+ : +	+ +
+ : +	+ +
- - + Generated by server
- - + Generated by server

diff -r 530e225e1408 -r 17eb647a011b ipa-server/ipa-gui/ipagui/templates/useredit.kid --- a/ipa-server/ipa-gui/ipagui/templates/useredit.kid Mon Sep 10 08:55:36 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/useredit.kid Mon Sep 10 10:02:33 2007 -0700 @@ -6,7 +6,16 @@ Edit Person + +

+ + edit protected fields + +

Edit Person

+ +

+ + + ${value_for(group.cn)} + + + + + + + : + + + + + + + + + + + : + + + + + + + + + + + + + + + +

+ + +	+ + +

+ + +

diff -r 0bf55b38d551 -r c87fc8161f04 ipa-server/ipa-gui/ipagui/templates/grouplist.kid --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/ipa-server/ipa-gui/ipagui/templates/grouplist.kid Wed Sep 12 10:40:31 2007 -0700 @@ -0,0 +1,43 @@ + + + + +Find Groups + + +

+ + +

${len(groups)} results returned:

+ + + + + + + + + +

+ +	+ +
+ ${group.cn} +	+ ${group.description} +

No results found for "${criteria}"

+ + diff -r 0bf55b38d551 -r c87fc8161f04 ipa-server/ipa-gui/ipagui/templates/groupnew.kid --- a/ipa-server/ipa-gui/ipagui/templates/groupnew.kid Tue Sep 11 02:48:53 2007 -0400 +++ b/ipa-server/ipa-gui/ipagui/templates/groupnew.kid Wed Sep 12 10:40:31 2007 -0700 @@ -1,6 +1,6 @@ + py:extends="'grouplayout.kid'"> Add Group diff -r 0bf55b38d551 -r c87fc8161f04 ipa-server/ipa-gui/ipagui/templates/groupshow.kid --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/ipa-server/ipa-gui/ipagui/templates/groupshow.kid Wed Sep 12 10:40:31 2007 -0700 @@ -0,0 +1,38 @@ + + + + + View Group + + +

View Group

+ +

Group Details

+ + + + + + + + + + + + + + + +

+ : +	${group.get("cn")}
+ : +	${group.get("description")}
+ : +	${group.get("gidnumber")}

+ + edit + + + diff -r 0bf55b38d551 -r c87fc8161f04 ipa-server/ipa-gui/ipagui/templates/master.kid --- a/ipa-server/ipa-gui/ipagui/templates/master.kid Tue Sep 11 02:48:53 2007 -0400 +++ b/ipa-server/ipa-gui/ipagui/templates/master.kid Wed Sep 12 10:40:31 2007 -0700 @@ -70,7 +70,7 @@

