From ssorce at redhat.com  Mon Oct  1 03:42:25 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Sun, 30 Sep 2007 23:42:25 -0400
Subject: [Freeipa-devel] Milestone 4 almost done
In-Reply-To: <1191190549.28109.4.camel@laptop.local>
References: <1191013043.12112.60.camel@laptop.local>
	<1191173302.3284.3.camel@localhost.localdomain>
	<1191190549.28109.4.camel@laptop.local>
Message-ID: <1191210145.3155.11.camel@localhost.localdomain>

On Sun, 2007-09-30 at 18:15 -0400, Karl MacMillan wrote:
> On Sun, 2007-09-30 at 13:28 -0400, Simo Sorce wrote:
> > On Fri, 2007-09-28 at 16:57 -0400, Karl MacMillan wrote:
> > > I'm planning on pushing out a milestone 4 release on Monday after doing
> > > some testing. Other than some pending patches from Kevin, anything else
> > > need to be merged for this release?
> > 
> > I am still having problems with apache and kerberos
> > 
> > My debugging on the plane turns out to show that a call to the kerberos
> > library tells back that I have no delegated credentials (but klist shows
> > the ticket is forwardable).
> > 
> > It would be nice to understand if it is something in my environment that
> > is wrong or if there is a more general problem and what causes it.
> > 
> > On Monday I hope to have the time to install an F-7 from scratch and see
> > if I can install and make it working.
> > 
> 
> Have you upgraded your mod_auth_kerb and installed the new PyKerberos
> that Rob posted Fri? That (and setting my hostname correctly) fixed all
> of my problems.

I have the mod_auth_kerb (recompiled multiple times and with added debug
options to understand what was wrong as well :-)

Didn't see any new PyKerberos package, will try that eventually.

> It would be great if you could test everything on Mon. and let me know
> if it works. If it does that would mean that at least 3 of us have
> everything working - which would count as well tested at this point :)

Crossing fingers :)

> The only thing I have to do to reinstall is:
> 
> a) stop all of the ipa components
> b) delete the dirsrv instance
> 
> Does that match your experience?

IIRC yes, but we need to test more.

> We could automate that, but I hesitate
> to delete data. Maybe offer to move aside the dirsrv instance data?

Dunno, maybe tar it up.

> Also
> - do we _really_ need the guid naming for the dirsrv instance. It is
> really a pain and I'm not convinced that we need uniqueness like that.

Maybe use the REALM name for that? Would it make more sense?

> Also - do we need a convenient way to start/stop all of the IPA related
> daemons?

Not sure, do we really need that as a convenience?

> Regardless, let's put some solution on the list of things to do, but not
> delay milestone 4.

ACK

Simo.



From ssorce at redhat.com  Mon Oct  1 03:44:57 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Sun, 30 Sep 2007 23:44:57 -0400
Subject: [Freeipa-devel] new PyKerberos with delegation
In-Reply-To: <46FD664F.5080701@redhat.com>
References: <46FD664F.5080701@redhat.com>
Message-ID: <1191210297.3155.14.camel@localhost.localdomain>

On Fri, 2007-09-28 at 16:38 -0400, Rob Crittenden wrote:
> I fixed this way back at the end of August and never sent it out...
> 
> The first PyKerberos I built didn't set the GSS_C_DELEG_FLAG flag so 
> wouldn't do ticket forwarding. This one adds a patch that sets it.

I bet it was this one, I debugged mod_auth_kerb exactly to the point I
found I had no delegation accordingly to the libkrb call that finds it
out.

> If you're having problems with the IPA command-line tools try this out.

I'll do tomorrow, it is great if this is all is needed to fix my issues.

Simo.



From rcritten at redhat.com  Mon Oct  1 13:12:08 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 01 Oct 2007 09:12:08 -0400
Subject: [Freeipa-devel] Milestone 4 almost done
In-Reply-To: <1191173302.3284.3.camel@localhost.localdomain>
References: <1191013043.12112.60.camel@laptop.local>
	<1191173302.3284.3.camel@localhost.localdomain>
Message-ID: <4700F228.4050301@redhat.com>

Simo Sorce wrote:
> On Fri, 2007-09-28 at 16:57 -0400, Karl MacMillan wrote:
>> I'm planning on pushing out a milestone 4 release on Monday after doing
>> some testing. Other than some pending patches from Kevin, anything else
>> need to be merged for this release?
> 
> I am still having problems with apache and kerberos
> 
> My debugging on the plane turns out to show that a call to the kerberos
> library tells back that I have no delegated credentials (but klist shows
> the ticket is forwardable).

You need an updated PyKerberos rpm, PyKerberos-0.1735-2.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071001/cf89dbbe/attachment.bin>

From rcritten at redhat.com  Mon Oct  1 13:15:00 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 01 Oct 2007 09:15:00 -0400
Subject: [Freeipa-devel] Milestone 4 almost done
In-Reply-To: <1191190549.28109.4.camel@laptop.local>
References: <1191013043.12112.60.camel@laptop.local>	<1191173302.3284.3.camel@localhost.localdomain>
	<1191190549.28109.4.camel@laptop.local>
Message-ID: <4700F2D4.3070705@redhat.com>

Karl MacMillan wrote:
> On Sun, 2007-09-30 at 13:28 -0400, Simo Sorce wrote:
>> On Fri, 2007-09-28 at 16:57 -0400, Karl MacMillan wrote:
>>> I'm planning on pushing out a milestone 4 release on Monday after doing
>>> some testing. Other than some pending patches from Kevin, anything else
>>> need to be merged for this release?
>> I am still having problems with apache and kerberos
>>
>> My debugging on the plane turns out to show that a call to the kerberos
>> library tells back that I have no delegated credentials (but klist shows
>> the ticket is forwardable).
>>
>> It would be nice to understand if it is something in my environment that
>> is wrong or if there is a more general problem and what causes it.
>>
>> On Monday I hope to have the time to install an F-7 from scratch and see
>> if I can install and make it working.
>>
> 
> Have you upgraded your mod_auth_kerb and installed the new PyKerberos
> that Rob posted Fri? That (and setting my hostname correctly) fixed all
> of my problems.
> 
> It would be great if you could test everything on Mon. and let me know
> if it works. If it does that would mean that at least 3 of us have
> everything working - which would count as well tested at this point :)
> 
>> Another problem we have and that we ditched so far is installing on
>> dirty systems. So far we thought we should not support it because we
>> install on clean systems. Yesterday (always on the plane) I found out
>> why we are wrong: I hit ctrl-c in the middle of the installation.
>> Rerunning ipa-server-install didn't work. This is not acceptable IMO.
>> Not sure if this should impact at all Milestone 4, comments are welcome.
>>
> 
> The only thing I have to do to reinstall is:
> 
> a) stop all of the ipa components
> b) delete the dirsrv instance
> 
> Does that match your experience? We could automate that, but I hesitate
> to delete data. Maybe offer to move aside the dirsrv instance data? Also
> - do we _really_ need the guid naming for the dirsrv instance. It is
> really a pain and I'm not convinced that we need uniqueness like that.

What we can do is detect another DS instance and simply refuse to do 
anything until it is gone. Let the user delete the data.

> Also - do we need a convenient way to start/stop all of the IPA related
> daemons?

I'm not sure why one would need to do this.


> Regardless, let's put some solution on the list of things to do, but not
> delay milestone 4.
> 

I agree.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071001/2f73b0eb/attachment.bin>

From ssorce at redhat.com  Mon Oct  1 13:47:28 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 01 Oct 2007 09:47:28 -0400
Subject: [Freeipa-devel] Milestone 4 almost done
In-Reply-To: <4700F228.4050301@redhat.com>
References: <1191013043.12112.60.camel@laptop.local>
	<1191173302.3284.3.camel@localhost.localdomain>
	<4700F228.4050301@redhat.com>
Message-ID: <1191246448.3155.34.camel@localhost.localdomain>

On Mon, 2007-10-01 at 09:12 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Fri, 2007-09-28 at 16:57 -0400, Karl MacMillan wrote:
> >> I'm planning on pushing out a milestone 4 release on Monday after doing
> >> some testing. Other than some pending patches from Kevin, anything else
> >> need to be merged for this release?
> > 
> > I am still having problems with apache and kerberos
> > 
> > My debugging on the plane turns out to show that a call to the kerberos
> > library tells back that I have no delegated credentials (but klist shows
> > the ticket is forwardable).
> 
> You need an updated PyKerberos rpm, PyKerberos-0.1735-2.

Yeah that was it, as soon as I installed this new one, all worked
perfectly.
Too bad I lost hours on this, but I am glad it is solved.

Simo.



From ssorce at redhat.com  Mon Oct  1 15:53:38 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 01 Oct 2007 11:53:38 -0400
Subject: [Freeipa-devel] [PATCH] Use more krb
Message-ID: <1191254018.10954.3.camel@hopeson>

This patch changes a bit of code to rely more on kerberos.

It also changes ipa-adduser to something I think is a more useful
workflow, it does not require an email for example as we don't need it.
Instead it allows passing a principal name in case you need to create
specific one or want to avoid conflicts with an exiting one.

This patch also removes some classes we don't want to use by default for
users.

Note: this patch may not apply cleanly as a pull from upstream after the
commit required me a merge. I have the merge patch in my tree so just
ack/nack it and I will push both the patch and the merge patch at the
same time.

Simo.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-223-more-krb.patch
Type: text/x-patch
Size: 15976 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071001/e767a8cf/attachment.bin>

From rcritten at redhat.com  Mon Oct  1 16:19:37 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 01 Oct 2007 12:19:37 -0400
Subject: [Freeipa-devel] [PATCH] Use more krb
In-Reply-To: <1191254018.10954.3.camel@hopeson>
References: <1191254018.10954.3.camel@hopeson>
Message-ID: <47011E19.4090007@redhat.com>

Simo Sorce wrote:
> This patch changes a bit of code to rely more on kerberos.
> 
> It also changes ipa-adduser to something I think is a more useful
> workflow, it does not require an email for example as we don't need it.
> Instead it allows passing a principal name in case you need to create
> specific one or want to avoid conflicts with an exiting one.

What about the other tools?

> This patch also removes some classes we don't want to use by default for
> users.
> 
> Note: this patch may not apply cleanly as a pull from upstream after the
> commit required me a merge. I have the merge patch in my tree so just
> ack/nack it and I will push both the patch and the merge patch at the
> same time.

I'd rather ack the actual patch that is going to be committed.

Other comments in-line in the code, marked by []


# HG changeset patch
# User Simo Sorce <ssorce at redhat.com>
# Date 1191252940 14400
# Node ID fbee5ea59a1f622aadcbf14c545c877920fd1458
# Parent  e950c62a04f9d472d287bcf91012a2a1294cb014
Rely more on kerberos.
Don't read ipa.conf to get the realm, the kerberos libs do that for you.
Use the krbPrincipalName to change passwords
Make it possible to specify the principal at user creation.
Mail is not a required attribute so far, don't require it.

[ E-mail is required in the GUI so I made it required here for 
consistency. ]

diff -r e950c62a04f9 -r fbee5ea59a1f ipa-admintools/ipa-adduser
--- a/ipa-admintools/ipa-adduser	Fri Sep 28 14:55:28 2007 -0400
+++ b/ipa-admintools/ipa-adduser	Mon Oct 01 11:35:40 2007 -0400
@@ -28,6 +28,7 @@ import ipa.config

  import xmlrpclib
  import kerberos
+import krbV
  import ldap
  import getpass

@@ -51,8 +52,10 @@ def parse_options():
                        help="Set user's login shell to shell")
      parser.add_option("-G", "--groups", dest="groups",
                        help="Add account to one or more groups 
(comma-separated)")
+    parser.add_option("-k", "--krb-principal", dest="principal",
+                      help="Set user's Kerberos Principal Name")
      parser.add_option("-M", "--mailAddress", dest="mail",
-                      help="Set uesr's e-mail address")
+                      help="Set user's e-mail address")
      parser.add_option("--usage", action="store_true",
                        help="Program usage")

@@ -66,8 +69,9 @@ def main():
      givenname = ""
      lastname = ""
      username = ""
+    principal = ""
      password = ""
-    mail = ""
+    mail = ""
      gecos = ""
      directory = ""
      shell = ""
@@ -100,7 +104,7 @@ def main():
      cont = False
      if not options.sn:
          while (cont != True):
-            lastname = raw_input(" Last name: ")
+            lastname = raw_input("Last name: ")
              if (ipavalidate.plain(lastname, notEmpty=True)):
                  print "Field is required and must be letters or '"
              else:
@@ -140,18 +144,10 @@ def main():
      else:
          password = options.sn

-    cont = False
-    if not options.mail:
-        while (cont != True):
-            mail = raw_input("E-mail addr: ")
-            if (ipavalidate.email(mail)):
-                print "Field is required and must include a user and 
domain name"
-            else:
-                cont = True
-    else:
+    if options.mail:
          mail = options.mail
          if (ipavalidate.email(mail)):
-            print "E-mail is required and must include a user and 
domain name"
+            print "The email provided seem not a valid email."
              return 1

      # Ask the questions we don't normally force. We don't require answers
@@ -168,8 +164,10 @@ def main():
          cont = False
          if not options.directory:
              while (cont != True):
-                directory = raw_input("home directory []: ")
-                if (ipavalidate.path(gecos, notEmpty=False)):
+                directory = raw_input("home directory 
[/home/"+username+"]: ")
+                if directory == "":
+                     directory = "/home/"+username

[ /home should not be hardcoded here. It is currently hardcoded on the 
server side. This needs not be hardcoded anywhere but should be stored 
in LDAP somewhere. I'd rather not have to fix both places in the future 
though. ]

+                if (ipavalidate.path(directory, notEmpty=False)):
                      print "Must be letters, numbers, spaces or '"
                  else:
                      cont = True
@@ -180,29 +178,26 @@ def main():

                  if len(shell) < 1:
                      shell = None
-                    cont = True
-        cont = False
-        if not options.groups:
-            while (cont != True):
-                g = raw_input("Add to group [blank to exit]: ")
-
-                if len(g) < 1:
-                    cont = True
-                else:
-                    if (ipavalidate.path(g, notEmpty=False)):
-                        print "Must be letters, numbers, spaces or '"
-                    else:
-                        groups = groups + "," + g

[ Why not add groups at the same time? ]

+                cont = True
+
      else:
          gecos = options.gecos
          directory = options.directory
          shell = options.shell
          groups = options.groups

+    if options.principal:
+        principal = options.principal
+    else:
+        ctx = krbV.default_context()
+        principal = username + "@" + ctx.default_realm
+
      user.setValue('givenname', givenname)
      user.setValue('sn', lastname)
      user.setValue('uid', username)
-    user.setValue('mail', mail)
+    user.setValue('krbprincipalname', principal)
+    if mail:
+        user.setValue('mail', mail)
      if gecos:
          user.setValue('gecos', gecos)
      if directory:
@@ -231,7 +226,7 @@ def main():
      # Set the User's password
      if password is not None:
          try:
-            client.modifyPassword(username, None, password)
+            client.modifyPassword(principal, None, password)
          except ipa.ipaerror.IPAError, e:
              print "User added but setting the password failed."
              print "%s" % (e.message)
diff -r e950c62a04f9 -r fbee5ea59a1f ipa-admintools/ipa-passwd
--- a/ipa-admintools/ipa-passwd	Fri Sep 28 14:55:28 2007 -0400
+++ b/ipa-admintools/ipa-passwd	Mon Oct 01 11:35:40 2007 -0400
@@ -44,12 +44,12 @@ def parse_options():

      return options, args

-def get_principal():
+def get_principal(krbctx):
      try:
-        ctx = krbV.default_context()
-        ccache = ctx.default_ccache()
+        ccache = krbctx.default_ccache()
          cprinc = ccache.principal()
      except krbV.Krb5Error, e:
+        #TODO: do a kinit
          print "Unable to get kerberos principal: %s" % e[1]
          return None

@@ -57,39 +57,47 @@ def get_principal():

  def main():
      match = False
+    username = None
+    principal = None

+    krbctx = krbV.default_context()
      options, args = parse_options()

      if len(args) == 2:
          username = args[1]
      else:
-        username = get_principal()
-        if username is None:
+        principal = get_principal(krbctx)
+        if principal is None:
              return 1

-    u = username.split('@')
-    if len(u) > 1:
-        username = u[0]
+    if not principal:
+        u = username.split('@')
+        if len(u) > 2 or len(u) == 0:
+            print "Invalid user name (%s)" % username
+        if len(u) == 1:
+            principal = username+"@"+krbctx.default_realm
+        else:
+            principal = username

-    print "Changing password for %s" % username
+    print "Changing password for %s" % principal

      while (match != True):
          # No syntax checking of the password is required because that 
is done
          # on the server side
          password = getpass.getpass("  New Password: ")
-        confirm = getpass.getpass("  New Password (again): ")
+        confirm = getpass.getpass("  Confirm Password: ")
          if (password != confirm):
              print "Passwords do not match"
              match = False
+        elif (len(password) < 1):
+            print "Password cannot be empty"
+            match = False
          else:
              match = True
-            if (len(password) < 1):
-                print "Password cannot be empty"
-                match = False

      try:
          client = ipaclient.IPAClient()
-        client.modifyPassword(username, None, password)
+        client.modifyPassword(principal, None, password)
      except ipa.ipaerror.IPAError, e:
          print "%s" % (e.message)
          return 1
diff -r e950c62a04f9 -r fbee5ea59a1f ipa-python/freeipa-python.spec
--- a/ipa-python/freeipa-python.spec	Fri Sep 28 14:55:28 2007 -0400
+++ b/ipa-python/freeipa-python.spec	Mon Oct 01 11:35:40 2007 -0400
@@ -10,7 +10,7 @@ BuildRoot:      %{_tmppath}/%{name}-%{ve
  BuildRoot: 
%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
  BuildArch: 	noarch

-Requires: python PyKerberos python-krbV
+Requires: python PyKerberos

[ This looks like a mis-merge. python-krbV is required now ]

  %{!?python_sitelib: %define python_sitelib %(%{__python} -c "from 
distutils.sysconfig import get_python_lib; print get_python_lib()")}

diff -r e950c62a04f9 -r fbee5ea59a1f ipa-python/ipaclient.py
--- a/ipa-python/ipaclient.py	Fri Sep 28 14:55:28 2007 -0400
+++ b/ipa-python/ipaclient.py	Mon Oct 01 11:35:40 2007 -0400
@@ -34,7 +34,6 @@ class IPAClient:

      def __init__(self,local=None):
          self.local = local
-        ipa.config.init_config()
          if local:
              self.transport = funcs.IPAServer()
              # client needs to call set_principal(user at REALM)
@@ -80,8 +79,6 @@ class IPAClient:
      def add_user(self,user,user_container=None):
          """Add a user. user is a ipa.user.User object"""

-        realm = config.config.get_realm()
-
          user_dict = user.toDict()

          # dn is set on the server-side
@@ -125,30 +122,24 @@ class IPAClient:
      def update_user(self,user):
          """Update a user entry."""

-        realm = config.config.get_realm()
-
          result = self.transport.update_user(user.origDataDict(), 
user.toDict())
          return result

      def delete_user(self,uid):
          """Delete a user entry."""

-        realm = config.config.get_realm()
-
          result = self.transport.delete_user(uid)
          return result

-    def modifyPassword(self,uid,oldpass,newpass):
+    def modifyPassword(self,principal,oldpass,newpass):
          """Modify a user's password"""

-        result = self.transport.modifyPassword(uid,oldpass,newpass)
+        result = self.transport.modifyPassword(principal,oldpass,newpass)

          return result

      def mark_user_deleted(self,uid):
          """Set a user as inactive by uid."""
-
-        realm = config.config.get_realm()

          result = self.transport.mark_user_deleted(uid)
          return result
@@ -181,8 +172,6 @@ class IPAClient:
      def add_group(self,group,group_container=None):
          """Add a group. group is a ipa.group.Group object"""

-        realm = config.config.get_realm()
-
          group_dict = group.toDict()

          # dn is set on the server-side
@@ -237,6 +226,8 @@ class IPAClient:

      def add_user_to_group(self, user_uid, group_cn):
          """Add a user to an existing group.
+           user is a uid of the user to add
+           group is the cn of the group to be added to
          """

          return self.transport.add_user_to_group(user_uid, group_cn)
@@ -252,6 +243,8 @@ class IPAClient:

      def remove_user_from_group(self, user_uid, group_cn):
          """Remove a user from an existing group.
+           user is a uid of the user to remove
+           group is the cn of the group to be removed from
          """

          return self.transport.remove_user_from_group(user_uid, group_cn)
diff -r e950c62a04f9 -r fbee5ea59a1f ipa-python/rpcclient.py
--- a/ipa-python/rpcclient.py	Fri Sep 28 14:55:28 2007 -0400
+++ b/ipa-python/rpcclient.py	Mon Oct 01 11:35:40 2007 -0400
@@ -212,7 +212,7 @@ class RPCClient:

          return result

-    def modifyPassword(self,uid,oldpass,newpass):
+    def modifyPassword(self,principal,oldpass,newpass):
          """Modify a user's password"""
          server = self.setup_server()

@@ -220,7 +220,7 @@ class RPCClient:
              oldpass = "__NONE__"

          try:
-            result = server.modifyPassword(uid,oldpass,newpass)
+            result = server.modifyPassword(principal,oldpass,newpass)
          except xmlrpclib.Fault, fault:
              raise ipaerror.gen_exception(fault.faultCode, 
fault.faultString)
          except socket.error, (value, msg):
diff -r e950c62a04f9 -r fbee5ea59a1f 
ipa-server/ipa-gui/ipagui/controllers.py
--- a/ipa-server/ipa-gui/ipagui/controllers.py	Fri Sep 28 14:55:28 2007 
-0400
+++ b/ipa-server/ipa-gui/ipagui/controllers.py	Mon Oct 01 11:35:40 2007 
-0400
@@ -191,7 +191,7 @@ class Root(controllers.RootController):

          try:
              if password_change:
-                rv = client.modifyPassword(kw['uid'], "", 
kw.get('userpassword'))
+                rv = client.modifyPassword(kw['krbprincipalname'], "", 
kw.get('userpassword'))
          except ipaerror.IPAError, e:
              turbogears.flash("User password change failed: " + str(e))
              return dict(form=user_edit_form, user=kw,
diff -r e950c62a04f9 -r fbee5ea59a1f ipa-server/xmlrpc-server/funcs.py
--- a/ipa-server/xmlrpc-server/funcs.py	Fri Sep 28 14:55:28 2007 -0400
+++ b/ipa-server/xmlrpc-server/funcs.py	Mon Oct 01 11:35:40 2007 -0400
@@ -20,12 +20,12 @@ import sys
  import sys
  sys.path.append("/usr/share/ipa")

+import krbV
  import ldap
  import ipaserver.dsinstance
  import ipaserver.ipaldap
  import ipa.ipautil
  import xmlrpclib
-import ipa.config
  import copy
  from ipa import ipaerror

@@ -86,11 +86,12 @@ class IPAServer:
          self.bindcert = "/usr/share/ipa/cert.pem"
          self.bindkey = "/usr/share/ipa/key.pem"
          self.bindca = "/usr/share/ipa/cacert.asc"
-
+        self.krbctx = krbV.default_context()
+        self.realm = self.krbctx.default_realm
+
          if _LDAPPool is None:
              _LDAPPool = IPAConnPool()
-        ipa.config.init_config()
-        self.basedn = 
ipa.ipautil.realm_to_suffix(ipa.config.config.get_realm())
+        self.basedn = ipa.ipautil.realm_to_suffix(self.realm)
          self.scope = ldap.SCOPE_SUBTREE
          self.princ = None
          self.krbccache = None
@@ -311,6 +312,15 @@ class IPAServer:
          filter = "(objectClass=*)"
          return self.__get_entry(dn, filter, sattrs, opts)

+    def get_user_by_principal(self, principal, sattrs=None, opts=None):
+        """Get a user entry searching by Kerberos Principal Name.
+           Return as a dict of values. Multi-valued fields are
+           represented as lists.
+        """
+
+        filter = "(krbPrincipalName="+self.__safe_filter(principal)+")"
+        return self.__get_entry(self.basedn, filter, sattrs, opts)
+
      def get_users_by_manager (self, manager_dn, sattrs=None, opts=None):
          """Gets the users that report to a particular manager.
          """
@@ -350,8 +360,7 @@ class IPAServer:
          # FIXME: What is the default group for users?
          user['gidnumber'] = '501'

-        realm = ipa.config.config.get_realm()
-        user['krbprincipalname'] = "%s@%s" % (user.get('uid'), realm)
+        user['krbprincipalname'] = "%s@%s" % (user.get('uid'), self.realm)

[ You need to check to see if krbprincipalname is already set ]

          # FIXME. This is a hack so we can request separate First and Last
          # name in the GUI.
@@ -562,31 +571,31 @@ class IPAServer:
             The memberOf plugin handles removing the user from any other
             groups.
          """
-        user_dn = self.get_user_by_uid(uid, ['dn', 'uid', 
'objectclass'], opts)
-        if user_dn is None:
+        user = self.get_user_by_uid(uid, ['dn', 'uid', 'objectclass'], 
opts)
+        if user is None:
              raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)

          conn = self.getConnection(opts)
          try:
-            res = conn.deleteEntry(user_dn['dn'])
+            res = conn.deleteEntry(user['dn'])
          finally:
              self.releaseConnection(conn)
          return res

-    def modifyPassword (self, uid, oldpass, newpass, opts=None):
+    def modifyPassword (self, principal, oldpass, newpass, opts=None):
          """Set/Reset a user's password

             uid tells us who's password to change
             oldpass is the old password (if available)
             newpass is the new password
          """
-        user_dn = self.get_user_by_uid(uid, ['dn', 'uid', 
'objectclass'], opts)
-        if user_dn is None:
+        user = self.get_user_by_principal(principal, 
['krbprincipalname'], opts)
+        if user is None or user['krbprincipalname'] != principal:
              raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)

[ If you do a search on principal how could user['principalname] ever != 
principal? ]

          conn = self.getConnection(opts)
          try:
-            res = conn.modifyPassword(user_dn['dn'], oldpass, newpass)
+            res = conn.modifyPassword(user['dn'], oldpass, newpass)
          finally:
              self.releaseConnection(conn)
          return res


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071001/2961fb4e/attachment.bin>

From kmccarth at redhat.com  Mon Oct  1 16:40:01 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 1 Oct 2007 09:40:01 -0700
Subject: [Freeipa-devel] [PATCH] Use more krb
In-Reply-To: <1191254018.10954.3.camel@hopeson>
References: <1191254018.10954.3.camel@hopeson>
Message-ID: <20071001164000.GC3697@moon.usersys.redhat.com>

Simo Sorce wrote:
> This patch changes a bit of code to rely more on kerberos.
> 
> It also changes ipa-adduser to something I think is a more useful
> workflow, it does not require an email for example as we don't need it.
> Instead it allows passing a principal name in case you need to create
> specific one or want to avoid conflicts with an exiting one.
> 
> This patch also removes some classes we don't want to use by default for
> users.
> 
> Note: this patch may not apply cleanly as a pull from upstream after the
> commit required me a merge. I have the merge patch in my tree so just
> ack/nack it and I will push both the patch and the merge patch at the
> same time.

I hadn't put the password setting code into Add User yet.  Should I be
prompting them for the principal?

If not, how shall I call modifyPassword after creating the user?  I
suppose I can query the user back after creating it to get the
principal.

-Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071001/b810e94b/attachment.bin>

From ssorce at redhat.com  Mon Oct  1 16:41:24 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 01 Oct 2007 12:41:24 -0400
Subject: [Freeipa-devel] [PATCH] Use more krb
In-Reply-To: <47011E19.4090007@redhat.com>
References: <1191254018.10954.3.camel@hopeson> <47011E19.4090007@redhat.com>
Message-ID: <1191256884.3155.85.camel@localhost.localdomain>

On Mon, 2007-10-01 at 12:19 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > This patch changes a bit of code to rely more on kerberos.
> > 
> > It also changes ipa-adduser to something I think is a more useful
> > workflow, it does not require an email for example as we don't need it.
> > Instead it allows passing a principal name in case you need to create
> > specific one or want to avoid conflicts with an exiting one.
> 
> What about the other tools?

Working on it while I explore the code.
Any "must do" pointers are very welcome.

> > This patch also removes some classes we don't want to use by default for
> > users.
> > 
> > Note: this patch may not apply cleanly as a pull from upstream after the
> > commit required me a merge. I have the merge patch in my tree so just
> > ack/nack it and I will push both the patch and the merge patch at the
> > same time.
> 
> I'd rather ack the actual patch that is going to be committed.
> 
> Other comments in-line in the code, marked by []
> 

> [ E-mail is required in the GUI so I made it required here for 
> consistency. ]

Ah I see, then I guess we should remove the requirement in the GUI.
Service accounts may very well not have an email anyway.

> [ /home should not be hardcoded here. It is currently hardcoded on the 
> server side. This needs not be hardcoded anywhere but should be stored 
> in LDAP somewhere. I'd rather not have to fix both places in the future 
> though. ]

Uhmmm ... make sense, I will think how to best fix this in a following patch.

> [ Why not add groups at the same time? ]

I think it is a bit too much to list groups in interactive mode.
Unattended is different.

> diff -r e950c62a04f9 -r fbee5ea59a1f ipa-python/freeipa-python.spec
> --- a/ipa-python/freeipa-python.spec	Fri Sep 28 14:55:28 2007 -0400
> +++ b/ipa-python/freeipa-python.spec	Mon Oct 01 11:35:40 2007 -0400
> @@ -10,7 +10,7 @@ BuildRoot:      %{_tmppath}/%{name}-%{ve
>   BuildRoot: 
> %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
>   BuildArch: 	noarch
> 
> -Requires: python PyKerberos python-krbV
> +Requires: python PyKerberos
> 
> [ This looks like a mis-merge. python-krbV is required now ]

Seem it is not in the current pushed code.
Have you added this in some patches not yet pushed?

> @@ -350,8 +360,7 @@ class IPAServer:
>           # FIXME: What is the default group for users?
>           user['gidnumber'] = '501'
> 
> -        realm = ipa.config.config.get_realm()
> -        user['krbprincipalname'] = "%s@%s" % (user.get('uid'), realm)
> +        user['krbprincipalname'] = "%s@%s" % (user.get('uid'),
> self.realm)
> 
> [ You need to check to see if krbprincipalname is already set ]

Good catch thanks.

> -        user_dn = self.get_user_by_uid(uid, ['dn', 'uid', 
> 'objectclass'], opts)
> -        if user_dn is None:
> +        user = self.get_user_by_principal(principal, 
> ['krbprincipalname'], opts)
> +        if user is None or user['krbprincipalname'] != principal:
>               raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
> 
> [ If you do a search on principal how could user['principalname] ever != 
> principal? ]

Just paranoia checking :-)

Simo.



From ssorce at redhat.com  Mon Oct  1 17:57:21 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 01 Oct 2007 13:57:21 -0400
Subject: [Freeipa-devel] [PATCH] Use more krb
In-Reply-To: <20071001164000.GC3697@moon.usersys.redhat.com>
References: <1191254018.10954.3.camel@hopeson>
	<20071001164000.GC3697@moon.usersys.redhat.com>
Message-ID: <1191261441.3155.97.camel@localhost.localdomain>

On Mon, 2007-10-01 at 09:40 -0700, Kevin McCarthy wrote:
> Simo Sorce wrote:
> > This patch changes a bit of code to rely more on kerberos.
> > 
> > It also changes ipa-adduser to something I think is a more useful
> > workflow, it does not require an email for example as we don't need it.
> > Instead it allows passing a principal name in case you need to create
> > specific one or want to avoid conflicts with an exiting one.
> > 
> > This patch also removes some classes we don't want to use by default for
> > users.
> > 
> > Note: this patch may not apply cleanly as a pull from upstream after the
> > commit required me a merge. I have the merge patch in my tree so just
> > ack/nack it and I will push both the patch and the merge patch at the
> > same time.
> 
> I hadn't put the password setting code into Add User yet.  Should I be
> prompting them for the principal?

I don't think you need to prompt, but there should be an option to
change it from the default at user creation if necessary.

> If not, how shall I call modifyPassword after creating the user?  I
> suppose I can query the user back after creating it to get the
> principal.

If you can't keep around the principal name you generated, yes.
Simo.




From rcritten at redhat.com  Mon Oct  1 18:12:58 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 01 Oct 2007 14:12:58 -0400
Subject: [Freeipa-devel] [PATCH]  don't include opts in public API
Message-ID: <470138AA.6010904@redhat.com>

We use the argument 'opts' to pass stuff internally. We don't want that 
published, so remove it from any XML-RPC functions that can display the API.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-219-noopts.patch
Type: text/x-patch
Size: 1097 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071001/8a5a9205/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071001/8a5a9205/attachment-0001.bin>

From kmccarth at redhat.com  Mon Oct  1 18:24:49 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 1 Oct 2007 11:24:49 -0700
Subject: [Freeipa-devel] [PATCH] new user group management
Message-ID: <20071001182449.GE3697@moon.usersys.redhat.com>

This patch adds the group management code to the new user screen.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1191263182 25200
# Node ID 23d9775392a14cb7dc860675deaec6889431b28d
# Parent  0a3bb27f723b0d70253613460b0d266aa1acb36a
Allow group selection on the create user page.

diff -r 0a3bb27f723b -r 23d9775392a1 ipa-server/ipa-gui/ipagui/controllers.py
--- a/ipa-server/ipa-gui/ipagui/controllers.py	Fri Sep 28 16:01:42 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/controllers.py	Mon Oct 01 11:26:22 2007 -0700
@@ -116,7 +116,7 @@ class Root(controllers.RootController):
         if tg_errors:
             turbogears.flash("There was a problem with the form!")
 
-        return dict(form=user_new_form)
+        return dict(form=user_new_form, user={})
 
     @expose()
     @identity.require(identity.not_anonymous())
@@ -130,8 +130,12 @@ class Root(controllers.RootController):
 
         tg_errors, kw = self.usercreatevalidate(**kw)
         if tg_errors:
-            return dict(form=user_new_form, tg_template='ipagui.templates.usernew')
-
+            return dict(form=user_new_form, user=kw,
+                    tg_template='ipagui.templates.usernew')
+
+        #
+        # Update the user itself
+        #
         try:
             new_user = ipa.user.User()
             new_user.setValue('uid', kw.get('uid'))
@@ -143,15 +147,67 @@ class Root(controllers.RootController):
                 new_user.setValue('nsAccountLock', 'true')
 
             rv = client.add_user(new_user)
-            turbogears.flash("%s added!" % kw['uid'])
-            raise turbogears.redirect('/usershow', uid=kw['uid'])
         except ipaerror.exception_for(ipaerror.LDAP_DUPLICATE):
             turbogears.flash("Person with login '%s' already exists" %
                     kw.get('uid'))
-            return dict(form=user_new_form, tg_template='ipagui.templates.usernew')
+            return dict(form=user_new_form, user=kw,
+                    tg_template='ipagui.templates.usernew')
         except ipaerror.IPAError, e:
             turbogears.flash("User add failed: " + str(e))
-            return dict(form=user_new_form, tg_template='ipagui.templates.usernew')
+            return dict(form=user_new_form, user=kw,
+                    tg_template='ipagui.templates.usernew')
+
+        #
+        # NOTE: from here on, the user account now exists.
+        #       on any error, we redirect to the _edit_ user page.
+        #       this code does data setup, similar to useredit()
+        #
+        user = client.get_user_by_uid(kw['uid'], user_fields)
+        user_dict = user.toDict()
+
+        user_groups_dicts = []
+        user_groups_data = b64encode(dumps(user_groups_dicts))
+
+        # store a copy of the original user for the update later
+        user_data = b64encode(dumps(user_dict))
+        user_dict['user_orig'] = user_data
+        user_dict['user_groups_data'] = user_groups_data
+
+        # preserve group add info in case of errors
+        user_dict['dnadd'] = kw.get('dnadd')
+        user_dict['dn_to_info_json'] = kw.get('dn_to_info_json')
+
+        #
+        # Password change
+        # TODO
+        #
+
+        #
+        # Add groups
+        #
+        failed_adds = []
+        try:
+            dnadds = kw.get('dnadd')
+            if dnadds != None:
+                if not(isinstance(dnadds,list) or isinstance(dnadds,tuple)):
+                    dnadds = [dnadds]
+                failed_adds = client.add_groups_to_user(
+                        utf8_encode_values(dnadds), user.dn)
+                kw['dnadd'] = failed_adds
+        except ipaerror.IPAError, e:
+            failed_adds = dnadds
+
+        if len(failed_adds) > 0:
+            message = "Person successfully updated.<br />"
+            message += "There was an error adding groups.<br />"
+            message += "Failures have been preserved in the add/remove lists."
+            turbogears.flash(message)
+            return dict(form=user_edit_form, user=user_dict,
+                        user_groups=user_groups_dicts,
+                        tg_template='ipagui.templates.useredit')
+
+        turbogears.flash("%s added!" % kw['uid'])
+        raise turbogears.redirect('/usershow', uid=kw['uid'])
 
     @expose("ipagui.templates.dynamiceditsearch")
     @identity.require(identity.not_anonymous())
@@ -227,6 +283,7 @@ class Root(controllers.RootController):
                         tg_template='ipagui.templates.useredit')
 
         password_change = False
+        user_modified = False
 
         #
         # Update the user itself
@@ -262,6 +319,7 @@ class Root(controllers.RootController):
             # need to make sure a subsequent submit doesn't try to update
             # the user again.
             #
+            user_modified = True
             kw['user_orig'] = b64encode(dumps(new_user.toDict()))
         except ipaerror.exception_for(ipaerror.LDAP_EMPTY_MODLIST), e:
             # could be a password change
@@ -299,10 +357,7 @@ class Root(controllers.RootController):
                         utf8_encode_values(dnadds), new_user.dn)
                 kw['dnadd'] = failed_adds
         except ipaerror.IPAError, e:
-            turbogears.flash("Group update failed: " + str(e))
-            return dict(form=user_edit_form, user=kw,
-                        user_groups=user_groups_dicts,
-                        tg_template='ipagui.templates.useredit')
+            failed_adds = dnadds
 
         #
         # Remove groups
@@ -317,14 +372,15 @@ class Root(controllers.RootController):
                         utf8_encode_values(dndels), new_user.dn)
                 kw['dndel'] = failed_dels
         except ipaerror.IPAError, e:
-            turbogears.flash("Group update failed: " + str(e))
-            return dict(form=user_edit_form, user=kw,
-                        user_groups=user_groups_dicts,
-                        tg_template='ipagui.templates.useredit')
+            failed_dels = dndels
 
         if (len(failed_adds) > 0) or (len(failed_dels) > 0):
             message = "There was an error updating groups.<br />"
             message += "Failures have been preserved in the add/remove lists."
+            if user_modified:
+                message = "User Details successfully updated.<br />" + message
+            if password_change:
+                message = "User password successfully updated.<br />" + message
             turbogears.flash(message)
             return dict(form=user_edit_form, user=kw,
                         user_groups=user_groups_dicts,
diff -r 0a3bb27f723b -r 23d9775392a1 ipa-server/ipa-gui/ipagui/forms/user.py
--- a/ipa-server/ipa-gui/ipagui/forms/user.py	Fri Sep 28 16:01:42 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/forms/user.py	Mon Oct 01 11:26:22 2007 -0700
@@ -46,7 +46,9 @@ class UserNewForm(widgets.Form):
     params = ['user']
 
     fields = [UserFields.uid, UserFields.givenname,
-              UserFields.sn, UserFields.mail]
+              UserFields.sn, UserFields.mail,
+              UserFields.dn_to_info_json,
+             ]
 
     validator = UserNewValidator()
 
diff -r 0a3bb27f723b -r 23d9775392a1 ipa-server/ipa-gui/ipagui/static/javascript/dynamicedit.js
--- a/ipa-server/ipa-gui/ipagui/static/javascript/dynamicedit.js	Fri Sep 28 16:01:42 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/static/javascript/dynamicedit.js	Mon Oct 01 11:26:22 2007 -0700
@@ -169,3 +169,18 @@ function preSubmit() {
   $('form_dn_to_info_json').value = json;
   return true;
 }
+
+function enterDoSearch(e) {
+  var keyPressed;
+  if (window.event) {
+    keyPressed = window.event.keyCode;
+  } else {
+    keyPressed = e.which; 
+  }
+
+  if (keyPressed == 13) {
+    return doSearch();
+  } else {
+    return true;
+  }
+}
diff -r 0a3bb27f723b -r 23d9775392a1 ipa-server/ipa-gui/ipagui/templates/groupeditform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid	Fri Sep 28 16:01:42 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid	Mon Oct 01 11:26:22 2007 -0700
@@ -21,21 +21,6 @@ from ipagui.helpers import ipahelper
       } else {
         gidnumberField.disabled = true;
         $('form_editprotected').value = '';
-      }
-    }
-
-    function enterDoSearch(e) {
-      var keyPressed;
-      if (window.event) {
-        keyPressed = window.event.keyCode;
-      } else {
-        keyPressed = e.which; 
-      }
-
-      if (keyPressed == 13) {
-        return doSearch();
-      } else {
-        return true;
       }
     }
 
diff -r 0a3bb27f723b -r 23d9775392a1 ipa-server/ipa-gui/ipagui/templates/usereditform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usereditform.kid	Fri Sep 28 16:01:42 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usereditform.kid	Mon Oct 01 11:26:22 2007 -0700
@@ -33,21 +33,6 @@ from ipagui.helpers import ipahelper
       }
     }
 
-    function enterDoSearch(e) {
-      var keyPressed;
-      if (window.event) {
-        keyPressed = window.event.keyCode;
-      } else {
-        keyPressed = e.which; 
-      }
-
-      if (keyPressed == 13) {
-        return doSearch();
-      } else {
-        return true;
-      }
-    }
-
     function doSearch() {
       $('searchresults').update("Searching...");
       new Ajax.Updater('searchresults',
diff -r 0a3bb27f723b -r 23d9775392a1 ipa-server/ipa-gui/ipagui/templates/usernew.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usernew.kid	Fri Sep 28 16:01:42 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usernew.kid	Mon Oct 01 11:26:22 2007 -0700
@@ -8,6 +8,6 @@
 <body>
     <h2>Add Person</h2>
 
-    ${form.display(action="usercreate")}
+    ${form.display(action="usercreate", value=user)}
 </body>
 </html>
diff -r 0a3bb27f723b -r 23d9775392a1 ipa-server/ipa-gui/ipagui/templates/usernewform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usernewform.kid	Fri Sep 28 16:01:42 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usernewform.kid	Mon Oct 01 11:26:22 2007 -0700
@@ -1,6 +1,41 @@
 <div xmlns:py="http://purl.org/kid/ns#"
   class="simpleroster">
-  <form action="${action}" name="${name}" method="${method}" class="tableform">
+  <form action="${action}" name="${name}" method="${method}" class="tableform"
+    onsubmit="preSubmit()">
+
+<?python
+from ipagui.helpers import ipahelper
+?>
+
+  <script type="text/javascript" charset="utf-8"
+    src="${tg.url('/static/javascript/dynamicedit.js')}"></script>
+
+  <?python searchurl = tg.url('/useredit_search') ?>
+
+  <script type="text/javascript">
+    function doSearch() {
+      $('searchresults').update("Searching...");
+      new Ajax.Updater('searchresults',
+          '${searchurl}',
+          {  asynchronous:true,
+             parameters: { criteria: $('criteria').value },
+             evalScripts: true });
+      return false;
+    }
+
+    // override dynamicedit.js version
+    // we don't need to show [group] nor italize groups
+    function renderMemberInfo(newdiv, info) {
+      if (info.type == "group") {
+        newdiv.appendChild(document.createTextNode(
+          info.name.escapeHTML() + " "));
+      }
+    }
+  </script>
+
+  <div py:for="field in hidden_fields"
+    py:replace="field.display(value_for(field), **params_for(field))" 
+    />
 
     <div class="formsection">Identity Details</div>
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
@@ -181,6 +216,28 @@
       </tr>
     </table>
 
+    <div style="clear:both">
+      <div class="formsection">Add Groups</div>
+
+      <div class="floatlist">
+        <div class="floatheader">To Add:</div>
+        <div id="newmembers">
+        </div>
+      </div>
+
+      <div>
+        <div id="search">
+          <input id="criteria" type="text" name="criteria"
+            onkeypress="return enterDoSearch(event);" />
+          <input type="button" value="Find"
+            onclick="return doSearch();"
+          />
+        </div>
+        <div id="searchresults">
+        </div>
+      </div>
+    </div>
+
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th></th>
@@ -192,4 +249,33 @@
     </table>
 
   </form>
+
+  <script type="text/javascript">
+    /*
+     * This section restores the contents of the add and remove lists
+     * dynamically if we have to refresh the page
+     */
+    if ($('form_dn_to_info_json').value != "") {
+      dn_to_info_hash = new Hash($('form_dn_to_info_json').value.evalJSON());
+    }
+  </script>
+
+  <?python
+  dnadds = value.get('dnadd', [])
+  if not(isinstance(dnadds,list) or isinstance(dnadds,tuple)):
+      dnadds = [dnadds]
+  ?>
+
+  <script py:for="dnadd in dnadds">
+    <?python
+    dnadd_esc = ipahelper.javascript_string_escape(dnadd)
+    ?>
+    var dn = "${dnadd_esc}";
+    var info = dn_to_info_hash[dn];
+    var newdiv = addmember(dn, info);
+    if (newdiv != null) {
+      newdiv.style.display = 'block';
+    }
+  </script>
+
 </div>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071001/c42cc1ad/attachment.bin>

From rcritten at redhat.com  Mon Oct  1 18:45:25 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 01 Oct 2007 14:45:25 -0400
Subject: [Freeipa-devel] [PATCH] new user group management
In-Reply-To: <20071001182449.GE3697@moon.usersys.redhat.com>
References: <20071001182449.GE3697@moon.usersys.redhat.com>
Message-ID: <47014045.9060208@redhat.com>

Kevin McCarthy wrote:
> This patch adds the group management code to the new user screen.
> 
> -Kevin

Looks ok.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071001/0a0b38be/attachment.bin>

From rcritten at redhat.com  Mon Oct  1 20:44:12 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 01 Oct 2007 16:44:12 -0400
Subject: [Freeipa-devel] Kerberos ticket forwarding
Message-ID: <47015C1C.40403@redhat.com>

I started from scratch on the Kerberos ticket forwarding problem and 
mod_auth_kerb again. I have a 2-line patch that fixes it now and doesn't 
require the massive changes I currently used.

In my rush I included the F7 patch in the RHEL-5 bug :-( I also made a 
patch for that.

The patch for both can be found at:
https://bugzilla.redhat.com/show_bug.cgi?id=301061

Note that I had RHEL-5 enforcing on my RHEL-5 box and had lots of 
problems with the tickets.

The CGI I wrote to test this called klist to show that the ticket was 
forwarded properly. I got this denial:

Oct  1 16:38:18 thor setroubleshoot:      SELinux is preventing the 
/usr/kerberos/bin/klist from using potentially mislabeled files 
(/tmp/krb5cc_apache_TxNr3M).      For complete SELinux messages. run 
sealert -l 40a72116-ed45-420d-914a-ce9d56486d94

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071001/697e468a/attachment.bin>

From kmccarth at redhat.com  Mon Oct  1 20:50:33 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 1 Oct 2007 13:50:33 -0700
Subject: [Freeipa-devel] [PATCH] add group management to 'add group' page
Message-ID: <20071001205032.GA3878@moon.usersys.redhat.com>

These should be looking pretty familiar by now.  The patch adds the
group member section to the 'add group' page.  This should be the last
page for this type of patch.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1191270460 25200
# Node ID 32edac7bca41673fbf399f73ddae55c08afbbf22
# Parent  23d9775392a14cb7dc860675deaec6889431b28d
Add group management to the newgroup page.

diff -r 23d9775392a1 -r 32edac7bca41 ipa-server/ipa-gui/ipagui/controllers.py
--- a/ipa-server/ipa-gui/ipagui/controllers.py	Mon Oct 01 11:26:22 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/controllers.py	Mon Oct 01 13:27:40 2007 -0700
@@ -134,7 +134,7 @@ class Root(controllers.RootController):
                     tg_template='ipagui.templates.usernew')
 
         #
-        # Update the user itself
+        # Create the user itself
         #
         try:
             new_user = ipa.user.User()
@@ -198,7 +198,7 @@ class Root(controllers.RootController):
             failed_adds = dnadds
 
         if len(failed_adds) > 0:
-            message = "Person successfully updated.<br />"
+            message = "Person successfully created.<br />"
             message += "There was an error adding groups.<br />"
             message += "Failures have been preserved in the add/remove lists."
             turbogears.flash(message)
@@ -569,7 +569,7 @@ class Root(controllers.RootController):
 
         client.set_krbccache(os.environ["KRB5CCNAME"])
 
-        return dict(form=group_new_form)
+        return dict(form=group_new_form, group={})
 
     @expose()
     @identity.require(identity.not_anonymous())
@@ -584,23 +584,73 @@ class Root(controllers.RootController):
 
         tg_errors, kw = self.groupcreatevalidate(**kw)
         if tg_errors:
-            return dict(form=group_new_form, tg_template='ipagui.templates.groupnew')
-
+            return dict(form=group_new_form, group=kw,
+                    tg_template='ipagui.templates.groupnew')
+
+        #
+        # Create the group itself
+        #
         try:
             new_group = ipa.group.Group()
             new_group.setValue('cn', kw.get('cn'))
             new_group.setValue('description', kw.get('description'))
 
             rv = client.add_group(new_group)
-            turbogears.flash("%s added!" % kw.get('cn'))
-            raise turbogears.redirect('/groupshow', cn=kw.get('cn'))
         except ipaerror.exception_for(ipaerror.LDAP_DUPLICATE):
             turbogears.flash("Group with name '%s' already exists" %
                     kw.get('cn'))
-            return dict(form=group_new_form, tg_template='ipagui.templates.groupnew')
+            return dict(form=group_new_form, group=kw,
+                    tg_template='ipagui.templates.groupnew')
         except ipaerror.IPAError, e:
             turbogears.flash("Group add failed: " + str(e) + "<br/>" + str(e.detail))
-            return dict(form=group_new_form, tg_template='ipagui.templates.groupnew')
+            return dict(form=group_new_form, group=kw,
+                    tg_template='ipagui.templates.groupnew')
+
+        #
+        # NOTE: from here on, the group now exists.
+        #       on any error, we redirect to the _edit_ group page.
+        #       this code does data setup, similar to groupedit()
+        #
+        group = client.get_group_by_cn(kw['cn'], group_fields)
+        group_dict = group.toDict()
+        member_dicts = []
+
+        # store a copy of the original group for the update later
+        group_data = b64encode(dumps(group_dict))
+        member_data = b64encode(dumps(member_dicts))
+        group_dict['group_orig'] = group_data
+        group_dict['member_data'] = member_data
+
+        # preserve group add info in case of errors
+        group_dict['dnadd'] = kw.get('dnadd')
+        group_dict['dn_to_info_json'] = kw.get('dn_to_info_json')
+
+        #
+        # Add members
+        #
+        failed_adds = []
+        try:
+            dnadds = kw.get('dnadd')
+            if dnadds != None:
+                if not(isinstance(dnadds,list) or isinstance(dnadds,tuple)):
+                    dnadds = [dnadds]
+                failed_adds = client.add_members_to_group(
+                        utf8_encode_values(dnadds), kw.get('cn'))
+                kw['dnadd'] = failed_adds
+        except ipaerror.IPAError, e:
+            failed_adds = dnadds
+
+        if len(failed_adds) > 0:
+            message = "Group successfully created.<br />"
+            message += "There was an error adding group members.<br />"
+            message += "Failures have been preserved in the add/remove lists."
+            turbogears.flash(message)
+            return dict(form=group_edit_form, group=group_dict,
+                        members=member_dicts,
+                        tg_template='ipagui.templates.groupedit')
+
+        turbogears.flash("%s added!" % kw.get('cn'))
+        raise turbogears.redirect('/groupshow', cn=kw.get('cn'))
 
     @expose("ipagui.templates.dynamiceditsearch")
     @identity.require(identity.not_anonymous())
diff -r 23d9775392a1 -r 32edac7bca41 ipa-server/ipa-gui/ipagui/forms/group.py
--- a/ipa-server/ipa-gui/ipagui/forms/group.py	Mon Oct 01 11:26:22 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/forms/group.py	Mon Oct 01 13:27:40 2007 -0700
@@ -21,7 +21,8 @@ class GroupNewForm(widgets.Form):
 class GroupNewForm(widgets.Form):
     params = ['group']
 
-    fields = [GroupFields.cn, GroupFields.description]
+    fields = [GroupFields.cn, GroupFields.description,
+              GroupFields.dn_to_info_json]
 
     validator = GroupNewValidator()
 
diff -r 23d9775392a1 -r 32edac7bca41 ipa-server/ipa-gui/ipagui/templates/groupnew.kid
--- a/ipa-server/ipa-gui/ipagui/templates/groupnew.kid	Mon Oct 01 11:26:22 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/groupnew.kid	Mon Oct 01 13:27:40 2007 -0700
@@ -8,6 +8,6 @@
 <body>
     <h2>Add Group</h2>
 
-    ${form.display(action="groupcreate")}
+    ${form.display(action="groupcreate", value=group)}
 </body>
 </html>
diff -r 23d9775392a1 -r 32edac7bca41 ipa-server/ipa-gui/ipagui/templates/groupnewform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/groupnewform.kid	Mon Oct 01 11:26:22 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/groupnewform.kid	Mon Oct 01 13:27:40 2007 -0700
@@ -1,6 +1,32 @@
 <div xmlns:py="http://purl.org/kid/ns#"
   class="simpleroster">
-  <form action="${action}" name="${name}" method="${method}" class="tableform">
+  <form action="${action}" name="${name}" method="${method}" class="tableform"
+      onsubmit="preSubmit()" >
+
+<?python
+from ipagui.helpers import ipahelper
+?>
+
+  <script type="text/javascript" charset="utf-8"
+    src="${tg.url('/static/javascript/dynamicedit.js')}"></script>
+
+  <?python searchurl = tg.url('/groupedit_search') ?>
+
+  <script type="text/javascript">
+    function doSearch() {
+      $('searchresults').update("Searching...");
+      new Ajax.Updater('searchresults',
+          '${searchurl}',
+          {  asynchronous:true,
+             parameters: { criteria: $('criteria').value },
+             evalScripts: true });
+      return false;
+    }
+  </script>
+
+    <div py:for="field in hidden_fields"
+      py:replace="field.display(value_for(field), **params_for(field))" 
+      />
 
     <div class="formsection">Group Details</div>
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
@@ -41,6 +67,28 @@
       </tr>
     </table>
 
+    <div style="clear:both">
+      <div class="formsection">Add Members</div>
+
+      <div class="floatlist">
+        <div class="floatheader">To Add:</div>
+        <div id="newmembers">
+        </div>
+      </div>
+
+      <div>
+        <div id="search">
+          <input id="criteria" type="text" name="criteria"
+            onkeypress="return enterDoSearch(event);" />
+          <input type="button" value="Find"
+            onclick="return doSearch();"
+          />
+        </div>
+        <div id="searchresults">
+        </div>
+      </div>
+    </div>
+
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th></th>
@@ -52,4 +100,33 @@
     </table>
 
   </form>
+
+  <script type="text/javascript">
+    /*
+     * This section restores the contents of the add and remove lists
+     * dynamically if we have to refresh the page
+     */
+    if ($('form_dn_to_info_json').value != "") {
+      dn_to_info_hash = new Hash($('form_dn_to_info_json').value.evalJSON());
+    }
+  </script>
+
+  <?python
+  dnadds = value.get('dnadd', [])
+  if not(isinstance(dnadds,list) or isinstance(dnadds,tuple)):
+      dnadds = [dnadds]
+  ?>
+
+  <script py:for="dnadd in dnadds">
+    <?python
+    dnadd_esc = ipahelper.javascript_string_escape(dnadd)
+    ?>
+    var dn = "${dnadd_esc}";
+    var info = dn_to_info_hash[dn];
+    var newdiv = addmember(dn, info);
+    if (newdiv != null) {
+      newdiv.style.display = 'block';
+    }
+  </script>
+
 </div>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071001/7c57af08/attachment.bin>

From ssorce at redhat.com  Mon Oct  1 21:36:27 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 01 Oct 2007 17:36:27 -0400
Subject: [Freeipa-devel] [PATCH] Use more krb
In-Reply-To: <1191254018.10954.3.camel@hopeson>
References: <1191254018.10954.3.camel@hopeson>
Message-ID: <1191274587.14034.0.camel@hopeson>

On Mon, 2007-10-01 at 11:53 -0400, Simo Sorce wrote:
> This patch changes a bit of code to rely more on kerberos.
> 
> It also changes ipa-adduser to something I think is a more useful
> workflow, it does not require an email for example as we don't need it.
> Instead it allows passing a principal name in case you need to create
> specific one or want to avoid conflicts with an exiting one.
> 
> This patch also removes some classes we don't want to use by default for
> users.
> 
> Note: this patch may not apply cleanly as a pull from upstream after the
> commit required me a merge. I have the merge patch in my tree so just
> ack/nack it and I will push both the patch and the merge patch at the
> same time.

New patch, includes fixes from some of Rob's comments, and provides
get_user_by_principal for all interfaces.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-231-more-krb.patch
Type: text/x-patch
Size: 20089 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071001/b9af470f/attachment.bin>

From kmacmill at redhat.com  Tue Oct  2 16:43:22 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 02 Oct 2007 12:43:22 -0400
Subject: [Freeipa-devel] Milestone 4 released
Message-ID: <1191343402.2120.4.camel@laptop.local>

The next milestone release of FreeIPA is available for download at
http://freeipa.com/page/Downloads. Like the Milestone 3 release this
release is aimed primarily at developers.

This release has significant improvements in all areas and should be
stable enough for initial testing by non-developers. It is not feature
complete or stable, but most of the components are present in some form
and should work. I will work to get some installation instructions
posted soon.

Karl



From kmccarth at redhat.com  Tue Oct  2 17:47:00 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 2 Oct 2007 10:47:00 -0700
Subject: [Freeipa-devel] [PATCH] assorted small fixes
Message-ID: <20071002174700.GG24968@moon.usersys.redhat.com>

This is a collection of tiny fixes that started to pile up.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1191347384 25200
# Node ID f06570e74fc46c4758dc42ca6af6bc33c5d65d61
# Parent  32edac7bca41673fbf399f73ddae55c08afbbf22
Assorted UI fixes:
- Change sort functions to be on entities, so can use on the view pages too
- Fix bug: empty ajax search on useredit blows up
- Filter illegal characters from suggest uid/email methods
- Rename first/last name fields
- Make default font family sans-serif
- Speed up effect appear/fade rendering
- Add buttons to top and bottom of pages
- Make grouplist sortable
- Add noscript warning to welcome page

diff -r 32edac7bca41 -r f06570e74fc4 ipa-server/ipa-gui/ipagui/controllers.py
--- a/ipa-server/ipa-gui/ipagui/controllers.py	Mon Oct 01 13:27:40 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/controllers.py	Tue Oct 02 10:49:44 2007 -0700
@@ -1,6 +1,7 @@ import random
 import random
 from pickle import dumps, loads
 from base64 import b64encode, b64decode
+import re
 
 import os
 import cherrypy
@@ -50,40 +51,40 @@ def utf8_encode(value):
 
 def sort_group_member(a, b):
     """Comparator function used for sorting group members."""
-    if a.get('uid') and b.get('uid'):
-        if a.get('givenname', '') == b.get('givenname', ''):
-            if a.get('sn', '') == b.get('sn', ''):
-                if a.get('uid') == b.get('uid'):
+    if a.getValue('uid') and b.getValue('uid'):
+        if a.getValue('givenname') == b.getValue('givenname'):
+            if a.getValue('sn') == b.getValue('sn'):
+                if a.getValue('uid') == b.getValue('uid'):
                     return 0
-                elif a.get('uid') < b.get('uid'):
+                elif a.getValue('uid') < b.getValue('uid'):
                     return -1
                 else:
                     return 1
-            elif a.get('sn', '') < b.get('sn', ''):
+            elif a.getValue('sn') < b.getValue('sn'):
                 return -1
             else:
                 return 1
-        elif a.get('givenname') < b.get('givenname'):
+        elif a.getValue('givenname') < b.getValue('givenname'):
             return -1
         else:
             return 1
-    elif a.get('uid'):
+    elif a.getValue('uid'):
         return -1
-    elif b.get('uid'):
+    elif b.getValue('uid'):
         return 1
     else:
-        if a.get('cn', '') == b.get('cn', ''):
+        if a.getValue('cn') == b.getValue('cn'):
             return 0
-        elif a.get('cn', '') < b.get('cn', ''):
+        elif a.getValue('cn') < b.getValue('cn'):
             return -1
         else:
             return 1
 
 def sort_by_cn(a, b):
     """Comparator function used for sorting groups."""
-    if a.get('cn', '') == b.get('cn', ''):
+    if a.getValue('cn') == b.getValue('cn'):
         return 0
-    elif a.get('cn', '') < b.get('cn', ''):
+    elif a.getValue('cn') < b.getValue('cn'):
         return -1
     else:
         return 1
@@ -216,7 +217,7 @@ class Root(controllers.RootController):
            This method is used for the ajax search on the user edit page."""
         client.set_krbccache(os.environ["KRB5CCNAME"])
         groups = []
-        counter = 0
+        groups_counter = 0
         searchlimit = 100
         criteria = kw.get('criteria')
         if criteria != None and len(criteria) > 0:
@@ -248,8 +249,8 @@ class Root(controllers.RootController):
                 del(user_dict['userpassword'])
 
             user_groups = client.get_groups_by_member(user.dn, ['dn', 'cn'])
+            user_groups.sort(sort_by_cn)
             user_groups_dicts = map(lambda group: group.toDict(), user_groups)
-            user_groups_dicts.sort(sort_by_cn)
             user_groups_data = b64encode(dumps(user_groups_dicts))
 
             # store a copy of the original user for the update later
@@ -421,8 +422,10 @@ class Root(controllers.RootController):
         try:
             user = client.get_user_by_uid(uid, user_fields)
             user_groups = client.get_groups_by_member(user.dn, ['cn'])
+            user_groups.sort(sort_by_cn)
             user_reports = client.get_users_by_manager(user.dn,
                     ['givenname', 'sn', 'uid'])
+            user_reports.sort(sort_group_member)
 
             user_manager = None
             try:
@@ -466,6 +469,10 @@ class Root(controllers.RootController):
     @expose()
     @identity.require(identity.not_anonymous())
     def suggest_uid(self, givenname, sn):
+        # filter illegal uid characters out
+        givenname = re.sub(r'[^a-zA-Z_\-0-9]', "", givenname)
+        sn = re.sub(r'[^a-zA-Z_\-0-9]', "", sn)
+
         if (len(givenname) == 0) or (len(sn) == 0):
             return ""
 
@@ -512,6 +519,10 @@ class Root(controllers.RootController):
     @expose()
     @identity.require(identity.not_anonymous())
     def suggest_email(self, givenname, sn):
+        # remove illegal email characters
+        givenname = re.sub(r'[^a-zA-Z0-9!#\$%\*/?\|\^\{\}`~&\'\+\-=_]', "", givenname)
+        sn = re.sub(r'[^a-zA-Z0-9!#\$%\*/?\|\^\{\}`~&\'\+\-=_]', "", sn)
+
         if (len(givenname) == 0) or (len(sn) == 0):
             return ""
 
@@ -716,11 +727,11 @@ class Root(controllers.RootController):
                     lambda dn: client.get_user_by_dn(dn, ['dn', 'givenname', 'sn',
                         'uid', 'cn']),
                     member_dns)
+            members.sort(sort_group_member)
 
             # Map users into an array of dicts, which can be serialized
             # (so we don't have to do this on each round trip)
             member_dicts = map(lambda member: member.toDict(), members)
-            member_dicts.sort(sort_group_member)
 
             # store a copy of the original group for the update later
             group_data = b64encode(dumps(group_dict))
@@ -885,8 +896,8 @@ class Root(controllers.RootController):
                     lambda dn: client.get_user_by_dn(dn, ['dn', 'givenname', 'sn',
                         'uid', 'cn']),
                     member_dns)
+            members.sort(sort_group_member)
             member_dicts = map(lambda member: member.toDict(), members)
-            member_dicts.sort(sort_group_member)
 
             return dict(group=group_dict, fields=forms.group.GroupFields(),
                     members = member_dicts)
diff -r 32edac7bca41 -r f06570e74fc4 ipa-server/ipa-gui/ipagui/forms/user.py
--- a/ipa-server/ipa-gui/ipagui/forms/user.py	Mon Oct 01 13:27:40 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/forms/user.py	Tue Oct 02 10:49:44 2007 -0700
@@ -8,9 +8,9 @@ class UserFields():
             label="Confirm Password")
     uidnumber = widgets.TextField(name="uidnumber", label="UID")
     gidnumber = widgets.TextField(name="gidnumber", label="GID")
-    givenname = widgets.TextField(name="givenname", label="First name")
-    sn = widgets.TextField(name="sn", label="Last name")
-    mail = widgets.TextField(name="mail", label="E-mail address")
+    givenname = widgets.TextField(name="givenname", label="Given Name")
+    sn = widgets.TextField(name="sn", label="Family Name")
+    mail = widgets.TextField(name="mail", label="E-mail Address")
     telephonenumber = widgets.TextField(name="telephonenumber", label="Phone")
     # nsAccountLock = widgets.CheckBox(name="nsAccountLock", label="Account Deactivated")
     nsAccountLock = widgets.SingleSelectField(name="nsAccountLock",
diff -r 32edac7bca41 -r f06570e74fc4 ipa-server/ipa-gui/ipagui/static/css/style.css
--- a/ipa-server/ipa-gui/ipagui/static/css/style.css	Mon Oct 01 13:27:40 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/static/css/style.css	Tue Oct 02 10:49:44 2007 -0700
@@ -7,6 +7,7 @@ html, body {
   background:#fff;
   margin: 0;
   padding: 0;
+  font-family: sans-serif;
 }
 
 body {
diff -r 32edac7bca41 -r f06570e74fc4 ipa-server/ipa-gui/ipagui/static/javascript/dynamicedit.js
--- a/ipa-server/ipa-gui/ipagui/static/javascript/dynamicedit.js	Mon Oct 01 13:27:40 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/static/javascript/dynamicedit.js	Tue Oct 02 10:49:44 2007 -0700
@@ -102,7 +102,7 @@ function addmember(dn, info) {
   var undolink = document.createElement('a');
   undolink.setAttribute('href', '');
   undolink.setAttribute('onclick',
-    'new Effect.Fade(Element.up(this), {afterFinish: removeElement});' +
+    'new Effect.Fade(Element.up(this), {afterFinish: removeElement, duration: 0.75});' +
     'added_hash.remove("' + jsStringEscape(dn) + '");' +
     'return false;');
   undolink.appendChild(document.createTextNode("undo"));
@@ -123,8 +123,8 @@ function addmemberHandler(element, dn, i
 function addmemberHandler(element, dn, info) {
   var newdiv = addmember(dn, info)
   if (newdiv != null) {
-    new Effect.Fade(Element.up(element));
-    new Effect.Appear(newdiv);
+    new Effect.Fade(Element.up(element), {duration: 0.75});
+    new Effect.Appear(newdiv, {duration: 0.75});
     /* Element.up(element).remove(); */
   }
 }
@@ -139,8 +139,8 @@ function removemember(dn, info) {
   var undolink = document.createElement('a');
   undolink.setAttribute('href', '');
   undolink.setAttribute('onclick',
-    'new Effect.Fade(Element.up(this), {afterFinish: removeElement});' +
-    "new Effect.Appear($('" + orig_div_id + "'));" +
+    'new Effect.Fade(Element.up(this), {afterFinish: removeElement, duration: 0.75});' +
+    "new Effect.Appear($('" + orig_div_id + "'), {duration: 0.75});" +
     'return false;');
   undolink.appendChild(document.createTextNode("undo"));
   newdiv.appendChild(undolink);
@@ -159,8 +159,8 @@ function removemember(dn, info) {
 
 function removememberHandler(element, dn, info) {
   var newdiv = removemember(dn, info);
-  new Effect.Fade(Element.up(element));
-  new Effect.Appear(newdiv);
+  new Effect.Fade(Element.up(element), {duration: 0.75});
+  new Effect.Appear(newdiv, {duration: 0.75});
   /* Element.up(element).remove(); */
 }
 
diff -r 32edac7bca41 -r f06570e74fc4 ipa-server/ipa-gui/ipagui/static/javascript/tablekit.js
--- a/ipa-server/ipa-gui/ipagui/static/javascript/tablekit.js	Mon Oct 01 13:27:40 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/static/javascript/tablekit.js	Tue Oct 02 10:49:44 2007 -0700
@@ -291,7 +291,9 @@ TableKit.Sortable = {
 		
 		if(cell.hasClassName(op.noSortClass)) {return;}	
 		
-		order = order ? order : (cell.hasClassName(op.descendingClass) ? 1 : -1);
+		// order = order ? order : (cell.hasClassName(op.descendingClass) ? 1 : -1);
+                // kmccarth - change default sort order to ascending
+		order = order ? order : (cell.hasClassName(op.ascendingClass) ? -1 : 1);
 		var rows = TableKit.getBodyRows(table);
 
 		if(cell.hasClassName(op.ascendingClass) || cell.hasClassName(op.descendingClass)) {
@@ -843,4 +845,4 @@ if(window.FastInit) {
 	FastInit.addOnLoad(TableKit.load);
 } else {
 	Event.observe(window, 'load', TableKit.load);
-}
\ No newline at end of file
+}
diff -r 32edac7bca41 -r f06570e74fc4 ipa-server/ipa-gui/ipagui/templates/dynamiceditsearch.kid
--- a/ipa-server/ipa-gui/ipagui/templates/dynamiceditsearch.kid	Mon Oct 01 13:27:40 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/dynamiceditsearch.kid	Tue Oct 02 10:49:44 2007 -0700
@@ -66,7 +66,7 @@ from ipagui.helpers import ipahelper
     </div>
     <script type="text/javascript">
       if (results_counter == 0) {
-        var message = "No results found for " + search_string;
+        var message = "No results found for '" + search_string + "'";
       } else {
         var message =  results_counter + " results found:";
       }
diff -r 32edac7bca41 -r f06570e74fc4 ipa-server/ipa-gui/ipagui/templates/groupeditform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid	Mon Oct 01 13:27:40 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid	Tue Oct 02 10:49:44 2007 -0700
@@ -2,6 +2,19 @@
   class="simpleroster">
   <form action="${action}" name="${name}" method="${method}" class="tableform"
       onsubmit="preSubmit()" >
+
+    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+      <tr>
+        <th>
+          <input type="submit" class="submitbutton" name="submit"
+              value="Update Group"/>
+        </th>
+        <td>
+          <input type="submit" class="submitbutton" name="submit"
+              value="Cancel Edit" />
+        </td>
+      </tr>
+    </table>
 
 <?python
 from ipagui.helpers import ipahelper
@@ -163,8 +176,6 @@ from ipagui.helpers import ipahelper
       </div>
     </div>
 
-
-
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th>
diff -r 32edac7bca41 -r f06570e74fc4 ipa-server/ipa-gui/ipagui/templates/grouplist.kid
--- a/ipa-server/ipa-gui/ipagui/templates/grouplist.kid	Mon Oct 01 13:27:40 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/grouplist.kid	Tue Oct 02 10:49:44 2007 -0700
@@ -6,6 +6,7 @@
 <title>Find Groups</title>
 </head>
 <body>
+    <script type="text/javascript" charset="utf-8" src="${tg.url('/static/javascript/tablekit.js')}"></script>
     <div id="search">
         <form action="${tg.url('/grouplist')}" method="get">
             <input id="criteria" type="text" name="criteria" value="${criteria}" />
@@ -17,15 +18,18 @@
     </div>
     <div py:if='(groups != None) and (len(groups) > 0)'>
         <h2>${len(groups)} results returned:</h2>
-        <table id="resultstable">
+        <table id="resultstable" class="sortable resizable">
+          <thead>
             <tr>
                 <th>
-                    <label class="fieldlabel" py:content="fields.cn.label" />
+                    ${fields.cn.label}
                 </th>
                 <th>
-                    <label class="fieldlabel" py:content="fields.description.label" />
+                    ${fields.description.label}
                 </th>
             </tr>
+          </thead>
+          <tbody>
             <tr py:for="group in groups">
                 <td>
                     <a href="${tg.url('/groupshow',cn=group.cn)}">${group.cn}</a>
@@ -34,6 +38,7 @@
                     ${group.description}
                 </td>
             </tr>
+          </tbody>
         </table>
     </div>
     <div py:if='(groups != None) and (len(groups) == 0)'>
diff -r 32edac7bca41 -r f06570e74fc4 ipa-server/ipa-gui/ipagui/templates/groupnewform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/groupnewform.kid	Mon Oct 01 13:27:40 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/groupnewform.kid	Tue Oct 02 10:49:44 2007 -0700
@@ -2,6 +2,14 @@
   class="simpleroster">
   <form action="${action}" name="${name}" method="${method}" class="tableform"
       onsubmit="preSubmit()" >
+
+    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+      <tr>
+        <td>
+          <input type="submit" class="submitbutton" name="submit" value="Add Group"/>
+        </td>
+      </tr>
+    </table>
 
 <?python
 from ipagui.helpers import ipahelper
@@ -91,7 +99,6 @@ from ipagui.helpers import ipahelper
 
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
-        <th></th>
         <td>
           <br />
           <input type="submit" class="submitbutton" name="submit" value="Add Group"/>
diff -r 32edac7bca41 -r f06570e74fc4 ipa-server/ipa-gui/ipagui/templates/groupshow.kid
--- a/ipa-server/ipa-gui/ipagui/templates/groupshow.kid	Mon Oct 01 13:27:40 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/groupshow.kid	Tue Oct 02 10:49:44 2007 -0700
@@ -6,7 +6,14 @@
     <title>View Group</title>
 </head>
 <body>
+<?python
+edit_url = tg.url('/groupedit', cn=group.get('cn'))
+?>
     <h2>View Group</h2>
+
+    <input type="button"
+      onclick="document.location.href='${edit_url}'"
+      value="Edit Group" />
 
     <div class="formsection">Group Details</div>
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
@@ -61,9 +68,10 @@
     </div>
 
     <br/>
-    <br/>
 
-    <a href="${tg.url('/groupedit', cn=group.get('cn'))}">edit</a>
+    <input type="button"
+      onclick="document.location.href='${edit_url}'"
+      value="Edit Group" />
 
 </body>
 </html>
diff -r 32edac7bca41 -r f06570e74fc4 ipa-server/ipa-gui/ipagui/templates/usereditform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usereditform.kid	Mon Oct 01 13:27:40 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usereditform.kid	Tue Oct 02 10:49:44 2007 -0700
@@ -2,6 +2,20 @@
   class="simpleroster">
   <form action="${action}" name="${name}" method="${method}" class="tableform"
     onsubmit="preSubmit()">
+
+    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+      <tr>
+        <th>
+          <input type="submit" class="submitbutton" name="submit"
+              value="Update Person"/>
+        </th>
+        <td>
+          <input type="submit" class="submitbutton" name="submit"
+              value="Cancel Edit" />
+        </td>
+        <td></td>
+      </tr>
+    </table>
 
 <?python
 from ipagui.helpers import ipahelper
@@ -314,9 +328,6 @@ from ipagui.helpers import ipahelper
       </div>
     </div>
 
-
-
-
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th>
diff -r 32edac7bca41 -r f06570e74fc4 ipa-server/ipa-gui/ipagui/templates/usernewform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usernewform.kid	Mon Oct 01 13:27:40 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usernewform.kid	Tue Oct 02 10:49:44 2007 -0700
@@ -2,6 +2,14 @@
   class="simpleroster">
   <form action="${action}" name="${name}" method="${method}" class="tableform"
     onsubmit="preSubmit()">
+
+    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+      <tr>
+        <td>
+          <input type="submit" class="submitbutton" name="submit" value="Add Person"/>
+        </td>
+      </tr>
+    </table>
 
 <?python
 from ipagui.helpers import ipahelper
@@ -240,7 +248,6 @@ from ipagui.helpers import ipahelper
 
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
-        <th></th>
         <td>
           <br />
           <input type="submit" class="submitbutton" name="submit" value="Add Person"/>
diff -r 32edac7bca41 -r f06570e74fc4 ipa-server/ipa-gui/ipagui/templates/usershow.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usershow.kid	Mon Oct 01 13:27:40 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usershow.kid	Tue Oct 02 10:49:44 2007 -0700
@@ -6,7 +6,14 @@
     <title>View Person</title>
 </head>
 <body>
+<?python
+edit_url = tg.url('/useredit', uid=user.get('uid'))
+?>
     <h2>View Person</h2>
+
+    <input type="button"
+      onclick="document.location.href='${edit_url}'"
+      value="Edit Person" />
 
 <?python
 from ipagui.helpers import userhelper
@@ -111,9 +118,10 @@ else:
     </div>
 
     <br/>
-    <br/>
 
-    <a href="${tg.url('/useredit', uid=user.get('uid'))}">edit</a>
+    <input type="button"
+      onclick="document.location.href='${edit_url}'"
+      value="Edit Person" />
 
 </body>
 </html>
diff -r 32edac7bca41 -r f06570e74fc4 ipa-server/ipa-gui/ipagui/templates/welcome.kid
--- a/ipa-server/ipa-gui/ipagui/templates/welcome.kid	Mon Oct 01 13:27:40 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/welcome.kid	Tue Oct 02 10:49:44 2007 -0700
@@ -10,6 +10,13 @@
         <div id="status_block" py:if="value_of('tg_flash', None)"
             py:content="XML(tg_flash)"></div>
         <h1>Welcome to Free IPA</h1>
+
+        <noscript>
+        <span class="warning_message">
+        This site makes heavy use of JavaScript.<br />
+        Please enable JavaScript in your browser to make sure all pages function properly.
+        </span>
+        </noscript>
 
         <p>
           IPA is used to manage Identity, Policy, and Auditing for your
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071002/0ac0bd40/attachment.bin>

From rcritten at redhat.com  Tue Oct  2 17:54:20 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 02 Oct 2007 13:54:20 -0400
Subject: [Freeipa-devel] [PATCH] assorted small fixes
In-Reply-To: <20071002174700.GG24968@moon.usersys.redhat.com>
References: <20071002174700.GG24968@moon.usersys.redhat.com>
Message-ID: <470285CC.40101@redhat.com>

Kevin McCarthy wrote:
> This is a collection of tiny fixes that started to pile up.
> 
> -Kevin

I think it looks ok.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071002/5ee12264/attachment.bin>

From kmccarth at redhat.com  Tue Oct  2 18:04:58 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 2 Oct 2007 11:04:58 -0700
Subject: [Freeipa-devel] [PATCH] do not allow empty passwords
In-Reply-To: <1191185407.4736.0.camel@hopeson>
References: <1191185407.4736.0.camel@hopeson>
Message-ID: <20071002180458.GH24968@moon.usersys.redhat.com>

Simo Sorce wrote:
> see $SUBJECT :)

Looks good.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071002/c0d3d4aa/attachment.bin>

From kmccarth at redhat.com  Tue Oct  2 18:06:33 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 2 Oct 2007 11:06:33 -0700
Subject: [Freeipa-devel] [PATCH] IPv6 support for ipa-kpasswd
In-Reply-To: <1191020724.3476.44.camel@hopeson>
References: <1191020724.3476.44.camel@hopeson>
Message-ID: <20071002180632.GI24968@moon.usersys.redhat.com>

Simo Sorce wrote:
> After listen to a talk yesterday I thought it was going to be easy (and
> necessary) to convert ipa-kpasswd to IPV6.
> It was indeed easy, this night I coded up this patch which I just tested
> and seem to work fine.

I don't know IPv6, but the changes look reasonable.

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071002/15d07e2a/attachment.bin>

From kmccarth at redhat.com  Tue Oct  2 18:08:23 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 2 Oct 2007 11:08:23 -0700
Subject: [Freeipa-devel] [PATCH] IPv6 support for ipa-kpasswd
In-Reply-To: <20071002180632.GI24968@moon.usersys.redhat.com>
References: <1191020724.3476.44.camel@hopeson>
	<20071002180632.GI24968@moon.usersys.redhat.com>
Message-ID: <20071002180822.GJ24968@moon.usersys.redhat.com>

Kevin McCarthy wrote:
> Simo Sorce wrote:
> > After listen to a talk yesterday I thought it was going to be easy (and
> > necessary) to convert ipa-kpasswd to IPV6.
> > It was indeed easy, this night I coded up this patch which I just tested
> > and seem to work fine.
> 
> I don't know IPv6, but the changes look reasonable.

pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071002/e2408c6b/attachment.bin>

From kmccarth at redhat.com  Tue Oct  2 18:16:12 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 2 Oct 2007 11:16:12 -0700
Subject: [Freeipa-devel] [PATCH] do not allow empty passwords
In-Reply-To: <20071002180458.GH24968@moon.usersys.redhat.com>
References: <1191185407.4736.0.camel@hopeson>
	<20071002180458.GH24968@moon.usersys.redhat.com>
Message-ID: <20071002181612.GK24968@moon.usersys.redhat.com>

Kevin McCarthy wrote:
> Simo Sorce wrote:
> > see $SUBJECT :)
> 
> Looks good.

Pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071002/7c3eebe1/attachment.bin>

From kmccarth at redhat.com  Tue Oct  2 18:19:14 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 2 Oct 2007 11:19:14 -0700
Subject: [Freeipa-devel] [PATCH]  don't include opts in public API
In-Reply-To: <470138AA.6010904@redhat.com>
References: <470138AA.6010904@redhat.com>
Message-ID: <20071002181914.GL24968@moon.usersys.redhat.com>

Rob Crittenden wrote:
> We use the argument 'opts' to pass stuff internally. We don't want that 
> published, so remove it from any XML-RPC functions that can display the 
> API.

Looks good.

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071002/9ed9ce82/attachment.bin>

From kmccarth at redhat.com  Tue Oct  2 18:19:52 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 2 Oct 2007 11:19:52 -0700
Subject: [Freeipa-devel] [PATCH]  don't include opts in public API
In-Reply-To: <470138AA.6010904@redhat.com>
References: <470138AA.6010904@redhat.com>
Message-ID: <20071002181952.GM24968@moon.usersys.redhat.com>

Rob Crittenden wrote:
> We use the argument 'opts' to pass stuff internally. We don't want that 
> published, so remove it from any XML-RPC functions that can display the 
> API.

Pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071002/780f58d5/attachment.bin>

From ssorce at redhat.com  Tue Oct  2 18:27:53 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 02 Oct 2007 14:27:53 -0400
Subject: [Freeipa-devel] [PATCH] add group management to 'add group' page
In-Reply-To: <20071001205032.GA3878@moon.usersys.redhat.com>
References: <20071001205032.GA3878@moon.usersys.redhat.com>
Message-ID: <1191349673.8632.27.camel@localhost.localdomain>

On Mon, 2007-10-01 at 13:50 -0700, Kevin McCarthy wrote:
> These should be looking pretty familiar by now.  The patch adds the
> group member section to the 'add group' page.  This should be the last
> page for this type of patch.

Looks ok.



From kmccarth at redhat.com  Tue Oct  2 18:43:35 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 2 Oct 2007 11:43:35 -0700
Subject: [Freeipa-devel] [PATCH] add group mgmt to useredit page
In-Reply-To: <20070928234632.GD10276@moon.usersys.redhat.com>
References: <20070928234632.GD10276@moon.usersys.redhat.com>
Message-ID: <20071002184335.GN24968@moon.usersys.redhat.com>

Kevin McCarthy wrote:
> This patch adds group management to the user edit page.  This allows you
> to manage "the groups a user is in" in the same way as you manage "the
> users/groups in a group".
> 
> It's pushed to demo, so feel free to take a peek.
> 
> Still need to add this to the usernew page.

pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071002/31daa7f8/attachment.bin>

From kmccarth at redhat.com  Tue Oct  2 18:44:32 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 2 Oct 2007 11:44:32 -0700
Subject: [Freeipa-devel] [PATCH] new user group management
In-Reply-To: <47014045.9060208@redhat.com>
References: <20071001182449.GE3697@moon.usersys.redhat.com>
	<47014045.9060208@redhat.com>
Message-ID: <20071002184432.GO24968@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> This patch adds the group management code to the new user screen.
>> -Kevin
>
> Looks ok.

pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071002/f569a10d/attachment.bin>

From kmccarth at redhat.com  Tue Oct  2 18:45:49 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 2 Oct 2007 11:45:49 -0700
Subject: [Freeipa-devel] [PATCH] add group management to 'add group' page
In-Reply-To: <1191349673.8632.27.camel@localhost.localdomain>
References: <20071001205032.GA3878@moon.usersys.redhat.com>
	<1191349673.8632.27.camel@localhost.localdomain>
Message-ID: <20071002184548.GP24968@moon.usersys.redhat.com>

Simo Sorce wrote:
> On Mon, 2007-10-01 at 13:50 -0700, Kevin McCarthy wrote:
> > These should be looking pretty familiar by now.  The patch adds the
> > group member section to the 'add group' page.  This should be the last
> > page for this type of patch.
> 
> Looks ok.

pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071002/87626a2e/attachment.bin>

From kmccarth at redhat.com  Tue Oct  2 18:46:47 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 2 Oct 2007 11:46:47 -0700
Subject: [Freeipa-devel] [PATCH] assorted small fixes
In-Reply-To: <470285CC.40101@redhat.com>
References: <20071002174700.GG24968@moon.usersys.redhat.com>
	<470285CC.40101@redhat.com>
Message-ID: <20071002184647.GQ24968@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> This is a collection of tiny fixes that started to pile up.
>> -Kevin
>
> I think it looks ok.

Pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071002/4f50efee/attachment.bin>

From kmccarth at redhat.com  Tue Oct  2 20:08:21 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 2 Oct 2007 13:08:21 -0700
Subject: [Freeipa-devel] [PATCH] Use more krb
In-Reply-To: <1191274587.14034.0.camel@hopeson>
References: <1191254018.10954.3.camel@hopeson>
	<1191274587.14034.0.camel@hopeson>
Message-ID: <20071002200821.GR24968@moon.usersys.redhat.com>

Simo Sorce wrote:
> On Mon, 2007-10-01 at 11:53 -0400, Simo Sorce wrote:
> > This patch changes a bit of code to rely more on kerberos.
> > 
> > It also changes ipa-adduser to something I think is a more useful
> > workflow, it does not require an email for example as we don't need it.
> > Instead it allows passing a principal name in case you need to create
> > specific one or want to avoid conflicts with an exiting one.
> > 
> > This patch also removes some classes we don't want to use by default for
> > users.
> > 
> > Note: this patch may not apply cleanly as a pull from upstream after the
> > commit required me a merge. I have the merge patch in my tree so just
> > ack/nack it and I will push both the patch and the merge patch at the
> > same time.
> 
> New patch, includes fixes from some of Rob's comments, and provides
> get_user_by_principal for all interfaces.

pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071002/2002fa9c/attachment.bin>

From rcritten at redhat.com  Tue Oct  2 21:05:08 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 02 Oct 2007 17:05:08 -0400
Subject: [Freeipa-devel] [PATCH] Use group DN instead of CN for operations
Message-ID: <4702B284.5060801@redhat.com>

This patch does a couple of things:

1. Use the group DN instead of CN for operations (silly me)
2. Add a new class of errors, connection errors
3. Rather than letting a failed connection fall through, raise an error. 
This should catch missing kerberos ccaches and other connection problems 
  in a more useful way.

I also updated one of the LDAP error messages.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-239-groupdn.patch
Type: text/x-patch
Size: 11157 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071002/c57fe358/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071002/c57fe358/attachment-0001.bin>

From ssorce at redhat.com  Tue Oct  2 21:10:29 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 02 Oct 2007 17:10:29 -0400
Subject: [Freeipa-devel] [PATCH] Use group DN instead of CN for operations
In-Reply-To: <4702B284.5060801@redhat.com>
References: <4702B284.5060801@redhat.com>
Message-ID: <1191359429.8632.33.camel@localhost.localdomain>

On Tue, 2007-10-02 at 17:05 -0400, Rob Crittenden wrote:
> This patch does a couple of things:
> 
> 1. Use the group DN instead of CN for operations (silly me)
> 2. Add a new class of errors, connection errors
> 3. Rather than letting a failed connection fall through, raise an
> error. 
> This should catch missing kerberos ccaches and other connection
> problems 
>   in a more useful way.
> 
> I also updated one of the LDAP error messages.
> 
> rob


Looks good.



From rcritten at redhat.com  Tue Oct  2 21:38:08 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 02 Oct 2007 17:38:08 -0400
Subject: [Freeipa-devel] [PATCH] fix some groups
Message-ID: <4702BA40.7040607@redhat.com>

I broke 2 groups functions with my last patch. This addresses that.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-240-fixgroup.patch
Type: text/x-patch
Size: 1679 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071002/2478e405/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071002/2478e405/attachment-0001.bin>

From kmccarth at redhat.com  Tue Oct  2 21:41:46 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 2 Oct 2007 14:41:46 -0700
Subject: [Freeipa-devel] [PATCH] fix some groups
In-Reply-To: <4702BA40.7040607@redhat.com>
References: <4702BA40.7040607@redhat.com>
Message-ID: <20071002214145.GS24968@moon.usersys.redhat.com>

Rob Crittenden wrote:
> I broke 2 groups functions with my last patch. This addresses that.

Looks great.  Thanks, Rob!

-Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071002/a6f256a0/attachment.bin>

From pasik at iki.fi  Wed Oct  3 10:27:50 2007
From: pasik at iki.fi (Pasi =?iso-8859-1?Q?K=E4rkk=E4inen?=)
Date: Wed, 3 Oct 2007 13:27:50 +0300
Subject: [Freeipa-devel] Milestone 4 released
In-Reply-To: <1191343402.2120.4.camel@laptop.local>
References: <1191343402.2120.4.camel@laptop.local>
Message-ID: <20071003102750.GA5028@edu.joroinen.fi>

On Tue, Oct 02, 2007 at 12:43:22PM -0400, Karl MacMillan wrote:
> The next milestone release of FreeIPA is available for download at
> http://freeipa.com/page/Downloads. Like the Milestone 3 release this
> release is aimed primarily at developers.
> 
> This release has significant improvements in all areas and should be
> stable enough for initial testing by non-developers. It is not feature
> complete or stable, but most of the components are present in some form
> and should work. I will work to get some installation instructions
> posted soon.
> 

http://freeipa.com/page/Roadmap

Roadmap page is missing Milestone 4.. 

Just to let you know :)

-- Pasi



From ssorce at redhat.com  Wed Oct  3 12:50:06 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 03 Oct 2007 08:50:06 -0400
Subject: [Freeipa-devel] Milestone 4 released
In-Reply-To: <20071003102750.GA5028@edu.joroinen.fi>
References: <1191343402.2120.4.camel@laptop.local>
	<20071003102750.GA5028@edu.joroinen.fi>
Message-ID: <1191415806.8632.48.camel@localhost.localdomain>

On Wed, 2007-10-03 at 13:27 +0300, Pasi K?rkk?inen wrote:
> On Tue, Oct 02, 2007 at 12:43:22PM -0400, Karl MacMillan wrote:
> > The next milestone release of FreeIPA is available for download at
> > http://freeipa.com/page/Downloads. Like the Milestone 3 release this
> > release is aimed primarily at developers.
> > 
> > This release has significant improvements in all areas and should be
> > stable enough for initial testing by non-developers. It is not feature
> > complete or stable, but most of the components are present in some form
> > and should work. I will work to get some installation instructions
> > posted soon.
> > 
> 
> http://freeipa.com/page/Roadmap
> 
> Roadmap page is missing Milestone 4.. 
> 
> Just to let you know :)

We will fix asap.
Kiitos Pasi.

Simo.



From rcritten at redhat.com  Wed Oct  3 14:27:46 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 03 Oct 2007 10:27:46 -0400
Subject: [Freeipa-devel] [PATCH] Use group DN instead of CN for operations
In-Reply-To: <1191359429.8632.33.camel@localhost.localdomain>
References: <4702B284.5060801@redhat.com>
	<1191359429.8632.33.camel@localhost.localdomain>
Message-ID: <4703A6E2.1060701@redhat.com>

Simo Sorce wrote:
> On Tue, 2007-10-02 at 17:05 -0400, Rob Crittenden wrote:
>> This patch does a couple of things:
>>
>> 1. Use the group DN instead of CN for operations (silly me)
>> 2. Add a new class of errors, connection errors
>> 3. Rather than letting a failed connection fall through, raise an
>> error. 
>> This should catch missing kerberos ccaches and other connection
>> problems 
>>   in a more useful way.
>>
>> I also updated one of the LDAP error messages.
>>
>> rob
> 
> 
> Looks good.

Pushed, thanks.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071003/0dad748b/attachment.bin>

From rcritten at redhat.com  Wed Oct  3 14:28:43 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 03 Oct 2007 10:28:43 -0400
Subject: [Freeipa-devel] [PATCH] fix some groups
In-Reply-To: <20071002214145.GS24968@moon.usersys.redhat.com>
References: <4702BA40.7040607@redhat.com>
	<20071002214145.GS24968@moon.usersys.redhat.com>
Message-ID: <4703A71B.9030908@redhat.com>

Kevin McCarthy wrote:
> Rob Crittenden wrote:
>> I broke 2 groups functions with my last patch. This addresses that.
> 
> Looks great.  Thanks, Rob!
> 
> -Kevin
> 

Pushed.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071003/66924073/attachment.bin>

From rcritten at redhat.com  Wed Oct  3 15:36:54 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 03 Oct 2007 11:36:54 -0400
Subject: [Freeipa-devel] Kerberos ticket forwarding
In-Reply-To: <47015C1C.40403@redhat.com>
References: <47015C1C.40403@redhat.com>
Message-ID: <4703B716.3050503@redhat.com>

Rob Crittenden wrote:
> I started from scratch on the Kerberos ticket forwarding problem and 
> mod_auth_kerb again. I have a 2-line patch that fixes it now and doesn't 
> require the massive changes I currently used.
> 
> In my rush I included the F7 patch in the RHEL-5 bug :-( I also made a 
> patch for that.
> 
> The patch for both can be found at:
> https://bugzilla.redhat.com/show_bug.cgi?id=301061
> 
> Note that I had RHEL-5 enforcing on my RHEL-5 box and had lots of 
> problems with the tickets.
> 
> The CGI I wrote to test this called klist to show that the ticket was 
> forwarded properly. I got this denial:
> 
> Oct  1 16:38:18 thor setroubleshoot:      SELinux is preventing the 
> /usr/kerberos/bin/klist from using potentially mislabeled files 
> (/tmp/krb5cc_apache_TxNr3M).      For complete SELinux messages. run 
> sealert -l 40a72116-ed45-420d-914a-ce9d56486d94
> 
> rob
>

Attached is the new SRPM if anyone wants to give it a go.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod_auth_kerb-5.3-5.ipa.src.rpm
Type: application/x-redhat-package-manager
Size: 84823 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071003/a21ac383/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071003/a21ac383/attachment-0001.bin>

From mccann at jhu.edu  Wed Oct  3 17:00:49 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Wed, 3 Oct 2007 13:00:49 -0400
Subject: [Freeipa-devel] [PATCH] install dies if selinux is disabled
Message-ID: <939dd5750710031000i4fe658f2kf94720915dc74b9d@mail.gmail.com>

Hi,

Tiny patch to fix the installer crashing if selinux is disabled.  Also
changes the exception to contain the complete command.

FYI: the installer goes kinda wonky if you have run it multiple times
and you don't apply this:
https://bugzilla.redhat.com/show_bug.cgi?id=317071

Perhaps we can make it more robust to dirsrv failing to start.

Jon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-noselinux.diff
Type: text/x-diff
Size: 1084 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071003/e6a504a2/attachment.bin>

From rcritten at redhat.com  Wed Oct  3 17:26:42 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 03 Oct 2007 13:26:42 -0400
Subject: [Freeipa-devel] [PATCH] install dies if selinux is disabled
In-Reply-To: <939dd5750710031000i4fe658f2kf94720915dc74b9d@mail.gmail.com>
References: <939dd5750710031000i4fe658f2kf94720915dc74b9d@mail.gmail.com>
Message-ID: <4703D0D2.9070208@redhat.com>

William Jon McCann wrote:
> Hi,
> 
> Tiny patch to fix the installer crashing if selinux is disabled.  Also
> changes the exception to contain the complete command.
> 
> FYI: the installer goes kinda wonky if you have run it multiple times
> and you don't apply this:
> https://bugzilla.redhat.com/show_bug.cgi?id=317071
> 
> Perhaps we can make it more robust to dirsrv failing to start.
> 
> Jon

Yeah, we've been working under the assumption that we're working on a 
virginal machine which probably isn't the safest thing to do.

I think what we should do is look for any existing dirsrv instances and 
punt if any are already installed. We aren't quite ready to support 
importing the necessary configuration into an existing directory server 
yet AFAIK. The idea is that one would install IPA, and then migrate to 
it, rather than integrating IPA into an existing DS server.

There are some other appending issues too, such as the location of the 
FDS keytab in /etc/sysconfig/dirsrv. Mine currently has 3 exports :-)

Rather than using a try/except I wonder if we should check the return 
value of selinuxenabled and use that to determine whether we need to run 
setsebool. Still, we should probably have a try/except around every 
single call to run since it can throw an error.

Karl. Will this boolean get reset if someone does a relabels? Most of my 
experience with SELinux is quite dated (back to RHEL-4).

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071003/225e33d5/attachment.bin>

From ssorce at redhat.com  Wed Oct  3 17:59:46 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 03 Oct 2007 13:59:46 -0400
Subject: [Freeipa-devel] [PATCH] install dies if selinux is disabled
In-Reply-To: <939dd5750710031000i4fe658f2kf94720915dc74b9d@mail.gmail.com>
References: <939dd5750710031000i4fe658f2kf94720915dc74b9d@mail.gmail.com>
Message-ID: <1191434386.26778.3.camel@localhost.localdomain>

On Wed, 2007-10-03 at 13:00 -0400, William Jon McCann wrote:
> Hi,
> 
> Tiny patch to fix the installer crashing if selinux is disabled.  Also
> changes the exception to contain the complete command.
> 
> FYI: the installer goes kinda wonky if you have run it multiple times
> and you don't apply this:
> https://bugzilla.redhat.com/show_bug.cgi?id=317071
> 
> Perhaps we can make it more robust to dirsrv failing to start.

Thanks, yeah at this stage we still don't support interrupting the
install script.
We are still thinking on which is the best way to handle it. I think we
will probably prompt a very alarming message about deleting your
existing directory configuration and data and then wipe it out if you
really want to.
We are also considering using the realm name instead of a UUID in the
file names so that it will make it possible to better detect the
intentions (create a new server vs replacing an existing one).

Simo.





From mccann at jhu.edu  Wed Oct  3 18:07:20 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Wed, 3 Oct 2007 14:07:20 -0400
Subject: [Freeipa-devel] [PATCH] install dies if selinux is disabled
In-Reply-To: <1191434386.26778.3.camel@localhost.localdomain>
References: <939dd5750710031000i4fe658f2kf94720915dc74b9d@mail.gmail.com>
	<1191434386.26778.3.camel@localhost.localdomain>
Message-ID: <939dd5750710031107n7f946fc3g896fc927e1f19f89@mail.gmail.com>

On 10/3/07, Simo Sorce <ssorce at redhat.com> wrote:
> On Wed, 2007-10-03 at 13:00 -0400, William Jon McCann wrote:
> > Hi,
> >
> > Tiny patch to fix the installer crashing if selinux is disabled.  Also
> > changes the exception to contain the complete command.
> >
> > FYI: the installer goes kinda wonky if you have run it multiple times
> > and you don't apply this:
> > https://bugzilla.redhat.com/show_bug.cgi?id=317071
> >
> > Perhaps we can make it more robust to dirsrv failing to start.
>
> Thanks, yeah at this stage we still don't support interrupting the
> install script.
> We are still thinking on which is the best way to handle it. I think we
> will probably prompt a very alarming message about deleting your
> existing directory configuration and data and then wipe it out if you
> really want to.
> We are also considering using the realm name instead of a UUID in the
> file names so that it will make it possible to better detect the
> intentions (create a new server vs replacing an existing one).

Yeah, that would work for me.  I figured out that I need to do the
following before running the install script:
sudo rm -rf /var/lib/dirsrv/slapd-* /var/lock/dirsrv/* /etc/dirsrv/slapd-*
sudo pkill -U dirsrv

The only part that was missing was the chown of /var/run/dirsrv.

I guess we should also try to clean up the configurations when the
script doesn't run to completion...

Thanks,
Jon



From ssorce at redhat.com  Wed Oct  3 18:20:31 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 03 Oct 2007 14:20:31 -0400
Subject: [Freeipa-devel] [PATCH] install dies if selinux is disabled
In-Reply-To: <939dd5750710031107n7f946fc3g896fc927e1f19f89@mail.gmail.com>
References: <939dd5750710031000i4fe658f2kf94720915dc74b9d@mail.gmail.com>
	<1191434386.26778.3.camel@localhost.localdomain>
	<939dd5750710031107n7f946fc3g896fc927e1f19f89@mail.gmail.com>
Message-ID: <1191435631.26778.9.camel@localhost.localdomain>

On Wed, 2007-10-03 at 14:07 -0400, William Jon McCann wrote:
> On 10/3/07, Simo Sorce <ssorce at redhat.com> wrote:
> > On Wed, 2007-10-03 at 13:00 -0400, William Jon McCann wrote:
> > > Hi,
> > >
> > > Tiny patch to fix the installer crashing if selinux is disabled.  Also
> > > changes the exception to contain the complete command.
> > >
> > > FYI: the installer goes kinda wonky if you have run it multiple times
> > > and you don't apply this:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=317071
> > >
> > > Perhaps we can make it more robust to dirsrv failing to start.
> >
> > Thanks, yeah at this stage we still don't support interrupting the
> > install script.
> > We are still thinking on which is the best way to handle it. I think we
> > will probably prompt a very alarming message about deleting your
> > existing directory configuration and data and then wipe it out if you
> > really want to.
> > We are also considering using the realm name instead of a UUID in the
> > file names so that it will make it possible to better detect the
> > intentions (create a new server vs replacing an existing one).
> 
> Yeah, that would work for me.  I figured out that I need to do the
> following before running the install script:
> sudo rm -rf /var/lib/dirsrv/slapd-* /var/lock/dirsrv/* /etc/dirsrv/slapd-*
> sudo pkill -U dirsrv
> 
> The only part that was missing was the chown of /var/run/dirsrv.
> 
> I guess we should also try to clean up the configurations when the
> script doesn't run to completion...

Uhmm that would mean catching ctrl+c and signals, not sure how it works
with python, may be it is just simpler to clean up on each start-up, it
will also catch legitimate existing cruft :)

Simo.

> 
> Thanks,
> Jon



From mccann at jhu.edu  Wed Oct  3 20:11:42 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Wed, 3 Oct 2007 16:11:42 -0400
Subject: [Freeipa-devel] [PATCH] install dies if selinux is disabled
In-Reply-To: <1191435631.26778.9.camel@localhost.localdomain>
References: <939dd5750710031000i4fe658f2kf94720915dc74b9d@mail.gmail.com>
	<1191434386.26778.3.camel@localhost.localdomain>
	<939dd5750710031107n7f946fc3g896fc927e1f19f89@mail.gmail.com>
	<1191435631.26778.9.camel@localhost.localdomain>
Message-ID: <939dd5750710031311qc9c5588meda2c916dee43481@mail.gmail.com>

Hey,

On 10/3/07, Simo Sorce <ssorce at redhat.com> wrote:
> On Wed, 2007-10-03 at 14:07 -0400, William Jon McCann wrote:
> > On 10/3/07, Simo Sorce <ssorce at redhat.com> wrote:
> > > On Wed, 2007-10-03 at 13:00 -0400, William Jon McCann wrote:
> > > > Hi,
> > > >
> > > > Tiny patch to fix the installer crashing if selinux is disabled.  Also
> > > > changes the exception to contain the complete command.
> > > >
> > > > FYI: the installer goes kinda wonky if you have run it multiple times
> > > > and you don't apply this:
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=317071
> > > >
> > > > Perhaps we can make it more robust to dirsrv failing to start.
> > >
> > > Thanks, yeah at this stage we still don't support interrupting the
> > > install script.
> > > We are still thinking on which is the best way to handle it. I think we
> > > will probably prompt a very alarming message about deleting your
> > > existing directory configuration and data and then wipe it out if you
> > > really want to.
> > > We are also considering using the realm name instead of a UUID in the
> > > file names so that it will make it possible to better detect the
> > > intentions (create a new server vs replacing an existing one).
> >
> > Yeah, that would work for me.  I figured out that I need to do the
> > following before running the install script:
> > sudo rm -rf /var/lib/dirsrv/slapd-* /var/lock/dirsrv/* /etc/dirsrv/slapd-*
> > sudo pkill -U dirsrv
> >
> > The only part that was missing was the chown of /var/run/dirsrv.
> >
> > I guess we should also try to clean up the configurations when the
> > script doesn't run to completion...
>
> Uhmm that would mean catching ctrl+c and signals, not sure how it works
> with python, may be it is just simpler to clean up on each start-up, it
> will also catch legitimate existing cruft :)

Here's an updated patch that does both.  And adds a check to make sure
it is running as root.

Jon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-install-fixes.diff
Type: text/x-diff
Size: 2909 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071003/b38d85ff/attachment.bin>

From rcritten at redhat.com  Wed Oct  3 20:13:29 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 03 Oct 2007 16:13:29 -0400
Subject: [Freeipa-devel] [PATCH] more robust installation error handling
Message-ID: <4703F7E9.8090002@redhat.com>

This needs more work but it is a first crack at trying to catch more 
error conditions during installation. What it currently lacks is 
completely bailing out, offering the user a choice to continue and/or 
doing a rollback.

I also didn't add any code to exit out if an existing DS is found. Not 
sure if we want to do that or not.

I also incorporated most of the patch to handle when SELinux is disabled 
from Jon McCann. I just do the selinux check slightly differently.

I also noticed an error when I had old service keytabs and included 
something to handle SASL/GSSAPI authentication failures when getting a 
connection.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-242-install.patch
Type: text/x-patch
Size: 14211 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071003/0d9ae39e/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071003/0d9ae39e/attachment-0001.bin>

From ssorce at redhat.com  Wed Oct  3 20:39:33 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 03 Oct 2007 16:39:33 -0400
Subject: [Freeipa-devel] [PATCH] install dies if selinux is disabled
In-Reply-To: <939dd5750710031311qc9c5588meda2c916dee43481@mail.gmail.com>
References: <939dd5750710031000i4fe658f2kf94720915dc74b9d@mail.gmail.com>
	<1191434386.26778.3.camel@localhost.localdomain>
	<939dd5750710031107n7f946fc3g896fc927e1f19f89@mail.gmail.com>
	<1191435631.26778.9.camel@localhost.localdomain>
	<939dd5750710031311qc9c5588meda2c916dee43481@mail.gmail.com>
Message-ID: <1191443973.26778.50.camel@localhost.localdomain>

On Wed, 2007-10-03 at 16:11 -0400, William Jon McCann wrote:
> 
> Here's an updated patch that does both.  And adds a check to make sure
> it is running as root.

Looks good as a first step to me.

Simo.



From kmccarth at redhat.com  Wed Oct  3 20:45:49 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Wed, 3 Oct 2007 13:45:49 -0700
Subject: [Freeipa-devel] [PATCH] add the rest of the user fields
Message-ID: <20071003204549.GA23064@moon.usersys.redhat.com>

Pete and I took a crack at picking out the fields that should go on the
user forms.  I've added them here.  Some of these need to be
multi-value, but I'm not handling that yet (first need to get rebuilding
the demo server).

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1191444794 25200
# Node ID ee2e41c50353e74f94b049f70178a4f31b4d236e
# Parent  0ab2c326750088d0011ebc41ecf7572abc0ba510
Add the rest of the user fields to the user pages.

diff -r 0ab2c3267500 -r ee2e41c50353 ipa-server/ipa-gui/ipagui/controllers.py
--- a/ipa-server/ipa-gui/ipagui/controllers.py	Wed Oct 03 10:23:47 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/controllers.py	Wed Oct 03 13:53:14 2007 -0700
@@ -139,11 +139,41 @@ class Root(controllers.RootController):
         #
         try:
             new_user = ipa.user.User()
-            new_user.setValue('uid', kw.get('uid'))
+            new_user.setValue('title', kw.get('title'))
             new_user.setValue('givenname', kw.get('givenname'))
             new_user.setValue('sn', kw.get('sn'))
+            new_user.setValue('cn', kw.get('cn'))
+            new_user.setValue('displayname', kw.get('displayname'))
+            new_user.setValue('initials', kw.get('initials'))
+
+            new_user.setValue('uid', kw.get('uid'))
+            new_user.setValue('loginshell', kw.get('loginshell'))
+            new_user.setValue('gecos', kw.get('gecos'))
+
             new_user.setValue('mail', kw.get('mail'))
             new_user.setValue('telephonenumber', kw.get('telephonenumber'))
+            new_user.setValue('facsimiletelephonenumber',
+                    kw.get('facsimiletelephonenumber'))
+            new_user.setValue('mobile', kw.get('mobile'))
+            new_user.setValue('pager', kw.get('pager'))
+            new_user.setValue('homephone', kw.get('homephone'))
+
+            new_user.setValue('street', kw.get('street'))
+            new_user.setValue('l', kw.get('l'))
+            new_user.setValue('st', kw.get('st'))
+            new_user.setValue('postalcode', kw.get('postalcode'))
+
+            new_user.setValue('ou', kw.get('ou'))
+            new_user.setValue('businesscategory', kw.get('businesscategory'))
+            new_user.setValue('description', kw.get('description'))
+            new_user.setValue('employeetype', kw.get('employeetype'))
+            # new_user.setValue('manager', kw.get('manager'))
+            new_user.setValue('roomnumber', kw.get('roomnumber'))
+            # new_user.setValue('secretary', kw.get('secretary'))
+
+            new_user.setValue('carlicense', kw.get('carlicense'))
+            new_user.setValue('labeleduri', kw.get('labeleduri'))
+
             if kw.get('nsAccountLock'):
                 new_user.setValue('nsAccountLock', 'true')
 
@@ -293,10 +323,41 @@ class Root(controllers.RootController):
             orig_user_dict = loads(b64decode(kw.get('user_orig')))
 
             new_user = ipa.user.User(orig_user_dict)
+            new_user.setValue('title', kw.get('title'))
             new_user.setValue('givenname', kw.get('givenname'))
             new_user.setValue('sn', kw.get('sn'))
+            new_user.setValue('cn', kw.get('cn'))
+            new_user.setValue('displayname', kw.get('displayname'))
+            new_user.setValue('initials', kw.get('initials'))
+
+            new_user.setValue('loginshell', kw.get('loginshell'))
+            new_user.setValue('gecos', kw.get('gecos'))
+
             new_user.setValue('mail', kw.get('mail'))
             new_user.setValue('telephonenumber', kw.get('telephonenumber'))
+            new_user.setValue('facsimiletelephonenumber',
+                    kw.get('facsimiletelephonenumber'))
+            new_user.setValue('mobile', kw.get('mobile'))
+            new_user.setValue('pager', kw.get('pager'))
+            new_user.setValue('homephone', kw.get('homephone'))
+
+            new_user.setValue('street', kw.get('street'))
+            new_user.setValue('l', kw.get('l'))
+            new_user.setValue('st', kw.get('st'))
+            new_user.setValue('postalcode', kw.get('postalcode'))
+
+            new_user.setValue('ou', kw.get('ou'))
+            new_user.setValue('businesscategory', kw.get('businesscategory'))
+            new_user.setValue('description', kw.get('description'))
+            new_user.setValue('employeetype', kw.get('employeetype'))
+            # new_user.setValue('manager', kw.get('manager'))
+            new_user.setValue('roomnumber', kw.get('roomnumber'))
+            # new_user.setValue('secretary', kw.get('secretary'))
+
+            new_user.setValue('carlicense', kw.get('carlicense'))
+            new_user.setValue('labeleduri', kw.get('labeleduri'))
+
+
             if kw.get('nsAccountLock'):
                 new_user.setValue('nsAccountLock', 'true')
             else:
@@ -306,13 +367,7 @@ class Root(controllers.RootController):
                     password_change = True
                 new_user.setValue('uidnumber', str(kw.get('uidnumber')))
                 new_user.setValue('gidnumber', str(kw.get('gidnumber')))
-
-            #
-            # this is a hack until we decide on the policy for names/cn/sn/givenName
-            #
-            new_user.setValue('cn',
-                           "%s %s" % (new_user.getValue('givenname'),
-                                      new_user.getValue('sn')))
+                new_user.setValue('homedirectory', str(kw.get('homedirectory')))
 
             rv = client.update_user(new_user)
             #
diff -r 0ab2c3267500 -r ee2e41c50353 ipa-server/ipa-gui/ipagui/forms/user.py
--- a/ipa-server/ipa-gui/ipagui/forms/user.py	Wed Oct 03 10:23:47 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/forms/user.py	Wed Oct 03 13:53:14 2007 -0700
@@ -2,17 +2,47 @@ from turbogears import validators, widge
 from turbogears import validators, widgets
 
 class UserFields():
+    givenname = widgets.TextField(name="givenname", label="Given Name")
+    sn = widgets.TextField(name="sn", label="Family Name")
+    cn = widgets.TextField(name="cn", label="Common Names")
+    title = widgets.TextField(name="title", label="Title")
+    displayname = widgets.TextField(name="displayname", label="Display Name")
+    initials = widgets.TextField(name="initials", label="Initials")
+
     uid = widgets.TextField(name="uid", label="Login")
     userpassword = widgets.PasswordField(name="userpassword", label="Password")
     userpassword_confirm = widgets.PasswordField(name="userpassword_confirm",
             label="Confirm Password")
     uidnumber = widgets.TextField(name="uidnumber", label="UID")
     gidnumber = widgets.TextField(name="gidnumber", label="GID")
-    givenname = widgets.TextField(name="givenname", label="Given Name")
-    sn = widgets.TextField(name="sn", label="Family Name")
+    homedirectory = widgets.TextField(name="homedirectory", label="Home Directory")
+    loginshell = widgets.TextField(name="loginshell", label="Login Shell")
+    gecos = widgets.TextField(name="gecos", label="GECOS")
+
     mail = widgets.TextField(name="mail", label="E-mail Address")
-    telephonenumber = widgets.TextField(name="telephonenumber", label="Phone")
-    # nsAccountLock = widgets.CheckBox(name="nsAccountLock", label="Account Deactivated")
+    telephonenumber = widgets.TextField(name="telephonenumber", label="Work Number")
+    facsimiletelephonenumber = widgets.TextField(name="facsimiletelephonenumber",
+            label="Fax Number")
+    mobile = widgets.TextField(name="mobile", label="Cell Number")
+    pager = widgets.TextField(name="pager", label="Pager Number")
+    homephone = widgets.TextField(name="homephone", label="Home Number")
+
+    street = widgets.TextField(name="street", label="Street Address")
+    l = widgets.TextField(name="l", label="City")
+    st = widgets.TextField(name="st", label="State")
+    postalcode = widgets.TextField(name="postalcode", label="ZIP")
+
+    ou = widgets.TextField(name="ou", label="Org Unit")
+    businesscategory = widgets.TextField(name="businesscategory", label="Tags")
+    description = widgets.TextField(name="description", label="Description")
+    employeetype = widgets.TextField(name="employeetype", label="Employee Type")
+    manager = widgets.TextField(name="manager", label="Manager")
+    roomnumber = widgets.TextField(name="roomnumber", label="Room Number")
+    secretary = widgets.TextField(name="secretary", label="Secretary")
+
+    carlicense = widgets.TextField(name="carlicense", label="Car License")
+    labeleduri = widgets.TextField(name="labeleduri", label="Home Page")
+
     nsAccountLock = widgets.SingleSelectField(name="nsAccountLock",
             label="Account Status",
             options = [("", "active"), ("true", "inactive")])
@@ -34,8 +64,6 @@ class UserNewValidator(validators.Schema
     givenname = validators.String(not_empty=True)
     sn = validators.String(not_empty=True)
     mail = validators.Email(not_empty=True)
-    #  validators.PhoneNumber may be a bit too picky, requiring an area code
-    # telephonenumber = validators.PlainText(not_empty=False)
 
     chained_validators = [
       validators.FieldsMatch('userpassword', 'userpassword_confirm')
@@ -45,10 +73,9 @@ class UserNewForm(widgets.Form):
 class UserNewForm(widgets.Form):
     params = ['user']
 
-    fields = [UserFields.uid, UserFields.givenname,
-              UserFields.sn, UserFields.mail,
-              UserFields.dn_to_info_json,
-             ]
+    hidden_fields = [
+      UserFields.dn_to_info_json,
+    ]
 
     validator = UserNewValidator()
 
@@ -59,10 +86,6 @@ class UserNewForm(widgets.Form):
 
     def update_params(self, params):
         super(UserNewForm,self).update_params(params)
-        params['has_foo'] = self.has_foo
-
-    def has_foo(self):
-        return False
 
 class UserEditValidator(validators.Schema):
     userpassword = validators.String(not_empty=False)
@@ -72,8 +95,6 @@ class UserEditValidator(validators.Schem
     mail = validators.Email(not_empty=True)
     uidnumber = validators.Int(not_empty=False)
     gidnumber = validators.Int(not_empty=False)
-    #  validators.PhoneNumber may be a bit too picky, requiring an area code
-    # telephonenumber = validators.PlainText(not_empty=False)
 
     pre_validators = [
       validators.RequireIfPresent(required='uidnumber', present='editprotected'),
@@ -87,14 +108,13 @@ class UserEditForm(widgets.Form):
 class UserEditForm(widgets.Form):
     params = ['user']
 
-    fields = [UserFields.givenname, UserFields.sn, UserFields.mail,
-              UserFields.uid_hidden, UserFields.user_orig,
-              UserFields.uidnumber, UserFields.gidnumber,
-              UserFields.krbPasswordExpiration_hidden,
-              UserFields.editprotected_hidden,
-              UserFields.user_groups_data,
-              UserFields.dn_to_info_json,
-              ]
+    hidden_fields = [
+      UserFields.uid_hidden, UserFields.user_orig,
+      UserFields.krbPasswordExpiration_hidden,
+      UserFields.editprotected_hidden,
+      UserFields.user_groups_data,
+      UserFields.dn_to_info_json,
+    ]
 
     validator = UserEditValidator()
 
diff -r 0ab2c3267500 -r ee2e41c50353 ipa-server/ipa-gui/ipagui/templates/usereditform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usereditform.kid	Wed Oct 03 10:23:47 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usereditform.kid	Wed Oct 03 13:53:14 2007 -0700
@@ -32,17 +32,20 @@ from ipagui.helpers import ipahelper
       passwordConfirmField = document.getElementById('form_userpassword_confirm');
       uidnumberField = document.getElementById('form_uidnumber');
       gidnumberField = document.getElementById('form_gidnumber');
+      homedirectoryField = document.getElementById('form_homedirectory');
       if (checkbox.checked) {
         passwordField.disabled = false;
         passwordConfirmField.disabled = false;
         uidnumberField.disabled = false;
         gidnumberField.disabled = false;
+        homedirectoryField.disabled = false;
         $('form_editprotected').value = 'true';
       } else {
         passwordField.disabled = true;
         passwordConfirmField.disabled = true;
         uidnumberField.disabled = true;
         gidnumberField.disabled = true;
+        homedirectoryField.disabled = true;
         $('form_editprotected').value = '';
       }
     }
@@ -76,6 +79,19 @@ from ipagui.helpers import ipahelper
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th>
+          <label class="fieldlabel" for="${user.title.field_id}"
+            py:content="user.title.label" />:
+        </th>
+        <td>
+          <span py:replace="user.title.display(value_for(user.title))" />
+          <span py:if="tg.errors.get('title')" class="fielderror"
+              py:content="tg.errors.get('title')" />
+
+        </td>
+      </tr>
+
+      <tr>
+        <th>
           <label class="fieldlabel" for="${user.givenname.field_id}"
             py:content="user.givenname.label" />:
         </th>
@@ -98,10 +114,60 @@ from ipagui.helpers import ipahelper
               py:content="tg.errors.get('sn')" />
         </td>
       </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.cn.field_id}"
+            py:content="user.cn.label" />:
+        </th>
+        <td>
+          <span py:replace="user.cn.display(value_for(user.cn))" />
+          <span py:if="tg.errors.get('cn')" class="fielderror"
+              py:content="tg.errors.get('cn')" />
+
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.displayname.field_id}"
+            py:content="user.displayname.label" />:
+        </th>
+        <td>
+          <span py:replace="user.displayname.display(value_for(user.displayname))" />
+          <span py:if="tg.errors.get('displayname')" class="fielderror"
+              py:content="tg.errors.get('displayname')" />
+
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.initials.field_id}"
+            py:content="user.initials.label" />:
+        </th>
+        <td>
+          <span py:replace="user.initials.display(value_for(user.initials))" />
+          <span py:if="tg.errors.get('initials')" class="fielderror"
+              py:content="tg.errors.get('initials')" />
+
+        </td>
+      </tr>
     </table>
 
     <div class="formsection">Account Details</div>
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.nsAccountLock.field_id}"
+            py:content="user.nsAccountLock.label" />:
+        </th>
+        <td>
+          <span py:replace="user.nsAccountLock.display(value_for(user.nsAccountLock))" />
+          <span py:if="tg.errors.get('nsAccountLock')" class="fielderror"
+                    py:content="tg.errors.get('nsAccountLock')" />
+        </td>
+      </tr>
       <tr>
         <th>
           <label class="fieldlabel" for="${user.uid.field_id}"
@@ -213,6 +279,49 @@ from ipagui.helpers import ipahelper
           </script>
         </td>
       </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.homedirectory.field_id}"
+            py:content="user.homedirectory.label" />:
+        </th>
+        <td>
+          <span py:replace="user.homedirectory.display(
+               value_for(user.homedirectory))" />
+          <span py:if="tg.errors.get('homedirectory')" class="fielderror"
+              py:content="tg.errors.get('homedirectory')" />
+
+          <script type="text/javascript">
+              document.getElementById('form_homedirectory').disabled = true;
+          </script>
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.loginshell.field_id}"
+            py:content="user.loginshell.label" />:
+        </th>
+        <td>
+          <span py:replace="user.loginshell.display(
+              value_for(user.loginshell))" />
+          <span py:if="tg.errors.get('loginshell')" class="fielderror"
+              py:content="tg.errors.get('loginshell')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.gecos.field_id}"
+            py:content="user.gecos.label" />:
+        </th>
+        <td>
+          <span py:replace="user.gecos.display(
+              value_for(user.gecos))" />
+          <span py:if="tg.errors.get('gecos')" class="fielderror"
+              py:content="tg.errors.get('gecos')" />
+        </td>
+      </tr>
     </table>
 
     <div class="formsection">Contact Details</div>
@@ -228,6 +337,7 @@ from ipagui.helpers import ipahelper
               py:content="tg.errors.get('mail')" />
         </td>
       </tr>
+
       <tr>
         <th>
           <label class="fieldlabel" for="${user.telephonenumber.field_id}"
@@ -239,22 +349,216 @@ from ipagui.helpers import ipahelper
               py:content="tg.errors.get('telephonenumber')" />
         </td>
       </tr>
-    </table>
-
-    <div class="formsection">Account Status</div>
-    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
-      <tr>
-        <th>
-          <label class="fieldlabel" for="${user.nsAccountLock.field_id}"
-            py:content="user.nsAccountLock.label" />:
-        </th>
-        <td>
-          <span py:replace="user.nsAccountLock.display(value_for(user.nsAccountLock))" />
-          <span py:if="tg.errors.get('nsAccountLock')" class="fielderror"
-                    py:content="tg.errors.get('nsAccountLock')" />
-        </td>
-      </tr>
-    </table>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.facsimiletelephonenumber.field_id}"
+            py:content="user.facsimiletelephonenumber.label" />:
+        </th>
+        <td>
+          <span py:replace="user.facsimiletelephonenumber.display(value_for(user.facsimiletelephonenumber))" />
+          <span py:if="tg.errors.get('facsimiletelephonenumber')" class="fielderror"
+              py:content="tg.errors.get('facsimiletelephonenumber')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.mobile.field_id}"
+            py:content="user.mobile.label" />:
+        </th>
+        <td>
+          <span py:replace="user.mobile.display(value_for(user.mobile))" />
+          <span py:if="tg.errors.get('mobile')" class="fielderror"
+              py:content="tg.errors.get('mobile')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.pager.field_id}"
+            py:content="user.pager.label" />:
+        </th>
+        <td>
+          <span py:replace="user.pager.display(value_for(user.pager))" />
+          <span py:if="tg.errors.get('pager')" class="fielderror"
+              py:content="tg.errors.get('pager')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.homephone.field_id}"
+            py:content="user.homephone.label" />:
+        </th>
+        <td>
+          <span py:replace="user.homephone.display(value_for(user.homephone))" />
+          <span py:if="tg.errors.get('homephone')" class="fielderror"
+              py:content="tg.errors.get('homephone')" />
+        </td>
+      </tr>
+    </table>
+
+    <div class="formsection">Mailing Address</div>
+    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.street.field_id}"
+            py:content="user.street.label" />:
+        </th>
+        <td>
+          <span py:replace="user.street.display(value_for(user.street))" />
+          <span py:if="tg.errors.get('street')" class="fielderror"
+              py:content="tg.errors.get('street')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.l.field_id}"
+            py:content="user.l.label" />:
+        </th>
+        <td>
+          <span py:replace="user.l.display(value_for(user.l))" />
+          <span py:if="tg.errors.get('l')" class="fielderror"
+              py:content="tg.errors.get('l')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.st.field_id}"
+            py:content="user.st.label" />:
+        </th>
+        <td>
+          <span py:replace="user.st.display(value_for(user.st))" />
+          <span py:if="tg.errors.get('st')" class="fielderror"
+              py:content="tg.errors.get('st')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.postalcode.field_id}"
+            py:content="user.postalcode.label" />:
+        </th>
+        <td>
+          <span py:replace="user.postalcode.display(value_for(user.postalcode))" />
+          <span py:if="tg.errors.get('postalcode')" class="fielderror"
+              py:content="tg.errors.get('postalcode')" />
+        </td>
+      </tr>
+    </table>
+
+    <div class="formsection">Employee Information</div>
+    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.ou.field_id}"
+            py:content="user.ou.label" />:
+        </th>
+        <td>
+          <span py:replace="user.ou.display(value_for(user.ou))" />
+          <span py:if="tg.errors.get('ou')" class="fielderror"
+              py:content="tg.errors.get('ou')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.businesscategory.field_id}"
+            py:content="user.businesscategory.label" />:
+        </th>
+        <td>
+          <span py:replace="user.businesscategory.display(value_for(user.businesscategory))" />
+          <span py:if="tg.errors.get('businesscategory')" class="fielderror"
+              py:content="tg.errors.get('businesscategory')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.description.field_id}"
+            py:content="user.description.label" />:
+        </th>
+        <td>
+          <span py:replace="user.description.display(value_for(user.description))" />
+          <span py:if="tg.errors.get('description')" class="fielderror"
+              py:content="tg.errors.get('description')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.employeetype.field_id}"
+            py:content="user.employeetype.label" />:
+        </th>
+        <td>
+          <span py:replace="user.employeetype.display(value_for(user.employeetype))" />
+          <span py:if="tg.errors.get('employeetype')" class="fielderror"
+              py:content="tg.errors.get('employeetype')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.manager.field_id}"
+            py:content="user.manager.label" />:
+        </th>
+        <td>
+           TODO
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.roomnumber.field_id}"
+            py:content="user.roomnumber.label" />:
+        </th>
+        <td>
+          <span py:replace="user.roomnumber.display(value_for(user.roomnumber))" />
+          <span py:if="tg.errors.get('roomnumber')" class="fielderror"
+              py:content="tg.errors.get('roomnumber')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.secretary.field_id}"
+            py:content="user.secretary.label" />:
+        </th>
+        <td>
+           TODO
+        </td>
+      </tr>
+    </table>
+
+    <div class="formsection">Misc Information</div>
+    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.carlicense.field_id}"
+            py:content="user.carlicense.label" />:
+        </th>
+        <td>
+          <span py:replace="user.carlicense.display(value_for(user.carlicense))" />
+          <span py:if="tg.errors.get('carlicense')" class="fielderror"
+              py:content="tg.errors.get('carlicense')" />
+        </td>
+      </tr>
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.labeleduri.field_id}"
+            py:content="user.labeleduri.label" />:
+        </th>
+        <td>
+          <span py:replace="user.labeleduri.display(value_for(user.labeleduri))" />
+          <span py:if="tg.errors.get('labeleduri')" class="fielderror"
+              py:content="tg.errors.get('labeleduri')" />
+        </td>
+      </tr>
+    </table>
+
 
     <div>
       <div class="formsection">Groups</div>
diff -r 0ab2c3267500 -r ee2e41c50353 ipa-server/ipa-gui/ipagui/templates/usernewform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usernewform.kid	Wed Oct 03 10:23:47 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usernewform.kid	Wed Oct 03 13:53:14 2007 -0700
@@ -49,6 +49,19 @@ from ipagui.helpers import ipahelper
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th>
+          <label class="fieldlabel" for="${user.title.field_id}"
+            py:content="user.title.label" />:
+        </th>
+        <td>
+          <span py:replace="user.title.display(value_for(user.title))" />
+          <span py:if="tg.errors.get('title')" class="fielderror"
+              py:content="tg.errors.get('title')" />
+
+        </td>
+      </tr>
+
+      <tr>
+        <th>
           <label class="fieldlabel" for="${user.givenname.field_id}"
             py:content="user.givenname.label" />:
         </th>
@@ -70,17 +83,25 @@ from ipagui.helpers import ipahelper
           <span py:if="tg.errors.get('sn')" class="fielderror"
               py:content="tg.errors.get('sn')" />
           <script type="text/javascript">
-            var uid_suggest = ""
-            var mail_suggest = ""
+            var uid_suggest = "";
+            var mail_suggest = "";
+            var cn_suggest = "";
+            var displayname_suggest = "";
+            var initials_suggest = "";
 
             function autofill(self) {
-              givenname = document.getElementById('form_givenname');
-              sn = document.getElementById('form_sn');
+              var givenname = $('form_givenname');
+              var sn = $('form_sn');
               if ((givenname.value == "") || (sn.value == "")) {
                 return;
               }
-              uid = document.getElementById('form_uid');
-              mail = document.getElementById('form_mail');
+
+              var uid = $('form_uid');
+              var mail = $('form_mail');
+              var cn = $('form_cn');
+              var displayname = $('form_displayname');
+              var initials = $('form_initials');
+
               if ((uid.value == "") || (uid.value == uid_suggest)) {
                 new Ajax.Request('${tg.url('/suggest_uid')}', {
                     method: 'get',
@@ -92,6 +113,7 @@ from ipagui.helpers import ipahelper
                       }
                     });
               }
+
               if ((mail.value == "") || (mail.value == mail_suggest)) {
                 new Ajax.Request('${tg.url('/suggest_email')}', {
                     method: 'get',
@@ -103,16 +125,87 @@ from ipagui.helpers import ipahelper
                       }
                     });
               }
+
+              if ((cn.value == "") || (cn.value == cn_suggest)) {
+                cn.value = givenname.value + " " + sn.value;
+                cn_suggest = cn.value;
+                new Effect.Highlight(cn);
+              }
+
+              if ((displayname.value == "") ||
+                  (displayname.value == displayname_suggest)) {
+                displayname.value = givenname.value + " " + sn.value;
+                displayname_suggest = displayname.value;
+                new Effect.Highlight(displayname);
+              }
+
+              if ((displayname.value == "") ||
+                  (displayname.value == displayname_suggest)) {
+                initials.value = givenname.value[0] + sn.value[0];
+                initials_suggest = initials.value;
+                new Effect.Highlight(initials);
+              }
             }
-            document.getElementById('form_givenname').onchange = autofill
-            document.getElementById('form_sn').onchange = autofill
+
+            document.getElementById('form_givenname').onchange = autofill;
+            document.getElementById('form_sn').onchange = autofill;
           </script>
         </td>
       </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.cn.field_id}"
+            py:content="user.cn.label" />:
+        </th>
+        <td>
+          <span py:replace="user.cn.display(value_for(user.cn))" />
+          <span py:if="tg.errors.get('cn')" class="fielderror"
+              py:content="tg.errors.get('cn')" />
+
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.displayname.field_id}"
+            py:content="user.displayname.label" />:
+        </th>
+        <td>
+          <span py:replace="user.displayname.display(value_for(user.displayname))" />
+          <span py:if="tg.errors.get('displayname')" class="fielderror"
+              py:content="tg.errors.get('displayname')" />
+
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.initials.field_id}"
+            py:content="user.initials.label" />:
+        </th>
+        <td>
+          <span py:replace="user.initials.display(value_for(user.initials))" />
+          <span py:if="tg.errors.get('initials')" class="fielderror"
+              py:content="tg.errors.get('initials')" />
+
+        </td>
+      </tr>
     </table>
 
     <div class="formsection">Account Details</div>
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.nsAccountLock.field_id}"
+            py:content="user.nsAccountLock.label" />:
+        </th>
+        <td>
+          <span py:replace="user.nsAccountLock.display(value_for(user.nsAccountLock))" />
+          <span py:if="tg.errors.get('nsAccountLock')" class="fielderror"
+                    py:content="tg.errors.get('nsAccountLock')" />
+        </td>
+      </tr>
       <tr>
         <th>
           <label class="fieldlabel" for="${user.uid.field_id}"
@@ -181,6 +274,42 @@ from ipagui.helpers import ipahelper
           Generated by server
         </td>
       </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.homedirectory.field_id}"
+            py:content="user.homedirectory.label" />:
+        </th>
+        <td>
+          Generated by server
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.loginshell.field_id}"
+            py:content="user.loginshell.label" />:
+        </th>
+        <td>
+          <span py:replace="user.loginshell.display(
+              value_for(user.loginshell))" />
+          <span py:if="tg.errors.get('loginshell')" class="fielderror"
+              py:content="tg.errors.get('loginshell')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.gecos.field_id}"
+            py:content="user.gecos.label" />:
+        </th>
+        <td>
+          <span py:replace="user.gecos.display(
+              value_for(user.gecos))" />
+          <span py:if="tg.errors.get('gecos')" class="fielderror"
+              py:content="tg.errors.get('gecos')" />
+        </td>
+      </tr>
     </table>
 
     <div class="formsection">Contact Details</div>
@@ -196,6 +325,7 @@ from ipagui.helpers import ipahelper
               py:content="tg.errors.get('mail')" />
         </td>
       </tr>
+
       <tr>
         <th>
           <label class="fieldlabel" for="${user.telephonenumber.field_id}"
@@ -207,19 +337,212 @@ from ipagui.helpers import ipahelper
               py:content="tg.errors.get('telephonenumber')" />
         </td>
       </tr>
-    </table>
-
-    <div class="formsection">Account Status</div>
-    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
-      <tr>
-        <th>
-          <label class="fieldlabel" for="${user.nsAccountLock.field_id}"
-            py:content="user.nsAccountLock.label" />:
-        </th>
-        <td>
-          <span py:replace="user.nsAccountLock.display(value_for(user.nsAccountLock))" />
-          <span py:if="tg.errors.get('nsAccountLock')" class="fielderror"
-                    py:content="tg.errors.get('nsAccountLock')" />
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.facsimiletelephonenumber.field_id}"
+            py:content="user.facsimiletelephonenumber.label" />:
+        </th>
+        <td>
+          <span py:replace="user.facsimiletelephonenumber.display(value_for(user.facsimiletelephonenumber))" />
+          <span py:if="tg.errors.get('facsimiletelephonenumber')" class="fielderror"
+              py:content="tg.errors.get('facsimiletelephonenumber')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.mobile.field_id}"
+            py:content="user.mobile.label" />:
+        </th>
+        <td>
+          <span py:replace="user.mobile.display(value_for(user.mobile))" />
+          <span py:if="tg.errors.get('mobile')" class="fielderror"
+              py:content="tg.errors.get('mobile')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.pager.field_id}"
+            py:content="user.pager.label" />:
+        </th>
+        <td>
+          <span py:replace="user.pager.display(value_for(user.pager))" />
+          <span py:if="tg.errors.get('pager')" class="fielderror"
+              py:content="tg.errors.get('pager')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.homephone.field_id}"
+            py:content="user.homephone.label" />:
+        </th>
+        <td>
+          <span py:replace="user.homephone.display(value_for(user.homephone))" />
+          <span py:if="tg.errors.get('homephone')" class="fielderror"
+              py:content="tg.errors.get('homephone')" />
+        </td>
+      </tr>
+    </table>
+
+    <div class="formsection">Mailing Address</div>
+    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.street.field_id}"
+            py:content="user.street.label" />:
+        </th>
+        <td>
+          <span py:replace="user.street.display(value_for(user.street))" />
+          <span py:if="tg.errors.get('street')" class="fielderror"
+              py:content="tg.errors.get('street')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.l.field_id}"
+            py:content="user.l.label" />:
+        </th>
+        <td>
+          <span py:replace="user.l.display(value_for(user.l))" />
+          <span py:if="tg.errors.get('l')" class="fielderror"
+              py:content="tg.errors.get('l')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.st.field_id}"
+            py:content="user.st.label" />:
+        </th>
+        <td>
+          <span py:replace="user.st.display(value_for(user.st))" />
+          <span py:if="tg.errors.get('st')" class="fielderror"
+              py:content="tg.errors.get('st')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.postalcode.field_id}"
+            py:content="user.postalcode.label" />:
+        </th>
+        <td>
+          <span py:replace="user.postalcode.display(value_for(user.postalcode))" />
+          <span py:if="tg.errors.get('postalcode')" class="fielderror"
+              py:content="tg.errors.get('postalcode')" />
+        </td>
+      </tr>
+    </table>
+
+    <div class="formsection">Employee Information</div>
+    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.ou.field_id}"
+            py:content="user.ou.label" />:
+        </th>
+        <td>
+          <span py:replace="user.ou.display(value_for(user.ou))" />
+          <span py:if="tg.errors.get('ou')" class="fielderror"
+              py:content="tg.errors.get('ou')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.businesscategory.field_id}"
+            py:content="user.businesscategory.label" />:
+        </th>
+        <td>
+          <span py:replace="user.businesscategory.display(value_for(user.businesscategory))" />
+          <span py:if="tg.errors.get('businesscategory')" class="fielderror"
+              py:content="tg.errors.get('businesscategory')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.description.field_id}"
+            py:content="user.description.label" />:
+        </th>
+        <td>
+          <span py:replace="user.description.display(value_for(user.description))" />
+          <span py:if="tg.errors.get('description')" class="fielderror"
+              py:content="tg.errors.get('description')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.employeetype.field_id}"
+            py:content="user.employeetype.label" />:
+        </th>
+        <td>
+          <span py:replace="user.employeetype.display(value_for(user.employeetype))" />
+          <span py:if="tg.errors.get('employeetype')" class="fielderror"
+              py:content="tg.errors.get('employeetype')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.manager.field_id}"
+            py:content="user.manager.label" />:
+        </th>
+        <td>
+           TODO
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.roomnumber.field_id}"
+            py:content="user.roomnumber.label" />:
+        </th>
+        <td>
+          <span py:replace="user.roomnumber.display(value_for(user.roomnumber))" />
+          <span py:if="tg.errors.get('roomnumber')" class="fielderror"
+              py:content="tg.errors.get('roomnumber')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.secretary.field_id}"
+            py:content="user.secretary.label" />:
+        </th>
+        <td>
+           TODO
+        </td>
+      </tr>
+    </table>
+
+    <div class="formsection">Misc Information</div>
+    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.carlicense.field_id}"
+            py:content="user.carlicense.label" />:
+        </th>
+        <td>
+          <span py:replace="user.carlicense.display(value_for(user.carlicense))" />
+          <span py:if="tg.errors.get('carlicense')" class="fielderror"
+              py:content="tg.errors.get('carlicense')" />
+        </td>
+      </tr>
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${user.labeleduri.field_id}"
+            py:content="user.labeleduri.label" />:
+        </th>
+        <td>
+          <span py:replace="user.labeleduri.display(value_for(user.labeleduri))" />
+          <span py:if="tg.errors.get('labeleduri')" class="fielderror"
+              py:content="tg.errors.get('labeleduri')" />
         </td>
       </tr>
     </table>
diff -r 0ab2c3267500 -r ee2e41c50353 ipa-server/ipa-gui/ipagui/templates/usershow.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usershow.kid	Wed Oct 03 10:23:47 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usershow.kid	Wed Oct 03 13:53:14 2007 -0700
@@ -37,6 +37,12 @@ else:
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
         <tr>
           <th>
+            <label class="fieldlabel" py:content="fields.title.label" />:
+          </th>
+          <td>${user.get("title")}</td>
+        </tr>
+        <tr>
+          <th>
             <label class="fieldlabel" py:content="fields.givenname.label" />:
           </th>
           <td>${user.get("givenname")}</td>
@@ -47,12 +53,36 @@ else:
           </th>
           <td>${user.get("sn")}</td>
         </tr>
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.cn.label" />:
+          </th>
+          <td>${user.get("cn")}</td>
+        </tr>
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.displayname.label" />:
+          </th>
+          <td>${user.get("displayname")}</td>
+        </tr>
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.initials.label" />:
+          </th>
+          <td>${user.get("initials")}</td>
+        </tr>
     </table>
 
     <div class="formsection">Account Details</div>
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
         <tr>
           <th>
+            <label class="fieldlabel" py:content="fields.nsAccountLock.label" />:
+          </th>
+          <td>${userhelper.account_status_display(user.get("nsAccountLock"))}</td>
+        </tr>
+        <tr>
+          <th>
             <label class="fieldlabel" py:content="fields.uid.label" />:
           </th>
           <td>${user.get("uid")}</td>
@@ -69,6 +99,24 @@ else:
           </th>
           <td>${user.get("gidnumber")}</td>
         </tr>
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.homedirectory.label" />:
+          </th>
+          <td>${user.get("homedirectory")}</td>
+        </tr>
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.loginshell.label" />:
+          </th>
+          <td>${user.get("loginshell")}</td>
+        </tr>
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.gecos.label" />:
+          </th>
+          <td>${user.get("gecos")}</td>
+        </tr>
     </table>
 
     <div class="formsection">Contact Details</div>
@@ -84,6 +132,86 @@ else:
             <label class="fieldlabel" py:content="fields.telephonenumber.label" />:
           </th>
           <td>${user.get("telephonenumber")}</td>
+        </tr>
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.facsimiletelephonenumber.label" />:
+          </th>
+          <td>${user.get("facsimiletelephonenumber")}</td>
+        </tr>
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.mobile.label" />:
+          </th>
+          <td>${user.get("mobile")}</td>
+        </tr>
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.pager.label" />:
+          </th>
+          <td>${user.get("pager")}</td>
+        </tr>
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.homephone.label" />:
+          </th>
+          <td>${user.get("homephone")}</td>
+        </tr>
+    </table>
+
+    <div class="formsection">Mailing Address</div>
+    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.street.label" />:
+          </th>
+          <td>${user.get("street")}</td>
+        </tr>
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.l.label" />:
+          </th>
+          <td>${user.get("l")}</td>
+        </tr>
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.st.label" />:
+          </th>
+          <td>${user.get("st")}</td>
+        </tr>
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.postalcode.label" />:
+          </th>
+          <td>${user.get("postalcode")}</td>
+        </tr>
+    </table>
+
+    <div class="formsection">Employee Information</div>
+    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.ou.label" />:
+          </th>
+          <td>${user.get("ou")}</td>
+        </tr>
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.businesscategory.label" />:
+          </th>
+          <td>${user.get("businesscategory")}</td>
+        </tr>
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.description.label" />:
+          </th>
+          <td>${user.get("description")}</td>
+        </tr>
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.employeetype.label" />:
+          </th>
+          <td>${user.get("employeetype")}</td>
         </tr>
         <tr py:if='user_manager'>
           <th>
@@ -94,16 +222,34 @@ else:
               >${user_manager.givenname} ${user_manager.sn}</a>
           </td>
         </tr>
-    </table>
-
-    <div class="formsection">Account Status</div>
-    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
-      <tr>
-        <th>
-          <label class="fieldlabel" py:content="fields.nsAccountLock.label" />:
-        </th>
-        <td>${userhelper.account_status_display(user.get("nsAccountLock"))}</td>
-      </tr>
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.roomnumber.label" />:
+          </th>
+          <td>${user.get("roomnumber")}</td>
+        </tr>
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.secretary.label" />:
+          </th>
+          <td>TODO</td>
+        </tr>
+    </table>
+
+    <div class="formsection">Misc Information</div>
+    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.carlicense.label" />:
+          </th>
+          <td>${user.get("carlicense")}</td>
+        </tr>
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.labeleduri.label" />:
+          </th>
+          <td>${user.get("labeleduri")}</td>
+        </tr>
     </table>
 
     <div class="formsection" py:if='len(user_reports) &gt; 0'>Direct Reports</div>
diff -r 0ab2c3267500 -r ee2e41c50353 ipa-server/xmlrpc-server/funcs.py
--- a/ipa-server/xmlrpc-server/funcs.py	Wed Oct 03 10:23:47 2007 -0700
+++ b/ipa-server/xmlrpc-server/funcs.py	Wed Oct 03 13:53:14 2007 -0700
@@ -352,7 +352,7 @@ class IPAServer:
         # Let us add in some missing attributes
         if user.get('homedirectory') is None:
             user['homedirectory'] = '/home/%s' % user.get('uid')
-        if not user.get('gecos') is None:
+        if user.get('gecos') is None:
             user['gecos'] = user['uid']
 
         # FIXME: This can be removed once the DS plugin is installed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071003/2c9c11a3/attachment.bin>

From rcritten at redhat.com  Wed Oct  3 20:52:50 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 03 Oct 2007 16:52:50 -0400
Subject: [Freeipa-devel] [PATCH] install dies if selinux is disabled
In-Reply-To: <1191443973.26778.50.camel@localhost.localdomain>
References: <939dd5750710031000i4fe658f2kf94720915dc74b9d@mail.gmail.com>	<1191434386.26778.3.camel@localhost.localdomain>	<939dd5750710031107n7f946fc3g896fc927e1f19f89@mail.gmail.com>	<1191435631.26778.9.camel@localhost.localdomain>	<939dd5750710031311qc9c5588meda2c916dee43481@mail.gmail.com>
	<1191443973.26778.50.camel@localhost.localdomain>
Message-ID: <47040122.4010505@redhat.com>

Simo Sorce wrote:
> On Wed, 2007-10-03 at 16:11 -0400, William Jon McCann wrote:
>> Here's an updated patch that does both.  And adds a check to make sure
>> it is running as root.
> 
> Looks good as a first step to me.
> 
> Simo.

