0bdbb5d935 ipa-server/ipa-install/ipa-server-certinstall
> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
> +++ b/ipa-server/ipa-install/ipa-server-certinstall Fri Dec 07 14:21:46 2007 -0500
> @@ -0,0 +1,78 @@
> +#! /usr/bin/python -E
> +# Authors: Karl MacMillan
> +#
> +# Copyright (C) 2007 Red Hat
> +# see file 'COPYING' for use and warranty information
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU General Public License as
> +# published by the Free Software Foundation; version 2 or later
> +#
> +# This program is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program; if not, write to the Free Software
> +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> +#
> +
> +import sys
> +sys.path.append("/usr/share/ipa")
> +
> +import krbV
> +
> +from ipaserver import certs, dsinstance, httpinstance
> +
> +def get_realm_name():
> + c = krbV.default_context()
> + return c.default_realm
> +
> +def parse_options():
> + from optparse import OptionParser
> + parser = OptionParser()
> +
> + parser.add_option("-d", "--dirsrv", dest="dirsrv", action="store_true",
> + default=False, help="install certificate for the directory server")
> + parser.add_option("-w", "--http", dest="http", action="store_true",
> + default=False, help="install certificate for the http server")
> +
> +
> + options, args = parser.parse_args()
> +
> + if not options.dirsrv and not options.http:
> + parser.error("you must specify dirsrv and/or http")
> +
> + if len(args) != 1:
> + parser.error("you must provide a pkcs12 filename")
> +
> + return options, args[0]
> +
> +def import_cert(dirname, pkcs12_fname):
> + cdb = certs.CertDB(dirname)
> + cdb.create_passwd_file(False)
> + cdb.create_certdbs()
> + cdb.import_pkcs12(pkcs12_fname)
> +
> +def main():
> + options, pkcs12_fname = parse_options()
> +
> + try:
> + if options.dirsrv:
> + realm = get_realm_name()
> + dirname = dsinstance.config_dirname(realm)
> + import_cert(dirname, pkcs12_fname)
> +
> + if options.http:
> + dirname = httpinstance.NSS_DIR
> + import_cert(dirname, pkcs12_fname)
> +
> + except Exception, e:
> + print "an unexpected error occurred: %s" % str(e)
> + return 1
> +
> + return 0
> +
> +
> +sys.exit(main())
> diff -r b2faa98d97a4 -r ad0bdbb5d935 ipa-server/ipaserver/certs.py
> --- a/ipa-server/ipaserver/certs.py Fri Dec 07 12:19:29 2007 -0500
> +++ b/ipa-server/ipaserver/certs.py Fri Dec 07 14:21:46 2007 -0500
> @@ -196,6 +196,10 @@ class CertDB(object):
> f.close()
> self.set_perms(self.pin_fname)
>
> + def import_pkcs12(self, pkcs12_fname):
> + ipautil.run(["/usr/bin/pk12util", "-d", self.secdir,
> + "-i", pkcs12_fname])
> +
> def create_self_signed(self, passwd=True):
> self.create_noise_file()
> self.create_passwd_file(passwd)
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Fri Dec 7 21:02:02 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 07 Dec 2007 16:02:02 -0500
Subject: [Freeipa-devel] [PATCH] rework command-line input validation
Message-ID: <4759B4CA.1070401@redhat.com>
Rework input validation to more closely match what we require in the UI
TurboGears has a PlainText and a String validator type. I had combined
them into one in the cmdline so was much stricter than the UI. Loosened
things up a bit.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-473-validate.patch
Type: text/x-patch
Size: 15277 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Fri Dec 7 22:07:08 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 07 Dec 2007 17:07:08 -0500
Subject: [Freeipa-devel] [PATCH] conver ipa-server-setupssl to python
In-Reply-To: <1197048058.27913.0.camel@clapton.mentalrootkit.com>
References: <1196979641.21049.8.camel@clapton.mentalrootkit.com>
<4759563E.7000200@redhat.com>
<1197048058.27913.0.camel@clapton.mentalrootkit.com>
Message-ID: <4759C40C.2060306@redhat.com>
Karl MacMillan wrote:
> On Fri, 2007-12-07 at 09:18 -0500, Rob Crittenden wrote:
>> Karl MacMillan wrote:
>>> Convert the setup of ssl from a shell script to a
>>> python module. This is in preparation for user
>>> supplied certs.
>>>
>>>
>> A good start but there are a number of issues with this:
>>
>
> Updated patch attached.
>
Need to put a try/except around ipautil.run calls in certs.py
Probably need to put a try/except around os.rename calls in ipautil.py
I don't think there is a need to backup any existing noise files. In
fact, we probably want to remove this when we're done generating certs.
As a style thing you have a bunch of whitespace at the end of certs.py :-)
Otherwise looks fine. I wrote a little stub program that uses this
module and it worked fine.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From ssorce at redhat.com Sat Dec 8 00:18:29 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 07 Dec 2007 19:18:29 -0500
Subject: [Freeipa-devel] ipa_pwd_extop killing FDS 1.0.4 on Centos 5.1
In-Reply-To: <20071207094513.GK23035@flea.lifesci.dundee.ac.uk>
References: <20071207094513.GK23035@flea.lifesci.dundee.ac.uk>
Message-ID: <1197073110.6975.5.camel@localhost.localdomain>
On Fri, 2007-12-07 at 09:45 +0000, Jonathan Barber wrote:
> Hi, I'm looking at porting the ipa_pwd_extop plugin to run on our
> existing FDS 1.0.4 servers, and have got it running under Centos 5.1
> fine for the kerberos hashes.
>
> However, when the plugin comes to update the samba hashes in
> ipapwd_SetPassword(), it crashes the server.
>
> It appears (from a generous dollop of log statements) to be halting in
> encode_ntlm_keys() on the first calls to either DES_set_key_unchecked()
> or MD4_Init() depending on which hashes I set to be generated, so on the
> face of things it would appear to be related to openssl somehow.
> Needless to say, a simple program calling these functions from the
> openssl library works fine on the system.
>
> Can anyone offer insight as to what be causing the crash?
Ok it's not even a crash, the dynamic linker simply freaks out because
for some reason during the conversion to auto tools the linking with
openssl libraries was lost and the symbol is simply not found.
Working to fix this, thanks for the report.
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From ssorce at redhat.com Sat Dec 8 01:20:27 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 07 Dec 2007 20:20:27 -0500
Subject: [Freeipa-devel] ipa_pwd_extop killing FDS 1.0.4 on Centos 5.1
In-Reply-To: <1197073110.6975.5.camel@localhost.localdomain>
References: <20071207094513.GK23035@flea.lifesci.dundee.ac.uk>
<1197073110.6975.5.camel@localhost.localdomain>
Message-ID: <1197076827.4368.0.camel@localhost.localdomain>
On Fri, 2007-12-07 at 19:18 -0500, Simo Sorce wrote:
> On Fri, 2007-12-07 at 09:45 +0000, Jonathan Barber wrote:
> > Hi, I'm looking at porting the ipa_pwd_extop plugin to run on our
> > existing FDS 1.0.4 servers, and have got it running under Centos 5.1
> > fine for the kerberos hashes.
> >
> > However, when the plugin comes to update the samba hashes in
> > ipapwd_SetPassword(), it crashes the server.
> >
> > It appears (from a generous dollop of log statements) to be halting in
> > encode_ntlm_keys() on the first calls to either DES_set_key_unchecked()
> > or MD4_Init() depending on which hashes I set to be generated, so on the
> > face of things it would appear to be related to openssl somehow.
> > Needless to say, a simple program calling these functions from the
> > openssl library works fine on the system.
> >
> > Can anyone offer insight as to what be causing the crash?
>
> Ok it's not even a crash, the dynamic linker simply freaks out because
> for some reason during the conversion to auto tools the linking with
> openssl libraries was lost and the symbol is simply not found.
>
> Working to fix this, thanks for the report.
Ok I committed and pushed configure.ac and Makefile.ac code that fixes
this.
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From j.barber at dundee.ac.uk Mon Dec 10 14:55:14 2007
From: j.barber at dundee.ac.uk (Jonathan Barber)
Date: Mon, 10 Dec 2007 14:55:14 +0000
Subject: [Freeipa-devel] ipa_pwd_extop killing FDS 1.0.4 on Centos 5.1
In-Reply-To: <1197076827.4368.0.camel@localhost.localdomain>
References: <20071207094513.GK23035@flea.lifesci.dundee.ac.uk>
<1197073110.6975.5.camel@localhost.localdomain>
<1197076827.4368.0.camel@localhost.localdomain>
Message-ID: <20071210145514.GD16592@flea.lifesci.dundee.ac.uk>
On Fri, Dec 07, 2007 at 08:20:27PM -0500, Simo Sorce wrote:
>
> On Fri, 2007-12-07 at 19:18 -0500, Simo Sorce wrote:
> > On Fri, 2007-12-07 at 09:45 +0000, Jonathan Barber wrote:
> > > Hi, I'm looking at porting the ipa_pwd_extop plugin to run on our
> > > existing FDS 1.0.4 servers, and have got it running under Centos 5.1
> > > fine for the kerberos hashes.
> > >
> > > However, when the plugin comes to update the samba hashes in
> > > ipapwd_SetPassword(), it crashes the server.
> > >
> > > It appears (from a generous dollop of log statements) to be halting in
> > > encode_ntlm_keys() on the first calls to either DES_set_key_unchecked()
> > > or MD4_Init() depending on which hashes I set to be generated, so on the
> > > face of things it would appear to be related to openssl somehow.
> > > Needless to say, a simple program calling these functions from the
> > > openssl library works fine on the system.
> > >
> > > Can anyone offer insight as to what be causing the crash?
> >
> > Ok it's not even a crash, the dynamic linker simply freaks out because
> > for some reason during the conversion to auto tools the linking with
> > openssl libraries was lost and the symbol is simply not found.
> >
> > Working to fix this, thanks for the report.
>
> Ok I committed and pushed configure.ac and Makefile.ac code that fixes
> this.
Bargin, that worked a treat.
Cheers.
> Simo.
>
> --
> | Simo S Sorce |
> | Sr.Soft.Eng. |
> | Red Hat, Inc |
> | New York, NY |
>
--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389
From rcritten at redhat.com Mon Dec 10 14:59:42 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Dec 2007 09:59:42 -0500
Subject: [Freeipa-devel] [PATCH] add missing files to Makefile
Message-ID: <475D545E.4080103@redhat.com>
Add some missing files related to service principal management to
ipa-server/ipa-gui/ipagui/templates/Makefile.am
I pushed this.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-466-princ.patch
Type: text/x-patch
Size: 725 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Mon Dec 10 16:53:22 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Dec 2007 11:53:22 -0500
Subject: [Freeipa-devel] [PATCH] Add default e-mail domain to cn=IPAConfig
Message-ID: <475D6F02.4040201@redhat.com>
This adds the default domain to the IPA configuration. This is used in
the UI auto-suggest for e-mail addresses.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-475-mail.patch
Type: text/x-patch
Size: 9330 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Mon Dec 10 16:55:49 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Dec 2007 11:55:49 -0500
Subject: [Freeipa-devel] [PATCH] rename some labels
Message-ID: <475D6F95.8060306@redhat.com>
It was discussed a few weeks ago to use First/Last name instead of
Given/Surname. Here is a patch to fix the UI.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-477-name.patch
Type: text/x-patch
Size: 1096 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From ssorce at redhat.com Mon Dec 10 16:57:36 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 10 Dec 2007 11:57:36 -0500
Subject: [Freeipa-devel] [PATCH] Add default e-mail domain to cn=IPAConfig
In-Reply-To: <475D6F02.4040201@redhat.com>
References: <475D6F02.4040201@redhat.com>
Message-ID: <1197305856.31890.9.camel@localhost.localdomain>
On Mon, 2007-12-10 at 11:53 -0500, Rob Crittenden wrote:
> This adds the default domain to the IPA configuration. This is used
> in
> the UI auto-suggest for e-mail addresses.
Looks ok,
thanks.
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From rcritten at redhat.com Mon Dec 10 18:34:03 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Dec 2007 13:34:03 -0500
Subject: [Freeipa-devel] [PATCH] Add default e-mail domain to cn=IPAConfig
In-Reply-To: <1197305856.31890.9.camel@localhost.localdomain>
References: <475D6F02.4040201@redhat.com>
<1197305856.31890.9.camel@localhost.localdomain>
Message-ID: <475D869B.4080608@redhat.com>
Simo Sorce wrote:
> On Mon, 2007-12-10 at 11:53 -0500, Rob Crittenden wrote:
>> This adds the default domain to the IPA configuration. This is used
>> in
>> the UI auto-suggest for e-mail addresses.
>
> Looks ok,
> thanks.
>
> Simo.
>
Thanks, pushed.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From ssorce at redhat.com Mon Dec 10 20:20:47 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 10 Dec 2007 15:20:47 -0500
Subject: [Freeipa-devel] [PATCH] rework command-line input validation
In-Reply-To: <4759B4CA.1070401@redhat.com>
References: <4759B4CA.1070401@redhat.com>
Message-ID: <1197318047.4564.0.camel@localhost.localdomain>
On Fri, 2007-12-07 at 16:02 -0500, Rob Crittenden wrote:
> Rework input validation to more closely match what we require in the UI
>
> TurboGears has a PlainText and a String validator type. I had combined
> them into one in the cmdline so was much stricter than the UI. Loosened
> things up a bit.
Looks ok.
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From ssorce at redhat.com Mon Dec 10 20:21:24 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 10 Dec 2007 15:21:24 -0500
Subject: [Freeipa-devel] [PATCH] fix delegation
In-Reply-To: <4759A6DA.9080107@redhat.com>
References: <4759A6DA.9080107@redhat.com>
Message-ID: <1197318084.4564.2.camel@localhost.localdomain>
On Fri, 2007-12-07 at 15:02 -0500, Rob Crittenden wrote:
> Fix delegation in the UI and add a missing aci that allows writes.
>
> Make ipa-deldelegation more user-friendly.
Ack.
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From rcritten at redhat.com Mon Dec 10 20:44:21 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Dec 2007 15:44:21 -0500
Subject: [Freeipa-devel] [PATCH] rework command-line input validation
In-Reply-To: <1197318047.4564.0.camel@localhost.localdomain>
References: <4759B4CA.1070401@redhat.com>
<1197318047.4564.0.camel@localhost.localdomain>
Message-ID: <475DA525.7070601@redhat.com>
Simo Sorce wrote:
> On Fri, 2007-12-07 at 16:02 -0500, Rob Crittenden wrote:
>> Rework input validation to more closely match what we require in the UI
>>
>> TurboGears has a PlainText and a String validator type. I had combined
>> them into one in the cmdline so was much stricter than the UI. Loosened
>> things up a bit.
>
> Looks ok.
> Simo.
>
Pushed
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Mon Dec 10 20:44:28 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Dec 2007 15:44:28 -0500
Subject: [Freeipa-devel] [PATCH] fix delegation
In-Reply-To: <1197318084.4564.2.camel@localhost.localdomain>
References: <4759A6DA.9080107@redhat.com>
<1197318084.4564.2.camel@localhost.localdomain>
Message-ID: <475DA52C.6060800@redhat.com>
Simo Sorce wrote:
> On Fri, 2007-12-07 at 15:02 -0500, Rob Crittenden wrote:
>> Fix delegation in the UI and add a missing aci that allows writes.
>>
>> Make ipa-deldelegation more user-friendly.
>
> Ack.
>
> Simo.
>
Pushed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Mon Dec 10 21:13:03 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Dec 2007 16:13:03 -0500
Subject: [Freeipa-devel] [PATCH] simple command-line selector
Message-ID: <475DABDF.2010704@redhat.com>
Add simple UI for command-line programs to be able to select when
multiple entries are returned.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-498-select.patch
Type: text/x-patch
Size: 11220 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From ssorce at redhat.com Mon Dec 10 21:33:36 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 10 Dec 2007 16:33:36 -0500
Subject: [Freeipa-devel] [PATCH] move dnsclient to ipa-python
Message-ID: <1197322416.5956.1.camel@hopeson>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-465-ipa.dnsclient.patch
Type: text/x-patch
Size: 25692 bytes
Desc: not available
URL:
From rcritten at redhat.com Mon Dec 10 21:36:35 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Dec 2007 16:36:35 -0500
Subject: [Freeipa-devel] [PATCH] move dnsclient to ipa-python
In-Reply-To: <1197322416.5956.1.camel@hopeson>
References: <1197322416.5956.1.camel@hopeson>
Message-ID: <475DB163.3090109@redhat.com>
Simo Sorce wrote:
>
> ------------------------------------------------------------------------
Looks ok.
Why move it, to make it more available?
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From ssorce at redhat.com Mon Dec 10 21:52:01 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 10 Dec 2007 16:52:01 -0500
Subject: [Freeipa-devel] [PATCH] move dnsclient to ipa-python
In-Reply-To: <475DB163.3090109@redhat.com>
References: <1197322416.5956.1.camel@hopeson> <475DB163.3090109@redhat.com>
Message-ID: <1197323521.5339.0.camel@localhost.localdomain>
On Mon, 2007-12-10 at 16:36 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> >
> > ------------------------------------------------------------------------
>
> Looks ok.
>
> Why move it, to make it more available?
Implementing discovery for admin tools via ipa.config
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From rcritten at redhat.com Mon Dec 10 22:44:34 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Dec 2007 17:44:34 -0500
Subject: [Freeipa-devel] [PATCH] Use title case for labels
Message-ID: <475DC152.70902@redhat.com>
The use of case with labels wasn't consistent.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-499-labels.patch
Type: text/x-patch
Size: 2953 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From ssorce at redhat.com Mon Dec 10 22:55:14 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 10 Dec 2007 17:55:14 -0500
Subject: [Freeipa-devel] [PATCH] Use title case for labels
In-Reply-To: <475DC152.70902@redhat.com>
References: <475DC152.70902@redhat.com>
Message-ID: <1197327314.5339.2.camel@localhost.localdomain>
On Mon, 2007-12-10 at 17:44 -0500, Rob Crittenden wrote:
> The use of case with labels wasn't consistent.
Ack.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From rcritten at redhat.com Mon Dec 10 23:06:18 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Dec 2007 18:06:18 -0500
Subject: [Freeipa-devel] [PATCH] Use title case for labels
In-Reply-To: <1197327314.5339.2.camel@localhost.localdomain>
References: <475DC152.70902@redhat.com>
<1197327314.5339.2.camel@localhost.localdomain>
Message-ID: <475DC66A.6010605@redhat.com>
Simo Sorce wrote:
> On Mon, 2007-12-10 at 17:44 -0500, Rob Crittenden wrote:
>> The use of case with labels wasn't consistent.
>
> Ack.
>
Thanks. Pushed.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Tue Dec 11 02:58:09 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Dec 2007 21:58:09 -0500
Subject: [Freeipa-devel] [PATCH] move sort arrow to left of column
Message-ID: <475DFCC1.9070401@redhat.com>
This CSS change moves the sort arrow to the left of a column and gives
it some room so we don't overlap.
I've pushed this change.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-500-sort.patch
Type: text/x-patch
Size: 860 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Tue Dec 11 14:14:42 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Dec 2007 09:14:42 -0500
Subject: [Freeipa-devel] [PATCH] search for multiple things
Message-ID: <475E9B52.5070206@redhat.com>
There was a discussion a few weeks ago about searching for "Bill Ben"
not returning both Bill AND Ben records. Pete insisted that this was a
regression though I could find nothing in the repo history that would
have affected this. It could have been some uncommitted patch, I don't know.
In any case, I think this will fix it.
diff -r 7e77cf165b4a ipa-server/xmlrpc-server/funcs.py
--- a/ipa-server/xmlrpc-server/funcs.py Mon Dec 10 21:55:12 2007 -0500
+++ b/ipa-server/xmlrpc-server/funcs.py Tue Dec 11 09:13:12 2007 -0500
@@ -319,8 +319,8 @@ class IPAServer:
gen_search_pattern = lambda word: search_pattern % {'match':word}
# construct the giant match for all words
- exact_match_filter = "(&"
- partial_match_filter = "(&"
+ exact_match_filter = "(|"
+ partial_match_filter = "(|"
for word in criteria_words:
exact_match_filter += gen_search_pattern(word)
partial_match_filter += gen_search_pattern("*%s*" % word)
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Tue Dec 11 14:59:03 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Dec 2007 09:59:03 -0500
Subject: [Freeipa-devel] [PATCH] improved XML-RPC debugging
Message-ID: <475EA5B7.1090107@redhat.com>
Tied the debug logging to the IPADebug option in /etc/httpd/conf.d/ipa.conf.
The output goes to the Apache error log and the format is similar to
Apache's.
So now anywhere in funcs.py you can add "logging.debug(...)" and have it
spit out in the Apache error log.
I've tended to prefix errors with the string IPA: so it is easier to
find stuff but it isn't required.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-501-debug.patch
Type: text/x-patch
Size: 2800 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Tue Dec 11 15:31:10 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Dec 2007 10:31:10 -0500
Subject: [Freeipa-devel] XML-RPC API: update_*
Message-ID: <475EAD3E.2020600@redhat.com>
The XML-RPC interface for updating things is a bit funky. One needs to
pass in the original entry and the new one and those are diffed and
committed by the API.
Kevin liked doing it this way because it decreased the chance of mid-air
collisions.
So if admin A and admin B both edited user U at the same time but
updated different fields both commits would succeed if we send the
original record. Otherwise one would stomp on the other.
That is fine but not everyone will want to carry the original data
around merely to pass it back. I'm proposing a compromise: we provide both.
I want to make it support an empty record ('') for old. If that happens
then we look up the current record and use that as the "old" entry.
Otherwise we use the one passed in. Alternatively I could create a
separate set of calls, one that handles old and new and one that just
handles new but that might be even more confusing.
Opinions?
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From kmacmill at redhat.com Tue Dec 11 15:33:37 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 11 Dec 2007 10:33:37 -0500
Subject: [Freeipa-devel] XML-RPC API: update_*
In-Reply-To: <475EAD3E.2020600@redhat.com>
References: <475EAD3E.2020600@redhat.com>
Message-ID: <1197387217.27716.32.camel@clapton.mentalrootkit.com>
On Tue, 2007-12-11 at 10:31 -0500, Rob Crittenden wrote:
> The XML-RPC interface for updating things is a bit funky. One needs to
> pass in the original entry and the new one and those are diffed and
> committed by the API.
>
> Kevin liked doing it this way because it decreased the chance of mid-air
> collisions.
>
> So if admin A and admin B both edited user U at the same time but
> updated different fields both commits would succeed if we send the
> original record. Otherwise one would stomp on the other.
>
> That is fine but not everyone will want to carry the original data
> around merely to pass it back. I'm proposing a compromise: we provide both.
>
> I want to make it support an empty record ('') for old. If that happens
> then we look up the current record and use that as the "old" entry.
> Otherwise we use the one passed in. Alternatively I could create a
> separate set of calls, one that handles old and new and one that just
> handles new but that might be even more confusing.
>
> Opinions?
>
The empty record idea sounds good to me.
Karl
From ssorce at redhat.com Tue Dec 11 16:01:50 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 11 Dec 2007 11:01:50 -0500
Subject: [Freeipa-devel] [PATCH] Make admintools able to discover IPA servers
Message-ID: <1197388910.29168.1.camel@hopeson>
This makes it possible to completely remove ipa.conf in theory, but we
still keep it around just in case discovery fails for some reason.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-466-admintools-discovery.patch
Type: text/x-patch
Size: 3218 bytes
Desc: not available
URL:
From ssorce at redhat.com Tue Dec 11 16:17:38 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 11 Dec 2007 11:17:38 -0500
Subject: [Freeipa-devel] [PATCH] improved XML-RPC debugging
In-Reply-To: <475EA5B7.1090107@redhat.com>
References: <475EA5B7.1090107@redhat.com>
Message-ID: <1197389858.20875.3.camel@localhost.localdomain>
On Tue, 2007-12-11 at 09:59 -0500, Rob Crittenden wrote:
> Tied the debug logging to the IPADebug option
> in /etc/httpd/conf.d/ipa.conf.