Add Group
- Find Groups
+ Find Groups

Manage Policy
-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2228 bytes Desc: not available URL: From ssorce at redhat.com Wed Sep 12 18:00:45 2007 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 12 Sep 2007 14:00:45 -0400 Subject: [Freeipa-devel] [PATCH] don't echo passwords In-Reply-To: <939dd5750709121037i1a55f885w28f8f54a2ac01d58@mail.gmail.com> References: <939dd5750709120827t5c904aaam3b19e619fb6ed2cc@mail.gmail.com> <1189617785.4281.16.camel@localhost.localdomain> <939dd5750709121037i1a55f885w28f8f54a2ac01d58@mail.gmail.com> Message-ID: <1189620045.4281.19.camel@localhost.localdomain> On Wed, 2007-09-12 at 13:37 -0400, William Jon McCann wrote: > On 9/12/07, Simo Sorce wrote: > > On Wed, 2007-09-12 at 11:27 -0400, William Jon McCann wrote: > > > > > > A patch for the password echo is attached. I'll send separate patches > > > for the other issues or any more that I encounter. > > > > Pushed and added also a patch to ask for confirmation. > > Thanks. > > > Couldn't find y/N questions w/o the [y/N] hint, are you looking at the > > mercurial repository or the code in one of the drops/milestones? > > Sorry I wasn't very clear. I mean that there is no guidance as to > what the default is. From looking at the code it seems that the > default answer is 'no'. I would suggest something like: > > Do you want to use DOMAIN as the realm name? [yes] : > > So that a return accepts the default which in this case is "yes". > Also probably good to handle case insensitve "y" and "yes" as > affirmative. > > A minor thing but a lot of people including myself will just choose > the defaults the first time they test the software... The default is the one presented as Capital: [y/N] defaults to N [Y/n] defaults to Y This is what we used in other software too ... Simo. From mccann at jhu.edu Wed Sep 12 18:27:13 2007 From: mccann at jhu.edu (William Jon McCann) Date: Wed, 12 Sep 2007 14:27:13 -0400 Subject: [Freeipa-devel] [PATCH] don't echo passwords In-Reply-To: <1189620045.4281.19.camel@localhost.localdomain> References: <939dd5750709120827t5c904aaam3b19e619fb6ed2cc@mail.gmail.com> <1189617785.4281.16.camel@localhost.localdomain> <939dd5750709121037i1a55f885w28f8f54a2ac01d58@mail.gmail.com> <1189620045.4281.19.camel@localhost.localdomain> Message-ID: <939dd5750709121127x1d4530abx7efe755dba3d368@mail.gmail.com> On 9/12/07, Simo Sorce wrote: > On Wed, 2007-09-12 at 13:37 -0400, William Jon McCann wrote: > > On 9/12/07, Simo Sorce wrote: > > > On Wed, 2007-09-12 at 11:27 -0400, William Jon McCann wrote: > > > > > > > > A patch for the password echo is attached. I'll send separate patches > > > > for the other issues or any more that I encounter. > > > > > > Pushed and added also a patch to ask for confirmation. > > > > Thanks. > > > > > Couldn't find y/N questions w/o the [y/N] hint, are you looking at the > > > mercurial repository or the code in one of the drops/milestones? > > > > Sorry I wasn't very clear. I mean that there is no guidance as to > > what the default is. From looking at the code it seems that the > > default answer is 'no'. I would suggest something like: > > > > Do you want to use DOMAIN as the realm name? [yes] : > > > > So that a return accepts the default which in this case is "yes". > > Also probably good to handle case insensitve "y" and "yes" as > > affirmative. > > > > A minor thing but a lot of people including myself will just choose > > the defaults the first time they test the software... > > The default is the one presented as Capital: > [y/N] defaults to N > [Y/n] defaults to Y > > This is what we used in other software too ... Oh. That wasn't obvious to me. In any case it is probably better to default to "yes" for the suggested realm name. Jon From ssorce at redhat.com Wed Sep 12 18:45:41 2007 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 12 Sep 2007 14:45:41 -0400 Subject: [Freeipa-devel] [PATCH] don't echo passwords In-Reply-To: <939dd5750709121127x1d4530abx7efe755dba3d368@mail.gmail.com> References: <939dd5750709120827t5c904aaam3b19e619fb6ed2cc@mail.gmail.com> <1189617785.4281.16.camel@localhost.localdomain> <939dd5750709121037i1a55f885w28f8f54a2ac01d58@mail.gmail.com> <1189620045.4281.19.camel@localhost.localdomain> <939dd5750709121127x1d4530abx7efe755dba3d368@mail.gmail.com> Message-ID: <1189622741.4281.24.camel@localhost.localdomain> On Wed, 2007-09-12 at 14:27 -0400, William Jon McCann wrote: > Oh. That wasn't obvious to me. In any case it is probably better to > default to "yes" for the suggested realm name. Uhmm not sure about that, opinions? From mccann at jhu.edu Wed Sep 12 18:55:17 2007 From: mccann at jhu.edu (William Jon McCann) Date: Wed, 12 Sep 2007 14:55:17 -0400 Subject: [Freeipa-devel] [PATCH] don't echo passwords In-Reply-To: <1189622741.4281.24.camel@localhost.localdomain> References: <939dd5750709120827t5c904aaam3b19e619fb6ed2cc@mail.gmail.com> <1189617785.4281.16.camel@localhost.localdomain> <939dd5750709121037i1a55f885w28f8f54a2ac01d58@mail.gmail.com> <1189620045.4281.19.camel@localhost.localdomain> <939dd5750709121127x1d4530abx7efe755dba3d368@mail.gmail.com> <1189622741.4281.24.camel@localhost.localdomain> Message-ID: <939dd5750709121155g172d90fci1a64179e575a506b@mail.gmail.com> On 9/12/07, Simo Sorce wrote: > On Wed, 2007-09-12 at 14:27 -0400, William Jon McCann wrote: > > Oh. That wasn't obvious to me. In any case it is probably better to > > default to "yes" for the suggested realm name. > > Uhmm not sure about that, opinions? > Or, what about this: "Please provide a realm name: [PHA.JHU.EDU]: " Don't mean to be annoying about this - it isn't a big deal. But from a first time installer point of view the process seemed a little awkward. In my experience a good rule of thumb is to always produce a workable configuration in response to the user hitting enter for all prompts... Jon From rcritten at redhat.com Wed Sep 12 19:50:24 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 12 Sep 2007 15:50:24 -0400 Subject: [Freeipa-devel] [PATCH] don't echo passwords In-Reply-To: <939dd5750709121155g172d90fci1a64179e575a506b@mail.gmail.com> References: <939dd5750709120827t5c904aaam3b19e619fb6ed2cc@mail.gmail.com> <1189617785.4281.16.camel@localhost.localdomain> <939dd5750709121037i1a55f885w28f8f54a2ac01d58@mail.gmail.com> <1189620045.4281.19.camel@localhost.localdomain> <939dd5750709121127x1d4530abx7efe755dba3d368@mail.gmail.com> <1189622741.4281.24.camel@localhost.localdomain> <939dd5750709121155g172d90fci1a64179e575a506b@mail.gmail.com> Message-ID: <46E84300.5000109@redhat.com> William Jon McCann wrote: > On 9/12/07, Simo Sorce wrote: >> On Wed, 2007-09-12 at 14:27 -0400, William Jon McCann wrote: >>> Oh. That wasn't obvious to me. In any case it is probably better to >>> default to "yes" for the suggested realm name. >> Uhmm not sure about that, opinions? >> > > Or, what about this: > > "Please provide a realm name: [PHA.JHU.EDU]: " > > Don't mean to be annoying about this - it isn't a big deal. But from > a first time installer point of view the process seemed a little > awkward. In my experience a good rule of thumb is to always produce a > workable configuration in response to the user hitting enter for all > prompts... > +1. This is what most other interactive installers do. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Wed Sep 12 22:59:35 2007 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 12 Sep 2007 18:59:35 -0400 Subject: [Freeipa-devel] [PATCH] don't echo passwords In-Reply-To: <939dd5750709121155g172d90fci1a64179e575a506b@mail.gmail.com> References: <939dd5750709120827t5c904aaam3b19e619fb6ed2cc@mail.gmail.com> <1189617785.4281.16.camel@localhost.localdomain> <939dd5750709121037i1a55f885w28f8f54a2ac01d58@mail.gmail.com> <1189620045.4281.19.camel@localhost.localdomain> <939dd5750709121127x1d4530abx7efe755dba3d368@mail.gmail.com> <1189622741.4281.24.camel@localhost.localdomain> <939dd5750709121155g172d90fci1a64179e575a506b@mail.gmail.com> Message-ID: <1189637975.4281.33.camel@localhost.localdomain> On Wed, 2007-09-12 at 14:55 -0400, William Jon McCann wrote: > Or, what about this: > > "Please provide a realm name: [PHA.JHU.EDU]: " > > Don't mean to be annoying about this - it isn't a big deal. But from > a first time installer point of view the process seemed a little > awkward. In my experience a good rule of thumb is to always produce a > workable configuration in response to the user hitting enter for all > prompts... Good idea, implemented and pushed. Thanks, Simo. From kmccarth at redhat.com Thu Sep 13 17:27:12 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Thu, 13 Sep 2007 10:27:12 -0700 Subject: [Freeipa-devel] [PATCH] javascript sorting of user results w/tablekit Message-ID: <20070913172712.GA19864@moon.usersys.redhat.com> This patch adds the tablekit package: http://www.millstream.com.au/view/code/tablekit/ (licensed under MIT) and uses it to add javascript table sorting for the user results. -Kevin -------------- next part -------------- # HG changeset patch # User Kevin McCarthy # Date 1189704395 25200 # Node ID 698d4ac367ffb7c1ad37232aebc629d64a45ad30 # Parent 7efa620853f6437f26f072d82f51401e94485d8f Adds javascript table sorting for user results Adds tablekit: http://www.millstream.com.au/view/code/tablekit/ licensed under MIT. diff -r 7efa620853f6 -r 698d4ac367ff ipa-server/ipa-gui/ipagui/static/css/style.css --- a/ipa-server/ipa-gui/ipagui/static/css/style.css Thu Sep 13 10:18:41 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/static/css/style.css Thu Sep 13 10:26:35 2007 -0700 @@ -194,3 +194,37 @@ body { #resultstable th { background: #eee; } + +/* + * TableKit css + */ + +.sortcol { + cursor: pointer; + padding-right: 20px !important; + background-repeat: no-repeat !important; + background-position: right center !important; +} +.sortasc { + background-image: url(/static/images/up.gif) !important; +} +.sortdesc { + background-image: url(/static/images/down.gif) !important; +} +.nosort { + cursor: default; +} + +th.resize-handle-active { + cursor: e-resize; +} + +div.resize-handle { + cursor: e-resize; + width: 2px; + border-right: 1px dashed #1E90FF; + position:absolute; + top:0; + left:0; +} + diff -r 7efa620853f6 -r 698d4ac367ff ipa-server/ipa-gui/ipagui/static/javascript/tablekit.js --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/ipa-server/ipa-gui/ipagui/static/javascript/tablekit.js Thu Sep 13 10:26:35 2007 -0700 @@ -0,0 +1,846 @@ +/* +* +* Copyright (c) 2007 Andrew Tetlaw & Millstream Web Software +* http://www.millstream.com.au/view/code/tablekit/ +* Version: 1.2.1 2007-03-11 +* +* Permission is hereby granted, free of charge, to any person +* obtaining a copy of this software and associated documentation +* files (the "Software"), to deal in the Software without +* restriction, including without limitation the rights to use, copy, +* modify, merge, publish, distribute, sublicense, and/or sell copies +* of the Software, and to permit persons to whom the Software is +* furnished to do so, subject to the following conditions: +* +* The above copyright notice and this permission notice shall be +* included in all copies or substantial portions of the Software. +* +* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS +* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN +* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +* SOFTWARE. +* * +*/ + +// Use the TableKit class constructure if you'd prefer to init your tables as JS objects +var TableKit = Class.create(); + +TableKit.prototype = { + initialize : function(elm, options) { + var table = $(elm); + if(table.tagName !== "TABLE") { + return; + } + TableKit.register(table,Object.extend(TableKit.options,options || {})); + this.id = table.id; + var op = TableKit.option('sortable resizable editable', this.id); + if(op.sortable) { + TableKit.Sortable.init(table); + } + if(op.resizable) { + TableKit.Resizable.init(table); + } + if(op.editable) { + TableKit.Editable.init(table); + } + }, + sort : function(column, order) { + TableKit.Sortable.sort(this.id, column, order); + }, + resizeColumn : function(column, w) { + TableKit.Resizable.resize(this.id, column, w); + }, + editCell : function(row, column) { + TableKit.Editable.editCell(this.id, row, column); + } +}; + +Object.extend(TableKit, { + getBodyRows : function(table) { + table = $(table); + var id = table.id; + if(!TableKit.rows[id]) { + TableKit.rows[id] = (table.tHead && table.tHead.rows.length > 0) ? $A(table.tBodies[0].rows) : $A(table.rows).without(table.rows[0]); + } + return TableKit.rows[id]; + }, + getHeaderCells : function(table, cell) { + if(!table) { table = $(cell).up('table'); } + var id = table.id; + if(!TableKit.heads[id]) { + TableKit.heads[id] = $A((table.tHead && table.tHead.rows.length > 0) ? table.tHead.rows[table.tHead.rows.length-1].cells : table.rows[0].cells); + } + return TableKit.heads[id]; + }, + getCellIndex : function(cell) { + return $A(cell.parentNode.cells).indexOf(cell); + }, + getRowIndex : function(row) { + return $A(row.parentNode.rows).indexOf(row); + }, + getCellText : function(cell, refresh) { + if(!cell) { return ""; } + TableKit.registerCell(cell); + var data = TableKit.cells[cell.id]; + if(refresh || data.refresh || !data.textContent) { + data.textContent = cell.textContent ? cell.textContent : cell.innerText; + data.refresh = false; + } + return data.textContent; + }, + register : function(table, options) { + if(!table.id) { + TableKit._tblcount += 1; + table.id = "tablekit-table-" + TableKit._tblcount; + } + var id = table.id; + TableKit.tables[id] = TableKit.tables[id] ? Object.extend(TableKit.tables[id], options || {}) : Object.extend({sortable:false,resizable:false,editable:false}, options || {}); + }, + registerCell : function(cell) { + if(!cell.id) { + TableKit._cellcount += 1; + cell.id = "tablekit-cell-" + TableKit._cellcount; + } + if(!TableKit.cells[cell.id]) { + TableKit.cells[cell.id] = {textContent : '', htmlContent : '', active : false}; + } + }, + isSortable : function(table) { + return TableKit.tables[table.id] ? TableKit.tables[table.id].sortable : false; + }, + isResizable : function(table) { + return TableKit.tables[table.id] ? TableKit.tables[table.id].resizable : false; + }, + isEditable : function(table) { + return TableKit.tables[table.id] ? TableKit.tables[table.id].editable : false; + }, + setup : function(o) { + Object.extend(TableKit.options, o || {} ); + }, + option : function(s, id, o1, o2) { + o1 = o1 || TableKit.options; + o2 = o2 || (id ? (TableKit.tables[id] ? TableKit.tables[id] : {}) : {}); + var key = id + s; + if(!TableKit._opcache[key]){ + TableKit._opcache[key] = $A($w(s)).inject([],function(a,v){ + a.push(a[v] = o2[v] || o1[v]); + return a; + }); + } + return TableKit._opcache[key]; + }, + e : function(event) { + return event || window.event; + }, + tables : {}, + _opcache : {}, + cells : {}, + rows : {}, + heads : {}, + options : { + autoLoad : true, + stripe : true, + sortable : true, + resizable : true, + editable : true, + rowEvenClass : 'roweven', + rowOddClass : 'rowodd', + sortableSelector : ['table.sortable'], + columnClass : 'sortcol', + descendingClass : 'sortdesc', + ascendingClass : 'sortasc', + noSortClass : 'nosort', + sortFirstAscendingClass : 'sortfirstasc', + sortFirstDecendingClass : 'sortfirstdesc', + resizableSelector : ['table.resizable'], + minWidth : 10, + showHandle : true, + resizeOnHandleClass : 'resize-handle-active', + editableSelector : ['table.editable'], + formClassName : 'editable-cell-form', + noEditClass : 'noedit', + editAjaxURI : '/', + editAjaxOptions : {} + }, + _tblcount : 0, + _cellcount : 0, + load : function() { + if(TableKit.options.autoLoad) { + if(TableKit.options.sortable) { + $A(TableKit.options.sortableSelector).each(function(s){ + $$(s).each(function(t) { + TableKit.Sortable.init(t); + }); + }); + } + if(TableKit.options.resizable) { + $A(TableKit.options.resizableSelector).each(function(s){ + $$(s).each(function(t) { + TableKit.Resizable.init(t); + }); + }); + } + if(TableKit.options.editable) { + $A(TableKit.options.editableSelector).each(function(s){ + $$(s).each(function(t) { + TableKit.Editable.init(t); + }); + }); + } + } + } +}); + +TableKit.Rows = { + stripe : function(table) { + var rows = TableKit.getBodyRows(table); + rows.each(function(r,i) { + TableKit.Rows.addStripeClass(table,r,i); + }); + }, + addStripeClass : function(t,r,i) { + t = t || r.up('table'); + var op = TableKit.option('rowEvenClass rowOddClass', t.id); + var css = ((i+1)%2 === 0 ? op[0] : op[1]); + // using prototype's assClassName/RemoveClassName was not efficient for large tables, hence: + var cn = r.className.split(/\s+/); + var newCn = []; + for(var x = 0, l = cn.length; x < l; x += 1) { + if(cn[x] !== op[0] && cn[x] !== op[1]) { newCn.push(cn[x]); } + } + newCn.push(css); + r.className = newCn.join(" "); + } +}; + +TableKit.Sortable = { + init : function(elm, options){ + var table = $(elm); + if(table.tagName !== "TABLE") { + return; + } + TableKit.register(table,Object.extend(options || {},{sortable:true})); + var sortFirst; + var cells = TableKit.getHeaderCells(table); + var op = TableKit.option('noSortClass columnClass sortFirstAscendingClass sortFirstDecendingClass', table.id); + cells.each(function(c){ + c = $(c); + if(!c.hasClassName(op.noSortClass)) { + Event.observe(c, 'mousedown', TableKit.Sortable._sort); + c.addClassName(op.columnClass); + if(c.hasClassName(op.sortFirstAscendingClass) || c.hasClassName(op.sortFirstDecendingClass)) { + sortFirst = c; + } + } + }); + + if(sortFirst) { + if(sortFirst.hasClassName(op.sortFirstAscendingClass)) { + TableKit.Sortable.sort(table, sortFirst, 1); + } else { + TableKit.Sortable.sort(table, sortFirst, -1); + } + } else { // just add row stripe classes + TableKit.Rows.stripe(table); + } + }, + reload : function(table) { + table = $(table); + var cells = TableKit.getHeaderCells(table); + var op = TableKit.option('noSortClass columnClass', table.id); + cells.each(function(c){ + c = $(c); + if(!c.hasClassName(op.noSortClass)) { + Event.stopObserving(c, 'mousedown', TableKit.Sortable._sort); + c.removeClassName(op.columnClass); + } + }); + TableKit.Sortable.init(table); + }, + _sort : function(e) { + if(TableKit.Resizable._onHandle) {return;} + e = TableKit.e(e); + Event.stop(e); + var cell = Event.element(e); + while(!(cell.tagName && cell.tagName.match(/td|th/gi))) { + cell = cell.parentNode; + } + TableKit.Sortable.sort(null, cell); + }, + sort : function(table, index, order) { + var cell; + if(typeof index === 'number') { + if(!table || (table.tagName && table.tagName !== "TABLE")) { + return; + } + table = $(table); + index = Math.min(table.rows[0].cells.length, index); + index = Math.max(1, index); + index -= 1; + cell = (table.tHead && table.tHead.rows.length > 0) ? $(table.tHead.rows[table.tHead.rows.length-1].cells[index]) : $(table.rows[0].cells[index]); + } else { + cell = $(index); + table = table ? $(table) : cell.up('table'); + index = TableKit.getCellIndex(cell); + } + var op = TableKit.option('noSortClass descendingClass ascendingClass', table.id); + + if(cell.hasClassName(op.noSortClass)) {return;} + + order = order ? order : (cell.hasClassName(op.descendingClass) ? 