Pushed. I modified the question when removing the DS instances so the 
user knows what it is they are agreeing to.

I'll rework my patch to apply cleanly against this and resubmit.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071003/0d6be7c6/attachment.bin>

From ssorce at redhat.com  Wed Oct  3 21:02:56 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 03 Oct 2007 17:02:56 -0400
Subject: [Freeipa-devel] [PATCH] install dies if selinux is disabled
In-Reply-To: <47040122.4010505@redhat.com>
References: <939dd5750710031000i4fe658f2kf94720915dc74b9d@mail.gmail.com>
	<1191434386.26778.3.camel@localhost.localdomain>
	<939dd5750710031107n7f946fc3g896fc927e1f19f89@mail.gmail.com>
	<1191435631.26778.9.camel@localhost.localdomain>
	<939dd5750710031311qc9c5588meda2c916dee43481@mail.gmail.com>
	<1191443973.26778.50.camel@localhost.localdomain>
	<47040122.4010505@redhat.com>
Message-ID: <1191445376.26778.57.camel@localhost.localdomain>

On Wed, 2007-10-03 at 16:52 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Wed, 2007-10-03 at 16:11 -0400, William Jon McCann wrote:
> >> Here's an updated patch that does both.  And adds a check to make sure
> >> it is running as root.
> > 
> > Looks good as a first step to me.
> > 
> > Simo.
> 
> Pushed. I modified the question when removing the DS instances so the 
> user knows what it is they are agreeing to.
> 
> I'll rework my patch to apply cleanly against this and resubmit.


Great,
thanks.



From ssorce at redhat.com  Wed Oct  3 21:27:37 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 03 Oct 2007 17:27:37 -0400
Subject: [Freeipa-devel] [PATCH] more robust installation error handling
In-Reply-To: <4703F7E9.8090002@redhat.com>
References: <4703F7E9.8090002@redhat.com>
Message-ID: <1191446857.26778.66.camel@localhost.localdomain>

On Wed, 2007-10-03 at 16:13 -0400, Rob Crittenden wrote:
> This needs more work but it is a first crack at trying to catch more 
> error conditions during installation. What it currently lacks is 
> completely bailing out, offering the user a choice to continue and/or 
> doing a rollback.
> 
> I also didn't add any code to exit out if an existing DS is found.
> Not 
> sure if we want to do that or not.
> 
> I also incorporated most of the patch to handle when SELinux is
> disabled 
> from Jon McCann. I just do the selinux check slightly differently.
> 
> I also noticed an error when I had old service keytabs and included 
> something to handle SASL/GSSAPI authentication failures when getting
> a 
> connection. 


Looks very good.

Simo.



From ssorce at redhat.com  Wed Oct  3 21:43:15 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 03 Oct 2007 17:43:15 -0400
Subject: [Freeipa-devel] [PATCH] add the rest of the user fields
In-Reply-To: <20071003204549.GA23064@moon.usersys.redhat.com>
References: <20071003204549.GA23064@moon.usersys.redhat.com>
Message-ID: <1191447795.26778.68.camel@localhost.localdomain>

On Wed, 2007-10-03 at 13:45 -0700, Kevin McCarthy wrote:
> Pete and I took a crack at picking out the fields that should go on the
> user forms.  I've added them here.  Some of these need to be
> multi-value, but I'm not handling that yet (first need to get rebuilding
> the demo server).

Looks sane.

Simo.



From kmccarth at redhat.com  Wed Oct  3 21:45:34 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Wed, 3 Oct 2007 14:45:34 -0700
Subject: [Freeipa-devel] [PATCH] add the rest of the user fields
In-Reply-To: <1191447795.26778.68.camel@localhost.localdomain>
References: <20071003204549.GA23064@moon.usersys.redhat.com>
	<1191447795.26778.68.camel@localhost.localdomain>
Message-ID: <20071003214534.GB23064@moon.usersys.redhat.com>

Simo Sorce wrote:
> On Wed, 2007-10-03 at 13:45 -0700, Kevin McCarthy wrote:
> > Pete and I took a crack at picking out the fields that should go on the
> > user forms.  I've added them here.  Some of these need to be
> > multi-value, but I'm not handling that yet (first need to get rebuilding
> > the demo server).
> 
> Looks sane.

Pushed.

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071003/5a3f6ccd/attachment.bin>

From rcritten at redhat.com  Wed Oct  3 21:50:17 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 03 Oct 2007 17:50:17 -0400
Subject: [Freeipa-devel] [PATCH] more robust installation error handling
In-Reply-To: <1191446857.26778.66.camel@localhost.localdomain>
References: <4703F7E9.8090002@redhat.com>
	<1191446857.26778.66.camel@localhost.localdomain>
Message-ID: <47040E99.9010209@redhat.com>

Simo Sorce wrote:
> On Wed, 2007-10-03 at 16:13 -0400, Rob Crittenden wrote:
>> This needs more work but it is a first crack at trying to catch more 
>> error conditions during installation. What it currently lacks is 
>> completely bailing out, offering the user a choice to continue and/or 
>> doing a rollback.
>>
>> I also didn't add any code to exit out if an existing DS is found.
>> Not 
>> sure if we want to do that or not.
>>
>> I also incorporated most of the patch to handle when SELinux is
>> disabled 
>> from Jon McCann. I just do the selinux check slightly differently.
>>
>> I also noticed an error when I had old service keytabs and included 
>> something to handle SASL/GSSAPI authentication failures when getting
>> a 
>> connection. 
> 
> 
> Looks very good.
>

Pushed. The patch I pushed out removes the selinux test that Jon added 
and replaces it with one that uses /usr/sbin/selinuxenabled to determine 
if SELinux is available or not.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071003/212da55a/attachment.bin>

From mccann at jhu.edu  Thu Oct  4 00:53:12 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Wed, 3 Oct 2007 20:53:12 -0400
Subject: [Freeipa-devel] [PATCH] don't append values multiple times to
	configuration files
Message-ID: <939dd5750710031753m3a03f970we42f2c154552cc57@mail.gmail.com>

Hi,

After playing with the install (repeatedly) I ended up with a lot of
duplicate values in:
/etc/sysconfig/dirsrv
/etc/sysconfig/ipa-kpasswd

Here is a patch that should fix this.  It modifies the file "in-place"
and removes lines that matching the key (or commented key) and then
appends the new key=value.

Jon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-no-key-dups.diff
Type: text/x-diff
Size: 2066 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071003/713346a1/attachment.bin>

From kmccarth at redhat.com  Thu Oct  4 01:23:41 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Wed, 3 Oct 2007 18:23:41 -0700
Subject: [Freeipa-devel] [PATCH] fix group api param names, controller calls
Message-ID: <20071004012341.GC23064@moon.usersys.redhat.com>

This patch trickles the group_cn to group_dn rename down through to
ipaclient.

It also fixes the calls in controller.py (don't know why I didn't think
of that earlier...)

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1191460901 25200
# Node ID a2dfae790baec6be81220e0b0a8f970939851fc0
# Parent  64b5a772eb8fec1c635d8ea9b626a661a75f23ea
Trickle the group_cn to group_dn down the layers.  Fix controller calls.

diff -r 64b5a772eb8f -r a2dfae790bae ipa-python/ipaclient.py
--- a/ipa-python/ipaclient.py	Wed Oct 03 18:13:35 2007 -0700
+++ b/ipa-python/ipaclient.py	Wed Oct 03 18:21:41 2007 -0700
@@ -202,69 +202,69 @@ class IPAClient:
 
         return groups
 
-    def add_member_to_group(self, member_dn, group_cn):
+    def add_member_to_group(self, member_dn, group_dn):
         """Add a member to an existing group.
         """
 
-        return self.transport.add_member_to_group(member_dn, group_cn)
-
-    def add_members_to_group(self, member_dns, group_cn):
+        return self.transport.add_member_to_group(member_dn, group_dn)
+
+    def add_members_to_group(self, member_dns, group_dn):
         """Add several members to an existing group.
            member_dns is a list of dns to add
 
            Returns a list of the dns that were not added.
         """
 
-        return self.transport.add_members_to_group(member_dns, group_cn)
-
-    def remove_member_from_group(self, member_dn, group_cn):
+        return self.transport.add_members_to_group(member_dns, group_dn)
+
+    def remove_member_from_group(self, member_dn, group_dn):
         """Remove a member from an existing group.
         """
 
-        return self.transport.remove_member_from_group(member_dn, group_cn)
-
-    def remove_members_from_group(self, member_dns, group_cn):
+        return self.transport.remove_member_from_group(member_dn, group_dn)
+
+    def remove_members_from_group(self, member_dns, group_dn):
         """Remove several members from an existing group.
            member_dns is a list of dns to remove
 
            Returns a list of the dns that were not removed.
         """
 
-        return self.transport.remove_members_from_group(member_dns, group_cn)
-
-    def add_user_to_group(self, user_uid, group_cn):
+        return self.transport.remove_members_from_group(member_dns, group_dn)
+
+    def add_user_to_group(self, user_uid, group_dn):
         """Add a user to an existing group.
            user is a uid of the user to add
            group is the cn of the group to be added to
         """
 
-        return self.transport.add_user_to_group(user_uid, group_cn)
-
-    def add_users_to_group(self, user_uids, group_cn):
+        return self.transport.add_user_to_group(user_uid, group_dn)
+
+    def add_users_to_group(self, user_uids, group_dn):
         """Add several users to an existing group.
            user_uids is a list of uids of the users to add
 
            Returns a list of the user uids that were not added.
         """
 
-        return self.transport.add_users_to_group(user_uids, group_cn)
-
-    def remove_user_from_group(self, user_uid, group_cn):
+        return self.transport.add_users_to_group(user_uids, group_dn)
+
+    def remove_user_from_group(self, user_uid, group_dn):
         """Remove a user from an existing group.
            user is a uid of the user to remove
            group is the cn of the group to be removed from
         """
 
-        return self.transport.remove_user_from_group(user_uid, group_cn)
-
-    def remove_users_from_group(self, user_uids, group_cn):
+        return self.transport.remove_user_from_group(user_uid, group_dn)
+
+    def remove_users_from_group(self, user_uids, group_dn):
         """Remove several users from an existing group.
            user_uids is a list of uids of the users to remove
 
            Returns a list of the user uids that were not removed.
         """
 
-        return self.transport.remove_users_from_group(user_uids, group_cn)
+        return self.transport.remove_users_from_group(user_uids, group_dn)
 
     def add_groups_to_user(self, group_dns, user_dn):
         """Given a list of group dn's add them to the user.
diff -r 64b5a772eb8f -r a2dfae790bae ipa-python/rpcclient.py
--- a/ipa-python/rpcclient.py	Wed Oct 03 18:13:35 2007 -0700
+++ b/ipa-python/rpcclient.py	Wed Oct 03 18:21:41 2007 -0700
@@ -342,20 +342,20 @@ class RPCClient:
     
         return ipautil.unwrap_binary_data(result)
 
-    def add_member_to_group(self, member_dn, group_cn):
+    def add_member_to_group(self, member_dn, group_dn):
         """Add a new member to an existing group.
         """
         server = self.setup_server()
         try:
-            result = server.add_member_to_group(member_dn, group_cn)
-        except xmlrpclib.Fault, fault:
-            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
-        except socket.error, (value, msg):
-            raise xmlrpclib.Fault(value, msg)
-
-        return ipautil.unwrap_binary_data(result)
-
-    def add_members_to_group(self, member_dns, group_cn):
+            result = server.add_member_to_group(member_dn, group_dn)
+        except xmlrpclib.Fault, fault:
+            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
+        except socket.error, (value, msg):
+            raise xmlrpclib.Fault(value, msg)
+
+        return ipautil.unwrap_binary_data(result)
+
+    def add_members_to_group(self, member_dns, group_dn):
         """Add several members to an existing group.
            member_dns is a list of the dns to add
 
@@ -363,56 +363,56 @@ class RPCClient:
         """
         server = self.setup_server()
         try:
-            result = server.add_members_to_group(member_dns, group_cn)
-        except xmlrpclib.Fault, fault:
-            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
-        except socket.error, (value, msg):
-            raise xmlrpclib.Fault(value, msg)
-
-        return ipautil.unwrap_binary_data(result)
-
-    def remove_member_from_group(self, member_dn, group_cn):
+            result = server.add_members_to_group(member_dns, group_dn)
+        except xmlrpclib.Fault, fault:
+            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
+        except socket.error, (value, msg):
+            raise xmlrpclib.Fault(value, msg)
+
+        return ipautil.unwrap_binary_data(result)
+
+    def remove_member_from_group(self, member_dn, group_dn):
         """Remove a member from an existing group.
         """
         server = self.setup_server()
         try:
-            result = server.remove_member_from_group(member_dn, group_cn)
-        except xmlrpclib.Fault, fault:
-            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
-        except socket.error, (value, msg):
-            raise xmlrpclib.Fault(value, msg)
-
-        return ipautil.unwrap_binary_data(result)
-
-    def remove_members_from_group(self, member_dns, group_cn):
+            result = server.remove_member_from_group(member_dn, group_dn)
+        except xmlrpclib.Fault, fault:
+            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
+        except socket.error, (value, msg):
+            raise xmlrpclib.Fault(value, msg)
+
+        return ipautil.unwrap_binary_data(result)
+
+    def remove_members_from_group(self, member_dns, group_dn):
         """Remove several members from an existing group.
 
            Returns a list of the dns that were not removed.
         """
         server = self.setup_server()
         try:
-            result = server.remove_members_from_group(member_dns, group_cn)
-        except xmlrpclib.Fault, fault:
-            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
-        except socket.error, (value, msg):
-            raise xmlrpclib.Fault(value, msg)
-
-        return ipautil.unwrap_binary_data(result)
-
-    def add_user_to_group(self, user_uid, group_cn):
+            result = server.remove_members_from_group(member_dns, group_dn)
+        except xmlrpclib.Fault, fault:
+            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
+        except socket.error, (value, msg):
+            raise xmlrpclib.Fault(value, msg)
+
+        return ipautil.unwrap_binary_data(result)
+
+    def add_user_to_group(self, user_uid, group_dn):
         """Add a user to an existing group.
         """
         server = self.setup_server()
         try:
-            result = server.add_user_to_group(user_uid, group_cn)
-        except xmlrpclib.Fault, fault:
-            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
-        except socket.error, (value, msg):
-            raise xmlrpclib.Fault(value, msg)
-
-        return ipautil.unwrap_binary_data(result)
-
-    def add_users_to_group(self, user_uids, group_cn):
+            result = server.add_user_to_group(user_uid, group_dn)
+        except xmlrpclib.Fault, fault:
+            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
+        except socket.error, (value, msg):
+            raise xmlrpclib.Fault(value, msg)
+
+        return ipautil.unwrap_binary_data(result)
+
+    def add_users_to_group(self, user_uids, group_dn):
         """Add several users to an existing group.
            user_uids is a list of the uids of the users to add
 
@@ -420,28 +420,28 @@ class RPCClient:
         """
         server = self.setup_server()
         try:
-            result = server.add_users_to_group(user_uids, group_cn)
-        except xmlrpclib.Fault, fault:
-            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
-        except socket.error, (value, msg):
-            raise xmlrpclib.Fault(value, msg)
-
-        return ipautil.unwrap_binary_data(result)
-
-    def remove_user_from_group(self, user_uid, group_cn):
+            result = server.add_users_to_group(user_uids, group_dn)
+        except xmlrpclib.Fault, fault:
+            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
+        except socket.error, (value, msg):
+            raise xmlrpclib.Fault(value, msg)
+
+        return ipautil.unwrap_binary_data(result)
+
+    def remove_user_from_group(self, user_uid, group_dn):
         """Remove a user from an existing group.
         """
         server = self.setup_server()
         try:
-            result = server.remove_user_from_group(user_uid, group_cn)
-        except xmlrpclib.Fault, fault:
-            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
-        except socket.error, (value, msg):
-            raise xmlrpclib.Fault(value, msg)
-    
-        return ipautil.unwrap_binary_data(result)
-
-    def remove_users_from_group(self, user_uids, group_cn):
+            result = server.remove_user_from_group(user_uid, group_dn)
+        except xmlrpclib.Fault, fault:
+            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
+        except socket.error, (value, msg):
+            raise xmlrpclib.Fault(value, msg)
+    
+        return ipautil.unwrap_binary_data(result)
+
+    def remove_users_from_group(self, user_uids, group_dn):
         """Remove several users from an existing group.
            user_uids is a list of the uids of the users to remove
 
@@ -449,7 +449,7 @@ class RPCClient:
         """
         server = self.setup_server()
         try:
-            result = server.remove_users_from_group(user_uids, group_cn)
+            result = server.remove_users_from_group(user_uids, group_dn)
         except xmlrpclib.Fault, fault:
             raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
         except socket.error, (value, msg):
diff -r 64b5a772eb8f -r a2dfae790bae ipa-server/ipa-gui/ipagui/controllers.py
--- a/ipa-server/ipa-gui/ipagui/controllers.py	Wed Oct 03 18:13:35 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/controllers.py	Wed Oct 03 18:21:41 2007 -0700
@@ -701,7 +701,7 @@ class Root(controllers.RootController):
                 if not(isinstance(dnadds,list) or isinstance(dnadds,tuple)):
                     dnadds = [dnadds]
                 failed_adds = client.add_members_to_group(
-                        utf8_encode_values(dnadds), kw.get('cn'))
+                        utf8_encode_values(dnadds), group.dn)
                 kw['dnadd'] = failed_adds
         except ipaerror.IPAError, e:
             failed_adds = dnadds
@@ -797,7 +797,7 @@ class Root(controllers.RootController):
             return dict(form=group_edit_form, group=group_dict, members=member_dicts)
         except ipaerror.IPAError, e:
             turbogears.flash("Group edit failed: " + str(e))
-            raise turbogears.redirect('/groupshow', uid=kw.get('cn'))
+            raise turbogears.redirect('/groupshow', uid=cn)
 
     @expose()
     @identity.require(identity.not_anonymous())
@@ -859,7 +859,7 @@ class Root(controllers.RootController):
                 if not(isinstance(dnadds,list) or isinstance(dnadds,tuple)):
                     dnadds = [dnadds]
                 failed_adds = client.add_members_to_group(
-                        utf8_encode_values(dnadds), kw.get('cn'))
+                        utf8_encode_values(dnadds), new_group.dn)
                 kw['dnadd'] = failed_adds
         except ipaerror.IPAError, e:
             turbogears.flash("Group update failed: " + str(e))
@@ -876,7 +876,7 @@ class Root(controllers.RootController):
                 if not(isinstance(dndels,list) or isinstance(dndels,tuple)):
                     dndels = [dndels]
                 failed_dels = client.remove_members_from_group(
-                        utf8_encode_values(dndels), kw.get('cn'))
+                        utf8_encode_values(dndels), new_group.dn)
                 kw['dndel'] = failed_dels
         except ipaerror.IPAError, e:
             turbogears.flash("Group update failed: " + str(e))
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071003/69613999/attachment.bin>

From mccann at jhu.edu  Thu Oct  4 01:25:50 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Wed, 3 Oct 2007 21:25:50 -0400
Subject: [Freeipa-devel] [PATCH] install dies if selinux is disabled
In-Reply-To: <47040122.4010505@redhat.com>
References: <939dd5750710031000i4fe658f2kf94720915dc74b9d@mail.gmail.com>
	<1191434386.26778.3.camel@localhost.localdomain>
	<939dd5750710031107n7f946fc3g896fc927e1f19f89@mail.gmail.com>
	<1191435631.26778.9.camel@localhost.localdomain>
	<939dd5750710031311qc9c5588meda2c916dee43481@mail.gmail.com>
	<1191443973.26778.50.camel@localhost.localdomain>
	<47040122.4010505@redhat.com>
Message-ID: <939dd5750710031825x3db8dd1cq7fc9857e4b181c8@mail.gmail.com>

Hi Rob,

On 10/3/07, Rob Crittenden <rcritten at redhat.com> wrote:
> Pushed. I modified the question when removing the DS instances so the
> user knows what it is they are agreeing to.
>
> I'll rework my patch to apply cleanly against this and resubmit.

Unfortunately, I let a copy/paste bug slip in.  Really sorry about
that.  Fix attached.

Thanks,
Jon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-typo.diff
Type: text/x-diff
Size: 488 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071003/c3c6adbb/attachment.bin>

From rcritten at redhat.com  Thu Oct  4 01:45:47 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 03 Oct 2007 21:45:47 -0400
Subject: [Freeipa-devel] [PATCH] install dies if selinux is disabled
In-Reply-To: <939dd5750710031825x3db8dd1cq7fc9857e4b181c8@mail.gmail.com>
References: <939dd5750710031000i4fe658f2kf94720915dc74b9d@mail.gmail.com>	
	<1191434386.26778.3.camel@localhost.localdomain>	
	<939dd5750710031107n7f946fc3g896fc927e1f19f89@mail.gmail.com>	
	<1191435631.26778.9.camel@localhost.localdomain>	
	<939dd5750710031311qc9c5588meda2c916dee43481@mail.gmail.com>	
	<1191443973.26778.50.camel@localhost.localdomain>	
	<47040122.4010505@redhat.com>
	<939dd5750710031825x3db8dd1cq7fc9857e4b181c8@mail.gmail.com>
Message-ID: <470445CB.4040601@redhat.com>

William Jon McCann wrote:
> Hi Rob,
> 
> On 10/3/07, Rob Crittenden <rcritten at redhat.com> wrote:
>> Pushed. I modified the question when removing the DS instances so the
>> user knows what it is they are agreeing to.
>>
>> I'll rework my patch to apply cleanly against this and resubmit.
> 
> Unfortunately, I let a copy/paste bug slip in.  Really sorry about
> that.  Fix attached.
> 
> Thanks,
> Jon
> 

Acked and pushed.

I should have looked at the original patch closer myself.

cheers

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071003/90b18b6e/attachment.bin>

From rcritten at redhat.com  Thu Oct  4 13:27:49 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 04 Oct 2007 09:27:49 -0400
Subject: [Freeipa-devel] [PATCH] don't append values multiple times to
	configuration files
In-Reply-To: <939dd5750710031753m3a03f970we42f2c154552cc57@mail.gmail.com>
References: <939dd5750710031753m3a03f970we42f2c154552cc57@mail.gmail.com>
Message-ID: <4704EA55.5030505@redhat.com>

William Jon McCann wrote:
> Hi,
> 
> After playing with the install (repeatedly) I ended up with a lot of
> duplicate values in:
> /etc/sysconfig/dirsrv
> /etc/sysconfig/ipa-kpasswd
> 
> Here is a patch that should fix this.  It modifies the file "in-place"
> and removes lines that matching the key (or commented key) and then
> appends the new key=value.
> 
> Jon

Cool, I've wanted to fix this for a while (and recently aborted a switch 
from open with "a" to "w").

What happens if the file doesn't exist yet? Do we need to wrap the 
fileinput loop in either a try/except or just look to see if the file 
exists first (my vote)?

Something like:

def update_key_val_in_file(filename, key, val):
     if os.path.exists(filename):
         pattern = "^[\s#]*%s\s*=" % re.escape(key)
         p = re.compile(pattern)
         for line in fileinput.input(filename, inplace=1):
             if not p.search(line):
                 sys.stdout.write(line)
         fileinput.close()
     f = open(filename, "a")
     f.write("%s=%s\n" % (key, val))
     f.close()

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071004/c33e8dd9/attachment.bin>

From rcritten at redhat.com  Thu Oct  4 13:44:33 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 04 Oct 2007 09:44:33 -0400
Subject: [Freeipa-devel] [PATCH] fix group api param names, controller
	calls
In-Reply-To: <20071004012341.GC23064@moon.usersys.redhat.com>
References: <20071004012341.GC23064@moon.usersys.redhat.com>
Message-ID: <4704EE41.8040304@redhat.com>

Kevin McCarthy wrote:
> This patch trickles the group_cn to group_dn rename down through to
> ipaclient.
> 
> It also fixes the calls in controller.py (don't know why I didn't think
> of that earlier...)
> 
> -Kevin

Looks good.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071004/e2b5a281/attachment.bin>

From kmacmill at redhat.com  Thu Oct  4 14:12:10 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 04 Oct 2007 10:12:10 -0400
Subject: [Freeipa-devel] Kerberos ticket forwarding
In-Reply-To: <4703B716.3050503@redhat.com>
References: <47015C1C.40403@redhat.com>  <4703B716.3050503@redhat.com>
Message-ID: <1191507130.3175.12.camel@dhcp-64-223.iad.redhat.com>

On Wed, 2007-10-03 at 11:36 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > I started from scratch on the Kerberos ticket forwarding problem and 
> > mod_auth_kerb again. I have a 2-line patch that fixes it now and doesn't 
> > require the massive changes I currently used.
> > 
> > In my rush I included the F7 patch in the RHEL-5 bug :-( I also made a 
> > patch for that.
> > 
> > The patch for both can be found at:
> > https://bugzilla.redhat.com/show_bug.cgi?id=301061
> > 
> > Note that I had RHEL-5 enforcing on my RHEL-5 box and had lots of 
> > problems with the tickets.
> > 
> > The CGI I wrote to test this called klist to show that the ticket was 
> > forwarded properly. I got this denial:
> > 
> > Oct  1 16:38:18 thor setroubleshoot:      SELinux is preventing the 
> > /usr/kerberos/bin/klist from using potentially mislabeled files 
> > (/tmp/krb5cc_apache_TxNr3M).      For complete SELinux messages. run 
> > sealert -l 40a72116-ed45-420d-914a-ce9d56486d94
> > 
> > rob
> >
> 

Can you get me the full SELinux message with that sealert command? That
message normally means there is something wrong with the labeling of
your system.

Karl



From kmacmill at redhat.com  Thu Oct  4 14:17:14 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 04 Oct 2007 10:17:14 -0400
Subject: [Freeipa-devel] [PATCH] more robust installation error handling
In-Reply-To: <47040E99.9010209@redhat.com>
References: <4703F7E9.8090002@redhat.com>
	<1191446857.26778.66.camel@localhost.localdomain>
	<47040E99.9010209@redhat.com>
Message-ID: <1191507434.3175.16.camel@dhcp-64-223.iad.redhat.com>

On Wed, 2007-10-03 at 17:50 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Wed, 2007-10-03 at 16:13 -0400, Rob Crittenden wrote:
> >> This needs more work but it is a first crack at trying to catch more 
> >> error conditions during installation. What it currently lacks is 
> >> completely bailing out, offering the user a choice to continue and/or 
> >> doing a rollback.
> >>
> >> I also didn't add any code to exit out if an existing DS is found.
> >> Not 
> >> sure if we want to do that or not.
> >>
> >> I also incorporated most of the patch to handle when SELinux is
> >> disabled 
> >> from Jon McCann. I just do the selinux check slightly differently.
> >>
> >> I also noticed an error when I had old service keytabs and included 
> >> something to handle SASL/GSSAPI authentication failures when getting
> >> a 
> >> connection. 
> > 
> > 
> > Looks very good.
> >
> 
> Pushed. The patch I pushed out removes the selinux test that Jon added 
> and replaces it with one that uses /usr/sbin/selinuxenabled to determine 
> if SELinux is available or not.

Either one is likely fine, but I think checking for enabled like you do
is preferred. That will allow other errors to crop up (if the policy is
drastically different from expected for example).

Karl



From kmccarth at redhat.com  Thu Oct  4 15:21:47 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 4 Oct 2007 08:21:47 -0700
Subject: [Freeipa-devel] [PATCH] fix group api param names, controller
	calls
In-Reply-To: <4704EE41.8040304@redhat.com>
References: <20071004012341.GC23064@moon.usersys.redhat.com>
	<4704EE41.8040304@redhat.com>
Message-ID: <20071004152147.GA18815@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> This patch trickles the group_cn to group_dn rename down through to
>> ipaclient.
>> It also fixes the calls in controller.py (don't know why I didn't think
>> of that earlier...)
>> -Kevin
>
> Looks good.

Pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071004/dd41e533/attachment.bin>

From rcritten at redhat.com  Thu Oct  4 17:37:13 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 04 Oct 2007 13:37:13 -0400
Subject: [Freeipa-devel] Kerberos ticket forwarding
In-Reply-To: <4703B716.3050503@redhat.com>
References: <47015C1C.40403@redhat.com> <4703B716.3050503@redhat.com>
Message-ID: <470524C9.1000006@redhat.com>

Rob Crittenden wrote:
> Rob Crittenden wrote:
>> I started from scratch on the Kerberos ticket forwarding problem and 
>> mod_auth_kerb again. I have a 2-line patch that fixes it now and 
>> doesn't require the massive changes I currently used.
>>
>> In my rush I included the F7 patch in the RHEL-5 bug :-( I also made a 
>> patch for that.
>>
>> The patch for both can be found at:
>> https://bugzilla.redhat.com/show_bug.cgi?id=301061
>>
>> Note that I had RHEL-5 enforcing on my RHEL-5 box and had lots of 
>> problems with the tickets.
>>
>> The CGI I wrote to test this called klist to show that the ticket was 
>> forwarded properly. I got this denial:
>>
>> Oct  1 16:38:18 thor setroubleshoot:      SELinux is preventing the 
>> /usr/kerberos/bin/klist from using potentially mislabeled files 
>> (/tmp/krb5cc_apache_TxNr3M).      For complete SELinux messages. run 
>> sealert -l 40a72116-ed45-420d-914a-ce9d56486d94
>>
>> rob
>>
> 
> Attached is the new SRPM if anyone wants to give it a go.

Ok, it looks like I spoke too soon. This new module works fine with the 
command-line tools and curl but does not work with Firefox. With Firefox 
I get an error in Apache:

Cannot store delegated credential (gss_krb5_copy_ccache: Invalid 
credential was supplied (No error))

It works fine using the mod_auth_kerb SPNEGO code.

So to use the GUI stick with the 5.3-4ipa verison for now.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071004/54d103d0/attachment.bin>

From kmccarth at redhat.com  Thu Oct  4 19:18:38 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 4 Oct 2007 12:18:38 -0700
Subject: [Freeipa-devel] [PATCH] fix 'None' displaying
Message-ID: <20071004191838.GH18815@moon.usersys.redhat.com>

Fixes the None string displaying for results when given/sn is empty.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1191525600 25200
# Node ID 66bfe41b5572dcfa726e37403948eb6a034dc97b
# Parent  2e368caed0742dcce6f0108eda7360866d1e280a
Fixes none values in first/last name to display properly.

diff -r 2e368caed074 -r 66bfe41b5572 ipa-python/entity.py
--- a/ipa-python/entity.py	Thu Oct 04 08:28:10 2007 -0700
+++ b/ipa-python/entity.py	Thu Oct 04 12:20:00 2007 -0700
@@ -79,9 +79,9 @@ class Entity:
         """Get the list (array) of values for the attribute named name"""
         return self.data.get(name)
 
-    def getValue(self,name):
+    def getValue(self,name,default=None):
         """Get the first value for the attribute named name"""
-        value =  self.data.get(name,[None])
+        value =  self.data.get(name,default)
         if isinstance(value,list) or isinstance(value,tuple):
             return value[0]
         else:
diff -r 2e368caed074 -r 66bfe41b5572 ipa-server/ipa-gui/ipagui/templates/dynamiceditsearch.kid
--- a/ipa-server/ipa-gui/ipagui/templates/dynamiceditsearch.kid	Thu Oct 04 08:28:10 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/dynamiceditsearch.kid	Thu Oct 04 12:20:00 2007 -0700
@@ -26,7 +26,8 @@ from ipagui.helpers import ipahelper
             ent_dn_esc = ipahelper.javascript_string_escape(entity.dn)
             ent_uid = entity.uid
             if ent_uid:
-                ent_name = "%s %s" % (entity.givenName, entity.sn)
+                ent_name = "%s %s" % (entity.getValue('givenName', ''),
+                                      entity.getValue('sn', ''))
                 ent_descr = "(%s)" % entity.uid
                 ent_type = "user"
             else:
diff -r 2e368caed074 -r 66bfe41b5572 ipa-server/ipa-gui/ipagui/templates/groupeditform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid	Thu Oct 04 08:28:10 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid	Thu Oct 04 12:20:00 2007 -0700
@@ -116,8 +116,8 @@ from ipagui.helpers import ipahelper
 
           member_uid = member.get('uid')
           if member_uid:
-              member_name = "%s %s" % (member.get('givenName'),
-                                     member.get('sn'))
+              member_name = "%s %s" % (member.get('givenName', ''),
+                                     member.get('sn', ''))
               member_descr = "(%s)" % member.get('uid')
               member_type = "user"
           else:
diff -r 2e368caed074 -r 66bfe41b5572 ipa-server/ipa-gui/ipagui/templates/groupshow.kid
--- a/ipa-server/ipa-gui/ipagui/templates/groupshow.kid	Thu Oct 04 08:28:10 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/groupshow.kid	Thu Oct 04 12:20:00 2007 -0700
@@ -45,7 +45,7 @@ edit_url = tg.url('/groupedit', cn=group
 
       member_uid = member.get('uid')
       if member_uid:
-          member_cn = "%s %s" % (member.get('givenName'), member.get('sn'))
+          member_cn = "%s %s" % (member.get('givenName', ''), member.get('sn', ''))
           member_desc = "(%s)" % member_uid
           member_type = "user"
           view_url = tg.url('usershow', uid=member_uid)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071004/7a7488b3/attachment.bin>

From kmccarth at redhat.com  Thu Oct  4 20:37:51 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 4 Oct 2007 13:37:51 -0700
Subject: [Freeipa-devel] [PATCH] fix bootstrap data
Message-ID: <20071004203751.GI18815@moon.usersys.redhat.com>

The cn for the admin group didn't match its dn.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1191530479 25200
# Node ID c9f55589df941c7083c3dea7d1ff0cce0840e7dc
# Parent  66bfe41b5572dcfa726e37403948eb6a034dc97b
patch queue: admin_account_fix.patch

diff -r 66bfe41b5572 -r c9f55589df94 ipa-server/ipa-install/share/bootstrap-template.ldif
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif	Thu Oct 04 12:20:00 2007 -0700
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif	Thu Oct 04 13:41:19 2007 -0700
@@ -60,7 +60,7 @@ objectClass: top
 objectClass: top
 objectClass: groupofuniquenames
 objectClass: posixGroup
-cn: Account Admins
+cn: admins
 description: Account administrators group
 gidNumber: 1001
 uniqueMember: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071004/ad03a536/attachment.bin>

From ssorce at redhat.com  Thu Oct  4 21:09:19 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 04 Oct 2007 17:09:19 -0400
Subject: [Freeipa-devel] [PATCH] fix 'None' displaying
In-Reply-To: <20071004191838.GH18815@moon.usersys.redhat.com>
References: <20071004191838.GH18815@moon.usersys.redhat.com>
Message-ID: <1191532159.26778.95.camel@localhost.localdomain>

On Thu, 2007-10-04 at 12:18 -0700, Kevin McCarthy wrote:
> Fixes the None string displaying for results when given/sn is empty.

Looks ok



From ssorce at redhat.com  Thu Oct  4 21:10:30 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 04 Oct 2007 17:10:30 -0400
Subject: [Freeipa-devel] [PATCH] fix bootstrap data
In-Reply-To: <20071004203751.GI18815@moon.usersys.redhat.com>
References: <20071004203751.GI18815@moon.usersys.redhat.com>
Message-ID: <1191532230.26778.97.camel@localhost.localdomain>

On Thu, 2007-10-04 at 13:37 -0700, Kevin McCarthy wrote:
> The cn for the admin group didn't match its dn.

I wonder how this even worked, doesn't FDS check the attribute used for
the RDN matches ??

Simo.



From rmeggins at redhat.com  Thu Oct  4 21:15:45 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 04 Oct 2007 15:15:45 -0600
Subject: [Freeipa-devel] [PATCH] fix bootstrap data
In-Reply-To: <1191532230.26778.97.camel@localhost.localdomain>
References: <20071004203751.GI18815@moon.usersys.redhat.com>
	<1191532230.26778.97.camel@localhost.localdomain>
Message-ID: <47055801.4080706@redhat.com>

Simo Sorce wrote:
> On Thu, 2007-10-04 at 13:37 -0700, Kevin McCarthy wrote:
>   
>> The cn for the admin group didn't match its dn.
>>     
>
> I wonder how this even worked, doesn't FDS check the attribute used for
> the RDN matches ??
>   
I'm not sure I understand what you mean.
> Simo.
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>   

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071004/35f51ef0/attachment.bin>

From prowley at redhat.com  Thu Oct  4 21:20:08 2007
From: prowley at redhat.com (Pete Rowley)
Date: Thu, 04 Oct 2007 14:20:08 -0700
Subject: [Freeipa-devel] [PATCH] fix bootstrap data
In-Reply-To: <1191532230.26778.97.camel@localhost.localdomain>
References: <20071004203751.GI18815@moon.usersys.redhat.com>
	<1191532230.26778.97.camel@localhost.localdomain>
Message-ID: <47055908.4060604@redhat.com>

Simo Sorce wrote:
> On Thu, 2007-10-04 at 13:37 -0700, Kevin McCarthy wrote:
>   
>> The cn for the admin group didn't match its dn.
>>     
>
> I wonder how this even worked, doesn't FDS check the attribute used for
> the RDN matches ??
>   
It adds the rdn value if it is missing from the entry.

-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071004/5103173c/attachment.bin>

From kmccarth at redhat.com  Thu Oct  4 21:23:27 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 4 Oct 2007 14:23:27 -0700
Subject: [Freeipa-devel] [PATCH] fix auto-suggest code
Message-ID: <20071004212326.GJ18815@moon.usersys.redhat.com>

Fixes from Dan's feedback.  Non-roundtrip code goes before the ajax
calls.  Also found a dumb bug with the initials code.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1191533035 25200
# Node ID 181fd4fed78c68a7079e9d7eeb7c8a109db337f6
# Parent  472e4fdf6a838b0c058839281d575794c789cedd
Fix the autosuggest ordering so faster operations go first.
Also fix a bug with the initials autosuggest code.

diff -r 472e4fdf6a83 -r 181fd4fed78c ipa-server/ipa-gui/ipagui/templates/usernewform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usernewform.kid	Thu Oct 04 13:53:16 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usernewform.kid	Thu Oct 04 14:23:55 2007 -0700
@@ -101,6 +101,26 @@ from ipagui.helpers import ipahelper
               var cn = $('form_cn');
               var displayname = $('form_displayname');
               var initials = $('form_initials');
+
+              if ((cn.value == "") || (cn.value == cn_suggest)) {
+                cn.value = givenname.value + " " + sn.value;
+                cn_suggest = cn.value;
+                new Effect.Highlight(cn);
+              }
+
+              if ((displayname.value == "") ||
+                  (displayname.value == displayname_suggest)) {
+                displayname.value = givenname.value + " " + sn.value;
+                displayname_suggest = displayname.value;
+                new Effect.Highlight(displayname);
+              }
+
+              if ((initials.value == "") ||
+                  (initials.value == initials_suggest)) {
+                initials.value = givenname.value[0] + sn.value[0];
+                initials_suggest = initials.value;
+                new Effect.Highlight(initials);
+              }
 
               if ((uid.value == "") || (uid.value == uid_suggest)) {
                 new Ajax.Request('${tg.url('/suggest_uid')}', {
@@ -124,26 +144,6 @@ from ipagui.helpers import ipahelper
                         new Effect.Highlight(mail);
                       }
                     });
-              }
-
-              if ((cn.value == "") || (cn.value == cn_suggest)) {
-                cn.value = givenname.value + " " + sn.value;
-                cn_suggest = cn.value;
-                new Effect.Highlight(cn);
-              }
-
-              if ((displayname.value == "") ||
-                  (displayname.value == displayname_suggest)) {
-                displayname.value = givenname.value + " " + sn.value;
-                displayname_suggest = displayname.value;
-                new Effect.Highlight(displayname);
-              }
-
-              if ((displayname.value == "") ||
-                  (displayname.value == displayname_suggest)) {
-                initials.value = givenname.value[0] + sn.value[0];
-                initials_suggest = initials.value;
-                new Effect.Highlight(initials);
               }
             }
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071004/7ed34fe7/attachment.bin>

From kmccarth at redhat.com  Thu Oct  4 21:25:06 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 4 Oct 2007 14:25:06 -0700
Subject: [Freeipa-devel] [PATCH] fix 'None' displaying
In-Reply-To: <1191532159.26778.95.camel@localhost.localdomain>
References: <20071004191838.GH18815@moon.usersys.redhat.com>
	<1191532159.26778.95.camel@localhost.localdomain>
Message-ID: <20071004212506.GK18815@moon.usersys.redhat.com>

Simo Sorce wrote:
> On Thu, 2007-10-04 at 12:18 -0700, Kevin McCarthy wrote:
> > Fixes the None string displaying for results when given/sn is empty.
> 
> Looks ok

Pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071004/5c139a8c/attachment.bin>

From kmccarth at redhat.com  Thu Oct  4 21:27:25 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 4 Oct 2007 14:27:25 -0700
Subject: [Freeipa-devel] [PATCH] fix bootstrap data
In-Reply-To: <47055908.4060604@redhat.com>
References: <20071004203751.GI18815@moon.usersys.redhat.com>
	<1191532230.26778.97.camel@localhost.localdomain>
	<47055908.4060604@redhat.com>
Message-ID: <20071004212725.GL18815@moon.usersys.redhat.com>

Pete Rowley wrote:
> Simo Sorce wrote:
>> On Thu, 2007-10-04 at 13:37 -0700, Kevin McCarthy wrote:
>>   
>>> The cn for the admin group didn't match its dn.
>>>     
>>
>> I wonder how this even worked, doesn't FDS check the attribute used for
>> the RDN matches ??
>>   
> It adds the rdn value if it is missing from the entry.

pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071004/da75058b/attachment.bin>

From ssorce at redhat.com  Thu Oct  4 21:40:00 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 04 Oct 2007 17:40:00 -0400
Subject: [Freeipa-devel] [PATCH] fix bootstrap data
In-Reply-To: <47055908.4060604@redhat.com>
References: <20071004203751.GI18815@moon.usersys.redhat.com>
	<1191532230.26778.97.camel@localhost.localdomain>
	<47055908.4060604@redhat.com>
Message-ID: <1191534000.26778.99.camel@localhost.localdomain>

On Thu, 2007-10-04 at 14:20 -0700, Pete Rowley wrote:
> Simo Sorce wrote:
> > On Thu, 2007-10-04 at 13:37 -0700, Kevin McCarthy wrote:
> >   
> >> The cn for the admin group didn't match its dn.
> >>     
> >
> > I wonder how this even worked, doesn't FDS check the attribute used for
> > the RDN matches ??
> >   
> It adds the rdn value if it is missing from the entry.

Ohh, this is unexpected, I am not sure I like it, but good to know.
So this means cn was always multivalued for this object, right ?

Simo.



From kmccarth at redhat.com  Fri Oct  5 00:11:52 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 4 Oct 2007 17:11:52 -0700
Subject: [Freeipa-devel] [PATCH] split controllers out
Message-ID: <20071005001152.GM18815@moon.usersys.redhat.com>

This patch _looks_ big, but in truth it's just moving a bunch of code.
The main controllers.py is too big - I should have split it up a long
time ago, so now the sooner the better.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1191543018 25200
# Node ID ed3b5011eae26ba896c6b438db49c7829e333e9e
# Parent  157e43b04db3a9cc23d65f814b670667c3a2b61c
Split the controllers out into separate user and group controllers.

diff -r 157e43b04db3 -r ed3b5011eae2 ipa-server/ipa-gui/ipagui/controllers.py
--- a/ipa-server/ipa-gui/ipagui/controllers.py	Thu Oct 04 14:34:49 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/controllers.py	Thu Oct 04 17:10:18 2007 -0700
@@ -1,9 +1,3 @@ import random
-import random
-from pickle import dumps, loads
-from base64 import b64encode, b64decode
-import re
-
-import os
 import cherrypy
 import turbogears
 from turbogears import controllers, expose, flash
@@ -17,79 +11,15 @@ from turbogears import identity
 
 import ipa.config
 import ipa.ipaclient
-import ipa.user
-from ipa.entity import utf8_encode_values
-import xmlrpclib
-import forms.user
-import forms.group
-from helpers import userhelper
-from ipa import ipaerror
+
+from subcontrollers.user import UserController
+from subcontrollers.group import GroupController
 
 ipa.config.init_config()
-user_new_form = forms.user.UserNewForm()
-user_edit_form = forms.user.UserEditForm()
-group_new_form = forms.group.GroupNewForm()
-group_edit_form = forms.group.GroupEditForm()
-
-password_chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
-
-client = ipa.ipaclient.IPAClient(True)
-
-user_fields = ['*', 'nsAccountLock']
-
-group_fields = ['*']
-
-def restrict_post():
-    if cherrypy.request.method != "POST":
-        turbogears.flash("This method only accepts posts")
-        raise turbogears.redirect("/")
-
-def utf8_encode(value):
-    if value != None:
-        value = value.encode('utf-8')
-    return value
-
-def sort_group_member(a, b):
-    """Comparator function used for sorting group members."""
-    if a.getValue('uid') and b.getValue('uid'):
-        if a.getValue('givenname') == b.getValue('givenname'):
-            if a.getValue('sn') == b.getValue('sn'):
-                if a.getValue('uid') == b.getValue('uid'):
-                    return 0
-                elif a.getValue('uid') < b.getValue('uid'):
-                    return -1
-                else:
-                    return 1
-            elif a.getValue('sn') < b.getValue('sn'):
-                return -1
-            else:
-                return 1
-        elif a.getValue('givenname') < b.getValue('givenname'):
-            return -1
-        else:
-            return 1
-    elif a.getValue('uid'):
-        return -1
-    elif b.getValue('uid'):
-        return 1
-    else:
-        if a.getValue('cn') == b.getValue('cn'):
-            return 0
-        elif a.getValue('cn') < b.getValue('cn'):
-            return -1
-        else:
-            return 1
-
-def sort_by_cn(a, b):
-    """Comparator function used for sorting groups."""
-    if a.getValue('cn') == b.getValue('cn'):
-        return 0
-    elif a.getValue('cn') < b.getValue('cn'):
-        return -1
-    else:
-        return 1
 
 class Root(controllers.RootController):
+    user = UserController()
+    group = GroupController()
 
     @expose(template="ipagui.templates.welcome")
     @identity.require(identity.not_anonymous())
@@ -100,875 +30,9 @@ class Root(controllers.RootController):
     @identity.require(identity.not_anonymous())
     def topsearch(self, **kw):
         if kw.get('searchtype') == "Users":
-            return self.userlist(uid=kw.get('searchvalue'))
+            return Root.user.list(uid=kw.get('searchvalue'))
         else:
-            return self.grouplist(criteria=kw.get('searchvalue'))
-
-
-
-    ########
-    # User #
-    ########
-
-    @expose("ipagui.templates.usernew")
-    @identity.require(identity.not_anonymous())
-    def usernew(self, tg_errors=None):
-        """Displays the new user form"""
-        if tg_errors:
-            turbogears.flash("There was a problem with the form!")
-
-        return dict(form=user_new_form, user={})
-
-    @expose()
-    @identity.require(identity.not_anonymous())
-    def usercreate(self, **kw):
-        """Creates a new user"""
-        restrict_post()
-        client.set_krbccache(os.environ["KRB5CCNAME"])
-        if kw.get('submit') == 'Cancel':
-            turbogears.flash("Add user cancelled")
-            raise turbogears.redirect('/userlist')
-
-        tg_errors, kw = self.usercreatevalidate(**kw)
-        if tg_errors:
-            return dict(form=user_new_form, user=kw,
-                    tg_template='ipagui.templates.usernew')
-
-        #
-        # Create the user itself
-        #
-        try:
-            new_user = ipa.user.User()
-            new_user.setValue('title', kw.get('title'))
-            new_user.setValue('givenname', kw.get('givenname'))
-            new_user.setValue('sn', kw.get('sn'))
-            new_user.setValue('cn', kw.get('cn'))
-            new_user.setValue('displayname', kw.get('displayname'))
-            new_user.setValue('initials', kw.get('initials'))
-
-            new_user.setValue('uid', kw.get('uid'))
-            new_user.setValue('loginshell', kw.get('loginshell'))
-            new_user.setValue('gecos', kw.get('gecos'))
-
-            new_user.setValue('mail', kw.get('mail'))
-            new_user.setValue('telephonenumber', kw.get('telephonenumber'))
-            new_user.setValue('facsimiletelephonenumber',
-                    kw.get('facsimiletelephonenumber'))
-            new_user.setValue('mobile', kw.get('mobile'))
-            new_user.setValue('pager', kw.get('pager'))
-            new_user.setValue('homephone', kw.get('homephone'))
-
-            new_user.setValue('street', kw.get('street'))
-            new_user.setValue('l', kw.get('l'))
-            new_user.setValue('st', kw.get('st'))
-            new_user.setValue('postalcode', kw.get('postalcode'))
-
-            new_user.setValue('ou', kw.get('ou'))
-            new_user.setValue('businesscategory', kw.get('businesscategory'))
-            new_user.setValue('description', kw.get('description'))
-            new_user.setValue('employeetype', kw.get('employeetype'))
-            # new_user.setValue('manager', kw.get('manager'))
-            new_user.setValue('roomnumber', kw.get('roomnumber'))
-            # new_user.setValue('secretary', kw.get('secretary'))
-
-            new_user.setValue('carlicense', kw.get('carlicense'))
-            new_user.setValue('labeleduri', kw.get('labeleduri'))
-
-            if kw.get('nsAccountLock'):
-                new_user.setValue('nsAccountLock', 'true')
-
-            rv = client.add_user(new_user)
-        except ipaerror.exception_for(ipaerror.LDAP_DUPLICATE):
-            turbogears.flash("Person with login '%s' already exists" %
-                    kw.get('uid'))
-            return dict(form=user_new_form, user=kw,
-                    tg_template='ipagui.templates.usernew')
-        except ipaerror.IPAError, e:
-            turbogears.flash("User add failed: " + str(e))
-            return dict(form=user_new_form, user=kw,
-                    tg_template='ipagui.templates.usernew')
-
-        #
-        # NOTE: from here on, the user account now exists.
-        #       on any error, we redirect to the _edit_ user page.
-        #       this code does data setup, similar to useredit()
-        #
-        user = client.get_user_by_uid(kw['uid'], user_fields)
-        user_dict = user.toDict()
-
-        user_groups_dicts = []
-        user_groups_data = b64encode(dumps(user_groups_dicts))
-
-        # store a copy of the original user for the update later
-        user_data = b64encode(dumps(user_dict))
-        user_dict['user_orig'] = user_data
-        user_dict['user_groups_data'] = user_groups_data
-
-        # preserve group add info in case of errors
-        user_dict['dnadd'] = kw.get('dnadd')
-        user_dict['dn_to_info_json'] = kw.get('dn_to_info_json')
-
-        #
-        # Password change
-        # TODO
-        #
-
-        #
-        # Add groups
-        #
-        failed_adds = []
-        try:
-            dnadds = kw.get('dnadd')
-            if dnadds != None:
-                if not(isinstance(dnadds,list) or isinstance(dnadds,tuple)):
-                    dnadds = [dnadds]
-                failed_adds = client.add_groups_to_user(
-                        utf8_encode_values(dnadds), user.dn)
-                kw['dnadd'] = failed_adds
-        except ipaerror.IPAError, e:
-            failed_adds = dnadds
-
-        if len(failed_adds) > 0:
-            message = "Person successfully created.<br />"
-            message += "There was an error adding groups.<br />"
-            message += "Failures have been preserved in the add/remove lists."
-            turbogears.flash(message)
-            return dict(form=user_edit_form, user=user_dict,
-                        user_groups=user_groups_dicts,
-                        tg_template='ipagui.templates.useredit')
-
-        turbogears.flash("%s added!" % kw['uid'])
-        raise turbogears.redirect('/usershow', uid=kw['uid'])
-
-    @expose("ipagui.templates.dynamiceditsearch")
-    @identity.require(identity.not_anonymous())
-    def useredit_search(self, **kw):
-        """Searches for groups and displays list of results in a table.
-           This method is used for the ajax search on the user edit page."""
-        client.set_krbccache(os.environ["KRB5CCNAME"])
-        groups = []
-        groups_counter = 0
-        searchlimit = 100
-        criteria = kw.get('criteria')
-        if criteria != None and len(criteria) > 0:
-            try:
-                groups = client.find_groups(criteria.encode('utf-8'), None,
-                        searchlimit)
-                groups_counter = groups[0]
-                groups = groups[1:]
-            except ipaerror.IPAError, e:
-                turbogears.flash("search failed: " + str(e))
-
-        return dict(users=None, groups=groups, criteria=criteria,
-                counter=groups_counter)
-
-
-    @expose("ipagui.templates.useredit")
-    @identity.require(identity.not_anonymous())
-    def useredit(self, uid, tg_errors=None):
-        """Displays the edit user form"""
-        if tg_errors:
-            turbogears.flash("There was a problem with the form!")
-
-        client.set_krbccache(os.environ["KRB5CCNAME"])
-        try:
-            user = client.get_user_by_uid(uid, user_fields)
-            user_dict = user.toDict()
-            # Edit shouldn't fill in the password field.
-            if user_dict.has_key('userpassword'):
-                del(user_dict['userpassword'])
-
-            user_groups = client.get_groups_by_member(user.dn, ['dn', 'cn'])
-            user_groups.sort(sort_by_cn)
-            user_groups_dicts = map(lambda group: group.toDict(), user_groups)
-            user_groups_data = b64encode(dumps(user_groups_dicts))
-
-            # store a copy of the original user for the update later
-            user_data = b64encode(dumps(user_dict))
-            user_dict['user_orig'] = user_data
-            user_dict['user_groups_data'] = user_groups_data
-
-            return dict(form=user_edit_form, user=user_dict,
-                    user_groups=user_groups_dicts)
-        except ipaerror.IPAError, e:
-            turbogears.flash("User edit failed: " + str(e))
-            raise turbogears.redirect('/usershow', uid=kw.get('uid'))
-
-    @expose()
-    @identity.require(identity.not_anonymous())
-    def userupdate(self, **kw):
-        """Updates an existing user"""
-        restrict_post()
-        client.set_krbccache(os.environ["KRB5CCNAME"])
-        if kw.get('submit') == 'Cancel Edit':
-            turbogears.flash("Edit user cancelled")
-            raise turbogears.redirect('/usershow', uid=kw.get('uid'))
-
-        # Decode the group data, in case we need to round trip
-        user_groups_dicts = loads(b64decode(kw.get('user_groups_data')))
-
-        tg_errors, kw = self.userupdatevalidate(**kw)
-        if tg_errors:
-            return dict(form=user_edit_form, user=kw,
-                        user_groups=user_groups_dicts,
-                        tg_template='ipagui.templates.useredit')
-
-        password_change = False
-        user_modified = False
-
-        #
-        # Update the user itself
-        #
-        try:
-            orig_user_dict = loads(b64decode(kw.get('user_orig')))
-
-            new_user = ipa.user.User(orig_user_dict)
-            new_user.setValue('title', kw.get('title'))
-            new_user.setValue('givenname', kw.get('givenname'))
-            new_user.setValue('sn', kw.get('sn'))
-            new_user.setValue('cn', kw.get('cn'))
-            new_user.setValue('displayname', kw.get('displayname'))
-            new_user.setValue('initials', kw.get('initials'))
-
-            new_user.setValue('loginshell', kw.get('loginshell'))
-            new_user.setValue('gecos', kw.get('gecos'))
-
-            new_user.setValue('mail', kw.get('mail'))
-            new_user.setValue('telephonenumber', kw.get('telephonenumber'))
-            new_user.setValue('facsimiletelephonenumber',
-                    kw.get('facsimiletelephonenumber'))
-            new_user.setValue('mobile', kw.get('mobile'))
-            new_user.setValue('pager', kw.get('pager'))
-            new_user.setValue('homephone', kw.get('homephone'))
-
-            new_user.setValue('street', kw.get('street'))
-            new_user.setValue('l', kw.get('l'))
-            new_user.setValue('st', kw.get('st'))
-            new_user.setValue('postalcode', kw.get('postalcode'))
-
-            new_user.setValue('ou', kw.get('ou'))
-            new_user.setValue('businesscategory', kw.get('businesscategory'))
-            new_user.setValue('description', kw.get('description'))
-            new_user.setValue('employeetype', kw.get('employeetype'))
-            # new_user.setValue('manager', kw.get('manager'))
-            new_user.setValue('roomnumber', kw.get('roomnumber'))
-            # new_user.setValue('secretary', kw.get('secretary'))
-
-            new_user.setValue('carlicense', kw.get('carlicense'))
-            new_user.setValue('labeleduri', kw.get('labeleduri'))
-
-
-            if kw.get('nsAccountLock'):
-                new_user.setValue('nsAccountLock', 'true')
-            else:
-                new_user.setValue('nsAccountLock', None)
-            if kw.get('editprotected') == 'true':
-                if kw.get('userpassword'):
-                    password_change = True
-                new_user.setValue('uidnumber', str(kw.get('uidnumber')))
-                new_user.setValue('gidnumber', str(kw.get('gidnumber')))
-                new_user.setValue('homedirectory', str(kw.get('homedirectory')))
-
-            rv = client.update_user(new_user)
-            #
-            # If the user update succeeds, but below operations fail, we
-            # need to make sure a subsequent submit doesn't try to update
-            # the user again.
-            #
-            user_modified = True
-            kw['user_orig'] = b64encode(dumps(new_user.toDict()))
-        except ipaerror.exception_for(ipaerror.LDAP_EMPTY_MODLIST), e:
-            # could be a password change
-            # could be groups change
-            # too much work to figure out unless someone really screams
-            pass
-        except ipaerror.IPAError, e:
-            turbogears.flash("User update failed: " + str(e))
-            return dict(form=user_edit_form, user=kw,
-                        user_groups=user_groups_dicts,
-                        tg_template='ipagui.templates.useredit')
-
-        #
-        # Password change
-        #
-        try:
-            if password_change:
-                rv = client.modifyPassword(kw['krbprincipalname'], "", kw.get('userpassword'))
-        except ipaerror.IPAError, e:
-            turbogears.flash("User password change failed: " + str(e))
-            return dict(form=user_edit_form, user=kw,
-                        user_groups=user_groups_dicts,
-                        tg_template='ipagui.templates.useredit')
-
-        #
-        # Add groups
-        #
-        failed_adds = []
-        try:
-            dnadds = kw.get('dnadd')
-            if dnadds != None:
-                if not(isinstance(dnadds,list) or isinstance(dnadds,tuple)):
-                    dnadds = [dnadds]
-                failed_adds = client.add_groups_to_user(
-                        utf8_encode_values(dnadds), new_user.dn)
-                kw['dnadd'] = failed_adds
-        except ipaerror.IPAError, e:
-            failed_adds = dnadds
-
-        #
-        # Remove groups
-        #
-        failed_dels = []
-        try:
-            dndels = kw.get('dndel')
-            if dndels != None:
-                if not(isinstance(dndels,list) or isinstance(dndels,tuple)):
-                    dndels = [dndels]
-                failed_dels = client.remove_groups_from_user(
-                        utf8_encode_values(dndels), new_user.dn)
-                kw['dndel'] = failed_dels
-        except ipaerror.IPAError, e:
-            failed_dels = dndels
-
-        if (len(failed_adds) > 0) or (len(failed_dels) > 0):
-            message = "There was an error updating groups.<br />"
-            message += "Failures have been preserved in the add/remove lists."
-            if user_modified:
-                message = "User Details successfully updated.<br />" + message
-            if password_change:
-                message = "User password successfully updated.<br />" + message
-            turbogears.flash(message)
-            return dict(form=user_edit_form, user=kw,
-                        user_groups=user_groups_dicts,
-                        tg_template='ipagui.templates.useredit')
-
-        turbogears.flash("%s updated!" % kw['uid'])
-        raise turbogears.redirect('/usershow', uid=kw['uid'])
-
-
-    @expose("ipagui.templates.userlist")
-    @identity.require(identity.not_anonymous())
-    def userlist(self, **kw):
-        """Searches for users and displays list of results"""
-        client.set_krbccache(os.environ["KRB5CCNAME"])
-        users = None
-        counter = 0
-        uid = kw.get('uid')
-        if uid != None and len(uid) > 0:
-            try:
-                users = client.find_users(uid.encode('utf-8'), None, 0, 2)
-                counter = users[0]
-                users = users[1:]
-                if counter == -1:
-                    turbogears.flash("These results are truncated.<br />" +
-                                    "Please refine your search and try again.")
-            except ipaerror.IPAError, e:
-                turbogears.flash("User list failed: " + str(e))
-                raise turbogears.redirect("/userlist")
-
-        return dict(users=users, uid=uid, fields=forms.user.UserFields())
-
-
-    @expose("ipagui.templates.usershow")
-    @identity.require(identity.not_anonymous())
-    def usershow(self, uid):
-        """Retrieve a single user for display"""
-        client.set_krbccache(os.environ["KRB5CCNAME"])
-        try:
-            user = client.get_user_by_uid(uid, user_fields)
-            user_groups = client.get_groups_by_member(user.dn, ['cn'])
-            user_groups.sort(sort_by_cn)
-            user_reports = client.get_users_by_manager(user.dn,
-                    ['givenname', 'sn', 'uid'])
-            user_reports.sort(sort_group_member)
-
-            user_manager = None
-            try:
-                if user.manager:
-                    user_manager = client.get_user_by_dn(user.manager,
-                        ['givenname', 'sn', 'uid'])
-            except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
-                pass
-
-            return dict(user=user.toDict(), fields=forms.user.UserFields(),
-                        user_groups=user_groups, user_reports=user_reports,
-                        user_manager=user_manager)
-        except ipaerror.IPAError, e:
-            turbogears.flash("User show failed: " + str(e))
-            raise turbogears.redirect("/")
-
-    @validate(form=user_new_form)
-    @identity.require(identity.not_anonymous())
-    def usercreatevalidate(self, tg_errors=None, **kw):
-        return tg_errors, kw
-
-    @validate(form=user_edit_form)
-    @identity.require(identity.not_anonymous())
-    def userupdatevalidate(self, tg_errors=None, **kw):
-        return tg_errors, kw
-
-    @expose()
-    def userindex(self):
-        raise turbogears.redirect("/userlist")
-
-    # @expose()
-    def generate_password(self):
-        password = ""
-        generator = random.SystemRandom()
-        for char in range(8):
-            index = generator.randint(0, len(password_chars) - 1)
-            password += password_chars[index]
-
-        return password
-
-    @expose()
-    @identity.require(identity.not_anonymous())
-    def suggest_uid(self, givenname, sn):
-        # filter illegal uid characters out
-        givenname = re.sub(r'[^a-zA-Z_\-0-9]', "", givenname)
-        sn = re.sub(r'[^a-zA-Z_\-0-9]', "", sn)
-
-        if (len(givenname) == 0) or (len(sn) == 0):
-            return ""
-
-        client.set_krbccache(os.environ["KRB5CCNAME"])
-        givenname = givenname.lower()
-        sn = sn.lower()
-
-        uid = givenname[0] + sn[:7]
-        try:
-            client.get_user_by_uid(uid)
-        except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
-            return uid
-
-        uid = givenname[:7] + sn[0]
-        try:
-            client.get_user_by_uid(uid)
-        except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
-            return uid
-
-        uid = (givenname + sn)[:8]
-        try:
-            client.get_user_by_uid(uid)
-        except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
-            return uid
-
-        uid = sn[:8]
-        try:
-            client.get_user_by_uid(uid)
-        except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
-            return uid
-
-        suffix = 2
-        template = givenname[0] + sn[:7]
-        while suffix < 20:
-            uid = template[:8 - len(str(suffix))] + str(suffix)
-            try:
-                client.get_user_by_uid(uid)
-            except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
-                return uid
-            suffix += 1
-
-        return ""
-
-    @expose()
-    @identity.require(identity.not_anonymous())
-    def suggest_email(self, givenname, sn):
-        # remove illegal email characters
-        givenname = re.sub(r'[^a-zA-Z0-9!#\$%\*/?\|\^\{\}`~&\'\+\-=_]', "", givenname)
-        sn = re.sub(r'[^a-zA-Z0-9!#\$%\*/?\|\^\{\}`~&\'\+\-=_]', "", sn)
-
-        if (len(givenname) == 0) or (len(sn) == 0):
-            return ""
-
-        client.set_krbccache(os.environ["KRB5CCNAME"])
-        givenname = givenname.lower()
-        sn = sn.lower()
-
-        # TODO - get from config
-        domain = "freeipa.org"
-
-        return "%s.%s@%s" % (givenname, sn, domain)
-
-
-        # TODO - mail is currently not indexed nor searchable.
-        #        implement when it's done
-        # email = givenname + "." + sn + domain
-        # users = client.find_users(email, ['mail'])
-        # if len(filter(lambda u: u['mail'] == email, users[1:])) == 0:
-        #     return email
-
-        # email = self.suggest_uid(givenname, sn) + domain
-        # users = client.find_users(email, ['mail'])
-        # if len(filter(lambda u: u['mail'] == email, users[1:])) == 0:
-        #     return email
-
-        # suffix = 2
-        # template = givenname + "." + sn
-        # while suffix < 20:
-        #     email = template + str(suffix) + domain
-        #     users = client.find_users(email, ['mail'])
-        #     if len(filter(lambda u: u['mail'] == email, users[1:])) == 0:
-        #         return email
-        #     suffix += 1
-
-        # return ""
-
-
-
-    #########
-    # Group #
-    #########
-
-    @expose("ipagui.templates.groupindex")
-    @identity.require(identity.not_anonymous())
-    def groupindex(self, tg_errors=None):
-        client.set_krbccache(os.environ["KRB5CCNAME"])
-        return dict()
-
-    @expose("ipagui.templates.groupnew")
-    @identity.require(identity.not_anonymous())
-    def groupnew(self, tg_errors=None):
-        """Displays the new group form"""
-        if tg_errors:
-            turbogears.flash("There was a problem with the form!")
-
-        client.set_krbccache(os.environ["KRB5CCNAME"])
-
-        return dict(form=group_new_form, group={})
-
-    @expose()
-    @identity.require(identity.not_anonymous())
-    def groupcreate(self, **kw):
-        """Creates a new group"""
-        restrict_post()
-        client.set_krbccache(os.environ["KRB5CCNAME"])
-
-        if kw.get('submit') == 'Cancel':
-            turbogears.flash("Add group cancelled")
-            raise turbogears.redirect('/')
-
-        tg_errors, kw = self.groupcreatevalidate(**kw)
-        if tg_errors:
-            return dict(form=group_new_form, group=kw,
-                    tg_template='ipagui.templates.groupnew')
-
-        #
-        # Create the group itself
-        #
-        try:
-            new_group = ipa.group.Group()
-            new_group.setValue('cn', kw.get('cn'))
-            new_group.setValue('description', kw.get('description'))
-
-            rv = client.add_group(new_group)
-        except ipaerror.exception_for(ipaerror.LDAP_DUPLICATE):
-            turbogears.flash("Group with name '%s' already exists" %
-                    kw.get('cn'))
-            return dict(form=group_new_form, group=kw,
-                    tg_template='ipagui.templates.groupnew')
-        except ipaerror.IPAError, e:
-            turbogears.flash("Group add failed: " + str(e) + "<br/>" + str(e.detail))
-            return dict(form=group_new_form, group=kw,
-                    tg_template='ipagui.templates.groupnew')
-
-        #
-        # NOTE: from here on, the group now exists.
-        #       on any error, we redirect to the _edit_ group page.
-        #       this code does data setup, similar to groupedit()
-        #
-        group = client.get_group_by_cn(kw['cn'], group_fields)
-        group_dict = group.toDict()
-        member_dicts = []
-
-        # store a copy of the original group for the update later
-        group_data = b64encode(dumps(group_dict))
-        member_data = b64encode(dumps(member_dicts))
-        group_dict['group_orig'] = group_data
-        group_dict['member_data'] = member_data
-
-        # preserve group add info in case of errors
-        group_dict['dnadd'] = kw.get('dnadd')
-        group_dict['dn_to_info_json'] = kw.get('dn_to_info_json')
-
-        #
-        # Add members
-        #
-        failed_adds = []
-        try:
-            dnadds = kw.get('dnadd')
-            if dnadds != None:
-                if not(isinstance(dnadds,list) or isinstance(dnadds,tuple)):
-                    dnadds = [dnadds]
-                failed_adds = client.add_members_to_group(
-                        utf8_encode_values(dnadds), group.dn)
-                kw['dnadd'] = failed_adds
-        except ipaerror.IPAError, e:
-            failed_adds = dnadds
-
-        if len(failed_adds) > 0:
-            message = "Group successfully created.<br />"
-            message += "There was an error adding group members.<br />"
-            message += "Failures have been preserved in the add/remove lists."
-            turbogears.flash(message)
-            return dict(form=group_edit_form, group=group_dict,
-                        members=member_dicts,
-                        tg_template='ipagui.templates.groupedit')
-
-        turbogears.flash("%s added!" % kw.get('cn'))
-        raise turbogears.redirect('/groupshow', cn=kw.get('cn'))
-
-    @expose("ipagui.templates.dynamiceditsearch")
-    @identity.require(identity.not_anonymous())
-    def groupedit_search(self, **kw):
-        """Searches for users+groups and displays list of results in a table.
-           This method is used for the ajax search on the group edit page."""
-        client.set_krbccache(os.environ["KRB5CCNAME"])
-        users = []
-        groups = []
-        counter = 0
-        searchlimit = 100
-        criteria = kw.get('criteria')
-        if criteria != None and len(criteria) > 0:
-            try:
-                users = client.find_users(criteria.encode('utf-8'), None, searchlimit)
-                users_counter = users[0]
-                users = users[1:]
-
-                groups = client.find_groups(criteria.encode('utf-8'), None,
-                        searchlimit)
-                groups_counter = groups[0]
-                groups = groups[1:]
-
-                if users_counter < 0 or groups_counter < 0:
-                    counter = -1
-                else:
-                    counter = users_counter + groups_counter
-            except ipaerror.IPAError, e:
-                turbogears.flash("search failed: " + str(e))
-
-        return dict(users=users, groups=groups, criteria=criteria,
-                counter=counter)
-
-
-    @expose("ipagui.templates.groupedit")
-    @identity.require(identity.not_anonymous())
-    def groupedit(self, cn, tg_errors=None):
-        """Displays the edit group form"""
-        if tg_errors:
-            turbogears.flash("There was a problem with the form!")
-
-        client.set_krbccache(os.environ["KRB5CCNAME"])
-        try:
-            group = client.get_group_by_cn(cn, group_fields)
-
-            group_dict = group.toDict()
-
-            #
-            # convert members to users, for easier manipulation on the page
-            #
-            member_dns = []
-            if group_dict.has_key('uniquemember'):
-                member_dns = group_dict.get('uniquemember')
-                # remove from dict - it's not needed for update
-                # and we are storing the members in a different form
-                del group_dict['uniquemember']
-            if not(isinstance(member_dns,list) or isinstance(member_dns,tuple)):
-                member_dns = [member_dns]
-
-            # TODO: convert this into an efficient (single) function call
-            # Note: this isn't quite right, since it can be users and groups.
-            members = map(
-                    lambda dn: client.get_user_by_dn(dn, ['dn', 'givenname', 'sn',
-                        'uid', 'cn']),
-                    member_dns)
-            members.sort(sort_group_member)
-
-            # Map users into an array of dicts, which can be serialized
-            # (so we don't have to do this on each round trip)
-            member_dicts = map(lambda member: member.toDict(), members)
-
-            # store a copy of the original group for the update later
-            group_data = b64encode(dumps(group_dict))
-            member_data = b64encode(dumps(member_dicts))
-            group_dict['group_orig'] = group_data
-            group_dict['member_data'] = member_data
-
-            return dict(form=group_edit_form, group=group_dict, members=member_dicts)
-        except ipaerror.IPAError, e:
-            turbogears.flash("Group edit failed: " + str(e))
-            raise turbogears.redirect('/groupshow', uid=cn)
-
-    @expose()
-    @identity.require(identity.not_anonymous())
-    def groupupdate(self, **kw):
-        """Updates an existing group"""
-        restrict_post()
-        client.set_krbccache(os.environ["KRB5CCNAME"])
-        if kw.get('submit') == 'Cancel Edit':
-            turbogears.flash("Edit group cancelled")
-            raise turbogears.redirect('/groupshow', cn=kw.get('cn'))
-
-        # Decode the member data, in case we need to round trip
-        member_dicts = loads(b64decode(kw.get('member_data')))
-
-
-        tg_errors, kw = self.groupupdatevalidate(**kw)
-        if tg_errors:
-            return dict(form=group_edit_form, group=kw, members=member_dicts,
-                        tg_template='ipagui.templates.groupedit')
-
-        group_modified = False
-
-        #
-        # Update group itself
-        #
-        try:
-            orig_group_dict = loads(b64decode(kw.get('group_orig')))
-
-            new_group = ipa.group.Group(orig_group_dict)
-            if new_group.description != kw.get('description'):
-                group_modified = True
-                new_group.setValue('description', kw.get('description'))
-            if kw.get('editprotected') == 'true':
-                new_gid = str(kw.get('gidnumber'))
-                if new_group.gidnumber != new_gid:
-                    group_modified = True
-                    new_group.setValue('gidnumber', new_gid)
-
-            if group_modified:
-                rv = client.update_group(new_group)
-                #
-                # If the group update succeeds, but below operations fail, we
-                # need to make sure a subsequent submit doesn't try to update
-                # the group again.
-                #
-                kw['group_orig'] = b64encode(dumps(new_group.toDict()))
-        except ipaerror.IPAError, e:
-            turbogears.flash("Group update failed: " + str(e))
-            return dict(form=group_edit_form, group=kw, members=member_dicts,
-                        tg_template='ipagui.templates.groupedit')
-
-        #
-        # Add members
-        #
-        failed_adds = []
-        try:
-            dnadds = kw.get('dnadd')
-            if dnadds != None:
-                if not(isinstance(dnadds,list) or isinstance(dnadds,tuple)):
-                    dnadds = [dnadds]
-                failed_adds = client.add_members_to_group(
-                        utf8_encode_values(dnadds), new_group.dn)
-                kw['dnadd'] = failed_adds
-        except ipaerror.IPAError, e:
-            turbogears.flash("Group update failed: " + str(e))
-            return dict(form=group_edit_form, group=kw, members=member_dicts,
-                        tg_template='ipagui.templates.groupedit')
-
-        #
-        # Remove members
-        #
-        failed_dels = []
-        try:
-            dndels = kw.get('dndel')
-            if dndels != None:
-                if not(isinstance(dndels,list) or isinstance(dndels,tuple)):
-                    dndels = [dndels]
-                failed_dels = client.remove_members_from_group(
-                        utf8_encode_values(dndels), new_group.dn)
-                kw['dndel'] = failed_dels
-        except ipaerror.IPAError, e:
-            turbogears.flash("Group update failed: " + str(e))
-            return dict(form=group_edit_form, group=kw, members=member_dicts,
-                        tg_template='ipagui.templates.groupedit')
-
-        #
-        # TODO - check failed ops to see if it's because of another update.
-        #        handle "someone else already did it" errors better - perhaps
-        #        not even as an error
-        # TODO - update the Group Members list.
-        #        (note that we have to handle the above todo first, or else
-        #         there will be an error message, but the add/del lists will
-        #         be empty)
-        #
-        if (len(failed_adds) > 0) or (len(failed_dels) > 0):
-            message = "There was an error updating group members.<br />"
-            message += "Failures have been preserved in the add/remove lists."
-            if group_modified:
-                message = "Group Details successfully updated.<br />" + message
-            turbogears.flash(message)
-            return dict(form=group_edit_form, group=kw, members=member_dicts,
-                        tg_template='ipagui.templates.groupedit')
-
-        turbogears.flash("%s updated!" % kw['cn'])
-        raise turbogears.redirect('/groupshow', cn=kw['cn'])
-
-
-    @expose("ipagui.templates.grouplist")
-    @identity.require(identity.not_anonymous())
-    def grouplist(self, **kw):
-        """Search for groups and display results"""
-        client.set_krbccache(os.environ["KRB5CCNAME"])
-        groups = None
-        # counter = 0
-        criteria = kw.get('criteria')
-        if criteria != None and len(criteria) > 0:
-            try:
-                groups = client.find_groups(criteria.encode('utf-8'), None, 0, 2)
-                counter = groups[0]
-                groups = groups[1:]
-                if counter == -1:
-                    turbogears.flash("These results are truncated.<br />" +
-                                    "Please refine your search and try again.")
-            except ipaerror.IPAError, e:
-                turbogears.flash("Find groups failed: " + str(e))
-                raise turbogears.redirect("/grouplist")
-
-        return dict(groups=groups, criteria=criteria, fields=forms.group.GroupFields())
-
-    @expose("ipagui.templates.groupshow")
-    @identity.require(identity.not_anonymous())
-    def groupshow(self, cn):
-        """Retrieve a single group for display"""
-        client.set_krbccache(os.environ["KRB5CCNAME"])
-        try:
-            group = client.get_group_by_cn(cn, group_fields)
-            group_dict = group.toDict()
-
-            #
-            # convert members to users, for display on the page
-            #
-            member_dns = []
-            if group_dict.has_key('uniquemember'):
-                member_dns = group_dict.get('uniquemember')
-            if not(isinstance(member_dns,list) or isinstance(member_dns,tuple)):
-                member_dns = [member_dns]
-
-            # TODO: convert this into an efficient (single) function call
-            # Note: this isn't quite right, since it can be users and groups.
-            members = map(
-                    lambda dn: client.get_user_by_dn(dn, ['dn', 'givenname', 'sn',
-                        'uid', 'cn']),
-                    member_dns)
-            members.sort(sort_group_member)
-            member_dicts = map(lambda member: member.toDict(), members)
-
-            return dict(group=group_dict, fields=forms.group.GroupFields(),
-                    members = member_dicts)
-        except ipaerror.IPAError, e:
-            turbogears.flash("Group show failed: " + str(e))
-            raise turbogears.redirect("/")
-
-    @validate(form=group_new_form)
-    @identity.require(identity.not_anonymous())
-    def groupcreatevalidate(self, tg_errors=None, **kw):
-        return tg_errors, kw
-
-    @validate(form=group_edit_form)
-    @identity.require(identity.not_anonymous())
-    def groupupdatevalidate(self, tg_errors=None, **kw):
-        return tg_errors, kw
+            return Root.group.list(criteria=kw.get('searchvalue'))
 
     @expose("ipagui.templates.loginfailed")
     def loginfailed(self, **kw):
diff -r 157e43b04db3 -r ed3b5011eae2 ipa-server/ipa-gui/ipagui/subcontrollers/__init__.py
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/__init__.py	Thu Oct 04 17:10:18 2007 -0700
@@ -0,0 +1,1 @@
+# __init__.py
diff -r 157e43b04db3 -r ed3b5011eae2 ipa-server/ipa-gui/ipagui/subcontrollers/group.py
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py	Thu Oct 04 17:10:18 2007 -0700
@@ -0,0 +1,386 @@
+import os
+from pickle import dumps, loads
+from base64 import b64encode, b64decode
+
+import cherrypy
+import turbogears
+from turbogears import controllers, expose, flash
+from turbogears import validators, validate
+from turbogears import widgets, paginate
+from turbogears import error_handler
+from turbogears import identity
+
+from ipacontroller import IPAController
+import ipa.config
+import ipa.ipaclient
+import ipa.group
+from ipa.entity import utf8_encode_values
+from ipa import ipaerror
+import ipagui.forms.group
+
+ipa.config.init_config()
+client = ipa.ipaclient.IPAClient(True)
+
+group_new_form = ipagui.forms.group.GroupNewForm()
+group_edit_form = ipagui.forms.group.GroupEditForm()
+
+group_fields = ['*']
+
+class GroupController(IPAController):
+
+
+    #########
+    # Group #
+    #########
+
+    @expose("ipagui.templates.groupindex")
+    @identity.require(identity.not_anonymous())
+    def index(self, tg_errors=None):
+        client.set_krbccache(os.environ["KRB5CCNAME"])
+        return dict()
+
+    @expose("ipagui.templates.groupnew")
+    @identity.require(identity.not_anonymous())
+    def new(self, tg_errors=None):
+        """Displays the new group form"""
+        if tg_errors:
+            turbogears.flash("There was a problem with the form!")
+
+        client.set_krbccache(os.environ["KRB5CCNAME"])
+
+        return dict(form=group_new_form, group={})
+
+    @expose()
+    @identity.require(identity.not_anonymous())
+    def create(self, **kw):
+        """Creates a new group"""
+        self.restrict_post()
+        client.set_krbccache(os.environ["KRB5CCNAME"])
+
+        if kw.get('submit') == 'Cancel':
+            turbogears.flash("Add group cancelled")
+            raise turbogears.redirect('/')
+
+        tg_errors, kw = self.groupcreatevalidate(**kw)
+        if tg_errors:
+            return dict(form=group_new_form, group=kw,
+                    tg_template='ipagui.templates.groupnew')
+
+        #
+        # Create the group itself
+        #
+        try:
+            new_group = ipa.group.Group()
+            new_group.setValue('cn', kw.get('cn'))
+            new_group.setValue('description', kw.get('description'))
+
+            rv = client.add_group(new_group)
+        except ipaerror.exception_for(ipaerror.LDAP_DUPLICATE):
+            turbogears.flash("Group with name '%s' already exists" %
+                    kw.get('cn'))
+            return dict(form=group_new_form, group=kw,
+                    tg_template='ipagui.templates.groupnew')
+        except ipaerror.IPAError, e:
+            turbogears.flash("Group add failed: " + str(e) + "<br/>" + str(e.detail))
+            return dict(form=group_new_form, group=kw,
+                    tg_template='ipagui.templates.groupnew')
+
+        #
+        # NOTE: from here on, the group now exists.
+        #       on any error, we redirect to the _edit_ group page.
+        #       this code does data setup, similar to groupedit()
+        #
+        group = client.get_group_by_cn(kw['cn'], group_fields)
+        group_dict = group.toDict()
+        member_dicts = []
+
+        # store a copy of the original group for the update later
+        group_data = b64encode(dumps(group_dict))
+        member_data = b64encode(dumps(member_dicts))
+        group_dict['group_orig'] = group_data
+        group_dict['member_data'] = member_data
+
+        # preserve group add info in case of errors
+        group_dict['dnadd'] = kw.get('dnadd')
+        group_dict['dn_to_info_json'] = kw.get('dn_to_info_json')
+
+        #
+        # Add members
+        #
+        failed_adds = []
+        try:
+            dnadds = kw.get('dnadd')
+            if dnadds != None:
+                if not(isinstance(dnadds,list) or isinstance(dnadds,tuple)):
+                    dnadds = [dnadds]
+                failed_adds = client.add_members_to_group(
+                        utf8_encode_values(dnadds), group.dn)
+                kw['dnadd'] = failed_adds
+        except ipaerror.IPAError, e:
+            failed_adds = dnadds
+
+        if len(failed_adds) > 0:
+            message = "Group successfully created.<br />"
+            message += "There was an error adding group members.<br />"
+            message += "Failures have been preserved in the add/remove lists."
+            turbogears.flash(message)
+            return dict(form=group_edit_form, group=group_dict,
+                        members=member_dicts,
+                        tg_template='ipagui.templates.groupedit')
+
+        turbogears.flash("%s added!" % kw.get('cn'))
+        raise turbogears.redirect('/group/show', cn=kw.get('cn'))
+
+    @expose("ipagui.templates.dynamiceditsearch")
+    @identity.require(identity.not_anonymous())
+    def edit_search(self, **kw):
+        """Searches for users+groups and displays list of results in a table.
+           This method is used for the ajax search on the group edit page."""
+        client.set_krbccache(os.environ["KRB5CCNAME"])
+        users = []
+        groups = []
+        counter = 0
+        searchlimit = 100
+        criteria = kw.get('criteria')
+        if criteria != None and len(criteria) > 0:
+            try:
+                users = client.find_users(criteria.encode('utf-8'), None, searchlimit)
+                users_counter = users[0]
+                users = users[1:]
+
+                groups = client.find_groups(criteria.encode('utf-8'), None,
+                        searchlimit)
+                groups_counter = groups[0]
+                groups = groups[1:]
+
+                if users_counter < 0 or groups_counter < 0:
+                    counter = -1
+                else:
+                    counter = users_counter + groups_counter
+            except ipaerror.IPAError, e:
+                turbogears.flash("search failed: " + str(e))
+
+        return dict(users=users, groups=groups, criteria=criteria,
+                counter=counter)
+
+
+    @expose("ipagui.templates.groupedit")
+    @identity.require(identity.not_anonymous())
+    def edit(self, cn, tg_errors=None):
+        """Displays the edit group form"""
+        if tg_errors:
+            turbogears.flash("There was a problem with the form!")
+
+        client.set_krbccache(os.environ["KRB5CCNAME"])
+        try:
+            group = client.get_group_by_cn(cn, group_fields)
+
+            group_dict = group.toDict()
+
+            #
+            # convert members to users, for easier manipulation on the page
+            #
+            member_dns = []
+            if group_dict.has_key('uniquemember'):
+                member_dns = group_dict.get('uniquemember')
+                # remove from dict - it's not needed for update
+                # and we are storing the members in a different form
+                del group_dict['uniquemember']
+            if not(isinstance(member_dns,list) or isinstance(member_dns,tuple)):
+                member_dns = [member_dns]
+
+            # TODO: convert this into an efficient (single) function call
+            # Note: this isn't quite right, since it can be users and groups.
+            members = map(
+                    lambda dn: client.get_user_by_dn(dn, ['dn', 'givenname', 'sn',
+                        'uid', 'cn']),
+                    member_dns)
+            members.sort(self.sort_group_member)
+
+            # Map users into an array of dicts, which can be serialized
+            # (so we don't have to do this on each round trip)
+            member_dicts = map(lambda member: member.toDict(), members)
+
+            # store a copy of the original group for the update later
+            group_data = b64encode(dumps(group_dict))
+            member_data = b64encode(dumps(member_dicts))
+            group_dict['group_orig'] = group_data
+            group_dict['member_data'] = member_data
+
+            return dict(form=group_edit_form, group=group_dict, members=member_dicts)
+        except ipaerror.IPAError, e:
+            turbogears.flash("Group edit failed: " + str(e))
+            raise turbogears.redirect('/group/show', uid=cn)
+
+    @expose()
+    @identity.require(identity.not_anonymous())
+    def update(self, **kw):
+        """Updates an existing group"""
+        self.restrict_post()
+        client.set_krbccache(os.environ["KRB5CCNAME"])
+        if kw.get('submit') == 'Cancel Edit':
+            turbogears.flash("Edit group cancelled")
+            raise turbogears.redirect('/group/show', cn=kw.get('cn'))
+
+        # Decode the member data, in case we need to round trip
+        member_dicts = loads(b64decode(kw.get('member_data')))
+
+
+        tg_errors, kw = self.groupupdatevalidate(**kw)
+        if tg_errors:
+            return dict(form=group_edit_form, group=kw, members=member_dicts,
+                        tg_template='ipagui.templates.groupedit')
+
+        group_modified = False
+
+        #
+        # Update group itself
+        #
+        try:
+            orig_group_dict = loads(b64decode(kw.get('group_orig')))
+
+            new_group = ipa.group.Group(orig_group_dict)
+            if new_group.description != kw.get('description'):
+                group_modified = True
+                new_group.setValue('description', kw.get('description'))
+            if kw.get('editprotected') == 'true':
+                new_gid = str(kw.get('gidnumber'))
+                if new_group.gidnumber != new_gid:
+                    group_modified = True
+                    new_group.setValue('gidnumber', new_gid)
+
+            if group_modified:
+                rv = client.update_group(new_group)
+                #
+                # If the group update succeeds, but below operations fail, we
+                # need to make sure a subsequent submit doesn't try to update
+                # the group again.
+                #
+                kw['group_orig'] = b64encode(dumps(new_group.toDict()))
+        except ipaerror.IPAError, e:
+            turbogears.flash("Group update failed: " + str(e))
+            return dict(form=group_edit_form, group=kw, members=member_dicts,
+                        tg_template='ipagui.templates.groupedit')
+
+        #
+        # Add members
+        #
+        failed_adds = []
+        try:
+            dnadds = kw.get('dnadd')
+            if dnadds != None:
+                if not(isinstance(dnadds,list) or isinstance(dnadds,tuple)):
+                    dnadds = [dnadds]
+                failed_adds = client.add_members_to_group(
+                        utf8_encode_values(dnadds), new_group.dn)
+                kw['dnadd'] = failed_adds
+        except ipaerror.IPAError, e:
+            turbogears.flash("Group update failed: " + str(e))
+            return dict(form=group_edit_form, group=kw, members=member_dicts,
+                        tg_template='ipagui.templates.groupedit')
+
+        #
+        # Remove members
+        #
+        failed_dels = []
+        try:
+            dndels = kw.get('dndel')
+            if dndels != None:
+                if not(isinstance(dndels,list) or isinstance(dndels,tuple)):
+                    dndels = [dndels]
+                failed_dels = client.remove_members_from_group(
+                        utf8_encode_values(dndels), new_group.dn)
+                kw['dndel'] = failed_dels
+        except ipaerror.IPAError, e:
+            turbogears.flash("Group update failed: " + str(e))
+            return dict(form=group_edit_form, group=kw, members=member_dicts,
+                        tg_template='ipagui.templates.groupedit')
+
+        #
+        # TODO - check failed ops to see if it's because of another update.
+        #        handle "someone else already did it" errors better - perhaps
+        #        not even as an error
+        # TODO - update the Group Members list.
+        #        (note that we have to handle the above todo first, or else
+        #         there will be an error message, but the add/del lists will
+        #         be empty)
+        #
+        if (len(failed_adds) > 0) or (len(failed_dels) > 0):
+            message = "There was an error updating group members.<br />"
+            message += "Failures have been preserved in the add/remove lists."
+            if group_modified:
+                message = "Group Details successfully updated.<br />" + message
+            turbogears.flash(message)
+            return dict(form=group_edit_form, group=kw, members=member_dicts,
+                        tg_template='ipagui.templates.groupedit')
+
+        turbogears.flash("%s updated!" % kw['cn'])
+        raise turbogears.redirect('/group/show', cn=kw['cn'])
+
+
+    @expose("ipagui.templates.grouplist")
+    @identity.require(identity.not_anonymous())
+    def list(self, **kw):
+        """Search for groups and display results"""
+        client.set_krbccache(os.environ["KRB5CCNAME"])
+        groups = None
+        # counter = 0
+        criteria = kw.get('criteria')
+        if criteria != None and len(criteria) > 0:
+            try:
+                groups = client.find_groups(criteria.encode('utf-8'), None, 0, 2)
+                counter = groups[0]
+                groups = groups[1:]
+                if counter == -1:
+                    turbogears.flash("These results are truncated.<br />" +
+                                    "Please refine your search and try again.")
+            except ipaerror.IPAError, e:
+                turbogears.flash("Find groups failed: " + str(e))
+                raise turbogears.redirect("/group/list")
+
+        return dict(groups=groups, criteria=criteria,
+                    fields=ipagui.forms.group.GroupFields())
+
+    @expose("ipagui.templates.groupshow")
+    @identity.require(identity.not_anonymous())
+    def show(self, cn):
+        """Retrieve a single group for display"""
+        client.set_krbccache(os.environ["KRB5CCNAME"])
+        try:
+            group = client.get_group_by_cn(cn, group_fields)
+            group_dict = group.toDict()
+
+            #
+            # convert members to users, for display on the page
+            #
+            member_dns = []
+            if group_dict.has_key('uniquemember'):
+                member_dns = group_dict.get('uniquemember')
+            if not(isinstance(member_dns,list) or isinstance(member_dns,tuple)):
+                member_dns = [member_dns]
+
+            # TODO: convert this into an efficient (single) function call
+            # Note: this isn't quite right, since it can be users and groups.
+            members = map(
+                    lambda dn: client.get_user_by_dn(dn, ['dn', 'givenname', 'sn',
+                        'uid', 'cn']),
+                    member_dns)
+            members.sort(self.sort_group_member)
+            member_dicts = map(lambda member: member.toDict(), members)
+
+            return dict(group=group_dict, fields=ipagui.forms.group.GroupFields(),
+                    members = member_dicts)
+        except ipaerror.IPAError, e:
+            turbogears.flash("Group show failed: " + str(e))
+            raise turbogears.redirect("/")
+
+    @validate(form=group_new_form)
+    @identity.require(identity.not_anonymous())
+    def groupcreatevalidate(self, tg_errors=None, **kw):
+        return tg_errors, kw
+
+    @validate(form=group_edit_form)
+    @identity.require(identity.not_anonymous())
+    def groupupdatevalidate(self, tg_errors=None, **kw):
+        return tg_errors, kw
+
diff -r 157e43b04db3 -r ed3b5011eae2 ipa-server/ipa-gui/ipagui/subcontrollers/ipacontroller.py
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/ipacontroller.py	Thu Oct 04 17:10:18 2007 -0700
@@ -0,0 +1,58 @@
+import cherrypy
+import turbogears
+from turbogears import controllers, expose, flash
+from turbogears import validators, validate
+from turbogears import widgets, paginate
+from turbogears import error_handler
+from turbogears import identity
+
+class IPAController(controllers.Controller):
+    def restrict_post(self):
+        if cherrypy.request.method != "POST":
+            turbogears.flash("This method only accepts posts")
+            raise turbogears.redirect("/")
+
+    def utf8_encode(self, value):
+        if value != None:
+            value = value.encode('utf-8')
+        return value
+
+    def sort_group_member(self, a, b):
+        """Comparator function used for sorting group members."""
+        if a.getValue('uid') and b.getValue('uid'):
+            if a.getValue('givenname') == b.getValue('givenname'):
+                if a.getValue('sn') == b.getValue('sn'):
+                    if a.getValue('uid') == b.getValue('uid'):
+                        return 0
+                    elif a.getValue('uid') < b.getValue('uid'):
+                        return -1
+                    else:
+                        return 1
+                elif a.getValue('sn') < b.getValue('sn'):
+                    return -1
+                else:
+                    return 1
+            elif a.getValue('givenname') < b.getValue('givenname'):
+                return -1
+            else:
+                return 1
+        elif a.getValue('uid'):
+            return -1
+        elif b.getValue('uid'):
+            return 1
+        else:
+            if a.getValue('cn') == b.getValue('cn'):
+                return 0
+            elif a.getValue('cn') < b.getValue('cn'):
+                return -1
+            else:
+                return 1
+
+    def sort_by_cn(self, a, b):
+        """Comparator function used for sorting groups."""
+        if a.getValue('cn') == b.getValue('cn'):
+            return 0
+        elif a.getValue('cn') < b.getValue('cn'):
+            return -1
+        else:
+            return 1
diff -r 157e43b04db3 -r ed3b5011eae2 ipa-server/ipa-gui/ipagui/subcontrollers/user.py
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py	Thu Oct 04 17:10:18 2007 -0700
@@ -0,0 +1,537 @@
+import os
+import re
+import random
+from pickle import dumps, loads
+from base64 import b64encode, b64decode
+
+import cherrypy
+import turbogears
+from turbogears import controllers, expose, flash
+from turbogears import validators, validate
+from turbogears import widgets, paginate
+from turbogears import error_handler
+from turbogears import identity
+
+from ipacontroller import IPAController
+import ipa.config
+import ipa.ipaclient
+import ipa.user
+from ipa.entity import utf8_encode_values
+from ipa import ipaerror
+import ipagui.forms.user
+
+ipa.config.init_config()
+client = ipa.ipaclient.IPAClient(True)
+
+password_chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+
+user_new_form = ipagui.forms.user.UserNewForm()
+user_edit_form = ipagui.forms.user.UserEditForm()
+
+user_fields = ['*', 'nsAccountLock']
+
+class UserController(IPAController):
+
+    @expose()
+    def index(self):
+        raise turbogears.redirect("/user/list")
+
+    @expose("ipagui.templates.usernew")
+    @identity.require(identity.not_anonymous())
+    def new(self, tg_errors=None):
+        """Displays the new user form"""
+        if tg_errors:
+            turbogears.flash("There was a problem with the form!")
+
+        return dict(form=user_new_form, user={})
+
+    @expose()
+    @identity.require(identity.not_anonymous())
+    def create(self, **kw):
+        """Creates a new user"""
+        self.restrict_post()
+        client.set_krbccache(os.environ["KRB5CCNAME"])
+        if kw.get('submit') == 'Cancel':
+            turbogears.flash("Add user cancelled")
+            raise turbogears.redirect('/user/list')
+
+        tg_errors, kw = self.usercreatevalidate(**kw)
+        if tg_errors:
+            return dict(form=user_new_form, user=kw,
+                    tg_template='ipagui.templates.usernew')
+
+        #
+        # Create the user itself
+        #
+        try:
+            new_user = ipa.user.User()
+            new_user.setValue('title', kw.get('title'))
+            new_user.setValue('givenname', kw.get('givenname'))
+            new_user.setValue('sn', kw.get('sn'))
+            new_user.setValue('cn', kw.get('cn'))
+            new_user.setValue('displayname', kw.get('displayname'))
+            new_user.setValue('initials', kw.get('initials'))
+
+            new_user.setValue('uid', kw.get('uid'))
+            new_user.setValue('loginshell', kw.get('loginshell'))
+            new_user.setValue('gecos', kw.get('gecos'))
+
+            new_user.setValue('mail', kw.get('mail'))
+            new_user.setValue('telephonenumber', kw.get('telephonenumber'))
+            new_user.setValue('facsimiletelephonenumber',
+                    kw.get('facsimiletelephonenumber'))
+            new_user.setValue('mobile', kw.get('mobile'))
+            new_user.setValue('pager', kw.get('pager'))
+            new_user.setValue('homephone', kw.get('homephone'))
+
+            new_user.setValue('street', kw.get('street'))
+            new_user.setValue('l', kw.get('l'))
+            new_user.setValue('st', kw.get('st'))
+            new_user.setValue('postalcode', kw.get('postalcode'))
+
+            new_user.setValue('ou', kw.get('ou'))
+            new_user.setValue('businesscategory', kw.get('businesscategory'))
+            new_user.setValue('description', kw.get('description'))
+            new_user.setValue('employeetype', kw.get('employeetype'))
+            # new_user.setValue('manager', kw.get('manager'))
+            new_user.setValue('roomnumber', kw.get('roomnumber'))
+            # new_user.setValue('secretary', kw.get('secretary'))
+
+            new_user.setValue('carlicense', kw.get('carlicense'))
+            new_user.setValue('labeleduri', kw.get('labeleduri'))
+
+            if kw.get('nsAccountLock'):
+                new_user.setValue('nsAccountLock', 'true')
+
+            rv = client.add_user(new_user)
+        except ipaerror.exception_for(ipaerror.LDAP_DUPLICATE):
+            turbogears.flash("Person with login '%s' already exists" %
+                    kw.get('uid'))
+            return dict(form=user_new_form, user=kw,
+                    tg_template='ipagui.templates.usernew')
+        except ipaerror.IPAError, e:
+            turbogears.flash("User add failed: " + str(e))
+            return dict(form=user_new_form, user=kw,
+                    tg_template='ipagui.templates.usernew')
+
+        #
+        # NOTE: from here on, the user account now exists.
+        #       on any error, we redirect to the _edit_ user page.
+        #       this code does data setup, similar to useredit()
+        #
+        user = client.get_user_by_uid(kw['uid'], user_fields)
+        user_dict = user.toDict()
+
+        user_groups_dicts = []
+        user_groups_data = b64encode(dumps(user_groups_dicts))
+
+        # store a copy of the original user for the update later
+        user_data = b64encode(dumps(user_dict))
+        user_dict['user_orig'] = user_data
+        user_dict['user_groups_data'] = user_groups_data
+
+        # preserve group add info in case of errors
+        user_dict['dnadd'] = kw.get('dnadd')
+        user_dict['dn_to_info_json'] = kw.get('dn_to_info_json')
+
+        #
+        # Password change
+        # TODO
+        #
+
+        #
+        # Add groups
+        #
+        failed_adds = []
+        try:
+            dnadds = kw.get('dnadd')
+            if dnadds != None:
+                if not(isinstance(dnadds,list) or isinstance(dnadds,tuple)):
+                    dnadds = [dnadds]
+                failed_adds = client.add_groups_to_user(
+                        utf8_encode_values(dnadds), user.dn)
+                kw['dnadd'] = failed_adds
+        except ipaerror.IPAError, e:
+            failed_adds = dnadds
+
+        if len(failed_adds) > 0:
+            message = "Person successfully created.<br />"
+            message += "There was an error adding groups.<br />"
+            message += "Failures have been preserved in the add/remove lists."
+            turbogears.flash(message)
+            return dict(form=user_edit_form, user=user_dict,
+                        user_groups=user_groups_dicts,
+                        tg_template='ipagui.templates.useredit')
+
+        turbogears.flash("%s added!" % kw['uid'])
+        raise turbogears.redirect('/user/show', uid=kw['uid'])
+
+    @expose("ipagui.templates.dynamiceditsearch")
+    @identity.require(identity.not_anonymous())
+    def edit_search(self, **kw):
+        """Searches for groups and displays list of results in a table.
+           This method is used for the ajax search on the user edit page."""
+        client.set_krbccache(os.environ["KRB5CCNAME"])
+        groups = []
+        groups_counter = 0
+        searchlimit = 100
+        criteria = kw.get('criteria')
+        if criteria != None and len(criteria) > 0:
+            try:
+                groups = client.find_groups(criteria.encode('utf-8'), None,
+                        searchlimit)
+                groups_counter = groups[0]
+                groups = groups[1:]
+            except ipaerror.IPAError, e:
+                turbogears.flash("search failed: " + str(e))
+
+        return dict(users=None, groups=groups, criteria=criteria,
+                counter=groups_counter)
+
+
+    @expose("ipagui.templates.useredit")
+    @identity.require(identity.not_anonymous())
+    def edit(self, uid, tg_errors=None):
+        """Displays the edit user form"""
+        if tg_errors:
+            turbogears.flash("There was a problem with the form!")
+
+        client.set_krbccache(os.environ["KRB5CCNAME"])
+        try:
+            user = client.get_user_by_uid(uid, user_fields)
+            user_dict = user.toDict()
+            # Edit shouldn't fill in the password field.
+            if user_dict.has_key('userpassword'):
+                del(user_dict['userpassword'])
+
+            user_groups = client.get_groups_by_member(user.dn, ['dn', 'cn'])
+            user_groups.sort(self.sort_by_cn)
+            user_groups_dicts = map(lambda group: group.toDict(), user_groups)
+            user_groups_data = b64encode(dumps(user_groups_dicts))
+
+            # store a copy of the original user for the update later
+            user_data = b64encode(dumps(user_dict))
+            user_dict['user_orig'] = user_data
+            user_dict['user_groups_data'] = user_groups_data
+
+            return dict(form=user_edit_form, user=user_dict,
+                    user_groups=user_groups_dicts)
+        except ipaerror.IPAError, e:
+            turbogears.flash("User edit failed: " + str(e))
+            raise turbogears.redirect('/user/show', uid=kw.get('uid'))
+
+    @expose()
+    @identity.require(identity.not_anonymous())
+    def update(self, **kw):
+        """Updates an existing user"""
+        self.restrict_post()
+        client.set_krbccache(os.environ["KRB5CCNAME"])
+        if kw.get('submit') == 'Cancel Edit':
+            turbogears.flash("Edit user cancelled")
+            raise turbogears.redirect('/user/show', uid=kw.get('uid'))
+
+        # Decode the group data, in case we need to round trip
+        user_groups_dicts = loads(b64decode(kw.get('user_groups_data')))
+
+        tg_errors, kw = self.userupdatevalidate(**kw)
+        if tg_errors:
+            return dict(form=user_edit_form, user=kw,
+                        user_groups=user_groups_dicts,
+                        tg_template='ipagui.templates.useredit')
+
+        password_change = False
+        user_modified = False
+
+        #
+        # Update the user itself
+        #
+        try:
+            orig_user_dict = loads(b64decode(kw.get('user_orig')))
+
+            new_user = ipa.user.User(orig_user_dict)
+            new_user.setValue('title', kw.get('title'))
+            new_user.setValue('givenname', kw.get('givenname'))
+            new_user.setValue('sn', kw.get('sn'))
+            new_user.setValue('cn', kw.get('cn'))
+            new_user.setValue('displayname', kw.get('displayname'))
+            new_user.setValue('initials', kw.get('initials'))
+
+            new_user.setValue('loginshell', kw.get('loginshell'))
+            new_user.setValue('gecos', kw.get('gecos'))
+
+            new_user.setValue('mail', kw.get('mail'))
+            new_user.setValue('telephonenumber', kw.get('telephonenumber'))
+            new_user.setValue('facsimiletelephonenumber',
+                    kw.get('facsimiletelephonenumber'))
+            new_user.setValue('mobile', kw.get('mobile'))
+            new_user.setValue('pager', kw.get('pager'))
+            new_user.setValue('homephone', kw.get('homephone'))
+
+            new_user.setValue('street', kw.get('street'))
+            new_user.setValue('l', kw.get('l'))
+            new_user.setValue('st', kw.get('st'))
+            new_user.setValue('postalcode', kw.get('postalcode'))
+
+            new_user.setValue('ou', kw.get('ou'))
+            new_user.setValue('businesscategory', kw.get('businesscategory'))
+            new_user.setValue('description', kw.get('description'))
+            new_user.setValue('employeetype', kw.get('employeetype'))
+            # new_user.setValue('manager', kw.get('manager'))
+            new_user.setValue('roomnumber', kw.get('roomnumber'))
+            # new_user.setValue('secretary', kw.get('secretary'))
+
+            new_user.setValue('carlicense', kw.get('carlicense'))
+            new_user.setValue('labeleduri', kw.get('labeleduri'))
+
+
+            if kw.get('nsAccountLock'):
+                new_user.setValue('nsAccountLock', 'true')
+            else:
+                new_user.setValue('nsAccountLock', None)
+            if kw.get('editprotected') == 'true':
+                if kw.get('userpassword'):
+                    password_change = True
+                new_user.setValue('uidnumber', str(kw.get('uidnumber')))
+                new_user.setValue('gidnumber', str(kw.get('gidnumber')))
+                new_user.setValue('homedirectory', str(kw.get('homedirectory')))
+
+            rv = client.update_user(new_user)
+            #
+            # If the user update succeeds, but below operations fail, we
+            # need to make sure a subsequent submit doesn't try to update
+            # the user again.
+            #
+            user_modified = True
+            kw['user_orig'] = b64encode(dumps(new_user.toDict()))
+        except ipaerror.exception_for(ipaerror.LDAP_EMPTY_MODLIST), e:
+            # could be a password change
+            # could be groups change
+            # too much work to figure out unless someone really screams
+            pass
+        except ipaerror.IPAError, e:
+            turbogears.flash("User update failed: " + str(e))
+            return dict(form=user_edit_form, user=kw,
+                        user_groups=user_groups_dicts,
+                        tg_template='ipagui.templates.useredit')
+
+        #
+        # Password change
+        #
+        try:
+            if password_change:
+                rv = client.modifyPassword(kw['krbprincipalname'], "", kw.get('userpassword'))
+        except ipaerror.IPAError, e:
+            turbogears.flash("User password change failed: " + str(e))
+            return dict(form=user_edit_form, user=kw,
+                        user_groups=user_groups_dicts,
+                        tg_template='ipagui.templates.useredit')
+
+        #
+        # Add groups
+        #
+        failed_adds = []
+        try:
+            dnadds = kw.get('dnadd')
+            if dnadds != None:
+                if not(isinstance(dnadds,list) or isinstance(dnadds,tuple)):
+                    dnadds = [dnadds]
+                failed_adds = client.add_groups_to_user(
+                        utf8_encode_values(dnadds), new_user.dn)
+                kw['dnadd'] = failed_adds
+        except ipaerror.IPAError, e:
+            failed_adds = dnadds
+
+        #
+        # Remove groups
+        #
+        failed_dels = []
+        try:
+            dndels = kw.get('dndel')
+            if dndels != None:
+                if not(isinstance(dndels,list) or isinstance(dndels,tuple)):
+                    dndels = [dndels]
+                failed_dels = client.remove_groups_from_user(
+                        utf8_encode_values(dndels), new_user.dn)
+                kw['dndel'] = failed_dels
+        except ipaerror.IPAError, e:
+            failed_dels = dndels
+
+        if (len(failed_adds) > 0) or (len(failed_dels) > 0):
+            message = "There was an error updating groups.<br />"
+            message += "Failures have been preserved in the add/remove lists."
+            if user_modified:
+                message = "User Details successfully updated.<br />" + message
+            if password_change:
+                message = "User password successfully updated.<br />" + message
+            turbogears.flash(message)
+            return dict(form=user_edit_form, user=kw,
+                        user_groups=user_groups_dicts,
+                        tg_template='ipagui.templates.useredit')
+
+        turbogears.flash("%s updated!" % kw['uid'])
+        raise turbogears.redirect('/user/show', uid=kw['uid'])
+
+
+    @expose("ipagui.templates.userlist")
+    @identity.require(identity.not_anonymous())
+    def list(self, **kw):
+        """Searches for users and displays list of results"""
+        client.set_krbccache(os.environ["KRB5CCNAME"])
+        users = None
+        counter = 0
+        uid = kw.get('uid')
+        if uid != None and len(uid) > 0:
+            try:
+                users = client.find_users(uid.encode('utf-8'), None, 0, 2)
+                counter = users[0]
+                users = users[1:]
+                if counter == -1:
+                    turbogears.flash("These results are truncated.<br />" +
+                                    "Please refine your search and try again.")
+            except ipaerror.IPAError, e:
+                turbogears.flash("User list failed: " + str(e))
+                raise turbogears.redirect("/user/list")
+
+        return dict(users=users, uid=uid, fields=ipagui.forms.user.UserFields())
+
+
+    @expose("ipagui.templates.usershow")
+    @identity.require(identity.not_anonymous())
+    def show(self, uid):
+        """Retrieve a single user for display"""
+        client.set_krbccache(os.environ["KRB5CCNAME"])
+        try:
+            user = client.get_user_by_uid(uid, user_fields)
+            user_groups = client.get_groups_by_member(user.dn, ['cn'])
+            user_groups.sort(self.sort_by_cn)
+            user_reports = client.get_users_by_manager(user.dn,
+                    ['givenname', 'sn', 'uid'])
+            user_reports.sort(self.sort_group_member)
+
+            user_manager = None
+            try:
+                if user.manager:
+                    user_manager = client.get_user_by_dn(user.manager,
+                        ['givenname', 'sn', 'uid'])
+            except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
+                pass
+
+            return dict(user=user.toDict(), fields=ipagui.forms.user.UserFields(),
+                        user_groups=user_groups, user_reports=user_reports,
+                        user_manager=user_manager)
+        except ipaerror.IPAError, e:
+            turbogears.flash("User show failed: " + str(e))
+            raise turbogears.redirect("/")
+
+    @validate(form=user_new_form)
+    @identity.require(identity.not_anonymous())
+    def usercreatevalidate(self, tg_errors=None, **kw):
+        return tg_errors, kw
+
+    @validate(form=user_edit_form)
+    @identity.require(identity.not_anonymous())
+    def userupdatevalidate(self, tg_errors=None, **kw):
+        return tg_errors, kw
+
+    # @expose()
+    def generate_password(self):
+        password = ""
+        generator = random.SystemRandom()
+        for char in range(8):
+            index = generator.randint(0, len(password_chars) - 1)
+            password += password_chars[index]
+
+        return password
+
+    @expose()
+    @identity.require(identity.not_anonymous())
+    def suggest_uid(self, givenname, sn):
+        # filter illegal uid characters out
+        givenname = re.sub(r'[^a-zA-Z_\-0-9]', "", givenname)
+        sn = re.sub(r'[^a-zA-Z_\-0-9]', "", sn)
+
+        if (len(givenname) == 0) or (len(sn) == 0):
+            return ""
+
+        client.set_krbccache(os.environ["KRB5CCNAME"])
+        givenname = givenname.lower()
+        sn = sn.lower()
+
+        uid = givenname[0] + sn[:7]
+        try:
+            client.get_user_by_uid(uid)
+        except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
+            return uid
+
+        uid = givenname[:7] + sn[0]
+        try:
+            client.get_user_by_uid(uid)
+        except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
+            return uid
+
+        uid = (givenname + sn)[:8]
+        try:
+            client.get_user_by_uid(uid)
+        except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
+            return uid
+
+        uid = sn[:8]
+        try:
+            client.get_user_by_uid(uid)
+        except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
+            return uid
+
+        suffix = 2
+        template = givenname[0] + sn[:7]
+        while suffix < 20:
+            uid = template[:8 - len(str(suffix))] + str(suffix)
+            try:
+                client.get_user_by_uid(uid)
+            except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
+                return uid
+            suffix += 1
+
+        return ""
+
+    @expose()
+    @identity.require(identity.not_anonymous())
+    def suggest_email(self, givenname, sn):
+        # remove illegal email characters
+        givenname = re.sub(r'[^a-zA-Z0-9!#\$%\*/?\|\^\{\}`~&\'\+\-=_]', "", givenname)
+        sn = re.sub(r'[^a-zA-Z0-9!#\$%\*/?\|\^\{\}`~&\'\+\-=_]', "", sn)
+
+        if (len(givenname) == 0) or (len(sn) == 0):
+            return ""
+
+        client.set_krbccache(os.environ["KRB5CCNAME"])
+        givenname = givenname.lower()
+        sn = sn.lower()
+
+        # TODO - get from config
+        domain = "freeipa.org"
+
+        return "%s.%s@%s" % (givenname, sn, domain)
+
+
+        # TODO - mail is currently not indexed nor searchable.
+        #        implement when it's done
+        # email = givenname + "." + sn + domain
+        # users = client.find_users(email, ['mail'])
+        # if len(filter(lambda u: u['mail'] == email, users[1:])) == 0:
+        #     return email
+
+        # email = self.suggest_uid(givenname, sn) + domain
+        # users = client.find_users(email, ['mail'])
+        # if len(filter(lambda u: u['mail'] == email, users[1:])) == 0:
+        #     return email
+
+        # suffix = 2
+        # template = givenname + "." + sn
+        # while suffix < 20:
+        #     email = template + str(suffix) + domain
+        #     users = client.find_users(email, ['mail'])
+        #     if len(filter(lambda u: u['mail'] == email, users[1:])) == 0:
+        #         return email
+        #     suffix += 1
+
+        # return ""
diff -r 157e43b04db3 -r ed3b5011eae2 ipa-server/ipa-gui/ipagui/templates/groupedit.kid
--- a/ipa-server/ipa-gui/ipagui/templates/groupedit.kid	Thu Oct 04 14:34:49 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/groupedit.kid	Thu Oct 04 17:10:18 2007 -0700
@@ -16,6 +16,6 @@
     <h2>Edit Group</h2>
   </div>
 
-  ${form.display(action="groupupdate", value=group, members=members)}
+  ${form.display(action=tg.url('/group/update'), value=group, members=members)}
 </body>
 </html>
diff -r 157e43b04db3 -r ed3b5011eae2 ipa-server/ipa-gui/ipagui/templates/groupeditform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid	Thu Oct 04 14:34:49 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid	Thu Oct 04 17:10:18 2007 -0700
@@ -23,7 +23,7 @@ from ipagui.helpers import ipahelper
   <script type="text/javascript" charset="utf-8"
     src="${tg.url('/static/javascript/dynamicedit.js')}"></script>
 
-  <?python searchurl = tg.url('/groupedit_search') ?>
+  <?python searchurl = tg.url('/group/edit_search') ?>
 
   <script type="text/javascript">
     function toggleProtectedFields(checkbox) {
diff -r 157e43b04db3 -r ed3b5011eae2 ipa-server/ipa-gui/ipagui/templates/grouplayout.kid
--- a/ipa-server/ipa-gui/ipagui/templates/grouplayout.kid	Thu Oct 04 14:34:49 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/grouplayout.kid	Thu Oct 04 17:10:18 2007 -0700
@@ -14,9 +14,9 @@
 
 <!--      <div id="sidebar">
           <h2>Tools</h2>
-          <a href="${tg.url('/groupindex')}">Add Group</a><br/>
-          <a href="${tg.url('/groupindex')}">Find Group</a><br/>
-          <a href="${tg.url('/groupindex')}">List Groups</a><br/>
+          <a href="${tg.url('/group/index')}">Add Group</a><br/>
+          <a href="${tg.url('/group/index')}">Find Group</a><br/>
+          <a href="${tg.url('/group/index')}">List Groups</a><br/>
       </div> -->
 </body>
 
diff -r 157e43b04db3 -r ed3b5011eae2 ipa-server/ipa-gui/ipagui/templates/grouplist.kid
--- a/ipa-server/ipa-gui/ipagui/templates/grouplist.kid	Thu Oct 04 14:34:49 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/grouplist.kid	Thu Oct 04 17:10:18 2007 -0700
@@ -8,7 +8,7 @@
 <body>
     <script type="text/javascript" charset="utf-8" src="${tg.url('/static/javascript/tablekit.js')}"></script>
     <div id="search">
-        <form action="${tg.url('/grouplist')}" method="get">
+        <form action="${tg.url('/group/list')}" method="get">
             <input id="criteria" type="text" name="criteria" value="${criteria}" />
             <input type="submit" value="Find Groups"/>
         </form>
@@ -32,7 +32,7 @@
           <tbody>
             <tr py:for="group in groups">
                 <td>
-                    <a href="${tg.url('/groupshow',cn=group.cn)}">${group.cn}</a>
+                    <a href="${tg.url('/group/show',cn=group.cn)}">${group.cn}</a>
                 </td>
                 <td>
                     ${group.description}
diff -r 157e43b04db3 -r ed3b5011eae2 ipa-server/ipa-gui/ipagui/templates/groupnew.kid
--- a/ipa-server/ipa-gui/ipagui/templates/groupnew.kid	Thu Oct 04 14:34:49 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/groupnew.kid	Thu Oct 04 17:10:18 2007 -0700
@@ -8,6 +8,6 @@
 <body>
     <h2>Add Group</h2>
 
-    ${form.display(action="groupcreate", value=group)}
+    ${form.display(action=tg.url('/group/create'), value=group)}
 </body>
 </html>
diff -r 157e43b04db3 -r ed3b5011eae2 ipa-server/ipa-gui/ipagui/templates/groupnewform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/groupnewform.kid	Thu Oct 04 14:34:49 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/groupnewform.kid	Thu Oct 04 17:10:18 2007 -0700
@@ -18,7 +18,7 @@ from ipagui.helpers import ipahelper
   <script type="text/javascript" charset="utf-8"
     src="${tg.url('/static/javascript/dynamicedit.js')}"></script>
 
-  <?python searchurl = tg.url('/groupedit_search') ?>
+  <?python searchurl = tg.url('/group/edit_search') ?>
 
   <script type="text/javascript">
     function doSearch() {
diff -r 157e43b04db3 -r ed3b5011eae2 ipa-server/ipa-gui/ipagui/templates/groupshow.kid
--- a/ipa-server/ipa-gui/ipagui/templates/groupshow.kid	Thu Oct 04 14:34:49 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/groupshow.kid	Thu Oct 04 17:10:18 2007 -0700
@@ -7,7 +7,7 @@
 </head>
 <body>
 <?python
-edit_url = tg.url('/groupedit', cn=group.get('cn'))
+edit_url = tg.url('/group/edit', cn=group.get('cn'))
 ?>
     <h2>View Group</h2>
 
@@ -48,12 +48,12 @@ edit_url = tg.url('/groupedit', cn=group
           member_cn = "%s %s" % (member.get('givenName', ''), member.get('sn', ''))
           member_desc = "(%s)" % member_uid
           member_type = "user"
-          view_url = tg.url('usershow', uid=member_uid)
+          view_url = tg.url('/user/show', uid=member_uid)
       else:
           member_cn = "%s" % member.get('cn')
           member_desc = "[group]"
           member_type = "group"
-          view_url = tg.url('groupshow', cn=member_cn)
+          view_url = tg.url('/group/show', cn=member_cn)
       ?>
       <span py:if='member_type == "user"'>
         <a href="${view_url}"
diff -r 157e43b04db3 -r ed3b5011eae2 ipa-server/ipa-gui/ipagui/templates/master.kid
--- a/ipa-server/ipa-gui/ipagui/templates/master.kid	Thu Oct 04 14:34:49 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/master.kid	Thu Oct 04 17:10:18 2007 -0700
@@ -66,12 +66,12 @@
       <div id="sidebar">
         <h2>Tasks</h2>
         <p>
-        <a href="${tg.url('/usernew')}">Add Person</a><br/>
-        <a href="${tg.url('/userlist')}">Find People</a><br/>
+        <a href="${tg.url('/user/new')}">Add Person</a><br/>
+        <a href="${tg.url('/user/list')}">Find People</a><br/>
         </p>
         <p>
-        <a href="${tg.url('/groupnew')}">Add Group</a><br/>
-        <a href="${tg.url('/grouplist')}">Find Groups</a><br/>
+        <a href="${tg.url('/group/new')}">Add Group</a><br/>
+        <a href="${tg.url('/group/list')}">Find Groups</a><br/>
         </p>
         <p>
         <a href="${tg.url('/')}">Manage Policy</a><br/>
diff -r 157e43b04db3 -r ed3b5011eae2 ipa-server/ipa-gui/ipagui/templates/useredit.kid
--- a/ipa-server/ipa-gui/ipagui/templates/useredit.kid	Thu Oct 04 14:34:49 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/useredit.kid	Thu Oct 04 17:10:18 2007 -0700
@@ -35,6 +35,6 @@ else:
         Password has expired
     </div>
 
-     ${form.display(action="userupdate", value=user, user_groups=user_groups)}
+     ${form.display(action=tg.url('/user/update'), value=user, user_groups=user_groups)}
 </body>
 </html>
diff -r 157e43b04db3 -r ed3b5011eae2 ipa-server/ipa-gui/ipagui/templates/usereditform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usereditform.kid	Thu Oct 04 14:34:49 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usereditform.kid	Thu Oct 04 17:10:18 2007 -0700
@@ -24,7 +24,7 @@ from ipagui.helpers import ipahelper
   <script type="text/javascript" charset="utf-8"
     src="${tg.url('/static/javascript/dynamicedit.js')}"></script>
 
-  <?python searchurl = tg.url('/useredit_search') ?>
+  <?python searchurl = tg.url('/user/edit_search') ?>
 
   <script type="text/javascript">
     function toggleProtectedFields(checkbox) {
@@ -196,7 +196,7 @@ from ipagui.helpers import ipahelper
           <span id="password_text">********</span>
           <input id="genpassword_button" type="button" value="Generate Password"
               disabled="true"
-              onclick="new Ajax.Request('${tg.url('/generate_password')}',
+              onclick="new Ajax.Request('${tg.url('/user/generate_password')}',
                 {
                   method: 'get',
                   onSuccess: function(transport) {
diff -r 157e43b04db3 -r ed3b5011eae2 ipa-server/ipa-gui/ipagui/templates/userlayout.kid
--- a/ipa-server/ipa-gui/ipagui/templates/userlayout.kid	Thu Oct 04 14:34:49 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/userlayout.kid	Thu Oct 04 17:10:18 2007 -0700
@@ -14,8 +14,8 @@
 
 <!--      <div id="sidebar">
           <h2>Tools</h2>
-          <a href="${tg.url('/usernew')}">Add Person</a><br/>
-          <a href="${tg.url('/userlist')}">Find People</a><br/>
+          <a href="${tg.url('/user/new')}">Add Person</a><br/>
+          <a href="${tg.url('/user/list')}">Find People</a><br/>
       </div> -->
 </body>
 
diff -r 157e43b04db3 -r ed3b5011eae2 ipa-server/ipa-gui/ipagui/templates/userlist.kid
--- a/ipa-server/ipa-gui/ipagui/templates/userlist.kid	Thu Oct 04 14:34:49 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/userlist.kid	Thu Oct 04 17:10:18 2007 -0700
@@ -8,7 +8,7 @@
 <body>
     <script type="text/javascript" charset="utf-8" src="${tg.url('/static/javascript/tablekit.js')}"></script>
     <div id="search">
-        <form action="${tg.url('/userlist')}" method="get">
+        <form action="${tg.url('/user/list')}" method="get">
             <input id="uid" type="text" name="uid" value="${uid}" />
             <input type="submit" value="Find People"/>
         </form>
@@ -38,7 +38,7 @@
           <tbody>
             <tr py:for="user in users">
                 <td>
-                    <a href="${tg.url('/usershow',uid=user.uid)}"
+                    <a href="${tg.url('/user/show',uid=user.uid)}"
                     >${user.givenName} ${user.sn}</a>
                     (${user.uid})
                 </td>
diff -r 157e43b04db3 -r ed3b5011eae2 ipa-server/ipa-gui/ipagui/templates/usernew.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usernew.kid	Thu Oct 04 14:34:49 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usernew.kid	Thu Oct 04 17:10:18 2007 -0700
@@ -8,6 +8,6 @@
 <body>
     <h2>Add Person</h2>
 
-    ${form.display(action="usercreate", value=user)}
+    ${form.display(action=tg.url("/user/create"), value=user)}
 </body>
 </html>
diff -r 157e43b04db3 -r ed3b5011eae2 ipa-server/ipa-gui/ipagui/templates/usernewform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usernewform.kid	Thu Oct 04 14:34:49 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usernewform.kid	Thu Oct 04 17:10:18 2007 -0700
@@ -18,7 +18,7 @@ from ipagui.helpers import ipahelper
   <script type="text/javascript" charset="utf-8"
     src="${tg.url('/static/javascript/dynamicedit.js')}"></script>
 
-  <?python searchurl = tg.url('/useredit_search') ?>
+  <?python searchurl = tg.url('/user/edit_search') ?>
 
   <script type="text/javascript">
     function doSearch() {
@@ -123,7 +123,7 @@ from ipagui.helpers import ipahelper
               }
 
               if ((uid.value == "") || (uid.value == uid_suggest)) {
-                new Ajax.Request('${tg.url('/suggest_uid')}', {
+                new Ajax.Request('${tg.url('/user/suggest_uid')}', {
                     method: 'get',
                     parameters: {'givenname': givenname.value, 'sn': sn.value},
                     onSuccess: function(transport) {
@@ -135,7 +135,7 @@ from ipagui.helpers import ipahelper
               }
 
               if ((mail.value == "") || (mail.value == mail_suggest)) {
-                new Ajax.Request('${tg.url('/suggest_email')}', {
+                new Ajax.Request('${tg.url('/user/suggest_email')}', {
                     method: 'get',
                     parameters: {'givenname': givenname.value, 'sn': sn.value},
                     onSuccess: function(transport) {
@@ -230,7 +230,7 @@ from ipagui.helpers import ipahelper
 
           <!--
           <input type="button" value="Generate Password"
-              onclick="new Ajax.Request('${tg.url('/generate_password')}',
+              onclick="new Ajax.Request('${tg.url('/user/generate_password')}',
                 {
                   method: 'get',
                   onSuccess: function(transport) {
diff -r 157e43b04db3 -r ed3b5011eae2 ipa-server/ipa-gui/ipagui/templates/usershow.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usershow.kid	Thu Oct 04 14:34:49 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usershow.kid	Thu Oct 04 17:10:18 2007 -0700
@@ -7,7 +7,7 @@
 </head>
 <body>
 <?python
-edit_url = tg.url('/useredit', uid=user.get('uid'))
+edit_url = tg.url('/user/edit', uid=user.get('uid'))
 ?>
     <h2>View Person</h2>
 
@@ -218,7 +218,7 @@ else:
             Manager:
           </th>
           <td>
-            <a href="${tg.url('/usershow', uid=user_manager.uid)}"
+            <a href="${tg.url('/user/show', uid=user_manager.uid)}"
               >${user_manager.givenname} ${user_manager.sn}</a>
           </td>
         </tr>
@@ -254,13 +254,13 @@ else:
 
     <div class="formsection" py:if='len(user_reports) &gt; 0'>Direct Reports</div>
     <div py:for="report in user_reports">
-      <a href="${tg.url('/usershow', uid=report.uid)}"
+      <a href="${tg.url('/user/show', uid=report.uid)}"
         >${report.givenname} ${report.sn}</a>
     </div>
 
     <div class="formsection">Groups</div>
     <div py:for="group in user_groups">
-      <a href="${tg.url('/groupshow', cn=group.cn)}">${group.cn}</a>
+      <a href="${tg.url('/group/show', cn=group.cn)}">${group.cn}</a>
     </div>
 
     <br/>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071004/2a01d3bf/attachment.bin>

From rcritten at redhat.com  Fri Oct  5 14:35:36 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 05 Oct 2007 10:35:36 -0400
Subject: [Freeipa-devel] [PATCH] split controllers out
In-Reply-To: <20071005001152.GM18815@moon.usersys.redhat.com>
References: <20071005001152.GM18815@moon.usersys.redhat.com>
Message-ID: <47064BB8.9090204@redhat.com>

Kevin McCarthy wrote:
> This patch _looks_ big, but in truth it's just moving a bunch of code.
> The main controllers.py is too big - I should have split it up a long
> time ago, so now the sooner the better.
> 
> -Kevin

I see what you mean. From what I can tell this looks ok. We'll find out 
pretty quickly if it doesn't work :-)

+1.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071005/f2953fc0/attachment.bin>

From rcritten at redhat.com  Fri Oct  5 15:30:09 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 05 Oct 2007 11:30:09 -0400
Subject: [Freeipa-devel] [PATCH] fix auto-suggest code
In-Reply-To: <20071004212326.GJ18815@moon.usersys.redhat.com>
References: <20071004212326.GJ18815@moon.usersys.redhat.com>
Message-ID: <47065881.90506@redhat.com>

Kevin McCarthy wrote:
> Fixes from Dan's feedback.  Non-roundtrip code goes before the ajax
> calls.  Also found a dumb bug with the initials code.
> 
> -Kevin
> 
> 
>

Looks ok.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071005/b04545bb/attachment.bin>

From kmccarth at redhat.com  Fri Oct  5 15:32:51 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Fri, 5 Oct 2007 08:32:51 -0700
Subject: [Freeipa-devel] [PATCH] fix auto-suggest code
In-Reply-To: <47065881.90506@redhat.com>
References: <20071004212326.GJ18815@moon.usersys.redhat.com>
	<47065881.90506@redhat.com>
Message-ID: <20071005153251.GA14918@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> Fixes from Dan's feedback.  Non-roundtrip code goes before the ajax
>> calls.  Also found a dumb bug with the initials code.
>> -Kevin
>>
>
> Looks ok.

pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071005/31b30a00/attachment.bin>

From kmccarth at redhat.com  Fri Oct  5 15:34:01 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Fri, 5 Oct 2007 08:34:01 -0700
Subject: [Freeipa-devel] [PATCH] split controllers out
In-Reply-To: <47064BB8.9090204@redhat.com>
References: <20071005001152.GM18815@moon.usersys.redhat.com>
	<47064BB8.9090204@redhat.com>
Message-ID: <20071005153401.GB14918@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> This patch _looks_ big, but in truth it's just moving a bunch of code.
>> The main controllers.py is too big - I should have split it up a long
>> time ago, so now the sooner the better.
>> -Kevin
>
> I see what you mean. From what I can tell this looks ok. We'll find out 
> pretty quickly if it doesn't work :-)

Yup, another reason to do it now, so we can shake out any small things I
missed.

Pushed.

-Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071005/3098c983/attachment.bin>

From mccann at jhu.edu  Fri Oct  5 19:40:48 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Fri, 5 Oct 2007 15:40:48 -0400
Subject: [Freeipa-devel] [PATCH] don't append values multiple times to
	configuration files
In-Reply-To: <4704EA55.5030505@redhat.com>
References: <939dd5750710031753m3a03f970we42f2c154552cc57@mail.gmail.com>
	<4704EA55.5030505@redhat.com>
Message-ID: <939dd5750710051240u387346d2s8acc3f327718b291@mail.gmail.com>

On 10/4/07, Rob Crittenden <rcritten at redhat.com> wrote:
> William Jon McCann wrote:
> > Hi,
> >
> > After playing with the install (repeatedly) I ended up with a lot of
> > duplicate values in:
> > /etc/sysconfig/dirsrv
> > /etc/sysconfig/ipa-kpasswd
> >
> > Here is a patch that should fix this.  It modifies the file "in-place"
> > and removes lines that matching the key (or commented key) and then
> > appends the new key=value.
> >
> > Jon
>
> Cool, I've wanted to fix this for a while (and recently aborted a switch
> from open with "a" to "w").
>
> What happens if the file doesn't exist yet? Do we need to wrap the
> fileinput loop in either a try/except or just look to see if the file
> exists first (my vote)?
>
> Something like:
>
> def update_key_val_in_file(filename, key, val):
>      if os.path.exists(filename):
>          pattern = "^[\s#]*%s\s*=" % re.escape(key)
>          p = re.compile(pattern)
>          for line in fileinput.input(filename, inplace=1):
>              if not p.search(line):
>                  sys.stdout.write(line)
>          fileinput.close()
>      f = open(filename, "a")
>      f.write("%s=%s\n" % (key, val))
>      f.close()

Good point.  In genera,l I prefer doing a try because it is a little
less racy but in this case it doesn't make a difference.

Updated patch attached.

Thanks,
Jon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-no-key-dups2.diff
Type: text/x-diff
Size: 2124 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071005/8bfe3f1d/attachment.bin>

From rcritten at redhat.com  Fri Oct  5 20:53:00 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 05 Oct 2007 16:53:00 -0400
Subject: [Freeipa-devel] initial quick setup docs
Message-ID: <4706A42C.1060100@redhat.com>

I hacked something up quickly on how to install IPA and some pitfalls to 
avoid.

Please criticize away.

rob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: QuickInstall.txt
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071005/52e1603b/attachment.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071005/52e1603b/attachment.bin>

From kmccarth at redhat.com  Fri Oct  5 20:55:16 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Fri, 5 Oct 2007 13:55:16 -0700
Subject: [Freeipa-devel] [PATCH] fix for IE
Message-ID: <20071005205516.GF14918@moon.usersys.redhat.com>

Small fix so IE is happy.  Not that I care or anything ;-)

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1191617944 25200
# Node ID 07edfe00c6dc51f4e87161e6b7bf67a2a5ed4055
# Parent  466680ea078ae3a9f2d2d3d0b6a0a35790c80fd7
Fix for Internet Explorer, which is picky about commas.

diff -r 466680ea078a -r 07edfe00c6dc ipa-server/ipa-gui/ipagui/static/javascript/dynamicedit.js
--- a/ipa-server/ipa-gui/ipagui/static/javascript/dynamicedit.js	Fri Oct 05 09:34:42 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/static/javascript/dynamicedit.js	Fri Oct 05 13:59:04 2007 -0700
@@ -39,7 +39,7 @@ MemberDisplayInfo.prototype = {
     this.name = name;
     this.descr = descr;
     this.type = type;
-  },
+  }
 };
 
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071005/29da0ba8/attachment.bin>

From rcritten at redhat.com  Fri Oct  5 21:20:28 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 05 Oct 2007 17:20:28 -0400
Subject: [Freeipa-devel] [PATCH] fix for IE
In-Reply-To: <20071005205516.GF14918@moon.usersys.redhat.com>
References: <20071005205516.GF14918@moon.usersys.redhat.com>
Message-ID: <4706AA9C.3050308@redhat.com>

Kevin McCarthy wrote:
> Small fix so IE is happy.  Not that I care or anything ;-)
> 
> -Kevin
> 
>

Looks ok.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071005/e8024df0/attachment.bin>

From mccann at jhu.edu  Fri Oct  5 22:23:57 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Fri, 5 Oct 2007 18:23:57 -0400
Subject: [Freeipa-devel] more installer fixes
Message-ID: <939dd5750710051523s16f3f74et7f941a7951c7a34@mail.gmail.com>

Hi,

Here is another patch for the installer.  It does a few things:

 * use socket.getfqdn() but fallback to gethostname()
 * streamlines the hostname prompting
 * fixes a bunch of spelling and grammatical errors
 * fixes a bug in the hostname reading/verification logic
 * allows "yes" and "no" as answers
 * modularizes and reuses code where possible
 * changes some of the prompts to be more like
   the FDS installer - some text is copied (which is easy to use IMO)
 * tries to make the prompts fit on smaller screens (<80 chars)

Hope you agree that it is better.  :)

Thanks,
Jon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-more-install-fixes.diff
Type: text/x-diff
Size: 20305 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071005/b284218b/attachment.bin>

From kmccarth at redhat.com  Fri Oct  5 22:28:27 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Fri, 5 Oct 2007 15:28:27 -0700
Subject: [Freeipa-devel] [PATCH] misc escaping issues
Message-ID: <20071005222826.GH14918@moon.usersys.redhat.com>

This patch adds dn escaping when entries are created.
 e.g. cn=Bob"s Group
Also adds the null char to safe_filter.
Lastly fixes a double escaping issues with dynamicedit.js

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1191623158 25200
# Node ID 85a9d3f6c031f7f318b4d8b8e507e38829c9df1c
# Parent  37e1c1e03c98e2e03f198c6c300587c4369c867e
Several escaping fixes:
- illegal dn characters need to be escaped
- null characters in search filters
- dynamicedit.js was double html escaping (the python layer does it already)

diff -r 37e1c1e03c98 -r 85a9d3f6c031 ipa-server/ipa-gui/ipagui/static/javascript/dynamicedit.js
--- a/ipa-server/ipa-gui/ipagui/static/javascript/dynamicedit.js	Fri Oct 05 13:59:35 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/static/javascript/dynamicedit.js	Fri Oct 05 15:25:58 2007 -0700
@@ -71,12 +71,12 @@ function renderMemberInfo(newdiv, info) 
 function renderMemberInfo(newdiv, info) {
   if (info.type == "user") {
     newdiv.appendChild(document.createTextNode(
-      info.name.escapeHTML() + " " + info.descr.escapeHTML() + " "));
+      info.name + " " + info.descr + " "));
   } else if (info.type == "group") {
     ital = document.createElement('i');
     ital.appendChild(document.createTextNode(
-      info.name.escapeHTML() + " " + 
-      info.descr.escapeHTML() + " "));
+      info.name + " " + 
+      info.descr + " "));
     newdiv.appendChild(ital);
   }
 }
diff -r 37e1c1e03c98 -r 85a9d3f6c031 ipa-server/xmlrpc-server/funcs.py
--- a/ipa-server/xmlrpc-server/funcs.py	Fri Oct 05 13:59:35 2007 -0700
+++ b/ipa-server/xmlrpc-server/funcs.py	Fri Oct 05 15:25:58 2007 -0700
@@ -22,6 +22,7 @@ sys.path.append("/usr/share/ipa")
 
 import krbV
 import ldap
+import ldap.dn
 import ipaserver.dsinstance
 import ipaserver.ipaldap
 import ipa.ipautil
@@ -347,7 +348,8 @@ class IPAServer:
         if self.__is_user_unique(user['uid'], opts) == 0:
             raise ipaerror.gen_exception(ipaerror.LDAP_DUPLICATE)
 
-        dn="uid=%s,%s,%s" % (user['uid'], user_container,self.basedn)
+        dn="uid=%s,%s,%s" % (ldap.dn.escape_dn_chars(user['uid']),
+                             user_container,self.basedn)
         entry = ipaserver.ipaldap.Entry(dn)
 
         # FIXME: This should be dynamic and can include just about anything
@@ -650,7 +652,8 @@ class IPAServer:
         if self.__is_group_unique(group['cn'], opts) == 0:
             raise ipaerror.gen_exception(ipaerror.LDAP_DUPLICATE)
 
-        dn="cn=%s,%s,%s" % (group['cn'], group_container,self.basedn)
+        dn="cn=%s,%s,%s" % (ldap.dn.escape_dn_chars(group['cn']),
+                            group_container,self.basedn)
         entry = ipaserver.ipaldap.Entry(dn)
 
         # some required objectclasses
@@ -1017,5 +1020,7 @@ def ldap_search_escape(match):
     elif value == "*":
         # drop '*' from input.  search performs its own wildcarding
         return ""
+    elif value =='\x00':
+        return r'\00'
     else:
         return value
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071005/46069de5/attachment.bin>

From kmccarth at redhat.com  Fri Oct  5 23:40:55 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Fri, 5 Oct 2007 16:40:55 -0700
Subject: [Freeipa-devel] threading issues
Message-ID: <20071005234055.GI14918@moon.usersys.redhat.com>

I wanted to put on the list to review threading issues.  Now that
we're using TG in a mod_proxy setting, we have to be concerned about
threading issues.

Right now, the web gui is (incorrectly) allocating a shared IPAServer
object (by allocating a shared IPAClient).  Unfortunately there are two
issues here:

1) The self.princ and self.krbccache are being set on each request -
   which obviously won't work with multiple threads

2) The IPAConnPool isn't using locks around self.freelist

The first change that has to happen is the web gui should allocate an
IPAClient for each request (I'll make that change).

However, this loses any connection pool benefits.  To fix this, we could
separate IPAConnPool from IPAServer and implement Locks at the right
places.

Any opinions?

-Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071005/777244e1/attachment.bin>

From ssorce at redhat.com  Sat Oct  6 16:13:13 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Sat, 06 Oct 2007 12:13:13 -0400
Subject: [Freeipa-devel] threading issues
In-Reply-To: <20071005234055.GI14918@moon.usersys.redhat.com>
References: <20071005234055.GI14918@moon.usersys.redhat.com>
Message-ID: <1191687193.14966.29.camel@localhost.localdomain>

On Fri, 2007-10-05 at 16:40 -0700, Kevin McCarthy wrote:
> I wanted to put on the list to review threading issues.  Now that
> we're using TG in a mod_proxy setting, we have to be concerned about
> threading issues.
> 
> Right now, the web gui is (incorrectly) allocating a shared IPAServer
> object (by allocating a shared IPAClient).  Unfortunately there are two
> issues here:
> 
> 1) The self.princ and self.krbccache are being set on each request -
>    which obviously won't work with multiple threads
> 
> 2) The IPAConnPool isn't using locks around self.freelist
> 
> The first change that has to happen is the web gui should allocate an
> IPAClient for each request (I'll make that change).
> 
> However, this loses any connection pool benefits.  To fix this, we could
> separate IPAConnPool from IPAServer and implement Locks at the right
> places.
> 
> Any opinions?

Didn't we decide to not use threads at all ?

Simo.



From rcritten at redhat.com  Mon Oct  8 14:38:47 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 08 Oct 2007 10:38:47 -0400
Subject: [Freeipa-devel] threading issues
In-Reply-To: <20071005234055.GI14918@moon.usersys.redhat.com>
References: <20071005234055.GI14918@moon.usersys.redhat.com>
Message-ID: <470A40F7.5020601@redhat.com>

Kevin McCarthy wrote:
> I wanted to put on the list to review threading issues.  Now that
> we're using TG in a mod_proxy setting, we have to be concerned about
> threading issues.
> 
> Right now, the web gui is (incorrectly) allocating a shared IPAServer
> object (by allocating a shared IPAClient).  Unfortunately there are two
> issues here:
> 
> 1) The self.princ and self.krbccache are being set on each request -
>    which obviously won't work with multiple threads
> 
> 2) The IPAConnPool isn't using locks around self.freelist
> 
> The first change that has to happen is the web gui should allocate an
> IPAClient for each request (I'll make that change).
> 
> However, this loses any connection pool benefits.  To fix this, we could
> separate IPAConnPool from IPAServer and implement Locks at the right
> places.
> 
> Any opinions?
> 
> -Kevin

It isn't really doing connection pooling anymore. Each connection is 
created/torn down for each API call. The pooling was done when we were 
binding using the SSL cert and using proxying.

We can't do pooling with kerberos because the credentials cache will 
disappear when the current HTTP request is finished.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071008/d33d1d7d/attachment.bin>

From ssorce at redhat.com  Mon Oct  8 14:48:16 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 08 Oct 2007 10:48:16 -0400
Subject: [Freeipa-devel] threading issues
In-Reply-To: <470A40F7.5020601@redhat.com>
References: <20071005234055.GI14918@moon.usersys.redhat.com>
	<470A40F7.5020601@redhat.com>
Message-ID: <1191854896.14966.96.camel@localhost.localdomain>

On Mon, 2007-10-08 at 10:38 -0400, Rob Crittenden wrote:
> Kevin McCarthy wrote:
> > I wanted to put on the list to review threading issues.  Now that
> > we're using TG in a mod_proxy setting, we have to be concerned about
> > threading issues.
> > 
> > Right now, the web gui is (incorrectly) allocating a shared IPAServer
> > object (by allocating a shared IPAClient).  Unfortunately there are two
> > issues here:
> > 
> > 1) The self.princ and self.krbccache are being set on each request -
> >    which obviously won't work with multiple threads
> > 
> > 2) The IPAConnPool isn't using locks around self.freelist
> > 
> > The first change that has to happen is the web gui should allocate an
> > IPAClient for each request (I'll make that change).
> > 
> > However, this loses any connection pool benefits.  To fix this, we could
> > separate IPAConnPool from IPAServer and implement Locks at the right
> > places.
> > 
> > Any opinions?
> > 
> > -Kevin
> 
> It isn't really doing connection pooling anymore. Each connection is 
> created/torn down for each API call. The pooling was done when we were 
> binding using the SSL cert and using proxying.

Yeah I saw this in my mod_auth_kerb debug session now that I think of
it.

> We can't do pooling with kerberos because the credentials cache will 
> disappear when the current HTTP request is finished.

I find this contradictory, connection pooling usually means you keep
around an authenticated connection open. All you need to do is to keep
around information about the connection (the principal that opened it)
and reuse that if it matches.
Is there a problem keeping around connections with our current code?

Simo.



From rcritten at redhat.com  Mon Oct  8 14:58:34 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 08 Oct 2007 10:58:34 -0400
Subject: [Freeipa-devel] threading issues
In-Reply-To: <1191854896.14966.96.camel@localhost.localdomain>
References: <20071005234055.GI14918@moon.usersys.redhat.com>	
	<470A40F7.5020601@redhat.com>
	<1191854896.14966.96.camel@localhost.localdomain>
Message-ID: <470A459A.1010403@redhat.com>

Simo Sorce wrote:
> On Mon, 2007-10-08 at 10:38 -0400, Rob Crittenden wrote:
>> Kevin McCarthy wrote:
>>> I wanted to put on the list to review threading issues.  Now that
>>> we're using TG in a mod_proxy setting, we have to be concerned about
>>> threading issues.
>>>
>>> Right now, the web gui is (incorrectly) allocating a shared IPAServer
>>> object (by allocating a shared IPAClient).  Unfortunately there are two
>>> issues here:
>>>
>>> 1) The self.princ and self.krbccache are being set on each request -
>>>    which obviously won't work with multiple threads
>>>
>>> 2) The IPAConnPool isn't using locks around self.freelist
>>>
>>> The first change that has to happen is the web gui should allocate an
>>> IPAClient for each request (I'll make that change).
>>>
>>> However, this loses any connection pool benefits.  To fix this, we could
>>> separate IPAConnPool from IPAServer and implement Locks at the right
>>> places.
>>>
>>> Any opinions?
>>>
>>> -Kevin
>> It isn't really doing connection pooling anymore. Each connection is 
>> created/torn down for each API call. The pooling was done when we were 
>> binding using the SSL cert and using proxying.
> 
> Yeah I saw this in my mod_auth_kerb debug session now that I think of
> it.
> 
>> We can't do pooling with kerberos because the credentials cache will 
>> disappear when the current HTTP request is finished.
> 
> I find this contradictory, connection pooling usually means you keep
> around an authenticated connection open. All you need to do is to keep
> around information about the connection (the principal that opened it)
> and reuse that if it matches.
> Is there a problem keeping around connections with our current code?
>

Don't be confused by the term pooling. As I said, I added that when we 
punted on doing ticket forwarding. Prior to that it was one operation, 
one connection.

Ok, now that I think about it further I suppose that since we are 
already authorized the ccache is probably not necessary to close the 
connection. It just seems wierd to have the keys taken away :-)

The problem keeping the connections around were outlined by Kevin. 
Basically there is no locking. I mentioned at the time that this code 
was lacking in many ways, it is just now time to pay the piper.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071008/25f5711d/attachment.bin>

From kmccarth at redhat.com  Mon Oct  8 15:15:50 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 8 Oct 2007 08:15:50 -0700
Subject: [Freeipa-devel] threading issues
In-Reply-To: <470A40F7.5020601@redhat.com>
References: <20071005234055.GI14918@moon.usersys.redhat.com>
	<470A40F7.5020601@redhat.com>
Message-ID: <20071008151550.GA3595@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> I wanted to put on the list to review threading issues.  Now that
>> we're using TG in a mod_proxy setting, we have to be concerned about
>> threading issues.
>> Right now, the web gui is (incorrectly) allocating a shared IPAServer
>> object (by allocating a shared IPAClient).  Unfortunately there are two
>> issues here:
>> 1) The self.princ and self.krbccache are being set on each request -
>>    which obviously won't work with multiple threads
>> 2) The IPAConnPool isn't using locks around self.freelist
>> The first change that has to happen is the web gui should allocate an
>> IPAClient for each request (I'll make that change).
>> However, this loses any connection pool benefits.  To fix this, we could
>> separate IPAConnPool from IPAServer and implement Locks at the right
>> places.
>> Any opinions?
>> -Kevin
>
> It isn't really doing connection pooling anymore. Each connection is 
> created/torn down for each API call. The pooling was done when we were 
> binding using the SSL cert and using proxying.
>
> We can't do pooling with kerberos because the credentials cache will 
> disappear when the current HTTP request is finished.

Okay, I'm glad I asked.  I will fix the webgui code for now.  If we
think of a clever way to reuse connections later we can bring it up
then.

Thanks,

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071008/ad2e1487/attachment.bin>

From kmacmill at redhat.com  Mon Oct  8 15:21:24 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 08 Oct 2007 11:21:24 -0400
Subject: [Freeipa-devel] [PATCH] don't append values multiple times to
	configuration files
In-Reply-To: <939dd5750710051240u387346d2s8acc3f327718b291@mail.gmail.com>
References: <939dd5750710031753m3a03f970we42f2c154552cc57@mail.gmail.com>
	<4704EA55.5030505@redhat.com>
	<939dd5750710051240u387346d2s8acc3f327718b291@mail.gmail.com>
Message-ID: <1191856884.4057.5.camel@localhost.localdomain>

On Fri, 2007-10-05 at 15:40 -0400, William Jon McCann wrote:
> On 10/4/07, Rob Crittenden <rcritten at redhat.com> wrote:
> > William Jon McCann wrote:
> > > Hi,
> > >
> > > After playing with the install (repeatedly) I ended up with a lot of
> > > duplicate values in:
> > > /etc/sysconfig/dirsrv
> > > /etc/sysconfig/ipa-kpasswd
> > >
> > > Here is a patch that should fix this.  It modifies the file "in-place"
> > > and removes lines that matching the key (or commented key) and then
> > > appends the new key=value.
> > >
> > > Jon
> >
> > Cool, I've wanted to fix this for a while (and recently aborted a switch
> > from open with "a" to "w").
> >
> > What happens if the file doesn't exist yet? Do we need to wrap the
> > fileinput loop in either a try/except or just look to see if the file
> > exists first (my vote)?
> >
> > Something like:
> >
> > def update_key_val_in_file(filename, key, val):
> >      if os.path.exists(filename):
> >          pattern = "^[\s#]*%s\s*=" % re.escape(key)
> >          p = re.compile(pattern)
> >          for line in fileinput.input(filename, inplace=1):
> >              if not p.search(line):
> >                  sys.stdout.write(line)
> >          fileinput.close()
> >      f = open(filename, "a")
> >      f.write("%s=%s\n" % (key, val))
> >      f.close()
> 
> Good point.  In genera,l I prefer doing a try because it is a little
> less racy but in this case it doesn't make a difference.
> 
> Updated patch attached.
> 
> Thanks,
> Jon

Pushed.

Karl



From ssorce at redhat.com  Mon Oct  8 15:31:59 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 08 Oct 2007 11:31:59 -0400
Subject: [Freeipa-devel] threading issues
In-Reply-To: <470A459A.1010403@redhat.com>
References: <20071005234055.GI14918@moon.usersys.redhat.com>
	<470A40F7.5020601@redhat.com>
	<1191854896.14966.96.camel@localhost.localdomain>
	<470A459A.1010403@redhat.com>
Message-ID: <1191857519.14966.100.camel@localhost.localdomain>

On Mon, 2007-10-08 at 10:58 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Mon, 2007-10-08 at 10:38 -0400, Rob Crittenden wrote:
> >> Kevin McCarthy wrote:
> >>> I wanted to put on the list to review threading issues.  Now that
> >>> we're using TG in a mod_proxy setting, we have to be concerned about
> >>> threading issues.
> >>>
> >>> Right now, the web gui is (incorrectly) allocating a shared IPAServer
> >>> object (by allocating a shared IPAClient).  Unfortunately there are two
> >>> issues here:
> >>>
> >>> 1) The self.princ and self.krbccache are being set on each request -
> >>>    which obviously won't work with multiple threads
> >>>
> >>> 2) The IPAConnPool isn't using locks around self.freelist
> >>>
> >>> The first change that has to happen is the web gui should allocate an
> >>> IPAClient for each request (I'll make that change).
> >>>
> >>> However, this loses any connection pool benefits.  To fix this, we could
> >>> separate IPAConnPool from IPAServer and implement Locks at the right
> >>> places.
> >>>
> >>> Any opinions?
> >>>
> >>> -Kevin
> >> It isn't really doing connection pooling anymore. Each connection is 
> >> created/torn down for each API call. The pooling was done when we were 
> >> binding using the SSL cert and using proxying.
> > 
> > Yeah I saw this in my mod_auth_kerb debug session now that I think of
> > it.
> > 
> >> We can't do pooling with kerberos because the credentials cache will 
> >> disappear when the current HTTP request is finished.
> > 
> > I find this contradictory, connection pooling usually means you keep
> > around an authenticated connection open. All you need to do is to keep
> > around information about the connection (the principal that opened it)
> > and reuse that if it matches.
> > Is there a problem keeping around connections with our current code?
> >
> 
> Don't be confused by the term pooling. As I said, I added that when we 
> punted on doing ticket forwarding. Prior to that it was one operation, 
> one connection.
> 
> Ok, now that I think about it further I suppose that since we are 
> already authorized the ccache is probably not necessary to close the 
> connection. It just seems wierd to have the keys taken away :-)

Does not need to be that way though, we can easily keep them around in a
cc file, just copy the CCache file somewhere else, maybe named after the
principal name. Just lets make sure it is removed when the connection
closes and that it is updated when a user re-authenticates.

> The problem keeping the connections around were outlined by Kevin. 
> Basically there is no locking. I mentioned at the time that this code 
> was lacking in many ways, it is just now time to pay the piper.

Yep when you do connection pooling you have to implement locking
mechanisms indeed.

Simo.



From kmacmill at redhat.com  Mon Oct  8 15:33:57 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 08 Oct 2007 11:33:57 -0400
Subject: [Freeipa-devel] Move of hg to fedoraproject.org
Message-ID: <1191857637.4057.12.camel@localhost.localdomain>

We now have a trac instance as part of the fedoraproject hosted
infrastructure and have moved the hg repo as well to get trac
integration.

For all committers - please send me your fedora account name so that I
can add you to the correct groups. You will also need to have the ssh
key you used to create your account available to do commits.

The urls are below:

Commits/non-anon checkout: ssh://hg.fedoraproject.org//hg/hosted/freeipa
anon checkout: http://hg.fedoraproject.org/hg/hosted/freeipa
trac instance: https://hosted.fedoraproject.org/projects/freeipa/

Please start adding tasks as tickets, particularly anything you want to
see in milestone-5. I've modified http://freeipa.org/page/Contribute to
be correct.

Karl



From kmccarth at redhat.com  Mon Oct  8 15:44:49 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 8 Oct 2007 08:44:49 -0700
Subject: [Freeipa-devel] [PATCH] fix for IE
In-Reply-To: <4706AA9C.3050308@redhat.com>
References: <20071005205516.GF14918@moon.usersys.redhat.com>
	<4706AA9C.3050308@redhat.com>
Message-ID: <20071008154449.GC3595@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> Small fix so IE is happy.  Not that I care or anything ;-)
>> -Kevin
>>
>
> Looks ok.

pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071008/cef24938/attachment.bin>

From kmacmill at redhat.com  Mon Oct  8 16:10:47 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 08 Oct 2007 12:10:47 -0400
Subject: [Freeipa-devel] Move of hg to fedoraproject.org
In-Reply-To: <1191857637.4057.12.camel@localhost.localdomain>
References: <1191857637.4057.12.camel@localhost.localdomain>
Message-ID: <1191859847.4057.40.camel@localhost.localdomain>

On Mon, 2007-10-08 at 11:33 -0400, Karl MacMillan wrote:
> We now have a trac instance as part of the fedoraproject hosted
> infrastructure and have moved the hg repo as well to get trac
> integration.
> 
> For all committers - please send me your fedora account name so that I
> can add you to the correct groups. You will also need to have the ssh
> key you used to create your account available to do commits.
> 
> The urls are below:
> 
> Commits/non-anon checkout: ssh://hg.fedoraproject.org//hg/hosted/freeipa
> anon checkout: http://hg.fedoraproject.org/hg/hosted/freeipa
> trac instance: https://hosted.fedoraproject.org/projects/freeipa/
> 
> Please start adding tasks as tickets, particularly anything you want to
> see in milestone-5. I've modified http://freeipa.org/page/Contribute to
> be correct.
> 

BTW - you can simply edit .hg/hgrc in an existing repo to switch to the
new locations. No need to do a new checkout at all.

Karl




From kmccarth at redhat.com  Mon Oct  8 16:23:48 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 8 Oct 2007 09:23:48 -0700
Subject: [Freeipa-devel] [PATCH] small group fixes
Message-ID: <20071008162347.GD3595@moon.usersys.redhat.com>

Missed submitting this patch, so sending it before I send the IPAClient
fixes patch.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1191860523 25200
# Node ID 7ee0841d54cf9bd415c1429891c2676a4177e716
# Parent  8a6b70b1ba1adb37bfdced6b2f6607efc9acaaff
Small group fixes: remove index, change to use hidden_fields (like UserFields)

diff -r 8a6b70b1ba1a -r 7ee0841d54cf ipa-server/ipa-gui/ipagui/forms/group.py
--- a/ipa-server/ipa-gui/ipagui/forms/group.py	Mon Oct 08 09:18:44 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/forms/group.py	Mon Oct 08 09:22:03 2007 -0700
@@ -21,8 +21,9 @@ class GroupNewForm(widgets.Form):
 class GroupNewForm(widgets.Form):
     params = ['group']
 
-    fields = [GroupFields.cn, GroupFields.description,
-              GroupFields.dn_to_info_json]
+    hidden_fields = [
+      GroupFields.dn_to_info_json
+    ]
 
     validator = GroupNewValidator()
 
@@ -46,10 +47,11 @@ class GroupEditForm(widgets.Form):
 class GroupEditForm(widgets.Form):
     params = ['members', 'group']
 
-    fields = [GroupFields.gidnumber, GroupFields.description,
-              GroupFields.cn_hidden, GroupFields.editprotected_hidden,
-              GroupFields.group_orig, GroupFields.member_data,
-              GroupFields.dn_to_info_json]
+    hidden_fields = [
+      GroupFields.cn_hidden, GroupFields.editprotected_hidden,
+      GroupFields.group_orig, GroupFields.member_data,
+      GroupFields.dn_to_info_json
+    ]
 
     validator = GroupEditValidator()
 
diff -r 8a6b70b1ba1a -r 7ee0841d54cf ipa-server/ipa-gui/ipagui/subcontrollers/group.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py	Mon Oct 08 09:18:44 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py	Mon Oct 08 09:22:03 2007 -0700
@@ -33,11 +33,10 @@ class GroupController(IPAController):
     # Group #
     #########
 
-    @expose("ipagui.templates.groupindex")
+    @expose()
     @identity.require(identity.not_anonymous())
     def index(self, tg_errors=None):
-        client.set_krbccache(os.environ["KRB5CCNAME"])
-        return dict()
+        raise turbogears.redirect("/group/list")
 
     @expose("ipagui.templates.groupnew")
     @identity.require(identity.not_anonymous())
diff -r 8a6b70b1ba1a -r 7ee0841d54cf ipa-server/ipa-gui/ipagui/templates/groupindex.kid
--- a/ipa-server/ipa-gui/ipagui/templates/groupindex.kid	Mon Oct 08 09:18:44 2007 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,11 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" xmlns:py="http://purl.org/kid/ns#"
-    py:extends="'grouplayout.kid'">
-<head>
-<meta content="text/html; charset=utf-8" http-equiv="Content-Type" py:replace="''"/>
-<title>Group Listing</title>
-</head>
-<body>
-       Groups go here.
-</body>
-</html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071008/84039c30/attachment.bin>

From kmccarth at redhat.com  Mon Oct  8 16:56:03 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 8 Oct 2007 09:56:03 -0700
Subject: [Freeipa-devel] [PATCH] fix webgui IPAClient allocation
Message-ID: <20071008165603.GE3595@moon.usersys.redhat.com>

This patch fixes the web gui to allocate a new IPAClient for each
request.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1191862453 25200
# Node ID 5e8d5f4ee0d9b10a5d9489a60a8b0a8ec9c4c4d0
# Parent  7ee0841d54cf9bd415c1429891c2676a4177e716
Fix the webgui to allocate a new IPAClient for each request.

diff -r 7ee0841d54cf -r 5e8d5f4ee0d9 ipa-server/ipa-gui/ipagui/subcontrollers/group.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py	Mon Oct 08 09:22:03 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py	Mon Oct 08 09:54:13 2007 -0700
@@ -1,4 +1,3 @@ import os
-import os
 from pickle import dumps, loads
 from base64 import b64encode, b64decode
 
@@ -12,15 +11,11 @@ from turbogears import identity
 
 from ipacontroller import IPAController
 import ipa.config
-import ipa.ipaclient
 import ipa.group
 from ipa.entity import utf8_encode_values
 from ipa import ipaerror
 import ipagui.forms.group
 
-ipa.config.init_config()
-client = ipa.ipaclient.IPAClient(True)
-
 group_new_form = ipagui.forms.group.GroupNewForm()
 group_edit_form = ipagui.forms.group.GroupEditForm()
 
@@ -45,7 +40,7 @@ class GroupController(IPAController):
         if tg_errors:
             turbogears.flash("There was a problem with the form!")
 
-        client.set_krbccache(os.environ["KRB5CCNAME"])
+        client = self.get_ipaclient()
 
         return dict(form=group_new_form, group={})
 
@@ -54,7 +49,7 @@ class GroupController(IPAController):
     def create(self, **kw):
         """Creates a new group"""
         self.restrict_post()
-        client.set_krbccache(os.environ["KRB5CCNAME"])
+        client = self.get_ipaclient()
 
         if kw.get('submit') == 'Cancel':
             turbogears.flash("Add group cancelled")
@@ -135,7 +130,8 @@ class GroupController(IPAController):
     def edit_search(self, **kw):
         """Searches for users+groups and displays list of results in a table.
            This method is used for the ajax search on the group edit page."""
-        client.set_krbccache(os.environ["KRB5CCNAME"])
+        client = self.get_ipaclient()
+
         users = []
         groups = []
         counter = 0
@@ -170,7 +166,8 @@ class GroupController(IPAController):
         if tg_errors:
             turbogears.flash("There was a problem with the form!")
 
-        client.set_krbccache(os.environ["KRB5CCNAME"])
+        client = self.get_ipaclient()
+
         try:
             group = client.get_group_by_cn(cn, group_fields)
 
@@ -216,7 +213,8 @@ class GroupController(IPAController):
     def update(self, **kw):
         """Updates an existing group"""
         self.restrict_post()
-        client.set_krbccache(os.environ["KRB5CCNAME"])
+        client = self.get_ipaclient()
+
         if kw.get('submit') == 'Cancel Edit':
             turbogears.flash("Edit group cancelled")
             raise turbogears.redirect('/group/show', cn=kw.get('cn'))
@@ -321,7 +319,8 @@ class GroupController(IPAController):
     @identity.require(identity.not_anonymous())
     def list(self, **kw):
         """Search for groups and display results"""
-        client.set_krbccache(os.environ["KRB5CCNAME"])
+        client = self.get_ipaclient()
+
         groups = None
         # counter = 0
         criteria = kw.get('criteria')
@@ -344,7 +343,8 @@ class GroupController(IPAController):
     @identity.require(identity.not_anonymous())
     def show(self, cn):
         """Retrieve a single group for display"""
-        client.set_krbccache(os.environ["KRB5CCNAME"])
+        client = self.get_ipaclient()
+
         try:
             group = client.get_group_by_cn(cn, group_fields)
             group_dict = group.toDict()
diff -r 7ee0841d54cf -r 5e8d5f4ee0d9 ipa-server/ipa-gui/ipagui/subcontrollers/ipacontroller.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/ipacontroller.py	Mon Oct 08 09:22:03 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/ipacontroller.py	Mon Oct 08 09:54:13 2007 -0700
@@ -1,3 +1,5 @@ import cherrypy
+import os
+
 import cherrypy
 import turbogears
 from turbogears import controllers, expose, flash
@@ -6,11 +8,21 @@ from turbogears import error_handler
 from turbogears import error_handler
 from turbogears import identity
 
+import ipa.ipaclient
+import ipa.config
+
+ipa.config.init_config()
+
 class IPAController(controllers.Controller):
     def restrict_post(self):
         if cherrypy.request.method != "POST":
             turbogears.flash("This method only accepts posts")
             raise turbogears.redirect("/")
+
+    def get_ipaclient(self):
+        client = ipa.ipaclient.IPAClient(True)
+        client.set_krbccache(os.environ["KRB5CCNAME"])
+        return client
 
     def utf8_encode(self, value):
         if value != None:
diff -r 7ee0841d54cf -r 5e8d5f4ee0d9 ipa-server/ipa-gui/ipagui/subcontrollers/user.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py	Mon Oct 08 09:22:03 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py	Mon Oct 08 09:54:13 2007 -0700
@@ -1,4 +1,3 @@ import os
-import os
 import re
 import random
 from pickle import dumps, loads
@@ -13,16 +12,11 @@ from turbogears import identity
 from turbogears import identity
 
 from ipacontroller import IPAController
-import ipa.config
-import ipa.ipaclient
 import ipa.user
 from ipa.entity import utf8_encode_values
 from ipa import ipaerror
 import ipagui.forms.user
 
-ipa.config.init_config()
-client = ipa.ipaclient.IPAClient(True)
-
 password_chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
 
 user_new_form = ipagui.forms.user.UserNewForm()
@@ -50,7 +44,8 @@ class UserController(IPAController):
     def create(self, **kw):
         """Creates a new user"""
         self.restrict_post()
-        client.set_krbccache(os.environ["KRB5CCNAME"])
+        client = self.get_ipaclient()
+
         if kw.get('submit') == 'Cancel':
             turbogears.flash("Add user cancelled")
             raise turbogears.redirect('/user/list')
@@ -171,7 +166,8 @@ class UserController(IPAController):
     def edit_search(self, **kw):
         """Searches for groups and displays list of results in a table.
            This method is used for the ajax search on the user edit page."""
-        client.set_krbccache(os.environ["KRB5CCNAME"])
+        client = self.get_ipaclient()
+
         groups = []
         groups_counter = 0
         searchlimit = 100
@@ -196,7 +192,8 @@ class UserController(IPAController):
         if tg_errors:
             turbogears.flash("There was a problem with the form!")
 
-        client.set_krbccache(os.environ["KRB5CCNAME"])
+        client = self.get_ipaclient()
+
         try:
             user = client.get_user_by_uid(uid, user_fields)
             user_dict = user.toDict()
@@ -225,7 +222,8 @@ class UserController(IPAController):
     def update(self, **kw):
         """Updates an existing user"""
         self.restrict_post()
-        client.set_krbccache(os.environ["KRB5CCNAME"])
+        client = self.get_ipaclient()
+
         if kw.get('submit') == 'Cancel Edit':
             turbogears.flash("Edit user cancelled")
             raise turbogears.redirect('/user/show', uid=kw.get('uid'))
@@ -376,7 +374,8 @@ class UserController(IPAController):
     @identity.require(identity.not_anonymous())
     def list(self, **kw):
         """Searches for users and displays list of results"""
-        client.set_krbccache(os.environ["KRB5CCNAME"])
+        client = self.get_ipaclient()
+
         users = None
         counter = 0
         uid = kw.get('uid')
@@ -399,7 +398,8 @@ class UserController(IPAController):
     @identity.require(identity.not_anonymous())
     def show(self, uid):
         """Retrieve a single user for display"""
-        client.set_krbccache(os.environ["KRB5CCNAME"])
+        client = self.get_ipaclient()
+
         try:
             user = client.get_user_by_uid(uid, user_fields)
             user_groups = client.get_groups_by_member(user.dn, ['cn'])
@@ -453,7 +453,8 @@ class UserController(IPAController):
         if (len(givenname) == 0) or (len(sn) == 0):
             return ""
 
-        client.set_krbccache(os.environ["KRB5CCNAME"])
+        client = self.get_ipaclient()
+
         givenname = givenname.lower()
         sn = sn.lower()
 
@@ -503,7 +504,8 @@ class UserController(IPAController):
         if (len(givenname) == 0) or (len(sn) == 0):
             return ""
 
-        client.set_krbccache(os.environ["KRB5CCNAME"])
+        client = self.get_ipaclient()
+
         givenname = givenname.lower()
         sn = sn.lower()
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071008/a69728fc/attachment.bin>

From rcritten at redhat.com  Mon Oct  8 17:02:28 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 08 Oct 2007 13:02:28 -0400
Subject: [Freeipa-devel] [PATCH] fix webgui IPAClient allocation
In-Reply-To: <20071008165603.GE3595@moon.usersys.redhat.com>
References: <20071008165603.GE3595@moon.usersys.redhat.com>
Message-ID: <470A62A4.50002@redhat.com>

Kevin McCarthy wrote:
> This patch fixes the web gui to allocate a new IPAClient for each
> request.
> 
> -Kevin

Kevin, is it possible to create the client in the Identity system? Would 
  that be any easier/better?

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071008/9c750764/attachment.bin>

From kmccarth at redhat.com  Mon Oct  8 17:18:55 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 8 Oct 2007 10:18:55 -0700
Subject: [Freeipa-devel] [PATCH] fix webgui IPAClient allocation
In-Reply-To: <470A62A4.50002@redhat.com>
References: <20071008165603.GE3595@moon.usersys.redhat.com>
	<470A62A4.50002@redhat.com>
Message-ID: <20071008171855.GF3595@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> This patch fixes the web gui to allocate a new IPAClient for each
>> request.
>> -Kevin
>
> Kevin, is it possible to create the client in the Identity system? Would  
> that be any easier/better?

Hmmm... don't know.  I never quite dug into understanding the identity
code yet.  The patch involved as-is is pretty simple, and makes it
obvious what's going on, so I don't know if it's worth the effort to
work it into the identity code.

Of course, if you have a cool idea, I'm all eyes.

-Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071008/ecb077cc/attachment.bin>

From rcritten at redhat.com  Mon Oct  8 20:21:37 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 08 Oct 2007 16:21:37 -0400
Subject: [Freeipa-devel] [PATCH] new LDAP connection pool
Message-ID: <470A9151.3030002@redhat.com>

The old connection pool lacked locking and would iterate over the entire 
list for each request.

I've changed it to use a dict of connections keyed on principal.

There is a separate list keyed on principal that holds the order of the 
entries.

When an entry is requested it looks for it in the dictionary and if 
found, pops it off the list too.

When finished, it creates a new dict entry for it then appends it to the 
end of the list (so it is the most recently used).

If we ever have a full list, just pop element 0 as it is the LRU.

Remember that Apache is running multi-process so each process will have 
its own connection cache. This limits the effectiveness of the pooling 
but I suspect that with the GUI it will help somewhat.

This is the reason I've gone with a fairly conservative value for the 
max number of entries at 128.

It seems fairly weak in terms of catching possible errors. Some 
suggestions would be helpful. I don't think it can blow up and leave a 
hanging lock, so it won't hork the server. I also don't want to go 
overboard and put try/except around every call (or should I?)

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-253-pool.patch
Type: text/x-patch
Size: 5313 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071008/ab8f2627/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071008/ab8f2627/attachment-0001.bin>

From kmccarth at redhat.com  Mon Oct  8 20:34:03 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 8 Oct 2007 13:34:03 -0700
Subject: [Freeipa-devel] [PATCH] fix modlist order
Message-ID: <20071008203402.GG3595@moon.usersys.redhat.com>

This fixes Trac ticket 8.  It turns out the order in the modlist is
important - DELETE's need to come before ADDs or else case-changing
operations fail.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1191875741 25200
# Node ID 5ca8f3c477ab3010f6e5d0ee9844ebdc8c2c51d9
# Parent  730cacd8020a6ebfb6203def05cb3a012b8f5ef0
DELETEs have to come first, in order for "case change" operations to work.

diff -r 730cacd8020a -r 5ca8f3c477ab ipa-server/ipaserver/ipaldap.py
--- a/ipa-server/ipaserver/ipaldap.py	Mon Oct 08 10:32:54 2007 -0700
+++ b/ipa-server/ipaserver/ipaldap.py	Mon Oct 08 13:35:41 2007 -0700
@@ -428,10 +428,10 @@ class IPAdmin(SimpleLDAPObject):
             adds = list(new_values.difference(old_values))
             removes = list(old_values.difference(new_values))
 
+            if len(removes) > 0:
+                modlist.append((ldap.MOD_DELETE, key, removes))
             if len(adds) > 0:
                 modlist.append((ldap.MOD_ADD, key, adds))
-            if len(removes) > 0:
-                modlist.append((ldap.MOD_DELETE, key, removes))
 
         return modlist
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071008/12428993/attachment.bin>

From kmccarth at redhat.com  Mon Oct  8 21:14:33 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 8 Oct 2007 14:14:33 -0700
Subject: [Freeipa-devel] [PATCH] new LDAP connection pool
In-Reply-To: <470A9151.3030002@redhat.com>
References: <470A9151.3030002@redhat.com>
Message-ID: <20071008211433.GH3595@moon.usersys.redhat.com>

Rob Crittenden wrote:
> The old connection pool lacked locking and would iterate over the entire 
> list for each request.

The idea looks good to me.  I think Simo/Pete/Karl should take a closer
look though since this is pretty important code.

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071008/be6fcd55/attachment.bin>

From prowley at redhat.com  Mon Oct  8 22:31:23 2007
From: prowley at redhat.com (Pete Rowley)
Date: Mon, 08 Oct 2007 15:31:23 -0700
Subject: [Freeipa-devel] [PATCH] new LDAP connection pool
In-Reply-To: <470A9151.3030002@redhat.com>
References: <470A9151.3030002@redhat.com>
Message-ID: <470AAFBB.7000009@redhat.com>

Rob Crittenden wrote:

ok

> The old connection pool lacked locking and would iterate over the 
> entire list for each request.
>
> I've changed it to use a dict of connections keyed on principal.
>
> There is a separate list keyed on principal that holds the order of 
> the entries.
>
> When an entry is requested it looks for it in the dictionary and if 
> found, pops it off the list too.
>
> When finished, it creates a new dict entry for it then appends it to 
> the end of the list (so it is the most recently used).
>
> If we ever have a full list, just pop element 0 as it is the LRU.
>
> Remember that Apache is running multi-process so each process will 
> have its own connection cache. This limits the effectiveness of the 
> pooling but I suspect that with the GUI it will help somewhat.
>
> This is the reason I've gone with a fairly conservative value for the 
> max number of entries at 128.
>
> It seems fairly weak in terms of catching possible errors. Some 
> suggestions would be helpful. I don't think it can blow up and leave a 
> hanging lock, so it won't hork the server. I also don't want to go 
> overboard and put try/except around every call (or should I?)
>
> rob
> ------------------------------------------------------------------------
>
> # HG changeset patch
> # User Rob Crittenden <rcritten at redhat.com>
> # Date 1191874718 14400
> # Node ID dd67f3ae267949f4fc30493448cbd66a566766e3
> # Parent  1f5fc351120318e56161cf2327b46f62a6a98f18
> New LDAP connection pool that does locking
>
> diff -r 1f5fc3511203 -r dd67f3ae2679 ipa-server/ipaserver/ipaldap.py
> --- a/ipa-server/ipaserver/ipaldap.py	Fri Oct 05 13:59:04 2007 -0700
> +++ b/ipa-server/ipaserver/ipaldap.py	Mon Oct 08 16:18:38 2007 -0400
> @@ -265,10 +265,11 @@ class IPAdmin(SimpleLDAPObject):
>      def set_proxydn(self, proxydn):
>          self.proxydn = proxydn
>  
> -    def set_krbccache(self, krbccache):
> +    def set_krbccache(self, krbccache, principal):
>          if krbccache is not None:
>              os.environ["KRB5CCNAME"] = krbccache
>              self.sasl_interactive_bind_s("", sasl_auth)
> +            self.principal = principal
>          self.proxydn = None
>  
>      def getEntry(self,*args):
> diff -r 1f5fc3511203 -r dd67f3ae2679 ipa-server/xmlrpc-server/funcs.py
> --- a/ipa-server/xmlrpc-server/funcs.py	Fri Oct 05 13:59:04 2007 -0700
> +++ b/ipa-server/xmlrpc-server/funcs.py	Mon Oct 08 16:18:38 2007 -0400
> @@ -34,6 +34,11 @@ import os
>  import os
>  import re
>  
> +try:
> +    from threading import Lock
> +except ImportError:
> +    from dummy_threading import Lock
> +
>  # Need a global to store this between requests
>  _LDAPPool = None
>  
> @@ -45,35 +50,68 @@ DefaultGroupContainer = "cn=groups,cn=ac
>  # connection. This could theoretically drive the total number of connections
>  # very high but since this represents just the administrative interface
>  # this is not anticipated.
> +#
> +# The pool consists of two things, a dictionary keyed on the principal name
> +# that contains the connection and a list that is used to keep track of the
> +# order. If the list fills up just pop the top entry off and you've got
> +# the least recently used.
> +
> +# maxsize = 0 means no limit
>  class IPAConnPool:
> -    def __init__(self):
> -        self.freelist = []
> -
> -    def getConn(self, host, port, bindca, bindcert, bindkey, proxydn=None, krbccache=None, debug=None):
> +    def __init__(self, maxsize = 0):
> +        self._dict = {}
> +        self._lru = []
> +        self._lock = Lock()
> +        self._maxsize = maxsize
> +        self._ctx = krbV.default_context()
> +
> +    def getConn(self, host, port, krbccache=None, debug=None):
>          conn = None
> -        if len(self.freelist) > 0:
> -            for i in range(len(self.freelist)):
> -                c = self.freelist[i]
> -                if ((c.host == host) and (c.port == port)):
> -                    conn = self.freelist.pop(i)
> -                    break
> -        if conn is None:
> -            conn = ipaserver.ipaldap.IPAdmin(host,port,bindca,bindcert,bindkey,None,debug)
> -        if proxydn is not None:
> -            conn.set_proxydn(proxydn)
> -        else:
> -            conn.set_krbccache(krbccache)
> +        ccache = krbV.CCache(name=krbccache, context=self._ctx)
> +        cprinc = ccache.principal()
> +        self._lock.acquire()
> +        try:
> +            try:
> +                conn = self._dict[cprinc.name]
> +                del self._dict[cprinc.name]
> +                self._lru.remove(cprinc.name)
> +            except KeyError:
> +                conn = ipaserver.ipaldap.IPAdmin(host,port,None,None,None,debug)
> +                conn.set_krbccache(krbccache, cprinc.name)
> +        finally:
> +            self._lock.release()
> +
>          return conn
>  
>      def releaseConn(self, conn):
>          if conn is None:
>              return
> -        # We can't re-use SASL connections. If proxydn is None it means
> -        # we have a Kerberos credentials cache set. See ipaldap.set_krbccache
> -        if conn.proxydn is None:
> -            conn.unbind_s()
> -        else:
> -            self.freelist.append(conn)
> +
> +        cprinc = conn.principal
> +
> +        self._lock.acquire()
> +        try:
> +
> +            # Look to see if we are already on the list from another source and
> +            # if so, remove it.
> +            try:
> +                c = self._dict[cprinc]
> +                del self._dict[cprinc]
> +                self._lru.remove(cprinc)
> +            except KeyError:
> +                # Not in the list
> +                pass
> +
> +            if self._maxsize and len(self._dict) > self._maxsize:
> +                princ = self._lru.pop(0)
> +                c = self._dict[princ]
> +                c.unbind_s()
> +                del self._dict[cprinc]
> +
> +            self._lru.append(cprinc)
> +            self._dict[cprinc] = conn
> +        finally:
> +            self._lock.release()
>  
>  class IPAServer:
>  
> @@ -90,7 +128,7 @@ class IPAServer:
>          self.realm = self.krbctx.default_realm
>  
>          if _LDAPPool is None:
> -            _LDAPPool = IPAConnPool()
> +            _LDAPPool = IPAConnPool(128)
>          self.basedn = ipa.ipautil.realm_to_suffix(self.realm)
>          self.scope = ldap.SCOPE_SUBTREE
>          self.princ = None
> @@ -169,7 +207,7 @@ class IPAServer:
>              raise ipaerror.gen_exception(ipaerror.CONNECTION_NO_CCACHE)
>  
>          try:
> -            conn = _LDAPPool.getConn(self.host,port,bindca,bindcert,bindkey,proxy_dn,krbccache,debug)
> +            conn = _LDAPPool.getConn(self.host,port,krbccache,debug)
>          except ldap.INVALID_CREDENTIALS, e:
>              raise ipaerror.gen_exception(ipaerror.CONNECTION_GSSAPI_CREDENTIALS, nested_exception=e)
>  
>   
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071008/324d6f74/attachment.bin>

From rcritten at redhat.com  Tue Oct  9 14:29:26 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Oct 2007 10:29:26 -0400
Subject: [Freeipa-devel] [PATCH] new LDAP connection pool
In-Reply-To: <470AAFBB.7000009@redhat.com>
References: <470A9151.3030002@redhat.com> <470AAFBB.7000009@redhat.com>
Message-ID: <470B9046.1010805@redhat.com>

Pete Rowley wrote:
> Rob Crittenden wrote:
> 
> ok

pushed

> 
>> The old connection pool lacked locking and would iterate over the 
>> entire list for each request.
>>
>> I've changed it to use a dict of connections keyed on principal.
>>
>> There is a separate list keyed on principal that holds the order of 
>> the entries.
>>
>> When an entry is requested it looks for it in the dictionary and if 
>> found, pops it off the list too.
>>
>> When finished, it creates a new dict entry for it then appends it to 
>> the end of the list (so it is the most recently used).
>>
>> If we ever have a full list, just pop element 0 as it is the LRU.
>>
>> Remember that Apache is running multi-process so each process will 
>> have its own connection cache. This limits the effectiveness of the 
>> pooling but I suspect that with the GUI it will help somewhat.
>>
>> This is the reason I've gone with a fairly conservative value for the 
>> max number of entries at 128.
>>
>> It seems fairly weak in terms of catching possible errors. Some 
>> suggestions would be helpful. I don't think it can blow up and leave a 
>> hanging lock, so it won't hork the server. I also don't want to go 
>> overboard and put try/except around every call (or should I?)
>>
>> rob


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071009/b488520a/attachment.bin>

From kmacmill at redhat.com  Tue Oct  9 15:12:17 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 09 Oct 2007 11:12:17 -0400
Subject: [Freeipa-devel] Policy in v2
Message-ID: <1191942737.23486.26.camel@dhcp-64-223.iad.redhat.com>

Made some notes on what we are going to do for policy in v2. Feedback
welcome.

http://freeipa.com/page/PolicyEnforcement

Karl



From kmacmill at redhat.com  Tue Oct  9 15:53:00 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 09 Oct 2007 11:53:00 -0400
Subject: [Freeipa-devel] initial quick setup docs
In-Reply-To: <4706A42C.1060100@redhat.com>
References: <4706A42C.1060100@redhat.com>
Message-ID: <1191945180.23486.35.camel@dhcp-64-223.iad.redhat.com>

On Fri, 2007-10-05 at 16:53 -0400, Rob Crittenden wrote:
> I hacked something up quickly on how to install IPA and some pitfalls to 
> avoid.
> 
> Please criticize away.
> 

I added this to the wiki at http://freeipa.com/page/QuickInstall - also
linked off of the download page.

Karl

> rob
> plain text document attachment (QuickInstall.txt)
> Introduction
> ------------
> 
> Some down and dirty instructions for installing freeIPA
> 
> Some things of note:
> 
> - IPA assumes that the system it is installing on is "new." It will overwrite
>   many files without prompting.
> - You cannot have any existing Fedora DS instances.
> - IPA wants the following TCP ports:
>         80, 443, 8080: HTTP/HTTPS
>         389, 636: LDAP/LDAPS
>         464: kpasswd
> 
>    And UDP ports:
>         88, 750: kerberos
> 
> I've tried to distinguish between commands to be run as root versus a regular
> user. Commands to be run as root are prefixed with # and user with $.
> 
> Installation
> ------------
>         
> Add the freeIPA yum repo:
> 
> # cd /etc/yum.repos.d; wget http://freeipa.com/downloads/freeipa-devel.repo
> 
> Install the server and tools with:
> 
> # yum install freeipa-server freeipa-admintools
> 
> This is going to install a slew of dependencies includuing TurboGears,
> fedora-ds-base and krb5-server. Approximiately 40 dependencies are required
> depending on what is already installed.
> 
> freeIPA requires a special mod_auth_kerb so Kerberos ticket forwarding
> works properly. Confirm that you have the right version installed:
> 
> # rpm -q mod_auth_kerb
> mod_auth_kerb-5.3-4.ipa
> 
> If it isn't this version (or higher) then remove the current on and re-install
> using:
> 
> # yum install mod_auth_kerb
> 
> It should pick it up from the freeipa-devel channel. If it doesn't you can
> download the package from http://freeipa.org/page/Downloads
> 
> Currently (10/4/07) the Fedora Directory Server can do SASL/GSSAPI
> authentication but you have to set an environment variable telling it
> where to find its keytab.  Use this patch to set that.
> 
> --- /etc/init.d/dirsrv.orig     2007-07-06 18:21:30.000000000 -0400
> +++ /etc/init.d/dirsrv          2007-05-18 19:36:24.000000000 -0400
> @@ -10,6 +10,9 @@
>  # datadir:     /var/lib/dirsrv/slapd-<instance name>
>  #
>  
> +# Get config.
> +[ -r /etc/sysconfig/dirsrv ] && . /etc/sysconfig/dirsrv
> +
>  # Source function library.
>  if [ -f /etc/rc.d/init.d/functions ] ; then
>  . /etc/rc.d/init.d/functions
> 
> Apply it with something like:
> 
> # patch -p0 < dirsrv.patch
> 
> Now you are ready to configure your IPA server:
> 
> # /usr/sbin/ipa-server-install
> 
> You can add -d to get a lot of debug output if desired.
> 
> Kerberos has very specific DNS requirements. Your Kerberos server needs to
> have a proper DNS A record and reverse DNS needs to work properly. Do not
> use CNAME or DDNS name, you'll regret it later.
> 
> BE PATIENT. It can take several minutes to get everything setup and
> configured.
> 
> >From now on I'll assume that you are using FREEIPA.ORG as your realm.
> 
> Note that the realm is used as the base DN in the directory instance, so 
> it will be dc=freeipa,dc=org.
> 
> If the installation fails or you want to re-run it then you need to do some
> cleanup first. You'll need to do the following:
> 
> # /etc/init.d/dirsrv stop
> # rm -rf /etc/dirsrv/slapd-* /var/log/dirsrv/slapd-* /var/run/dirsrv/slapd*
> # rm /etc/dirsrv/ds.keytab
> # rm /etc/httpd/conf/ipa.keytab
> 
> Once the installation is complete all of the services should be running.
> 
> $ kinit admin
> Password for admin at GREYOAK.COM: 
> $ /usr/sbin/ipa-finduser admin
> dn: uid=admin,cn=sysaccounts,cn=etc,dc=freeipa,dc=org
> homedirectory: /home/admin
> cn: Administrator
> uid: admin
> 
> Configuring your Browser
> ------------------------
> 
> Firefox can use your kerberos credentials for authentication but you need
> to tell it what is allowed and which domains you want to communicate with.
> 
> These instructions with screen shots can be found at:
> http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/sso-ov.html#sso-config-firefox
> 
> You need to set both network.negotiate-auth.delegation-uris and
> network.negotiate-auth.trusted-uris to your domain (e.g. example.com).
> 
> When things go wrong
> --------------------
> 
> The first thing to to is make sure Kerberos is working. You can test this
> with:
> 
> $ kinit admin
> Password for admin at GREYOAK.COM:
> 
> Ok, so you have a ticket now. Lets use it.
> 
> $ ldapsearch -Y GSSAPI -b "dc=freeipa,dc=org" uid=admin
> 
> If you get an error message like:
> 
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure.  Minor code may provide more information (No such file or directory)
> 
> It means that you did not apply the patch to /etc/init.d/dirsrv telling FDS
> where it can find its keytab.
> 
> If that works but the ipa-* tools do not, you should first enable debug output
> in Apache by editting /etc/httpd/conf/httpd.conf. Set LogLevel to debug and
> restart httpd (service httpd restart)
> 
> Other errors might include:
> 
> 1. Could not initialize GSSAPI: Unspecified GSS failure.  Minor code may provide
> more information/Server not found in Kerberos database
> 
> You may have multiple entries for the same host created by different KDCs.
> 
> A lot of common error messages can be looked up at
> http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/kerberos/troubleshooting.html
> 
> Use a browser on another system
> -------------------------------
> 
> To use a browser on another system that already has Kerberos setup for
> a different realm, you have to do a little bit of work.
> 
> Get a copy of /etc/krb5.conf from the freeIPA server and put it onto the
> client system.
> 
> Fire up an xterm and run:
> 
> $ export KRB5_CONFIG=/path/to/freeipa/krb5.conf
> $ kinit user at FREEIPA.ORG
> $ /usr/bin/firefox
> 
> You will need to configure the Firefox negotiate as describe in the
> Configuring your Browser section.
> 
> Now you should be able to connect to the freeIPA gui remotely.
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel



From kmacmill at redhat.com  Tue Oct  9 15:54:58 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 09 Oct 2007 11:54:58 -0400
Subject: [Freeipa-devel] more installer fixes
In-Reply-To: <939dd5750710051523s16f3f74et7f941a7951c7a34@mail.gmail.com>
References: <939dd5750710051523s16f3f74et7f941a7951c7a34@mail.gmail.com>
Message-ID: <1191945298.23486.37.camel@dhcp-64-223.iad.redhat.com>

On Fri, 2007-10-05 at 18:23 -0400, William Jon McCann wrote:
> Hi,
> 
> Here is another patch for the installer.  It does a few things:
> 
>  * use socket.getfqdn() but fallback to gethostname()
>  * streamlines the hostname prompting
>  * fixes a bunch of spelling and grammatical errors
>  * fixes a bug in the hostname reading/verification logic
>  * allows "yes" and "no" as answers
>  * modularizes and reuses code where possible
>  * changes some of the prompts to be more like
>    the FDS installer - some text is copied (which is easy to use IMO)
>  * tries to make the prompts fit on smaller screens (<80 chars)
> 
> Hope you agree that it is better.  :)
> 
> Thanks,
> Jon 

Acked and pushed.

Karl



From kmacmill at redhat.com  Tue Oct  9 15:55:44 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 09 Oct 2007 11:55:44 -0400
Subject: [Freeipa-devel] [PATCH] misc escaping issues
In-Reply-To: <20071005222826.GH14918@moon.usersys.redhat.com>
References: <20071005222826.GH14918@moon.usersys.redhat.com>
Message-ID: <1191945344.23486.39.camel@dhcp-64-223.iad.redhat.com>

On Fri, 2007-10-05 at 15:28 -0700, Kevin McCarthy wrote:
> This patch adds dn escaping when entries are created.
>  e.g. cn=Bob"s Group
> Also adds the null char to safe_filter.
> Lastly fixes a double escaping issues with dynamicedit.js
> 
> -Kevin

Acked and pushed.



From kmacmill at redhat.com  Tue Oct  9 15:57:17 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 09 Oct 2007 11:57:17 -0400
Subject: [Freeipa-devel] [PATCH] small group fixes
In-Reply-To: <20071008162347.GD3595@moon.usersys.redhat.com>
References: <20071008162347.GD3595@moon.usersys.redhat.com>
Message-ID: <1191945437.23486.41.camel@dhcp-64-223.iad.redhat.com>

On Mon, 2007-10-08 at 09:23 -0700, Kevin McCarthy wrote:
> Missed submitting this patch, so sending it before I send the IPAClient
> fixes patch.
> 
> -Kevin

Acked and pushed.



From kmacmill at redhat.com  Tue Oct  9 15:57:45 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 09 Oct 2007 11:57:45 -0400
Subject: [Freeipa-devel] [PATCH] fix webgui IPAClient allocation
In-Reply-To: <20071008171855.GF3595@moon.usersys.redhat.com>
References: <20071008165603.GE3595@moon.usersys.redhat.com>
	<470A62A4.50002@redhat.com>
	<20071008171855.GF3595@moon.usersys.redhat.com>
Message-ID: <1191945465.23486.43.camel@dhcp-64-223.iad.redhat.com>

On Mon, 2007-10-08 at 10:18 -0700, Kevin McCarthy wrote:
> Rob Crittenden wrote:
> > Kevin McCarthy wrote:
> >> This patch fixes the web gui to allocate a new IPAClient for each
> >> request.
> >> -Kevin
> >
> > Kevin, is it possible to create the client in the Identity system? Would  
> > that be any easier/better?
> 
> Hmmm... don't know.  I never quite dug into understanding the identity
> code yet.  The patch involved as-is is pretty simple, and makes it
> obvious what's going on, so I don't know if it's worth the effort to
> work it into the identity code.
> 
> Of course, if you have a cool idea, I'm all eyes.
> 

Where are we with this - should it be merged or is there another patch
coming?

Karl



From kmacmill at redhat.com  Tue Oct  9 15:58:25 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 09 Oct 2007 11:58:25 -0400
Subject: [Freeipa-devel] [PATCH] fix modlist order
In-Reply-To: <20071008203402.GG3595@moon.usersys.redhat.com>
References: <20071008203402.GG3595@moon.usersys.redhat.com>
Message-ID: <1191945505.23486.45.camel@dhcp-64-223.iad.redhat.com>

On Mon, 2007-10-08 at 13:34 -0700, Kevin McCarthy wrote:
> This fixes Trac ticket 8.  It turns out the order in the modlist is
> important - DELETE's need to come before ADDs or else case-changing
> operations fail.
> 

Acked and pushed.



From kmccarth at redhat.com  Tue Oct  9 16:25:26 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 9 Oct 2007 09:25:26 -0700
Subject: [Freeipa-devel] [PATCH] combine get_by_cn/dn calls
Message-ID: <20071009162526.GB23078@moon.usersys.redhat.com>

This patch combines get_group_by_dn and get_user_by_dn into
get_entry_by_dn.  It does the same for cn.

It also includes a few double-escaping fixes I somehow missed before.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1191947176 25200
# Node ID 9aeebc9d962e224bff3992a0ca2c804a792f992b
# Parent  ffa79b4eba033fa08babc4f61a4d9fc3ab5af7a8
Combine get_user/group by dn/cn into get_entry_by_cn/dn.
Also a couple double-escaping fixes I missed in the last patch.

diff -r ffa79b4eba03 -r 9aeebc9d962e ipa-admintools/ipa-groupmod
--- a/ipa-admintools/ipa-groupmod	Tue Oct 09 08:45:35 2007 -0700
+++ b/ipa-admintools/ipa-groupmod	Tue Oct 09 09:26:16 2007 -0700
@@ -56,7 +56,7 @@ def parse_options():
 
 def get_group(client, group_cn):
     try:
-        group = client.get_group_by_cn(group_cn)
+        group = client.get_entry_by_cn(group_cn)
     except ipa.ipaerror.IPAError, e:
         print "%s" % e.message
         return None
diff -r ffa79b4eba03 -r 9aeebc9d962e ipa-python/ipaclient.py
--- a/ipa-python/ipaclient.py	Tue Oct 09 08:45:35 2007 -0700
+++ b/ipa-python/ipaclient.py	Tue Oct 09 09:26:16 2007 -0700
@@ -26,6 +26,7 @@ if "/usr/share/ipa" not in sys.path:
 
 from ipaserver import funcs
 import ipa.rpcclient as rpcclient
+import entity
 import user
 import group
 import ipa
@@ -53,19 +54,28 @@ class IPAClient:
         if self.local:
             self.transport.set_krbccache(krbccache)
 
+# General searches
+
+    def get_entry_by_dn(self,dn,sattrs=None):
+        """Get a specific entry by dn. If sattrs is set then only those
+           attributes will be returned, otherwise all available attributes
+           are returned."""
+        result = self.transport.get_entry_by_dn(dn,sattrs)
+        return entity.Entity(result)
+
+    def get_entry_by_cn(self,cn,sattrs=None):
+        """Get a specific entry by cn. If sattrs is set then only those
+           attributes will be returned, otherwise all available attributes
+           are returned."""
+        result = self.transport.get_entry_by_cn(cn,sattrs)
+        return entity.Entity(result)
+
 # User support
     def get_user_by_uid(self,uid,sattrs=None):
         """Get a specific user by uid. If sattrs is set then only those
            attributes will be returned, otherwise all available attributes
            are returned."""
         result = self.transport.get_user_by_uid(uid,sattrs)
-        return user.User(result)
-
-    def get_user_by_dn(self,dn,sattrs=None):
-        """Get a specific user by dn. If sattrs is set then only those
-           attributes will be returned, otherwise all available attributes
-           are returned."""
-        result = self.transport.get_user_by_dn(dn,sattrs)
         return user.User(result)
 
     def get_user_by_principal(self,principal,sattrs=None):
@@ -154,20 +164,6 @@ class IPAClient:
 
 # Groups support
 
-    def get_group_by_cn(self,cn,sattrs=None):
-        """Get a specific group by cn. If sattrs is set then only those
-           attributes will be returned, otherwise all available attributes
-           are returned."""
-        result = self.transport.get_group_by_cn(cn,sattrs)
-        return group.Group(result)
-
-    def get_group_by_dn(self,dn,sattrs=None):
-        """Get a specific group by cn. If sattrs is set then only those
-           attributes will be returned, otherwise all available attributes
-           are returned."""
-        result = self.transport.get_group_by_dn(dn,sattrs)
-        return group.Group(result)
-
     def get_groups_by_member(self,member_dn,sattrs=None):
         """Gets the groups that member_dn belongs to.
            If sattrs is not None then only those
diff -r ffa79b4eba03 -r 9aeebc9d962e ipa-python/rpcclient.py
--- a/ipa-python/rpcclient.py	Tue Oct 09 08:45:35 2007 -0700
+++ b/ipa-python/rpcclient.py	Tue Oct 09 09:26:16 2007 -0700
@@ -66,7 +66,42 @@ class RPCClient:
                  obj[k] = ent[k]
     
         return obj 
-        
+
+# General searches
+
+    def get_entry_by_dn(self,dn,sattrs=None):
+        """Get a specific entry. If sattrs is not None then only those
+           attributes will be returned, otherwise all available
+           attributes are returned. The result is a dict."""
+        server = self.setup_server()
+        if sattrs is None:
+            sattrs = "__NONE__"
+        try:
+            result = server.get_entry_by_dn(dn, sattrs)
+        except xmlrpclib.Fault, fault:
+            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
+        except socket.error, (value, msg):
+            raise xmlrpclib.Fault(value, msg)
+
+        return ipautil.unwrap_binary_data(result)
+
+    def get_entry_by_cn(self,cn,sattrs=None):
+        """Get a specific entry by cn. If sattrs is not None then only those
+           attributes will be returned, otherwise all available
+           attributes are returned. The result is a dict."""
+        server = self.setup_server()
+        if sattrs is None:
+            sattrs = "__NONE__"
+        try:
+            result = server.get_entry_by_cn(cn, sattrs)
+        except xmlrpclib.Fault, fault:
+            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
+        except socket.error, (value, msg):
+            raise xmlrpclib.Fault(value, msg)
+
+        return ipautil.unwrap_binary_data(result)
+
+
 # User support
 
     def get_user_by_uid(self,uid,sattrs=None):
@@ -78,22 +113,6 @@ class RPCClient:
             sattrs = "__NONE__"
         try:
             result = server.get_user_by_uid(uid, sattrs)
-        except xmlrpclib.Fault, fault:
-            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
-        except socket.error, (value, msg):
-            raise xmlrpclib.Fault(value, msg)
-
-        return ipautil.unwrap_binary_data(result)
- 
-    def get_user_by_dn(self,dn,sattrs=None):
-        """Get a specific user. If sattrs is not None then only those
-           attributes will be returned, otherwise all available
-           attributes are returned. The result is a dict."""
-        server = self.setup_server()
-        if sattrs is None:
-            sattrs = "__NONE__"
-        try:
-            result = server.get_user_by_dn(dn, sattrs)
         except xmlrpclib.Fault, fault:
             raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
         except socket.error, (value, msg):
@@ -258,38 +277,6 @@ class RPCClient:
         return ipautil.unwrap_binary_data(result)
 
 # Group support
-        
-    def get_group_by_cn(self,cn,sattrs=None):
-        """Get a specific group. If sattrs is not None then only those
-           attributes will be returned, otherwise all available
-           attributes are returned. The result is a dict."""
-        server = self.setup_server()
-        if sattrs is None:
-            sattrs = "__NONE__"
-        try:
-            result = server.get_group_by_cn(cn, sattrs)
-        except xmlrpclib.Fault, fault:
-            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
-        except socket.error, (value, msg):
-            raise xmlrpclib.Fault(value, msg)
-
-        return ipautil.unwrap_binary_data(result)
-        
-    def get_group_by_dn(self,dn,sattrs=None):
-        """Get a specific group. If sattrs is not None then only those
-           attributes will be returned, otherwise all available
-           attributes are returned. The result is a dict."""
-        server = self.setup_server()
-        if sattrs is None:
-            sattrs = "__NONE__"
-        try:
-            result = server.get_group_by_dn(dn, sattrs)
-        except xmlrpclib.Fault, fault:
-            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
-        except socket.error, (value, msg):
-            raise xmlrpclib.Fault(value, msg)
-
-        return ipautil.unwrap_binary_data(result)
 
     def get_groups_by_member(self,member_dn,sattrs=None):
         """Gets the groups that member_dn belongs to.
diff -r ffa79b4eba03 -r 9aeebc9d962e ipa-server/ipa-gui/ipagui/subcontrollers/group.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py	Tue Oct 09 08:45:35 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py	Tue Oct 09 09:26:16 2007 -0700
@@ -84,7 +84,7 @@ class GroupController(IPAController):
         #       on any error, we redirect to the _edit_ group page.
         #       this code does data setup, similar to groupedit()
         #
-        group = client.get_group_by_cn(kw['cn'], group_fields)
+        group = client.get_entry_by_cn(kw['cn'], group_fields)
         group_dict = group.toDict()
         member_dicts = []
 
@@ -169,7 +169,7 @@ class GroupController(IPAController):
         client = self.get_ipaclient()
 
         try:
-            group = client.get_group_by_cn(cn, group_fields)
+            group = client.get_entry_by_cn(cn, group_fields)
 
             group_dict = group.toDict()
 
@@ -186,9 +186,8 @@ class GroupController(IPAController):
                 member_dns = [member_dns]
 
             # TODO: convert this into an efficient (single) function call
-            # Note: this isn't quite right, since it can be users and groups.
             members = map(
-                    lambda dn: client.get_user_by_dn(dn, ['dn', 'givenname', 'sn',
+                    lambda dn: client.get_entry_by_dn(dn, ['dn', 'givenname', 'sn',
                         'uid', 'cn']),
                     member_dns)
             members.sort(self.sort_group_member)
@@ -346,7 +345,7 @@ class GroupController(IPAController):
         client = self.get_ipaclient()
 
         try:
-            group = client.get_group_by_cn(cn, group_fields)
+            group = client.get_entry_by_cn(cn, group_fields)
             group_dict = group.toDict()
 
             #
@@ -359,9 +358,8 @@ class GroupController(IPAController):
                 member_dns = [member_dns]
 
             # TODO: convert this into an efficient (single) function call
-            # Note: this isn't quite right, since it can be users and groups.
             members = map(
-                    lambda dn: client.get_user_by_dn(dn, ['dn', 'givenname', 'sn',
+                    lambda dn: client.get_entry_by_dn(dn, ['dn', 'givenname', 'sn',
                         'uid', 'cn']),
                     member_dns)
             members.sort(self.sort_group_member)
diff -r ffa79b4eba03 -r 9aeebc9d962e ipa-server/ipa-gui/ipagui/subcontrollers/user.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py	Tue Oct 09 08:45:35 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py	Tue Oct 09 09:26:16 2007 -0700
@@ -411,7 +411,7 @@ class UserController(IPAController):
             user_manager = None
             try:
                 if user.manager:
-                    user_manager = client.get_user_by_dn(user.manager,
+                    user_manager = client.get_entry_by_dn(user.manager,
                         ['givenname', 'sn', 'uid'])
             except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
                 pass
diff -r ffa79b4eba03 -r 9aeebc9d962e ipa-server/ipa-gui/ipagui/templates/usereditform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usereditform.kid	Tue Oct 09 08:45:35 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usereditform.kid	Tue Oct 09 09:26:16 2007 -0700
@@ -65,7 +65,7 @@ from ipagui.helpers import ipahelper
     function renderMemberInfo(newdiv, info) {
       if (info.type == "group") {
         newdiv.appendChild(document.createTextNode(
-          info.name.escapeHTML() + " "));
+          info.name + " "));
       }
     }
   </script>
diff -r ffa79b4eba03 -r 9aeebc9d962e ipa-server/ipa-gui/ipagui/templates/usernewform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usernewform.kid	Tue Oct 09 08:45:35 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usernewform.kid	Tue Oct 09 09:26:16 2007 -0700
@@ -36,7 +36,7 @@ from ipagui.helpers import ipahelper
     function renderMemberInfo(newdiv, info) {
       if (info.type == "group") {
         newdiv.appendChild(document.createTextNode(
-          info.name.escapeHTML() + " "));
+          info.name + " "));
       }
     }
   </script>
diff -r ffa79b4eba03 -r 9aeebc9d962e ipa-server/xmlrpc-server/funcs.py
--- a/ipa-server/xmlrpc-server/funcs.py	Tue Oct 09 08:45:35 2007 -0700
+++ b/ipa-server/xmlrpc-server/funcs.py	Tue Oct 09 09:26:16 2007 -0700
@@ -323,7 +323,26 @@ class IPAServer:
         partial_match_filter += ")"
 
         return (exact_match_filter, partial_match_filter)
- 
+
+# General searches
+
+    def get_entry_by_dn (self, dn, sattrs=None, opts=None):
+        """Get a specific entry. Return as a dict of values.
+           Multi-valued fields are represented as lists.
+        """
+
+        filter = "(objectClass=*)"
+        return self.__get_entry(dn, filter, sattrs, opts)
+
+    def get_entry_by_cn (self, cn, sattrs=None, opts=None):
+        """Get a specific entry by cn. Return as a dict of values.
+           Multi-valued fields are represented as lists.
+        """
+
+        cn = self.__safe_filter(cn)
+        filter = "(cn=" + cn + ")"
+        return self.__get_entry(self.basedn, filter, sattrs, opts)
+
 # User support
 
     def __is_user_unique(self, uid, opts):
@@ -345,14 +364,6 @@ class IPAServer:
         uid = self.__safe_filter(uid)
         filter = "(uid=" + uid + ")"
         return self.__get_entry(self.basedn, filter, sattrs, opts)
-    
-    def get_user_by_dn (self, dn, sattrs=None, opts=None):
-        """Get a specific user's entry. Return as a dict of values.
-           Multi-valued fields are represented as lists.
-        """
-
-        filter = "(objectClass=*)"
-        return self.__get_entry(dn, filter, sattrs, opts)
 
     def get_user_by_principal(self, principal, sattrs=None, opts=None):
         """Get a user entry searching by Kerberos Principal Name.
@@ -649,23 +660,6 @@ class IPAServer:
         except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
             return 1
 
-    def get_group_by_cn (self, cn, sattrs=None, opts=None):
-        """Get a specific group's entry. Return as a dict of values.
-           Multi-valued fields are represented as lists.
-        """
-
-        cn = self.__safe_filter(cn)
-        filter = "(cn=" + cn + ")"
-        return self.__get_entry(self.basedn, filter, sattrs, opts)
-
-    def get_group_by_dn (self, dn, sattrs=None, opts=None):
-        """Get a specific group's entry. Return as a dict of values.
-           Multi-valued fields are represented as lists.
-        """
-
-        filter = "(objectClass=*)"
-        return self.__get_entry(dn, filter, sattrs, opts)
-
     def get_groups_by_member (self, member_dn, sattrs=None, opts=None):
         """Get a specific group's entry. Return as a dict of values.
            Multi-valued fields are represented as lists.
@@ -787,7 +781,7 @@ class IPAServer:
         """Add a member to an existing group.
         """
 
-        old_group = self.get_group_by_dn(group_dn, None, opts)
+        old_group = self.get_entry_by_dn(group_dn, None, opts)
         if old_group is None:
             raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
         new_group = copy.deepcopy(old_group)
@@ -834,7 +828,7 @@ class IPAServer:
         """Remove a member_dn from an existing group.
         """
 
-        old_group = self.get_group_by_dn(group_dn, None, opts)
+        old_group = self.get_entry_by_dn(group_dn, None, opts)
         if old_group is None:
             raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
         new_group = copy.deepcopy(old_group)
@@ -1002,7 +996,7 @@ class IPAServer:
            The memberOf plugin handles removing the group from any other
            groups.
         """
-        group = self.get_group_by_dn(group_dn, ['dn', 'cn'], opts)
+        group = self.get_entry_by_dn(group_dn, ['dn', 'cn'], opts)
 
         if len(group) != 1:
             raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
@@ -1020,12 +1014,12 @@ class IPAServer:
            tgroup is the DN of the target group to be added to
         """
 
-        old_group = self.get_group_by_dn(tgroup, None, opts)
+        old_group = self.get_entry_by_dn(tgroup, None, opts)
         if old_group is None:
             raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
         new_group = copy.deepcopy(old_group)
 
-        group_dn = self.get_group_by_dn(group, ['dn', 'cn', 'objectclass'], opts)
+        group_dn = self.get_entry_by_dn(group, ['dn', 'cn', 'objectclass'], opts)
         if group_dn is None:
             raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
 
diff -r ffa79b4eba03 -r 9aeebc9d962e ipa-server/xmlrpc-server/ipaxmlrpc.py
--- a/ipa-server/xmlrpc-server/ipaxmlrpc.py	Tue Oct 09 08:45:35 2007 -0700
+++ b/ipa-server/xmlrpc-server/ipaxmlrpc.py	Tue Oct 09 09:26:16 2007 -0700
@@ -317,8 +317,9 @@ def handler(req, profiling=False):
         try:
             f = funcs.IPAServer()
             h = ModXMLRPCRequestHandler()
+            h.register_function(f.get_entry_by_dn)
+            h.register_function(f.get_entry_by_cn)
             h.register_function(f.get_user_by_uid)
-            h.register_function(f.get_user_by_dn)
             h.register_function(f.get_user_by_principal)
             h.register_function(f.get_users_by_manager)
             h.register_function(f.add_user)
@@ -329,8 +330,6 @@ def handler(req, profiling=False):
             h.register_function(f.delete_user)
             h.register_function(f.mark_user_deleted)
             h.register_function(f.modifyPassword)
-            h.register_function(f.get_group_by_cn)
-            h.register_function(f.get_group_by_dn)
             h.register_function(f.get_groups_by_member)
             h.register_function(f.add_group)
             h.register_function(f.find_groups)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071009/d0758140/attachment.bin>

From kmccarth at redhat.com  Tue Oct  9 16:30:41 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 9 Oct 2007 09:30:41 -0700
Subject: [Freeipa-devel] [PATCH] fix webgui IPAClient allocation
In-Reply-To: <1191945465.23486.43.camel@dhcp-64-223.iad.redhat.com>
References: <20071008165603.GE3595@moon.usersys.redhat.com>
	<470A62A4.50002@redhat.com>
	<20071008171855.GF3595@moon.usersys.redhat.com>
	<1191945465.23486.43.camel@dhcp-64-223.iad.redhat.com>
Message-ID: <20071009163041.GC23078@moon.usersys.redhat.com>

Karl MacMillan wrote:
> On Mon, 2007-10-08 at 10:18 -0700, Kevin McCarthy wrote:
> > Rob Crittenden wrote:
> > > Kevin McCarthy wrote:
> > >> This patch fixes the web gui to allocate a new IPAClient for each
> > >> request.
> > >> -Kevin
> > >
> > > Kevin, is it possible to create the client in the Identity system? Would  
> > > that be any easier/better?
> > 
> > Hmmm... don't know.  I never quite dug into understanding the identity
> > code yet.  The patch involved as-is is pretty simple, and makes it
> > obvious what's going on, so I don't know if it's worth the effort to
> > work it into the identity code.
> > 
> > Of course, if you have a cool idea, I'm all eyes.
> > 
> 
> Where are we with this - should it be merged or is there another patch
> coming?

pushed.  Rob we can revisit using the identity framework, I don't think
the code is too invasive as is.

-Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071009/9aa0322a/attachment.bin>

From rcritten at redhat.com  Tue Oct  9 18:10:26 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Oct 2007 14:10:26 -0400
Subject: [Freeipa-devel] [PATCH] fix webgui IPAClient allocation
In-Reply-To: <1191945465.23486.43.camel@dhcp-64-223.iad.redhat.com>
References: <20071008165603.GE3595@moon.usersys.redhat.com>	<470A62A4.50002@redhat.com>	<20071008171855.GF3595@moon.usersys.redhat.com>
	<1191945465.23486.43.camel@dhcp-64-223.iad.redhat.com>
Message-ID: <470BC412.8090201@redhat.com>

Karl MacMillan wrote:
> On Mon, 2007-10-08 at 10:18 -0700, Kevin McCarthy wrote:
>> Rob Crittenden wrote:
>>> Kevin McCarthy wrote:
>>>> This patch fixes the web gui to allocate a new IPAClient for each
>>>> request.
>>>> -Kevin
>>> Kevin, is it possible to create the client in the Identity system? Would  
>>> that be any easier/better?
>> Hmmm... don't know.  I never quite dug into understanding the identity
>> code yet.  The patch involved as-is is pretty simple, and makes it
>> obvious what's going on, so I don't know if it's worth the effort to
>> work it into the identity code.
>>
>> Of course, if you have a cool idea, I'm all eyes.
>>
> 
> Where are we with this - should it be merged or is there another patch
> coming?
>

It is fine for now. I was just sort of thinking out loud.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071009/6879b2b7/attachment.bin>

From rcritten at redhat.com  Tue Oct  9 18:31:14 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Oct 2007 14:31:14 -0400
Subject: [Freeipa-devel] [PATCH] combine get_by_cn/dn calls
In-Reply-To: <20071009162526.GB23078@moon.usersys.redhat.com>
References: <20071009162526.GB23078@moon.usersys.redhat.com>
Message-ID: <470BC8F2.1050706@redhat.com>

Kevin McCarthy wrote:
> This patch combines get_group_by_dn and get_user_by_dn into
> get_entry_by_dn.  It does the same for cn.
> 
> It also includes a few double-escaping fixes I somehow missed before.
> 
> -Kevin
> 
>

Looks good.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071009/262d2142/attachment.bin>

From kmccarth at redhat.com  Tue Oct  9 18:35:51 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 9 Oct 2007 11:35:51 -0700
Subject: [Freeipa-devel] [PATCH] combine get_by_cn/dn calls
In-Reply-To: <470BC8F2.1050706@redhat.com>
References: <20071009162526.GB23078@moon.usersys.redhat.com>
	<470BC8F2.1050706@redhat.com>
Message-ID: <20071009183551.GE23078@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> This patch combines get_group_by_dn and get_user_by_dn into
>> get_entry_by_dn.  It does the same for cn.
>> It also includes a few double-escaping fixes I somehow missed before.
>> -Kevin
>>
>
> Looks good.

pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071009/7feca510/attachment.bin>

From kmacmill at redhat.com  Tue Oct  9 20:09:52 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 09 Oct 2007 16:09:52 -0400
Subject: [Freeipa-devel] [PATCH] fix 64bit errors
Message-ID: <1191960592.23486.75.camel@dhcp-64-223.iad.redhat.com>

This largish patch makes the build and installation work on 64bit
machines. The only catch here is that to get a 64bit build you need to
set LIBDIR on make:

make install LIBDIR=/usr/lib64

The spec file does this correctly. I couldn't find any reliable way to
guess this that works both on real systems and in the almost entirely
empty rpm build root (you can't, for example, check for the existence
of /usr/lib64).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 64bit-fixes.patch
Type: text/x-patch
Size: 13037 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071009/aaeb5b39/attachment.bin>

From kmccarth at redhat.com  Tue Oct  9 20:26:11 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 9 Oct 2007 13:26:11 -0700
Subject: [Freeipa-devel] [PATCH] fix 64bit errors
In-Reply-To: <1191960592.23486.75.camel@dhcp-64-223.iad.redhat.com>
References: <1191960592.23486.75.camel@dhcp-64-223.iad.redhat.com>
Message-ID: <20071009202611.GF23078@moon.usersys.redhat.com>

Karl MacMillan wrote:
> This largish patch makes the build and installation work on 64bit
> machines. The only catch here is that to get a 64bit build you need to
> set LIBDIR on make:
> 
> make install LIBDIR=/usr/lib64
> 
> The spec file does this correctly. I couldn't find any reliable way to
> guess this that works both on real systems and in the almost entirely
> empty rpm build root (you can't, for example, check for the existence
> of /usr/lib64).

My only comment was whether you wanted the DEBUG and BUILD64 in both the
top-level Makefile and Makefile.common or not.

Otherwise looks good.

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071009/3db5debf/attachment.bin>

From kmacmill at redhat.com  Tue Oct  9 20:26:36 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 09 Oct 2007 16:26:36 -0400
Subject: [Freeipa-devel] [PATCH] fix 64bit errors
In-Reply-To: <20071009202611.GF23078@moon.usersys.redhat.com>
References: <1191960592.23486.75.camel@dhcp-64-223.iad.redhat.com>
	<20071009202611.GF23078@moon.usersys.redhat.com>
Message-ID: <1191961596.23486.83.camel@dhcp-64-223.iad.redhat.com>

On Tue, 2007-10-09 at 13:26 -0700, Kevin McCarthy wrote:
> Karl MacMillan wrote:
> > This largish patch makes the build and installation work on 64bit
> > machines. The only catch here is that to get a 64bit build you need to
> > set LIBDIR on make:
> > 
> > make install LIBDIR=/usr/lib64
> > 
> > The spec file does this correctly. I couldn't find any reliable way to
> > guess this that works both on real systems and in the almost entirely
> > empty rpm build root (you can't, for example, check for the existence
> > of /usr/lib64).
> 
> My only comment was whether you wanted the DEBUG and BUILD64 in both the
> top-level Makefile and Makefile.common or not.
> 
> Otherwise looks good.
> 
> -Kevin
> _______________________________________________

Nope - committed and pushed the attached patch instead.

Thanks,

Karl



From ssorce at redhat.com  Tue Oct  9 20:44:48 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 09 Oct 2007 16:44:48 -0400
Subject: [Freeipa-devel] [PATCH] fix 64bit errors
In-Reply-To: <1191961596.23486.83.camel@dhcp-64-223.iad.redhat.com>
References: <1191960592.23486.75.camel@dhcp-64-223.iad.redhat.com>
	<20071009202611.GF23078@moon.usersys.redhat.com>
	<1191961596.23486.83.camel@dhcp-64-223.iad.redhat.com>
Message-ID: <1191962688.11753.14.camel@localhost.localdomain>

On Tue, 2007-10-09 at 16:26 -0400, Karl MacMillan wrote:
> 
> Nope - committed and pushed the attached patch instead.
> 
> Thanks,


No patch attached instead :-)



From kmccarth at redhat.com  Tue Oct  9 20:49:49 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 9 Oct 2007 13:49:49 -0700
Subject: [Freeipa-devel] [PATCH] simple aci parser
Message-ID: <20071009204948.GH23078@moon.usersys.redhat.com>

This is a simple ACI parser.  It will be used to parse out the relevant
entries for the delegation gui.  Don't worry, that gui will _ignore_
entries it doesn't understand.  This parser will only recognize entries
the gui creates, so it's not very forgiving of any deviation.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1191963158 25200
# Node ID 39e350d86367ac35318fb6dbab6570710a5f4957
# Parent  587c0641df6a6752299fa39711cc5c9680bfff50
This is a really simple (and dumb) ACI parser for the ACI's we
will need in the delegation UI.

diff -r 587c0641df6a -r 39e350d86367 ipa-python/aci.py
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-python/aci.py	Tue Oct 09 13:52:38 2007 -0700
@@ -0,0 +1,116 @@
+#! /usr/bin/python -E
+#
+# Copyright (C) 2007    Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 or later
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.    See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import re
+
+class ACI:
+    """
+    Holds the basic data for an ACI entry, as stored in the cn=accounts
+    entry in LDAP.  Has methods to parse an ACI string and export to an
+    ACI String.
+    """
+
+    def __init__(self,acistr=None):
+        self.source_group = ''
+        self.dest_group = ''
+        self.attrs = []
+        self.name = ''
+        if acistr is not None:
+            self.parse_acistr(acistr)
+
+    def export_to_string(self):
+        """Converts the ACI to a string suitable for an LDAP aci attribute."""
+        attrs_str = ' || '.join(self.attrs)
+
+        # dest_group and source_group are assumed to be pre-escaped.
+        # dn's aren't typed in, but searched for, and the search results
+        # will return escaped dns
+
+        acistr = ('(targetattr = "%s")' +
+                  '(targetfilter="(memberOf=%s)")' +
+                  '(version 3.0;' +
+                  'acl "%s";' +
+                  'allow (write) ' +
+                  'groupdn="%s";)') % (attrs_str,
+                                       self.dest_group,
+                                       self.name,
+                                       self.source_group)
+        return acistr
+
+    def _match(self, prefix, inputstr):
+        """Returns inputstr with prefix removed, or else raises a
+           SyntaxError."""
+        if inputstr.startswith(prefix):
+            return inputstr[len(prefix):]
+        else:
+            raise SyntaxError, "'%s' not found at '%s'" % (prefix, inputstr)
+
+    def _match_str(self, inputstr):
+        """Tries to extract a " delimited string from the front of inputstr.
+           Returns (string, inputstr) where:
+             - string is the extracted string (minus the enclosing " chars)
+             - inputstr is the parameter with the string removed.
+           Raises SyntaxError is a string is not found."""
+        if not inputstr.startswith('"'):
+            raise SyntaxError, "string not found at '%s'" % inputstr
+
+        found = False
+        start_index = 1
+        final_index = 1
+        while not found and (final_index < len(inputstr)):
+            if inputstr[final_index] == '\\':
+                final_index += 2
+            elif inputstr[final_index] == '"':
+                found = True
+            else:
+                final_index += 1
+        if not found:
+            raise SyntaxError, "string not found at '%s'" % inputstr
+
+        match = inputstr[start_index:final_index]
+        inputstr = inputstr[final_index + 1:]
+
+        return(match, inputstr)
+
+    def parse_acistr(self, acistr):
+        """Parses the acistr.  If the string isn't recognized, a SyntaxError
+           is raised."""
+        acistr = self._match('(targetattr = ', acistr)
+        (attrstr, acistr) = self._match_str(acistr)
+        self.attrs = attrstr.split(' || ')
+
+        acistr = self._match(')(targetfilter=', acistr)
+        (target_dn_str, acistr) = self._match_str(acistr)
+        target_dn_str = self._match('(memberOf=', target_dn_str)
+        if target_dn_str.endswith(')'):
+            self.dest_group = target_dn_str[:-1]
+        else:
+            raise SyntaxError, "illegal dest_group at '%s'" % target_dn_str
+
+        acistr = self._match(')(version 3.0;acl ', acistr)
+        (name_str, acistr) = self._match_str(acistr)
+        self.name = name_str
+
+        acistr = self._match(';allow (write) groupdn=', acistr)
+        (src_dn_str, acistr) = self._match_str(acistr)
+        self.source_group = src_dn_str
+
+        acistr = self._match(';)', acistr)
+        if len(acistr) > 0:
+            raise SyntaxError, "unexpected aci suffix at '%s'" % acistr
diff -r 587c0641df6a -r 39e350d86367 ipa-python/test/test_aci.py
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-python/test/test_aci.py	Tue Oct 09 13:52:38 2007 -0700
@@ -0,0 +1,97 @@
+#! /usr/bin/python -E
+#
+# Copyright (C) 2007    Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 or later
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.    See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import sys
+sys.path.insert(0, ".")
+
+import unittest
+import aci
+
+
+class TestACI(unittest.TestCase):
+    acitemplate = ('(targetattr = "%s")' +
+               '(targetfilter="(memberOf=%s)")' +
+               '(version 3.0;' +
+               'acl "%s";' +
+               'allow (write) ' +
+               'groupdn="%s";)')
+
+    def setUp(self):
+        self.aci = aci.ACI()
+
+    def tearDown(self):
+        pass
+
+    def testExport(self):
+        self.aci.source_group = 'cn=foo, dc=freeipa, dc=org'
+        self.aci.dest_group = 'cn=bar, dc=freeipa, dc=org'
+        self.aci.name = 'this is a "name'
+        self.aci.attrs = ['field1', 'field2', 'field3']
+
+        exportaci = self.aci.export_to_string()
+        aci = TestACI.acitemplate % ('field1 || field2 || field3',
+                                     self.aci.dest_group,
+                                     'this is a "name',
+                                     self.aci.source_group)
+
+        self.assertEqual(aci, exportaci)
+
+    def testSimpleParse(self):
+        attr_str = 'field3 || field4 || field5'
+        dest_dn = 'cn=dest\\"group, dc=freeipa, dc=org'
+        name = 'my name'
+        src_dn = 'cn=srcgroup, dc=freeipa, dc=org'
+
+        acistr = TestACI.acitemplate % (attr_str, dest_dn, name, src_dn)
+        self.aci.parse_acistr(acistr)
+
+        self.assertEqual(['field3', 'field4', 'field5'], self.aci.attrs)
+        self.assertEqual(dest_dn, self.aci.dest_group)
+        self.assertEqual(name, self.aci.name)
+        self.assertEqual(src_dn, self.aci.source_group)
+
+    def testInvalidParse(self):
+        try:
+          self.aci.parse_acistr('foo bar')
+          self.fail('Should have failed to parse')
+        except SyntaxError:
+            pass
+
+        try:
+          self.aci.parse_acistr('')
+          self.fail('Should have failed to parse')
+        except SyntaxError:
+            pass
+
+        attr_str = 'field3 || field4 || field5'
+        dest_dn = 'cn=dest\\"group, dc=freeipa, dc=org'
+        name = 'my name'
+        src_dn = 'cn=srcgroup, dc=freeipa, dc=org'
+
+        acistr = TestACI.acitemplate % (attr_str, dest_dn, name, src_dn)
+        acistr += 'trailing garbage'
+        try:
+          self.aci.parse_acistr('')
+          self.fail('Should have failed to parse')
+        except SyntaxError:
+            pass
+
+
+if __name__ == '__main__':
+    unittest.main()
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071009/1b22ffba/attachment.bin>

From kmacmill at redhat.com  Tue Oct  9 20:50:38 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 09 Oct 2007 16:50:38 -0400
Subject: [Freeipa-devel] [PATCH] fix 64bit errors
In-Reply-To: <1191962688.11753.14.camel@localhost.localdomain>
References: <1191960592.23486.75.camel@dhcp-64-223.iad.redhat.com>
	<20071009202611.GF23078@moon.usersys.redhat.com>
	<1191961596.23486.83.camel@dhcp-64-223.iad.redhat.com>
	<1191962688.11753.14.camel@localhost.localdomain>
Message-ID: <1191963038.23486.100.camel@dhcp-64-223.iad.redhat.com>

On Tue, 2007-10-09 at 16:44 -0400, Simo Sorce wrote:
> On Tue, 2007-10-09 at 16:26 -0400, Karl MacMillan wrote:
> > 
> > Nope - committed and pushed the attached patch instead.
> > 
> > Thanks,
> 
> 
> No patch attached instead :-)
> 

Ooops.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 64bit-fixes.patch
Type: text/x-patch
Size: 12978 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071009/c8373fdd/attachment.bin>

From rcritten at redhat.com  Wed Oct 10 17:02:43 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 10 Oct 2007 13:02:43 -0400
Subject: [Freeipa-devel] what do we want to show?
Message-ID: <470D05B3.9050906@redhat.com>

Currently ipa-finduser and ipa-findgroup display a fairly random set of 
attributes.

What do we want to show?

I was thinking ala finger:

username
cn
homeDirectory
shell
krbPrincipalName

But if the GUI is used we'll also have full address, phone, etc.

And what about e-mail address?

For groups I was thinking:

cn
description
gidnumber
members

The thing about members is that it includes the DN of the member which 
isn't particulary human-readable.

I have a couple ideas about that:

1. Make membership an optional argument
2. Translate members into something more readable by looking up the cn 
for each member (expensive).
3. Unknown option X

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071010/b420a889/attachment.bin>

From prowley at redhat.com  Wed Oct 10 18:36:08 2007
From: prowley at redhat.com (Pete Rowley)
Date: Wed, 10 Oct 2007 11:36:08 -0700
Subject: [Freeipa-devel] what do we want to show?
In-Reply-To: <470D05B3.9050906@redhat.com>
References: <470D05B3.9050906@redhat.com>
Message-ID: <470D1B98.8060203@redhat.com>

Rob Crittenden wrote:
> Currently ipa-finduser and ipa-findgroup display a fairly random set 
> of attributes.
>
> What do we want to show?
>
> I was thinking ala finger:
>
> username
> cn
> homeDirectory
> shell
> krbPrincipalName
>
I think this is fine as default
> But if the GUI is used we'll also have full address, phone, etc.
>
An option to show the rest would be good.
> cn
> description
> gidnumber
> members
>
> The thing about members is that it includes the DN of the member which 
> isn't particulary human-readable.
>
> I have a couple ideas about that:
>
> 1. Make membership an optional argument
Good idea I think.
> 2. Translate members into something more readable by looking up the cn 
> for each member (expensive).
Would be quite cheap if you search on memberof attribute - it's one 
search to get all you need.


-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071010/9576685f/attachment.bin>

From rcritten at redhat.com  Wed Oct 10 18:44:12 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 10 Oct 2007 14:44:12 -0400
Subject: [Freeipa-devel] what do we want to show?
In-Reply-To: <470D1B98.8060203@redhat.com>
References: <470D05B3.9050906@redhat.com> <470D1B98.8060203@redhat.com>
Message-ID: <470D1D7C.3010403@redhat.com>

Pete Rowley wrote:
> Rob Crittenden wrote:
>> Currently ipa-finduser and ipa-findgroup display a fairly random set 
>> of attributes.
>>
>> What do we want to show?
>>
>> I was thinking ala finger:
>>
>> username
>> cn
>> homeDirectory
>> shell
>> krbPrincipalName
>>
> I think this is fine as default
>> But if the GUI is used we'll also have full address, phone, etc.
>>
> An option to show the rest would be good.
>> cn
>> description
>> gidnumber
>> members
>>
>> The thing about members is that it includes the DN of the member which 
>> isn't particulary human-readable.
>>
>> I have a couple ideas about that:
>>
>> 1. Make membership an optional argument
> Good idea I think.
>> 2. Translate members into something more readable by looking up the cn 
>> for each member (expensive).
> Would be quite cheap if you search on memberof attribute - it's one 
> search to get all you need.
> 

What would that search look like?

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071010/6e6c00f3/attachment.bin>

From prowley at redhat.com  Wed Oct 10 18:59:51 2007
From: prowley at redhat.com (Pete Rowley)
Date: Wed, 10 Oct 2007 11:59:51 -0700
Subject: [Freeipa-devel] what do we want to show?
In-Reply-To: <470D1D7C.3010403@redhat.com>
References: <470D05B3.9050906@redhat.com> <470D1B98.8060203@redhat.com>
	<470D1D7C.3010403@redhat.com>
Message-ID: <470D2127.8040208@redhat.com>

Rob Crittenden wrote:
> Pete Rowley wrote:
>> Rob Crittenden wrote:
>>> Currently ipa-finduser and ipa-findgroup display a fairly random set 
>>> of attributes.
>>>
>>> What do we want to show?
>>>
>>> I was thinking ala finger:
>>>
>>> username
>>> cn
>>> homeDirectory
>>> shell
>>> krbPrincipalName
>>>
>> I think this is fine as default
>>> But if the GUI is used we'll also have full address, phone, etc.
>>>
>> An option to show the rest would be good.
>>> cn
>>> description
>>> gidnumber
>>> members
>>>
>>> The thing about members is that it includes the DN of the member 
>>> which isn't particulary human-readable.
>>>
>>> I have a couple ideas about that:
>>>
>>> 1. Make membership an optional argument
>> Good idea I think.
>>> 2. Translate members into something more readable by looking up the 
>>> cn for each member (expensive).
>> Would be quite cheap if you search on memberof attribute - it's one 
>> search to get all you need.
>>
>
> What would that search look like?
(memberof=<dn of group>) and request any attributes you want from the 
entries.


-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071010/57d21d28/attachment.bin>

From rcritten at redhat.com  Wed Oct 10 19:10:39 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 10 Oct 2007 15:10:39 -0400
Subject: [Freeipa-devel] what do we want to show?
In-Reply-To: <470D2127.8040208@redhat.com>
References: <470D05B3.9050906@redhat.com> <470D1B98.8060203@redhat.com>
	<470D1D7C.3010403@redhat.com> <470D2127.8040208@redhat.com>
Message-ID: <470D23AF.8080009@redhat.com>

Pete Rowley wrote:
>>
>> What would that search look like?
> (memberof=<dn of group>) and request any attributes you want from the 
> entries.
> 
> 

Ok, don't mean to be thick, but I still don't get it:

ldapsearch -Y GSSAPI -b "dc=freeipa,dc=org" 
"memberOf=cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org" cn

Tried with memberOf="dn:..." too.

Both return:

# search result
search: 4
result: 0 Success

# numResponses: 1

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071010/24efb0b7/attachment.bin>

From prowley at redhat.com  Wed Oct 10 19:31:17 2007
From: prowley at redhat.com (Pete Rowley)
Date: Wed, 10 Oct 2007 12:31:17 -0700
Subject: [Freeipa-devel] what do we want to show?
In-Reply-To: <470D23AF.8080009@redhat.com>
References: <470D05B3.9050906@redhat.com> <470D1B98.8060203@redhat.com>
	<470D1D7C.3010403@redhat.com> <470D2127.8040208@redhat.com>
	<470D23AF.8080009@redhat.com>
Message-ID: <470D2885.4090206@redhat.com>

Rob Crittenden wrote:
> Pete Rowley wrote:
>>>
>>> What would that search look like?
>> (memberof=<dn of group>) and request any attributes you want from the 
>> entries.
>>
>>
>
> Ok, don't mean to be thick, but I still don't get it:
>
> ldapsearch -Y GSSAPI -b "dc=freeipa,dc=org" 
> "memberOf=cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org" cn
>
> Tried with memberOf="dn:..." too.
Need the memberof plugin configured.

-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071010/f771c4a2/attachment.bin>

From rcritten at redhat.com  Wed Oct 10 20:53:52 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 10 Oct 2007 16:53:52 -0400
Subject: [Freeipa-devel] what do we want to show?
In-Reply-To: <470D2885.4090206@redhat.com>
References: <470D05B3.9050906@redhat.com> <470D1B98.8060203@redhat.com>
	<470D1D7C.3010403@redhat.com> <470D2127.8040208@redhat.com>
	<470D23AF.8080009@redhat.com> <470D2885.4090206@redhat.com>
Message-ID: <470D3BE0.3000202@redhat.com>

Pete Rowley wrote:
> Rob Crittenden wrote:
>> Pete Rowley wrote:
>>>>
>>>> What would that search look like?
>>> (memberof=<dn of group>) and request any attributes you want from the 
>>> entries.
>>>
>>>
>>
>> Ok, don't mean to be thick, but I still don't get it:
>>
>> ldapsearch -Y GSSAPI -b "dc=freeipa,dc=org" 
>> "memberOf=cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org" cn
>>
>> Tried with memberOf="dn:..." too.
> Need the memberof plugin configured.
> 

You're working on that, right?

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071010/5b30cc1f/attachment.bin>

From mccann at jhu.edu  Wed Oct 10 21:40:22 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Wed, 10 Oct 2007 17:40:22 -0400
Subject: [Freeipa-devel] [PATCH] setup.py for freeipa-python
Message-ID: <939dd5750710101440s1fffa8dat5e4c7058f4566f8d@mail.gmail.com>

Hi,

Here is a patch that adds a setup.py for the freeipa-python package.

This makes it easier to build tarballs, rpms, and do installs.  It can
even generate a spec file:
python setup.py bdist_rpm --spec

Jon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-python-setuppy.diff
Type: text/x-diff
Size: 2266 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071010/5486f1fb/attachment.bin>

From prowley at redhat.com  Wed Oct 10 23:25:47 2007
From: prowley at redhat.com (Pete Rowley)
Date: Wed, 10 Oct 2007 16:25:47 -0700
Subject: [Freeipa-devel] [PATCH] enable memberof plugin
Message-ID: <470D5F7B.2010605@redhat.com>


-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071010/cda902c5/attachment.bin>

From prowley at redhat.com  Wed Oct 10 23:30:55 2007
From: prowley at redhat.com (Pete Rowley)
Date: Wed, 10 Oct 2007 16:30:55 -0700
Subject: [Freeipa-devel] [PATCH] enable memberof plugin
Message-ID: <470D60AF.3040300@redhat.com>

this time, with a patch attached :)

-- 
Pete

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch.txt
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071010/2a4e5ef3/attachment.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071010/2a4e5ef3/attachment.bin>

From ssorce at redhat.com  Thu Oct 11 04:00:09 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 11 Oct 2007 00:00:09 -0400
Subject: [Freeipa-devel] [PATCH] enable memberof plugin
In-Reply-To: <470D60AF.3040300@redhat.com>
References: <470D60AF.3040300@redhat.com>
Message-ID: <1192075209.27891.11.camel@localhost.localdomain>

On Wed, 2007-10-10 at 16:30 -0700, Pete Rowley wrote:
> this time, with a patch attached :)

I think this should be done separately from bootstrap and in the
dsinstance.py module, like we do in the krbinstance.py module with the
__add_pwd_extop_module() to enable the passwd extop plugin.

Simo.



From rcritten at redhat.com  Thu Oct 11 13:24:01 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 11 Oct 2007 09:24:01 -0400
Subject: [Freeipa-devel] [PATCH] enable memberof plugin
In-Reply-To: <470D60AF.3040300@redhat.com>
References: <470D60AF.3040300@redhat.com>
Message-ID: <470E23F1.4050106@redhat.com>

Pete Rowley wrote:
> this time, with a patch attached :)
> 

I applied this ldif to my server but memberof still returns nothing:

ldapsearch -Y GSSAPI -b "dc=freeipa,dc=org" 
"memberOf=cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org" cn
SASL/GSSAPI authentication started
SASL username: rcrit at FREEIPA.ORG
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <dc=freeipa,dc=org> with scope subtree
# filter: memberOf=cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org
# requesting: cn
#

# search result
search: 4
result: 0 Success

# numResponses: 1

There are members:

ldapsearch -Y GSSAPI -b "dc=freeipa,dc=org" cn=admins uniqueMember

# admins, groups, accounts, freeipa.org
dn: cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org
uniqueMember: uid=admin,cn=sysaccounts,cn=etc,dc=freeipa,dc=org
uniqueMember: uid=rcrit,cn=users,cn=accounts,dc=freeipa,dc=org
uniqueMember: uid=test1,cn=users,cn=accounts,dc=freeipa,dc=org
uniqueMember: uid=test2,cn=users,cn=accounts,dc=freeipa,dc=org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/586f7607/attachment.bin>

From rcritten at redhat.com  Thu Oct 11 13:26:35 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 11 Oct 2007 09:26:35 -0400
Subject: [Freeipa-devel] [PATCH] setup.py for freeipa-python
In-Reply-To: <939dd5750710101440s1fffa8dat5e4c7058f4566f8d@mail.gmail.com>
References: <939dd5750710101440s1fffa8dat5e4c7058f4566f8d@mail.gmail.com>
Message-ID: <470E248B.8050508@redhat.com>

William Jon McCann wrote:
> Hi,
> 
> Here is a patch that adds a setup.py for the freeipa-python package.
> 
> This makes it easier to build tarballs, rpms, and do installs.  It can
> even generate a spec file:
> python setup.py bdist_rpm --spec
> 
> Jon
> 

I'm not familiar with the python distutils package, what does this buy 
us? We already generate tar.gz and rpm files.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/a29107b8/attachment.bin>

From rcritten at redhat.com  Thu Oct 11 14:51:07 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 11 Oct 2007 10:51:07 -0400
Subject: [Freeipa-devel] [PATCH] ipa-finduser fixes
Message-ID: <470E385B.70905@redhat.com>

I added an '-a/--all' option to ipa-finduser to display all attributes 
returned.
Binary values are now base64-encoded
The attributes are sorted before being printed
Values are stripped before being printed. The base64-encoding was adding 
an extra carriage return.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-265-finduser.patch
Type: text/x-patch
Size: 3118 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/c03b2ded/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/c03b2ded/attachment-0001.bin>

From rcritten at redhat.com  Thu Oct 11 14:52:33 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 11 Oct 2007 10:52:33 -0400
Subject: [Freeipa-devel] [PATCH] command-line tools man pages
Message-ID: <470E38B1.5030807@redhat.com>

I hacked up some man pages for the ipa-* command-line tools. These are 
so simple and small using xml is probably overkill, though it should be 
straightforward to convert if necessary.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-266-man.patch
Type: text/x-patch
Size: 19123 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/62694e56/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/62694e56/attachment-0001.bin>

From mccann at jhu.edu  Thu Oct 11 15:08:01 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Thu, 11 Oct 2007 11:08:01 -0400
Subject: [Freeipa-devel] [PATCH] setup.py for freeipa-python
In-Reply-To: <470E248B.8050508@redhat.com>
References: <939dd5750710101440s1fffa8dat5e4c7058f4566f8d@mail.gmail.com>
	<470E248B.8050508@redhat.com>
Message-ID: <939dd5750710110808k2e25af9bic607fd5649e30769@mail.gmail.com>

Hi Rob,

On 10/11/07, Rob Crittenden <rcritten at redhat.com> wrote:
> William Jon McCann wrote:
> > Hi,
> >
> > Here is a patch that adds a setup.py for the freeipa-python package.
> >
> > This makes it easier to build tarballs, rpms, and do installs.  It can
> > even generate a spec file:
> > python setup.py bdist_rpm --spec
> >
> > Jon
> >
>
> I'm not familiar with the python distutils package, what does this buy
> us? We already generate tar.gz and rpm files.

Well, in my opinion, freeipa/Makefile really isn't a good build
system.  It has a number of problems:

 * It exists outside of the discrete packages
   If someone wants to build or package one of the individual modules
either from hg or from a tarball it isn't straighforward
 * The version numbers of the individual packages isn't contained in the package
 * It is too heavily biased toward RPM production and not extensible
 * The dist target builds RPMs and SRPMs
 * Does not seem to detect python versions or directories
 * Does not have a mechanism for specifying files to include/exclude
from distribution

The Makefiles in the individual sudirectories have their own problems.
 It is probably sufficient for making the official tarballs and rpms
for the project but it is very inconvenient for an external
developer/packager to use.

I would like to improve the overall system.  Since the subdirectories
are packaged and installed separately I think it makes sense for each
to be self-contained.  This makes it way easier to work with, hack on,
and test each package individually.

Looking at ipa-python specifically:

Since this is a pure python package, I think it makes sense to use:
http://docs.python.org/lib/module-distutils.html

For one, it is the way people expect to work with a python library.
The Makefile that is used is a little lacking:
 * doesn't compile the .py files
 * maintain a version number
 * generate the .spec file
 * have a dist (tarball) target

I suppose another option would be to use autotools but I don't think
that makes sense for a pure python module.

Thanks,
Jon



From kmacmill at redhat.com  Thu Oct 11 15:23:51 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 11 Oct 2007 11:23:51 -0400
Subject: [Freeipa-devel] [PATCH] setup.py for freeipa-python
In-Reply-To: <939dd5750710110808k2e25af9bic607fd5649e30769@mail.gmail.com>
References: <939dd5750710101440s1fffa8dat5e4c7058f4566f8d@mail.gmail.com>
	<470E248B.8050508@redhat.com>
	<939dd5750710110808k2e25af9bic607fd5649e30769@mail.gmail.com>
Message-ID: <1192116231.26928.35.camel@dhcp-64-223.iad.redhat.com>

On Thu, 2007-10-11 at 11:08 -0400, William Jon McCann wrote:
> Hi Rob,
> 
> On 10/11/07, Rob Crittenden <rcritten at redhat.com> wrote:
> > William Jon McCann wrote:
> > > Hi,
> > >
> > > Here is a patch that adds a setup.py for the freeipa-python package.
> > >
> > > This makes it easier to build tarballs, rpms, and do installs.  It can
> > > even generate a spec file:
> > > python setup.py bdist_rpm --spec
> > >
> > > Jon
> > >
> >
> > I'm not familiar with the python distutils package, what does this buy
> > us? We already generate tar.gz and rpm files.
> 
> Well, in my opinion, freeipa/Makefile really isn't a good build
> system.  It has a number of problems:
> 
>  * It exists outside of the discrete packages
>    If someone wants to build or package one of the individual modules
> either from hg or from a tarball it isn't straighforward

Really? What doesn't work? The top-level makefile is supposed to just be
a convenience for developers for building everything and making
packages. And the individual tarballs get built whenever the src rpms
are build.

>  * The version numbers of the individual packages isn't contained in the package

They are in the spec files - where else should they be?

>  * It is too heavily biased toward RPM production and not extensible

Well - the lower-level makefiles are just plain makefiles. Again, the
top-level is more just a convenience for developers - i.e. me :).

>  * The dist target builds RPMs and SRPMs

what should it build?

>  * Does not seem to detect python versions or directories

It should - e.g.:

PYTHONLIBDIR ?= $(shell  python -c "from distutils.sysconfig import *;
print get_python_lib()")

>  * Does not have a mechanism for specifying files to include/exclude
> from distribution
> 

What would that be used for?

> The Makefiles in the individual sudirectories have their own problems.
>  It is probably sufficient for making the official tarballs and rpms
> for the project but it is very inconvenient for an external
> developer/packager to use.
> 
> I would like to improve the overall system.  Since the subdirectories
> are packaged and installed separately I think it makes sense for each
> to be self-contained.  This makes it way easier to work with, hack on,
> and test each package individually.
> 

I'm having trouble understanding exactly what problems you are
encountering. I'm definitely open to improving the build system - it is
currently just the easiest possible thing we could do, so it has many
shortcomings. However, understanding what you are looking for would help
choose the right direction for the changes.

> Looking at ipa-python specifically:
> 
> Since this is a pure python package, I think it makes sense to use:
> http://docs.python.org/lib/module-distutils.html
> 
> For one, it is the way people expect to work with a python library.
> The Makefile that is used is a little lacking:
>  * doesn't compile the .py files
>  * maintain a version number
>  * generate the .spec file
>  * have a dist (tarball) target
> 

I'm not a huge distutils fan. At the very least, the spec files it
produces are not usable as a basis for packages to be included in Fedora
(and likely other distributions), so we would end up maintaining those
by hand anyway.

> I suppose another option would be to use autotools but I don't think
> that makes sense for a pure python module.
> 

I'm open to autotooling everything - but I have no experience myself.

Karl



From ssorce at redhat.com  Thu Oct 11 15:49:18 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 11 Oct 2007 11:49:18 -0400
Subject: [Freeipa-devel] [PATCH] setup.py for freeipa-python
In-Reply-To: <1192116231.26928.35.camel@dhcp-64-223.iad.redhat.com>
References: <939dd5750710101440s1fffa8dat5e4c7058f4566f8d@mail.gmail.com>
	<470E248B.8050508@redhat.com>
	<939dd5750710110808k2e25af9bic607fd5649e30769@mail.gmail.com>
	<1192116231.26928.35.camel@dhcp-64-223.iad.redhat.com>
Message-ID: <1192117758.851.23.camel@localhost.localdomain>

On Thu, 2007-10-11 at 11:23 -0400, Karl MacMillan wrote:
> On Thu, 2007-10-11 at 11:08 -0400, William Jon McCann wrote:
> > Hi Rob,
> > 
> > On 10/11/07, Rob Crittenden <rcritten at redhat.com> wrote:
> > > William Jon McCann wrote:
> > > > Hi,
> > > >
> > > > Here is a patch that adds a setup.py for the freeipa-python package.
> > > >
> > > > This makes it easier to build tarballs, rpms, and do installs.  It can
> > > > even generate a spec file:
> > > > python setup.py bdist_rpm --spec
> > > >
> > > > Jon
> > > >
> > >
> > > I'm not familiar with the python distutils package, what does this buy
> > > us? We already generate tar.gz and rpm files.
> > 
> > Well, in my opinion, freeipa/Makefile really isn't a good build
> > system.  It has a number of problems:
> > 
> >  * It exists outside of the discrete packages
> >    If someone wants to build or package one of the individual modules
> > either from hg or from a tarball it isn't straighforward
> 
> Really? What doesn't work? The top-level makefile is supposed to just be
> a convenience for developers for building everything and making
> packages. And the individual tarballs get built whenever the src rpms
> are build.
> 
> >  * The version numbers of the individual packages isn't contained in the package
> 
> They are in the spec files - where else should they be?

spec file == rpm, if you just want the tar you don't get version numbers
== bad.

> >  * Does not seem to detect python versions or directories
> 
> It should - e.g.:
> 
> PYTHONLIBDIR ?= $(shell  python -c "from distutils.sysconfig import *;
> print get_python_lib()")
> 
> >  * Does not have a mechanism for specifying files to include/exclude
> > from distribution
> > 
> 
> What would that be used for?

For example stuff used for testing, you don't want unit tests in the
shipping code imo.

> > The Makefiles in the individual sudirectories have their own problems.
> >  It is probably sufficient for making the official tarballs and rpms
> > for the project but it is very inconvenient for an external
> > developer/packager to use.
> > 
> > I would like to improve the overall system.  Since the subdirectories
> > are packaged and installed separately I think it makes sense for each
> > to be self-contained.  This makes it way easier to work with, hack on,
> > and test each package individually.
> > 
> 
> I'm having trouble understanding exactly what problems you are
> encountering. I'm definitely open to improving the build system - it is
> currently just the easiest possible thing we could do, so it has many
> shortcomings. However, understanding what you are looking for would help
> choose the right direction for the changes.

Personally I think pure python stuff should just use setup.py, as that
the default mechanism for delivering/building python packages, so I
think Jon is right here.

> > Looking at ipa-python specifically:
> > 
> > Since this is a pure python package, I think it makes sense to use:
> > http://docs.python.org/lib/module-distutils.html
> > 
> > For one, it is the way people expect to work with a python library.
> > The Makefile that is used is a little lacking:
> >  * doesn't compile the .py files
> >  * maintain a version number
> >  * generate the .spec file
> >  * have a dist (tarball) target
> > 
> 
> I'm not a huge distutils fan. At the very least, the spec files it
> produces are not usable as a basis for packages to be included in Fedora
> (and likely other distributions), so we would end up maintaining those
> by hand anyway.

Uhmm is this the case for all python packages in Fedora?
Anyway while the project matures we will have request to have it
installable on other systems too so it seem like we may end up with more
"packaging cruft" anyway

> > I suppose another option would be to use autotools but I don't think
> > that makes sense for a pure python module.
> > 
> 
> I'm open to autotooling everything - but I have no experience myself.

I'd like to start use autoconf/automake it makes it a lot easier to
check the build environment has all is needed in the long term it will
be absolutely needed.

Simo.



From mccann at jhu.edu  Thu Oct 11 16:10:26 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Thu, 11 Oct 2007 12:10:26 -0400
Subject: [Freeipa-devel] [PATCH] setup.py for freeipa-python
In-Reply-To: <1192116231.26928.35.camel@dhcp-64-223.iad.redhat.com>
References: <939dd5750710101440s1fffa8dat5e4c7058f4566f8d@mail.gmail.com>
	<470E248B.8050508@redhat.com>
	<939dd5750710110808k2e25af9bic607fd5649e30769@mail.gmail.com>
	<1192116231.26928.35.camel@dhcp-64-223.iad.redhat.com>
Message-ID: <939dd5750710110910o50e67cb6t820aaf2e468feddd@mail.gmail.com>

Hi Karl,

On 10/11/07, Karl MacMillan <kmacmill at redhat.com> wrote:
> On Thu, 2007-10-11 at 11:08 -0400, William Jon McCann wrote:
> > Hi Rob,
> >
> > On 10/11/07, Rob Crittenden <rcritten at redhat.com> wrote:
> > > William Jon McCann wrote:
> > > > Hi,
> > > >
> > > > Here is a patch that adds a setup.py for the freeipa-python package.
> > > >
> > > > This makes it easier to build tarballs, rpms, and do installs.  It can
> > > > even generate a spec file:
> > > > python setup.py bdist_rpm --spec
> > > >
> > > > Jon
> > > >
> > >
> > > I'm not familiar with the python distutils package, what does this buy
> > > us? We already generate tar.gz and rpm files.
> >
> > Well, in my opinion, freeipa/Makefile really isn't a good build
> > system.  It has a number of problems:
> >
> >  * It exists outside of the discrete packages
> >    If someone wants to build or package one of the individual modules
> > either from hg or from a tarball it isn't straighforward
>
> Really? What doesn't work? The top-level makefile is supposed to just be
> a convenience for developers for building everything and making
> packages. And the individual tarballs get built whenever the src rpms
> are build.

Which is certainly not typical.  It doesn't work for at least the
following situations:
 * I want to make a tarball for ipa-python
 * I don't have RPM
 * I don't want RPM only SRPM
 * Want to compile .py files
 * etc, etc

> >  * The version numbers of the individual packages isn't contained in the package
>
> They are in the spec files - where else should they be?

In the build system or in the code.  Specifically not just in the
distribution metadata.

In the case for python modules, in the setup.py or in a config file.
In the case for autotools, in the configure.ac.

> >  * It is too heavily biased toward RPM production and not extensible
>
> Well - the lower-level makefiles are just plain makefiles. Again, the
> top-level is more just a convenience for developers - i.e. me :).

Right.  I think we can make both better.  We can make each standalone
system better and have a smarter way to pull them all together - for
those who need to build them all at once (probably only you :) )

> >  * The dist target builds RPMs and SRPMs
>
> what should it build?

It depends, of course, on the platform.  In the typical autotools
setup it will build tar.gz or tar.bz2.  With distutils you can build
these too or RPMS, SRPMS, and is extensible...

http://docs.python.org/dist/source-dist.html
http://docs.python.org/dist/built-dist.html
http://docs.python.org/dist/node33.html


> >  * Does not seem to detect python versions or directories
>
> It should - e.g.:
>
> PYTHONLIBDIR ?= $(shell  python -c "from distutils.sysconfig import *;
> print get_python_lib()")

Not in the toplevel it doesn't.  And even for ipa-python setup.py does
it way better.  Take a look.

> >  * Does not have a mechanism for specifying files to include/exclude
> > from distribution
> >
>
> What would that be used for?

That is used all the time in other build systems.

 * Exclude SCM metadata
 * Exclude built sources
 * Exclude temporary files
 * Exclude generated files
 * Exclude backup files
 * Allow for a "distcheck" target to be possible
 * etc

> > The Makefiles in the individual sudirectories have their own problems.
> >  It is probably sufficient for making the official tarballs and rpms
> > for the project but it is very inconvenient for an external
> > developer/packager to use.
> >
> > I would like to improve the overall system.  Since the subdirectories
> > are packaged and installed separately I think it makes sense for each
> > to be self-contained.  This makes it way easier to work with, hack on,
> > and test each package individually.
> >
>
> I'm having trouble understanding exactly what problems you are
> encountering. I'm definitely open to improving the build system - it is
> currently just the easiest possible thing we could do, so it has many
> shortcomings. However, understanding what you are looking for would help
> choose the right direction for the changes.

Sure, no problem.  I should be able to pull ipa-python from hg, hack
it, install it to a directory of my choice, build a tar.bz2, generate
a .spec.

> > Looking at ipa-python specifically:
> >
> > Since this is a pure python package, I think it makes sense to use:
> > http://docs.python.org/lib/module-distutils.html
> >
> > For one, it is the way people expect to work with a python library.
> > The Makefile that is used is a little lacking:
> >  * doesn't compile the .py files
> >  * maintain a version number
> >  * generate the .spec file
> >  * have a dist (tarball) target
> >
>
> I'm not a huge distutils fan. At the very least, the spec files it
> produces are not usable as a basis for packages to be included in Fedora
> (and likely other distributions), so we would end up maintaining those
> by hand anyway.

Oh.  Well very few packages actually maintain the distribution
specific metadata in their SCM.  The fact that you are is really an
artifact of being a Red Hat sponsored project.  Fortunately, I'm a
RHEL customer but I think that there is a real advantage to IPA
becoming a true "upstream" project.

> > I suppose another option would be to use autotools but I don't think
> > that makes sense for a pure python module.
> >
>
> I'm open to autotooling everything - but I have no experience myself.

For the stuff with C code it is probably more natural than distutils
anyway.  If this is the direction you'd like to go I'll give it a
shot.

Jon



From ssorce at redhat.com  Thu Oct 11 16:17:23 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 11 Oct 2007 12:17:23 -0400
Subject: [Freeipa-devel] [PATCH] setup.py for freeipa-python
In-Reply-To: <939dd5750710110910o50e67cb6t820aaf2e468feddd@mail.gmail.com>
References: <939dd5750710101440s1fffa8dat5e4c7058f4566f8d@mail.gmail.com>
	<470E248B.8050508@redhat.com>
	<939dd5750710110808k2e25af9bic607fd5649e30769@mail.gmail.com>
	<1192116231.26928.35.camel@dhcp-64-223.iad.redhat.com>
	<939dd5750710110910o50e67cb6t820aaf2e468feddd@mail.gmail.com>
Message-ID: <1192119443.851.30.camel@localhost.localdomain>

On Thu, 2007-10-11 at 12:10 -0400, William Jon McCann wrote:
> 
> For the stuff with C code it is probably more natural than distutils
> anyway.  If this is the direction you'd like to go I'll give it a
> shot.

If you can help with this, it will be great.

I agree with you on the other points of this email.

Simo.



From kmccarth at redhat.com  Thu Oct 11 16:44:37 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 11 Oct 2007 09:44:37 -0700
Subject: [Freeipa-devel] [PATCH] quick get_entry refactor
Message-ID: <20071011164437.GA13334@moon.usersys.redhat.com>

The current get_entry_by_dn() call doesn't work on non-leaf entries.
The underlying __get_entry() call always uses scope of SUB.  I'm not
sure what the best API is for this, but attached is a quick fix,
separating the calls into get_base_entry() and get_sub_entry().

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192121308 25200
# Node ID ce81fbca3e7d9955b9e81392f5229a4796d3a98c
# Parent  2a013fa18a148583163b9e86122de722d8b5dc43
Refactor the __get_entry into __get_base_entry and __get_sub_entry().
The API needs to be thought about, but this is a quick fix w/minimal impact
to allow get_entry_by_dn do work on non-leaf entries.

diff -r 2a013fa18a14 -r ce81fbca3e7d ipa-server/xmlrpc-server/funcs.py
--- a/ipa-server/xmlrpc-server/funcs.py	Thu Oct 11 07:54:33 2007 -0700
+++ b/ipa-server/xmlrpc-server/funcs.py	Thu Oct 11 09:48:28 2007 -0700
@@ -235,19 +235,39 @@ class IPAServer:
                     entry[key] = value[0]
         return entry
 
-    def __get_entry (self, base, filter, sattrs=None, opts=None):
-        """Get a specific entry. Return as a dict of values.
+    # TODO: rethink the get_entry vs get_list API calls.
+    #       they currently restrict the data coming back without
+    #       restricting scope.  For now adding a __get_base/sub_entry()
+    #       calls, but the API isn't great.
+    def __get_entry (self, base, scope, filter, sattrs=None, opts=None):
+        """Get a specific entry (with a parametized scope).
+           Return as a dict of values.
            Multi-valued fields are represented as lists.
         """
         ent=""
 
         conn = self.getConnection(opts)
         try:
-            ent = conn.getEntry(base, self.scope, filter, sattrs)
-        finally:
-            self.releaseConnection(conn)
-    
+            ent = conn.getEntry(base, scope, filter, sattrs)
+
+        finally:
+            self.releaseConnection(conn)
+
         return self.convert_entry(ent)
+
+    def __get_base_entry (self, base, filter, sattrs=None, opts=None):
+        """Get a specific entry (with a scope of BASE).
+           Return as a dict of values.
+           Multi-valued fields are represented as lists.
+        """
+        return self.__get_entry(base, ldap.SCOPE_BASE, filter, sattrs, opts)
+
+    def __get_sub_entry (self, base, filter, sattrs=None, opts=None):
+        """Get a specific entry (with a scope of SUB).
+           Return as a dict of values.
+           Multi-valued fields are represented as lists.
+        """
+        return self.__get_entry(base, ldap.SCOPE_SUB, filter, sattrs, opts)
 
     def __get_list (self, base, filter, sattrs=None, opts=None):
         """Gets a list of entries. Each is converted to a dict of values.
@@ -332,7 +352,7 @@ class IPAServer:
         """
 
         filter = "(objectClass=*)"
-        return self.__get_entry(dn, filter, sattrs, opts)
+        return self.__get_base_entry(dn, filter, sattrs, opts)
 
     def get_entry_by_cn (self, cn, sattrs=None, opts=None):
         """Get a specific entry by cn. Return as a dict of values.
@@ -341,7 +361,7 @@ class IPAServer:
 
         cn = self.__safe_filter(cn)
         filter = "(cn=" + cn + ")"
-        return self.__get_entry(self.basedn, filter, sattrs, opts)
+        return self.__get_sub_entry(self.basedn, filter, sattrs, opts)
 
 # User support
 
@@ -351,7 +371,7 @@ class IPAServer:
         filter = "(&(uid=%s)(objectclass=posixAccount))" % uid
  
         try:
-            entry = self.__get_entry(self.basedn, filter, ['dn','uid'], opts)
+            entry = self.__get_sub_entry(self.basedn, filter, ['dn','uid'], opts)
             return 0
         except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
             return 1
@@ -363,7 +383,7 @@ class IPAServer:
 
         uid = self.__safe_filter(uid)
         filter = "(uid=" + uid + ")"
-        return self.__get_entry(self.basedn, filter, sattrs, opts)
+        return self.__get_sub_entry(self.basedn, filter, sattrs, opts)
 
     def get_user_by_principal(self, principal, sattrs=None, opts=None):
         """Get a user entry searching by Kerberos Principal Name.
@@ -372,7 +392,7 @@ class IPAServer:
         """
 
         filter = "(krbPrincipalName="+self.__safe_filter(principal)+")"
-        return self.__get_entry(self.basedn, filter, sattrs, opts)
+        return self.__get_sub_entry(self.basedn, filter, sattrs, opts)
     
     def get_users_by_manager (self, manager_dn, sattrs=None, opts=None):
         """Gets the users that report to a particular manager.
@@ -655,7 +675,7 @@ class IPAServer:
         filter = "(&(cn=%s)(objectclass=posixGroup))" % cn
  
         try:
-            entry = self.__get_entry(self.basedn, filter, ['dn','cn'], opts)
+            entry = self.__get_sub_entry(self.basedn, filter, ['dn','cn'], opts)
             return 0
         except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
             return 1
@@ -787,7 +807,7 @@ class IPAServer:
         new_group = copy.deepcopy(old_group)
 
         # check to make sure member_dn exists
-        member_entry = self.__get_entry(member_dn, "(objectClass=*)", ['dn','uid'], opts)
+        member_entry = self.__get_base_entry(member_dn, "(objectClass=*)", ['dn','uid'], opts)
 
         if new_group.get('uniquemember') is not None:
             if ((isinstance(new_group.get('uniquemember'), str)) or (isinstance(new_group.get('uniquemember'), unicode))):
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/f1ff28bb/attachment.bin>

From kmccarth at redhat.com  Thu Oct 11 17:06:54 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 11 Oct 2007 10:06:54 -0700
Subject: [Freeipa-devel] [PATCH] quick get_entry refactor
In-Reply-To: <20071011164437.GA13334@moon.usersys.redhat.com>
References: <20071011164437.GA13334@moon.usersys.redhat.com>
Message-ID: <20071011170653.GB13334@moon.usersys.redhat.com>

Kevin McCarthy wrote:
> The current get_entry_by_dn() call doesn't work on non-leaf entries.
> The underlying __get_entry() call always uses scope of SUB.  I'm not
> sure what the best API is for this, but attached is a quick fix,
> separating the calls into get_base_entry() and get_sub_entry().

Sorry, I blew it with this patch.  I'll post a fixed one shortly.

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/f309d682/attachment.bin>

From kmccarth at redhat.com  Thu Oct 11 17:12:38 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 11 Oct 2007 10:12:38 -0700
Subject: [Freeipa-devel] [PATCH] quick get_entry refactor
In-Reply-To: <20071011170653.GB13334@moon.usersys.redhat.com>
References: <20071011164437.GA13334@moon.usersys.redhat.com>
	<20071011170653.GB13334@moon.usersys.redhat.com>
Message-ID: <20071011171237.GC13334@moon.usersys.redhat.com>

Kevin McCarthy wrote:
> Kevin McCarthy wrote:
> > The current get_entry_by_dn() call doesn't work on non-leaf entries.
> > The underlying __get_entry() call always uses scope of SUB.  I'm not
> > sure what the best API is for this, but attached is a quick fix,
> > separating the calls into get_base_entry() and get_sub_entry().
> 
> Sorry, I blew it with this patch.  I'll post a fixed one shortly.

Revised patch attached.

-Kevin
-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192122603 25200
# Node ID 358668cd31b287061d27b3044f3a99f36c749056
# Parent  2a013fa18a148583163b9e86122de722d8b5dc43
Refactor the __get_entry into __get_base_entry and __get_sub_entry().
The API needs to be thought about, but this is a quick fix w/minimal impact
to allow get_entry_by_dn do work on non-leaf entries.

diff -r 2a013fa18a14 -r 358668cd31b2 ipa-server/xmlrpc-server/funcs.py
--- a/ipa-server/xmlrpc-server/funcs.py	Thu Oct 11 07:54:33 2007 -0700
+++ b/ipa-server/xmlrpc-server/funcs.py	Thu Oct 11 10:10:03 2007 -0700
@@ -235,19 +235,39 @@ class IPAServer:
                     entry[key] = value[0]
         return entry
 
-    def __get_entry (self, base, filter, sattrs=None, opts=None):
-        """Get a specific entry. Return as a dict of values.
+    # TODO: rethink the get_entry vs get_list API calls.
+    #       they currently restrict the data coming back without
+    #       restricting scope.  For now adding a __get_base/sub_entry()
+    #       calls, but the API isn't great.
+    def __get_entry (self, base, scope, filter, sattrs=None, opts=None):
+        """Get a specific entry (with a parametized scope).
+           Return as a dict of values.
            Multi-valued fields are represented as lists.
         """
         ent=""
 
         conn = self.getConnection(opts)
         try:
-            ent = conn.getEntry(base, self.scope, filter, sattrs)
-        finally:
-            self.releaseConnection(conn)
-    
+            ent = conn.getEntry(base, scope, filter, sattrs)
+
+        finally:
+            self.releaseConnection(conn)
+
         return self.convert_entry(ent)
+
+    def __get_base_entry (self, base, filter, sattrs=None, opts=None):
+        """Get a specific entry (with a scope of BASE).
+           Return as a dict of values.
+           Multi-valued fields are represented as lists.
+        """
+        return self.__get_entry(base, ldap.SCOPE_BASE, filter, sattrs, opts)
+
+    def __get_sub_entry (self, base, filter, sattrs=None, opts=None):
+        """Get a specific entry (with a scope of SUB).
+           Return as a dict of values.
+           Multi-valued fields are represented as lists.
+        """
+        return self.__get_entry(base, ldap.SCOPE_SUBTREE, filter, sattrs, opts)
 
     def __get_list (self, base, filter, sattrs=None, opts=None):
         """Gets a list of entries. Each is converted to a dict of values.
@@ -332,7 +352,7 @@ class IPAServer:
         """
 
         filter = "(objectClass=*)"
-        return self.__get_entry(dn, filter, sattrs, opts)
+        return self.__get_base_entry(dn, filter, sattrs, opts)
 
     def get_entry_by_cn (self, cn, sattrs=None, opts=None):
         """Get a specific entry by cn. Return as a dict of values.
@@ -341,7 +361,7 @@ class IPAServer:
 
         cn = self.__safe_filter(cn)
         filter = "(cn=" + cn + ")"
-        return self.__get_entry(self.basedn, filter, sattrs, opts)
+        return self.__get_sub_entry(self.basedn, filter, sattrs, opts)
 
 # User support
 
@@ -351,7 +371,7 @@ class IPAServer:
         filter = "(&(uid=%s)(objectclass=posixAccount))" % uid
  
         try:
-            entry = self.__get_entry(self.basedn, filter, ['dn','uid'], opts)
+            entry = self.__get_sub_entry(self.basedn, filter, ['dn','uid'], opts)
             return 0
         except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
             return 1
@@ -363,7 +383,7 @@ class IPAServer:
 
         uid = self.__safe_filter(uid)
         filter = "(uid=" + uid + ")"
-        return self.__get_entry(self.basedn, filter, sattrs, opts)
+        return self.__get_sub_entry(self.basedn, filter, sattrs, opts)
 
     def get_user_by_principal(self, principal, sattrs=None, opts=None):
         """Get a user entry searching by Kerberos Principal Name.
@@ -372,7 +392,7 @@ class IPAServer:
         """
 
         filter = "(krbPrincipalName="+self.__safe_filter(principal)+")"
-        return self.__get_entry(self.basedn, filter, sattrs, opts)
+        return self.__get_sub_entry(self.basedn, filter, sattrs, opts)
     
     def get_users_by_manager (self, manager_dn, sattrs=None, opts=None):
         """Gets the users that report to a particular manager.
@@ -655,7 +675,7 @@ class IPAServer:
         filter = "(&(cn=%s)(objectclass=posixGroup))" % cn
  
         try:
-            entry = self.__get_entry(self.basedn, filter, ['dn','cn'], opts)
+            entry = self.__get_sub_entry(self.basedn, filter, ['dn','cn'], opts)
             return 0
         except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
             return 1
@@ -787,7 +807,7 @@ class IPAServer:
         new_group = copy.deepcopy(old_group)
 
         # check to make sure member_dn exists
-        member_entry = self.__get_entry(member_dn, "(objectClass=*)", ['dn','uid'], opts)
+        member_entry = self.__get_base_entry(member_dn, "(objectClass=*)", ['dn','uid'], opts)
 
         if new_group.get('uniquemember') is not None:
             if ((isinstance(new_group.get('uniquemember'), str)) or (isinstance(new_group.get('uniquemember'), unicode))):
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/07e13a10/attachment.bin>

From kmacmill at redhat.com  Thu Oct 11 17:19:22 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 11 Oct 2007 13:19:22 -0400
Subject: [Freeipa-devel] Func and kerberos
Message-ID: <1192123162.26928.81.camel@dhcp-64-223.iad.redhat.com>

So func looks interesting and I wanted to ask a few questions about
potential integration w/ LDAP and kerberos (and freeipa.org).

* Any chance you would be interested in supporting kerberos in addition
to certificates? The main advantage here is that you would be able to
authenticate specific users or services on other systems more easily.

* For later versions of freeipa we plan to do machine identity. With
that you would have a list of machines stored in ldap, groupings of
those machines, and already have certs / kerberos principals to identify
those machines. It would also enable you to obtain additional certs /
principals for the func service securely.

Speaking of which, it looks like you currently have clients
automatically obtain certificates from the master server without
authenticating the master server in any way. This seems like a security
hole. Basically - if a rogue master server can spoof the master on the
network (which would be easy) I can intercept registration requests,
issue a cert, and fully control all of the other systems. It could even
communicate with the real master and become a man-in-the-middle.

There are a number of solutions to this, obviously, but freeipa will
hopefully provide some in the future.

* Another security concern - is the funcd on the clients trusted to
perform all of the actions? This will make it a huge target for attacks.
Could you instead exec helper applications? This would also allow you to
run the helper applications with lower privileges - either in an
specific selinux context, have it drop some capabilities before exec of
the script, or even as an unprivileged user.

Karl



From ssorce at redhat.com  Thu Oct 11 17:26:11 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 11 Oct 2007 13:26:11 -0400
Subject: [Freeipa-devel] [PATCH] quick get_entry refactor
In-Reply-To: <20071011171237.GC13334@moon.usersys.redhat.com>
References: <20071011164437.GA13334@moon.usersys.redhat.com>
	<20071011170653.GB13334@moon.usersys.redhat.com>
	<20071011171237.GC13334@moon.usersys.redhat.com>
Message-ID: <1192123571.851.42.camel@localhost.localdomain>

On Thu, 2007-10-11 at 10:12 -0700, Kevin McCarthy wrote:
> Kevin McCarthy wrote:
> > Kevin McCarthy wrote:
> > > The current get_entry_by_dn() call doesn't work on non-leaf
> entries.
> > > The underlying __get_entry() call always uses scope of SUB.  I'm
> not
> > > sure what the best API is for this, but attached is a quick fix,
> > > separating the calls into get_base_entry() and get_sub_entry().
> > 
> > Sorry, I blew it with this patch.  I'll post a fixed one shortly.
> 
> Revised patch attached.

Looks good please push.

P.S: to be absolutely complete you should provide a function to perform
one level scoped searches, but if we never use that nevermind :-)



From kmccarth at redhat.com  Thu Oct 11 17:31:47 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 11 Oct 2007 10:31:47 -0700
Subject: [Freeipa-devel] [PATCH] quick get_entry refactor
In-Reply-To: <1192123571.851.42.camel@localhost.localdomain>
References: <20071011164437.GA13334@moon.usersys.redhat.com>
	<20071011170653.GB13334@moon.usersys.redhat.com>
	<20071011171237.GC13334@moon.usersys.redhat.com>
	<1192123571.851.42.camel@localhost.localdomain>
Message-ID: <20071011173146.GD13334@moon.usersys.redhat.com>

Simo Sorce wrote:
> On Thu, 2007-10-11 at 10:12 -0700, Kevin McCarthy wrote:
> > Kevin McCarthy wrote:
> > > Kevin McCarthy wrote:
> > > > The current get_entry_by_dn() call doesn't work on non-leaf
> > entries.
> > > > The underlying __get_entry() call always uses scope of SUB.  I'm
> > not
> > > > sure what the best API is for this, but attached is a quick fix,
> > > > separating the calls into get_base_entry() and get_sub_entry().
> > > 
> > > Sorry, I blew it with this patch.  I'll post a fixed one shortly.
> > 
> > Revised patch attached.
> 
> Looks good please push.
> 
> P.S: to be absolutely complete you should provide a function to perform
> one level scoped searches, but if we never use that nevermind :-)

Thanks, Simo, pushed.  (so far, we don't have any scope_one searches, so
I'll leave that one out for now :-) )

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/c7ade878/attachment.bin>

From kmacmill at redhat.com  Thu Oct 11 17:54:26 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 11 Oct 2007 13:54:26 -0400
Subject: [Freeipa-devel] [PATCH] simple aci parser
In-Reply-To: <20071009204948.GH23078@moon.usersys.redhat.com>
References: <20071009204948.GH23078@moon.usersys.redhat.com>
Message-ID: <1192125266.26928.93.camel@dhcp-64-223.iad.redhat.com>

On Tue, 2007-10-09 at 13:49 -0700, Kevin McCarthy wrote:
> This is a simple ACI parser.  It will be used to parse out the relevant
> entries for the delegation gui.  Don't worry, that gui will _ignore_
> entries it doesn't understand.  This parser will only recognize entries
> the gui creates, so it's not very forgiving of any deviation.
> 

+#! /usr/bin/python -E

This is not needed (these have been sneaking in - we should likely
remove them).

Is ipa-python the right place for this? Will it ever be used client
side?

Otherwise looks good.

Karl



From kmccarth at redhat.com  Thu Oct 11 18:03:44 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 11 Oct 2007 11:03:44 -0700
Subject: [Freeipa-devel] [PATCH] simple aci parser
In-Reply-To: <1192125266.26928.93.camel@dhcp-64-223.iad.redhat.com>
References: <20071009204948.GH23078@moon.usersys.redhat.com>
	<1192125266.26928.93.camel@dhcp-64-223.iad.redhat.com>
Message-ID: <20071011180343.GE13334@moon.usersys.redhat.com>

Karl MacMillan wrote:
> On Tue, 2007-10-09 at 13:49 -0700, Kevin McCarthy wrote:
> > This is a simple ACI parser.  It will be used to parse out the relevant
> > entries for the delegation gui.  Don't worry, that gui will _ignore_
> > entries it doesn't understand.  This parser will only recognize entries
> > the gui creates, so it's not very forgiving of any deviation.
> > 
> 
> +#! /usr/bin/python -E
> 
> This is not needed (these have been sneaking in - we should likely
> remove them).

Will remove.

> Is ipa-python the right place for this? Will it ever be used client
> side?

Yeah, I debated its usefulness for everyone.  But decided it might be,
so erred on the side of sharing.

If not, I suppose I can find someplace to put it under webgui.

Anyone else feel strongly?

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/e6f051a9/attachment.bin>

From gdk at redhat.com  Thu Oct 11 18:10:57 2007
From: gdk at redhat.com (Greg DeKoenigsberg)
Date: Thu, 11 Oct 2007 14:10:57 -0400 (EDT)
Subject: [Freeipa-devel] Re: [Func-list] Func and kerberos
In-Reply-To: <1192123162.26928.81.camel@dhcp-64-223.iad.redhat.com>
References: <1192123162.26928.81.camel@dhcp-64-223.iad.redhat.com>
Message-ID: <Pine.LNX.4.64.0710111405080.32315@dhcp243-160.rdu.redhat.com>


Some comments inline:

On Thu, 11 Oct 2007, Karl MacMillan wrote:

> So func looks interesting and I wanted to ask a few questions about
> potential integration w/ LDAP and kerberos (and freeipa.org).
>
> * Any chance you would be interested in supporting kerberos in addition
> to certificates? The main advantage here is that you would be able to
> authenticate specific users or services on other systems more easily.

Sounds useful.

> * For later versions of freeipa we plan to do machine identity. With
> that you would have a list of machines stored in ldap, groupings of
> those machines, and already have certs / kerberos principals to identify
> those machines. It would also enable you to obtain additional certs /
> principals for the func service securely.

Should be pretty trivial to just use a different cert.  In theory, a cert 
is a cert is a cert; if the server can say "hello, do you trust me?" and 
the client can say "yes, I'm listening," func doesn't care what that 
mechanism is.

> Speaking of which, it looks like you currently have clients
> automatically obtain certificates from the master server without
> authenticating the master server in any way. This seems like a security
> hole. Basically - if a rogue master server can spoof the master on the
> network (which would be easy) I can intercept registration requests,
> issue a cert, and fully control all of the other systems. It could even
> communicate with the real master and become a man-in-the-middle.

Yep.  The question *very quickly* becomes, "is func useful enough in the 
general case to even bother solving that problem?"  Which, I think, is the 
*first* question to figure out.  Until we know that func is a viable 
codebase and something that people will rally to and use, overdeveloping 
the security model isn't useful.

Of course, the minute that people decide that func *is* useful, then the 
security model becomes *extremely* important, and there's nothing 
fundamental to the func design that precludes this work later, AIUI.

> * Another security concern - is the funcd on the clients trusted to
> perform all of the actions? This will make it a huge target for attacks.
> Could you instead exec helper applications? This would also allow you to
> run the helper applications with lower privileges - either in an
> specific selinux context, have it drop some capabilities before exec of
> the script, or even as an unprivileged user.

Again: first let's validate that people find func (a) useful and (b) 
something they would want to extend with a community of modules.  *Then* 
worry about things like "helper scripts with dropped privs."  I think 
everyone's pretty well aware that, to start, func is nothing but a big ol' 
rootkit.  *For now*, that's perfectly okay.

--g

-- 
Greg DeKoenigsberg
Community Development Manager
Red Hat, Inc. :: 1-919-754-4255
"To whomsoever much hath been given...
...from him much shall be asked"



From ssorce at redhat.com  Thu Oct 11 18:13:00 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 11 Oct 2007 14:13:00 -0400
Subject: [Freeipa-devel] [PATCH] simple aci parser
In-Reply-To: <20071011180343.GE13334@moon.usersys.redhat.com>
References: <20071009204948.GH23078@moon.usersys.redhat.com>
	<1192125266.26928.93.camel@dhcp-64-223.iad.redhat.com>
	<20071011180343.GE13334@moon.usersys.redhat.com>
Message-ID: <1192126380.851.59.camel@localhost.localdomain>

On Thu, 2007-10-11 at 11:03 -0700, Kevin McCarthy wrote:
> Karl MacMillan wrote:
> > On Tue, 2007-10-09 at 13:49 -0700, Kevin McCarthy wrote:
> > > This is a simple ACI parser.  It will be used to parse out the relevant
> > > entries for the delegation gui.  Don't worry, that gui will _ignore_
> > > entries it doesn't understand.  This parser will only recognize entries
> > > the gui creates, so it's not very forgiving of any deviation.
> > > 
> > 
> > +#! /usr/bin/python -E
> > 
> > This is not needed (these have been sneaking in - we should likely
> > remove them).
> 
> Will remove.
> 
> > Is ipa-python the right place for this? Will it ever be used client
> > side?
> 
> Yeah, I debated its usefulness for everyone.  But decided it might be,
> so erred on the side of sharing.
> 
> If not, I suppose I can find someplace to put it under webgui.
> 
> Anyone else feel strongly?

No, but keep in under ipa-python for now, unless it implies technical
problems is better to err on the sharing side.

Simo.



From kmccarth at redhat.com  Thu Oct 11 18:21:05 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 11 Oct 2007 11:21:05 -0700
Subject: [Freeipa-devel] [PATCH] simple aci parser
In-Reply-To: <1192126380.851.59.camel@localhost.localdomain>
References: <20071009204948.GH23078@moon.usersys.redhat.com>
	<1192125266.26928.93.camel@dhcp-64-223.iad.redhat.com>
	<20071011180343.GE13334@moon.usersys.redhat.com>
	<1192126380.851.59.camel@localhost.localdomain>
Message-ID: <20071011182104.GF13334@moon.usersys.redhat.com>

Simo Sorce wrote:
> On Thu, 2007-10-11 at 11:03 -0700, Kevin McCarthy wrote:
> > Karl MacMillan wrote:
> > > On Tue, 2007-10-09 at 13:49 -0700, Kevin McCarthy wrote:
> > > > This is a simple ACI parser.  It will be used to parse out the relevant
> > > > entries for the delegation gui.  Don't worry, that gui will _ignore_
> > > > entries it doesn't understand.  This parser will only recognize entries
> > > > the gui creates, so it's not very forgiving of any deviation.
> > > > 
> > > 
> > > +#! /usr/bin/python -E
> > > 
> > > This is not needed (these have been sneaking in - we should likely
> > > remove them).
> > 
> > Will remove.
> > 
> > > Is ipa-python the right place for this? Will it ever be used client
> > > side?
> > 
> > Yeah, I debated its usefulness for everyone.  But decided it might be,
> > so erred on the side of sharing.
> > 
> > If not, I suppose I can find someplace to put it under webgui.
> > 
> > Anyone else feel strongly?
> 
> No, but keep in under ipa-python for now, unless it implies technical
> problems is better to err on the sharing side.

Okay, removed #! and pushed.

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/4cfe5e13/attachment.bin>

From prowley at redhat.com  Thu Oct 11 18:22:41 2007
From: prowley at redhat.com (Pete Rowley)
Date: Thu, 11 Oct 2007 11:22:41 -0700
Subject: [Freeipa-devel] [PATCH] enable memberof plugin
In-Reply-To: <470E23F1.4050106@redhat.com>
References: <470D60AF.3040300@redhat.com> <470E23F1.4050106@redhat.com>
Message-ID: <470E69F1.6050309@redhat.com>

Do the entries have the inetuser objectclass?  That allows memberof.  
Also only new additionsto groups will show up, you'll need to create a 
DS task entry to get existing members to have their memberof attribute 
populated (an example is at the top of memberof.c).