>
> The output goes to the Apache error log and the format is similar to
> Apache's.
>
> So now anywhere in funcs.py you can add "logging.debug(...)" and have
> it
> spit out in the Apache error log.
>
> I've tended to prefix errors with the string IPA: so it is easier to
> find stuff but it isn't required.
Good!
Thanks!
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From ssorce at redhat.com Tue Dec 11 16:19:29 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 11 Dec 2007 11:19:29 -0500
Subject: [Freeipa-devel] [PATCH] search for multiple things
In-Reply-To: <475E9B52.5070206@redhat.com>
References: <475E9B52.5070206@redhat.com>
Message-ID: <1197389969.20875.6.camel@localhost.localdomain>
On Tue, 2007-12-11 at 09:14 -0500, Rob Crittenden wrote:
> There was a discussion a few weeks ago about searching for "Bill Ben"
> not returning both Bill AND Ben records. Pete insisted that this was a
> regression though I could find nothing in the repo history that would
> have affected this. It could have been some uncommitted patch, I don't know.
>
> In any case, I think this will fix it.
>
> diff -r 7e77cf165b4a ipa-server/xmlrpc-server/funcs.py
> --- a/ipa-server/xmlrpc-server/funcs.py Mon Dec 10 21:55:12 2007 -0500
> +++ b/ipa-server/xmlrpc-server/funcs.py Tue Dec 11 09:13:12 2007 -0500
> @@ -319,8 +319,8 @@ class IPAServer:
> gen_search_pattern = lambda word: search_pattern % {'match':word}
>
> # construct the giant match for all words
> - exact_match_filter = "(&"
> - partial_match_filter = "(&"
> + exact_match_filter = "(|"
> + partial_match_filter = "(|"
> for word in criteria_words:
> exact_match_filter += gen_search_pattern(word)
> partial_match_filter += gen_search_pattern("*%s*" % word)
Rob I have not looked at the code that encapsulate this snippet yet, but
from the names I have the sensation that he right fix would be instead:
exact_match_filter = "(&"
partial_match_filter = "(|"
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From jdennis at redhat.com Tue Dec 11 16:39:04 2007
From: jdennis at redhat.com (John Dennis)
Date: Tue, 11 Dec 2007 11:39:04 -0500
Subject: [Freeipa-devel] XML-RPC API: update_*
In-Reply-To: <475EAD3E.2020600@redhat.com>
References: <475EAD3E.2020600@redhat.com>
Message-ID: <475EBD28.9060108@redhat.com>
Rob Crittenden wrote:
> The XML-RPC interface for updating things is a bit funky. One needs to
> pass in the original entry and the new one and those are diffed and
> committed by the API.
>
> Kevin liked doing it this way because it decreased the chance of
> mid-air collisions.
>
> So if admin A and admin B both edited user U at the same time but
> updated different fields both commits would succeed if we send the
> original record. Otherwise one would stomp on the other.
>
> That is fine but not everyone will want to carry the original data
> around merely to pass it back. I'm proposing a compromise: we provide
> both.
>
> I want to make it support an empty record ('') for old. If that
> happens then we look up the current record and use that as the "old"
> entry. Otherwise we use the one passed in. Alternatively I could
> create a separate set of calls, one that handles old and new and one
> that just handles new but that might be even more confusing.
>
> Opinions?
Don't all the problems and issues go away if the API for modification
took add, modify and delete parameters? That seems easier, cleaner, and
more efficient. I'm pretty sure most callers will easily know whether
they've added, modified, or deleted an attribute. If for some reason
they don't have that knowledge we could provide a helper utility to
compute it, but I doubt that would be needed in most cases.
--
John Dennis
From jdennis at redhat.com Tue Dec 11 16:56:37 2007
From: jdennis at redhat.com (John Dennis)
Date: Tue, 11 Dec 2007 11:56:37 -0500
Subject: [Freeipa-devel] [PATCH] improved XML-RPC debugging
In-Reply-To: <475EA5B7.1090107@redhat.com>
References: <475EA5B7.1090107@redhat.com>
Message-ID: <475EC145.3050808@redhat.com>
Thanks Rob! This sure will make things easier.
--
John Dennis
From ssorce at redhat.com Tue Dec 11 17:27:53 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 11 Dec 2007 12:27:53 -0500
Subject: [Freeipa-devel] [PATCH] clear old secrets away from kpasswd.keytab
Message-ID: <1197394073.801.0.camel@hopeson>
For those that insist on not doing fresh installs :-)
Simo.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-479-clear-kpasswd-keytab.patch
Type: text/x-patch
Size: 1159 bytes
Desc: not available
URL:
From kmacmill at redhat.com Tue Dec 11 17:44:01 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 11 Dec 2007 12:44:01 -0500
Subject: [Freeipa-devel] Radius changesets
Message-ID: <1197395041.27716.34.camel@clapton.mentalrootkit.com>
I merged the radius changesets. There was a small amount of merging that
I had to do in ipautil, otherwise everything imported cleanly.
John - please check for problems.
Karl
From kmacmill at redhat.com Tue Dec 11 17:57:08 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 11 Dec 2007 12:57:08 -0500
Subject: [Freeipa-devel] [PATCH] conver ipa-server-setupssl to python
In-Reply-To: <1196979641.21049.8.camel@clapton.mentalrootkit.com>
References: <1196979641.21049.8.camel@clapton.mentalrootkit.com>
Message-ID: <1197395828.8999.2.camel@clapton.mentalrootkit.com>
On Thu, 2007-12-06 at 17:20 -0500, Karl MacMillan wrote:
> Convert the setup of ssl from a shell script to a
> python module. This is in preparation for user
> supplied certs.
>
Pushed this (accidentally) and then pushed the corrected version.
Karl
From kmacmill at redhat.com Tue Dec 11 17:58:32 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 11 Dec 2007 12:58:32 -0500
Subject: [Freeipa-devel] [PATCH] rename some labels
In-Reply-To: <475D6F95.8060306@redhat.com>
References: <475D6F95.8060306@redhat.com>
Message-ID: <1197395912.8999.4.camel@clapton.mentalrootkit.com>
On Mon, 2007-12-10 at 11:55 -0500, Rob Crittenden wrote:
> It was discussed a few weeks ago to use First/Last name instead of
> Given/Surname. Here is a patch to fix the UI.
>
Pushed. What about changing common name to full name? And should we
expose in the UI that that attribute is multi-valued?
Karl
From kmacmill at redhat.com Tue Dec 11 17:58:58 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 11 Dec 2007 12:58:58 -0500
Subject: [Freeipa-devel] [PATCH] warn user before retrieving keytab in UI
In-Reply-To: <47581EE8.6000208@redhat.com>
References: <47581EE8.6000208@redhat.com>
Message-ID: <1197395938.8999.6.camel@clapton.mentalrootkit.com>
On Thu, 2007-12-06 at 11:10 -0500, Rob Crittenden wrote:
> Prompt the user with a warning before downloading a keytab. It will
> generate a new secret, breaking existing keytabs
>
Pushed.
From kmacmill at redhat.com Tue Dec 11 18:00:42 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 11 Dec 2007 13:00:42 -0500
Subject: [Freeipa-devel] [PATCH] improved XML-RPC debugging
In-Reply-To: <475EA5B7.1090107@redhat.com>
References: <475EA5B7.1090107@redhat.com>
Message-ID: <1197396042.8999.8.camel@clapton.mentalrootkit.com>
On Tue, 2007-12-11 at 09:59 -0500, Rob Crittenden wrote:
> Tied the debug logging to the IPADebug option in /etc/httpd/conf.d/ipa.conf.
>
> The output goes to the Apache error log and the format is similar to
> Apache's.
>
> So now anywhere in funcs.py you can add "logging.debug(...)" and have it
> spit out in the Apache error log.
>
> I've tended to prefix errors with the string IPA: so it is easier to
> find stuff but it isn't required.
>
Pushed.
From kmacmill at redhat.com Tue Dec 11 18:02:47 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 11 Dec 2007 13:02:47 -0500
Subject: [Freeipa-devel] [PATCH] simple command-line selector
In-Reply-To: <475DABDF.2010704@redhat.com>
References: <475DABDF.2010704@redhat.com>
Message-ID: <1197396167.8999.10.camel@clapton.mentalrootkit.com>
On Mon, 2007-12-10 at 16:13 -0500, Rob Crittenden wrote:
> Add simple UI for command-line programs to be able to select when
> multiple entries are returned.
Pushed - doesn't this require Makefile changes?
Karl
From kmacmill at redhat.com Tue Dec 11 18:04:26 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 11 Dec 2007 13:04:26 -0500
Subject: [Freeipa-devel] [PATCH] Make admintools able to discover IPA
servers
In-Reply-To: <1197388910.29168.1.camel@hopeson>
References: <1197388910.29168.1.camel@hopeson>
Message-ID: <1197396266.8999.12.camel@clapton.mentalrootkit.com>
On Tue, 2007-12-11 at 11:01 -0500, Simo Sorce wrote:
> This makes it possible to completely remove ipa.conf in theory, but we
> still keep it around just in case discovery fails for some reason.
Pushed.
As for keeping the ipa.conf - this doesn't just use discovery, right? It
also uses the krb.conf file? So it is unlikely that we will need to
fallback to ipa.conf.
Karl
From kmacmill at redhat.com Tue Dec 11 18:08:47 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 11 Dec 2007 13:08:47 -0500
Subject: [Freeipa-devel] [PATCH] clear old secrets away from kpasswd.keytab
In-Reply-To: <1197394073.801.0.camel@hopeson>
References: <1197394073.801.0.camel@hopeson>
Message-ID: <1197396527.8999.14.camel@clapton.mentalrootkit.com>
On Tue, 2007-12-11 at 12:27 -0500, Simo Sorce wrote:
> For those that insist on not doing fresh installs :-)
>
Pushed, though I still cannot successfully use kpasswd.
Karl
From rcritten at redhat.com Tue Dec 11 18:24:00 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Dec 2007 13:24:00 -0500
Subject: [Freeipa-devel] [PATCH] rename some labels
In-Reply-To: <1197395912.8999.4.camel@clapton.mentalrootkit.com>
References: <475D6F95.8060306@redhat.com>
<1197395912.8999.4.camel@clapton.mentalrootkit.com>
Message-ID: <475ED5C0.9000801@redhat.com>
Karl MacMillan wrote:
> On Mon, 2007-12-10 at 11:55 -0500, Rob Crittenden wrote:
>> It was discussed a few weeks ago to use First/Last name instead of
>> Given/Surname. Here is a patch to fix the UI.
>>
>
> Pushed. What about changing common name to full name? And should we
> expose in the UI that that attribute is multi-valued?
>
> Karl
>
I can change that, I didn't because it wasn't in the bug and I missed it.
Any field with a set of Add/Remove links is multi-valued.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Tue Dec 11 18:24:34 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Dec 2007 13:24:34 -0500
Subject: [Freeipa-devel] [PATCH] simple command-line selector
In-Reply-To: <1197396167.8999.10.camel@clapton.mentalrootkit.com>
References: <475DABDF.2010704@redhat.com>
<1197396167.8999.10.camel@clapton.mentalrootkit.com>
Message-ID: <475ED5E2.2020608@redhat.com>
Karl MacMillan wrote:
> On Mon, 2007-12-10 at 16:13 -0500, Rob Crittenden wrote:
>> Add simple UI for command-line programs to be able to select when
>> multiple entries are returned.
>
> Pushed - doesn't this require Makefile changes?
>
> Karl
>
It seems that the python setup.py thinger handles it.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From ssorce at redhat.com Tue Dec 11 18:43:46 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 11 Dec 2007 13:43:46 -0500
Subject: [Freeipa-devel] [PATCH] Make admintools able to discover IPA
servers
In-Reply-To: <1197396266.8999.12.camel@clapton.mentalrootkit.com>
References: <1197388910.29168.1.camel@hopeson>
<1197396266.8999.12.camel@clapton.mentalrootkit.com>
Message-ID: <1197398626.20875.8.camel@localhost.localdomain>
On Tue, 2007-12-11 at 13:04 -0500, Karl MacMillan wrote:
> On Tue, 2007-12-11 at 11:01 -0500, Simo Sorce wrote:
> > This makes it possible to completely remove ipa.conf in theory, but we
> > still keep it around just in case discovery fails for some reason.
>
> Pushed.
>
> As for keeping the ipa.conf - this doesn't just use discovery, right? It
> also uses the krb.conf file? So it is unlikely that we will need to
> fallback to ipa.conf.
krb.conf is used only for the realm, unfortunately there is no public
API to get the server name :(
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From ssorce at redhat.com Tue Dec 11 18:44:31 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 11 Dec 2007 13:44:31 -0500
Subject: [Freeipa-devel] [PATCH] clear old secrets away from kpasswd.keytab
In-Reply-To: <1197396527.8999.14.camel@clapton.mentalrootkit.com>
References: <1197394073.801.0.camel@hopeson>
<1197396527.8999.14.camel@clapton.mentalrootkit.com>
Message-ID: <1197398671.20875.10.camel@localhost.localdomain>
On Tue, 2007-12-11 at 13:08 -0500, Karl MacMillan wrote:
> On Tue, 2007-12-11 at 12:27 -0500, Simo Sorce wrote:
> > For those that insist on not doing fresh installs :-)
> >
>
> Pushed, though I still cannot successfully use kpasswd.
If you don't give me logs/traves or access to your machine I will put an
ignore on you :)
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From rcritten at redhat.com Tue Dec 11 18:54:37 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Dec 2007 13:54:37 -0500
Subject: [Freeipa-devel] XML-RPC API: update_*
In-Reply-To: <475EBD28.9060108@redhat.com>
References: <475EAD3E.2020600@redhat.com> <475EBD28.9060108@redhat.com>
Message-ID: <475EDCED.70001@redhat.com>
John Dennis wrote:
> Rob Crittenden wrote:
>> The XML-RPC interface for updating things is a bit funky. One needs to
>> pass in the original entry and the new one and those are diffed and
>> committed by the API.
>>
>> Kevin liked doing it this way because it decreased the chance of
>> mid-air collisions.
>>
>> So if admin A and admin B both edited user U at the same time but
>> updated different fields both commits would succeed if we send the
>> original record. Otherwise one would stomp on the other.
>>
>> That is fine but not everyone will want to carry the original data
>> around merely to pass it back. I'm proposing a compromise: we provide
>> both.
>>
>> I want to make it support an empty record ('') for old. If that
>> happens then we look up the current record and use that as the "old"
>> entry. Otherwise we use the one passed in. Alternatively I could
>> create a separate set of calls, one that handles old and new and one
>> that just handles new but that might be even more confusing.
>>
>> Opinions?
> Don't all the problems and issues go away if the API for modification
> took add, modify and delete parameters? That seems easier, cleaner, and
> more efficient. I'm pretty sure most callers will easily know whether
> they've added, modified, or deleted an attribute. If for some reason
> they don't have that knowledge we could provide a helper utility to
> compute it, but I doubt that would be needed in most cases.
>
The reasoning is that it saves a lot of round-trips. Each XML-RPC
request requires:
1. An SSL connection
2. A kerberos authentication
3. One or more LDAP connections
3.1 A kerberos auth
3.2 The LDAP operation
This also makes it easier for callers because they don't have to track
that stuff. Just change willy nilly in the record they have and the
server will handle doing the right thing (or last-update wins in this case).
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rmeggins at redhat.com Tue Dec 11 19:02:22 2007
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 11 Dec 2007 12:02:22 -0700
Subject: [Freeipa-devel] Contribute code back to python-ldap?
Message-ID: <475EDEBE.4080706@redhat.com>
-------------- next part --------------
An embedded message was scrubbed...
From: =?ISO-8859-1?Q?Michael_Str=F6der?=
Subject: Re: [ANNOUNCE] python-ad
Date: Tue, 11 Dec 2007 19:51:03 +0100
Size: 3560
URL:
From rcritten at redhat.com Tue Dec 11 19:16:03 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Dec 2007 14:16:03 -0500
Subject: [Freeipa-devel] [PATCH] XML-RPC cleanup
Message-ID: <475EE1F3.1050506@redhat.com>
This does the following:
- Makes the old argument optional on update_*. If it doesn't exist the
current record is looked up and used for comparison.
- Checks for existence of required arguments (not always data type, that
may come next)
- Fix a slew of errors reported by pychecker
- Converted some things from C-isms to be more python-ish (return True
instead of 1)
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-502-cleanup.patch
Type: text/x-patch
Size: 33715 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Tue Dec 11 19:32:43 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Dec 2007 14:32:43 -0500
Subject: [Freeipa-devel] [PATCH] search for multiple things
In-Reply-To: <1197389969.20875.6.camel@localhost.localdomain>
References: <475E9B52.5070206@redhat.com>
<1197389969.20875.6.camel@localhost.localdomain>
Message-ID: <475EE5DB.8050208@redhat.com>
Simo Sorce wrote:
> On Tue, 2007-12-11 at 09:14 -0500, Rob Crittenden wrote:
>> There was a discussion a few weeks ago about searching for "Bill Ben"
>> not returning both Bill AND Ben records. Pete insisted that this was a
>> regression though I could find nothing in the repo history that would
>> have affected this. It could have been some uncommitted patch, I don't know.
>>
>> In any case, I think this will fix it.
>>
>> diff -r 7e77cf165b4a ipa-server/xmlrpc-server/funcs.py
>> --- a/ipa-server/xmlrpc-server/funcs.py Mon Dec 10 21:55:12 2007 -0500
>> +++ b/ipa-server/xmlrpc-server/funcs.py Tue Dec 11 09:13:12 2007 -0500
>> @@ -319,8 +319,8 @@ class IPAServer:
>> gen_search_pattern = lambda word: search_pattern % {'match':word}
>>
>> # construct the giant match for all words
>> - exact_match_filter = "(&"
>> - partial_match_filter = "(&"
>> + exact_match_filter = "(|"
>> + partial_match_filter = "(|"
>> for word in criteria_words:
>> exact_match_filter += gen_search_pattern(word)
>> partial_match_filter += gen_search_pattern("*%s*" % word)
>
> Rob I have not looked at the code that encapsulate this snippet yet, but
> from the names I have the sensation that he right fix would be instead:
>
> exact_match_filter = "(&"
> partial_match_filter = "(|"
>
> Simo.
>
Ok, that seems to work too. I have a user "Ben" and a user "Bill" and
when I enter "Bill Ben" I get both as expected.
Here are the filters:
exact: (&(|(uid=bill)(givenName=bill)(sn=bill)(telephoneNumber=bill)
(ou=bill)(title=bill))(|(uid=ben)(givenName=ben)(sn=ben)(telephoneNumber=ben)
(ou=ben)(title=ben)))
partial: (|(|(uid=*bill*)(givenName=*bill*)(sn=*bill*)
(telephoneNumber=*bill*)(ou=*bill*)(title=*bill*))
(|(uid=*ben*)(givenName=*ben*)(sn=*ben*)(telephoneNumber=*ben*)
(ou=*ben*)(title=*ben*)))
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Tue Dec 11 19:38:34 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Dec 2007 14:38:34 -0500
Subject: [Freeipa-devel] [PATCH] remove uid_hidden
Message-ID: <475EE73A.6050100@redhat.com>
Considered pushing this myself but what the heck.
disabled fields are not sent to the web server in a POST. We have uid
protected since we don't want people willy-nilly changing thier RDN.
I still need the uid to do stuff so there is a uid_hidden field. I have
to be careful not to send this to the XML-RPC Interface or it will try
to add it to the record and fail with an objectclass violation.
So I'm moving the delete to someplace that should catch it for good.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-503-hidden.patch
Type: text/x-patch
Size: 1874 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From ssorce at redhat.com Tue Dec 11 19:41:36 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 11 Dec 2007 14:41:36 -0500
Subject: [Freeipa-devel] [PATCH] search for multiple things
In-Reply-To: <475EE5DB.8050208@redhat.com>
References: <475E9B52.5070206@redhat.com>
<1197389969.20875.6.camel@localhost.localdomain>
<475EE5DB.8050208@redhat.com>
Message-ID: <1197402096.20875.19.camel@localhost.localdomain>
On Tue, 2007-12-11 at 14:32 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Tue, 2007-12-11 at 09:14 -0500, Rob Crittenden wrote:
> >> There was a discussion a few weeks ago about searching for "Bill Ben"
> >> not returning both Bill AND Ben records. Pete insisted that this was a
> >> regression though I could find nothing in the repo history that would
> >> have affected this. It could have been some uncommitted patch, I don't know.
> >>
> >> In any case, I think this will fix it.
> >>
> >> diff -r 7e77cf165b4a ipa-server/xmlrpc-server/funcs.py
> >> --- a/ipa-server/xmlrpc-server/funcs.py Mon Dec 10 21:55:12 2007 -0500
> >> +++ b/ipa-server/xmlrpc-server/funcs.py Tue Dec 11 09:13:12 2007 -0500
> >> @@ -319,8 +319,8 @@ class IPAServer:
> >> gen_search_pattern = lambda word: search_pattern % {'match':word}
> >>
> >> # construct the giant match for all words
> >> - exact_match_filter = "(&"
> >> - partial_match_filter = "(&"
> >> + exact_match_filter = "(|"
> >> + partial_match_filter = "(|"
> >> for word in criteria_words:
> >> exact_match_filter += gen_search_pattern(word)
> >> partial_match_filter += gen_search_pattern("*%s*" % word)
> >
> > Rob I have not looked at the code that encapsulate this snippet yet, but
> > from the names I have the sensation that he right fix would be instead:
> >
> > exact_match_filter = "(&"
> > partial_match_filter = "(|"
> >
> > Simo.
> >
>
> Ok, that seems to work too. I have a user "Ben" and a user "Bill" and
> when I enter "Bill Ben" I get both as expected.
>
> Here are the filters:
>
> exact: (&(|(uid=bill)(givenName=bill)(sn=bill)(telephoneNumber=bill)
> (ou=bill)(title=bill))(|(uid=ben)(givenName=ben)(sn=ben)(telephoneNumber=ben)
> (ou=ben)(title=ben)))
>
> partial: (|(|(uid=*bill*)(givenName=*bill*)(sn=*bill*)
> (telephoneNumber=*bill*)(ou=*bill*)(title=*bill*))
> (|(uid=*ben*)(givenName=*ben*)(sn=*ben*)(telephoneNumber=*ben*)
> (ou=*ben*)(title=*ben*)))
Ok then mine is the "correct" one, as yours will always get all results
for both queries otherwise.
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From rcritten at redhat.com Tue Dec 11 19:43:12 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Dec 2007 14:43:12 -0500
Subject: [Freeipa-devel] [PATCH] remove uid_hidden
In-Reply-To: <475EE73A.6050100@redhat.com>
References: <475EE73A.6050100@redhat.com>
Message-ID: <475EE850.10008@redhat.com>
Rob Crittenden wrote:
> Considered pushing this myself but what the heck.
>
> disabled fields are not sent to the web server in a POST. We have uid
> protected since we don't want people willy-nilly changing thier RDN.
>
> I still need the uid to do stuff so there is a uid_hidden field. I have
> to be careful not to send this to the XML-RPC Interface or it will try
> to add it to the record and fail with an objectclass violation.
>
> So I'm moving the delete to someplace that should catch it for good.
>
> rob
>
Ah crap. I did it again. I left other cruft in there before I committed.