1 : -1); + var rows = TableKit.getBodyRows(table); + + if(cell.hasClassName(op.ascendingClass) || cell.hasClassName(op.descendingClass)) { + rows.reverse(); // if it was already sorted we just need to reverse it. + } else { + var datatype = TableKit.Sortable.getDataType(cell,index,table); + var tkst = TableKit.Sortable.types; + rows.sort(function(a,b) { + return order * tkst[datatype].compare(TableKit.getCellText(a.cells[index]),TableKit.getCellText(b.cells[index])); + }); + } + var tb = table.tBodies[0]; + var tkr = TableKit.Rows; + rows.each(function(r,i) { + tb.appendChild(r); + tkr.addStripeClass(table,r,i); + }); + var hcells = TableKit.getHeaderCells(null, cell); + $A(hcells).each(function(c,i){ + c = $(c); + c.removeClassName(op.ascendingClass); + c.removeClassName(op.descendingClass); + if(index === i) { + if(order === 1) { + c.removeClassName(op.descendingClass); + c.addClassName(op.ascendingClass); + } else { + c.removeClassName(op.ascendingClass); + c.addClassName(op.descendingClass); + } + } + }); + }, + types : {}, + detectors : [], + addSortType : function() { + $A(arguments).each(function(o){ + TableKit.Sortable.types[o.name] = o; + }); + }, + getDataType : function(cell,index,table) { + cell = $(cell); + index = (index || index === 0) ? index : TableKit.getCellIndex(cell); + + var colcache = TableKit.Sortable._coltypecache; + var cache = colcache[table.id] ? colcache[table.id] : (colcache[table.id] = {}); + + if(!cache[index]) { + var t = ''; + // first look for a data type id on the heading row cell + if(cell.id && TableKit.Sortable.types[cell.id]) { + t = cell.id; + } + t = cell.classNames().detect(function(n){ // then look for a data type classname on the heading row cell + return (TableKit.Sortable.types[n]) ? true : false; + }); + if(!t) { + var rows = TableKit.getBodyRows(table); + cell = rows[0].cells[index]; // grab same index cell from body row to try and match data type + t = TableKit.Sortable.detectors.detect( + function(d){ + return TableKit.Sortable.types[d].detect(TableKit.getCellText(cell)); + }); + } + cache[index] = t; + } + return cache[index]; + }, + _coltypecache : {} +}; + +TableKit.Sortable.detectors = $A($w('date-iso date date-eu date-au time currency datasize number casesensitivetext text')); // setting it here because Safari complained when I did it above... + +TableKit.Sortable.Type = Class.create(); +TableKit.Sortable.Type.prototype = { + initialize : function(name, options){ + this.name = name; + options = Object.extend({ + normal : function(v){ + return v; + }, + pattern : /.*/ + }, options || {}); + this.normal = options.normal; + this.pattern = options.pattern; + if(options.compare) { + this.compare = options.compare; + } + if(options.detect) { + this.detect = options.detect; + } + }, + compare : function(a,b){ + return TableKit.Sortable.Type.compare(this.normal(a), this.normal(b)); + }, + detect : function(v){ + return this.pattern.test(v); + } +}; + +TableKit.Sortable.Type.compare = function(a,b) { + return a < b ? -1 : a === b ? 0 : 1; +}; + +TableKit.Sortable.addSortType( + new TableKit.Sortable.Type('number', { + pattern : /^[-+]?[\d]*\.?[\d]+(?:[eE][-+]?[\d]+)?/, + normal : function(v) { + // This will grab the first thing that looks like a number from a string, so you can use it to order a column of various srings containing numbers. + v = parseFloat(v.replace(/^.*?([-+]?[\d]*\.?[\d]+(?:[eE][-+]?[\d]+)?).*$/,"$1")); + return isNaN(v) ? 0 : v; + }}), + new TableKit.Sortable.Type('text',{ + normal : function(v) { + return v ? v.toLowerCase() : ''; + }}), + new TableKit.Sortable.Type('casesensitivetext',{pattern : /^[A-Z]+$/}), + new TableKit.Sortable.Type('datasize',{ + pattern : /^[-+]?[\d]*\.?[\d]+(?:[eE][-+]?[\d]+)?\s?[k|m|g|t]b$/i, + normal : function(v) { + var r = v.match(/^([-+]?[\d]*\.?[\d]+([eE][-+]?[\d]+)?)\s?([k|m|g|t]?b)?/i); + var b = r[1] ? Number(r[1]).valueOf() : 0; + var m = r[3] ? r[3].substr(0,1).toLowerCase() : ''; + var result = b; + switch(m) { + case 'k': + result = b * 1024; + break; + case 'm': + result = b * 1024 * 1024; + break; + case 'g': + result = b * 1024 * 1024 * 1024; + break; + case 't': + result = b * 1024 * 1024 * 1024 * 1024; + break; + } + return result; + }}), + new TableKit.Sortable.Type('date-au',{ + pattern : /^\d{2}\/\d{2}\/\d{4}\s?(?:\d{1,2}\:\d{2}(?:\:\d{2})?\s?[a|p]?m?)?/i, + normal : function(v) { + if(!this.pattern.test(v)) {return 0;} + var r = v.match(/^(\d{2})\/(\d{2})\/(\d{4})\s?(?:(\d{1,2})\:(\d{2})(?:\:(\d{2}))?\s?([a|p]?m?))?/i); + var yr_num = r[3]; + var mo_num = parseInt(r[2],10)-1; + var day_num = r[1]; + var hr_num = r[4] ? r[4] : 0; + if(r[7] && r[7].toLowerCase().indexOf('p') !== -1) { + hr_num = parseInt(r[4],10) + 12; + } + var min_num = r[5] ? r[5] : 0; + var sec_num = r[6] ? r[6] : 0; + return new Date(yr_num, mo_num, day_num, hr_num, min_num, sec_num, 0).valueOf(); + }}), + new TableKit.Sortable.Type('date-us',{ + pattern : /^\d{2}\/\d{2}\/\d{4}\s?(?:\d{1,2}\:\d{2}(?:\:\d{2})?\s?[a|p]?m?)?/i, + normal : function(v) { + if(!this.pattern.test(v)) {return 0;} + var r = v.match(/^(\d{2})\/(\d{2})\/(\d{4})\s?(?:(\d{1,2})\:(\d{2})(?:\:(\d{2}))?\s?([a|p]?m?))?/i); + var yr_num = r[3]; + var mo_num = parseInt(r[1],10)-1; + var day_num = r[2]; + var hr_num = r[4] ? r[4] : 0; + if(r[7] && r[7].toLowerCase().indexOf('p') !== -1) { + hr_num = parseInt(r[4],10) + 12; + } + var min_num = r[5] ? r[5] : 0; + var sec_num = r[6] ? r[6] : 0; + return new Date(yr_num, mo_num, day_num, hr_num, min_num, sec_num, 0).valueOf(); + }}), + new TableKit.Sortable.Type('date-eu',{ + pattern : /^\d{2}-\d{2}-\d{4}/i, + normal : function(v) { + if(!this.pattern.test(v)) {return 0;} + var r = v.match(/^(\d{2})-(\d{2})-(\d{4})/); + var yr_num = r[3]; + var mo_num = parseInt(r[2],10)-1; + var day_num = r[1]; + return new Date(yr_num, mo_num, day_num).valueOf(); + }}), + new TableKit.Sortable.Type('date-iso',{ + pattern : /[\d]{4}-[\d]{2}-[\d]{2}(?:T[\d]{2}\:[\d]{2}(?:\:[\d]{2}(?:\.[\d]+)?)?(Z|([-+][\d]{2}:[\d]{2})?)?)?/, // 2005-03-26T19:51:34Z + normal : function(v) { + if(!this.pattern.test(v)) {return 0;} + var d = v.match(/([\d]{4})(-([\d]{2})(-([\d]{2})(T([\d]{2}):([\d]{2})(:([\d]{2})(\.([\d]+))?)?(Z|(([-+])([\d]{2}):([\d]{2})))?)?)?)?/); + var offset = 0; + var date = new Date(d[1], 0, 1); + if (d[3]) { date.setMonth(d[3] - 1) ;} + if (d[5]) { date.setDate(d[5]); } + if (d[7]) { date.setHours(d[7]); } + if (d[8]) { date.setMinutes(d[8]); } + if (d[10]) { date.setSeconds(d[10]); } + if (d[12]) { date.setMilliseconds(Number("0." + d[12]) * 1000); } + if (d[14]) { + offset = (Number(d[16]) * 60) + Number(d[17]); + offset *= ((d[15] === '-') ? 1 : -1); + } + offset -= date.getTimezoneOffset(); + if(offset !== 0) { + var time = (Number(date) + (offset * 60 * 1000)); + date.setTime(Number(time)); + } + return date.valueOf(); + }}), + new TableKit.Sortable.Type('date',{ + pattern: /^(?:sun|mon|tue|wed|thu|fri|sat)\,\s\d{1,2}\s(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)\s\d{4}(?:\s\d{2}\:\d{2}(?:\:\d{2})?(?:\sGMT(?:[+-]\d{4})?)?)?/i, //Mon, 18 Dec 1995 17:28:35 GMT + compare : function(a,b) { // must be standard javascript date format + if(a && b) { + return TableKit.Sortable.Type.compare(new Date(a),new Date(b)); + } else { + return TableKit.Sortable.Type.compare(a ? 1 : 0, b ? 1 : 0); + } + }}), + new TableKit.Sortable.Type('time',{ + pattern : /^\d{1,2}\:\d{2}(?:\:\d{2})?(?:\s[a|p]m)?$/i, + compare : function(a,b) { + var d = new Date(); + var ds = d.getMonth() + "/" + d.getDate() + "/" + d.getFullYear() + " "; + return TableKit.Sortable.Type.compare(new Date(ds + a),new Date(ds + b)); + }}), + new TableKit.Sortable.Type('currency',{ + pattern : /^[$????]/, // dollar,pound,yen,euro,generic currency symbol + normal : function(v) { + return v ? parseFloat(v.replace(/[^-\d\.]/g,'')) : 0; + }}) +); + +TableKit.Resizable = { + init : function(elm, options){ + var table = $(elm); + if(table.tagName !== "TABLE") {return;} + TableKit.register(table,Object.extend(options || {},{resizable:true})); + var cells = TableKit.getHeaderCells(table); + cells.each(function(c){ + c = $(c); + Event.observe(c, 'mouseover', TableKit.Resizable.initDetect); + Event.observe(c, 'mouseout', TableKit.Resizable.killDetect); + }); + }, + resize : function(table, index, w) { + var cell; + if(typeof index === 'number') { + if(!table || (table.tagName && table.tagName !== "TABLE")) {return;} + table = $(table); + index = Math.min(table.rows[0].cells.length, index); + index = Math.max(1, index); + index -= 1; + cell = (table.tHead && table.tHead.rows.length > 0) ? $(table.tHead.rows[table.tHead.rows.length-1].cells[index]) : $(table.rows[0].cells[index]); + } else { + cell = $(index); + table = table ? $(table) : cell.up('table'); + index = TableKit.getCellIndex(cell); + } + var pad = parseInt(cell.getStyle('paddingLeft'),10) + parseInt(cell.getStyle('paddingRight'),10); + w = Math.max(w-pad, TableKit.option('minWidth', table.id)[0]); + + cell.setStyle({'width' : w + 'px'}); + }, + initDetect : function(e) { + e = TableKit.e(e); + var cell = Event.element(e); + Event.observe(cell, 'mousemove', TableKit.Resizable.detectHandle); + Event.observe(cell, 'mousedown', TableKit.Resizable.startResize); + }, + detectHandle : function(e) { + e = TableKit.e(e); + var cell = Event.element(e); + if(TableKit.Resizable.pointerPos(cell,Event.pointerX(e),Event.pointerY(e))){ + cell.addClassName(TableKit.option('resizeOnHandleClass', cell.up('table').id)[0]); + TableKit.Resizable._onHandle = true; + } else { + cell.removeClassName(TableKit.option('resizeOnHandleClass', cell.up('table').id)[0]); + TableKit.Resizable._onHandle = false; + } + }, + killDetect : function(e) { + e = TableKit.e(e); + TableKit.Resizable._onHandle = false; + var cell = Event.element(e); + Event.stopObserving(cell, 'mousemove', TableKit.Resizable.detectHandle); + Event.stopObserving(cell, 'mousedown', TableKit.Resizable.startResize); + cell.removeClassName(TableKit.option('resizeOnHandleClass', cell.up('table').id)[0]); + }, + startResize : function(e) { + e = TableKit.e(e); + if(!TableKit.Resizable._onHandle) {return;} + var cell = Event.element(e); + Event.stopObserving(cell, 'mousemove', TableKit.Resizable.detectHandle); + Event.stopObserving(cell, 'mousedown', TableKit.Resizable.startResize); + Event.stopObserving(cell, 'mouseout', TableKit.Resizable.killDetect); + TableKit.Resizable._cell = cell; + var table = cell.up('table'); + TableKit.Resizable._tbl = table; + if(TableKit.option('showHandle', table.id)[0]) { + TableKit.Resizable._handle = $(document.createElement('div')).addClassName('resize-handle').setStyle({ + 'top' : Position.cumulativeOffset(cell)[1] + 'px', + 'left' : Event.pointerX(e) + 'px', + 'height' : table.getDimensions().height + 'px' + }); + document.body.appendChild(TableKit.Resizable._handle); + } + Event.observe(document, 'mousemove', TableKit.Resizable.drag); + Event.observe(document, 'mouseup', TableKit.Resizable.endResize); + Event.stop(e); + }, + endResize : function(e) { + e = TableKit.e(e); + var cell = TableKit.Resizable._cell; + TableKit.Resizable.resize(null, cell, (Event.pointerX(e) - Position.cumulativeOffset(cell)[0])); + Event.stopObserving(document, 'mousemove', TableKit.Resizable.drag); + Event.stopObserving(document, 'mouseup', TableKit.Resizable.endResize); + if(TableKit.option('showHandle', TableKit.Resizable._tbl.id)[0]) { + $$('div.resize-handle').each(function(elm){ + document.body.removeChild(elm); + }); + } + Event.observe(cell, 'mouseout', TableKit.Resizable.killDetect); + TableKit.Resizable._tbl = TableKit.Resizable._handle = TableKit.Resizable._cell = null; + Event.stop(e); + }, + drag : function(e) { + e = TableKit.e(e); + if(TableKit.Resizable._handle === null) { + try { + TableKit.Resizable.resize(TableKit.Resizable._tbl, TableKit.Resizable._cell, (Event.pointerX(e) - Position.cumulativeOffset(TableKit.Resizable._cell)[0])); + } catch(e) {} + } else { + TableKit.Resizable._handle.setStyle({'left' : Event.pointerX(e) + 'px'}); + } + return false; + }, + pointerPos : function(element, x, y) { + var offset = Position.cumulativeOffset(element); + return (y >= offset[1] && + y < offset[1] + element.offsetHeight && + x >= offset[0] + element.offsetWidth - 5 && + x < offset[0] + element.offsetWidth); + }, + _onHandle : false, + _cell : null, + _tbl : null, + _handle : null +}; + + +TableKit.Editable = { + init : function(elm, options){ + var table = $(elm); + if(table.tagName !== "TABLE") {return;} + TableKit.register(table,Object.extend(options || {},{editable:true})); + Event.observe(table.tBodies[0], 'click', TableKit.Editable._editCell); + }, + _editCell : function(e) { + e = TableKit.e(e); + var cell = Event.findElement(e,'td'); + TableKit.Editable.editCell(null, cell); + }, + editCell : function(table, index, cindex) { + var cell, row; + if(typeof index === 'number') { + if(!table || (table.tagName && table.tagName !== "TABLE")) {return;} + table = $(table); + index = Math.min(table.tBodies[0].rows.length, index); + index = Math.max(1, index); + index -= 1; + cindex = Math.min(table.rows[0].cells.length, cindex); + cindex = Math.max(1, cindex); + cindex -= 1; + row = $(table.tBodies[0].rows[index]); + cell = $(row.cells[cindex]); + } else { + cell = $(index); + table = (table && table.tagName && table.tagName !== "TABLE") ? $(table) : cell.up('table'); + row = cell.up('tr'); + } + var op = TableKit.option('noEditClass', table.id); + if(cell.hasClassName(op.noEditClass)) {return;} + + var head = $(TableKit.getHeaderCells(table, cell)[TableKit.getCellIndex(cell)]); + if(head.hasClassName(op.noEditClass)) {return;} + + TableKit.registerCell(cell); + var data = TableKit.cells[cell.id]; + if(data.active) {return;} + data.htmlContent = cell.innerHTML; + var ftype = TableKit.Editable.types['text-input']; + if(head.id && TableKit.Editable.types[head.id]) { + ftype = TableKit.Editable.types[head.id]; + } else { + var n = head.classNames().detect(function(n){ + return (TableKit.Editable.types[n]) ? true : false; + }); + ftype = n ? TableKit.Editable.types[n] : ftype; + } + ftype.edit(cell); + data.active = true; + }, + types : {}, + addCellEditor : function(o) { + if(o && o.name) { TableKit.Editable.types[o.name] = o; } + } +}; + +TableKit.Editable.CellEditor = Class.create(); +TableKit.Editable.CellEditor.prototype = { + initialize : function(name, options){ + this.name = name; + this.options = Object.extend({ + element : 'input', + attributes : {name : 'value', type : 'text'}, + selectOptions : [], + showSubmit : true, + submitText : 'OK', + showCancel : true, + cancelText : 'Cancel', + ajaxURI : null, + ajaxOptions : null + }, options || {}); + }, + edit : function(cell) { + cell = $(cell); + var op = this.options; + var table = cell.up('table'); + + var form = $(document.createElement("form")); + form.id = cell.id + '-form'; + form.addClassName(TableKit.option('formClassName', table.id)[0]); + form.onsubmit = this._submit.bindAsEventListener(this); + + var field = document.createElement(op.element); + $H(op.attributes).each(function(v){ + field[v.key] = v.value; + }); + switch(op.element) { + case 'input': + case 'textarea': + field.value = TableKit.getCellText(cell); + break; + + case 'select': + var txt = TableKit.getCellText(cell); + $A(op.selectOptions).each(function(v){ + field.options[field.options.length] = new Option(v[0], v[1]); + if(txt === v[1]) { + field.options[field.options.length-1].selected = 'selected'; + } + }); + break; + } + form.appendChild(field); + if(op.element === 'textarea') { + form.appendChild(document.createElement("br")); + } + if(op.showSubmit) { + var okButton = document.createElement("input"); + okButton.type = "submit"; + okButton.value = op.submitText; + okButton.className = 'editor_ok_button'; + form.appendChild(okButton); + } + if(op.showCancel) { + var cancelLink = document.createElement("a"); + cancelLink.href = "#"; + cancelLink.appendChild(document.createTextNode(op.cancelText)); + cancelLink.onclick = this._cancel.bindAsEventListener(this); + cancelLink.className = 'editor_cancel'; + form.appendChild(cancelLink); + } + cell.innerHTML = ''; + cell.appendChild(form); + }, + _submit : function(e) { + var cell = Event.findElement(e,'td'); + var form = Event.findElement(e,'form'); + Event.stop(e); + this.submit(cell,form); + }, + submit : function(cell, form) { + var op = this.options; + form = form ? form : cell.down('form'); + var head = $(TableKit.getHeaderCells(null, cell)[TableKit.getCellIndex(cell)]); + var row = cell.up('tr'); + var table = cell.up('table'); + var s = '&row=' + (TableKit.getRowIndex(row)+1) + '&cell=' + (TableKit.getCellIndex(cell)+1) + '&id=' + row.id + '&field=' + head.id + '&' + Form.serialize(form); + this.ajax = new Ajax.Updater(cell, op.ajaxURI || TableKit.option('editAjaxURI', table.id)[0], Object.extend(op.ajaxOptions || TableKit.option('editAjaxOptions', table.id)[0], { + postBody : s, + onComplete : function() { + var data = TableKit.cells[cell.id]; + data.active = false; + data.refresh = true; // mark cell cache for refreshing, in case cell contents has changed and sorting is applied + } + })); + }, + _cancel : function(e) { + var cell = Event.findElement(e,'td'); + Event.stop(e); + this.cancel(cell); + }, + cancel : function(cell) { + this.ajax = null; + var data = TableKit.cells[cell.id]; + cell.innerHTML = data.htmlContent; + data.htmlContent = ''; + data.active = false; + }, + ajax : null +}; + +TableKit.Editable.textInput = function(n,attributes) { + TableKit.Editable.addCellEditor(new TableKit.Editable.CellEditor(n, { + element : 'input', + attributes : Object.extend({name : 'value', type : 'text'}, attributes||{}) + })); +}; +TableKit.Editable.textInput('text-input'); + +TableKit.Editable.multiLineInput = function(n,attributes) { + TableKit.Editable.addCellEditor(new TableKit.Editable.CellEditor(n, { + element : 'textarea', + attributes : Object.extend({name : 'value', rows : '5', cols : '20'}, attributes||{}) + })); +}; +TableKit.Editable.multiLineInput('multi-line-input'); + +TableKit.Editable.selectInput = function(n,attributes,selectOptions) { + TableKit.Editable.addCellEditor(new TableKit.Editable.CellEditor(n, { + element : 'select', + attributes : Object.extend({name : 'value'}, attributes||{}), + 'selectOptions' : selectOptions + })); +}; + +/* +TableKit.Bench = { + bench : [], + start : function(){ + TableKit.Bench.bench[0] = new Date().getTime(); + }, + end : function(s){ + TableKit.Bench.bench[1] = new Date().getTime(); + alert(s + ' ' + ((TableKit.Bench.bench[1]-TableKit.Bench.bench[0])/1000)+' seconds.') //console.log(s + ' ' + ((TableKit.Bench.bench[1]-TableKit.Bench.bench[0])/1000)+' seconds.') + TableKit.Bench.bench = []; + } +} */ + +if(window.FastInit) { + FastInit.addOnLoad(TableKit.load); +} else { + Event.observe(window, 'load', TableKit.load); +} \ No newline at end of file diff -r 7efa620853f6 -r 698d4ac367ff ipa-server/ipa-gui/ipagui/templates/userlist.kid --- a/ipa-server/ipa-gui/ipagui/templates/userlist.kid Thu Sep 13 10:18:41 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/userlist.kid Thu Sep 13 10:26:35 2007 -0700 @@ -6,6 +6,7 @@ Find People +