Rob Crittenden wrote:
> Pete Rowley wrote:
>> this time, with a patch attached :)
>>
>
> I applied this ldif to my server but memberof still returns nothing:
>
> ldapsearch -Y GSSAPI -b "dc=freeipa,dc=org" 
> "memberOf=cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org" cn
> SASL/GSSAPI authentication started
> SASL username: rcrit at FREEIPA.ORG
> SASL SSF: 56
> SASL installing layers
> # extended LDIF
> #
> # LDAPv3
> # base <dc=freeipa,dc=org> with scope subtree
> # filter: memberOf=cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org
> # requesting: cn
> #
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 1
>
> There are members:
>
> ldapsearch -Y GSSAPI -b "dc=freeipa,dc=org" cn=admins uniqueMember
>
> # admins, groups, accounts, freeipa.org
> dn: cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org
> uniqueMember: uid=admin,cn=sysaccounts,cn=etc,dc=freeipa,dc=org
> uniqueMember: uid=rcrit,cn=users,cn=accounts,dc=freeipa,dc=org
> uniqueMember: uid=test1,cn=users,cn=accounts,dc=freeipa,dc=org
> uniqueMember: uid=test2,cn=users,cn=accounts,dc=freeipa,dc=org


-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/10cd57b2/attachment.bin>

From kmacmill at redhat.com  Thu Oct 11 18:25:31 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 11 Oct 2007 14:25:31 -0400
Subject: [Freeipa-devel] Re: [Func-list] Func and kerberos
In-Reply-To: <Pine.LNX.4.64.0710111405080.32315@dhcp243-160.rdu.redhat.com>
References: <1192123162.26928.81.camel@dhcp-64-223.iad.redhat.com>
	<Pine.LNX.4.64.0710111405080.32315@dhcp243-160.rdu.redhat.com>
Message-ID: <1192127131.26928.121.camel@dhcp-64-223.iad.redhat.com>

On Thu, 2007-10-11 at 14:10 -0400, Greg DeKoenigsberg wrote:
> Some comments inline:

[...]

> 
> > * For later versions of freeipa we plan to do machine identity. With
> > that you would have a list of machines stored in ldap, groupings of
> > those machines, and already have certs / kerberos principals to identify
> > those machines. It would also enable you to obtain additional certs /
> > principals for the func service securely.
> 
> Should be pretty trivial to just use a different cert.  In theory, a cert 
> is a cert is a cert; if the server can say "hello, do you trust me?" and 
> the client can say "yes, I'm listening," func doesn't care what that 
> mechanism is.
> 

You might want to do kerberos instead of certs, though. Kerberos will
get you per-user auth easily while the cert model is going to be hard to
scale to per-user.

> > Speaking of which, it looks like you currently have clients
> > automatically obtain certificates from the master server without
> > authenticating the master server in any way. This seems like a security
> > hole. Basically - if a rogue master server can spoof the master on the
> > network (which would be easy) I can intercept registration requests,
> > issue a cert, and fully control all of the other systems. It could even
> > communicate with the real master and become a man-in-the-middle.
> 
> Yep.  The question *very quickly* becomes, "is func useful enough in the 
> general case to even bother solving that problem?"  Which, I think, is the 
> *first* question to figure out.  Until we know that func is a viable 
> codebase and something that people will rally to and use, overdeveloping 
> the security model isn't useful.
> 
> Of course, the minute that people decide that func *is* useful, then the 
> security model becomes *extremely* important, and there's nothing 
> fundamental to the func design that precludes this work later, AIUI.
> 
> > * Another security concern - is the funcd on the clients trusted to
> > perform all of the actions? This will make it a huge target for attacks.
> > Could you instead exec helper applications? This would also allow you to
> > run the helper applications with lower privileges - either in an
> > specific selinux context, have it drop some capabilities before exec of
> > the script, or even as an unprivileged user.
> 
> Again: first let's validate that people find func (a) useful and (b) 
> something they would want to extend with a community of modules.  *Then* 
> worry about things like "helper scripts with dropped privs."  I think 
> everyone's pretty well aware that, to start, func is nothing but a big ol' 
> rootkit.  *For now*, that's perfectly okay.

Ok - as long as you guys know that you will have to think about security
at some point :) I do think moving to separate helper processes early
will help you add better security in the future though.

Karl



From gdk at redhat.com  Thu Oct 11 18:47:46 2007
From: gdk at redhat.com (Greg DeKoenigsberg)
Date: Thu, 11 Oct 2007 14:47:46 -0400 (EDT)
Subject: [Freeipa-devel] Re: [Func-list] Func and kerberos
In-Reply-To: <1192127131.26928.121.camel@dhcp-64-223.iad.redhat.com>
References: <1192123162.26928.81.camel@dhcp-64-223.iad.redhat.com> 
	<Pine.LNX.4.64.0710111405080.32315@dhcp243-160.rdu.redhat.com>
	<1192127131.26928.121.camel@dhcp-64-223.iad.redhat.com>
Message-ID: <Pine.LNX.4.64.0710111446140.32315@dhcp243-160.rdu.redhat.com>

On Thu, 11 Oct 2007, Karl MacMillan wrote:

>> Should be pretty trivial to just use a different cert.  In theory, a cert
>> is a cert is a cert; if the server can say "hello, do you trust me?" and
>> the client can say "yes, I'm listening," func doesn't care what that
>> mechanism is.
>
> You might want to do kerberos instead of certs, though. Kerberos will
> get you per-user auth easily while the cert model is going to be hard to
> scale to per-user.

Instead of, rather than in addition to?  Is there a particular reason not 
to enable both?  Mandating krb will exclude some folks.

> Ok - as long as you guys know that you will have to think about security
> at some point :) I do think moving to separate helper processes early
> will help you add better security in the future though.

I think they're actively talking about this on #func right now.

--g

-- 
Greg DeKoenigsberg
Community Development Manager
Red Hat, Inc. :: 1-919-754-4255
"To whomsoever much hath been given...
...from him much shall be asked"



From kmacmill at redhat.com  Thu Oct 11 18:44:53 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 11 Oct 2007 14:44:53 -0400
Subject: [Freeipa-devel] Re: [Func-list] Func and kerberos
In-Reply-To: <Pine.LNX.4.64.0710111446140.32315@dhcp243-160.rdu.redhat.com>
References: <1192123162.26928.81.camel@dhcp-64-223.iad.redhat.com>
	<Pine.LNX.4.64.0710111405080.32315@dhcp243-160.rdu.redhat.com>
	<1192127131.26928.121.camel@dhcp-64-223.iad.redhat.com>
	<Pine.LNX.4.64.0710111446140.32315@dhcp243-160.rdu.redhat.com>
Message-ID: <1192128293.26928.132.camel@dhcp-64-223.iad.redhat.com>

On Thu, 2007-10-11 at 14:47 -0400, Greg DeKoenigsberg wrote:
> On Thu, 11 Oct 2007, Karl MacMillan wrote:
> 
> >> Should be pretty trivial to just use a different cert.  In theory, a cert
> >> is a cert is a cert; if the server can say "hello, do you trust me?" and
> >> the client can say "yes, I'm listening," func doesn't care what that
> >> mechanism is.
> >
> > You might want to do kerberos instead of certs, though. Kerberos will
> > get you per-user auth easily while the cert model is going to be hard to
> > scale to per-user.
> 
> Instead of, rather than in addition to?  Is there a particular reason not 
> to enable both?  Mandating krb will exclude some folks.
> 

I meant in addition to.

Karl



From gdk at redhat.com  Thu Oct 11 18:53:59 2007
From: gdk at redhat.com (Greg DeKoenigsberg)
Date: Thu, 11 Oct 2007 14:53:59 -0400 (EDT)
Subject: [Freeipa-devel] Re: [Func-list] Func and kerberos
In-Reply-To: <1192128293.26928.132.camel@dhcp-64-223.iad.redhat.com>
References: <1192123162.26928.81.camel@dhcp-64-223.iad.redhat.com> 
	<Pine.LNX.4.64.0710111405080.32315@dhcp243-160.rdu.redhat.com> 
	<1192127131.26928.121.camel@dhcp-64-223.iad.redhat.com> 
	<Pine.LNX.4.64.0710111446140.32315@dhcp243-160.rdu.redhat.com>
	<1192128293.26928.132.camel@dhcp-64-223.iad.redhat.com>
Message-ID: <Pine.LNX.4.64.0710111453440.32315@dhcp243-160.rdu.redhat.com>

On Thu, 11 Oct 2007, Karl MacMillan wrote:

>> Instead of, rather than in addition to?  Is there a particular reason not
>> to enable both?  Mandating krb will exclude some folks.
>
> I meant in addition to.

I agree there.  Patches welcome.  ;-)

--g

-- 
Greg DeKoenigsberg
Community Development Manager
Red Hat, Inc. :: 1-919-754-4255
"To whomsoever much hath been given...
...from him much shall be asked"



From kmccarth at redhat.com  Thu Oct 11 19:02:26 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 11 Oct 2007 12:02:26 -0700
Subject: [Freeipa-devel] [PATCH] add inetUser objectclass,
	remove test-users ldif
Message-ID: <20071011190226.GG13334@moon.usersys.redhat.com>

This patch adds the inetUser objectclass.  It also pulls out the
test-user ldif generation (instructions now say to use the command-line
tools for this).

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192129186 25200
# Node ID 7208e4f1fbc9401d2fa1970c0dc1a5034510be7f
# Parent  a4f77437f2965144308df0dd1e48f86240adf4f1
Add inetUser objectclass.  Remove test-users ldif.

diff -r a4f77437f296 -r 7208e4f1fbc9 ipa-server/ipa-install/test/test-users-template.ldif
--- a/ipa-server/ipa-install/test/test-users-template.ldif	Thu Oct 11 11:25:19 2007 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,22 +0,0 @@
-# test, users, default, $REALM
-dn: uid=test,cn=users,cn=accounts,$SUFFIX
-changetype: add
-uidNumber: 1003
-uid: test
-gecos: test
-homeDirectory: /home/test
-loginShell: /bin/bash
-gidNumber: 1002
-objectclass: krbPrincipalAux
-objectclass: inetOrgPerson
-objectClass: posixAccount
-objectClass: account
-objectClass: top
-cn: Test User
-sn: User
-krbPrincipalName: test@$REALM
-
-dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
-changetype: modify
-add: uniqueMember
-uniqueMember: uid=test,cn=users,cn=accounts,$SUFFIX
diff -r a4f77437f296 -r 7208e4f1fbc9 ipa-server/ipaserver/dsinstance.py
--- a/ipa-server/ipaserver/dsinstance.py	Thu Oct 11 11:25:19 2007 -0700
+++ b/ipa-server/ipaserver/dsinstance.py	Thu Oct 11 11:59:46 2007 -0700
@@ -97,7 +97,6 @@ class DsInstance:
             # TODO: roll back here?
             print "Failed to restart the ds instance"
         self.__add_default_layout()
-        self.__create_test_users()
 
     def config_dirname(self):
         if not self.serverid:
@@ -193,14 +192,6 @@ class DsInstance:
         except subprocess.CalledProcessError, e:
             print "Failed to add default ds layout", e
             logging.debug("Failed to add default ds layout %s" % e)
-        
-    def __create_test_users(self):
-        logging.debug("create test users ldif")
-        txt = template_file(SHARE_DIR + "test-users-template.ldif", self.sub_dict)
-        user_fd = open(SHARE_DIR+"test-users.ldif", "w")
-        user_fd.write(txt)
-        user_fd.close()
-        logging.debug("done creating test users ldif")
 
     def __certmap_conf(self):
         logging.debug("configuring certmap.conf for ds instance")
diff -r a4f77437f296 -r 7208e4f1fbc9 ipa-server/xmlrpc-server/funcs.py
--- a/ipa-server/xmlrpc-server/funcs.py	Thu Oct 11 11:25:19 2007 -0700
+++ b/ipa-server/xmlrpc-server/funcs.py	Thu Oct 11 11:59:46 2007 -0700
@@ -448,8 +448,9 @@ class IPAServer:
             del user['gn']
 
         # some required objectclasses
-        entry.setValues('objectClass', 'top', 'person', 'organizationalPerson', 'inetOrgPerson', 'posixAccount', 'krbPrincipalAux')
-    
+        entry.setValues('objectClass', 'top', 'person', 'organizationalPerson',
+                'inetOrgPerson', 'inetUser', 'posixAccount', 'krbPrincipalAux')
+
         # fill in our new entry with everything sent by the user
         for u in user:
             entry.setValues(u, user[u])
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/bf823530/attachment.bin>

From kmccarth at redhat.com  Thu Oct 11 19:21:19 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 11 Oct 2007 12:21:19 -0700
Subject: [Freeipa-devel] [PATCH] add inetUser objectclass, remove
	test-users ldif
In-Reply-To: <20071011190226.GG13334@moon.usersys.redhat.com>
References: <20071011190226.GG13334@moon.usersys.redhat.com>
Message-ID: <20071011192119.GH13334@moon.usersys.redhat.com>

Kevin McCarthy wrote:
> This patch adds the inetUser objectclass.  It also pulls out the
> test-user ldif generation (instructions now say to use the command-line
> tools for this).

Revised patch adding inetUser to groups too.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192130382 25200
# Node ID 6d5bbb4a6066cc37682506d33f9d5a5846ec666d
# Parent  a4f77437f2965144308df0dd1e48f86240adf4f1
Add inetUser objectclass.  Remove test-users ldif.

diff -r a4f77437f296 -r 6d5bbb4a6066 ipa-server/ipa-install/test/test-users-template.ldif
--- a/ipa-server/ipa-install/test/test-users-template.ldif	Thu Oct 11 11:25:19 2007 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,22 +0,0 @@
-# test, users, default, $REALM
-dn: uid=test,cn=users,cn=accounts,$SUFFIX
-changetype: add
-uidNumber: 1003
-uid: test
-gecos: test
-homeDirectory: /home/test
-loginShell: /bin/bash
-gidNumber: 1002
-objectclass: krbPrincipalAux
-objectclass: inetOrgPerson
-objectClass: posixAccount
-objectClass: account
-objectClass: top
-cn: Test User
-sn: User
-krbPrincipalName: test@$REALM
-
-dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
-changetype: modify
-add: uniqueMember
-uniqueMember: uid=test,cn=users,cn=accounts,$SUFFIX
diff -r a4f77437f296 -r 6d5bbb4a6066 ipa-server/ipaserver/dsinstance.py
--- a/ipa-server/ipaserver/dsinstance.py	Thu Oct 11 11:25:19 2007 -0700
+++ b/ipa-server/ipaserver/dsinstance.py	Thu Oct 11 12:19:42 2007 -0700
@@ -97,7 +97,6 @@ class DsInstance:
             # TODO: roll back here?
             print "Failed to restart the ds instance"
         self.__add_default_layout()
-        self.__create_test_users()
 
     def config_dirname(self):
         if not self.serverid:
@@ -193,14 +192,6 @@ class DsInstance:
         except subprocess.CalledProcessError, e:
             print "Failed to add default ds layout", e
             logging.debug("Failed to add default ds layout %s" % e)
-        
-    def __create_test_users(self):
-        logging.debug("create test users ldif")
-        txt = template_file(SHARE_DIR + "test-users-template.ldif", self.sub_dict)
-        user_fd = open(SHARE_DIR+"test-users.ldif", "w")
-        user_fd.write(txt)
-        user_fd.close()
-        logging.debug("done creating test users ldif")
 
     def __certmap_conf(self):
         logging.debug("configuring certmap.conf for ds instance")
diff -r a4f77437f296 -r 6d5bbb4a6066 ipa-server/xmlrpc-server/funcs.py
--- a/ipa-server/xmlrpc-server/funcs.py	Thu Oct 11 11:25:19 2007 -0700
+++ b/ipa-server/xmlrpc-server/funcs.py	Thu Oct 11 12:19:42 2007 -0700
@@ -448,8 +448,9 @@ class IPAServer:
             del user['gn']
 
         # some required objectclasses
-        entry.setValues('objectClass', 'top', 'person', 'organizationalPerson', 'inetOrgPerson', 'posixAccount', 'krbPrincipalAux')
-    
+        entry.setValues('objectClass', 'top', 'person', 'organizationalPerson',
+                'inetOrgPerson', 'inetUser', 'posixAccount', 'krbPrincipalAux')
+
         # fill in our new entry with everything sent by the user
         for u in user:
             entry.setValues(u, user[u])
@@ -709,7 +710,8 @@ class IPAServer:
         entry = ipaserver.ipaldap.Entry(dn)
 
         # some required objectclasses
-        entry.setValues('objectClass', 'top', 'groupofuniquenames', 'posixGroup')
+        entry.setValues('objectClass', 'top', 'groupofuniquenames', 'posixGroup',
+                        'inetUser')
 
         # FIXME, need a gidNumber generator
         if group.get('gidnumber') is None:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/d1914098/attachment.bin>

From rcritten at redhat.com  Thu Oct 11 19:23:17 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 11 Oct 2007 15:23:17 -0400
Subject: [Freeipa-devel] [PATCH] add inetUser objectclass,
	remove	test-users ldif
In-Reply-To: <20071011192119.GH13334@moon.usersys.redhat.com>
References: <20071011190226.GG13334@moon.usersys.redhat.com>
	<20071011192119.GH13334@moon.usersys.redhat.com>
Message-ID: <470E7825.9090700@redhat.com>

Kevin McCarthy wrote:
> Kevin McCarthy wrote:
>> This patch adds the inetUser objectclass.  It also pulls out the
>> test-user ldif generation (instructions now say to use the command-line
>> tools for this).
> 
> Revised patch adding inetUser to groups too.
> 
> -Kevin

Looks ok.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/a259e9b1/attachment.bin>

From kmccarth at redhat.com  Thu Oct 11 19:25:59 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 11 Oct 2007 12:25:59 -0700
Subject: [Freeipa-devel] [PATCH] add inetUser objectclass, remove
	test-users ldif
In-Reply-To: <470E7825.9090700@redhat.com>
References: <20071011190226.GG13334@moon.usersys.redhat.com>
	<20071011192119.GH13334@moon.usersys.redhat.com>
	<470E7825.9090700@redhat.com>
Message-ID: <20071011192559.GI13334@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> Kevin McCarthy wrote:
>>> This patch adds the inetUser objectclass.  It also pulls out the
>>> test-user ldif generation (instructions now say to use the command-line
>>> tools for this).
>> Revised patch adding inetUser to groups too.
>> -Kevin
>
> Looks ok.

pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/f9313ef9/attachment.bin>

From rcritten at redhat.com  Thu Oct 11 21:10:37 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 11 Oct 2007 17:10:37 -0400
Subject: [Freeipa-devel] SASL whoami
Message-ID: <470E914D.9050808@redhat.com>

The connection pool has a fairly big problem with it. When a connection 
goes away, it doesn't currently see that and returns a failure rather 
than reconnecting. These connections can go away if FDS restarts, for 
example. Or the connection times out or we're hit by gamma rays, who knows.

Trying to figure out where this failure is occurring and retrying the 
operation will be fairly difficult (for every LDAP operation basically).

Instead what I've tried to do is run a quick operation on the connection 
when I pull it out of the pool. If it is bad I can easily make a new one.

I wanted an LDAP operation that wasn't going to stress the server at 
all. There is an extended operation whoami so you can find out who is 
authenticated on this connection.

Using this I can see whether the connection is alive or not and it 
actually works fairly well.

The problem is that FDS doesn't implement it, so an error is logged. It 
isn't a big deal in my mind and in fact the operation is probably quite 
swift ("Do I have this extop? Nope, return.").

So, we have several options:

1. Go with my current uncommitted patch and use an unimplemented extop 
to test the connection.
2. Go with the current uncommitted patch AND write a quickie plugin that 
does whoami.
3. Try something else altogether, such as catching ldap.SERVER_DOWN 
everywhere and trying again.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/63b6ad83/attachment.bin>

From rcritten at redhat.com  Thu Oct 11 21:19:03 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 11 Oct 2007 17:19:03 -0400
Subject: [Freeipa-devel] ntp
Message-ID: <470E9347.1000201@redhat.com>

We should require ntp be running in order to install IPA. I was thinking 
we could check the output of ntpq -p:

1. If ntpq is not installed, quit
2. If ntpq returns "Connection refused" quit
3. If ntpq returns a list of peers, continue

Thoughts?

Should we include an ntp configuration for clients as well?

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/124a3ec4/attachment.bin>

From rmeggins at redhat.com  Thu Oct 11 21:21:11 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 11 Oct 2007 15:21:11 -0600
Subject: [Freeipa-devel] SASL whoami
In-Reply-To: <470E914D.9050808@redhat.com>
References: <470E914D.9050808@redhat.com>
Message-ID: <470E93C7.7010007@redhat.com>

Rob Crittenden wrote:
> The connection pool has a fairly big problem with it. When a 
> connection goes away, it doesn't currently see that and returns a 
> failure rather than reconnecting. These connections can go away if FDS 
> restarts, for example. Or the connection times out or we're hit by 
> gamma rays, who knows.
>
> Trying to figure out where this failure is occurring and retrying the 
> operation will be fairly difficult (for every LDAP operation basically).
>
> Instead what I've tried to do is run a quick operation on the 
> connection when I pull it out of the pool. If it is bad I can easily 
> make a new one.
>
> I wanted an LDAP operation that wasn't going to stress the server at 
> all. There is an extended operation whoami so you can find out who is 
> authenticated on this connection.
>
> Using this I can see whether the connection is alive or not and it 
> actually works fairly well.
>
> The problem is that FDS doesn't implement it, so an error is logged. 
> It isn't a big deal in my mind and in fact the operation is probably 
> quite swift ("Do I have this extop? Nope, return.").
>
> So, we have several options:
>
> 1. Go with my current uncommitted patch and use an unimplemented extop 
> to test the connection.
> 2. Go with the current uncommitted patch AND write a quickie plugin 
> that does whoami.
> 3. Try something else altogether, such as catching ldap.SERVER_DOWN 
> everywhere and trying again.
Instead of the extop, could just query the root DSE?
>
> rob
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/3693c029/attachment.bin>

From kmccarth at redhat.com  Thu Oct 11 21:27:16 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 11 Oct 2007 14:27:16 -0700
Subject: [Freeipa-devel] ntp
In-Reply-To: <470E9347.1000201@redhat.com>
References: <470E9347.1000201@redhat.com>
Message-ID: <20071011212715.GJ13334@moon.usersys.redhat.com>

Rob Crittenden wrote:
> We should require ntp be running in order to install IPA. I was thinking we 
> could check the output of ntpq -p:
>
> 1. If ntpq is not installed, quit
> 2. If ntpq returns "Connection refused" quit
> 3. If ntpq returns a list of peers, continue

I think only 1 is required of us.  Maybe just printing a message warning
that correct time is essential for operation of the KDC.

> Should we include an ntp configuration for clients as well?

I think configuring ntp for them is a bit out of scope.

Just my $0.02

-Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/63e5851a/attachment.bin>

From ssorce at redhat.com  Thu Oct 11 21:51:16 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 11 Oct 2007 17:51:16 -0400
Subject: [Freeipa-devel] SASL whoami
In-Reply-To: <470E914D.9050808@redhat.com>
References: <470E914D.9050808@redhat.com>
Message-ID: <1192139476.851.69.camel@localhost.localdomain>

On Thu, 2007-10-11 at 17:10 -0400, Rob Crittenden wrote:
> The connection pool has a fairly big problem with it. When a connection 
> goes away, it doesn't currently see that and returns a failure rather 
> than reconnecting. These connections can go away if FDS restarts, for 
> example. Or the connection times out or we're hit by gamma rays, who knows.
> 
> Trying to figure out where this failure is occurring and retrying the 
> operation will be fairly difficult (for every LDAP operation basically).
> 
> Instead what I've tried to do is run a quick operation on the connection 
> when I pull it out of the pool. If it is bad I can easily make a new one.
> 
> I wanted an LDAP operation that wasn't going to stress the server at 
> all. There is an extended operation whoami so you can find out who is 
> authenticated on this connection.
> 
> Using this I can see whether the connection is alive or not and it 
> actually works fairly well.
> 
> The problem is that FDS doesn't implement it, so an error is logged. It 
> isn't a big deal in my mind and in fact the operation is probably quite 
> swift ("Do I have this extop? Nope, return.").
> 
> So, we have several options:
> 
> 1. Go with my current uncommitted patch and use an unimplemented extop 
> to test the connection.
> 2. Go with the current uncommitted patch AND write a quickie plugin that 
> does whoami.
> 3. Try something else altogether, such as catching ldap.SERVER_DOWN 
> everywhere and trying again.

3. FDS can restart just after your operation has happened and you are
still in trouble, only you are going to add tons of unnecessary
operations and still not able to retry the right one.

Simo.



From kmccarth at redhat.com  Thu Oct 11 21:53:34 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 11 Oct 2007 14:53:34 -0700
Subject: [Freeipa-devel] SASL whoami
In-Reply-To: <470E914D.9050808@redhat.com>
References: <470E914D.9050808@redhat.com>
Message-ID: <20071011215333.GK13334@moon.usersys.redhat.com>

Rob Crittenden wrote:
> So, we have several options:
>
> 1. Go with my current uncommitted patch and use an unimplemented extop to 
> test the connection.
> 2. Go with the current uncommitted patch AND write a quickie plugin that 
> does whoami.
> 3. Try something else altogether, such as catching ldap.SERVER_DOWN 
> everywhere and trying again.

4. Forget about connection pooling for V1 ???

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/4d3bc870/attachment.bin>

From rcritten at redhat.com  Thu Oct 11 21:55:43 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 11 Oct 2007 17:55:43 -0400
Subject: [Freeipa-devel] SASL whoami
In-Reply-To: <1192139476.851.69.camel@localhost.localdomain>
References: <470E914D.9050808@redhat.com>
	<1192139476.851.69.camel@localhost.localdomain>
Message-ID: <470E9BDF.30408@redhat.com>

Simo Sorce wrote:
> On Thu, 2007-10-11 at 17:10 -0400, Rob Crittenden wrote:
>> The connection pool has a fairly big problem with it. When a connection 
>> goes away, it doesn't currently see that and returns a failure rather 
>> than reconnecting. These connections can go away if FDS restarts, for 
>> example. Or the connection times out or we're hit by gamma rays, who knows.
>>
>> Trying to figure out where this failure is occurring and retrying the 
>> operation will be fairly difficult (for every LDAP operation basically).
>>
>> Instead what I've tried to do is run a quick operation on the connection 
>> when I pull it out of the pool. If it is bad I can easily make a new one.
>>
>> I wanted an LDAP operation that wasn't going to stress the server at 
>> all. There is an extended operation whoami so you can find out who is 
>> authenticated on this connection.
>>
>> Using this I can see whether the connection is alive or not and it 
>> actually works fairly well.
>>
>> The problem is that FDS doesn't implement it, so an error is logged. It 
>> isn't a big deal in my mind and in fact the operation is probably quite 
>> swift ("Do I have this extop? Nope, return.").
>>
>> So, we have several options:
>>
>> 1. Go with my current uncommitted patch and use an unimplemented extop 
>> to test the connection.
>> 2. Go with the current uncommitted patch AND write a quickie plugin that 
>> does whoami.
>> 3. Try something else altogether, such as catching ldap.SERVER_DOWN 
>> everywhere and trying again.
> 
> 3. FDS can restart just after your operation has happened and you are
> still in trouble, only you are going to add tons of unnecessary
> operations and still not able to retry the right one.
> 
> Simo.
> 

I'm trying to handle the most common cases. The current code will not 
work. We can alternatively rebind with every request, that will also 
detect the loss of connectivity. That just seems like overkill.

I'm happy with a best-effort. If FDS is restarting in the middle of 
things a few client errors are probably the least of our troubles.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/4eed3f1f/attachment.bin>

From ssorce at redhat.com  Thu Oct 11 21:56:29 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 11 Oct 2007 17:56:29 -0400
Subject: [Freeipa-devel] ntp
In-Reply-To: <20071011212715.GJ13334@moon.usersys.redhat.com>
References: <470E9347.1000201@redhat.com>
	<20071011212715.GJ13334@moon.usersys.redhat.com>
Message-ID: <1192139789.851.74.camel@localhost.localdomain>

On Thu, 2007-10-11 at 14:27 -0700, Kevin McCarthy wrote:
> Rob Crittenden wrote:
> > We should require ntp be running in order to install IPA. I was thinking we 
> > could check the output of ntpq -p:
> >
> > 1. If ntpq is not installed, quit
> > 2. If ntpq returns "Connection refused" quit
> > 3. If ntpq returns a list of peers, continue
> 
> I think only 1 is required of us.  Maybe just printing a message warning
> that correct time is essential for operation of the KDC.
> 
> > Should we include an ntp configuration for clients as well?
> 
> I think configuring ntp for them is a bit out of scope.

It's not out of scope at all, we should do this for all clients anyway
like we configure kerberos and ldap.
The problem with ntp is that it seem that if it starts and it can't
contact the server it just dies. I have been told some times ago that
starting ntp with an empty configuration and piping in the right server
after it is started using a client tool provided in the package solves
this problem. Unfortunately it is too much for v1.

So for now we should just check ntp is up and running both on server and
client, and just *warn*. They maybe running something different that
keep clock in sync, we shouldn't force ntp at all costs.

Simo.



From rcritten at redhat.com  Thu Oct 11 21:57:02 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 11 Oct 2007 17:57:02 -0400
Subject: [Freeipa-devel] SASL whoami
In-Reply-To: <20071011215333.GK13334@moon.usersys.redhat.com>
References: <470E914D.9050808@redhat.com>
	<20071011215333.GK13334@moon.usersys.redhat.com>
Message-ID: <470E9C2E.5070901@redhat.com>

Kevin McCarthy wrote:
> Rob Crittenden wrote:
>> So, we have several options:
>>
>> 1. Go with my current uncommitted patch and use an unimplemented extop to 
>> test the connection.
>> 2. Go with the current uncommitted patch AND write a quickie plugin that 
>> does whoami.
>> 3. Try something else altogether, such as catching ldap.SERVER_DOWN 
>> everywhere and trying again.
> 
> 4. Forget about connection pooling for V1 ???
>

I think it would be really, really slow. Consider the number of LDAP 
operations. To connect, bind, do an operation, and disconnect each time 
could be bad under load. We can always try it out I suppose.

This is why I was looking for a low-impact operation to do just to 
verify that things are a-ok.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/4ba0e68a/attachment.bin>

From prowley at redhat.com  Thu Oct 11 22:01:12 2007
From: prowley at redhat.com (Pete Rowley)
Date: Thu, 11 Oct 2007 15:01:12 -0700
Subject: [Freeipa-devel] SASL whoami
In-Reply-To: <470E9BDF.30408@redhat.com>
References: <470E914D.9050808@redhat.com>	<1192139476.851.69.camel@localhost.localdomain>
	<470E9BDF.30408@redhat.com>
Message-ID: <470E9D28.9060103@redhat.com>

Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Thu, 2007-10-11 at 17:10 -0400, Rob Crittenden wrote:
>>> The connection pool has a fairly big problem with it. When a 
>>> connection goes away, it doesn't currently see that and returns a 
>>> failure rather than reconnecting. These connections can go away if 
>>> FDS restarts, for example. Or the connection times out or we're hit 
>>> by gamma rays, who knows.
>>>
>>> Trying to figure out where this failure is occurring and retrying 
>>> the operation will be fairly difficult (for every LDAP operation 
>>> basically).
>>>
>>> Instead what I've tried to do is run a quick operation on the 
>>> connection when I pull it out of the pool. If it is bad I can easily 
>>> make a new one.
>>>
>>> I wanted an LDAP operation that wasn't going to stress the server at 
>>> all. There is an extended operation whoami so you can find out who 
>>> is authenticated on this connection.
>>>
>>> Using this I can see whether the connection is alive or not and it 
>>> actually works fairly well.
>>>
>>> The problem is that FDS doesn't implement it, so an error is logged. 
>>> It isn't a big deal in my mind and in fact the operation is probably 
>>> quite swift ("Do I have this extop? Nope, return.").
>>>
>>> So, we have several options:
>>>
>>> 1. Go with my current uncommitted patch and use an unimplemented 
>>> extop to test the connection.
>>> 2. Go with the current uncommitted patch AND write a quickie plugin 
>>> that does whoami.
>>> 3. Try something else altogether, such as catching ldap.SERVER_DOWN 
>>> everywhere and trying again.
>>
>> 3. FDS can restart just after your operation has happened and you are
>> still in trouble, only you are going to add tons of unnecessary
>> operations and still not able to retry the right one.
>>
>> Simo.
>>
>
> I'm trying to handle the most common cases. The current code will not 
> work. We can alternatively rebind with every request, that will also 
> detect the loss of connectivity. That just seems like overkill.
>
> I'm happy with a best-effort. If FDS is restarting in the middle of 
> things a few client errors are probably the least of our troubles.
How about a keep alive thread that adds fresh activity on each 
connection every minute or so and fixes up dead connections.  Then we 
can keep this business out of the main loop.

-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/ff7661df/attachment.bin>

From mgregg at redhat.com  Thu Oct 11 22:00:14 2007
From: mgregg at redhat.com (michael gregg)
Date: Thu, 11 Oct 2007 15:00:14 -0700
Subject: [Freeipa-devel] ntp
In-Reply-To: <470E9347.1000201@redhat.com>
References: <470E9347.1000201@redhat.com>
Message-ID: <470E9CEE.30100@redhat.com>

Rob Crittenden wrote:

> We should require ntp be running in order to install IPA. I was 
> thinking we could check the output of ntpq -p:
>
> 1. If ntpq is not installed, quit
> 2. If ntpq returns "Connection refused" quit
> 3. If ntpq returns a list of peers, continue
>
> Thoughts?
>
> Should we include an ntp configuration for clients as well?
>
> rob
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Freeipa-devel mailing list
>Freeipa-devel at redhat.com
>https://www.redhat.com/mailman/listinfo/freeipa-devel
>
I think it would be best to have ntpd as a rpm dependency.

Providing a warning that ntpd may be misconfigured (along with a 
description of why that is bad when ntpq does not return a list of 
peers) would be nice.

And supplying a sample ntp.conf for clients would be a very good thing.

Michael-


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2000 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/39bc3244/attachment.bin>

From rcritten at redhat.com  Fri Oct 12 02:24:12 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 11 Oct 2007 22:24:12 -0400
Subject: [Freeipa-devel] SASL whoami
In-Reply-To: <470E9D28.9060103@redhat.com>
References: <470E914D.9050808@redhat.com>	<1192139476.851.69.camel@localhost.localdomain>
	<470E9BDF.30408@redhat.com> <470E9D28.9060103@redhat.com>
Message-ID: <470EDACC.8050806@redhat.com>

Pete Rowley wrote:
> Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Thu, 2007-10-11 at 17:10 -0400, Rob Crittenden wrote:
>>>> The connection pool has a fairly big problem with it. When a 
>>>> connection goes away, it doesn't currently see that and returns a 
>>>> failure rather than reconnecting. These connections can go away if 
>>>> FDS restarts, for example. Or the connection times out or we're hit 
>>>> by gamma rays, who knows.
>>>>
>>>> Trying to figure out where this failure is occurring and retrying 
>>>> the operation will be fairly difficult (for every LDAP operation 
>>>> basically).
>>>>
>>>> Instead what I've tried to do is run a quick operation on the 
>>>> connection when I pull it out of the pool. If it is bad I can easily 
>>>> make a new one.
>>>>
>>>> I wanted an LDAP operation that wasn't going to stress the server at 
>>>> all. There is an extended operation whoami so you can find out who 
>>>> is authenticated on this connection.
>>>>
>>>> Using this I can see whether the connection is alive or not and it 
>>>> actually works fairly well.
>>>>
>>>> The problem is that FDS doesn't implement it, so an error is logged. 
>>>> It isn't a big deal in my mind and in fact the operation is probably 
>>>> quite swift ("Do I have this extop? Nope, return.").
>>>>
>>>> So, we have several options:
>>>>
>>>> 1. Go with my current uncommitted patch and use an unimplemented 
>>>> extop to test the connection.
>>>> 2. Go with the current uncommitted patch AND write a quickie plugin 
>>>> that does whoami.
>>>> 3. Try something else altogether, such as catching ldap.SERVER_DOWN 
>>>> everywhere and trying again.
>>>
>>> 3. FDS can restart just after your operation has happened and you are
>>> still in trouble, only you are going to add tons of unnecessary
>>> operations and still not able to retry the right one.
>>>
>>> Simo.
>>>
>>
>> I'm trying to handle the most common cases. The current code will not 
>> work. We can alternatively rebind with every request, that will also 
>> detect the loss of connectivity. That just seems like overkill.
>>
>> I'm happy with a best-effort. If FDS is restarting in the middle of 
>> things a few client errors are probably the least of our troubles.
> How about a keep alive thread that adds fresh activity on each 
> connection every minute or so and fixes up dead connections.  Then we 
> can keep this business out of the main loop.
> 

Well, it may not be a good idea to keep around authenticated connections 
as it is.

All the problems go away if I unbind() once the work is done and re-bind 
later. We still save the connection cost. Shall I go ahead and do that 
instead?

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071011/a0998e26/attachment.bin>

From ssorce at redhat.com  Fri Oct 12 13:43:48 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 12 Oct 2007 09:43:48 -0400
Subject: [Freeipa-devel] SASL whoami
In-Reply-To: <470EDACC.8050806@redhat.com>
References: <470E914D.9050808@redhat.com>
	<1192139476.851.69.camel@localhost.localdomain>
	<470E9BDF.30408@redhat.com>
	<470E9D28.9060103@redhat.com>  <470EDACC.8050806@redhat.com>
Message-ID: <1192196628.10852.9.camel@localhost.localdomain>

On Thu, 2007-10-11 at 22:24 -0400, Rob Crittenden wrote:
> Pete Rowley wrote:
> > Rob Crittenden wrote:
> >> Simo Sorce wrote:
> >>> On Thu, 2007-10-11 at 17:10 -0400, Rob Crittenden wrote:
> >>>> The connection pool has a fairly big problem with it. When a 
> >>>> connection goes away, it doesn't currently see that and returns a 
> >>>> failure rather than reconnecting. These connections can go away if 
> >>>> FDS restarts, for example. Or the connection times out or we're hit 
> >>>> by gamma rays, who knows.
> >>>>
> >>>> Trying to figure out where this failure is occurring and retrying 
> >>>> the operation will be fairly difficult (for every LDAP operation 
> >>>> basically).
> >>>>
> >>>> Instead what I've tried to do is run a quick operation on the 
> >>>> connection when I pull it out of the pool. If it is bad I can easily 
> >>>> make a new one.
> >>>>
> >>>> I wanted an LDAP operation that wasn't going to stress the server at 
> >>>> all. There is an extended operation whoami so you can find out who 
> >>>> is authenticated on this connection.
> >>>>
> >>>> Using this I can see whether the connection is alive or not and it 
> >>>> actually works fairly well.
> >>>>
> >>>> The problem is that FDS doesn't implement it, so an error is logged. 
> >>>> It isn't a big deal in my mind and in fact the operation is probably 
> >>>> quite swift ("Do I have this extop? Nope, return.").
> >>>>
> >>>> So, we have several options:
> >>>>
> >>>> 1. Go with my current uncommitted patch and use an unimplemented 
> >>>> extop to test the connection.
> >>>> 2. Go with the current uncommitted patch AND write a quickie plugin 
> >>>> that does whoami.
> >>>> 3. Try something else altogether, such as catching ldap.SERVER_DOWN 
> >>>> everywhere and trying again.
> >>>
> >>> 3. FDS can restart just after your operation has happened and you are
> >>> still in trouble, only you are going to add tons of unnecessary
> >>> operations and still not able to retry the right one.
> >>>
> >>> Simo.
> >>>
> >>
> >> I'm trying to handle the most common cases. The current code will not 
> >> work. We can alternatively rebind with every request, that will also 
> >> detect the loss of connectivity. That just seems like overkill.
> >>
> >> I'm happy with a best-effort. If FDS is restarting in the middle of 
> >> things a few client errors are probably the least of our troubles.
> > How about a keep alive thread that adds fresh activity on each 
> > connection every minute or so and fixes up dead connections.  Then we 
> > can keep this business out of the main loop.
> > 
> 
> Well, it may not be a good idea to keep around authenticated connections 
> as it is.
> 
> All the problems go away if I unbind() once the work is done and re-bind 
> later. We still save the connection cost. Shall I go ahead and do that 
> instead?

I think this is better that keepalive or whoami for now, I still think
we should handle errors better, but I guess we can defer that work.

sImo.



From rcritten at redhat.com  Fri Oct 12 14:10:52 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Oct 2007 10:10:52 -0400
Subject: [Freeipa-devel] SASL whoami
In-Reply-To: <1192196628.10852.9.camel@localhost.localdomain>
References: <470E914D.9050808@redhat.com>	
	<1192139476.851.69.camel@localhost.localdomain>
	<470E9BDF.30408@redhat.com>	 <470E9D28.9060103@redhat.com>
	<470EDACC.8050806@redhat.com>
	<1192196628.10852.9.camel@localhost.localdomain>
Message-ID: <470F806C.3070902@redhat.com>

Simo Sorce wrote:
> On Thu, 2007-10-11 at 22:24 -0400, Rob Crittenden wrote:
>> Pete Rowley wrote:
>>> Rob Crittenden wrote:
>>>> Simo Sorce wrote:
>>>>> On Thu, 2007-10-11 at 17:10 -0400, Rob Crittenden wrote:
>>>>>> The connection pool has a fairly big problem with it. When a 
>>>>>> connection goes away, it doesn't currently see that and returns a 
>>>>>> failure rather than reconnecting. These connections can go away if 
>>>>>> FDS restarts, for example. Or the connection times out or we're hit 
>>>>>> by gamma rays, who knows.
>>>>>>
>>>>>> Trying to figure out where this failure is occurring and retrying 
>>>>>> the operation will be fairly difficult (for every LDAP operation 
>>>>>> basically).
>>>>>>
>>>>>> Instead what I've tried to do is run a quick operation on the 
>>>>>> connection when I pull it out of the pool. If it is bad I can easily 
>>>>>> make a new one.
>>>>>>
>>>>>> I wanted an LDAP operation that wasn't going to stress the server at 
>>>>>> all. There is an extended operation whoami so you can find out who 
>>>>>> is authenticated on this connection.
>>>>>>
>>>>>> Using this I can see whether the connection is alive or not and it 
>>>>>> actually works fairly well.
>>>>>>
>>>>>> The problem is that FDS doesn't implement it, so an error is logged. 
>>>>>> It isn't a big deal in my mind and in fact the operation is probably 
>>>>>> quite swift ("Do I have this extop? Nope, return.").
>>>>>>
>>>>>> So, we have several options:
>>>>>>
>>>>>> 1. Go with my current uncommitted patch and use an unimplemented 
>>>>>> extop to test the connection.
>>>>>> 2. Go with the current uncommitted patch AND write a quickie plugin 
>>>>>> that does whoami.
>>>>>> 3. Try something else altogether, such as catching ldap.SERVER_DOWN 
>>>>>> everywhere and trying again.
>>>>> 3. FDS can restart just after your operation has happened and you are
>>>>> still in trouble, only you are going to add tons of unnecessary
>>>>> operations and still not able to retry the right one.
>>>>>
>>>>> Simo.
>>>>>
>>>> I'm trying to handle the most common cases. The current code will not 
>>>> work. We can alternatively rebind with every request, that will also 
>>>> detect the loss of connectivity. That just seems like overkill.
>>>>
>>>> I'm happy with a best-effort. If FDS is restarting in the middle of 
>>>> things a few client errors are probably the least of our troubles.
>>> How about a keep alive thread that adds fresh activity on each 
>>> connection every minute or so and fixes up dead connections.  Then we 
>>> can keep this business out of the main loop.
>>>
>> Well, it may not be a good idea to keep around authenticated connections 
>> as it is.
>>
>> All the problems go away if I unbind() once the work is done and re-bind 
>> later. We still save the connection cost. Shall I go ahead and do that 
>> instead?
> 
> I think this is better that keepalive or whoami for now, I still think
> we should handle errors better, but I guess we can defer that work.

It appears that a SASL connection cannot be rebound. It fails with no 
error logged in FDS, it just closes the connection.

I've got a patch that binds and unbinds with each get/release 
connection. We can address caching in the future. At least this code 
isn't buggy.

I'll get a patch out later this morning.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071012/4f664491/attachment.bin>

From ssorce at redhat.com  Fri Oct 12 14:16:17 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 12 Oct 2007 10:16:17 -0400
Subject: [Freeipa-devel] SASL whoami
In-Reply-To: <470F806C.3070902@redhat.com>
References: <470E914D.9050808@redhat.com>
	<1192139476.851.69.camel@localhost.localdomain>
	<470E9BDF.30408@redhat.com>
	<470E9D28.9060103@redhat.com> <470EDACC.8050806@redhat.com>
	<1192196628.10852.9.camel@localhost.localdomain>
	<470F806C.3070902@redhat.com>
Message-ID: <1192198577.10852.30.camel@localhost.localdomain>

On Fri, 2007-10-12 at 10:10 -0400, Rob Crittenden wrote:
> It appears that a SASL connection cannot be rebound. It fails with no 
> error logged in FDS, it just closes the connection.

Ahh right! And I knew about that, stoopid memory :)

> I've got a patch that binds and unbinds with each get/release 
> connection. We can address caching in the future. At least this code 
> isn't buggy.

Well if I have to play the role of the devil you know there is always
the chance of a drop just after the bind, but at least retrying a failed
operation will not fail as we will re-establish the connection.

> I'll get a patch out later this morning.

Green light from me, thanks for taking care of this.
simo.



From rcritten at redhat.com  Fri Oct 12 14:38:24 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Oct 2007 10:38:24 -0400
Subject: [Freeipa-devel] [PATCH] remove LDAP connection caching
Message-ID: <470F86E0.5070106@redhat.com>

I've left the infrastructure in place but removed the caching for now.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-265-nocache.patch
Type: text/x-patch
Size: 2243 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071012/e5743956/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071012/e5743956/attachment-0001.bin>

From ssorce at redhat.com  Fri Oct 12 16:06:15 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 12 Oct 2007 12:06:15 -0400
Subject: [Freeipa-devel] [PATCH] minor errors
Message-ID: <1192205175.13192.0.camel@hopeson>

Fixed minor errors in the setup script and the build system


-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-265-os-error.patch
Type: text/x-patch
Size: 1386 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071012/6a9e0485/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-266-make-error.patch
Type: text/x-patch
Size: 1003 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071012/6a9e0485/attachment-0001.bin>

From kmccarth at redhat.com  Fri Oct 12 16:27:01 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Fri, 12 Oct 2007 09:27:01 -0700
Subject: [Freeipa-devel] [PATCH] remove LDAP connection caching
In-Reply-To: <470F86E0.5070106@redhat.com>
References: <470F86E0.5070106@redhat.com>
Message-ID: <20071012162700.GB6225@moon.usersys.redhat.com>

Rob Crittenden wrote:
> I've left the infrastructure in place but removed the caching for now.

Looks good to me.

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071012/409a44f0/attachment.bin>

From rcritten at redhat.com  Fri Oct 12 16:28:10 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Oct 2007 12:28:10 -0400
Subject: [Freeipa-devel] [PATCH] minor errors
In-Reply-To: <1192205175.13192.0.camel@hopeson>
References: <1192205175.13192.0.camel@hopeson>
Message-ID: <470FA09A.40408@redhat.com>

Simo Sorce wrote:
> Fixed minor errors in the setup script and the build system
> 

Both look fine to me.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071012/ad47e94d/attachment.bin>

From ssorce at redhat.com  Fri Oct 12 16:36:21 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 12 Oct 2007 12:36:21 -0400
Subject: [Freeipa-devel] [PATCH] minor errors
In-Reply-To: <470FA09A.40408@redhat.com>
References: <1192205175.13192.0.camel@hopeson>  <470FA09A.40408@redhat.com>
Message-ID: <1192206981.10852.50.camel@localhost.localdomain>

On Fri, 2007-10-12 at 12:28 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > Fixed minor errors in the setup script and the build system
> > 
> 
> Both look fine to me.

Pushed.



From ssorce at redhat.com  Fri Oct 12 17:27:49 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 12 Oct 2007 13:27:49 -0400
Subject: [Freeipa-devel] [PATCH] Better IPv6/IPv4 support for kpasswd
Message-ID: <1192210069.15630.1.camel@hopeson>

Implements suggestion from Daniel Berranger so that ipa-kpasswd can work
in whatever mode the kernel has been configured to work wrt IPv6.

Simo.



From ssorce at redhat.com  Fri Oct 12 17:32:30 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 12 Oct 2007 13:32:30 -0400
Subject: [Freeipa-devel] Re: [PATCH] Better IPv6/IPv4 support for kpasswd
In-Reply-To: <1192210069.15630.1.camel@hopeson>
References: <1192210069.15630.1.camel@hopeson>
Message-ID: <1192210350.15630.3.camel@hopeson>

On Fri, 2007-10-12 at 13:27 -0400, Simo Sorce wrote:
> Implements suggestion from Daniel Berranger so that ipa-kpasswd can work
> in whatever mode the kernel has been configured to work wrt IPv6.

Better with the patch of course :-/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-267-ipv6-kpasswd.patch
Type: text/x-patch
Size: 9545 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071012/56e7815a/attachment.bin>

From mccann at jhu.edu  Fri Oct 12 18:03:38 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Fri, 12 Oct 2007 14:03:38 -0400
Subject: [Freeipa-devel] [PATCH] autotoolize ipa-server
Message-ID: <939dd5750710121103ie32f12bg4d66386eb88e812a@mail.gmail.com>

Hi,

Here is a patch to autotoolize ipa-server.

Jon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-autotoolize.diff
Type: text/x-diff
Size: 54800 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071012/fc2d32af/attachment.bin>

From mccann at jhu.edu  Fri Oct 12 19:09:45 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Fri, 12 Oct 2007 15:09:45 -0400
Subject: [Freeipa-devel] [PATCH] autotoolize ipa-client
Message-ID: <939dd5750710121209o2886020duc56f6c83dcdd0637@mail.gmail.com>

Hi,

Here is a patch to autotoolize ipa-client.

Jon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-client-autotoolize.diff
Type: text/x-diff
Size: 12024 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071012/8291699d/attachment.bin>

From kmacmill at redhat.com  Fri Oct 12 20:01:28 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Fri, 12 Oct 2007 16:01:28 -0400
Subject: [Freeipa-devel] ntp
In-Reply-To: <1192139789.851.74.camel@localhost.localdomain>
References: <470E9347.1000201@redhat.com>
	<20071011212715.GJ13334@moon.usersys.redhat.com>
	<1192139789.851.74.camel@localhost.localdomain>
Message-ID: <1192219288.3294.56.camel@localhost.localdomain>

On Thu, 2007-10-11 at 17:56 -0400, Simo Sorce wrote:
> On Thu, 2007-10-11 at 14:27 -0700, Kevin McCarthy wrote:
> > Rob Crittenden wrote:
> > > We should require ntp be running in order to install IPA. I was thinking we 
> > > could check the output of ntpq -p:
> > >
> > > 1. If ntpq is not installed, quit
> > > 2. If ntpq returns "Connection refused" quit
> > > 3. If ntpq returns a list of peers, continue
> > 
> > I think only 1 is required of us.  Maybe just printing a message warning
> > that correct time is essential for operation of the KDC.
> > 
> > > Should we include an ntp configuration for clients as well?
> > 
> > I think configuring ntp for them is a bit out of scope.
> 
> It's not out of scope at all, we should do this for all clients anyway
> like we configure kerberos and ldap.
> The problem with ntp is that it seem that if it starts and it can't
> contact the server it just dies. I have been told some times ago that
> starting ntp with an empty configuration and piping in the right server
> after it is started using a client tool provided in the package solves
> this problem. Unfortunately it is too much for v1.
> 

Since we don't have disconnected operation for v1 is this really an
issue?

> So for now we should just check ntp is up and running both on server and
> client, and just *warn*. They maybe running something different that
> keep clock in sync, we shouldn't force ntp at all costs.
> 

Not certain what you mean - I think the server tools should setup an ntp
server regardless. It doesn't hurt. The client tools should optionally
configure ntp.

Karl



From rcritten at redhat.com  Fri Oct 12 20:02:58 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Oct 2007 16:02:58 -0400
Subject: [Freeipa-devel] [PATCH] add inetUser objectclass,
	remove test-users ldif
In-Reply-To: <20071011190226.GG13334@moon.usersys.redhat.com>
References: <20071011190226.GG13334@moon.usersys.redhat.com>
Message-ID: <470FD2F2.2030002@redhat.com>

Kevin McCarthy wrote:
> This patch adds the inetUser objectclass.  It also pulls out the
> test-user ldif generation (instructions now say to use the command-line
> tools for this).
> 
> -Kevin
> 
>

Looks good, push it.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071012/fd3c4291/attachment.bin>

From rcritten at redhat.com  Fri Oct 12 20:04:54 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Oct 2007 16:04:54 -0400
Subject: [Freeipa-devel] [PATCH] remove LDAP connection caching
In-Reply-To: <20071012162700.GB6225@moon.usersys.redhat.com>
References: <470F86E0.5070106@redhat.com>
	<20071012162700.GB6225@moon.usersys.redhat.com>
Message-ID: <470FD366.3080404@redhat.com>

Kevin McCarthy wrote:
> Rob Crittenden wrote:
>> I've left the infrastructure in place but removed the caching for now.
> 
> Looks good to me.
> 
> -Kevin
> 

Pushed.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071012/090712e7/attachment.bin>

From rcritten at redhat.com  Fri Oct 12 20:10:02 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Oct 2007 16:10:02 -0400
Subject: [Freeipa-devel] Re: [PATCH] Better IPv6/IPv4 support for kpasswd
In-Reply-To: <1192210350.15630.3.camel@hopeson>
References: <1192210069.15630.1.camel@hopeson>
	<1192210350.15630.3.camel@hopeson>
Message-ID: <470FD49A.6000606@redhat.com>

Simo Sorce wrote:
> On Fri, 2007-10-12 at 13:27 -0400, Simo Sorce wrote:
>> Implements suggestion from Daniel Berranger so that ipa-kpasswd can work
>> in whatever mode the kernel has been configured to work wrt IPv6.
> 
> Better with the patch of course :-/
>

I know this isn't related to the current patch but how does the 
blacklist work? If two users initiate a password change from the same 
machine at once, will one get rejected? What does a return of 0 give the 
user?

The patch itself looks good, from what I can understand of it (the only 
IPv6 work I've done has been in NSPR which handles this for you).

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071012/62672ddb/attachment.bin>

From mccann at jhu.edu  Fri Oct 12 20:37:45 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Fri, 12 Oct 2007 16:37:45 -0400
Subject: [Freeipa-devel] [PATCH] distutils for ipa-python (revised)
Message-ID: <939dd5750710121337h5dde9232n21f23f99d6d1d599@mail.gmail.com>

Hi,

Here is an updated version of the patch to add distutils support to ipa-python.

Fixes a problem with the installation directory for ipa.conf and
updates the .spec files.

Jon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-python-setuppy-3.diff
Type: text/x-diff
Size: 6320 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071012/b4fa7e3f/attachment.bin>

From kmccarth at redhat.com  Fri Oct 12 22:13:16 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Fri, 12 Oct 2007 15:13:16 -0700
Subject: [Freeipa-devel] [PATCH] delegation list and create GUI
Message-ID: <20071012221316.GC6225@moon.usersys.redhat.com>

This is the delegation ACI listing and creation GUI.  Editing is still
todo.

Sorry, this patch got a bit bigger than I intended, but the listing and
creation were intertwined.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192227115 25200
# Node ID 2ffed88489759ced4ba285c3f1d00f84eb3eeebe
# Parent  dcfb5974ee278ca2b94052ea19897310ecd7531c
Adds delegation listing and creation to the GUI.

diff -r dcfb5974ee27 -r 2ffed8848975 ipa-python/aci.py
--- a/ipa-python/aci.py	Fri Oct 12 10:11:57 2007 -0700
+++ b/ipa-python/aci.py	Fri Oct 12 15:11:55 2007 -0700
@@ -16,6 +16,7 @@
 #
 
 import re
+import urllib
 
 class ACI:
     """
@@ -25,10 +26,10 @@ class ACI:
     """
 
     def __init__(self,acistr=None):
+        self.name = ''
         self.source_group = ''
         self.dest_group = ''
         self.attrs = []
-        self.name = ''
         if acistr is not None:
             self.parse_acistr(acistr)
 
@@ -40,15 +41,15 @@ class ACI:
         # dn's aren't typed in, but searched for, and the search results
         # will return escaped dns
 
-        acistr = ('(targetattr = "%s")' +
+        acistr = ('(targetattr="%s")' +
                   '(targetfilter="(memberOf=%s)")' +
                   '(version 3.0;' +
                   'acl "%s";' +
                   'allow (write) ' +
-                  'groupdn="%s";)') % (attrs_str,
+                  'groupdn="ldap:///%s";)') % (attrs_str,
                                        self.dest_group,
                                        self.name,
-                                       self.source_group)
+                                       urllib.quote(self.source_group, "/=, "))
         return acistr
 
     def _match(self, prefix, inputstr):
@@ -89,7 +90,7 @@ class ACI:
     def parse_acistr(self, acistr):
         """Parses the acistr.  If the string isn't recognized, a SyntaxError
            is raised."""
-        acistr = self._match('(targetattr = ', acistr)
+        acistr = self._match('(targetattr=', acistr)
         (attrstr, acistr) = self._match_str(acistr)
         self.attrs = attrstr.split(' || ')
 
@@ -107,7 +108,8 @@ class ACI:
 
         acistr = self._match(';allow (write) groupdn=', acistr)
         (src_dn_str, acistr) = self._match_str(acistr)
-        self.source_group = src_dn_str
+        src_dn_str = self._match('ldap:///', src_dn_str)
+        self.source_group = urllib.unquote(src_dn_str)
 
         acistr = self._match(';)', acistr)
         if len(acistr) > 0:
diff -r dcfb5974ee27 -r 2ffed8848975 ipa-python/ipaclient.py
--- a/ipa-python/ipaclient.py	Fri Oct 12 10:11:57 2007 -0700
+++ b/ipa-python/ipaclient.py	Fri Oct 12 15:11:55 2007 -0700
@@ -54,6 +54,14 @@ class IPAClient:
         if self.local:
             self.transport.set_krbccache(krbccache)
 
+# Higher-level API
+
+    def get_aci_entry(self, sattrs=None):
+        """Returns the entry containing access control ACIs."""
+
+        result = self.transport.get_aci_entry(sattrs)
+        return entity.Entity(result)
+
 # General searches
 
     def get_entry_by_dn(self,dn,sattrs=None):
diff -r dcfb5974ee27 -r 2ffed8848975 ipa-python/rpcclient.py
--- a/ipa-python/rpcclient.py	Fri Oct 12 10:11:57 2007 -0700
+++ b/ipa-python/rpcclient.py	Fri Oct 12 15:11:55 2007 -0700
@@ -67,6 +67,23 @@ class RPCClient:
     
         return obj 
 
+# Higher-level API
+
+    def get_aci_entry(self, sattrs=None):
+        """Returns the entry containing access control ACIs."""
+        server = self.setup_server()
+        if sattrs is None:
+            sattrs = "__NONE__"
+        try:
+            result = server.get_aci_entry(sattrs)
+        except xmlrpclib.Fault, fault:
+            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
+        except socket.error, (value, msg):
+            raise xmlrpclib.Fault(value, msg)
+
+        return ipautil.unwrap_binary_data(result)
+
+
 # General searches
 
     def get_entry_by_dn(self,dn,sattrs=None):
diff -r dcfb5974ee27 -r 2ffed8848975 ipa-python/test/test_aci.py
--- a/ipa-python/test/test_aci.py	Fri Oct 12 10:11:57 2007 -0700
+++ b/ipa-python/test/test_aci.py	Fri Oct 12 15:11:55 2007 -0700
@@ -22,15 +22,16 @@ sys.path.insert(0, ".")
 
 import unittest
 import aci
+import urllib
 
 
 class TestACI(unittest.TestCase):
-    acitemplate = ('(targetattr = "%s")' +
+    acitemplate = ('(targetattr="%s")' +
                '(targetfilter="(memberOf=%s)")' +
                '(version 3.0;' +
                'acl "%s";' +
                'allow (write) ' +
-               'groupdn="%s";)')
+               'groupdn="ldap:///%s";)')
 
     def setUp(self):
         self.aci = aci.ACI()
@@ -52,6 +53,20 @@ class TestACI(unittest.TestCase):
 
         self.assertEqual(aci, exportaci)
 
+    def testURLEncodedExport(self):
+        self.aci.source_group = 'cn=foo " bar, dc=freeipa, dc=org'
+        self.aci.dest_group = 'cn=bar, dc=freeipa, dc=org'
+        self.aci.name = 'this is a "name'
+        self.aci.attrs = ['field1', 'field2', 'field3']
+
+        exportaci = self.aci.export_to_string()
+        aci = TestACI.acitemplate % ('field1 || field2 || field3',
+                                     self.aci.dest_group,
+                                     'this is a "name',
+                                     urllib.quote(self.aci.source_group, "/=, "))
+
+        self.assertEqual(aci, exportaci)
+
     def testSimpleParse(self):
         attr_str = 'field3 || field4 || field5'
         dest_dn = 'cn=dest\\"group, dc=freeipa, dc=org'
@@ -59,6 +74,21 @@ class TestACI(unittest.TestCase):
         src_dn = 'cn=srcgroup, dc=freeipa, dc=org'
 
         acistr = TestACI.acitemplate % (attr_str, dest_dn, name, src_dn)
+        self.aci.parse_acistr(acistr)
+
+        self.assertEqual(['field3', 'field4', 'field5'], self.aci.attrs)
+        self.assertEqual(dest_dn, self.aci.dest_group)
+        self.assertEqual(name, self.aci.name)
+        self.assertEqual(src_dn, self.aci.source_group)
+
+    def testUrlEncodedParse(self):
+        attr_str = 'field3 || field4 || field5'
+        dest_dn = 'cn=dest\\"group, dc=freeipa, dc=org'
+        name = 'my name'
+        src_dn = 'cn=src " group, dc=freeipa, dc=org'
+
+        acistr = TestACI.acitemplate % (attr_str, dest_dn, name, 
+                urllib.quote(src_dn, "/=, "))
         self.aci.parse_acistr(acistr)
 
         self.assertEqual(['field3', 'field4', 'field5'], self.aci.attrs)
diff -r dcfb5974ee27 -r 2ffed8848975 ipa-server/ipa-gui/ipagui/controllers.py
--- a/ipa-server/ipa-gui/ipagui/controllers.py	Fri Oct 12 10:11:57 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/controllers.py	Fri Oct 12 15:11:55 2007 -0700
@@ -14,12 +14,14 @@ import ipa.ipaclient
 
 from subcontrollers.user import UserController
 from subcontrollers.group import GroupController
+from subcontrollers.delegation import DelegationController
 
 ipa.config.init_config()
 
 class Root(controllers.RootController):
     user = UserController()
     group = GroupController()
+    delegate = DelegationController()
 
     @expose(template="ipagui.templates.welcome")
     @identity.require(identity.not_anonymous())
diff -r dcfb5974ee27 -r 2ffed8848975 ipa-server/ipa-gui/ipagui/forms/delegate.py
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-server/ipa-gui/ipagui/forms/delegate.py	Fri Oct 12 15:11:55 2007 -0700
@@ -0,0 +1,86 @@
+import turbogears
+from turbogears import validators, widgets
+
+from ipagui.forms.user import UserFields
+
+# TODO - get from config or somewhere
+aci_attrs = [
+  UserFields.givenname,
+  UserFields.sn,
+  UserFields.cn,
+  UserFields.title,
+  UserFields.displayname,
+  UserFields.initials,
+  UserFields.uid,
+  UserFields.userpassword,
+  UserFields.uidnumber,
+  UserFields.gidnumber,
+  UserFields.homedirectory,
+  UserFields.loginshell,
+  UserFields.gecos,
+  UserFields.mail,
+  UserFields.telephonenumber,
+  UserFields.facsimiletelephonenumber,
+  UserFields.mobile,
+  UserFields.pager,
+  UserFields.homephone,
+  UserFields.street,
+  UserFields.l,
+  UserFields.st,
+  UserFields.postalcode,
+  UserFields.ou,
+  UserFields.businesscategory,
+  UserFields.description,
+  UserFields.employeetype,
+  UserFields.manager,
+  UserFields.roomnumber,
+  UserFields.secretary,
+  UserFields.carlicense,
+  UserFields.labeleduri,
+]
+
+aci_checkbox_attrs = [(field.name, field.label) for field in aci_attrs]
+
+class DelegateFields():
+    name = widgets.TextField(name="name", label="ACI Name")
+
+    source_group_dn = widgets.HiddenField(name="source_group_dn")
+    dest_group_dn = widgets.HiddenField(name="dest_group_dn")
+
+    source_group_cn = widgets.HiddenField(name="source_group_cn",
+        label="People in Group")
+    dest_group_cn = widgets.HiddenField(name="dest_group_cn",
+        label="For People in Group")
+
+    attrs = widgets.CheckBoxList(name="attrs", label="Can Modify",
+            options=aci_checkbox_attrs, validator=validators.NotEmpty)
+
+class DelegateNewValidator(validators.Schema):
+    name = validators.String(not_empty=True)
+    source_group_dn = validators.String(not_empty=True,
+        messages = { 'empty': _("Please choose a group"), })
+    dest_group_dn = validators.String(not_empty=True,
+        messages = { 'empty': _("Please choose a group"), })
+    attrs = validators.NotEmpty(
+        messages = { 'empty': _("Please select at least one value"), })
+
+class DelegateNewForm(widgets.Form):
+    params = ['delegate', 'attr_list']
+
+    hidden_fields = [
+      DelegateFields.source_group_dn,
+      DelegateFields.dest_group_dn,
+      DelegateFields.source_group_cn,
+      DelegateFields.dest_group_cn,
+    ]
+
+    validator = DelegateNewValidator()
+
+    def __init__(self, *args, **kw):
+        super(DelegateNewForm,self).__init__(*args, **kw)
+        (self.template_c, self.template) = widgets.meta.load_kid_template(
+                "ipagui.templates.delegatenewform")
+        self.delegate = DelegateFields
+
+    def update_params(self, params):
+        super(DelegateNewForm,self).update_params(params)
diff -r dcfb5974ee27 -r 2ffed8848975 ipa-server/ipa-gui/ipagui/static/css/style.css
--- a/ipa-server/ipa-gui/ipagui/static/css/style.css	Fri Oct 12 10:11:57 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/static/css/style.css	Fri Oct 12 15:11:55 2007 -0700
@@ -77,7 +77,7 @@ body {
 #main_content {
   background:#fff;
   float:right;
-  width:85%;
+  width:82%;
   min-height:500px;
   border-left: 1px solid #000;
   padding: 10px;
@@ -92,7 +92,7 @@ body {
 #sidebar {
   background:#ccc;  /* should be same as #page */
   float:left;
-  width:10%;
+  width:13%;
   padding: 5px;
   font-size: medium;
 }
@@ -207,6 +207,19 @@ body {
 }
 
 /*
+ * Used for checkboxlist of aci attributes
+ */
+ul.requiredfield {
+  background: #ffffff;
+}
+
+ul.checkboxlist {
+  padding: 0px;
+  margin: 0px;
+  list-style: none;
+}
+
+/*
  * TableKit css
  */
 
diff -r dcfb5974ee27 -r 2ffed8848975 ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py	Fri Oct 12 15:11:55 2007 -0700
@@ -0,0 +1,168 @@
+import os
+from pickle import dumps, loads
+from base64 import b64encode, b64decode
+
+import cherrypy
+import turbogears
+from turbogears import controllers, expose, flash
+from turbogears import validators, validate
+from turbogears import widgets, paginate
+from turbogears import error_handler
+from turbogears import identity
+
+from ipacontroller import IPAController
+from ipa.entity import utf8_encode_values
+from ipa import ipaerror
+import ipagui.forms.delegate
+import ipa.aci
+
+import ldap.dn
+
+aci_fields = ['*', 'aci']
+
+delegate_new_form = ipagui.forms.delegate.DelegateNewForm()
+
+class DelegationController(IPAController):
+
+    @expose()
+    @identity.require(identity.not_anonymous())
+    def index(self, tg_errors=None):
+        raise turbogears.redirect("/delegate/list")
+
+    @expose("ipagui.templates.delegatenew")
+    @identity.require(identity.not_anonymous())
+    def new(self):
+        """Display delegate page"""
+        client = self.get_ipaclient()
+        delegate = {}
+        delegate['source_group_cn'] = "Please choose"
+        delegate['dest_group_cn'] = "Please choose"
+
+        return dict(form=delegate_new_form, delegate=delegate)
+
+    @expose()
+    @identity.require(identity.not_anonymous())
+    def create(self, **kw):
+        """Creates a new delegation"""
+        client = self.get_ipaclient()
+
+        tg_errors, kw = self.delegatecreatevalidate(**kw)
+        if tg_errors:
+            return dict(form=delegate_new_form, delegate=kw,
+                    tg_template='ipagui.templates.delegatenew')
+
+        try:
+            new_aci = ipa.aci.ACI()
+            new_aci.name = kw.get('name')
+            new_aci.source_group = kw.get('source_group_dn')
+            new_aci.dest_group = kw.get('dest_group_dn')
+            new_aci.attrs = kw.get('attrs')
+
+            # not pulling down existing aci attributes
+            aci_entry = client.get_aci_entry(['dn'])
+            aci_entry.setValue('aci', new_aci.export_to_string())
+
+            # TODO - add a client.update_entry() call instead
+            client.update_group(aci_entry)
+        except ipaerror.IPAError, e:
+            turbogears.flash("Delgate add failed: " + str(e))
+            return dict(form=delegate_new_form, delegate=kw,
+                    tg_template='ipagui.templates.delegatenew')
+
+        turbogears.flash("delegate created")
+        raise turbogears.redirect('/delegate/list')
+# 
+#     @expose("ipagui.templates.delegateedit")
+#     @identity.require(identity.not_anonymous())
+#     def edit(self):
+#         """Display delegate page"""
+#         client = self.get_ipaclient()
+# 
+#         return dict(userfields=ipagui.forms.user.UserFields())
+# 
+#     @expose()
+#     @identity.require(identity.not_anonymous())
+#     def update(self, **kw):
+#         """Display delegate page"""
+#         client = self.get_ipaclient()
+# 
+#         turbogears.flash("delegate updated")
+#         raise turbogears.redirect('/delegate/list')
+
+    @expose("ipagui.templates.delegatelist")
+    @identity.require(identity.not_anonymous())
+    def list(self):
+        """Display delegate page"""
+        client = self.get_ipaclient()
+
+        aci_entry = client.get_aci_entry(aci_fields)
+        aci_str_list = aci_entry.getValues('aci')
+        if aci_str_list is None:
+            aci_str_list = []
+
+        aci_list = []
+        for aci_str in aci_str_list:
+            try:
+                aci = ipa.aci.ACI(aci_str)
+                aci_list.append(aci)
+            except SyntaxError:
+                # ignore aci_str's that ACI can't parse
+                pass
+        group_dn_to_cn = self.extract_group_cns(aci_list, client)
+
+        return dict(aci_list=aci_list, group_dn_to_cn=group_dn_to_cn)
+
+    @expose("ipagui.templates.delegategroupsearch")
+    @identity.require(identity.not_anonymous())
+    def group_search(self, **kw):
+        """Searches for groups and displays list of results in a table.
+           This method is used for the ajax search on the delegation pages."""
+        client = self.get_ipaclient()
+
+        groups = []
+        groups_counter = 0
+        searchlimit = 100
+        criteria = kw.get('criteria')
+        if criteria != None and len(criteria) > 0:
+            try:
+                groups = client.find_groups(criteria.encode('utf-8'), None,
+                        searchlimit)
+                groups_counter = groups[0]
+                groups = groups[1:]
+            except ipaerror.IPAError, e:
+                turbogears.flash("search failed: " + str(e))
+
+        return dict(groups=groups, criteria=criteria,
+                which_group=kw.get('which_group'),
+                counter=groups_counter)
+
+    @validate(form=delegate_new_form)
+    @identity.require(identity.not_anonymous())
+    def delegatecreatevalidate(self, tg_errors=None, **kw):
+        return tg_errors, kw
+
+    def extract_group_cns(self, aci_list, client):
+        """Extracts all the cn's from a list of aci's and returns them as a hash
+           from group_dn to group_cn.
+
+           It first tries to cheat by looking at the first rdn for the
+           group dn.  If that's not cn for some reason, it looks up the group."""
+        group_dn_to_cn = {}
+        for aci in aci_list:
+            for dn in (aci.source_group, aci.dest_group):
+                if not group_dn_to_cn.has_key(dn):
+                    rdn_list = ldap.dn.str2dn(dn)
+                    first_rdn = rdn_list[0]
+                    for (type,value,junk) in first_rdn:
+                        if type == "cn":
+                            group_dn_to_cn[dn] = value
+                            break;
+                    else:
+                        try:
+                            group = client.get_entry_by_dn(dn, ['cn'])
+                            group_dn_to_cn[dn] = group.getValue('cn')
+                        except ipaerror.IPAError, e:
+                            group_dn_to_cn[dn] = 'unknown'
+
+        return group_dn_to_cn
+
diff -r dcfb5974ee27 -r 2ffed8848975 ipa-server/ipa-gui/ipagui/templates/delegategroupsearch.kid
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-server/ipa-gui/ipagui/templates/delegategroupsearch.kid	Fri Oct 12 15:11:55 2007 -0700
@@ -0,0 +1,31 @@
+<div xmlns:py="http://purl.org/kid/ns#">
+
+<?python
+from ipagui.helpers import ipahelper
+?>
+  <div py:if='(groups != None) and (len(groups) > 0)'>
+    <div id="search-results-count">
+      ${len(groups)} results returned:
+      <span py:if="counter &lt; 0">
+        (truncated)
+      </span>
+    </div>
+
+    <div py:for="group in groups">
+      <?python
+      group_dn_esc = ipahelper.javascript_string_escape(group.dn)
+      group_cn_esc = ipahelper.javascript_string_escape(group.cn)
+      which_group_esc = ipahelper.javascript_string_escape(which_group)
+      ?>
+
+      ${group.cn}
+      <a href=""
+        onclick="selectGroup('${which_group_esc}', '${group_dn_esc}', '${group_cn_esc}');
+                return false;"
+      >select</a>
+    </div>
+  </div>
+  <div py:if='(groups != None) and (len(groups) == 0)'>
+    No results found for "${criteria}"
+  </div>
+</div>
diff -r dcfb5974ee27 -r 2ffed8848975 ipa-server/ipa-gui/ipagui/templates/delegatelayout.kid
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-server/ipa-gui/ipagui/templates/delegatelayout.kid	Fri Oct 12 15:11:55 2007 -0700
@@ -0,0 +1,16 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:py="http://purl.org/kid/ns#"
+    py:extends="'master.kid'">
+<head>
+</head>
+
+<body py:match="item.tag=='{http://www.w3.org/1999/xhtml}body'" py:attrs="item.items()">
+      <div id="main_content">
+        <div id="status_block" py:if="value_of('tg_flash', None)"
+            py:content="XML(tg_flash)"></div>
+
+        <div py:replace="[item.text]+item[:]"></div>
+      </div>
+</body>
+
+</html>
diff -r dcfb5974ee27 -r 2ffed8848975 ipa-server/ipa-gui/ipagui/templates/delegatelist.kid
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-server/ipa-gui/ipagui/templates/delegatelist.kid	Fri Oct 12 15:11:55 2007 -0700
@@ -0,0 +1,60 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:py="http://purl.org/kid/ns#"
+    py:extends="'delegatelayout.kid'">
+<head>
+<meta content="text/html; charset=utf-8" http-equiv="Content-Type" py:replace="''"/>
+<title>Delegations</title>
+</head>
+<body>
+  <script type="text/javascript" charset="utf-8" src="${tg.url('/static/javascript/tablekit.js')}"></script>
+
+  <h2>Delegations</h2>
+
+  <table id="resultstable" class="sortable resizable">
+    <thead>
+    <tr>
+      <th>Name</th>
+      <th>People in Group</th>
+      <th>Can Modify</th>
+      <th>For People in Group</th>
+      <th>Action</th>
+    </tr>
+    </thead>
+    <tbody>
+    <tr py:for='aci in aci_list'>
+      <?python
+      source_cn = group_dn_to_cn.get(aci.source_group)
+      dest_cn = group_dn_to_cn.get(aci.dest_group)
+      ?>
+      <td>
+        ${aci.name}
+      </td>
+      <td>
+        <a href="${tg.url('/group/show', cn=source_cn)}"
+          >${source_cn}</a>
+      </td>
+      <td>
+        ${", ".join(aci.attrs)}
+      </td>
+      <td>
+        <a href="${tg.url('/group/show', cn=dest_cn)}"
+          >${dest_cn}</a>
+      </td>
+      <td>
+        <a href="${tg.url('/delegate/edit')}">edit</a> (TODO)<br />
+      </td>
+    </tr>
+    </tbody>
+  </table>
+
+  <table border="0">
+    <tbody>
+    <tr>
+      <td>
+        <a href="${tg.url('/delegate/new')}">add new delegation</a><br />
+      </td>
+    </tr>
+    </tbody>
+  </table>
+</body>
+</html>
diff -r dcfb5974ee27 -r 2ffed8848975 ipa-server/ipa-gui/ipagui/templates/delegatenew.kid
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-server/ipa-gui/ipagui/templates/delegatenew.kid	Fri Oct 12 15:11:55 2007 -0700
@@ -0,0 +1,15 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:py="http://purl.org/kid/ns#"
+    py:extends="'delegatelayout.kid'">
+<head>
+<meta content="text/html; charset=utf-8" http-equiv="Content-Type" py:replace="''"/>
+<title>Add Delegation</title>
+</head>
+<body>
+
+    <h2>Add Delegation</h2>
+
+    ${form.display(action=tg.url("/delegate/create"), value=delegate)}
+
+</body>
+</html>
diff -r dcfb5974ee27 -r 2ffed8848975 ipa-server/ipa-gui/ipagui/templates/delegatenewform.kid
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-server/ipa-gui/ipagui/templates/delegatenewform.kid	Fri Oct 12 15:11:55 2007 -0700
@@ -0,0 +1,154 @@
+<div xmlns:py="http://purl.org/kid/ns#"
+  class="simpleroster">
+
+  <?python searchurl = tg.url('/delegate/group_search') ?>
+
+  <script type="text/javascript">
+
+    function enterDoSearch(e, which_group) {
+      var keyPressed;
+      if (window.event) {
+        keyPressed = window.event.keyCode;
+      } else {
+        keyPressed = e.which; 
+      }
+
+      if (keyPressed == 13) {
+        return doSearch(which_group);
+      } else {
+        return true;
+      }
+    }
+
+    function doSearch(which_group) {
+      $(which_group + '_searchresults').update("Searching...");
+      new Ajax.Updater(which_group + '_searchresults',
+          '${searchurl}',
+          {  asynchronous:true,
+             parameters: { criteria: $(which_group + '_criteria').value,
+                           which_group: which_group},
+             evalScripts: true });
+      return false;
+    }
+
+    function selectGroup(which_group, group_dn, group_cn) {
+      group_dn_field = $('form_' + which_group + '_group_dn');
+      group_cn_field = $('form_' + which_group + '_group_cn');
+      group_cn_span = $(which_group + '_group_cn');
+
+      group_dn_field.value = group_dn;
+      group_cn_field.value = group_cn;
+      group_cn_span.update(group_cn);
+
+      new Effect.Fade($(which_group + '_searcharea'), {duration: 0.25});
+      new Effect.Appear($(which_group + '_change_link'), {duration: 0.25});
+    }
+  </script>
+
+  <form action="${action}" name="${name}" method="${method}" class="tableform">
+
+    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+      <tr>
+        <td>
+          <input type="submit" class="submitbutton" name="submit"
+                 value="Add Delegation"/>
+        </td>
+      </tr>
+    </table>
+
+    <div py:for="field in hidden_fields"
+      py:replace="field.display(value_for(field), **params_for(field))" 
+      />
+
+    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+      <tr>
+        <th valign="top">
+          <label class="fieldlabel" for="${delegate.name.field_id}"
+            py:content="delegate.name.label" />:
+        </th>
+        <td>
+          <span py:replace="delegate.name.display(value_for(delegate.name))" />
+          <span py:if="tg.errors.get('name')" class="fielderror"
+              py:content="tg.errors.get('name')" />
+        </td>
+      </tr>
+      <tr>
+        <th valign="top">
+          <label class="fieldlabel" for="${delegate.source_group_cn.field_id}"
+            py:content="delegate.source_group_cn.label" />:
+        </th>
+        <td>
+          <div>
+            <span id='source_group_cn'>${value_for(delegate.source_group_cn)}</span>
+            <a href="#" id='source_change_link'
+              onclick="new Effect.Appear($('source_searcharea'), {duration: 0.25});
+                       new Effect.Fade(this, {duration: 0.25});
+                       return false;">change</a>
+            <span py:if="tg.errors.get('source_group_dn')" class="fielderror"
+                py:content="tg.errors.get('source_group_dn')" />
+          </div>
+          <div id="source_searcharea" style="display:none">
+            <div>
+              <input id="source_criteria" type="text"
+                onkeypress="return enterDoSearch(event, 'source');" />
+              <input type="button" value="Find"
+                onclick="return doSearch('source');"
+              />
+            </div>
+            <div id="source_searchresults">
+            </div>
+          </div>
+        </td>
+      </tr>
+      <tr>
+        <th valign="top">
+          <label class="fieldlabel" for="${delegate.attrs.field_id}"
+            py:content="delegate.attrs.label" />:
+        </th>
+        <td valign="top">
+          <span py:if="tg.errors.get('attrs')" class="fielderror"
+              py:content="tg.errors.get('attrs')" />
+          <span py:replace="delegate.attrs.display(value_for(delegate.attrs))" />
+        </td>
+      </tr>
+      <tr>
+        <th valign="top">
+          <label class="fieldlabel" for="${delegate.dest_group_cn.field_id}"
+            py:content="delegate.dest_group_cn.label" />:
+        </th>
+        <td>
+          <div>
+            <span id='dest_group_cn'>${value_for(delegate.dest_group_cn)}</span>
+            <a href="#" id='dest_change_link'
+              onclick="new Effect.Appear($('dest_searcharea'), {duration: 0.25});
+                       new Effect.Fade(this, {duration: 0.25});
+                       return false;">change</a>
+            <span py:if="tg.errors.get('dest_group_dn')" class="fielderror"
+                py:content="tg.errors.get('dest_group_dn')" />
+          </div>
+          <div id="dest_searcharea" style="display:none">
+            <div>
+              <input id="dest_criteria" type="text"
+                onkeypress="return enterDoSearch(event, 'dest');" />
+              <input type="button" value="Find"
+                onclick="return doSearch('dest');"
+              />
+            </div>
+            <div id="dest_searchresults">
+            </div>
+          </div>
+        </td>
+      </tr>
+    </table>
+
+    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+      <tr>
+        <td>
+          <input type="submit" class="submitbutton" name="submit"
+                 value="Add Delegation"/>
+        </td>
+      </tr>
+    </table>
+
+  </form>
+</div>
diff -r dcfb5974ee27 -r 2ffed8848975 ipa-server/ipa-gui/ipagui/templates/master.kid
--- a/ipa-server/ipa-gui/ipagui/templates/master.kid	Fri Oct 12 10:11:57 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/master.kid	Fri Oct 12 15:11:55 2007 -0700
@@ -77,6 +77,9 @@
         <a href="${tg.url('/')}">Manage Policy</a><br/>
         <a href="${tg.url('/')}">Self Service</a><br/>
         </p>
+        <p>
+        <a href="${tg.url('/delegate/list')}">Delegation Mgmt</a><br/>
+        </p>
       </div>
 
       <div py:replace="[item.text]+item[:]"></div>
diff -r dcfb5974ee27 -r 2ffed8848975 ipa-server/xmlrpc-server/funcs.py
--- a/ipa-server/xmlrpc-server/funcs.py	Fri Oct 12 10:11:57 2007 -0700
+++ b/ipa-server/xmlrpc-server/funcs.py	Fri Oct 12 15:11:55 2007 -0700
@@ -43,6 +43,7 @@ except ImportError:
 # Need a global to store this between requests
 _LDAPPool = None
 
+ACIContainer = "cn=accounts"
 DefaultUserContainer = "cn=users,cn=accounts"
 DefaultGroupContainer = "cn=groups,cn=accounts"
 
@@ -343,6 +344,14 @@ class IPAServer:
         partial_match_filter += ")"
 
         return (exact_match_filter, partial_match_filter)
+
+# Higher-level API
+
+    def get_aci_entry(self, sattrs=None, opts=None):
+        """Returns the entry containing access control ACIs."""
+
+        dn="%s,%s" % (ACIContainer, self.basedn)
+        return self.get_entry_by_dn(dn, sattrs, opts)
 
 # General searches
 
diff -r dcfb5974ee27 -r 2ffed8848975 ipa-server/xmlrpc-server/ipaxmlrpc.py
--- a/ipa-server/xmlrpc-server/ipaxmlrpc.py	Fri Oct 12 10:11:57 2007 -0700
+++ b/ipa-server/xmlrpc-server/ipaxmlrpc.py	Fri Oct 12 15:11:55 2007 -0700
@@ -317,6 +317,7 @@ def handler(req, profiling=False):
         try:
             f = funcs.IPAServer()
             h = ModXMLRPCRequestHandler()
+            h.register_function(f.get_aci_entry)
             h.register_function(f.get_entry_by_dn)
             h.register_function(f.get_entry_by_cn)
             h.register_function(f.get_user_by_uid)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071012/30d21467/attachment.bin>

From kmccarth at redhat.com  Fri Oct 12 23:00:46 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Fri, 12 Oct 2007 16:00:46 -0700
Subject: [Freeipa-devel] [PATCH] update_entry
Message-ID: <20071012230046.GD6225@moon.usersys.redhat.com>

This patch unifies the update_group and update_user methods into
update_entry.

The modivation for this was from the delegation management code, where I
need to update the cn=accounts entry.  Although calling update_group()
worked, it looked strange.

That said, it may be just as offensive to have an API with add_user,
delete_user, but update_entry.  I'm open to suggestions.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192229916 25200
# Node ID 33d4a477d7326a633d6d65dea46817b1eb371416
# Parent  2ffed88489759ced4ba285c3f1d00f84eb3eeebe
Creates a single update_entry api call.

diff -r 2ffed8848975 -r 33d4a477d732 ipa-admintools/ipa-groupmod
--- a/ipa-admintools/ipa-groupmod	Fri Oct 12 15:11:55 2007 -0700
+++ b/ipa-admintools/ipa-groupmod	Fri Oct 12 15:58:36 2007 -0700
@@ -91,7 +91,7 @@ def main():
             if group is None:
                 return 1
             group.setValue('description', options.desc)
-            client.update_group(group)
+            client.update_entry(group)
             print args[1] + " successfully updated"
     except xmlrpclib.Fault, f:
         print f.faultString
diff -r 2ffed8848975 -r 33d4a477d732 ipa-admintools/ipa-usermod
--- a/ipa-admintools/ipa-usermod	Fri Oct 12 15:11:55 2007 -0700
+++ b/ipa-admintools/ipa-usermod	Fri Oct 12 15:58:36 2007 -0700
@@ -190,7 +190,7 @@ def main():
         user.setValue('loginshell', shell)
 
     try:
-        client.update_user(user)
+        client.update_entry(user)
     except xmlrpclib.Fault, f:
         print f.faultString
         return 1
diff -r 2ffed8848975 -r 33d4a477d732 ipa-python/ipaclient.py
--- a/ipa-python/ipaclient.py	Fri Oct 12 15:11:55 2007 -0700
+++ b/ipa-python/ipaclient.py	Fri Oct 12 15:58:36 2007 -0700
@@ -78,6 +78,12 @@ class IPAClient:
         result = self.transport.get_entry_by_cn(cn,sattrs)
         return entity.Entity(result)
 
+    def update_entry(self,entry):
+        """Update a entry."""
+
+        result = self.transport.update_entry(entry.origDataDict(), entry.toDict())
+        return result
+
 # User support
     def get_user_by_uid(self,uid,sattrs=None):
         """Get a specific user by uid. If sattrs is set then only those
@@ -145,12 +151,6 @@ class IPAClient:
 
         return users
 
-    def update_user(self,user):
-        """Update a user entry."""
-
-        result = self.transport.update_user(user.origDataDict(), user.toDict())
-        return result
-
     def delete_user(self,uid):
         """Delete a user entry."""
 
@@ -285,11 +285,6 @@ class IPAClient:
 
         return self.transport.remove_groups_from_user(group_dns, user_dn)
 
-    def update_group(self,group):
-        """Update a group entry."""
-
-        return self.transport.update_group(group.origDataDict(), group.toDict())
-
     def delete_group(self,group_cn):
         """Delete a group entry."""
 
diff -r 2ffed8848975 -r 33d4a477d732 ipa-python/rpcclient.py
--- a/ipa-python/rpcclient.py	Fri Oct 12 15:11:55 2007 -0700
+++ b/ipa-python/rpcclient.py	Fri Oct 12 15:58:36 2007 -0700
@@ -118,6 +118,20 @@ class RPCClient:
 
         return ipautil.unwrap_binary_data(result)
 
+    def update_entry(self,oldentry,newentry):
+        """Update an existing entry. oldentry and newentry are dicts of attributes"""
+        server = self.setup_server()
+
+        try:
+            result = server.update_entry(ipautil.wrap_binary_data(oldentry),
+                    ipautil.wrap_binary_data(newentry))
+        except xmlrpclib.Fault, fault:
+            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
+        except socket.error, (value, msg):
+            raise xmlrpclib.Fault(value, msg)
+
+        return ipautil.unwrap_binary_data(result)
+
 
 # User support
 
@@ -237,20 +251,6 @@ class RPCClient:
     
         return ipautil.unwrap_binary_data(result)
 
-    def update_user(self,olduser,newuser):
-        """Update an existing user. olduser and newuser are dicts of attributes"""
-        server = self.setup_server()
-    
-        try:
-            result = server.update_user(ipautil.wrap_binary_data(olduser),
-                    ipautil.wrap_binary_data(newuser))
-        except xmlrpclib.Fault, fault:
-            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
-        except socket.error, (value, msg):
-            raise xmlrpclib.Fault(value, msg)
-
-        return ipautil.unwrap_binary_data(result)
-
     def delete_user(self,uid):
         """Delete a user. uid is the uid of the user to delete."""
         server = self.setup_server()
@@ -491,20 +491,6 @@ class RPCClient:
 
         return ipautil.unwrap_binary_data(result)
 
-    def update_group(self,oldgroup,newgroup):
-        """Update an existing group. oldgroup and newgroup are dicts of attributes"""
-        server = self.setup_server()
-    
-        try:
-            result = server.update_group(ipautil.wrap_binary_data(oldgroup),
-                    ipautil.wrap_binary_data(newgroup))
-        except xmlrpclib.Fault, fault:
-            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
-        except socket.error, (value, msg):
-            raise xmlrpclib.Fault(value, msg)
-
-        return ipautil.unwrap_binary_data(result)
-
     def delete_group(self,group_cn):
         """Delete a group. group_cn is the cn of the group to be deleted."""
         server = self.setup_server()
diff -r 2ffed8848975 -r 33d4a477d732 ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py	Fri Oct 12 15:11:55 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py	Fri Oct 12 15:58:36 2007 -0700
@@ -62,8 +62,7 @@ class DelegationController(IPAController
             aci_entry = client.get_aci_entry(['dn'])
             aci_entry.setValue('aci', new_aci.export_to_string())
 
-            # TODO - add a client.update_entry() call instead
-            client.update_group(aci_entry)
+            client.update_entry(aci_entry)
         except ipaerror.IPAError, e:
             turbogears.flash("Delgate add failed: " + str(e))
             return dict(form=delegate_new_form, delegate=kw,
diff -r 2ffed8848975 -r 33d4a477d732 ipa-server/ipa-gui/ipagui/subcontrollers/group.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py	Fri Oct 12 15:11:55 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py	Fri Oct 12 15:58:36 2007 -0700
@@ -246,7 +246,7 @@ class GroupController(IPAController):
                     new_group.setValue('gidnumber', new_gid)
 
             if group_modified:
-                rv = client.update_group(new_group)
+                rv = client.update_entry(new_group)
                 #
                 # If the group update succeeds, but below operations fail, we
                 # need to make sure a subsequent submit doesn't try to update
diff -r 2ffed8848975 -r 33d4a477d732 ipa-server/ipa-gui/ipagui/subcontrollers/user.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py	Fri Oct 12 15:11:55 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py	Fri Oct 12 15:58:36 2007 -0700
@@ -293,7 +293,7 @@ class UserController(IPAController):
                 new_user.setValue('gidnumber', str(kw.get('gidnumber')))
                 new_user.setValue('homedirectory', str(kw.get('homedirectory')))
 
-            rv = client.update_user(new_user)
+            rv = client.update_entry(new_user)
             #
             # If the user update succeeds, but below operations fail, we
             # need to make sure a subsequent submit doesn't try to update
diff -r 2ffed8848975 -r 33d4a477d732 ipa-server/xmlrpc-server/funcs.py
--- a/ipa-server/xmlrpc-server/funcs.py	Fri Oct 12 15:11:55 2007 -0700
+++ b/ipa-server/xmlrpc-server/funcs.py	Fri Oct 12 15:58:36 2007 -0700
@@ -372,6 +372,10 @@ class IPAServer:
         filter = "(cn=" + cn + ")"
         return self.__get_sub_entry(self.basedn, filter, sattrs, opts)
 
+    def update_entry (self, oldentry, newentry, opts=None):
+        """Update an entry in LDAP"""
+        return self.__update_entry(oldentry, newentry, opts)
+
 # User support
 
     def __is_user_unique(self, uid, opts):
@@ -614,10 +618,6 @@ class IPAServer:
             new_dict[k] = v
 
         return new_dict
-
-    def update_user (self, olduser, newuser, opts=None):
-        """Update a user in LDAP"""
-        return self.__update_entry(olduser, newuser, opts)
 
     def mark_user_deleted (self, uid, opts=None):
         """Mark a user as inactive in LDAP. We aren't actually deleting
@@ -1015,10 +1015,6 @@ class IPAServer:
                 failed.append(group_dn)
 
         return failed
-
-    def update_group (self, oldgroup, newgroup, opts=None):
-        """Update a group in LDAP"""
-        return self.__update_entry(oldgroup, newgroup, opts)
 
     def delete_group (self, group_dn, opts=None):
         """Delete a group
diff -r 2ffed8848975 -r 33d4a477d732 ipa-server/xmlrpc-server/ipaxmlrpc.py
--- a/ipa-server/xmlrpc-server/ipaxmlrpc.py	Fri Oct 12 15:11:55 2007 -0700
+++ b/ipa-server/xmlrpc-server/ipaxmlrpc.py	Fri Oct 12 15:58:36 2007 -0700
@@ -320,6 +320,7 @@ def handler(req, profiling=False):
             h.register_function(f.get_aci_entry)
             h.register_function(f.get_entry_by_dn)
             h.register_function(f.get_entry_by_cn)
+            h.register_function(f.update_entry)
             h.register_function(f.get_user_by_uid)
             h.register_function(f.get_user_by_principal)
             h.register_function(f.get_users_by_manager)
@@ -327,7 +328,6 @@ def handler(req, profiling=False):
             h.register_function(f.get_add_schema)
             h.register_function(f.get_all_users)
             h.register_function(f.find_users)
-            h.register_function(f.update_user)
             h.register_function(f.delete_user)
             h.register_function(f.mark_user_deleted)
             h.register_function(f.modifyPassword)
@@ -345,7 +345,6 @@ def handler(req, profiling=False):
             h.register_function(f.remove_users_from_group)
             h.register_function(f.add_groups_to_user)
             h.register_function(f.remove_groups_from_user)
-            h.register_function(f.update_group)
             h.register_function(f.delete_group)
             h.handle_request(req)
         finally:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071012/a9bef447/attachment.bin>

From ssorce at redhat.com  Sat Oct 13 02:48:45 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 12 Oct 2007 22:48:45 -0400
Subject: [Freeipa-devel] ntp
In-Reply-To: <1192219288.3294.56.camel@localhost.localdomain>
References: <470E9347.1000201@redhat.com>
	<20071011212715.GJ13334@moon.usersys.redhat.com>
	<1192139789.851.74.camel@localhost.localdomain>
	<1192219288.3294.56.camel@localhost.localdomain>
Message-ID: <1192243725.10852.63.camel@localhost.localdomain>

On Fri, 2007-10-12 at 16:01 -0400, Karl MacMillan wrote:

> > It's not out of scope at all, we should do this for all clients anyway
> > like we configure kerberos and ldap.
> > The problem with ntp is that it seem that if it starts and it can't
> > contact the server it just dies. I have been told some times ago that
> > starting ntp with an empty configuration and piping in the right server
> > after it is started using a client tool provided in the package solves
> > this problem. Unfortunately it is too much for v1.
> > 
> 
> Since we don't have disconnected operation for v1 is this really an
> issue?

Yes it is, if your server start before your router/DNS/whatever makes it
not reach the ntp server, then, from what I have been told, your ntpd
will simply exit (no ntp for clients, kerberos breaks).

> > So for now we should just check ntp is up and running both on server and
> > client, and just *warn*. They maybe running something different that
> > keep clock in sync, we shouldn't force ntp at all costs.
> > 
> 
> Not certain what you mean - I think the server tools should setup an ntp
> server regardless. It doesn't hurt. The client tools should optionally
> configure ntp.

This is what I meant, more or less :)

Simo.



From rcritten at redhat.com  Mon Oct 15 12:45:32 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Oct 2007 08:45:32 -0400
Subject: [Freeipa-devel] [PATCH] update_entry
In-Reply-To: <20071012230046.GD6225@moon.usersys.redhat.com>
References: <20071012230046.GD6225@moon.usersys.redhat.com>
Message-ID: <471360EC.4050504@redhat.com>

Kevin McCarthy wrote:
> This patch unifies the update_group and update_user methods into
> update_entry.
> 
> The modivation for this was from the delegation management code, where I
> need to update the cn=accounts entry.  Although calling update_group()
> worked, it looked strange.
> 
> That said, it may be just as offensive to have an API with add_user,
> delete_user, but update_entry.  I'm open to suggestions.
> 
>
I don't understand how update_group looked strange.

We can always have an update_user function that is an alias to update_entry.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/26476b4c/attachment.bin>

From rcritten at redhat.com  Mon Oct 15 14:49:17 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Oct 2007 10:49:17 -0400
Subject: [Freeipa-devel] [PATCH] check for LDAP ports during install
Message-ID: <47137DED.9000505@redhat.com>

Patch to verify that the LDAP ports are available when doing an 
installation. If they aren't the FDS installer will crash and burn.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-269-ports.patch
Type: text/x-patch
Size: 2035 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/82ed3ab9/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/82ed3ab9/attachment-0001.bin>

From kmccarth at redhat.com  Mon Oct 15 15:28:30 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 15 Oct 2007 08:28:30 -0700
Subject: [Freeipa-devel] [PATCH] update_entry
In-Reply-To: <471360EC.4050504@redhat.com>
References: <20071012230046.GD6225@moon.usersys.redhat.com>
	<471360EC.4050504@redhat.com>
Message-ID: <20071015152829.GA3834@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> This patch unifies the update_group and update_user methods into
>> update_entry.
>> The modivation for this was from the delegation management code, where I
>> need to update the cn=accounts entry.  Although calling update_group()
>> worked, it looked strange.
>> That said, it may be just as offensive to have an API with add_user,
>> delete_user, but update_entry.  I'm open to suggestions.
>>
> I don't understand how update_group looked strange.

Well, basically because it wasn't a group that I was updating, it was an
ACI container.  So that api calls looked like
  aci = get_aci_entry()
  ...
  update_group(aci)

> We can always have an update_user function that is an alias to 
> update_entry.

Sounds like a reasonable solution to me.  Let me rework the patch,
preserving update_user and update_group alias for update_entry.

-Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/377bf38e/attachment.bin>

From kmccarth at redhat.com  Mon Oct 15 15:30:08 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 15 Oct 2007 08:30:08 -0700
Subject: [Freeipa-devel] [PATCH] check for LDAP ports during install
In-Reply-To: <47137DED.9000505@redhat.com>
References: <47137DED.9000505@redhat.com>
Message-ID: <20071015153008.GB3834@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Patch to verify that the LDAP ports are available when doing an 
> installation. If they aren't the FDS installer will crash and burn.

Looks great.

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/6098aa54/attachment.bin>

From kmccarth at redhat.com  Mon Oct 15 16:06:21 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 15 Oct 2007 09:06:21 -0700
Subject: [Freeipa-devel] [PATCH] update_entry
In-Reply-To: <20071015152829.GA3834@moon.usersys.redhat.com>
References: <20071012230046.GD6225@moon.usersys.redhat.com>
	<471360EC.4050504@redhat.com>
	<20071015152829.GA3834@moon.usersys.redhat.com>
Message-ID: <20071015160621.GC3834@moon.usersys.redhat.com>

Kevin McCarthy wrote:
> Rob Crittenden wrote:
> > Kevin McCarthy wrote:
> >> This patch unifies the update_group and update_user methods into
> >> update_entry.
> >> The modivation for this was from the delegation management code, where I
> >> need to update the cn=accounts entry.  Although calling update_group()
> >> worked, it looked strange.
> >> That said, it may be just as offensive to have an API with add_user,
> >> delete_user, but update_entry.  I'm open to suggestions.
> >>
> > I don't understand how update_group looked strange.
> 
> Well, basically because it wasn't a group that I was updating, it was an
> ACI container.  So that api calls looked like
>   aci = get_aci_entry()
>   ...
>   update_group(aci)
> 
> > We can always have an update_user function that is an alias to 
> > update_entry.
> 
> Sounds like a reasonable solution to me.  Let me rework the patch,
> preserving update_user and update_group alias for update_entry.

Attached is the new version of the patch, preserving the update_user and
update_group calls.

-Kevin
-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192464253 25200
# Node ID 9a29344f0870d0963529d97c3893f68d947675df
# Parent  bfbffaf14140dbccf15a9563d69e854909f80647
Creates an update_entry api call, aliases update_user and update_group to it.

diff -r bfbffaf14140 -r 9a29344f0870 ipa-python/ipaclient.py
--- a/ipa-python/ipaclient.py	Mon Oct 15 08:53:24 2007 -0700
+++ b/ipa-python/ipaclient.py	Mon Oct 15 09:04:13 2007 -0700
@@ -78,6 +78,12 @@ class IPAClient:
         result = self.transport.get_entry_by_cn(cn,sattrs)
         return entity.Entity(result)
 
+    def update_entry(self,entry):
+        """Update a entry."""
+
+        result = self.transport.update_entry(entry.origDataDict(), entry.toDict())
+        return result
+
 # User support
     def get_user_by_uid(self,uid,sattrs=None):
         """Get a specific user by uid. If sattrs is set then only those
diff -r bfbffaf14140 -r 9a29344f0870 ipa-python/rpcclient.py
--- a/ipa-python/rpcclient.py	Mon Oct 15 08:53:24 2007 -0700
+++ b/ipa-python/rpcclient.py	Mon Oct 15 09:04:13 2007 -0700
@@ -118,6 +118,20 @@ class RPCClient:
 
         return ipautil.unwrap_binary_data(result)
 
+    def update_entry(self,oldentry,newentry):
+        """Update an existing entry. oldentry and newentry are dicts of attributes"""
+        server = self.setup_server()
+
+        try:
+            result = server.update_entry(ipautil.wrap_binary_data(oldentry),
+                    ipautil.wrap_binary_data(newentry))
+        except xmlrpclib.Fault, fault:
+            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
+        except socket.error, (value, msg):
+            raise xmlrpclib.Fault(value, msg)
+
+        return ipautil.unwrap_binary_data(result)
+
 
 # User support
 
diff -r bfbffaf14140 -r 9a29344f0870 ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py	Mon Oct 15 08:53:24 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py	Mon Oct 15 09:04:13 2007 -0700
@@ -62,8 +62,7 @@ class DelegationController(IPAController
             aci_entry = client.get_aci_entry(['dn'])
             aci_entry.setValue('aci', new_aci.export_to_string())
 
-            # TODO - add a client.update_entry() call instead
-            client.update_group(aci_entry)
+            client.update_entry(aci_entry)
         except ipaerror.IPAError, e:
             turbogears.flash("Delgate add failed: " + str(e))
             return dict(form=delegate_new_form, delegate=kw,
diff -r bfbffaf14140 -r 9a29344f0870 ipa-server/xmlrpc-server/funcs.py
--- a/ipa-server/xmlrpc-server/funcs.py	Mon Oct 15 08:53:24 2007 -0700
+++ b/ipa-server/xmlrpc-server/funcs.py	Mon Oct 15 09:04:13 2007 -0700
@@ -343,6 +343,10 @@ class IPAServer:
         filter = "(cn=" + cn + ")"
         return self.__get_sub_entry(self.basedn, filter, sattrs, opts)
 
+    def update_entry (self, oldentry, newentry, opts=None):
+        """Update an entry in LDAP"""
+        return self.__update_entry(oldentry, newentry, opts)
+
 # User support
 
     def __is_user_unique(self, uid, opts):
@@ -586,9 +590,7 @@ class IPAServer:
 
         return new_dict
 
-    def update_user (self, olduser, newuser, opts=None):
-        """Update a user in LDAP"""
-        return self.__update_entry(olduser, newuser, opts)
+    update_user = update_entry
 
     def mark_user_deleted (self, uid, opts=None):
         """Mark a user as inactive in LDAP. We aren't actually deleting
@@ -987,9 +989,7 @@ class IPAServer:
 
         return failed
 
-    def update_group (self, oldgroup, newgroup, opts=None):
-        """Update a group in LDAP"""
-        return self.__update_entry(oldgroup, newgroup, opts)
+    update_group = update_entry
 
     def delete_group (self, group_dn, opts=None):
         """Delete a group
diff -r bfbffaf14140 -r 9a29344f0870 ipa-server/xmlrpc-server/ipaxmlrpc.py
--- a/ipa-server/xmlrpc-server/ipaxmlrpc.py	Mon Oct 15 08:53:24 2007 -0700
+++ b/ipa-server/xmlrpc-server/ipaxmlrpc.py	Mon Oct 15 09:04:13 2007 -0700
@@ -320,6 +320,7 @@ def handler(req, profiling=False):
             h.register_function(f.get_aci_entry)
             h.register_function(f.get_entry_by_dn)
             h.register_function(f.get_entry_by_cn)
+            h.register_function(f.update_entry)
             h.register_function(f.get_user_by_uid)
             h.register_function(f.get_user_by_principal)
             h.register_function(f.get_users_by_manager)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/29e06258/attachment.bin>

From mccann at jhu.edu  Mon Oct 15 16:25:54 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Mon, 15 Oct 2007 12:25:54 -0400
Subject: [Freeipa-devel] [PATCH] check for LDAP ports during install
In-Reply-To: <47137DED.9000505@redhat.com>
References: <47137DED.9000505@redhat.com>
Message-ID: <939dd5750710150925o2beade9r1d5cfb9c123409fe@mail.gmail.com>

On 10/15/07, Rob Crittenden <rcritten at redhat.com> wrote:
> Patch to verify that the LDAP ports are available when doing an
> installation. If they aren't the FDS installer will crash and burn.

FWIW, I think this is great.  I ran into this problem myself.

Jon



From ssorce at redhat.com  Mon Oct 15 16:29:25 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 15 Oct 2007 12:29:25 -0400
Subject: [Freeipa-devel] [PATCH] check for LDAP ports during install
In-Reply-To: <47137DED.9000505@redhat.com>
References: <47137DED.9000505@redhat.com>
Message-ID: <1192465765.7342.3.camel@localhost.localdomain>

On Mon, 2007-10-15 at 10:49 -0400, Rob Crittenden wrote:
> Patch to verify that the LDAP ports are available when doing an 
> installation. If they aren't the FDS installer will crash and burn.

To properly check you should not try to connect to the ports, but
instead try to bind the ports.
Connect may fail because of firewall or maybe because a server is bound
only to the public IP and not localhost, etc ...
Trying to bind to the wildcard address will tell you exactly if binding
is possible. Can you change the patch to try to bind instead of trying
to connect?

Thanks,
Simo.



From rcritten at redhat.com  Mon Oct 15 16:57:57 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Oct 2007 12:57:57 -0400
Subject: [Freeipa-devel] [PATCH] check for LDAP ports during install
In-Reply-To: <1192465765.7342.3.camel@localhost.localdomain>
References: <47137DED.9000505@redhat.com>
	<1192465765.7342.3.camel@localhost.localdomain>
Message-ID: <47139C15.5070707@redhat.com>

Simo Sorce wrote:
> On Mon, 2007-10-15 at 10:49 -0400, Rob Crittenden wrote:
>> Patch to verify that the LDAP ports are available when doing an 
>> installation. If they aren't the FDS installer will crash and burn.
> 
> To properly check you should not try to connect to the ports, but
> instead try to bind the ports.
> Connect may fail because of firewall or maybe because a server is bound
> only to the public IP and not localhost, etc ...
> Trying to bind to the wildcard address will tell you exactly if binding
> is possible. Can you change the patch to try to bind instead of trying
> to connect?
> 
> Thanks,
> Simo.
> 

Ok, that makes sense to see if openldap is bound on something other than 
localhost. I'll send a new patch soonish.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/e295fbb9/attachment.bin>

From rcritten at redhat.com  Mon Oct 15 17:27:55 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Oct 2007 13:27:55 -0400
Subject: [Freeipa-devel] [PATCH] check for LDAP ports during install
In-Reply-To: <1192465765.7342.3.camel@localhost.localdomain>
References: <47137DED.9000505@redhat.com>
	<1192465765.7342.3.camel@localhost.localdomain>
Message-ID: <4713A31B.6000902@redhat.com>

Simo Sorce wrote:
> On Mon, 2007-10-15 at 10:49 -0400, Rob Crittenden wrote:
>> Patch to verify that the LDAP ports are available when doing an 
>> installation. If they aren't the FDS installer will crash and burn.
> 
> To properly check you should not try to connect to the ports, but
> instead try to bind the ports.
> Connect may fail because of firewall or maybe because a server is bound
> only to the public IP and not localhost, etc ...
> Trying to bind to the wildcard address will tell you exactly if binding
> is possible. Can you change the patch to try to bind instead of trying
> to connect?

Revised patch to use bind() instead of connect(). I added a test for 
both IPv4 and IPv6 ports though I don't currently have IPv6 enabled so I 
can't test this. It at least doesn't seem to affect the IPv4 test.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-269-ports.patch
Type: text/x-patch
Size: 2459 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/b460b836/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/b460b836/attachment-0001.bin>

From ssorce at redhat.com  Mon Oct 15 17:37:28 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 15 Oct 2007 13:37:28 -0400
Subject: [Freeipa-devel] [PATCH] check for LDAP ports during install
In-Reply-To: <4713A31B.6000902@redhat.com>
References: <47137DED.9000505@redhat.com>
	<1192465765.7342.3.camel@localhost.localdomain>
	<4713A31B.6000902@redhat.com>
Message-ID: <1192469848.7342.14.camel@localhost.localdomain>

On Mon, 2007-10-15 at 13:27 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Mon, 2007-10-15 at 10:49 -0400, Rob Crittenden wrote:
> >> Patch to verify that the LDAP ports are available when doing an 
> >> installation. If they aren't the FDS installer will crash and burn.
> > 
> > To properly check you should not try to connect to the ports, but
> > instead try to bind the ports.
> > Connect may fail because of firewall or maybe because a server is bound
> > only to the public IP and not localhost, etc ...
> > Trying to bind to the wildcard address will tell you exactly if binding
> > is possible. Can you change the patch to try to bind instead of trying
> > to connect?
> 
> Revised patch to use bind() instead of connect(). I added a test for 
> both IPv4 and IPv6 ports though I don't currently have IPv6 enabled so I 
> can't test this. It at least doesn't seem to affect the IPv4 test.

Looks good.
Simo.



From rcritten at redhat.com  Mon Oct 15 17:42:09 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Oct 2007 13:42:09 -0400
Subject: [Freeipa-devel] [PATCH] update_entry
In-Reply-To: <20071015160621.GC3834@moon.usersys.redhat.com>
References: <20071012230046.GD6225@moon.usersys.redhat.com>	<471360EC.4050504@redhat.com>	<20071015152829.GA3834@moon.usersys.redhat.com>
	<20071015160621.GC3834@moon.usersys.redhat.com>
Message-ID: <4713A671.4050402@redhat.com>

Kevin McCarthy wrote:
> Kevin McCarthy wrote:
>> Rob Crittenden wrote:
>>> Kevin McCarthy wrote:
>>>> This patch unifies the update_group and update_user methods into
>>>> update_entry.
>>>> The modivation for this was from the delegation management code, where I
>>>> need to update the cn=accounts entry.  Although calling update_group()
>>>> worked, it looked strange.
>>>> That said, it may be just as offensive to have an API with add_user,
>>>> delete_user, but update_entry.  I'm open to suggestions.
>>>>
>>> I don't understand how update_group looked strange.
>> Well, basically because it wasn't a group that I was updating, it was an
>> ACI container.  So that api calls looked like
>>   aci = get_aci_entry()
>>   ...
>>   update_group(aci)
>>
>>> We can always have an update_user function that is an alias to 
>>> update_entry.
>> Sounds like a reasonable solution to me.  Let me rework the patch,
>> preserving update_user and update_group alias for update_entry.
> 
> Attached is the new version of the patch, preserving the update_user and
> update_group calls.
> 
> -Kevin

Looks good. As we've said before I guess we'll need to re-evaluate as 
there is no difference between Users and Groups.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/822872bf/attachment.bin>

From rcritten at redhat.com  Mon Oct 15 18:45:19 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Oct 2007 14:45:19 -0400
Subject: [Freeipa-devel] [PATCH] check for LDAP ports during install
In-Reply-To: <1192469848.7342.14.camel@localhost.localdomain>
References: <47137DED.9000505@redhat.com>	
	<1192465765.7342.3.camel@localhost.localdomain>	
	<4713A31B.6000902@redhat.com>
	<1192469848.7342.14.camel@localhost.localdomain>
Message-ID: <4713B53F.60806@redhat.com>

Simo Sorce wrote:
> On Mon, 2007-10-15 at 13:27 -0400, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Mon, 2007-10-15 at 10:49 -0400, Rob Crittenden wrote:
>>>> Patch to verify that the LDAP ports are available when doing an 
>>>> installation. If they aren't the FDS installer will crash and burn.
>>> To properly check you should not try to connect to the ports, but
>>> instead try to bind the ports.
>>> Connect may fail because of firewall or maybe because a server is bound
>>> only to the public IP and not localhost, etc ...
>>> Trying to bind to the wildcard address will tell you exactly if binding
>>> is possible. Can you change the patch to try to bind instead of trying
>>> to connect?
>> Revised patch to use bind() instead of connect(). I added a test for 
>> both IPv4 and IPv6 ports though I don't currently have IPv6 enabled so I 
>> can't test this. It at least doesn't seem to affect the IPv4 test.
> 
> Looks good.
> Simo.
> 

Pushed. I included a shutdown(0) before the close() because otherwise 
this patch guaranteed that the FDS install would fail :-)

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/a5c63561/attachment.bin>

From ssorce at redhat.com  Mon Oct 15 19:31:19 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 15 Oct 2007 15:31:19 -0400
Subject: [Freeipa-devel] [PATCH] check for LDAP ports during install
In-Reply-To: <4713B53F.60806@redhat.com>
References: <47137DED.9000505@redhat.com>
	<1192465765.7342.3.camel@localhost.localdomain>
	<4713A31B.6000902@redhat.com>
	<1192469848.7342.14.camel@localhost.localdomain>
	<4713B53F.60806@redhat.com>
Message-ID: <1192476679.7342.21.camel@localhost.localdomain>

On Mon, 2007-10-15 at 14:45 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Mon, 2007-10-15 at 13:27 -0400, Rob Crittenden wrote:
> >> Simo Sorce wrote:
> >>> On Mon, 2007-10-15 at 10:49 -0400, Rob Crittenden wrote:
> >>>> Patch to verify that the LDAP ports are available when doing an 
> >>>> installation. If they aren't the FDS installer will crash and burn.
> >>> To properly check you should not try to connect to the ports, but
> >>> instead try to bind the ports.
> >>> Connect may fail because of firewall or maybe because a server is bound
> >>> only to the public IP and not localhost, etc ...
> >>> Trying to bind to the wildcard address will tell you exactly if binding
> >>> is possible. Can you change the patch to try to bind instead of trying
> >>> to connect?
> >> Revised patch to use bind() instead of connect(). I added a test for 
> >> both IPv4 and IPv6 ports though I don't currently have IPv6 enabled so I 
> >> can't test this. It at least doesn't seem to affect the IPv4 test.
> > 
> > Looks good.
> > Simo.
> > 
> 
> Pushed. I included a shutdown(0) before the close() because otherwise 
> this patch guaranteed that the FDS install would fail :-)

lol, thanks :-)

Simo.



From rcritten at redhat.com  Mon Oct 15 19:44:35 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Oct 2007 15:44:35 -0400
Subject: [Freeipa-devel] [PATCH] start of SSL implementation
Message-ID: <4713C323.40006@redhat.com>

This small patch will get mod_nss installed and listening on the right port.

I'm going to need to mess around with the ipa configuration to do port 
forwarding from 80 -> 443 as well as some other stuff.

I'm not entirely sure how we're going to provide the CA cert we're using 
to generate our SSL certs. I'm wondering if we should/could supply it on 
the web server, I'm just not sure how I want to do it yet.

I also need to replace the mod_nss-generated server cert with one issued 
by the the same CA that FDS is using.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-269-ssl.patch
Type: text/x-patch
Size: 5654 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/5177b000/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/5177b000/attachment-0001.bin>

From kmccarth at redhat.com  Mon Oct 15 20:09:53 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 15 Oct 2007 13:09:53 -0700
Subject: [Freeipa-devel] [PATCH] add delegation editing
Message-ID: <20071015200953.GD3834@moon.usersys.redhat.com>

This patch adds editing to the delegation UI.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192478859 25200
# Node ID af0b0ac1b3064cfd55b5d3fb927b01855ebf74eb
# Parent  9a29344f0870d0963529d97c3893f68d947675df
Add basic delegation editing.

diff -r 9a29344f0870 -r af0b0ac1b306 ipa-python/aci.py
--- a/ipa-python/aci.py	Mon Oct 15 09:04:13 2007 -0700
+++ b/ipa-python/aci.py	Mon Oct 15 13:07:39 2007 -0700
@@ -18,6 +18,8 @@ import re
 import re
 import urllib
 
+import ipa.ipautil
+
 class ACI:
     """
     Holds the basic data for an ACI entry, as stored in the cn=accounts
@@ -30,6 +32,7 @@ class ACI:
         self.source_group = ''
         self.dest_group = ''
         self.attrs = []
+        self.orig_acistr = acistr
         if acistr is not None:
             self.parse_acistr(acistr)
 
@@ -51,6 +54,16 @@ class ACI:
                                        self.name,
                                        urllib.quote(self.source_group, "/=, "))
         return acistr
+
+    def to_dict(self):
+        result = ipa.ipautil.CIDict()
+        result['name'] = self.name
+        result['source_group'] = self.source_group
+        result['dest_group'] = self.dest_group
+        result['attrs'] = self.attrs
+        result['orig_acistr'] = self.orig_acistr
+
+        return result
 
     def _match(self, prefix, inputstr):
         """Returns inputstr with prefix removed, or else raises a
@@ -90,6 +103,8 @@ class ACI:
     def parse_acistr(self, acistr):
         """Parses the acistr.  If the string isn't recognized, a SyntaxError
            is raised."""
+        self.orig_acistr = acistr
+
         acistr = self._match('(targetattr=', acistr)
         (attrstr, acistr) = self._match_str(acistr)
         self.attrs = attrstr.split(' || ')
diff -r 9a29344f0870 -r af0b0ac1b306 ipa-server/ipa-gui/ipagui/forms/delegate.py
--- a/ipa-server/ipa-gui/ipagui/forms/delegate.py	Mon Oct 15 09:04:13 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/forms/delegate.py	Mon Oct 15 13:07:39 2007 -0700
@@ -52,10 +52,12 @@ class DelegateFields():
     dest_group_cn = widgets.HiddenField(name="dest_group_cn",
         label="For People in Group")
 
+    orig_acistr = widgets.HiddenField(name="orig_acistr")
+
     attrs = widgets.CheckBoxList(name="attrs", label="Can Modify",
             options=aci_checkbox_attrs, validator=validators.NotEmpty)
 
-class DelegateNewValidator(validators.Schema):
+class DelegateValidator(validators.Schema):
     name = validators.String(not_empty=True)
     source_group_dn = validators.String(not_empty=True,
         messages = { 'empty': _("Please choose a group"), })
@@ -64,7 +66,7 @@ class DelegateNewValidator(validators.Sc
     attrs = validators.NotEmpty(
         messages = { 'empty': _("Please select at least one value"), })
 
-class DelegateNewForm(widgets.Form):
+class DelegateForm(widgets.Form):
     params = ['delegate', 'attr_list']
 
     hidden_fields = [
@@ -72,15 +74,17 @@ class DelegateNewForm(widgets.Form):
       DelegateFields.dest_group_dn,
       DelegateFields.source_group_cn,
       DelegateFields.dest_group_cn,
+      DelegateFields.orig_acistr,
     ]
 
-    validator = DelegateNewValidator()
+    validator = DelegateValidator()
 
     def __init__(self, *args, **kw):
-        super(DelegateNewForm,self).__init__(*args, **kw)
+        super(DelegateForm,self).__init__(*args, **kw)
+        # TODO - rename to delegateform
         (self.template_c, self.template) = widgets.meta.load_kid_template(
                 "ipagui.templates.delegatenewform")
         self.delegate = DelegateFields
 
     def update_params(self, params):
-        super(DelegateNewForm,self).update_params(params)
+        super(DelegateForm,self).update_params(params)
diff -r 9a29344f0870 -r af0b0ac1b306 ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py	Mon Oct 15 09:04:13 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py	Mon Oct 15 13:07:39 2007 -0700
@@ -1,6 +1,7 @@ import os
 import os
 from pickle import dumps, loads
 from base64 import b64encode, b64decode
+import copy
 
 import cherrypy
 import turbogears
@@ -20,7 +21,7 @@ import ldap.dn
 
 aci_fields = ['*', 'aci']
 
-delegate_new_form = ipagui.forms.delegate.DelegateNewForm()
+delegate_form = ipagui.forms.delegate.DelegateForm()
 
 class DelegationController(IPAController):
 
@@ -35,20 +36,25 @@ class DelegationController(IPAController
         """Display delegate page"""
         client = self.get_ipaclient()
         delegate = {}
-        delegate['source_group_cn'] = "Please choose"
-        delegate['dest_group_cn'] = "Please choose"
-
-        return dict(form=delegate_new_form, delegate=delegate)
+        delegate['source_group_cn'] = "Please choose:"
+        delegate['dest_group_cn'] = "Please choose:"
+
+        return dict(form=delegate_form, delegate=delegate)
 
     @expose()
     @identity.require(identity.not_anonymous())
     def create(self, **kw):
         """Creates a new delegation"""
-        client = self.get_ipaclient()
-
-        tg_errors, kw = self.delegatecreatevalidate(**kw)
-        if tg_errors:
-            return dict(form=delegate_new_form, delegate=kw,
+        self.restrict_post()
+        client = self.get_ipaclient()
+
+        if kw.get('submit', '').startswith('Cancel'):
+            turbogears.flash("Add delegation cancelled")
+            raise turbogears.redirect('/delegate/list')
+
+        tg_errors, kw = self.delegatevalidate(**kw)
+        if tg_errors:
+            return dict(form=delegate_form, delegate=kw,
                     tg_template='ipagui.templates.delegatenew')
 
         try:
@@ -65,28 +71,90 @@ class DelegationController(IPAController
             client.update_entry(aci_entry)
         except ipaerror.IPAError, e:
             turbogears.flash("Delgate add failed: " + str(e))
-            return dict(form=delegate_new_form, delegate=kw,
+            return dict(form=delegate_form, delegate=kw,
                     tg_template='ipagui.templates.delegatenew')
 
         turbogears.flash("delegate created")
         raise turbogears.redirect('/delegate/list')
-# 
-#     @expose("ipagui.templates.delegateedit")
-#     @identity.require(identity.not_anonymous())
-#     def edit(self):
-#         """Display delegate page"""
-#         client = self.get_ipaclient()
-# 
-#         return dict(userfields=ipagui.forms.user.UserFields())
-# 
-#     @expose()
-#     @identity.require(identity.not_anonymous())
-#     def update(self, **kw):
-#         """Display delegate page"""
-#         client = self.get_ipaclient()
-# 
-#         turbogears.flash("delegate updated")
-#         raise turbogears.redirect('/delegate/list')
+
+    @expose("ipagui.templates.delegateedit")
+    @identity.require(identity.not_anonymous())
+    def edit(self, acistr, tg_errors=None):
+        """Display delegate page"""
+        if tg_errors:
+            turbogears.flash("There was a problem with the form!")
+
+        client = self.get_ipaclient()
+
+        try:
+            aci_entry = client.get_aci_entry(aci_fields)
+            aci = ipa.aci.ACI(acistr)
+            group_dn_to_cn = self.extract_group_cns([aci], client)
+
+            delegate = aci.to_dict()
+            delegate['source_group_dn'] = delegate['source_group']
+            delegate['source_group_cn'] = group_dn_to_cn[delegate['source_group_dn']]
+            delegate['dest_group_dn'] = delegate['dest_group']
+            delegate['dest_group_cn'] = group_dn_to_cn[delegate['dest_group_dn']]
+
+            return dict(form=delegate_form, delegate=delegate)
+        except (SyntaxError, ipaerror.IPAError), e:
+            turbogears.flash("Delegation edit failed: " + str(e))
+            raise turbogears.redirect('/delegate/list')
+
+
+    @expose()
+    @identity.require(identity.not_anonymous())
+    def update(self, **kw):
+        """Display delegate page"""
+        self.restrict_post()
+        client = self.get_ipaclient()
+
+        if kw.get('submit', '').startswith('Cancel'):
+            turbogears.flash("Edit delegation cancelled")
+            raise turbogears.redirect('/delegate/list')
+
+        tg_errors, kw = self.delegatevalidate(**kw)
+        if tg_errors:
+            return dict(form=delegate_form, delegate=kw,
+                    tg_template='ipagui.templates.delegatenew')
+
+        try:
+            aci_entry = client.get_aci_entry(aci_fields)
+
+            aci_str_list = aci_entry.getValues('aci')
+            if aci_str_list is None:
+                aci_str_list = []
+
+            try :
+                old_aci_index = aci_str_list.index(kw['orig_acistr'])
+            except ValueError:
+                turbogears.flash("Delegation update failed:<br />" +
+                        "The delegation you were attempting to update has been " +
+                        "concurrently modified.  Please cancel the edit " +
+                        "and try editing the delegation again.")
+                return dict(form=delegate_form, delegate=kw,
+                            tg_template='ipagui.templates.delegateedit')
+
+            new_aci = ipa.aci.ACI()
+            new_aci.name = kw.get('name')
+            new_aci.source_group = kw.get('source_group_dn')
+            new_aci.dest_group = kw.get('dest_group_dn')
+            new_aci.attrs = kw.get('attrs')
+            new_aci_str = new_aci.export_to_string()
+
+            new_aci_str_list = copy.copy(aci_str_list)
+            new_aci_str_list[old_aci_index] = new_aci_str
+            aci_entry.setValue('aci', new_aci_str_list)
+
+            client.update_entry(aci_entry)
+
+            turbogears.flash("delegate updated")
+            raise turbogears.redirect('/delegate/list')
+        except (SyntaxError, ipaerror.IPAError), e:
+            turbogears.flash("Delegation update failed: " + str(e))
+            return dict(form=delegate_form, delegate=kw,
+                        tg_template='ipagui.templates.delegateedit')
 
     @expose("ipagui.templates.delegatelist")
     @identity.require(identity.not_anonymous())
@@ -94,7 +162,12 @@ class DelegationController(IPAController
         """Display delegate page"""
         client = self.get_ipaclient()
 
-        aci_entry = client.get_aci_entry(aci_fields)
+        try:
+            aci_entry = client.get_aci_entry(aci_fields)
+        except ipaerror.IPAError, e:
+            turbogears.flash("Delegation list failed: " + str(e))
+            raise turbogears.redirect('/')
+
         aci_str_list = aci_entry.getValues('aci')
         if aci_str_list is None:
             aci_str_list = []
@@ -135,9 +208,9 @@ class DelegationController(IPAController
                 which_group=kw.get('which_group'),
                 counter=groups_counter)
 
-    @validate(form=delegate_new_form)
-    @identity.require(identity.not_anonymous())
-    def delegatecreatevalidate(self, tg_errors=None, **kw):
+    @validate(form=delegate_form)
+    @identity.require(identity.not_anonymous())
+    def delegatevalidate(self, tg_errors=None, **kw):
         return tg_errors, kw
 
     def extract_group_cns(self, aci_list, client):
diff -r 9a29344f0870 -r af0b0ac1b306 ipa-server/ipa-gui/ipagui/templates/delegateedit.kid
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-server/ipa-gui/ipagui/templates/delegateedit.kid	Mon Oct 15 13:07:39 2007 -0700
@@ -0,0 +1,16 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:py="http://purl.org/kid/ns#"
+    py:extends="'delegatelayout.kid'">
+<head>
+<meta content="text/html; charset=utf-8" http-equiv="Content-Type" py:replace="''"/>
+<title>Edit Delegation</title>
+</head>
+<body>
+
+    <h2>Edit Delegation</h2>
+
+    ${form.display(action=tg.url("/delegate/update"), value=delegate,
+                   actionname='Edit')}
+
+</body>
+</html>
diff -r 9a29344f0870 -r af0b0ac1b306 ipa-server/ipa-gui/ipagui/templates/delegatelist.kid
--- a/ipa-server/ipa-gui/ipagui/templates/delegatelist.kid	Mon Oct 15 09:04:13 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/delegatelist.kid	Mon Oct 15 13:07:39 2007 -0700
@@ -41,7 +41,13 @@
           >${dest_cn}</a>
       </td>
       <td>
-        <a href="${tg.url('/delegate/edit')}">edit</a> (TODO)<br />
+        <?python
+        # it's probably a bad idea to use a GET string here.
+        # orig_acistr may be quite long
+        # TODO - change to use a form/POST
+        #
+        ?>
+        <a href="${tg.url('/delegate/edit', acistr=aci.orig_acistr)}">edit</a><br />
       </td>
     </tr>
     </tbody>
diff -r 9a29344f0870 -r af0b0ac1b306 ipa-server/ipa-gui/ipagui/templates/delegatenew.kid
--- a/ipa-server/ipa-gui/ipagui/templates/delegatenew.kid	Mon Oct 15 09:04:13 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/delegatenew.kid	Mon Oct 15 13:07:39 2007 -0700
@@ -9,7 +9,8 @@
 
     <h2>Add Delegation</h2>
 
-    ${form.display(action=tg.url("/delegate/create"), value=delegate)}
+    ${form.display(action=tg.url("/delegate/create"), value=delegate,
+                   actionname='Add')}
 
 </body>
 </html>
diff -r 9a29344f0870 -r af0b0ac1b306 ipa-server/ipa-gui/ipagui/templates/delegatenewform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/delegatenewform.kid	Mon Oct 15 09:04:13 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/delegatenewform.kid	Mon Oct 15 13:07:39 2007 -0700
@@ -49,9 +49,15 @@
 
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
+        <th>
+          <input type="submit" class="submitbutton" name="submit"
+                 value="${actionname} Delegation"/>
+          <br />
+        </th>
         <td>
           <input type="submit" class="submitbutton" name="submit"
-                 value="Add Delegation"/>
+                 value="Cancel ${actionname}"/>
+          <br />
         </td>
       </tr>
     </table>
@@ -143,12 +149,25 @@
 
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
+        <th>
+          <input type="submit" class="submitbutton" name="submit"
+                 value="${actionname} Delegation"/>
+        </th>
         <td>
           <input type="submit" class="submitbutton" name="submit"
-                 value="Add Delegation"/>
+                 value="Cancel ${actionname}"/>
         </td>
       </tr>
     </table>
 
+  <script py:if="not value.get('source_group_dn')">
+      new Effect.Appear($('source_searcharea'), {duration: 0.25});
+      new Effect.Fade($('source_change_link'), {duration: 0.25});
+  </script>
+  <script py:if="not value.get('dest_group_dn')">
+      new Effect.Appear($('dest_searcharea'), {duration: 0.25});
+      new Effect.Fade($('dest_change_link'), {duration: 0.25});
+  </script>
+
   </form>
 </div>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/b7e9b052/attachment.bin>

From kmccarth at redhat.com  Mon Oct 15 20:19:59 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 15 Oct 2007 13:19:59 -0700
Subject: [Freeipa-devel] [PATCH] rename delegatenewform
Message-ID: <20071015201959.GE3834@moon.usersys.redhat.com>

This patch merely renames the file delegatenewform.kid to
delegateform.kid.  Separated out from previous patch to improve
readability.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192479446 25200
# Node ID 95281370afe695061cca35b515d082f3d647044a
# Parent  af0b0ac1b3064cfd55b5d3fb927b01855ebf74eb
Rename delegatenewform to delegateform.

diff -r af0b0ac1b306 -r 95281370afe6 ipa-server/ipa-gui/ipagui/forms/delegate.py
--- a/ipa-server/ipa-gui/ipagui/forms/delegate.py	Mon Oct 15 13:07:39 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/forms/delegate.py	Mon Oct 15 13:17:26 2007 -0700
@@ -81,9 +81,8 @@ class DelegateForm(widgets.Form):
 
     def __init__(self, *args, **kw):
         super(DelegateForm,self).__init__(*args, **kw)
-        # TODO - rename to delegateform
         (self.template_c, self.template) = widgets.meta.load_kid_template(
-                "ipagui.templates.delegatenewform")
+                "ipagui.templates.delegateform")
         self.delegate = DelegateFields
 
     def update_params(self, params):
diff -r af0b0ac1b306 -r 95281370afe6 ipa-server/ipa-gui/ipagui/templates/delegateform.kid
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-server/ipa-gui/ipagui/templates/delegateform.kid	Mon Oct 15 13:17:26 2007 -0700
@@ -0,0 +1,173 @@
+<div xmlns:py="http://purl.org/kid/ns#"
+  class="simpleroster">
+
+  <?python searchurl = tg.url('/delegate/group_search') ?>
+
+  <script type="text/javascript">
+
+    function enterDoSearch(e, which_group) {
+      var keyPressed;
+      if (window.event) {
+        keyPressed = window.event.keyCode;
+      } else {
+        keyPressed = e.which; 
+      }
+
+      if (keyPressed == 13) {
+        return doSearch(which_group);
+      } else {
+        return true;
+      }
+    }
+
+    function doSearch(which_group) {
+      $(which_group + '_searchresults').update("Searching...");
+      new Ajax.Updater(which_group + '_searchresults',
+          '${searchurl}',
+          {  asynchronous:true,
+             parameters: { criteria: $(which_group + '_criteria').value,
+                           which_group: which_group},
+             evalScripts: true });
+      return false;
+    }
+
+    function selectGroup(which_group, group_dn, group_cn) {
+      group_dn_field = $('form_' + which_group + '_group_dn');
+      group_cn_field = $('form_' + which_group + '_group_cn');
+      group_cn_span = $(which_group + '_group_cn');
+
+      group_dn_field.value = group_dn;
+      group_cn_field.value = group_cn;
+      group_cn_span.update(group_cn);
+
+      new Effect.Fade($(which_group + '_searcharea'), {duration: 0.25});
+      new Effect.Appear($(which_group + '_change_link'), {duration: 0.25});
+    }
+  </script>
+
+  <form action="${action}" name="${name}" method="${method}" class="tableform">
+
+    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+      <tr>
+        <th>
+          <input type="submit" class="submitbutton" name="submit"
+                 value="${actionname} Delegation"/>
+          <br />
+        </th>
+        <td>
+          <input type="submit" class="submitbutton" name="submit"
+                 value="Cancel ${actionname}"/>
+          <br />
+        </td>
+      </tr>
+    </table>
+
+    <div py:for="field in hidden_fields"
+      py:replace="field.display(value_for(field), **params_for(field))" 
+      />
+
+    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+      <tr>
+        <th valign="top">
+          <label class="fieldlabel" for="${delegate.name.field_id}"
+            py:content="delegate.name.label" />:
+        </th>
+        <td>
+          <span py:replace="delegate.name.display(value_for(delegate.name))" />
+          <span py:if="tg.errors.get('name')" class="fielderror"
+              py:content="tg.errors.get('name')" />
+        </td>
+      </tr>
+      <tr>
+        <th valign="top">
+          <label class="fieldlabel" for="${delegate.source_group_cn.field_id}"
+            py:content="delegate.source_group_cn.label" />:
+        </th>
+        <td>
+          <div>
+            <span id='source_group_cn'>${value_for(delegate.source_group_cn)}</span>
+            <a href="#" id='source_change_link'
+              onclick="new Effect.Appear($('source_searcharea'), {duration: 0.25});
+                       new Effect.Fade(this, {duration: 0.25});
+                       return false;">change</a>
+            <span py:if="tg.errors.get('source_group_dn')" class="fielderror"
+                py:content="tg.errors.get('source_group_dn')" />
+          </div>
+          <div id="source_searcharea" style="display:none">
+            <div>
+              <input id="source_criteria" type="text"
+                onkeypress="return enterDoSearch(event, 'source');" />
+              <input type="button" value="Find"
+                onclick="return doSearch('source');"
+              />
+            </div>
+            <div id="source_searchresults">
+            </div>
+          </div>
+        </td>
+      </tr>
+      <tr>
+        <th valign="top">
+          <label class="fieldlabel" for="${delegate.attrs.field_id}"
+            py:content="delegate.attrs.label" />:
+        </th>
+        <td valign="top">
+          <span py:if="tg.errors.get('attrs')" class="fielderror"
+              py:content="tg.errors.get('attrs')" />
+          <span py:replace="delegate.attrs.display(value_for(delegate.attrs))" />
+        </td>
+      </tr>
+      <tr>
+        <th valign="top">
+          <label class="fieldlabel" for="${delegate.dest_group_cn.field_id}"
+            py:content="delegate.dest_group_cn.label" />:
+        </th>
+        <td>
+          <div>
+            <span id='dest_group_cn'>${value_for(delegate.dest_group_cn)}</span>
+            <a href="#" id='dest_change_link'
+              onclick="new Effect.Appear($('dest_searcharea'), {duration: 0.25});
+                       new Effect.Fade(this, {duration: 0.25});
+                       return false;">change</a>
+            <span py:if="tg.errors.get('dest_group_dn')" class="fielderror"
+                py:content="tg.errors.get('dest_group_dn')" />
+          </div>
+          <div id="dest_searcharea" style="display:none">
+            <div>
+              <input id="dest_criteria" type="text"
+                onkeypress="return enterDoSearch(event, 'dest');" />
+              <input type="button" value="Find"
+                onclick="return doSearch('dest');"
+              />
+            </div>
+            <div id="dest_searchresults">
+            </div>
+          </div>
+        </td>
+      </tr>
+    </table>
+
+    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+      <tr>
+        <th>
+          <input type="submit" class="submitbutton" name="submit"
+                 value="${actionname} Delegation"/>
+        </th>
+        <td>
+          <input type="submit" class="submitbutton" name="submit"
+                 value="Cancel ${actionname}"/>
+        </td>
+      </tr>
+    </table>
+
+  <script py:if="not value.get('source_group_dn')">
+      new Effect.Appear($('source_searcharea'), {duration: 0.25});
+      new Effect.Fade($('source_change_link'), {duration: 0.25});
+  </script>
+  <script py:if="not value.get('dest_group_dn')">
+      new Effect.Appear($('dest_searcharea'), {duration: 0.25});
+      new Effect.Fade($('dest_change_link'), {duration: 0.25});
+  </script>
+
+  </form>
+</div>
diff -r af0b0ac1b306 -r 95281370afe6 ipa-server/ipa-gui/ipagui/templates/delegatenewform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/delegatenewform.kid	Mon Oct 15 13:07:39 2007 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,173 +0,0 @@
-<div xmlns:py="http://purl.org/kid/ns#"
-  class="simpleroster">
-
-  <?python searchurl = tg.url('/delegate/group_search') ?>
-
-  <script type="text/javascript">
-
-    function enterDoSearch(e, which_group) {
-      var keyPressed;
-      if (window.event) {
-        keyPressed = window.event.keyCode;
-      } else {
-        keyPressed = e.which; 
-      }
-
-      if (keyPressed == 13) {
-        return doSearch(which_group);
-      } else {
-        return true;
-      }
-    }
-
-    function doSearch(which_group) {
-      $(which_group + '_searchresults').update("Searching...");
-      new Ajax.Updater(which_group + '_searchresults',
-          '${searchurl}',
-          {  asynchronous:true,
-             parameters: { criteria: $(which_group + '_criteria').value,
-                           which_group: which_group},
-             evalScripts: true });
-      return false;
-    }
-
-    function selectGroup(which_group, group_dn, group_cn) {
-      group_dn_field = $('form_' + which_group + '_group_dn');
-      group_cn_field = $('form_' + which_group + '_group_cn');
-      group_cn_span = $(which_group + '_group_cn');
-
-      group_dn_field.value = group_dn;
-      group_cn_field.value = group_cn;
-      group_cn_span.update(group_cn);
-
-      new Effect.Fade($(which_group + '_searcharea'), {duration: 0.25});
-      new Effect.Appear($(which_group + '_change_link'), {duration: 0.25});
-    }
-  </script>
-
-  <form action="${action}" name="${name}" method="${method}" class="tableform">
-
-    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
-      <tr>
-        <th>
-          <input type="submit" class="submitbutton" name="submit"
-                 value="${actionname} Delegation"/>
-          <br />
-        </th>
-        <td>
-          <input type="submit" class="submitbutton" name="submit"
-                 value="Cancel ${actionname}"/>
-          <br />
-        </td>
-      </tr>
-    </table>
-
-    <div py:for="field in hidden_fields"
-      py:replace="field.display(value_for(field), **params_for(field))" 
-      />
-
-    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
-      <tr>
-        <th valign="top">
-          <label class="fieldlabel" for="${delegate.name.field_id}"
-            py:content="delegate.name.label" />:
-        </th>
-        <td>
-          <span py:replace="delegate.name.display(value_for(delegate.name))" />
-          <span py:if="tg.errors.get('name')" class="fielderror"
-              py:content="tg.errors.get('name')" />
-        </td>
-      </tr>
-      <tr>
-        <th valign="top">
-          <label class="fieldlabel" for="${delegate.source_group_cn.field_id}"
-            py:content="delegate.source_group_cn.label" />:
-        </th>
-        <td>
-          <div>
-            <span id='source_group_cn'>${value_for(delegate.source_group_cn)}</span>
-            <a href="#" id='source_change_link'
-              onclick="new Effect.Appear($('source_searcharea'), {duration: 0.25});
-                       new Effect.Fade(this, {duration: 0.25});
-                       return false;">change</a>
-            <span py:if="tg.errors.get('source_group_dn')" class="fielderror"
-                py:content="tg.errors.get('source_group_dn')" />
-          </div>
-          <div id="source_searcharea" style="display:none">
-            <div>
-              <input id="source_criteria" type="text"
-                onkeypress="return enterDoSearch(event, 'source');" />
-              <input type="button" value="Find"
-                onclick="return doSearch('source');"
-              />
-            </div>
-            <div id="source_searchresults">
-            </div>
-          </div>
-        </td>
-      </tr>
-      <tr>
-        <th valign="top">
-          <label class="fieldlabel" for="${delegate.attrs.field_id}"
-            py:content="delegate.attrs.label" />:
-        </th>
-        <td valign="top">
-          <span py:if="tg.errors.get('attrs')" class="fielderror"
-              py:content="tg.errors.get('attrs')" />
-          <span py:replace="delegate.attrs.display(value_for(delegate.attrs))" />
-        </td>
-      </tr>
-      <tr>
-        <th valign="top">
-          <label class="fieldlabel" for="${delegate.dest_group_cn.field_id}"
-            py:content="delegate.dest_group_cn.label" />:
-        </th>
-        <td>
-          <div>
-            <span id='dest_group_cn'>${value_for(delegate.dest_group_cn)}</span>
-            <a href="#" id='dest_change_link'
-              onclick="new Effect.Appear($('dest_searcharea'), {duration: 0.25});
-                       new Effect.Fade(this, {duration: 0.25});
-                       return false;">change</a>
-            <span py:if="tg.errors.get('dest_group_dn')" class="fielderror"
-                py:content="tg.errors.get('dest_group_dn')" />
-          </div>
-          <div id="dest_searcharea" style="display:none">
-            <div>
-              <input id="dest_criteria" type="text"
-                onkeypress="return enterDoSearch(event, 'dest');" />
-              <input type="button" value="Find"
-                onclick="return doSearch('dest');"
-              />
-            </div>
-            <div id="dest_searchresults">
-            </div>
-          </div>
-        </td>
-      </tr>
-    </table>
-
-    <table class="formtable" cellpadding="2" cellspacing="0" border="0">
-      <tr>
-        <th>
-          <input type="submit" class="submitbutton" name="submit"
-                 value="${actionname} Delegation"/>
-        </th>
-        <td>
-          <input type="submit" class="submitbutton" name="submit"
-                 value="Cancel ${actionname}"/>
-        </td>
-      </tr>
-    </table>
-
-  <script py:if="not value.get('source_group_dn')">
-      new Effect.Appear($('source_searcharea'), {duration: 0.25});
-      new Effect.Fade($('source_change_link'), {duration: 0.25});
-  </script>
-  <script py:if="not value.get('dest_group_dn')">
-      new Effect.Appear($('dest_searcharea'), {duration: 0.25});
-      new Effect.Fade($('dest_change_link'), {duration: 0.25});
-  </script>
-
-  </form>
-</div>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/3341d673/attachment.bin>

From rcritten at redhat.com  Mon Oct 15 20:37:34 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Oct 2007 16:37:34 -0400
Subject: [Freeipa-devel] [PATCH] autotoolize ipa-server
In-Reply-To: <939dd5750710121103ie32f12bg4d66386eb88e812a@mail.gmail.com>
References: <939dd5750710121103ie32f12bg4d66386eb88e812a@mail.gmail.com>
Message-ID: <4713CF8E.4020907@redhat.com>

William Jon McCann wrote:
> Hi,
> 
> Here is a patch to autotoolize ipa-server.
> 
> Jon

I'm going to pull a new tree in a day or so and give the autotool 
patches a whirl and see how they work. I don't think a straight read 
will do them justice.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/ec495708/attachment.bin>

From kmccarth at redhat.com  Mon Oct 15 20:57:00 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 15 Oct 2007 13:57:00 -0700
Subject: [Freeipa-devel] [PATCH] delegation list and create GUI
In-Reply-To: <4713CF53.9080303@redhat.com>
References: <20071012221316.GC6225@moon.usersys.redhat.com>
	<4713CF53.9080303@redhat.com>
Message-ID: <20071015205700.GA4766@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> This is the delegation ACI listing and creation GUI.  Editing is still
>> todo.
>> Sorry, this patch got a bit bigger than I intended, but the listing and
>> creation were intertwined.
>> -Kevin
>
> Whew, a lot to take in but it looks ok.