I'll be sending a new patch shortly.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Tue Dec 11 19:59:31 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Dec 2007 14:59:31 -0500
Subject: [Freeipa-devel] [PATCH] remove uid_hidden
In-Reply-To: <475EE850.10008@redhat.com>
References: <475EE73A.6050100@redhat.com> <475EE850.10008@redhat.com>
Message-ID: <475EEC23.6060709@redhat.com>
Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Considered pushing this myself but what the heck.
>>
>> disabled fields are not sent to the web server in a POST. We have uid
>> protected since we don't want people willy-nilly changing thier RDN.
>>
>> I still need the uid to do stuff so there is a uid_hidden field. I
>> have to be careful not to send this to the XML-RPC Interface or it
>> will try to add it to the record and fail with an objectclass violation.
>>
>> So I'm moving the delete to someplace that should catch it for good.
>>
>> rob
>>
>
> Ah crap. I did it again. I left other cruft in there before I committed.
>
> I'll be sending a new patch shortly.
>
Oh, duh. Time to update my tree. I already fixed this.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Tue Dec 11 20:06:55 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Dec 2007 15:06:55 -0500
Subject: [Freeipa-devel] [PATCH] search for multiple things
In-Reply-To: <1197402096.20875.19.camel@localhost.localdomain>
References: <475E9B52.5070206@redhat.com>
<1197389969.20875.6.camel@localhost.localdomain>
<475EE5DB.8050208@redhat.com>
<1197402096.20875.19.camel@localhost.localdomain>
Message-ID: <475EEDDF.8090903@redhat.com>
Simo Sorce wrote:
> On Tue, 2007-12-11 at 14:32 -0500, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Tue, 2007-12-11 at 09:14 -0500, Rob Crittenden wrote:
>>>> There was a discussion a few weeks ago about searching for "Bill Ben"
>>>> not returning both Bill AND Ben records. Pete insisted that this was a
>>>> regression though I could find nothing in the repo history that would
>>>> have affected this. It could have been some uncommitted patch, I don't know.
>>>>
>>>> In any case, I think this will fix it.
>>>>
>>>> diff -r 7e77cf165b4a ipa-server/xmlrpc-server/funcs.py
>>>> --- a/ipa-server/xmlrpc-server/funcs.py Mon Dec 10 21:55:12 2007 -0500
>>>> +++ b/ipa-server/xmlrpc-server/funcs.py Tue Dec 11 09:13:12 2007 -0500
>>>> @@ -319,8 +319,8 @@ class IPAServer:
>>>> gen_search_pattern = lambda word: search_pattern % {'match':word}
>>>>
>>>> # construct the giant match for all words
>>>> - exact_match_filter = "(&"
>>>> - partial_match_filter = "(&"
>>>> + exact_match_filter = "(|"
>>>> + partial_match_filter = "(|"
>>>> for word in criteria_words:
>>>> exact_match_filter += gen_search_pattern(word)
>>>> partial_match_filter += gen_search_pattern("*%s*" % word)
>>> Rob I have not looked at the code that encapsulate this snippet yet, but
>>> from the names I have the sensation that he right fix would be instead:
>>>
>>> exact_match_filter = "(&"
>>> partial_match_filter = "(|"
>>>
>>> Simo.
>>>
>> Ok, that seems to work too. I have a user "Ben" and a user "Bill" and
>> when I enter "Bill Ben" I get both as expected.
>>
>> Here are the filters:
>>
>> exact: (&(|(uid=bill)(givenName=bill)(sn=bill)(telephoneNumber=bill)
>> (ou=bill)(title=bill))(|(uid=ben)(givenName=ben)(sn=ben)(telephoneNumber=ben)
>> (ou=ben)(title=ben)))
>>
>> partial: (|(|(uid=*bill*)(givenName=*bill*)(sn=*bill*)
>> (telephoneNumber=*bill*)(ou=*bill*)(title=*bill*))
>> (|(uid=*ben*)(givenName=*ben*)(sn=*ben*)(telephoneNumber=*ben*)
>> (ou=*ben*)(title=*ben*)))
>
> Ok then mine is the "correct" one, as yours will always get all results
> for both queries otherwise.
>
> Simo.
>
Ok. I've pushed the attached patch that does this then.
thanks
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-552-search.patch
Type: text/x-patch
Size: 817 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Tue Dec 11 20:14:39 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Dec 2007 15:14:39 -0500
Subject: [Freeipa-devel] [PATCH] rename some labels
In-Reply-To: <1197395912.8999.4.camel@clapton.mentalrootkit.com>
References: <475D6F95.8060306@redhat.com>
<1197395912.8999.4.camel@clapton.mentalrootkit.com>
Message-ID: <475EEFAF.9070409@redhat.com>
Karl MacMillan wrote:
> On Mon, 2007-12-10 at 11:55 -0500, Rob Crittenden wrote:
>> It was discussed a few weeks ago to use First/Last name instead of
>> Given/Surname. Here is a patch to fix the UI.
>>
>
> Pushed. What about changing common name to full name? And should we
> expose in the UI that that attribute is multi-valued?
>
> Karl
>
I fixed full name too and pushed this two-liner.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-553-fullname.patch
Type: text/x-patch
Size: 1132 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From ssorce at redhat.com Tue Dec 11 20:16:05 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 11 Dec 2007 15:16:05 -0500
Subject: [Freeipa-devel] [PATCH] search for multiple things
In-Reply-To: <475EEDDF.8090903@redhat.com>
References: <475E9B52.5070206@redhat.com>
<1197389969.20875.6.camel@localhost.localdomain>
<475EE5DB.8050208@redhat.com>
<1197402096.20875.19.camel@localhost.localdomain>
<475EEDDF.8090903@redhat.com>
Message-ID: <1197404165.23807.0.camel@localhost.localdomain>
On Tue, 2007-12-11 at 15:06 -0500, Rob Crittenden wrote:
>
> Ok. I've pushed the attached patch that does this then.
Thanks.
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From jdennis at redhat.com Tue Dec 11 21:02:33 2007
From: jdennis at redhat.com (John Dennis)
Date: Tue, 11 Dec 2007 16:02:33 -0500
Subject: [Freeipa-devel] XML-RPC API: update_*
In-Reply-To: <475EDCED.70001@redhat.com>
References: <475EAD3E.2020600@redhat.com> <475EBD28.9060108@redhat.com>
<475EDCED.70001@redhat.com>
Message-ID: <475EFAE9.10403@redhat.com>
Rob Crittenden wrote:
> John Dennis wrote:
>> Don't all the problems and issues go away if the API for modification
>> took add, modify and delete parameters? That seems easier, cleaner,
>> and more efficient. I'm pretty sure most callers will easily know
>> whether they've added, modified, or deleted an attribute. If for some
>> reason they don't have that knowledge we could provide a helper
>> utility to compute it, but I doubt that would be needed in most cases.
>>
>
> The reasoning is that it saves a lot of round-trips. Each XML-RPC
> request requires:
>
> 1. An SSL connection
> 2. A kerberos authentication
> 3. One or more LDAP connections
> 3.1 A kerberos auth
> 3.2 The LDAP operation
I wasn't suggesting separate calls for add, modify and delete. Rather
one call that takes add, modify and delete parameters. That means it's
the same round-trip overhead, but without the baggage of having to
manage before and after attribute dictionaries.
Question: Are we exposing the generateModList API in the python ldap
module because we concluded it is the optimal and most sensible API for
us or because it happened to be there and now we're trying to force
everything to operate that way and in the process introducing
inefficiency, complexity and special case scenarios?
If one wants to use the generateModList API in the python ldap module
(not a requirement) then I'm not sure what is being gained by not
passing the before dictionary other than a marginal reduction in the
size of the transport during update and a marginal reduction in client
memory usage to store both dictionaries, one still pays all the
round-trip costs you enumerate above. The client still has to start with
a call to query the current dictionary. If you don't have the current
dictionary I don't see how you would robustly implement the semantics of
delete. The reasoning goes like this, if the client fails to set any
attributes in the new dictionary, a likely scenario if he never queried
the current dictionary and thus does not know what the current
attributes are, then on the server the missing attribute in the new
dictionary will be interpreted as a delete operation on that attribute.
Ouch, that's not what was expected. Thus to be robust one has to have
both dictionaries, so what's the advantage? Explicitly passing what is
being added, modified, and deleted gets you out of the whole mess. Note,
add and modify could be collapsed into one parameter for greater
simplicity. But delete must be handled separately. Note delete is
fundamentally different from add/modify because add/modify pairs the
attribute with a value, but delete specifies only the attribute.
Maybe we should pop up a level and ask if generateModList is the optimal
API. I'm not convinced it is, it adds a lot of baggage and complexity
we're now trying to find ways to eliminate.
Also note at least one round trip can be completely eliminated if we
don't use generateModList, that alone is a significant performance win.
--
John Dennis
From ssorce at redhat.com Tue Dec 11 21:30:52 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 11 Dec 2007 16:30:52 -0500
Subject: [Freeipa-devel] XML-RPC API: update_*
In-Reply-To: <475EFAE9.10403@redhat.com>
References: <475EAD3E.2020600@redhat.com> <475EBD28.9060108@redhat.com>
<475EDCED.70001@redhat.com> <475EFAE9.10403@redhat.com>
Message-ID: <1197408652.24744.0.camel@localhost.localdomain>
On Tue, 2007-12-11 at 16:02 -0500, John Dennis wrote:
> Note delete is
> fundamentally different from add/modify because add/modify pairs the
> attribute with a value, but delete specifies only the attribute.
Not for LDAP at least, you can both just give the attribute or also give
the value (for multi-valued attributes), this is also use to make sure
we are deleting the right thing and not something that has been modified
meanwhile.
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From ssorce at redhat.com Tue Dec 11 21:32:02 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 11 Dec 2007 16:32:02 -0500
Subject: [Freeipa-devel] XML-RPC API: update_*
In-Reply-To: <475EFAE9.10403@redhat.com>
References: <475EAD3E.2020600@redhat.com> <475EBD28.9060108@redhat.com>
<475EDCED.70001@redhat.com> <475EFAE9.10403@redhat.com>
Message-ID: <1197408722.24744.2.camel@localhost.localdomain>
On Tue, 2007-12-11 at 16:02 -0500, John Dennis wrote:
> Maybe we should pop up a level and ask if generateModList is the
> optimal
> API. I'm not convinced it is, it adds a lot of baggage and complexity
> we're now trying to find ways to eliminate.
>
> Also note at least one round trip can be completely eliminated if we
> don't use generateModList, that alone is a significant performance
> win.
Personally I prefer add/mod/delete, instead of generateModList, it is
usually much more robust, though sometimes generateModList has some nice
advantages.
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From kmacmill at redhat.com Tue Dec 11 21:34:17 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 11 Dec 2007 16:34:17 -0500
Subject: [Freeipa-devel] [PATCH] user provided certs
Message-ID: <1197408857.8999.49.camel@clapton.mentalrootkit.com>
Add a utility to import user provided certs in pkcs#12 format.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: user-certs.patch
Type: text/x-patch
Size: 10663 bytes
Desc: not available
URL:
From kmacmill at redhat.com Tue Dec 11 21:42:00 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 11 Dec 2007 16:42:00 -0500
Subject: [Freeipa-devel] [PATCH] XML-RPC cleanup
In-Reply-To: <475EE1F3.1050506@redhat.com>
References: <475EE1F3.1050506@redhat.com>
Message-ID: <1197409320.8999.51.camel@clapton.mentalrootkit.com>
On Tue, 2007-12-11 at 14:16 -0500, Rob Crittenden wrote:
> This does the following:
>
> - Makes the old argument optional on update_*. If it doesn't exist the
> current record is looked up and used for comparison.
> - Checks for existence of required arguments (not always data type, that
> may come next)
> - Fix a slew of errors reported by pychecker
> - Converted some things from C-isms to be more python-ish (return True
> instead of 1)
>
Ack.
From jdennis at redhat.com Tue Dec 11 21:51:50 2007
From: jdennis at redhat.com (John Dennis)
Date: Tue, 11 Dec 2007 16:51:50 -0500
Subject: [Freeipa-devel] Radius changesets
In-Reply-To: <1197395041.27716.34.camel@clapton.mentalrootkit.com>
References: <1197395041.27716.34.camel@clapton.mentalrootkit.com>
Message-ID: <475F0676.4040002@redhat.com>
Karl MacMillan wrote:
> I merged the radius changesets. There was a small amount of merging that
> I had to do in ipautil, otherwise everything imported cleanly.
>
> John - please check for problems.
>
>
Thanks! I just did a basic sanity check, all seems well except for one
minor merge problem due to changes in ipavalidate, attached is the patch:
--
John Dennis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa.patch
Type: text/x-patch
Size: 459 bytes
Desc: not available
URL:
From kmacmill at redhat.com Tue Dec 11 21:53:45 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 11 Dec 2007 16:53:45 -0500
Subject: [Freeipa-devel] Radius changesets
In-Reply-To: <475F0676.4040002@redhat.com>
References: <1197395041.27716.34.camel@clapton.mentalrootkit.com>
<475F0676.4040002@redhat.com>
Message-ID: <1197410025.8999.59.camel@clapton.mentalrootkit.com>
On Tue, 2007-12-11 at 16:51 -0500, John Dennis wrote:
> Karl MacMillan wrote:
> > I merged the radius changesets. There was a small amount of merging that
> > I had to do in ipautil, otherwise everything imported cleanly.
> >
> > John - please check for problems.
> >
> >
> Thanks! I just did a basic sanity check, all seems well except for one
> minor merge problem due to changes in ipavalidate, attached is the patch:
>
Thanks - pushed.
From jdennis at redhat.com Tue Dec 11 22:21:01 2007
From: jdennis at redhat.com (John Dennis)
Date: Tue, 11 Dec 2007 17:21:01 -0500
Subject: [Freeipa-devel] XML-RPC API: update_*
In-Reply-To: <1197408652.24744.0.camel@localhost.localdomain>
References: <475EAD3E.2020600@redhat.com>
<475EBD28.9060108@redhat.com> <475EDCED.70001@redhat.com>
<475EFAE9.10403@redhat.com>
<1197408652.24744.0.camel@localhost.localdomain>
Message-ID: <475F0D4D.5040305@redhat.com>
Simo Sorce wrote:
> On Tue, 2007-12-11 at 16:02 -0500, John Dennis wrote:
>
>> Note delete is
>> fundamentally different from add/modify because add/modify pairs the
>> attribute with a value, but delete specifies only the attribute.
>>
>
> Not for LDAP at least, you can both just give the attribute or also give
> the value (for multi-valued attributes), this is also use to make sure
> we are deleting the right thing and not something that has been modified
> meanwhile.
>
Good point.
--
John Dennis
From rcritten at redhat.com Tue Dec 11 22:32:01 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Dec 2007 17:32:01 -0500
Subject: [Freeipa-devel] [PATCH] XML-RPC cleanup
In-Reply-To: <1197409320.8999.51.camel@clapton.mentalrootkit.com>
References: <475EE1F3.1050506@redhat.com>
<1197409320.8999.51.camel@clapton.mentalrootkit.com>
Message-ID: <475F0FE1.9050005@redhat.com>
Karl MacMillan wrote:
> On Tue, 2007-12-11 at 14:16 -0500, Rob Crittenden wrote:
>> This does the following:
>>
>> - Makes the old argument optional on update_*. If it doesn't exist the
>> current record is looked up and used for comparison.
>> - Checks for existence of required arguments (not always data type, that
>> may come next)
>> - Fix a slew of errors reported by pychecker
>> - Converted some things from C-isms to be more python-ish (return True
>> instead of 1)
>>
>
> Ack.
>
Pushed
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From ssorce at redhat.com Wed Dec 12 02:59:15 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 11 Dec 2007 21:59:15 -0500
Subject: [Freeipa-devel] [PATCH] better access control and other minor things
Message-ID: <1197428355.23597.1.camel@hopeson>
please check, although I have tested this with CLI and saw no side
effects, I have slightly restricted access that was previously
erroneously granted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-519-better-access-control.patch
Type: text/x-patch
Size: 9989 bytes
Desc: not available
URL:
From rcritten at redhat.com Wed Dec 12 14:37:23 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Dec 2007 09:37:23 -0500
Subject: [Freeipa-devel] [PATCH] automatic browser config
Message-ID: <475FF223.2020306@redhat.com>
Add automatic browser configuration for kerberos SSO using javascript.
This uses the UniversalPreferencesWrite function to set the browser
preferences to allow negotiation and ticket forwarding in the IPA domain.
A self-signed certificate is generated to sign the javascript.
This will only display and work on modern gecko-based browsers.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-554-automatic.patch
Type: text/x-patch
Size: 10967 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Wed Dec 12 14:48:15 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Dec 2007 09:48:15 -0500
Subject: [Freeipa-devel] [PATCH] better access control and other minor
things
In-Reply-To: <1197428355.23597.1.camel@hopeson>
References: <1197428355.23597.1.camel@hopeson>
Message-ID: <475FF4AF.6010809@redhat.com>
Simo Sorce wrote:
> please check, although I have tested this with CLI and saw no side
> effects, I have slightly restricted access that was previously
> erroneously granted.
Just a couple of things:
+aci: (targetfilter =
"(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup)(objectClass=radiusprofile))")(targetattr
!= "aci || userPassword || krbPrincipalKey || sambaLMPassword ||
sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins
can manage Users and Groups"; allow (add, delete, read, write) groupdn =
"ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
Should this have an & before the attributes? Is this saying admins can
manage these objectclasses OR anything without these attributes?
For the CalledProcessError we have ipautil in there explicitly so
someone doesn't think it is coming from subprocess. I wonder if we
should simply rename the function to avoid confusion instead.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From kmacmill at redhat.com Wed Dec 12 15:11:31 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 12 Dec 2007 10:11:31 -0500
Subject: [Freeipa-devel] [PATCH] better error reporting from ipa-webgui
Message-ID: <1197472291.3019.21.camel@localhost.localdomain>
The ipa-webgui script was not returning errors, so the init script could
not indicate when the daemon failed to start.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-522-ipa-webgui.patch
Type: text/x-patch
Size: 3020 bytes
Desc: not available
URL:
From kmacmill at redhat.com Wed Dec 12 15:17:23 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 12 Dec 2007 10:17:23 -0500
Subject: [Freeipa-devel] [PATCH] confirm before configuring client
Message-ID: <1197472643.3019.23.camel@localhost.localdomain>
Confirm before client configuration.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-523-client-confirm.patch
Type: text/x-patch
Size: 966 bytes
Desc: not available
URL:
From ssorce at redhat.com Wed Dec 12 15:28:17 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Dec 2007 10:28:17 -0500
Subject: [Freeipa-devel] [PATCH] better access control and other minor
things
In-Reply-To: <475FF4AF.6010809@redhat.com>
References: <1197428355.23597.1.camel@hopeson> <475FF4AF.6010809@redhat.com>
Message-ID: <1197473297.24744.13.camel@localhost.localdomain>
On Wed, 2007-12-12 at 09:48 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > please check, although I have tested this with CLI and saw no side
> > effects, I have slightly restricted access that was previously
> > erroneously granted.
>
> Just a couple of things:
>
> +aci: (targetfilter =
> "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup)(objectClass=radiusprofile))")(targetattr
> != "aci || userPassword || krbPrincipalKey || sambaLMPassword ||
> sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins
> can manage Users and Groups"; allow (add, delete, read, write) groupdn =
> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>
> Should this have an & before the attributes? Is this saying admins can
> manage these objectclasses OR anything without these attributes?
No it means that admins can manage any attribute in any entry with these
objectclasses but access to those attributes is still forbidden.
I had to do this because admins where seeing
userPassword,krbPrincipalKey etc...
I tried with a deny acl at the start but it seem it is not possible to
use something like userdn != "" && groupdn != "" and I need both. This
made me impossible to use the deny to make double-sure nobody except
authorized can see these attrs.
I am still thinking I can add at some point a group of "not denied
access to secrets" so I can use the deny (not denied would be members of
admins group, uid=kdc and kerberosprincipalname=kadmin/changepw at REALM )
> For the CalledProcessError we have ipautil in there explicitly so
> someone doesn't think it is coming from subprocess. I wonder if we
> should simply rename the function to avoid confusion instead.
I just fixed a stack trace I was getting, feel free to disambiguate it
if important.
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From rcritten at redhat.com Wed Dec 12 15:36:23 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Dec 2007 10:36:23 -0500
Subject: [Freeipa-devel] [PATCH] update ldap:///self aci
Message-ID: <475FFFF7.3000905@redhat.com>
Add missing attributes to the ldap:///self aci
Added employeeType, businessCategory and ou
This was causing user self-service to fail.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-555-aci.patch
Type: text/x-patch
Size: 2719 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From kmacmill at redhat.com Wed Dec 12 15:38:44 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 12 Dec 2007 10:38:44 -0500
Subject: [Freeipa-devel] [PATCH] separate radius configuration
Message-ID: <1197473924.3019.25.camel@vai.mentalrootkit.com>
Move radius configuration into a separate script.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-524-radius.patch
Type: text/x-patch
Size: 4550 bytes
Desc: not available
URL:
From rcritten at redhat.com Wed Dec 12 15:42:03 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Dec 2007 10:42:03 -0500
Subject: [Freeipa-devel] [PATCH] better error reporting from ipa-webgui
In-Reply-To: <1197472291.3019.21.camel@localhost.localdomain>
References: <1197472291.3019.21.camel@localhost.localdomain>
Message-ID: <4760014B.1080903@redhat.com>
Karl MacMillan wrote:
> The ipa-webgui script was not returning errors, so the init script could
> not indicate when the daemon failed to start.
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
Ack
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Wed Dec 12 15:47:28 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Dec 2007 10:47:28 -0500
Subject: [Freeipa-devel] [PATCH] confirm before configuring client
In-Reply-To: <1197472643.3019.23.camel@localhost.localdomain>
References: <1197472643.3019.23.camel@localhost.localdomain>
Message-ID: <47600290.9080804@redhat.com>
Karl MacMillan wrote:
> Confirm before client configuration.
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
One minor suggestion: make it yesno.lower()[0] != "y":
And will it handle it if the user doesn't enter anything?
It should probably be:
if not yesno or yesno.lower()[0] != "y":
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Wed Dec 12 15:48:45 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Dec 2007 10:48:45 -0500
Subject: [Freeipa-devel] [PATCH] separate radius configuration
In-Reply-To: <1197473924.3019.25.camel@vai.mentalrootkit.com>
References: <1197473924.3019.25.camel@vai.mentalrootkit.com>
Message-ID: <476002DD.4060905@redhat.com>
Karl MacMillan wrote:
> Move radius configuration into a separate script.
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
Looks ok.
Will we be moving the radius aci's out as well?
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Wed Dec 12 15:52:03 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Dec 2007 10:52:03 -0500
Subject: [Freeipa-devel] [PATCH] better access control and other minor
things
In-Reply-To: <1197473297.24744.13.camel@localhost.localdomain>
References: <1197428355.23597.1.camel@hopeson> <475FF4AF.6010809@redhat.com>
<1197473297.24744.13.camel@localhost.localdomain>
Message-ID: <476003A3.9050306@redhat.com>
Simo Sorce wrote:
> On Wed, 2007-12-12 at 09:48 -0500, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> please check, although I have tested this with CLI and saw no side
>>> effects, I have slightly restricted access that was previously
>>> erroneously granted.
>> Just a couple of things:
>>
>> +aci: (targetfilter =
>> "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup)(objectClass=radiusprofile))")(targetattr
>> != "aci || userPassword || krbPrincipalKey || sambaLMPassword ||
>> sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins
>> can manage Users and Groups"; allow (add, delete, read, write) groupdn =
>> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>>
>> Should this have an & before the attributes? Is this saying admins can
>> manage these objectclasses OR anything without these attributes?