${len(users)} results returned:

- +

+ + + +

- + ${fields.uid.label}	Name @@ -38,6 +40,8 @@ License Plate
${user.uid} @@ -58,6 +62,7 @@ ${user.carLicense}

-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2228 bytes Desc: not available URL: From kmccarth at redhat.com Thu Sep 13 17:29:19 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Thu, 13 Sep 2007 10:29:19 -0700 Subject: [Freeipa-devel] [PATCH] javascript sorting of user results w/tablekit In-Reply-To: <20070913172712.GA19864@moon.usersys.redhat.com> References: <20070913172712.GA19864@moon.usersys.redhat.com> Message-ID: <20070913172919.GB19864@moon.usersys.redhat.com> Kevin McCarthy wrote: > This patch adds the tablekit package: > http://www.millstream.com.au/view/code/tablekit/ (licensed under MIT) > and uses it to add javascript table sorting for the user results. The patch needs the attached two images to be put in ipa-server/ipa-gui/ipagui/static/images Thanks, -Kevin -------------- next part -------------- A non-text attachment was scrubbed... Name: down.gif Type: image/gif Size: 57 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: up.gif Type: image/gif Size: 56 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2228 bytes Desc: not available URL: From rcritten at redhat.com Thu Sep 13 18:24:17 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 13 Sep 2007 14:24:17 -0400 Subject: [Freeipa-devel] [PATCH] ticket forwarding and TurboGears Message-ID: <46E98051.3020703@redhat.com> I got ticket forwarding working with TurboGears yesterday. This raises some issues though. First an explanation of how I'm doing it. I require Kerberos auth for connections to Apache. If delegation is available then Apache will save a copy of the ticket. For the XML-RPC interface this is enough as it runs through mod_python. We grab a pointer to the file and use the ticket. With TurboGears I'm using mod_proxy to forward the requests after authentication. What I do is grab a copy of the environment variables REMOTE_USER and KRB5CCNAME and include those as request headers to TurboGears. TG then can identify the principle and the location of that users keytab. We will need to restrict the TurboGears listener to localhost. If we wanted to be absolutely sure that nothing funny was going on we could use the Authorization header to re-verify the ticket. I lack the kerberos know-how to do this. This means we can do away with all the proxying mess and not issue a client cert to the web server. Do we want to go ahead and remove that now or leave it in as dead code? We can remove the proxy ACIs which will prevent people from proxying in and leave the code alone for a while I suppose. For GUI developers there is a way to not use mod_proxy and continue contacting it directly. What you'll need to do is look in ipa-gui/ipagui/proxyprovider.py and hardcode the principal name and keytab location. For the keytab run: kinit | grep FILE and use the whole FILE: url. And remember, this requires the mod_auth_kerb that I supplied earlier. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-179-ticket.patch Type: text/x-patch Size: 6874 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From prowley at redhat.com Thu Sep 13 18:39:11 2007 From: prowley at redhat.com (Pete Rowley) Date: Thu, 13 Sep 2007 11:39:11 -0700 Subject: [Freeipa-devel] [PATCH] ticket forwarding and TurboGears In-Reply-To: <46E98051.3020703@redhat.com> References: <46E98051.3020703@redhat.com> Message-ID: <46E983CF.9070002@redhat.com> Rob Crittenden wrote: > This means we can do away with all the proxying mess and not issue a > client cert to the web server. > > Do we want to go ahead and remove that now or leave it in as dead > code? We can remove the proxy ACIs which will prevent people from > proxying in and leave the code alone for a while I suppose. I think that is a decent way of dealing with this. Since the code is already written we can use it as a backup in case ticket forwarding is not appropriate for some reason. Once real deployments have kicked the tires a few times we will be in a better position to see what may be needed. -- Pete -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3241 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Thu Sep 13 19:19:06 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 13 Sep 2007 15:19:06 -0400 Subject: [Freeipa-devel] [PATCH] javascript sorting of user results w/tablekit In-Reply-To: <20070913172712.GA19864@moon.usersys.redhat.com> References: <20070913172712.GA19864@moon.usersys.redhat.com> Message-ID: <46E98D2A.6090801@redhat.com> Kevin McCarthy wrote: > This patch adds the tablekit package: > http://www.millstream.com.au/view/code/tablekit/ (licensed under MIT) > and uses it to add javascript table sorting for the user results. > > -Kevin > > +1 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Thu Sep 13 19:29:54 2007 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 13 Sep 2007 15:29:54 -0400 Subject: [Freeipa-devel] [PATCH] javascript sorting of user results w/tablekit In-Reply-To: <20070913172919.GB19864@moon.usersys.redhat.com> References: <20070913172712.GA19864@moon.usersys.redhat.com> <20070913172919.GB19864@moon.usersys.redhat.com> Message-ID: <1189711794.18288.30.camel@localhost.localdomain> On Thu, 2007-09-13 at 10:29 -0700, Kevin McCarthy wrote: > Kevin McCarthy wrote: > > This patch adds the tablekit package: > > http://www.millstream.com.au/view/code/tablekit/ (licensed under MIT) > > and uses it to add javascript table sorting for the user results. > > The patch needs the attached two images to be put in > ipa-server/ipa-gui/ipagui/static/images Can you send them it in form of a patch as well ? Simo. From kmccarth at redhat.com Thu Sep 13 19:44:12 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Thu, 13 Sep 2007 12:44:12 -0700 Subject: [Freeipa-devel] [PATCH] javascript sorting of user results w/tablekit In-Reply-To: <1189711794.18288.30.camel@localhost.localdomain> References: <20070913172712.GA19864@moon.usersys.redhat.com> <20070913172919.GB19864@moon.usersys.redhat.com> <1189711794.18288.30.camel@localhost.localdomain> Message-ID: <20070913194412.GC19864@moon.usersys.redhat.com> Simo Sorce wrote: > On Thu, 2007-09-13 at 10:29 -0700, Kevin McCarthy wrote: > > Kevin McCarthy wrote: > > > This patch adds the tablekit package: > > > http://www.millstream.com.au/view/code/tablekit/ (licensed under MIT) > > > and uses it to add javascript table sorting for the user results. > > > > The patch needs the attached two images to be put in > > ipa-server/ipa-gui/ipagui/static/images > > Can you send them it in form of a patch as well ? No, unfortunately, binary files don't come through as a patch. I don't have a good solution to this problem. :-/ -Kevin -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2228 bytes Desc: not available URL: From kmccarth at redhat.com Thu Sep 13 19:45:41 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Thu, 13 Sep 2007 12:45:41 -0700 Subject: [Freeipa-devel] [PATCH] ticket forwarding and TurboGears In-Reply-To: <46E98051.3020703@redhat.com> References: <46E98051.3020703@redhat.com> Message-ID: <20070913194540.GD19864@moon.usersys.redhat.com> Rob Crittenden wrote: > I got ticket forwarding working with TurboGears yesterday. This raises some > issues though. First an explanation of how I'm doing it. Looks good. (Of course, I'm not an Kerberos person - just saying that the TG changes look good.) -Kevin -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2228 bytes Desc: not available URL: From nalin at redhat.com Fri Sep 14 20:08:37 2007 From: nalin at redhat.com (Nalin Dahyabhai) Date: Fri, 14 Sep 2007 16:08:37 -0400 Subject: [Freeipa-devel] [PATCH] ticket forwarding and TurboGears In-Reply-To: <46E98051.3020703@redhat.com> References: <46E98051.3020703@redhat.com> Message-ID: <20070914200837.GA9414@redhat.com> On Thu, Sep 13, 2007 at 02:24:17PM -0400, Rob Crittenden wrote: > With TurboGears I'm using mod_proxy to forward the requests after > authentication. What I do is grab a copy of the environment variables > REMOTE_USER and KRB5CCNAME and include those as request headers to > TurboGears. TG then can identify the principle and the location of that > users keytab. I can't comment on the rest (not enough familiarity with it), but what you're calling a keytab here is actually a credential cache -- a keytab file is something rather different, and the use of the terms here confused the heck out of me. Cheers, Nalin From rcritten at redhat.com Fri Sep 14 21:34:00 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 14 Sep 2007 17:34:00 -0400 Subject: [Freeipa-devel] [PATCH] ticket forwarding and TurboGears In-Reply-To: <20070914200837.GA9414@redhat.com> References: <46E98051.3020703@redhat.com> <20070914200837.GA9414@redhat.com> Message-ID: <46EAFE48.5090203@redhat.com> Nalin Dahyabhai wrote: > On Thu, Sep 13, 2007 at 02:24:17PM -0400, Rob Crittenden wrote: >> With TurboGears I'm using mod_proxy to forward the requests after >> authentication. What I do is grab a copy of the environment variables >> REMOTE_USER and KRB5CCNAME and include those as request headers to >> TurboGears. TG then can identify the principle and the location of that >> users keytab. > > I can't comment on the rest (not enough familiarity with it), but what > you're calling a keytab here is actually a credential cache -- a keytab > file is something rather different, and the use of the terms here > confused the heck out of me. > > Cheers, > > Nalin Ok, here is a replacement patch for freeipa-179-ticket.patch that uses a better variable name. rob -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-179-ticket.patch2 URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From kmccarth at redhat.com Fri Sep 14 22:20:00 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Fri, 14 Sep 2007 15:20:00 -0700 Subject: [Freeipa-devel] [PATCH] draft of group member management Message-ID: <20070914221959.GD17116@moon.usersys.redhat.com> This is half finished, but suitable for a code review. I'll also push to demo so you can play with it. This is basic group member management. There are still a lot of issues to deal with, but it is functional. -Kevin -------------- next part -------------- # HG changeset patch # User Kevin McCarthy # Date 1189808409 25200 # Node ID 22f90eaa60da6f1ef6cd85335482f8b65166d9bc # Parent c35fdc2573b634dbdf2b4b219c88666dd1dd66b4 patch queue: groupmember.patch diff -r c35fdc2573b6 -r 22f90eaa60da ipa-server/ipa-gui/ipagui/controllers.py --- a/ipa-server/ipa-gui/ipagui/controllers.py Thu Sep 13 10:55:56 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/controllers.py Fri Sep 14 15:20:09 2007 -0700 @@ -120,17 +120,21 @@ class Root(controllers.RootController): if tg_errors: turbogears.flash("There was a problem with the form!") - client.set_principal(identity.current.user_name) - user = client.get_user_by_uid(uid, user_fields) - user_dict = user.toDict() - # Edit shouldn't fill in the password field. - if user_dict.has_key('userpassword'): - del(user_dict['userpassword']) - - # store a copy of the original user for the update later - user_data = b64encode(dumps(user_dict)) - user_dict['user_orig'] = user_data - return dict(form=user_edit_form, user=user_dict) + try: + client.set_principal(identity.current.user_name) + user = client.get_user_by_uid(uid, user_fields) + user_dict = user.toDict() + # Edit shouldn't fill in the password field. + if user_dict.has_key('userpassword'): + del(user_dict['userpassword']) + + # store a copy of the original user for the update later + user_data = b64encode(dumps(user_dict)) + user_dict['user_orig'] = user_data + return dict(form=user_edit_form, user=user_dict) + except ipaerror.IPAError, e: + turbogears.flash("User edit failed: " + str(e)) + raise turbogears.redirect('/usershow', uid=kw.get('uid')) @expose() @identity.require(identity.not_anonymous()) @@ -204,6 +208,24 @@ class Root(controllers.RootController): return dict(users=users, uid=uid, fields=forms.user.UserFields()) + @expose("ipagui.templates.userlistajax") + @identity.require(identity.not_anonymous()) + def userlist_ajax(self, **kw): + """Searches for users and displays list of results in a table. + This method is used for ajax calls.""" + client.set_principal(identity.current.user_name) + users = [] + uid = kw.get('uid') + if uid != None and len(uid) > 0: + try: + users = client.find_users(uid.encode('utf-8')) + counter = users[0] + users = users[1:] + except ipaerror.IPAError, e: + turbogears.flash("User list failed: " + str(e)) + + return dict(users=users, uid=uid, fields=forms.user.UserFields()) + @expose("ipagui.templates.usershow") @identity.require(identity.not_anonymous()) @@ -371,8 +393,7 @@ class Root(controllers.RootController): rv = client.add_group(new_group) turbogears.flash("%s added!" % kw.get('cn')) - # raise turbogears.redirect('/groupedit', cn=kw['cn']) - raise turbogears.redirect('/') + raise turbogears.redirect('/groupshow', cn=kw.get('cn')) except ipaerror.exception_for(ipaerror.LDAP_DUPLICATE): turbogears.flash("Group with name '%s' already exists" % kw.get('cn')) @@ -390,13 +411,43 @@ class Root(controllers.RootController): turbogears.flash("There was a problem with the form!") client.set_principal(identity.current.user_name) - group = client.get_group_by_cn(cn, group_fields) - group_dict = group.toDict() - - # store a copy of the original group for the update later - group_data = b64encode(dumps(group_dict)) - group_dict['group_orig'] = group_data - return dict(form=group_edit_form, group=group_dict) + try: + group = client.get_group_by_cn(cn, group_fields) + + group_dict = group.toDict() + + # + # convert members to users, for easier manipulation on the page + # + member_dns = [] + if group_dict.has_key('uniquemember'): + member_dns = group_dict.get('uniquemember') + # remove from dict - it's not needed for update + # and we are storing the members in a different form + del group_dict['uniquemember'] + if not(isinstance(member_dns,list) or isinstance(member_dns,tuple)): + member_dns = [member_dns] + + # TODO: convert this into an efficient (single) function call + member_users = map( + lambda dn: client.get_user_by_dn(dn, ['givenname', 'sn', 'uid']), + member_dns) + + # Map users into an array of dicts, which can be serialized + # (so we don't have to do this on each round trip) + member_dicts = map(lambda user: user.toDict(), member_users) + + # store a copy of the original group for the update later + group_data = b64encode(dumps(group_dict)) + member_data = b64encode(dumps(member_dicts)) + group_dict['group_orig'] = group_data + group_dict['member_data'] = member_data + + return dict(form=group_edit_form, group=group_dict, members=member_dicts) + except ipaerror.IPAError, e: + turbogears.flash("User show failed: " + str(e)) + turbogears.flash("Group edit failed: " + str(e)) + raise turbogears.redirect('/groupshow', uid=kw.get('cn')) @expose() @identity.require(identity.not_anonymous()) @@ -408,26 +459,83 @@ class Root(controllers.RootController): turbogears.flash("Edit group cancelled") raise turbogears.redirect('/groupshow', cn=kw.get('cn')) + # Decode the member data, in case we need to round trip + member_dicts = loads(b64decode(kw.get('member_data'))) + + tg_errors, kw = self.groupupdatevalidate(**kw) if tg_errors: - return dict(form=group_edit_form, group=kw, + return dict(form=group_edit_form, group=kw, members=member_dicts, tg_template='ipagui.templates.groupedit') + group_modified = False + + # + # Update group itself + # try: orig_group_dict = loads(b64decode(kw.get('group_orig'))) new_group = ipa.group.Group(orig_group_dict) - new_group.setValue('description', kw.get('description')) + if new_group.description != kw.get('description'): + group_modified = True + new_group.setValue('description', kw.get('description')) if kw.get('gidnumber'): + group_modified = True new_group.setValue('gidnumber', str(kw.get('gidnumber'))) - rv = client.update_group(new_group) - turbogears.flash("%s updated!" % kw['cn']) - raise turbogears.redirect('/groupshow', cn=kw['cn']) + if group_modified: + rv = client.update_group(new_group) + # + # TODO - if the group update succeeds, but below operations fail, + # we needs to make sure a subsequent submit doesn't try to update + # the group again. Probably by overwriting the group_orig hidden + # field blob. + # except ipaerror.IPAError, e: turbogears.flash("User update failed: " + str(e)) - return dict(form=group_edit_form, group=kw, + return dict(form=group_edit_form, group=kw, members=member_dicts, tg_template='ipagui.templates.groupedit') + + # + # Add members + # + try: + uidadds = kw.get('uidadd') + if uidadds != None: + if not(isinstance(uidadds,list) or isinstance(uidadds,tuple)): + uidadds = [uidadds] + failed = client.add_users_to_group(uidadds, kw.get('cn')) + # + # TODO - deal with failed adds + # + except ipaerror.IPAError, e: + turbogears.flash("User update failed: " + str(e)) + return dict(form=group_edit_form, group=kw, members=member_dicts, + tg_template='ipagui.templates.groupedit') + + # + # Remove members + # + try: + uiddels = kw.get('uiddel') + if uiddels != None: + if not(isinstance(uiddels,list) or isinstance(uiddels,tuple)): + uiddels = [uiddels] + failed = client.remove_users_from_group(uiddels, kw.get('cn')) + # + # TODO - deal with failed removals + # + except ipaerror.IPAError, e: + turbogears.flash("User update failed: " + str(e)) + return dict(form=group_edit_form, group=kw, members=member_dicts, + tg_template='ipagui.templates.groupedit') + + # TODO if not group_modified + + turbogears.flash("%s updated!" % kw['cn']) + raise turbogears.redirect('/groupshow', cn=kw['cn']) + @expose("ipagui.templates.grouplist") @identity.require(identity.not_anonymous()) @@ -458,7 +566,25 @@ class Root(controllers.RootController): client.set_principal(identity.current.user_name) try: group = client.get_group_by_cn(cn, group_fields) - return dict(group=group.toDict(), fields=forms.group.GroupFields()) + group_dict = group.toDict() + + # + # convert members to users, for display on the page + # + member_dns = [] + if group_dict.has_key('uniquemember'): + member_dns = group_dict.get('uniquemember') + if not(isinstance(member_dns,list) or isinstance(member_dns,tuple)): + member_dns = [member_dns] + + # TODO: convert this into an efficient (single) function call + member_users = map( + lambda dn: client.get_user_by_dn(dn, ['givenname', 'sn', 'uid']), + member_dns) + member_dicts = map(lambda user: user.toDict(), member_users) + + return dict(group=group_dict, fields=forms.group.GroupFields(), + members = member_dicts) except ipaerror.IPAError, e: turbogears.flash("Group show failed: " + str(e)) raise turbogears.redirect("/") diff -r c35fdc2573b6 -r 22f90eaa60da ipa-server/ipa-gui/ipagui/forms/group.py --- a/ipa-server/ipa-gui/ipagui/forms/group.py Thu Sep 13 10:55:56 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/forms/group.py Fri Sep 14 15:20:09 2007 -0700 @@ -9,6 +9,7 @@ class GroupFields(): cn_hidden = widgets.HiddenField(name="cn") group_orig = widgets.HiddenField(name="group_orig") + member_data = widgets.HiddenField(name="member_data") class GroupNewValidator(validators.Schema): cn = validators.PlainText(not_empty=True) @@ -36,11 +37,11 @@ class GroupEditValidator(validators.Sche description = validators.String(not_empty=False) class GroupEditForm(widgets.Form): - params = ['group'] + params = ['members', 'group'] fields = [GroupFields.gidnumber, GroupFields.description, GroupFields.cn_hidden, - GroupFields.group_orig] + GroupFields.group_orig, GroupFields.member_data] validator = GroupEditValidator() diff -r c35fdc2573b6 -r 22f90eaa60da ipa-server/ipa-gui/ipagui/templates/groupedit.kid --- a/ipa-server/ipa-gui/ipagui/templates/groupedit.kid Thu Sep 13 10:55:56 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/groupedit.kid Fri Sep 14 15:20:09 2007 -0700 @@ -16,6 +16,6 @@