Thanks for looking it over.  Sorry this one was quite a doozy...

Pushed.

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/fa12efd2/attachment.bin>

From kmccarth at redhat.com  Mon Oct 15 20:58:51 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 15 Oct 2007 13:58:51 -0700
Subject: [Freeipa-devel] [PATCH] update_entry
In-Reply-To: <4713A671.4050402@redhat.com>
References: <20071015152829.GA3834@moon.usersys.redhat.com>
	<20071015160621.GC3834@moon.usersys.redhat.com>
	<4713A671.4050402@redhat.com>
Message-ID: <20071015205851.GB4766@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> Kevin McCarthy wrote:
>>> Rob Crittenden wrote:
>>>> Kevin McCarthy wrote:
>>>>> This patch unifies the update_group and update_user methods into
>>>>> update_entry.
>>>>> The modivation for this was from the delegation management code, where 
>>>>> I
>>>>> need to update the cn=accounts entry.  Although calling update_group()
>>>>> worked, it looked strange.
>>>>> That said, it may be just as offensive to have an API with add_user,
>>>>> delete_user, but update_entry.  I'm open to suggestions.
>>>>>
>>>> I don't understand how update_group looked strange.
>>> Well, basically because it wasn't a group that I was updating, it was an
>>> ACI container.  So that api calls looked like
>>>   aci = get_aci_entry()
>>>   ...
>>>   update_group(aci)
>>>
>>>> We can always have an update_user function that is an alias to 
>>>> update_entry.
>>> Sounds like a reasonable solution to me.  Let me rework the patch,
>>> preserving update_user and update_group alias for update_entry.
>> Attached is the new version of the patch, preserving the update_user and
>> update_group calls.
>> -Kevin
>
> Looks good. As we've said before I guess we'll need to re-evaluate as there 
> is no difference between Users and Groups.

Agreed.  I've tagged it in my todo list.

Pushed.

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/eb0d0073/attachment.bin>

From kmccarth at redhat.com  Mon Oct 15 21:02:22 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 15 Oct 2007 14:02:22 -0700
Subject: [Freeipa-devel] [PATCH] add delegation editing
In-Reply-To: <4713CFEA.3030109@redhat.com>
References: <20071015200953.GD3834@moon.usersys.redhat.com>
	<4713CFEA.3030109@redhat.com>
Message-ID: <20071015210222.GC4766@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> This patch adds editing to the delegation UI.
>> -Kevin
>
> Looks ok.

Pushed.

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/501b4b37/attachment.bin>

From kmccarth at redhat.com  Mon Oct 15 21:19:27 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 15 Oct 2007 14:19:27 -0700
Subject: [Freeipa-devel] [PATCH] fix list page to show field labels
Message-ID: <20071015211927.GD4766@moon.usersys.redhat.com>

Translate ldap fields to labels on the delegation list page.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192483071 25200
# Node ID 68927a02eb9f37f6853cbe1ea849f7479d0c265e
# Parent  79fde8826508f31c94dae3e9c71d53caa8654ce0
Fix list delegations to show field labels.
Also fix script tags on delegateform.kid.

diff -r 79fde8826508 -r 68927a02eb9f ipa-server/ipa-gui/ipagui/forms/delegate.py
--- a/ipa-server/ipa-gui/ipagui/forms/delegate.py	Mon Oct 15 14:04:01 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/forms/delegate.py	Mon Oct 15 14:17:51 2007 -0700
@@ -40,6 +40,8 @@ aci_attrs = [
 ]
 
 aci_checkbox_attrs = [(field.name, field.label) for field in aci_attrs]
+
+aci_name_to_label = dict(aci_checkbox_attrs)
 
 class DelegateFields():
     name = widgets.TextField(name="name", label="ACI Name")
diff -r 79fde8826508 -r 68927a02eb9f ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py	Mon Oct 15 14:04:01 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py	Mon Oct 15 14:17:51 2007 -0700
@@ -181,6 +181,13 @@ class DelegationController(IPAController
                 # ignore aci_str's that ACI can't parse
                 pass
         group_dn_to_cn = self.extract_group_cns(aci_list, client)
+
+        # The list page needs to display field labels, not raw
+        # LDAP attributes
+        for aci in aci_list:
+            aci.attrs = map(lambda name:
+                      ipagui.forms.delegate.aci_name_to_label.get(name, name),
+                      aci.attrs)
 
         return dict(aci_list=aci_list, group_dn_to_cn=group_dn_to_cn)
 
diff -r 79fde8826508 -r 68927a02eb9f ipa-server/ipa-gui/ipagui/templates/delegateform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/delegateform.kid	Mon Oct 15 14:04:01 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/delegateform.kid	Mon Oct 15 14:17:51 2007 -0700
@@ -160,11 +160,13 @@
       </tr>
     </table>
 
-  <script py:if="not value.get('source_group_dn')">
+  <script py:if="not value.get('source_group_dn')"
+    type="text/javascript">
       new Effect.Appear($('source_searcharea'), {duration: 0.25});
       new Effect.Fade($('source_change_link'), {duration: 0.25});
   </script>
-  <script py:if="not value.get('dest_group_dn')">
+  <script py:if="not value.get('dest_group_dn')"
+    type="text/javascript">
       new Effect.Appear($('dest_searcharea'), {duration: 0.25});
       new Effect.Fade($('dest_change_link'), {duration: 0.25});
   </script>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/58827c67/attachment.bin>

From kmccarth at redhat.com  Mon Oct 15 21:58:31 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 15 Oct 2007 14:58:31 -0700
Subject: [Freeipa-devel] [PATCH] fix for single ACI
Message-ID: <20071015215831.GE4766@moon.usersys.redhat.com>

Keeping with a few micro-patches to spare poor Rob.  Fix to translate
single ACI's into a list, so I don't end up iterating over chars!  :-)

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192485342 25200
# Node ID 718f89606a6fcfa850554541f40e7121e529f1df
# Parent  adbcd2bf981679e0596cc340b07b8361ce28833d
Fix for when there's a single ACI.

diff -r adbcd2bf9816 -r 718f89606a6f ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py	Mon Oct 15 14:53:44 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py	Mon Oct 15 14:55:42 2007 -0700
@@ -125,6 +125,8 @@ class DelegationController(IPAController
             aci_str_list = aci_entry.getValues('aci')
             if aci_str_list is None:
                 aci_str_list = []
+            if not(isinstance(aci_str_list,list) or isinstance(aci_str_list,tuple)):
+                aci_str_list = [aci_str_list]
 
             try :
                 old_aci_index = aci_str_list.index(kw['orig_acistr'])
@@ -171,6 +173,8 @@ class DelegationController(IPAController
         aci_str_list = aci_entry.getValues('aci')
         if aci_str_list is None:
             aci_str_list = []
+        if not(isinstance(aci_str_list,list) or isinstance(aci_str_list,tuple)):
+            aci_str_list = [aci_str_list]
 
         aci_list = []
         for aci_str in aci_str_list:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/d0810db5/attachment.bin>

From rcritten at redhat.com  Mon Oct 15 22:04:59 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Oct 2007 18:04:59 -0400
Subject: [Freeipa-devel] [PATCH] fix for single ACI
In-Reply-To: <20071015215831.GE4766@moon.usersys.redhat.com>
References: <20071015215831.GE4766@moon.usersys.redhat.com>
Message-ID: <4713E40B.3090006@redhat.com>

Kevin McCarthy wrote:
> Keeping with a few micro-patches to spare poor Rob.  Fix to translate
> single ACI's into a list, so I don't end up iterating over chars!  :-)
> 
> -Kevin
> 

My poor eyes thank you!

Looks good.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/f4a57c20/attachment.bin>

From kmccarth at redhat.com  Mon Oct 15 23:24:38 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 15 Oct 2007 16:24:38 -0700
Subject: [Freeipa-devel] [PATCH] fixes for acilist page
Message-ID: <20071015232438.GF4766@moon.usersys.redhat.com>

Change the aci list page to use POST.  The acistr can be way too long.
Also fix to use field labels and adjust formatting a bit.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192490470 25200
# Node ID fe170b17389fa7a511df6ed84a51dc0b79b3ae3a
# Parent  718f89606a6fcfa850554541f40e7121e529f1df
Fixes to acilist: make use POST, use field labels.

diff -r 718f89606a6f -r fe170b17389f ipa-server/ipa-gui/ipagui/forms/delegate.py
--- a/ipa-server/ipa-gui/ipagui/forms/delegate.py	Mon Oct 15 14:55:42 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/forms/delegate.py	Mon Oct 15 16:21:10 2007 -0700
@@ -44,7 +44,7 @@ aci_name_to_label = dict(aci_checkbox_at
 aci_name_to_label = dict(aci_checkbox_attrs)
 
 class DelegateFields():
-    name = widgets.TextField(name="name", label="ACI Name")
+    name = widgets.TextField(name="name", label="Name")
 
     source_group_dn = widgets.HiddenField(name="source_group_dn")
     dest_group_dn = widgets.HiddenField(name="dest_group_dn")
diff -r 718f89606a6f -r fe170b17389f ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py	Mon Oct 15 14:55:42 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py	Mon Oct 15 16:21:10 2007 -0700
@@ -193,7 +193,8 @@ class DelegationController(IPAController
                       ipagui.forms.delegate.aci_name_to_label.get(name, name),
                       aci.attrs)
 
-        return dict(aci_list=aci_list, group_dn_to_cn=group_dn_to_cn)
+        return dict(aci_list=aci_list, group_dn_to_cn=group_dn_to_cn,
+                    fields=ipagui.forms.delegate.DelegateFields())
 
     @expose("ipagui.templates.delegategroupsearch")
     @identity.require(identity.not_anonymous())
diff -r 718f89606a6f -r fe170b17389f ipa-server/ipa-gui/ipagui/templates/delegateform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/delegateform.kid	Mon Oct 15 14:55:42 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/delegateform.kid	Mon Oct 15 16:21:10 2007 -0700
@@ -52,12 +52,12 @@
         <th>
           <input type="submit" class="submitbutton" name="submit"
                  value="${actionname} Delegation"/>
-          <br />
+          <br/><br/>
         </th>
         <td>
           <input type="submit" class="submitbutton" name="submit"
                  value="Cancel ${actionname}"/>
-          <br />
+          <br/><br/>
         </td>
       </tr>
     </table>
@@ -150,10 +150,12 @@
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th>
+          <br/>
           <input type="submit" class="submitbutton" name="submit"
                  value="${actionname} Delegation"/>
         </th>
         <td>
+          <br/>
           <input type="submit" class="submitbutton" name="submit"
                  value="Cancel ${actionname}"/>
         </td>
diff -r 718f89606a6f -r fe170b17389f ipa-server/ipa-gui/ipagui/templates/delegatelist.kid
--- a/ipa-server/ipa-gui/ipagui/templates/delegatelist.kid	Mon Oct 15 14:55:42 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/delegatelist.kid	Mon Oct 15 16:21:10 2007 -0700
@@ -6,18 +6,35 @@
 <title>Delegations</title>
 </head>
 <body>
+
+<?python
+from ipagui.helpers import ipahelper
+?>
+
   <script type="text/javascript" charset="utf-8" src="${tg.url('/static/javascript/tablekit.js')}"></script>
+
+  <script type="text/javascript">
+    function editDelegation(acistr) {
+      $('edit_acistr').value = acistr;
+      $('editform').submit();
+      return false;
+    }
+  </script>
+
+  <form style="display:none" id='editform'
+    method="post" action="${tg.url('/delegate/edit')}">
+    <input type="hidden" id="edit_acistr" name="acistr" value="" />
+  </form>
 
   <h2>Delegations</h2>
 
   <table id="resultstable" class="sortable resizable">
     <thead>
     <tr>
-      <th>Name</th>
-      <th>People in Group</th>
-      <th>Can Modify</th>
-      <th>For People in Group</th>
-      <th>Action</th>
+      <th>${fields.name.label}</th>
+      <th>${fields.source_group_cn.label}</th>
+      <th>${fields.attrs.label}</th>
+      <th>${fields.dest_group_cn.label}</th>
     </tr>
     </thead>
     <tbody>
@@ -25,9 +42,12 @@
       <?python
       source_cn = group_dn_to_cn.get(aci.source_group)
       dest_cn = group_dn_to_cn.get(aci.dest_group)
+      acistr = aci.orig_acistr
+      acistr_esc = ipahelper.javascript_string_escape(acistr)
       ?>
       <td>
-        ${aci.name}
+        <a href="#" onclick="return editDelegation('${acistr_esc}');"
+        >${aci.name}</a>
       </td>
       <td>
         <a href="${tg.url('/group/show', cn=source_cn)}"
@@ -39,15 +59,6 @@
       <td>
         <a href="${tg.url('/group/show', cn=dest_cn)}"
           >${dest_cn}</a>
-      </td>
-      <td>
-        <?python
-        # it's probably a bad idea to use a GET string here.
-        # orig_acistr may be quite long
-        # TODO - change to use a form/POST
-        #
-        ?>
-        <a href="${tg.url('/delegate/edit', acistr=aci.orig_acistr)}">edit</a><br />
       </td>
     </tr>
     </tbody>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071015/5bd02441/attachment.bin>

From rcritten at redhat.com  Tue Oct 16 12:56:08 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 16 Oct 2007 08:56:08 -0400
Subject: [Freeipa-devel] [PATCH] fixes for acilist page
In-Reply-To: <20071015232438.GF4766@moon.usersys.redhat.com>
References: <20071015232438.GF4766@moon.usersys.redhat.com>
Message-ID: <4714B4E8.1010205@redhat.com>

Kevin McCarthy wrote:
> Change the aci list page to use POST.  The acistr can be way too long.
> Also fix to use field labels and adjust formatting a bit.
> 
> -Kevin
> 

Looks good.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/1fe528ac/attachment.bin>

From rcritten at redhat.com  Tue Oct 16 14:18:09 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 16 Oct 2007 10:18:09 -0400
Subject: [Freeipa-devel] [PATCH] enable memberof plugin
In-Reply-To: <1192075209.27891.11.camel@localhost.localdomain>
References: <470D60AF.3040300@redhat.com>
	<1192075209.27891.11.camel@localhost.localdomain>
Message-ID: <4714C821.6030503@redhat.com>

Simo Sorce wrote:
> On Wed, 2007-10-10 at 16:30 -0700, Pete Rowley wrote:
>> this time, with a patch attached :)
> 
> I think this should be done separately from bootstrap and in the
> dsinstance.py module, like we do in the krbinstance.py module with the
> __add_pwd_extop_module() to enable the passwd extop plugin.

I agree. A patch to do that is attached.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-274-memberof.patch
Type: text/x-patch
Size: 2231 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/f5eec533/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/f5eec533/attachment-0001.bin>

From ssorce at redhat.com  Tue Oct 16 14:46:31 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 16 Oct 2007 10:46:31 -0400
Subject: [Freeipa-devel] [PATCH] enable memberof plugin
In-Reply-To: <4714C821.6030503@redhat.com>
References: <470D60AF.3040300@redhat.com>
	<1192075209.27891.11.camel@localhost.localdomain>
	<4714C821.6030503@redhat.com>
Message-ID: <1192545991.7342.65.camel@localhost.localdomain>

On Tue, 2007-10-16 at 10:18 -0400, Rob Crittenden wrote:
> 
> I agree. A patch to do that is attached.


Looks good,
please push this.

Now that we have it in we should also add a final job before closing
dsinstance to activate the famous FDS task so that the memberof plugin
checks all things are ok for the default users/groups we have in the
tree.

Simo.



From rcritten at redhat.com  Tue Oct 16 14:50:31 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 16 Oct 2007 10:50:31 -0400
Subject: [Freeipa-devel] [PATCH] enable memberof plugin
In-Reply-To: <1192545991.7342.65.camel@localhost.localdomain>
References: <470D60AF.3040300@redhat.com>	
	<1192075209.27891.11.camel@localhost.localdomain>	
	<4714C821.6030503@redhat.com>
	<1192545991.7342.65.camel@localhost.localdomain>
Message-ID: <4714CFB7.1030402@redhat.com>

Simo Sorce wrote:
> On Tue, 2007-10-16 at 10:18 -0400, Rob Crittenden wrote:
>> I agree. A patch to do that is attached.
> 
> 
> Looks good,
> please push this.
> 
> Now that we have it in we should also add a final job before closing
> dsinstance to activate the famous FDS task so that the memberof plugin
> checks all things are ok for the default users/groups we have in the
> tree.
> 
> Simo.
> 

Pushed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/32ad5781/attachment.bin>

From kmccarth at redhat.com  Tue Oct 16 15:31:48 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 16 Oct 2007 08:31:48 -0700
Subject: [Freeipa-devel] [PATCH] command-line tools man pages
In-Reply-To: <470E38B1.5030807@redhat.com>
References: <470E38B1.5030807@redhat.com>
Message-ID: <20071016153147.GA27259@moon.usersys.redhat.com>

Rob Crittenden wrote:
> I hacked up some man pages for the ipa-* command-line tools. These are so 
> simple and small using xml is probably overkill, though it should be 
> straightforward to convert if necessary.

+Ack

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/f1968b54/attachment.bin>

From kmccarth at redhat.com  Tue Oct 16 15:34:13 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 16 Oct 2007 08:34:13 -0700
Subject: [Freeipa-devel] [PATCH] ipa-finduser fixes
In-Reply-To: <470E385B.70905@redhat.com>
References: <470E385B.70905@redhat.com>
Message-ID: <20071016153413.GB27259@moon.usersys.redhat.com>

Rob Crittenden wrote:
> I added an '-a/--all' option to ipa-finduser to display all attributes 
> returned.
> Binary values are now base64-encoded
> The attributes are sorted before being printed
> Values are stripped before being printed. The base64-encoding was adding an 
> extra carriage return.

Looks good.

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/4afa1c62/attachment.bin>

From rcritten at redhat.com  Tue Oct 16 15:34:33 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 16 Oct 2007 11:34:33 -0400
Subject: [Freeipa-devel] [PATCH] command-line tools man pages
In-Reply-To: <20071016153147.GA27259@moon.usersys.redhat.com>
References: <470E38B1.5030807@redhat.com>
	<20071016153147.GA27259@moon.usersys.redhat.com>
Message-ID: <4714DA09.1090509@redhat.com>

Kevin McCarthy wrote:
> Rob Crittenden wrote:
>> I hacked up some man pages for the ipa-* command-line tools. These are so 
>> simple and small using xml is probably overkill, though it should be 
>> straightforward to convert if necessary.
> 
> +Ack
> 
> -Kevin

Thanks, pushed.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/21945a23/attachment.bin>

From kmccarth at redhat.com  Tue Oct 16 15:38:51 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 16 Oct 2007 08:38:51 -0700
Subject: [Freeipa-devel] [PATCH] start of SSL implementation
In-Reply-To: <4713C323.40006@redhat.com>
References: <4713C323.40006@redhat.com>
Message-ID: <20071016153850.GC27259@moon.usersys.redhat.com>

Rob Crittenden wrote:
> This small patch will get mod_nss installed and listening on the right 
> port.
>
> I'm going to need to mess around with the ipa configuration to do port 
> forwarding from 80 -> 443 as well as some other stuff.
>
> I'm not entirely sure how we're going to provide the CA cert we're using to 
> generate our SSL certs. I'm wondering if we should/could supply it on the 
> web server, I'm just not sure how I want to do it yet.
>
> I also need to replace the mod_nss-generated server cert with one issued by 
> the the same CA that FDS is using.

Looks good.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/ad59b9be/attachment.bin>

From rcritten at redhat.com  Tue Oct 16 15:42:03 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 16 Oct 2007 11:42:03 -0400
Subject: [Freeipa-devel] [PATCH] ipa-finduser fixes
In-Reply-To: <20071016153413.GB27259@moon.usersys.redhat.com>
References: <470E385B.70905@redhat.com>
	<20071016153413.GB27259@moon.usersys.redhat.com>
Message-ID: <4714DBCB.90208@redhat.com>

Kevin McCarthy wrote:
> Rob Crittenden wrote:
>> I added an '-a/--all' option to ipa-finduser to display all attributes 
>> returned.
>> Binary values are now base64-encoded
>> The attributes are sorted before being printed
>> Values are stripped before being printed. The base64-encoding was adding an 
>> extra carriage return.
> 
> Looks good.
> 

Pushed

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/946ce896/attachment.bin>

From rcritten at redhat.com  Tue Oct 16 15:42:29 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 16 Oct 2007 11:42:29 -0400
Subject: [Freeipa-devel] [PATCH] start of SSL implementation
In-Reply-To: <20071016153850.GC27259@moon.usersys.redhat.com>
References: <4713C323.40006@redhat.com>
	<20071016153850.GC27259@moon.usersys.redhat.com>
Message-ID: <4714DBE5.2070401@redhat.com>

Kevin McCarthy wrote:
> Rob Crittenden wrote:
>> This small patch will get mod_nss installed and listening on the right 
>> port.
>>
>> I'm going to need to mess around with the ipa configuration to do port 
>> forwarding from 80 -> 443 as well as some other stuff.
>>
>> I'm not entirely sure how we're going to provide the CA cert we're using to 
>> generate our SSL certs. I'm wondering if we should/could supply it on the 
>> web server, I'm just not sure how I want to do it yet.
>>
>> I also need to replace the mod_nss-generated server cert with one issued by 
>> the the same CA that FDS is using.
> 
> Looks good.

Pushed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/021a361d/attachment.bin>

From rcritten at redhat.com  Tue Oct 16 16:20:24 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 16 Oct 2007 12:20:24 -0400
Subject: [Freeipa-devel] [PATCH] ipa-find* exit status when nothing is found
Message-ID: <4714E4C8.3060607@redhat.com>

ipa-finduser and ipa-findgroup now return 2 if no entries match the 
search string.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-276-exit.patch
Type: text/x-patch
Size: 2155 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/20ef0cfd/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/20ef0cfd/attachment-0001.bin>

From kmccarth at redhat.com  Tue Oct 16 16:23:02 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 16 Oct 2007 09:23:02 -0700
Subject: [Freeipa-devel] [PATCH] ipa-find* exit status when nothing is
	found
In-Reply-To: <4714E4C8.3060607@redhat.com>
References: <4714E4C8.3060607@redhat.com>
Message-ID: <20071016162302.GD27259@moon.usersys.redhat.com>

Rob Crittenden wrote:
> ipa-finduser and ipa-findgroup now return 2 if no entries match the search 
> string.

Looks good.

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/ffc6cb9f/attachment.bin>

From rcritten at redhat.com  Tue Oct 16 16:29:24 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 16 Oct 2007 12:29:24 -0400
Subject: [Freeipa-devel] [PATCH] ipa-find* exit status when nothing is
	found
In-Reply-To: <20071016162302.GD27259@moon.usersys.redhat.com>
References: <4714E4C8.3060607@redhat.com>
	<20071016162302.GD27259@moon.usersys.redhat.com>
Message-ID: <4714E6E4.2080905@redhat.com>

Kevin McCarthy wrote:
> Rob Crittenden wrote:
>> ipa-finduser and ipa-findgroup now return 2 if no entries match the search 
>> string.
> 
> Looks good.
> 
> -Kevin
>

Thanks, pushed.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/e54aa5e7/attachment.bin>

From kmccarth at redhat.com  Tue Oct 16 17:04:16 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 16 Oct 2007 10:04:16 -0700
Subject: [Freeipa-devel] [PATCH] delete delegations
Message-ID: <20071016170416.GE27259@moon.usersys.redhat.com>

Adds a delete button for delegations.  I debated a confirmation pages
vs confirm dialog.  For now I've gone for the dialog, with the addition
that the delete can't be triggered without javascript.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192554090 25200
# Node ID bd42c014d9168c5ed95ed720b49b8791181fe267
# Parent  b24e9309b3f266c5c321cdda047d29dd9495d5b0
Adds deletion for delegations.
The deletion is only triggered via javascript, so they must hit confirm.

diff -r b24e9309b3f2 -r bd42c014d916 ipa-server/ipa-gui/ipagui/static/css/style.css
--- a/ipa-server/ipa-gui/ipagui/static/css/style.css	Tue Oct 16 09:24:21 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/static/css/style.css	Tue Oct 16 10:01:30 2007 -0700
@@ -206,6 +206,10 @@ body {
   background: #eee;
 }
 
+.deletebutton {
+  background: #ee2222;
+}
+
 /*
  * Used for checkboxlist of aci attributes
  */
diff -r b24e9309b3f2 -r bd42c014d916 ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py	Tue Oct 16 09:24:21 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py	Tue Oct 16 10:01:30 2007 -0700
@@ -195,6 +195,42 @@ class DelegationController(IPAController
 
         return dict(aci_list=aci_list, group_dn_to_cn=group_dn_to_cn,
                     fields=ipagui.forms.delegate.DelegateFields())
+
+    @expose()
+    @identity.require(identity.not_anonymous())
+    def delete(self, acistr):
+        """Display delegate page"""
+        self.restrict_post()
+        client = self.get_ipaclient()
+
+        try:
+            aci_entry = client.get_aci_entry(aci_fields)
+
+            aci_str_list = aci_entry.getValues('aci')
+            if aci_str_list is None:
+                aci_str_list = []
+            if not(isinstance(aci_str_list,list) or isinstance(aci_str_list,tuple)):
+                aci_str_list = [aci_str_list]
+
+            try :
+                old_aci_index = aci_str_list.index(acistr)
+            except ValueError:
+                turbogears.flash("Delegation deletion failed:<br />" +
+                        "The delegation you were attempting to delete has been " +
+                        "concurrently modified.")
+                raise turbogears.redirect('/delegate/list')
+
+            new_aci_str_list = copy.copy(aci_str_list)
+            del new_aci_str_list[old_aci_index]
+            aci_entry.setValue('aci', new_aci_str_list)
+
+            client.update_entry(aci_entry)
+
+            turbogears.flash("delegate deleted")
+            raise turbogears.redirect('/delegate/list')
+        except (SyntaxError, ipaerror.IPAError), e:
+            turbogears.flash("Delegation deletion failed: " + str(e))
+            raise turbogears.redirect('/delegate/list')
 
     @expose("ipagui.templates.delegategroupsearch")
     @identity.require(identity.not_anonymous())
diff -r b24e9309b3f2 -r bd42c014d916 ipa-server/ipa-gui/ipagui/templates/delegateform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/delegateform.kid	Tue Oct 16 09:24:21 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/delegateform.kid	Tue Oct 16 10:01:30 2007 -0700
@@ -43,7 +43,19 @@
       new Effect.Fade($(which_group + '_searcharea'), {duration: 0.25});
       new Effect.Appear($(which_group + '_change_link'), {duration: 0.25});
     }
-  </script>
+
+    function confirmDelete() {
+      if (confirm("Are you sure you want to delete this delegation?")) {
+        $('deleteform').submit();
+      }
+      return false;
+    }
+  </script>
+
+  <form style="display:none" id='deleteform'
+    method="post" action="${tg.url('/delegate/delete')}">
+    <input type="hidden" name="acistr" value="${value.get('orig_acistr')}" />
+  </form>
 
   <form action="${action}" name="${name}" method="${method}" class="tableform">
 
@@ -57,6 +69,14 @@
         <td>
           <input type="submit" class="submitbutton" name="submit"
                  value="Cancel ${actionname}"/>
+          <br/><br/>
+        </td>
+        <td py:if='actionname == "Edit"'>
+          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
+          <input type="button" class="deletebutton"
+                 value="Delete Delegation"
+                 onclick="return confirmDelete();"
+                 />
           <br/><br/>
         </td>
       </tr>
@@ -159,6 +179,14 @@
           <input type="submit" class="submitbutton" name="submit"
                  value="Cancel ${actionname}"/>
         </td>
+        <td py:if='actionname == "Edit"'>
+          <br/>
+          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
+          <input type="button" class="deletebutton"
+                 value="Delete Delegation"
+                 onclick="return confirmDelete();"
+                 />
+        </td>
       </tr>
     </table>
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/99fc3a0a/attachment.bin>

From kmccarth at redhat.com  Tue Oct 16 17:16:35 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 16 Oct 2007 10:16:35 -0700
Subject: [Freeipa-devel] [PATCH] minor delegation ui adjustments
Message-ID: <20071016171634.GF27259@moon.usersys.redhat.com>

Some minor tweeks to the delegation ui.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192554867 25200
# Node ID 1387124c194f8b290b6a9c35196456ff172108d6
# Parent  bd42c014d9168c5ed95ed720b49b8791181fe267
Remove coffee-spewing color from delete button.  Adjust nav-link and size.

diff -r bd42c014d916 -r 1387124c194f ipa-server/ipa-gui/ipagui/static/css/style.css
--- a/ipa-server/ipa-gui/ipagui/static/css/style.css	Tue Oct 16 10:01:30 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/static/css/style.css	Tue Oct 16 10:14:27 2007 -0700
@@ -77,7 +77,7 @@ body {
 #main_content {
   background:#fff;
   float:right;
-  width:82%;
+  width:84%;
   min-height:500px;
   border-left: 1px solid #000;
   padding: 10px;
@@ -92,7 +92,7 @@ body {
 #sidebar {
   background:#ccc;  /* should be same as #page */
   float:left;
-  width:13%;
+  width:11%;
   padding: 5px;
   font-size: medium;
 }
@@ -207,7 +207,6 @@ body {
 }
 
 .deletebutton {
-  background: #ee2222;
 }
 
 /*
diff -r bd42c014d916 -r 1387124c194f ipa-server/ipa-gui/ipagui/templates/master.kid
--- a/ipa-server/ipa-gui/ipagui/templates/master.kid	Tue Oct 16 10:01:30 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/master.kid	Tue Oct 16 10:14:27 2007 -0700
@@ -78,7 +78,7 @@
         <a href="${tg.url('/')}">Self Service</a><br/>
         </p>
         <p>
-        <a href="${tg.url('/delegate/list')}">Delegation Mgmt</a><br/>
+        <a href="${tg.url('/delegate/list')}">Delegations</a><br/>
         </p>
       </div>
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/4ceb3075/attachment.bin>

From kmccarth at redhat.com  Tue Oct 16 17:56:30 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 16 Oct 2007 10:56:30 -0700
Subject: [Freeipa-devel] [PATCH] tiny jslint fixes
Message-ID: <20071016175630.GG27259@moon.usersys.redhat.com>

Fix a few lint warnings on the javascript (just missing semi-colons).

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192557287 25200
# Node ID 2e62c1868c2ef46fc3042b382a228124af4138f5
# Parent  1387124c194f8b290b6a9c35196456ff172108d6
patch queue: jslint_fixes.patch

diff -r 1387124c194f -r 2e62c1868c2e ipa-server/ipa-gui/ipagui/static/javascript/dynamicedit.js
--- a/ipa-server/ipa-gui/ipagui/static/javascript/dynamicedit.js	Tue Oct 16 10:14:27 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/static/javascript/dynamicedit.js	Tue Oct 16 10:54:47 2007 -0700
@@ -117,11 +117,11 @@ function addmember(dn, info) {
   newdiv.style.display = 'none';
   $('newmembers').appendChild(newdiv);
 
-  return newdiv
+  return newdiv;
 }
 
 function addmemberHandler(element, dn, info) {
-  var newdiv = addmember(dn, info)
+  var newdiv = addmember(dn, info);
   if (newdiv != null) {
     new Effect.Fade(Element.up(element), {duration: 0.75});
     new Effect.Appear(newdiv, {duration: 0.75});
@@ -154,7 +154,7 @@ function removemember(dn, info) {
   newdiv.style.display = 'none';
   $('delmembers').appendChild(newdiv);
 
-  return newdiv
+  return newdiv;
 }
 
 function removememberHandler(element, dn, info) {
diff -r 1387124c194f -r 2e62c1868c2e ipa-server/ipa-gui/ipagui/static/javascript/ipautil.js
--- a/ipa-server/ipa-gui/ipagui/static/javascript/ipautil.js	Tue Oct 16 10:14:27 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/static/javascript/ipautil.js	Tue Oct 16 10:54:47 2007 -0700
@@ -4,5 +4,5 @@
  * it can be embedded inside a dynamically generated string.
  */
 function jsStringEscape(input) {
-    return input.gsub(/(['"\\])/, function(match){ return "\\" + match[0]} );
+    return input.gsub(/(['"\\])/, function(match){ return "\\" + match[0];} );
 }
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/a68985a2/attachment.bin>

From kmacmill at redhat.com  Tue Oct 16 17:57:21 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 16 Oct 2007 13:57:21 -0400
Subject: [Freeipa-devel] Re: [Func-list] Func and kerberos
In-Reply-To: <1192543149.8542.10.camel@cutter>
References: <1192123162.26928.81.camel@dhcp-64-223.iad.redhat.com>
	<1192198610.19308.48.camel@cutter>
	<1192201550.3294.12.camel@localhost.localdomain>
	<1192202373.19308.69.camel@cutter>
	<1192208317.3294.30.camel@localhost.localdomain>
	<1192211025.19308.79.camel@cutter>
	<1192477129.2913.81.camel@localhost.localdomain>
	<1192477212.2393.35.camel@cutter>
	<1192478479.2913.98.camel@localhost.localdomain>
	<1192478824.2393.44.camel@cutter>
	<1192486486.2871.13.camel@localhost.localdomain>
	<1192543149.8542.10.camel@cutter>
Message-ID: <1192557441.24007.24.camel@dhcp-64-223.iad.redhat.com>

On Tue, 2007-10-16 at 09:59 -0400, seth vidal wrote:
> On Mon, 2007-10-15 at 18:14 -0400, Karl MacMillan wrote:
> > On Mon, 2007-10-15 at 16:07 -0400, seth vidal wrote:
> > > On Mon, 2007-10-15 at 16:01 -0400, Karl MacMillan wrote:
> > > > If you plan to use this cert infrastructure more broadly then my
> > > > concerns about the weaknesses grow quite a bit.
> > > 
> > > We can use the cert signing portion of the infrastructure for whatever
> > > needs help communicating with certificates as auth.
> > > 
> > > examples:
> > > - yum can use the certs to talk to mod_auth_cert on apache to have
> > > authenticated access to repositories
> > > 
> > > - nagios can use it as a transport mechanism to do system checks and to
> > > send alerts
> > > 
> > > - cacti can use it as a better-authenticated way to gather system stats
> > > 
> > > - puppet can use the certs as it does currently.
> > > 
> > 
> > I certainly agree that cert infrastructure is useful and important. I
> > would argue a few things:
> > 
> > * It would be nice to abstract this kind of authentication / encryption
> > where possible to allow the use of other methods (using things like
> > SASL). I know you don't like kerberos, but it has many nice properties.
> > Sometimes kerberos is better and sometimes certs are better - allowing
> > admins to choose is probably best.
> > 
> > * Putting this all on a distribution mechanism that appears to be
> > vulnerable to man-in-the-middle attacks is only providing false
> > security.
> 
> Your answer to how to avoid the mitm attacks was, ultimately: "that's
> what a signed rpms are for".

[If you want to skip the bickering back and forth, please skip to the
bottom where I have a suggestion that might make all of us happy]

Well that was one option. Any mutual authentication scheme - including
something as simple as ssh - can give you better security.

>  You realize that signed rpms have to have a
> key to check them. That key is NOT checked during an anaconda install.
> So you have to have a source for the rpms you implicitly trust, since
> checking once they are already installed is pointless.
> 

Not if you install from DVD or are on a separate, trusted network. And
anaconda should be checking for that key since there is should be no
danger in distributing it with the boot media (and yes, of course, that
media is sometimes insecure, but that doesn't mean that anaconda should
just globally punt on checking the signatures).

> Trusting that a specific source for your rpms has not been spoofed or
> exploited is just as dangerous, if not more so, than what we've set up.
> 

Only for the initial install - from that point forward package signing
works fairly well.

> So, during any install you're already counting on that an http/ftp/nfs
> server is not being spoofed on your network. B/c if it is, anaconda will
> happily install compromised packages and even push in an exploiters
> gpgkeys. The problem is you have to start your trust somewhere.
> 

In one scenario! How often do we see applications used outside of their
original purpose with disastrous security results?

> Now, if we want to increase the security then we could just make
> certmaster an ssl'd xmlrpc server and have the funcd process (when it
> first connects to certmaster) pop up a 'is this the CN of your
> certmaster' dialog. That means, of course, that we'll have to allow
> automating that process so that people can kickstart their boxes
> properly.
> 

That is one solution, though of course those dialogs hardly help. I'm
more suggesting that you should consider using other, secure
communication channels if they are available.

> > * I know that you want very low infrastructure, but I think that you are
> > quickly going to want a little more than you currently have if you
> > succeed in getting certs widely distributed. Most obvious to me is
> > revocation and automated renewal.
> 
> revocation doesn't have any meaning b/c you have to propagate OUT the
> revoked keys.

Which is why having a real CA is nice.

>  In this way we're acting like ssh. How do you revoke ankey 
> ssh key? You don't. You just remove it from the systems in both priv and
> pub forms and that's it.
> 

Well - that is one of the main weaknesses of ssh keys and why people
want things like kerberos or real certificate infrastructure. And what
will you do about key renewal?

> 
> > We are working on similar things as part of freeipa.org. I'd appreciate
> > it if you took a look at that and provided some feedback about how that
> > doesn't meet your needs.
> 
> b/c the size of the overhead to run it is too large. Setting it up is
> more than: yum install func; /etc/init.d/certmaster
> start; /etc/init.d/funcd start
> 
> That's one of the points. Simple things get used immediately,
> complicated things only get used after hours of meetings and planning.
> 

And how complex do you think freeipa is to set up? It should be one
additional step - that requires a realm name and some passwords (and
some dns changes if you want auto-discovery to work). Now, I'm not
suggesting that there isn't additional overhead because there is. But it
is not that much.

Here's a suggestion. We were going to propose an F9 feature to continue
work on some conventions for cert storage / management. Perhaps what we
should have instead is something like the xdg tools for cert management
that will present the same interface regardless of the distribution
mechanism. It can offer initial distribution of keys, renewal, and
revocation. It would also, by default, use cert storage in /etc/pki. I
would also like it to work for kerberos keytabs.

Thoughts? Would you guys be interested in working with us on that type
of feature?

Karl



From rcritten at redhat.com  Tue Oct 16 18:02:59 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 16 Oct 2007 14:02:59 -0400
Subject: [Freeipa-devel] [PATCH] delete delegations
In-Reply-To: <20071016170416.GE27259@moon.usersys.redhat.com>
References: <20071016170416.GE27259@moon.usersys.redhat.com>
Message-ID: <4714FCD3.80409@redhat.com>

Kevin McCarthy wrote:
> Adds a delete button for delegations.  I debated a confirmation pages
> vs confirm dialog.  For now I've gone for the dialog, with the addition
> that the delete can't be triggered without javascript.
> 
> -Kevin

Looks ok

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/68001894/attachment.bin>

From rcritten at redhat.com  Tue Oct 16 18:03:39 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 16 Oct 2007 14:03:39 -0400
Subject: [Freeipa-devel] [PATCH] minor delegation ui adjustments
In-Reply-To: <20071016171634.GF27259@moon.usersys.redhat.com>
References: <20071016171634.GF27259@moon.usersys.redhat.com>
Message-ID: <4714FCFB.9090609@redhat.com>

Kevin McCarthy wrote:
> Some minor tweeks to the delegation ui.
> 
> -Kevin

Looks ok.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/3f88dc6a/attachment.bin>

From rcritten at redhat.com  Tue Oct 16 18:04:47 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 16 Oct 2007 14:04:47 -0400
Subject: [Freeipa-devel] [PATCH] tiny jslint fixes
In-Reply-To: <20071016175630.GG27259@moon.usersys.redhat.com>
References: <20071016175630.GG27259@moon.usersys.redhat.com>
Message-ID: <4714FD3F.9010607@redhat.com>

Kevin McCarthy wrote:
> Fix a few lint warnings on the javascript (just missing semi-colons).
> 
> -Kevin
> 
>

Looks good.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/1f9c4813/attachment.bin>

From kmacmill at redhat.com  Tue Oct 16 18:57:21 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 16 Oct 2007 14:57:21 -0400
Subject: [Freeipa-devel] Re: [PATCH] Better IPv6/IPv4 support for kpasswd
In-Reply-To: <470FD49A.6000606@redhat.com>
References: <1192210069.15630.1.camel@hopeson>
	<1192210350.15630.3.camel@hopeson>  <470FD49A.6000606@redhat.com>
Message-ID: <1192561041.24007.29.camel@dhcp-64-223.iad.redhat.com>

On Fri, 2007-10-12 at 16:10 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Fri, 2007-10-12 at 13:27 -0400, Simo Sorce wrote:
> >> Implements suggestion from Daniel Berranger so that ipa-kpasswd can work
> >> in whatever mode the kernel has been configured to work wrt IPv6.
> > 
> > Better with the patch of course :-/
> >
> 
> I know this isn't related to the current patch but how does the 
> blacklist work? If two users initiate a password change from the same 
> machine at once, will one get rejected? What does a return of 0 give the 
> user?
> 
> The patch itself looks good, from what I can understand of it (the only 
> IPv6 work I've done has been in NSPR which handles this for you).
> 

Pushed



From kmacmill at redhat.com  Tue Oct 16 20:09:13 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 16 Oct 2007 16:09:13 -0400
Subject: [Freeipa-devel] [PATCH] distutils for ipa-python (revised)
In-Reply-To: <939dd5750710121337h5dde9232n21f23f99d6d1d599@mail.gmail.com>
References: <939dd5750710121337h5dde9232n21f23f99d6d1d599@mail.gmail.com>
Message-ID: <1192565353.29521.7.camel@dhcp-64-223.iad.redhat.com>

On Fri, 2007-10-12 at 16:37 -0400, William Jon McCann wrote:
> Hi,
> 
> Here is an updated version of the patch to add distutils support to ipa-python.
> 
> Fixes a problem with the installation directory for ipa.conf and
> updates the .spec files.
> 

Acked and pushed. For me this broke make local-dist (and dist). The
attached patch fixes that by going back to a spec file that is closer to
a standard fedora spec. Also fixed the ipa-python/Makefile to use
setup.py.

Karl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-227-setup.py-style-changes.patch
Type: text/x-patch
Size: 4623 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/79d6c377/attachment.bin>

From kmacmill at redhat.com  Tue Oct 16 20:40:49 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 16 Oct 2007 16:40:49 -0400
Subject: [Freeipa-devel] [PATCH] autotoolize ipa-client
In-Reply-To: <939dd5750710121209o2886020duc56f6c83dcdd0637@mail.gmail.com>
References: <939dd5750710121209o2886020duc56f6c83dcdd0637@mail.gmail.com>
Message-ID: <1192567249.29521.13.camel@dhcp-64-223.iad.redhat.com>

On Fri, 2007-10-12 at 15:09 -0400, William Jon McCann wrote:
> Hi,
> 
> Here is a patch to autotoolize ipa-client.
> 

Any ideas:

$ ./configure 
./configure: line 1627: AM_INIT_AUTOMAKE: command not found
./configure: line 1629: AM_MAINTAINER_MODE: command not found
configure: Checking for Python
./configure: line 1637: syntax error near unexpected token `2.3'
./configure: line 1637: `AM_PATH_PYTHON(2.3)'






From mccann at jhu.edu  Tue Oct 16 20:58:12 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Tue, 16 Oct 2007 16:58:12 -0400
Subject: [Freeipa-devel] [PATCH] autotoolize ipa-client
In-Reply-To: <1192567249.29521.13.camel@dhcp-64-223.iad.redhat.com>
References: <939dd5750710121209o2886020duc56f6c83dcdd0637@mail.gmail.com>
	<1192567249.29521.13.camel@dhcp-64-223.iad.redhat.com>
Message-ID: <939dd5750710161358t6caaa2fct567c6e287d32a5db@mail.gmail.com>

Hi

On 10/16/07, Karl MacMillan <kmacmill at redhat.com> wrote:
> On Fri, 2007-10-12 at 15:09 -0400, William Jon McCann wrote:
> > Hi,
> >
> > Here is a patch to autotoolize ipa-client.
> >
>
> Any ideas:
>
> $ ./configure
> ./configure: line 1627: AM_INIT_AUTOMAKE: command not found
> ./configure: line 1629: AM_MAINTAINER_MODE: command not found
> configure: Checking for Python
> ./configure: line 1637: syntax error near unexpected token `2.3'
> ./configure: line 1637: `AM_PATH_PYTHON(2.3)'

Did you run autogen.sh?  Strange, this looks like automake is broken
on your system.  Those are all standard macros.

Jon



From rcritten at redhat.com  Tue Oct 16 21:38:34 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 16 Oct 2007 17:38:34 -0400
Subject: [Freeipa-devel] [PATCH] autotoolize ipa-client
In-Reply-To: <939dd5750710161358t6caaa2fct567c6e287d32a5db@mail.gmail.com>
References: <939dd5750710121209o2886020duc56f6c83dcdd0637@mail.gmail.com>	<1192567249.29521.13.camel@dhcp-64-223.iad.redhat.com>
	<939dd5750710161358t6caaa2fct567c6e287d32a5db@mail.gmail.com>
Message-ID: <47152F5A.4080007@redhat.com>

William Jon McCann wrote:
> Hi
> 
> On 10/16/07, Karl MacMillan <kmacmill at redhat.com> wrote:
>> On Fri, 2007-10-12 at 15:09 -0400, William Jon McCann wrote:
>>> Hi,
>>>
>>> Here is a patch to autotoolize ipa-client.
>>>
>> Any ideas:
>>
>> $ ./configure
>> ./configure: line 1627: AM_INIT_AUTOMAKE: command not found
>> ./configure: line 1629: AM_MAINTAINER_MODE: command not found
>> configure: Checking for Python
>> ./configure: line 1637: syntax error near unexpected token `2.3'
>> ./configure: line 1637: `AM_PATH_PYTHON(2.3)'
> 
> Did you run autogen.sh?  Strange, this looks like automake is broken
> on your system.  Those are all standard macros.
> 
>

Along these lines, I wonder if we need separate autoconf configurations 
for each subdirectory. What do other large services do that include a 
client and a server (Samba for example, or openldap)?

I've gone through the server one a bit and found a few problems, not 
necessarily with the autoconf code but with some hardcoded directories.

Also, make dist-clean still leaves a slew of autoconf-generated files. I 
think we should have a make target that removes everything 
auto-generated, if not dist-clean then something else. Or we can leave 
them around as most projects do, but we should decide now.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071016/77da75b7/attachment.bin>

From mccann at jhu.edu  Tue Oct 16 22:21:23 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Tue, 16 Oct 2007 18:21:23 -0400
Subject: [Freeipa-devel] [PATCH] autotoolize ipa-client
In-Reply-To: <47152F5A.4080007@redhat.com>
References: <939dd5750710121209o2886020duc56f6c83dcdd0637@mail.gmail.com>
	<1192567249.29521.13.camel@dhcp-64-223.iad.redhat.com>
	<939dd5750710161358t6caaa2fct567c6e287d32a5db@mail.gmail.com>
	<47152F5A.4080007@redhat.com>
Message-ID: <939dd5750710161521t6d76890ar1a529c229f5922a4@mail.gmail.com>

On 10/16/07, Rob Crittenden <rcritten at redhat.com> wrote:
> William Jon McCann wrote:
> > Hi
> >
> > On 10/16/07, Karl MacMillan <kmacmill at redhat.com> wrote:
> >> On Fri, 2007-10-12 at 15:09 -0400, William Jon McCann wrote:
> >>> Hi,
> >>>
> >>> Here is a patch to autotoolize ipa-client.
> >>>
> >> Any ideas:
> >>
> >> $ ./configure
> >> ./configure: line 1627: AM_INIT_AUTOMAKE: command not found
> >> ./configure: line 1629: AM_MAINTAINER_MODE: command not found
> >> configure: Checking for Python
> >> ./configure: line 1637: syntax error near unexpected token `2.3'
> >> ./configure: line 1637: `AM_PATH_PYTHON(2.3)'
> >
> > Did you run autogen.sh?  Strange, this looks like automake is broken
> > on your system.  Those are all standard macros.
> >
> >
>
> Along these lines, I wonder if we need separate autoconf configurations
> for each subdirectory. What do other large services do that include a
> client and a server (Samba for example, or openldap)?

It is usually based on how you package it.  There is usually one
configure script per package: ipa-client, ipa-server, ipa-python, etc.

> I've gone through the server one a bit and found a few problems, not
> necessarily with the autoconf code but with some hardcoded directories.

Like what?

> Also, make dist-clean still leaves a slew of autoconf-generated files. I
> think we should have a make target that removes everything
> auto-generated, if not dist-clean then something else. Or we can leave
> them around as most projects do, but we should decide now.

distclean is supposed to leave those files.  It should only clean up
what configure makes:
http://www.gnu.org/software/automake/manual/html_node/Clean.html

In practice, the maintainer-clean target has been extended to
additionally clean files generated by autogen.sh.

Jon



From jdennis at redhat.com  Tue Oct 16 22:52:40 2007
From: jdennis at redhat.com (John Dennis)
Date: Tue, 16 Oct 2007 18:52:40 -0400
Subject: [Freeipa-devel] [PATCH] autotoolize ipa-client
In-Reply-To: <47152F5A.4080007@redhat.com>
References: <939dd5750710121209o2886020duc56f6c83dcdd0637@mail.gmail.com>	<1192567249.29521.13.camel@dhcp-64-223.iad.redhat.com>	<939dd5750710161358t6caaa2fct567c6e287d32a5db@mail.gmail.com>
	<47152F5A.4080007@redhat.com>
Message-ID: <471540B8.4060600@redhat.com>

Rob Crittenden wrote:
> Along these lines, I wonder if we need separate autoconf configurations 
> for each subdirectory. What do other large services do that include a 
> client and a server (Samba for example, or openldap)?

Do you mean its own configure.ac et. al.? Probably not, unless the 
client and server are packaged independently and have their own 
indpendent configuration. What some RPM's in this instance do is to run 
configure twice, and build select parts of the tree.

 From what I know of IPA I don't see a need for this, one configure.ac 
to rule them all :-)

> Also, make dist-clean still leaves a slew of autoconf-generated files. I 
> think we should have a make target that removes everything 
> auto-generated, if not dist-clean then something else. Or we can leave 
> them around as most projects do, but we should decide now.

What is dist clean not removing? It should be everything autoconf 
generated. Other generated files may need to be removed by specifying
DISTCLEANFILES or BUILT_SOURCES

-- 
John Dennis <jdennis at redhat.com>



From jdennis at redhat.com  Tue Oct 16 22:59:41 2007
From: jdennis at redhat.com (John Dennis)
Date: Tue, 16 Oct 2007 18:59:41 -0400
Subject: [Freeipa-devel] [PATCH] autotoolize ipa-client
In-Reply-To: <939dd5750710161521t6d76890ar1a529c229f5922a4@mail.gmail.com>
References: <939dd5750710121209o2886020duc56f6c83dcdd0637@mail.gmail.com>	<1192567249.29521.13.camel@dhcp-64-223.iad.redhat.com>	<939dd5750710161358t6caaa2fct567c6e287d32a5db@mail.gmail.com>	<47152F5A.4080007@redhat.com>
	<939dd5750710161521t6d76890ar1a529c229f5922a4@mail.gmail.com>
Message-ID: <4715425D.7040108@redhat.com>

William Jon McCann wrote:
> On 10/16/07, Rob Crittenden <rcritten at redhat.com> wrote:
>> Along these lines, I wonder if we need separate autoconf configurations
>> for each subdirectory. What do other large services do that include a
>> client and a server (Samba for example, or openldap)?
> 
> It is usually based on how you package it.  There is usually one
> configure script per package: ipa-client, ipa-server, ipa-python, etc.

If they share the same configuration options and are sub-packages this 
is not necessary (e.g. one spec file).

On the other hand if the configuration is unique per component or you 
use separate spec files for each component then you should have separate 
configure.ac. Note one reason this you need a separate configure.ac for 
each spec files is because the version information is embedded in 
configure.ac and the version information carries through to the spec file.

-- 
John Dennis <jdennis at redhat.com>



From rcritten at redhat.com  Wed Oct 17 13:50:53 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Oct 2007 09:50:53 -0400
Subject: [Freeipa-devel] [PATCH] autotoolize ipa-client
In-Reply-To: <939dd5750710161521t6d76890ar1a529c229f5922a4@mail.gmail.com>
References: <939dd5750710121209o2886020duc56f6c83dcdd0637@mail.gmail.com>	
	<1192567249.29521.13.camel@dhcp-64-223.iad.redhat.com>	
	<939dd5750710161358t6caaa2fct567c6e287d32a5db@mail.gmail.com>	
	<47152F5A.4080007@redhat.com>
	<939dd5750710161521t6d76890ar1a529c229f5922a4@mail.gmail.com>
Message-ID: <4716133D.4030302@redhat.com>

William Jon McCann wrote:
> On 10/16/07, Rob Crittenden <rcritten at redhat.com> wrote:
>> William Jon McCann wrote:
>>> Hi
>>>
>>> On 10/16/07, Karl MacMillan <kmacmill at redhat.com> wrote:
>>>> On Fri, 2007-10-12 at 15:09 -0400, William Jon McCann wrote:
>>>>> Hi,
>>>>>
>>>>> Here is a patch to autotoolize ipa-client.
>>>>>
>>>> Any ideas:
>>>>
>>>> $ ./configure
>>>> ./configure: line 1627: AM_INIT_AUTOMAKE: command not found
>>>> ./configure: line 1629: AM_MAINTAINER_MODE: command not found
>>>> configure: Checking for Python
>>>> ./configure: line 1637: syntax error near unexpected token `2.3'
>>>> ./configure: line 1637: `AM_PATH_PYTHON(2.3)'
>>> Did you run autogen.sh?  Strange, this looks like automake is broken
>>> on your system.  Those are all standard macros.
>>>
>>>
>> Along these lines, I wonder if we need separate autoconf configurations
>> for each subdirectory. What do other large services do that include a
>> client and a server (Samba for example, or openldap)?
> 
> It is usually based on how you package it.  There is usually one
> configure script per package: ipa-client, ipa-server, ipa-python, etc.

I'm not so sure about that and I think it would cause confusion (e.g. 
oops, forgot to use --prefix in one of the builds). I'm with John Dennis 
on this, one configure.ac to rule them all.

> 
>> I've gone through the server one a bit and found a few problems, not
>> necessarily with the autoconf code but with some hardcoded directories.
> 
> Like what?

ipa.conf for one (the file for Apache). Would need an ipa.conf.in instead.

>> Also, make dist-clean still leaves a slew of autoconf-generated files. I
>> think we should have a make target that removes everything
>> auto-generated, if not dist-clean then something else. Or we can leave
>> them around as most projects do, but we should decide now.
> 
> distclean is supposed to leave those files.  It should only clean up
> what configure makes:
> http://www.gnu.org/software/automake/manual/html_node/Clean.html
> 
> In practice, the maintainer-clean target has been extended to
> additionally clean files generated by autogen.sh.

Ok, maintainer-clean is a lot better! I use 'hg stat' to make sure I 
don't miss any new files and sifting through all the autoconf cruft 
would be painful at best.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/edc6d2d9/attachment.bin>

From kmacmill at redhat.com  Wed Oct 17 13:57:30 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 17 Oct 2007 09:57:30 -0400
Subject: [Freeipa-devel] [PATCH] autotoolize ipa-client
In-Reply-To: <4716133D.4030302@redhat.com>
References: <939dd5750710121209o2886020duc56f6c83dcdd0637@mail.gmail.com>
	<1192567249.29521.13.camel@dhcp-64-223.iad.redhat.com>
	<939dd5750710161358t6caaa2fct567c6e287d32a5db@mail.gmail.com>
	<47152F5A.4080007@redhat.com>
	<939dd5750710161521t6d76890ar1a529c229f5922a4@mail.gmail.com>
	<4716133D.4030302@redhat.com>
Message-ID: <1192629450.18460.0.camel@dhcp-64-223.iad.redhat.com>

On Wed, 2007-10-17 at 09:50 -0400, Rob Crittenden wrote:
> William Jon McCann wrote:
> > On 10/16/07, Rob Crittenden <rcritten at redhat.com> wrote:
> >> William Jon McCann wrote:
> >>> Hi
> >>>
> >>> On 10/16/07, Karl MacMillan <kmacmill at redhat.com> wrote:
> >>>> On Fri, 2007-10-12 at 15:09 -0400, William Jon McCann wrote:
> >>>>> Hi,
> >>>>>
> >>>>> Here is a patch to autotoolize ipa-client.
> >>>>>
> >>>> Any ideas:
> >>>>
> >>>> $ ./configure
> >>>> ./configure: line 1627: AM_INIT_AUTOMAKE: command not found
> >>>> ./configure: line 1629: AM_MAINTAINER_MODE: command not found
> >>>> configure: Checking for Python
> >>>> ./configure: line 1637: syntax error near unexpected token `2.3'
> >>>> ./configure: line 1637: `AM_PATH_PYTHON(2.3)'
> >>> Did you run autogen.sh?  Strange, this looks like automake is broken
> >>> on your system.  Those are all standard macros.
> >>>
> >>>
> >> Along these lines, I wonder if we need separate autoconf configurations
> >> for each subdirectory. What do other large services do that include a
> >> client and a server (Samba for example, or openldap)?
> > 
> > It is usually based on how you package it.  There is usually one
> > configure script per package: ipa-client, ipa-server, ipa-python, etc.
> 
> I'm not so sure about that and I think it would cause confusion (e.g. 
> oops, forgot to use --prefix in one of the builds). I'm with John Dennis 
> on this, one configure.ac to rule them all.
> 

That won't work because the rpm builds never see the top-level. They
only see the tgz of the subdirectory.

Karl



From rcritten at redhat.com  Wed Oct 17 14:10:43 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Oct 2007 10:10:43 -0400
Subject: [Freeipa-devel] [PATCH] autotoolize ipa-client
In-Reply-To: <1192629450.18460.0.camel@dhcp-64-223.iad.redhat.com>
References: <939dd5750710121209o2886020duc56f6c83dcdd0637@mail.gmail.com>	
	<1192567249.29521.13.camel@dhcp-64-223.iad.redhat.com>	
	<939dd5750710161358t6caaa2fct567c6e287d32a5db@mail.gmail.com>	
	<47152F5A.4080007@redhat.com>	
	<939dd5750710161521t6d76890ar1a529c229f5922a4@mail.gmail.com>	
	<4716133D.4030302@redhat.com>
	<1192629450.18460.0.camel@dhcp-64-223.iad.redhat.com>
Message-ID: <471617E3.7070302@redhat.com>

Karl MacMillan wrote:
> On Wed, 2007-10-17 at 09:50 -0400, Rob Crittenden wrote:
>> William Jon McCann wrote:
>>> On 10/16/07, Rob Crittenden <rcritten at redhat.com> wrote:
>>>> William Jon McCann wrote:
>>>>> Hi
>>>>>
>>>>> On 10/16/07, Karl MacMillan <kmacmill at redhat.com> wrote:
>>>>>> On Fri, 2007-10-12 at 15:09 -0400, William Jon McCann wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Here is a patch to autotoolize ipa-client.
>>>>>>>
>>>>>> Any ideas:
>>>>>>
>>>>>> $ ./configure
>>>>>> ./configure: line 1627: AM_INIT_AUTOMAKE: command not found
>>>>>> ./configure: line 1629: AM_MAINTAINER_MODE: command not found
>>>>>> configure: Checking for Python
>>>>>> ./configure: line 1637: syntax error near unexpected token `2.3'
>>>>>> ./configure: line 1637: `AM_PATH_PYTHON(2.3)'
>>>>> Did you run autogen.sh?  Strange, this looks like automake is broken
>>>>> on your system.  Those are all standard macros.
>>>>>
>>>>>
>>>> Along these lines, I wonder if we need separate autoconf configurations
>>>> for each subdirectory. What do other large services do that include a
>>>> client and a server (Samba for example, or openldap)?
>>> It is usually based on how you package it.  There is usually one
>>> configure script per package: ipa-client, ipa-server, ipa-python, etc.
>> I'm not so sure about that and I think it would cause confusion (e.g. 
>> oops, forgot to use --prefix in one of the builds). I'm with John Dennis 
>> on this, one configure.ac to rule them all.
>>
> 
> That won't work because the rpm builds never see the top-level. They
> only see the tgz of the subdirectory.
> 
> Karl
> 

There are two ways to resolve this:

1. For each RPM you do:

cd freeipa-<VERSION>
./configure --options
cd directory_I_care_about
make all
make install
do rpm stuff

So each package contains all the source to freeIPA, not just that 
particular subdirectory.

2. You have a single spec file that creates a bunch of packages (ala 
openldap, amanda, openoffice, httpd and other big packages).

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/18029346/attachment.bin>

From kmacmill at redhat.com  Wed Oct 17 14:13:57 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 17 Oct 2007 10:13:57 -0400
Subject: [Freeipa-devel] [PATCH] autotoolize ipa-client
In-Reply-To: <471617E3.7070302@redhat.com>
References: <939dd5750710121209o2886020duc56f6c83dcdd0637@mail.gmail.com>
	<1192567249.29521.13.camel@dhcp-64-223.iad.redhat.com>
	<939dd5750710161358t6caaa2fct567c6e287d32a5db@mail.gmail.com>
	<47152F5A.4080007@redhat.com>
	<939dd5750710161521t6d76890ar1a529c229f5922a4@mail.gmail.com>
	<4716133D.4030302@redhat.com>
	<1192629450.18460.0.camel@dhcp-64-223.iad.redhat.com>
	<471617E3.7070302@redhat.com>
Message-ID: <1192630437.18460.7.camel@dhcp-64-223.iad.redhat.com>

On Wed, 2007-10-17 at 10:10 -0400, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > On Wed, 2007-10-17 at 09:50 -0400, Rob Crittenden wrote:
> >> William Jon McCann wrote:
> >>> On 10/16/07, Rob Crittenden <rcritten at redhat.com> wrote:
> >>>> William Jon McCann wrote:
> >>>>> Hi
> >>>>>
> >>>>> On 10/16/07, Karl MacMillan <kmacmill at redhat.com> wrote:
> >>>>>> On Fri, 2007-10-12 at 15:09 -0400, William Jon McCann wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> Here is a patch to autotoolize ipa-client.
> >>>>>>>
> >>>>>> Any ideas:
> >>>>>>
> >>>>>> $ ./configure
> >>>>>> ./configure: line 1627: AM_INIT_AUTOMAKE: command not found
> >>>>>> ./configure: line 1629: AM_MAINTAINER_MODE: command not found
> >>>>>> configure: Checking for Python
> >>>>>> ./configure: line 1637: syntax error near unexpected token `2.3'
> >>>>>> ./configure: line 1637: `AM_PATH_PYTHON(2.3)'
> >>>>> Did you run autogen.sh?  Strange, this looks like automake is broken
> >>>>> on your system.  Those are all standard macros.
> >>>>>
> >>>>>
> >>>> Along these lines, I wonder if we need separate autoconf configurations
> >>>> for each subdirectory. What do other large services do that include a
> >>>> client and a server (Samba for example, or openldap)?
> >>> It is usually based on how you package it.  There is usually one
> >>> configure script per package: ipa-client, ipa-server, ipa-python, etc.
> >> I'm not so sure about that and I think it would cause confusion (e.g. 
> >> oops, forgot to use --prefix in one of the builds). I'm with John Dennis 
> >> on this, one configure.ac to rule them all.
> >>
> > 
> > That won't work because the rpm builds never see the top-level. They
> > only see the tgz of the subdirectory.
> > 
> > Karl
> > 
> 
> There are two ways to resolve this:
> 
> 1. For each RPM you do:
> 
> cd freeipa-<VERSION>
> ./configure --options
> cd directory_I_care_about
> make all
> make install
> do rpm stuff
> 
> So each package contains all the source to freeIPA, not just that 
> particular subdirectory.
> 

I don't like that.

> 2. You have a single spec file that creates a bunch of packages (ala 
> openldap, amanda, openoffice, httpd and other big packages).
> 

I guess I'd be ok with that, but what about source tarballs? This is
going to suck for some distros.

I'd rather have the top-level makefile have targets for autoconf and
configure that can take common options (like prefix). That would make
our packages look like others to non-developers but give us some
convenience.

Karl



From mccann at jhu.edu  Wed Oct 17 14:19:26 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Wed, 17 Oct 2007 10:19:26 -0400
Subject: [Freeipa-devel] [PATCH] autotoolize ipa-client
In-Reply-To: <471617E3.7070302@redhat.com>
References: <939dd5750710121209o2886020duc56f6c83dcdd0637@mail.gmail.com>
	<1192567249.29521.13.camel@dhcp-64-223.iad.redhat.com>
	<939dd5750710161358t6caaa2fct567c6e287d32a5db@mail.gmail.com>
	<47152F5A.4080007@redhat.com>
	<939dd5750710161521t6d76890ar1a529c229f5922a4@mail.gmail.com>
	<4716133D.4030302@redhat.com>
	<1192629450.18460.0.camel@dhcp-64-223.iad.redhat.com>
	<471617E3.7070302@redhat.com>
Message-ID: <939dd5750710170719q1c6d6918odd6b8045fa08e983@mail.gmail.com>

On 10/17/07, Rob Crittenden <rcritten at redhat.com> wrote:
> Karl MacMillan wrote:
> > On Wed, 2007-10-17 at 09:50 -0400, Rob Crittenden wrote:
> >> William Jon McCann wrote:
> >>> On 10/16/07, Rob Crittenden <rcritten at redhat.com> wrote:
> >>>> William Jon McCann wrote:
> >>>>> Hi
> >>>>>
> >>>>> On 10/16/07, Karl MacMillan <kmacmill at redhat.com> wrote:
> >>>>>> On Fri, 2007-10-12 at 15:09 -0400, William Jon McCann wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> Here is a patch to autotoolize ipa-client.
> >>>>>>>
> >>>>>> Any ideas:
> >>>>>>
> >>>>>> $ ./configure
> >>>>>> ./configure: line 1627: AM_INIT_AUTOMAKE: command not found
> >>>>>> ./configure: line 1629: AM_MAINTAINER_MODE: command not found
> >>>>>> configure: Checking for Python
> >>>>>> ./configure: line 1637: syntax error near unexpected token `2.3'
> >>>>>> ./configure: line 1637: `AM_PATH_PYTHON(2.3)'
> >>>>> Did you run autogen.sh?  Strange, this looks like automake is broken
> >>>>> on your system.  Those are all standard macros.
> >>>>>
> >>>>>
> >>>> Along these lines, I wonder if we need separate autoconf configurations
> >>>> for each subdirectory. What do other large services do that include a
> >>>> client and a server (Samba for example, or openldap)?
> >>> It is usually based on how you package it.  There is usually one
> >>> configure script per package: ipa-client, ipa-server, ipa-python, etc.
> >> I'm not so sure about that and I think it would cause confusion (e.g.
> >> oops, forgot to use --prefix in one of the builds). I'm with John Dennis
> >> on this, one configure.ac to rule them all.
> >>
> >
> > That won't work because the rpm builds never see the top-level. They
> > only see the tgz of the subdirectory.
> >
> > Karl
> >
>
> There are two ways to resolve this:
>
> 1. For each RPM you do:
>
> cd freeipa-<VERSION>
> ./configure --options
> cd directory_I_care_about
> make all
> make install
> do rpm stuff
>
> So each package contains all the source to freeIPA, not just that
> particular subdirectory.
>
> 2. You have a single spec file that creates a bunch of packages (ala
> openldap, amanda, openoffice, httpd and other big packages).

Personally, I don't think this is a good idea.  You have nice separate
directories, packages, spec files, rpms now.  Why would you muddle
that up into one blob?  One of the reasons I put this patch together
was to make each package more distinct.

In my experience meta-packages are usually a mistake.  Xorg is a good example.

It would make is even more difficult than it is now to:
 * hack on one component
 * push updates for (only) one component
 * build an RPM for one component
 * etc

I just don't see any compelling reason to package the server and
client together.

Jon



From rcritten at redhat.com  Wed Oct 17 14:34:08 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Oct 2007 10:34:08 -0400
Subject: [Freeipa-devel] [PATCH] Fix build, rpmlint issues
Message-ID: <47161D60.5040102@redhat.com>

This patch, based on one from Michael Gregg, fixes build issues with 
freeipa-python and also addresses some rpmlint problems (bad changelog, 
#!/usr/bin/python in non-executable scripts).

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-279-buildfix.patch
Type: text/x-patch
Size: 6342 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/563074d8/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/563074d8/attachment-0001.bin>

From mccann at jhu.edu  Wed Oct 17 14:35:41 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Wed, 17 Oct 2007 10:35:41 -0400
Subject: [Freeipa-devel] [PATCH] autotoolize ipa-client
In-Reply-To: <1192630437.18460.7.camel@dhcp-64-223.iad.redhat.com>
References: <939dd5750710121209o2886020duc56f6c83dcdd0637@mail.gmail.com>
	<1192567249.29521.13.camel@dhcp-64-223.iad.redhat.com>
	<939dd5750710161358t6caaa2fct567c6e287d32a5db@mail.gmail.com>
	<47152F5A.4080007@redhat.com>
	<939dd5750710161521t6d76890ar1a529c229f5922a4@mail.gmail.com>
	<4716133D.4030302@redhat.com>
	<1192629450.18460.0.camel@dhcp-64-223.iad.redhat.com>
	<471617E3.7070302@redhat.com>
	<1192630437.18460.7.camel@dhcp-64-223.iad.redhat.com>
Message-ID: <939dd5750710170735y7b326142kfae4c38f090ddd71@mail.gmail.com>

On 10/17/07, Karl MacMillan <kmacmill at redhat.com> wrote:
> On Wed, 2007-10-17 at 10:10 -0400, Rob Crittenden wrote:
> > Karl MacMillan wrote:
> > > On Wed, 2007-10-17 at 09:50 -0400, Rob Crittenden wrote:
> > >> William Jon McCann wrote:
> > >>> On 10/16/07, Rob Crittenden <rcritten at redhat.com> wrote:
> > >>>> William Jon McCann wrote:
> > >>>>> Hi
> > >>>>>
> > >>>>> On 10/16/07, Karl MacMillan <kmacmill at redhat.com> wrote:
> > >>>>>> On Fri, 2007-10-12 at 15:09 -0400, William Jon McCann wrote:
> > >>>>>>> Hi,
> > >>>>>>>
> > >>>>>>> Here is a patch to autotoolize ipa-client.
> > >>>>>>>
> > >>>>>> Any ideas:
> > >>>>>>
> > >>>>>> $ ./configure
> > >>>>>> ./configure: line 1627: AM_INIT_AUTOMAKE: command not found
> > >>>>>> ./configure: line 1629: AM_MAINTAINER_MODE: command not found
> > >>>>>> configure: Checking for Python
> > >>>>>> ./configure: line 1637: syntax error near unexpected token `2.3'
> > >>>>>> ./configure: line 1637: `AM_PATH_PYTHON(2.3)'
> > >>>>> Did you run autogen.sh?  Strange, this looks like automake is broken
> > >>>>> on your system.  Those are all standard macros.
> > >>>>>
> > >>>>>
> > >>>> Along these lines, I wonder if we need separate autoconf configurations
> > >>>> for each subdirectory. What do other large services do that include a
> > >>>> client and a server (Samba for example, or openldap)?
> > >>> It is usually based on how you package it.  There is usually one
> > >>> configure script per package: ipa-client, ipa-server, ipa-python, etc.
> > >> I'm not so sure about that and I think it would cause confusion (e.g.
> > >> oops, forgot to use --prefix in one of the builds). I'm with John Dennis
> > >> on this, one configure.ac to rule them all.
> > >>
> > >
> > > That won't work because the rpm builds never see the top-level. They
> > > only see the tgz of the subdirectory.
> > >
> > > Karl
> > >
> >
> > There are two ways to resolve this:
> >
> > 1. For each RPM you do:
> >
> > cd freeipa-<VERSION>
> > ./configure --options
> > cd directory_I_care_about
> > make all
> > make install
> > do rpm stuff
> >
> > So each package contains all the source to freeIPA, not just that
> > particular subdirectory.
> >
>
> I don't like that.
>
> > 2. You have a single spec file that creates a bunch of packages (ala
> > openldap, amanda, openoffice, httpd and other big packages).
> >
>
> I guess I'd be ok with that, but what about source tarballs? This is
> going to suck for some distros.
>
> I'd rather have the top-level makefile have targets for autoconf and
> configure that can take common options (like prefix). That would make
> our packages look like others to non-developers but give us some
> convenience.


One possibility for a convenience layer is to use jhbuild:
http://www.freedesktop.org/wiki/Software/jhbuild

I use it every day and couldn't work without it.  We could create a
moduleset freeipa.modules that lists all the packages and
dependencies.  Then you could just build to a prefix using:
jhbuild build -m freeipa freeipa

I'll set something up for you to try...

Jon



From rcritten at redhat.com  Wed Oct 17 14:59:36 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Oct 2007 10:59:36 -0400
Subject: [Freeipa-devel] [PATCH] Fix build, rpmlint issues
In-Reply-To: <47161D60.5040102@redhat.com>
References: <47161D60.5040102@redhat.com>
Message-ID: <47162358.2010902@redhat.com>

Rob Crittenden wrote:
> This patch, based on one from Michael Gregg, fixes build issues with 
> freeipa-python and also addresses some rpmlint problems (bad changelog, 
> #!/usr/bin/python in non-executable scripts).
> 
> rob
>

Oh, I somehow missed Karl's patch yesterday that addresses this too. I 
think a combination of the two is probably the way to go.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/99f42368/attachment.bin>

From rcritten at redhat.com  Wed Oct 17 15:29:42 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Oct 2007 11:29:42 -0400
Subject: [Freeipa-devel] [PATCH] freeipa-python build issues REDUX
Message-ID: <47162A66.8080405@redhat.com>

I somehow missed Karl's earlier patch. I've combined them with my patch 
(based on Michael Gregg's patch). So if anything blows up nobody will 
know who to blame :-)

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-279-buildfix-redux.patch
Type: text/x-patch
Size: 7667 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/ac0d5e5f/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/ac0d5e5f/attachment-0001.bin>

From kmacmill at redhat.com  Wed Oct 17 15:30:47 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 17 Oct 2007 11:30:47 -0400
Subject: [Freeipa-devel] [PATCH] freeipa-python build issues REDUX
In-Reply-To: <47162A66.8080405@redhat.com>
References: <47162A66.8080405@redhat.com>
Message-ID: <1192635047.18460.15.camel@dhcp-64-223.iad.redhat.com>

On Wed, 2007-10-17 at 11:29 -0400, Rob Crittenden wrote:
> I somehow missed Karl's earlier patch. I've combined them with my patch 
> (based on Michael Gregg's patch). So if anything blows up nobody will 
> know who to blame :-)

Acked and pushed. Thanks for resolving all of this.

Karl



From rcritten at redhat.com  Wed Oct 17 16:07:17 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Oct 2007 12:07:17 -0400
Subject: [Freeipa-devel] [PATCH] autotoolize ipa-client
In-Reply-To: <939dd5750710170719q1c6d6918odd6b8045fa08e983@mail.gmail.com>
References: <939dd5750710121209o2886020duc56f6c83dcdd0637@mail.gmail.com>	
	<1192567249.29521.13.camel@dhcp-64-223.iad.redhat.com>	
	<939dd5750710161358t6caaa2fct567c6e287d32a5db@mail.gmail.com>	
	<47152F5A.4080007@redhat.com>	
	<939dd5750710161521t6d76890ar1a529c229f5922a4@mail.gmail.com>	
	<4716133D.4030302@redhat.com>	
	<1192629450.18460.0.camel@dhcp-64-223.iad.redhat.com>	
	<471617E3.7070302@redhat.com>
	<939dd5750710170719q1c6d6918odd6b8045fa08e983@mail.gmail.com>
Message-ID: <47163335.2000502@redhat.com>

William Jon McCann wrote:
>> particular subdirectory.
>>
>> 2. You have a single spec file that creates a bunch of packages (ala
>> openldap, amanda, openoffice, httpd and other big packages).
> 
> Personally, I don't think this is a good idea.  You have nice separate
> directories, packages, spec files, rpms now.  Why would you muddle
> that up into one blob?  One of the reasons I put this patch together
> was to make each package more distinct.

Yeah, I'm waffling on that. I think I'm too close to it now and can't 
put myself into the place of Joe-developer who wants to try to build it 
himself.

> In my experience meta-packages are usually a mistake.  Xorg is a good example.
> It would make is even more difficult than it is now to:
>  * hack on one component
>  * push updates for (only) one component
>  * build an RPM for one component
>  * etc

Good point.

> I just don't see any compelling reason to package the server and
> client together.

I was proposing only the source would be packaged together. Each 
component would be separate, but it still raises the issue where only 
one piece needs an update you've gotta build them all.

So I think I'm ok leaving them separate for now. We still may want/need 
some top-level Makefile to do something useful. I use make-localdist all 
the time to build the packages for testing.

Now, onto some uglier stuff. I poked further at what changes would be 
required for hardcoded paths and what I found isn't pretty.

We have a slew of references to /usr/ in there, from the installer to 
runtime components. I think at least we should centralize this into one 
or two places (/etc/ipa/ipa.conf or some ipaconfig.py file).

The files affected are, at a minimum:

./ipa-gui/ipa-webgui
./ipa-install/ipa-server-install
./ipa-install/share/kdc.conf.template
./ipa-install/test/Makefile
./ipaserver/dsinstance.py
./xmlrpc-server/funcs.py
./xmlrpc-server/ipa.conf
./xmlrpc-server/ipaxmlrpc.py
./xmlrpc-server/test/README

Most of these are: sys.path.append("/usr/share/ipa/")

The two init files (ipa-webgui and ipa-kpasswd) both refer to /usr/sbin.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/210604f4/attachment.bin>

From rcritten at redhat.com  Wed Oct 17 18:40:53 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Oct 2007 14:40:53 -0400
Subject: [Freeipa-devel] [PATCH] fix list page to show field labels
In-Reply-To: <20071015211927.GD4766@moon.usersys.redhat.com>
References: <20071015211927.GD4766@moon.usersys.redhat.com>
Message-ID: <47165735.9020709@redhat.com>

Kevin McCarthy wrote:
> Translate ldap fields to labels on the delegation list page.
> 
> -Kevin
>

Looks good

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/80561e59/attachment.bin>

From kmccarth at redhat.com  Wed Oct 17 18:45:08 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Wed, 17 Oct 2007 11:45:08 -0700
Subject: [Freeipa-devel] [PATCH] rename delegatenewform
In-Reply-To: <47165713.9070706@redhat.com>
References: <20071015201959.GE3834@moon.usersys.redhat.com>
	<47165713.9070706@redhat.com>
Message-ID: <20071017184508.GB24262@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> This patch merely renames the file delegatenewform.kid to
>> delegateform.kid.  Separated out from previous patch to improve
>> readability.
>> -Kevin
>
> Looks ok.

pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/674d6cd7/attachment.bin>

From kmccarth at redhat.com  Wed Oct 17 18:45:50 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Wed, 17 Oct 2007 11:45:50 -0700
Subject: [Freeipa-devel] [PATCH] fix list page to show field labels
In-Reply-To: <47165735.9020709@redhat.com>
References: <20071015211927.GD4766@moon.usersys.redhat.com>
	<47165735.9020709@redhat.com>
Message-ID: <20071017184550.GC24262@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> Translate ldap fields to labels on the delegation list page.
>> -Kevin
>>
>
> Looks good

pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/8e602a67/attachment.bin>

From kmccarth at redhat.com  Wed Oct 17 18:47:34 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Wed, 17 Oct 2007 11:47:34 -0700
Subject: [Freeipa-devel] [PATCH] fixes for acilist page
In-Reply-To: <4714B4E8.1010205@redhat.com>
References: <20071015232438.GF4766@moon.usersys.redhat.com>
	<4714B4E8.1010205@redhat.com>
Message-ID: <20071017184733.GD24262@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> Change the aci list page to use POST.  The acistr can be way too long.
>> Also fix to use field labels and adjust formatting a bit.
>> -Kevin
>
> Looks good.

pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/70a5f4de/attachment.bin>

From kmccarth at redhat.com  Wed Oct 17 18:48:31 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Wed, 17 Oct 2007 11:48:31 -0700
Subject: [Freeipa-devel] [PATCH] delete delegations
In-Reply-To: <4714FCD3.80409@redhat.com>
References: <20071016170416.GE27259@moon.usersys.redhat.com>
	<4714FCD3.80409@redhat.com>
Message-ID: <20071017184830.GE24262@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> Adds a delete button for delegations.  I debated a confirmation pages
>> vs confirm dialog.  For now I've gone for the dialog, with the addition
>> that the delete can't be triggered without javascript.
>> -Kevin
>
> Looks ok

pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/bb3a9dbf/attachment.bin>

From kmccarth at redhat.com  Wed Oct 17 18:49:19 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Wed, 17 Oct 2007 11:49:19 -0700
Subject: [Freeipa-devel] [PATCH] minor delegation ui adjustments
In-Reply-To: <4714FCFB.9090609@redhat.com>
References: <20071016171634.GF27259@moon.usersys.redhat.com>
	<4714FCFB.9090609@redhat.com>
Message-ID: <20071017184919.GF24262@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> Some minor tweeks to the delegation ui.
>> -Kevin
>
> Looks ok.

pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/8176bb90/attachment.bin>

From kmccarth at redhat.com  Wed Oct 17 18:50:08 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Wed, 17 Oct 2007 11:50:08 -0700
Subject: [Freeipa-devel] [PATCH] tiny jslint fixes
In-Reply-To: <4714FD3F.9010607@redhat.com>
References: <20071016175630.GG27259@moon.usersys.redhat.com>
	<4714FD3F.9010607@redhat.com>
Message-ID: <20071017185007.GG24262@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> Fix a few lint warnings on the javascript (just missing semi-colons).
>> -Kevin
>>
>
> Looks good.

pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/a97dc7ab/attachment.bin>

From kmacmill at redhat.com  Wed Oct 17 19:45:42 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 17 Oct 2007 15:45:42 -0400
Subject: [Freeipa-devel] [PATCH] autotoolize ipa-server
In-Reply-To: <939dd5750710121103ie32f12bg4d66386eb88e812a@mail.gmail.com>
References: <939dd5750710121103ie32f12bg4d66386eb88e812a@mail.gmail.com>
Message-ID: <1192650342.22245.13.camel@dhcp-64-223.iad.redhat.com>

On Fri, 2007-10-12 at 14:03 -0400, William Jon McCann wrote:
> Hi,
> 
> Here is a patch to autotoolize ipa-server.
> 

I pushed a slightly modified version to account for some drift since you
prepared the patch. Attached.

Karl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: autool-ipa-server.diff
Type: text/x-patch
Size: 38804 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/2cc16c1c/attachment.bin>

From kmacmill at redhat.com  Wed Oct 17 19:47:33 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 17 Oct 2007 15:47:33 -0400
Subject: [Freeipa-devel] [PATCH] autotoolize ipa-client
In-Reply-To: <939dd5750710161358t6caaa2fct567c6e287d32a5db@mail.gmail.com>
References: <939dd5750710121209o2886020duc56f6c83dcdd0637@mail.gmail.com>
	<1192567249.29521.13.camel@dhcp-64-223.iad.redhat.com>
	<939dd5750710161358t6caaa2fct567c6e287d32a5db@mail.gmail.com>
Message-ID: <1192650453.22245.15.camel@dhcp-64-223.iad.redhat.com>

On Tue, 2007-10-16 at 16:58 -0400, William Jon McCann wrote:
> Hi
> 
> On 10/16/07, Karl MacMillan <kmacmill at redhat.com> wrote:
> > On Fri, 2007-10-12 at 15:09 -0400, William Jon McCann wrote:
> > > Hi,
> > >
> > > Here is a patch to autotoolize ipa-client.
> > >
> >
> > Any ideas:
> >
> > $ ./configure
> > ./configure: line 1627: AM_INIT_AUTOMAKE: command not found
> > ./configure: line 1629: AM_MAINTAINER_MODE: command not found
> > configure: Checking for Python
> > ./configure: line 1637: syntax error near unexpected token `2.3'
> > ./configure: line 1637: `AM_PATH_PYTHON(2.3)'
> 
> Did you run autogen.sh?

That was it.

>   Strange, this looks like automake is broken
> on your system.  Those are all standard macros.
> 
> Jon



From kmacmill at redhat.com  Wed Oct 17 19:47:49 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 17 Oct 2007 15:47:49 -0400
Subject: [Freeipa-devel] [PATCH] autotoolize ipa-client
In-Reply-To: <939dd5750710121209o2886020duc56f6c83dcdd0637@mail.gmail.com>
References: <939dd5750710121209o2886020duc56f6c83dcdd0637@mail.gmail.com>
Message-ID: <1192650469.22245.17.camel@dhcp-64-223.iad.redhat.com>

On Fri, 2007-10-12 at 15:09 -0400, William Jon McCann wrote:
> Hi,
> 
> Here is a patch to autotoolize ipa-client.
> 

Pushed.



From kmacmill at redhat.com  Wed Oct 17 19:51:02 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 17 Oct 2007 15:51:02 -0400
Subject: [Freeipa-devel] [PATCH] autotoolize ipa-client
In-Reply-To: <47163335.2000502@redhat.com>
References: <939dd5750710121209o2886020duc56f6c83dcdd0637@mail.gmail.com>
	<1192567249.29521.13.camel@dhcp-64-223.iad.redhat.com>
	<939dd5750710161358t6caaa2fct567c6e287d32a5db@mail.gmail.com>
	<47152F5A.4080007@redhat.com>
	<939dd5750710161521t6d76890ar1a529c229f5922a4@mail.gmail.com>
	<4716133D.4030302@redhat.com>
	<1192629450.18460.0.camel@dhcp-64-223.iad.redhat.com>
	<471617E3.7070302@redhat.com>
	<939dd5750710170719q1c6d6918odd6b8045fa08e983@mail.gmail.com>
	<47163335.2000502@redhat.com>
Message-ID: <1192650662.22245.21.camel@dhcp-64-223.iad.redhat.com>

On Wed, 2007-10-17 at 12:07 -0400, Rob Crittenden wrote:
> William Jon McCann wrote:

[...]

> > I just don't see any compelling reason to package the server and
> > client together.
> 
> I was proposing only the source would be packaged together. Each 
> component would be separate, but it still raises the issue where only 
> one piece needs an update you've gotta build them all.
> 
> So I think I'm ok leaving them separate for now. We still may want/need 
> some top-level Makefile to do something useful. I use make-localdist all 
> the time to build the packages for testing.
> 
> Now, onto some uglier stuff. I poked further at what changes would be 
> required for hardcoded paths and what I found isn't pretty.
> 
> We have a slew of references to /usr/ in there, from the installer to 
> runtime components. I think at least we should centralize this into one 
> or two places (/etc/ipa/ipa.conf or some ipaconfig.py file).
> 
> The files affected are, at a minimum:
> 
> ./ipa-gui/ipa-webgui
> ./ipa-install/ipa-server-install
> ./ipa-install/share/kdc.conf.template
> ./ipa-install/test/Makefile
> ./ipaserver/dsinstance.py
> ./xmlrpc-server/funcs.py
> ./xmlrpc-server/ipa.conf
> ./xmlrpc-server/ipaxmlrpc.py
> ./xmlrpc-server/test/README
> 
> Most of these are: sys.path.append("/usr/share/ipa/")
> 
> The two init files (ipa-webgui and ipa-kpasswd) both refer to /usr/sbin.
> 

Added ticket #47 to track this. Whenever we make the change we need to
be careful to separate out things that we now at ipa build time
(e.g., /usr/share/ipa) and things that are system dependent (like the
location of the DS setup tools). The latter needs to be configurable on
the end system?

Karl



From kmccarth at redhat.com  Wed Oct 17 20:15:24 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Wed, 17 Oct 2007 13:15:24 -0700
Subject: [Freeipa-devel] [PATCH] print css
Message-ID: <20071017201523.GH24262@moon.usersys.redhat.com>

Add print css statements.  Rename delegation edit button.

Also, change the direct reports to be a numbered list (bob's preference,
feel free to send feedback and cc him).

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192651963 25200
# Node ID 8985d3968184535bd1fedab77ac9e09910efc94d
# Parent  4a10c2e709590fec108a37510229e4ea22e5a371
Add print media CSS.  Rename delegation edit button to 'update'.

diff -r 4a10c2e70959 -r 8985d3968184 ipa-server/ipa-gui/ipagui/static/css/style.css
--- a/ipa-server/ipa-gui/ipagui/static/css/style.css	Wed Oct 17 11:55:39 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/static/css/style.css	Wed Oct 17 13:12:43 2007 -0700
@@ -255,3 +255,18 @@ div.resize-handle {
   left:0;
 }
 
+
+/*
+ * Overrides for printing
+ */
+ at media print {
+    #header  { display:none; }
+    #nav     { display:none; }
+    #sidebar { display:none; }
+    #footer  { display:none; }
+    #main_content { width: 95%; margin:0; padding:0; border-left-style: none; }
+
+    .submitbutton { display:none; }
+    .deletebutton { display:none; }
+}
+
diff -r 4a10c2e70959 -r 8985d3968184 ipa-server/ipa-gui/ipagui/templates/delegateedit.kid
--- a/ipa-server/ipa-gui/ipagui/templates/delegateedit.kid	Wed Oct 17 11:55:39 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/delegateedit.kid	Wed Oct 17 13:12:43 2007 -0700
@@ -10,7 +10,7 @@
     <h2>Edit Delegation</h2>
 
     ${form.display(action=tg.url("/delegate/update"), value=delegate,
-                   actionname='Edit')}
+                   actionname='Update')}
 
 </body>
 </html>
diff -r 4a10c2e70959 -r 8985d3968184 ipa-server/ipa-gui/ipagui/templates/delegateform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/delegateform.kid	Wed Oct 17 11:55:39 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/delegateform.kid	Wed Oct 17 13:12:43 2007 -0700
@@ -71,7 +71,7 @@
                  value="Cancel ${actionname}"/>
           <br/><br/>
         </td>
-        <td py:if='actionname == "Edit"'>
+        <td py:if='actionname == "Update"'>
           &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
           <input type="button" class="deletebutton"
                  value="Delete Delegation"
@@ -179,7 +179,7 @@
           <input type="submit" class="submitbutton" name="submit"
                  value="Cancel ${actionname}"/>
         </td>
-        <td py:if='actionname == "Edit"'>
+        <td py:if='actionname == "Update"'>
           <br/>
           &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
           <input type="button" class="deletebutton"
diff -r 4a10c2e70959 -r 8985d3968184 ipa-server/ipa-gui/ipagui/templates/master.kid
--- a/ipa-server/ipa-gui/ipagui/templates/master.kid	Wed Oct 17 11:55:39 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/master.kid	Wed Oct 17 13:12:43 2007 -0700
@@ -6,7 +6,7 @@
     <meta content="text/html; charset=UTF-8" http-equiv="content-type" py:replace="''"/>
     <title py:replace="''">Your title goes here</title>
     <meta py:replace="item[:]"/>
-    <style type="text/css" media="screen">
+    <style type="text/css" media="all">
     @import "${tg.url('/static/css/style.css')}";
     </style>
     <script type="text/javascript" charset="utf-8" src="${tg.url('/static/javascript/prototype.js')}"></script>
diff -r 4a10c2e70959 -r 8985d3968184 ipa-server/ipa-gui/ipagui/templates/usershow.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usershow.kid	Wed Oct 17 11:55:39 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usershow.kid	Wed Oct 17 13:12:43 2007 -0700
@@ -253,10 +253,12 @@ else:
     </table>
 
     <div class="formsection" py:if='len(user_reports) &gt; 0'>Direct Reports</div>
-    <div py:for="report in user_reports">
-      <a href="${tg.url('/user/show', uid=report.uid)}"
-        >${report.givenname} ${report.sn}</a>
-    </div>
+    <ol>
+      <li py:for="report in user_reports">
+        <a href="${tg.url('/user/show', uid=report.uid)}"
+          >${report.givenname} ${report.sn}</a>
+      </li>
+    </ol>
 
     <div class="formsection">Groups</div>
     <div py:for="group in user_groups">
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/a017e80f/attachment.bin>

From rcritten at redhat.com  Wed Oct 17 20:33:54 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Oct 2007 16:33:54 -0400
Subject: [Freeipa-devel] [PATCH] print css
In-Reply-To: <20071017201523.GH24262@moon.usersys.redhat.com>
References: <20071017201523.GH24262@moon.usersys.redhat.com>
Message-ID: <471671B2.9090308@redhat.com>

Kevin McCarthy wrote:
> Add print css statements.  Rename delegation edit button.
> 
> Also, change the direct reports to be a numbered list (bob's preference,
> feel free to send feedback and cc him).
> 
> -Kevin
> 

Looks good.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/6f231cc1/attachment.bin>

From kmccarth at redhat.com  Wed Oct 17 20:45:34 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Wed, 17 Oct 2007 13:45:34 -0700
Subject: [Freeipa-devel] [PATCH] sort by last name.  uri attribute link.
Message-ID: <20071017204533.GJ24262@moon.usersys.redhat.com>

One more "micro-patch".

This patch changes the sort order for people to be by last name.
It also make the labeleduri a link on the urishow page.

-Kevin
-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192653765 25200
# Node ID 759e9e1eaa5b8e3b848a186e64c9f4d96605d693
# Parent  8985d3968184535bd1fedab77ac9e09910efc94d
Sort users by last name.  Make labeleduri a link.

diff -r 8985d3968184 -r 759e9e1eaa5b ipa-server/ipa-gui/ipagui/subcontrollers/ipacontroller.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/ipacontroller.py	Wed Oct 17 13:12:43 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/ipacontroller.py	Wed Oct 17 13:42:45 2007 -0700
@@ -32,19 +32,19 @@ class IPAController(controllers.Controll
     def sort_group_member(self, a, b):
         """Comparator function used for sorting group members."""
         if a.getValue('uid') and b.getValue('uid'):
-            if a.getValue('givenname') == b.getValue('givenname'):
-                if a.getValue('sn') == b.getValue('sn'):
+            if a.getValue('sn') == b.getValue('sn'):
+                if a.getValue('givenName') == b.getValue('givenName'):
                     if a.getValue('uid') == b.getValue('uid'):
                         return 0
                     elif a.getValue('uid') < b.getValue('uid'):
                         return -1
                     else:
                         return 1
-                elif a.getValue('sn') < b.getValue('sn'):
+                elif a.getValue('givenName') < b.getValue('givenName'):
                     return -1
                 else:
                     return 1
-            elif a.getValue('givenname') < b.getValue('givenname'):
+            elif a.getValue('sn') < b.getValue('sn'):
                 return -1
             else:
                 return 1
diff -r 8985d3968184 -r 759e9e1eaa5b ipa-server/ipa-gui/ipagui/templates/usershow.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usershow.kid	Wed Oct 17 13:12:43 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usershow.kid	Wed Oct 17 13:42:45 2007 -0700
@@ -248,7 +248,9 @@ else:
           <th>
             <label class="fieldlabel" py:content="fields.labeleduri.label" />:
           </th>
-          <td>${user.get("labeleduri")}</td>
+          <td>
+            <a href="${user.get('labeleduri')}">${user.get('labeleduri')}</a>
+          </td>
         </tr>
     </table>
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/cff017d1/attachment.bin>

From kmccarth at redhat.com  Wed Oct 17 20:46:21 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Wed, 17 Oct 2007 13:46:21 -0700
Subject: [Freeipa-devel] [PATCH] print css
In-Reply-To: <471671B2.9090308@redhat.com>
References: <20071017201523.GH24262@moon.usersys.redhat.com>
	<471671B2.9090308@redhat.com>
Message-ID: <20071017204620.GK24262@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> Add print css statements.  Rename delegation edit button.
>> Also, change the direct reports to be a numbered list (bob's preference,
>> feel free to send feedback and cc him).
>> -Kevin
>
> Looks good.

pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/37a0aa5e/attachment.bin>

From rcritten at redhat.com  Wed Oct 17 20:51:25 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Oct 2007 16:51:25 -0400
Subject: [Freeipa-devel] [PATCH] sort by last name.  uri attribute link.
In-Reply-To: <20071017204533.GJ24262@moon.usersys.redhat.com>
References: <20071017204533.GJ24262@moon.usersys.redhat.com>
Message-ID: <471675CD.3080002@redhat.com>

Kevin McCarthy wrote:
> One more "micro-patch".
> 
> This patch changes the sort order for people to be by last name.
> It also make the labeleduri a link on the urishow page.
> 
> -Kevin
> 

ok

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/3f8fac16/attachment.bin>

From kmccarth at redhat.com  Wed Oct 17 20:53:39 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Wed, 17 Oct 2007 13:53:39 -0700
Subject: [Freeipa-devel] [PATCH] sort by last name.  uri attribute link.
In-Reply-To: <471675CD.3080002@redhat.com>
References: <20071017204533.GJ24262@moon.usersys.redhat.com>
	<471675CD.3080002@redhat.com>
Message-ID: <20071017205339.GL24262@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> One more "micro-patch".
>> This patch changes the sort order for people to be by last name.
>> It also make the labeleduri a link on the urishow page.
>> -Kevin
>
> ok

Thanks, Rob.

Pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/c2893843/attachment.bin>

From kmccarth at redhat.com  Wed Oct 17 23:47:19 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Wed, 17 Oct 2007 16:47:19 -0700
Subject: [Freeipa-devel] [PATCH] logging in controllers
Message-ID: <20071017234719.GP24262@moon.usersys.redhat.com>

Add logging objects to controllers, and some minor tweeks to the logging
configuration.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192664720 25200
# Node ID 21d9d5828d6d00abf75aadc640997fe7e30e208e
# Parent  ca0b2900c48da8d02ebd93cc9f4592b3445206b0
Add logger objects to each controller.
Fix up the config settings for logging.

diff -r ca0b2900c48d -r 21d9d5828d6d ipa-server/ipa-gui/ipagui/config/log.cfg
--- a/ipa-server/ipa-gui/ipagui/config/log.cfg	Wed Oct 17 13:54:08 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/config/log.cfg	Wed Oct 17 16:45:20 2007 -0700
@@ -10,6 +10,9 @@ format='*(message)s'
 [[[full_content]]]
 format='*(asctime)s *(name)s *(levelname)s *(message)s'
 
+[[[datestamped]]]
+format='*(asctime)s *(message)s'
+
 [[handlers]]
 [[[debug_out]]]
 class='StreamHandler'
@@ -21,7 +24,7 @@ class='StreamHandler'
 class='StreamHandler'
 level='INFO'
 args='(sys.stdout,)'
-formatter='message_only'
+formatter='datestamped'
 
 [[[error_out]]]
 class='StreamHandler'
diff -r ca0b2900c48d -r 21d9d5828d6d ipa-server/ipa-gui/ipagui/controllers.py
--- a/ipa-server/ipa-gui/ipagui/controllers.py	Wed Oct 17 13:54:08 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/controllers.py	Wed Oct 17 16:45:20 2007 -0700
@@ -1,3 +1,5 @@ import cherrypy
+import logging
+
 import cherrypy
 import turbogears
 from turbogears import controllers, expose, flash
@@ -5,9 +7,6 @@ from turbogears import widgets, paginate
 from turbogears import widgets, paginate
 from turbogears import error_handler
 from turbogears import identity
-# from model import *
-# import logging
-# log = logging.getLogger("ipagui.controllers")
 
 import ipa.config
 import ipa.ipaclient
@@ -18,7 +17,10 @@ from subcontrollers.delegation import De
 
 ipa.config.init_config()
 
+log = logging.getLogger(__name__)
+
 class Root(controllers.RootController):
+
     user = UserController()
     group = GroupController()
     delegate = DelegationController()
diff -r ca0b2900c48d -r 21d9d5828d6d ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py	Wed Oct 17 13:54:08 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py	Wed Oct 17 16:45:20 2007 -0700
@@ -2,6 +2,7 @@ from pickle import dumps, loads
 from pickle import dumps, loads
 from base64 import b64encode, b64decode
 import copy
+import logging
 
 import cherrypy
 import turbogears
@@ -18,6 +19,8 @@ import ipa.aci
 import ipa.aci
 
 import ldap.dn
+
+log = logging.getLogger(__name__)
 
 aci_fields = ['*', 'aci']
 
diff -r ca0b2900c48d -r 21d9d5828d6d ipa-server/ipa-gui/ipagui/subcontrollers/group.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py	Wed Oct 17 13:54:08 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py	Wed Oct 17 16:45:20 2007 -0700
@@ -1,5 +1,6 @@ from pickle import dumps, loads
 from pickle import dumps, loads
 from base64 import b64encode, b64decode
+import logging
 
 import cherrypy
 import turbogears
@@ -15,6 +16,8 @@ from ipa.entity import utf8_encode_value
 from ipa.entity import utf8_encode_values
 from ipa import ipaerror
 import ipagui.forms.group
+
+log = logging.getLogger(__name__)
 
 group_new_form = ipagui.forms.group.GroupNewForm()
 group_edit_form = ipagui.forms.group.GroupEditForm()
diff -r ca0b2900c48d -r 21d9d5828d6d ipa-server/ipa-gui/ipagui/subcontrollers/ipacontroller.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/ipacontroller.py	Wed Oct 17 13:54:08 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/ipacontroller.py	Wed Oct 17 16:45:20 2007 -0700
@@ -1,4 +1,5 @@ import os
 import os
+import logging
 
 import cherrypy
 import turbogears
@@ -10,6 +11,8 @@ from turbogears import identity
 
 import ipa.ipaclient
 import ipa.config
+
+log = logging.getLogger(__name__)
 
 ipa.config.init_config()
 
diff -r ca0b2900c48d -r 21d9d5828d6d ipa-server/ipa-gui/ipagui/subcontrollers/user.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py	Wed Oct 17 13:54:08 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py	Wed Oct 17 16:45:20 2007 -0700
@@ -2,6 +2,7 @@ import random
 import random
 from pickle import dumps, loads
 from base64 import b64encode, b64decode
+import logging
 
 import cherrypy
 import turbogears
@@ -16,6 +17,8 @@ from ipa.entity import utf8_encode_value
 from ipa.entity import utf8_encode_values
 from ipa import ipaerror
 import ipagui.forms.user
+
+log = logging.getLogger(__name__)
 
 password_chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
 
diff -r ca0b2900c48d -r 21d9d5828d6d ipa-server/ipa-gui/sample-prod.cfg
--- a/ipa-server/ipa-gui/sample-prod.cfg	Wed Oct 17 13:54:08 2007 -0700
+++ b/ipa-server/ipa-gui/sample-prod.cfg	Wed Oct 17 16:45:20 2007 -0700
@@ -1,7 +1,7 @@
 [global]
 # DATABASE
 
-# no database for ipa-webgui since everything is stored in LDAP
+# no database for ipagui since everything is stored in LDAP
 
 # IDENTITY
 
@@ -59,19 +59,19 @@ server.thread_pool = 10
 
 [[[access_out]]]
 # set the filename as the first argument below
-args="('ipa-webgui',)"
+args="('ipagui',)"
 class='FileHandler'
 level='INFO'
-formatter='message_only'
+formatter='datestamped'
 
 [[loggers]]
 [[[ipagui]]]
 level='ERROR'
-qualname='ipa-webgui'
+qualname='ipagui'
 handlers=['debug_out']
 
 [[[access]]]
 level='INFO'
-qualname='ipa-webgui.access'
+qualname='turbogears.access'
 handlers=['access_out']
 propagate=0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071017/79ff7577/attachment.bin>

From kmacmill at redhat.com  Thu Oct 18 14:14:31 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 18 Oct 2007 10:14:31 -0400
Subject: [Freeipa-devel] [PATCH] build fixes
Message-ID: <1192716871.2934.22.camel@localhost.localdomain>

This patch fixes the dist and local-dist targets from the recent
autoconf import. It also makes some minor fixes to the spec files.

One remaining question: when I make the source tarballs for distribution
I'm running autogen.sh. However, that runs configure which, I think, is
not typically run before distributing the source. Should I just remove
the configure step from autogen.sh?

Karl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-290-build-fixes.patch
Type: text/x-patch
Size: 6745 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071018/a0851e2b/attachment.bin>

From mccann at jhu.edu  Thu Oct 18 14:30:06 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Thu, 18 Oct 2007 10:30:06 -0400
Subject: [Freeipa-devel] Re: [PATCH] build fixes
In-Reply-To: <1192716871.2934.22.camel@localhost.localdomain>
References: <1192716871.2934.22.camel@localhost.localdomain>
Message-ID: <939dd5750710180730s338a4756seae7c5dd46f9ec67@mail.gmail.com>

On 10/18/07, Karl MacMillan <kmacmill at redhat.com> wrote:
> This patch fixes the dist and local-dist targets from the recent
> autoconf import. It also makes some minor fixes to the spec files.
>
> One remaining question: when I make the source tarballs for distribution
> I'm running autogen.sh. However, that runs configure which, I think, is
> not typically run before distributing the source. Should I just remove
> the configure step from autogen.sh?

No.  At least in my experience the proper way to do a release is to:

Pull a fresh tree  or run make maintainer-clean (does not have
configure or Makefile)
Run autogen.sh (which builds configure, runs configure, creates Makefile)
Run "make distcheck" (which requires Makfile)

Also, looks like parts of the autotools patches didn't get committed
and needs fixing up:
 * autogen.sh should have +x mode
 * Running autogen.sh gives:
   Makefile.am: required file `./NEWS' not found
   Makefile.am: required file `./README' not found
   Makefile.am: required file `./AUTHORS' not found

Jon



From kmacmill at redhat.com  Thu Oct 18 14:36:04 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 18 Oct 2007 10:36:04 -0400
Subject: [Freeipa-devel] Re: [PATCH] build fixes
In-Reply-To: <939dd5750710180730s338a4756seae7c5dd46f9ec67@mail.gmail.com>
References: <1192716871.2934.22.camel@localhost.localdomain>
	<939dd5750710180730s338a4756seae7c5dd46f9ec67@mail.gmail.com>
Message-ID: <1192718164.11164.1.camel@localhost.localdomain>

On Thu, 2007-10-18 at 10:30 -0400, William Jon McCann wrote:
> On 10/18/07, Karl MacMillan <kmacmill at redhat.com> wrote:
> > This patch fixes the dist and local-dist targets from the recent
> > autoconf import. It also makes some minor fixes to the spec files.
> >
> > One remaining question: when I make the source tarballs for distribution
> > I'm running autogen.sh. However, that runs configure which, I think, is
> > not typically run before distributing the source. Should I just remove
> > the configure step from autogen.sh?
> 
> No.  At least in my experience the proper way to do a release is to:
> 
> Pull a fresh tree  or run make maintainer-clean (does not have
> configure or Makefile)

We create an clean archive out of hg.

> Run autogen.sh (which builds configure, runs configure, creates Makefile)
> Run "make distcheck" (which requires Makfile)
> 

Ok

> Also, looks like parts of the autotools patches didn't get committed
> and needs fixing up:
>  * autogen.sh should have +x mode
>  * Running autogen.sh gives:
>    Makefile.am: required file `./NEWS' not found
>    Makefile.am: required file `./README' not found
>    Makefile.am: required file `./AUTHORS' not found
> 

These are being fixed by this patch and later ones.

Another question - currently the directory server plugins are having
a .so installed and a .la installed. How do I get rid of the .la?

Karl



From mccann at jhu.edu  Thu Oct 18 14:37:20 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Thu, 18 Oct 2007 10:37:20 -0400
Subject: [Freeipa-devel] Re: [PATCH] build fixes
In-Reply-To: <939dd5750710180730s338a4756seae7c5dd46f9ec67@mail.gmail.com>
References: <1192716871.2934.22.camel@localhost.localdomain>
	<939dd5750710180730s338a4756seae7c5dd46f9ec67@mail.gmail.com>
Message-ID: <939dd5750710180737p532db53fo1f36b08d07dd9200@mail.gmail.com>

On 10/18/07, William Jon McCann <mccann at jhu.edu> wrote:
> On 10/18/07, Karl MacMillan <kmacmill at redhat.com> wrote:
> > This patch fixes the dist and local-dist targets from the recent
> > autoconf import. It also makes some minor fixes to the spec files.
> >
> > One remaining question: when I make the source tarballs for distribution
> > I'm running autogen.sh. However, that runs configure which, I think, is
> > not typically run before distributing the source. Should I just remove
> > the configure step from autogen.sh?
>
> No.  At least in my experience the proper way to do a release is to:
>
> Pull a fresh tree  or run make maintainer-clean (does not have
> configure or Makefile)
> Run autogen.sh (which builds configure, runs configure, creates Makefile)
> Run "make distcheck" (which requires Makfile)
>
> Also, looks like parts of the autotools patches didn't get committed
> and needs fixing up:
>  * autogen.sh should have +x mode
>  * Running autogen.sh gives:
>    Makefile.am: required file `./NEWS' not found
>    Makefile.am: required file `./README' not found
>    Makefile.am: required file `./AUTHORS' not found

Seems like "hg diff" doesn't report locally added files by default.
But hg diff --git does.  Weird.  What should I be using?

Thanks,
Jon



From rcritten at redhat.com  Thu Oct 18 14:40:31 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 18 Oct 2007 10:40:31 -0400
Subject: [Freeipa-devel] Re: [PATCH] build fixes
In-Reply-To: <939dd5750710180737p532db53fo1f36b08d07dd9200@mail.gmail.com>
References: <1192716871.2934.22.camel@localhost.localdomain>	<939dd5750710180730s338a4756seae7c5dd46f9ec67@mail.gmail.com>
	<939dd5750710180737p532db53fo1f36b08d07dd9200@mail.gmail.com>
Message-ID: <4717705F.1090101@redhat.com>

William Jon McCann wrote:
> On 10/18/07, William Jon McCann <mccann at jhu.edu> wrote:
>> On 10/18/07, Karl MacMillan <kmacmill at redhat.com> wrote:
>>> This patch fixes the dist and local-dist targets from the recent
>>> autoconf import. It also makes some minor fixes to the spec files.
>>>
>>> One remaining question: when I make the source tarballs for distribution
>>> I'm running autogen.sh. However, that runs configure which, I think, is
>>> not typically run before distributing the source. Should I just remove
>>> the configure step from autogen.sh?
>> No.  At least in my experience the proper way to do a release is to:
>>
>> Pull a fresh tree  or run make maintainer-clean (does not have
>> configure or Makefile)
>> Run autogen.sh (which builds configure, runs configure, creates Makefile)
>> Run "make distcheck" (which requires Makfile)
>>
>> Also, looks like parts of the autotools patches didn't get committed
>> and needs fixing up:
>>  * autogen.sh should have +x mode
>>  * Running autogen.sh gives:
>>    Makefile.am: required file `./NEWS' not found
>>    Makefile.am: required file `./README' not found
>>    Makefile.am: required file `./AUTHORS' not found
> 
> Seems like "hg diff" doesn't report locally added files by default.
> But hg diff --git does.  Weird.  What should I be using?
> 
>

I use 'hg stat' for that.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071018/895252e8/attachment.bin>

From kmacmill at redhat.com  Thu Oct 18 14:48:34 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 18 Oct 2007 10:48:34 -0400
Subject: [Freeipa-devel] Re: [PATCH] build fixes
In-Reply-To: <4717705F.1090101@redhat.com>
References: <1192716871.2934.22.camel@localhost.localdomain>
	<939dd5750710180730s338a4756seae7c5dd46f9ec67@mail.gmail.com>
	<939dd5750710180737p532db53fo1f36b08d07dd9200@mail.gmail.com>
	<4717705F.1090101@redhat.com>
Message-ID: <1192718914.11164.3.camel@localhost.localdomain>

On Thu, 2007-10-18 at 10:40 -0400, Rob Crittenden wrote:
> William Jon McCann wrote:
> > On 10/18/07, William Jon McCann <mccann at jhu.edu> wrote:
> >> On 10/18/07, Karl MacMillan <kmacmill at redhat.com> wrote:
> >>> This patch fixes the dist and local-dist targets from the recent
> >>> autoconf import. It also makes some minor fixes to the spec files.
> >>>
> >>> One remaining question: when I make the source tarballs for distribution
> >>> I'm running autogen.sh. However, that runs configure which, I think, is
> >>> not typically run before distributing the source. Should I just remove
> >>> the configure step from autogen.sh?
> >> No.  At least in my experience the proper way to do a release is to:
> >>
> >> Pull a fresh tree  or run make maintainer-clean (does not have
> >> configure or Makefile)
> >> Run autogen.sh (which builds configure, runs configure, creates Makefile)
> >> Run "make distcheck" (which requires Makfile)
> >>
> >> Also, looks like parts of the autotools patches didn't get committed
> >> and needs fixing up:
> >>  * autogen.sh should have +x mode
> >>  * Running autogen.sh gives:
> >>    Makefile.am: required file `./NEWS' not found
> >>    Makefile.am: required file `./README' not found
> >>    Makefile.am: required file `./AUTHORS' not found
> > 
> > Seems like "hg diff" doesn't report locally added files by default.
> > But hg diff --git does.  Weird.  What should I be using?
> > 
> >
> 
> I use 'hg stat' for that.
> 

And hg addremove will automatically, well, add and remove anything.

Karl



From kmacmill at redhat.com  Thu Oct 18 14:49:24 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 18 Oct 2007 10:49:24 -0400
Subject: [Freeipa-devel] Re: [PATCH] build fixes
In-Reply-To: <939dd5750710180737p532db53fo1f36b08d07dd9200@mail.gmail.com>
References: <1192716871.2934.22.camel@localhost.localdomain>
	<939dd5750710180730s338a4756seae7c5dd46f9ec67@mail.gmail.com>
	<939dd5750710180737p532db53fo1f36b08d07dd9200@mail.gmail.com>
Message-ID: <1192718964.11164.5.camel@localhost.localdomain>

On Thu, 2007-10-18 at 10:37 -0400, William Jon McCann wrote:
> On 10/18/07, William Jon McCann <mccann at jhu.edu> wrote:
> > On 10/18/07, Karl MacMillan <kmacmill at redhat.com> wrote:
> > > This patch fixes the dist and local-dist targets from the recent
> > > autoconf import. It also makes some minor fixes to the spec files.
> > >
> > > One remaining question: when I make the source tarballs for distribution
> > > I'm running autogen.sh. However, that runs configure which, I think, is
> > > not typically run before distributing the source. Should I just remove
> > > the configure step from autogen.sh?
> >
> > No.  At least in my experience the proper way to do a release is to:
> >
> > Pull a fresh tree  or run make maintainer-clean (does not have
> > configure or Makefile)
> > Run autogen.sh (which builds configure, runs configure, creates Makefile)
> > Run "make distcheck" (which requires Makfile)
> >
> > Also, looks like parts of the autotools patches didn't get committed
> > and needs fixing up:
> >  * autogen.sh should have +x mode
> >  * Running autogen.sh gives:
> >    Makefile.am: required file `./NEWS' not found
> >    Makefile.am: required file `./README' not found
> >    Makefile.am: required file `./AUTHORS' not found
> 
> Seems like "hg diff" doesn't report locally added files by default.
> But hg diff --git does.  Weird.  What should I be using?
> 

Oh, and hg export preserves checkin comments and, I think, mode changes
where as hg diff does not.

Karl



From kmacmill at redhat.com  Thu Oct 18 14:55:51 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 18 Oct 2007 10:55:51 -0400
Subject: [Freeipa-devel] [PATCH] build fixes
In-Reply-To: <1192716871.2934.22.camel@localhost.localdomain>
References: <1192716871.2934.22.camel@localhost.localdomain>
Message-ID: <1192719351.11164.7.camel@localhost.localdomain>

On Thu, 2007-10-18 at 10:14 -0400, Karl MacMillan wrote:
> This patch fixes the dist and local-dist targets from the recent
> autoconf import. It also makes some minor fixes to the spec files.
> 
> One remaining question: when I make the source tarballs for distribution
> I'm running autogen.sh. However, that runs configure which, I think, is
> not typically run before distributing the source. Should I just remove
> the configure step from autogen.sh?
> 

Another patch (on top of the previous patch) which fixes many errors
pointed out by Rob. Only remaining issue is the .la files.

Karl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-291-build-fixes.patch
Type: text/x-patch
Size: 1030 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071018/04f1fc7a/attachment.bin>

From kmccarth at redhat.com  Thu Oct 18 15:22:10 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 18 Oct 2007 08:22:10 -0700
Subject: [Freeipa-devel] Re: [PATCH] build fixes
In-Reply-To: <1192718964.11164.5.camel@localhost.localdomain>
References: <1192716871.2934.22.camel@localhost.localdomain>
	<939dd5750710180730s338a4756seae7c5dd46f9ec67@mail.gmail.com>
	<939dd5750710180737p532db53fo1f36b08d07dd9200@mail.gmail.com>
	<1192718964.11164.5.camel@localhost.localdomain>
Message-ID: <20071018152209.GA17589@moon.usersys.redhat.com>

Karl MacMillan wrote:
> On Thu, 2007-10-18 at 10:37 -0400, William Jon McCann wrote:
> > On 10/18/07, William Jon McCann <mccann at jhu.edu> wrote:
> > > On 10/18/07, Karl MacMillan <kmacmill at redhat.com> wrote:
> > > > This patch fixes the dist and local-dist targets from the recent
> > > > autoconf import. It also makes some minor fixes to the spec files.
> > > >
> > > > One remaining question: when I make the source tarballs for distribution
> > > > I'm running autogen.sh. However, that runs configure which, I think, is
> > > > not typically run before distributing the source. Should I just remove
> > > > the configure step from autogen.sh?
> > >
> > > No.  At least in my experience the proper way to do a release is to:
> > >
> > > Pull a fresh tree  or run make maintainer-clean (does not have
> > > configure or Makefile)
> > > Run autogen.sh (which builds configure, runs configure, creates Makefile)
> > > Run "make distcheck" (which requires Makfile)
> > >
> > > Also, looks like parts of the autotools patches didn't get committed
> > > and needs fixing up:
> > >  * autogen.sh should have +x mode
> > >  * Running autogen.sh gives:
> > >    Makefile.am: required file `./NEWS' not found
> > >    Makefile.am: required file `./README' not found
> > >    Makefile.am: required file `./AUTHORS' not found
> > 
> > Seems like "hg diff" doesn't report locally added files by default.
> > But hg diff --git does.  Weird.  What should I be using?
> > 
> 
> Oh, and hg export preserves checkin comments and, I think, mode changes
> where as hg diff does not.

Use 'hg export -g' to create a patch that prevserves binary files and
file permissions.

-Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071018/e3d3abbb/attachment.bin>

From kmacmill at redhat.com  Thu Oct 18 15:45:36 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 18 Oct 2007 11:45:36 -0400
Subject: [Freeipa-devel] [PATCH] build fixes
In-Reply-To: <1192719351.11164.7.camel@localhost.localdomain>
References: <1192716871.2934.22.camel@localhost.localdomain>
	<1192719351.11164.7.camel@localhost.localdomain>
Message-ID: <1192722336.11164.9.camel@localhost.localdomain>

On Thu, 2007-10-18 at 10:55 -0400, Karl MacMillan wrote:
> On Thu, 2007-10-18 at 10:14 -0400, Karl MacMillan wrote:
> > This patch fixes the dist and local-dist targets from the recent
> > autoconf import. It also makes some minor fixes to the spec files.
> > 
> > One remaining question: when I make the source tarballs for distribution
> > I'm running autogen.sh. However, that runs configure which, I think, is
> > not typically run before distributing the source. Should I just remove
> > the configure step from autogen.sh?
> > 
> 
> Another patch (on top of the previous patch) which fixes many errors
> pointed out by Rob. Only remaining issue is the .la files.
> 

Wrong patch - correct one attached.

Karl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-292-build-fixes.patch
Type: text/x-patch
Size: 5888 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071018/510982b2/attachment.bin>

From rcritten at redhat.com  Thu Oct 18 15:51:25 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 18 Oct 2007 11:51:25 -0400
Subject: [Freeipa-devel] [PATCH] build fixes
In-Reply-To: <1192722336.11164.9.camel@localhost.localdomain>
References: <1192716871.2934.22.camel@localhost.localdomain>	<1192719351.11164.7.camel@localhost.localdomain>
	<1192722336.11164.9.camel@localhost.localdomain>
Message-ID: <471780FD.6080700@redhat.com>

Karl MacMillan wrote:
> On Thu, 2007-10-18 at 10:55 -0400, Karl MacMillan wrote:
>> On Thu, 2007-10-18 at 10:14 -0400, Karl MacMillan wrote:
>>> This patch fixes the dist and local-dist targets from the recent
>>> autoconf import. It also makes some minor fixes to the spec files.
>>>
>>> One remaining question: when I make the source tarballs for distribution
>>> I'm running autogen.sh. However, that runs configure which, I think, is
>>> not typically run before distributing the source. Should I just remove
>>> the configure step from autogen.sh?
>>>
>> Another patch (on top of the previous patch) which fixes many errors
>> pointed out by Rob. Only remaining issue is the .la files.
>>
> 
> Wrong patch - correct one attached.
> 
> Karl
> 
>

Looks ok.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071018/cca9ed7a/attachment.bin>

From mccann at jhu.edu  Thu Oct 18 15:55:46 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Thu, 18 Oct 2007 11:55:46 -0400
Subject: [Freeipa-devel] Re: [PATCH] build fixes
In-Reply-To: <1192718164.11164.1.camel@localhost.localdomain>
References: <1192716871.2934.22.camel@localhost.localdomain>
	<939dd5750710180730s338a4756seae7c5dd46f9ec67@mail.gmail.com>
	<1192718164.11164.1.camel@localhost.localdomain>
Message-ID: <939dd5750710180855t3cf9f418jc59651af257d4c15@mail.gmail.com>

On 10/18/07, Karl MacMillan <kmacmill at redhat.com> wrote:
> Another question - currently the directory server plugins are having
> a .so installed and a .la installed. How do I get rid of the .la?

That is usually done in the RPM build.

See:
http://cvs.fedora.redhat.com/viewcvs/devel/gtk2/gtk2.spec?rev=1.263&view=auto
http://cvs.fedora.redhat.com/viewcvs/devel/totem/totem.spec?rev=1.122&view=auto
etc

Jon



From kmccarth at redhat.com  Thu Oct 18 16:51:12 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 18 Oct 2007 09:51:12 -0700
Subject: [Freeipa-devel] [PATCH] error handler for webgui
Message-ID: <20071018165110.GB17589@moon.usersys.redhat.com>

Attached is an error handler for the webgui.  It's derived from the
example at http://docs.turbogears.org/1.0/ErrorReporting (and
attributed).

The only decision I had was whether to handle 404's.  For now I have, as
it at least hides the stack-trace in production mode.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192725973 25200
# Node ID 9be4aa4be3ef10752047fa94c7fd5a263bbb35cb
# Parent  21d9d5828d6d00abf75aadc640997fe7e30e208e
Add an exception/error handler to the web gui.

diff -r 21d9d5828d6d -r 9be4aa4be3ef ipa-server/ipa-gui/ipagui/controllers.py
--- a/ipa-server/ipa-gui/ipagui/controllers.py	Wed Oct 17 16:45:20 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/controllers.py	Thu Oct 18 09:46:13 2007 -0700
@@ -1,8 +1,11 @@ import logging
 import logging
+import StringIO
+import traceback
 
 import cherrypy
 import turbogears
 from turbogears import controllers, expose, flash
+from turbogears import config
 from turbogears import validators, validate
 from turbogears import widgets, paginate
 from turbogears import error_handler
@@ -41,3 +44,61 @@ class Root(controllers.RootController):
     @expose("ipagui.templates.loginfailed")
     def loginfailed(self, **kw):
         return dict()
+
+
+    _error_codes = {
+        None: u'General Error',
+        400: u'400 - Bad Request',
+        401: u'401 - Unauthorized',
+        403: u'403 - Forbidden',
+        404: u'404 - Not Found',
+        500: u'500 - Internal Server Error',
+        501: u'501 - Not Implemented',
+        502: u'502 - Bad Gateway',
+    }
+
+    def handle_error(self, status, message):
+        """This method is derived from the sample error catcher on
+           http://docs.turbogears.org/1.0/ErrorReporting."""
+        try:
+            cherrypy._cputil._cp_on_http_error(status, message)
+            error_msg = self._error_codes.get(status, self._error_codes[None])
+            url = "%s %s" % (cherrypy.request.method, cherrypy.request.path)
+            log.exception("CherryPy %s error (%s) for request '%s'", status,
+                          error_msg, url)
+
+            if config.get('server.environment') == 'production':
+                details = ''
+            else:
+                buf = StringIO.StringIO()
+                traceback.print_exc(file=buf)
+                details = buf.getvalue()
+                buf.close()
+
+            data = dict(
+                status = status,
+                message = message,
+                error_msg = error_msg,
+                url = url,
+                details = details,
+            )
+
+            body = controllers._process_output(
+                data,
+                'ipagui.templates.unhandled_exception',
+                'html',
+                'text/html',
+                None
+            )
+            cherrypy.response.headers['Content-Length'] = len(body)
+            cherrypy.response.body = body
+
+        # don't catch SystemExit
+        except StandardError, exc:
+            log.exception('Error handler failed: %s', exc)
+
+    # To hook in error handler for production only:
+    # if config.get('server.environment') == 'production':
+    #     _cp_on_http_error = handle_error
+
+    _cp_on_http_error = handle_error
diff -r 21d9d5828d6d -r 9be4aa4be3ef ipa-server/ipa-gui/ipagui/templates/unhandled_exception.kid
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-server/ipa-gui/ipagui/templates/unhandled_exception.kid	Thu Oct 18 09:46:13 2007 -0700
@@ -0,0 +1,31 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml"
+  xmlns:py="http://purl.org/kid/ns#"
+  py:extends="'master.kid'">
+<head>
+<meta content="text/html; charset=utf-8" http-equiv="Content-Type" py:replace="''"/>
+<title>Error</title>
+</head>
+
+<body>
+  <div id="main_content">
+    <h1>An unexpected error occured</h1>
+
+    <div py:if='message'>
+      <b>Message:</b>
+      <pre>${message}</pre>
+    </div>
+
+    <div py:if='error_msg'>
+      <b>HTTP Error Message:</b>
+      <pre>${error_msg}</pre>
+    </div>
+
+    <div py:if='details'>
+      <b>Stack Trace:</b>
+      <pre>${details}</pre>
+    </div>
+  </div>
+
+</body>
+</html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071018/71ec22dd/attachment.bin>

From kmacmill at redhat.com  Thu Oct 18 16:57:54 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 18 Oct 2007 12:57:54 -0400
Subject: [Freeipa-devel] [PATCH] logging in controllers
In-Reply-To: <20071017234719.GP24262@moon.usersys.redhat.com>
References: <20071017234719.GP24262@moon.usersys.redhat.com>
Message-ID: <1192726674.12120.1.camel@localhost.localdomain>

On Wed, 2007-10-17 at 16:47 -0700, Kevin McCarthy wrote:
> Add logging objects to controllers, and some minor tweeks to the logging
> configuration.

Looks good to me - pushed.

Karl



From mccann at jhu.edu  Thu Oct 18 19:03:31 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Thu, 18 Oct 2007 15:03:31 -0400
Subject: [Freeipa-devel] Re: [PATCH] build fixes
In-Reply-To: <20071018152209.GA17589@moon.usersys.redhat.com>
References: <1192716871.2934.22.camel@localhost.localdomain>
	<939dd5750710180730s338a4756seae7c5dd46f9ec67@mail.gmail.com>
	<939dd5750710180737p532db53fo1f36b08d07dd9200@mail.gmail.com>
	<1192718964.11164.5.camel@localhost.localdomain>
	<20071018152209.GA17589@moon.usersys.redhat.com>
Message-ID: <939dd5750710181203u47d16e7dgcd6ff28f2377a474@mail.gmail.com>

On 10/18/07, Kevin McCarthy <kmccarth at redhat.com> wrote:
> Karl MacMillan wrote:
> > On Thu, 2007-10-18 at 10:37 -0400, William Jon McCann wrote:
> > > On 10/18/07, William Jon McCann <mccann at jhu.edu> wrote:
> > > > On 10/18/07, Karl MacMillan <kmacmill at redhat.com> wrote:
> > > > > This patch fixes the dist and local-dist targets from the recent
> > > > > autoconf import. It also makes some minor fixes to the spec files.
> > > > >
> > > > > One remaining question: when I make the source tarballs for distribution
> > > > > I'm running autogen.sh. However, that runs configure which, I think, is
> > > > > not typically run before distributing the source. Should I just remove
> > > > > the configure step from autogen.sh?
> > > >
> > > > No.  At least in my experience the proper way to do a release is to:
> > > >
> > > > Pull a fresh tree  or run make maintainer-clean (does not have
> > > > configure or Makefile)
> > > > Run autogen.sh (which builds configure, runs configure, creates Makefile)
> > > > Run "make distcheck" (which requires Makfile)
> > > >
> > > > Also, looks like parts of the autotools patches didn't get committed
> > > > and needs fixing up:
> > > >  * autogen.sh should have +x mode
> > > >  * Running autogen.sh gives:
> > > >    Makefile.am: required file `./NEWS' not found
> > > >    Makefile.am: required file `./README' not found
> > > >    Makefile.am: required file `./AUTHORS' not found
> > >
> > > Seems like "hg diff" doesn't report locally added files by default.
> > > But hg diff --git does.  Weird.  What should I be using?
> > >
> >
> > Oh, and hg export preserves checkin comments and, I think, mode changes
> > where as hg diff does not.
>
> Use 'hg export -g' to create a patch that prevserves binary files and
> file permissions.

Ok, thanks!  Could we add that to
http://freeipa.org/page/Contribute#Submitting_Changes or is there a
way I can edit the wiki?  I can't figure out how to create a new user.

Jon



From kmacmill at redhat.com  Thu Oct 18 19:09:38 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 18 Oct 2007 15:09:38 -0400
Subject: [Freeipa-devel] Re: [PATCH] build fixes
In-Reply-To: <939dd5750710181203u47d16e7dgcd6ff28f2377a474@mail.gmail.com>
References: <1192716871.2934.22.camel@localhost.localdomain>
	<939dd5750710180730s338a4756seae7c5dd46f9ec67@mail.gmail.com>
	<939dd5750710180737p532db53fo1f36b08d07dd9200@mail.gmail.com>
	<1192718964.11164.5.camel@localhost.localdomain>
	<20071018152209.GA17589@moon.usersys.redhat.com>
	<939dd5750710181203u47d16e7dgcd6ff28f2377a474@mail.gmail.com>
Message-ID: <1192734578.12120.23.camel@localhost.localdomain>

On Thu, 2007-10-18 at 15:03 -0400, William Jon McCann wrote:
> On 10/18/07, Kevin McCarthy <kmccarth at redhat.com> wrote:
> > Karl MacMillan wrote:
> > > On Thu, 2007-10-18 at 10:37 -0400, William Jon McCann wrote:
> > > > On 10/18/07, William Jon McCann <mccann at jhu.edu> wrote:
> > > > > On 10/18/07, Karl MacMillan <kmacmill at redhat.com> wrote:
> > > > > > This patch fixes the dist and local-dist targets from the recent
> > > > > > autoconf import. It also makes some minor fixes to the spec files.
> > > > > >
> > > > > > One remaining question: when I make the source tarballs for distribution
> > > > > > I'm running autogen.sh. However, that runs configure which, I think, is
> > > > > > not typically run before distributing the source. Should I just remove
> > > > > > the configure step from autogen.sh?
> > > > >
> > > > > No.  At least in my experience the proper way to do a release is to:
> > > > >
> > > > > Pull a fresh tree  or run make maintainer-clean (does not have
> > > > > configure or Makefile)
> > > > > Run autogen.sh (which builds configure, runs configure, creates Makefile)
> > > > > Run "make distcheck" (which requires Makfile)
> > > > >
> > > > > Also, looks like parts of the autotools patches didn't get committed
> > > > > and needs fixing up:
> > > > >  * autogen.sh should have +x mode
> > > > >  * Running autogen.sh gives:
> > > > >    Makefile.am: required file `./NEWS' not found
> > > > >    Makefile.am: required file `./README' not found
> > > > >    Makefile.am: required file `./AUTHORS' not found
> > > >
> > > > Seems like "hg diff" doesn't report locally added files by default.
> > > > But hg diff --git does.  Weird.  What should I be using?
> > > >
> > >
> > > Oh, and hg export preserves checkin comments and, I think, mode changes
> > > where as hg diff does not.
> >
> > Use 'hg export -g' to create a patch that prevserves binary files and
> > file permissions.
> 
> Ok, thanks!  Could we add that to
> http://freeipa.org/page/Contribute#Submitting_Changes or is there a
> way I can edit the wiki?  I can't figure out how to create a new user.
> 

Made the change, adding info about how to get a wiki account, and I'll
send you info about your wiki account separately.

Karl



From mccann at jhu.edu  Thu Oct 18 19:16:40 2007
From: mccann at jhu.edu (William Jon McCann)
Date: Thu, 18 Oct 2007 15:16:40 -0400
Subject: [Freeipa-devel] Re: [PATCH] build fixes
In-Reply-To: <1192734578.12120.23.camel@localhost.localdomain>
References: <1192716871.2934.22.camel@localhost.localdomain>
	<939dd5750710180730s338a4756seae7c5dd46f9ec67@mail.gmail.com>
	<939dd5750710180737p532db53fo1f36b08d07dd9200@mail.gmail.com>
	<1192718964.11164.5.camel@localhost.localdomain>
	<20071018152209.GA17589@moon.usersys.redhat.com>
	<939dd5750710181203u47d16e7dgcd6ff28f2377a474@mail.gmail.com>
	<1192734578.12120.23.camel@localhost.localdomain>
Message-ID: <939dd5750710181216h4839e7f1tf865a77cde2816a7@mail.gmail.com>

On 10/18/07, Karl MacMillan <kmacmill at redhat.com> wrote
> Made the change, adding info about how to get a wiki account, and I'll
> send you info about your wiki account separately.

Thank you.  :)

Jon



From kmacmill at redhat.com  Thu Oct 18 19:18:21 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 18 Oct 2007 15:18:21 -0400
Subject: [Freeipa-devel] [PATCH] autogen.sh fixes
Message-ID: <1192735101.12120.31.camel@localhost.localdomain>

Turns out that autogen.sh didn't correctly compare versions, making it
think that aclocal 1.10 was older than 1.7. Added a more robust compare.
Also remove .la files from rpms.

Karl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-297-autogen-fix.patch
Type: text/x-patch
Size: 7586 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071018/b0324c46/attachment.bin>

From rcritten at redhat.com  Thu Oct 18 19:25:02 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 18 Oct 2007 15:25:02 -0400
Subject: [Freeipa-devel] [PATCH] autogen.sh fixes
In-Reply-To: <1192735101.12120.31.camel@localhost.localdomain>
References: <1192735101.12120.31.camel@localhost.localdomain>
Message-ID: <4717B30E.9030304@redhat.com>

Karl MacMillan wrote:
> Turns out that autogen.sh didn't correctly compare versions, making it
> think that aclocal 1.10 was older than 1.7. Added a more robust compare.
> Also remove .la files from rpms.
> 
> Karl

In the ipa-client/autogen.sh you switched PACKAGE to freeipa-server.

Otherwise it looks ok.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071018/435021cd/attachment.bin>

From kmacmill at redhat.com  Thu Oct 18 19:26:53 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 18 Oct 2007 15:26:53 -0400
Subject: [Freeipa-devel] [PATCH] autogen.sh fixes
In-Reply-To: <4717B30E.9030304@redhat.com>
References: <1192735101.12120.31.camel@localhost.localdomain>
	<4717B30E.9030304@redhat.com>
Message-ID: <1192735613.12120.33.camel@localhost.localdomain>

On Thu, 2007-10-18 at 15:25 -0400, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > Turns out that autogen.sh didn't correctly compare versions, making it
> > think that aclocal 1.10 was older than 1.7. Added a more robust compare.
> > Also remove .la files from rpms.
> > 
> > Karl
> 
> In the ipa-client/autogen.sh you switched PACKAGE to freeipa-server.
> 
> Otherwise it looks ok.
> 

Pushed with the fix for PACKAGE.

Karl



From rcritten at redhat.com  Thu Oct 18 20:19:53 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 18 Oct 2007 16:19:53 -0400
Subject: [Freeipa-devel] [PATCH] fix build
Message-ID: <4717BFE9.3040700@redhat.com>

A relatively new file, httpinstance.py, wasn't being installed. Include it.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-299-buildfix.patch
Type: text/x-patch
Size: 562 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071018/d892bce3/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071018/d892bce3/attachment-0001.bin>

From kmacmill at redhat.com  Thu Oct 18 20:50:11 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 18 Oct 2007 16:50:11 -0400
Subject: [Freeipa-devel] [PATCH] fix build
In-Reply-To: <4717BFE9.3040700@redhat.com>
References: <4717BFE9.3040700@redhat.com>
Message-ID: <1192740611.12120.47.camel@localhost.localdomain>

On Thu, 2007-10-18 at 16:19 -0400, Rob Crittenden wrote:
> A relatively new file, httpinstance.py, wasn't being installed. Include it.
> 

Pushed. BTW - anyway to use some globbing - updating these constantly is
going to get tedious.

Karl



From kmacmill at redhat.com  Thu Oct 18 21:20:46 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 18 Oct 2007 17:20:46 -0400
Subject: [Freeipa-devel] [PATCH] improve error reporting in
	ipa-server-install
Message-ID: <1192742446.12120.49.camel@localhost.localdomain>

Print a traceback to the install log on unexpected error.