>
> No it means that admins can manage any attribute in any entry with these
> objectclasses but access to those attributes is still forbidden.
> I had to do this because admins where seeing
> userPassword,krbPrincipalKey etc...
>
> I tried with a deny acl at the start but it seem it is not possible to
> use something like userdn != "" && groupdn != "" and I need both. This
> made me impossible to use the deny to make double-sure nobody except
> authorized can see these attrs.
>
> I am still thinking I can add at some point a group of "not denied
> access to secrets" so I can use the deny (not denied would be members of
> admins group, uid=kdc and kerberosprincipalname=kadmin/changepw at REALM )
>
>> For the CalledProcessError we have ipautil in there explicitly so
>> someone doesn't think it is coming from subprocess. I wonder if we
>> should simply rename the function to avoid confusion instead.
>
> I just fixed a stack trace I was getting, feel free to disambiguate it
> if important.
>
> Simo.
>
This is a better fix:
diff -r f40c9b9bc891 ipa-server/ipaserver/krbinstance.py
--- a/ipa-server/ipaserver/krbinstance.py Wed Dec 12 10:34:48 2007
-0500
+++ b/ipa-server/ipaserver/krbinstance.py Wed Dec 12 10:51:49 2007
-0500
@@ -30,7 +30,7 @@ import pwd
import pwd
import socket
import time
-import shutil
+from ipa import ipautil
import service
from ipa import ipaerror
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From kmacmill at redhat.com Wed Dec 12 15:56:02 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 12 Dec 2007 10:56:02 -0500
Subject: [Freeipa-devel] [PATCH] separate radius configuration
In-Reply-To: <476002DD.4060905@redhat.com>
References: <1197473924.3019.25.camel@vai.mentalrootkit.com>
<476002DD.4060905@redhat.com>
Message-ID: <1197474962.3019.30.camel@vai.mentalrootkit.com>
On Wed, 2007-12-12 at 10:48 -0500, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > Move radius configuration into a separate script.
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Freeipa-devel mailing list
> > Freeipa-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> Looks ok.
>
> Will we be moving the radius aci's out as well?
>
I guess we shouldn't leave access enabled that isn't being used -
anything else?
Karl
From rcritten at redhat.com Wed Dec 12 16:05:48 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Dec 2007 11:05:48 -0500
Subject: [Freeipa-devel] [PATCH] user provided certs
In-Reply-To: <1197408857.8999.49.camel@clapton.mentalrootkit.com>
References: <1197408857.8999.49.camel@clapton.mentalrootkit.com>
Message-ID: <476006DC.1080507@redhat.com>
Karl MacMillan wrote:
> Add a utility to import user provided certs in pkcs#12 format.
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
You are missing a close after the write in set_http_cert_name()
I'm guessing that python automatically closes it when fd goes out of
scope but still...
I'm not sure why you don't use installutils.update_file() to replace
file.append('NSSNickname').
Otherwise it looks ok.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From rcritten at redhat.com Wed Dec 12 16:06:24 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Dec 2007 11:06:24 -0500
Subject: [Freeipa-devel] [PATCH] separate radius configuration
In-Reply-To: <1197474962.3019.30.camel@vai.mentalrootkit.com>
References: <1197473924.3019.25.camel@vai.mentalrootkit.com>
<476002DD.4060905@redhat.com>
<1197474962.3019.30.camel@vai.mentalrootkit.com>
Message-ID: <47600700.6050308@redhat.com>
Karl MacMillan wrote:
> On Wed, 2007-12-12 at 10:48 -0500, Rob Crittenden wrote:
>> Karl MacMillan wrote:
>>> Move radius configuration into a separate script.
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>> Looks ok.
>>
>> Will we be moving the radius aci's out as well?
>>
>
> I guess we shouldn't leave access enabled that isn't being used -
> anything else?
>
> Karl
>
No, it looks fine.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From kmacmill at redhat.com Wed Dec 12 16:06:37 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 12 Dec 2007 11:06:37 -0500
Subject: [Freeipa-devel] [PATCH] confirm before configuring client
In-Reply-To: <47600290.9080804@redhat.com>
References: <1197472643.3019.23.camel@localhost.localdomain>
<47600290.9080804@redhat.com>
Message-ID: <1197475597.3019.32.camel@vai.mentalrootkit.com>
On Wed, 2007-12-12 at 10:47 -0500, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > Confirm before client configuration.
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Freeipa-devel mailing list
> > Freeipa-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> One minor suggestion: make it yesno.lower()[0] != "y":
>
> And will it handle it if the user doesn't enter anything?
>
> It should probably be:
>
> if not yesno or yesno.lower()[0] != "y":
>
Pushed with the attached patch to clean this up.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: improve-confirmation.patch
Type: text/x-patch
Size: 2126 bytes
Desc: not available
URL:
From kmacmill at redhat.com Wed Dec 12 16:08:13 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 12 Dec 2007 11:08:13 -0500
Subject: [Freeipa-devel] [PATCH] user provided certs
In-Reply-To: <476006DC.1080507@redhat.com>
References: <1197408857.8999.49.camel@clapton.mentalrootkit.com>
<476006DC.1080507@redhat.com>
Message-ID: <1197475693.3019.34.camel@vai.mentalrootkit.com>
On Wed, 2007-12-12 at 11:05 -0500, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > Add a utility to import user provided certs in pkcs#12 format.
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Freeipa-devel mailing list
> > Freeipa-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> You are missing a close after the write in set_http_cert_name()
>
> I'm guessing that python automatically closes it when fd goes out of
> scope but still...
>
It does, but I'll fix before pushing.
> I'm not sure why you don't use installutils.update_file() to replace
> file.append('NSSNickname').
>
That can't properly handle cert nicknames with spaces.
Karl
From rcritten at redhat.com Wed Dec 12 16:11:26 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Dec 2007 11:11:26 -0500
Subject: [Freeipa-devel] [PATCH] user provided certs
In-Reply-To: <1197475693.3019.34.camel@vai.mentalrootkit.com>
References: <1197408857.8999.49.camel@clapton.mentalrootkit.com>
<476006DC.1080507@redhat.com>
<1197475693.3019.34.camel@vai.mentalrootkit.com>
Message-ID: <4760082E.7040007@redhat.com>
Karl MacMillan wrote:
> On Wed, 2007-12-12 at 11:05 -0500, Rob Crittenden wrote:
>> Karl MacMillan wrote:
>>> Add a utility to import user provided certs in pkcs#12 format.
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>> You are missing a close after the write in set_http_cert_name()
>>
>> I'm guessing that python automatically closes it when fd goes out of
>> scope but still...
>>
>
> It does, but I'll fix before pushing.
>
>> I'm not sure why you don't use installutils.update_file() to replace
>> file.append('NSSNickname').
>>
>
> That can't properly handle cert nicknames with spaces.
>
> Karl
>
Ok, acked.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From kmacmill at redhat.com Wed Dec 12 16:17:05 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 12 Dec 2007 11:17:05 -0500
Subject: [Freeipa-devel] [PATCH] separate radius configuration
In-Reply-To: <47600700.6050308@redhat.com>
References: <1197473924.3019.25.camel@vai.mentalrootkit.com>
<476002DD.4060905@redhat.com>
<1197474962.3019.30.camel@vai.mentalrootkit.com>
<47600700.6050308@redhat.com>
Message-ID: <1197476225.3019.43.camel@vai.mentalrootkit.com>
On Wed, 2007-12-12 at 11:06 -0500, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > On Wed, 2007-12-12 at 10:48 -0500, Rob Crittenden wrote:
> >> Karl MacMillan wrote:
> >>> Move radius configuration into a separate script.
> >>>
> >>>
> >>> ------------------------------------------------------------------------
> >>>
> >>> _______________________________________________
> >>> Freeipa-devel mailing list
> >>> Freeipa-devel at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> >> Looks ok.
> >>
> >> Will we be moving the radius aci's out as well?
> >>
> >
> > I guess we shouldn't leave access enabled that isn't being used -
> > anything else?
> >
> > Karl
> >
>
> No, it looks fine.
>
Pushed.
From kmacmill at redhat.com Wed Dec 12 16:17:21 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 12 Dec 2007 11:17:21 -0500
Subject: [Freeipa-devel] [PATCH] better error reporting from ipa-webgui
In-Reply-To: <4760014B.1080903@redhat.com>
References: <1197472291.3019.21.camel@localhost.localdomain>
<4760014B.1080903@redhat.com>
Message-ID: <1197476241.3019.45.camel@vai.mentalrootkit.com>
On Wed, 2007-12-12 at 10:42 -0500, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > The ipa-webgui script was not returning errors, so the init script could
> > not indicate when the daemon failed to start.
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Freeipa-devel mailing list
> > Freeipa-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> Ack
Pushed.
From jdennis at redhat.com Wed Dec 12 16:19:11 2007
From: jdennis at redhat.com (John Dennis)
Date: Wed, 12 Dec 2007 11:19:11 -0500
Subject: [Freeipa-devel] [PATCH] better access control and other minor
things
In-Reply-To: <1197473297.24744.13.camel@localhost.localdomain>
References: <1197428355.23597.1.camel@hopeson> <475FF4AF.6010809@redhat.com>
<1197473297.24744.13.camel@localhost.localdomain>
Message-ID: <476009FF.8030704@redhat.com>
I noticed the radius aci was changed from being an aci with a target=dn
to a aci on the dn. For my own edification why is this preferred or was
it just not right in the first place?
--
John Dennis
From kmacmill at redhat.com Wed Dec 12 16:19:57 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 12 Dec 2007 11:19:57 -0500
Subject: [Freeipa-devel] [PATCH] user provided certs
In-Reply-To: <4760082E.7040007@redhat.com>
References: <1197408857.8999.49.camel@clapton.mentalrootkit.com>
<476006DC.1080507@redhat.com>
<1197475693.3019.34.camel@vai.mentalrootkit.com>
<4760082E.7040007@redhat.com>
Message-ID: <1197476397.3019.47.camel@vai.mentalrootkit.com>
On Wed, 2007-12-12 at 11:11 -0500, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > On Wed, 2007-12-12 at 11:05 -0500, Rob Crittenden wrote:
> >> Karl MacMillan wrote:
> >>> Add a utility to import user provided certs in pkcs#12 format.
> >>>
> >>>
> >>> ------------------------------------------------------------------------
> >>>
> >>> _______________________________________________
> >>> Freeipa-devel mailing list
> >>> Freeipa-devel at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> >> You are missing a close after the write in set_http_cert_name()
> >>
> >> I'm guessing that python automatically closes it when fd goes out of
> >> scope but still...
> >>
> >
> > It does, but I'll fix before pushing.
> >
> >> I'm not sure why you don't use installutils.update_file() to replace
> >> file.append('NSSNickname').
> >>
> >
> > That can't properly handle cert nicknames with spaces.
> >
> > Karl
> >
>
> Ok, acked.
>
Pushed.
From ssorce at redhat.com Wed Dec 12 16:24:14 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Dec 2007 11:24:14 -0500
Subject: [Freeipa-devel] [PATCH] better access control and other minor
things
In-Reply-To: <476009FF.8030704@redhat.com>
References: <1197428355.23597.1.camel@hopeson> <475FF4AF.6010809@redhat.com>
<1197473297.24744.13.camel@localhost.localdomain>
<476009FF.8030704@redhat.com>
Message-ID: <1197476654.24744.19.camel@localhost.localdomain>
On Wed, 2007-12-12 at 11:19 -0500, John Dennis wrote:
> I noticed the radius aci was changed from being an aci with a target=dn
> to a aci on the dn. For my own edification why is this preferred or was
> it just not right in the first place?
I prefer to keep ACIs on a specific tree on it's root, this helps better
understand the scope of the ACI and also goes away automatically if we
kill or the tree and moves with the tree should we decide to rename it
before release without risking to forget about it.
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From kmacmill at redhat.com Wed Dec 12 16:34:21 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 12 Dec 2007 11:34:21 -0500
Subject: [Freeipa-devel] [PATCH] automatic browser config
In-Reply-To: <475FF223.2020306@redhat.com>
References: <475FF223.2020306@redhat.com>
Message-ID: <1197477261.3019.50.camel@vai.mentalrootkit.com>
On Wed, 2007-12-12 at 09:37 -0500, Rob Crittenden wrote:
> Add automatic browser configuration for kerberos SSO using javascript.
>
> This uses the UniversalPreferencesWrite function to set the browser
> preferences to allow negotiation and ticket forwarding in the IPA domain.
>
> A self-signed certificate is generated to sign the javascript.
>
> This will only display and work on modern gecko-based browsers.
>
This worked for me (once a minor typo was fixed) - pushed. A few
questions:
1) How will this work when a user provides their own certs? Is there an
easy way for them to re-sign the jar or do we need to provide a tool to
help them do that?
2) Can we force a reload after configuration - currently it says success
but nothing happens.
Karl
From kmacmill at redhat.com Wed Dec 12 16:35:21 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 12 Dec 2007 11:35:21 -0500
Subject: [Freeipa-devel] [Fwd: Python Eggs & distutils in Rawhide]
Message-ID: <1197477321.3019.52.camel@vai.mentalrootkit.com>
Do we need to do anything based on this about how we package our eggs?
Karl
-------- Forwarded Message --------
> From: Toshio Kuratomi
> Reply-To: fedora-devel-list at redhat.com
> To: fedora-devel-announce at redhat.com
> Subject: Python Eggs & distutils in Rawhide
> Date: Mon, 10 Dec 2007 14:20:26 -0800
>
> Just a small heads up for those of you packaging python modules.
> python-2.5.1-18, just built for rawhide, has reverted a small patch we
> were carrying that disabled generation of egg-info for modules created
> by distutils. That means that python modules built against rawhide will
> now create an extra file of metadata in the python_sitelib and
> python_sitearch directories. You'll need to include those in your
> %files section if it's not already pulled in via a wildcard.
>
> For more information on what these files give us, take a look at the
> Python Egg Guidelines on:
>
> http://fedoraproject.org/wiki/Packaging/Python/Eggs
>
> -Toshio
>
> _______________________________________________
> Fedora-devel-announce mailing list
> Fedora-devel-announce at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-devel-announce
> -- fedora-devel-list mailing list fedora-devel-list at redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
From rcritten at redhat.com Wed Dec 12 16:39:00 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Dec 2007 11:39:00 -0500
Subject: [Freeipa-devel] [PATCH] automatic browser config
In-Reply-To: <1197477261.3019.50.camel@vai.mentalrootkit.com>
References: <475FF223.2020306@redhat.com>
<1197477261.3019.50.camel@vai.mentalrootkit.com>
Message-ID: <47600EA4.3050509@redhat.com>
Karl MacMillan wrote:
> On Wed, 2007-12-12 at 09:37 -0500, Rob Crittenden wrote:
>> Add automatic browser configuration for kerberos SSO using javascript.
>>
>> This uses the UniversalPreferencesWrite function to set the browser
>> preferences to allow negotiation and ticket forwarding in the IPA domain.
>>
>> A self-signed certificate is generated to sign the javascript.
>>
>> This will only display and work on modern gecko-based browsers.
>>
>
> This worked for me (once a minor typo was fixed) - pushed. A few
> questions:
>
> 1) How will this work when a user provides their own certs? Is there an
> easy way for them to re-sign the jar or do we need to provide a tool to
> help them do that?
I guess we'd need to add the ability to import a pkcs#12 signing cert
too. Then write a short script to do the signing.
> 2) Can we force a reload after configuration - currently it says success
> but nothing happens.
I might be able to redirect them after the dismiss the alert box. I'll
look into it.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From kmacmill at redhat.com Wed Dec 12 17:05:02 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 12 Dec 2007 12:05:02 -0500
Subject: [Freeipa-devel] [PATCH] add a man page for ipa-getkeytab
Message-ID: <1197479102.3019.58.camel@vai.mentalrootkit.com>
Add a man page for ipa-getkeytab
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-getkeytab-man.patch
Type: text/x-patch
Size: 3099 bytes
Desc: not available
URL:
From ssorce at redhat.com Wed Dec 12 19:06:21 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Dec 2007 14:06:21 -0500
Subject: [Freeipa-devel] [PATCH] better access control and other minor
things
In-Reply-To: <1197428355.23597.1.camel@hopeson>
References: <1197428355.23597.1.camel@hopeson>
Message-ID: <1197486381.22001.2.camel@hopeson>
On Tue, 2007-12-11 at 21:59 -0500, Simo Sorce wrote:
> please check, although I have tested this with CLI and saw no side
> effects, I have slightly restricted access that was previously
> erroneously granted.
Pushed,
with attached patch.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-520-krbinstance-ipautil.patch
Type: text/x-patch
Size: 7689 bytes
Desc: not available
URL:
From ssorce at redhat.com Wed Dec 12 19:09:45 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Dec 2007 14:09:45 -0500
Subject: [Freeipa-devel] [PATCH] spec fixes for update/remove of rpms
Message-ID: <1197486585.22001.5.camel@hopeson>
As discussed to support stopping/restarteing daemons
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-521-spec-fixes.patch
Type: text/x-patch
Size: 1906 bytes
Desc: not available
URL:
From ssorce at redhat.com Wed Dec 12 19:18:44 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Dec 2007 14:18:44 -0500
Subject: [Freeipa-devel] [PATCH] Separate out another radius ACI
Message-ID: <1197487124.22774.0.camel@hopeson>
This will let us better understand anything related to it.
Simo.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-522-separate-radius-aci.patch
Type: text/x-patch
Size: 3758 bytes
Desc: not available
URL:
From rcritten at redhat.com Wed Dec 12 19:22:11 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Dec 2007 14:22:11 -0500
Subject: [Freeipa-devel] XML-RPC API: update_*
In-Reply-To: <475EFAE9.10403@redhat.com>
References: <475EAD3E.2020600@redhat.com> <475EBD28.9060108@redhat.com>
<475EDCED.70001@redhat.com> <475EFAE9.10403@redhat.com>
Message-ID: <476034E3.7030105@redhat.com>
John Dennis wrote:
> Rob Crittenden wrote:
>> John Dennis wrote:
>>> Don't all the problems and issues go away if the API for modification
>>> took add, modify and delete parameters? That seems easier, cleaner,
>>> and more efficient. I'm pretty sure most callers will easily know
>>> whether they've added, modified, or deleted an attribute. If for some
>>> reason they don't have that knowledge we could provide a helper
>>> utility to compute it, but I doubt that would be needed in most cases.
>>>
>>
>> The reasoning is that it saves a lot of round-trips. Each XML-RPC
>> request requires:
>>
>> 1. An SSL connection
>> 2. A kerberos authentication
>> 3. One or more LDAP connections
>> 3.1 A kerberos auth
>> 3.2 The LDAP operation
>
> I wasn't suggesting separate calls for add, modify and delete. Rather
> one call that takes add, modify and delete parameters. That means it's
> the same round-trip overhead, but without the baggage of having to
> manage before and after attribute dictionaries.
>
> Question: Are we exposing the generateModList API in the python ldap
> module because we concluded it is the optimal and most sensible API for
> us or because it happened to be there and now we're trying to force
> everything to operate that way and in the process introducing
> inefficiency, complexity and special case scenarios?
>
> If one wants to use the generateModList API in the python ldap module
> (not a requirement) then I'm not sure what is being gained by not
> passing the before dictionary other than a marginal reduction in the
> size of the transport during update and a marginal reduction in client
> memory usage to store both dictionaries, one still pays all the
> round-trip costs you enumerate above. The client still has to start with
> a call to query the current dictionary. If you don't have the current
> dictionary I don't see how you would robustly implement the semantics of
> delete. The reasoning goes like this, if the client fails to set any
> attributes in the new dictionary, a likely scenario if he never queried
> the current dictionary and thus does not know what the current
> attributes are, then on the server the missing attribute in the new
> dictionary will be interpreted as a delete operation on that attribute.
> Ouch, that's not what was expected. Thus to be robust one has to have
> both dictionaries, so what's the advantage? Explicitly passing what is
> being added, modified, and deleted gets you out of the whole mess. Note,
> add and modify could be collapsed into one parameter for greater
> simplicity. But delete must be handled separately. Note delete is
> fundamentally different from add/modify because add/modify pairs the
> attribute with a value, but delete specifies only the attribute.
>
> Maybe we should pop up a level and ask if generateModList is the optimal
> API. I'm not convinced it is, it adds a lot of baggage and complexity
> we're now trying to find ways to eliminate.
>
> Also note at least one round trip can be completely eliminated if we
> don't use generateModList, that alone is a significant performance win.
>
Well, I think perhaps we could support both. One for those that want
total control and one API for those who want the system to figure it out.
The generateModList function is not exported. There is no way to see
what has changed in an object other than doing would generateModList
would do.
There is no round-trip for generating the mod list. That is done within
the XML-RPC layer (because the python-ldap one was broken IIRC).
Not sure I'll get to this before the end of the year though.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From ssorce at redhat.com Wed Dec 12 19:23:57 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Dec 2007 14:23:57 -0500
Subject: [Freeipa-devel] [PATCH] update ldap:///self aci
In-Reply-To: <475FFFF7.3000905@redhat.com>
References: <475FFFF7.3000905@redhat.com>
Message-ID: <1197487437.24744.23.camel@localhost.localdomain>
On Wed, 2007-12-12 at 10:36 -0500, Rob Crittenden wrote:
> Add missing attributes to the ldap:///self aci
>
> Added employeeType, businessCategory and ou
>
> This was causing user self-service to fail.
Sounds ok, please let me merge this in once I get the ack for the other
radius related aci patch
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From rcritten at redhat.com Wed Dec 12 20:18:50 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Dec 2007 15:18:50 -0500
Subject: [Freeipa-devel] [PATCH] fix delegation validation UI
Message-ID: <4760422A.1020905@redhat.com>
The source and target entry fields weren't highlighted as required so I
fixed that.
The huge checklist WAS highlighted and it looked really, really bad.
Fixed that too.
I had to tweak some TG internals to get this working properly.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-556-delegateui.patch
Type: text/x-patch
Size: 3269 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From ssorce at redhat.com Wed Dec 12 21:12:16 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Dec 2007 16:12:16 -0500
Subject: [Freeipa-devel] [PATCH] create host keytab automatically
Message-ID: <1197493936.27878.0.camel@hopeson>
This make it possible for example to immediately login via ssh+gssapi to
the server.
Simo.
From ssorce at redhat.com Wed Dec 12 21:14:49 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Dec 2007 16:14:49 -0500
Subject: [Freeipa-devel] [PATCH] create host keytab automatically
In-Reply-To: <1197493936.27878.0.camel@hopeson>
References: <1197493936.27878.0.camel@hopeson>
Message-ID: <1197494089.27878.2.camel@hopeson>
On Wed, 2007-12-12 at 16:12 -0500, Simo Sorce wrote:
> This make it possible for example to immediately login via ssh+gssapi to
> the server.
With the patch ...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-523-create-host-keytab.patch
Type: text/x-patch
Size: 2338 bytes
Desc: not available
URL:
From kmacmill at redhat.com Wed Dec 12 21:19:35 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 12 Dec 2007 16:19:35 -0500
Subject: [Freeipa-devel] [PATCH] create host keytab automatically
In-Reply-To: <1197493936.27878.0.camel@hopeson>
References: <1197493936.27878.0.camel@hopeson>
Message-ID: <1197494375.3019.102.camel@vai.mentalrootkit.com>
On Wed, 2007-12-12 at 16:12 -0500, Simo Sorce wrote:
> This make it possible for example to immediately login via ssh+gssapi to
> the server.