Edit Group

- ${form.display(action="groupupdate", value=group)} + ${form.display(action="groupupdate", value=group, members=members)} diff -r c35fdc2573b6 -r 22f90eaa60da ipa-server/ipa-gui/ipagui/templates/groupeditform.kid --- a/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid Thu Sep 13 10:55:56 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid Fri Sep 14 15:20:09 2007 -0700 @@ -2,14 +2,112 @@ class="simpleroster"> + + + @@ -63,6 +161,56 @@ +

Group Members

+ +

To Remove:

+ +

+ + ${member_name} + remove +

+ +

Add Persons

+ +

To Add:

+ +

+ + +

diff -r c35fdc2573b6 -r 22f90eaa60da ipa-server/ipa-gui/ipagui/templates/groupshow.kid --- a/ipa-server/ipa-gui/ipagui/templates/groupshow.kid Thu Sep 13 10:55:56 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/groupshow.kid Fri Sep 14 15:20:09 2007 -0700 @@ -32,6 +32,18 @@

Group Members

+ + ${member_name} (${member.get('uid')}) +

+ +
+
+ edit diff -r c35fdc2573b6 -r 22f90eaa60da ipa-server/ipa-gui/ipagui/templates/userlistajax.kid --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/ipa-server/ipa-gui/ipagui/templates/userlistajax.kid Fri Sep 14 15:20:09 2007 -0700 @@ -0,0 +1,14 @@ +

${len(users)} results returned:

+ ${user.givenName} ${user.sn} (${user.uid}) + add +

+ No results found for "${uid}" +

- + @@ -178,7 +193,7 @@ member.get('sn', '')) ?> ${member_name} - remove @@ -227,4 +242,40 @@ + + + + + + + + +

- edit protected fields diff -r a2db36c1fc6c -r 364d56d319c1 ipa-server/ipa-gui/ipagui/templates/groupeditform.kid --- a/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid Mon Sep 17 15:24:11 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid Tue Sep 18 10:54:53 2007 -0700 @@ -24,8 +24,10 @@ var gidnumberField = $('form_gidnumber'); if (checkbox.checked) { gidnumberField.disabled = false; + $('form_editprotected').value = 'true'; } else { gidnumberField.disabled = true; + $('form_editprotected').value = ''; } } @@ -273,6 +275,11 @@ if ($('form_uid_to_cn_json').value != "") { uid_to_cn_hash = new Hash($('form_uid_to_cn_json').value.evalJSON()); } + + if ($('form_editprotected').value != "") { + $('toggleprotected_checkbox').checked = true; + toggleProtectedFields($('toggleprotected_checkbox')); + }

- edit protected fields diff -r a2db36c1fc6c -r 364d56d319c1 ipa-server/ipa-gui/ipagui/templates/usereditform.kid --- a/ipa-server/ipa-gui/ipagui/templates/usereditform.kid Mon Sep 17 15:24:11 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/usereditform.kid Tue Sep 18 10:54:53 2007 -0700 @@ -13,11 +13,13 @@ passwordConfirmField.disabled = false; uidnumberField.disabled = false; gidnumberField.disabled = false; + $('form_editprotected').value = 'true'; } else { passwordField.disabled = true; passwordConfirmField.disabled = true; uidnumberField.disabled = true; gidnumberField.disabled = true; + $('form_editprotected').value = ''; } } @@ -228,4 +230,11 @@ + +

Group Members

To Remove:

@@ -229,8 +229,8 @@

Add Persons

To Add:

diff -r 364d56d319c1 -r 88832dc9643b ipa-server/ipa-gui/ipagui/templates/userlistajax.kid --- a/ipa-server/ipa-gui/ipagui/templates/userlistajax.kid Tue Sep 18 10:54:53 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/userlistajax.kid Tue Sep 18 14:58:30 2007 -0700 @@ -23,11 +23,14 @@