Karl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-300-install-error-reporting.patch
Type: text/x-patch
Size: 1208 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071018/49ba3091/attachment.bin>

From kmccarth at redhat.com  Thu Oct 18 21:36:15 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 18 Oct 2007 14:36:15 -0700
Subject: [Freeipa-devel] [PATCH] finish email auto-suggest
Message-ID: <20071018213615.GB19844@moon.usersys.redhat.com>

Finish up the email auto-suggest.  Searching w/field specification is a
ways off, so for now I'm adding an API call.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192743235 25200
# Node ID 57092d263dfeaf213adf10b04af0333efb4eb25f
# Parent  d3b8c1fad11638fd5b6e84ab2ba4ce1cbb9009ad
Finish the email autosuggest.
For now I've added a new API call.  The field-specific searching is
a ways off.

diff -r d3b8c1fad116 -r 57092d263dfe ipa-python/ipaclient.py
--- a/ipa-python/ipaclient.py	Thu Oct 18 14:17:59 2007 -0700
+++ b/ipa-python/ipaclient.py	Thu Oct 18 14:33:55 2007 -0700
@@ -98,6 +98,13 @@ class IPAClient:
         result = self.transport.get_user_by_principal(principal,sattrs)
         return user.User(result)
 
+    def get_user_by_email(self,email,sattrs=None):
+        """Get a specific user's entry. Return as a dict of values.
+           Multi-valued fields are represented as lists.
+        """
+        result = self.transport.get_user_by_email(email,sattrs)
+        return user.User(result)
+
     def get_users_by_manager(self,manager_dn,sattrs=None):
         """Gets the users the report to a particular manager.
            If sattrs is not None then only those
diff -r d3b8c1fad116 -r 57092d263dfe ipa-python/rpcclient.py
--- a/ipa-python/rpcclient.py	Thu Oct 18 14:17:59 2007 -0700
+++ b/ipa-python/rpcclient.py	Thu Oct 18 14:33:55 2007 -0700
@@ -165,7 +165,23 @@ class RPCClient:
             raise xmlrpclib.Fault(value, msg)
 
         return ipautil.unwrap_binary_data(result)
- 
+
+    def get_user_by_email(self,email,sattrs=None):
+        """Get a specific user's entry. Return as a dict of values.
+           Multi-valued fields are represented as lists.
+        """
+        server = self.setup_server()
+        if sattrs is None:
+            sattrs = "__NONE__"
+        try:
+            result = server.get_user_by_email(email, sattrs)
+        except xmlrpclib.Fault, fault:
+            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
+        except socket.error, (value, msg):
+            raise xmlrpclib.Fault(value, msg)
+
+        return ipautil.unwrap_binary_data(result)
+
     def get_users_by_manager(self,manager_dn,sattrs=None):
         """Gets the users that report to a manager.
            If sattrs is not None then only those
diff -r d3b8c1fad116 -r 57092d263dfe ipa-server/ipa-gui/ipagui/subcontrollers/user.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py	Thu Oct 18 14:17:59 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py	Thu Oct 18 14:33:55 2007 -0700
@@ -17,6 +17,7 @@ from ipa.entity import utf8_encode_value
 from ipa.entity import utf8_encode_values
 from ipa import ipaerror
 import ipagui.forms.user
+import ipa.config
 
 log = logging.getLogger(__name__)
 
@@ -26,6 +27,8 @@ user_edit_form = ipagui.forms.user.UserE
 user_edit_form = ipagui.forms.user.UserEditForm()
 
 user_fields = ['*', 'nsAccountLock']
+
+email_domain = ipa.config.config.default_realm.lower()
 
 class UserController(IPAController):
 
@@ -512,31 +515,16 @@ class UserController(IPAController):
         givenname = givenname.lower()
         sn = sn.lower()
 
-        # TODO - get from config
-        domain = "freeipa.org"
-
-        return "%s.%s@%s" % (givenname, sn, domain)
-
-
-        # TODO - mail is currently not indexed nor searchable.
-        #        implement when it's done
-        # email = givenname + "." + sn + domain
-        # users = client.find_users(email, ['mail'])
-        # if len(filter(lambda u: u['mail'] == email, users[1:])) == 0:
-        #     return email
-
-        # email = self.suggest_uid(givenname, sn) + domain
-        # users = client.find_users(email, ['mail'])
-        # if len(filter(lambda u: u['mail'] == email, users[1:])) == 0:
-        #     return email
-
-        # suffix = 2
-        # template = givenname + "." + sn
-        # while suffix < 20:
-        #     email = template + str(suffix) + domain
-        #     users = client.find_users(email, ['mail'])
-        #     if len(filter(lambda u: u['mail'] == email, users[1:])) == 0:
-        #         return email
-        #     suffix += 1
-
-        # return ""
+        email = "%s.%s@%s" % (givenname, sn, email_domain)
+        try:
+            client.get_user_by_email(email)
+        except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
+            return email
+
+        email = "%s@%s" % (self.suggest_uid(givenname, sn), email_domain)
+        try:
+            client.get_user_by_email(email)
+        except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
+            return email
+
+        return ""
diff -r d3b8c1fad116 -r 57092d263dfe ipa-server/xmlrpc-server/funcs.py
--- a/ipa-server/xmlrpc-server/funcs.py	Thu Oct 18 14:17:59 2007 -0700
+++ b/ipa-server/xmlrpc-server/funcs.py	Thu Oct 18 14:33:55 2007 -0700
@@ -377,7 +377,16 @@ class IPAServer:
 
         filter = "(krbPrincipalName="+self.__safe_filter(principal)+")"
         return self.__get_sub_entry(self.basedn, filter, sattrs, opts)
-    
+
+    def get_user_by_email (self, email, sattrs=None, opts=None):
+        """Get a specific user's entry. Return as a dict of values.
+           Multi-valued fields are represented as lists.
+        """
+
+        email = self.__safe_filter(email)
+        filter = "(mail=" + email + ")"
+        return self.__get_sub_entry(self.basedn, filter, sattrs, opts)
+
     def get_users_by_manager (self, manager_dn, sattrs=None, opts=None):
         """Gets the users that report to a particular manager.
         """
diff -r d3b8c1fad116 -r 57092d263dfe ipa-server/xmlrpc-server/ipaxmlrpc.py
--- a/ipa-server/xmlrpc-server/ipaxmlrpc.py	Thu Oct 18 14:17:59 2007 -0700
+++ b/ipa-server/xmlrpc-server/ipaxmlrpc.py	Thu Oct 18 14:33:55 2007 -0700
@@ -323,6 +323,7 @@ def handler(req, profiling=False):
             h.register_function(f.update_entry)
             h.register_function(f.get_user_by_uid)
             h.register_function(f.get_user_by_principal)
+            h.register_function(f.get_user_by_email)
             h.register_function(f.get_users_by_manager)
             h.register_function(f.add_user)
             h.register_function(f.get_add_schema)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071018/9cdf5526/attachment.bin>

From mbooth at redhat.com  Thu Oct 18 22:18:57 2007
From: mbooth at redhat.com (Matthew Booth)
Date: Thu, 18 Oct 2007 23:18:57 +0100
Subject: [Freeipa-devel] Root accountability in a cluster
Message-ID: <1192745937.28947.50.camel@localhost.localdomain>

If I want the actions of a root user to be accountable, I can insist
that users log on as themselves and then use, eg, sudo to escalate their
privileges. If I want to run a command as root on a cluster, though,
this appears to fall down. I can implement kerberos authentication for
the cluster so that I can seamlessly hop from machine to machine without
reauthenticating. However, I cannot transfer my escalated privileges in
a similar manner, without doing something like running sudo on every
target node.

Is the following feasible:
* SSH to root at foo.example.com
* Present credentials for mbooth at EXAMPLE.COM
* mbooth at EXAMPLE.COM is on an allowed list for root
* I am logged in directly as root
* My audit context is mbooth

I think all but the last step is probably possible, but I'm not sure of
that. Is it possible? Is it sane? Is anybody working on it?

Thanks,

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071018/38211951/attachment.sig>

From rcritten at redhat.com  Fri Oct 19 02:04:37 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 18 Oct 2007 22:04:37 -0400
Subject: [Freeipa-devel] [PATCH] fix more build issues
Message-ID: <471810B5.1020103@redhat.com>

These seem to be the last of the really obvious build problems. I was 
able to do a local-dist build and install the RPMs and have everything 
seem to work. I didn't exercise things too much but I did test the cli 
and the GUI.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-300-buildfix.patch
Type: text/x-patch
Size: 2007 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071018/1fd18ea7/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071018/1fd18ea7/attachment-0001.bin>

From rcritten at redhat.com  Fri Oct 19 13:56:08 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Oct 2007 09:56:08 -0400
Subject: [Freeipa-devel] [PATCH] make distclean fix
Message-ID: <4718B778.90909@redhat.com>

This patch makes 'make distclean' work again.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-300-distclean.patch
Type: text/x-patch
Size: 804 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/4d9a1953/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/4d9a1953/attachment-0001.bin>

From rcritten at redhat.com  Fri Oct 19 13:58:24 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Oct 2007 09:58:24 -0400
Subject: [Freeipa-devel] [PATCH] Actually return a value in the cmdline tools
Message-ID: <4718B800.8080906@redhat.com>

The command-line tools weren't actually returning a value to the shell. 
This fixes that.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-300-rval.patch
Type: text/x-patch
Size: 3024 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/92848917/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/92848917/attachment-0001.bin>

From kmacmill at redhat.com  Fri Oct 19 14:05:22 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Fri, 19 Oct 2007 10:05:22 -0400
Subject: [Freeipa-devel] [PATCH] fix more build issues
In-Reply-To: <471810B5.1020103@redhat.com>
References: <471810B5.1020103@redhat.com>
Message-ID: <1192802722.2829.6.camel@localhost.localdomain>

On Thu, 2007-10-18 at 22:04 -0400, Rob Crittenden wrote:
> These seem to be the last of the really obvious build problems. I was 
> able to do a local-dist build and install the RPMs and have everything 
> seem to work. I didn't exercise things too much but I did test the cli 
> and the GUI.
> 

Pushed.



From kmacmill at redhat.com  Fri Oct 19 14:05:58 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Fri, 19 Oct 2007 10:05:58 -0400
Subject: [Freeipa-devel] [PATCH] make distclean fix
In-Reply-To: <4718B778.90909@redhat.com>
References: <4718B778.90909@redhat.com>
Message-ID: <1192802758.2829.8.camel@localhost.localdomain>

On Fri, 2007-10-19 at 09:56 -0400, Rob Crittenden wrote:
> This patch makes 'make distclean' work again.
> 

Pushed.



From kmacmill at redhat.com  Fri Oct 19 14:06:35 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Fri, 19 Oct 2007 10:06:35 -0400
Subject: [Freeipa-devel] [PATCH] Actually return a value in the cmdline
	tools
In-Reply-To: <4718B800.8080906@redhat.com>
References: <4718B800.8080906@redhat.com>
Message-ID: <1192802795.2829.10.camel@localhost.localdomain>

On Fri, 2007-10-19 at 09:58 -0400, Rob Crittenden wrote:
> The command-line tools weren't actually returning a value to the shell. 
> This fixes that.
> 

Pushed.



From kmacmill at redhat.com  Fri Oct 19 14:12:31 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Fri, 19 Oct 2007 10:12:31 -0400
Subject: [Freeipa-devel] [PATCH] error handler for webgui
In-Reply-To: <20071018165110.GB17589@moon.usersys.redhat.com>
References: <20071018165110.GB17589@moon.usersys.redhat.com>
Message-ID: <1192803151.2829.14.camel@localhost.localdomain>

On Thu, 2007-10-18 at 09:51 -0700, Kevin McCarthy wrote:
> Attached is an error handler for the webgui.  It's derived from the
> example at http://docs.turbogears.org/1.0/ErrorReporting (and
> attributed).
> 
> The only decision I had was whether to handle 404's.  For now I have, as
> it at least hides the stack-trace in production mode.

Pushed and added the new template to the build system. With automake we
are going to have to be a bit more careful about adding new files to the
build system, so just be aware.

Karl



From rcritten at redhat.com  Fri Oct 19 14:56:42 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Oct 2007 10:56:42 -0400
Subject: [Freeipa-devel] [PATCH] require SSL for HTTP requests
Message-ID: <4718C5AA.8010109@redhat.com>

This patch forces SSL for all HTTP-based services. This includes the 
XML-RPC server (so the command-line tools) and the GUI.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-307-ssl.patch
Type: text/x-patch
Size: 3571 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/060cc750/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/060cc750/attachment-0001.bin>

From rcritten at redhat.com  Fri Oct 19 14:58:33 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Oct 2007 10:58:33 -0400
Subject: [Freeipa-devel] [PATCH] require SSL for HTTP requests
In-Reply-To: <4718C5AA.8010109@redhat.com>
References: <4718C5AA.8010109@redhat.com>
Message-ID: <4718C619.3030102@redhat.com>

Rob Crittenden wrote:
> This patch forces SSL for all HTTP-based services. This includes the 
> XML-RPC server (so the command-line tools) and the GUI.
> 
> rob

Oh, one other thing, and I'll send out a patch for this in a bit. For 
the GUI to work this requires mod_nss-1.0.7-2 or higher. I fixed a bug 
related to mod_proxy in that version.

This build has been put into the F7 updates channel but hasn't hit the 
mirrors yet. It missed the latest F8 freeze.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/726ac73a/attachment.bin>

From rcritten at redhat.com  Fri Oct 19 15:42:37 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Oct 2007 11:42:37 -0400
Subject: [Freeipa-devel] [PATCH] requires for SSL
Message-ID: <4718D06D.3070701@redhat.com>

Need to require mod_nss 1.0.7-2 or higher for the GUI to work.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-309-mod_nss.patch
Type: text/x-patch
Size: 3059 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/0964e407/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/0964e407/attachment-0001.bin>

From kmccarth at redhat.com  Fri Oct 19 16:01:42 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Fri, 19 Oct 2007 09:01:42 -0700
Subject: [Freeipa-devel] [PATCH] add validation message to top
Message-ID: <20071019160141.GA14360@moon.usersys.redhat.com>

Add a message to the top of the page when there are validation errors.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192809580 25200
# Node ID ced99337e0e07aa24ae1ac31d6cf3125d74511c7
# Parent  508a76cb47774438125c4861e5d9dac599266fc3
Add a flash message to the top of the page when there are validation errors.

diff -r 508a76cb4777 -r ced99337e0e0 ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py	Fri Oct 19 08:34:45 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py	Fri Oct 19 08:59:40 2007 -0700
@@ -57,6 +57,8 @@ class DelegationController(IPAController
 
         tg_errors, kw = self.delegatevalidate(**kw)
         if tg_errors:
+            turbogears.flash("There were validation errors.<br/>" +
+                             "Please see the messages below for details.")
             return dict(form=delegate_form, delegate=kw,
                     tg_template='ipagui.templates.delegatenew')
 
@@ -85,7 +87,8 @@ class DelegationController(IPAController
     def edit(self, acistr, tg_errors=None):
         """Display delegate page"""
         if tg_errors:
-            turbogears.flash("There was a problem with the form!")
+            turbogears.flash("There were validation errors.<br/>" +
+                             "Please see the messages below for details.")
 
         client = self.get_ipaclient()
 
@@ -119,6 +122,8 @@ class DelegationController(IPAController
 
         tg_errors, kw = self.delegatevalidate(**kw)
         if tg_errors:
+            turbogears.flash("There were validation errors.<br/>" +
+                             "Please see the messages below for details.")
             return dict(form=delegate_form, delegate=kw,
                     tg_template='ipagui.templates.delegatenew')
 
diff -r 508a76cb4777 -r ced99337e0e0 ipa-server/ipa-gui/ipagui/subcontrollers/group.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py	Fri Oct 19 08:34:45 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py	Fri Oct 19 08:59:40 2007 -0700
@@ -41,7 +41,8 @@ class GroupController(IPAController):
     def new(self, tg_errors=None):
         """Displays the new group form"""
         if tg_errors:
-            turbogears.flash("There was a problem with the form!")
+            turbogears.flash("There were validation errors.<br/>" +
+                             "Please see the messages below for details.")
 
         client = self.get_ipaclient()
 
@@ -60,6 +61,8 @@ class GroupController(IPAController):
 
         tg_errors, kw = self.groupcreatevalidate(**kw)
         if tg_errors:
+            turbogears.flash("There were validation errors.<br/>" +
+                             "Please see the messages below for details.")
             return dict(form=group_new_form, group=kw,
                     tg_template='ipagui.templates.groupnew')
 
@@ -167,7 +170,8 @@ class GroupController(IPAController):
     def edit(self, cn, tg_errors=None):
         """Displays the edit group form"""
         if tg_errors:
-            turbogears.flash("There was a problem with the form!")
+            turbogears.flash("There were validation errors.<br/>" +
+                             "Please see the messages below for details.")
 
         client = self.get_ipaclient()
 
@@ -227,6 +231,8 @@ class GroupController(IPAController):
 
         tg_errors, kw = self.groupupdatevalidate(**kw)
         if tg_errors:
+            turbogears.flash("There were validation errors.<br/>" +
+                             "Please see the messages below for details.")
             return dict(form=group_edit_form, group=kw, members=member_dicts,
                         tg_template='ipagui.templates.groupedit')
 
diff -r 508a76cb4777 -r ced99337e0e0 ipa-server/ipa-gui/ipagui/subcontrollers/user.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py	Fri Oct 19 08:34:45 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py	Fri Oct 19 08:59:40 2007 -0700
@@ -41,7 +41,8 @@ class UserController(IPAController):
     def new(self, tg_errors=None):
         """Displays the new user form"""
         if tg_errors:
-            turbogears.flash("There was a problem with the form!")
+            turbogears.flash("There were validation errors.<br/>" +
+                             "Please see the messages below for details.")
 
         return dict(form=user_new_form, user={})
 
@@ -58,6 +59,8 @@ class UserController(IPAController):
 
         tg_errors, kw = self.usercreatevalidate(**kw)
         if tg_errors:
+            turbogears.flash("There were validation errors.<br/>" +
+                             "Please see the messages below for details.")
             return dict(form=user_new_form, user=kw,
                     tg_template='ipagui.templates.usernew')
 
@@ -196,7 +199,8 @@ class UserController(IPAController):
     def edit(self, uid, tg_errors=None):
         """Displays the edit user form"""
         if tg_errors:
-            turbogears.flash("There was a problem with the form!")
+            turbogears.flash("There were validation errors.<br/>" +
+                             "Please see the messages below for details.")
 
         client = self.get_ipaclient()
 
@@ -239,6 +243,8 @@ class UserController(IPAController):
 
         tg_errors, kw = self.userupdatevalidate(**kw)
         if tg_errors:
+            turbogears.flash("There were validation errors.<br/>" +
+                             "Please see the messages below for details.")
             return dict(form=user_edit_form, user=kw,
                         user_groups=user_groups_dicts,
                         tg_template='ipagui.templates.useredit')
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/bf92b922/attachment.bin>

From rcritten at redhat.com  Fri Oct 19 16:06:49 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Oct 2007 12:06:49 -0400
Subject: [Freeipa-devel] [PATCH] add validation message to top
In-Reply-To: <20071019160141.GA14360@moon.usersys.redhat.com>
References: <20071019160141.GA14360@moon.usersys.redhat.com>
Message-ID: <4718D619.5040501@redhat.com>

Kevin McCarthy wrote:
> Add a message to the top of the page when there are validation errors.
> 
> -Kevin
> 

Looks good.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/170d6067/attachment.bin>

From kmccarth at redhat.com  Fri Oct 19 16:10:45 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Fri, 19 Oct 2007 09:10:45 -0700
Subject: [Freeipa-devel] [PATCH] add validation message to top
In-Reply-To: <4718D619.5040501@redhat.com>
References: <20071019160141.GA14360@moon.usersys.redhat.com>
	<4718D619.5040501@redhat.com>
Message-ID: <20071019161043.GB14360@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> Add a message to the top of the page when there are validation errors.
>> -Kevin
>
> Looks good.

pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/bbf352fb/attachment.bin>

From kmccarth at redhat.com  Fri Oct 19 16:21:34 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Fri, 19 Oct 2007 09:21:34 -0700
Subject: [Freeipa-devel] [PATCH] minor HTML validation fixes
Message-ID: <20071019162134.GC14360@moon.usersys.redhat.com>

Fix some HTML validation errors.  Move room number into address section.

Going to be doing some bigger stuff on these pages, so thought I'd
separate this patch out.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192810731 25200
# Node ID fd6a79faf029e6c79ac618a523302360030f2aa3
# Parent  0827981e8e19135e341c7169041325d23964b244
Fix HTML errors on empty fields.  Move roomnumber to address section.

diff -r 0827981e8e19 -r fd6a79faf029 ipa-server/ipa-gui/ipagui/templates/usereditform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usereditform.kid	Fri Oct 19 09:11:28 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usereditform.kid	Fri Oct 19 09:18:51 2007 -0700
@@ -415,6 +415,18 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
+          <label class="fieldlabel" for="${user.roomnumber.field_id}"
+            py:content="user.roomnumber.label" />:
+        </th>
+        <td>
+          <span py:replace="user.roomnumber.display(value_for(user.roomnumber))" />
+          <span py:if="tg.errors.get('roomnumber')" class="fielderror"
+              py:content="tg.errors.get('roomnumber')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
           <label class="fieldlabel" for="${user.l.field_id}"
             py:content="user.l.label" />:
         </th>
@@ -507,18 +519,6 @@ from ipagui.helpers import ipahelper
         </th>
         <td>
            TODO
-        </td>
-      </tr>
-
-      <tr>
-        <th>
-          <label class="fieldlabel" for="${user.roomnumber.field_id}"
-            py:content="user.roomnumber.label" />:
-        </th>
-        <td>
-          <span py:replace="user.roomnumber.display(value_for(user.roomnumber))" />
-          <span py:if="tg.errors.get('roomnumber')" class="fielderror"
-              py:content="tg.errors.get('roomnumber')" />
         </td>
       </tr>
 
diff -r 0827981e8e19 -r fd6a79faf029 ipa-server/ipa-gui/ipagui/templates/usernewform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usernewform.kid	Fri Oct 19 09:11:28 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usernewform.kid	Fri Oct 19 09:18:51 2007 -0700
@@ -403,6 +403,18 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
+          <label class="fieldlabel" for="${user.roomnumber.field_id}"
+            py:content="user.roomnumber.label" />:
+        </th>
+        <td>
+          <span py:replace="user.roomnumber.display(value_for(user.roomnumber))" />
+          <span py:if="tg.errors.get('roomnumber')" class="fielderror"
+              py:content="tg.errors.get('roomnumber')" />
+        </td>
+      </tr>
+
+      <tr>
+        <th>
           <label class="fieldlabel" for="${user.l.field_id}"
             py:content="user.l.label" />:
         </th>
@@ -495,18 +507,6 @@ from ipagui.helpers import ipahelper
         </th>
         <td>
            TODO
-        </td>
-      </tr>
-
-      <tr>
-        <th>
-          <label class="fieldlabel" for="${user.roomnumber.field_id}"
-            py:content="user.roomnumber.label" />:
-        </th>
-        <td>
-          <span py:replace="user.roomnumber.display(value_for(user.roomnumber))" />
-          <span py:if="tg.errors.get('roomnumber')" class="fielderror"
-              py:content="tg.errors.get('roomnumber')" />
         </td>
       </tr>
 
diff -r 0827981e8e19 -r fd6a79faf029 ipa-server/ipa-gui/ipagui/templates/usershow.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usershow.kid	Fri Oct 19 09:11:28 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usershow.kid	Fri Oct 19 09:18:51 2007 -0700
@@ -125,7 +125,8 @@ else:
           <th>
             <label class="fieldlabel" py:content="fields.mail.label" />:
           </th>
-          <td><a href="mailto:${user.get('mail')}">${user.get("mail")}</a></td>
+          <td><a py:if="user.get('mail')"
+                 href="mailto:${user.get('mail')}">${user.get("mail")}</a></td>
         </tr>
         <tr>
           <th>
@@ -166,6 +167,12 @@ else:
             <label class="fieldlabel" py:content="fields.street.label" />:
           </th>
           <td>${user.get("street")}</td>
+        </tr>
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.roomnumber.label" />:
+          </th>
+          <td>${user.get("roomnumber")}</td>
         </tr>
         <tr>
           <th>
@@ -224,12 +231,6 @@ else:
         </tr>
         <tr>
           <th>
-            <label class="fieldlabel" py:content="fields.roomnumber.label" />:
-          </th>
-          <td>${user.get("roomnumber")}</td>
-        </tr>
-        <tr>
-          <th>
             <label class="fieldlabel" py:content="fields.secretary.label" />:
           </th>
           <td>TODO</td>
@@ -249,13 +250,14 @@ else:
             <label class="fieldlabel" py:content="fields.labeleduri.label" />:
           </th>
           <td>
-            <a href="${user.get('labeleduri')}">${user.get('labeleduri')}</a>
+            <a py:if="user.get('labeleduri')"
+               href="${user.get('labeleduri')}">${user.get('labeleduri')}</a>
           </td>
         </tr>
     </table>
 
     <div class="formsection" py:if='len(user_reports) &gt; 0'>Direct Reports</div>
-    <ol>
+    <ol py:if="len(user_reports) &gt; 0">
       <li py:for="report in user_reports">
         <a href="${tg.url('/user/show', uid=report.uid)}"
           >${report.givenname} ${report.sn}</a>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/9de6bcea/attachment.bin>

From rcritten at redhat.com  Fri Oct 19 16:28:09 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Oct 2007 12:28:09 -0400
Subject: [Freeipa-devel] [PATCH] minor HTML validation fixes
In-Reply-To: <20071019162134.GC14360@moon.usersys.redhat.com>
References: <20071019162134.GC14360@moon.usersys.redhat.com>
Message-ID: <4718DB19.2050405@redhat.com>

Kevin McCarthy wrote:
> Fix some HTML validation errors.  Move room number into address section.
> 
> Going to be doing some bigger stuff on these pages, so thought I'd
> separate this patch out.
> 
> -Kevin

ack

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/1b44cb15/attachment.bin>

From kmccarth at redhat.com  Fri Oct 19 16:48:10 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Fri, 19 Oct 2007 09:48:10 -0700
Subject: [Freeipa-devel] [PATCH] minor HTML validation fixes
In-Reply-To: <4718DB19.2050405@redhat.com>
References: <20071019162134.GC14360@moon.usersys.redhat.com>
	<4718DB19.2050405@redhat.com>
Message-ID: <20071019164810.GE14360@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> Fix some HTML validation errors.  Move room number into address section.
>> Going to be doing some bigger stuff on these pages, so thought I'd
>> separate this patch out.
>> -Kevin
>
> ack

pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/6b512202/attachment.bin>

From kmacmill at redhat.com  Fri Oct 19 17:28:25 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Fri, 19 Oct 2007 13:28:25 -0400
Subject: [Freeipa-devel] [PATCH] stop using uuid in DS instance names
Message-ID: <1192814905.2880.1.camel@laptop.local>

The use of a uuid for the DS instance name is overkill and it is a real
pain. This patch will use ipa-realm-name instead (resulting in something
like slapd-ipa-EXAMPLE.COM).

Karl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: no-uuid.patch
Type: text/x-patch
Size: 1390 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/d584a732/attachment.bin>

From rmeggins at redhat.com  Fri Oct 19 17:32:35 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 19 Oct 2007 11:32:35 -0600
Subject: [Freeipa-devel] [PATCH] stop using uuid in DS instance names
In-Reply-To: <1192814905.2880.1.camel@laptop.local>
References: <1192814905.2880.1.camel@laptop.local>
Message-ID: <4718EA33.8090709@redhat.com>

Karl MacMillan wrote:
> The use of a uuid for the DS instance name is overkill and it is a real
> pain. This patch will use ipa-realm-name instead (resulting in something
> like slapd-ipa-EXAMPLE.COM).
>   
That probably won't work either - Fedora DS has problems when there is a 
"." in the instance name - see 
https://bugzilla.redhat.com/show_bug.cgi?id=316831
> Karl
>   
> ------------------------------------------------------------------------
>
> # HG changeset patch
> # User "Karl MacMillan <kmacmill at redhat.com>"
> # Date 1192814547 14400
> # Node ID f0e409c7191ea32e58a39c6ddc4468b08a8ba5e7
> # Parent  61c76c977b20c469a627603b2b90ddafee8342a2
> Remove the use of uuid in the directory server instance name.
>
> diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py
> --- a/ipa-server/ipaserver/dsinstance.py
> +++ b/ipa-server/ipaserver/dsinstance.py
> @@ -34,18 +34,6 @@ def ldap_mod(fd, dn, pwd):
>  def ldap_mod(fd, dn, pwd):
>      args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name]
>      run(args)
> -
> -def generate_serverid():
> -    """Generate a UUID (universally unique identifier) suitable
> -    for use as a unique identifier for a DS instance.
> -    """
> -    try:
> -        import uuid
> -        id = str(uuid.uuid1())
> -    except ImportError:
> -        import commands
> -        id = commands.getoutput("/usr/bin/uuidgen")
> -    return id
>  
>  def realm_to_suffix(realm_name):
>      s = realm_name.split(".")
> @@ -82,7 +70,7 @@ class DsInstance:
>  
>      def create_instance(self, ds_user, realm_name, host_name, dm_password):
>          self.ds_user = ds_user
> -        self.serverid = generate_serverid()
> +        self.serverid = "ipa-" + realm_name
>          self.realm_name = realm_name.upper()
>          self.suffix = realm_to_suffix(self.realm_name)
>          self.host_name = host_name
>   
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/e0bf89a4/attachment.bin>

From ssorce at redhat.com  Fri Oct 19 17:32:50 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 19 Oct 2007 13:32:50 -0400
Subject: [Freeipa-devel] Root accountability in a cluster
In-Reply-To: <1192745937.28947.50.camel@localhost.localdomain>
References: <1192745937.28947.50.camel@localhost.localdomain>
Message-ID: <1192815170.3167.125.camel@localhost.localdomain>

Mathew,
there are a few ways to address this problem.

It is indeed correct that if you escalate privileges locally with sudo
you can't bring this around. I won't go in details but it would be very
difficult to do.

But there are other ways to do it.

1. a way can be for you to simply kinit to a root at BLAH principal that is
mapped to root, this will give you access as root to all machines. This
is not  convenient of course as it would reveal the root password.

2. make a sudo configuration that does not require a password for the
commands you need, this will work on all machines (provided they have
the same sudo config) and not requiring a password will just work. The
only caveat is that you have to call all commands you need via sudo.

3. add another auth layer to that bu limiting passwordless duo to
specific accounts, a kinit to xyzadmin at REALM will give you access to all
machines as xyzadmin and sudo will allow only him to issue passwordless
privileged commands.

3.1. #3 has the same caveat as 2, but if you are truly *evil* you can
"alias" the needed commands so that doing something like chkconfig will
actually result in "sudo chkconfig". This will be relatively harmless as
the account used is for "admin operations only".


Of course if you need to operate on localhost you can still do all this
and then just ssh localhost (the kerberos ticket will allow you
passwordless access to localhost as well).

Is there a scenario you have in mind where any of these would still not
be optimal ?

Simo.

On Thu, 2007-10-18 at 23:18 +0100, Matthew Booth wrote:
> If I want the actions of a root user to be accountable, I can insist
> that users log on as themselves and then use, eg, sudo to escalate their
> privileges. If I want to run a command as root on a cluster, though,
> this appears to fall down. I can implement kerberos authentication for
> the cluster so that I can seamlessly hop from machine to machine without
> reauthenticating. However, I cannot transfer my escalated privileges in
> a similar manner, without doing something like running sudo on every
> target node.
> 
> Is the following feasible:
> * SSH to root at foo.example.com
> * Present credentials for mbooth at EXAMPLE.COM
> * mbooth at EXAMPLE.COM is on an allowed list for root
> * I am logged in directly as root
> * My audit context is mbooth
> 
> I think all but the last step is probably possible, but I'm not sure of
> that. Is it possible? Is it sane? Is anybody working on it?
> 
> Thanks,
> 
> Matt
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel



From ssorce at redhat.com  Fri Oct 19 17:48:31 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 19 Oct 2007 13:48:31 -0400
Subject: [Freeipa-devel] [PATCH] stop using uuid in DS instance names
In-Reply-To: <4718EA33.8090709@redhat.com>
References: <1192814905.2880.1.camel@laptop.local>
	<4718EA33.8090709@redhat.com>
Message-ID: <1192816111.3167.132.camel@localhost.localdomain>

On Fri, 2007-10-19 at 11:32 -0600, Richard Megginson wrote:
> Karl MacMillan wrote:
> > The use of a uuid for the DS instance name is overkill and it is a
> real
> > pain. This patch will use ipa-realm-name instead (resulting in
> something
> > like slapd-ipa-EXAMPLE.COM).
> >   
> That probably won't work either - Fedora DS has problems when there is
> a 
> "." in the instance name - see 
> https://bugzilla.redhat.com/show_bug.cgi?id=316831 

I am aware of this, I guess we can use '-' ?

Is something like: slapd-EXAMPLE-COM a good name ?

Karl, we do not need to put an extra -ipa- in there IMO.

Simo.



From rmeggins at redhat.com  Fri Oct 19 17:53:07 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 19 Oct 2007 11:53:07 -0600
Subject: [Freeipa-devel] [PATCH] stop using uuid in DS instance names
In-Reply-To: <1192816111.3167.132.camel@localhost.localdomain>
References: <1192814905.2880.1.camel@laptop.local>	<4718EA33.8090709@redhat.com>
	<1192816111.3167.132.camel@localhost.localdomain>
Message-ID: <4718EF03.4020309@redhat.com>

Simo Sorce wrote:
> On Fri, 2007-10-19 at 11:32 -0600, Richard Megginson wrote:
>   
>> Karl MacMillan wrote:
>>     
>>> The use of a uuid for the DS instance name is overkill and it is a
>>>       
>> real
>>     
>>> pain. This patch will use ipa-realm-name instead (resulting in
>>>       
>> something
>>     
>>> like slapd-ipa-EXAMPLE.COM).
>>>   
>>>       
>> That probably won't work either - Fedora DS has problems when there is
>> a 
>> "." in the instance name - see 
>> https://bugzilla.redhat.com/show_bug.cgi?id=316831 
>>     
>
> I am aware of this, I guess we can use '-' ?
>
> Is something like: slapd-EXAMPLE-COM a good name ?
>   
Yes, I think so.
> Karl, we do not need to put an extra -ipa- in there IMO.
>
> Simo.
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>   

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/f6dd3bed/attachment.bin>

From kmacmill at redhat.com  Fri Oct 19 18:21:41 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Fri, 19 Oct 2007 14:21:41 -0400
Subject: [Freeipa-devel] [PATCH] Remove the use of uuid in the directory
	server instance name
Message-ID: <82d6225b95a95f399f93.1192818101@laptop.local>

# HG changeset patch
# User "Karl MacMillan <kmacmill at redhat.com>"
# Date 1192818011 14400
# Node ID 82d6225b95a95f399f93141d559beaa9e9b6ab4d
# Parent  61c76c977b20c469a627603b2b90ddafee8342a2
Remove the use of uuid in the directory server instance name.

The use of a uuid for the DS instance name is overkill and it is a real
pain. This patch will use ipa-realm-name instead (resulting in something
like slapd-EXAMPLE-COM). All periods are converted to "-" because the DS
can't handle periods in server ids.

diff -r 61c76c977b20 -r 82d6225b95a9 ipa-server/ipaserver/dsinstance.py
--- a/ipa-server/ipaserver/dsinstance.py	Fri Oct 19 09:18:51 2007 -0700
+++ b/ipa-server/ipaserver/dsinstance.py	Fri Oct 19 14:20:11 2007 -0400
@@ -34,18 +34,6 @@ def ldap_mod(fd, dn, pwd):
 def ldap_mod(fd, dn, pwd):
     args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name]
     run(args)
-
-def generate_serverid():
-    """Generate a UUID (universally unique identifier) suitable
-    for use as a unique identifier for a DS instance.
-    """
-    try:
-        import uuid
-        id = str(uuid.uuid1())
-    except ImportError:
-        import commands
-        id = commands.getoutput("/usr/bin/uuidgen")
-    return id
 
 def realm_to_suffix(realm_name):
     s = realm_name.split(".")
@@ -82,8 +70,8 @@ class DsInstance:
 
     def create_instance(self, ds_user, realm_name, host_name, dm_password):
         self.ds_user = ds_user
-        self.serverid = generate_serverid()
         self.realm_name = realm_name.upper()
+        self.serverid = "-".join(self.realm_name.split("."))
         self.suffix = realm_to_suffix(self.realm_name)
         self.host_name = host_name
         self.dm_password = dm_password



From rcritten at redhat.com  Fri Oct 19 18:43:46 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Oct 2007 14:43:46 -0400
Subject: [Freeipa-devel] [PATCH] Remove the use of uuid in the directory
	server instance name
In-Reply-To: <82d6225b95a95f399f93.1192818101@laptop.local>
References: <82d6225b95a95f399f93.1192818101@laptop.local>
Message-ID: <4718FAE2.3060200@redhat.com>

Karl MacMillan wrote:
> # HG changeset patch
> # User "Karl MacMillan <kmacmill at redhat.com>"
> # Date 1192818011 14400
> # Node ID 82d6225b95a95f399f93141d559beaa9e9b6ab4d
> # Parent  61c76c977b20c469a627603b2b90ddafee8342a2
> Remove the use of uuid in the directory server instance name.
> 
> The use of a uuid for the DS instance name is overkill and it is a real
> pain. This patch will use ipa-realm-name instead (resulting in something
> like slapd-EXAMPLE-COM). All periods are converted to "-" because the DS
> can't handle periods in server ids.
> 

Looks good.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/6e701872/attachment.bin>

From kmacmill at redhat.com  Fri Oct 19 18:56:37 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Fri, 19 Oct 2007 14:56:37 -0400
Subject: [Freeipa-devel] [PATCH] Remove the use of uuid in the
	directory server instance name
In-Reply-To: <4718FAE2.3060200@redhat.com>
References: <82d6225b95a95f399f93.1192818101@laptop.local>
	<4718FAE2.3060200@redhat.com>
Message-ID: <1192820198.2880.17.camel@laptop.local>

On Fri, 2007-10-19 at 14:43 -0400, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > # HG changeset patch
> > # User "Karl MacMillan <kmacmill at redhat.com>"
> > # Date 1192818011 14400
> > # Node ID 82d6225b95a95f399f93141d559beaa9e9b6ab4d
> > # Parent  61c76c977b20c469a627603b2b90ddafee8342a2
> > Remove the use of uuid in the directory server instance name.
> > 
> > The use of a uuid for the DS instance name is overkill and it is a real
> > pain. This patch will use ipa-realm-name instead (resulting in something
> > like slapd-EXAMPLE-COM). All periods are converted to "-" because the DS
> > can't handle periods in server ids.
> > 
> 
> Looks good.
> 

Pushed.

Karl



From kmacmill at redhat.com  Fri Oct 19 19:02:36 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Fri, 19 Oct 2007 15:02:36 -0400
Subject: [Freeipa-devel] [PATCH] Remove dependency between ipa-pyton and
	ipa-server
Message-ID: <516a862e61b99d456862.1192820556@laptop.local>

# HG changeset patch
# User "Karl MacMillan <kmacmill at redhat.com>"
# Date 1192820498 14400
# Node ID 516a862e61b99d4568620b1c3f446f3778ec5f4a
# Parent  82d6225b95a95f399f93141d559beaa9e9b6ab4d
Remove dependency between ipa-pyton and ipa-server

Current ipa-python imports and calls code from ipaserver (which is in
the ipa-server package). This makes it impossible to use the admin
tools or the ipa-python package on a system without the server bits
installed. This fixes that in a fairly minimal way.

diff -r 82d6225b95a9 -r 516a862e61b9 ipa-python/ipaclient.py
--- a/ipa-python/ipaclient.py	Fri Oct 19 14:20:11 2007 -0400
+++ b/ipa-python/ipaclient.py	Fri Oct 19 15:01:38 2007 -0400
@@ -20,10 +20,7 @@
 #!/usr/bin/python
 
 import sys
-if "/usr/share/ipa" not in sys.path:
-    sys.path.append("/usr/share/ipa")
-
-from ipaserver import funcs
+
 import ipa.rpcclient as rpcclient
 import entity
 import user
@@ -33,12 +30,12 @@ import config
 
 class IPAClient:
 
-    def __init__(self,local=None):
-        self.local = local
-        if local:
-            self.transport = funcs.IPAServer()
-            # client needs to call set_principal(user at REALM)
+    def __init__(self,transport=None):
+        if transport:
+            self.local = True
+            self.transport = transport
         else:
+            self.local = False
             self.transport = rpcclient.RPCClient()
 
     def set_principal(self,princ):
diff -r 82d6225b95a9 -r 516a862e61b9 ipa-server/ipa-gui/ipagui/subcontrollers/ipacontroller.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/ipacontroller.py	Fri Oct 19 14:20:11 2007 -0400
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/ipacontroller.py	Fri Oct 19 15:01:38 2007 -0400
@@ -10,6 +10,7 @@ from turbogears import identity
 from turbogears import identity
 
 import ipa.ipaclient
+from ipaserver import funcs
 import ipa.config
 
 log = logging.getLogger(__name__)
@@ -23,7 +24,8 @@ class IPAController(controllers.Controll
             raise turbogears.redirect("/")
 
     def get_ipaclient(self):
-        client = ipa.ipaclient.IPAClient(True)
+        transport = funcs.IPAServer()
+        client = ipa.ipaclient.IPAClient(transport)
         client.set_krbccache(os.environ["KRB5CCNAME"])
         return client
 



From kmacmill at redhat.com  Fri Oct 19 19:19:44 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Fri, 19 Oct 2007 15:19:44 -0400
Subject: [Freeipa-devel] [PATCH] requires for SSL
In-Reply-To: <4718D06D.3070701@redhat.com>
References: <4718D06D.3070701@redhat.com>
Message-ID: <1192821585.2880.19.camel@laptop.local>

On Fri, 2007-10-19 at 11:42 -0400, Rob Crittenden wrote:
> Need to require mod_nss 1.0.7-2 or higher for the GUI to work.
> 
> rob

Looks good.



From kmacmill at redhat.com  Fri Oct 19 19:22:39 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Fri, 19 Oct 2007 15:22:39 -0400
Subject: [Freeipa-devel] [PATCH] require SSL for HTTP requests
In-Reply-To: <4718C5AA.8010109@redhat.com>
References: <4718C5AA.8010109@redhat.com>
Message-ID: <1192821759.2880.21.camel@laptop.local>

On Fri, 2007-10-19 at 10:56 -0400, Rob Crittenden wrote:
> This patch forces SSL for all HTTP-based services. This includes the 
> XML-RPC server (so the command-line tools) and the GUI.
> 
> rob

Looks good to me.



From rcritten at redhat.com  Fri Oct 19 19:28:06 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Oct 2007 15:28:06 -0400
Subject: [Freeipa-devel] [PATCH] Remove dependency between ipa-pyton and
	ipa-server
In-Reply-To: <516a862e61b99d456862.1192820556@laptop.local>
References: <516a862e61b99d456862.1192820556@laptop.local>
Message-ID: <47190546.8020805@redhat.com>

Karl MacMillan wrote:
> # HG changeset patch
> # User "Karl MacMillan <kmacmill at redhat.com>"
> # Date 1192820498 14400
> # Node ID 516a862e61b99d4568620b1c3f446f3778ec5f4a
> # Parent  82d6225b95a95f399f93141d559beaa9e9b6ab4d
> Remove dependency between ipa-pyton and ipa-server
> 
> Current ipa-python imports and calls code from ipaserver (which is in
> the ipa-server package). This makes it impossible to use the admin
> tools or the ipa-python package on a system without the server bits
> installed. This fixes that in a fairly minimal way.

Looks good.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/555a7e7e/attachment.bin>

From rcritten at redhat.com  Fri Oct 19 19:34:45 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Oct 2007 15:34:45 -0400
Subject: [Freeipa-devel] [PATCH] requires for SSL
In-Reply-To: <1192821585.2880.19.camel@laptop.local>
References: <4718D06D.3070701@redhat.com>
	<1192821585.2880.19.camel@laptop.local>
Message-ID: <471906D5.5090309@redhat.com>

Karl MacMillan wrote:
> On Fri, 2007-10-19 at 11:42 -0400, Rob Crittenden wrote:
>> Need to require mod_nss 1.0.7-2 or higher for the GUI to work.
>>
>> rob
> 
> Looks good.
> 

Pushed

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/f262a8de/attachment.bin>

From rcritten at redhat.com  Fri Oct 19 19:34:52 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Oct 2007 15:34:52 -0400
Subject: [Freeipa-devel] [PATCH] require SSL for HTTP requests
In-Reply-To: <1192821759.2880.21.camel@laptop.local>
References: <4718C5AA.8010109@redhat.com>
	<1192821759.2880.21.camel@laptop.local>
Message-ID: <471906DC.7020909@redhat.com>

Karl MacMillan wrote:
> On Fri, 2007-10-19 at 10:56 -0400, Rob Crittenden wrote:
>> This patch forces SSL for all HTTP-based services. This includes the 
>> XML-RPC server (so the command-line tools) and the GUI.
>>
>> rob
> 
> Looks good to me.
> 

Pushed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/4a2a2776/attachment.bin>

From kmccarth at redhat.com  Fri Oct 19 20:39:18 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Fri, 19 Oct 2007 13:39:18 -0700
Subject: [Freeipa-devel] [PATCH] Remove dependency between ipa-pyton
	and ipa-server
In-Reply-To: <516a862e61b99d456862.1192820556@laptop.local>
References: <516a862e61b99d456862.1192820556@laptop.local>
Message-ID: <20071019203917.GF14360@moon.usersys.redhat.com>

Karl MacMillan wrote:
> # HG changeset patch
> # User "Karl MacMillan <kmacmill at redhat.com>"
> # Date 1192820498 14400
> # Node ID 516a862e61b99d4568620b1c3f446f3778ec5f4a
> # Parent  82d6225b95a95f399f93141d559beaa9e9b6ab4d
> Remove dependency between ipa-pyton and ipa-server
> 
> Current ipa-python imports and calls code from ipaserver (which is in
> the ipa-server package). This makes it impossible to use the admin
> tools or the ipa-python package on a system without the server bits
> installed. This fixes that in a fairly minimal way.


Okay, just be prepared for the perf hit.  So far I've been running it in
local mode.

-Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/4ee15900/attachment.bin>

From kmacmill at redhat.com  Fri Oct 19 20:49:43 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Fri, 19 Oct 2007 16:49:43 -0400
Subject: [Freeipa-devel] [PATCH] Remove dependency between ipa-pyton
	and ipa-server
In-Reply-To: <20071019203917.GF14360@moon.usersys.redhat.com>
References: <516a862e61b99d456862.1192820556@laptop.local>
	<20071019203917.GF14360@moon.usersys.redhat.com>
Message-ID: <1192826984.2880.29.camel@laptop.local>

On Fri, 2007-10-19 at 13:39 -0700, Kevin McCarthy wrote:
> Karl MacMillan wrote:
> > # HG changeset patch
> > # User "Karl MacMillan <kmacmill at redhat.com>"
> > # Date 1192820498 14400
> > # Node ID 516a862e61b99d4568620b1c3f446f3778ec5f4a
> > # Parent  82d6225b95a95f399f93141d559beaa9e9b6ab4d
> > Remove dependency between ipa-pyton and ipa-server
> > 
> > Current ipa-python imports and calls code from ipaserver (which is in
> > the ipa-server package). This makes it impossible to use the admin
> > tools or the ipa-python package on a system without the server bits
> > installed. This fixes that in a fairly minimal way.
> 
> 
> Okay, just be prepared for the perf hit.  So far I've been running it in
> local mode.
> 

Perf hit? This doesn't force the web gui through xml-rpc, it just
changes how the dependencies work (the gui creates the right transport
object and passes it in rather than ipa-python doing that).

Karl



From kmccarth at redhat.com  Fri Oct 19 21:01:58 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Fri, 19 Oct 2007 14:01:58 -0700
Subject: [Freeipa-devel] [PATCH] Remove dependency between ipa-pyton
	and ipa-server
In-Reply-To: <1192826984.2880.29.camel@laptop.local>
References: <516a862e61b99d456862.1192820556@laptop.local>
	<20071019203917.GF14360@moon.usersys.redhat.com>
	<1192826984.2880.29.camel@laptop.local>
Message-ID: <20071019210158.GG14360@moon.usersys.redhat.com>

Karl MacMillan wrote:
> On Fri, 2007-10-19 at 13:39 -0700, Kevin McCarthy wrote:
> > Karl MacMillan wrote:
> > > # HG changeset patch
> > > # User "Karl MacMillan <kmacmill at redhat.com>"
> > > # Date 1192820498 14400
> > > # Node ID 516a862e61b99d4568620b1c3f446f3778ec5f4a
> > > # Parent  82d6225b95a95f399f93141d559beaa9e9b6ab4d
> > > Remove dependency between ipa-pyton and ipa-server
> > > 
> > > Current ipa-python imports and calls code from ipaserver (which is in
> > > the ipa-server package). This makes it impossible to use the admin
> > > tools or the ipa-python package on a system without the server bits
> > > installed. This fixes that in a fairly minimal way.
> > 
> > 
> > Okay, just be prepared for the perf hit.  So far I've been running it in
> > local mode.
> > 
> 
> Perf hit? This doesn't force the web gui through xml-rpc, it just
> changes how the dependencies work (the gui creates the right transport
> object and passes it in rather than ipa-python doing that).

Doh... sorry (and happy too).

Thanks for not taking away the local transport.  :-)

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/fa3449a4/attachment.bin>

From mbooth at redhat.com  Fri Oct 19 21:27:03 2007
From: mbooth at redhat.com (Matthew Booth)
Date: Fri, 19 Oct 2007 22:27:03 +0100
Subject: [Freeipa-devel] Root accountability in a cluster
In-Reply-To: <1192815170.3167.125.camel@localhost.localdomain>
References: <1192745937.28947.50.camel@localhost.localdomain>
	<1192815170.3167.125.camel@localhost.localdomain>
Message-ID: <1192829223.5300.6.camel@localhost.localdomain>

On Fri, 2007-10-19 at 13:32 -0400, Simo Sorce wrote:
> Mathew,
> there are a few ways to address this problem.
> 
> It is indeed correct that if you escalate privileges locally with sudo
> you can't bring this around. I won't go in details but it would be very
> difficult to do.
> 
> But there are other ways to do it.
> 
> 1. a way can be for you to simply kinit to a root at BLAH principal that is
> mapped to root, this will give you access as root to all machines. This
> is not  convenient of course as it would reveal the root password.
> 
> 2. make a sudo configuration that does not require a password for the
> commands you need, this will work on all machines (provided they have
> the same sudo config) and not requiring a password will just work. The
> only caveat is that you have to call all commands you need via sudo.
> 
> 3. add another auth layer to that bu limiting passwordless duo to
> specific accounts, a kinit to xyzadmin at REALM will give you access to all
> machines as xyzadmin and sudo will allow only him to issue passwordless
> privileged commands.
> 
> 3.1. #3 has the same caveat as 2, but if you are truly *evil* you can
> "alias" the needed commands so that doing something like chkconfig will
> actually result in "sudo chkconfig". This will be relatively harmless as
> the account used is for "admin operations only".
> 
> 
> Of course if you need to operate on localhost you can still do all this
> and then just ssh localhost (the kerberos ticket will allow you
> passwordless access to localhost as well).
> 
> Is there a scenario you have in mind where any of these would still not
> be optimal ?

I was looking for unconfined root on all servers. Allowing passwordless
sudo execution of any command would work, but would be extremely ugly.
I'd like to keep it as a fallback.

I was hoping that auth_to_local (man krb5.conf) might be of use to me. I
haven't tried this out, but I got the impression I could map
mbooth at EXAMPLE.COM to root. Will that work? If so, would it still be
feasible to set an audit context representing mbooth at EXAMPLE.COM ?

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/c60e0927/attachment.sig>

From kmccarth at redhat.com  Fri Oct 19 22:26:57 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Fri, 19 Oct 2007 15:26:57 -0700
Subject: [Freeipa-devel] [PATCH] manager and secretary editing
Message-ID: <20071019222657.GH14360@moon.usersys.redhat.com>

Add add/edit/show for manager and secretary fields.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1192832368 25200
# Node ID 232eee38d96b0e5ac507b491a150c70319279b05
# Parent  fd6a79faf029e6c79ac618a523302360030f2aa3
Add add/edit/show for manager and secretary fields.

diff -r fd6a79faf029 -r 232eee38d96b ipa-server/ipa-gui/ipagui/forms/user.py
--- a/ipa-server/ipa-gui/ipagui/forms/user.py	Fri Oct 19 09:18:51 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/forms/user.py	Fri Oct 19 15:19:28 2007 -0700
@@ -36,9 +36,11 @@ class UserFields():
     businesscategory = widgets.TextField(name="businesscategory", label="Tags")
     description = widgets.TextField(name="description", label="Description")
     employeetype = widgets.TextField(name="employeetype", label="Employee Type")
-    manager = widgets.TextField(name="manager", label="Manager")
+    manager = widgets.HiddenField(name="manager", label="Manager")
+    manager_cn = widgets.HiddenField(name="manager_cn", label="Manager")
     roomnumber = widgets.TextField(name="roomnumber", label="Room Number")
-    secretary = widgets.TextField(name="secretary", label="Secretary")
+    secretary = widgets.HiddenField(name="secretary", label="Secretary")
+    secretary_cn = widgets.HiddenField(name="secretary_cn", label="Manager")
 
     carlicense = widgets.TextField(name="carlicense", label="Car License")
     labeleduri = widgets.TextField(name="labeleduri", label="Home Page")
@@ -75,6 +77,10 @@ class UserNewForm(widgets.Form):
 
     hidden_fields = [
       UserFields.dn_to_info_json,
+      UserFields.manager,
+      UserFields.manager_cn,
+      UserFields.secretary,
+      UserFields.secretary_cn,
     ]
 
     validator = UserNewValidator()
@@ -114,6 +120,10 @@ class UserEditForm(widgets.Form):
       UserFields.editprotected_hidden,
       UserFields.user_groups_data,
       UserFields.dn_to_info_json,
+      UserFields.manager,
+      UserFields.manager_cn,
+      UserFields.secretary,
+      UserFields.secretary_cn,
     ]
 
     validator = UserEditValidator()
diff -r fd6a79faf029 -r 232eee38d96b ipa-server/ipa-gui/ipagui/static/javascript/Makefile.am
--- a/ipa-server/ipa-gui/ipagui/static/javascript/Makefile.am	Fri Oct 19 09:18:51 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/static/javascript/Makefile.am	Fri Oct 19 15:19:28 2007 -0700
@@ -3,6 +3,7 @@ appdir = $(IPA_DATA_DIR)/ipagui/static/j
 appdir = $(IPA_DATA_DIR)/ipagui/static/javascript
 app_DATA = 			\
 	dynamicedit.js		\
+	dynamicselect.js	\
 	effects.js		\
 	ipautil.js		\
 	prototype.js		\
diff -r fd6a79faf029 -r 232eee38d96b ipa-server/ipa-gui/ipagui/static/javascript/dynamicselect.js
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-server/ipa-gui/ipagui/static/javascript/dynamicselect.js	Fri Oct 19 15:19:28 2007 -0700
@@ -0,0 +1,53 @@
+/**
+ * dynamicselect.js
+ *
+ * Shared code, data, and functions for the dynamic select lists on the
+ * edit user pages.
+ *
+ */
+
+function enterDoSelectSearch(e, which_select) {
+  var keyPressed;
+  if (window.event) {
+    keyPressed = window.event.keyCode;
+  } else {
+    keyPressed = e.which; 
+  }
+
+  if (keyPressed == 13) {
+    return doSelectSearch(which_select);
+  } else {
+    return true;
+  }
+}
+
+function startSelect(which_select) {
+  new Effect.Appear($(which_select + '_searcharea'), {duration: 0.25});
+  new Effect.Fade($(which_select + '_links'), {duration: 0.25});
+  return false;
+}
+
+function doSelect(which_select, select_dn, select_cn) {
+  select_dn_field = $('form_' + which_select);
+  select_cn_field = $('form_' + which_select + '_cn');
+  select_cn_span = $(which_select + '_select_cn');
+
+  select_dn_field.value = select_dn;
+  select_cn_field.value = select_cn;
+  select_cn_span.update(select_cn);
+
+  new Effect.Fade($(which_select + '_searcharea'), {duration: 0.25});
+  new Effect.Appear($(which_select + '_links'), {duration: 0.25});
+}
+
+function clearSelect(which_select) {
+  select_dn_field = $('form_' + which_select);
+  select_cn_field = $('form_' + which_select + '_cn');
+  select_cn_span = $(which_select + '_select_cn');
+
+  select_dn_field.value = '';
+  select_cn_field.value = '';
+  select_cn_span.update('');
+
+  return false;
+}
diff -r fd6a79faf029 -r 232eee38d96b ipa-server/ipa-gui/ipagui/subcontrollers/user.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py	Fri Oct 19 09:18:51 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py	Fri Oct 19 15:19:28 2007 -0700
@@ -97,9 +97,9 @@ class UserController(IPAController):
             new_user.setValue('businesscategory', kw.get('businesscategory'))
             new_user.setValue('description', kw.get('description'))
             new_user.setValue('employeetype', kw.get('employeetype'))
-            # new_user.setValue('manager', kw.get('manager'))
+            new_user.setValue('manager', kw.get('manager'))
             new_user.setValue('roomnumber', kw.get('roomnumber'))
-            # new_user.setValue('secretary', kw.get('secretary'))
+            new_user.setValue('secretary', kw.get('secretary'))
 
             new_user.setValue('carlicense', kw.get('carlicense'))
             new_user.setValue('labeleduri', kw.get('labeleduri'))
@@ -221,11 +221,33 @@ class UserController(IPAController):
             user_dict['user_orig'] = user_data
             user_dict['user_groups_data'] = user_groups_data
 
+            # grab manager and secretary names
+            if user.manager:
+                try:
+                    user_manager = client.get_entry_by_dn(user.manager,
+                        ['givenname', 'sn', 'uid'])
+                    user_dict['manager_cn'] = "%s %s" % (
+                            user_manager.getValue('givenname', ''),
+                            user_manager.getValue('sn', ''))
+                except (ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND),
+                        ipaerror.exception_for(ipaerror.LDAP_DATABASE_ERROR)):
+                    pass
+            if user.secretary:
+                try:
+                    user_secretary = client.get_entry_by_dn(user.secretary,
+                        ['givenname', 'sn', 'uid'])
+                    user_dict['secretary_cn'] = "%s %s" % (
+                            user_secretary.getValue('givenname', ''),
+                            user_secretary.getValue('sn', ''))
+                except (ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND),
+                        ipaerror.exception_for(ipaerror.LDAP_DATABASE_ERROR)):
+                    pass
+
             return dict(form=user_edit_form, user=user_dict,
                     user_groups=user_groups_dicts)
         except ipaerror.IPAError, e:
             turbogears.flash("User edit failed: " + str(e))
-            raise turbogears.redirect('/user/show', uid=kw.get('uid'))
+            raise turbogears.redirect('/user/show', uid=uid)
 
     @expose()
     @identity.require(identity.not_anonymous())
@@ -286,9 +308,9 @@ class UserController(IPAController):
             new_user.setValue('businesscategory', kw.get('businesscategory'))
             new_user.setValue('description', kw.get('description'))
             new_user.setValue('employeetype', kw.get('employeetype'))
-            # new_user.setValue('manager', kw.get('manager'))
+            new_user.setValue('manager', kw.get('manager'))
             new_user.setValue('roomnumber', kw.get('roomnumber'))
-            # new_user.setValue('secretary', kw.get('secretary'))
+            new_user.setValue('secretary', kw.get('secretary'))
 
             new_user.setValue('carlicense', kw.get('carlicense'))
             new_user.setValue('labeleduri', kw.get('labeleduri'))
@@ -421,16 +443,26 @@ class UserController(IPAController):
             user_reports.sort(self.sort_group_member)
 
             user_manager = None
+            user_secretary = None
             try:
                 if user.manager:
                     user_manager = client.get_entry_by_dn(user.manager,
                         ['givenname', 'sn', 'uid'])
-            except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
+            except (ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND),
+                    ipaerror.exception_for(ipaerror.LDAP_DATABASE_ERROR)):
+                pass
+
+            try:
+                if user.secretary:
+                    user_secretary = client.get_entry_by_dn(user.secretary,
+                        ['givenname', 'sn', 'uid'])
+            except (ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND),
+                    ipaerror.exception_for(ipaerror.LDAP_DATABASE_ERROR)):
                 pass
 
             return dict(user=user.toDict(), fields=ipagui.forms.user.UserFields(),
                         user_groups=user_groups, user_reports=user_reports,
-                        user_manager=user_manager)
+                        user_manager=user_manager, user_secretary=user_secretary)
         except ipaerror.IPAError, e:
             turbogears.flash("User show failed: " + str(e))
             raise turbogears.redirect("/")
@@ -534,3 +566,28 @@ class UserController(IPAController):
             return email
 
         return ""
+
+    @expose("ipagui.templates.userselectsearch")
+    @identity.require(identity.not_anonymous())
+    def user_select_search(self, **kw):
+        """Searches for users and displays list of results in a table.
+           This method is used for the ajax search for managers
+           and secrectary on the user pages."""
+        client = self.get_ipaclient()
+
+        users = []
+        users_counter = 0
+        searchlimit = 100
+        criteria = kw.get('criteria')
+        if criteria != None and len(criteria) > 0:
+            try:
+                users = client.find_users(criteria.encode('utf-8'), None,
+                        searchlimit)
+                users_counter = users[0]
+                users = users[1:]
+            except ipaerror.IPAError, e:
+                turbogears.flash("search failed: " + str(e))
+
+        return dict(users=users, criteria=criteria,
+                which_select=kw.get('which_select'),
+                counter=users_counter)
diff -r fd6a79faf029 -r 232eee38d96b ipa-server/ipa-gui/ipagui/templates/Makefile.am
--- a/ipa-server/ipa-gui/ipagui/templates/Makefile.am	Fri Oct 19 09:18:51 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/Makefile.am	Fri Oct 19 15:19:28 2007 -0700
@@ -28,6 +28,7 @@ app_DATA =			\
 	userlist.kid		\
 	usernewform.kid		\
 	usernew.kid		\
+	userselectsearch.kid	\
 	usershow.kid		\
 	welcome.kid		\
 	unhandled_exception.kid \
diff -r fd6a79faf029 -r 232eee38d96b ipa-server/ipa-gui/ipagui/templates/usereditform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usereditform.kid	Fri Oct 19 09:18:51 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usereditform.kid	Fri Oct 19 15:19:28 2007 -0700
@@ -23,8 +23,13 @@ from ipagui.helpers import ipahelper
 
   <script type="text/javascript" charset="utf-8"
     src="${tg.url('/static/javascript/dynamicedit.js')}"></script>
-
-  <?python searchurl = tg.url('/user/edit_search') ?>
+  <script type="text/javascript" charset="utf-8"
+    src="${tg.url('/static/javascript/dynamicselect.js')}"></script>
+
+  <?python 
+  searchurl = tg.url('/user/edit_search')
+  selectSearchurl = tg.url('/user/user_select_search')
+  ?>
 
   <script type="text/javascript">
     function toggleProtectedFields(checkbox) {
@@ -68,6 +73,17 @@ from ipagui.helpers import ipahelper
           info.name + " "));
       }
     }
+
+    function doSelectSearch(which_select) {
+      $(which_select + '_searchresults').update("Searching...");
+      new Ajax.Updater(which_select + '_searchresults',
+          '${selectSearchurl}',
+          {  asynchronous:true,
+             parameters: { criteria: $(which_select + '_criteria').value,
+                           which_select: which_select},
+             evalScripts: true });
+      return false;
+    }
   </script>
 
 
@@ -513,22 +529,60 @@ from ipagui.helpers import ipahelper
       </tr>
 
       <tr>
-        <th>
+        <th valign="top">
           <label class="fieldlabel" for="${user.manager.field_id}"
             py:content="user.manager.label" />:
         </th>
-        <td>
-           TODO
-        </td>
-      </tr>
-
-      <tr>
-        <th>
+        <td valign="top">
+          <div>
+            <span id='manager_select_cn'>${value_for(user.manager_cn)}</span>
+            <span id='manager_links'>
+              <a href="#" onclick="return clearSelect('manager');">clear</a>
+              <a href="#" onclick="return startSelect('manager');">change</a>
+            </span>
+            <span py:if="tg.errors.get('manager')" class="fielderror"
+                py:content="tg.errors.get('manager')" />
+          </div>
+          <div id="manager_searcharea" style="display:none">
+            <div>
+              <input id="manager_criteria" type="text"
+                onkeypress="return enterDoSelectSearch(event, 'manager');" />
+              <input type="button" value="Find"
+                onclick="return doSelectSearch('manager');"
+              />
+            </div>
+            <div id="manager_searchresults">
+            </div>
+          </div>
+        </td>
+      </tr>
+
+      <tr>
+        <th valign="top">
           <label class="fieldlabel" for="${user.secretary.field_id}"
             py:content="user.secretary.label" />:
         </th>
-        <td>
-           TODO
+        <td valign="top">
+          <div>
+            <span id='secretary_select_cn'>${value_for(user.secretary_cn)}</span>
+            <span id='secretary_links'>
+              <a href="#" onclick="return clearSelect('secretary');">clear</a>
+              <a href="#" onclick="return startSelect('secretary');">change</a>
+            </span>
+            <span py:if="tg.errors.get('secretary')" class="fielderror"
+                py:content="tg.errors.get('secretary')" />
+          </div>
+          <div id="secretary_searcharea" style="display:none">
+            <div>
+              <input id="secretary_criteria" type="text"
+                onkeypress="return enterDoSelectSearch(event, 'secretary');" />
+              <input type="button" value="Find"
+                onclick="return doSelectSearch('secretary');"
+              />
+            </div>
+            <div id="secretary_searchresults">
+            </div>
+          </div>
         </td>
       </tr>
     </table>
diff -r fd6a79faf029 -r 232eee38d96b ipa-server/ipa-gui/ipagui/templates/usernewform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usernewform.kid	Fri Oct 19 09:18:51 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usernewform.kid	Fri Oct 19 15:19:28 2007 -0700
@@ -17,8 +17,13 @@ from ipagui.helpers import ipahelper
 
   <script type="text/javascript" charset="utf-8"
     src="${tg.url('/static/javascript/dynamicedit.js')}"></script>
-
-  <?python searchurl = tg.url('/user/edit_search') ?>
+  <script type="text/javascript" charset="utf-8"
+    src="${tg.url('/static/javascript/dynamicselect.js')}"></script>
+
+  <?python 
+  searchurl = tg.url('/user/edit_search')
+  selectSearchurl = tg.url('/user/user_select_search')
+  ?>
 
   <script type="text/javascript">
     function doSearch() {
@@ -38,6 +43,17 @@ from ipagui.helpers import ipahelper
         newdiv.appendChild(document.createTextNode(
           info.name + " "));
       }
+    }
+
+    function doSelectSearch(which_select) {
+      $(which_select + '_searchresults').update("Searching...");
+      new Ajax.Updater(which_select + '_searchresults',
+          '${selectSearchurl}',
+          {  asynchronous:true,
+             parameters: { criteria: $(which_select + '_criteria').value,
+                           which_select: which_select},
+             evalScripts: true });
+      return false;
     }
   </script>
 
@@ -501,12 +517,31 @@ from ipagui.helpers import ipahelper
       </tr>
 
       <tr>
-        <th>
+        <th valign="top">
           <label class="fieldlabel" for="${user.manager.field_id}"
             py:content="user.manager.label" />:
         </th>
-        <td>
-           TODO
+        <td valign="top">
+          <div>
+            <span id='manager_select_cn'>${value_for(user.manager)}</span>
+            <span id='manager_links'>
+              <a href="#" onclick="return clearSelect('manager');">clear</a>
+              <a href="#" onclick="return startSelect('manager');">change</a>
+            </span>
+            <span py:if="tg.errors.get('manager')" class="fielderror"
+                py:content="tg.errors.get('manager')" />
+          </div>
+          <div id="manager_searcharea" style="display:none">
+            <div>
+              <input id="manager_criteria" type="text"
+                onkeypress="return enterDoSelectSearch(event, 'manager');" />
+              <input type="button" value="Find"
+                onclick="return doSelectSearch('manager');"
+              />
+            </div>
+            <div id="manager_searchresults">
+            </div>
+          </div>
         </td>
       </tr>
 
@@ -516,7 +551,26 @@ from ipagui.helpers import ipahelper
             py:content="user.secretary.label" />:
         </th>
         <td>
-           TODO
+          <div>
+            <span id='secretary_select_cn'>${value_for(user.secretary)}</span>
+            <span id='secretary_links'>
+              <a href="#" onclick="return clearSelect('secretary');">clear</a>
+              <a href="#" onclick="return startSelect('secretary');">change</a>
+            </span>
+            <span py:if="tg.errors.get('secretary')" class="fielderror"
+                py:content="tg.errors.get('secretary')" />
+          </div>
+          <div id="secretary_searcharea" style="display:none">
+            <div>
+              <input id="secretary_criteria" type="text"
+                onkeypress="return enterDoSelectSearch(event, 'secretary');" />
+              <input type="button" value="Find"
+                onclick="return doSelectSearch('secretary');"
+              />
+            </div>
+            <div id="secretary_searchresults">
+            </div>
+          </div>
         </td>
       </tr>
     </table>
diff -r fd6a79faf029 -r 232eee38d96b ipa-server/ipa-gui/ipagui/templates/userselectsearch.kid
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-server/ipa-gui/ipagui/templates/userselectsearch.kid	Fri Oct 19 15:19:28 2007 -0700
@@ -0,0 +1,36 @@
+<div xmlns:py="http://purl.org/kid/ns#">
+
+<?python
+from ipagui.helpers import ipahelper
+?>
+  <div py:if='(users != None) and (len(users) > 0)'>
+    <div id="search-results-count">
+      ${len(users)} results returned:
+      <span py:if="counter &lt; 0">
+        (truncated)
+      </span>
+    </div>
+
+    <div py:for="user in users">
+      <?python
+      user_name = "%s %s" % (user.getValue('givenName', ''),
+                             user.getValue('sn', ''))
+      user_descr = "(%s)" % user.uid
+
+      user_dn_esc = ipahelper.javascript_string_escape(user.dn)
+      user_name_esc = ipahelper.javascript_string_escape(user_name)
+      user_descr_esc = ipahelper.javascript_string_escape(user_descr)
+      which_select_esc = ipahelper.javascript_string_escape(which_select)
+      ?>
+
+      ${user_name} ${user_descr}
+      <a href=""
+        onclick="doSelect('${which_select_esc}', '${user_dn_esc}', '${user_name_esc}');
+                return false;"
+      >select</a>
+    </div>
+  </div>
+  <div py:if='(users != None) and (len(users) == 0)'>
+    No results found for "${criteria}"
+  </div>
+</div>
diff -r fd6a79faf029 -r 232eee38d96b ipa-server/ipa-gui/ipagui/templates/usershow.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usershow.kid	Fri Oct 19 09:18:51 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usershow.kid	Fri Oct 19 15:19:28 2007 -0700
@@ -222,18 +222,21 @@ else:
         </tr>
         <tr py:if='user_manager'>
           <th>
-            Manager:
+            <label class="fieldlabel" py:content="fields.manager.label" />:
           </th>
           <td>
             <a href="${tg.url('/user/show', uid=user_manager.uid)}"
               >${user_manager.givenname} ${user_manager.sn}</a>
           </td>
         </tr>
-        <tr>
+        <tr py:if='user_secretary'>
           <th>
             <label class="fieldlabel" py:content="fields.secretary.label" />:
           </th>
-          <td>TODO</td>
+          <td>
+            <a href="${tg.url('/user/show', uid=user_secretary.uid)}"
+              >${user_secretary.givenname} ${user_secretary.sn}</a>
+          </td>
         </tr>
     </table>
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/2c96268d/attachment.bin>

From kmccarth at redhat.com  Fri Oct 19 22:38:16 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Fri, 19 Oct 2007 15:38:16 -0700
Subject: [Freeipa-devel] ping for finish email auto-suggest
Message-ID: <20071019223816.GI14360@moon.usersys.redhat.com>

Just a ping to make sure 'finish email auto-suggest' doesn't get lost in
the backlog of patches.

Thanks,

-Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071019/f1a354e5/attachment.bin>

From kmacmill at redhat.com  Mon Oct 22 13:58:06 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 22 Oct 2007 09:58:06 -0400
Subject: [Freeipa-devel] [PATCH] finish email auto-suggest
In-Reply-To: <20071018213615.GB19844@moon.usersys.redhat.com>
References: <20071018213615.GB19844@moon.usersys.redhat.com>
Message-ID: <1193061486.2898.20.camel@localhost.localdomain>

On Thu, 2007-10-18 at 14:36 -0700, Kevin McCarthy wrote:
> Finish up the email auto-suggest.  Searching w/field specification is a
> ways off, so for now I'm adding an API call.
> 

Pushed. Searching by field is not currently on the list of things to get
done for M5 - should it be? It be nice to get it in.

Karl



From rcritten at redhat.com  Mon Oct 22 14:00:26 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 22 Oct 2007 10:00:26 -0400
Subject: [Freeipa-devel] [PATCH] improve error reporting
	in	ipa-server-install
In-Reply-To: <1192742446.12120.49.camel@localhost.localdomain>
References: <1192742446.12120.49.camel@localhost.localdomain>
Message-ID: <471CACFA.8070207@redhat.com>

Karl MacMillan wrote:
> Print a traceback to the install log on unexpected error.
> 
> Karl
> 
> 

Ack

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071022/18e3a1c5/attachment.bin>

From rcritten at redhat.com  Mon Oct 22 14:01:05 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 22 Oct 2007 10:01:05 -0400
Subject: [Freeipa-devel] [PATCH] manager and secretary editing
In-Reply-To: <20071019222657.GH14360@moon.usersys.redhat.com>
References: <20071019222657.GH14360@moon.usersys.redhat.com>
Message-ID: <471CAD21.6080502@redhat.com>

Kevin McCarthy wrote:
> Add add/edit/show for manager and secretary fields.
> 
> -Kevin

Ok

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071022/40114be2/attachment.bin>

From kmacmill at redhat.com  Mon Oct 22 14:03:13 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 22 Oct 2007 10:03:13 -0400
Subject: [Freeipa-devel] [PATCH] Remove dependency between ipa-pyton
	and ipa-server
In-Reply-To: <47190546.8020805@redhat.com>
References: <516a862e61b99d456862.1192820556@laptop.local>
	<47190546.8020805@redhat.com>
Message-ID: <1193061793.2898.22.camel@localhost.localdomain>

On Fri, 2007-10-19 at 15:28 -0400, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > # HG changeset patch
> > # User "Karl MacMillan <kmacmill at redhat.com>"
> > # Date 1192820498 14400
> > # Node ID 516a862e61b99d4568620b1c3f446f3778ec5f4a
> > # Parent  82d6225b95a95f399f93141d559beaa9e9b6ab4d
> > Remove dependency between ipa-pyton and ipa-server
> > 
> > Current ipa-python imports and calls code from ipaserver (which is in
> > the ipa-server package). This makes it impossible to use the admin
> > tools or the ipa-python package on a system without the server bits
> > installed. This fixes that in a fairly minimal way.
> 
> Looks good.
> 

Pushed.



From kmacmill at redhat.com  Mon Oct 22 14:10:07 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 22 Oct 2007 10:10:07 -0400
Subject: [Freeipa-devel] [PATCH] manager and secretary editing
In-Reply-To: <471CAD21.6080502@redhat.com>
References: <20071019222657.GH14360@moon.usersys.redhat.com>
	<471CAD21.6080502@redhat.com>
Message-ID: <1193062207.2898.27.camel@laptop.local>

On Mon, 2007-10-22 at 10:01 -0400, Rob Crittenden wrote:
> Kevin McCarthy wrote:
> > Add add/edit/show for manager and secretary fields.
> > 
> > -Kevin
> 
> Ok

Pushed.

Karl



From kmacmill at redhat.com  Mon Oct 22 14:10:18 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 22 Oct 2007 10:10:18 -0400
Subject: [Freeipa-devel] [PATCH] improve error reporting
	in	ipa-server-install
In-Reply-To: <471CACFA.8070207@redhat.com>
References: <1192742446.12120.49.camel@localhost.localdomain>
	<471CACFA.8070207@redhat.com>
Message-ID: <1193062218.2898.29.camel@laptop.local>

On Mon, 2007-10-22 at 10:00 -0400, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > Print a traceback to the install log on unexpected error.
> > 
> > Karl
> > 
> > 
> 
> Ack
> 

Pushed.



From rcritten at redhat.com  Mon Oct 22 14:10:59 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 22 Oct 2007 10:10:59 -0400
Subject: [Freeipa-devel] [PATCH] add update_user and update_group functions
Message-ID: <471CAF73.30504@redhat.com>

update_user and update_group are just aliases for update_entry but they 
apparently need to be truly defined in order to be available to XML-RPC. 
This fixes that.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-317-update.patch
Type: text/x-patch
Size: 1253 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071022/19a64fef/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071022/19a64fef/attachment-0001.bin>

From kmacmill at redhat.com  Mon Oct 22 14:16:15 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 22 Oct 2007 10:16:15 -0400
Subject: [Freeipa-devel] [PATCH] add update_user and update_group functions
In-Reply-To: <471CAF73.30504@redhat.com>
References: <471CAF73.30504@redhat.com>
Message-ID: <1193062575.2898.35.camel@laptop.local>

On Mon, 2007-10-22 at 10:10 -0400, Rob Crittenden wrote:
> update_user and update_group are just aliases for update_entry but they 
> apparently need to be truly defined in order to be available to XML-RPC. 
> This fixes that.
> 

Pushed.



From kmccarth at redhat.com  Mon Oct 22 15:18:19 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 22 Oct 2007 08:18:19 -0700
Subject: [Freeipa-devel] [PATCH] finish email auto-suggest
In-Reply-To: <1193061486.2898.20.camel@localhost.localdomain>
References: <20071018213615.GB19844@moon.usersys.redhat.com>
	<1193061486.2898.20.camel@localhost.localdomain>
Message-ID: <20071022151818.GA3841@moon.usersys.redhat.com>

Karl MacMillan wrote:
> On Thu, 2007-10-18 at 14:36 -0700, Kevin McCarthy wrote:
> > Finish up the email auto-suggest.  Searching w/field specification is a
> > ways off, so for now I'm adding an API call.
> > 
> 
> Pushed. Searching by field is not currently on the list of things to get
> done for M5 - should it be? It be nice to get it in.

No, I think it will require some careful thought.  I'm not even sure it
will make V1 at this point, but let's see.

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071022/bb134297/attachment.bin>

From kmacmill at redhat.com  Mon Oct 22 15:27:40 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 22 Oct 2007 11:27:40 -0400
Subject: [Freeipa-devel] [PATCH] finish email auto-suggest
In-Reply-To: <20071022151818.GA3841@moon.usersys.redhat.com>
References: <20071018213615.GB19844@moon.usersys.redhat.com>
	<1193061486.2898.20.camel@localhost.localdomain>
	<20071022151818.GA3841@moon.usersys.redhat.com>
Message-ID: <1193066860.2898.42.camel@laptop.local>

On Mon, 2007-10-22 at 08:18 -0700, Kevin McCarthy wrote:
> Karl MacMillan wrote:
> > On Thu, 2007-10-18 at 14:36 -0700, Kevin McCarthy wrote:
> > > Finish up the email auto-suggest.  Searching w/field specification is a
> > > ways off, so for now I'm adding an API call.
> > > 
> > 
> > Pushed. Searching by field is not currently on the list of things to get
> > done for M5 - should it be? It be nice to get it in.
> 
> No, I think it will require some careful thought.  I'm not even sure it
> will make V1 at this point, but let's see.

According to the current schedule, anything not in M5 won't make v1. I'm
certain exceptions can be made, but the goal is to run M5 through
testing for a while to get a v1 - so post M5 is bug fix only.

Karl



From kmacmill at redhat.com  Mon Oct 22 15:58:38 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 22 Oct 2007 11:58:38 -0400
Subject: [Freeipa-devel] [PATCH] Print warning about NTP
Message-ID: <492654169fe314db9c93.1193068718@laptop.local>

# HG changeset patch
# User "Karl MacMillan <kmacmill at redhat.com>"
# Date 1193068711 14400
# Node ID 492654169fe314db9c9324849e3e6c8657761c80
# Parent  f7f85a88b2b4c1f21a97348fc5237be473c3e2fa
Print warning about NTP

After looking into setting up ntpd on the IPA servers I decided it
was better just to warn admins. There are just too many valid setups
for time synchronization for us to try to get this right. Additionally,
just installing ntp and accepting the default config will result in
a configuration that is perfectly valid for IPA.

This patch checks if ntpd is running and suggests enabling it if it
is not - for client and server. It also adds some suggested next
steps to the server installation.

diff -r f7f85a88b2b4 -r 492654169fe3 ipa-client/ipa-install/ipa-client-install
--- a/ipa-client/ipa-install/ipa-client-install	Mon Oct 22 10:09:39 2007 -0400
+++ b/ipa-client/ipa-install/ipa-client-install	Mon Oct 22 11:58:31 2007 -0400
@@ -67,6 +67,14 @@ def logging_setup(options):
     console.setFormatter(formatter)
     logging.getLogger('').addHandler(console)
 
+def check_ntp():
+    ret_code = 1
+    p = subprocess.Popen(["/sbin/service", "ntpd", "status"], stdout=subprocess.PIPE,
+                         stderr=subprocess.PIPE)
+    stdout, stderr = p.communicate()
+
+    return p.returncode
+
 def main():
     options = parse_options()
     logging_setup(options)
@@ -200,6 +208,11 @@ def main():
     #Modify pam to add pam_krb5
     run(["/usr/sbin/authconfig", "--enablekrb5", "--update"])
 
+    # print warning about ntp
+    if check_ntp() != 0:
+        print "WARNING: Kerberos requires time synchronization between clients"
+        print "and servers for correct operation. You should consider enabling ntpd."
+
     return 0
 
 main()
diff -r f7f85a88b2b4 -r 492654169fe3 ipa-server/ipa-install/ipa-server-install
--- a/ipa-server/ipa-install/ipa-server-install	Mon Oct 22 10:09:39 2007 -0400
+++ b/ipa-server/ipa-install/ipa-server-install	Mon Oct 22 11:58:31 2007 -0400
@@ -372,6 +372,15 @@ def read_admin_password():
     admin_password = read_password("IPA admin")
     return admin_password
 
+def check_ntp():
+    ret_code = 1
+    p = subprocess.Popen(["/sbin/service", "ntpd", "status"], stdout=subprocess.PIPE,
+                         stderr=subprocess.PIPE)
+    stdout, stderr = p.communicate()
+
+    return p.returncode
+    
+
 def main():
     global ds
     ds = None
@@ -584,6 +593,28 @@ def main():
     fd.write("realm=" + realm_name + "\n")
     fd.close()
 
+    print "=============================================================================="
+    print "Setup complete"
+    print ""
+    print "Next steps:"
+    print "\t1. You may need to open some network ports - specifically:"
+    print "\t\tTCP Ports:"
+    print "\t\t  * 80, 443, 8080: HTTP/HTTPS"
+    print "\t\t  * 389, 636: LDAP/LDAPS"
+    print "\t\t  * 464: kpasswd"
+    print "\t\tUDP Ports:"
+    print "\t\t  * 88, 750: kerberos"
+    print ""
+    print "\t2. You can now obtain a kerberos ticket using the command: 'kinit admin'."
+    print "\t   This ticket will allow you to use the IPA tools (e.g., ipa-adduser)"
+    print "\t   and the web user interface."
+
+    if check_ntp() != 0:
+        print "\t3. Kerberos requires time synchronization between clients"
+        print "\t   and servers for correct operation. You should consider enabling ntpd."
+
+
+
     return 0
 
 try:



From rcritten at redhat.com  Mon Oct 22 16:52:07 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 22 Oct 2007 12:52:07 -0400
Subject: [Freeipa-devel] [PATCH] Print warning about NTP
In-Reply-To: <492654169fe314db9c93.1193068718@laptop.local>
References: <492654169fe314db9c93.1193068718@laptop.local>
Message-ID: <471CD537.8080604@redhat.com>

Karl MacMillan wrote:
> # HG changeset patch
> # User "Karl MacMillan <kmacmill at redhat.com>"
> # Date 1193068711 14400
> # Node ID 492654169fe314db9c9324849e3e6c8657761c80
> # Parent  f7f85a88b2b4c1f21a97348fc5237be473c3e2fa
> Print warning about NTP
> 

Ok

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071022/91d61fdb/attachment.bin>

From ssorce at redhat.com  Mon Oct 22 17:01:24 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 22 Oct 2007 13:01:24 -0400
Subject: [Freeipa-devel] [PATCH] Print warning about NTP
In-Reply-To: <492654169fe314db9c93.1193068718@laptop.local>
References: <492654169fe314db9c93.1193068718@laptop.local>
Message-ID: <1193072484.3167.234.camel@localhost.localdomain>

On Mon, 2007-10-22 at 11:58 -0400, Karl MacMillan wrote:
> # HG changeset patch
> # User "Karl MacMillan <kmacmill at redhat.com>"
> # Date 1193068711 14400
> # Node ID 492654169fe314db9c9324849e3e6c8657761c80
> # Parent  f7f85a88b2b4c1f21a97348fc5237be473c3e2fa
> Print warning about NTP
> 
> After looking into setting up ntpd on the IPA servers I decided it
> was better just to warn admins. There are just too many valid setups
> for time synchronization for us to try to get this right. Additionally,
> just installing ntp and accepting the default config will result in
> a configuration that is perfectly valid for IPA.
> 
> This patch checks if ntpd is running and suggests enabling it if it
> is not - for client and server. It also adds some suggested next
> steps to the server installation.

Should we add something in the bind zone we create to point at master
serverts as ntp masters as well? IS there a specific SRV record for ntp
servers ?

> diff -r f7f85a88b2b4 -r 492654169fe3 ipa-client/ipa-install/ipa-client-install
> --- a/ipa-client/ipa-install/ipa-client-install	Mon Oct 22 10:09:39 2007 -0400
> +++ b/ipa-client/ipa-install/ipa-client-install	Mon Oct 22 11:58:31 2007 -0400
> @@ -67,6 +67,14 @@ def logging_setup(options):
>      console.setFormatter(formatter)
>      logging.getLogger('').addHandler(console)
>  
> +def check_ntp():
> +    ret_code = 1
> +    p = subprocess.Popen(["/sbin/service", "ntpd", "status"], stdout=subprocess.PIPE,
> +                         stderr=subprocess.PIPE)
> +    stdout, stderr = p.communicate()
> +
> +    return p.returncode
> +
>  def main():
>      options = parse_options()
>      logging_setup(options)
> @@ -200,6 +208,11 @@ def main():
>      #Modify pam to add pam_krb5
>      run(["/usr/sbin/authconfig", "--enablekrb5", "--update"])
>  
> +    # print warning about ntp
> +    if check_ntp() != 0:
> +        print "WARNING: Kerberos requires time synchronization between clients"
> +        print "and servers for correct operation. You should consider enabling ntpd."
> +
>      return 0

Can you please wrap this code in try/except statements ? I don't like
when setup aborts with a backtrace on a simple check.

>  main()
> diff -r f7f85a88b2b4 -r 492654169fe3 ipa-server/ipa-install/ipa-server-install
> --- a/ipa-server/ipa-install/ipa-server-install	Mon Oct 22 10:09:39 2007 -0400
> +++ b/ipa-server/ipa-install/ipa-server-install	Mon Oct 22 11:58:31 2007 -0400
> @@ -372,6 +372,15 @@ def read_admin_password():
>      admin_password = read_password("IPA admin")
>      return admin_password
>  
> +def check_ntp():
> +    ret_code = 1
> +    p = subprocess.Popen(["/sbin/service", "ntpd", "status"], stdout=subprocess.PIPE,
> +                         stderr=subprocess.PIPE)
> +    stdout, stderr = p.communicate()
> +
> +    return p.returncode
> +    
> +
>  def main():
>      global ds
>      ds = None
> @@ -584,6 +593,28 @@ def main():
>      fd.write("realm=" + realm_name + "\n")
>      fd.close()
>  
> +    print "=============================================================================="
> +    print "Setup complete"
> +    print ""
> +    print "Next steps:"
> +    print "\t1. You may need to open some network ports - specifically:"
> +    print "\t\tTCP Ports:"
> +    print "\t\t  * 80, 443, 8080: HTTP/HTTPS"

Do we really need 8080 open ?

> +    print "\t\t  * 389, 636: LDAP/LDAPS"
> +    print "\t\t  * 464: kpasswd"
> +    print "\t\tUDP Ports:"
> +    print "\t\t  * 88, 750: kerberos"

Kerberos is TCP as well and required when packets are big and do not fit
a single UDP packet.

Also 750 is krb4 do we really need that ?

> +    print ""
> +    print "\t2. You can now obtain a kerberos ticket using the command: 'kinit admin'."
> +    print "\t   This ticket will allow you to use the IPA tools (e.g., ipa-adduser)"
> +    print "\t   and the web user interface."
> +
> +    if check_ntp() != 0:
> +        print "\t3. Kerberos requires time synchronization between clients"
> +        print "\t   and servers for correct operation. You should consider enabling ntpd."

should we say: to work at all! ? :-)

Simo.




From rcritten at redhat.com  Mon Oct 22 18:29:30 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 22 Oct 2007 14:29:30 -0400
Subject: [Freeipa-devel] [PATCH] top level make all work again
Message-ID: <471CEC0A.6000406@redhat.com>

Fix to have 'make all' work again.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-322-make.patch
Type: text/x-patch
Size: 630 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071022/a75875e9/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071022/a75875e9/attachment-0001.bin>

From rcritten at redhat.com  Mon Oct 22 18:38:24 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 22 Oct 2007 14:38:24 -0400
Subject: [Freeipa-devel] [PATCH] attr -> labels, moving aci functions
Message-ID: <471CEE20.2070700@redhat.com>

Add an LDAP attribute -> label mapping function to XML-RPC layer.

Also move some ACI functions around in preparation for cli delegation. 
I'm just starting to look at delegation at the command-line and I think 
that with these two changes it should go fairly smoothly.

Doing this in bits and pieces to avoid a humongous patch that will be 
hard for anyone to review.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-323-labels.patch
Type: text/x-patch
Size: 9413 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071022/8185573e/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071022/8185573e/attachment-0001.bin>

From kmacmill at redhat.com  Mon Oct 22 19:05:10 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 22 Oct 2007 15:05:10 -0400
Subject: [Freeipa-devel] [PATCH] top level make all work again
In-Reply-To: <471CEC0A.6000406@redhat.com>
References: <471CEC0A.6000406@redhat.com>
Message-ID: <1193079910.2969.1.camel@localhost.localdomain>

On Mon, 2007-10-22 at 14:29 -0400, Rob Crittenden wrote:
> Fix to have 'make all' work again.
> 

I had intentionally not done this to avoid running autogen repeatedly -
once it has been run once make all should work fine. Thoughts?

Karl



From rcritten at redhat.com  Mon Oct 22 19:32:52 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 22 Oct 2007 15:32:52 -0400
Subject: [Freeipa-devel] [PATCH] top level make all work again
In-Reply-To: <1193079910.2969.1.camel@localhost.localdomain>
References: <471CEC0A.6000406@redhat.com>
	<1193079910.2969.1.camel@localhost.localdomain>
Message-ID: <471CFAE4.8070208@redhat.com>

Karl MacMillan wrote:
> On Mon, 2007-10-22 at 14:29 -0400, Rob Crittenden wrote:
>> Fix to have 'make all' work again.
>>
> 
> I had intentionally not done this to avoid running autogen repeatedly -
> once it has been run once make all should work fine. Thoughts?
> 
> Karl
> 

Maybe we can make autogen smart and exit quietly if Makefile already exists?

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071022/352365bd/attachment.bin>

From kmccarth at redhat.com  Mon Oct 22 20:10:06 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 22 Oct 2007 13:10:06 -0700
Subject: [Freeipa-devel] [PATCH] attr -> labels, moving aci functions
In-Reply-To: <471CEE20.2070700@redhat.com>
References: <471CEE20.2070700@redhat.com>
Message-ID: <20071022201006.GB3841@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Add an LDAP attribute -> label mapping function to XML-RPC layer.
>
> Also move some ACI functions around in preparation for cli delegation. I'm 
> just starting to look at delegation at the command-line and I think that 
> with these two changes it should go fairly smoothly.
>
> Doing this in bits and pieces to avoid a humongous patch that will be hard 
> for anyone to review.

Who would do something so horrible like that.  ;-)


> --- a/ipa-server/xmlrpc-server/funcs.py	Mon Oct 22 14:29:00 2007 -0400
> +++ b/ipa-server/xmlrpc-server/funcs.py	Mon Oct 22 14:35:50 2007 -0400
> @@ -28,6 +28,7 @@ import ipa.ipautil
>  import ipa.ipautil
>  import xmlrpclib
>  import copy
> +import attrs
>  from ipa import ipaerror
>  
>  import string
> @@ -1041,6 +1042,19 @@ class IPAServer:
>          except ipaerror.exception_for(ipaerror.LDAP_EMPTY_MODLIST):
>              raise
>          return ret
> +
> +    def attrs_to_labels(self, attr_list, opts=None):
> +        """Take a list of LDAP attributes and convert them to more friendly
> +           labels."""
> +        label_list = {}
> +
> +        for a in attr_list:

if you like, you can shorten this to just
                label_list[a] = attrs.attr_label_list.get(a, a)


> +            if attrs.attr_label_list.get(a):
> +                label_list[a] = attrs.attr_label_list.get(a)
> +            else:
> +                label_list[a] = a
> +
> +        return label_list
>  
>  def ldap_search_escape(match):
>      """Escapes out nasty characters from the ldap search.
> diff -r 44230f15037e -r ad98546dac85 ipa-server/xmlrpc-server/ipaxmlrpc.py
> --- a/ipa-server/xmlrpc-server/ipaxmlrpc.py	Mon Oct 22 14:29:00 2007 -0400
> +++ b/ipa-server/xmlrpc-server/ipaxmlrpc.py	Mon Oct 22 14:35:50 2007 -0400
> @@ -348,6 +348,7 @@ def handler(req, profiling=False):
>              h.register_function(f.remove_groups_from_user)
>              h.register_function(f.update_group)
>              h.register_function(f.delete_group)
> +            h.register_function(f.attrs_to_labels)
>              h.handle_request(req)
>          finally:
>               pass




> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071022/fe3ef3f7/attachment.bin>

From kmacmill at redhat.com  Mon Oct 22 20:11:17 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 22 Oct 2007 16:11:17 -0400
Subject: [Freeipa-devel] [PATCH] top level make all work again
In-Reply-To: <471CFAE4.8070208@redhat.com>
References: <471CEC0A.6000406@redhat.com>
	<1193079910.2969.1.camel@localhost.localdomain>
	<471CFAE4.8070208@redhat.com>
Message-ID: <1193083877.2942.1.camel@localhost.localdomain>

On Mon, 2007-10-22 at 15:32 -0400, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > On Mon, 2007-10-22 at 14:29 -0400, Rob Crittenden wrote:
> >> Fix to have 'make all' work again.
> >>
> > 
> > I had intentionally not done this to avoid running autogen repeatedly -
> > once it has been run once make all should work fine. Thoughts?
> > 
> > Karl
> > 
> 
> Maybe we can make autogen smart and exit quietly if Makefile already exists?
> 

Or maybe do that in the makefile (make a dep on the makefiles and add a
rule to generate them) - otherwise we'd have to make autogen have a flag
to force regeneration when that was needed.

Karl



From kmccarth at redhat.com  Mon Oct 22 21:02:11 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 22 Oct 2007 14:02:11 -0700
Subject: [Freeipa-devel] [PATCH] attr -> labels, moving aci functions
In-Reply-To: <20071022201006.GB3841@moon.usersys.redhat.com>
References: <471CEE20.2070700@redhat.com>
	<20071022201006.GB3841@moon.usersys.redhat.com>
Message-ID: <20071022210211.GC3841@moon.usersys.redhat.com>

Kevin McCarthy wrote:
> Rob Crittenden wrote:
> > Add an LDAP attribute -> label mapping function to XML-RPC layer.
> >
> > Also move some ACI functions around in preparation for cli delegation. I'm 
> > just starting to look at delegation at the command-line and I think that 
> > with these two changes it should go fairly smoothly.
> >
> > Doing this in bits and pieces to avoid a humongous patch that will be hard 
> > for anyone to review.
> 
> Who would do something so horrible like that.  ;-)

approved, btw.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071022/c7db5bfb/attachment.bin>

From rcritten at redhat.com  Mon Oct 22 21:07:21 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 22 Oct 2007 17:07:21 -0400
Subject: [Freeipa-devel] [PATCH] attr -> labels, moving aci functions
In-Reply-To: <20071022210211.GC3841@moon.usersys.redhat.com>
References: <471CEE20.2070700@redhat.com>	<20071022201006.GB3841@moon.usersys.redhat.com>
	<20071022210211.GC3841@moon.usersys.redhat.com>
Message-ID: <471D1109.3040108@redhat.com>

Kevin McCarthy wrote:
> Kevin McCarthy wrote:
>> Rob Crittenden wrote:
>>> Add an LDAP attribute -> label mapping function to XML-RPC layer.
>>>
>>> Also move some ACI functions around in preparation for cli delegation. I'm 
>>> just starting to look at delegation at the command-line and I think that 
>>> with these two changes it should go fairly smoothly.
>>>
>>> Doing this in bits and pieces to avoid a humongous patch that will be hard 
>>> for anyone to review.
>> Who would do something so horrible like that.  ;-)
> 
> approved, btw.
> 

Pushed with your list default value suggestion, thanks.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071022/5518e1ef/attachment.bin>

From kmccarth at redhat.com  Mon Oct 22 21:08:24 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 22 Oct 2007 14:08:24 -0700
Subject: [Freeipa-devel] [PATCH] ldif and acis for config
Message-ID: <20071022210823.GD3841@moon.usersys.redhat.com>

This is a proposal for config entries.  I've created a global and local
entry.  The idea (which will be coded next) is to read the global entry
first, then overwrite with values in local (if any).  So each ipa "node"
could tweek independently.

Also, I've currently created anonymous access to the config entries.
I'd ideally like to cache the config at startup, or maybe first hit.

Feedback welcome (and expected) as I haven't touched our schema before.

Thanks,

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1193088002 25200
# Node ID 6b6364a5a2922309c1682bafa34d129d5230baa6
# Parent  934aee640cf9a53c403d0b335ee8f7dbb06d8bf2
Add entries to store the config in LDAP.
Add anonymous ACI's  so we can cache on startup.

diff -r 934aee640cf9 -r 6b6364a5a292 ipa-server/ipa-install/share/bootstrap-template.ldif
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif	Mon Oct 22 08:57:29 2007 -0700
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif	Mon Oct 22 14:20:02 2007 -0700
@@ -32,6 +32,30 @@ objectClass: nsContainer
 objectClass: nsContainer
 objectClass: top
 cn: etc
+
+dn: cn=config,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: config
+
+dn: cn=global,cn=config,cn=etc,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+objectClass: extensibleObject
+cn: global
+userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
+searchTimeLimit: 2
+maxUidLength: 8
+passwordExpireNotifyDays: 7
+
+dn: cn=local,cn=config,cn=etc,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+objectClass: extensibleObject
+cn: local
 
 dn: cn=sysaccounts,cn=etc,$SUFFIX
 changetype: add
diff -r 934aee640cf9 -r 6b6364a5a292 ipa-server/ipa-install/share/default-aci.ldif
--- a/ipa-server/ipa-install/share/default-aci.ldif	Mon Oct 22 08:57:29 2007 -0700
+++ b/ipa-server/ipa-install/share/default-aci.ldif	Mon Oct 22 14:20:02 2007 -0700
@@ -8,3 +8,4 @@ aci: (targetattr="krbLastSuccessfulAuth 
 aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
 aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
 aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+aci: (target="ldap:///cn=*,cn=config,cn=etc,$SUFFIX")(version 3.0; acl "Enable anonymous access to config"; allow (read, search, compare) userdn="ldap:///anyone";)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071022/4532b43f/attachment.bin>

From ssorce at redhat.com  Mon Oct 22 22:13:28 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 22 Oct 2007 18:13:28 -0400
Subject: [Freeipa-devel] [PATCH] ldif and acis for config
In-Reply-To: <20071022210823.GD3841@moon.usersys.redhat.com>
References: <20071022210823.GD3841@moon.usersys.redhat.com>
Message-ID: <1193091208.3167.269.camel@localhost.localdomain>

On Mon, 2007-10-22 at 14:08 -0700, Kevin McCarthy wrote:
> This is a proposal for config entries.  I've created a global and
> local
> entry.  The idea (which will be coded next) is to read the global
> entry
> first, then overwrite with values in local (if any).  So each ipa
> "node"
> could tweek independently.

but cn=etc is replicated globally in all its contents now ...
maybe you can have a container with the server own name to do non-global
conf, but just using "local" on all nodes is not going to help you :)

> Also, I've currently created anonymous access to the config entries.
> I'd ideally like to cache the config at startup, or maybe first hit.

Is there a reason why? Who is going to be the consumer ?

> Feedback welcome (and expected) as I haven't touched our schema
> before.

Se below

> 
> 
> 
> 
> 
> plain text
> document
> attachment
> (freeipa-372-ldap_config_ldif.patch)
> 
> # HG changeset patch
> # User Kevin McCarthy <kmccarth at redhat.com>
> # Date 1193088002 25200
> # Node ID 6b6364a5a2922309c1682bafa34d129d5230baa6
> # Parent  934aee640cf9a53c403d0b335ee8f7dbb06d8bf2
> Add entries to store the config in LDAP.
> Add anonymous ACI's  so we can cache on startup.
> 
> diff -r 934aee640cf9 -r 6b6364a5a292
> ipa-server/ipa-install/share/bootstrap-template.ldif
> --- a/ipa-server/ipa-install/share/bootstrap-template.ldif      Mon
> Oct 22 08:57:29 2007 -0700
> +++ b/ipa-server/ipa-install/share/bootstrap-template.ldif      Mon
> Oct 22 14:20:02 2007 -0700
> @@ -32,6 +32,30 @@ objectClass: nsContainer
>  objectClass: nsContainer
>  objectClass: top
>  cn: etc
> +
> +dn: cn=config,cn=etc,$SUFFIX
> +changetype: add
> +objectClass: nsContainer
> +objectClass: top
> +cn: config
> +
> +dn: cn=global,cn=config,cn=etc,$SUFFIX
> +changetype: add
> +objectClass: top
> +objectClass: nsContainer
> +objectClass: extensibleObject
----------------^^^^^^^^^^^^^^^

/me raise eyebrow, are you *sure* ? :)

> +cn: global
> +userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
> +searchTimeLimit: 2
> +maxUidLength: 8
> +passwordExpireNotifyDays: 7

should we keep security policies and GUI configuration in different
entries ?

> +dn: cn=local,cn=config,cn=etc,$SUFFIX
> +changetype: add
> +objectClass: top
> +objectClass: nsContainer
> +objectClass: extensibleObject
> +cn: local

As stated above "local" is not going to be unique per server :)

>  dn: cn=sysaccounts,cn=etc,$SUFFIX
>  changetype: add
> diff -r 934aee640cf9 -r 6b6364a5a292
> ipa-server/ipa-install/share/default-aci.ldif
> --- a/ipa-server/ipa-install/share/default-aci.ldif     Mon Oct 22
> 08:57:29 2007 -0700
> +++ b/ipa-server/ipa-install/share/default-aci.ldif     Mon Oct 22
> 14:20:02 2007 -0700
> @@ -8,3 +8,4 @@ aci: (targetattr="krbLastSuccessfulAuth 
>  aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth ||
> krbLoginFailedCount")(version 3.0; acl "KDC System Account"; allow
> (read, search, compare, write)
> userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
>  aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword
> || sambaNTPassword || krbPasswordExpiration || krbPwdHistory ||
> krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes
> for passowrd changes"; allow (read, write)
> userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=
> $REALM,cn=kerberos,$SUFFIX";)
>  aci:
> (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
> +aci: (target="ldap:///cn=*,cn=config,cn=etc,$SUFFIX")(version 3.0;
> acl "Enable anonymous access to config"; allow (read, search, compare)
> userdn="ldap:///anyone";)

Is this not readable right now already?
/me can't remember if we are denying anonymous access right now.

Simo.



From kmccarth at redhat.com  Mon Oct 22 23:23:00 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Mon, 22 Oct 2007 16:23:00 -0700
Subject: [Freeipa-devel] [PATCH] ldif and acis for config
In-Reply-To: <1193091208.3167.269.camel@localhost.localdomain>
References: <20071022210823.GD3841@moon.usersys.redhat.com>
	<1193091208.3167.269.camel@localhost.localdomain>
Message-ID: <20071022232300.GE3841@moon.usersys.redhat.com>

Simo Sorce wrote:
> On Mon, 2007-10-22 at 14:08 -0700, Kevin McCarthy wrote:
> > This is a proposal for config entries.  I've created a global and
> > local entry.  The idea (which will be coded next) is to read the
> > global entry first, then overwrite with values in local (if any).
> > So each ipa "node" could tweek independently.
> 
> but cn=etc is replicated globally in all its contents now ...  maybe
> you can have a container with the server own name to do non-global
> conf, but just using "local" on all nodes is not going to help you :)
> 
> > Also, I've currently created anonymous access to the config entries.
> > I'd ideally like to cache the config at startup, or maybe first hit.
> 
> Is there a reason why? Who is going to be the consumer ?

Pete mentioned it as an idea, but didn't really "bake" how it should be.
That's why I threw this out though, to get some ideas/feedback.

For now, perhaps we can just have a "shared" config and worry about
local configs later.

> > plain text
> > document
> > attachment
> > (freeipa-372-ldap_config_ldif.patch)
> > 
> > # HG changeset patch
> > # User Kevin McCarthy <kmccarth at redhat.com>
> > # Date 1193088002 25200
> > # Node ID 6b6364a5a2922309c1682bafa34d129d5230baa6
> > # Parent  934aee640cf9a53c403d0b335ee8f7dbb06d8bf2
> > Add entries to store the config in LDAP.
> > Add anonymous ACI's  so we can cache on startup.
> > 
> > diff -r 934aee640cf9 -r 6b6364a5a292
> > ipa-server/ipa-install/share/bootstrap-template.ldif
> > --- a/ipa-server/ipa-install/share/bootstrap-template.ldif      Mon
> > Oct 22 08:57:29 2007 -0700
> > +++ b/ipa-server/ipa-install/share/bootstrap-template.ldif      Mon
> > Oct 22 14:20:02 2007 -0700
> > @@ -32,6 +32,30 @@ objectClass: nsContainer
> >  objectClass: nsContainer
> >  objectClass: top
> >  cn: etc
> > +
> > +dn: cn=config,cn=etc,$SUFFIX
> > +changetype: add
> > +objectClass: nsContainer
> > +objectClass: top
> > +cn: config
> > +
> > +dn: cn=global,cn=config,cn=etc,$SUFFIX
> > +changetype: add
> > +objectClass: top
> > +objectClass: nsContainer
> > +objectClass: extensibleObject
> ----------------^^^^^^^^^^^^^^^
> 
> /me raise eyebrow, are you *sure* ? :)


Nope, definitely not sure.  It would be better if there was some
objectClass I could use to store:
-name
-value
-comment

so each configuration could have their own entry with a comment.  Do you
have any suggestions about how to do that?

> 
> > +cn: global
> > +userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
> > +searchTimeLimit: 2
> > +maxUidLength: 8
> > +passwordExpireNotifyDays: 7
> 
> should we keep security policies and GUI configuration in different
> entries ?

Sure.  Are you thinking
cn=policy,cn=config,cn=etc...
  and
cn=gui,cn=config,cn=etc

For me the passwordExpireNotifyDays was a parameter I was going to use
in the GUI - for when to show a message at the top of the page.

> > +aci: (target="ldap:///cn=*,cn=config,cn=etc,$SUFFIX")(version 3.0;
> > acl "Enable anonymous access to config"; allow (read, search, compare)
> > userdn="ldap:///anyone";)
> 
> Is this not readable right now already?
> /me can't remember if we are denying anonymous access right now.

Don't know.  I haven't written the code to try to read it just yet.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071022/f55c0262/attachment.bin>

From prowley at redhat.com  Tue Oct 23 14:38:02 2007
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 23 Oct 2007 07:38:02 -0700
Subject: [Freeipa-devel] [PATCH] ldif and acis for config
In-Reply-To: <20071022232300.GE3841@moon.usersys.redhat.com>
References: <20071022210823.GD3841@moon.usersys.redhat.com>	<1193091208.3167.269.camel@localhost.localdomain>
	<20071022232300.GE3841@moon.usersys.redhat.com>
Message-ID: <471E074A.9030704@redhat.com>

Kevin McCarthy wrote:
> Simo Sorce wrote:
>   
>> On Mon, 2007-10-22 at 14:08 -0700, Kevin McCarthy wrote:
>>     
>>> This is a proposal for config entries.  I've created a global and
>>> local entry.  The idea (which will be coded next) is to read the
>>> global entry first, then overwrite with values in local (if any).
>>> So each ipa "node" could tweek independently.
>>>       
>> but cn=etc is replicated globally in all its contents now ...  maybe
>> you can have a container with the server own name to do non-global
>> conf, but just using "local" on all nodes is not going to help you :)
>>
>>     
>>> Also, I've currently created anonymous access to the config entries.
>>> I'd ideally like to cache the config at startup, or maybe first hit.
>>>       
>> Is there a reason why? Who is going to be the consumer ?
>>     
>
> Pete mentioned it as an idea, but didn't really "bake" how it should be.
> That's why I threw this out though, to get some ideas/feedback.
>
>   
cn=local should be an unreplicated backend.
> For now, perhaps we can just have a "shared" config and worry about
> local configs later.
>
>   
>>> plain text
>>> document
>>> attachment
>>> (freeipa-372-ldap_config_ldif.patch)
>>>
>>> # HG changeset patch
>>> # User Kevin McCarthy <kmccarth at redhat.com>
>>> # Date 1193088002 25200
>>> # Node ID 6b6364a5a2922309c1682bafa34d129d5230baa6
>>> # Parent  934aee640cf9a53c403d0b335ee8f7dbb06d8bf2
>>> Add entries to store the config in LDAP.
>>> Add anonymous ACI's  so we can cache on startup.
>>>
>>> diff -r 934aee640cf9 -r 6b6364a5a292
>>> ipa-server/ipa-install/share/bootstrap-template.ldif
>>> --- a/ipa-server/ipa-install/share/bootstrap-template.ldif      Mon
>>> Oct 22 08:57:29 2007 -0700
>>> +++ b/ipa-server/ipa-install/share/bootstrap-template.ldif      Mon
>>> Oct 22 14:20:02 2007 -0700
>>> @@ -32,6 +32,30 @@ objectClass: nsContainer
>>>  objectClass: nsContainer
>>>  objectClass: top
>>>  cn: etc
>>> +
>>> +dn: cn=config,cn=etc,$SUFFIX
>>> +changetype: add
>>> +objectClass: nsContainer
>>> +objectClass: top
>>> +cn: config
>>> +
>>> +dn: cn=global,cn=config,cn=etc,$SUFFIX
>>> +changetype: add
>>> +objectClass: top
>>> +objectClass: nsContainer
>>> +objectClass: extensibleObject
>>>       
>> ----------------^^^^^^^^^^^^^^^
>>
>> /me raise eyebrow, are you *sure* ? :)
>>     
>
>
> Nope, definitely not sure.  It would be better if there was some
> objectClass I could use to store:
> -name
> -value
> -comment
>
> so each configuration could have their own entry with a comment.  Do you
> have any suggestions about how to do that?
>
>   
>>> +cn: global
>>> +userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
>>> +searchTimeLimit: 2
>>> +maxUidLength: 8
>>> +passwordExpireNotifyDays: 7
>>>       
>> should we keep security policies and GUI configuration in different
>> entries ?
>>     
>
> Sure.  Are you thinking
> cn=policy,cn=config,cn=etc...
>   and
> cn=gui,cn=config,cn=etc
>
> For me the passwordExpireNotifyDays was a parameter I was going to use
> in the GUI - for when to show a message at the top of the page.
>
>   
>>> +aci: (target="ldap:///cn=*,cn=config,cn=etc,$SUFFIX")(version 3.0;
>>> acl "Enable anonymous access to config"; allow (read, search, compare)
>>> userdn="ldap:///anyone";)
>>>       
>> Is this not readable right now already?
>> /me can't remember if we are denying anonymous access right now.
>>     
>
> Don't know.  I haven't written the code to try to read it just yet.
>   
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071023/35f3b7e3/attachment.bin>

From ssorce at redhat.com  Tue Oct 23 15:04:54 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 23 Oct 2007 11:04:54 -0400
Subject: [Freeipa-devel] [PATCH] ldif and acis for config
In-Reply-To: <471E074A.9030704@redhat.com>
References: <20071022210823.GD3841@moon.usersys.redhat.com>
	<1193091208.3167.269.camel@localhost.localdomain>
	<20071022232300.GE3841@moon.usersys.redhat.com>
	<471E074A.9030704@redhat.com>
Message-ID: <1193151894.23200.2.camel@localhost.localdomain>

On Tue, 2007-10-23 at 07:38 -0700, Pete Rowley wrote:
> Kevin McCarthy wrote:
> > Simo Sorce wrote:
> >   
> >> On Mon, 2007-10-22 at 14:08 -0700, Kevin McCarthy wrote:
> >>     
> >>> This is a proposal for config entries.  I've created a global and
> >>> local entry.  The idea (which will be coded next) is to read the
> >>> global entry first, then overwrite with values in local (if any).
> >>> So each ipa "node" could tweek independently.
> >>>       
> >> but cn=etc is replicated globally in all its contents now ...  maybe
> >> you can have a container with the server own name to do non-global
> >> conf, but just using "local" on all nodes is not going to help you :)
> >>
> >>     
> >>> Also, I've currently created anonymous access to the config entries.
> >>> I'd ideally like to cache the config at startup, or maybe first hit.
> >>>       
> >> Is there a reason why? Who is going to be the consumer ?
> >>     
> >
> > Pete mentioned it as an idea, but didn't really "bake" how it should be.
> > That's why I threw this out though, to get some ideas/feedback.
> >
> >   
> cn=local should be an unreplicated backend.

No, it would make management of many servers more difficult as then you
have to contact each IPA Server, both to check what are the settings and
to change them.
It would be a non-starter.
Keeping a container named after the server resolves the problem and
keeps stuff easily manageable and audit-able.

Simo.



From ssorce at redhat.com  Tue Oct 23 15:13:39 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 23 Oct 2007 11:13:39 -0400
Subject: [Freeipa-devel] [PATCH] ldif and acis for config
In-Reply-To: <20071022232300.GE3841@moon.usersys.redhat.com>
References: <20071022210823.GD3841@moon.usersys.redhat.com>
	<1193091208.3167.269.camel@localhost.localdomain>
	<20071022232300.GE3841@moon.usersys.redhat.com>
Message-ID: <1193152419.23200.12.camel@localhost.localdomain>

On Mon, 2007-10-22 at 16:23 -0700, Kevin McCarthy wrote:
> Simo Sorce wrote:

> > > +dn: cn=global,cn=config,cn=etc,$SUFFIX
> > > +changetype: add
> > > +objectClass: top
> > > +objectClass: nsContainer
> > > +objectClass: extensibleObject
> > ----------------^^^^^^^^^^^^^^^
> > 
> > /me raise eyebrow, are you *sure* ? :)
> 
> 
> Nope, definitely not sure.  It would be better if there was some
> objectClass I could use to store:
> -name
> -value
> -comment
> 
> so each configuration could have their own entry with a comment.  Do you
> have any suggestions about how to do that?

Unfortunately this is a very hard thing with LDAP, and I guess on
purpose.
An object class like that could be done, but it would make sense for a
single conf option, as in LDAP multivalued attributes are not guaranteed
to keep contents in a specific order.

objectClass: nameValuePairs
name: string
name: number
name: bool
value: 1
value: hey
value: 42
comment: my favourite
comment: the answer
comment: default

You see? 

LDAP is schema, schema is LDAP ...

> > > +cn: global
> > > +userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
> > > +searchTimeLimit: 2
> > > +maxUidLength: 8
> > > +passwordExpireNotifyDays: 7
> > 
> > should we keep security policies and GUI configuration in different
> > entries ?
> 
> Sure.  Are you thinking
> cn=policy,cn=config,cn=etc...
>   and
> cn=gui,cn=config,cn=etc
> 
> For me the passwordExpireNotifyDays was a parameter I was going to use
> in the GUI - for when to show a message at the top of the page.

This may be policy or both, the problem is defining a decent structure
for cn=etc, so different components knows what to look at and there is
no ambiguity.

Should we also make clear that this tree is for IPA components only ?
Or should we allow (as a guideline) third party apps to store configs
there?
In such case, we should define a clear way to create entries, so that we
do not have name space conflicts or other ambiguities.

> > > +aci: (target="ldap:///cn=*,cn=config,cn=etc,$SUFFIX")(version 3.0;
> > > acl "Enable anonymous access to config"; allow (read, search, compare)
> > > userdn="ldap:///anyone";)
> > 
> > Is this not readable right now already?
> > /me can't remember if we are denying anonymous access right now.
> 
> Don't know.  I haven't written the code to try to read it just yet.

ldapsearch -x -h localhost -b cn=etc,<basedn>

Simo.




From kmccarth at redhat.com  Tue Oct 23 15:50:48 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 23 Oct 2007 08:50:48 -0700
Subject: [Freeipa-devel] [PATCH] ldif and acis for config
In-Reply-To: <1193152419.23200.12.camel@localhost.localdomain>
References: <20071022210823.GD3841@moon.usersys.redhat.com>
	<1193091208.3167.269.camel@localhost.localdomain>
	<20071022232300.GE3841@moon.usersys.redhat.com>
	<1193152419.23200.12.camel@localhost.localdomain>
Message-ID: <20071023155048.GB21877@moon.usersys.redhat.com>

Simo Sorce wrote:
> On Mon, 2007-10-22 at 16:23 -0700, Kevin McCarthy wrote:
> > Simo Sorce wrote:
> 
> > > > +dn: cn=global,cn=config,cn=etc,$SUFFIX
> > > > +changetype: add
> > > > +objectClass: top
> > > > +objectClass: nsContainer
> > > > +objectClass: extensibleObject
> > > ----------------^^^^^^^^^^^^^^^
> > > 
> > > /me raise eyebrow, are you *sure* ? :)
> > 
> > 
> > Nope, definitely not sure.  It would be better if there was some
> > objectClass I could use to store:
> > -name
> > -value
> > -comment
> > 
> > so each configuration could have their own entry with a comment.  Do you
> > have any suggestions about how to do that?
> 
> Unfortunately this is a very hard thing with LDAP, and I guess on
> purpose.
> An object class like that could be done, but it would make sense for a
> single conf option, as in LDAP multivalued attributes are not guaranteed
> to keep contents in a specific order.
> 
> objectClass: nameValuePairs
> name: string
> name: number
> name: bool
> value: 1
> value: hey
> value: 42
> comment: my favourite
> comment: the answer
> comment: default
> 
> You see? 
> 
> LDAP is schema, schema is LDAP ...

But is the order guaranteed?  I think the modlist code works with sets
and is guaranteed to mess up the ordering on any updates...

-Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071023/cdcf6c39/attachment.bin>

From kmccarth at redhat.com  Tue Oct 23 15:53:14 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 23 Oct 2007 08:53:14 -0700
Subject: [Freeipa-devel] [PATCH] ldif and acis for config
In-Reply-To: <20071023155048.GB21877@moon.usersys.redhat.com>
References: <20071022210823.GD3841@moon.usersys.redhat.com>
	<1193091208.3167.269.camel@localhost.localdomain>
	<20071022232300.GE3841@moon.usersys.redhat.com>
	<1193152419.23200.12.camel@localhost.localdomain>
	<20071023155048.GB21877@moon.usersys.redhat.com>
Message-ID: <20071023155314.GC21877@moon.usersys.redhat.com>

Kevin McCarthy wrote:
> Simo Sorce wrote:
> > On Mon, 2007-10-22 at 16:23 -0700, Kevin McCarthy wrote:
> > > Simo Sorce wrote:
> > 
> > > > > +dn: cn=global,cn=config,cn=etc,$SUFFIX
> > > > > +changetype: add
> > > > > +objectClass: top
> > > > > +objectClass: nsContainer
> > > > > +objectClass: extensibleObject
> > > > ----------------^^^^^^^^^^^^^^^
> > > > 
> > > > /me raise eyebrow, are you *sure* ? :)
> > > 
> > > 
> > > Nope, definitely not sure.  It would be better if there was some
> > > objectClass I could use to store:
> > > -name
> > > -value
> > > -comment
> > > 
> > > so each configuration could have their own entry with a comment.  Do you
> > > have any suggestions about how to do that?
> > 
> > Unfortunately this is a very hard thing with LDAP, and I guess on
> > purpose.
> > An object class like that could be done, but it would make sense for a
> > single conf option, as in LDAP multivalued attributes are not guaranteed
> > to keep contents in a specific order.
> > 
> > objectClass: nameValuePairs
> > name: string
> > name: number
> > name: bool
> > value: 1
> > value: hey
> > value: 42
> > comment: my favourite
> > comment: the answer
> > comment: default
> > 
> > You see? 
> > 
> > LDAP is schema, schema is LDAP ...
> 
> But is the order guaranteed?  I think the modlist code works with sets
> and is guaranteed to mess up the ordering on any updates...

Duhh... really slow today. Now I'm seeing you were answering my own
question!

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071023/505bbd63/attachment.bin>

From kmccarth at redhat.com  Tue Oct 23 16:05:31 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 23 Oct 2007 09:05:31 -0700
Subject: [Freeipa-devel] [PATCH] fix webgui devel mode
Message-ID: <20071023160530.GA22720@moon.usersys.redhat.com>

The recent refactor for ipa-python added a dependency on ipaserver
inside ipacontroller.py

Unfortunately, ipaserver is only inside /usr/share/ipa

So, I've made /usr/share/ipa always included in the python path in order
for the devel mode to work.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1193155375 25200
# Node ID dd94e5e53c7cbfb59c1bfa5fca86923cb950bd57
# Parent  c8cd28ecb998e5bb85b0cea83ead818efd47c841
Fix devel mode for the webgui.

diff -r c8cd28ecb998 -r dd94e5e53c7c ipa-server/ipa-gui/ipa-webgui
--- a/ipa-server/ipa-gui/ipa-webgui	Mon Oct 22 14:28:29 2007 -0700
+++ b/ipa-server/ipa-gui/ipa-webgui	Tue Oct 23 09:02:55 2007 -0700
@@ -57,11 +57,10 @@ def daemonize():
 # environment to load a different configuration and avoid becoming
 # a daemon
 devel = False
-if os.path.exists(os.path.join(os.path.dirname(__file__), "Makefile")):
+if os.path.exists(os.path.join(os.path.dirname(__file__), "Makefile.am")):
     devel = True
 
-if not devel:
-    sys.path.append("/usr/share/ipa/")
+sys.path.append("/usr/share/ipa/")
 
 # this must be after sys.path is changed to work correctly
 import pkg_resources
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071023/62aee10c/attachment.bin>

From ssorce at redhat.com  Tue Oct 23 16:20:16 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 23 Oct 2007 12:20:16 -0400
Subject: [Freeipa-devel] [PATCH] ldif and acis for config
In-Reply-To: <20071023155048.GB21877@moon.usersys.redhat.com>
References: <20071022210823.GD3841@moon.usersys.redhat.com>
	<1193091208.3167.269.camel@localhost.localdomain>
	<20071022232300.GE3841@moon.usersys.redhat.com>
	<1193152419.23200.12.camel@localhost.localdomain>
	<20071023155048.GB21877@moon.usersys.redhat.com>
Message-ID: <1193156416.23200.23.camel@localhost.localdomain>

On Tue, 2007-10-23 at 08:50 -0700, Kevin McCarthy wrote:
> Simo Sorce wrote:
> > On Mon, 2007-10-22 at 16:23 -0700, Kevin McCarthy wrote:
> > > Simo Sorce wrote:
> > 
> > > > > +dn: cn=global,cn=config,cn=etc,$SUFFIX
> > > > > +changetype: add
> > > > > +objectClass: top
> > > > > +objectClass: nsContainer
> > > > > +objectClass: extensibleObject
> > > > ----------------^^^^^^^^^^^^^^^
> > > > 
> > > > /me raise eyebrow, are you *sure* ? :)
> > > 
> > > 
> > > Nope, definitely not sure.  It would be better if there was some
> > > objectClass I could use to store:
> > > -name
> > > -value
> > > -comment
> > > 
> > > so each configuration could have their own entry with a comment.  Do you
> > > have any suggestions about how to do that?
> > 
> > Unfortunately this is a very hard thing with LDAP, and I guess on
> > purpose.
> > An object class like that could be done, but it would make sense for a
> > single conf option, as in LDAP multivalued attributes are not guaranteed
> > to keep contents in a specific order.
> > 
> > objectClass: nameValuePairs
> > name: string
> > name: number
> > name: bool
> > value: 1
> > value: hey
> > value: 42
> > comment: my favourite
> > comment: the answer
> > comment: default
> > 
> > You see? 
> > 
> > LDAP is schema, schema is LDAP ...
> 
> But is the order guaranteed?  I think the modlist code works with sets
> and is guaranteed to mess up the ordering on any updates...

No, this was exactly my point :-)
Look at the example to see if you think it is correctly ordered :-)

Simo.



From kmacmill at redhat.com  Tue Oct 23 16:41:11 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 23 Oct 2007 12:41:11 -0400
Subject: [Freeipa-devel] [PATCH] Print warning about NTP
In-Reply-To: <1193072484.3167.234.camel@localhost.localdomain>
References: <492654169fe314db9c93.1193068718@laptop.local>
	<1193072484.3167.234.camel@localhost.localdomain>
Message-ID: <1193157671.7758.7.camel@localhost.localdomain>

On Mon, 2007-10-22 at 13:01 -0400, Simo Sorce wrote:
> On Mon, 2007-10-22 at 11:58 -0400, Karl MacMillan wrote:
> > # HG changeset patch
> > # User "Karl MacMillan <kmacmill at redhat.com>"
> > # Date 1193068711 14400
> > # Node ID 492654169fe314db9c9324849e3e6c8657761c80
> > # Parent  f7f85a88b2b4c1f21a97348fc5237be473c3e2fa
> > Print warning about NTP
> > 
> > After looking into setting up ntpd on the IPA servers I decided it
> > was better just to warn admins. There are just too many valid setups
> > for time synchronization for us to try to get this right. Additionally,
> > just installing ntp and accepting the default config will result in
> > a configuration that is perfectly valid for IPA.
> > 
> > This patch checks if ntpd is running and suggests enabling it if it
> > is not - for client and server. It also adds some suggested next
> > steps to the server installation.
> 
> Should we add something in the bind zone we create to point at master
> serverts as ntp masters as well? IS there a specific SRV record for ntp
> servers ?
> 

Since we aren't configuring ntp, I don't think so.

Karl



From rcritten at redhat.com  Tue Oct 23 21:38:47 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 23 Oct 2007 17:38:47 -0400
Subject: [Freeipa-devel] [PATCH] fix webgui devel mode
In-Reply-To: <20071023160530.GA22720@moon.usersys.redhat.com>
References: <20071023160530.GA22720@moon.usersys.redhat.com>
Message-ID: <471E69E7.8040602@redhat.com>

Kevin McCarthy wrote:
> The recent refactor for ipa-python added a dependency on ipaserver
> inside ipacontroller.py
> 
> Unfortunately, ipaserver is only inside /usr/share/ipa
> 
> So, I've made /usr/share/ipa always included in the python path in order
> for the devel mode to work.
> 
> -Kevin
> 

Looks good.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071023/eaf0ee49/attachment.bin>

From kmccarth at redhat.com  Tue Oct 23 21:55:05 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 23 Oct 2007 14:55:05 -0700
Subject: [Freeipa-devel] [PATCH] fix webgui devel mode
In-Reply-To: <471E69E7.8040602@redhat.com>
References: <20071023160530.GA22720@moon.usersys.redhat.com>
	<471E69E7.8040602@redhat.com>
Message-ID: <20071023215504.GC22720@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> The recent refactor for ipa-python added a dependency on ipaserver
>> inside ipacontroller.py
>> Unfortunately, ipaserver is only inside /usr/share/ipa
>> So, I've made /usr/share/ipa always included in the python path in order
>> for the devel mode to work.
>> -Kevin
>
> Looks good.

pushed.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071023/221bd90d/attachment.bin>

From rcritten at redhat.com  Tue Oct 23 22:01:20 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 23 Oct 2007 18:01:20 -0400
Subject: [Freeipa-devel] [PATCH] ldif and acis for config
In-Reply-To: <1193152419.23200.12.camel@localhost.localdomain>
References: <20071022210823.GD3841@moon.usersys.redhat.com>	<1193091208.3167.269.camel@localhost.localdomain>	<20071022232300.GE3841@moon.usersys.redhat.com>
	<1193152419.23200.12.camel@localhost.localdomain>
Message-ID: <471E6F30.7040809@redhat.com>

Simo Sorce wrote:
> On Mon, 2007-10-22 at 16:23 -0700, Kevin McCarthy wrote:
>> Simo Sorce wrote:
> 
>>>> +dn: cn=global,cn=config,cn=etc,$SUFFIX
>>>> +changetype: add
>>>> +objectClass: top
>>>> +objectClass: nsContainer
>>>> +objectClass: extensibleObject
>>> ----------------^^^^^^^^^^^^^^^
>>>
>>> /me raise eyebrow, are you *sure* ? :)
>>
>> Nope, definitely not sure.  It would be better if there was some
>> objectClass I could use to store:
>> -name
>> -value
>> -comment
>>
>> so each configuration could have their own entry with a comment.  Do you
>> have any suggestions about how to do that?
> 
> Unfortunately this is a very hard thing with LDAP, and I guess on
> purpose.
> An object class like that could be done, but it would make sense for a
> single conf option, as in LDAP multivalued attributes are not guaranteed
> to keep contents in a specific order.
> 
> objectClass: nameValuePairs
> name: string
> name: number
> name: bool
> value: 1
> value: hey
> value: 42
> comment: my favourite
> comment: the answer
> comment: default
> 
> You see? 
> 
> LDAP is schema, schema is LDAP ...
> 
>>>> +cn: global
>>>> +userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
>>>> +searchTimeLimit: 2
>>>> +maxUidLength: 8
>>>> +passwordExpireNotifyDays: 7
>>> should we keep security policies and GUI configuration in different
>>> entries ?
>> Sure.  Are you thinking
>> cn=policy,cn=config,cn=etc...
>>   and
>> cn=gui,cn=config,cn=etc
>>
>> For me the passwordExpireNotifyDays was a parameter I was going to use
>> in the GUI - for when to show a message at the top of the page.
> 
> This may be policy or both, the problem is defining a decent structure
> for cn=etc, so different components knows what to look at and there is
> no ambiguity.
> 
> Should we also make clear that this tree is for IPA components only ?
> Or should we allow (as a guideline) third party apps to store configs
> there?
> In such case, we should define a clear way to create entries, so that we
> do not have name space conflicts or other ambiguities.
> 
>>>> +aci: (target="ldap:///cn=*,cn=config,cn=etc,$SUFFIX")(version 3.0;
>>>> acl "Enable anonymous access to config"; allow (read, search, compare)
>>>> userdn="ldap:///anyone";)
>>> Is this not readable right now already?
>>> /me can't remember if we are denying anonymous access right now.
>> Don't know.  I haven't written the code to try to read it just yet.
> 
> ldapsearch -x -h localhost -b cn=etc,<basedn>
> 
> Simo.
>

I think what we need is for someone with more LDAP experience to say 
"You need to use the 'foo' objectclass and put it in the tree 'here'."

Kevin and I aren't intimate with all the various object classes nor did 
we design the tree.

So somebody needs to step up and tell us where to put stuff and what to 
put it in. Otherwise we'll keep going through these iterations of us 
trying our best to pick a spot and an OC and getting told on the one 
hand that it won't work but on the other it might but not very nicely.

So the choices are be told how to do this or I'll put it into a flat 
file, and I'm not joking (nor am I particularly cranky, just weary of 
this constant back and forth about object classes and DNs).

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071023/35975bd9/attachment.bin>

From ssorce at redhat.com  Tue Oct 23 22:09:47 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 23 Oct 2007 18:09:47 -0400
Subject: [Freeipa-devel] [PATCH] ldif and acis for config
In-Reply-To: <471E6F30.7040809@redhat.com>
References: <20071022210823.GD3841@moon.usersys.redhat.com>
	<1193091208.3167.269.camel@localhost.localdomain>
	<20071022232300.GE3841@moon.usersys.redhat.com>
	<1193152419.23200.12.camel@localhost.localdomain>
	<471E6F30.7040809@redhat.com>
Message-ID: <1193177387.24962.7.camel@localhost.localdomain>

On Tue, 2007-10-23 at 18:01 -0400, Rob Crittenden wrote:
> I think what we need is for someone with more LDAP experience to say 
> "You need to use the 'foo' objectclass and put it in the tree 'here'."
> 
> Kevin and I aren't intimate with all the various object classes nor
> did 
> we design the tree.
> 
> So somebody needs to step up and tell us where to put stuff and what
> to 
> put it in. Otherwise we'll keep going through these iterations of us 
> trying our best to pick a spot and an OC and getting told on the one 
> hand that it won't work but on the other it might but not very nicely.
> 
> So the choices are be told how to do this or I'll put it into a flat 
> file, and I'm not joking (nor am I particularly cranky, just weary of 
> this constant back and forth about object classes and DNs). 

I will be more than pleased to help you.
But I need to know exactly what you want to put in there to be able to
tell you what objectclass to use, or even design one ad-hoc if nothing
suitable exists.

Simo.



From kmccarth at redhat.com  Tue Oct 23 22:21:17 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 23 Oct 2007 15:21:17 -0700
Subject: [Freeipa-devel] [PATCH] ldif and acis for config
In-Reply-To: <1193177387.24962.7.camel@localhost.localdomain>
References: <20071022210823.GD3841@moon.usersys.redhat.com>
	<1193091208.3167.269.camel@localhost.localdomain>
	<20071022232300.GE3841@moon.usersys.redhat.com>
	<1193152419.23200.12.camel@localhost.localdomain>
	<471E6F30.7040809@redhat.com>
	<1193177387.24962.7.camel@localhost.localdomain>
Message-ID: <20071023222117.GE22720@moon.usersys.redhat.com>

Simo Sorce wrote:
> On Tue, 2007-10-23 at 18:01 -0400, Rob Crittenden wrote:
> > I think what we need is for someone with more LDAP experience to say 
> > "You need to use the 'foo' objectclass and put it in the tree 'here'."
> > 
> > Kevin and I aren't intimate with all the various object classes nor
> > did 
> > we design the tree.
> > 
> > So somebody needs to step up and tell us where to put stuff and what
> > to 
> > put it in. Otherwise we'll keep going through these iterations of us 
> > trying our best to pick a spot and an OC and getting told on the one 
> > hand that it won't work but on the other it might but not very nicely.
> > 
> > So the choices are be told how to do this or I'll put it into a flat 
> > file, and I'm not joking (nor am I particularly cranky, just weary of 
> > this constant back and forth about object classes and DNs). 
> 
> I will be more than pleased to help you.
> But I need to know exactly what you want to put in there to be able to
> tell you what objectclass to use, or even design one ad-hoc if nothing
> suitable exists.

Hi Simo,

The webgui has limited needs - just a place to store key/value pairs.
The equivalent of a hash table stored in ldap.  The keys and values are
freeform.  For me, I don't care if it's one LDAP entry per key/value
pair, or we use an extensibleObject.  So the first problem is whether
there is an objectClass that supports a single key/value pair storage
per entry?

  dn=name=foo,.....,dc=freeipa,dc=org
  objectClass=???
  name=foo
  value=bar
  comment=foo is used for baz

  dn=name=yi,.....,dc=freeipa,dc=org
  objectClass=???
  name=er
  value=san
  comment=chinese numbers are fun

You raised some excellent points though - about local vs global, and
policy vs gui config values.  I don't think either Rob or have a good
idea how to design that.  We're looking to Pete/you for input as to a
good hierarchy for that.  So the second question is, where exactly
should we put the webgui entries in the hierarchy?  Should we even worry
about global/local for now?

-Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071023/0c9e12a9/attachment.bin>

From kmccarth at redhat.com  Tue Oct 23 23:04:58 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 23 Oct 2007 16:04:58 -0700
Subject: [Freeipa-devel] [PATCH] add group inactivation
Message-ID: <20071023230458.GF22720@moon.usersys.redhat.com>

This adds the same inactivation code for users to the groups pages.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1193180611 25200
# Node ID ba1cfe1ec9043c581a7cbb5ad6d2cfc472e9a7eb
# Parent  f80f449a54d241db1bfb675a637bd7a24f745d43
Add group inactivation select list to web gui.

diff -r f80f449a54d2 -r ba1cfe1ec904 ipa-server/ipa-gui/ipagui/forms/group.py
--- a/ipa-server/ipa-gui/ipagui/forms/group.py	Tue Oct 23 15:36:52 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/forms/group.py	Tue Oct 23 16:03:31 2007 -0700
@@ -5,6 +5,10 @@ class GroupFields():
     cn = widgets.TextField(name="cn", label="Name")
     gidnumber = widgets.TextField(name="gidnumber", label="GID")
     description = widgets.TextField(name="description", label="Description")
+
+    nsAccountLock = widgets.SingleSelectField(name="nsAccountLock",
+            label="Account Status",
+            options = [("", "active"), ("true", "inactive")])
 
     cn_hidden = widgets.HiddenField(name="cn")
     editprotected_hidden = widgets.HiddenField(name="editprotected")
diff -r f80f449a54d2 -r ba1cfe1ec904 ipa-server/ipa-gui/ipagui/helpers/ipahelper.py
--- a/ipa-server/ipa-gui/ipagui/helpers/ipahelper.py	Tue Oct 23 15:36:52 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/helpers/ipahelper.py	Tue Oct 23 16:03:31 2007 -0700
@@ -7,3 +7,9 @@ def javascript_string_escape(input):
     return re.sub(r'[\'\"\\]',
             lambda match: "\\%s" % match.group(),
             input)
+
+def account_status_display(status):
+    if status == "true":
+        return "inactive"
+    else:
+        return "active"
diff -r f80f449a54d2 -r ba1cfe1ec904 ipa-server/ipa-gui/ipagui/helpers/userhelper.py
--- a/ipa-server/ipa-gui/ipagui/helpers/userhelper.py	Tue Oct 23 15:36:52 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/helpers/userhelper.py	Tue Oct 23 16:03:31 2007 -0700
@@ -21,9 +21,3 @@ def password_is_expired(days):
 
 def password_expires_soon(days):
     return (not password_is_expired(days)) and (days < 7)
-
-def account_status_display(status):
-    if status == "true":
-        return "inactive"
-    else:
-        return "active"
diff -r f80f449a54d2 -r ba1cfe1ec904 ipa-server/ipa-gui/ipagui/subcontrollers/group.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py	Tue Oct 23 15:36:52 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py	Tue Oct 23 16:03:31 2007 -0700
@@ -22,7 +22,7 @@ group_new_form = ipagui.forms.group.Grou
 group_new_form = ipagui.forms.group.GroupNewForm()
 group_edit_form = ipagui.forms.group.GroupEditForm()
 
-group_fields = ['*']
+group_fields = ['*', 'nsAccountLock']
 
 class GroupController(IPAController):
 
@@ -73,6 +73,9 @@ class GroupController(IPAController):
             new_group = ipa.group.Group()
             new_group.setValue('cn', kw.get('cn'))
             new_group.setValue('description', kw.get('description'))
+
+            if kw.get('nsAccountLock'):
+                new_group.setValue('nsAccountLock', 'true')
 
             rv = client.add_group(new_group)
         except ipaerror.exception_for(ipaerror.LDAP_DUPLICATE):
@@ -245,23 +248,28 @@ class GroupController(IPAController):
             orig_group_dict = loads(b64decode(kw.get('group_orig')))
 
             new_group = ipa.group.Group(orig_group_dict)
-            if new_group.description != kw.get('description'):
-                group_modified = True
-                new_group.setValue('description', kw.get('description'))
+
+            new_group.setValue('description', kw.get('description'))
+
             if kw.get('editprotected') == 'true':
                 new_gid = str(kw.get('gidnumber'))
-                if new_group.gidnumber != new_gid:
-                    group_modified = True
-                    new_group.setValue('gidnumber', new_gid)
-
-            if group_modified:
-                rv = client.update_group(new_group)
-                #
-                # If the group update succeeds, but below operations fail, we
-                # need to make sure a subsequent submit doesn't try to update
-                # the group again.
-                #
-                kw['group_orig'] = b64encode(dumps(new_group.toDict()))
+                new_group.setValue('gidnumber', new_gid)
+
+            if kw.get('nsAccountLock'):
+                new_group.setValue('nsAccountLock', 'true')
+            else:
+                new_group.setValue('nsAccountLock', None)
+
+            rv = client.update_group(new_group)
+            group_modified = True
+            #
+            # If the group update succeeds, but below operations fail, we
+            # need to make sure a subsequent submit doesn't try to update
+            # the group again.
+            #
+            kw['group_orig'] = b64encode(dumps(new_group.toDict()))
+        except ipaerror.exception_for(ipaerror.LDAP_EMPTY_MODLIST), e:
+            pass
         except ipaerror.IPAError, e:
             turbogears.flash("Group update failed: " + str(e))
             return dict(form=group_edit_form, group=kw, members=member_dicts,
diff -r f80f449a54d2 -r ba1cfe1ec904 ipa-server/ipa-gui/ipagui/templates/groupeditform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid	Tue Oct 23 15:36:52 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid	Tue Oct 23 16:03:31 2007 -0700
@@ -94,6 +94,18 @@ from ipagui.helpers import ipahelper
           <script type="text/javascript">
               document.getElementById('form_gidnumber').disabled = true;
           </script>
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${group.nsAccountLock.field_id}"
+            py:content="group.nsAccountLock.label" />:
+        </th>
+        <td>
+          <span py:replace="group.nsAccountLock.display(value_for(group.nsAccountLock))" />
+          <span py:if="tg.errors.get('nsAccountLock')" class="fielderror"
+                    py:content="tg.errors.get('nsAccountLock')" />
         </td>
       </tr>
     </table>
diff -r f80f449a54d2 -r ba1cfe1ec904 ipa-server/ipa-gui/ipagui/templates/groupnewform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/groupnewform.kid	Tue Oct 23 15:36:52 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/groupnewform.kid	Tue Oct 23 16:03:31 2007 -0700
@@ -73,6 +73,18 @@ from ipagui.helpers import ipahelper
           Generated by server
         </td>
       </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${group.nsAccountLock.field_id}"
+            py:content="group.nsAccountLock.label" />:
+        </th>
+        <td>
+          <span py:replace="group.nsAccountLock.display(value_for(group.nsAccountLock))" />
+          <span py:if="tg.errors.get('nsAccountLock')" class="fielderror"
+                    py:content="tg.errors.get('nsAccountLock')" />
+        </td>
+      </tr>
     </table>
 
     <div style="clear:both">
diff -r f80f449a54d2 -r ba1cfe1ec904 ipa-server/ipa-gui/ipagui/templates/groupshow.kid
--- a/ipa-server/ipa-gui/ipagui/templates/groupshow.kid	Tue Oct 23 15:36:52 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/groupshow.kid	Tue Oct 23 16:03:31 2007 -0700
@@ -7,6 +7,8 @@
 </head>
 <body>
 <?python
+from ipagui.helpers import ipahelper
+
 edit_url = tg.url('/group/edit', cn=group.get('cn'))
 ?>
     <h2>View Group</h2>
@@ -36,6 +38,13 @@ edit_url = tg.url('/group/edit', cn=grou
             <label class="fieldlabel" py:content="fields.gidnumber.label" />:
           </th>
           <td>${group.get("gidnumber")}</td>
+        </tr>
+
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.nsAccountLock.label" />:
+          </th>
+          <td>${ipahelper.account_status_display(group.get("nsAccountLock"))}</td>
         </tr>
     </table>
 
diff -r f80f449a54d2 -r ba1cfe1ec904 ipa-server/ipa-gui/ipagui/templates/usershow.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usershow.kid	Tue Oct 23 15:36:52 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usershow.kid	Tue Oct 23 16:03:31 2007 -0700
@@ -17,6 +17,7 @@ edit_url = tg.url('/user/edit', uid=user
 
 <?python
 from ipagui.helpers import userhelper
+from ipagui.helpers import ipahelper
 pw_expires_days = userhelper.password_expires_in(user.get("krbPasswordExpiration"))
 pw_expires_soon = userhelper.password_expires_soon(pw_expires_days)
 pw_is_expired = userhelper.password_is_expired(pw_expires_days)
@@ -79,7 +80,7 @@ else:
           <th>
             <label class="fieldlabel" py:content="fields.nsAccountLock.label" />:
           </th>
-          <td>${userhelper.account_status_display(user.get("nsAccountLock"))}</td>
+          <td>${ipahelper.account_status_display(user.get("nsAccountLock"))}</td>
         </tr>
         <tr>
           <th>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071023/d30545ca/attachment.bin>

From kmccarth at redhat.com  Tue Oct 23 23:49:51 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Tue, 23 Oct 2007 16:49:51 -0700
Subject: [Freeipa-devel] [PATCH] user and group deletion
Message-ID: <20071023234951.GG22720@moon.usersys.redhat.com>

This adds user and group deletion to the gui.

It sidesteps the issues of:
1) What if the user is a manager or secretary of another user
2) What if the user is a member of a group
3) What if the group is a member of a group.

I'm assuming these kinds of things will be solved with a server-side
plugin.

The patch also fixes a bug with add user brought on by the
manager/secretary patch.  Apparently hidden fields don't have a "" value
by default and so were passing none if not set.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1193183210 25200
# Node ID 01dc1360f0471de7086ef363c61548dd9af59954
# Parent  ba1cfe1ec9043c581a7cbb5ad6d2cfc472e9a7eb
Add delete user and group to webgui.
NOTE: this doesn't handle referential integrity.

diff -r ba1cfe1ec904 -r 01dc1360f047 ipa-python/ipaclient.py
--- a/ipa-python/ipaclient.py	Tue Oct 23 16:03:31 2007 -0700
+++ b/ipa-python/ipaclient.py	Tue Oct 23 16:46:50 2007 -0700
@@ -299,10 +299,10 @@ class IPAClient:
 
         return self.transport.update_group(group.origDataDict(), group.toDict())
 
-    def delete_group(self,group_cn):
+    def delete_group(self,group_dn):
         """Delete a group entry."""
 