>
-ENOPATCH
From ssorce at redhat.com Wed Dec 12 21:20:13 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Dec 2007 16:20:13 -0500
Subject: [Freeipa-devel] [PATCH] create host keytab automatically
In-Reply-To: <1197493936.27878.0.camel@hopeson>
References: <1197493936.27878.0.camel@hopeson>
Message-ID: <1197494413.28356.0.camel@hopeson>
On Wed, 2007-12-12 at 16:12 -0500, Simo Sorce wrote:
> This make it possible for example to immediately login via ssh+gssapi to
> the server.
With the patch ...
-EGAIN
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-523-create-host-keytab.patch
Type: text/x-patch
Size: 2338 bytes
Desc: not available
URL:
From kmacmill at redhat.com Wed Dec 12 21:35:13 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 12 Dec 2007 16:35:13 -0500
Subject: [Freeipa-devel] [PATCH] add a man page for ipa-getkeytab
In-Reply-To: <1197479102.3019.58.camel@vai.mentalrootkit.com>
References: <1197479102.3019.58.camel@vai.mentalrootkit.com>
Message-ID: <1197495313.3019.107.camel@vai.mentalrootkit.com>
On Wed, 2007-12-12 at 12:05 -0500, Karl MacMillan wrote:
> Add a man page for ipa-getkeytab
Pushed.
From kmacmill at redhat.com Wed Dec 12 21:36:51 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 12 Dec 2007 16:36:51 -0500
Subject: [Freeipa-devel] [PATCH] spec fixes for update/remove of rpms
In-Reply-To: <1197486585.22001.5.camel@hopeson>
References: <1197486585.22001.5.camel@hopeson>
Message-ID: <1197495411.3019.109.camel@vai.mentalrootkit.com>
On Wed, 2007-12-12 at 14:09 -0500, Simo Sorce wrote:
> As discussed to support stopping/restarteing daemons
Pushed.
From kmacmill at redhat.com Wed Dec 12 21:37:45 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 12 Dec 2007 16:37:45 -0500
Subject: [Freeipa-devel] [PATCH] Separate out another radius ACI
In-Reply-To: <1197487124.22774.0.camel@hopeson>
References: <1197487124.22774.0.camel@hopeson>
Message-ID: <1197495465.3019.111.camel@vai.mentalrootkit.com>
On Wed, 2007-12-12 at 14:18 -0500, Simo Sorce wrote:
> This will let us better understand anything related to it.
>
Pushed.
From ssorce at redhat.com Wed Dec 12 21:46:57 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Dec 2007 16:46:57 -0500
Subject: [Freeipa-devel] [PATCH] update ldap:///self aci
In-Reply-To: <475FFFF7.3000905@redhat.com>
References: <475FFFF7.3000905@redhat.com>
Message-ID: <1197496017.24744.25.camel@localhost.localdomain>
On Wed, 2007-12-12 at 10:36 -0500, Rob Crittenden wrote:
> Add missing attributes to the ldap:///self aci
>
> Added employeeType, businessCategory and ou
>
> This was causing user self-service to fail.
Merged and pushed, I also found that you added gecos, title and
secretary, is that right ?
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From kmacmill at redhat.com Wed Dec 12 23:10:34 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 12 Dec 2007 18:10:34 -0500
Subject: [Freeipa-devel] [PATCH] move radius server components to separate
package
Message-ID: <1197501034.3019.113.camel@vai.mentalrootkit.com>
To make radius optional, move the server components to a separate
package. The same will need to be done for the admintools.
Karl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-radius-server.patch
Type: text/x-patch
Size: 40396 bytes
Desc: not available
URL:
From ssorce at redhat.com Wed Dec 12 23:15:50 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Dec 2007 18:15:50 -0500
Subject: [Freeipa-devel] [PATCH] move radius server components to
separate package
In-Reply-To: <1197501034.3019.113.camel@vai.mentalrootkit.com>
References: <1197501034.3019.113.camel@vai.mentalrootkit.com>
Message-ID: <1197501350.24744.29.camel@localhost.localdomain>
Ack, and as agreed we'll wait for you to push this from your tree given
the number of renames and other things going on.
Simo.
On Wed, 2007-12-12 at 18:10 -0500, Karl MacMillan wrote:
> To make radius optional, move the server components to a separate
> package. The same will need to be done for the admintools.
>
> Karl
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From kmacmill at redhat.com Wed Dec 12 23:18:53 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 12 Dec 2007 18:18:53 -0500
Subject: [Freeipa-devel] [PATCH] move radius server components to
separate package
In-Reply-To: <1197501350.24744.29.camel@localhost.localdomain>
References: <1197501034.3019.113.camel@vai.mentalrootkit.com>
<1197501350.24744.29.camel@localhost.localdomain>
Message-ID: <1197501533.3019.119.camel@vai.mentalrootkit.com>
On Wed, 2007-12-12 at 18:15 -0500, Simo Sorce wrote:
> Ack, and as agreed we'll wait for you to push this from your tree given
> the number of renames and other things going on.
>
Pushed.
From rcritten at redhat.com Thu Dec 13 04:04:32 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Dec 2007 23:04:32 -0500
Subject: [Freeipa-devel] [PATCH] Allow for direct entry of group names when
creating delegations
Message-ID: <4760AF50.8050003@redhat.com>
Allow for direct entry of group names when creating delegations.
This requires a bit of trickery. I use the onblur() javascript function
to note when the field is left and store whatever was entered there.
Then when the page is submitted if a dn doesn't exist for that field
but they did enter something, do a lookup to see if there is a group by
that name.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-557-delegate.patch
Type: text/x-patch
Size: 3889 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From markmc at redhat.com Thu Dec 13 09:35:05 2007
From: markmc at redhat.com (Mark McLoughlin)
Date: Thu, 13 Dec 2007 09:35:05 +0000
Subject: [Freeipa-devel] [PATCH 3 of 7] More ipautil fixing
In-Reply-To:
Message-ID:
# HG changeset patch
# User Mark McLoughlin
# Date 1197538288 0
# Node ID cea59d38c4e7ac0e89e81d0f4bdea1d8bf61e760
# Parent 923f20a9c99d57329b40e85fec99d1b92ff0ab77
More ipautil fixing
Recently, dsinstance and krbinstance was fixed to
not import * from ipautil; do the same for the
rest of ipaserver.
Signed-off-by: Mark McLoughlin
diff -r 923f20a9c99d -r cea59d38c4e7 ipa-radius-server/plugins/radiusinstance.py
--- a/ipa-radius-server/plugins/radiusinstance.py Thu Dec 13 09:31:28 2007 +0000
+++ b/ipa-radius-server/plugins/radiusinstance.py Thu Dec 13 09:31:28 2007 +0000
@@ -29,7 +29,7 @@ import pwd
import pwd
import time
import sys
-from ipa.ipautil import *
+from ipa import ipautil
from ipa import radius_util
from ipaserver import service
@@ -46,7 +46,7 @@ from ipaserver.funcs import DefaultUserC
def ldap_mod(fd, dn, pwd):
args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name]
- run(args)
+ ipautil.run(args)
def get_radius_version():
version = None
@@ -76,7 +76,7 @@ class RadiusInstance(service.Service):
def create_instance(self, realm_name, host_name, ldap_server):
self.realm = realm_name.upper()
- self.suffix = realm_to_suffix(self.realm)
+ self.suffix = ipautil.realm_to_suffix(self.realm)
self.fqdn = host_name
self.ldap_server = ldap_server
self.principal = "%s/%s@%s" % (radius_util.RADIUS_SERVICE_NAME, self.fqdn, self.realm)
@@ -119,7 +119,7 @@ class RadiusInstance(service.Service):
'SUFFIX' : self.suffix,
}
try:
- radiusd_conf = template_file(radius_util.RADIUSD_CONF_TEMPLATE_FILEPATH, sub_dict)
+ radiusd_conf = ipautil.template_file(radius_util.RADIUSD_CONF_TEMPLATE_FILEPATH, sub_dict)
radiusd_fd = open(radius_util.RADIUSD_CONF_FILEPATH, 'w+')
radiusd_fd.write(radiusd_conf)
radiusd_fd.close()
@@ -129,7 +129,7 @@ class RadiusInstance(service.Service):
def __create_radius_keytab(self):
self.step("creating a keytab for radiusd")
try:
- if file_exists(radius_util.RADIUS_IPA_KEYTAB_FILEPATH):
+ if ipautil.file_exists(radius_util.RADIUS_IPA_KEYTAB_FILEPATH):
os.remove(radius_util.RADIUS_IPA_KEYTAB_FILEPATH)
except os.error:
logging.error("Failed to remove %s", radius_util.RADIUS_IPA_KEYTAB_FILEPATH)
@@ -145,7 +145,7 @@ class RadiusInstance(service.Service):
# give kadmin time to actually write the file before we go on
retry = 0
- while not file_exists(radius_util.RADIUS_IPA_KEYTAB_FILEPATH):
+ while not ipautil.file_exists(radius_util.RADIUS_IPA_KEYTAB_FILEPATH):
time.sleep(1)
retry += 1
if retry > 15:
@@ -161,11 +161,11 @@ class RadiusInstance(service.Service):
def __set_ldap_encrypted_attributes(self):
ldif_file = 'encrypted_attribute.ldif'
self.step("setting ldap encrypted attributes")
- ldif_txt = template_file(SHARE_DIR + ldif_file, {'ENCRYPTED_ATTRIBUTE':'radiusClientSecret'})
- ldif_fd = write_tmp_file(ldif_txt)
+ ldif_txt = ipautil.template_file(ipautil.SHARE_DIR + ldif_file, {'ENCRYPTED_ATTRIBUTE':'radiusClientSecret'})
+ ldif_fd = ipautil.write_tmp_file(ldif_txt)
try:
ldap_mod(ldif_fd, "cn=Directory Manager", self.dm_password)
- except subprocess.CalledProcessError, e:
+ except ipautil.CalledProcessError, e:
logging.critical("Failed to load %s: %s" % (ldif_file, str(e)))
ldif_fd.close()
diff -r 923f20a9c99d -r cea59d38c4e7 ipa-server/ipaserver/bindinstance.py
--- a/ipa-server/ipaserver/bindinstance.py Thu Dec 13 09:31:28 2007 +0000
+++ b/ipa-server/ipaserver/bindinstance.py Thu Dec 13 09:31:28 2007 +0000
@@ -23,10 +23,13 @@ import shutil
import shutil
import os
import socket
-from ipa.ipautil import *
-class BindInstance:
+import service
+from ipa import ipautil
+
+class BindInstance(service.Service):
def __init__(self):
+ service.Service.__init__(self, "named")
self.fqdn = None
self.domain = None
self.host = None
@@ -52,7 +55,7 @@ class BindInstance:
return True
def create_sample_bind_zone(self):
- bind_txt = template_file(SHARE_DIR + "bind.zone.db.template", self.sub_dict)
+ bind_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.zone.db.template", self.sub_dict)
[bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.")
os.write(bind_fd, bind_txt)
os.close(bind_fd)
@@ -73,15 +76,6 @@ class BindInstance:
except:
print "named service failed to start"
- def stop(self):
- run(["/sbin/service", "named", "stop"])
-
- def start(self):
- run(["/sbin/service", "named", "start"])
-
- def restart(self):
- run(["/sbin/service", "named", "restart"])
-
def __setup_sub_dict(self):
self.sub_dict = dict(FQDN=self.fqdn,
IP=self.ip_address,
@@ -90,7 +84,7 @@ class BindInstance:
REALM=self.realm)
def __setup_zone(self):
- zone_txt = template_file(SHARE_DIR + "bind.zone.db.template", self.sub_dict)
+ zone_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.zone.db.template", self.sub_dict)
zone_fd = open('/var/named/'+self.domain+'.zone.db', 'w')
zone_fd.write(zone_txt)
zone_fd.close()
@@ -98,7 +92,7 @@ class BindInstance:
def __setup_named_conf(self):
if os.path.exists('/etc/named.conf'):
shutil.copy2('/etc/named.conf', '/etc/named.conf.ipabkp')
- named_txt = template_file(SHARE_DIR + "bind.named.conf.template", self.sub_dict)
+ named_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.named.conf.template", self.sub_dict)
named_fd = open('/etc/named.conf', 'w')
named_fd.seek(0)
named_fd.truncate(0)
diff -r 923f20a9c99d -r cea59d38c4e7 ipa-server/ipaserver/httpinstance.py
--- a/ipa-server/ipaserver/httpinstance.py Thu Dec 13 09:31:28 2007 +0000
+++ b/ipa-server/ipaserver/httpinstance.py Thu Dec 13 09:31:28 2007 +0000
@@ -17,6 +17,8 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
+import os
+import os.path
import subprocess
import string
import tempfile
@@ -31,7 +33,7 @@ import certs
import certs
import dsinstance
import installutils
-from ipa.ipautil import *
+from ipa import ipautil
HTTPD_DIR = "/etc/httpd"
SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf"
@@ -77,7 +79,7 @@ class HTTPInstance(service.Service):
selinux=0
try:
if (os.path.exists('/usr/sbin/selinuxenabled')):
- run(["/usr/sbin/selinuxenabled"])
+ ipautil.run(["/usr/sbin/selinuxenabled"])
selinux=1
except ipautil.CalledProcessError:
# selinuxenabled returns 1 if not enabled
@@ -87,14 +89,14 @@ class HTTPInstance(service.Service):
# Allow apache to connect to the turbogears web gui
# This can still fail even if selinux is enabled
try:
- run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
+ ipautil.run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
except:
self.print_msg(selinux_warning)
def __create_http_keytab(self):
self.step("creating a keytab for httpd")
try:
- if file_exists("/etc/httpd/conf/ipa.keytab"):
+ if ipautil.file_exists("/etc/httpd/conf/ipa.keytab"):
os.remove("/etc/httpd/conf/ipa.keytab")
except os.error:
print "Failed to remove /etc/httpd/conf/ipa.keytab."
@@ -109,7 +111,7 @@ class HTTPInstance(service.Service):
# give kadmin time to actually write the file before we go on
retry = 0
- while not file_exists("/etc/httpd/conf/ipa.keytab"):
+ while not ipautil.file_exists("/etc/httpd/conf/ipa.keytab"):
time.sleep(1)
retry += 1
if retry > 15:
@@ -121,7 +123,7 @@ class HTTPInstance(service.Service):
def __configure_http(self):
self.step("configuring httpd")
- http_txt = template_file(SHARE_DIR + "ipa.conf", self.sub_dict)
+ http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
http_fd = open("/etc/httpd/conf.d/ipa.conf", "w")
http_fd.write(http_txt)
http_fd.close()
@@ -147,7 +149,7 @@ class HTTPInstance(service.Service):
ca.create_signing_cert("Signing-Cert", "cn=%s,ou=Signing Certificate,o=Identity Policy Audit" % self.fqdn, ds_ca)
def __setup_autoconfig(self):
- prefs_txt = template_file(SHARE_DIR + "preferences.html.template", self.sub_dict)
+ prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "preferences.html.template", self.sub_dict)
prefs_fd = open("/usr/share/ipa/html/preferences.html", "w")
prefs_fd.write(prefs_txt)
prefs_fd.close()
diff -r 923f20a9c99d -r cea59d38c4e7 ipa-server/ipaserver/ntpinstance.py
--- a/ipa-server/ipaserver/ntpinstance.py Thu Dec 13 09:31:28 2007 +0000
+++ b/ipa-server/ipaserver/ntpinstance.py Thu Dec 13 09:31:28 2007 +0000
@@ -17,10 +17,10 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
-from ipa.ipautil import *
import shutil
import service
+from ipa import ipautil
class NTPInstance(service.Service):
def __init__(self):
@@ -36,9 +36,9 @@ class NTPInstance(service.Service):
# or fedora pools. Other distros should be added in the future
# or we can get our own pool.
os = ""
- if file_exists("/etc/fedora-release"):
+ if ipautil.file_exists("/etc/fedora-release"):
os = "fedora."
- elif file_exists("/etc/redhat-release"):
+ elif ipautil.file_exists("/etc/redhat-release"):
os = "rhel."
sub_dict = { }
@@ -46,7 +46,7 @@ class NTPInstance(service.Service):
sub_dict["SERVERB"] = "1.%spool.ntp.org" % os
sub_dict["SERVERC"] = "2.%spool.ntp.org" % os
- ntp_conf = template_file(SHARE_DIR + "ntp.conf.server.template", sub_dict)
+ ntp_conf = ipautil.template_file(ipautil.SHARE_DIR + "ntp.conf.server.template", sub_dict)
shutil.copy("/etc/ntp.conf", "/etc/ntp.conf.ipasave")
diff -r 923f20a9c99d -r cea59d38c4e7 ipa-server/ipaserver/service.py
--- a/ipa-server/ipaserver/service.py Thu Dec 13 09:31:28 2007 +0000
+++ b/ipa-server/ipaserver/service.py Thu Dec 13 09:31:28 2007 +0000
@@ -17,24 +17,24 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
-from ipa.ipautil import *
import logging, sys
+from ipa import ipautil
def stop(service_name):
- run(["/sbin/service", service_name, "stop"])
+ ipautil.run(["/sbin/service", service_name, "stop"])
def start(service_name):
- run(["/sbin/service", service_name, "start"])
+ ipautil.run(["/sbin/service", service_name, "start"])
def restart(service_name):
- run(["/sbin/service", service_name, "restart"])
+ ipautil.run(["/sbin/service", service_name, "restart"])
def chkconfig_on(service_name):
- run(["/sbin/chkconfig", service_name, "on"])
+ ipautil.run(["/sbin/chkconfig", service_name, "on"])
def chkconfig_off(service_name):
- run(["/sbin/chkconfig", service_name, "off"])
+ ipautil.run(["/sbin/chkconfig", service_name, "off"])
def print_msg(message, output_fd=sys.stdout):
logging.debug(message)
diff -r 923f20a9c99d -r cea59d38c4e7 ipa-server/ipaserver/webguiinstance.py
--- a/ipa-server/ipaserver/webguiinstance.py Thu Dec 13 09:31:28 2007 +0000
+++ b/ipa-server/ipaserver/webguiinstance.py Thu Dec 13 09:31:28 2007 +0000
@@ -17,9 +17,6 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
-import logging
-
-from ipa.ipautil import *
import service
class WebGuiInstance(service.Service):
From markmc at redhat.com Thu Dec 13 09:35:08 2007
From: markmc at redhat.com (Mark McLoughlin)
Date: Thu, 13 Dec 2007 09:35:08 +0000
Subject: [Freeipa-devel] [PATCH 6 of 7] Don't template files which don't
contain variables
In-Reply-To:
Message-ID: <4bed312bb3beab8e50ef.1197538508@localhost.localdomain>
# HG changeset patch
# User Mark McLoughlin
# Date 1197538288 0
# Node ID 4bed312bb3beab8e50ef2c8b7ff38d4d1a51472f
# Parent 10a22bc1b861450ef04568fc773c5b2bc2f7a4a6
Don't template files which don't contain variables
The following files hav no template variables, so don't
bother templating them:
- memberof-conf.ldif
- referint-conf.ldif
- dna-conf.ldif
- certmap.conf.template
Signed-off-by: Mark McLoughlin
diff -r 10a22bc1b861 -r 4bed312bb3be ipa-server/ipaserver/dsinstance.py
--- a/ipa-server/ipaserver/dsinstance.py Thu Dec 13 09:31:28 2007 +0000
+++ b/ipa-server/ipaserver/dsinstance.py Thu Dec 13 09:31:28 2007 +0000
@@ -225,39 +225,50 @@ class DsInstance(service.Service):
shutil.copyfile(ipautil.SHARE_DIR + "60ipaconfig.ldif",
schema_dirname(self.realm_name) + "60ipaconfig.ldif")
- def __ldap_mod(self, step, ldif):
+ def __ldap_mod(self, step, ldif, sub_dict = None):
self.step(step)
- txt = ipautil.template_file(ipautil.SHARE_DIR + ldif, self.sub_dict)
- fd = ipautil.write_tmp_file(txt)
+ fd = None
+ path = ipautil.SHARE_DIR + ldif
+
+ if not sub_dict is None:
+ txt = ipautil.template_file(path, sub_dict)
+ fd = ipautil.write_tmp_file(txt)
+ path = fd.name
args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv",
- "-D", "cn=Directory Manager", "-w", self.dm_password, "-f", fd.name]
+ "-D", "cn=Directory Manager", "-w", self.dm_password, "-f", path]
try:
ipautil.run(args)
except ipautil.CalledProcessError, e:
logging.critical("Failed to load %s: %s" % (ldif, str(e)))
- fd.close()
+ if not fd is None:
+ fd.close()
def __add_memberof_module(self):
self.__ldap_mod("enabling memberof plugin", "memberof-conf.ldif")
def __init_memberof(self):
- self.__ldap_mod("initializing group membership", "memberof-task.ldif")
+ self.__ldap_mod("initializing group membership",
+ "memberof-task.ldif", self.sub_dict)
def __add_referint_module(self):
- self.__ldap_mod("enabling referential integrity plugin", "referint-conf.ldif")
+ self.__ldap_mod("enabling referential integrity plugin",
+ "referint-conf.ldif")
def __add_dna_module(self):
- self.__ldap_mod("enabling distributed numeric assignment plugin", "dna-conf.ldif")
+ self.__ldap_mod("enabling distributed numeric assignment plugin",
+ "dna-conf.ldif")
def __config_uidgid_gen_first_master(self):
- self.__ldap_mod("configuring Posix uid/gid generation as first master", "dna-posix.ldif")
+ self.__ldap_mod("configuring Posix uid/gid generation as first master",
+ "dna-posix.ldif", self.sub_dict)
def __add_master_entry_first_master(self):
- self.__ldap_mod("adding master entry as first master", "master-entry.ldif")
+ self.__ldap_mod("adding master entry as first master",
+ "master-entry.ldif", self.sub_dict)
def __enable_ssl(self):
self.step("configuring ssl for ds instance")
@@ -294,18 +305,16 @@ class DsInstance(service.Service):
conn.unbind()
def __add_default_layout(self):
- self.__ldap_mod("adding default layout", "bootstrap-template.ldif")
+ self.__ldap_mod("adding default layout",
+ "bootstrap-template.ldif", self.sub_dict)
def __create_indeces(self):
self.__ldap_mod("creating indeces", "indeces.ldif")
def __certmap_conf(self):
self.step("configuring certmap.conf")
- dirname = config_dirname(self.realm_name)
- certmap_conf = ipautil.template_file(ipautil.SHARE_DIR + "certmap.conf.template", self.sub_dict)
- certmap_fd = open(dirname+"certmap.conf", "w+")
- certmap_fd.write(certmap_conf)
- certmap_fd.close()
+ shutil.copyfile(ipautil.SHARE_DIR + "certmap.conf.template",
+ config_dirname(self.realm_name) + "certmap.conf")
def change_admin_password(self, password):
logging.debug("Changing admin password")
From markmc at redhat.com Thu Dec 13 09:35:06 2007
From: markmc at redhat.com (Mark McLoughlin)
Date: Thu, 13 Dec 2007 09:35:06 +0000
Subject: [Freeipa-devel] [PATCH 4 of 7] Only update key/value files if
necessary
In-Reply-To:
Message-ID:
# HG changeset patch
# User Mark McLoughlin
# Date 1197538288 0
# Node ID ad30235886a86e1ef06b65c50b0ed84df4ad6840
# Parent cea59d38c4e7ac0e89e81d0f4bdea1d8bf61e760
Only update key/value files if necessary
update_key_val_in_file() shouldn't try and write to
a file if the key is already set to the given value
in the file
Rationale here is that if we write these files out
while building a system image, ipa-server-install
shouldn't need to re-write them and, therefore,
they don't need to be writable.