diff -r 364d56d319c1 -r 88832dc9643b ipa-server/xmlrpc-server/funcs.py --- a/ipa-server/xmlrpc-server/funcs.py Tue Sep 18 10:54:53 2007 -0700 +++ b/ipa-server/xmlrpc-server/funcs.py Tue Sep 18 14:58:30 2007 -0700 @@ -413,7 +413,7 @@ class IPAServer: return users - def find_users (self, criteria, sattrs=None, opts=None): + def find_users (self, criteria, sattrs=None, searchlimit=0, opts=None): """Returns a list: counter followed by the results. If the results are truncated, counter will be set to -1.""" # Assume the list of fields to search will come from a central @@ -435,13 +435,13 @@ class IPAServer: try: try: exact_results = conn.getListAsync(self.basedn, self.scope, - exact_match_filter, sattrs) + exact_match_filter, sattrs, 0, None, None, -1, searchlimit) except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): exact_results = [0] try: partial_results = conn.getListAsync(self.basedn, self.scope, - partial_match_filter, sattrs) + partial_match_filter, sattrs, 0, None, None, -1, searchlimit) except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): partial_results = [0] finally: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2228 bytes Desc: not available URL: From kmccarth at redhat.com Tue Sep 18 22:53:52 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Tue, 18 Sep 2007 15:53:52 -0700 Subject: [Freeipa-devel] [PATCH] group search improvements Message-ID: <20070918225352.GF21122@moon.usersys.redhat.com> This patch adds the same functionality user search has to group search: - async search with results in the event of size/time limits - return value indicating timeout - configurable search fields. This code is very ripe for re-factoring as there is now significant overlap between group and user search. I didn't want to do it quite yet, as there's some more I want to do with search (field specification) and I think that will be a good time to re-factor. -Kevin -------------- next part -------------- # HG changeset patch # User Kevin McCarthy # Date 1190156196 25200 # Node ID 4002a364c5bdd0be267d88cb2ea2a25ea65c0eef # Parent 88832dc9643b967ffed0aa4377512490accfe0e4 Implement asynchronous search for groups. Use the filter generation code to search on multiple fields. diff -r 88832dc9643b -r 4002a364c5bd ipa-python/ipaclient.py --- a/ipa-python/ipaclient.py Tue Sep 18 14:58:30 2007 -0700 +++ b/ipa-python/ipaclient.py Tue Sep 18 15:56:36 2007 -0700 @@ -158,13 +158,14 @@ class IPAClient: result = self.transport.add_group(group_dict, group_container) return result - def find_groups(self, criteria, sattrs=None): + def find_groups(self, criteria, sattrs=None, searchlimit=0): """Find groups whose cn matches the criteria. Wildcards are acceptable. Returns a list of Group objects.""" - result = self.transport.find_groups(criteria, sattrs) - - groups = [] - for attrs in result: + result = self.transport.find_groups(criteria, sattrs, searchlimit) + counter = result[0] + + groups = [counter] + for attrs in result[1:]: if attrs is not None: groups.append(group.Group(attrs)) diff -r 88832dc9643b -r 4002a364c5bd ipa-python/rpcclient.py --- a/ipa-python/rpcclient.py Tue Sep 18 14:58:30 2007 -0700 +++ b/ipa-python/rpcclient.py Tue Sep 18 15:56:36 2007 -0700 @@ -275,7 +275,7 @@ class RPCClient: except socket.error, (value, msg): raise xmlrpclib.Fault(value, msg) - def find_groups (self, criteria, sattrs=None): + def find_groups (self, criteria, sattrs=None, searchlimit=0): """Return a list containing a Group object for each group that matches the criteria.""" @@ -284,7 +284,7 @@ class RPCClient: # None values are not allowed in XML-RPC if sattrs is None: sattrs = "__NONE__" - result = server.find_groups(criteria, sattrs) + result = server.find_groups(criteria, sattrs, searchlimit) except xmlrpclib.Fault, fault: raise ipaerror.gen_exception(fault.faultCode, fault.faultString) except socket.error, (value, msg): diff -r 88832dc9643b -r 4002a364c5bd ipa-server/ipa-gui/ipagui/controllers.py --- a/ipa-server/ipa-gui/ipagui/controllers.py Tue Sep 18 14:58:30 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/controllers.py Tue Sep 18 15:56:36 2007 -0700 @@ -551,11 +551,11 @@ class Root(controllers.RootController): if criteria != None and len(criteria) > 0: try: groups = client.find_groups(criteria.encode('utf-8')) - # counter = groups[0] - # groups = groups[1:] - # if counter == -1: - # turbogears.flash("These results are truncated.
" + - # "Please refine your search and try again.") + counter = groups[0] + groups = groups[1:] + if counter == -1: + turbogears.flash("These results are truncated.
" + + "Please refine your search and try again.") except ipaerror.IPAError, e: turbogears.flash("Find groups failed: " + str(e)) raise turbogears.redirect("/grouplist") diff -r 88832dc9643b -r 4002a364c5bd ipa-server/xmlrpc-server/funcs.py --- a/ipa-server/xmlrpc-server/funcs.py Tue Sep 18 14:58:30 2007 -0700 +++ b/ipa-server/xmlrpc-server/funcs.py Tue Sep 18 15:56:36 2007 -0700 @@ -603,25 +603,72 @@ class IPAServer: finally: self.releaseConnection(conn) - def find_groups (self, criteria, sattrs=None, opts=None): + def find_groups (self, criteria, sattrs=None, searchlimit=0, opts=None): """Return a list containing a User object for each existing group that matches the criteria. """ + # Assume the list of fields to search will come from a central + # configuration repository. A good format for that would be + # a comma-separated list of fields + search_fields_conf_str = "cn,description" + search_fields = string.split(search_fields_conf_str, ",") + criteria = self.__safe_filter(criteria) - - filter = "(&(cn=%s)(objectClass=posixGroup))" % criteria - conn = self.getConnection(opts) - try: - results = conn.getList(self.basedn, self.scope, filter, sattrs) - except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): - results = [] - finally: - self.releaseConnection(conn) - - groups = [] - for u in results: + criteria_words = re.split(r'\s+', criteria) + criteria_words = filter(lambda value:value!="", criteria_words) + if len(criteria_words) == 0: + return [0] + + (exact_match_filter, partial_match_filter) = self.__generate_match_filters( + search_fields, criteria_words) + + # + # further constrain search to just the objectClass + # TODO - need to parameterize this into generate_match_filters, + # and work it into the field-specification search feature + # + exact_match_filter = "(&(objectClass=posixGroup)%s)" % exact_match_filter + partial_match_filter = "(&(objectClass=posixGroup)%s)" % partial_match_filter + + # + # TODO - copy/paste from find_users. needs to be refactored + # + conn = self.getConnection(opts) + try: + try: + exact_results = conn.getListAsync(self.basedn, self.scope, + exact_match_filter, sattrs, 0, None, None, -1, searchlimit) + except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): + exact_results = [0] + + try: + partial_results = conn.getListAsync(self.basedn, self.scope, + partial_match_filter, sattrs, 0, None, None, -1, searchlimit) + except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): + partial_results = [0] + finally: + self.releaseConnection(conn) + + exact_counter = exact_results[0] + partial_counter = partial_results[0] + + exact_results = exact_results[1:] + partial_results = partial_results[1:] + + # Remove exact matches from the partial_match list + exact_dns = set(map(lambda e: e.dn, exact_results)) + partial_results = filter(lambda e: e.dn not in exact_dns, + partial_results) + + if (exact_counter == -1) or (partial_counter == -1): + counter = -1 + else: + counter = len(exact_results) + len(partial_results) + + groups = [counter] + for u in exact_results + partial_results: groups.append(self.convert_entry(u)) - + return groups def add_user_to_group(self, user, group, opts=None): -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2228 bytes Desc: not available URL: From rcritten at redhat.com Wed Sep 19 12:48:22 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 19 Sep 2007 08:48:22 -0400 Subject: [Freeipa-devel] [PATCH] group search improvements In-Reply-To: <20070918225352.GF21122@moon.usersys.redhat.com> References: <20070918225352.GF21122@moon.usersys.redhat.com> Message-ID: <46F11A96.5040907@redhat.com> Kevin McCarthy wrote: > This patch adds the same functionality user search has to group search: > - async search with results in the event of size/time limits > - return value indicating timeout > - configurable search fields. > > This code is very ripe for re-factoring as there is now significant > overlap between group and user search. I didn't want to do it quite > yet, as there's some more I want to do with search (field specification) > and I think that will be a good time to re-factor. > > -Kevin I see what you mean about refactoring. I think it is ok to go as-is and we'll optimize later (I promise). Can you see if the command-line ipa-findgroup still works? I think the addition of the counter will break it. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From kmccarth at redhat.com Wed Sep 19 15:44:21 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Wed, 19 Sep 2007 08:44:21 -0700 Subject: [Freeipa-devel] [PATCH] group search improvements In-Reply-To: <46F11A96.5040907@redhat.com> References: <20070918225352.GF21122@moon.usersys.redhat.com> <46F11A96.5040907@redhat.com> Message-ID: <20070919154421.GB19392@moon.usersys.redhat.com> Rob Crittenden wrote: > Can you see if the command-line ipa-findgroup still works? I think the > addition of the counter will break it. I did forget to update ipa-findgroup (thanks Rob). Attached is a revised patch including that fix. -Kevin -------------- next part -------------- # HG changeset patch # User Kevin McCarthy # Date 1190216554 25200 # Node ID f7e2e4d1ed705049d26e77eab8829af43abe0055 # Parent 88832dc9643b967ffed0aa4377512490accfe0e4 Implement asynchronous search for groups. Use the filter generation code to search on multiple fields. diff -r 88832dc9643b -r f7e2e4d1ed70 ipa-admintools/ipa-findgroup --- a/ipa-admintools/ipa-findgroup Tue Sep 18 14:58:30 2007 -0700 +++ b/ipa-admintools/ipa-findgroup Wed Sep 19 08:42:34 2007 -0700 @@ -50,7 +50,9 @@ def main(): client = ipaclient.IPAClient() groups = client.find_groups(args[1]) - if len(groups) == 0: + counter = groups[0] + groups = groups[1:] + if counter == 0: print "No entries found for", args[1] return 0 diff -r 88832dc9643b -r f7e2e4d1ed70 ipa-python/ipaclient.py --- a/ipa-python/ipaclient.py Tue Sep 18 14:58:30 2007 -0700 +++ b/ipa-python/ipaclient.py Wed Sep 19 08:42:34 2007 -0700 @@ -158,13 +158,14 @@ class IPAClient: result = self.transport.add_group(group_dict, group_container) return result - def find_groups(self, criteria, sattrs=None): + def find_groups(self, criteria, sattrs=None, searchlimit=0): """Find groups whose cn matches the criteria. Wildcards are acceptable. Returns a list of Group objects.""" - result = self.transport.find_groups(criteria, sattrs) - - groups = [] - for attrs in result: + result = self.transport.find_groups(criteria, sattrs, searchlimit) + counter = result[0] + + groups = [counter] + for attrs in result[1:]: if attrs is not None: groups.append(group.Group(attrs)) diff -r 88832dc9643b -r f7e2e4d1ed70 ipa-python/rpcclient.py --- a/ipa-python/rpcclient.py Tue Sep 18 14:58:30 2007 -0700 +++ b/ipa-python/rpcclient.py Wed Sep 19 08:42:34 2007 -0700 @@ -275,7 +275,7 @@ class RPCClient: except socket.error, (value, msg): raise xmlrpclib.Fault(value, msg) - def find_groups (self, criteria, sattrs=None): + def find_groups (self, criteria, sattrs=None, searchlimit=0): """Return a list containing a Group object for each group that matches the criteria.""" @@ -284,7 +284,7 @@ class RPCClient: # None values are not allowed in XML-RPC if sattrs is None: sattrs = "__NONE__" - result = server.find_groups(criteria, sattrs) + result = server.find_groups(criteria, sattrs, searchlimit) except xmlrpclib.Fault, fault: raise ipaerror.gen_exception(fault.faultCode, fault.faultString) except socket.error, (value, msg): diff -r 88832dc9643b -r f7e2e4d1ed70 ipa-server/ipa-gui/ipagui/controllers.py --- a/ipa-server/ipa-gui/ipagui/controllers.py Tue Sep 18 14:58:30 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/controllers.py Wed Sep 19 08:42:34 2007 -0700 @@ -551,11 +551,11 @@ class Root(controllers.RootController): if criteria != None and len(criteria) > 0: try: groups = client.find_groups(criteria.encode('utf-8')) - # counter = groups[0] - # groups = groups[1:] - # if counter == -1: - # turbogears.flash("These results are truncated.
" + - # "Please refine your search and try again.") + counter = groups[0] + groups = groups[1:] + if counter == -1: + turbogears.flash("These results are truncated.
" + + "Please refine your search and try again.") except ipaerror.IPAError, e: turbogears.flash("Find groups failed: " + str(e)) raise turbogears.redirect("/grouplist") diff -r 88832dc9643b -r f7e2e4d1ed70 ipa-server/xmlrpc-server/funcs.py --- a/ipa-server/xmlrpc-server/funcs.py Tue Sep 18 14:58:30 2007 -0700 +++ b/ipa-server/xmlrpc-server/funcs.py Wed Sep 19 08:42:34 2007 -0700 @@ -603,25 +603,72 @@ class IPAServer: finally: self.releaseConnection(conn) - def find_groups (self, criteria, sattrs=None, opts=None): + def find_groups (self, criteria, sattrs=None, searchlimit=0, opts=None): """Return a list containing a User object for each existing group that matches the criteria. """ + # Assume the list of fields to search will come from a central + # configuration repository. A good format for that would be + # a comma-separated list of fields + search_fields_conf_str = "cn,description" + search_fields = string.split(search_fields_conf_str, ",") + criteria = self.__safe_filter(criteria) - - filter = "(&(cn=%s)(objectClass=posixGroup))" % criteria - conn = self.getConnection(opts) - try: - results = conn.getList(self.basedn, self.scope, filter, sattrs) - except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): - results = [] - finally: - self.releaseConnection(conn) - - groups = [] - for u in results: + criteria_words = re.split(r'\s+', criteria) + criteria_words = filter(lambda value:value!="", criteria_words) + if len(criteria_words) == 0: + return [0] + + (exact_match_filter, partial_match_filter) = self.