-        return self.transport.delete_group(group_cn)
+        return self.transport.delete_group(group_dn)
 
     def add_group_to_group(self, group_cn, tgroup_cn):
         """Add a group to an existing group.
diff -r ba1cfe1ec904 -r 01dc1360f047 ipa-python/rpcclient.py
--- a/ipa-python/rpcclient.py	Tue Oct 23 16:03:31 2007 -0700
+++ b/ipa-python/rpcclient.py	Tue Oct 23 16:46:50 2007 -0700
@@ -534,12 +534,12 @@ class RPCClient:
 
         return ipautil.unwrap_binary_data(result)
 
-    def delete_group(self,group_cn):
-        """Delete a group. group_cn is the cn of the group to be deleted."""
-        server = self.setup_server()
-    
-        try:
-            result = server.delete_group(group_cn)
+    def delete_group(self,group_dn):
+        """Delete a group. group_dn is the dn of the group to be deleted."""
+        server = self.setup_server()
+    
+        try:
+            result = server.delete_group(group_dn)
         except xmlrpclib.Fault, fault:
             raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
         except socket.error, (value, msg):
diff -r ba1cfe1ec904 -r 01dc1360f047 ipa-server/ipa-gui/ipagui/subcontrollers/group.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py	Tue Oct 23 16:03:31 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py	Tue Oct 23 16:46:50 2007 -0700
@@ -388,6 +388,22 @@ class GroupController(IPAController):
             turbogears.flash("Group show failed: " + str(e))
             raise turbogears.redirect("/")
 
+    @expose()
+    @identity.require(identity.not_anonymous())
+    def delete(self, dn):
+        """Delete group."""
+        self.restrict_post()
+        client = self.get_ipaclient()
+
+        try:
+            client.delete_group(dn)
+
+            turbogears.flash("group deleted")
+            raise turbogears.redirect('/group/list')
+        except (SyntaxError, ipaerror.IPAError), e:
+            turbogears.flash("Group deletion failed: " + str(e) + "<br/>" + str(e.detail))
+            raise turbogears.redirect('/group/list')
+
     @validate(form=group_new_form)
     @identity.require(identity.not_anonymous())
     def groupcreatevalidate(self, tg_errors=None, **kw):
diff -r ba1cfe1ec904 -r 01dc1360f047 ipa-server/ipa-gui/ipagui/subcontrollers/user.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py	Tue Oct 23 16:03:31 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py	Tue Oct 23 16:46:50 2007 -0700
@@ -97,9 +97,11 @@ class UserController(IPAController):
             new_user.setValue('businesscategory', kw.get('businesscategory'))
             new_user.setValue('description', kw.get('description'))
             new_user.setValue('employeetype', kw.get('employeetype'))
-            new_user.setValue('manager', kw.get('manager'))
+            if kw.get('manager'):
+                new_user.setValue('manager', kw.get('manager'))
             new_user.setValue('roomnumber', kw.get('roomnumber'))
-            new_user.setValue('secretary', kw.get('secretary'))
+            if kw.get('secretary'):
+                new_user.setValue('secretary', kw.get('secretary'))
 
             new_user.setValue('carlicense', kw.get('carlicense'))
             new_user.setValue('labeleduri', kw.get('labeleduri'))
@@ -467,6 +469,22 @@ class UserController(IPAController):
             turbogears.flash("User show failed: " + str(e))
             raise turbogears.redirect("/")
 
+    @expose()
+    @identity.require(identity.not_anonymous())
+    def delete(self, uid):
+        """Delete user."""
+        self.restrict_post()
+        client = self.get_ipaclient()
+
+        try:
+            client.delete_user(uid)
+
+            turbogears.flash("user deleted")
+            raise turbogears.redirect('/user/list')
+        except (SyntaxError, ipaerror.IPAError), e:
+            turbogears.flash("User deletion failed: " + str(e))
+            raise turbogears.redirect('/user/list')
+
     @validate(form=user_new_form)
     @identity.require(identity.not_anonymous())
     def usercreatevalidate(self, tg_errors=None, **kw):
diff -r ba1cfe1ec904 -r 01dc1360f047 ipa-server/ipa-gui/ipagui/templates/groupeditform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid	Tue Oct 23 16:03:31 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid	Tue Oct 23 16:46:50 2007 -0700
@@ -1,5 +1,11 @@
 <div xmlns:py="http://purl.org/kid/ns#"
   class="simpleroster">
+
+  <form style="display:none" id='deleteform'
+    method="post" action="${tg.url('/group/delete')}">
+    <input type="hidden" name="dn" value="${value.get('dn')}" />
+  </form>
+
   <form action="${action}" name="${name}" method="${method}" class="tableform"
       onsubmit="preSubmit()" >
 
@@ -12,6 +18,14 @@
         <td>
           <input type="submit" class="submitbutton" name="submit"
               value="Cancel Edit" />
+        </td>
+        <td>
+          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
+          <input type="button" class="deletebutton"
+                 value="Delete Group"
+                 onclick="return confirmDelete();"
+                 />
+          <br/><br/>
         </td>
       </tr>
     </table>
@@ -44,6 +58,13 @@ from ipagui.helpers import ipahelper
           {  asynchronous:true,
              parameters: { criteria: $('criteria').value },
              evalScripts: true });
+      return false;
+    }
+
+    function confirmDelete() {
+      if (confirm("Are you sure you want to delete this group?")) {
+        $('deleteform').submit();
+      }
       return false;
     }
   </script>
@@ -200,6 +221,14 @@ from ipagui.helpers import ipahelper
           <input type="submit" class="submitbutton" name="submit"
               value="Cancel Edit" />
         </td>
+        <td>
+          <br />
+          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
+          <input type="button" class="deletebutton"
+                 value="Delete Group"
+                 onclick="return confirmDelete();"
+                 />
+        </td>
       </tr>
     </table>
 
diff -r ba1cfe1ec904 -r 01dc1360f047 ipa-server/ipa-gui/ipagui/templates/usereditform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usereditform.kid	Tue Oct 23 16:03:31 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usereditform.kid	Tue Oct 23 16:46:50 2007 -0700
@@ -1,5 +1,11 @@
 <div xmlns:py="http://purl.org/kid/ns#"
   class="simpleroster">
+
+  <form style="display:none" id='deleteform'
+    method="post" action="${tg.url('/user/delete')}">
+    <input type="hidden" name="uid" value="${value.get('uid')}" />
+  </form>
+
   <form action="${action}" name="${name}" method="${method}" class="tableform"
     onsubmit="preSubmit()">
 
@@ -13,7 +19,13 @@
           <input type="submit" class="submitbutton" name="submit"
               value="Cancel Edit" />
         </td>
-        <td></td>
+        <td>
+          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
+          <input type="button" class="deletebutton"
+                 value="Delete Person"
+                 onclick="return confirmDelete();"
+                 />
+        </td>
       </tr>
     </table>
 
@@ -84,6 +96,13 @@ from ipagui.helpers import ipahelper
              evalScripts: true });
       return false;
     }
+
+    function confirmDelete() {
+      if (confirm("Are you sure you want to delete this person?")) {
+        $('deleteform').submit();
+      }
+      return false;
+    }
   </script>
 
 
@@ -698,7 +717,14 @@ from ipagui.helpers import ipahelper
           <input type="submit" class="submitbutton" name="submit"
               value="Cancel Edit" />
         </td>
-        <td></td>
+        <td>
+          <br />
+          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
+          <input type="button" class="deletebutton"
+                 value="Delete Person"
+                 onclick="return confirmDelete();"
+                 />
+        </td>
       </tr>
     </table>
 
diff -r ba1cfe1ec904 -r 01dc1360f047 ipa-server/xmlrpc-server/funcs.py
--- a/ipa-server/xmlrpc-server/funcs.py	Tue Oct 23 16:03:31 2007 -0700
+++ b/ipa-server/xmlrpc-server/funcs.py	Tue Oct 23 16:46:50 2007 -0700
@@ -1013,13 +1013,12 @@ class IPAServer:
            groups.
         """
         group = self.get_entry_by_dn(group_dn, ['dn', 'cn'], opts)
-
-        if len(group) != 1:
+        if group is None:
             raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
 
         conn = self.getConnection(opts)
         try:
-            res = conn.deleteEntry(group[0]['dn'])
+            res = conn.deleteEntry(group_dn)
         finally:
             self.releaseConnection(conn)
         return res
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071023/46f83db3/attachment.bin>

From rcritten at redhat.com  Wed Oct 24 12:53:18 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Oct 2007 08:53:18 -0400
Subject: [Freeipa-devel] [PATCH] add group inactivation
In-Reply-To: <20071023230458.GF22720@moon.usersys.redhat.com>
References: <20071023230458.GF22720@moon.usersys.redhat.com>
Message-ID: <471F403E.8040201@redhat.com>

Kevin McCarthy wrote:
> This adds the same inactivation code for users to the groups pages.
> 
> -Kevin
> 

I had wondered about this. What does it mean to have an inactive 
objects. Currently the cli group delete command actually deletes the 
group. I suppose it should do the same thing as the GUI.

On a more general note, will ACI's automatically reject requests when 
nsAccountLock is set?

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071024/77b7898a/attachment.bin>

From ssorce at redhat.com  Wed Oct 24 13:36:09 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 24 Oct 2007 09:36:09 -0400
Subject: [Freeipa-devel] [PATCH] add group inactivation
In-Reply-To: <471F403E.8040201@redhat.com>
References: <20071023230458.GF22720@moon.usersys.redhat.com>
	<471F403E.8040201@redhat.com>
Message-ID: <1193232969.24962.27.camel@localhost.localdomain>

On Wed, 2007-10-24 at 08:53 -0400, Rob Crittenden wrote:
> Kevin McCarthy wrote:
> > This adds the same inactivation code for users to the groups pages.
> > 
> > -Kevin
> > 
> 
> I had wondered about this. What does it mean to have an inactive 
> objects. Currently the cli group delete command actually deletes the 
> group. I suppose it should do the same thing as the GUI.
> 
> On a more general note, will ACI's automatically reject requests when 
> nsAccountLock is set?

I was wondering as well, I can't remember talking about group
deactivation ...

Simo.



From ssorce at redhat.com  Wed Oct 24 13:41:18 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 24 Oct 2007 09:41:18 -0400
Subject: [Freeipa-devel] [PATCH] ldif and acis for config
In-Reply-To: <20071023222117.GE22720@moon.usersys.redhat.com>
References: <20071022210823.GD3841@moon.usersys.redhat.com>
	<1193091208.3167.269.camel@localhost.localdomain>
	<20071022232300.GE3841@moon.usersys.redhat.com>
	<1193152419.23200.12.camel@localhost.localdomain>
	<471E6F30.7040809@redhat.com>
	<1193177387.24962.7.camel@localhost.localdomain>
	<20071023222117.GE22720@moon.usersys.redhat.com>
Message-ID: <1193233278.24962.33.camel@localhost.localdomain>

On Tue, 2007-10-23 at 15:21 -0700, Kevin McCarthy wrote:
> Hi Simo,
> 
> The webgui has limited needs - just a place to store key/value pairs.
> The equivalent of a hash table stored in ldap.  The keys and values
> are
> freeform.  For me, I don't care if it's one LDAP entry per key/value
> pair, or we use an extensibleObject.

LDAP does not work this way, and I'd avoid doing something like that if
possible.

>   So the first problem is whether
> there is an objectClass that supports a single key/value pair storage
> per entry?

No this is the last question after all the normal options have been
deemed not appropriate.

>   dn=name=foo,.....,dc=freeipa,dc=org
>   objectClass=???
>   name=foo
>   value=bar
>   comment=foo is used for baz
> 
>   dn=name=yi,.....,dc=freeipa,dc=org
>   objectClass=???
>   name=er
>   value=san
>   comment=chinese numbers are fun

This way of handling things have huge problems.

1. No way to control the attribute value syntax.
2. No way to search all options with a single query on an object
3. Uncontrollable proliferation of objects
4. impossible to validate syntax of both attribute names and values


Can you list exactly what you would like to set in conf options for real
so that we can evaluate why you are asking for this kind of schema?

> You raised some excellent points though - about local vs global, and
> policy vs gui config values.  I don't think either Rob or have a good
> idea how to design that.  We're looking to Pete/you for input as to a
> good hierarchy for that.  So the second question is, where exactly
> should we put the webgui entries in the hierarchy?  Should we even
> worry
> about global/local for now?

Yes we should, things can't be easily changed later, but the hierarchy
thing is not a real problem just make your code configurable so that you
can pass an arbitrary base dn.
I am more worried about your request to be free from a schema.

Simo.



From kmacmill at redhat.com  Wed Oct 24 14:10:38 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 24 Oct 2007 10:10:38 -0400
Subject: [Freeipa-devel] [PATCH] Handle selinux failure
Message-ID: <9ff6cec98d764acbaefe.1193235038@localhost.localdomain>

# HG changeset patch
# User "Karl MacMillan <kmacmill at redhat.com>"
# Date 1193235029 14400
# Node ID 9ff6cec98d764acbaefe915e0da63d29cd72cea1
# Parent  d474654ca48ff4d36dffca6a94ac88ed0e441586
Handle selinux failure

Ignore errors if setsebool fails and print a warning.

diff -r d474654ca48f -r 9ff6cec98d76 ipa-server/ipa-install/ipa-server-install
--- a/ipa-server/ipa-install/ipa-server-install	Wed Oct 24 10:04:43 2007 -0400
+++ b/ipa-server/ipa-install/ipa-server-install	Wed Oct 24 10:10:29 2007 -0400
@@ -554,7 +554,16 @@ def main():
 
         if selinux:
             # Allow apache to connect to the turbogears web gui
-            run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
+            # This can still fail even if selinux is enabled
+            try:
+                run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
+            except:
+                print "WARNING: could not set selinux boolean httpd_can_network_connect to true."
+                print "The web interface may not function correctly until this boolean is"
+                print "successfully change with the command:"
+                print "   /usr/sbin/setsebool -P httpd_can_network_connect true"
+                print "Try updating the policycoreutils and selinux-policy packages."
+                pass
 
         # Start the web gui
         run(["/sbin/service", "ipa-webgui", "start"])



From ssorce at redhat.com  Wed Oct 24 14:38:44 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 24 Oct 2007 10:38:44 -0400
Subject: [Freeipa-devel] [PATCH] Handle selinux failure
In-Reply-To: <9ff6cec98d764acbaefe.1193235038@localhost.localdomain>
References: <9ff6cec98d764acbaefe.1193235038@localhost.localdomain>
Message-ID: <1193236724.24962.39.camel@localhost.localdomain>

On Wed, 2007-10-24 at 10:10 -0400, Karl MacMillan wrote:
> # HG changeset patch
> # User "Karl MacMillan <kmacmill at redhat.com>"
> # Date 1193235029 14400
> # Node ID 9ff6cec98d764acbaefe915e0da63d29cd72cea1
> # Parent  d474654ca48ff4d36dffca6a94ac88ed0e441586
> Handle selinux failure
> 
> Ignore errors if setsebool fails and print a warning.

good



From kmccarth at redhat.com  Wed Oct 24 15:16:42 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Wed, 24 Oct 2007 08:16:42 -0700
Subject: [Freeipa-devel] [PATCH] ldif and acis for config
In-Reply-To: <1193233278.24962.33.camel@localhost.localdomain>
References: <20071022210823.GD3841@moon.usersys.redhat.com>
	<1193091208.3167.269.camel@localhost.localdomain>
	<20071022232300.GE3841@moon.usersys.redhat.com>
	<1193152419.23200.12.camel@localhost.localdomain>
	<471E6F30.7040809@redhat.com>
	<1193177387.24962.7.camel@localhost.localdomain>
	<20071023222117.GE22720@moon.usersys.redhat.com>
	<1193233278.24962.33.camel@localhost.localdomain>
Message-ID: <20071024151641.GA16414@moon.usersys.redhat.com>

Simo Sorce wrote:
> On Tue, 2007-10-23 at 15:21 -0700, Kevin McCarthy wrote:
> >   dn=name=yi,.....,dc=freeipa,dc=org
> >   objectClass=???
> >   name=er
> >   value=san
> >   comment=chinese numbers are fun
> 
> This way of handling things have huge problems.
> 
> 1. No way to control the attribute value syntax.
> 2. No way to search all options with a single query on an object
> 3. Uncontrollable proliferation of objects
> 4. impossible to validate syntax of both attribute names and values
> 
> Can you list exactly what you would like to set in conf options for real
> so that we can evaluate why you are asking for this kind of schema?

Sure, some of the values we want to store were in the patch starting
this thread:

userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
searchTimeLimit: 2
maxUidLength: 8
passwordExpireNotifyDays: 7

I'm sure there will be others.

The idea was just to take miscellaneous configs from webgui code out of
the code and into an externally modifiable place.

However, if it's that big of a headache I'm inclined to just leave them
in the code!  :-)

In all seriousness, I think you and Pete need to chat and work out
something with Rob.  I think it will take a bit more time to think this
through and I'm not sure it's worth it for Milestone 5 or V1.

-Kevin

> 
> > You raised some excellent points though - about local vs global, and
> > policy vs gui config values.  I don't think either Rob or have a good
> > idea how to design that.  We're looking to Pete/you for input as to a
> > good hierarchy for that.  So the second question is, where exactly
> > should we put the webgui entries in the hierarchy?  Should we even
> > worry
> > about global/local for now?
> 
> Yes we should, things can't be easily changed later, but the hierarchy
> thing is not a real problem just make your code configurable so that you
> can pass an arbitrary base dn.
> I am more worried about your request to be free from a schema.
> 
> Simo.
> 
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071024/d265f30e/attachment.bin>

From kmccarth at redhat.com  Wed Oct 24 15:19:43 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Wed, 24 Oct 2007 08:19:43 -0700
Subject: [Freeipa-devel] [PATCH] add group inactivation
In-Reply-To: <1193232969.24962.27.camel@localhost.localdomain>
References: <20071023230458.GF22720@moon.usersys.redhat.com>
	<471F403E.8040201@redhat.com>
	<1193232969.24962.27.camel@localhost.localdomain>
Message-ID: <20071024151943.GB16414@moon.usersys.redhat.com>

Simo Sorce wrote:
> On Wed, 2007-10-24 at 08:53 -0400, Rob Crittenden wrote:
> > Kevin McCarthy wrote:
> > > This adds the same inactivation code for users to the groups pages.
> > > 
> > > -Kevin
> > > 
> > 
> > I had wondered about this. What does it mean to have an inactive 
> > objects. Currently the cli group delete command actually deletes the 
> > group. I suppose it should do the same thing as the GUI.
> > 
> > On a more general note, will ACI's automatically reject requests when 
> > nsAccountLock is set?
> 
> I was wondering as well, I can't remember talking about group
> deactivation ...

I'm not sure what it means either.  I only added this because of Req21.5
http://www.freeipa.com/page/V1PRD#.5BReq21.5DAdministrator_Management_of_Groups

however, not that I'm thinking about it, maybe it means inactivate all
the _users_ in the group.  not the group itself.

No problem, just drop this patch then.  :-)

-Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071024/495ab584/attachment.bin>

From ssorce at redhat.com  Wed Oct 24 15:25:39 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 24 Oct 2007 11:25:39 -0400
Subject: [Freeipa-devel] [PATCH] add group inactivation
In-Reply-To: <20071024151943.GB16414@moon.usersys.redhat.com>
References: <20071023230458.GF22720@moon.usersys.redhat.com>
	<471F403E.8040201@redhat.com>
	<1193232969.24962.27.camel@localhost.localdomain>
	<20071024151943.GB16414@moon.usersys.redhat.com>
Message-ID: <1193239539.24962.41.camel@localhost.localdomain>

On Wed, 2007-10-24 at 08:19 -0700, Kevin McCarthy wrote:
> Simo Sorce wrote:
> > On Wed, 2007-10-24 at 08:53 -0400, Rob Crittenden wrote:
> > > Kevin McCarthy wrote:
> > > > This adds the same inactivation code for users to the groups pages.
> > > > 
> > > > -Kevin
> > > > 
> > > 
> > > I had wondered about this. What does it mean to have an inactive 
> > > objects. Currently the cli group delete command actually deletes the 
> > > group. I suppose it should do the same thing as the GUI.
> > > 
> > > On a more general note, will ACI's automatically reject requests when 
> > > nsAccountLock is set?
> > 
> > I was wondering as well, I can't remember talking about group
> > deactivation ...
> 
> I'm not sure what it means either.  I only added this because of Req21.5
> http://www.freeipa.com/page/V1PRD#.5BReq21.5DAdministrator_Management_of_Groups
> 
> however, not that I'm thinking about it, maybe it means inactivate all
> the _users_ in the group.  not the group itself.

Yes, I think that's what it means.

> No problem, just drop this patch then.  :-)

Ok.



From ssorce at redhat.com  Wed Oct 24 15:26:34 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 24 Oct 2007 11:26:34 -0400
Subject: [Freeipa-devel] [PATCH] ldif and acis for config
In-Reply-To: <20071024151641.GA16414@moon.usersys.redhat.com>
References: <20071022210823.GD3841@moon.usersys.redhat.com>
	<1193091208.3167.269.camel@localhost.localdomain>
	<20071022232300.GE3841@moon.usersys.redhat.com>
	<1193152419.23200.12.camel@localhost.localdomain>
	<471E6F30.7040809@redhat.com>
	<1193177387.24962.7.camel@localhost.localdomain>
	<20071023222117.GE22720@moon.usersys.redhat.com>
	<1193233278.24962.33.camel@localhost.localdomain>
	<20071024151641.GA16414@moon.usersys.redhat.com>
Message-ID: <1193239594.24962.43.camel@localhost.localdomain>

On Wed, 2007-10-24 at 08:16 -0700, Kevin McCarthy wrote:
> The idea was just to take miscellaneous configs from webgui code out
> of
> the code and into an externally modifiable place.
> 
> However, if it's that big of a headache I'm inclined to just leave
> them
> in the code!  :-)
> 
> In all seriousness, I think you and Pete need to chat and work out
> something with Rob.  I think it will take a bit more time to think
> this
> through and I'm not sure it's worth it for Milestone 5 or V1.

I agree.

Simo.



From kmacmill at redhat.com  Wed Oct 24 15:30:05 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 24 Oct 2007 11:30:05 -0400
Subject: [Freeipa-devel] [PATCH] ldif and acis for config
In-Reply-To: <1193239594.24962.43.camel@localhost.localdomain>
References: <20071022210823.GD3841@moon.usersys.redhat.com>
	<1193091208.3167.269.camel@localhost.localdomain>
	<20071022232300.GE3841@moon.usersys.redhat.com>
	<1193152419.23200.12.camel@localhost.localdomain>
	<471E6F30.7040809@redhat.com>
	<1193177387.24962.7.camel@localhost.localdomain>
	<20071023222117.GE22720@moon.usersys.redhat.com>
	<1193233278.24962.33.camel@localhost.localdomain>
	<20071024151641.GA16414@moon.usersys.redhat.com>
	<1193239594.24962.43.camel@localhost.localdomain>
Message-ID: <1193239805.2892.90.camel@localhost.localdomain>

On Wed, 2007-10-24 at 11:26 -0400, Simo Sorce wrote:
> On Wed, 2007-10-24 at 08:16 -0700, Kevin McCarthy wrote:
> > The idea was just to take miscellaneous configs from webgui code out
> > of
> > the code and into an externally modifiable place.
> > 
> > However, if it's that big of a headache I'm inclined to just leave
> > them
> > in the code!  :-)
> > 
> > In all seriousness, I think you and Pete need to chat and work out
> > something with Rob.  I think it will take a bit more time to think
> > this
> > through and I'm not sure it's worth it for Milestone 5 or V1.
> 
> I agree.
> 

Except we are going to be in bug-fix only mode after milestone 5 . . .

Karl



From rcritten at redhat.com  Wed Oct 24 15:37:32 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Oct 2007 11:37:32 -0400
Subject: [Freeipa-devel] [PATCH] Handle selinux failure
In-Reply-To: <9ff6cec98d764acbaefe.1193235038@localhost.localdomain>
References: <9ff6cec98d764acbaefe.1193235038@localhost.localdomain>
Message-ID: <471F66BC.1090909@redhat.com>

Karl MacMillan wrote:
> # HG changeset patch
> # User "Karl MacMillan <kmacmill at redhat.com>"
> # Date 1193235029 14400
> # Node ID 9ff6cec98d764acbaefe915e0da63d29cd72cea1
> # Parent  d474654ca48ff4d36dffca6a94ac88ed0e441586
> Handle selinux failure
> 
> Ignore errors if setsebool fails and print a warning.
> 
> diff -r d474654ca48f -r 9ff6cec98d76 ipa-server/ipa-install/ipa-server-install
> --- a/ipa-server/ipa-install/ipa-server-install	Wed Oct 24 10:04:43 2007 -0400
> +++ b/ipa-server/ipa-install/ipa-server-install	Wed Oct 24 10:10:29 2007 -0400
> @@ -554,7 +554,16 @@ def main():
>  
>          if selinux:
>              # Allow apache to connect to the turbogears web gui
> -            run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
> +            # This can still fail even if selinux is enabled
> +            try:
> +                run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
> +            except:
> +                print "WARNING: could not set selinux boolean httpd_can_network_connect to true."
> +                print "The web interface may not function correctly until this boolean is"
> +                print "successfully change with the command:"
> +                print "   /usr/sbin/setsebool -P httpd_can_network_connect true"
> +                print "Try updating the policycoreutils and selinux-policy packages."
> +                pass
>  
>          # Start the web gui
>          run(["/sbin/service", "ipa-webgui", "start"])

Um, shouldn't we just have some minimum required version? If we know a 
setup isn't going to work should we really let them proceed?

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071024/a7904472/attachment.bin>

From rcritten at redhat.com  Wed Oct 24 15:41:33 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Oct 2007 11:41:33 -0400
Subject: [Freeipa-devel] [PATCH] ldif and acis for config
In-Reply-To: <20071024151641.GA16414@moon.usersys.redhat.com>
References: <20071022210823.GD3841@moon.usersys.redhat.com>	<1193091208.3167.269.camel@localhost.localdomain>	<20071022232300.GE3841@moon.usersys.redhat.com>	<1193152419.23200.12.camel@localhost.localdomain>	<471E6F30.7040809@redhat.com>	<1193177387.24962.7.camel@localhost.localdomain>	<20071023222117.GE22720@moon.usersys.redhat.com>	<1193233278.24962.33.camel@localhost.localdomain>
	<20071024151641.GA16414@moon.usersys.redhat.com>
Message-ID: <471F67AD.6060702@redhat.com>

Kevin McCarthy wrote:
> Simo Sorce wrote:
>> On Tue, 2007-10-23 at 15:21 -0700, Kevin McCarthy wrote:
>>>   dn=name=yi,.....,dc=freeipa,dc=org
>>>   objectClass=???
>>>   name=er
>>>   value=san
>>>   comment=chinese numbers are fun
>> This way of handling things have huge problems.
>>
>> 1. No way to control the attribute value syntax.
>> 2. No way to search all options with a single query on an object
>> 3. Uncontrollable proliferation of objects
>> 4. impossible to validate syntax of both attribute names and values
>>
>> Can you list exactly what you would like to set in conf options for real
>> so that we can evaluate why you are asking for this kind of schema?
> 
> Sure, some of the values we want to store were in the patch starting
> this thread:
> 
> userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
> searchTimeLimit: 2
> maxUidLength: 8
> passwordExpireNotifyDays: 7
> 
> I'm sure there will be others.
> 
> The idea was just to take miscellaneous configs from webgui code out of
> the code and into an externally modifiable place.
> 
> However, if it's that big of a headache I'm inclined to just leave them
> in the code!  :-)
> 
> In all seriousness, I think you and Pete need to chat and work out
> something with Rob.  I think it will take a bit more time to think this
> through and I'm not sure it's worth it for Milestone 5 or V1.

FDS stores its entire configuration in LDAP. It can't be that hard to 
work something out.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071024/12c8a4d1/attachment.bin>

From rmeggins at redhat.com  Wed Oct 24 15:56:26 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 24 Oct 2007 09:56:26 -0600
Subject: [Freeipa-devel] [PATCH] ldif and acis for config
In-Reply-To: <471F67AD.6060702@redhat.com>
References: <20071022210823.GD3841@moon.usersys.redhat.com>	<1193091208.3167.269.camel@localhost.localdomain>	<20071022232300.GE3841@moon.usersys.redhat.com>	<1193152419.23200.12.camel@localhost.localdomain>	<471E6F30.7040809@redhat.com>	<1193177387.24962.7.camel@localhost.localdomain>	<20071023222117.GE22720@moon.usersys.redhat.com>	<1193233278.24962.33.camel@localhost.localdomain>	<20071024151641.GA16414@moon.usersys.redhat.com>
	<471F67AD.6060702@redhat.com>
Message-ID: <471F6B2A.2050206@redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> Simo Sorce wrote:
>>> On Tue, 2007-10-23 at 15:21 -0700, Kevin McCarthy wrote:
>>>>   dn=name=yi,.....,dc=freeipa,dc=org
>>>>   objectClass=???
>>>>   name=er
>>>>   value=san
>>>>   comment=chinese numbers are fun
>>> This way of handling things have huge problems.
>>>
>>> 1. No way to control the attribute value syntax.
>>> 2. No way to search all options with a single query on an object
>>> 3. Uncontrollable proliferation of objects
>>> 4. impossible to validate syntax of both attribute names and values
>>>
>>> Can you list exactly what you would like to set in conf options for 
>>> real
>>> so that we can evaluate why you are asking for this kind of schema?
>>
>> Sure, some of the values we want to store were in the patch starting
>> this thread:
>>
>> userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
>> searchTimeLimit: 2
>> maxUidLength: 8
>> passwordExpireNotifyDays: 7
>>
>> I'm sure there will be others.
>>
>> The idea was just to take miscellaneous configs from webgui code out of
>> the code and into an externally modifiable place.
>>
>> However, if it's that big of a headache I'm inclined to just leave them
>> in the code!  :-)
>>
>> In all seriousness, I think you and Pete need to chat and work out
>> something with Rob.  I think it will take a bit more time to think this
>> through and I'm not sure it's worth it for Milestone 5 or V1.
>
> FDS stores its entire configuration in LDAP. It can't be that hard to 
> work something out.
Well, Fedora DS "cheats" - that is, many of the config entries are 
"extensibleObject" and there is no schema defined.  The best way is to 
actually define a schema, which we did for many of the config entries.  
But before you do that, you will need to figure out which base OID to 
use.  Should Red Hat's base OID be used?  Can freeIPA get its own OID?
>
> rob
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071024/c7dc10e3/attachment.bin>

From rcritten at redhat.com  Wed Oct 24 16:06:39 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Oct 2007 12:06:39 -0400
Subject: [Freeipa-devel] [PATCH] command-line delegation
Message-ID: <471F6D8F.8090206@redhat.com>

A quartet of commands to manage delegations from the command-line (man 
pages thrown in for free).

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-326-delegation.patch
Type: text/x-patch
Size: 23331 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071024/faa29d5c/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071024/faa29d5c/attachment-0001.bin>

From ssorce at redhat.com  Wed Oct 24 16:26:45 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 24 Oct 2007 12:26:45 -0400
Subject: [Freeipa-devel] [PATCH] ldif and acis for config
In-Reply-To: <471F6B2A.2050206@redhat.com>
References: <20071022210823.GD3841@moon.usersys.redhat.com>
	<1193091208.3167.269.camel@localhost.localdomain>
	<20071022232300.GE3841@moon.usersys.redhat.com>
	<1193152419.23200.12.camel@localhost.localdomain>
	<471E6F30.7040809@redhat.com>
	<1193177387.24962.7.camel@localhost.localdomain>
	<20071023222117.GE22720@moon.usersys.redhat.com>
	<1193233278.24962.33.camel@localhost.localdomain>
	<20071024151641.GA16414@moon.usersys.redhat.com>
	<471F67AD.6060702@redhat.com>  <471F6B2A.2050206@redhat.com>
Message-ID: <1193243205.24962.58.camel@localhost.localdomain>

On Wed, 2007-10-24 at 09:56 -0600, Richard Megginson wrote:
> Well, Fedora DS "cheats" - that is, many of the config entries are 
> "extensibleObject" and there is no schema defined.  The best way is
> to 
> actually define a schema, which we did for many of the config
> entries.  
> But before you do that, you will need to figure out which base OID to 
> use.  Should Red Hat's base OID be used?  Can freeIPA get its own
> OID? 

Do we have any recommendation?
I would ask IANA for an OID for FreeIPA, but if we can use one of the
OIDs RH already has that is fine for me as well.

Simo.



From kmccarth at redhat.com  Wed Oct 24 16:49:58 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Wed, 24 Oct 2007 09:49:58 -0700
Subject: [Freeipa-devel] [PATCH] command-line delegation
In-Reply-To: <471F6D8F.8090206@redhat.com>
References: <471F6D8F.8090206@redhat.com>
Message-ID: <20071024164957.GC16414@moon.usersys.redhat.com>

Rob Crittenden wrote:
> A quartet of commands to manage delegations from the command-line (man 
> pages thrown in for free).

First general comment.  Right now the webgui is not enforcing a unique
'name' field.  This isn't a bad idea - I just haven't implemented such
an enforcment in the code.

If people agree using the name as an identifier is fine, then we should
add enforcement to the gui too.  (and then perhaps we can use the name
instead of the entire acistr to identity an individual aci)

I have two comments below.  Feel free to submit and send fixes as a
separate patch.

-Kevin


> diff -r 5a62b0d18944 -r db42a6078cde ipa-admintools/ipa-deldelegation
> --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
> +++ b/ipa-admintools/ipa-deldelegation	Wed Oct 24 12:04:53 2007 -0400
> @@ -0,0 +1,102 @@
[snip]
> +
> +        for aci_str in aci_str_list:
> +            try:
> +                aci = ipa.aci.ACI(aci_str)
> +                if aci.name == args[1]:
> +                    acistr = aci_str
> +                    break
> +            except SyntaxError:
> +                # ignore aci_str's that ACI can't parse
> +                pass
> +
> +        if acistr is None:
> +            print "No delegation %s found." % args[1]
> +            return 2
> +
> +        try:
> +            old_aci_index = aci_str_list.index(acistr)
> +        except ValueError:
> +            print "The delegation you were attempting to delete has been concurrently modified."
> +            return 3

This check isn't needed for the cli only the webgui (because during the
time between when the edit page loads and they press the update, the ACI
could have changed.


> diff -r 5a62b0d18944 -r db42a6078cde ipa-admintools/ipa-moddelegation
> --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
> +++ b/ipa-admintools/ipa-moddelegation	Wed Oct 24 12:04:53 2007 -0400
> @@ -0,0 +1,166 @@
> +        try:
> +            old_aci_index = aci_str_list.index(acistr)
> +        except ValueError:
> +            print "The delegation you were attempting to delete has been concurrently modified."
> +            return 3

Likewise for here.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071024/6035fe65/attachment.bin>

From rcritten at redhat.com  Wed Oct 24 17:01:35 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Oct 2007 13:01:35 -0400
Subject: [Freeipa-devel] [PATCH] command-line delegation
In-Reply-To: <20071024164957.GC16414@moon.usersys.redhat.com>
References: <471F6D8F.8090206@redhat.com>
	<20071024164957.GC16414@moon.usersys.redhat.com>
Message-ID: <471F7A6F.40802@redhat.com>

Kevin McCarthy wrote:
> Rob Crittenden wrote:
>> A quartet of commands to manage delegations from the command-line (man 
>> pages thrown in for free).
> 
> First general comment.  Right now the webgui is not enforcing a unique
> 'name' field.  This isn't a bad idea - I just haven't implemented such
> an enforcment in the code.
> 
> If people agree using the name as an identifier is fine, then we should
> add enforcement to the gui too.  (and then perhaps we can use the name
> instead of the entire acistr to identity an individual aci)

The only other way to do it on the CLI would have the user paste in the 
entire value of the ACI. I don't think there is another way if we want a 
CLI equivalent.

> I have two comments below.  Feel free to submit and send fixes as a
> separate patch.

Well, I figured checking for concurrency couldn't hurt :-) It is a 
little paranoid though. Did it change yet? How about now? Now? Or 
now...? :-)

I'll strip those out for now and commit the patch.

thanks

rob

> 
> -Kevin
> 
> 
>> diff -r 5a62b0d18944 -r db42a6078cde ipa-admintools/ipa-deldelegation
>> --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
>> +++ b/ipa-admintools/ipa-deldelegation	Wed Oct 24 12:04:53 2007 -0400
>> @@ -0,0 +1,102 @@
> [snip]
>> +
>> +        for aci_str in aci_str_list:
>> +            try:
>> +                aci = ipa.aci.ACI(aci_str)
>> +                if aci.name == args[1]:
>> +                    acistr = aci_str
>> +                    break
>> +            except SyntaxError:
>> +                # ignore aci_str's that ACI can't parse
>> +                pass
>> +
>> +        if acistr is None:
>> +            print "No delegation %s found." % args[1]
>> +            return 2
>> +
>> +        try:
>> +            old_aci_index = aci_str_list.index(acistr)
>> +        except ValueError:
>> +            print "The delegation you were attempting to delete has been concurrently modified."
>> +            return 3
> 
> This check isn't needed for the cli only the webgui (because during the
> time between when the edit page loads and they press the update, the ACI
> could have changed.
> 
> 
>> diff -r 5a62b0d18944 -r db42a6078cde ipa-admintools/ipa-moddelegation
>> --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
>> +++ b/ipa-admintools/ipa-moddelegation	Wed Oct 24 12:04:53 2007 -0400
>> @@ -0,0 +1,166 @@
>> +        try:
>> +            old_aci_index = aci_str_list.index(acistr)
>> +        except ValueError:
>> +            print "The delegation you were attempting to delete has been concurrently modified."
>> +            return 3
> 
> Likewise for here.
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071024/38e25c9f/attachment.bin>

From rcritten at redhat.com  Wed Oct 24 17:11:26 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Oct 2007 13:11:26 -0400
Subject: [Freeipa-devel] [PATCH] command-line delegation
In-Reply-To: <20071024164957.GC16414@moon.usersys.redhat.com>
References: <471F6D8F.8090206@redhat.com>
	<20071024164957.GC16414@moon.usersys.redhat.com>
Message-ID: <471F7CBE.1030006@redhat.com>

Kevin McCarthy wrote:
> Rob Crittenden wrote:
>> A quartet of commands to manage delegations from the command-line (man 
>> pages thrown in for free).
> 
> First general comment.  Right now the webgui is not enforcing a unique
> 'name' field.  This isn't a bad idea - I just haven't implemented such
> an enforcment in the code.
> 
> If people agree using the name as an identifier is fine, then we should
> add enforcement to the gui too.  (and then perhaps we can use the name
> instead of the entire acistr to identity an individual aci)
> 
> I have two comments below.  Feel free to submit and send fixes as a
> separate patch.

Fixed and pushed.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071024/ce3fca2e/attachment.bin>

From mbooth at redhat.com  Wed Oct 24 09:31:53 2007
From: mbooth at redhat.com (Matthew Booth)
Date: Wed, 24 Oct 2007 10:31:53 +0100
Subject: [Freeipa-devel] Kerberos ticket renewal
Message-ID: <1193218313.12524.68.camel@localhost.localdomain>

I'm running RHEL 5 on my laptop. I used to get a popup when my tickets
were about to expire, or had expired. I don't remember if that was on
RHEL 4 or 5, though. A hunt through installed an available packages
hasn't revealed anything obvious. Any idea what this utility is?

On the subject of renewal, are there any tools available which manage
this automatically? What I'd like to achieve is a 2 hour ticket
renewable for 24 hours. While a user remains 'active' their ticket is
renewed without intervention.

On a related note, are there any existing definitions of 'active'?

Thanks,

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071024/4d547fc9/attachment.sig>

From ssorce at redhat.com  Wed Oct 24 18:00:13 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 24 Oct 2007 14:00:13 -0400
Subject: [Freeipa-devel] Kerberos ticket renewal
In-Reply-To: <1193218313.12524.68.camel@localhost.localdomain>
References: <1193218313.12524.68.camel@localhost.localdomain>
Message-ID: <1193248813.1916.3.camel@localhost.localdomain>

On Wed, 2007-10-24 at 10:31 +0100, Matthew Booth wrote:
> I'm running RHEL 5 on my laptop. I used to get a popup when my tickets
> were about to expire, or had expired. I don't remember if that was on
> RHEL 4 or 5, though. A hunt through installed an available packages
> hasn't revealed anything obvious. Any idea what this utility is?

IIRC krb5-auth-dialog

> On the subject of renewal, are there any tools available which manage
> this automatically? What I'd like to achieve is a 2 hour ticket
> renewable for 24 hours. While a user remains 'active' their ticket is
> renewed without intervention.

Not for v1

> On a related note, are there any existing definitions of 'active'?

Usually logged in on a machine, not really easy to define, it's an
almost open question, but you can tie it to pam sessions

Simo.



From rcritten at redhat.com  Wed Oct 24 19:18:28 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Oct 2007 15:18:28 -0400
Subject: [Freeipa-devel] [PATCH] user and group deletion
In-Reply-To: <20071023234951.GG22720@moon.usersys.redhat.com>
References: <20071023234951.GG22720@moon.usersys.redhat.com>
Message-ID: <471F9A84.3010807@redhat.com>

Kevin McCarthy wrote:
> This adds user and group deletion to the gui.
> 
> It sidesteps the issues of:
> 1) What if the user is a manager or secretary of another user
> 2) What if the user is a member of a group
> 3) What if the group is a member of a group.
> 
> I'm assuming these kinds of things will be solved with a server-side
> plugin.
> 
> The patch also fixes a bug with add user brought on by the
> manager/secretary patch.  Apparently hidden fields don't have a "" value
> by default and so were passing none if not set.
>

I thought the plan was to inactivate users and delete groups. That is 
what I'm doing in the cli anyway.

Inactivation solve some of these problems but it does mean that the 
secretary or manager could be inactive.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071024/6b25101a/attachment.bin>

From rcritten at redhat.com  Wed Oct 24 19:39:37 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Oct 2007 15:39:37 -0400
Subject: [Freeipa-devel] [PATCH] Add dependency for python-krbV to
	freeipa-server
Message-ID: <471F9F79.8070105@redhat.com>

Add dependency for python-krbV to freeipa-server

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-318-dep.patch
Type: text/x-patch
Size: 2903 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071024/a55f9bf7/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071024/a55f9bf7/attachment-0001.bin>

From kmccarth at redhat.com  Wed Oct 24 19:52:12 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Wed, 24 Oct 2007 12:52:12 -0700
Subject: [Freeipa-devel] [PATCH] Add dependency for python-krbV to
	freeipa-server
In-Reply-To: <471F9F79.8070105@redhat.com>
References: <471F9F79.8070105@redhat.com>
Message-ID: <20071024195212.GD16414@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Add dependency for python-krbV to freeipa-server

Looks good.

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071024/8e36e102/attachment.bin>

From rcritten at redhat.com  Wed Oct 24 20:07:36 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Oct 2007 16:07:36 -0400
Subject: [Freeipa-devel] [PATCH] Add dependency for python-krbV
	to	freeipa-server
In-Reply-To: <20071024195212.GD16414@moon.usersys.redhat.com>
References: <471F9F79.8070105@redhat.com>
	<20071024195212.GD16414@moon.usersys.redhat.com>
Message-ID: <471FA608.1080009@redhat.com>

Kevin McCarthy wrote:
> Rob Crittenden wrote:
>> Add dependency for python-krbV to freeipa-server
> 
> Looks good.
> 
> -Kevin
>

Pushed.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071024/f22692ce/attachment.bin>

From rcritten at redhat.com  Wed Oct 24 20:34:22 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Oct 2007 16:34:22 -0400
Subject: [Freeipa-devel] When ticket fwding fails
Message-ID: <471FAC4E.5030402@redhat.com>

Sit down for a nice little story.

Once upon a time we wanted to do kerberos ticket forwarding and use that 
to authenticate to FDS. Unfortunately our hero (that's me) couldn't get 
it working.

So instead we decided to use LDAP proxy authentication instead. What we 
would do is take the principal that was authenticated and use that to 
find the DN of the person. We would then send that DN along in a server 
control when doing LDAP operations.

Things were fine but the evil ACIs were causing troubles.

Then our hero found a patch on a mailing list that made mod_auth_kerb 
play nice and actually do ticket forwarding so we switched to that.

The code for proxy auth was left in as a fallback but as things 
progressed that code suffered serious bit-rot and much was ripped out 
(those evil ACI's for one).

Here were are in the present day and someone tried to use freeipa 
without using the magical mod_auth_kerb that does ticket forwarding and 
it tried to fall back to proxy auth which not only failed, it threw some 
nasty Python errors because the argument list changed.

As I see it we have 3 options:

1. Slay the beast and remove all vestigates of proxy auth
2. Ignore the beast and leave things as they are with the probably 
unfulfilled promise of tackling it later
3. Fix it so proxy auth can work again

I think I'm inclined to go route #2, perhaps adding an "except" in so we 
can better tell the user was is wrong rather than having to remember 
what a cryptic Python stack means.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071024/f55e68f5/attachment.bin>

From mgregg at redhat.com  Wed Oct 24 20:44:40 2007
From: mgregg at redhat.com (michael gregg)
Date: Wed, 24 Oct 2007 13:44:40 -0700
Subject: [Freeipa-devel] [PATCH] Add dependency for
	python-krbV	to	freeipa-server
In-Reply-To: <471FA608.1080009@redhat.com>
References: <471F9F79.8070105@redhat.com>	<20071024195212.GD16414@moon.usersys.redhat.com>
	<471FA608.1080009@redhat.com>
Message-ID: <471FAEB8.5010002@redhat.com>

That patch seemed to work. 

 Result was GOOD, please see:
 http://apoc.dsdev.sjc.redhat.com/tet/results/2007-10-24_13_31/log.txt
 and http://apoc.dsdev.sjc.redhat.com/tet/results/2007-10-24_13_31/ipa_install_log.txt
For details.
These files might be on the local system at /tet/results/2007-10-24_13_31



Rob Crittenden wrote:

> Kevin McCarthy wrote:
>
>> Rob Crittenden wrote:
>>
>>> Add dependency for python-krbV to freeipa-server
>>
>>
>> Looks good.
>>
>> -Kevin
>>
>
> Pushed.
>
> rob
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Freeipa-devel mailing list
>Freeipa-devel at redhat.com
>https://www.redhat.com/mailman/listinfo/freeipa-devel
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2000 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071024/64265761/attachment.bin>

From kmccarth at redhat.com  Wed Oct 24 23:08:55 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Wed, 24 Oct 2007 16:08:55 -0700
Subject: [Freeipa-devel] [PATCH] webgui custom fields
Message-ID: <20071024230854.GF16414@moon.usersys.redhat.com>

This is the webgui part of custom fields.  It will take a little more
thought as to where to store the fields, etc.  But this is my
recommendation for how to implement them in the UI.

I have actually included a couple bogus fields, just so you can see it
in action.  Of course, rip those out when you get the real
infrastructure in.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1193267057 25200
# Node ID cde69f824a52e2fc3e1ec96b1b995d71aee2b1a1
# Parent  6ef60881c7b292bba8438b2f76e7159275ef2554
webgui side of custom fields.

diff -r 6ef60881c7b2 -r cde69f824a52 ipa-server/ipa-gui/ipagui/forms/user.py
--- a/ipa-server/ipa-gui/ipagui/forms/user.py	Wed Oct 24 15:04:17 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/forms/user.py	Wed Oct 24 16:04:17 2007 -0700
@@ -59,6 +59,8 @@ class UserFields():
     user_groups_data = widgets.HiddenField(name="user_groups_data")
     dn_to_info_json = widgets.HiddenField(name="dn_to_info_json")
 
+    custom_fields = []
+
 class UserNewValidator(validators.Schema):
     uid = validators.PlainText(not_empty=True)
     userpassword = validators.String(not_empty=False)
@@ -73,7 +75,7 @@ class UserNewValidator(validators.Schema
 
 
 class UserNewForm(widgets.Form):
-    params = ['user']
+    params = ['user', 'custom_fields']
 
     hidden_fields = [
       UserFields.dn_to_info_json,
@@ -82,6 +84,8 @@ class UserNewForm(widgets.Form):
       UserFields.secretary,
       UserFields.secretary_cn,
     ]
+
+    custom_fields = []
 
     validator = UserNewValidator()
 
@@ -112,7 +116,7 @@ class UserEditValidator(validators.Schem
     ]
 
 class UserEditForm(widgets.Form):
-    params = ['user']
+    params = ['user', 'custom_fields']
 
     hidden_fields = [
       UserFields.uid_hidden, UserFields.user_orig,
@@ -125,6 +129,8 @@ class UserEditForm(widgets.Form):
       UserFields.secretary,
       UserFields.secretary_cn,
     ]
+
+    custom_fields = []
 
     validator = UserEditValidator()
 
diff -r 6ef60881c7b2 -r cde69f824a52 ipa-server/ipa-gui/ipagui/subcontrollers/user.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py	Wed Oct 24 15:04:17 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py	Wed Oct 24 16:04:17 2007 -0700
@@ -31,6 +31,36 @@ email_domain = ipa.config.config.default
 email_domain = ipa.config.config.default_realm.lower()
 
 class UserController(IPAController):
+
+    def __init__(self, *args, **kw):
+        super(UserController,self).__init__(*args, **kw)
+        self.load_custom_fields()
+
+    def load_custom_fields(self):
+        # client = self.get_ipaclient()
+        # schema = client.get_user_custom_schema()
+        schema = [
+          { 'label': 'See Also',
+            'field': 'seeAlso',
+            'required': 'true', } ,
+          { 'label': 'O O O',
+            'field': 'o',
+            'required': 'false', } ,
+        ]
+        for s in schema:
+            required=False
+            if (s['required'] == "true"):
+                required=True
+            field = widgets.TextField(name=s['field'],label=s['label'])
+            validator = validators.String(not_empty=required)
+
+            ipagui.forms.user.UserFields.custom_fields.append(field)
+            user_new_form.custom_fields.append(field)
+            user_edit_form.custom_fields.append(field)
+
+            user_new_form.validator.add_field(s['field'], validator)
+            user_edit_form.validator.add_field(s['field'], validator)
+
 
     @expose()
     def index(self):
@@ -108,6 +138,10 @@ class UserController(IPAController):
 
             if kw.get('nsAccountLock'):
                 new_user.setValue('nsAccountLock', 'true')
+
+            for custom_field in user_new_form.custom_fields:
+                new_user.setValue(custom_field.name,
+                                  kw.get(custom_field.name, ''))
 
             rv = client.add_user(new_user)
         except ipaerror.exception_for(ipaerror.LDAP_DUPLICATE):
@@ -322,12 +356,17 @@ class UserController(IPAController):
                 new_user.setValue('nsAccountLock', 'true')
             else:
                 new_user.setValue('nsAccountLock', None)
+
             if kw.get('editprotected') == 'true':
                 if kw.get('userpassword'):
                     password_change = True
                 new_user.setValue('uidnumber', str(kw.get('uidnumber')))
                 new_user.setValue('gidnumber', str(kw.get('gidnumber')))
                 new_user.setValue('homedirectory', str(kw.get('homedirectory')))
+
+            for custom_field in user_edit_form.custom_fields:
+                new_user.setValue(custom_field.name,
+                                  kw.get(custom_field.name, ''))
 
             rv = client.update_user(new_user)
             #
diff -r 6ef60881c7b2 -r cde69f824a52 ipa-server/ipa-gui/ipagui/templates/usereditform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usereditform.kid	Wed Oct 24 15:04:17 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usereditform.kid	Wed Oct 24 16:04:17 2007 -0700
@@ -632,6 +632,23 @@ from ipagui.helpers import ipahelper
       </tr>
     </table>
 
+    <div py:if='len(custom_fields) &gt; 0'>
+      <div class="formsection" >Custom Fields</div>
+      <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+        <tr py:for='custom_field in custom_fields'>
+          <th>
+            <label class="fieldlabel" for="${custom_field.field_id}"
+              py:content="custom_field.label" />:
+          </th>
+          <td>
+            <span py:replace="custom_field.display(value_for(custom_field))" />
+            <span py:if="tg.errors.get(custom_field.name)" class="fielderror"
+                py:content="tg.errors.get(custom_field.name)" />
+          </td>
+        </tr>
+      </table>
+    </div>
+
 
     <div>
       <div class="formsection">Groups</div>
diff -r 6ef60881c7b2 -r cde69f824a52 ipa-server/ipa-gui/ipagui/templates/usernewform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usernewform.kid	Wed Oct 24 15:04:17 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usernewform.kid	Wed Oct 24 16:04:17 2007 -0700
@@ -601,6 +601,23 @@ from ipagui.helpers import ipahelper
       </tr>
     </table>
 
+    <div py:if='len(custom_fields) &gt; 0'>
+      <div class="formsection" >Custom Fields</div>
+      <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+        <tr py:for='custom_field in custom_fields'>
+          <th>
+            <label class="fieldlabel" for="${custom_field.field_id}"
+              py:content="custom_field.label" />:
+          </th>
+          <td>
+            <span py:replace="custom_field.display(value_for(custom_field))" />
+            <span py:if="tg.errors.get(custom_field.name)" class="fielderror"
+                py:content="tg.errors.get(custom_field.name)" />
+          </td>
+        </tr>
+      </table>
+    </div>
+
     <div style="clear:both">
       <div class="formsection">Add Groups</div>
 
diff -r 6ef60881c7b2 -r cde69f824a52 ipa-server/ipa-gui/ipagui/templates/usershow.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usershow.kid	Wed Oct 24 15:04:17 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usershow.kid	Wed Oct 24 16:04:17 2007 -0700
@@ -259,6 +259,21 @@ else:
         </tr>
     </table>
 
+    <div py:if='len(fields.custom_fields) &gt; 0'>
+      <div class="formsection" >Custom Fields</div>
+      <table class="formtable" cellpadding="2" cellspacing="0" border="0">
+        <tr py:for='custom_field in fields.custom_fields'>
+          <th>
+            <label class="fieldlabel" for="${custom_field.field_id}"
+              py:content="custom_field.label" />:
+          </th>
+          <td>
+            ${user.get(custom_field.name)}
+          </td>
+        </tr>
+      </table>
+    </div>
+
     <div class="formsection" py:if='len(user_reports) &gt; 0'>Direct Reports</div>
     <ol py:if="len(user_reports) &gt; 0">
       <li py:for="report in user_reports">
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071024/7459627a/attachment.bin>

From markmc at redhat.com  Thu Oct 25 14:39:24 2007
From: markmc at redhat.com (Mark McLoughlin)
Date: Thu, 25 Oct 2007 14:39:24 -0000
Subject: [Freeipa-devel] [PATCH 2 of 5] imported patch
	freeipa-require-python-krbv.patch
In-Reply-To: <patchbomb.1203608092@localhost.localdomain>
Message-ID: <a04945a85fdc00dac3e0.1203608094@localhost.localdomain>

# HG changeset patch
# User Mark McLoughlin <markmc at redhat.com>
# Date 1203607409 0
# Node ID a04945a85fdc00dac3e0381de7011b149a76b026
# Parent  7058ecd55fe58ffc2fc3611eeff4d10a29db545d
imported patch freeipa-require-python-krbv.patch

diff -r 7058ecd55fe5 -r a04945a85fdc ipa-admintools/freeipa-admintools.spec
--- a/ipa-admintools/freeipa-admintools.spec	Thu Feb 21 15:23:29 2008 +0000
+++ b/ipa-admintools/freeipa-admintools.spec	Thu Feb 21 15:23:29 2008 +0000
@@ -10,7 +10,7 @@ BuildRoot:      %{_tmppath}/%{name}-%{ve
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch: 	noarch
 
-Requires: python freeipa-python
+Requires: python python-krbV freeipa-python
 
 %description
 FreeIPA is a server for identity, policy, and audit.
diff -r 7058ecd55fe5 -r a04945a85fdc ipa-admintools/freeipa-admintools.spec.in
--- a/ipa-admintools/freeipa-admintools.spec.in	Thu Feb 21 15:23:29 2008 +0000
+++ b/ipa-admintools/freeipa-admintools.spec.in	Thu Feb 21 15:23:29 2008 +0000
@@ -10,7 +10,7 @@ BuildRoot:      %{_tmppath}/%{name}-%{ve
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch: 	noarch
 
-Requires: python freeipa-python
+Requires: python python-krbV freeipa-python
 
 %description
 FreeIPA is a server for identity, policy, and audit.



From markmc at redhat.com  Thu Oct 25 14:39:24 2007
From: markmc at redhat.com (Mark McLoughlin)
Date: Thu, 25 Oct 2007 14:39:24 -0000
Subject: [Freeipa-devel] [PATCH 4 of 5] Create repodata during "make dist"
In-Reply-To: <patchbomb.1203608092@localhost.localdomain>
Message-ID: <a976a68fd8d0b8b2b41a.1203608096@localhost.localdomain>

# HG changeset patch
# User Mark McLoughlin <markmc at redhat.com>
# Date 1203607409 0
# Node ID a976a68fd8d0b8b2b41af68e816a48c69b72a213
# Parent  f3a8d25e7a37f194faa71577e5a19d8627d1da04
Create repodata during "make dist"

This patch just makes "make dist" build the yum repodata.

Note, that since the repodata is at the toplevel, if this
dist/ dir is uploaded to freeipa.org/downloads, people's
yum configs will continue to work.

Signed-off-by: Mark McLoughlin <markmc at redhat.com>

diff -r f3a8d25e7a37 -r a976a68fd8d0 Makefile
--- a/Makefile	Thu Feb 21 15:23:29 2008 +0000
+++ b/Makefile	Thu Feb 21 15:23:29 2008 +0000
@@ -151,7 +151,10 @@ rpm-ipa-client:
 
 rpms: rpmroot rpmdistdir rpm-ipa-server rpm-ipa-admin rpm-ipa-python rpm-ipa-client
 
-dist: version-update archive tarballs archive-cleanup rpms
+repodata:
+	-createrepo -p dist
+
+dist: version-update archive tarballs archive-cleanup rpms repodata
 
 local-dist: autogen clean version-update local-archive tarballs archive-cleanup rpms
 



From markmc at redhat.com  Thu Oct 25 14:39:24 2007
From: markmc at redhat.com (Mark McLoughlin)
Date: Thu, 25 Oct 2007 14:39:24 -0000
Subject: [Freeipa-devel] [PATCH 0 of 5] Miscellaneous trivial patches
Message-ID: <patchbomb.1203608092@localhost.localdomain>

Hi,
        What follows are just a few trivial patches to fix minor
packaging issues, "make dist" and a bug in ipa-server-install.

Cheers,
Mark.



From markmc at redhat.com  Thu Oct 25 14:39:25 2007
From: markmc at redhat.com (Mark McLoughlin)
Date: Thu, 25 Oct 2007 14:39:25 -0000
Subject: [Freeipa-devel] [PATCH 1 of 5] Cleanup freeipa-python requires
In-Reply-To: <patchbomb.1203608092@localhost.localdomain>
Message-ID: <7058ecd55fe58ffc2fc3.1203608093@localhost.localdomain>

# HG changeset patch
# User Mark McLoughlin <markmc at redhat.com>
# Date 1203607409 0
# Node ID 7058ecd55fe58ffc2fc3611eeff4d10a29db545d
# Parent  a02374271cb7b385bc8f5d9c55f7640f5b899d39
Cleanup freeipa-python requires

We don't need the elaborate python requires, since a requires
for e.g. "python-abi = 2.5" is automatically added.

We also don't need the elaborate build requires, since all
it does is query the currently installed version of python
and require that you have it's appropriate python-devel
installed. But if python-devel is installed at all, this
should hold true.

(Also, IMHO the .spec files should be removed from mercurial
since they are automatically generated)

Signed-off-by: Mark McLouglin <markmc at redhat.com>

diff -r a02374271cb7 -r 7058ecd55fe5 ipa-python/freeipa-python.spec
--- a/ipa-python/freeipa-python.spec	Wed Oct 24 15:39:05 2007 -0400
+++ b/ipa-python/freeipa-python.spec	Thu Feb 21 15:23:29 2008 +0000
@@ -1,5 +1,3 @@
-%define pyver  %(%{__python} -c 'import sys ; print sys.version[:3]')
-%define pynext %(%{__python} -c 'print %{pyver} + 0.1')
 
 Name:           freeipa-python
 Version:        0.4.0
@@ -12,8 +10,7 @@ Source0:        http://www.freeipa.org/d
 Source0:        http://www.freeipa.org/downloads/%{name}-%{version}.tgz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch: 	noarch
-BuildRequires: python >= 0:%{pyver}, python < 0:%{pynext}, python-devel <= 0:%{pyver}
-Requires: python >= 0:%{pyver}, python < 0:%{pynext}
+BuildRequires: python-devel
 Requires: PyKerberos
 
 %{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
diff -r a02374271cb7 -r 7058ecd55fe5 ipa-python/freeipa-python.spec.in
--- a/ipa-python/freeipa-python.spec.in	Wed Oct 24 15:39:05 2007 -0400
+++ b/ipa-python/freeipa-python.spec.in	Thu Feb 21 15:23:29 2008 +0000
@@ -1,5 +1,3 @@
-%define pyver  %(%{__python} -c 'import sys ; print sys.version[:3]')
-%define pynext %(%{__python} -c 'print %{pyver} + 0.1')
 
 Name:           freeipa-python
 Version:        VERSION
@@ -12,8 +10,7 @@ Source0:        http://www.freeipa.org/d
 Source0:        http://www.freeipa.org/downloads/%{name}-%{version}.tgz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch: 	noarch
-BuildRequires: python >= 0:%{pyver}, python < 0:%{pynext}, python-devel <= 0:%{pyver}
-Requires: python >= 0:%{pyver}, python < 0:%{pynext}
+BuildRequires: python-devel
 Requires: PyKerberos
 
 %{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}



From markmc at redhat.com  Thu Oct 25 14:39:27 2007
From: markmc at redhat.com (Mark McLoughlin)
Date: Thu, 25 Oct 2007 14:39:27 -0000
Subject: [Freeipa-devel] [PATCH 3 of 5] Change the layout of the dist dir
In-Reply-To: <patchbomb.1203608092@localhost.localdomain>
Message-ID: <f3a8d25e7a37f194faa7.1203608095@localhost.localdomain>

# HG changeset patch
# User Mark McLoughlin <markmc at redhat.com>
# Date 1203607409 0
# Node ID f3a8d25e7a37f194faa71577e5a19d8627d1da04
# Parent  a04945a85fdc00dac3e0381de7011b149a76b026
Change the layout of the dist dir

Rather than lumping everything together into the dist/ dir,
this patch separates them out into sources/, rpms/ and srpms/.

Signed-off-by: Mark McLoughlin <markmc at redhat.com>

diff -r a04945a85fdc -r f3a8d25e7a37 Makefile
--- a/Makefile	Thu Feb 21 15:23:29 2008 +0000
+++ b/Makefile	Thu Feb 21 15:23:29 2008 +0000
@@ -86,30 +86,32 @@ archive-cleanup:
 	rm -fr dist/freeipa
 
 tarballs:
+	-mkdir -p dist/sources
+
         # ipa-server
 	mv dist/freeipa/ipa-server dist/$(SERV_TARBALL_PREFIX)
-	rm -f dist/$(SERV_TARBALL)
+	rm -f dist/sources/$(SERV_TARBALL)
 	cd dist/$(SERV_TARBALL_PREFIX); ./autogen.sh; make distclean
-	cd dist; tar cfz $(SERV_TARBALL) $(SERV_TARBALL_PREFIX)
+	cd dist; tar cfz sources/$(SERV_TARBALL) $(SERV_TARBALL_PREFIX)
 	rm -fr dist/$(SERV_TARBALL_PREFIX)
 
         # ipa-admintools
 	mv dist/freeipa/ipa-admintools dist/$(ADMIN_TARBALL_PREFIX)
-	rm -f dist/$(ADMIN_TARBALL)
-	cd dist; tar cfz $(ADMIN_TARBALL) $(ADMIN_TARBALL_PREFIX)
+	rm -f dist/sources/$(ADMIN_TARBALL)
+	cd dist; tar cfz sources/$(ADMIN_TARBALL) $(ADMIN_TARBALL_PREFIX)
 	rm -fr dist/$(ADMIN_TARBALL_PREFIX)
 
         # ipa-python
 	mv dist/freeipa/ipa-python dist/$(PYTHON_TARBALL_PREFIX)
-	rm -f dist/$(PYTHON_TARBALL)
-	cd dist; tar cfz $(PYTHON_TARBALL) $(PYTHON_TARBALL_PREFIX)
+	rm -f dist/sources/$(PYTHON_TARBALL)
+	cd dist; tar cfz sources/$(PYTHON_TARBALL) $(PYTHON_TARBALL_PREFIX)
 	rm -fr dist/$(PYTHON_TARBALL_PREFIX)
 
         # ipa-client
 	mv dist/freeipa/ipa-client dist/$(CLI_TARBALL_PREFIX)
-	rm -f dist/$(CLI_TARBALL)
+	rm -f dist/sources/$(CLI_TARBALL)
 	cd dist/$(CLI_TARBALL_PREFIX); ./autogen.sh; make distclean
-	cd dist; tar cfz $(CLI_TARBALL) $(CLI_TARBALL_PREFIX)
+	cd dist; tar cfz sources/$(CLI_TARBALL) $(CLI_TARBALL_PREFIX)
 	rm -fr dist/$(CLI_TARBALL_PREFIX)
 
 rpmroot:
@@ -119,31 +121,35 @@ rpmroot:
 	mkdir -p $(RPMBUILD)/SPECS
 	mkdir -p $(RPMBUILD)/SRPMS
 
+rpmdistdir:
+	mkdir -p dist/rpms
+	mkdir -p dist/srpms
+
 rpm-ipa-server:
-	cp dist/$(SERV_TARBALL) $(RPMBUILD)/SOURCES/.
+	cp dist/sources/$(SERV_TARBALL) $(RPMBUILD)/SOURCES/.
 	rpmbuild --define "_topdir $(RPMBUILD)" -ba ipa-server/freeipa-server.spec
-	cp rpmbuild/RPMS/*/$(PRJ_PREFIX)-server-$(SERV_VERSION)-*.rpm dist/.
-	cp rpmbuild/SRPMS/$(PRJ_PREFIX)-server-$(SERV_VERSION)-*.src.rpm dist/.
+	cp rpmbuild/RPMS/*/$(PRJ_PREFIX)-server-$(SERV_VERSION)-*.rpm dist/rpms/
+	cp rpmbuild/SRPMS/$(PRJ_PREFIX)-server-$(SERV_VERSION)-*.src.rpm dist/srpms/
 
 rpm-ipa-admin:
-	cp dist/$(ADMIN_TARBALL) $(RPMBUILD)/SOURCES/.
+	cp dist/sources/$(ADMIN_TARBALL) $(RPMBUILD)/SOURCES/.
 	rpmbuild --define "_topdir $(RPMBUILD)" -ba ipa-admintools/freeipa-admintools.spec
-	cp rpmbuild/RPMS/noarch/$(PRJ_PREFIX)-admintools-$(ADMIN_VERSION)-*.rpm dist/.
-	cp rpmbuild/SRPMS/$(PRJ_PREFIX)-admintools-$(ADMIN_VERSION)-*.src.rpm dist/.
+	cp rpmbuild/RPMS/noarch/$(PRJ_PREFIX)-admintools-$(ADMIN_VERSION)-*.rpm dist/rpms/
+	cp rpmbuild/SRPMS/$(PRJ_PREFIX)-admintools-$(ADMIN_VERSION)-*.src.rpm dist/srpms/
 
 rpm-ipa-python:
-	cp dist/$(PYTHON_TARBALL) $(RPMBUILD)/SOURCES/.
+	cp dist/sources/$(PYTHON_TARBALL) $(RPMBUILD)/SOURCES/.
 	rpmbuild --define "_topdir $(RPMBUILD)" -ba ipa-python/freeipa-python.spec
-	cp rpmbuild/RPMS/noarch/$(PRJ_PREFIX)-python-$(PYTHON_VERSION)-*.rpm dist/.
-	cp rpmbuild/SRPMS/$(PRJ_PREFIX)-python-$(PYTHON_VERSION)-*.src.rpm dist/.
+	cp rpmbuild/RPMS/noarch/$(PRJ_PREFIX)-python-$(PYTHON_VERSION)-*.rpm dist/rpms/
+	cp rpmbuild/SRPMS/$(PRJ_PREFIX)-python-$(PYTHON_VERSION)-*.src.rpm dist/srpms/
 
 rpm-ipa-client:
-	cp dist/$(CLI_TARBALL) $(RPMBUILD)/SOURCES/.
+	cp dist/sources/$(CLI_TARBALL) $(RPMBUILD)/SOURCES/.
 	rpmbuild --define "_topdir $(RPMBUILD)" -ba ipa-client/freeipa-client.spec
-	cp rpmbuild/RPMS/*/$(PRJ_PREFIX)-client-$(CLI_VERSION)-*.rpm dist/.
-	cp rpmbuild/SRPMS/$(PRJ_PREFIX)-client-$(CLI_VERSION)-*.src.rpm dist/.
+	cp rpmbuild/RPMS/*/$(PRJ_PREFIX)-client-$(CLI_VERSION)-*.rpm dist/rpms/
+	cp rpmbuild/SRPMS/$(PRJ_PREFIX)-client-$(CLI_VERSION)-*.src.rpm dist/srpms/
 
-rpms: rpmroot rpm-ipa-server rpm-ipa-admin rpm-ipa-python rpm-ipa-client
+rpms: rpmroot rpmdistdir rpm-ipa-server rpm-ipa-admin rpm-ipa-python rpm-ipa-client
 
 dist: version-update archive tarballs archive-cleanup rpms
 



From markmc at redhat.com  Thu Oct 25 14:39:29 2007
From: markmc at redhat.com (Mark McLoughlin)
Date: Thu, 25 Oct 2007 14:39:29 -0000
Subject: [Freeipa-devel] [PATCH 5 of 5] Fix host_name buglet in
	ipa-server-install
In-Reply-To: <patchbomb.1203608092@localhost.localdomain>
Message-ID: <200657115003ef4405a8.1203608097@localhost.localdomain>

# HG changeset patch
# User Mark McLoughlin <markmc at redhat.com>
# Date 1203607409 0
# Node ID 200657115003ef4405a84148cc75bd90a8ef34d1
# Parent  a976a68fd8d0b8b2b41af68e816a48c69b72a213
Fix host_name buglet in ipa-server-install

This patch fixes a couple of buglets with read_ip_address():

  1) It writes host_name to /etc/hosts, but isn't currently
     being passed host_name

  2) It doesn't return the IP address even though the caller
     expects it

Signed-off-by: Mark McLoughlin <markmc at redhat.com>

diff -r a976a68fd8d0 -r 200657115003 ipa-server/ipa-install/ipa-server-install
--- a/ipa-server/ipa-install/ipa-server-install	Thu Feb 21 15:23:29 2008 +0000
+++ b/ipa-server/ipa-install/ipa-server-install	Thu Feb 21 15:23:29 2008 +0000
@@ -228,9 +228,8 @@ def verify_ip_address(ip):
             is_ok = False
     return is_ok
 
-def read_ip_address():
-    askip = True
-    while askip:
+def read_ip_address(host_name):
+    while True:
         ip = raw_input("Please provide the IP address to be used for this host name: ")
 
         if ip == "":
@@ -247,7 +246,8 @@ def read_ip_address():
         hosts_fd.seek(0, 2)
         hosts_fd.write(ip+'\t'+host_name+' '+host_name[:host_name.find('.')]+'\n')
         hosts_fd.close()
-        askip = False
+
+        return ip
 
 def port_available(port):
     """Try to bind to a port on the wildcard host
@@ -461,7 +461,7 @@ def main():
             return "-Fatal Error-"
 
     if not ip:
-        ip = read_ip_address ()
+        ip = read_ip_address(host_name)
     ip_address = ip
 
     print "The IPA Master Server will be configured with"



From kmacmill at redhat.com  Thu Oct 25 15:00:58 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 25 Oct 2007 11:00:58 -0400
Subject: [Freeipa-devel] [PATCH] Handle selinux failure
In-Reply-To: <471F66BC.1090909@redhat.com>
References: <9ff6cec98d764acbaefe.1193235038@localhost.localdomain>
	<471F66BC.1090909@redhat.com>
Message-ID: <1193324458.13697.34.camel@mahler.iad.redhat.com>

On Wed, 2007-10-24 at 11:37 -0400, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > # HG changeset patch
> > # User "Karl MacMillan <kmacmill at redhat.com>"
> > # Date 1193235029 14400
> > # Node ID 9ff6cec98d764acbaefe915e0da63d29cd72cea1
> > # Parent  d474654ca48ff4d36dffca6a94ac88ed0e441586
> > Handle selinux failure
> > 
> > Ignore errors if setsebool fails and print a warning.
> > 
> > diff -r d474654ca48f -r 9ff6cec98d76 ipa-server/ipa-install/ipa-server-install
> > --- a/ipa-server/ipa-install/ipa-server-install	Wed Oct 24 10:04:43 2007 -0400
> > +++ b/ipa-server/ipa-install/ipa-server-install	Wed Oct 24 10:10:29 2007 -0400
> > @@ -554,7 +554,16 @@ def main():
> >  
> >          if selinux:
> >              # Allow apache to connect to the turbogears web gui
> > -            run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
> > +            # This can still fail even if selinux is enabled
> > +            try:
> > +                run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
> > +            except:
> > +                print "WARNING: could not set selinux boolean httpd_can_network_connect to true."
> > +                print "The web interface may not function correctly until this boolean is"
> > +                print "successfully change with the command:"
> > +                print "   /usr/sbin/setsebool -P httpd_can_network_connect true"
> > +                print "Try updating the policycoreutils and selinux-policy packages."
> > +                pass
> >  
> >          # Start the web gui
> >          run(["/sbin/service", "ipa-webgui", "start"])
> 
> Um, shouldn't we just have some minimum required version? If we know a 
> setup isn't going to work should we really let them proceed?
> 

Yes - we should set the minimum version (I'll send a patch), but there
are other reasons this could fail. So we should still catch the error
and issue a warning.

A good example of an error that is still possible is that there might be
a fully custom policy on the system. In that case the error will be
somewhat wrong, but should tell someone experienced enough to have a
custom policy what that there may be an issue to deal with.

Karl



From ssorce at redhat.com  Thu Oct 25 15:04:27 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 25 Oct 2007 11:04:27 -0400
Subject: [Freeipa-devel] [PATCH] command-line delegation
In-Reply-To: <471F7A6F.40802@redhat.com>
References: <471F6D8F.8090206@redhat.com>
	<20071024164957.GC16414@moon.usersys.redhat.com>
	<471F7A6F.40802@redhat.com>
Message-ID: <1193324667.15848.13.camel@localhost.localdomain>

On Wed, 2007-10-24 at 13:01 -0400, Rob Crittenden wrote:
> Kevin McCarthy wrote:
> > Rob Crittenden wrote:
> >> A quartet of commands to manage delegations from the command-line (man 
> >> pages thrown in for free).
> > 
> > First general comment.  Right now the webgui is not enforcing a unique
> > 'name' field.  This isn't a bad idea - I just haven't implemented such
> > an enforcment in the code.
> > 
> > If people agree using the name as an identifier is fine, then we should
> > add enforcement to the gui too.  (and then perhaps we can use the name
> > instead of the entire acistr to identity an individual aci)
> 
> The only other way to do it on the CLI would have the user paste in the 
> entire value of the ACI. I don't think there is another way if we want a 
> CLI equivalent.

ACIs include a comment field.
Is there a reason why we shouldn't use it as the ACI name ?

Simo.



From kmccarth at redhat.com  Thu Oct 25 15:26:27 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 25 Oct 2007 08:26:27 -0700
Subject: [Freeipa-devel] [PATCH] command-line delegation
In-Reply-To: <1193324667.15848.13.camel@localhost.localdomain>
References: <471F6D8F.8090206@redhat.com>
	<20071024164957.GC16414@moon.usersys.redhat.com>
	<471F7A6F.40802@redhat.com>
	<1193324667.15848.13.camel@localhost.localdomain>
Message-ID: <20071025152626.GB11334@moon.usersys.redhat.com>

Simo Sorce wrote:
> On Wed, 2007-10-24 at 13:01 -0400, Rob Crittenden wrote:
> > Kevin McCarthy wrote:
> > > Rob Crittenden wrote:
> > >> A quartet of commands to manage delegations from the command-line (man 
> > >> pages thrown in for free).
> > > 
> > > First general comment.  Right now the webgui is not enforcing a unique
> > > 'name' field.  This isn't a bad idea - I just haven't implemented such
> > > an enforcment in the code.
> > > 
> > > If people agree using the name as an identifier is fine, then we should
> > > add enforcement to the gui too.  (and then perhaps we can use the name
> > > instead of the entire acistr to identity an individual aci)
> > 
> > The only other way to do it on the CLI would have the user paste in the 
> > entire value of the ACI. I don't think there is another way if we want a 
> > CLI equivalent.
> 
> ACIs include a comment field.
> Is there a reason why we shouldn't use it as the ACI name ?

Yeah, actually we are referring to the comment field.  I've just called
it 'name' in the ACI data structure.

The issue is that there is not uniqueness contraint on the comment
(name) field in LDAP.  Nor does the web gui enforce that (although it
can be changed to do so).

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071025/48074265/attachment.bin>

From kmacmill at redhat.com  Thu Oct 25 15:30:10 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 25 Oct 2007 11:30:10 -0400
Subject: [Freeipa-devel] [PATCH] Print warning about NTP
In-Reply-To: <492654169fe314db9c93.1193068718@laptop.local>
References: <492654169fe314db9c93.1193068718@laptop.local>
Message-ID: <1193326210.13697.47.camel@mahler.iad.redhat.com>

On Mon, 2007-10-22 at 11:58 -0400, Karl MacMillan wrote:
> # HG changeset patch
> # User "Karl MacMillan <kmacmill at redhat.com>"
> # Date 1193068711 14400
> # Node ID 492654169fe314db9c9324849e3e6c8657761c80
> # Parent  f7f85a88b2b4c1f21a97348fc5237be473c3e2fa
> Print warning about NTP
> 

Pushed.



From kmacmill at redhat.com  Thu Oct 25 15:32:01 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 25 Oct 2007 11:32:01 -0400
Subject: [Freeipa-devel] [PATCH] Handle selinux failure
In-Reply-To: <9ff6cec98d764acbaefe.1193235038@localhost.localdomain>
References: <9ff6cec98d764acbaefe.1193235038@localhost.localdomain>
Message-ID: <1193326321.13697.49.camel@mahler.iad.redhat.com>

On Wed, 2007-10-24 at 10:10 -0400, Karl MacMillan wrote:
> # HG changeset patch
> # User "Karl MacMillan <kmacmill at redhat.com>"
> # Date 1193235029 14400
> # Node ID 9ff6cec98d764acbaefe915e0da63d29cd72cea1
> # Parent  d474654ca48ff4d36dffca6a94ac88ed0e441586
> Handle selinux failure
> 

Pushed.



From rcritten at redhat.com  Thu Oct 25 15:32:43 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 25 Oct 2007 11:32:43 -0400
Subject: [Freeipa-devel] [PATCH] Handle selinux failure
In-Reply-To: <1193324458.13697.34.camel@mahler.iad.redhat.com>
References: <9ff6cec98d764acbaefe.1193235038@localhost.localdomain>	
	<471F66BC.1090909@redhat.com>
	<1193324458.13697.34.camel@mahler.iad.redhat.com>
Message-ID: <4720B71B.3010207@redhat.com>

Karl MacMillan wrote:
> On Wed, 2007-10-24 at 11:37 -0400, Rob Crittenden wrote:
>> Karl MacMillan wrote:
>>> # HG changeset patch
>>> # User "Karl MacMillan <kmacmill at redhat.com>"
>>> # Date 1193235029 14400
>>> # Node ID 9ff6cec98d764acbaefe915e0da63d29cd72cea1
>>> # Parent  d474654ca48ff4d36dffca6a94ac88ed0e441586
>>> Handle selinux failure
>>>
>>> Ignore errors if setsebool fails and print a warning.
>>>
>>> diff -r d474654ca48f -r 9ff6cec98d76 ipa-server/ipa-install/ipa-server-install
>>> --- a/ipa-server/ipa-install/ipa-server-install	Wed Oct 24 10:04:43 2007 -0400
>>> +++ b/ipa-server/ipa-install/ipa-server-install	Wed Oct 24 10:10:29 2007 -0400
>>> @@ -554,7 +554,16 @@ def main():
>>>  
>>>          if selinux:
>>>              # Allow apache to connect to the turbogears web gui
>>> -            run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
>>> +            # This can still fail even if selinux is enabled
>>> +            try:
>>> +                run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
>>> +            except:
>>> +                print "WARNING: could not set selinux boolean httpd_can_network_connect to true."
>>> +                print "The web interface may not function correctly until this boolean is"
>>> +                print "successfully change with the command:"
>>> +                print "   /usr/sbin/setsebool -P httpd_can_network_connect true"
>>> +                print "Try updating the policycoreutils and selinux-policy packages."
>>> +                pass
>>>  
>>>          # Start the web gui
>>>          run(["/sbin/service", "ipa-webgui", "start"])
>> Um, shouldn't we just have some minimum required version? If we know a 
>> setup isn't going to work should we really let them proceed?
>>
> 
> Yes - we should set the minimum version (I'll send a patch), but there
> are other reasons this could fail. So we should still catch the error
> and issue a warning.
> 
> A good example of an error that is still possible is that there might be
> a fully custom policy on the system. In that case the error will be
> somewhat wrong, but should tell someone experienced enough to have a
> custom policy what that there may be an issue to deal with.
> 
> Karl
> 

Ah ok, good points. Go ahead and push it then.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071025/43042686/attachment.bin>

From rcritten at redhat.com  Thu Oct 25 15:35:41 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 25 Oct 2007 11:35:41 -0400
Subject: [Freeipa-devel] [PATCH] webgui custom fields
In-Reply-To: <20071024230854.GF16414@moon.usersys.redhat.com>
References: <20071024230854.GF16414@moon.usersys.redhat.com>
Message-ID: <4720B7CD.8030202@redhat.com>

Kevin McCarthy wrote:
> This is the webgui part of custom fields.  It will take a little more
> thought as to where to store the fields, etc.  But this is my
> recommendation for how to implement them in the UI.
> 
> I have actually included a couple bogus fields, just so you can see it
> in action.  Of course, rip those out when you get the real
> infrastructure in.
> 
> -Kevin

Looks good.

I think that the storage of the custom fields is going to make storage 
of the configuration look simple by comparison.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071025/9c5dad42/attachment.bin>

From kmacmill at redhat.com  Thu Oct 25 15:38:35 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 25 Oct 2007 11:38:35 -0400
Subject: [Freeipa-devel] [PATCH 0 of 5] Miscellaneous trivial patches
In-Reply-To: <patchbomb.1203608092@localhost.localdomain>
References: <patchbomb.1203608092@localhost.localdomain>
Message-ID: <1193326715.13697.51.camel@mahler.iad.redhat.com>

On Thu, 2008-02-21 at 15:34 +0000, Mark McLoughlin wrote:
> Hi,
>         What follows are just a few trivial patches to fix minor
> packaging issues, "make dist" and a bug in ipa-server-install.
> 

All 5 pushed - thanks Mark.

Karl



From kmccarth at redhat.com  Thu Oct 25 15:40:45 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 25 Oct 2007 08:40:45 -0700
Subject: [Freeipa-devel] [PATCH] webgui custom fields
In-Reply-To: <4720B7CD.8030202@redhat.com>
References: <20071024230854.GF16414@moon.usersys.redhat.com>
	<4720B7CD.8030202@redhat.com>
Message-ID: <20071025154044.GD11334@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> This is the webgui part of custom fields.  It will take a little more
>> thought as to where to store the fields, etc.  But this is my
>> recommendation for how to implement them in the UI.
>> I have actually included a couple bogus fields, just so you can see it
>> in action.  Of course, rip those out when you get the real
>> infrastructure in.
>> -Kevin
>
> Looks good.
>
> I think that the storage of the custom fields is going to make storage of 
> the configuration look simple by comparison.

pushified.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071025/39a2f630/attachment.bin>

From ssorce at redhat.com  Thu Oct 25 15:41:14 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 25 Oct 2007 11:41:14 -0400
Subject: [Freeipa-devel] [PATCH] command-line delegation
In-Reply-To: <20071025152626.GB11334@moon.usersys.redhat.com>
References: <471F6D8F.8090206@redhat.com>
	<20071024164957.GC16414@moon.usersys.redhat.com>
	<471F7A6F.40802@redhat.com>
	<1193324667.15848.13.camel@localhost.localdomain>
	<20071025152626.GB11334@moon.usersys.redhat.com>
Message-ID: <1193326874.15848.20.camel@localhost.localdomain>

On Thu, 2007-10-25 at 08:26 -0700, Kevin McCarthy wrote:
> Simo Sorce wrote:
> > On Wed, 2007-10-24 at 13:01 -0400, Rob Crittenden wrote:
> > > Kevin McCarthy wrote:
> > > > Rob Crittenden wrote:
> > > >> A quartet of commands to manage delegations from the command-line (man 
> > > >> pages thrown in for free).
> > > > 
> > > > First general comment.  Right now the webgui is not enforcing a unique
> > > > 'name' field.  This isn't a bad idea - I just haven't implemented such
> > > > an enforcment in the code.
> > > > 
> > > > If people agree using the name as an identifier is fine, then we should
> > > > add enforcement to the gui too.  (and then perhaps we can use the name
> > > > instead of the entire acistr to identity an individual aci)
> > > 
> > > The only other way to do it on the CLI would have the user paste in the 
> > > entire value of the ACI. I don't think there is another way if we want a 
> > > CLI equivalent.
> > 
> > ACIs include a comment field.
> > Is there a reason why we shouldn't use it as the ACI name ?
> 
> Yeah, actually we are referring to the comment field.  I've just called
> it 'name' in the ACI data structure.
> 
> The issue is that there is not uniqueness contraint on the comment
> (name) field in LDAP.  Nor does the web gui enforce that (although it
> can be changed to do so).

We should enforce it at creation time of course.
We shouldn't barf though on modification.

We need to document this for admins so that they don't do stupid things
like creating a bunch of ACIs in the same object with the same comment

I think it is ok to have the same "name" on different objects though and
define the FQDN of an ACI as name/dn

Simo.



From ssorce at redhat.com  Thu Oct 25 15:46:30 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 25 Oct 2007 11:46:30 -0400
Subject: [Freeipa-devel] [PATCH] command-line delegation
In-Reply-To: <1193326874.15848.20.camel@localhost.localdomain>
References: <471F6D8F.8090206@redhat.com>
	<20071024164957.GC16414@moon.usersys.redhat.com>
	<471F7A6F.40802@redhat.com>
	<1193324667.15848.13.camel@localhost.localdomain>
	<20071025152626.GB11334@moon.usersys.redhat.com>
	<1193326874.15848.20.camel@localhost.localdomain>
Message-ID: <1193327190.15848.23.camel@localhost.localdomain>

replying myself

On Thu, 2007-10-25 at 11:41 -0400, Simo Sorce wrote:
> 
> We should enforce it at creation time of course.
> We shouldn't barf though on modification.

If the admin is dumb enough to not follow advice it is ok to "screw up"
and return an error that say: "sorry we determine you have 2 or more
ACIs with the same name, we can't proceed, please manually fix the
naming problem".
This both from the GUI and the CLI.

Simo.



From rcritten at redhat.com  Thu Oct 25 15:49:50 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 25 Oct 2007 11:49:50 -0400
Subject: [Freeipa-devel] [PATCH] command-line delegation
In-Reply-To: <1193326874.15848.20.camel@localhost.localdomain>
References: <471F6D8F.8090206@redhat.com>	<20071024164957.GC16414@moon.usersys.redhat.com>	<471F7A6F.40802@redhat.com>	<1193324667.15848.13.camel@localhost.localdomain>	<20071025152626.GB11334@moon.usersys.redhat.com>
	<1193326874.15848.20.camel@localhost.localdomain>
Message-ID: <4720BB1E.3060907@redhat.com>

Simo Sorce wrote:
> On Thu, 2007-10-25 at 08:26 -0700, Kevin McCarthy wrote:
>> Simo Sorce wrote:
>>> On Wed, 2007-10-24 at 13:01 -0400, Rob Crittenden wrote:
>>>> Kevin McCarthy wrote:
>>>>> Rob Crittenden wrote:
>>>>>> A quartet of commands to manage delegations from the command-line (man 
>>>>>> pages thrown in for free).
>>>>> First general comment.  Right now the webgui is not enforcing a unique
>>>>> 'name' field.  This isn't a bad idea - I just haven't implemented such
>>>>> an enforcment in the code.
>>>>>
>>>>> If people agree using the name as an identifier is fine, then we should
>>>>> add enforcement to the gui too.  (and then perhaps we can use the name
>>>>> instead of the entire acistr to identity an individual aci)
>>>> The only other way to do it on the CLI would have the user paste in the 
>>>> entire value of the ACI. I don't think there is another way if we want a 
>>>> CLI equivalent.
>>> ACIs include a comment field.
>>> Is there a reason why we shouldn't use it as the ACI name ?
>> Yeah, actually we are referring to the comment field.  I've just called
>> it 'name' in the ACI data structure.
>>
>> The issue is that there is not uniqueness contraint on the comment
>> (name) field in LDAP.  Nor does the web gui enforce that (although it
>> can be changed to do so).
> 
> We should enforce it at creation time of course.
> We shouldn't barf though on modification.
> 
> We need to document this for admins so that they don't do stupid things
> like creating a bunch of ACIs in the same object with the same comment
> 
> I think it is ok to have the same "name" on different objects though and
> define the FQDN of an ACI as name/dn
> 
>

That's easy then because all ACI's are currently going into the same 
location on the tree: cn=accounts.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071025/4879a1f9/attachment.bin>

From ssorce at redhat.com  Thu Oct 25 16:21:09 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 25 Oct 2007 12:21:09 -0400
Subject: [Freeipa-devel] [PATCH] command-line delegation
In-Reply-To: <4720BB1E.3060907@redhat.com>
References: <471F6D8F.8090206@redhat.com>
	<20071024164957.GC16414@moon.usersys.redhat.com>
	<471F7A6F.40802@redhat.com>
	<1193324667.15848.13.camel@localhost.localdomain>
	<20071025152626.GB11334@moon.usersys.redhat.com>
	<1193326874.15848.20.camel@localhost.localdomain>
	<4720BB1E.3060907@redhat.com>
Message-ID: <1193329269.15848.25.camel@localhost.localdomain>

On Thu, 2007-10-25 at 11:49 -0400, Rob Crittenden wrote:
> 
> That's easy then because all ACI's are currently going into the same 
> location on the tree: cn=accounts. 

We already have ACIs elsewhere, are we limiting this at the RPC level ??
Or is this just a GUI limitation?

Simo.



From kmccarth at redhat.com  Thu Oct 25 16:26:12 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 25 Oct 2007 09:26:12 -0700
Subject: [Freeipa-devel] [PATCH] rename for fields parameter
Message-ID: <20071025162612.GE11334@moon.usersys.redhat.com>

Very early on, when I was struggling to get the form infrastructure
working I made a bad naming choice for the parameter containing form
fields (not the data - just the field widgets).

I called them 'user' and 'group'.  Unfortunately we use that variable
name all over the code do refer to the hash/entity containing actual
data.  This makes the form unnecessarily confusing.

I've let it sit, but should really rename it now to make the code more
clear  (this is also at Rob's request).

So this largish looking patch is simply renaming one parameter in the
user, group, and delegate forms.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1193329125 25200
# Node ID 7f39a17e73c4726eaf9ae03601c0329e9d015bdc
# Parent  af34252b443bfcc09f09a6fb2d283d3ebc13f7a7
Rename the form fields parameter to be clearer:
user -> user_fields
group -> group_fields
delegate -> delegate_fields

diff -r af34252b443b -r 7f39a17e73c4 ipa-server/ipa-gui/ipagui/forms/delegate.py
--- a/ipa-server/ipa-gui/ipagui/forms/delegate.py	Thu Oct 25 08:58:58 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/forms/delegate.py	Thu Oct 25 09:18:45 2007 -0700
@@ -69,7 +69,7 @@ class DelegateValidator(validators.Schem
         messages = { 'empty': _("Please select at least one value"), })
 
 class DelegateForm(widgets.Form):
-    params = ['delegate', 'attr_list']
+    params = ['delegate_fields', 'attr_list']
 
     hidden_fields = [
       DelegateFields.source_group_dn,
@@ -85,7 +85,7 @@ class DelegateForm(widgets.Form):
         super(DelegateForm,self).__init__(*args, **kw)
         (self.template_c, self.template) = widgets.meta.load_kid_template(
                 "ipagui.templates.delegateform")
-        self.delegate = DelegateFields
+        self.delegate_fields = DelegateFields
 
     def update_params(self, params):
         super(DelegateForm,self).update_params(params)
diff -r af34252b443b -r 7f39a17e73c4 ipa-server/ipa-gui/ipagui/forms/group.py
--- a/ipa-server/ipa-gui/ipagui/forms/group.py	Thu Oct 25 08:58:58 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/forms/group.py	Thu Oct 25 09:18:45 2007 -0700
@@ -19,7 +19,7 @@ class GroupNewValidator(validators.Schem
 
 
 class GroupNewForm(widgets.Form):
-    params = ['group']
+    params = ['group_fields']
 
     hidden_fields = [
       GroupFields.dn_to_info_json
@@ -30,7 +30,7 @@ class GroupNewForm(widgets.Form):
     def __init__(self, *args, **kw):
         super(GroupNewForm,self).__init__(*args, **kw)
         (self.template_c, self.template) = widgets.meta.load_kid_template("ipagui.templates.groupnewform")
-        self.group = GroupFields
+        self.group_fields = GroupFields
 
     def update_params(self, params):
         super(GroupNewForm,self).update_params(params)
@@ -45,7 +45,7 @@ class GroupEditValidator(validators.Sche
     ]
 
 class GroupEditForm(widgets.Form):
-    params = ['members', 'group']
+    params = ['members', 'group_fields']
 
     hidden_fields = [
       GroupFields.cn_hidden, GroupFields.editprotected_hidden,
@@ -58,4 +58,4 @@ class GroupEditForm(widgets.Form):
     def __init__(self, *args, **kw):
         super(GroupEditForm,self).__init__(*args, **kw)
         (self.template_c, self.template) = widgets.meta.load_kid_template("ipagui.templates.groupeditform")
-        self.group = GroupFields
+        self.group_fields = GroupFields
diff -r af34252b443b -r 7f39a17e73c4 ipa-server/ipa-gui/ipagui/forms/user.py
--- a/ipa-server/ipa-gui/ipagui/forms/user.py	Thu Oct 25 08:58:58 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/forms/user.py	Thu Oct 25 09:18:45 2007 -0700
@@ -75,7 +75,7 @@ class UserNewValidator(validators.Schema
 
 
 class UserNewForm(widgets.Form):
-    params = ['user', 'custom_fields']
+    params = ['user_fields', 'custom_fields']
 
     hidden_fields = [
       UserFields.dn_to_info_json,
@@ -92,7 +92,7 @@ class UserNewForm(widgets.Form):
     def __init__(self, *args, **kw):
         super(UserNewForm,self).__init__(*args, **kw)
         (self.template_c, self.template) = widgets.meta.load_kid_template("ipagui.templates.usernewform")
-        self.user = UserFields
+        self.user_fields = UserFields
 
     def update_params(self, params):
         super(UserNewForm,self).update_params(params)
@@ -116,7 +116,7 @@ class UserEditValidator(validators.Schem
     ]
 
 class UserEditForm(widgets.Form):
-    params = ['user', 'custom_fields']
+    params = ['user_fields', 'custom_fields']
 
     hidden_fields = [
       UserFields.uid_hidden, UserFields.user_orig,
@@ -137,7 +137,7 @@ class UserEditForm(widgets.Form):
     def __init__(self, *args, **kw):
         super(UserEditForm,self).__init__(*args, **kw)
         (self.template_c, self.template) = widgets.meta.load_kid_template("ipagui.templates.usereditform")
-        self.user = UserFields
+        self.user_fields = UserFields
 
 
 # TODO - add dynamic field retrieval:
diff -r af34252b443b -r 7f39a17e73c4 ipa-server/ipa-gui/ipagui/templates/delegateform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/delegateform.kid	Thu Oct 25 08:58:58 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/delegateform.kid	Thu Oct 25 09:18:45 2007 -0700
@@ -89,23 +89,23 @@
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th valign="top">
-          <label class="fieldlabel" for="${delegate.name.field_id}"
-            py:content="delegate.name.label" />:
-        </th>
-        <td>
-          <span py:replace="delegate.name.display(value_for(delegate.name))" />
+          <label class="fieldlabel" for="${delegate_fields.name.field_id}"
+            py:content="delegate_fields.name.label" />:
+        </th>
+        <td>
+          <span py:replace="delegate_fields.name.display(value_for(delegate_fields.name))" />
           <span py:if="tg.errors.get('name')" class="fielderror"
               py:content="tg.errors.get('name')" />
         </td>
       </tr>
       <tr>
         <th valign="top">
-          <label class="fieldlabel" for="${delegate.source_group_cn.field_id}"
-            py:content="delegate.source_group_cn.label" />:
+          <label class="fieldlabel" for="${delegate_fields.source_group_cn.field_id}"
+            py:content="delegate_fields.source_group_cn.label" />:
         </th>
         <td>
           <div>
-            <span id='source_group_cn'>${value_for(delegate.source_group_cn)}</span>
+            <span id='source_group_cn'>${value_for(delegate_fields.source_group_cn)}</span>
             <a href="#" id='source_change_link'
               onclick="new Effect.Appear($('source_searcharea'), {duration: 0.25});
                        new Effect.Fade(this, {duration: 0.25});
@@ -128,23 +128,23 @@
       </tr>
       <tr>
         <th valign="top">
-          <label class="fieldlabel" for="${delegate.attrs.field_id}"
-            py:content="delegate.attrs.label" />:
+          <label class="fieldlabel" for="${delegate_fields.attrs.field_id}"
+            py:content="delegate_fields.attrs.label" />:
         </th>
         <td valign="top">
           <span py:if="tg.errors.get('attrs')" class="fielderror"
               py:content="tg.errors.get('attrs')" />
-          <span py:replace="delegate.attrs.display(value_for(delegate.attrs))" />
-        </td>
-      </tr>
-      <tr>
-        <th valign="top">
-          <label class="fieldlabel" for="${delegate.dest_group_cn.field_id}"
-            py:content="delegate.dest_group_cn.label" />:
+          <span py:replace="delegate_fields.attrs.display(value_for(delegate_fields.attrs))" />
+        </td>
+      </tr>
+      <tr>
+        <th valign="top">
+          <label class="fieldlabel" for="${delegate_fields.dest_group_cn.field_id}"
+            py:content="delegate_fields.dest_group_cn.label" />:
         </th>
         <td>
           <div>
-            <span id='dest_group_cn'>${value_for(delegate.dest_group_cn)}</span>
+            <span id='dest_group_cn'>${value_for(delegate_fields.dest_group_cn)}</span>
             <a href="#" id='dest_change_link'
               onclick="new Effect.Appear($('dest_searcharea'), {duration: 0.25});
                        new Effect.Fade(this, {duration: 0.25});
diff -r af34252b443b -r 7f39a17e73c4 ipa-server/ipa-gui/ipagui/templates/groupeditform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid	Thu Oct 25 08:58:58 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid	Thu Oct 25 09:18:45 2007 -0700
@@ -77,25 +77,25 @@ from ipagui.helpers import ipahelper
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th>
-          <label class="fieldlabel" for="${group.cn.field_id}"
-            py:content="group.cn.label" />:
-        </th>
-        <td>
-          <!-- <span py:replace="group.cn.display(value_for(group.cn))" />
+          <label class="fieldlabel" for="${group_fields.cn.field_id}"
+            py:content="group_fields.cn.label" />:
+        </th>
+        <td>
+          <!-- <span py:replace="group_fields.cn.display(value_for(group_fields.cn))" />
           <span py:if="tg.errors.get('cn')" class="fielderror"
               py:content="tg.errors.get('cn')" /> -->
-          ${value_for(group.cn)}
-
-        </td>
-      </tr>
-
-      <tr>
-        <th>
-          <label class="fieldlabel" for="${group.description.field_id}"
-            py:content="group.description.label" />:
-        </th>
-        <td>
-          <span py:replace="group.description.display(value_for(group.description))" />
+          ${value_for(group_fields.cn)}
+
+        </td>
+      </tr>
+
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${group_fields.description.field_id}"
+            py:content="group_fields.description.label" />:
+        </th>
+        <td>
+          <span py:replace="group_fields.description.display(value_for(group_fields.description))" />
           <span py:if="tg.errors.get('description')" class="fielderror"
               py:content="tg.errors.get('description')" />
 
@@ -104,11 +104,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${group.gidnumber.field_id}"
-            py:content="group.gidnumber.label" />:
-        </th>
-        <td>
-          <span py:replace="group.gidnumber.display(value_for(group.gidnumber))" />
+          <label class="fieldlabel" for="${group_fields.gidnumber.field_id}"
+            py:content="group_fields.gidnumber.label" />:
+        </th>
+        <td>
+          <span py:replace="group_fields.gidnumber.display(value_for(group_fields.gidnumber))" />
           <span py:if="tg.errors.get('gidnumber')" class="fielderror"
               py:content="tg.errors.get('gidnumber')" />
 
diff -r af34252b443b -r 7f39a17e73c4 ipa-server/ipa-gui/ipagui/templates/groupnewform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/groupnewform.kid	Thu Oct 25 08:58:58 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/groupnewform.kid	Thu Oct 25 09:18:45 2007 -0700
@@ -40,11 +40,11 @@ from ipagui.helpers import ipahelper
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th>
-          <label class="fieldlabel" for="${group.cn.field_id}"
-            py:content="group.cn.label" />:
+          <label class="fieldlabel" for="${group_fields.cn.field_id}"
+            py:content="group_fields.cn.label" />:
         </th>
         <td>
-          <span py:replace="group.cn.display(value_for(group.cn))" />
+          <span py:replace="group_fields.cn.display(value_for(group_fields.cn))" />
           <span py:if="tg.errors.get('cn')" class="fielderror"
               py:content="tg.errors.get('cn')" />
 
@@ -53,11 +53,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${group.description.field_id}"
-            py:content="group.description.label" />:
+          <label class="fieldlabel" for="${group_fields.description.field_id}"
+            py:content="group_fields.description.label" />:
         </th>
         <td>
-          <span py:replace="group.description.display(value_for(group.description))" />
+          <span py:replace="group_fields.description.display(value_for(group_fields.description))" />
           <span py:if="tg.errors.get('description')" class="fielderror"
               py:content="tg.errors.get('description')" />
 
@@ -66,8 +66,8 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${group.gidnumber.field_id}"
-            py:content="group.gidnumber.label" />:
+          <label class="fieldlabel" for="${group_fields.gidnumber.field_id}"
+            py:content="group_fields.gidnumber.label" />:
         </th>
         <td>
           Generated by server
diff -r af34252b443b -r 7f39a17e73c4 ipa-server/ipa-gui/ipagui/templates/usereditform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usereditform.kid	Thu Oct 25 08:58:58 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usereditform.kid	Thu Oct 25 09:18:45 2007 -0700
@@ -114,11 +114,11 @@ from ipagui.helpers import ipahelper
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.title.field_id}"
-            py:content="user.title.label" />:
-        </th>
-        <td>
-          <span py:replace="user.title.display(value_for(user.title))" />
+          <label class="fieldlabel" for="${user_fields.title.field_id}"
+            py:content="user_fields.title.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.title.display(value_for(user_fields.title))" />
           <span py:if="tg.errors.get('title')" class="fielderror"
               py:content="tg.errors.get('title')" />
 
@@ -127,11 +127,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.givenname.field_id}"
-            py:content="user.givenname.label" />:
-        </th>
-        <td>
-          <span py:replace="user.givenname.display(value_for(user.givenname))" />
+          <label class="fieldlabel" for="${user_fields.givenname.field_id}"
+            py:content="user_fields.givenname.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.givenname.display(value_for(user_fields.givenname))" />
           <span py:if="tg.errors.get('givenname')" class="fielderror"
               py:content="tg.errors.get('givenname')" />
 
@@ -140,11 +140,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.sn.field_id}"
-            py:content="user.sn.label" />:
-        </th>
-        <td>
-          <span py:replace="user.sn.display(value_for(user.sn))" />
+          <label class="fieldlabel" for="${user_fields.sn.field_id}"
+            py:content="user_fields.sn.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.sn.display(value_for(user_fields.sn))" />
           <span py:if="tg.errors.get('sn')" class="fielderror"
               py:content="tg.errors.get('sn')" />
         </td>
@@ -152,11 +152,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.cn.field_id}"
-            py:content="user.cn.label" />:
-        </th>
-        <td>
-          <span py:replace="user.cn.display(value_for(user.cn))" />
+          <label class="fieldlabel" for="${user_fields.cn.field_id}"
+            py:content="user_fields.cn.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.cn.display(value_for(user_fields.cn))" />
           <span py:if="tg.errors.get('cn')" class="fielderror"
               py:content="tg.errors.get('cn')" />
 
@@ -165,11 +165,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.displayname.field_id}"
-            py:content="user.displayname.label" />:
-        </th>
-        <td>
-          <span py:replace="user.displayname.display(value_for(user.displayname))" />
+          <label class="fieldlabel" for="${user_fields.displayname.field_id}"
+            py:content="user_fields.displayname.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.displayname.display(value_for(user_fields.displayname))" />
           <span py:if="tg.errors.get('displayname')" class="fielderror"
               py:content="tg.errors.get('displayname')" />
 
@@ -178,11 +178,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.initials.field_id}"
-            py:content="user.initials.label" />:
-        </th>
-        <td>
-          <span py:replace="user.initials.display(value_for(user.initials))" />
+          <label class="fieldlabel" for="${user_fields.initials.field_id}"
+            py:content="user_fields.initials.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.initials.display(value_for(user_fields.initials))" />
           <span py:if="tg.errors.get('initials')" class="fielderror"
               py:content="tg.errors.get('initials')" />
 
@@ -194,32 +194,32 @@ from ipagui.helpers import ipahelper
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.nsAccountLock.field_id}"
-            py:content="user.nsAccountLock.label" />:
-        </th>
-        <td>
-          <span py:replace="user.nsAccountLock.display(value_for(user.nsAccountLock))" />
+          <label class="fieldlabel" for="${user_fields.nsAccountLock.field_id}"
+            py:content="user_fields.nsAccountLock.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.nsAccountLock.display(value_for(user_fields.nsAccountLock))" />
           <span py:if="tg.errors.get('nsAccountLock')" class="fielderror"
                     py:content="tg.errors.get('nsAccountLock')" />
         </td>
       </tr>
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.uid.field_id}"
-            py:content="user.uid.label" />:
-        </th>
-        <td>
-          ${value_for(user.uid)}
+          <label class="fieldlabel" for="${user_fields.uid.field_id}"
+            py:content="user_fields.uid.label" />:
+        </th>
+        <td>
+          ${value_for(user_fields.uid)}
         </td>
       </tr>
 
       <tr>
         <th valign="top">
-          <label class="fieldlabel" for="${user.userpassword.field_id}"
-            py:content="user.userpassword.label" />:
+          <label class="fieldlabel" for="${user_fields.userpassword.field_id}"
+            py:content="user_fields.userpassword.label" />:
         </th>
         <td valign="top">
-          <span py:replace="user.userpassword.display(value_for(user.userpassword))" />
+          <span py:replace="user_fields.userpassword.display(value_for(user_fields.userpassword))" />
           <span py:if="tg.errors.get('userpassword')" class="fielderror"
               py:content="tg.errors.get('userpassword')" />
 
@@ -266,12 +266,12 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th valign="top">
-          <label class="fieldlabel" for="${user.userpassword_confirm.field_id}"
-            py:content="user.userpassword_confirm.label" />:
+          <label class="fieldlabel" for="${user_fields.userpassword_confirm.field_id}"
+            py:content="user_fields.userpassword_confirm.label" />:
         </th>
         <td valign="top">
-          <span py:replace="user.userpassword_confirm.display(
-               value_for(user.userpassword_confirm))" />
+          <span py:replace="user_fields.userpassword_confirm.display(
+               value_for(user_fields.userpassword_confirm))" />
           <span py:if="tg.errors.get('userpassword_confirm')" class="fielderror"
               py:content="tg.errors.get('userpassword_confirm')" />
 
@@ -283,12 +283,12 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.uidnumber.field_id}"
-            py:content="user.uidnumber.label" />:
-        </th>
-        <td>
-          <span py:replace="user.uidnumber.display(
-               value_for(user.uidnumber))" />
+          <label class="fieldlabel" for="${user_fields.uidnumber.field_id}"
+            py:content="user_fields.uidnumber.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.uidnumber.display(
+               value_for(user_fields.uidnumber))" />
           <span py:if="tg.errors.get('uidnumber')" class="fielderror"
               py:content="tg.errors.get('uidnumber')" />
 
@@ -300,12 +300,12 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.gidnumber.field_id}"
-            py:content="user.gidnumber.label" />:
-        </th>
-        <td>
-          <span py:replace="user.gidnumber.display(
-               value_for(user.gidnumber))" />
+          <label class="fieldlabel" for="${user_fields.gidnumber.field_id}"
+            py:content="user_fields.gidnumber.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.gidnumber.display(
+               value_for(user_fields.gidnumber))" />
           <span py:if="tg.errors.get('gidnumber')" class="fielderror"
               py:content="tg.errors.get('gidnumber')" />
 
@@ -317,12 +317,12 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.homedirectory.field_id}"
-            py:content="user.homedirectory.label" />:
-        </th>
-        <td>
-          <span py:replace="user.homedirectory.display(
-               value_for(user.homedirectory))" />
+          <label class="fieldlabel" for="${user_fields.homedirectory.field_id}"
+            py:content="user_fields.homedirectory.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.homedirectory.display(
+               value_for(user_fields.homedirectory))" />
           <span py:if="tg.errors.get('homedirectory')" class="fielderror"
               py:content="tg.errors.get('homedirectory')" />
 
@@ -334,12 +334,12 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.loginshell.field_id}"
-            py:content="user.loginshell.label" />:
-        </th>
-        <td>
-          <span py:replace="user.loginshell.display(
-              value_for(user.loginshell))" />
+          <label class="fieldlabel" for="${user_fields.loginshell.field_id}"
+            py:content="user_fields.loginshell.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.loginshell.display(
+              value_for(user_fields.loginshell))" />
           <span py:if="tg.errors.get('loginshell')" class="fielderror"
               py:content="tg.errors.get('loginshell')" />
         </td>
@@ -347,12 +347,12 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.gecos.field_id}"
-            py:content="user.gecos.label" />:
-        </th>
-        <td>
-          <span py:replace="user.gecos.display(
-              value_for(user.gecos))" />
+          <label class="fieldlabel" for="${user_fields.gecos.field_id}"
+            py:content="user_fields.gecos.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.gecos.display(
+              value_for(user_fields.gecos))" />
           <span py:if="tg.errors.get('gecos')" class="fielderror"
               py:content="tg.errors.get('gecos')" />
         </td>
@@ -363,11 +363,11 @@ from ipagui.helpers import ipahelper
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.mail.field_id}"
-            py:content="user.mail.label" />:
-        </th>
-        <td>
-          <span py:replace="user.mail.display(value_for(user.mail))" />
+          <label class="fieldlabel" for="${user_fields.mail.field_id}"
+            py:content="user_fields.mail.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.mail.display(value_for(user_fields.mail))" />
           <span py:if="tg.errors.get('mail')" class="fielderror"
               py:content="tg.errors.get('mail')" />
         </td>
@@ -375,11 +375,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.telephonenumber.field_id}"
-            py:content="user.telephonenumber.label" />:
-        </th>
-        <td>
-          <span py:replace="user.telephonenumber.display(value_for(user.telephonenumber))" />
+          <label class="fieldlabel" for="${user_fields.telephonenumber.field_id}"
+            py:content="user_fields.telephonenumber.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.telephonenumber.display(value_for(user_fields.telephonenumber))" />
           <span py:if="tg.errors.get('telephonenumber')" class="fielderror"
               py:content="tg.errors.get('telephonenumber')" />
         </td>
@@ -387,11 +387,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.facsimiletelephonenumber.field_id}"
-            py:content="user.facsimiletelephonenumber.label" />:
-        </th>
-        <td>
-          <span py:replace="user.facsimiletelephonenumber.display(value_for(user.facsimiletelephonenumber))" />
+          <label class="fieldlabel" for="${user_fields.facsimiletelephonenumber.field_id}"
+            py:content="user_fields.facsimiletelephonenumber.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.facsimiletelephonenumber.display(value_for(user_fields.facsimiletelephonenumber))" />
           <span py:if="tg.errors.get('facsimiletelephonenumber')" class="fielderror"
               py:content="tg.errors.get('facsimiletelephonenumber')" />
         </td>
@@ -399,11 +399,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.mobile.field_id}"
-            py:content="user.mobile.label" />:
-        </th>
-        <td>
-          <span py:replace="user.mobile.display(value_for(user.mobile))" />
+          <label class="fieldlabel" for="${user_fields.mobile.field_id}"
+            py:content="user_fields.mobile.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.mobile.display(value_for(user_fields.mobile))" />
           <span py:if="tg.errors.get('mobile')" class="fielderror"
               py:content="tg.errors.get('mobile')" />
         </td>
@@ -411,11 +411,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.pager.field_id}"
-            py:content="user.pager.label" />:
-        </th>
-        <td>
-          <span py:replace="user.pager.display(value_for(user.pager))" />
+          <label class="fieldlabel" for="${user_fields.pager.field_id}"
+            py:content="user_fields.pager.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.pager.display(value_for(user_fields.pager))" />
           <span py:if="tg.errors.get('pager')" class="fielderror"
               py:content="tg.errors.get('pager')" />
         </td>
@@ -423,11 +423,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.homephone.field_id}"
-            py:content="user.homephone.label" />:
-        </th>
-        <td>
-          <span py:replace="user.homephone.display(value_for(user.homephone))" />
+          <label class="fieldlabel" for="${user_fields.homephone.field_id}"
+            py:content="user_fields.homephone.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.homephone.display(value_for(user_fields.homephone))" />
           <span py:if="tg.errors.get('homephone')" class="fielderror"
               py:content="tg.errors.get('homephone')" />
         </td>
@@ -438,11 +438,11 @@ from ipagui.helpers import ipahelper
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.street.field_id}"
-            py:content="user.street.label" />:
-        </th>
-        <td>
-          <span py:replace="user.street.display(value_for(user.street))" />
+          <label class="fieldlabel" for="${user_fields.street.field_id}"
+            py:content="user_fields.street.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.street.display(value_for(user_fields.street))" />
           <span py:if="tg.errors.get('street')" class="fielderror"
               py:content="tg.errors.get('street')" />
         </td>
@@ -450,11 +450,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.roomnumber.field_id}"
-            py:content="user.roomnumber.label" />:
-        </th>
-        <td>
-          <span py:replace="user.roomnumber.display(value_for(user.roomnumber))" />
+          <label class="fieldlabel" for="${user_fields.roomnumber.field_id}"
+            py:content="user_fields.roomnumber.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.roomnumber.display(value_for(user_fields.roomnumber))" />
           <span py:if="tg.errors.get('roomnumber')" class="fielderror"
               py:content="tg.errors.get('roomnumber')" />
         </td>
@@ -462,11 +462,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.l.field_id}"
-            py:content="user.l.label" />:
-        </th>
-        <td>
-          <span py:replace="user.l.display(value_for(user.l))" />
+          <label class="fieldlabel" for="${user_fields.l.field_id}"
+            py:content="user_fields.l.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.l.display(value_for(user_fields.l))" />
           <span py:if="tg.errors.get('l')" class="fielderror"
               py:content="tg.errors.get('l')" />
         </td>
@@ -474,11 +474,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.st.field_id}"
-            py:content="user.st.label" />:
-        </th>
-        <td>
-          <span py:replace="user.st.display(value_for(user.st))" />
+          <label class="fieldlabel" for="${user_fields.st.field_id}"
+            py:content="user_fields.st.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.st.display(value_for(user_fields.st))" />
           <span py:if="tg.errors.get('st')" class="fielderror"
               py:content="tg.errors.get('st')" />
         </td>
@@ -486,11 +486,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.postalcode.field_id}"
-            py:content="user.postalcode.label" />:
-        </th>
-        <td>
-          <span py:replace="user.postalcode.display(value_for(user.postalcode))" />
+          <label class="fieldlabel" for="${user_fields.postalcode.field_id}"
+            py:content="user_fields.postalcode.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.postalcode.display(value_for(user_fields.postalcode))" />
           <span py:if="tg.errors.get('postalcode')" class="fielderror"
               py:content="tg.errors.get('postalcode')" />
         </td>
@@ -501,11 +501,11 @@ from ipagui.helpers import ipahelper
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.ou.field_id}"
-            py:content="user.ou.label" />:
-        </th>
-        <td>
-          <span py:replace="user.ou.display(value_for(user.ou))" />
+          <label class="fieldlabel" for="${user_fields.ou.field_id}"
+            py:content="user_fields.ou.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.ou.display(value_for(user_fields.ou))" />
           <span py:if="tg.errors.get('ou')" class="fielderror"
               py:content="tg.errors.get('ou')" />
         </td>
@@ -513,11 +513,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.businesscategory.field_id}"
-            py:content="user.businesscategory.label" />:
-        </th>
-        <td>
-          <span py:replace="user.businesscategory.display(value_for(user.businesscategory))" />
+          <label class="fieldlabel" for="${user_fields.businesscategory.field_id}"
+            py:content="user_fields.businesscategory.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.businesscategory.display(value_for(user_fields.businesscategory))" />
           <span py:if="tg.errors.get('businesscategory')" class="fielderror"
               py:content="tg.errors.get('businesscategory')" />
         </td>
@@ -525,11 +525,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.description.field_id}"
-            py:content="user.description.label" />:
-        </th>
-        <td>
-          <span py:replace="user.description.display(value_for(user.description))" />
+          <label class="fieldlabel" for="${user_fields.description.field_id}"
+            py:content="user_fields.description.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.description.display(value_for(user_fields.description))" />
           <span py:if="tg.errors.get('description')" class="fielderror"
               py:content="tg.errors.get('description')" />
         </td>
@@ -537,11 +537,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.employeetype.field_id}"
-            py:content="user.employeetype.label" />:
-        </th>
-        <td>
-          <span py:replace="user.employeetype.display(value_for(user.employeetype))" />
+          <label class="fieldlabel" for="${user_fields.employeetype.field_id}"
+            py:content="user_fields.employeetype.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.employeetype.display(value_for(user_fields.employeetype))" />
           <span py:if="tg.errors.get('employeetype')" class="fielderror"
               py:content="tg.errors.get('employeetype')" />
         </td>
@@ -549,12 +549,12 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th valign="top">
-          <label class="fieldlabel" for="${user.manager.field_id}"
-            py:content="user.manager.label" />:
+          <label class="fieldlabel" for="${user_fields.manager.field_id}"
+            py:content="user_fields.manager.label" />:
         </th>
         <td valign="top">
           <div>
-            <span id='manager_select_cn'>${value_for(user.manager_cn)}</span>
+            <span id='manager_select_cn'>${value_for(user_fields.manager_cn)}</span>
             <span id='manager_links'>
               <a href="#" onclick="return clearSelect('manager');">clear</a>
               <a href="#" onclick="return startSelect('manager');">change</a>
@@ -578,12 +578,12 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th valign="top">
-          <label class="fieldlabel" for="${user.secretary.field_id}"
-            py:content="user.secretary.label" />:
+          <label class="fieldlabel" for="${user_fields.secretary.field_id}"
+            py:content="user_fields.secretary.label" />:
         </th>
         <td valign="top">
           <div>
-            <span id='secretary_select_cn'>${value_for(user.secretary_cn)}</span>
+            <span id='secretary_select_cn'>${value_for(user_fields.secretary_cn)}</span>
             <span id='secretary_links'>
               <a href="#" onclick="return clearSelect('secretary');">clear</a>
               <a href="#" onclick="return startSelect('secretary');">change</a>
@@ -610,22 +610,22 @@ from ipagui.helpers import ipahelper
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.carlicense.field_id}"
-            py:content="user.carlicense.label" />:
-        </th>
-        <td>
-          <span py:replace="user.carlicense.display(value_for(user.carlicense))" />
+          <label class="fieldlabel" for="${user_fields.carlicense.field_id}"
+            py:content="user_fields.carlicense.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.carlicense.display(value_for(user_fields.carlicense))" />
           <span py:if="tg.errors.get('carlicense')" class="fielderror"
               py:content="tg.errors.get('carlicense')" />
         </td>
       </tr>
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.labeleduri.field_id}"
-            py:content="user.labeleduri.label" />:
-        </th>
-        <td>
-          <span py:replace="user.labeleduri.display(value_for(user.labeleduri))" />
+          <label class="fieldlabel" for="${user_fields.labeleduri.field_id}"
+            py:content="user_fields.labeleduri.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.labeleduri.display(value_for(user_fields.labeleduri))" />
           <span py:if="tg.errors.get('labeleduri')" class="fielderror"
               py:content="tg.errors.get('labeleduri')" />
         </td>
diff -r af34252b443b -r 7f39a17e73c4 ipa-server/ipa-gui/ipagui/templates/usernewform.kid
--- a/ipa-server/ipa-gui/ipagui/templates/usernewform.kid	Thu Oct 25 08:58:58 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/templates/usernewform.kid	Thu Oct 25 09:18:45 2007 -0700
@@ -65,11 +65,11 @@ from ipagui.helpers import ipahelper
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.title.field_id}"
-            py:content="user.title.label" />:
-        </th>
-        <td>
-          <span py:replace="user.title.display(value_for(user.title))" />
+          <label class="fieldlabel" for="${user_fields.title.field_id}"
+            py:content="user_fields.title.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.title.display(value_for(user_fields.title))" />
           <span py:if="tg.errors.get('title')" class="fielderror"
               py:content="tg.errors.get('title')" />
 
@@ -78,11 +78,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.givenname.field_id}"
-            py:content="user.givenname.label" />:
-        </th>
-        <td>
-          <span py:replace="user.givenname.display(value_for(user.givenname))" />
+          <label class="fieldlabel" for="${user_fields.givenname.field_id}"
+            py:content="user_fields.givenname.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.givenname.display(value_for(user_fields.givenname))" />
           <span py:if="tg.errors.get('givenname')" class="fielderror"
               py:content="tg.errors.get('givenname')" />
 
@@ -91,11 +91,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.sn.field_id}"
-            py:content="user.sn.label" />:
-        </th>
-        <td>
-          <span py:replace="user.sn.display(value_for(user.sn))" />
+          <label class="fieldlabel" for="${user_fields.sn.field_id}"
+            py:content="user_fields.sn.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.sn.display(value_for(user_fields.sn))" />
           <span py:if="tg.errors.get('sn')" class="fielderror"
               py:content="tg.errors.get('sn')" />
           <script type="text/javascript">
@@ -171,11 +171,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.cn.field_id}"
-            py:content="user.cn.label" />:
-        </th>
-        <td>
-          <span py:replace="user.cn.display(value_for(user.cn))" />
+          <label class="fieldlabel" for="${user_fields.cn.field_id}"
+            py:content="user_fields.cn.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.cn.display(value_for(user_fields.cn))" />
           <span py:if="tg.errors.get('cn')" class="fielderror"
               py:content="tg.errors.get('cn')" />
 
@@ -184,11 +184,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.displayname.field_id}"
-            py:content="user.displayname.label" />:
-        </th>
-        <td>
-          <span py:replace="user.displayname.display(value_for(user.displayname))" />
+          <label class="fieldlabel" for="${user_fields.displayname.field_id}"
+            py:content="user_fields.displayname.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.displayname.display(value_for(user_fields.displayname))" />
           <span py:if="tg.errors.get('displayname')" class="fielderror"
               py:content="tg.errors.get('displayname')" />
 
@@ -197,11 +197,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.initials.field_id}"
-            py:content="user.initials.label" />:
-        </th>
-        <td>
-          <span py:replace="user.initials.display(value_for(user.initials))" />
+          <label class="fieldlabel" for="${user_fields.initials.field_id}"
+            py:content="user_fields.initials.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.initials.display(value_for(user_fields.initials))" />
           <span py:if="tg.errors.get('initials')" class="fielderror"
               py:content="tg.errors.get('initials')" />
 
@@ -213,22 +213,22 @@ from ipagui.helpers import ipahelper
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.nsAccountLock.field_id}"
-            py:content="user.nsAccountLock.label" />:
-        </th>
-        <td>
-          <span py:replace="user.nsAccountLock.display(value_for(user.nsAccountLock))" />
+          <label class="fieldlabel" for="${user_fields.nsAccountLock.field_id}"
+            py:content="user_fields.nsAccountLock.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.nsAccountLock.display(value_for(user_fields.nsAccountLock))" />
           <span py:if="tg.errors.get('nsAccountLock')" class="fielderror"
                     py:content="tg.errors.get('nsAccountLock')" />
         </td>
       </tr>
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.uid.field_id}"
-            py:content="user.uid.label" />:
-        </th>
-        <td>
-          <span py:replace="user.uid.display(value_for(user.uid))" />
+          <label class="fieldlabel" for="${user_fields.uid.field_id}"
+            py:content="user_fields.uid.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.uid.display(value_for(user_fields.uid))" />
           <span py:if="tg.errors.get('uid')" class="fielderror"
               py:content="tg.errors.get('uid')" />
         </td>
@@ -236,11 +236,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.userpassword.field_id}"
-            py:content="user.userpassword.label" />:
-        </th>
-        <td>
-          <span py:replace="user.userpassword.display(value_for(user.userpassword))" />
+          <label class="fieldlabel" for="${user_fields.userpassword.field_id}"
+            py:content="user_fields.userpassword.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.userpassword.display(value_for(user_fields.userpassword))" />
           <span py:if="tg.errors.get('userpassword')" class="fielderror"
               py:content="tg.errors.get('userpassword')" />
 
@@ -260,12 +260,12 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.userpassword_confirm.field_id}"
-            py:content="user.userpassword_confirm.label" />:
-        </th>
-        <td>
-          <span py:replace="user.userpassword_confirm.display(
-              value_for(user.userpassword_confirm))" />
+          <label class="fieldlabel" for="${user_fields.userpassword_confirm.field_id}"
+            py:content="user_fields.userpassword_confirm.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.userpassword_confirm.display(
+              value_for(user_fields.userpassword_confirm))" />
           <span py:if="tg.errors.get('userpassword_confirm')" class="fielderror"
               py:content="tg.errors.get('userpassword_confirm')" />
         </td>
@@ -273,8 +273,8 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.uidnumber.field_id}"
-            py:content="user.uidnumber.label" />:
+          <label class="fieldlabel" for="${user_fields.uidnumber.field_id}"
+            py:content="user_fields.uidnumber.label" />:
         </th>
         <td>
           Generated by server
@@ -283,8 +283,8 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.gidnumber.field_id}"
-            py:content="user.gidnumber.label" />:
+          <label class="fieldlabel" for="${user_fields.gidnumber.field_id}"
+            py:content="user_fields.gidnumber.label" />:
         </th>
         <td>
           Generated by server
@@ -293,8 +293,8 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.homedirectory.field_id}"
-            py:content="user.homedirectory.label" />:
+          <label class="fieldlabel" for="${user_fields.homedirectory.field_id}"
+            py:content="user_fields.homedirectory.label" />:
         </th>
         <td>
           Generated by server
@@ -303,12 +303,12 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.loginshell.field_id}"
-            py:content="user.loginshell.label" />:
-        </th>
-        <td>
-          <span py:replace="user.loginshell.display(
-              value_for(user.loginshell))" />
+          <label class="fieldlabel" for="${user_fields.loginshell.field_id}"
+            py:content="user_fields.loginshell.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.loginshell.display(
+              value_for(user_fields.loginshell))" />
           <span py:if="tg.errors.get('loginshell')" class="fielderror"
               py:content="tg.errors.get('loginshell')" />
         </td>
@@ -316,12 +316,12 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.gecos.field_id}"
-            py:content="user.gecos.label" />:
-        </th>
-        <td>
-          <span py:replace="user.gecos.display(
-              value_for(user.gecos))" />
+          <label class="fieldlabel" for="${user_fields.gecos.field_id}"
+            py:content="user_fields.gecos.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.gecos.display(
+              value_for(user_fields.gecos))" />
           <span py:if="tg.errors.get('gecos')" class="fielderror"
               py:content="tg.errors.get('gecos')" />
         </td>
@@ -332,11 +332,11 @@ from ipagui.helpers import ipahelper
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.mail.field_id}"
-            py:content="user.mail.label" />:
-        </th>
-        <td>
-          <span py:replace="user.mail.display(value_for(user.mail))" />
+          <label class="fieldlabel" for="${user_fields.mail.field_id}"
+            py:content="user_fields.mail.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.mail.display(value_for(user_fields.mail))" />
           <span py:if="tg.errors.get('mail')" class="fielderror"
               py:content="tg.errors.get('mail')" />
         </td>
@@ -344,11 +344,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.telephonenumber.field_id}"
-            py:content="user.telephonenumber.label" />:
-        </th>
-        <td>
-          <span py:replace="user.telephonenumber.display(value_for(user.telephonenumber))" />
+          <label class="fieldlabel" for="${user_fields.telephonenumber.field_id}"
+            py:content="user_fields.telephonenumber.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.telephonenumber.display(value_for(user_fields.telephonenumber))" />
           <span py:if="tg.errors.get('telephonenumber')" class="fielderror"
               py:content="tg.errors.get('telephonenumber')" />
         </td>
@@ -356,11 +356,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.facsimiletelephonenumber.field_id}"
-            py:content="user.facsimiletelephonenumber.label" />:
-        </th>
-        <td>
-          <span py:replace="user.facsimiletelephonenumber.display(value_for(user.facsimiletelephonenumber))" />
+          <label class="fieldlabel" for="${user_fields.facsimiletelephonenumber.field_id}"
+            py:content="user_fields.facsimiletelephonenumber.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.facsimiletelephonenumber.display(value_for(user_fields.facsimiletelephonenumber))" />
           <span py:if="tg.errors.get('facsimiletelephonenumber')" class="fielderror"
               py:content="tg.errors.get('facsimiletelephonenumber')" />
         </td>
@@ -368,11 +368,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.mobile.field_id}"
-            py:content="user.mobile.label" />:
-        </th>
-        <td>
-          <span py:replace="user.mobile.display(value_for(user.mobile))" />
+          <label class="fieldlabel" for="${user_fields.mobile.field_id}"
+            py:content="user_fields.mobile.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.mobile.display(value_for(user_fields.mobile))" />
           <span py:if="tg.errors.get('mobile')" class="fielderror"
               py:content="tg.errors.get('mobile')" />
         </td>
@@ -380,11 +380,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.pager.field_id}"
-            py:content="user.pager.label" />:
-        </th>
-        <td>
-          <span py:replace="user.pager.display(value_for(user.pager))" />
+          <label class="fieldlabel" for="${user_fields.pager.field_id}"
+            py:content="user_fields.pager.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.pager.display(value_for(user_fields.pager))" />
           <span py:if="tg.errors.get('pager')" class="fielderror"
               py:content="tg.errors.get('pager')" />
         </td>
@@ -392,11 +392,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.homephone.field_id}"
-            py:content="user.homephone.label" />:
-        </th>
-        <td>
-          <span py:replace="user.homephone.display(value_for(user.homephone))" />
+          <label class="fieldlabel" for="${user_fields.homephone.field_id}"
+            py:content="user_fields.homephone.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.homephone.display(value_for(user_fields.homephone))" />
           <span py:if="tg.errors.get('homephone')" class="fielderror"
               py:content="tg.errors.get('homephone')" />
         </td>
@@ -407,11 +407,11 @@ from ipagui.helpers import ipahelper
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.street.field_id}"
-            py:content="user.street.label" />:
-        </th>
-        <td>
-          <span py:replace="user.street.display(value_for(user.street))" />
+          <label class="fieldlabel" for="${user_fields.street.field_id}"
+            py:content="user_fields.street.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.street.display(value_for(user_fields.street))" />
           <span py:if="tg.errors.get('street')" class="fielderror"
               py:content="tg.errors.get('street')" />
         </td>
@@ -419,11 +419,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.roomnumber.field_id}"
-            py:content="user.roomnumber.label" />:
-        </th>
-        <td>
-          <span py:replace="user.roomnumber.display(value_for(user.roomnumber))" />
+          <label class="fieldlabel" for="${user_fields.roomnumber.field_id}"
+            py:content="user_fields.roomnumber.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.roomnumber.display(value_for(user_fields.roomnumber))" />
           <span py:if="tg.errors.get('roomnumber')" class="fielderror"
               py:content="tg.errors.get('roomnumber')" />
         </td>
@@ -431,11 +431,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.l.field_id}"
-            py:content="user.l.label" />:
-        </th>
-        <td>
-          <span py:replace="user.l.display(value_for(user.l))" />
+          <label class="fieldlabel" for="${user_fields.l.field_id}"
+            py:content="user_fields.l.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.l.display(value_for(user_fields.l))" />
           <span py:if="tg.errors.get('l')" class="fielderror"
               py:content="tg.errors.get('l')" />
         </td>
@@ -443,11 +443,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.st.field_id}"
-            py:content="user.st.label" />:
-        </th>
-        <td>
-          <span py:replace="user.st.display(value_for(user.st))" />
+          <label class="fieldlabel" for="${user_fields.st.field_id}"
+            py:content="user_fields.st.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.st.display(value_for(user_fields.st))" />
           <span py:if="tg.errors.get('st')" class="fielderror"
               py:content="tg.errors.get('st')" />
         </td>
@@ -455,11 +455,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.postalcode.field_id}"
-            py:content="user.postalcode.label" />:
-        </th>
-        <td>
-          <span py:replace="user.postalcode.display(value_for(user.postalcode))" />
+          <label class="fieldlabel" for="${user_fields.postalcode.field_id}"
+            py:content="user_fields.postalcode.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.postalcode.display(value_for(user_fields.postalcode))" />
           <span py:if="tg.errors.get('postalcode')" class="fielderror"
               py:content="tg.errors.get('postalcode')" />
         </td>
@@ -470,11 +470,11 @@ from ipagui.helpers import ipahelper
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.ou.field_id}"
-            py:content="user.ou.label" />:
-        </th>
-        <td>
-          <span py:replace="user.ou.display(value_for(user.ou))" />
+          <label class="fieldlabel" for="${user_fields.ou.field_id}"
+            py:content="user_fields.ou.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.ou.display(value_for(user_fields.ou))" />
           <span py:if="tg.errors.get('ou')" class="fielderror"
               py:content="tg.errors.get('ou')" />
         </td>
@@ -482,11 +482,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.businesscategory.field_id}"
-            py:content="user.businesscategory.label" />:
-        </th>
-        <td>
-          <span py:replace="user.businesscategory.display(value_for(user.businesscategory))" />
+          <label class="fieldlabel" for="${user_fields.businesscategory.field_id}"
+            py:content="user_fields.businesscategory.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.businesscategory.display(value_for(user_fields.businesscategory))" />
           <span py:if="tg.errors.get('businesscategory')" class="fielderror"
               py:content="tg.errors.get('businesscategory')" />
         </td>
@@ -494,11 +494,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.description.field_id}"
-            py:content="user.description.label" />:
-        </th>
-        <td>
-          <span py:replace="user.description.display(value_for(user.description))" />
+          <label class="fieldlabel" for="${user_fields.description.field_id}"
+            py:content="user_fields.description.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.description.display(value_for(user_fields.description))" />
           <span py:if="tg.errors.get('description')" class="fielderror"
               py:content="tg.errors.get('description')" />
         </td>
@@ -506,11 +506,11 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.employeetype.field_id}"
-            py:content="user.employeetype.label" />:
-        </th>
-        <td>
-          <span py:replace="user.employeetype.display(value_for(user.employeetype))" />
+          <label class="fieldlabel" for="${user_fields.employeetype.field_id}"
+            py:content="user_fields.employeetype.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.employeetype.display(value_for(user_fields.employeetype))" />
           <span py:if="tg.errors.get('employeetype')" class="fielderror"
               py:content="tg.errors.get('employeetype')" />
         </td>
@@ -518,12 +518,12 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th valign="top">
-          <label class="fieldlabel" for="${user.manager.field_id}"
-            py:content="user.manager.label" />:
+          <label class="fieldlabel" for="${user_fields.manager.field_id}"
+            py:content="user_fields.manager.label" />:
         </th>
         <td valign="top">
           <div>
-            <span id='manager_select_cn'>${value_for(user.manager)}</span>
+            <span id='manager_select_cn'>${value_for(user_fields.manager)}</span>
             <span id='manager_links'>
               <a href="#" onclick="return clearSelect('manager');">clear</a>
               <a href="#" onclick="return startSelect('manager');">change</a>
@@ -547,12 +547,12 @@ from ipagui.helpers import ipahelper
 
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.secretary.field_id}"
-            py:content="user.secretary.label" />:
+          <label class="fieldlabel" for="${user_fields.secretary.field_id}"
+            py:content="user_fields.secretary.label" />:
         </th>
         <td>
           <div>
-            <span id='secretary_select_cn'>${value_for(user.secretary)}</span>
+            <span id='secretary_select_cn'>${value_for(user_fields.secretary)}</span>
             <span id='secretary_links'>
               <a href="#" onclick="return clearSelect('secretary');">clear</a>
               <a href="#" onclick="return startSelect('secretary');">change</a>
@@ -579,22 +579,22 @@ from ipagui.helpers import ipahelper
     <table class="formtable" cellpadding="2" cellspacing="0" border="0">
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.carlicense.field_id}"
-            py:content="user.carlicense.label" />:
-        </th>
-        <td>
-          <span py:replace="user.carlicense.display(value_for(user.carlicense))" />
+          <label class="fieldlabel" for="${user_fields.carlicense.field_id}"
+            py:content="user_fields.carlicense.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.carlicense.display(value_for(user_fields.carlicense))" />
           <span py:if="tg.errors.get('carlicense')" class="fielderror"
               py:content="tg.errors.get('carlicense')" />
         </td>
       </tr>
       <tr>
         <th>
-          <label class="fieldlabel" for="${user.labeleduri.field_id}"
-            py:content="user.labeleduri.label" />:
-        </th>
-        <td>
-          <span py:replace="user.labeleduri.display(value_for(user.labeleduri))" />
+          <label class="fieldlabel" for="${user_fields.labeleduri.field_id}"
+            py:content="user_fields.labeleduri.label" />:
+        </th>
+        <td>
+          <span py:replace="user_fields.labeleduri.display(value_for(user_fields.labeleduri))" />
           <span py:if="tg.errors.get('labeleduri')" class="fielderror"
               py:content="tg.errors.get('labeleduri')" />
         </td>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071025/50b3f27d/attachment.bin>

From kmccarth at redhat.com  Thu Oct 25 16:41:16 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 25 Oct 2007 09:41:16 -0700
Subject: [Freeipa-devel] [PATCH] command-line delegation
In-Reply-To: <1193329269.15848.25.camel@localhost.localdomain>
References: <471F6D8F.8090206@redhat.com>
	<20071024164957.GC16414@moon.usersys.redhat.com>
	<471F7A6F.40802@redhat.com>
	<1193324667.15848.13.camel@localhost.localdomain>
	<20071025152626.GB11334@moon.usersys.redhat.com>
	<1193326874.15848.20.camel@localhost.localdomain>
	<4720BB1E.3060907@redhat.com>
	<1193329269.15848.25.camel@localhost.localdomain>
Message-ID: <20071025164116.GG11334@moon.usersys.redhat.com>

Simo Sorce wrote:
> On Thu, 2007-10-25 at 11:49 -0400, Rob Crittenden wrote:
> > 
> > That's easy then because all ACI's are currently going into the same 
> > location on the tree: cn=accounts. 
> 
> We already have ACIs elsewhere, are we limiting this at the RPC level ??
> Or is this just a GUI limitation?

This is just the direction Pete provided to me.  Right now, the API and
GUI is written to edit just here.

-Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071025/f57e4954/attachment.bin>

From ssorce at redhat.com  Thu Oct 25 16:43:25 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 25 Oct 2007 12:43:25 -0400
Subject: [Freeipa-devel] [PATCH] command-line delegation
In-Reply-To: <20071025164116.GG11334@moon.usersys.redhat.com>
References: <471F6D8F.8090206@redhat.com>
	<20071024164957.GC16414@moon.usersys.redhat.com>
	<471F7A6F.40802@redhat.com>
	<1193324667.15848.13.camel@localhost.localdomain>
	<20071025152626.GB11334@moon.usersys.redhat.com>
	<1193326874.15848.20.camel@localhost.localdomain>
	<4720BB1E.3060907@redhat.com>
	<1193329269.15848.25.camel@localhost.localdomain>
	<20071025164116.GG11334@moon.usersys.redhat.com>
Message-ID: <1193330605.15848.32.camel@localhost.localdomain>

On Thu, 2007-10-25 at 09:41 -0700, Kevin McCarthy wrote:
> Simo Sorce wrote:
> > On Thu, 2007-10-25 at 11:49 -0400, Rob Crittenden wrote:
> > > 
> > > That's easy then because all ACI's are currently going into the same 
> > > location on the tree: cn=accounts. 
> > 
> > We already have ACIs elsewhere, are we limiting this at the RPC level ??
> > Or is this just a GUI limitation?
> 
> This is just the direction Pete provided to me.  Right now, the API and
> GUI is written to edit just here.

Would it be difficult to modify the RPC API to add a dn parameter ?

Simo.



From kmccarth at redhat.com  Thu Oct 25 16:47:02 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 25 Oct 2007 09:47:02 -0700
Subject: [Freeipa-devel] [PATCH] command-line delegation
In-Reply-To: <1193330605.15848.32.camel@localhost.localdomain>
References: <471F6D8F.8090206@redhat.com>
	<20071024164957.GC16414@moon.usersys.redhat.com>
	<471F7A6F.40802@redhat.com>
	<1193324667.15848.13.camel@localhost.localdomain>
	<20071025152626.GB11334@moon.usersys.redhat.com>
	<1193326874.15848.20.camel@localhost.localdomain>
	<4720BB1E.3060907@redhat.com>
	<1193329269.15848.25.camel@localhost.localdomain>
	<20071025164116.GG11334@moon.usersys.redhat.com>
	<1193330605.15848.32.camel@localhost.localdomain>
Message-ID: <20071025164702.GH11334@moon.usersys.redhat.com>

Simo Sorce wrote:
> On Thu, 2007-10-25 at 09:41 -0700, Kevin McCarthy wrote:
> > Simo Sorce wrote:
> > > On Thu, 2007-10-25 at 11:49 -0400, Rob Crittenden wrote:
> > > > 
> > > > That's easy then because all ACI's are currently going into the same 
> > > > location on the tree: cn=accounts. 
> > > 
> > > We already have ACIs elsewhere, are we limiting this at the RPC level ??
> > > Or is this just a GUI limitation?
> > 
> > This is just the direction Pete provided to me.  Right now, the API and
> > GUI is written to edit just here.
> 
> Would it be difficult to modify the RPC API to add a dn parameter ?

Well, the idea behind it was to hide the need for the client to "know"
about the specific DN that contains the ACI's in order to edit them.  We
can change this assumption, but I'd rather get Pete involved in that
disussion first, since his ideas were what I was going on.  (And I think
there are a lot of conflicting ideas about ACI's within the team).

-Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071025/42144e2f/attachment.bin>

From kmccarth at redhat.com  Thu Oct 25 16:52:29 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 25 Oct 2007 09:52:29 -0700
Subject: [Freeipa-devel] [PATCH] command-line delegation
In-Reply-To: <20071025164702.GH11334@moon.usersys.redhat.com>
References: <20071024164957.GC16414@moon.usersys.redhat.com>
	<471F7A6F.40802@redhat.com>
	<1193324667.15848.13.camel@localhost.localdomain>
	<20071025152626.GB11334@moon.usersys.redhat.com>
	<1193326874.15848.20.camel@localhost.localdomain>
	<4720BB1E.3060907@redhat.com>
	<1193329269.15848.25.camel@localhost.localdomain>
	<20071025164116.GG11334@moon.usersys.redhat.com>
	<1193330605.15848.32.camel@localhost.localdomain>
	<20071025164702.GH11334@moon.usersys.redhat.com>
Message-ID: <20071025165145.GI11334@moon.usersys.redhat.com>

Kevin McCarthy wrote:
> Simo Sorce wrote:
> > On Thu, 2007-10-25 at 09:41 -0700, Kevin McCarthy wrote:
> > > Simo Sorce wrote:
> > > > On Thu, 2007-10-25 at 11:49 -0400, Rob Crittenden wrote:
> > > > > 
> > > > > That's easy then because all ACI's are currently going into the same 
> > > > > location on the tree: cn=accounts. 
> > > > 
> > > > We already have ACIs elsewhere, are we limiting this at the RPC level ??
> > > > Or is this just a GUI limitation?
> > > 
> > > This is just the direction Pete provided to me.  Right now, the API and
> > > GUI is written to edit just here.
> > 
> > Would it be difficult to modify the RPC API to add a dn parameter ?
> 
> Well, the idea behind it was to hide the need for the client to "know"
> about the specific DN that contains the ACI's in order to edit them.  We
> can change this assumption, but I'd rather get Pete involved in that
> disussion first, since his ideas were what I was going on.  (And I think
> there are a lot of conflicting ideas about ACI's within the team).

Also, replying to myself, there is an API call get_entry_by_dn - so
nothing prevents a client from using that directly to retrieve a
different entry in the tree and directly manipulate the ACIs.

-Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071025/a6ac03d3/attachment.bin>

From rcritten at redhat.com  Thu Oct 25 16:52:27 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 25 Oct 2007 12:52:27 -0400
Subject: [Freeipa-devel] [PATCH] rename for fields parameter
In-Reply-To: <20071025162612.GE11334@moon.usersys.redhat.com>
References: <20071025162612.GE11334@moon.usersys.redhat.com>
Message-ID: <4720C9CB.6040805@redhat.com>

Kevin McCarthy wrote:
> Very early on, when I was struggling to get the form infrastructure
> working I made a bad naming choice for the parameter containing form
> fields (not the data - just the field widgets).
> 
> I called them 'user' and 'group'.  Unfortunately we use that variable
> name all over the code do refer to the hash/entity containing actual
> data.  This makes the form unnecessarily confusing.
> 
> I've let it sit, but should really rename it now to make the code more
> clear  (this is also at Rob's request).
> 
> So this largish looking patch is simply renaming one parameter in the
> user, group, and delegate forms.
> 
> -Kevin

Looks good and much more understandable now.

Thanks for doing this.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071025/55e35922/attachment.bin>

From kmccarth at redhat.com  Thu Oct 25 16:55:27 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Thu, 25 Oct 2007 09:55:27 -0700
Subject: [Freeipa-devel] [PATCH] rename for fields parameter
In-Reply-To: <4720C9CB.6040805@redhat.com>
References: <20071025162612.GE11334@moon.usersys.redhat.com>
	<4720C9CB.6040805@redhat.com>
Message-ID: <20071025165526.GJ11334@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Kevin McCarthy wrote:
>> Very early on, when I was struggling to get the form infrastructure
>> working I made a bad naming choice for the parameter containing form
>> fields (not the data - just the field widgets).
>> I called them 'user' and 'group'.  Unfortunately we use that variable
>> name all over the code do refer to the hash/entity containing actual
>> data.  This makes the form unnecessarily confusing.
>> I've let it sit, but should really rename it now to make the code more
>> clear  (this is also at Rob's request).
>> So this largish looking patch is simply renaming one parameter in the
>> user, group, and delegate forms.
>> -Kevin
>
> Looks good and much more understandable now.
>
> Thanks for doing this.

pushed.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071025/8f6aa4f5/attachment.bin>

From ssorce at redhat.com  Thu Oct 25 16:55:40 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 25 Oct 2007 12:55:40 -0400
Subject: [Freeipa-devel] [PATCH] command-line delegation
In-Reply-To: <20071025165145.GI11334@moon.usersys.redhat.com>
References: <20071024164957.GC16414@moon.usersys.redhat.com>
	<471F7A6F.40802@redhat.com>
	<1193324667.15848.13.camel@localhost.localdomain>
	<20071025152626.GB11334@moon.usersys.redhat.com>
	<1193326874.15848.20.camel@localhost.localdomain>
	<4720BB1E.3060907@redhat.com>
	<1193329269.15848.25.camel@localhost.localdomain>
	<20071025164116.GG11334@moon.usersys.redhat.com>
	<1193330605.15848.32.camel@localhost.localdomain>
	<20071025164702.GH11334@moon.usersys.redhat.com>
	<20071025165145.GI11334@moon.usersys.redhat.com>
Message-ID: <1193331340.15848.38.camel@localhost.localdomain>

On Thu, 2007-10-25 at 09:52 -0700, Kevin McCarthy wrote:
> Kevin McCarthy wrote:
> > Simo Sorce wrote:
> > > On Thu, 2007-10-25 at 09:41 -0700, Kevin McCarthy wrote:
> > > > Simo Sorce wrote:
> > > > > On Thu, 2007-10-25 at 11:49 -0400, Rob Crittenden wrote:
> > > > > > 
> > > > > > That's easy then because all ACI's are currently going into the same 
> > > > > > location on the tree: cn=accounts. 
> > > > > 
> > > > > We already have ACIs elsewhere, are we limiting this at the RPC level ??
> > > > > Or is this just a GUI limitation?
> > > > 
> > > > This is just the direction Pete provided to me.  Right now, the API and
> > > > GUI is written to edit just here.
> > > 
> > > Would it be difficult to modify the RPC API to add a dn parameter ?
> > 
> > Well, the idea behind it was to hide the need for the client to "know"
> > about the specific DN that contains the ACI's in order to edit them.  We
> > can change this assumption, but I'd rather get Pete involved in that
> > disussion first, since his ideas were what I was going on.  (And I think
> > there are a lot of conflicting ideas about ACI's within the team).
> 
> Also, replying to myself, there is an API call get_entry_by_dn - so
> nothing prevents a client from using that directly to retrieve a
> different entry in the tree and directly manipulate the ACIs.

Sure, they can also go directly via LDAP, that's not an issue :-)

Simo.



From jdennis at redhat.com  Thu Oct 25 17:59:15 2007
From: jdennis at redhat.com (John Dennis)
Date: Thu, 25 Oct 2007 13:59:15 -0400
Subject: [Freeipa-devel] IPA radius status
Message-ID: <4720D973.40100@redhat.com>

Hi Karl:

Real quick here is my status on the radius work for IPA.

I was not able to do any additional work on radius after last week's 
Wednesday call due to other obligations, I was able to get back to it 
Tuesday of this week.

My next immediate goal is to get FreeRadius talking to our IPA server to 
retreive user and group radius attributes in LDAP. I had to get a IPA 
instance up and running on my system, that is now done (installation of 
IPA is still not smooth).

I've had to track down the Radius LDAP schema. It turns out there are 4 
or 5 different versions. I've sorted through them and have picked have 
picked what I believe is the correct schema. In a moment I expect I'll 
have Directory Server loading that schema.

Next I've got to add interfaces to IPA to allow the per user radius 
attributes to be set. I believe I've found all the right places in the 
IPA source code where these enhancements need to be made and understand 
the relevant IPA code.

I've had to go back and hone my understanding of Radius operation as it 
was clear there had been some misconceptions and holes in my 
understanding, that work is mostly done.

By the end of today I expect to be able to manually manipulate Radius 
attributes in LDAP, e.g. manually load the schema, use the ldap* command 
line tools and sample LDIF files so I can then verify the Radius server 
can access the LDAP attributes.

Tomorrow morning I expect to start adding the necessary IPA code to 
support the Radius attributes. I expect that work to be completed by the 
end of the day Monday.

On Tuesday I expect to test simple Radius authentication with the Radius 
server talking to the IPA LDAP server. After that I will start 
configuring and testing the more advance Radius usage, such as VPN 
access and EAP. That phase of the work will probably be at least another 
week of work.

-- 
John Dennis <jdennis at redhat.com>



From markmc at redhat.com  Thu Oct 25 18:03:42 2007
From: markmc at redhat.com (Mark McLoughlin)
Date: Thu, 25 Oct 2007 19:03:42 +0100
Subject: [Freeipa-devel] [PATCH] ipa-server needs factl
Message-ID: <21cb607e9adfde02413a.1193335422@localhost.localdomain>

# HG changeset patch
# User Mark McLoughlin <markmc at redhat.com>
# Date 1193335329 -3600
# Node ID 21cb607e9adfde02413a4dbac85d0c2af22ddd21
# Parent  66c59b88c7159fb4ff8bbe6798b3ee658adb7351
ipa-server needs factl

KrbInstance.__add_pwd_extop_module() calls out to facl, so
freeipa-server should require the acl package.

Signed-off-by: Mark McLoughlin <markmc at redhat.com>

diff -r 66c59b88c715 -r 21cb607e9adf ipa-server/freeipa-server.spec
--- a/ipa-server/freeipa-server.spec	Thu Oct 25 09:18:45 2007 -0700
+++ b/ipa-server/freeipa-server.spec	Thu Oct 25 19:02:09 2007 +0100
@@ -11,7 +11,7 @@ BuildRoot:      %{_tmppath}/%{name}-%{ve
 
 BuildRequires: fedora-ds-base-devel openldap-devel krb5-devel nss-devel mozldap-devel openssl-devel
 
-Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears python-krbV
+Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears python-krbV acl
 Requires: mod_nss >= 1.0.7-2
 
 %define httpd_conf /etc/httpd/conf.d
diff -r 66c59b88c715 -r 21cb607e9adf ipa-server/freeipa-server.spec.in
--- a/ipa-server/freeipa-server.spec.in	Thu Oct 25 09:18:45 2007 -0700
+++ b/ipa-server/freeipa-server.spec.in	Thu Oct 25 19:02:09 2007 +0100
@@ -11,7 +11,7 @@ BuildRoot:      %{_tmppath}/%{name}-%{ve
 
 BuildRequires: fedora-ds-base-devel openldap-devel krb5-devel nss-devel mozldap-devel openssl-devel
 
-Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears python-krbV
+Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears python-krbV acl
 Requires: mod_nss >= 1.0.7-2
 
 %define httpd_conf /etc/httpd/conf.d



From kmacmill at redhat.com  Thu Oct 25 18:19:40 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 25 Oct 2007 14:19:40 -0400
Subject: [Freeipa-devel] Autogen uid/gid
Message-ID: <1193336380.13697.63.camel@mahler.iad.redhat.com>

As I was doing some multi-machine testing w/ nfs I realized that forcing
uid/gid generation is not going to work in all circumstances (I needed
to force my uid/gid to be the same as an existing user on an exported
filesystem).

How can we handle this?

Karl



From ssorce at redhat.com  Thu Oct 25 18:26:10 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 25 Oct 2007 14:26:10 -0400
Subject: [Freeipa-devel] [PATCH] ipa-server needs factl
In-Reply-To: <21cb607e9adfde02413a.1193335422@localhost.localdomain>
References: <21cb607e9adfde02413a.1193335422@localhost.localdomain>
Message-ID: <1193336770.15848.48.camel@localhost.localdomain>

On Thu, 2007-10-25 at 19:03 +0100, Mark McLoughlin wrote:
> # HG changeset patch
> # User Mark McLoughlin <markmc at redhat.com>
> # Date 1193335329 -3600
> # Node ID 21cb607e9adfde02413a4dbac85d0c2af22ddd21
> # Parent  66c59b88c7159fb4ff8bbe6798b3ee658adb7351
> ipa-server needs factl
> 
> KrbInstance.__add_pwd_extop_module() calls out to facl, so
> freeipa-server should require the acl package.

Thanks!
Good catch.

Simo.



From ssorce at redhat.com  Thu Oct 25 18:28:10 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 25 Oct 2007 14:28:10 -0400
Subject: [Freeipa-devel] Autogen uid/gid
In-Reply-To: <1193336380.13697.63.camel@mahler.iad.redhat.com>
References: <1193336380.13697.63.camel@mahler.iad.redhat.com>
Message-ID: <1193336890.15848.51.camel@localhost.localdomain>

On Thu, 2007-10-25 at 14:19 -0400, Karl MacMillan wrote:
> As I was doing some multi-machine testing w/ nfs I realized that forcing
> uid/gid generation is not going to work in all circumstances (I needed
> to force my uid/gid to be the same as an existing user on an exported
> filesystem).
> 
> How can we handle this?

We can't easily.
Welcome to migration madness, and the unsuitability of unix platform to
work in heavily networked environments (just kidding but not too
much :-)

Simo.



From kmacmill at redhat.com  Thu Oct 25 18:29:12 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 25 Oct 2007 14:29:12 -0400
Subject: [Freeipa-devel] Autogen uid/gid
In-Reply-To: <1193336890.15848.51.camel@localhost.localdomain>
References: <1193336380.13697.63.camel@mahler.iad.redhat.com>
	<1193336890.15848.51.camel@localhost.localdomain>
Message-ID: <1193336952.13697.65.camel@mahler.iad.redhat.com>

On Thu, 2007-10-25 at 14:28 -0400, Simo Sorce wrote:
> On Thu, 2007-10-25 at 14:19 -0400, Karl MacMillan wrote:
> > As I was doing some multi-machine testing w/ nfs I realized that forcing
> > uid/gid generation is not going to work in all circumstances (I needed
> > to force my uid/gid to be the same as an existing user on an exported
> > filesystem).
> > 
> > How can we handle this?
> 
> We can't easily.
> Welcome to migration madness, and the unsuitability of unix platform to
> work in heavily networked environments (just kidding but not too
> much :-)
> 

I think we must solve this - even if forcing the uid/gid is problematic
and must be done carefully.

Karl



From kmacmillan at mentalrootkit.com  Thu Oct 25 20:51:17 2007
From: kmacmillan at mentalrootkit.com (Karl MacMillan)
Date: Thu, 25 Oct 2007 16:51:17 -0400
Subject: [Freeipa-devel] [PATCH] Make freeipa-server depend on
	freeipa-admintools
Message-ID: <a87fb42d2b95b07f31ea.1193345477@mahler.iad.redhat.com>

# HG changeset patch
# User "Karl MacMillan <kmacmillan at mentalrootkit.com>"
# Date 1193345442 14400
# Node ID a87fb42d2b95b07f31ea7cc95d8f28e215763ede
# Parent  6e462f2f5b0aff46662a070b511defe649b39ed1
Make freeipa-server depend on freeipa-admintools.

diff -r 6e462f2f5b0a -r a87fb42d2b95 ipa-server/freeipa-server.spec.in
--- a/ipa-server/freeipa-server.spec.in	Wed Oct 24 16:04:17 2007 -0700
+++ b/ipa-server/freeipa-server.spec.in	Thu Oct 25 16:50:42 2007 -0400
@@ -11,7 +11,7 @@ BuildRoot:      %{_tmppath}/%{name}-%{ve
 
 BuildRequires: fedora-ds-base-devel openldap-devel krb5-devel nss-devel mozldap-devel openssl-devel
 
-Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears python-krbV
+Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears python-krbV freeipa-admintools
 Requires: mod_nss >= 1.0.7-2
 
 %define httpd_conf /etc/httpd/conf.d



From rcritten at redhat.com  Fri Oct 26 13:01:31 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 26 Oct 2007 09:01:31 -0400
Subject: [Freeipa-devel] [PATCH] Make freeipa-server depend
	on	freeipa-admintools
In-Reply-To: <a87fb42d2b95b07f31ea.1193345477@mahler.iad.redhat.com>
References: <a87fb42d2b95b07f31ea.1193345477@mahler.iad.redhat.com>
Message-ID: <4721E52B.3070701@redhat.com>

Karl MacMillan wrote:
> # HG changeset patch
> # User "Karl MacMillan <kmacmillan at mentalrootkit.com>"
> # Date 1193345442 14400
> # Node ID a87fb42d2b95b07f31ea7cc95d8f28e215763ede
> # Parent  6e462f2f5b0aff46662a070b511defe649b39ed1
> Make freeipa-server depend on freeipa-admintools.
> 
> diff -r 6e462f2f5b0a -r a87fb42d2b95 ipa-server/freeipa-server.spec.in
> --- a/ipa-server/freeipa-server.spec.in	Wed Oct 24 16:04:17 2007 -0700
> +++ b/ipa-server/freeipa-server.spec.in	Thu Oct 25 16:50:42 2007 -0400
> @@ -11,7 +11,7 @@ BuildRoot:      %{_tmppath}/%{name}-%{ve
>  
>  BuildRequires: fedora-ds-base-devel openldap-devel krb5-devel nss-devel mozldap-devel openssl-devel
>  
> -Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears python-krbV
> +Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears python-krbV freeipa-admintools
>  Requires: mod_nss >= 1.0.7-2
>  
>  %define httpd_conf /etc/httpd/conf.d

Looks ok but we need to remember to bump the changelog every time we 
update something :-)

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071026/7409a77f/attachment.bin>

From kmacmill at redhat.com  Fri Oct 26 15:15:55 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Fri, 26 Oct 2007 11:15:55 -0400
Subject: [Freeipa-devel] Generating kerberos keytabs
Message-ID: <1193411755.2895.65.camel@localhost.localdomain>

I'm looking into creating the xml-rpc interface for generating service
principals / keytabs and need some help getting started (since I'm a
kerberos newb). Questions:

1) Is there a way to do this programmatically or am I going to end up
scripting around kadmin?

2) Could / should this be done remotely using kadmin? I'm assuming no
(especially for cross-platform support), but thought I would ask.

3) What principal should we use - the current users? What if we generate
a host keytab always - which I think we should - should we allow that to
be used to generate other service principals? Is that even possible?

Thanks - Karl



From ssorce at redhat.com  Fri Oct 26 15:31:06 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 26 Oct 2007 11:31:06 -0400
Subject: [Freeipa-devel] Generating kerberos keytabs
In-Reply-To: <1193411755.2895.65.camel@localhost.localdomain>
References: <1193411755.2895.65.camel@localhost.localdomain>
Message-ID: <1193412666.26363.3.camel@localhost.localdomain>

On Fri, 2007-10-26 at 11:15 -0400, Karl MacMillan wrote:
> I'm looking into creating the xml-rpc interface for generating service
> principals / keytabs and need some help getting started (since I'm a
> kerberos newb). Questions:
> 
> 1) Is there a way to do this programmatically or am I going to end up
> scripting around kadmin?

Scripting around kadmin.local for now

> 2) Could / should this be done remotely using kadmin? I'm assuming no
> (especially for cross-platform support), but thought I would ask.

Yes we could but that would require high privileges I don't want to give
out.
Scripting around kadmin.local the same way we do in krbinstance.py right
now is much simpler.

> 3) What principal should we use - the current users? What if we generate
> a host keytab always - which I think we should - should we allow that to
> be used to generate other service principals? Is that even possible?

The only downside of using kadmin.local is that it will use an on disk
keytab so we need to do some authorization ... uhmm not ideal indeed,
but I have an idea, let me think a few hours, I am a bit distracted
right now.

Simo.




From kmccarth at redhat.com  Fri Oct 26 15:45:52 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Fri, 26 Oct 2007 08:45:52 -0700
Subject: [Freeipa-devel] [PATCH] finish rest of PRD items
Message-ID: <20071026154552.GA30575@moon.usersys.redhat.com>

Patch file attached.

-Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071026/aceaf80e/attachment.bin>

From rcritten at redhat.com  Fri Oct 26 16:14:43 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 26 Oct 2007 12:14:43 -0400
Subject: [Freeipa-devel] [PATCH] user and group deletion
In-Reply-To: <20071023234951.GG22720@moon.usersys.redhat.com>
References: <20071023234951.GG22720@moon.usersys.redhat.com>
Message-ID: <47221273.9050700@redhat.com>

Kevin McCarthy wrote:
> This adds user and group deletion to the gui.
> 
> It sidesteps the issues of:
> 1) What if the user is a manager or secretary of another user
> 2) What if the user is a member of a group
> 3) What if the group is a member of a group.
> 
> I'm assuming these kinds of things will be solved with a server-side
> plugin.
> 
> The patch also fixes a bug with add user brought on by the
> manager/secretary patch.  Apparently hidden fields don't have a "" value
> by default and so were passing none if not set.

OK, so we never came to a conclusion with this.

1. Are we going to allow completely removing user entries (delete versus 
inactivate)? The CLI currently only inactivates.
2. Are we going to allow completely removing group entries? CLI 
currently deletes groups. There is no group inactivation.

So we need to reconcile these.

And this patch also contains an important fix to the GUI (add user is 
currently broken).

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071026/8105d469/attachment.bin>

From rcritten at redhat.com  Fri Oct 26 16:35:58 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 26 Oct 2007 12:35:58 -0400
Subject: [Freeipa-devel] [PATCH] Set user when adding new users
Message-ID: <4722176E.1050003@redhat.com>

Complete a TODO of setting a password when adding new users.

Password is currently not a required field. Should that change?

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-328-password.patch
Type: text/x-patch
Size: 1330 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071026/ecc50a6c/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071026/ecc50a6c/attachment-0001.bin>

From kmccarth at redhat.com  Fri Oct 26 16:43:18 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Fri, 26 Oct 2007 09:43:18 -0700
Subject: [Freeipa-devel] [PATCH] Set user when adding new users
In-Reply-To: <4722176E.1050003@redhat.com>
References: <4722176E.1050003@redhat.com>
Message-ID: <20071026164318.GD30575@moon.usersys.redhat.com>

Rob Crittenden wrote:
> Complete a TODO of setting a password when adding new users.

Looks good.

> Password is currently not a required field. Should that change?

There was some discussion early on about creating password-less
accounts.  Not sure what the final decision was.

-Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071026/d18ed682/attachment.bin>

From ssorce at redhat.com  Fri Oct 26 17:08:02 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 26 Oct 2007 13:08:02 -0400
Subject: [Freeipa-devel] [PATCH] Set user when adding new users
In-Reply-To: <20071026164318.GD30575@moon.usersys.redhat.com>
References: <4722176E.1050003@redhat.com>
	<20071026164318.GD30575@moon.usersys.redhat.com>
Message-ID: <1193418482.26363.23.camel@localhost.localdomain>

On Fri, 2007-10-26 at 09:43 -0700, Kevin McCarthy wrote:
> Rob Crittenden wrote:
> > Complete a TODO of setting a password when adding new users.
> 
> Looks good.
> 
> > Password is currently not a required field. Should that change?
> 
> There was some discussion early on about creating password-less
> accounts.  Not sure what the final decision was.

I think it's ok not to make password a hard requirement.
Simo.



From kmccarth at redhat.com  Fri Oct 26 17:09:42 2007
From: kmccarth at redhat.com (Kevin McCarthy)
Date: Fri, 26 Oct 2007 10:09:42 -0700
Subject: [Freeipa-devel] [PATCH] finish rest of PRD items
In-Reply-To: <20071026154552.GA30575@moon.usersys.redhat.com>
References: <20071026154552.GA30575@moon.usersys.redhat.com>
Message-ID: <20071026170942.GE30575@moon.usersys.redhat.com>

Kevin McCarthy wrote:
> Patch file attached.

Whoops forgot the patch.

This patch should finish up all of the PRD tasks for IPA v1 and v2.

Patch file attached this time.

-Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071026/66c7dc0f/attachment.bin>

From jdennis at redhat.com  Fri Oct 26 21:08:38 2007
From: jdennis at redhat.com (John Dennis)
Date: Fri, 26 Oct 2007 17:08:38 -0400
Subject: [Freeipa-devel] LDAP binds, service principals, etc.
Message-ID: <47225756.9070103@redhat.com>

I would like to confirm how we're binding to the LDAP server. Am I 
correct that it will always be kerberos via sasl?

If so I also presume ldap_sasl_bind() will be the mechanism, right?

Do we have a mechanism yet to create and distribute keytabs for service 
principals?

If a service which needs to perform an LDAP bind is not sasl enabled I 
presume the only bind credentials one could use would be password based, 
but we are not going to distribute any passwords for service accounts, 
right? So does that mean if a service which is not currently sasl 
enabled and needs to perform a bind then it's out of luck and it needs 
to be modified to be sasl capabble, right?

Just to put these questions in context, the service in question is 
radius and it's going to need to be able to bind to our LDAP instance to 
perform ldap searches on per user/group radius attributes.

I'm thinking I'm going to need to add support for ldap_sasl_bind() to 
the ldap radius module, because there isn't another viable bind option 
and at the same time I'm wondering how I get the keytab radiusd will use 
for the bind (we don't currently have a mechanism in IPA to generate 
keytab's yet, right?).
-- 
John Dennis <jdennis at redhat.com>



From jdennis at redhat.com  Fri Oct 26 21:21:56 2007
From: jdennis at redhat.com (John Dennis)
Date: Fri, 26 Oct 2007 17:21:56 -0400
Subject: [Freeipa-devel] LDAP binds, service principals, etc.
In-Reply-To: <47225756.9070103@redhat.com>
References: <47225756.9070103@redhat.com>
Message-ID: <47225A74.906@redhat.com>

John Dennis wrote:
> we don't currently have a mechanism in IPA to generate 
> keytab's yet, right?

Well, I should have said, generalized mechanims, we do have the 
following functions:

__create_http_keytab(), __create_ds_keytab(), 
__export_kadmin_changepw_keytab()

which can be cut-n-paste duplicated to generate a keytab, but I thought 
I recalled Karl was working on a general mechanism, is that right?
-- 
John Dennis <jdennis at redhat.com>



From kmacmill at redhat.com  Fri Oct 26 21:30:08 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Fri, 26 Oct 2007 17:30:08 -0400
Subject: [Freeipa-devel] LDAP binds, service principals, etc.
In-Reply-To: <47225A74.906@redhat.com>
References: <47225756.9070103@redhat.com>  <47225A74.906@redhat.com>
Message-ID: <1193434208.14041.31.camel@cage.mentalrootkit.com>

On Fri, 2007-10-26 at 17:21 -0400, John Dennis wrote:
> John Dennis wrote:
> > we don't currently have a mechanism in IPA to generate 
> > keytab's yet, right?
> 
> Well, I should have said, generalized mechanims, we do have the 
> following functions:
> 
> __create_http_keytab(), __create_ds_keytab(), 
> __export_kadmin_changepw_keytab()
> 
> which can be cut-n-paste duplicated to generate a keytab, but I thought 
> I recalled Karl was working on a general mechanism, is that right?

Yes - we're working on the mechanism right now, but it will be a few
days at least. You should just generate by hand using kadmin.local for
testing.

Karl



From jdennis at redhat.com  Fri Oct 26 21:35:35 2007
From: jdennis at redhat.com (John Dennis)
Date: Fri, 26 Oct 2007 17:35:35 -0400
Subject: [Freeipa-devel] LDAP binds, service principals, etc.
In-Reply-To: <1193434208.14041.31.camel@cage.mentalrootkit.com>
References: <47225756.9070103@redhat.com> <47225A74.906@redhat.com>
	<1193434208.14041.31.camel@cage.mentalrootkit.com>
Message-ID: <47225DA7.40408@redhat.com>

Karl MacMillan wrote:
> On Fri, 2007-10-26 at 17:21 -0400, John Dennis wrote:
>> John Dennis wrote:
>> I recalled Karl was working on a general mechanism, is that right?

> Yes - we're working on the mechanism right now, but it will be a few
> days at least. You should just generate by hand using kadmin.local for
> testing.

Thanks, that what I thought. Now, as to my other question, any service 
which is part of IPA is going to have to be modified to use SASL, yes/no?

-- 
John Dennis <jdennis at redhat.com>



From kmacmill at redhat.com  Fri Oct 26 21:47:35 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Fri, 26 Oct 2007 17:47:35 -0400
Subject: [Freeipa-devel] LDAP binds, service principals, etc.
In-Reply-To: <47225DA7.40408@redhat.com>
References: <47225756.9070103@redhat.com>  <47225A74.906@redhat.com>
	<1193434208.14041.31.camel@cage.mentalrootkit.com>
	<47225DA7.40408@redhat.com>
Message-ID: <1193435255.14041.34.camel@cage.mentalrootkit.com>

On Fri, 2007-10-26 at 17:35 -0400, John Dennis wrote:
> Karl MacMillan wrote:
> > On Fri, 2007-10-26 at 17:21 -0400, John Dennis wrote:
> >> John Dennis wrote:
> >> I recalled Karl was working on a general mechanism, is that right?
> 
> > Yes - we're working on the mechanism right now, but it will be a few
> > days at least. You should just generate by hand using kadmin.local for
> > testing.
> 
> Thanks, that what I thought. Now, as to my other question, any service 
> which is part of IPA is going to have to be modified to use SASL, yes/no?
> 

I don't think we can absolutely require it - but it would be nice. I'm
certain we will support certificate based auth in the future. What other
options do you have w/ freeradius?

Karl



From ssorce at redhat.com  Fri Oct 26 22:03:28 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 26 Oct 2007 18:03:28 -0400
Subject: [Freeipa-devel] LDAP binds, service principals, etc.
In-Reply-To: <47225DA7.40408@redhat.com>
References: <47225756.9070103@redhat.com> <47225A74.906@redhat.com>
	<1193434208.14041.31.camel@cage.mentalrootkit.com>
	<47225DA7.40408@redhat.com>
Message-ID: <1193436208.26363.30.camel@localhost.localdomain>

On Fri, 2007-10-26 at 17:35 -0400, John Dennis wrote:
> Karl MacMillan wrote:
> > On Fri, 2007-10-26 at 17:21 -0400, John Dennis wrote:
> >> John Dennis wrote:
> >> I recalled Karl was working on a general mechanism, is that right?
> 
> > Yes - we're working on the mechanism right now, but it will be a few
> > days at least. You should just generate by hand using kadmin.local for
> > testing.
> 
> Thanks, that what I thought. Now, as to my other question, any service 
> which is part of IPA is going to have to be modified to use SASL, yes/no?

I am working toward a bad hack to allow simple binds but still using the
kdc to do authorization.
For testing, if you need a simple bind (ie user/pass) just create an
account like we do for uid=kdc

Simo.



From jdennis at redhat.com  Fri Oct 26 22:56:51 2007
From: jdennis at redhat.com (John Dennis)
Date: Fri, 26 Oct 2007 18:56:51 -0400
Subject: [Freeipa-devel] LDAP binds, service principals, etc.
In-Reply-To: <1193436208.26363.30.camel@localhost.localdomain>
References: <47225756.9070103@redhat.com> <47225A74.906@redhat.com>	
	<1193434208.14041.31.camel@cage.mentalrootkit.com>	
	<47225DA7.40408@redhat.com>
	<1193436208.26363.30.camel@localhost.localdomain>
Message-ID: <472270B3.7060400@redhat.com>

Simo Sorce wrote:
> I am working toward a bad hack to allow simple binds but still using the
> kdc to do authorization.

Does that imply the ldap_sasl_bind() usage is going to be removed? Or 
does it mean ldap_sasl_bind() will continue to be the preferred 
mechanism for tightly integrated IPA components and your simple bind 
hack will be a "friendly" alternative, but not encouraged?


-- 
John Dennis <jdennis at redhat.com>



From ssorce at redhat.com  Sat Oct 27 13:40:04 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Sat, 27 Oct 2007 09:40:04 -0400
Subject: [Freeipa-devel] LDAP binds, service principals, etc.
In-Reply-To: <472270B3.7060400@redhat.com>
References: <47225756.9070103@redhat.com> <47225A74.906@redhat.com>
	<1193434208.14041.31.camel@cage.mentalrootkit.com>
	<47225DA7.40408@redhat.com>
	<1193436208.26363.30.camel@localhost.localdomain>
	<472270B3.7060400@redhat.com>
Message-ID: <1193492404.26363.35.camel@localhost.localdomain>

On Fri, 2007-10-26 at 18:56 -0400, John Dennis wrote:
> Simo Sorce wrote:
> > I am working toward a bad hack to allow simple binds but still using the
> > kdc to do authorization.
> 
> Does that imply the ldap_sasl_bind() usage is going to be removed? Or 
> does it mean ldap_sasl_bind() will continue to be the preferred 
> mechanism for tightly integrated IPA components and your simple bind 
> hack will be a "friendly" alternative, but not encouraged?

The second.
Simo.



From ssorce at redhat.com  Sat Oct 27 17:50:56 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Sat, 27 Oct 2007 13:50:56 -0400
Subject: [Freeipa-devel] [PATCH] user and group deletion
In-Reply-To: <47221273.9050700@redhat.com>
References: <20071023234951.GG22720@moon.usersys.redhat.com>
	<47221273.9050700@redhat.com>
Message-ID: <1193507456.26363.38.camel@localhost.localdomain>

On Fri, 2007-10-26 at 12:14 -0400, Rob Crittenden wrote:
> Kevin McCarthy wrote:
> > This adds user and group deletion to the gui.
> > 
> > It sidesteps the issues of:
> > 1) What if the user is a manager or secretary of another user
> > 2) What if the user is a member of a group
> > 3) What if the group is a member of a group.
> > 
> > I'm assuming these kinds of things will be solved with a server-side
> > plugin.
> > 
> > The patch also fixes a bug with add user brought on by the
> > manager/secretary patch.  Apparently hidden fields don't have a "" value
> > by default and so were passing none if not set.
> 
> OK, so we never came to a conclusion with this.
> 
> 1. Are we going to allow completely removing user entries (delete versus 
> inactivate)? The CLI currently only inactivates.

I think we should allow deletion too.

> 2. Are we going to allow completely removing group entries? CLI 
> currently deletes groups. There is no group inactivation.

I don't see how we could easily do group inactivation, deletion is ok
imo.

> So we need to reconcile these.
> 
> And this patch also contains an important fix to the GUI (add user is 
> currently broken).

I think you can push it.

Simo.



From rcritten at redhat.com  Mon Oct 29 12:38:16 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 29 Oct 2007 08:38:16 -0400
Subject: [Freeipa-devel] [PATCH] Set user when adding new users
In-Reply-To: <1193418482.26363.23.camel@localhost.localdomain>
References: <4722176E.1050003@redhat.com>	<20071026164318.GD30575@moon.usersys.redhat.com>
	<1193418482.26363.23.camel@localhost.localdomain>
Message-ID: <4725D438.2020002@redhat.com>

Simo Sorce wrote:
> On Fri, 2007-10-26 at 09:43 -0700, Kevin McCarthy wrote:
>> Rob Crittenden wrote:
>>> Complete a TODO of setting a password when adding new users.
>> Looks good.
>>
>>> Password is currently not a required field. Should that change?
>> There was some discussion early on about creating password-less
>> accounts.  Not sure what the final decision was.
> 
> I think it's ok not to make password a hard requirement.
> Simo.
> 
>

Ok, pushed without requiring a password.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/4263c33e/attachment.bin>

From rcritten at redhat.com  Mon Oct 29 13:54:56 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 29 Oct 2007 09:54:56 -0400
Subject: [Freeipa-devel] [PATCH] user and group deletion
In-Reply-To: <20071023234951.GG22720@moon.usersys.redhat.com>
References: <20071023234951.GG22720@moon.usersys.redhat.com>
Message-ID: <4725E630.9070105@redhat.com>

Kevin McCarthy wrote:
> This adds user and group deletion to the gui.
> 
> It sidesteps the issues of:
> 1) What if the user is a manager or secretary of another user
> 2) What if the user is a member of a group
> 3) What if the group is a member of a group.
> 
> I'm assuming these kinds of things will be solved with a server-side
> plugin.
> 
> The patch also fixes a bug with add user brought on by the
> manager/secretary patch.  Apparently hidden fields don't have a "" value
> by default and so were passing none if not set.
> 
> -Kevin

Pushed.

Still need to resolve the referential integrity issues.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/2518047c/attachment.bin>

From kmacmill at redhat.com  Mon Oct 29 14:04:49 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 29 Oct 2007 10:04:49 -0400
Subject: [Freeipa-devel] Generating kerberos keytabs
In-Reply-To: <1193412666.26363.3.camel@localhost.localdomain>
References: <1193411755.2895.65.camel@localhost.localdomain>
	<1193412666.26363.3.camel@localhost.localdomain>
Message-ID: <1193666689.3555.11.camel@localhost.localdomain>

On Fri, 2007-10-26 at 11:31 -0400, Simo Sorce wrote:
> On Fri, 2007-10-26 at 11:15 -0400, Karl MacMillan wrote:
> > I'm looking into creating the xml-rpc interface for generating service
> > principals / keytabs and need some help getting started (since I'm a
> > kerberos newb). Questions:
> > 
> > 1) Is there a way to do this programmatically or am I going to end up
> > scripting around kadmin?
> 
> Scripting around kadmin.local for now
> 

Simo, Rob, and I discussed this a bit more on IRC. Using kadmin-local
has a number of drawbacks:

1) we would have to create a setuid helper that would be called by the
web interface.

2) because kadmin.local insists on saving the keytab on the local disk
and barfs when given an existing but empty file, insecure temporary
files would need to be used.

We decided to explore creating a tool to directly add service principals
to ldap and suck those out as keytabs. So far it looks like the keytab
format is simple enough that this shouldn't be that much work.

Karl



From kmacmill at redhat.com  Mon Oct 29 14:37:46 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 29 Oct 2007 10:37:46 -0400
Subject: [Freeipa-devel] When ticket fwding fails
In-Reply-To: <471FAC4E.5030402@redhat.com>
References: <471FAC4E.5030402@redhat.com>
Message-ID: <1193668666.3555.30.camel@localhost.localdomain>

On Wed, 2007-10-24 at 16:34 -0400, Rob Crittenden wrote:
> Sit down for a nice little story.
> 
> Once upon a time we wanted to do kerberos ticket forwarding and use that 
> to authenticate to FDS. Unfortunately our hero (that's me) couldn't get 
> it working.
> 
> So instead we decided to use LDAP proxy authentication instead. What we 
> would do is take the principal that was authenticated and use that to 
> find the DN of the person. We would then send that DN along in a server 
> control when doing LDAP operations.
> 
> Things were fine but the evil ACIs were causing troubles.
> 
> Then our hero found a patch on a mailing list that made mod_auth_kerb 
> play nice and actually do ticket forwarding so we switched to that.
> 
> The code for proxy auth was left in as a fallback but as things 
> progressed that code suffered serious bit-rot and much was ripped out 
> (those evil ACI's for one).
> 
> Here were are in the present day and someone tried to use freeipa 
> without using the magical mod_auth_kerb that does ticket forwarding and 
> it tried to fall back to proxy auth which not only failed, it threw some 
> nasty Python errors because the argument list changed.
> 
> As I see it we have 3 options:
> 
> 1. Slay the beast and remove all vestigates of proxy auth
> 2. Ignore the beast and leave things as they are with the probably 
> unfulfilled promise of tackling it later
> 3. Fix it so proxy auth can work again
> 
> I think I'm inclined to go route #2, perhaps adding an "except" in so we 
> can better tell the user was is wrong rather than having to remember 
> what a cryptic Python stack means.

I was so entertained I forgot to reply . . . #2 w/ better error messages
seems good to me.

Karl



From rcritten at redhat.com  Mon Oct 29 16:01:28 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 29 Oct 2007 12:01:28 -0400
Subject: [Freeipa-devel] [PATCH] create configuration for MIT Windows kerb
	client
Message-ID: <472603D8.7060600@redhat.com>

Create configuration for MIT Windows kerberos client and install into
http://hostname/config so users can point their MIT client at the IPA
server and automatically fetch the configuration.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-330-windows.patch
Type: text/x-patch
Size: 4517 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/fb1b4c55/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/fb1b4c55/attachment-0001.bin>

From rcritten at redhat.com  Mon Oct 29 18:08:08 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 29 Oct 2007 14:08:08 -0400
Subject: [Freeipa-devel] Need ACI to allow self-modification
Message-ID: <47262188.1050609@redhat.com>

I'm surprised we haven't seen this yet. I suppose I've done most unit 
testing as 'admin' myself.

I created a user 'test' and tried to update a couple of attributes. I 
get an error when I do:

Insufficient access: Insufficient 'write' privilege to the 'mail' 
attribute of entry 'uid=test,cn=users,cn=accounts,dc=greyoak,dc=com'.

I think this is the relevent ACI that is failing:

[29/Oct/2007:14:03:04 -0400] NSACLPlugin - Evaluated ACL_FALSE
[29/Oct/2007:14:03:04 -0400] NSACLPlugin - conn=97 op=3 (main): Deny 
write on 
entry(uid=test,cn=users,cn=accounts,dc=greyoak,dc=com).attr(mail): no 
aci matched the subject by aci(7): aciname= "Account Admins can manage 
Users and Groups", acidn="dc=greyoak,dc=com"

I'm guessing that it is more a lack of a "user can modify themselves" ACI.

Pete, can you provide one? This is a bit of a blocker.

I created https://hosted.fedoraproject.org/projects/freeipa/ticket/65 
for tracking.

thanks

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/b6127a06/attachment.bin>

From rcritten at redhat.com  Mon Oct 29 18:15:49 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 29 Oct 2007 14:15:49 -0400
Subject: [Freeipa-devel] [PATCH] small spelling errors
Message-ID: <47262355.6030502@redhat.com>

Fix a couple of spelling errors in the CLI tools.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-331-spelling.patch
Type: text/x-patch
Size: 1594 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/825716ed/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/825716ed/attachment-0001.bin>

From rcritten at redhat.com  Mon Oct 29 18:16:49 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 29 Oct 2007 14:16:49 -0400
Subject: [Freeipa-devel] [PATCH] Install delegation CLI tools
Message-ID: <47262391.8030006@redhat.com>

I forgot to update the Makefile :-(

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-332-insdeleg.patch
Type: text/x-patch
Size: 826 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/2dcae372/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/2dcae372/attachment-0001.bin>

From rcritten at redhat.com  Mon Oct 29 18:23:39 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 29 Oct 2007 14:23:39 -0400
Subject: [Freeipa-devel] [PATCH] small spelling errors
In-Reply-To: <47262355.6030502@redhat.com>
References: <47262355.6030502@redhat.com>
Message-ID: <4726252B.3090503@redhat.com>

Rob Crittenden wrote:
> Fix a couple of spelling errors in the CLI tools.
> 

Oh. This patch also fixes an issue where 'cn' is updated every time. We 
don't want that.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/4bc2a747/attachment.bin>

From rcritten at redhat.com  Mon Oct 29 18:42:57 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 29 Oct 2007 14:42:57 -0400
Subject: [Freeipa-devel] [PATCH] Add --set option to ipa-usermod
Message-ID: <472629B1.1000301@redhat.com>

Add --set option to ipa-usermod to allow setting an arbitrary attribute. 
It is currently limited to one attribute, figured it's a starting point.

Also fixed a few glaring bugs.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-333-usermod.patch
Type: text/x-patch
Size: 2778 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/75fb9a22/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/75fb9a22/attachment-0001.bin>

From ssorce at redhat.com  Mon Oct 29 18:49:57 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 29 Oct 2007 14:49:57 -0400
Subject: [Freeipa-devel] Need ACI to allow self-modification
In-Reply-To: <47262188.1050609@redhat.com>
References: <47262188.1050609@redhat.com>
Message-ID: <1193683797.13652.9.camel@localhost.localdomain>

On Mon, 2007-10-29 at 14:08 -0400, Rob Crittenden wrote:
> I'm surprised we haven't seen this yet. I suppose I've done most unit 
> testing as 'admin' myself.
> 
> I created a user 'test' and tried to update a couple of attributes. I 
> get an error when I do:
> 
> Insufficient access: Insufficient 'write' privilege to the 'mail' 
> attribute of entry 'uid=test,cn=users,cn=accounts,dc=greyoak,dc=com'.
> 
> I think this is the relevent ACI that is failing:
> 
> [29/Oct/2007:14:03:04 -0400] NSACLPlugin - Evaluated ACL_FALSE
> [29/Oct/2007:14:03:04 -0400] NSACLPlugin - conn=97 op=3 (main): Deny 
> write on 
> entry(uid=test,cn=users,cn=accounts,dc=greyoak,dc=com).attr(mail): no 
> aci matched the subject by aci(7): aciname= "Account Admins can
> manage 
> Users and Groups", acidn="dc=greyoak,dc=com"
> 
> I'm guessing that it is more a lack of a "user can modify themselves" ACI.

But should we allow users to modify their own entries?
And if so, which attributes exactly we should let a user modify himself?

"mail" is not something I would allow, but I guess that's depend on the
use case?

Simo.





From ssorce at redhat.com  Mon Oct 29 18:50:47 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 29 Oct 2007 14:50:47 -0400
Subject: [Freeipa-devel] [PATCH] small spelling errors
In-Reply-To: <4726252B.3090503@redhat.com>
References: <47262355.6030502@redhat.com>  <4726252B.3090503@redhat.com>
Message-ID: <1193683847.13652.11.camel@localhost.localdomain>

On Mon, 2007-10-29 at 14:23 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Fix a couple of spelling errors in the CLI tools.
> > 
> 
> Oh. This patch also fixes an issue where 'cn' is updated every time. We 
> don't want that.

Good one, push please.

Simo.



From ssorce at redhat.com  Mon Oct 29 18:52:40 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 29 Oct 2007 14:52:40 -0400
Subject: [Freeipa-devel] [PATCH] create configuration for MIT Windows
	kerb client
In-Reply-To: <472603D8.7060600@redhat.com>
References: <472603D8.7060600@redhat.com>
Message-ID: <1193683960.13652.15.camel@localhost.localdomain>

On Mon, 2007-10-29 at 12:01 -0400, Rob Crittenden wrote:
> Create configuration for MIT Windows kerberos client and install into
> http://hostname/config so users can point their MIT client at the IPA
> server and automatically fetch the configuration.

Ok.



From rcritten at redhat.com  Mon Oct 29 18:58:06 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 29 Oct 2007 14:58:06 -0400
Subject: [Freeipa-devel] Need ACI to allow self-modification
In-Reply-To: <1193683797.13652.9.camel@localhost.localdomain>
References: <47262188.1050609@redhat.com>
	<1193683797.13652.9.camel@localhost.localdomain>
Message-ID: <47262D3E.6090804@redhat.com>

Simo Sorce wrote:
> On Mon, 2007-10-29 at 14:08 -0400, Rob Crittenden wrote:
>> I'm surprised we haven't seen this yet. I suppose I've done most unit 
>> testing as 'admin' myself.
>>
>> I created a user 'test' and tried to update a couple of attributes. I 
>> get an error when I do:
>>
>> Insufficient access: Insufficient 'write' privilege to the 'mail' 
>> attribute of entry 'uid=test,cn=users,cn=accounts,dc=greyoak,dc=com'.
>>
>> I think this is the relevent ACI that is failing:
>>
>> [29/Oct/2007:14:03:04 -0400] NSACLPlugin - Evaluated ACL_FALSE
>> [29/Oct/2007:14:03:04 -0400] NSACLPlugin - conn=97 op=3 (main): Deny 
>> write on 
>> entry(uid=test,cn=users,cn=accounts,dc=greyoak,dc=com).attr(mail): no 
>> aci matched the subject by aci(7): aciname= "Account Admins can
>> manage 
>> Users and Groups", acidn="dc=greyoak,dc=com"
>>
>> I'm guessing that it is more a lack of a "user can modify themselves" ACI.
> 
> But should we allow users to modify their own entries?
> And if so, which attributes exactly we should let a user modify himself?
> 
> "mail" is not something I would allow, but I guess that's depend on the
> use case?
> 

This is the "self service" part.

If we limit the updatable attributes we'll need to have that configured 
somewhere unless are ok leaving it hardcoded for V1.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/808313dd/attachment.bin>

From rcritten at redhat.com  Mon Oct 29 19:01:17 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 29 Oct 2007 15:01:17 -0400
Subject: [Freeipa-devel] [PATCH] Add --set option to ipa-usermod
In-Reply-To: <1193684102.13652.18.camel@localhost.localdomain>
References: <472629B1.1000301@redhat.com>
	<1193684102.13652.18.camel@localhost.localdomain>
Message-ID: <47262DFD.1040502@redhat.com>

Simo Sorce wrote:
> On Mon, 2007-10-29 at 14:42 -0400, Rob Crittenden wrote:
>> Add --set option to ipa-usermod to allow setting an arbitrary
>> attribute. 
>> It is currently limited to one attribute, figured it's a starting
>> point.
>>
>> Also fixed a few glaring bugs.
> 
> It seem this will completely replace an attribute, and it support only a
> single value. We could provide maybe a "delete attribute" option, and an
> "add" option that just add values. Would give more functionality this
> way.
> 
> What do you think ?
> 
> Simo.
> 

A good idea, thanks. I'll have to ponder about multi-valued fields 
though I'm pretty sure passing in a python list will do the trick.

I'll revert the patch and see what I can do.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/902d0738/attachment.bin>

From rcritten at redhat.com  Mon Oct 29 19:01:54 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 29 Oct 2007 15:01:54 -0400
Subject: [Freeipa-devel] [PATCH] create configuration for MIT Windows
	kerb client
In-Reply-To: <1193683960.13652.15.camel@localhost.localdomain>
References: <472603D8.7060600@redhat.com>
	<1193683960.13652.15.camel@localhost.localdomain>
Message-ID: <47262E22.7020801@redhat.com>

Simo Sorce wrote:
> On Mon, 2007-10-29 at 12:01 -0400, Rob Crittenden wrote:
>> Create configuration for MIT Windows kerberos client and install into
>> http://hostname/config so users can point their MIT client at the IPA
>> server and automatically fetch the configuration.
> 
> Ok.

Pushed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/caabb594/attachment.bin>

From rcritten at redhat.com  Mon Oct 29 19:02:20 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 29 Oct 2007 15:02:20 -0400
Subject: [Freeipa-devel] [PATCH] small spelling errors
In-Reply-To: <1193683847.13652.11.camel@localhost.localdomain>
References: <47262355.6030502@redhat.com> <4726252B.3090503@redhat.com>
	<1193683847.13652.11.camel@localhost.localdomain>
Message-ID: <47262E3C.5020104@redhat.com>

Simo Sorce wrote:
> On Mon, 2007-10-29 at 14:23 -0400, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Fix a couple of spelling errors in the CLI tools.
>>>
>> Oh. This patch also fixes an issue where 'cn' is updated every time. We 
>> don't want that.
> 
> Good one, push please.
> 
> Simo.
> 

Pushed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/a790e9dd/attachment.bin>

From ssorce at redhat.com  Mon Oct 29 19:25:17 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 29 Oct 2007 15:25:17 -0400
Subject: [Freeipa-devel] Need ACI to allow self-modification
In-Reply-To: <47262D3E.6090804@redhat.com>
References: <47262188.1050609@redhat.com>
	<1193683797.13652.9.camel@localhost.localdomain>
	<47262D3E.6090804@redhat.com>
Message-ID: <1193685917.13652.21.camel@localhost.localdomain>

On Mon, 2007-10-29 at 14:58 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Mon, 2007-10-29 at 14:08 -0400, Rob Crittenden wrote:
> >> I'm surprised we haven't seen this yet. I suppose I've done most unit 
> >> testing as 'admin' myself.
> >>
> >> I created a user 'test' and tried to update a couple of attributes. I 
> >> get an error when I do:
> >>
> >> Insufficient access: Insufficient 'write' privilege to the 'mail' 
> >> attribute of entry 'uid=test,cn=users,cn=accounts,dc=greyoak,dc=com'.
> >>
> >> I think this is the relevent ACI that is failing:
> >>
> >> [29/Oct/2007:14:03:04 -0400] NSACLPlugin - Evaluated ACL_FALSE
> >> [29/Oct/2007:14:03:04 -0400] NSACLPlugin - conn=97 op=3 (main): Deny 
> >> write on 
> >> entry(uid=test,cn=users,cn=accounts,dc=greyoak,dc=com).attr(mail): no 
> >> aci matched the subject by aci(7): aciname= "Account Admins can
> >> manage 
> >> Users and Groups", acidn="dc=greyoak,dc=com"
> >>
> >> I'm guessing that it is more a lack of a "user can modify themselves" ACI.
> > 
> > But should we allow users to modify their own entries?
> > And if so, which attributes exactly we should let a user modify himself?
> > 
> > "mail" is not something I would allow, but I guess that's depend on the
> > use case?
> > 
> 
> This is the "self service" part.
> 
> If we limit the updatable attributes we'll need to have that configured 
> somewhere unless are ok leaving it hardcoded for V1.

I guess it is ok to hardcode for v1, if someone need to change that they
can change the ACI manually I guess.

For example in an addressbook system letting a user change his email it
may be ok, but if IPA is used by the mail server to deliver mail, then
it is not ok anymore.

Simo.



From rcritten at redhat.com  Mon Oct 29 20:45:25 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 29 Oct 2007 16:45:25 -0400
Subject: [Freeipa-devel] [PATCH] Create default indeces
Message-ID: <47264665.1060402@redhat.com>

Create LDAP indeces on installation for fields the web GUI searches against

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-333-index.patch
Type: text/x-patch
Size: 3630 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/f6f7416c/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/f6f7416c/attachment-0001.bin>

From kmacmill at redhat.com  Mon Oct 29 21:22:56 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 29 Oct 2007 17:22:56 -0400
Subject: [Freeipa-devel] More on NTP
Message-ID: <1193692976.6497.15.camel@localhost.localdomain>

After some additional discussion, we decided that just relying on the
public NTP servers was not ideal since time really must be synchronized
with the IPA server.

So I went back to start configuring ntp on the client and servers. A few
questions / comments:

Ideally we would use the key facility (or something else) since spoofing
the time server might give you an increased chance of a successful
replay attack. Very low priority, but wanted to record the suggestion.

Now for the actual problem - high availability. We can certainly jam
whatever master we happen to have found during configuration of the
client into ntp.conf, but it is going to be hard to configure it to see
all of the masters. Even if we configured it to look at all the masters
at configuration time it would, obviously, not pick up any new masters.

So - should I:

1) stop whining and just implement ntp config on the client.
2) do nothing, and make it the problem of the admins rather than
implementing a half solution.
3) make it optional and put something better on the v2 wish list.

I will configure the master as a NTP server regardless of what I do for
the client configuration.

Karl



From ssorce at redhat.com  Mon Oct 29 21:34:34 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 29 Oct 2007 17:34:34 -0400
Subject: [Freeipa-devel] More on NTP
In-Reply-To: <1193692976.6497.15.camel@localhost.localdomain>
References: <1193692976.6497.15.camel@localhost.localdomain>
Message-ID: <1193693674.13652.27.camel@localhost.localdomain>

On Mon, 2007-10-29 at 17:22 -0400, Karl MacMillan wrote:
> After some additional discussion, we decided that just relying on the
> public NTP servers was not ideal since time really must be synchronized
> with the IPA server.
> 
> So I went back to start configuring ntp on the client and servers. A few
> questions / comments:
> 
> Ideally we would use the key facility (or something else) since spoofing
> the time server might give you an increased chance of a successful
> replay attack. Very low priority, but wanted to record the suggestion.
> 
> Now for the actual problem - high availability. We can certainly jam
> whatever master we happen to have found during configuration of the
> client into ntp.conf, but it is going to be hard to configure it to see
> all of the masters. Even if we configured it to look at all the masters
> at configuration time it would, obviously, not pick up any new masters.
> 
> So - should I:
> 
> 1) stop whining and just implement ntp config on the client.
> 2) do nothing, and make it the problem of the admins rather than
> implementing a half solution.
> 3) make it optional and put something better on the v2 wish list.
> 
> I will configure the master as a NTP server regardless of what I do for
> the client configuration.

I say, configure only the First IPA server in, in v2+ we will do
discovery the right way.

Simo.



From prowley at redhat.com  Mon Oct 29 21:55:15 2007
From: prowley at redhat.com (Pete Rowley)
Date: Mon, 29 Oct 2007 14:55:15 -0700
Subject: [Freeipa-devel] [PATCH] self service aci
Message-ID: <472656C3.4030302@redhat.com>


-- 
Pete

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch.txt
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/9751a99b/attachment.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/9751a99b/attachment.bin>

From ssorce at redhat.com  Mon Oct 29 22:22:50 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 29 Oct 2007 22:22:50 +0000
Subject: [Freeipa-devel] [PATCH] self service aci
In-Reply-To: <472656C3.4030302@redhat.com>
References: <472656C3.4030302@redhat.com>
Message-ID: <1193696570.13652.30.camel@localhost.localdomain>

On Mon, 2007-10-29 at 14:55 -0700, Pete Rowley wrote:
> +aci: (targetattr = "givenName || sn || cn || displayName || initials
> || loginShell || homePhone || mobile || pager ||
> facsimileTelephoneNumber || telephoneNumber || street || roomNumber ||
> l || st || postalCode || manager || description || carLicense ||
> labeledURI || inetUserHTTPURL || seeAlso || userPassword")(version
> 3.0;acl "Self service";allow (write) userdn="ldap:///self";)

Allow users by default to change name (givenName, cn, sn), manager and
loginShell by themselves?

Simo.




From prowley at redhat.com  Mon Oct 29 22:35:59 2007
From: prowley at redhat.com (Pete Rowley)
Date: Mon, 29 Oct 2007 15:35:59 -0700
Subject: [Freeipa-devel] [PATCH] self service aci
In-Reply-To: <1193696570.13652.30.camel@localhost.localdomain>
References: <472656C3.4030302@redhat.com>
	<1193696570.13652.30.camel@localhost.localdomain>
Message-ID: <4726604F.60503@redhat.com>

Simo Sorce wrote:
> On Mon, 2007-10-29 at 14:55 -0700, Pete Rowley wrote:
>   
>> +aci: (targetattr = "givenName || sn || cn || displayName || initials
>> || loginShell || homePhone || mobile || pager ||
>> facsimileTelephoneNumber || telephoneNumber || street || roomNumber ||
>> l || st || postalCode || manager || description || carLicense ||
>> labeledURI || inetUserHTTPURL || seeAlso || userPassword")(version
>> 3.0;acl "Self service";allow (write) userdn="ldap:///self";)
>>     
>
> Allow users by default to change name (givenName, cn, sn), manager and
> loginShell by themselves?
>
>   
loginShell might be a problem, what issue do you have with the others?

-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/830f141a/attachment.bin>

From ssorce at redhat.com  Mon Oct 29 22:53:18 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 29 Oct 2007 18:53:18 -0400
Subject: [Freeipa-devel] [PATCH] self service aci
In-Reply-To: <4726604F.60503@redhat.com>
References: <472656C3.4030302@redhat.com>
	<1193696570.13652.30.camel@localhost.localdomain>
	<4726604F.60503@redhat.com>
Message-ID: <1193698398.13652.33.camel@localhost.localdomain>

On Mon, 2007-10-29 at 15:35 -0700, Pete Rowley wrote:
> Simo Sorce wrote:
> > On Mon, 2007-10-29 at 14:55 -0700, Pete Rowley wrote:
> >   
> >> +aci: (targetattr = "givenName || sn || cn || displayName || initials
> >> || loginShell || homePhone || mobile || pager ||
> >> facsimileTelephoneNumber || telephoneNumber || street || roomNumber ||
> >> l || st || postalCode || manager || description || carLicense ||
> >> labeledURI || inetUserHTTPURL || seeAlso || userPassword")(version
> >> 3.0;acl "Self service";allow (write) userdn="ldap:///self";)
> >>     
> >
> > Allow users by default to change name (givenName, cn, sn), manager and
> > loginShell by themselves?
> >
> >   
> loginShell might be a problem, what issue do you have with the others?

Well I am not sure it makes sense to change your own name, why should
you?
Same for the manager, we might think of ACIs where manager=<something>
may matter

Simo.



From prowley at redhat.com  Mon Oct 29 23:21:34 2007
From: prowley at redhat.com (Pete Rowley)
Date: Mon, 29 Oct 2007 16:21:34 -0700
Subject: [Freeipa-devel] [PATCH] self service aci
In-Reply-To: <1193698398.13652.33.camel@localhost.localdomain>
References: <472656C3.4030302@redhat.com>	
	<1193696570.13652.30.camel@localhost.localdomain>	
	<4726604F.60503@redhat.com>
	<1193698398.13652.33.camel@localhost.localdomain>
Message-ID: <47266AFE.6000803@redhat.com>

Simo Sorce wrote:
> On Mon, 2007-10-29 at 15:35 -0700, Pete Rowley wrote:
>   
>> Simo Sorce wrote:
>>     
>>> On Mon, 2007-10-29 at 14:55 -0700, Pete Rowley wrote:
>>>   
>>>       
>>>> +aci: (targetattr = "givenName || sn || cn || displayName || initials
>>>> || loginShell || homePhone || mobile || pager ||
>>>> facsimileTelephoneNumber || telephoneNumber || street || roomNumber ||
>>>> l || st || postalCode || manager || description || carLicense ||
>>>> labeledURI || inetUserHTTPURL || seeAlso || userPassword")(version
>>>> 3.0;acl "Self service";allow (write) userdn="ldap:///self";)
>>>>     
>>>>         
>>> Allow users by default to change name (givenName, cn, sn), manager and
>>> loginShell by themselves?
>>>
>>>   
>>>       
>> loginShell might be a problem, what issue do you have with the others?
>>     
>
> Well I am not sure it makes sense to change your own name, why should
> you?
>   
Because it changed, or is spelled incorrectly, or you are commonly known 
by another name?
> Same for the manager, we might think of ACIs where manager=<something>
> may matter
>   
If we do we should remove it from the self service list if there is a 
problem with escalation of privilege.

-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071029/ba886863/attachment.bin>

From ssorce at redhat.com  Mon Oct 29 23:41:13 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 29 Oct 2007 19:41:13 -0400
Subject: [Freeipa-devel] How to build without optimizations
Message-ID: <1193701273.13652.42.camel@localhost.localdomain>

Before the auto-tools were introduced I made freeipa tools build with
debugging and without optimizations on purpose.
Since then it seem optimizations have been put back. Is there a quick
clean way to disable optimizations completely for a make local-dist ?

Using gdb with optimizations is almost impossible.

Simo.



From david.obrien at redhat.com  Tue Oct 30 06:21:00 2007
From: david.obrien at redhat.com (David O'Brien)
Date: Tue, 30 Oct 2007 16:21:00 +1000
Subject: [Freeipa-devel] Duplicate UID and GID on ipa demo site
Message-ID: <4726CD4C.3000805@redhat.com>

I've been having a mess around here until I get my own server installed.
I created two users: A User and B User, both of which received the same
UID and GID (501).

This looks like A Bad Thing.

I also noticed that I couldn't create a user without a "See also" value,
but there's no indication of what that might be. I entered "fred" just
to see what would happen. Apparently that was adequate, even though I
have no idea what the system might think "fred" is.

cheers
-- 
David O'Brien		Ph: +61 7 3514 8189
Content Services	Mb: +61 411 760 216
Red Hat Asia Pacific	Fx: +61 7 3514 8199

SIP:
1.866.546.8970 (866LINUX70)
or
+1.480 718.6000, X81 51143
-------------- next part --------------
A non-text attachment was scrubbed...
Name: david.obrien.vcf
Type: text/x-vcard
Size: 258 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/34d1022f/attachment.vcf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/34d1022f/attachment.sig>

From rcritten at redhat.com  Tue Oct 30 13:06:02 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Oct 2007 09:06:02 -0400
Subject: [Freeipa-devel] Duplicate UID and GID on ipa demo site
In-Reply-To: <4726CD4C.3000805@redhat.com>
References: <4726CD4C.3000805@redhat.com>
Message-ID: <47272C3A.4010001@redhat.com>

David O'Brien wrote:
> I've been having a mess around here until I get my own server installed.
> I created two users: A User and B User, both of which received the same
> UID and GID (501).
> 
> This looks like A Bad Thing.

It is on our TODO list.

> I also noticed that I couldn't create a user without a "See also" value,
> but there's no indication of what that might be. I entered "fred" just
> to see what would happen. Apparently that was adequate, even though I
> have no idea what the system might think "fred" is.

Right before Kevin left he mocked up a custom attributes mechanism. 
seeAlso is one of the things he added. The contents can be ignored for now.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/ef7695e8/attachment.bin>

From rcritten at redhat.com  Tue Oct 30 13:22:42 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Oct 2007 09:22:42 -0400
Subject: [Freeipa-devel] [PATCH] self service aci
In-Reply-To: <1193698398.13652.33.camel@localhost.localdomain>
References: <472656C3.4030302@redhat.com>	<1193696570.13652.30.camel@localhost.localdomain>	<4726604F.60503@redhat.com>
	<1193698398.13652.33.camel@localhost.localdomain>
Message-ID: <47273022.4010106@redhat.com>

Simo Sorce wrote:
> On Mon, 2007-10-29 at 15:35 -0700, Pete Rowley wrote:
>> Simo Sorce wrote:
>>> On Mon, 2007-10-29 at 14:55 -0700, Pete Rowley wrote:
>>>   
>>>> +aci: (targetattr = "givenName || sn || cn || displayName || initials
>>>> || loginShell || homePhone || mobile || pager ||
>>>> facsimileTelephoneNumber || telephoneNumber || street || roomNumber ||
>>>> l || st || postalCode || manager || description || carLicense ||
>>>> labeledURI || inetUserHTTPURL || seeAlso || userPassword")(version
>>>> 3.0;acl "Self service";allow (write) userdn="ldap:///self";)
>>>>     
>>> Allow users by default to change name (givenName, cn, sn), manager and
>>> loginShell by themselves?
>>>
>>>   
>> loginShell might be a problem, what issue do you have with the others?
> 
> Well I am not sure it makes sense to change your own name, why should
> you?
> Same for the manager, we might think of ACIs where manager=<something>
> may matter
>

I agree about the name field, it shouldn't be user-modifiable (that is 
what HR is for). I think we should limit changes to phone number, 
address, license, shell, password, etc.

This raises the issue of ACI's for the custom fields as well. We'll need 
some way of dynamically granting access. I suppose we can create a self 
ACI for each attribute, or will that kill performance?

Perhaps this is a time to consider some additional "roles" as well. Such 
as an HR role that can change user information but not system 
information (password, uidnumber, gidnumbet, homedir, etc).

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/bca2819c/attachment.bin>

From rcritten at redhat.com  Tue Oct 30 13:55:40 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Oct 2007 09:55:40 -0400
Subject: [Freeipa-devel] index patch breaks things
Message-ID: <472737DC.90802@redhat.com>

I'm not entirely sure why, but creating the indeces causes SASL problems 
with the admin account.

I re-ran setup without that enabled and things are working fine.

I'm going to investigate moving that creation prior to creating the 
admin user, perhaps I simply put it into the wrong place.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/c9e0ee80/attachment.bin>

From rcritten at redhat.com  Tue Oct 30 15:38:21 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Oct 2007 11:38:21 -0400
Subject: [Freeipa-devel] memberOf wierdness
Message-ID: <47274FED.7010005@redhat.com>

In my experimentation with new indeces I found a strange issue with 
memberOf.

If I install IPA, get a ticket for admin and do:

ldapsearch -Y GSSAPI -b "dc=freeipa,dc=org" 
"memberof=cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org" cn

I get 0 results back.

If I use ipa-adduser and then add that user to the admins group and then 
issue the search again, I get 1 result back, the user I just added.

The user admin has the following OC's:

objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: KrbPrincipalAux

My test user has:

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: inetUser
objectClass: posixAccount
objectClass: krbPrincipalAux

Could this have something to do with it?

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/9c00543e/attachment.bin>

From ssorce at redhat.com  Tue Oct 30 15:47:03 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 30 Oct 2007 11:47:03 -0400
Subject: [Freeipa-devel] memberOf wierdness
In-Reply-To: <47274FED.7010005@redhat.com>
References: <47274FED.7010005@redhat.com>
Message-ID: <1193759223.26382.30.camel@localhost.localdomain>

On Tue, 2007-10-30 at 11:38 -0400, Rob Crittenden wrote:
> In my experimentation with new indeces I found a strange issue with 
> memberOf.
> 
> If I install IPA, get a ticket for admin and do:
> 
> ldapsearch -Y GSSAPI -b "dc=freeipa,dc=org" 
> "memberof=cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org" cn
> 
> I get 0 results back.
> 
> If I use ipa-adduser and then add that user to the admins group and then 
> issue the search again, I get 1 result back, the user I just added.
> 
> The user admin has the following OC's:
> 
> objectClass: top
> objectClass: person
> objectClass: posixAccount
> objectClass: KrbPrincipalAux
> 
> My test user has:
> 
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: inetUser
> objectClass: posixAccount
> objectClass: krbPrincipalAux
> 
> Could this have something to do with it?

No the problem is not with indices.
The problem is that we activate the memberOf plugin "after" the admin
account has been created.

I asked back then Pete to show us how to activate the FDS task to make
the memberOf plugin check the directory, but that must have been
forgotten, I'll open a ticket and assign to Pete.

Simo.



From rcritten at redhat.com  Tue Oct 30 15:58:37 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Oct 2007 11:58:37 -0400
Subject: [Freeipa-devel] memberOf wierdness
In-Reply-To: <1193759223.26382.30.camel@localhost.localdomain>
References: <47274FED.7010005@redhat.com>
	<1193759223.26382.30.camel@localhost.localdomain>
Message-ID: <472754AD.1050101@redhat.com>

Simo Sorce wrote:
> On Tue, 2007-10-30 at 11:38 -0400, Rob Crittenden wrote:
>> In my experimentation with new indeces I found a strange issue with 
>> memberOf.
>>
>> If I install IPA, get a ticket for admin and do:
>>
>> ldapsearch -Y GSSAPI -b "dc=freeipa,dc=org" 
>> "memberof=cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org" cn
>>
>> I get 0 results back.
>>
>> If I use ipa-adduser and then add that user to the admins group and then 
>> issue the search again, I get 1 result back, the user I just added.
>>
>> The user admin has the following OC's:
>>
>> objectClass: top
>> objectClass: person
>> objectClass: posixAccount
>> objectClass: KrbPrincipalAux
>>
>> My test user has:
>>
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: inetOrgPerson
>> objectClass: inetUser
>> objectClass: posixAccount
>> objectClass: krbPrincipalAux
>>
>> Could this have something to do with it?
> 
> No the problem is not with indices.
> The problem is that we activate the memberOf plugin "after" the admin
> account has been created.
> 
> I asked back then Pete to show us how to activate the FDS task to make
> the memberOf plugin check the directory, but that must have been
> forgotten, I'll open a ticket and assign to Pete.
> 

No, the index is added first. The last thing that happens in 
dsinstance.py is a call to __add_default_layout() which loads 
bootstrap-template.ldif.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/bec91e2b/attachment.bin>

From ssorce at redhat.com  Tue Oct 30 16:18:01 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 30 Oct 2007 12:18:01 -0400
Subject: [Freeipa-devel] memberOf wierdness
In-Reply-To: <472754AD.1050101@redhat.com>
References: <47274FED.7010005@redhat.com>
	<1193759223.26382.30.camel@localhost.localdomain>
	<472754AD.1050101@redhat.com>
Message-ID: <1193761081.26382.41.camel@localhost.localdomain>

On Tue, 2007-10-30 at 11:58 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Tue, 2007-10-30 at 11:38 -0400, Rob Crittenden wrote:
> >> In my experimentation with new indeces I found a strange issue with 
> >> memberOf.
> >>
> >> If I install IPA, get a ticket for admin and do:
> >>
> >> ldapsearch -Y GSSAPI -b "dc=freeipa,dc=org" 
> >> "memberof=cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org" cn
> >>
> >> I get 0 results back.
> >>
> >> If I use ipa-adduser and then add that user to the admins group and then 
> >> issue the search again, I get 1 result back, the user I just added.
> >>
> >> The user admin has the following OC's:
> >>
> >> objectClass: top
> >> objectClass: person
> >> objectClass: posixAccount
> >> objectClass: KrbPrincipalAux
> >>
> >> My test user has:
> >>
> >> objectClass: top
> >> objectClass: person
> >> objectClass: organizationalPerson
> >> objectClass: inetOrgPerson
> >> objectClass: inetUser
> >> objectClass: posixAccount
> >> objectClass: krbPrincipalAux
> >>
> >> Could this have something to do with it?
> > 
> > No the problem is not with indices.
> > The problem is that we activate the memberOf plugin "after" the admin
> > account has been created.
> > 
> > I asked back then Pete to show us how to activate the FDS task to make
> > the memberOf plugin check the directory, but that must have been
> > forgotten, I'll open a ticket and assign to Pete.
> > 
> 
> No, the index is added first. The last thing that happens in 
> dsinstance.py is a call to __add_default_layout() which loads 
> bootstrap-template.ldif.

Ah I see that changed after the last time I looked at that.
Do you have the memberOf attribute on the admin entry?

Uhmm now that I look at it I wonder if we should use 'account' instead
of 'person' for admin ...

Pete,
why do we use groupOfUniqueNames and uniqueMember instead of
groupOfNames/member in the memberOf plugin? (and therefore in our
entries ?)

It seem that groupOfUniqueNames is a particularly hated objectClass
generally, because uniqueMember syntax is not distinguishedName.

I'd prefer to use groupOfNames/member unless there is a problem doing
that, can you comment please?

Simo.


Simo.



From rcritten at redhat.com  Tue Oct 30 17:43:41 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Oct 2007 13:43:41 -0400
Subject: [Freeipa-devel] [PATCH] Create default indeces (take 2)
Message-ID: <47276D4D.5040403@redhat.com>

There was a bug in the first index ldif I sent out, this corrects it.

Create LDAP indeces on installation for fields the web GUI searches against.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-333-index.patch
Type: text/x-patch
Size: 3631 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/d7dfe653/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/d7dfe653/attachment-0001.bin>

From prowley at redhat.com  Tue Oct 30 17:48:56 2007
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 30 Oct 2007 10:48:56 -0700
Subject: [Freeipa-devel] [PATCH] self service aci
In-Reply-To: <47273022.4010106@redhat.com>
References: <472656C3.4030302@redhat.com>	<1193696570.13652.30.camel@localhost.localdomain>	<4726604F.60503@redhat.com>
	<1193698398.13652.33.camel@localhost.localdomain>
	<47273022.4010106@redhat.com>
Message-ID: <47276E88.6000703@redhat.com>

Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Mon, 2007-10-29 at 15:35 -0700, Pete Rowley wrote:
>>> Simo Sorce wrote:
>>>> On Mon, 2007-10-29 at 14:55 -0700, Pete Rowley wrote:
>>>>  
>>>>> +aci: (targetattr = "givenName || sn || cn || displayName || initials
>>>>> || loginShell || homePhone || mobile || pager ||
>>>>> facsimileTelephoneNumber || telephoneNumber || street || 
>>>>> roomNumber ||
>>>>> l || st || postalCode || manager || description || carLicense ||
>>>>> labeledURI || inetUserHTTPURL || seeAlso || userPassword")(version
>>>>> 3.0;acl "Self service";allow (write) userdn="ldap:///self";)
>>>>>     
>>>> Allow users by default to change name (givenName, cn, sn), manager and
>>>> loginShell by themselves?
>>>>
>>>>   
>>> loginShell might be a problem, what issue do you have with the others?
>>
>> Well I am not sure it makes sense to change your own name, why should
>> you?
>> Same for the manager, we might think of ACIs where manager=<something>
>> may matter
>>
>
> I agree about the name field, it shouldn't be user-modifiable (that is 
> what HR is for). I think we should limit changes to phone number, 
> address, license, shell, password, etc.
>
The basic philosophy here is "if it isn't an out and out security risk 
allow it." Inherent in self service is some level of /trust/, or why 
would we allow any attribute to be changed? If I can trust my employee 
to change their phone number to something that will allow me to call 
them, I think I can trust them not to arbitrarily rename themselves 
Winston Churchill or some such. Still, there may be those that would, 
and what do you suspect would happen in such cases? I suspect not good 
things for the WC wannabe.

This default policy can be changed by the deployment if they disagree, 
and some will.

I still need to go research login shell to see whether it matters.
 



-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/731a8dcf/attachment.bin>

From prowley at redhat.com  Tue Oct 30 17:52:02 2007
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 30 Oct 2007 10:52:02 -0700
Subject: [Freeipa-devel] memberOf wierdness
In-Reply-To: <47274FED.7010005@redhat.com>
References: <47274FED.7010005@redhat.com>
Message-ID: <47276F42.9070608@redhat.com>

Rob Crittenden wrote:
>
> objectClass: inetUser
this is the objectclass that allows memberof

-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/548f1da7/attachment.bin>

From prowley at redhat.com  Tue Oct 30 17:58:24 2007
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 30 Oct 2007 10:58:24 -0700
Subject: [Freeipa-devel] [PATCH] user and group deletion
In-Reply-To: <1193507456.26363.38.camel@localhost.localdomain>
References: <20071023234951.GG22720@moon.usersys.redhat.com>	<47221273.9050700@redhat.com>
	<1193507456.26363.38.camel@localhost.localdomain>
Message-ID: <472770C0.6080203@redhat.com>

Simo Sorce wrote:
> I don't see how we could easily do group inactivation, deletion is ok
Clues: Class of service, an "inactivation group" and the memberof 
attribute :)

-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/6279d5d0/attachment.bin>

From rcritten at redhat.com  Tue Oct 30 17:58:35 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Oct 2007 13:58:35 -0400
Subject: [Freeipa-devel] memberOf wierdness
In-Reply-To: <47276F42.9070608@redhat.com>
References: <47274FED.7010005@redhat.com> <47276F42.9070608@redhat.com>
Message-ID: <472770CB.5020201@redhat.com>

Pete Rowley wrote:
> Rob Crittenden wrote:
>>
>> objectClass: inetUser
> this is the objectclass that allows memberof
> 

/me smacks head. Of course, we talked about that. I'll update the 
bootstrap ldif.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/66f15b11/attachment.bin>

From rcritten at redhat.com  Tue Oct 30 18:00:43 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Oct 2007 14:00:43 -0400
Subject: [Freeipa-devel] [PATCH] self service aci
In-Reply-To: <47276E88.6000703@redhat.com>
References: <472656C3.4030302@redhat.com>	<1193696570.13652.30.camel@localhost.localdomain>	<4726604F.60503@redhat.com>
	<1193698398.13652.33.camel@localhost.localdomain>
	<47273022.4010106@redhat.com> <47276E88.6000703@redhat.com>
Message-ID: <4727714B.6010705@redhat.com>

Pete Rowley wrote:
> Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Mon, 2007-10-29 at 15:35 -0700, Pete Rowley wrote:
>>>> Simo Sorce wrote:
>>>>> On Mon, 2007-10-29 at 14:55 -0700, Pete Rowley wrote:
>>>>>  
>>>>>> +aci: (targetattr = "givenName || sn || cn || displayName || initials
>>>>>> || loginShell || homePhone || mobile || pager ||
>>>>>> facsimileTelephoneNumber || telephoneNumber || street || 
>>>>>> roomNumber ||
>>>>>> l || st || postalCode || manager || description || carLicense ||
>>>>>> labeledURI || inetUserHTTPURL || seeAlso || userPassword")(version
>>>>>> 3.0;acl "Self service";allow (write) userdn="ldap:///self";)
>>>>>>     
>>>>> Allow users by default to change name (givenName, cn, sn), manager and
>>>>> loginShell by themselves?
>>>>>
>>>>>   
>>>> loginShell might be a problem, what issue do you have with the others?
>>>
>>> Well I am not sure it makes sense to change your own name, why should
>>> you?
>>> Same for the manager, we might think of ACIs where manager=<something>
>>> may matter
>>>
>>
>> I agree about the name field, it shouldn't be user-modifiable (that is 
>> what HR is for). I think we should limit changes to phone number, 
>> address, license, shell, password, etc.
>>
> The basic philosophy here is "if it isn't an out and out security risk 
> allow it." Inherent in self service is some level of /trust/, or why 
> would we allow any attribute to be changed? If I can trust my employee 
> to change their phone number to something that will allow me to call 
> them, I think I can trust them not to arbitrarily rename themselves 
> Winston Churchill or some such. Still, there may be those that would, 
> and what do you suspect would happen in such cases? I suspect not good 
> things for the WC wannabe.
> 
> This default policy can be changed by the deployment if they disagree, 
> and some will.

True, the trick is how able we'll be to let them change the policy. This 
will likely be a v2 thing with it documented in v1.

> I still need to go research login shell to see whether it matters.

Can't users change their shell today with /usr/bin/chsh? I don't see the 
controversy there. The trick is only letting them put in a legal value 
and that is system-dependant (e.g. mine is set for /bin/zsh and I log 
into an AIX box without that installed).

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/2d98a0cf/attachment.bin>

From prowley at redhat.com  Tue Oct 30 18:12:36 2007
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 30 Oct 2007 11:12:36 -0700
Subject: [Freeipa-devel] Autogen uid/gid
In-Reply-To: <1193336952.13697.65.camel@mahler.iad.redhat.com>
References: <1193336380.13697.63.camel@mahler.iad.redhat.com>	<1193336890.15848.51.camel@localhost.localdomain>
	<1193336952.13697.65.camel@mahler.iad.redhat.com>
Message-ID: <47277414.7010505@redhat.com>

Karl MacMillan wrote:
> On Thu, 2007-10-25 at 14:28 -0400, Simo Sorce wrote:
>   
>> On Thu, 2007-10-25 at 14:19 -0400, Karl MacMillan wrote:
>>     
>>> As I was doing some multi-machine testing w/ nfs I realized that forcing
>>> uid/gid generation is not going to work in all circumstances (I needed
>>> to force my uid/gid to be the same as an existing user on an exported
>>> filesystem).
>>>
>>> How can we handle this?
>>>       
>> We can't easily.
>> Welcome to migration madness, and the unsuitability of unix platform to
>> work in heavily networked environments (just kidding but not too
>> much :-)
>>
>>     
>
> I think we must solve this - even if forcing the uid/gid is problematic
> and must be done carefully.
>
>   
The DNA plugin will not generate a value if the attribute in question is 
being set to a specific value. It will generate a new sequence value if 
the value being set is the "magic" value, used to get a new generated 
value for an existing entry (perhaps to fix up clashes from folk doing 
things manually).

The current GUI forces you to have the values generated on creation, but 
you can then go and edit the values to any that you choose after 
creation.  This was done specifically to discourage manual assignment.  
Migration really ought to be done some other way than typing over 
entries one by one so I don't think this is such a hardship.

-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/b5e37025/attachment.bin>

From ssorce at redhat.com  Tue Oct 30 18:15:33 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 30 Oct 2007 14:15:33 -0400
Subject: [Freeipa-devel] [PATCH] user and group deletion
In-Reply-To: <472770C0.6080203@redhat.com>
References: <20071023234951.GG22720@moon.usersys.redhat.com>
	<47221273.9050700@redhat.com>
	<1193507456.26363.38.camel@localhost.localdomain>
	<472770C0.6080203@redhat.com>
Message-ID: <1193768133.26382.52.camel@localhost.localdomain>

On Tue, 2007-10-30 at 10:58 -0700, Pete Rowley wrote:
> Simo Sorce wrote:
> > I don't see how we could easily do group inactivation, deletion is ok
> Clues: Class of service, an "inactivation group" and the memberof 
> attribute :)

Yes,
but we need to deal with existing clients and how they will interpret
this.

So far for users inactivation is simple as you simply deny them auth,
but for groups there is no auth.

Simo.



From prowley at redhat.com  Tue Oct 30 18:21:13 2007
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 30 Oct 2007 11:21:13 -0700
Subject: [Freeipa-devel] [PATCH] self service aci
In-Reply-To: <4727714B.6010705@redhat.com>
References: <472656C3.4030302@redhat.com>	<1193696570.13652.30.camel@localhost.localdomain>	<4726604F.60503@redhat.com>
	<1193698398.13652.33.camel@localhost.localdomain>
	<47273022.4010106@redhat.com> <47276E88.6000703@redhat.com>
	<4727714B.6010705@redhat.com>
Message-ID: <47277619.2050702@redhat.com>

Rob Crittenden wrote:
> Pete Rowley wrote:
>> Rob Crittenden wrote:
>
> Can't users change their shell today with /usr/bin/chsh? I don't see 
> the controversy there. The trick is only letting them put in a legal 
> value and that is system-dependant (e.g. mine is set for /bin/zsh and 
> I log into an AIX box without that installed).
Well, I was thinking along the lines of it allowing arbitrary commands 
to be executed with root privilege. For example, an escalation of privilege:

loginShell: /home/prowley/addMeToSudoers

I suspect this is the kind of thing that makes it problem, still need to 
check it out though.

-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/e85570ff/attachment.bin>

From prowley at redhat.com  Tue Oct 30 18:24:07 2007
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 30 Oct 2007 11:24:07 -0700
Subject: [Freeipa-devel] [PATCH] user and group deletion
In-Reply-To: <1193768133.26382.52.camel@localhost.localdomain>
References: <20071023234951.GG22720@moon.usersys.redhat.com>	
	<47221273.9050700@redhat.com>	
	<1193507456.26363.38.camel@localhost.localdomain>	
	<472770C0.6080203@redhat.com>
	<1193768133.26382.52.camel@localhost.localdomain>
Message-ID: <472776C7.2000305@redhat.com>

Simo Sorce wrote:
> On Tue, 2007-10-30 at 10:58 -0700, Pete Rowley wrote:
>   
>> Simo Sorce wrote:
>>     
>>> I don't see how we could easily do group inactivation, deletion is ok
>>>       
>> Clues: Class of service, an "inactivation group" and the memberof 
>> attribute :)
>>     
>
> Yes,
> but we need to deal with existing clients and how they will interpret
> this.
>
> So far for users inactivation is simple as you simply deny them auth,
> but for groups there is no auth.
>
>   
It is the members of the group that matter.

-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/310141bc/attachment.bin>

From ssorce at redhat.com  Tue Oct 30 18:25:36 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 30 Oct 2007 14:25:36 -0400
Subject: [Freeipa-devel] [PATCH] Create default indeces (take 2)
In-Reply-To: <47276D4D.5040403@redhat.com>
References: <47276D4D.5040403@redhat.com>
Message-ID: <1193768736.26382.53.camel@localhost.localdomain>

On Tue, 2007-10-30 at 13:43 -0400, Rob Crittenden wrote:
> There was a bug in the first index ldif I sent out, this corrects it.
> 
> Create LDAP indeces on installation for fields the web GUI searches
> against.

Ack, even if carLicense is still there :-)
But I guess we can fine tune later on,
push it.

Simo.



From prowley at redhat.com  Tue Oct 30 18:36:35 2007
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 30 Oct 2007 11:36:35 -0700
Subject: [Freeipa-devel] memberOf wierdness
In-Reply-To: <1193761081.26382.41.camel@localhost.localdomain>
References: <47274FED.7010005@redhat.com>	
	<1193759223.26382.30.camel@localhost.localdomain>	
	<472754AD.1050101@redhat.com>
	<1193761081.26382.41.camel@localhost.localdomain>
Message-ID: <472779B3.3050205@redhat.com>

Simo Sorce wrote:
> On Tue, 2007-10-30 at 11:58 -0400, Rob Crittenden wrote:
>   
>> Simo Sorce wrote:
>>     
>>> On Tue, 2007-10-30 at 11:38 -0400, Rob Crittenden wrote:
>>>       
>>>> In my experimentation with new indeces I found a strange issue with 
>>>> memberOf.
>>>>
>>>> If I install IPA, get a ticket for admin and do:
>>>>
>>>> ldapsearch -Y GSSAPI -b "dc=freeipa,dc=org" 
>>>> "memberof=cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org" cn
>>>>
>>>> I get 0 results back.
>>>>
>>>> If I use ipa-adduser and then add that user to the admins group and then 
>>>> issue the search again, I get 1 result back, the user I just added.
>>>>
>>>> The user admin has the following OC's:
>>>>
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: posixAccount
>>>> objectClass: KrbPrincipalAux
>>>>
>>>> My test user has:
>>>>
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: inetOrgPerson
>>>> objectClass: inetUser
>>>> objectClass: posixAccount
>>>> objectClass: krbPrincipalAux
>>>>
>>>> Could this have something to do with it?
>>>>         
>>> No the problem is not with indices.
>>> The problem is that we activate the memberOf plugin "after" the admin
>>> account has been created.
>>>
>>> I asked back then Pete to show us how to activate the FDS task to make
>>> the memberOf plugin check the directory, but that must have been
>>> forgotten, I'll open a ticket and assign to Pete.
>>>
>>>       
>> No, the index is added first. The last thing that happens in 
>> dsinstance.py is a call to __add_default_layout() which loads 
>> bootstrap-template.ldif.
>>     
>
> Ah I see that changed after the last time I looked at that.
> Do you have the memberOf attribute on the admin entry?
>
> Uhmm now that I look at it I wonder if we should use 'account' instead
> of 'person' for admin ...
>
> Pete,
> why do we use groupOfUniqueNames and uniqueMember instead of
> groupOfNames/member in the memberOf plugin? (and therefore in our
> entries ?)
>
> It seem that groupOfUniqueNames is a particularly hated objectClass
> generally, because uniqueMember syntax is not distinguishedName.
>
> I'd prefer to use groupOfNames/member unless there is a problem doing
> that, can you comment please?
>
>
>   
Fine with me.

-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/90849f7e/attachment.bin>

From prowley at redhat.com  Tue Oct 30 18:41:01 2007
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 30 Oct 2007 11:41:01 -0700
Subject: [Freeipa-devel] memberOf wierdness
In-Reply-To: <1193761081.26382.41.camel@localhost.localdomain>
References: <47274FED.7010005@redhat.com>	
	<1193759223.26382.30.camel@localhost.localdomain>	
	<472754AD.1050101@redhat.com>
	<1193761081.26382.41.camel@localhost.localdomain>
Message-ID: <47277ABD.8040305@redhat.com>

Simo Sorce wrote:
> On Tue, 2007-10-30 at 11:58 -0400, Rob Crittenden wrote:
>   
>> Simo Sorce wrote:
>>     
>>> On Tue, 2007-10-30 at 11:38 -0400, Rob Crittenden wrote:
>>>       
>>>> In my experimentation with new indeces I found a strange issue with 
>>>> memberOf.
>>>>
>>>> If I install IPA, get a ticket for admin and do:
>>>>
>>>> ldapsearch -Y GSSAPI -b "dc=freeipa,dc=org" 
>>>> "memberof=cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org" cn
>>>>
>>>> I get 0 results back.
>>>>
>>>> If I use ipa-adduser and then add that user to the admins group and then 
>>>> issue the search again, I get 1 result back, the user I just added.
>>>>
>>>> The user admin has the following OC's:
>>>>
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: posixAccount
>>>> objectClass: KrbPrincipalAux
>>>>
>>>> My test user has:
>>>>
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: inetOrgPerson
>>>> objectClass: inetUser
>>>> objectClass: posixAccount
>>>> objectClass: krbPrincipalAux
>>>>
>>>> Could this have something to do with it?
>>>>         
>>> No the problem is not with indices.
>>> The problem is that we activate the memberOf plugin "after" the admin
>>> account has been created.
>>>
>>> I asked back then Pete to show us how to activate the FDS task to make
>>> the memberOf plugin check the directory, but that must have been
>>> forgotten, I'll open a ticket and assign to Pete.
>>>
>>>       
>> No, the index is added first. The last thing that happens in 
>> dsinstance.py is a call to __add_default_layout() which loads 
>> bootstrap-template.ldif.
>>     
>
> Ah I see that changed after the last time I looked at that.
> Do you have the memberOf attribute on the admin entry?
>
> Uhmm now that I look at it I wonder if we should use 'account' instead
> of 'person' for admin ...
>
> Pete,
> why do we use groupOfUniqueNames and uniqueMember instead of
> groupOfNames/member in the memberOf plugin? (and therefore in our
> entries ?)
>
>   
Because RFC2307bis recommends that as a MAY.
> It seem that groupOfUniqueNames is a particularly hated objectClass
> generally, because uniqueMember syntax is not distinguishedName.
>
>   
There are some very vocal haters of that objectclass.
> I'd prefer to use groupOfNames/member unless there is a problem doing
> that, can you comment please?
>
>   
Fine with me.

-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/83c5c2fc/attachment.bin>

From rcritten at redhat.com  Tue Oct 30 18:42:45 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Oct 2007 14:42:45 -0400
Subject: [Freeipa-devel] [PATCH] add inetUser to uid=admin
Message-ID: <47277B25.7090106@redhat.com>

Add inetUser OC to uid=admin user so it will show up in memberOf searches.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-334-admin.patch
Type: text/x-patch
Size: 717 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/7a6ea9ca/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/7a6ea9ca/attachment-0001.bin>

From ssorce at redhat.com  Tue Oct 30 18:45:07 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 30 Oct 2007 14:45:07 -0400
Subject: [Freeipa-devel] [PATCH] self service aci
In-Reply-To: <47277619.2050702@redhat.com>
References: <472656C3.4030302@redhat.com>
	<1193696570.13652.30.camel@localhost.localdomain>
	<4726604F.60503@redhat.com>
	<1193698398.13652.33.camel@localhost.localdomain>
	<47273022.4010106@redhat.com> <47276E88.6000703@redhat.com>
	<4727714B.6010705@redhat.com>  <47277619.2050702@redhat.com>
Message-ID: <1193769907.26382.55.camel@localhost.localdomain>

On Tue, 2007-10-30 at 11:21 -0700, Pete Rowley wrote:
> Rob Crittenden wrote:
> > Pete Rowley wrote:
> >> Rob Crittenden wrote:
> >
> > Can't users change their shell today with /usr/bin/chsh? I don't see 
> > the controversy there. The trick is only letting them put in a legal 
> > value and that is system-dependant (e.g. mine is set for /bin/zsh and 
> > I log into an AIX box without that installed).
> Well, I was thinking along the lines of it allowing arbitrary commands 
> to be executed with root privilege. For example, an escalation of privilege:
> 
> loginShell: /home/prowley/addMeToSudoers
> 
> I suspect this is the kind of thing that makes it problem, still need to 
> check it out though.

The shell is run as the user, so this is not to worry.

Simo.



From ssorce at redhat.com  Tue Oct 30 18:46:38 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 30 Oct 2007 14:46:38 -0400
Subject: [Freeipa-devel] [PATCH] user and group deletion
In-Reply-To: <472776C7.2000305@redhat.com>
References: <20071023234951.GG22720@moon.usersys.redhat.com>
	<47221273.9050700@redhat.com>
	<1193507456.26363.38.camel@localhost.localdomain>
	<472770C0.6080203@redhat.com>
	<1193768133.26382.52.camel@localhost.localdomain>
	<472776C7.2000305@redhat.com>
Message-ID: <1193769998.26382.58.camel@localhost.localdomain>

On Tue, 2007-10-30 at 11:24 -0700, Pete Rowley wrote:
> Simo Sorce wrote:
> > On Tue, 2007-10-30 at 10:58 -0700, Pete Rowley wrote:
> >   
> >> Simo Sorce wrote:
> >>     
> >>> I don't see how we could easily do group inactivation, deletion is ok
> >>>       
> >> Clues: Class of service, an "inactivation group" and the memberof 
> >> attribute :)
> >>     
> >
> > Yes,
> > but we need to deal with existing clients and how they will interpret
> > this.
> >
> > So far for users inactivation is simple as you simply deny them auth,
> > but for groups there is no auth.
> >
> >   
> It is the members of the group that matter.

I see, so you propose to delete the memberOf attirbute for "disabled"
groups, and re-add it later if the group is enabled again, I see.
But I guess we still have clients that looks at the group's 'member'
attribute, not at the user's memberOf ...

Simo.



From prowley at redhat.com  Tue Oct 30 18:47:26 2007
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 30 Oct 2007 11:47:26 -0700
Subject: [Freeipa-devel] [PATCH] self service aci
In-Reply-To: <1193769907.26382.55.camel@localhost.localdomain>
References: <472656C3.4030302@redhat.com>	
	<1193696570.13652.30.camel@localhost.localdomain>	
	<4726604F.60503@redhat.com>	
	<1193698398.13652.33.camel@localhost.localdomain>	
	<47273022.4010106@redhat.com> <47276E88.6000703@redhat.com>	
	<4727714B.6010705@redhat.com> <47277619.2050702@redhat.com>
	<1193769907.26382.55.camel@localhost.localdomain>
Message-ID: <47277C3E.8070509@redhat.com>

Simo Sorce wrote:
> On Tue, 2007-10-30 at 11:21 -0700, Pete Rowley wrote:
>   
>> Well, I was thinking along the lines of it allowing arbitrary commands 
>> to be executed with root privilege. For example, an escalation of privilege:
>>
>> loginShell: /home/prowley/addMeToSudoers
>>
>> I suspect this is the kind of thing that makes it problem, still need to 
>> check it out though.
>>     
>
> The shell is run as the user, so this is not to worry.
>
>   
Hmm, yes. So what problem do you envisage with this?

-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/fee83fe6/attachment.bin>

From ssorce at redhat.com  Tue Oct 30 18:49:21 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 30 Oct 2007 14:49:21 -0400
Subject: [Freeipa-devel] [PATCH] self service aci
In-Reply-To: <47277C3E.8070509@redhat.com>
References: <472656C3.4030302@redhat.com>
	<1193696570.13652.30.camel@localhost.localdomain>
	<4726604F.60503@redhat.com>
	<1193698398.13652.33.camel@localhost.localdomain>
	<47273022.4010106@redhat.com> <47276E88.6000703@redhat.com>
	<4727714B.6010705@redhat.com>  <47277619.2050702@redhat.com>
	<1193769907.26382.55.camel@localhost.localdomain>
	<47277C3E.8070509@redhat.com>
Message-ID: <1193770161.26382.61.camel@localhost.localdomain>

On Tue, 2007-10-30 at 11:47 -0700, Pete Rowley wrote:
> Simo Sorce wrote:
> > On Tue, 2007-10-30 at 11:21 -0700, Pete Rowley wrote:
> >   
> >> Well, I was thinking along the lines of it allowing arbitrary commands 
> >> to be executed with root privilege. For example, an escalation of privilege:
> >>
> >> loginShell: /home/prowley/addMeToSudoers
> >>
> >> I suspect this is the kind of thing that makes it problem, still need to 
> >> check it out though.
> >>     
> >
> > The shell is run as the user, so this is not to worry.
> >
> >   
> Hmm, yes. So what problem do you envisage with this?

I guess I have been exposed for too long to control freaks, so anything
that is not cosmetic and allows self-change makes me nervous :-)

Maybe we can have an easy way to switch between
permissive/non-permissive mode easily? Ie, not change the list of
permitted attributes, just enable/disable that ACI on demand?

Simo.



From prowley at redhat.com  Tue Oct 30 18:55:43 2007
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 30 Oct 2007 11:55:43 -0700
Subject: [Freeipa-devel] [PATCH] user and group deletion
In-Reply-To: <1193769998.26382.58.camel@localhost.localdomain>
References: <20071023234951.GG22720@moon.usersys.redhat.com>	
	<47221273.9050700@redhat.com>	
	<1193507456.26363.38.camel@localhost.localdomain>	
	<472770C0.6080203@redhat.com>	
	<1193768133.26382.52.camel@localhost.localdomain>	
	<472776C7.2000305@redhat.com>
	<1193769998.26382.58.camel@localhost.localdomain>
Message-ID: <47277E2F.30000@redhat.com>

Simo Sorce wrote:
> On Tue, 2007-10-30 at 11:24 -0700, Pete Rowley wrote:
>   
>> Simo Sorce wrote:
>>     
>>> On Tue, 2007-10-30 at 10:58 -0700, Pete Rowley wrote:
>>>   
>>>       
>>>> Simo Sorce wrote:
>>>>     
>>>>         
>>>>> I don't see how we could easily do group inactivation, deletion is ok
>>>>>       
>>>>>           
>>>> Clues: Class of service, an "inactivation group" and the memberof 
>>>> attribute :)
>>>>     
>>>>         
>>> Yes,
>>> but we need to deal with existing clients and how they will interpret
>>> this.
>>>
>>> So far for users inactivation is simple as you simply deny them auth,
>>> but for groups there is no auth.
>>>
>>>   
>>>       
>> It is the members of the group that matter.
>>     
>
> I see, so you propose to delete the memberOf attirbute for "disabled"
> groups, and re-add it later if the group is enabled again, I see.
>   
No. The scheme would work like this:

A group called "Inactivated" to which other groups are made a member 
when their membership is to be inactivated.
A classic class of service scheme that uses memberof as its cos 
specifier, a single template with an rdn = dn of the "Inactivated" group 
and delivering nsAccountlock: true

Thusly, any group added to the "inactivated" group will have their 
membership inactivated with nsAccountlock: true showing up in the people 
entries.
> But I guess we still have clients that looks at the group's 'member'
> attribute, not at the user's memberOf ...
>   
Inactivation is not about what other clients think, it is a mechanism to 
prevent binding to the DS.

-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/0338e59f/attachment.bin>

From prowley at redhat.com  Tue Oct 30 18:58:43 2007
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 30 Oct 2007 11:58:43 -0700
Subject: [Freeipa-devel] [PATCH] self service aci
In-Reply-To: <1193770161.26382.61.camel@localhost.localdomain>
References: <472656C3.4030302@redhat.com>	
	<1193696570.13652.30.camel@localhost.localdomain>	
	<4726604F.60503@redhat.com>	
	<1193698398.13652.33.camel@localhost.localdomain>	
	<47273022.4010106@redhat.com> <47276E88.6000703@redhat.com>	
	<4727714B.6010705@redhat.com> <47277619.2050702@redhat.com>	
	<1193769907.26382.55.camel@localhost.localdomain>	
	<47277C3E.8070509@redhat.com>
	<1193770161.26382.61.camel@localhost.localdomain>
Message-ID: <47277EE3.5080801@redhat.com>

Simo Sorce wrote:
> On Tue, 2007-10-30 at 11:47 -0700, Pete Rowley wrote:
>   
>> Simo Sorce wrote:
>>     
>>> On Tue, 2007-10-30 at 11:21 -0700, Pete Rowley wrote:
>>>   
>>>       
>>>> Well, I was thinking along the lines of it allowing arbitrary commands 
>>>> to be executed with root privilege. For example, an escalation of privilege:
>>>>
>>>> loginShell: /home/prowley/addMeToSudoers
>>>>
>>>> I suspect this is the kind of thing that makes it problem, still need to 
>>>> check it out though.
>>>>     
>>>>         
>>> The shell is run as the user, so this is not to worry.
>>>
>>>   
>>>       
>> Hmm, yes. So what problem do you envisage with this?
>>     
>
> I guess I have been exposed for too long to control freaks, so anything
> that is not cosmetic and allows self-change makes me nervous :-)
>
> Maybe we can have an easy way to switch between
> permissive/non-permissive mode easily? Ie, not change the list of
> permitted attributes, just enable/disable that ACI on demand?
>
>   
We definitely will need to have ui to help modify this... in the future 
:) i.e. after v1


-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/40e3d5e3/attachment.bin>

From rcritten at redhat.com  Tue Oct 30 19:02:24 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Oct 2007 15:02:24 -0400
Subject: [Freeipa-devel] [PATCH] Create default indeces (take 2)
In-Reply-To: <1193768736.26382.53.camel@localhost.localdomain>
References: <47276D4D.5040403@redhat.com>
	<1193768736.26382.53.camel@localhost.localdomain>
Message-ID: <47277FC0.9080901@redhat.com>

Simo Sorce wrote:
> On Tue, 2007-10-30 at 13:43 -0400, Rob Crittenden wrote:
>> There was a bug in the first index ldif I sent out, this corrects it.
>>
>> Create LDAP indeces on installation for fields the web GUI searches
>> against.
> 
> Ack, even if carLicense is still there :-)
> But I guess we can fine tune later on,
> push it.
> 

Yeah, I agree. I wasn't in on the conversations that picked the 
attributes to index. I just got handed the stuff when Kevin left.

Pushed.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/e8b49f20/attachment.bin>

From prowley at redhat.com  Tue Oct 30 19:05:59 2007
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 30 Oct 2007 12:05:59 -0700
Subject: [Freeipa-devel] [PATCH] Create default indeces (take 2)
In-Reply-To: <47277FC0.9080901@redhat.com>
References: <47276D4D.5040403@redhat.com>	<1193768736.26382.53.camel@localhost.localdomain>
	<47277FC0.9080901@redhat.com>
Message-ID: <47278097.8000506@redhat.com>

Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Tue, 2007-10-30 at 13:43 -0400, Rob Crittenden wrote:
>>> There was a bug in the first index ldif I sent out, this corrects it.
>>>
>>> Create LDAP indeces on installation for fields the web GUI searches
>>> against.
>>
>> Ack, even if carLicense is still there :-)
>> But I guess we can fine tune later on,
>> push it.
>>
>
> Yeah, I agree. I wasn't in on the conversations that picked the 
> attributes to index. I just got handed the stuff when Kevin left.
>
If we search on it, it should be indexed.

-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/bfc23f04/attachment.bin>

From rcritten at redhat.com  Tue Oct 30 19:08:32 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Oct 2007 15:08:32 -0400
Subject: [Freeipa-devel] [PATCH] expose memberof searches
Message-ID: <47278130.9050603@redhat.com>

This patch creates a new XML-RPC API function memberOf() to expose that 
kind of search.

I've added this to the CLI ipa-findgroup, still need to do so in the GUI 
(it currently loops through and looks up every single user!).

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-335-memberof.patch
Type: text/x-patch
Size: 5049 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/eb577768/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/eb577768/attachment-0001.bin>

From ssorce at redhat.com  Tue Oct 30 19:23:36 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 30 Oct 2007 15:23:36 -0400
Subject: [Freeipa-devel] [PATCH] user and group deletion
In-Reply-To: <47277E2F.30000@redhat.com>
References: <20071023234951.GG22720@moon.usersys.redhat.com>
	<47221273.9050700@redhat.com>
	<1193507456.26363.38.camel@localhost.localdomain>
	<472770C0.6080203@redhat.com>
	<1193768133.26382.52.camel@localhost.localdomain>
	<472776C7.2000305@redhat.com>
	<1193769998.26382.58.camel@localhost.localdomain>
	<47277E2F.30000@redhat.com>
Message-ID: <1193772216.26382.63.camel@localhost.localdomain>

On Tue, 2007-10-30 at 11:55 -0700, Pete Rowley wrote:
> Simo Sorce wrote:
> > On Tue, 2007-10-30 at 11:24 -0700, Pete Rowley wrote:
> >   
> >> Simo Sorce wrote:
> >>     
> >>> On Tue, 2007-10-30 at 10:58 -0700, Pete Rowley wrote:
> >>>   
> >>>       
> >>>> Simo Sorce wrote:
> >>>>     
> >>>>         
> >>>>> I don't see how we could easily do group inactivation, deletion is ok
> >>>>>       
> >>>>>           
> >>>> Clues: Class of service, an "inactivation group" and the memberof 
> >>>> attribute :)
> >>>>     
> >>>>         
> >>> Yes,
> >>> but we need to deal with existing clients and how they will interpret
> >>> this.
> >>>
> >>> So far for users inactivation is simple as you simply deny them auth,
> >>> but for groups there is no auth.
> >>>
> >>>   
> >>>       
> >> It is the members of the group that matter.
> >>     
> >
> > I see, so you propose to delete the memberOf attirbute for "disabled"
> > groups, and re-add it later if the group is enabled again, I see.
> >   
> No. The scheme would work like this:
> 
> A group called "Inactivated" to which other groups are made a member 
> when their membership is to be inactivated.
> A classic class of service scheme that uses memberof as its cos 
> specifier, a single template with an rdn = dn of the "Inactivated" group 
> and delivering nsAccountlock: true
> 
> Thusly, any group added to the "inactivated" group will have their 
> membership inactivated with nsAccountlock: true showing up in the people 
> entries.
> > But I guess we still have clients that looks at the group's 'member'
> > attribute, not at the user's memberOf ...
> >   
> Inactivation is not about what other clients think, it is a mechanism to 
> prevent binding to the DS.

Except that we do not bind to the DS to auth users, we use kerberos, and
the KDC does not read nsAccountLock ... just more work to do I guess.

Simo.



From ssorce at redhat.com  Tue Oct 30 19:25:49 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 30 Oct 2007 15:25:49 -0400
Subject: [Freeipa-devel] [PATCH] add inetUser to uid=admin
In-Reply-To: <47277B25.7090106@redhat.com>
References: <47277B25.7090106@redhat.com>
Message-ID: <1193772349.26382.65.camel@localhost.localdomain>

On Tue, 2007-10-30 at 14:42 -0400, Rob Crittenden wrote:
> Add inetUser OC to uid=admin user so it will show up in memberOf
> searches.

Ack.




From rcritten at redhat.com  Tue Oct 30 19:28:11 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Oct 2007 15:28:11 -0400
Subject: [Freeipa-devel] [PATCH] add inetUser to uid=admin
In-Reply-To: <1193772349.26382.65.camel@localhost.localdomain>
References: <47277B25.7090106@redhat.com>
	<1193772349.26382.65.camel@localhost.localdomain>
Message-ID: <472785CB.7000104@redhat.com>

Simo Sorce wrote:
> On Tue, 2007-10-30 at 14:42 -0400, Rob Crittenden wrote:
>> Add inetUser OC to uid=admin user so it will show up in memberOf
>> searches.
> 
> Ack.
> 
>

Pushed.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/f12732b0/attachment.bin>

From prowley at redhat.com  Tue Oct 30 19:33:23 2007
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 30 Oct 2007 12:33:23 -0700
Subject: [Freeipa-devel] [PATCH] self service aci
In-Reply-To: <472656C3.4030302@redhat.com>
References: <472656C3.4030302@redhat.com>
Message-ID: <47278703.3070107@redhat.com>

Pete Rowley wrote:

So, after discussion are we agreed this patch is fine?

> ------------------------------------------------------------------------
>
> # HG changeset patch
> # User Pete Rowley <prowley at redhat.com>
> # Date 1193694739 25200
> # Node ID b7941c370189043d9da4e7873add53315964eb9f
> # Parent  c8eba97b92c5d2ebd0f27fd2e6e675abec0da3c9
> Add user self service aci
>
> diff -r c8eba97b92c5 -r b7941c370189 ipa-server/ipa-install/share/default-aci.ldif
> --- a/ipa-server/ipa-install/share/default-aci.ldif	Mon Oct 29 14:16:44 2007 -0400
> +++ b/ipa-server/ipa-install/share/default-aci.ldif	Mon Oct 29 14:52:19 2007 -0700
> @@ -8,3 +8,4 @@ aci: (targetattr="krbLastSuccessfulAuth 
>  aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
>  aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
>  aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
> +aci: (targetattr = "givenName || sn || cn || displayName || initials || loginShell || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || userPassword")(version 3.0;acl "Self service";allow (write) userdn="ldap:///self";)
>   
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071030/316ecfc2/attachment.bin>

From david.obrien at redhat.com  Wed Oct 31 08:58:11 2007
From: david.obrien at redhat.com (David O'Brien)
Date: Wed, 31 Oct 2007 18:58:11 +1000
Subject: [Freeipa-devel] Documentation framework available via docbot
Message-ID: <472843A3.6030407@redhat.com>

I've created the framework for all the books required for v1.0 as
specified in
https://idmwiki.sfbay.redhat.com/export/idmwiki/IPA_1.0_PRD#.5BReq26.5DDocumentation_Requirements

You can find these on docbot at
https://engineering.redhat.com/docbot/en-US/Red_Hat_Enterprise_IPA/1.0/html/

Bear in mind that these are essentially skeletons around which I'll grow
flesh over coming days/weeks.

Comments and suggestions welcome.
-- 
David O'Brien		Ph: +61 7 3514 8189
Content Services	Mb: +61 411 760 216
Red Hat Asia Pacific	Fx: +61 7 3514 8199

SIP:
1.866.546.8970 (866LINUX70)
or
+1.480 718.6000, X81 51143
-------------- next part --------------
A non-text attachment was scrubbed...
Name: david.obrien.vcf
Type: text/x-vcard
Size: 258 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071031/bcc27c10/attachment.vcf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071031/bcc27c10/attachment.sig>

From rcritten at redhat.com  Wed Oct 31 14:09:38 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 31 Oct 2007 10:09:38 -0400
Subject: [Freeipa-devel] [PATCH] arbitrary attributes in ipa-usermod
Message-ID: <47288CA2.3040008@redhat.com>

Add 3 new options: --add, --del, --set to ipa-usermod.

This will let one add, set or delete arbitrary attributes.

--add adds an attribute or a value to an existing attribute
--set adds an attribute or resets the current value of an existing attribute
--del removes the values from an existing attribute (but doesn't delete 
the attribute)

If we absolutely must delete whole attributes I can add that later.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-336-usermod.patch
Type: text/x-patch
Size: 3672 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071031/8b8ef585/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071031/8b8ef585/attachment-0001.bin>

From rcritten at redhat.com  Wed Oct 31 14:11:49 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 31 Oct 2007 10:11:49 -0400
Subject: [Freeipa-devel] [PATCH] GUI use memberOf()
Message-ID: <47288D25.3060705@redhat.com>

Have the GUI use memberOf() instead of looping through the member DNs 
when displaying groups.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-337-memberof.patch
Type: text/x-patch
Size: 3289 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071031/3e475c5d/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071031/3e475c5d/attachment-0001.bin>

From ssorce at redhat.com  Wed Oct 31 14:57:51 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 31 Oct 2007 10:57:51 -0400
Subject: [Freeipa-devel] [patch] Properly increment kvno
Message-ID: <472897EF.1080703@redhat.com>

Tested and works as expected so far.
This properly increments kvno on password changes and keeps around 
material for the time it is useful, drops when not anymore.

Simo.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-335-kvno.patch
Type: text/x-patch
Size: 7125 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071031/756062a7/attachment.bin>

From kmacmillan at mentalrootkit.com  Wed Oct 31 15:42:41 2007
From: kmacmillan at mentalrootkit.com (Karl MacMillan)
Date: Wed, 31 Oct 2007 11:42:41 -0400
Subject: [Freeipa-devel] [PATCH] Make freeipa-server depend
	on	freeipa-admintools
In-Reply-To: <4721E52B.3070701@redhat.com>
References: <a87fb42d2b95b07f31ea.1193345477@mahler.iad.redhat.com>
	<4721E52B.3070701@redhat.com>
Message-ID: <1193845361.27580.21.camel@mahler.iad.redhat.com>

On Fri, 2007-10-26 at 09:01 -0400, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > # HG changeset patch
> > # User "Karl MacMillan <kmacmillan at mentalrootkit.com>"
> > # Date 1193345442 14400
> > # Node ID a87fb42d2b95b07f31ea7cc95d8f28e215763ede
> > # Parent  6e462f2f5b0aff46662a070b511defe649b39ed1
> > Make freeipa-server depend on freeipa-admintools.
> > 
> > diff -r 6e462f2f5b0a -r a87fb42d2b95 ipa-server/freeipa-server.spec.in
> > --- a/ipa-server/freeipa-server.spec.in	Wed Oct 24 16:04:17 2007 -0700
> > +++ b/ipa-server/freeipa-server.spec.in	Thu Oct 25 16:50:42 2007 -0400
> > @@ -11,7 +11,7 @@ BuildRoot:      %{_tmppath}/%{name}-%{ve
> >  
> >  BuildRequires: fedora-ds-base-devel openldap-devel krb5-devel nss-devel mozldap-devel openssl-devel
> >  
> > -Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears python-krbV
> > +Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears python-krbV freeipa-admintools
> >  Requires: mod_nss >= 1.0.7-2
> >  
> >  %define httpd_conf /etc/httpd/conf.d
> 
> Looks ok but we need to remember to bump the changelog every time we 
> update something :-)
> 

Actually pushed the attached patch with both the acl change and the
freeipa-admintools.

Karl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: deps.patch
Type: text/x-patch
Size: 2709 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071031/7fce9bc7/attachment.bin>

From kmacmill at redhat.com  Wed Oct 31 15:45:08 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 31 Oct 2007 11:45:08 -0400
Subject: [Freeipa-devel] [PATCH] self service aci
In-Reply-To: <472656C3.4030302@redhat.com>
References: <472656C3.4030302@redhat.com>
Message-ID: <1193845508.28891.0.camel@mahler.iad.redhat.com>

On Mon, 2007-10-29 at 14:55 -0700, Pete Rowley wrote:
> plain text document attachment (patch.txt)
> # HG changeset patch
> # User Pete Rowley <prowley at redhat.com>
> # Date 1193694739 25200
> # Node ID b7941c370189043d9da4e7873add53315964eb9f
> # Parent  c8eba97b92c5d2ebd0f27fd2e6e675abec0da3c9
> Add user self service aci
> 

I read the outcome of this discussion as this patch should be merged. So
I pushed it.

Karl



From kmacmill at redhat.com  Wed Oct 31 15:47:05 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 31 Oct 2007 11:47:05 -0400
Subject: [Freeipa-devel] [PATCH] expose memberof searches
In-Reply-To: <47278130.9050603@redhat.com>
References: <47278130.9050603@redhat.com>
Message-ID: <1193845625.28891.2.camel@mahler.iad.redhat.com>

On Tue, 2007-10-30 at 15:08 -0400, Rob Crittenden wrote:
> This patch creates a new XML-RPC API function memberOf() to expose that 
> kind of search.
> 
> I've added this to the CLI ipa-findgroup, still need to do so in the GUI 
> (it currently loops through and looks up every single user!).
> 

Do we want a more generic name for this? And something that matches the
current style rather than the mixed-caps?

Karl



From kmacmill at redhat.com  Wed Oct 31 15:48:36 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 31 Oct 2007 11:48:36 -0400
Subject: [Freeipa-devel] [PATCH] arbitrary attributes in ipa-usermod
In-Reply-To: <47288CA2.3040008@redhat.com>
References: <47288CA2.3040008@redhat.com>
Message-ID: <1193845716.28891.4.camel@mahler.iad.redhat.com>

On Wed, 2007-10-31 at 10:09 -0400, Rob Crittenden wrote:
> Add 3 new options: --add, --del, --set to ipa-usermod.
> 
> This will let one add, set or delete arbitrary attributes.
> 
> --add adds an attribute or a value to an existing attribute
> --set adds an attribute or resets the current value of an existing attribute
> --del removes the values from an existing attribute (but doesn't delete 
> the attribute)
> 
> If we absolutely must delete whole attributes I can add that later.
> 

Acked and pushed.

Karl



From rcritten at redhat.com  Wed Oct 31 15:55:18 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 31 Oct 2007 11:55:18 -0400
Subject: [Freeipa-devel] [PATCH] expose memberof searches
In-Reply-To: <1193845625.28891.2.camel@mahler.iad.redhat.com>
References: <47278130.9050603@redhat.com>
	<1193845625.28891.2.camel@mahler.iad.redhat.com>
Message-ID: <4728A566.1050007@redhat.com>

Karl MacMillan wrote:
> On Tue, 2007-10-30 at 15:08 -0400, Rob Crittenden wrote:
>> This patch creates a new XML-RPC API function memberOf() to expose that 
>> kind of search.
>>
>> I've added this to the CLI ipa-findgroup, still need to do so in the GUI 
>> (it currently loops through and looks up every single user!).
>>
> 
> Do we want a more generic name for this? And something that matches the
> current style rather than the mixed-caps?
> 
> Karl
> 

You don't get any more generic than memberof do you?

I can live with changing the case though for ease of patching I'd rather 
push this (and the GUI one) and change it in a separate patch.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071031/a6d39ce5/attachment.bin>

From kmacmill at redhat.com  Wed Oct 31 16:55:55 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 31 Oct 2007 12:55:55 -0400
Subject: [Freeipa-devel] [PATCH] expose memberof searches
In-Reply-To: <47278130.9050603@redhat.com>
References: <47278130.9050603@redhat.com>
Message-ID: <1193849755.28891.8.camel@mahler.iad.redhat.com>

On Tue, 2007-10-30 at 15:08 -0400, Rob Crittenden wrote:
> This patch creates a new XML-RPC API function memberOf() to expose that 
> kind of search.
> 
> I've added this to the CLI ipa-findgroup, still need to do so in the GUI 
> (it currently loops through and looks up every single user!).
> 

Pushed.



From kmacmill at redhat.com  Wed Oct 31 16:56:04 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 31 Oct 2007 12:56:04 -0400
Subject: [Freeipa-devel] [PATCH] GUI use memberOf()
In-Reply-To: <47288D25.3060705@redhat.com>
References: <47288D25.3060705@redhat.com>
Message-ID: <1193849764.28891.10.camel@mahler.iad.redhat.com>

On Wed, 2007-10-31 at 10:11 -0400, Rob Crittenden wrote:
> Have the GUI use memberOf() instead of looping through the member DNs 
> when displaying groups.
> 

Pushed.



From kmacmill at redhat.com  Wed Oct 31 20:00:00 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 31 Oct 2007 16:00:00 -0400
Subject: [Freeipa-devel] [PATCH] Allow set/add/del to be called multiple
	times
Message-ID: <5a615adb8952a20ffa0c.1193860800@adams.iad.redhat.com>

# HG changeset patch
# User "Karl MacMillan <kmacmill at redhat.com>"
# Date 1193860768 14400
# Node ID 5a615adb8952a20ffa0ca0fc02b578f464622153
# Parent  1ac86e5c2e662d5ae2e91f56780f7ca1f78f063d
Allow set/add/del to be called multiple times.

Allow the --set/add/del options to be called multiple
times during the same invocation. Also add more robust
checking of errors.

diff -r 1ac86e5c2e66 -r 5a615adb8952 ipa-admintools/ipa-usermod
--- a/ipa-admintools/ipa-usermod	Wed Oct 31 10:08:16 2007 -0400
+++ b/ipa-admintools/ipa-usermod	Wed Oct 31 15:59:28 2007 -0400
@@ -33,6 +33,9 @@ def usage():
 def usage():
     print "ipa-usermod [-c|--gecos STRING] [-d|--directory STRING] [-f|--firstname STRING] [-l|--lastname STRING] [-s|--shell STRING] [--add attribute=value(,value1,..,valuen)] [--del attribute] [--set attribute=value(,value1,..,valuen)] user"
     sys.exit(1)
+
+def set_add_usage(which):
+    print "%s option usage: --%s NAME=VALUE" % (which, which)
 
 def parse_options():
     parser = OptionParser()
@@ -47,11 +50,13 @@ def parse_options():
     parser.add_option("-s", "--shell", dest="shell",
                       help="Set user's login shell to shell")
     parser.add_option("--add", dest="addattr",
-                      help="Adds an attribute or values to that attribute, attr=value(,value1,value2)")
+                      help="Adds an attribute or values to that attribute, attr=value(,value1,value2)",
+                      action="append")
     parser.add_option("--del", dest="delattr",
-                      help="Remove an attribute")
+                      help="Remove an attribute", action="append")
     parser.add_option("--set", dest="setattr",
-                      help="Set an attribute, dropping any existing values that may exist")
+                      help="Set an attribute, dropping any existing values that may exist",
+                      action="append")
     parser.add_option("-M", "--mailAddress", dest="mail",
                       help="Set user's e-mail address")
     parser.add_option("--usage", action="store_true",
@@ -194,24 +199,36 @@ def main():
     if shell:
         user.setValue('loginshell', shell)
 
+    if options.delattr:
+        for d in options.delattr:
+            # doesn't truly delete the attribute but does null out the value
+            user.setValue(d, '')
+
     if options.setattr:
-        (attr,value) = options.setattr.split('=')
-        values = value.split(',')
-        user.setValue(attr, values)
+        for s in options.setattr:
+            s = s.split('=')
+            if len(s) != 2:
+                set_add_usage("set")
+                sys.exit(1)
+            (attr,value) = s            
+            values = value.split(',')
+            user.setValue(attr, values)
 
     if options.addattr:
-        (attr,value) = options.addattr.split('=')
-        values = value.split(',')
-        cvalue = user.getValue(attr)
-        if cvalue:
-            if isinstance(cvalue,str):
-                cvalue = [cvalue]
-            values = cvalue + values
-        user.setValue(attr, values)
-
-    if options.delattr:
-        # doesn't truly delete the attribute but does null out the value
-        user.setValue(options.delattr, '')
+        for a in options.addattr:
+            a = a.split('=')
+            if len(a) != 2:
+                set_add_usage("add")
+                sys.exit(1)
+            (attr,value) = a      
+            values = value.split(',')
+            cvalue = user.getValue(attr)
+            if cvalue:
+                if isinstance(cvalue,str):
+                    cvalue = [cvalue]
+                values = cvalue + values
+            user.setValue(attr, values)
+
 
     try:
         client.update_user(user)



From ssorce at redhat.com  Wed Oct 31 20:22:15 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 31 Oct 2007 16:22:15 -0400
Subject: [Freeipa-devel] [PATCH] Allow set/add/del to be called
	multiple times
In-Reply-To: <5a615adb8952a20ffa0c.1193860800@adams.iad.redhat.com>
References: <5a615adb8952a20ffa0c.1193860800@adams.iad.redhat.com>
Message-ID: <1193862135.26382.104.camel@localhost.localdomain>

On Wed, 2007-10-31 at 16:00 -0400, Karl MacMillan wrote:
> 
> Allow the --set/add/del options to be called multiple
> times during the same invocation. Also add more robust
> checking of errors.

It seem you assume that ',' is a valid separator, but it may well be
part of the value instead.
You need to use some escaping imo (at the very least "values" in
quotes).

Simo.



From ssorce at redhat.com  Wed Oct 31 20:23:56 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 31 Oct 2007 16:23:56 -0400
Subject: [Freeipa-devel] How to build without optimizations
In-Reply-To: <1193701273.13652.42.camel@localhost.localdomain>
References: <1193701273.13652.42.camel@localhost.localdomain>
Message-ID: <1193862236.26382.105.camel@localhost.localdomain>

On Mon, 2007-10-29 at 19:41 -0400, Simo Sorce wrote:
> Before the auto-tools were introduced I made freeipa tools build with
> debugging and without optimizations on purpose.
> Since then it seem optimizations have been put back. Is there a quick
> clean way to disable optimizations completely for a make local-dist ?
> 
> Using gdb with optimizations is almost impossible.

Turned out `export CFLAGS=-g` is a good way to do that.
Simo.



From kmacmillan at mentalrootkit.com  Wed Oct 31 20:37:10 2007
From: kmacmillan at mentalrootkit.com (Karl MacMillan)
Date: Wed, 31 Oct 2007 16:37:10 -0400
Subject: [Freeipa-devel] [PATCH] Rename memberOf to group_members in xml-rpc
	interface
Message-ID: <5c364bb6ca88b0f4d8c7.1193863030@mahler.iad.redhat.com>

# HG changeset patch
# User "Karl MacMillan <kmacmillan at mentalrootkit.com>"
# Date 1193863016 14400
# Node ID 5c364bb6ca88b0f4d8c770f97c4d3a81befd7985
# Parent  5a615adb8952a20ffa0ca0fc02b578f464622153
Rename memberOf to group_members in xml-rpc interface.

diff -r 5a615adb8952 -r 5c364bb6ca88 ipa-admintools/ipa-findgroup
--- a/ipa-admintools/ipa-findgroup	Wed Oct 31 15:59:28 2007 -0400
+++ b/ipa-admintools/ipa-findgroup	Wed Oct 31 16:36:56 2007 -0400
@@ -58,7 +58,7 @@ def main():
 
         for ent in groups:
             try:
-                members = client.memberOf(ent.dn, ['dn','cn'])
+                members = client.group_members(ent.dn, ['dn','cn'])
             except ipa.ipaerror.IPAError, e:
                 print "Error getting members for " + ent.dn
                 print str(e)
diff -r 5a615adb8952 -r 5c364bb6ca88 ipa-python/ipaclient.py
--- a/ipa-python/ipaclient.py	Wed Oct 31 15:59:28 2007 -0400
+++ b/ipa-python/ipaclient.py	Wed Oct 31 16:36:56 2007 -0400
@@ -317,11 +317,11 @@ class IPAClient:
 
         return self.transport.attrs_to_labels(attrs)
 
-    def memberOf(self, groupdn, attr_list):
+    def group_members(self, groupdn, attr_list):
         """Do a memberOf search of groupdn and return the attributes in
            attr_list (an empty list returns everything)."""
 
-        results = self.transport.memberOf(groupdn, attr_list)
+        results = self.transport.group_members(groupdn, attr_list)
 
         counter = results[0]
 
diff -r 5a615adb8952 -r 5c364bb6ca88 ipa-python/rpcclient.py
--- a/ipa-python/rpcclient.py	Wed Oct 31 15:59:28 2007 -0400
+++ b/ipa-python/rpcclient.py	Wed Oct 31 16:36:56 2007 -0400
@@ -575,7 +575,7 @@ class RPCClient:
 
         return ipautil.unwrap_binary_data(result)
 
-    def memberOf(self, groupdn, attr_list=None):
+    def group_members(self, groupdn, attr_list=None):
         """Do a memberOf search of groupdn and return the attributes in
            attr_list (an empty list returns everything)."""
 
@@ -584,10 +584,10 @@ class RPCClient:
 
         server = self.setup_server()
         try:
-            result = server.memberOf(groupdn, attr_list)
-        except xmlrpclib.Fault, fault:
-            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
-        except socket.error, (value, msg):
-            raise xmlrpclib.Fault(value, msg)
-
-        return ipautil.unwrap_binary_data(result)
+            result = server.group_members(groupdn, attr_list)
+        except xmlrpclib.Fault, fault:
+            raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
+        except socket.error, (value, msg):
+            raise xmlrpclib.Fault(value, msg)
+
+        return ipautil.unwrap_binary_data(result)
diff -r 5a615adb8952 -r 5c364bb6ca88 ipa-server/ipa-gui/ipagui/subcontrollers/group.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py	Wed Oct 31 15:59:28 2007 -0400
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py	Wed Oct 31 16:36:56 2007 -0400
@@ -184,7 +184,7 @@ class GroupController(IPAController):
             # convert members to users, for easier manipulation on the page
             #
 
-            members = client.memberOf(group.dn, ['dn', 'givenname', 'sn', 'uid', 'cn'])
+            members = client.group_members(group.dn, ['dn', 'givenname', 'sn', 'uid', 'cn'])
             members.sort(self.sort_group_member)
 
             # Map users into an array of dicts, which can be serialized
@@ -349,7 +349,7 @@ class GroupController(IPAController):
             # convert members to users, for display on the page
             #
 
-            members = client.memberOf(group.dn, ['dn', 'givenname', 'sn', 'uid', 'cn'])
+            members = client.group_members(group.dn, ['dn', 'givenname', 'sn', 'uid', 'cn'])
             members = members[1:]
             members.sort(self.sort_group_member)
             member_dicts = map(lambda member: member.toDict(), members)
diff -r 5a615adb8952 -r 5c364bb6ca88 ipa-server/xmlrpc-server/funcs.py
--- a/ipa-server/xmlrpc-server/funcs.py	Wed Oct 31 15:59:28 2007 -0400
+++ b/ipa-server/xmlrpc-server/funcs.py	Wed Oct 31 16:36:56 2007 -0400
@@ -1061,7 +1061,7 @@ class IPAServer:
 
         return label_list
 
-    def memberOf(self, groupdn, attr_list, opts=None):
+    def group_members(self, groupdn, attr_list, opts=None):
         """Do a memberOf search of groupdn and return the attributes in
            attr_list (an empty list returns everything)."""
 
diff -r 5a615adb8952 -r 5c364bb6ca88 ipa-server/xmlrpc-server/ipaxmlrpc.py
--- a/ipa-server/xmlrpc-server/ipaxmlrpc.py	Wed Oct 31 15:59:28 2007 -0400
+++ b/ipa-server/xmlrpc-server/ipaxmlrpc.py	Wed Oct 31 16:36:56 2007 -0400
@@ -350,7 +350,7 @@ def handler(req, profiling=False):
             h.register_function(f.update_group)
             h.register_function(f.delete_group)
             h.register_function(f.attrs_to_labels)
-            h.register_function(f.memberOf)
+            h.register_function(f.group_members)
             h.handle_request(req)
         finally:
              pass



From kmacmill at redhat.com  Wed Oct 31 20:42:09 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 31 Oct 2007 16:42:09 -0400
Subject: [Freeipa-devel] [PATCH] Allow set/add/del to be called
	multiple times
In-Reply-To: <1193862135.26382.104.camel@localhost.localdomain>
References: <5a615adb8952a20ffa0c.1193860800@adams.iad.redhat.com>
	<1193862135.26382.104.camel@localhost.localdomain>
Message-ID: <1193863329.4418.3.camel@mahler.iad.redhat.com>

On Wed, 2007-10-31 at 16:22 -0400, Simo Sorce wrote:
> On Wed, 2007-10-31 at 16:00 -0400, Karl MacMillan wrote:
> > 
> > Allow the --set/add/del options to be called multiple
> > times during the same invocation. Also add more robust
> > checking of errors.
> 
> It seem you assume that ',' is a valid separator, but it may well be
> part of the value instead.
> You need to use some escaping imo (at the very least "values" in
> quotes).
> 

Since we can call add multiple times, maybe the easiest thing is to stop
splitting on "," entirely.

Karl



From ssorce at redhat.com  Wed Oct 31 20:46:34 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 31 Oct 2007 16:46:34 -0400
Subject: [Freeipa-devel] [PATCH] Allow set/add/del to be called
	multiple times
In-Reply-To: <1193863329.4418.3.camel@mahler.iad.redhat.com>
References: <5a615adb8952a20ffa0c.1193860800@adams.iad.redhat.com>
	<1193862135.26382.104.camel@localhost.localdomain>
	<1193863329.4418.3.camel@mahler.iad.redhat.com>
Message-ID: <1193863594.26382.107.camel@localhost.localdomain>

On Wed, 2007-10-31 at 16:42 -0400, Karl MacMillan wrote:
> On Wed, 2007-10-31 at 16:22 -0400, Simo Sorce wrote:
> > On Wed, 2007-10-31 at 16:00 -0400, Karl MacMillan wrote:
> > > 
> > > Allow the --set/add/del options to be called multiple
> > > times during the same invocation. Also add more robust
> > > checking of errors.
> > 
> > It seem you assume that ',' is a valid separator, but it may well be
> > part of the value instead.
> > You need to use some escaping imo (at the very least "values" in
> > quotes).
> > 
> 
> Since we can call add multiple times, maybe the easiest thing is to stop
> splitting on "," entirely.

agreed

Simo.



From kmacmill at redhat.com  Wed Oct 31 20:56:47 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 31 Oct 2007 16:56:47 -0400
Subject: [Freeipa-devel] [PATCH] Remove multi-value set/add in ipa-usermod
Message-ID: <6b23756241f05444a54a.1193864207@adams.iad.redhat.com>

# HG changeset patch
# User "Karl MacMillan <kmacmill at redhat.com>"
# Date 1193864203 14400
# Node ID 6b23756241f05444a54a339aaf5384fc96ad6999
# Parent  5c364bb6ca88b0f4d8c770f97c4d3a81befd7985
Remove multi-value set/add in ipa-usermod.

Calling --add multiple times will accomplish the same
thing without the need for handling splits on ",".

diff -r 5c364bb6ca88 -r 6b23756241f0 ipa-admintools/ipa-usermod
--- a/ipa-admintools/ipa-usermod	Wed Oct 31 16:36:56 2007 -0400
+++ b/ipa-admintools/ipa-usermod	Wed Oct 31 16:56:43 2007 -0400
@@ -31,7 +31,7 @@ import ldap
 import ldap
 
 def usage():
-    print "ipa-usermod [-c|--gecos STRING] [-d|--directory STRING] [-f|--firstname STRING] [-l|--lastname STRING] [-s|--shell STRING] [--add attribute=value(,value1,..,valuen)] [--del attribute] [--set attribute=value(,value1,..,valuen)] user"
+    print "ipa-usermod [-c|--gecos STRING] [-d|--directory STRING] [-f|--firstname STRING] [-l|--lastname STRING] [-s|--shell STRING] [--add attribute=value] [--del attribute] [--set attribute=value] user"
     sys.exit(1)
 
 def set_add_usage(which):
@@ -50,7 +50,7 @@ def parse_options():
     parser.add_option("-s", "--shell", dest="shell",
                       help="Set user's login shell to shell")
     parser.add_option("--add", dest="addattr",
-                      help="Adds an attribute or values to that attribute, attr=value(,value1,value2)",
+                      help="Adds an attribute or values to that attribute, attr=value",
                       action="append")
     parser.add_option("--del", dest="delattr",
                       help="Remove an attribute", action="append")
@@ -167,6 +167,7 @@ def main():
                     print "Must be letters, numbers, spaces or '"
                 else:
                     cont = True
+
         cont = False
         if not options.directory:
             while (cont != True):
@@ -210,9 +211,8 @@ def main():
             if len(s) != 2:
                 set_add_usage("set")
                 sys.exit(1)
-            (attr,value) = s            
-            values = value.split(',')
-            user.setValue(attr, values)
+            (attr,value) = s   
+            user.setValue(attr, value)
 
     if options.addattr:
         for a in options.addattr:
@@ -221,13 +221,12 @@ def main():
                 set_add_usage("add")
                 sys.exit(1)
             (attr,value) = a      
-            values = value.split(',')
             cvalue = user.getValue(attr)
             if cvalue:
                 if isinstance(cvalue,str):
                     cvalue = [cvalue]
-                values = cvalue + values
-            user.setValue(attr, values)
+                value = cvalue + [value]
+            user.setValue(attr, value)
 
 
     try:



From kmacmill at redhat.com  Wed Oct 31 20:57:38 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 31 Oct 2007 16:57:38 -0400
Subject: [Freeipa-devel] [PATCH] Allow set/add/del to be called
	multiple times
In-Reply-To: <1193863594.26382.107.camel@localhost.localdomain>
References: <5a615adb8952a20ffa0c.1193860800@adams.iad.redhat.com>
	<1193862135.26382.104.camel@localhost.localdomain>
	<1193863329.4418.3.camel@mahler.iad.redhat.com>
	<1193863594.26382.107.camel@localhost.localdomain>
Message-ID: <1193864258.4418.5.camel@mahler.iad.redhat.com>

On Wed, 2007-10-31 at 16:46 -0400, Simo Sorce wrote:
> On Wed, 2007-10-31 at 16:42 -0400, Karl MacMillan wrote:
> > On Wed, 2007-10-31 at 16:22 -0400, Simo Sorce wrote:
> > > On Wed, 2007-10-31 at 16:00 -0400, Karl MacMillan wrote:
> > > > 
> > > > Allow the --set/add/del options to be called multiple
> > > > times during the same invocation. Also add more robust
> > > > checking of errors.
> > > 
> > > It seem you assume that ',' is a valid separator, but it may well be
> > > part of the value instead.
> > > You need to use some escaping imo (at the very least "values" in
> > > quotes).
> > > 
> > 
> > Since we can call add multiple times, maybe the easiest thing is to stop
> > splitting on "," entirely.
> 

Sent as separate patch.

Karl



From rcritten at redhat.com  Wed Oct 31 21:02:40 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 31 Oct 2007 17:02:40 -0400
Subject: [Freeipa-devel] [PATCH] Remove multi-value set/add in ipa-usermod
In-Reply-To: <6b23756241f05444a54a.1193864207@adams.iad.redhat.com>
References: <6b23756241f05444a54a.1193864207@adams.iad.redhat.com>
Message-ID: <4728ED70.8000302@redhat.com>

Karl MacMillan wrote:
> # HG changeset patch
> # User "Karl MacMillan <kmacmill at redhat.com>"
> # Date 1193864203 14400
> # Node ID 6b23756241f05444a54a339aaf5384fc96ad6999
> # Parent  5c364bb6ca88b0f4d8c770f97c4d3a81befd7985
> Remove multi-value set/add in ipa-usermod.
> 
> Calling --add multiple times will accomplish the same
> thing without the need for handling splits on ",".

Ok. This makes things much nicer.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071031/fe9d14ea/attachment.bin>

From kmacmill at redhat.com  Wed Oct 31 21:06:51 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 31 Oct 2007 17:06:51 -0400
Subject: [Freeipa-devel] [PATCH] Remove multi-value set/add in ipa-usermod
In-Reply-To: <4728ED70.8000302@redhat.com>
References: <6b23756241f05444a54a.1193864207@adams.iad.redhat.com>
	<4728ED70.8000302@redhat.com>
Message-ID: <1193864811.4418.7.camel@mahler.iad.redhat.com>

On Wed, 2007-10-31 at 17:02 -0400, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > # HG changeset patch
> > # User "Karl MacMillan <kmacmill at redhat.com>"
> > # Date 1193864203 14400
> > # Node ID 6b23756241f05444a54a339aaf5384fc96ad6999
> > # Parent  5c364bb6ca88b0f4d8c770f97c4d3a81befd7985
> > Remove multi-value set/add in ipa-usermod.
> > 
> > Calling --add multiple times will accomplish the same
> > thing without the need for handling splits on ",".
> 
> Ok. This makes things much nicer.
> 

Both patches pushed.



From kmacmill at redhat.com  Wed Oct 31 21:07:37 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 31 Oct 2007 17:07:37 -0400
Subject: [Freeipa-devel] [PATCH] Rename memberOf to group_members in
	xml-rpc interface
In-Reply-To: <5c364bb6ca88b0f4d8c7.1193863030@mahler.iad.redhat.com>
References: <5c364bb6ca88b0f4d8c7.1193863030@mahler.iad.redhat.com>
Message-ID: <1193864857.4418.9.camel@mahler.iad.redhat.com>

On Wed, 2007-10-31 at 16:37 -0400, Karl MacMillan wrote:
> # HG changeset patch
> # User "Karl MacMillan <kmacmillan at mentalrootkit.com>"
> # Date 1193863016 14400
> # Node ID 5c364bb6ca88b0f4d8c770f97c4d3a81befd7985
> # Parent  5a615adb8952a20ffa0ca0fc02b578f464622153
> Rename memberOf to group_members in xml-rpc interface.
> 

Accidentally pushed with other patches - object now if you don't like
this and I will revert.

Karl



From kmacmill at redhat.com  Wed Oct 31 21:10:36 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 31 Oct 2007 17:10:36 -0400
Subject: [Freeipa-devel] [patch] Properly increment kvno
In-Reply-To: <472897EF.1080703@redhat.com>
References: <472897EF.1080703@redhat.com>
Message-ID: <1193865036.4841.0.camel@mahler.iad.redhat.com>

On Wed, 2007-10-31 at 10:57 -0400, Simo Sorce wrote:
> Tested and works as expected so far.
> This properly increments kvno on password changes and keeps around 
> material for the time it is useful, drops when not anymore.
> 

Pushed.



From rcritten at redhat.com  Wed Oct 31 21:12:42 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 31 Oct 2007 17:12:42 -0400
Subject: [Freeipa-devel] [PATCH] completely remove an attribute
Message-ID: <4728EFCA.2010103@redhat.com>

This should make ipa-usermod nicer. Add a function to completely remove 
an attribute (if it exists).

Usage is something like: user.delValue('telephonenumber')

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-338-del.patch
Type: text/x-patch
Size: 801 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071031/b6357ae2/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071031/b6357ae2/attachment-0001.bin>

From ssorce at redhat.com  Wed Oct 31 21:30:34 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 31 Oct 2007 17:30:34 -0400
Subject: [Freeipa-devel] [PATCH] Rename memberOf to group_members in
	xml-rpc interface
In-Reply-To: <1193864857.4418.9.camel@mahler.iad.redhat.com>
References: <5c364bb6ca88b0f4d8c7.1193863030@mahler.iad.redhat.com>
	<1193864857.4418.9.camel@mahler.iad.redhat.com>
Message-ID: <1193866234.26382.113.camel@localhost.localdomain>

On Wed, 2007-10-31 at 17:07 -0400, Karl MacMillan wrote:
> On Wed, 2007-10-31 at 16:37 -0400, Karl MacMillan wrote:
> > # HG changeset patch
> > # User "Karl MacMillan <kmacmillan at mentalrootkit.com>"
> > # Date 1193863016 14400
> > # Node ID 5c364bb6ca88b0f4d8c770f97c4d3a81befd7985
> > # Parent  5a615adb8952a20ffa0ca0fc02b578f464622153
> > Rename memberOf to group_members in xml-rpc interface.
> > 
> 
> Accidentally pushed with other patches - object now if you don't like
> this and I will revert.

Fine by me.