Signed-off-by: Mark McLoughlin
diff -r cea59d38c4e7 -r ad30235886a8 ipa-server/ipaserver/krbinstance.py
--- a/ipa-server/ipaserver/krbinstance.py Thu Dec 13 09:31:28 2007 +0000
+++ b/ipa-server/ipaserver/krbinstance.py Thu Dec 13 09:31:28 2007 +0000
@@ -58,6 +58,14 @@ def ldap_mod(fd, dn, pwd):
def update_key_val_in_file(filename, key, val):
if os.path.exists(filename):
+ pattern = "^[\s#]*%s\s*=\s*%s\s*" % (re.escape(key), re.escape(val))
+ p = re.compile(pattern)
+ for line in fileinput.input(filename):
+ if p.search(line):
+ fileinput.close()
+ return
+ fileinput.close()
+
pattern = "^[\s#]*%s\s*=" % re.escape(key)
p = re.compile(pattern)
for line in fileinput.input(filename, inplace=1):
From markmc at redhat.com Thu Dec 13 09:35:09 2007
From: markmc at redhat.com (Mark McLoughlin)
Date: Thu, 13 Dec 2007 09:35:09 +0000
Subject: [Freeipa-devel] [PATCH 7 of 7] Refactor krbinstance and dsinstance
creation steps
In-Reply-To:
Message-ID: <6c3e3fc434183954662d.1197538509@localhost.localdomain>
# HG changeset patch
# User Mark McLoughlin
# Date 1197538288 0
# Node ID 6c3e3fc434183954662d7baf1f935923ca84359a
# Parent 4bed312bb3beab8e50ef2c8b7ff38d4d1a51472f
Refactor krbinstance and dsinstance creation steps
Creation steps are currently done with:
self.start_creation(2, "Create foo")
self.step("do foo")
self.foo()
self.step("do bar")
self.bar()
self.done_creation()
This patch refactors that into the much more
straightforward:
self.step("do foo", self.foo)
self.step("do bar", self.bar)
self.start_creation("Create foo")
Signed-off-by: Mark McLoughlin
diff -r 4bed312bb3be -r 6c3e3fc43418 ipa-radius-server/plugins/radiusinstance.py
--- a/ipa-radius-server/plugins/radiusinstance.py Thu Dec 13 09:31:28 2007 +0000
+++ b/ipa-radius-server/plugins/radiusinstance.py Thu Dec 13 09:31:28 2007 +0000
@@ -79,7 +79,6 @@ class RadiusInstance(service.Service):
self.basedn = self.suffix
self.user_basedn = "%s,%s" % (DefaultUserContainer, self.basedn) # FIXME, should be utility to get this
self.radius_version = get_radius_version()
- self.start_creation(4, "Configuring radiusd")
try:
self.stop()
@@ -87,22 +86,23 @@ class RadiusInstance(service.Service):
# It could have been not running
pass
- self.__create_radius_keytab()
- self.__radiusd_conf()
+ self.step("create radiusd keytab", self.__create_radius_keytab)
+ self.step("configuring radiusd.conf for radius instance", self.__radiusd_conf)
+ self.step("starting radiusd", self.__start_instance)
+ self.step("configuring radiusd to start on boot", self.chkconfig_on)
+ # FIXME:
+ # self.step("setting ldap encrypted attributes", self.__set_ldap_encrypted_attributes)
+
+ self.start_creation("Configuring radiusd")
+
+ def __start_instance(self):
try:
- self.step("starting radiusd")
self.start()
except:
logging.error("radiusd service failed to start")
- self.step("configuring radiusd to start on boot")
- self.chkconfig_on()
-
-
def __radiusd_conf(self):
- self.step('configuring radiusd.conf for radius instance')
-
version = 'IPA_RADIUS_VERSION=%s FREE_RADIUS_VERSION=%s' % (IPA_RADIUS_VERSION, self.radius_version)
sub_dict = {'CONFIG_FILE_VERSION_INFO' : version,
'LDAP_SERVER' : self.ldap_server,
@@ -123,7 +123,6 @@ class RadiusInstance(service.Service):
logging.error("could not create %s: %s", radius_util.RADIUSD_CONF_FILEPATH, e)
def __create_radius_keytab(self):
- self.step("creating a keytab for radiusd")
try:
if ipautil.file_exists(radius_util.RADIUS_IPA_KEYTAB_FILEPATH):
os.remove(radius_util.RADIUS_IPA_KEYTAB_FILEPATH)
@@ -153,9 +152,7 @@ class RadiusInstance(service.Service):
except Exception, e:
logging.error("could not chown on %s to %s: %s", radius_util.RADIUS_IPA_KEYTAB_FILEPATH, radius_util.RADIUS_USER, e)
- def __ldap_mod(self, step, ldif):
- self.step(step)
-
+ def __ldap_mod(self, ldif):
txt = iputil.template_file(ipautil.SHARE_DIR + ldif, self.sub_dict)
fd = ipautil.write_tmp_file(txt)
@@ -171,8 +168,7 @@ class RadiusInstance(service.Service):
#FIXME, should use IPAdmin method
def __set_ldap_encrypted_attributes(self):
- self.__ldap_mod("setting ldap encrypted attributes",
- "encrypted_attribute.ldif", {"ENCRYPTED_ATTRIBUTE" : "radiusClientSecret"})
+ self.__ldap_mod("encrypted_attribute.ldif", {"ENCRYPTED_ATTRIBUTE" : "radiusClientSecret"})
#-------------------------------------------------------------------------------
diff -r 4bed312bb3be -r 6c3e3fc43418 ipa-server/ipaserver/dsinstance.py
--- a/ipa-server/ipaserver/dsinstance.py Thu Dec 13 09:31:28 2007 +0000
+++ b/ipa-server/ipaserver/dsinstance.py Thu Dec 13 09:31:28 2007 +0000
@@ -135,38 +135,29 @@ class DsInstance(service.Service):
self.domain = host_name[host_name.find(".")+1:]
self.__setup_sub_dict()
- if ro_replica:
- self.start_creation(15, "Configuring directory server:")
- else:
- self.start_creation(15, "Configuring directory server:")
+ self.step("creating directory server user", self.__create_ds_user)
+ self.step("creating directory server instance", self.__create_instance)
+ self.step("adding default schema", self.__add_default_schemas)
+ if not ro_replica:
+ self.step("enabling memberof plugin", self.__add_memberof_module)
+ self.step("enabling referential integrity plugin", self.__add_referint_module)
+ self.step("enabling distributed numeric assignment plugin", self.__add_dna_module)
+ self.step("creating indeces", self.__create_indeces)
+ self.step("configuring ssl for ds instance", self.__enable_ssl)
+ self.step("configuring certmap.conf", self.__certmap_conf)
+ self.step("restarting directory server", self.__restart_instance)
+ self.step("adding default layout", self.__add_default_layout)
+ if not ro_replica:
+ self.step("configuring Posix uid/gid generation as first master",
+ self.__config_uidgid_gen_first_master)
+ self.step("adding master entry as first master",
+ self.__add_master_entry_first_master)
+ self.step("initializing group membership",
+ self.__init_memberof)
- self.__create_ds_user()
- self.__create_instance()
- self.__add_default_schemas()
- if not ro_replica:
- self.__add_memberof_module()
- self.__add_referint_module()
- self.__add_dna_module()
- self.__create_indeces()
- self.__enable_ssl()
- self.__certmap_conf()
- try:
- self.step("restarting directory server")
- self.restart()
- except:
- # TODO: roll back here?
- logging.critical("Failed to restart the ds instance")
- self.__add_default_layout()
- if not ro_replica:
- self.__config_uidgid_gen_first_master()
- self.__add_master_entry_first_master()
- self.__init_memberof()
+ self.step("configuring directory to start on boot", self.chkconfig_on)
-
- self.step("configuring directoy to start on boot")
- self.chkconfig_on()
-
- self.done_creation()
+ self.start_creation("Configuring directory server:")
def __setup_sub_dict(self):
server_root = find_server_root()
@@ -176,7 +167,6 @@ class DsInstance(service.Service):
SERVER_ROOT=server_root, DOMAIN=self.domain)
def __create_ds_user(self):
- self.step("creating directory server user")
try:
pwd.getpwnam(self.ds_user)
logging.debug("ds user %s exists" % self.ds_user)
@@ -190,7 +180,6 @@ class DsInstance(service.Service):
logging.critical("failed to add user %s" % e)
def __create_instance(self):
- self.step("creating directory server instance")
inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict)
logging.debug(inf_txt)
inf_fd = ipautil.write_tmp_file(inf_txt)
@@ -215,7 +204,6 @@ class DsInstance(service.Service):
logging.debug("failed to restart ds instance %s" % e)
def __add_default_schemas(self):
- self.step("adding default schema")
shutil.copyfile(ipautil.SHARE_DIR + "60kerberos.ldif",
schema_dirname(self.realm_name) + "60kerberos.ldif")
shutil.copyfile(ipautil.SHARE_DIR + "60samba.ldif",
@@ -225,9 +213,14 @@ class DsInstance(service.Service):
shutil.copyfile(ipautil.SHARE_DIR + "60ipaconfig.ldif",
schema_dirname(self.realm_name) + "60ipaconfig.ldif")
- def __ldap_mod(self, step, ldif, sub_dict = None):
- self.step(step)
+ def __restart_instance(self):
+ try:
+ self.restart()
+ except:
+ # TODO: roll back here?
+ logging.critical("Failed to restart the ds instance")
+ def __ldap_mod(self, ldif, sub_dict = None):
fd = None
path = ipautil.SHARE_DIR + ldif
@@ -248,30 +241,24 @@ class DsInstance(service.Service):
fd.close()
def __add_memberof_module(self):
- self.__ldap_mod("enabling memberof plugin", "memberof-conf.ldif")
+ self.__ldap_mod("memberof-conf.ldif")
def __init_memberof(self):
- self.__ldap_mod("initializing group membership",
- "memberof-task.ldif", self.sub_dict)
+ self.__ldap_mod("memberof-task.ldif", self.sub_dict)
def __add_referint_module(self):
- self.__ldap_mod("enabling referential integrity plugin",
- "referint-conf.ldif")
+ self.__ldap_mod("referint-conf.ldif")
def __add_dna_module(self):
- self.__ldap_mod("enabling distributed numeric assignment plugin",
- "dna-conf.ldif")
+ self.__ldap_mod("dna-conf.ldif")
def __config_uidgid_gen_first_master(self):
- self.__ldap_mod("configuring Posix uid/gid generation as first master",
- "dna-posix.ldif", self.sub_dict)
+ self.__ldap_mod("dna-posix.ldif", self.sub_dict)
def __add_master_entry_first_master(self):
- self.__ldap_mod("adding master entry as first master",
- "master-entry.ldif", self.sub_dict)
+ self.__ldap_mod("master-entry.ldif", self.sub_dict)
def __enable_ssl(self):
- self.step("configuring ssl for ds instance")
dirname = config_dirname(self.realm_name)
ca = certs.CertDB(dirname)
ca.create_self_signed()
@@ -305,14 +292,12 @@ class DsInstance(service.Service):
conn.unbind()
def __add_default_layout(self):
- self.__ldap_mod("adding default layout",
- "bootstrap-template.ldif", self.sub_dict)
+ self.__ldap_mod("bootstrap-template.ldif", self.sub_dict)
def __create_indeces(self):
- self.__ldap_mod("creating indeces", "indeces.ldif")
+ self.__ldap_mod("indeces.ldif")
def __certmap_conf(self):
- self.step("configuring certmap.conf")
shutil.copyfile(ipautil.SHARE_DIR + "certmap.conf.template",
config_dirname(self.realm_name) + "certmap.conf")
diff -r 4bed312bb3be -r 6c3e3fc43418 ipa-server/ipaserver/httpinstance.py
--- a/ipa-server/ipaserver/httpinstance.py Thu Dec 13 09:31:28 2007 +0000
+++ b/ipa-server/ipaserver/httpinstance.py Thu Dec 13 09:31:28 2007 +0000
@@ -57,25 +57,19 @@ class HTTPInstance(service.Service):
self.domain = fqdn[fqdn.find(".")+1:]
self.sub_dict = { "REALM" : realm, "FQDN": fqdn, "DOMAIN" : self.domain }
- self.start_creation(7, "Configuring the web interface")
-
- self.__disable_mod_ssl()
- self.__set_mod_nss_port()
- self.__configure_http()
- self.__create_http_keytab()
- self.__setup_ssl()
- self.__setup_autoconfig()
+ self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
+ self.step("Setting mod_nss port to 443", self.__set_mod_nss_port)
+ self.step("configuring httpd", self.__configure_http)
+ self.step("creating a keytab for httpd", self.__create_http_keytab)
+ self.step("Setting up ssl", self.__setup_ssl)
+ self.step("Setting up browser autoconfig", self.__setup_autoconfig)
+ self.step("configuring SELinux for httpd", self.__selinux_config)
+ self.step("restarting httpd", self.restart)
+ self.step("configuring httpd to start on boot", self.chkconfig_on)
- self.step("restarting httpd")
- self.restart()
-
- self.step("configuring httpd to start on boot")
- self.chkconfig_on()
-
- self.done_creation()
+ self.start_creation("Configuring the web interface")
def __selinux_config(self):
- self.step("configuring SELinux for httpd")
selinux=0
try:
if (os.path.exists('/usr/sbin/selinuxenabled')):
@@ -94,7 +88,6 @@ class HTTPInstance(service.Service):
self.print_msg(selinux_warning)
def __create_http_keytab(self):
- self.step("creating a keytab for httpd")
try:
if ipautil.file_exists("/etc/httpd/conf/ipa.keytab"):
os.remove("/etc/httpd/conf/ipa.keytab")
@@ -122,7 +115,6 @@ class HTTPInstance(service.Service):
os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)
def __configure_http(self):
- self.step("configuring httpd")
http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
http_fd = open("/etc/httpd/conf.d/ipa.conf", "w")
http_fd.write(http_txt)
@@ -130,17 +122,14 @@ class HTTPInstance(service.Service):
def __disable_mod_ssl(self):
- self.step("disabling mod_ssl in httpd")
if os.path.exists(SSL_CONF):
os.rename(SSL_CONF, "%s.moved_by_ipa" % SSL_CONF)
def __set_mod_nss_port(self):
- self.step("Setting mod_nss port to 443")
if installutils.update_file(NSS_CONF, '8443', '443') != 0:
print "Updating %s failed." % NSS_CONF
def __setup_ssl(self):
- self.step("Setting up ssl")
ds_ca = certs.CertDB(dsinstance.config_dirname(self.realm))
ca = certs.CertDB(NSS_DIR)
ds_ca.cur_serial = 2000
diff -r 4bed312bb3be -r 6c3e3fc43418 ipa-server/ipaserver/krbinstance.py
--- a/ipa-server/ipaserver/krbinstance.py Thu Dec 13 09:31:28 2007 +0000
+++ b/ipa-server/ipaserver/krbinstance.py Thu Dec 13 09:31:28 2007 +0000
@@ -114,58 +114,42 @@ class KrbInstance(service.Service):
pass
def __common_post_setup(self):
- try:
- self.step("starting the KDC")
- self.start()
- except:
- logging.critical("krb5kdc service failed to start")
-
- self.step("configuring KDC to start on boot")
- self.chkconfig_on()
-
- self.step("configuring ipa-kpasswd to start on boot")
- service.chkconfig_on("ipa-kpasswd")
-
- self.step("starting ipa-kpasswd")
- service.start("ipa-kpasswd")
-
+ self.step("starting the KDC", self.__start_instance)
+ self.step("configuring KDC to start on boot", self.chkconfig_on)
+ self.step("enabling and starting ipa-kpasswd", self.__enable_kpasswd)
def create_instance(self, ds_user, realm_name, host_name, admin_password, master_password):
self.master_password = master_password
self.__common_setup(ds_user, realm_name, host_name, admin_password)
- self.start_creation(12, "Configuring Kerberos KDC")
-
- self.__configure_kdc_account_password()
- self.__configure_sasl_mappings()
- self.__add_krb_entries()
- self.__create_instance()
- self.__create_ds_keytab()
- self.__export_kadmin_changepw_keytab()
- self.__add_pwd_extop_module()
+ self.step("setting KDC account password", self.__configure_kdc_account_password)
+ self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
+ self.step("adding kerberos entries to the DS", self.__add_krb_entries)
+ self.step("adding defalt ACIs", self.__add_default_acis)
+ self.step("configuring KDC", self.__create_instance)
+ self.step("creating a keytab for the directory", self.__create_ds_keytab)
+ self.step("exporting the kadmin keytab", self.__export_kadmin_changepw_keytab)
+ self.step("adding the password extenstion to the directory", self.__add_pwd_extop_module)
self.__common_post_setup()
- self.done_creation()
-
+ self.start_creation("Configuring Kerberos KDC")
def create_replica(self, ds_user, realm_name, host_name, admin_password, ldap_passwd_filename):
-
+ self.__copy_ldap_passwd(ldap_passwd_filename)
+
self.__common_setup(ds_user, realm_name, host_name, admin_password)
- self.start_creation(9, "Configuring Kerberos KDC")
- self.__copy_ldap_passwd(ldap_passwd_filename)
- self.__configure_sasl_mappings()
- self.__write_stash_from_ds()
- self.__create_instance(replica=True)
- self.__create_ds_keytab()
- self.__export_kadmin_changepw_keytab()
+ self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
+ self.step("writing stash file from DS", self.__write_stash_from_ds)
+ self.step("configuring KDC", self.__create_replica_instance)
+ self.step("creating a keytab for the directory", self.__create_ds_keytab)
+ self.step("exporting the kadmin keytab", self.__export_kadmin_changepw_keytab)
self.__common_post_setup()
- self.done_creation()
-
+ self.start_creation("Configuring Kerberos KDC")
def __copy_ldap_passwd(self, filename):
shutil.copy(filename, "/var/kerberos/krb5kdc/ldappwd")
@@ -173,7 +157,6 @@ class KrbInstance(service.Service):
def __configure_kdc_account_password(self):
- self.step("setting KDC account password")
hexpwd = ''
for x in self.kdc_password:
hexpwd += (hex(ord(x))[2:])
@@ -181,6 +164,16 @@ class KrbInstance(service.Service):
pwd_fd.write("uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix+"#{HEX}"+hexpwd+"\n")
pwd_fd.close()
os.chmod("/var/kerberos/krb5kdc/ldappwd", 0600)
+
+ def __start_instance(self):
+ try:
+ self.start()
+ except:
+ logging.critical("krb5kdc service failed to start")
+
+ def __enable_kpasswd(self):
+ service.chkconfig_on("ipa-kpasswd")
+ service.start("ipa-kpasswd")
def __setup_sub_dict(self):
self.sub_dict = dict(FQDN=self.fqdn,
@@ -191,9 +184,7 @@ class KrbInstance(service.Service):
HOST=self.host,
REALM=self.realm)
- def __ldap_mod(self, step, ldif):
- self.step(step)
-
+ def __ldap_mod(self, ldif):
txt = ipautil.template_file(ipautil.SHARE_DIR + ldif, self.sub_dict)
fd = ipautil.write_tmp_file(txt)
@@ -208,7 +199,6 @@ class KrbInstance(service.Service):
fd.close()
def __configure_sasl_mappings(self):
- self.step("adding sasl mappings to the directory")
# we need to remove any existing SASL mappings in the directory as otherwise they
# they may conflict. There is no way to define the order they are used in atm.
@@ -258,13 +248,16 @@ class KrbInstance(service.Service):
raise e
def __add_krb_entries(self):
- self.__ldap_mod("adding kerberos entries to the DS", "kerberos.ldif")
+ self.__ldap_mod("kerberos.ldif")
+ def __add_default_acis(self):
#Change the default ACL to avoid anonimous access to kerberos keys and othe hashes
- self.__ldap_mod("adding defalt ACIs", "default-aci.ldif")
+ self.__ldap_mod("default-aci.ldif")
+
+ def __create_replica_instance(self):
+ self.__create_instance(replace=True)
def __create_instance(self, replica=False):
- self.step("configuring KDC")
kdc_conf = ipautil.template_file(ipautil.SHARE_DIR+"kdc.conf.template", self.sub_dict)
kdc_fd = open("/var/kerberos/krb5kdc/kdc.conf", "w+")
kdc_fd.write(kdc_conf)
@@ -300,7 +293,6 @@ class KrbInstance(service.Service):
print "Failed to populate the realm structure in kerberos", e
def __write_stash_from_ds(self):
- self.step("writing stash file from DS")
try:
entry = self.conn.getEntry("cn=%s, cn=kerberos, %s" % (self.realm, self.suffix), ldap.SCOPE_SUBTREE)
except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND), e:
@@ -322,7 +314,7 @@ class KrbInstance(service.Service):
#add the password extop module
def __add_pwd_extop_module(self):
- self.__ldap_mod("adding the password extenstion to the directory", "pwd-extop-conf.ldif")
+ self.__ldap_mod("pwd-extop-conf.ldif")
#get the Master Key from the stash file
try:
@@ -351,7 +343,6 @@ class KrbInstance(service.Service):
raise e
def __create_ds_keytab(self):
- self.step("creating a keytab for the directory")
try:
if ipautil.file_exists("/etc/dirsrv/ds.keytab"):
os.remove("/etc/dirsrv/ds.keytab")
@@ -380,7 +371,6 @@ class KrbInstance(service.Service):
os.chown("/etc/dirsrv/ds.keytab", pent.pw_uid, pent.pw_gid)
def __export_kadmin_changepw_keytab(self):
- self.step("exporting the kadmin keytab")
try:
if ipautil.file_exists("/var/kerberos/krb5kdc/kpasswd.keytab"):
os.remove("/var/kerberos/krb5kdc/kpasswd.keytab")
diff -r 4bed312bb3be -r 6c3e3fc43418 ipa-server/ipaserver/ntpinstance.py
--- a/ipa-server/ipaserver/ntpinstance.py Thu Dec 13 09:31:28 2007 +0000
+++ b/ipa-server/ipaserver/ntpinstance.py Thu Dec 13 09:31:28 2007 +0000
@@ -25,11 +25,8 @@ class NTPInstance(service.Service):
class NTPInstance(service.Service):
def __init__(self):
service.Service.__init__(self, "ntpd")
-
- def create_instance(self):
- self.start_creation(3, "Configuring ntpd")
- self.step("writing configuration")
+ def __write_config(self):
# The template sets the config to point towards ntp.pool.org, but
# they request that software not point towards the default pool.
# We use the OS variable to point it towards either the rhel
@@ -54,11 +51,13 @@ class NTPInstance(service.Service):
fd.write(ntp_conf)
fd.close()
+ def create_instance(self):
+ self.step("writing configuration", self.__write_config)
+
# we might consider setting the date manually using ntpd -qg in case
# the current time is very far off.
- self.step("starting ntpd")
- self.start()
-
- self.step("configuring ntpd to start on boot")
- self.chkconfig_on()
+ self.step("starting ntpd", self.start)
+ self.step("configuring ntpd to start on boot", self.chkconfig_on)
+
+ self.start_creation("Configuring ntpd")
diff -r 4bed312bb3be -r 6c3e3fc43418 ipa-server/ipaserver/service.py
--- a/ipa-server/ipaserver/service.py Thu Dec 13 09:31:28 2007 +0000
+++ b/ipa-server/ipaserver/service.py Thu Dec 13 09:31:28 2007 +0000
@@ -45,8 +45,7 @@ class Service:
class Service:
def __init__(self, service_name):
self.service_name = service_name
- self.num_steps = -1
- self.current_step = -1
+ self.steps = []
self.output_fd = sys.stdout
def set_output(self, fd):
@@ -69,18 +68,19 @@ class Service:
def print_msg(self, message):
print_msg(message, self.output_fd)
-
- def start_creation(self, num_steps, message):
- self.num_steps = num_steps
- self.cur_step = 0
+
+ def step(self, message, method):
+ self.steps.append((message, method))
+
+ def start_creation(self, message):
self.print_msg(message)
- def step(self, message):
- self.cur_step += 1
- self.print_msg(" [%d/%d]: %s" % (self.cur_step, self.num_steps, message))
-
- def done_creation(self):
- self.cur_step = -1
- self.num_steps = -1
+ step = 0
+ for (message, method) in self.steps:
+ self.print_msg(" [%d/%d]: %s" % (step, len(self.steps), message))
+ method()
+ step += 1
+
self.print_msg("done configuring %s." % self.service_name)
+ self.steps = []
diff -r 4bed312bb3be -r 6c3e3fc43418 ipa-server/ipaserver/webguiinstance.py
--- a/ipa-server/ipaserver/webguiinstance.py Thu Dec 13 09:31:28 2007 +0000
+++ b/ipa-server/ipaserver/webguiinstance.py Thu Dec 13 09:31:28 2007 +0000
@@ -24,14 +24,6 @@ class WebGuiInstance(service.Service):
service.Service.__init__(self, "ipa-webgui")
def create_instance(self):
- self.start_creation(2, "Configuring ipa-webgui")
-
- self.step("starting ipa-webgui")
- service.start("ipa-webgui")
-
- self.step("configuring ipa-webgui to start on boot")
- service.chkconfig_on("ipa-webgui")
-
- self.done_creation()
-
-
+ self.step("starting ipa-webgui", self.start)
+ self.step("configuring ipa-webgui to start on boot", self.chkconfig_on)
+ self.start_creation("Configuring ipa-webgui")
From markmc at redhat.com Thu Dec 13 09:35:07 2007
From: markmc at redhat.com (Mark McLoughlin)
Date: Thu, 13 Dec 2007 09:35:07 +0000
Subject: [Freeipa-devel] [PATCH 5 of 7] Refactor dsinstance ldap modify code
In-Reply-To:
Message-ID: <10a22bc1b861450ef045.1197538507@localhost.localdomain>
# HG changeset patch
# User Mark McLoughlin
# Date 1197538288 0
# Node ID 10a22bc1b861450ef04568fc773c5b2bc2f7a4a6
# Parent ad30235886a86e1ef06b65c50b0ed84df4ad6840
Refactor dsinstance ldap modify code
Just a patch to refactor lots of similar code in
dsinstance and krbinstance using a simple helper
method.