__generate_match_filters( + search_fields, criteria_words) + + # + # further constrain search to just the objectClass + # TODO - need to parameterize this into generate_match_filters, + # and work it into the field-specification search feature + # + exact_match_filter = "(&(objectClass=posixGroup)%s)" % exact_match_filter + partial_match_filter = "(&(objectClass=posixGroup)%s)" % partial_match_filter + + # + # TODO - copy/paste from find_users. needs to be refactored + # + conn = self.getConnection(opts) + try: + try: + exact_results = conn.getListAsync(self.basedn, self.scope, + exact_match_filter, sattrs, 0, None, None, -1, searchlimit) + except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): + exact_results = [0] + + try: + partial_results = conn.getListAsync(self.basedn, self.scope, + partial_match_filter, sattrs, 0, None, None, -1, searchlimit) + except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): + partial_results = [0] + finally: + self.releaseConnection(conn) + + exact_counter = exact_results[0] + partial_counter = partial_results[0] + + exact_results = exact_results[1:] + partial_results = partial_results[1:] + + # Remove exact matches from the partial_match list + exact_dns = set(map(lambda e: e.dn, exact_results)) + partial_results = filter(lambda e: e.dn not in exact_dns, + partial_results) + + if (exact_counter == -1) or (partial_counter == -1): + counter = -1 + else: + counter = len(exact_results) + len(partial_results) + + groups = [counter] + for u in exact_results + partial_results: groups.append(self.convert_entry(u)) - + return groups def add_user_to_group(self, user, group, opts=None): -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2228 bytes Desc: not available URL: From rcritten at redhat.com Wed Sep 19 19:12:01 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 19 Sep 2007 15:12:01 -0400 Subject: [Freeipa-devel] [PATCH] group search improvements In-Reply-To: <20070919154421.GB19392@moon.usersys.redhat.com> References: <20070918225352.GF21122@moon.usersys.redhat.com> <46F11A96.5040907@redhat.com> <20070919154421.GB19392@moon.usersys.redhat.com> Message-ID: <46F17481.3070708@redhat.com> Kevin McCarthy wrote: > Rob Crittenden wrote: >> Can you see if the command-line ipa-findgroup still works? I think the >> addition of the counter will break it. > > I did forget to update ipa-findgroup (thanks Rob). > > Attached is a revised patch including that fix. > > -Kevin +1 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From kmccarth at redhat.com Wed Sep 19 20:47:02 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Wed, 19 Sep 2007 13:47:02 -0700 Subject: [Freeipa-devel] [PATCH] handle group add/del errors Message-ID: <20070919204702.GA21467@moon.usersys.redhat.com> This isn't the best solution, but it's a first step. With this commit, I'm considering groups "good enough" and will start mocking out some other parts of the app for discussion. -Kevin -------------- next part -------------- # HG changeset patch # User Kevin McCarthy # Date 1190234632 25200 # Node ID b52e28ce1b72dd28344038cfa0ca8a3576ddf7bf # Parent cd0f7c22cb7ab4811d128d5682795683d86c4abd Handle add/remove failures a little bit better. Still some refinements that can be done, but at least it shows the failures now. diff -r cd0f7c22cb7a -r b52e28ce1b72 ipa-server/ipa-gui/ipagui/controllers.py --- a/ipa-server/ipa-gui/ipagui/controllers.py Tue Sep 11 02:48:53 2007 -0400 +++ b/ipa-server/ipa-gui/ipagui/controllers.py Wed Sep 19 13:43:52 2007 -0700 @@ -446,7 +446,6 @@ class Root(controllers.RootController): return dict(form=group_edit_form, group=group_dict, members=member_dicts) except ipaerror.IPAError, e: - turbogears.flash("User show failed: " + str(e)) turbogears.flash("Group edit failed: " + str(e)) raise turbogears.redirect('/groupshow', uid=kw.get('cn')) @@ -489,12 +488,12 @@ class Root(controllers.RootController): if group_modified: rv = client.update_group(new_group) - # - # TODO - if the group update succeeds, but below operations fail, - # we needs to make sure a subsequent submit doesn't try to update - # the group again. Probably by overwriting the group_orig hidden - # field blob. - # + # + # If the group update succeeds, but below operations fail, we + # need to make sure a subsequent submit doesn't try to update + # the group again. + # + kw['group_orig'] = b64encode(dumps(new_group.toDict())) except ipaerror.IPAError, e: turbogears.flash("User update failed: " + str(e)) return dict(form=group_edit_form, group=kw, members=member_dicts, @@ -503,15 +502,14 @@ class Root(controllers.RootController): # # Add members # + failed_adds = [] try: uidadds = kw.get('uidadd') if uidadds != None: if not(isinstance(uidadds,list) or isinstance(uidadds,tuple)): uidadds = [uidadds] - failed = client.add_users_to_group(uidadds, kw.get('cn')) - # - # TODO - deal with failed adds - # + failed_adds = client.add_users_to_group(uidadds, kw.get('cn')) + kw['uidadd'] = failed_adds except ipaerror.IPAError, e: turbogears.flash("User update failed: " + str(e)) return dict(form=group_edit_form, group=kw, members=member_dicts, @@ -520,21 +518,36 @@ class Root(controllers.RootController): # # Remove members # + failed_dels = [] try: uiddels = kw.get('uiddel') if uiddels != None: if not(isinstance(uiddels,list) or isinstance(uiddels,tuple)): uiddels = [uiddels] - failed = client.remove_users_from_group(uiddels, kw.get('cn')) - # - # TODO - deal with failed removals - # + failed_dels = client.remove_users_from_group(uiddels, kw.get('cn')) + kw['uiddel'] = failed_dels except ipaerror.IPAError, e: turbogears.flash("User update failed: " + str(e)) return dict(form=group_edit_form, group=kw, members=member_dicts, tg_template='ipagui.templates.groupedit') - # TODO if not group_modified + # + # TODO - check failed ops to see if it's because of another update. + # handle "someone else already did it" errors better - perhaps + # not even as an error + # TODO - update the Group Members list. + # (note that we have to handle the above todo first, or else + # there will be an error message, but the add/del lists will + # be empty) + # + if (len(failed_adds) > 0) or (len(failed_dels) > 0): + message = "There was an error updating group members.
" + message += "Failures have been preserved in the add/remove lists." + if group_modified: + message = "Group Details successfully updated.
" + message + turbogears.flash(message) + return dict(form=group_edit_form, group=kw, members=member_dicts, + tg_template='ipagui.templates.groupedit') turbogears.flash("%s updated!" % kw['cn']) raise turbogears.redirect('/groupshow', cn=kw['cn']) diff -r cd0f7c22cb7a -r b52e28ce1b72 ipa-server/xmlrpc-server/funcs.py --- a/ipa-server/xmlrpc-server/funcs.py Tue Sep 11 02:48:53 2007 -0400 +++ b/ipa-server/xmlrpc-server/funcs.py Wed Sep 19 13:43:52 2007 -0700 @@ -715,7 +715,7 @@ class IPAServer: except ipaerror.exception_for(ipaerror.LDAP_EMPTY_MODLIST): # User is already in the group failed.append(user) - except ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND): + except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): # User or the group does not exist failed.append(user) @@ -773,7 +773,7 @@ class IPAServer: except ipaerror.exception_for(ipaerror.LDAP_EMPTY_MODLIST): # User is not in the group failed.append(user) - except ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND): + except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): # User or the group does not exist failed.append(user) -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2228 bytes Desc: not available URL: From rcritten at redhat.com Wed Sep 19 20:56:17 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 19 Sep 2007 16:56:17 -0400 Subject: [Freeipa-devel] [PATCH] handle group add/del errors In-Reply-To: <20070919204702.GA21467@moon.usersys.redhat.com> References: <20070919204702.GA21467@moon.usersys.redhat.com> Message-ID: <46F18CF1.5040906@redhat.com> Kevin McCarthy wrote: > This isn't the best solution, but it's a first step. With this commit, > I'm considering groups "good enough" and will start mocking out some > other parts of the app for discussion. > > -Kevin > +1 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From kmccarth at redhat.com Wed Sep 19 22:53:56 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Wed, 19 Sep 2007 15:53:56 -0700 Subject: [Freeipa-devel] [PATCH] add pasword change call to gui Message-ID: <20070919225355.GB21467@moon.usersys.redhat.com> This patch adds in the user password api call to the web gui. Currently, I am getting a permission error for this. Making the big assumption it's a known problem at this point. -Kevin -------------- next part -------------- # HG changeset patch # User Kevin McCarthy # Date 1190242741 25200 # Node ID 0774967a0594d3201ab6837a746682b6b82029f4 # Parent d38d108442e06a986eec88d47aed60cdc61d477f Add password changing call to web gui. diff -r d38d108442e0 -r 0774967a0594 ipa-server/ipa-gui/ipagui/controllers.py --- a/ipa-server/ipa-gui/ipagui/controllers.py Wed Sep 19 15:10:50 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/controllers.py Wed Sep 19 15:59:01 2007 -0700 @@ -151,6 +151,7 @@ class Root(controllers.RootController): return dict(form=user_edit_form, user=kw, tg_template='ipagui.templates.useredit') + password_change = False try: orig_user_dict = loads(b64decode(kw.get('user_orig'))) @@ -165,7 +166,7 @@ class Root(controllers.RootController): new_user.setValue('nsAccountLock', None) if kw.get('editprotected') == 'true': if kw.get('userpassword'): - new_user.setValue('userpassword', kw.get('userpassword')) + password_change = True new_user.setValue('uidnumber', str(kw.get('uidnumber'))) new_user.setValue('gidnumber', str(kw.get('gidnumber'))) @@ -177,12 +178,26 @@ class Root(controllers.RootController): new_user.getValue('sn'))) rv = client.update_user(new_user) - turbogears.flash("%s updated!" % kw['uid']) - raise turbogears.redirect('/usershow', uid=kw['uid']) + except ipaerror.exception_for(ipaerror.LDAP_EMPTY_MODLIST), e: + if not password_change: + turbogears.flash("User update failed: " + str(e)) + return dict(form=user_edit_form, user=kw, + tg_template='ipagui.templates.useredit') except ipaerror.IPAError, e: turbogears.flash("User update failed: " + str(e)) return dict(form=user_edit_form, user=kw, tg_template='ipagui.templates.useredit') + + try: + if password_change: + rv = client.modifyPassword(kw['uid'], "", kw.get('userpassword')) + except ipaerror.IPAError, e: + turbogears.flash("User password change failed: " + str(e)) + return dict(form=user_edit_form, user=kw, + tg_template='ipagui.templates.useredit') + + turbogears.flash("%s updated!" % kw['uid']) + raise turbogears.redirect('/usershow', uid=kw['uid']) @expose("ipagui.templates.userlist") -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2228 bytes Desc: not available URL: From rcritten at redhat.com Thu Sep 20 00:21:32 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 19 Sep 2007 20:21:32 -0400 Subject: [Freeipa-devel] [PATCH] add pasword change call to gui In-Reply-To: <20070919225355.GB21467@moon.usersys.redhat.com> References: <20070919225355.GB21467@moon.usersys.redhat.com> Message-ID: <46F1BD0C.1090208@redhat.com> Kevin McCarthy wrote: > This patch adds in the user password api call to the web gui. > > Currently, I am getting a permission error for this. Making the big > assumption it's a known problem at this point. > > -Kevin You're probably still using the old proxy method of authentication. Once the patches get caught up and you are forced to use kerberos things should work much better. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Thu Sep 20 12:46:57 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 20 Sep 2007 08:46:57 -0400 Subject: [Freeipa-devel] [PATCH] add pasword change call to gui In-Reply-To: <20070919225355.GB21467@moon.usersys.redhat.com> References: <20070919225355.GB21467@moon.usersys.redhat.com> Message-ID: <46F26BC1.5020400@redhat.com> Kevin McCarthy wrote: > This patch adds in the user password api call to the web gui. > > Currently, I am getting a permission error for this. Making the big > assumption it's a known problem at this point. > > -Kevin > Patch looks ok. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Thu Sep 20 14:06:35 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 20 Sep 2007 10:06:35 -0400 Subject: [Freeipa-devel] [PATCH] remove proxy support Message-ID: <46F27E6B.1080001@redhat.com> This patch removes the ACI and certificate generation for doing proxy authentication. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-180-noproxy.patch Type: text/x-patch Size: 4059 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Thu Sep 20 19:20:06 2007 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 20 Sep 2007 15:20:06 -0400 Subject: [Freeipa-devel] PATCH: setup bind as part of server configuration Message-ID: <1190316006.2567.113.camel@localhost.localdomain> This patch will help QA, you have to explicitly pass --setup-bind and no question about it is asked if you don't. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-180-setup-bind.patch Type: text/x-patch Size: 17641 bytes Desc: not available URL: From prowley at redhat.com Thu Sep 20 20:17:05 2007 From: prowley at redhat.com (Pete Rowley) Date: Thu, 20 Sep 2007 13:17:05 -0700 Subject: [Freeipa-devel] PATCH: setup bind as part of server configuration In-Reply-To: <1190316006.2567.113.camel@localhost.localdomain> References: <1190316006.2567.113.camel@localhost.localdomain> Message-ID: <46F2D541.6090402@redhat.com> Simo Sorce wrote: > This patch will help QA, you have to explicitly pass --setup-bind and no > question about it is asked if you don't. > Ack > ------------------------------------------------------------------------ > > # HG changeset patch > # User Simo Sorce > # Date 1190315421 14400 > # Node ID 9353b33672ee1bf8afabee1615d2cd4aebcce019 > # Parent 578d26927d915e3c85bded0c2206cf9679a58977 > Initial support for confiuguring a DNS Server during installation. > It's not perfect yet but good enough to include it. > > diff -r 578d26927d91 -r 9353b33672ee ipa-client/ipa-install/ipa-client-install > --- a/ipa-client/ipa-install/ipa-client-install Thu Sep 13 12:10:55 2007 -0400 > +++ b/ipa-client/ipa-install/ipa-client-install Thu Sep 20 15:10:21 2007 -0400 > @@ -31,7 +31,6 @@ import ipaclient.ipadiscovery > import ipaclient.ipadiscovery > import ipaclient.ipachangeconf > from ipa.ipautil import run > -import shutil > > def parse_options(): > parser = OptionParser(version=VERSION) > diff -r 578d26927d91 -r 9353b33672ee ipa-server/ipa-install/ipa-server-install > --- a/ipa-server/ipa-install/ipa-server-install Thu Sep 13 12:10:55 2007 -0400 > +++ b/ipa-server/ipa-install/ipa-server-install Thu Sep 20 15:10:21 2007 -0400 > @@ -36,6 +36,7 @@ from optparse import OptionParser > from optparse import OptionParser > import ipaserver.dsinstance > import ipaserver.krbinstance > +import ipaserver.bindinstance > from ipa.ipautil import run > > def parse_options(): > @@ -51,10 +52,13 @@ def parse_options(): > parser.add_option("-a", "--admin-password", dest="admin_password", > help="admin user kerberos password") > parser.add_option("-d", "--debug", dest="debug", action="store_true", > - dest="debug", default=False, help="print debugging information") > + default=False, help="print debugging information") > parser.add_option("--hostname", dest="host_name", help="fully qualified name of server") > - parser.add_option("-U", "--unattended", dest="unattended", > - help="unattended installation never prompts the user") > + parser.add_option("--ip-address", dest="ip_address", help="Master Server IP Address") > + parser.add_option("--setup-bind", dest="setup_bind", action="store_true", > + default=False, help="configure bind with our zone file") > + parser.add_option("-U", "--unattended", dest="unattended", action="store_true", > + default=False, help="unattended installation never prompts the user") > > options, args = parser.parse_args() > > @@ -63,7 +67,7 @@ def parse_options(): > not options.dm_password or > not options.admin_password or > not options.master_password): > - parser.error("error: In unattended mode you need to provide -u, -r, -p and -P options") > + parser.error("error: In unattended mode you need