Note, there are some differences:
- Some code used to call ldapmodify without -h 127.0.0.1
- Some of the code used to just print an error rather than
using logging.critical()
- Some code used to log some extra debug
Signed-off-by: Mark McLoughlin
diff -r ad30235886a8 -r 10a22bc1b861 ipa-radius-server/plugins/radiusinstance.py
--- a/ipa-radius-server/plugins/radiusinstance.py Thu Dec 13 09:31:28 2007 +0000
+++ b/ipa-radius-server/plugins/radiusinstance.py Thu Dec 13 09:31:28 2007 +0000
@@ -43,10 +43,6 @@ from ipaserver.funcs import DefaultUserC
from ipaserver.funcs import DefaultUserContainer, DefaultGroupContainer
#-------------------------------------------------------------------------------
-
-def ldap_mod(fd, dn, pwd):
- args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name]
- ipautil.run(args)
def get_radius_version():
version = None
@@ -157,17 +153,26 @@ class RadiusInstance(service.Service):
except Exception, e:
logging.error("could not chown on %s to %s: %s", radius_util.RADIUS_IPA_KEYTAB_FILEPATH, radius_util.RADIUS_USER, e)
+ def __ldap_mod(self, step, ldif):
+ self.step(step)
+
+ txt = iputil.template_file(ipautil.SHARE_DIR + ldif, self.sub_dict)
+ fd = ipautil.write_tmp_file(txt)
+
+ args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv",
+ "-D", "cn=Directory Manager", "-w", self.dm_password, "-f", fd.name]
+
+ try:
+ ipautil.run(args)
+ except ipautil.CalledProcessError, e:
+ logging.critical("Failed to load %s: %s" % (ldif, str(e)))
+
+ fd.close()
+
#FIXME, should use IPAdmin method
def __set_ldap_encrypted_attributes(self):
- ldif_file = 'encrypted_attribute.ldif'
- self.step("setting ldap encrypted attributes")
- ldif_txt = ipautil.template_file(ipautil.SHARE_DIR + ldif_file, {'ENCRYPTED_ATTRIBUTE':'radiusClientSecret'})
- ldif_fd = ipautil.write_tmp_file(ldif_txt)
- try:
- ldap_mod(ldif_fd, "cn=Directory Manager", self.dm_password)
- except ipautil.CalledProcessError, e:
- logging.critical("Failed to load %s: %s" % (ldif_file, str(e)))
- ldif_fd.close()
+ self.__ldap_mod("setting ldap encrypted attributes",
+ "encrypted_attribute.ldif", {"ENCRYPTED_ATTRIBUTE" : "radiusClientSecret"})
#-------------------------------------------------------------------------------
diff -r ad30235886a8 -r 10a22bc1b861 ipa-server/ipaserver/dsinstance.py
--- a/ipa-server/ipaserver/dsinstance.py Thu Dec 13 09:31:28 2007 +0000
+++ b/ipa-server/ipaserver/dsinstance.py Thu Dec 13 09:31:28 2007 +0000
@@ -34,10 +34,6 @@ import ipaldap, ldap
SERVER_ROOT_64 = "/usr/lib64/dirsrv"
SERVER_ROOT_32 = "/usr/lib/dirsrv"
-
-def ldap_mod(fd, dn, pwd):
- args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name]
- ipautil.run(args)
def realm_to_suffix(realm_name):
s = realm_name.split(".")
@@ -229,65 +225,39 @@ class DsInstance(service.Service):
shutil.copyfile(ipautil.SHARE_DIR + "60ipaconfig.ldif",
schema_dirname(self.realm_name) + "60ipaconfig.ldif")
+ def __ldap_mod(self, step, ldif):
+ self.step(step)
+
+ txt = ipautil.template_file(ipautil.SHARE_DIR + ldif, self.sub_dict)
+ fd = ipautil.write_tmp_file(txt)
+
+ args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv",
+ "-D", "cn=Directory Manager", "-w", self.dm_password, "-f", fd.name]
+
+ try:
+ ipautil.run(args)
+ except ipautil.CalledProcessError, e:
+ logging.critical("Failed to load %s: %s" % (ldif, str(e)))
+
+ fd.close()
+
def __add_memberof_module(self):
- self.step("enabling memboerof plugin")
- memberof_txt = ipautil.template_file(ipautil.SHARE_DIR + "memberof-conf.ldif", self.sub_dict)
- memberof_fd = ipautil.write_tmp_file(memberof_txt)
- try:
- ldap_mod(memberof_fd, "cn=Directory Manager", self.dm_password)
- except ipautil.CalledProcessError, e:
- logging.critical("Failed to load memberof-conf.ldif: %s" % str(e))
- memberof_fd.close()
+ self.__ldap_mod("enabling memberof plugin", "memberof-conf.ldif")
def __init_memberof(self):
- self.step("initializing group membership")
- memberof_txt = ipautil.template_file(ipautil.SHARE_DIR + "memberof-task.ldif", self.sub_dict)
- memberof_fd = ipautil.write_tmp_file(memberof_txt)
- try:
- ldap_mod(memberof_fd, "cn=Directory Manager", self.dm_password)
- except ipautil.CalledProcessError, e:
- logging.critical("Failed to load memberof-conf.ldif: %s" % str(e))
- memberof_fd.close()
+ self.__ldap_mod("initializing group membership", "memberof-task.ldif")
def __add_referint_module(self):
- self.step("enabling referential integrity plugin")
- referint_txt = ipautil.template_file(ipautil.SHARE_DIR + "referint-conf.ldif", self.sub_dict)
- referint_fd = ipautil.write_tmp_file(referint_txt)
- try:
- ldap_mod(referint_fd, "cn=Directory Manager", self.dm_password)
- except ipautil.CalledProcessError, e:
- print "Failed to load referint-conf.ldif", e
- referint_fd.close()
+ self.__ldap_mod("enabling referential integrity plugin", "referint-conf.ldif")
def __add_dna_module(self):
- self.step("enabling distributed numeric assignment plugin")
- dna_txt = ipautil.template_file(ipautil.SHARE_DIR + "dna-conf.ldif", self.sub_dict)
- dna_fd = ipautil.write_tmp_file(dna_txt)
- try:
- ldap_mod(dna_fd, "cn=Directory Manager", self.dm_password)
- except ipautil.CalledProcessError, e:
- print "Failed to load dna-conf.ldif", e
- dna_fd.close()
+ self.__ldap_mod("enabling distributed numeric assignment plugin", "dna-conf.ldif")
def __config_uidgid_gen_first_master(self):
- self.step("configuring Posix uid/gid generation as first master")
- dna_txt = ipautil.template_file(ipautil.SHARE_DIR + "dna-posix.ldif", self.sub_dict)
- dna_fd = ipautil.write_tmp_file(dna_txt)
- try:
- ldap_mod(dna_fd, "cn=Directory Manager", self.dm_password)
- except ipautil.CalledProcessError, e:
- print "Failed to configure Posix uid/gid generation with dna-posix.ldif", e
- dna_fd.close()
+ self.__ldap_mod("configuring Posix uid/gid generation as first master", "dna-posix.ldif")
def __add_master_entry_first_master(self):
- self.step("adding master entry as first master")
- master_txt = ipautil.template_file(ipautil.SHARE_DIR + "master-entry.ldif", self.sub_dict)
- master_fd = ipautil.write_tmp_file(master_txt)
- try:
- ldap_mod(master_fd, "cn=Directory Manager", self.dm_password)
- except ipautil.CalledProcessError, e:
- print "Failed to add master-entry.ldif", e
- master_fd.close()
+ self.__ldap_mod("adding master entry as first master", "master-entry.ldif")
def __enable_ssl(self):
self.step("configuring ssl for ds instance")
@@ -324,31 +294,10 @@ class DsInstance(service.Service):
conn.unbind()
def __add_default_layout(self):
- self.step("adding default layout")
- txt = ipautil.template_file(ipautil.SHARE_DIR + "bootstrap-template.ldif", self.sub_dict)
- inf_fd = ipautil.write_tmp_file(txt)
- logging.debug("adding default dfrom ipa.ipautil import *s layout")
- args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager",
- "-w", self.dm_password, "-f", inf_fd.name]
- try:
- ipautil.run(args)
- logging.debug("done adding default ds layout")
- except ipautil.CalledProcessError, e:
- print "Failed to add default ds layout", e
- logging.critical("Failed to add default ds layout %s" % e)
+ self.__ldap_mod("adding default layout", "bootstrap-template.ldif")
def __create_indeces(self):
- self.step("creating indeces")
- txt = ipautil.template_file(ipautil.SHARE_DIR + "indeces.ldif", self.sub_dict)
- inf_fd = ipautil.write_tmp_file(txt)
- logging.debug("adding/updating indeces")
- args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager",
- "-w", self.dm_password, "-f", inf_fd.name]
- try:
- ipautil.run(args)
- logging.debug("done adding/updating indeces")
- except ipautil.CalledProcessError, e:
- logging.critical("Failed to add/update indeces %s" % str(e))
+ self.__ldap_mod("creating indeces", "indeces.ldif")
def __certmap_conf(self):
self.step("configuring certmap.conf")
diff -r ad30235886a8 -r 10a22bc1b861 ipa-server/ipaserver/krbinstance.py
--- a/ipa-server/ipaserver/krbinstance.py Thu Dec 13 09:31:28 2007 +0000
+++ b/ipa-server/ipaserver/krbinstance.py Thu Dec 13 09:31:28 2007 +0000
@@ -51,10 +51,6 @@ def host_to_domain(fqdn):
def host_to_domain(fqdn):
s = fqdn.split(".")
return ".".join(s[1:])
-
-def ldap_mod(fd, dn, pwd):
- args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name]
- ipautil.run(args)
def update_key_val_in_file(filename, key, val):
if os.path.exists(filename):
@@ -139,7 +135,7 @@ class KrbInstance(service.Service):
self.__common_setup(ds_user, realm_name, host_name, admin_password)
- self.start_creation(11, "Configuring Kerberos KDC")
+ self.start_creation(12, "Configuring Kerberos KDC")
self.__configure_kdc_account_password()
self.__configure_sasl_mappings()
@@ -194,6 +190,22 @@ class KrbInstance(service.Service):
DOMAIN=self.domain,
HOST=self.host,
REALM=self.realm)
+
+ def __ldap_mod(self, step, ldif):
+ self.step(step)
+
+ txt = ipautil.template_file(ipautil.SHARE_DIR + ldif, self.sub_dict)
+ fd = ipautil.write_tmp_file(txt)
+
+ args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv",
+ "-D", "cn=Directory Manager", "-w", self.admin_password, "-f", fd.name]
+
+ try:
+ ipautil.run(args)
+ except ipautil.CalledProcessError, e:
+ logging.critical("Failed to load %s: %s" % (ldif, str(e)))
+
+ fd.close()
def __configure_sasl_mappings(self):
self.step("adding sasl mappings to the directory")
@@ -246,25 +258,10 @@ class KrbInstance(service.Service):
raise e
def __add_krb_entries(self):
- self.step("adding kerberos entries to the DS")
-
- #TODO: test that the ldif is ok with any random charcter we may use in the password
- kerberos_txt = ipautil.template_file(ipautil.SHARE_DIR + "kerberos.ldif", self.sub_dict)
- kerberos_fd = ipautil.write_tmp_file(kerberos_txt)
- try:
- ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password)
- except ipautil.CalledProcessError, e:
- logging.critical("Failed to load kerberos.ldif: %s" % str(e))
- kerberos_fd.close()
+ self.__ldap_mod("adding kerberos entries to the DS", "kerberos.ldif")
#Change the default ACL to avoid anonimous access to kerberos keys and othe hashes
- aci_txt = ipautil.template_file(ipautil.SHARE_DIR + "default-aci.ldif", self.sub_dict)
- aci_fd = ipautil.write_tmp_file(aci_txt)
- try:
- ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password)
- except ipautil.CalledProcessError, e:
- logging.critical("Failed to load default-aci.ldif: %s" % str(e))
- aci_fd.close()
+ self.__ldap_mod("adding defalt ACIs", "default-aci.ldif")
def __create_instance(self, replica=False):
self.step("configuring KDC")
@@ -325,14 +322,7 @@ class KrbInstance(service.Service):
#add the password extop module
def __add_pwd_extop_module(self):
- self.step("adding the password extenstion to the directory")
- extop_txt = ipautil.template_file(ipautil.SHARE_DIR + "pwd-extop-conf.ldif", self.sub_dict)
- extop_fd = ipautil.write_tmp_file(extop_txt)
- try:
- ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password)
- except ipautil.CalledProcessError, e:
- logging.critical("Failed to load pwd-extop-conf.ldif: %s" % str(e))
- extop_fd.close()
+ self.__ldap_mod("adding the password extenstion to the directory", "pwd-extop-conf.ldif")
#get the Master Key from the stash file
try:
From markmc at redhat.com Thu Dec 13 09:35:03 2007
From: markmc at redhat.com (Mark McLoughlin)
Date: Thu, 13 Dec 2007 09:35:03 +0000
Subject: [Freeipa-devel] [PATCH 1 of 7] Fix ipa-python packaging
In-Reply-To:
Message-ID:
# HG changeset patch
# User Mark McLoughlin
# Date 1197538288 0
# Node ID b8e1fbcf87d528c0c3b6d89d5306bea0bdb942c1
# Parent 13d59a930d719d396b6849d6b103467c75da1a68
Fix ipa-python packaging
Latest Fedora 9 python distutils generates .egg-info files;
follow the recommendation at:
http://fedoraproject.org/wiki/Packaging/Python/Eggs
and just package everything under %{python_sitelib}/
Signed-off-by: Mark McLoughlin
diff -r 13d59a930d71 -r b8e1fbcf87d5 ipa-python/ipa-python.spec
--- a/ipa-python/ipa-python.spec Wed Dec 12 18:18:34 2007 -0500
+++ b/ipa-python/ipa-python.spec Thu Dec 13 09:31:28 2007 +0000
@@ -13,8 +13,6 @@ Requires: PyKerberos
Requires: PyKerberos
%{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
-
-%define pkgpythondir %{python_sitelib}/ipa
%description
Ipa is a server for identity, policy, and audit.
@@ -33,8 +31,7 @@ rm -rf %{buildroot}
%files
%defattr(-,root,root,-)
-%dir %{pkgpythondir}
-%{pkgpythondir}/*
+%{python_sitelib}/*
%config(noreplace) %{_sysconfdir}/ipa/ipa.conf
%changelog
diff -r 13d59a930d71 -r b8e1fbcf87d5 ipa-python/ipa-python.spec.in
--- a/ipa-python/ipa-python.spec.in Wed Dec 12 18:18:34 2007 -0500
+++ b/ipa-python/ipa-python.spec.in Thu Dec 13 09:31:28 2007 +0000
@@ -13,8 +13,6 @@ Requires: PyKerberos
Requires: PyKerberos
%{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
-
-%define pkgpythondir %{python_sitelib}/ipa
%description
Ipa is a server for identity, policy, and audit.
@@ -33,8 +31,7 @@ rm -rf %{buildroot}
%files
%defattr(-,root,root,-)
-%dir %{pkgpythondir}
-%{pkgpythondir}/*
+%{python_sitelib}/*
%config(noreplace) %{_sysconfdir}/ipa/ipa.conf
%changelog
diff -r 13d59a930d71 -r b8e1fbcf87d5 ipa-python/setup.py
--- a/ipa-python/setup.py Wed Dec 12 18:18:34 2007 -0500
+++ b/ipa-python/setup.py Thu Dec 13 09:31:28 2007 +0000
@@ -34,7 +34,7 @@ def setup_package():
try:
setup(
- name = "freeipa-python",
+ name = "ipa",
version = "0.5.0",
license = "GPL",
author = "Karl MacMillan, et.al.",
From markmc at redhat.com Thu Dec 13 09:35:04 2007
From: markmc at redhat.com (Mark McLoughlin)
Date: Thu, 13 Dec 2007 09:35:04 +0000
Subject: [Freeipa-devel] [PATCH 2 of 7] Fix ldif to work with ldapmodify in
openldap-2.4.x
In-Reply-To:
Message-ID: <923f20a9c99d57329b40.1197538504@localhost.localdomain>
# HG changeset patch
# User Mark McLoughlin
# Date 1197538288 0
# Node ID 923f20a9c99d57329b40e85fec99d1b92ff0ab77
# Parent b8e1fbcf87d528c0c3b6d89d5306bea0bdb942c1
Fix ldif to work with ldapmodify in openldap-2.4.x
It seems that in openldap-2.4.x ldapmodify has gotten somewhat
more picky about the ldif it accepts. See here for more details:
https://bugzilla.redhat.com/422251
Not sure whether ldapmodify will be fixed, but for now just
fix the ldif.
Signed-off-by: Mark McLoughlin
diff -r b8e1fbcf87d5 -r 923f20a9c99d ipa-server/ipa-install/share/bootstrap-template.ldif
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif Thu Dec 13 09:31:28 2007 +0000
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif Thu Dec 13 09:31:28 2007 +0000
@@ -2,6 +2,8 @@ changetype: modify
changetype: modify
add: objectClass
objectClass: pilotObject
+-
+add: info
info: IPA V1.0
dn: cn=accounts,$SUFFIX
diff -r b8e1fbcf87d5 -r 923f20a9c99d ipa-server/ipa-install/share/referint-conf.ldif
--- a/ipa-server/ipa-install/share/referint-conf.ldif Thu Dec 13 09:31:28 2007 +0000
+++ b/ipa-server/ipa-install/share/referint-conf.ldif Thu Dec 13 09:31:28 2007 +0000
@@ -2,6 +2,10 @@ changetype: modify
changetype: modify
replace: nsslapd-pluginenabled
nsslapd-pluginenabled: on
+-
+add: nsslapd-pluginArg7
nsslapd-pluginArg7: manager
+-
+add: nsslapd-pluginArg8
nsslapd-pluginArg8: secretary
From markmc at redhat.com Thu Dec 13 09:35:02 2007
From: markmc at redhat.com (Mark McLoughlin)
Date: Thu, 13 Dec 2007 09:35:02 +0000
Subject: [Freeipa-devel] [PATCH 0 of 7] Some fairly miscellaneous patches
Message-ID:
Hi,
Here's a few patches consisting of:
- Fixes required to work with latest rawhide
- Other pretty straightfoward fixes
- Patches to refactor (and hopefully improve) bits
of ipa-server
Cheers,
Mark.
From rcritten at redhat.com Thu Dec 13 14:26:53 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Dec 2007 09:26:53 -0500
Subject: [Freeipa-devel] [PATCH] update ldap:///self aci
In-Reply-To: <1197496017.24744.25.camel@localhost.localdomain>
References: <475FFFF7.3000905@redhat.com>
<1197496017.24744.25.camel@localhost.localdomain>
Message-ID: <4761412D.70505@redhat.com>
Simo Sorce wrote:
> On Wed, 2007-12-12 at 10:36 -0500, Rob Crittenden wrote:
>> Add missing attributes to the ldap:///self aci
>>
>> Added employeeType, businessCategory and ou
>>
>> This was causing user self-service to fail.
>
> Merged and pushed, I also found that you added gecos, title and
> secretary, is that right ?
>
> Simo.
>
Oh right. I tried to keep the order similar to the order in the form.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From ssorce at redhat.com Thu Dec 13 19:34:47 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 13 Dec 2007 14:34:47 -0500
Subject: [Freeipa-devel] [PATCH 0 of 7] Some fairly miscellaneous patches
In-Reply-To:
References:
Message-ID: <1197574487.27361.0.camel@hopeson>
On Thu, 2007-12-13 at 09:35 +0000, Mark McLoughlin wrote:
> Hi,
> Here's a few patches consisting of:
>
> - Fixes required to work with latest rawhide
> - Other pretty straightfoward fixes
> - Patches to refactor (and hopefully improve) bits
> of ipa-server
Wow,
very good stuff Mark,
thanks!
I am reviewing patches one by one, and pushing them right away.
Simo.
From ssorce at redhat.com Thu Dec 13 20:12:59 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 13 Dec 2007 15:12:59 -0500
Subject: [Freeipa-devel] [PATCH 0 of 7] Some fairly miscellaneous patches
In-Reply-To: <1197574487.27361.0.camel@hopeson>
References:
<1197574487.27361.0.camel@hopeson>
Message-ID: <1197576779.27361.2.camel@hopeson>
On Thu, 2007-12-13 at 14:34 -0500, Simo Sorce wrote:
> On Thu, 2007-12-13 at 09:35 +0000, Mark McLoughlin wrote:
> > Hi,
> > Here's a few patches consisting of:
> >
> > - Fixes required to work with latest rawhide
> > - Other pretty straightfoward fixes
> > - Patches to refactor (and hopefully improve) bits
> > of ipa-server
>
> Wow,
> very good stuff Mark,
> thanks!
>
> I am reviewing patches one by one, and pushing them right away.
I like every single patch, and they merged in flawlessly.
Pushed them all, very good stuff.
Thanks.
Simo.
From ssorce at redhat.com Thu Dec 13 20:51:55 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 13 Dec 2007 15:51:55 -0500
Subject: [Freeipa-devel] [PATCH] fix delegation validation UI
In-Reply-To: <4760422A.1020905@redhat.com>
References: <4760422A.1020905@redhat.com>
Message-ID: <1197579115.27361.4.camel@hopeson>
On Wed, 2007-12-12 at 15:18 -0500, Rob Crittenden wrote:
> The source and target entry fields weren't highlighted as required so I
> fixed that.
>
> The huge checklist WAS highlighted and it looked really, really bad.
> Fixed that too.
>
> I had to tweak some TG internals to get this working properly.
Pushed,
Simo.
From ssorce at redhat.com Thu Dec 13 20:52:21 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 13 Dec 2007 15:52:21 -0500
Subject: [Freeipa-devel] [PATCH] Allow for direct entry of group names
when creating delegations
In-Reply-To: <4760AF50.8050003@redhat.com>
References: <4760AF50.8050003@redhat.com>
Message-ID: <1197579141.27361.6.camel@hopeson>
On Wed, 2007-12-12 at 23:04 -0500, Rob Crittenden wrote:
> Allow for direct entry of group names when creating delegations.
>
> This requires a bit of trickery. I use the onblur() javascript function
> to note when the field is left and store whatever was entered there.
>
> Then when the page is submitted if a dn doesn't exist for that field
> but they did enter something, do a lookup to see if there is a group by
> that name.
Pushed,
Simo.
From rcritten at redhat.com Thu Dec 13 20:56:15 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Dec 2007 15:56:15 -0500
Subject: [Freeipa-devel] [PATCH] create host keytab automatically
In-Reply-To: <1197494413.28356.0.camel@hopeson>
References: <1197493936.27878.0.camel@hopeson>
<1197494413.28356.0.camel@hopeson>
Message-ID: <47619C6F.2040804@redhat.com>
Simo Sorce wrote:
> On Wed, 2007-12-12 at 16:12 -0500, Simo Sorce wrote:
>> This make it possible for example to immediately login via ssh+gssapi to
>> the server.
>
> With the patch ...
>
> -EGAIN
>
>
Looks ok but are you missing a chown? Who normally owns and can read
this file?
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
From ssorce at redhat.com Thu Dec 13 21:49:20 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 13 Dec 2007 16:49:20 -0500
Subject: [Freeipa-devel] [PATCH] create host keytab automatically
In-Reply-To: <47619C6F.2040804@redhat.com>
References: <1197493936.27878.0.camel@hopeson>
<1197494413.28356.0.camel@hopeson> <47619C6F.2040804@redhat.com>
Message-ID: <1197582560.27361.9.camel@hopeson>
On Thu, 2007-12-13 at 15:56 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Wed, 2007-12-12 at 16:12 -0500, Simo Sorce wrote:
> >> This make it possible for example to immediately login via ssh+gssapi to
> >> the server.
> >
> > With the patch ...
> >
> > -EGAIN
> >
> >
>
> Looks ok but are you missing a chown? Who normally owns and can read
> this file?
Right,
merged with Mark patches changes and pushed the attached one that makes
sure it is readable by root only.
Simo.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-549-host-keytab-merge.patch
Type: text/x-patch
Size: 2976 bytes
Desc: not available
URL:
From markmc at redhat.com Mon Dec 17 10:17:32 2007
From: markmc at redhat.com (Mark McLoughlin)
Date: Mon, 17 Dec 2007 10:17:32 +0000
Subject: [Freeipa-devel] [PATCH] Fix error caused by creation steps patch
merge
Message-ID:
# HG changeset patch
# User Mark McLoughlin
# Date 1197886644 0
# Node ID e1e9b979aa2ad8e4cd6fa157641a2913b4458d29
# Parent 62186565605b2d1ae71918514a0518d9c1cef6e1
Fix error caused by creation steps patch merge
Merging the "host keytab" and "creation steps" patchs left
a stray old-style call to Service.step()
Signed-off-by: Mark McLoughlin
diff -r 62186565605b -r e1e9b979aa2a ipa-server/ipaserver/krbinstance.py
--- a/ipa-server/ipaserver/krbinstance.py Thu Dec 13 16:44:57 2007 -0500
+++ b/ipa-server/ipaserver/krbinstance.py Mon Dec 17 10:17:24 2007 +0000
@@ -373,7 +373,6 @@ class KrbInstance(service.Service):
os.chown("/etc/dirsrv/ds.keytab", pent.pw_uid, pent.pw_gid)
def __create_host_keytab(self):
- self.step("creating a keytab for the machine (sshd use this)")
try:
if ipautil.file_exists("/etc/krb5.keytab"):
os.remove("/etc/krb5.keytab")
From markmc at redhat.com Mon Dec 17 12:00:48 2007
From: markmc at redhat.com (Mark McLoughlin)
Date: Mon, 17 Dec 2007 12:00:48 +0000
Subject: [Freeipa-devel] [PATCH] Restart ipa-webgui in create_instance()
Message-ID:
# HG changeset patch
# User Mark McLoughlin
# Date 1197892833 0
# Node ID e0e677ea16396ea8ef72610cec14afeaed5e2d0a
# Parent e1e9b979aa2ad8e4cd6fa157641a2913b4458d29
Restart ipa-webgui in create_instance()
Just in case there is an existing ipa-webgui running
before ipa-server-install, restart the instance rather
than just starting it.
Signed-off-by: Mark McLoughlin
diff -r e1e9b979aa2a -r e0e677ea1639 ipa-server/ipaserver/webguiinstance.py
--- a/ipa-server/ipaserver/webguiinstance.py Mon Dec 17 10:17:24 2007 +0000
+++ b/ipa-server/ipaserver/webguiinstance.py Mon Dec 17 12:00:33 2007 +0000
@@ -24,6 +24,6 @@ class WebGuiInstance(service.Service):
service.Service.__init__(self, "ipa-webgui")
def create_instance(self):
- self.step("starting ipa-webgui", self.start)
+ self.step("starting ipa-webgui", self.restart)
self.step("configuring ipa-webgui to start on boot", self.chkconfig_on)
self.start_creation("Configuring ipa-webgui")
From ssorce at redhat.com Tue Dec 18 16:13:28 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 18 Dec 2007 11:13:28 -0500
Subject: [Freeipa-devel] [PATCH] Retrieve keytabs via LDAP
Message-ID: <1197994408.29896.3.camel@hopeson>
This patch adds a new extended operation (uses the RH-IPA OID space) to
retrieve keytabs directly from LDAP, simplifying management of keytabs.
There are still some rough edges but it basically works and can generate
a new keytab on request.
Provided also an example program to test it, unfortunately python-ldap
does not wrap the extended operations calls so C is the only way for
now.
Simo.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-550-get-keytab.patch
Type: text/x-patch
Size: 35881 bytes
Desc: not available
URL:
From ssorce at redhat.com Tue Dec 18 17:43:06 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 18 Dec 2007 12:43:06 -0500
Subject: [Freeipa-devel] [PATCH] Fix error caused by creation steps
patch merge
In-Reply-To:
References:
Message-ID: <1197999786.19318.58.camel@localhost.localdomain>
On Mon, 2007-12-17 at 10:17 +0000, Mark McLoughlin wrote:
> # HG changeset patch
> # User Mark McLoughlin
> # Date 1197886644 0
> # Node ID e1e9b979aa2ad8e4cd6fa157641a2913b4458d29
> # Parent 62186565605b2d1ae71918514a0518d9c1cef6e1
> Fix error caused by creation steps patch merge
>
> Merging the "host keytab" and "creation steps" patchs left
> a stray old-style call to Service.step()
Good one,
pushed.
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From ssorce at redhat.com Tue Dec 18 17:43:26 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 18 Dec 2007 12:43:26 -0500
Subject: [Freeipa-devel] [PATCH] Restart ipa-webgui in create_instance()
In-Reply-To:
References:
Message-ID: <1197999806.19318.60.camel@localhost.localdomain>
On Mon, 2007-12-17 at 12:00 +0000, Mark McLoughlin wrote:
> # HG changeset patch
> # User Mark McLoughlin
> # Date 1197892833 0
> # Node ID e0e677ea16396ea8ef72610cec14afeaed5e2d0a
> # Parent e1e9b979aa2ad8e4cd6fa157641a2913b4458d29
> Restart ipa-webgui in create_instance()
>
> Just in case there is an existing ipa-webgui running
> before ipa-server-install, restart the instance rather
> than just starting it.
Pushed.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From markmc at redhat.com Tue Dec 18 19:16:40 2007
From: markmc at redhat.com (Mark McLoughlin)
Date: Tue, 18 Dec 2007 19:16:40 +0000
Subject: [Freeipa-devel] [PATCH] Refactor keytab creation
Message-ID: <13d484285e734080056a.1198005400@localhost.localdomain>
# HG changeset patch
# User Mark McLoughlin
# Date 1198001014 0
# Node ID 13d484285e734080056a379a6ed9a406ecef973d
# Parent e36901f77b15d1a0920dcfc49d590db937a6e478
Refactor keytab creation
There's a few places where we spawn of kadmin to add/modify
principals and create keytabs.
Refactor all that code into installutils.
Signed-off-by: Mark McLoughlin
diff -r e36901f77b15 -r 13d484285e73 ipa-server/ipaserver/httpinstance.py
--- a/ipa-server/ipaserver/httpinstance.py Mon Dec 17 17:30:14 2007 +0000
+++ b/ipa-server/ipaserver/httpinstance.py Tue Dec 18 18:03:34 2007 +0000
@@ -26,7 +26,6 @@ import pwd
import pwd
import fileinput
import sys
-import time
import shutil
import service
@@ -88,28 +87,9 @@ class HTTPInstance(service.Service):
self.print_msg(selinux_warning)
def __create_http_keytab(self):
- try:
- if ipautil.file_exists("/etc/httpd/conf/ipa.keytab"):
- os.remove("/etc/httpd/conf/ipa.keytab")
- except os.error:
- print "Failed to remove /etc/httpd/conf/ipa.keytab."
- (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
- kwrite.write("addprinc -randkey HTTP/"+self.fqdn+"@"+self.realm+"\n")
- kwrite.flush()
- kwrite.write("ktadd -k /etc/httpd/conf/ipa.keytab HTTP/"+self.fqdn+"@"+self.realm+"\n")
- kwrite.flush()
- kwrite.close()
- kread.close()
- kerr.close()
-
- # give kadmin time to actually write the file before we go on
- retry = 0
- while not ipautil.file_exists("/etc/httpd/conf/ipa.keytab"):
- time.sleep(1)
- retry += 1
- if retry > 15:
- print "Error timed out waiting for kadmin to finish operations\n"
- sys.exit(1)
+ http_principal = "HTTP/" + self.fqdn + "@" + self.realm
+ installutils.kadmin_addprinc(http_principal)
+ installutils.create_keytab("/etc/httpd/conf/ipa.keytab", http_principal)
pent = pwd.getpwnam("apache")
os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)
diff -r e36901f77b15 -r 13d484285e73 ipa-server/ipaserver/installutils.py
--- a/ipa-server/ipaserver/installutils.py Mon Dec 17 17:30:14 2007 +0000
+++ b/ipa-server/ipaserver/installutils.py Tue Dec 18 18:03:34 2007 +0000
@@ -25,6 +25,9 @@ import re
import re
import fileinput
import sys
+import time
+
+from ipa import ipautil
def get_fqdn():
fqdn = ""
@@ -124,4 +127,36 @@ def update_file(filename, orig, subst):
print "File %s doesn't exist." % filename
return 1
+def kadmin(command):
+ (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
+ kwrite.write(command)
+ kwrite.write("\n")
+ kwrite.flush()
+
+ for k in (kwrite, kread, kerr):
+ k.close()
+
+def kadmin_addprinc(principal):
+ kadmin("addprinc -randkey " + principal)
+
+def kadmin_modprinc(principal, options):
+ kadmin("modprinc " + options + " " + principal)
+
+def create_keytab(path, principal):
+ try:
+ if ipautil.file_exists(path):
+ os.remove(path)
+ except os.error:
+ logging.critical("Failed to remove %s." % path)
+
+ kadmin("ktadd -k " + path + " " + principal)
+
+ # give kadmin time to actually write the file before we go on
+ retry = 0
+ while not ipautil.file_exists(path):
+ time.sleep(1)
+ retry += 1
+ if retry > 15:
+ logging.critical("Error timed out waiting for kadmin to finish operations")
+ sys.exit(1)
diff -r e36901f77b15 -r 13d484285e73 ipa-server/ipaserver/krbinstance.py
--- a/ipa-server/ipaserver/krbinstance.py Mon Dec 17 17:30:14 2007 +0000
+++ b/ipa-server/ipaserver/krbinstance.py Tue Dec 18 18:03:34 2007 +0000
@@ -29,10 +29,10 @@ import os
import os
import pwd
import socket
-import time
import shutil
import service
+import installutils
from ipa import ipautil
from ipa import ipaerror
@@ -345,89 +345,26 @@ class KrbInstance(service.Service):
raise e
def __create_ds_keytab(self):
- try:
- if ipautil.file_exists("/etc/dirsrv/ds.keytab"):
- os.remove("/etc/dirsrv/ds.keytab")
- except os.error:
- logging.critical("Failed to remove /etc/dirsrv/ds.keytab.")
- (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
- kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n")
- kwrite.flush()
- kwrite.write("ktadd -k /etc/dirsrv/ds.keytab ldap/"+self.fqdn+"@"+self.realm+"\n")
- kwrite.flush()
- kwrite.close()
- kread.close()
- kerr.close()
-
- # give kadmin time to actually write the file before we go on
- retry = 0
- while not ipautil.file_exists("/etc/dirsrv/ds.keytab"):
- time.sleep(1)
- retry += 1
- if retry > 15:
- logging.critical("Error timed out waiting for kadmin to finish operations")
- sys.exit(1)
+ ldap_principal = "ldap/" + self.fqdn + "@" + self.realm
+ installutils.kadmin_addprinc(ldap_principal)
+ installutils.create_keytab("/etc/dirsrv/ds.keytab", ldap_principal)
update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME", "/etc/dirsrv/ds.keytab")
pent = pwd.getpwnam(self.ds_user)
os.chown("/etc/dirsrv/ds.keytab", pent.pw_uid, pent.pw_gid)
def __create_host_keytab(self):
- try:
- if ipautil.file_exists("/etc/krb5.keytab"):
- os.remove("/etc/krb5.keytab")
- except os.error:
- logging.critical("Failed to remove /etc/krb5.keytab.")
- (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
- kwrite.write("addprinc -randkey host/"+self.fqdn+"@"+self.realm+"\n")
- kwrite.flush()
- kwrite.write("ktadd -k /etc/krb5.keytab host/"+self.fqdn+"@"+self.realm+"\n")
- kwrite.flush()
- kwrite.close()
- kread.close()
- kerr.close()
-
- # give kadmin time to actually write the file before we go on
- retry = 0
- while not ipautil.file_exists("/etc/krb5.keytab"):
- time.sleep(1)
- retry += 1
- if retry > 15:
- logging.critical("Error timed out waiting for kadmin to finish operations")
- sys.exit(1)
+ host_principal = "host/" + self.fqdn + "@" + self.realm
+ installutils.kadmin_addprinc(host_principal)
+ installutils.create_keytab("/etc/krb5.keytab", host_principal)
# Make sure access is strictly reserved to root only for now
os.chown("/etc/krb5.keytab", 0, 0)
os.chmod("/etc/krb5.keytab", 0600)
def __export_kadmin_changepw_keytab(self):
- try:
- if ipautil.file_exists("/var/kerberos/krb5kdc/kpasswd.keytab"):
- os.remove("/var/kerberos/krb5kdc/kpasswd.keytab")
- except os.error:
- logging.critical("Failed to remove /var/kerberos/krb5kdc/kpasswd.keytab.")
- (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
- kwrite.write("modprinc +requires_preauth kadmin/changepw\n")
- kwrite.flush()
- kwrite.close()
- kread.close()
- kerr.close()
-
- (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
- kwrite.write("ktadd -k /var/kerberos/krb5kdc/kpasswd.keytab kadmin/changepw\n")
- kwrite.flush()
- kwrite.close()
- kread.close()
- kerr.close()
-
- # give kadmin time to actually write the file before we go on
- retry = 0
- while not ipautil.file_exists("/var/kerberos/krb5kdc/kpasswd.keytab"):
- time.sleep(1)
- retry += 1
- if retry > 15:
- logging.critical("Error timed out waiting for kadmin to finish operations")
- sys.exit(1)
+ installutils.kadmin_modprinc("kadmin/changepw", "+requires_preauth")
+ installutils.create_keytab("/var/kerberos/krb5kdc/kpasswd.keytab", "kadmin/changepw")
update_key_val_in_file("/etc/sysconfig/ipa-kpasswd", "export KRB5_KTNAME", "/var/kerberos/krb5kdc/kpasswd.keytab")
pent = pwd.getpwnam(self.ds_user)
From abartlet at samba.org Tue Dec 18 21:57:40 2007
From: abartlet at samba.org (Andrew Bartlett)
Date: Wed, 19 Dec 2007 08:57:40 +1100
Subject: [Freeipa-devel] [PATCH] Retrieve keytabs via LDAP
In-Reply-To: <1197994408.29896.3.camel@hopeson>
References: <1197994408.29896.3.camel@hopeson>
Message-ID: <1198015060.2828.1.camel@naomi>
On Tue, 2007-12-18 at 11:13 -0500, Simo Sorce wrote:
> This patch adds a new extended operation (uses the RH-IPA OID space) to
> retrieve keytabs directly from LDAP, simplifying management of keytabs.
>
> There are still some rough edges but it basically works and can generate
> a new keytab on request.
>
> Provided also an example program to test it, unfortunately python-ldap
> does not wrap the extended operations calls so C is the only way for
> now.
This could be a useful thing to add to Samba4's LDAP server at some
point...
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:
From ssorce at redhat.com Tue Dec 18 22:28:23 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 18 Dec 2007 17:28:23 -0500
Subject: [Freeipa-devel] [PATCH] Retrieve keytabs via LDAP
In-Reply-To: <1198015060.2828.1.camel@naomi>
References: <1197994408.29896.3.camel@hopeson> <1198015060.2828.1.camel@naomi>
Message-ID: <1198016903.19318.71.camel@localhost.localdomain>
On Wed, 2007-12-19 at 08:57 +1100, Andrew Bartlett wrote:
> On Tue, 2007-12-18 at 11:13 -0500, Simo Sorce wrote:
> > This patch adds a new extended operation (uses the RH-IPA OID space) to
> > retrieve keytabs directly from LDAP, simplifying management of keytabs.
> >
> > There are still some rough edges but it basically works and can generate
> > a new keytab on request.
> >
> > Provided also an example program to test it, unfortunately python-ldap
> > does not wrap the extended operations calls so C is the only way for
> > now.
>
> This could be a useful thing to add to Samba4's LDAP server at some
> point...
Actually I am rewriting this and changing approach, more details later
(may still be useful for samba4, new approach will also make it easier
to adapt prolly as it offloads some unnecessary work from the server),
stay tuned.
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
From daobrien at redhat.com Wed Dec 19 12:48:43 2007
From: daobrien at redhat.com (David O'Brien)
Date: Wed, 19 Dec 2007 22:48:43 +1000
Subject: [Freeipa-devel] [PATCH] Allow for direct entry of group names
when creating delegations
In-Reply-To: <4760AF50.8050003@redhat.com>
References: <4760AF50.8050003@redhat.com>
Message-ID: <4769132B.8050200@redhat.com>
Rob Crittenden wrote:
> Allow for direct entry of group names when creating delegations.
>
> This requires a bit of trickery. I use the onblur() javascript function
> to note when the field is left and store whatever was entered there.
>
> Then when the page is submitted if a dn doesn't exist for that field
> but they did enter something, do a lookup to see if there is a group by
> that name.
>
> rob
That's good, thanks for doing that.
--
David O'Brien
RHCT
Red Hat is #1 in value. Again.
http://apac.redhat.com/promo/vendor/
From kmacmill at redhat.com Wed Dec 19 17:17:52 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 19 Dec 2007 12:17:52 -0500
Subject: [Freeipa-devel] [PATCH] Refactor keytab creation
In-Reply-To: <13d484285e734080056a.1198005400@localhost.localdomain>
References: <13d484285e734080056a.1198005400@localhost.localdomain>
Message-ID: <1198084672.19154.4.camel@clapton.mentalrootkit.com>
On Tue, 2007-12-18 at 19:16 +0000, Mark McLoughlin wrote:
> # HG changeset patch
> # User Mark McLoughlin
> # Date 1198001014 0
> # Node ID 13d484285e734080056a379a6ed9a406ecef973d
> # Parent e36901f77b15d1a0920dcfc49d590db937a6e478
> Refactor keytab creation
>
> There's a few places where we spawn of kadmin to add/modify
> principals and create keytabs.
>
> Refactor all that code into installutils.
>
Pushed.
The attached patch simplifies things further by using the -q command
line flag to kadmin so that we don't have to communicate over stdin.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kadmin.patch
Type: text/x-patch
Size: 1317 bytes
Desc: not available
URL:
From kmacmill at redhat.com Wed Dec 19 17:20:27 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 19 Dec 2007 12:20:27 -0500
Subject: [Freeipa-devel] [PATCH] separate out radius-admintools
Message-ID: <1198084827.19154.7.camel@clapton.mentalrootkit.com>
This patch separates the radius admintools like we separated the server
portion. Unfortunately, I accidentally pushed this, so I just need an
ack or issues that I can address via separate patches.
Kar
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radius-admintools.patch
Type: text/x-patch
Size: 108493 bytes
Desc: not available
URL:
From markmc at redhat.com Wed Dec 19 18:01:12 2007
From: markmc at redhat.com (Mark McLoughlin)
Date: Wed, 19 Dec 2007 18:01:12 +0000
Subject: [Freeipa-devel] [PATCH] Refactor keytab creation
In-Reply-To: <1198084672.19154.4.camel@clapton.mentalrootkit.com>
References: <13d484285e734080056a.1198005400@localhost.localdomain>
<1198084672.19154.4.camel@clapton.mentalrootkit.com>
Message-ID: <1198087272.21854.0.camel@blaa>
On Wed, 2007-12-19 at 12:17 -0500, Karl MacMillan wrote:
> The attached patch simplifies things further by using the -q command
> line flag to kadmin so that we don't have to communicate over stdin.
Sweet, much better.
Mark.
From kmacmill at redhat.com Wed Dec 19 18:20:15 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 19 Dec 2007 13:20:15 -0500
Subject: [Freeipa-devel] [PATCH] Refactor keytab creation
In-Reply-To: <1198087272.21854.0.camel@blaa>
References: <13d484285e734080056a.1198005400@localhost.localdomain>
<1198084672.19154.4.camel@clapton.mentalrootkit.com>
<1198087272.21854.0.camel@blaa>
Message-ID: <1198088415.19154.15.camel@clapton.mentalrootkit.com>
On Wed, 2007-12-19 at 18:01 +0000, Mark McLoughlin wrote:
> On Wed, 2007-12-19 at 12:17 -0500, Karl MacMillan wrote:
>
> > The attached patch simplifies things further by using the -q command
> > line flag to kadmin so that we don't have to communicate over stdin.
>
> Sweet, much better.
Pushed.
From jdennis at redhat.com Wed Dec 19 18:30:17 2007
From: jdennis at redhat.com (John Dennis)
Date: Wed, 19 Dec 2007 13:30:17 -0500
Subject: [Freeipa-devel] [PATCH] separate out radius-admintools
In-Reply-To: <1198084827.19154.7.camel@clapton.mentalrootkit.com>
References: <1198084827.19154.7.camel@clapton.mentalrootkit.com>
Message-ID: <47696339.3070209@redhat.com>
Karl MacMillan wrote:
> This patch separates the radius admintools like we separated the server
> portion. Unfortunately, I accidentally pushed this, so I just need an
> ack or issues that I can address via separate patches.
You just moved them to a different directory with a separate
configure/install, right? Or is there something more going on than that?
--
John Dennis