to provide iat least -u, -r, -p and -P options") > > return options > > @@ -93,34 +97,140 @@ def main(): > ds_user = "" > realm_name = "" > host_name = "" > + domain_name = "" > + ip_address = "" > master_password = "" > dm_password = "" > admin_password = "" > > + # check bind packages are installed > + bind = ipaserver.bindinstance.BindInstance() > + if options.setup_bind: > + if not bind.check_inst(): > + print "--setup-bind was specified but bind is not installed on the system" > + print "Please install bind (you also need the package 'caching-nameserver') and restart the setup program" > + return "-Fatal Error-" > + > # check the hostname is correctly configured, it must be as the kldap > # utilities just use the hostname as returned by gethostbyname to set > # up some of the standard entries > > + host_name = "" > if options.host_name: > host_name = options.host_name > else: > - host_name = socket.gethostname() > - if len(host_name.split(".")) < 2: > - print "Invalid hostname <"+host_name+">" > - print "Check the /etc/hosts file and make sure to have a valid FQDN" > - return "-Fatal Error-" > - > - ip = socket.gethostbyname(host_name) > - if ip == "127.0.0.1": > - print "The hostname resolves to the localhost address (127.0.0.1)" > - print "Please change your /etc/hosts file or your DNS so that the" > - print "hostname resolves to the ip address of your network interface." > - print "The KDC service does not listen on 127.0.0.1" > - print "" > - print "Please fix your /etc/hosts file and restart the setup program" > - return "-Fatal Error-" > - > - print "The Final KDC Host Name will be: " + host_name + ". With IP address: " + ip > + try: > + host_name = socket.gethostname() > + except: > + pass > + if options.unattended: > + if len(host_name.split(".")) < 2 or host_name == "localhost.localdomain": > + print "Invalid hostname: "+host_name > + print "This host name can't be used as a hostname for an IPA Server" > + return "-Fatal Error-" > + else: > + host_ok = False > + while not host_ok: > + if host_name == "": > + print "" > + host_name = raw_input("Please provide a Fully Qualified name to use for your system [master.example.com]: ") > + if host_name != "": > + host_name = "master.example.com" > + > + if len(host_name.split(".")) < 2 or host_name == "localhost.localdomain": > + print "Invalid hostname: "+host_name > + print "This host name can't be used as a hostname for an IPA Server" > + host_name = "" > + continue > + else: > + host_ok = True > + > + yesno = raw_input("Please confirm this ["+host_name+"] is the server hostname you want to use [Y/n]: ") > + if yesno != "" and yesno.lower() != 'y': > + host_name = "" > + host_ok = False > + > + domain_name = host_name[host_name.find(".")+1:] > + > + # Check we have a public IP that is associated with the hostname > + ip = "" > + askip = False > + try: > + ip = socket.gethostbyname(host_name) > + > + if ip == "127.0.0.1" or ip == "::1": > + print "The hostname resolves to the localhost address (127.0.0.1/::1)" > + print "Please change your /etc/hosts file so that the hostname" > + print "resolves to the ip address of your network interface." > + print "The KDC service does not listen on localhost" > + print "" > + print "Please fix your /etc/hosts file and restart the setup program" > + return "-Fatal Error-" > + > + except: > + print "The provided hostname can't actually be use to resolve the IP address" > + if options.ip_address: > + ip = options.ip_address > + else: > + askip = True > + > + if ip != "": > + try: > + socket.inet_pton(socket.AF_INET, ip) > + except: > + try: > + socket.inet_pton(socket.AF_INET6, ip) > + except: > + print "Invalid IP format" > + if options.unattended: > + return "-Fatal Error-" > + else: > + ip = "" > + askip = True > + > + if options.ip_address and options.ip_address != ip: > + if options.setup_bind: > + ip = options.ip_address > + else: > + print "Error: the hostname resolves to an IP that is different from the one provided on the command line" > + print "Please fix your DNS or /etc/hosts file to provide consistent information and restart the setup program" > + return "-Fatal Error-" > + > + if options.unattended: > + if askip or ip == "": > + print "Unable to resolve IP address" > + return "-Fatal Error-" > + > + while askip: > + ip = raw_input("Please provide the IP address to be used for this host name: ") > + > + if ip == "": > + print "An empty IP is not acceptable" > + continue > + if ip == "127.0.0.1" or ip == "::1": > + print "The IPA Server can't use localhost as a valid IP" > + continue > + > + try: > + socket.inet_pton(socket.AF_INET, ip) > + except: > + try: > + socket.inet_pton(socket.AF_INET6, ip) > + except: > + print "Invalid IP format" > + continue > + > + print "Adding ["+ip+" "+host_name+"] to your /etc/hosts file" > + hosts_fd = open('/etc/hosts', 'r+') > + hosts_fd.seek(0, 2) > + hosts_fd.write(ip+'\t'+host_name+' '+host_name[:host_name.find('.')]+'\n') > + hosts_fd.close() > + askip = False > + > + ip_address = ip > + > + print "The IPA Master Server Name will be: " + host_name + ". With IP address: " + ip_address > + print "The IPA Domain Name will be: " + domain_name > print "" > > if not options.ds_user: > @@ -152,7 +262,7 @@ def main(): > print "The kerberos protocol requires a Realm name to be defined." > print "Usually the domain name all in uppercase is used as realm name." > print "" > - upper_dom = (host_name[host_name.find(".")+1:]).upper() > + upper_dom = domain_name.upper() > realm_name = raw_input("Please provide a realm name ["+upper_dom+"]: ") > print "" > if realm_name == "": > @@ -227,6 +337,11 @@ def main(): > else: > admin_password = options.admin_password > > + if not options.unattended: > + print "" > + print "The following operations may take some minutes to complete." > + print "Please wait until the prompt is returned." > + > # Create a directory server instance > ds = ipaserver.dsinstance.DsInstance() > ds.create_instance(ds_user, realm_name, host_name, dm_password) > @@ -235,8 +350,24 @@ def main(): > krb = ipaserver.krbinstance.KrbInstance() > krb.create_instance(ds_user, realm_name, host_name, dm_password, master_password) > > - # Restart ds after the krb instance has changed ds configurations > + bind.setup(host_name, ip_address, realm_name) > + if options.setup_bind: > + skipbind = False > + if not options.unattended: > + print "This program is about to replace the DNS Server configuration," > + print "with an automatically generated one, based on the data gathered so far." > + print "This will REPLACE any existing configuration." > + yesno = raw_input("Are you sure you want to configure the DNS Server ? [y/N]: ") > + if yesno.lower() != 'y': > + skipbind = True > + if not skipbind: > + bind.create_instance() > + else: > + bind.create_sample_bind_zone() > + > + # Restart ds and krb after configurations have been changed > ds.restart() > + krb.restart() > > # Restart apache > run(["/sbin/service", "httpd", "restart"]) > diff -r 578d26927d91 -r 9353b33672ee ipa-server/ipa-install/share/bind.named.conf.template > --- /dev/null Thu Jan 01 00:00:00 1970 +0000 > +++ b/ipa-server/ipa-install/share/bind.named.conf.template Thu Sep 20 15:10:21 2007 -0400 > @@ -0,0 +1,41 @@ > +options { > + /* make named use port 53 for the source of all queries, to allow > + * firewalls to block all ports except 53: > + */ > + query-source port 53; > + query-source-v6 port 53; > + > + // Put files that named is allowed to write in the data/ directory: > + directory "/var/named"; // the default > + dump-file "data/cache_dump.db"; > + statistics-file "data/named_stats.txt"; > + memstatistics-file "data/named_mem_stats.txt"; > + > + /* Not used yet, support only on very recent bind versions */ > +# tkey-gssapi-credential "DNS/$FQDN"; > +# tkey-domain "$REALM"; > +}; > + > +logging { > +/* If you want to enable debugging, eg. using the 'rndc trace' command, > + * By default, SELinux policy does not allow named to modify the /var/named directory, > + * so put the default debug log file in data/ : > + */ > + channel default_debug { > + file "data/named.run"; > + severity dynamic; > + }; > +}; > + > +zone "." IN { > + type hint; > + file "named.ca"; > +}; > + > +include "/etc/named.rfc1912.zones"; > + > +zone "$DOMAIN" { > + type master; > + file "$DOMAIN.zone.db"; > +}; > + > diff -r 578d26927d91 -r 9353b33672ee ipa-server/ipaserver/bindinstance.py > --- /dev/null Thu Jan 01 00:00:00 1970 +0000 > +++ b/ipa-server/ipaserver/bindinstance.py Thu Sep 20 15:10:21 2007 -0400 > @@ -0,0 +1,113 @@ > +#! /usr/bin/python -E > +# Authors: Simo Sorce > +# > +# Copyright (C) 2007 Red Hat > +# see file 'COPYING' for use and warranty information > +# > +# This program is free software; you can redistribute it and/or > +# modify it under the terms of the GNU General Public License as > +# published by the Free Software Foundation; version 2 or later > +# > +# This program is distributed in the hope that it will be useful, > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +# GNU General Public License for more details. > +# > +# You should have received a copy of the GNU General Public License > +# along with this program; if not, write to the Free Software > +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA > +# > + > +import string > +import tempfile > +import shutil > +import os > +import socket > +from ipa.ipautil import * > + > +class BindInstance: > + def __init__(self): > + self.fqdn = None > + self.domain = None > + self.host = None > + self.ip_address = None > + self.realm = None > + self.sub_dict = None > + > + def setup(self, fqdn, ip_address, realm_name): > + self.fqdn = fqdn > + self.ip_address = ip_address > + self.realm = realm_name > + self.domain = fqdn[fqdn.find(".")+1:] > + self.host = fqdn[:fqdn.find(".")] > + > + self.__setup_sub_dict() > + > + def check_inst(self): > + # So far this file is always present in both RHEL5 and Fedora if all the necessary > + # bind packages are installed (RHEL5 requires also the pkg: caching-nameserver) > + if not os.path.exists('/etc/named.rfc1912.zones'): > + return False > + > + return True > + > + def create_sample_bind_zone(self): > + bind_txt = template_file(SHARE_DIR + "bind.zone.db.template", self.sub_dict) > + [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.") > + os.write(bind_fd, bind_txt) > + os.close(bind_fd) > + print "Sample zone file for bind has been created in "+bind_name > + > + def create_instance(self): > + > + try: > + self.stop() > + except: > + pass > + > + self.__setup_zone() > + self.__setup_named_conf() > + > + self.start() > + > + def stop(self): > + run(["/sbin/service", "named", "stop"]) > + > + def start(self): > + run(["/sbin/service", "named", "start"]) > + > + def restart(self): > + run(["/sbin/service", "named", "restart"]) > + > + def __setup_sub_dict(self): > + self.sub_dict = dict(FQDN=self.fqdn, > + IP=self.ip_address, > + DOMAIN=self.domain, > + HOST=self.host, > + REALM=self.realm) > + > + def __setup_zone(self): > + zone_txt = template_file(SHARE_DIR + "bind.zone.db.template", self.sub_dict) > + zone_fd = open('/var/named/'+self.domain+'.zone.db', 'w') > + zone_fd.write(zone_txt) > + zone_fd.close() > + > + def __setup_named_conf(self): > + if os.path.exists('/etc/named.conf'): > + shutil.copy2('/etc/named.conf', '/etc/named.conf.ipabkp') > + named_txt = template_file(SHARE_DIR + "bind.named.conf.template", self.sub_dict) > + named_fd = open('/etc/named.conf', 'w') > + named_fd.seek(0) > + named_fd.truncate(0) > + named_fd.write(named_txt) > + named_fd.close() > + > + if os.path.exists('/etc/resolve.conf'): > + shutil.copy2('/etc/resolve.conf', '/etc/resolv.conf.ipabkp') > + resolve_txt = "search "+self.domain+"\nnameserver "+self.ip_address+"\n" > + resolve_fd = open('/etc/resolve.conf', 'w') > + resolve_fd.seek(0) > + resolve_fd.truncate(0) > + resolve_fd.write(resolve_txt) > + resolve_fd.close() > + > diff -r 578d26927d91 -r 9353b33672ee ipa-server/ipaserver/krbinstance.py > --- a/ipa-server/ipaserver/krbinstance.py Thu Sep 13 12:10:55 2007 -0400 > +++ b/ipa-server/ipaserver/krbinstance.py Thu Sep 20 15:10:21 2007 -0400 > @@ -73,6 +73,9 @@ class KrbInstance: > > self.suffix = realm_to_suffix(self.realm) > self.kdc_password = generate_kdc_password() > + > + self.stop() > + > self.__configure_kdc_account_password() > > self.__setup_sub_dict() > @@ -88,8 +91,6 @@ class KrbInstance: > self.__create_http_keytab() > > self.__export_kadmin_changepw_keytab() > - > - self.__create_sample_bind_zone() > > self.__add_pwd_extop_module() > > @@ -161,13 +162,6 @@ class KrbInstance: > args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm] > run(args) > > - def __create_sample_bind_zone(self): > - bind_txt = template_file(SHARE_DIR + "bind.zone.db.template", self.sub_dict) > - [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.") > - os.write(bind_fd, bind_txt) > - os.close(bind_fd) > - print "Sample zone file for bind has been created in "+bind_name > - > def __create_ds_keytab(self): > (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local") > kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n") > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Pete -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3241 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Thu Sep 20 21:03:54 2007 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 20 Sep 2007 17:03:54 -0400 Subject: [Freeipa-devel] [PATCH] small proxyprovider fixes In-Reply-To: <20070911214102.GB32755@moon.usersys.redhat.com> References: <20070911214102.GB32755@moon.usersys.redhat.com> Message-ID: <1190322234.2567.116.camel@localhost.localdomain> On Tue, 2007-09-11 at 14:41 -0700, Kevin McCarthy wrote: > > > > > > > > plain text > document > attachment > (freeipa-189-smallproxyfixes.patch) Pushed From ssorce at redhat.com Thu Sep 20 21:04:08 2007 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 20 Sep 2007 17:04:08 -0400 Subject: [Freeipa-devel] [PATCH] add group In-Reply-To: <20070911215923.GC32755@moon.usersys.redhat.com> References: <20070911215923.GC32755@moon.usersys.redhat.com> Message-ID: <1190322248.2567.118.camel@localhost.localdomain> On Tue, 2007-09-11 at 14:59 -0700, Kevin McCarthy wrote: > plain text document attachment (freeipa-190-groupadd.patch) Pushed From ssorce at redhat.com Thu Sep 20 21:04:21 2007 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 20 Sep 2007 17:04:21 -0400 Subject: [Freeipa-devel] [PATCH] basic group list/show/edit In-Reply-To: <20070912173758.GC25543@moon.usersys.redhat.com> References: <20070912173758.GC25543@moon.usersys.redhat.com> Message-ID: <1190322261.2567.120.camel@localhost.localdomain> On Wed, 2007-09-12 at 10:37 -0700, Kevin McCarthy wrote: > > > plain text document attachment > (freeipa-192-grouplistedit.patch) Pushed From ssorce at redhat.com Thu Sep 20 21:04:34 2007 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 20 Sep 2007 17:04:34 -0400 Subject: [Freeipa-devel] [PATCH] javascript sorting of user results w/tablekit In-Reply-To: <20070913172712.GA19864@moon.usersys.redhat.com> References: <20070913172712.GA19864@moon.usersys.redhat.com> Message-ID: <1190322274.2567.122.camel@localhost.localdomain> On Thu, 2007-09-13 at 10:27 -0700, Kevin McCarthy wrote: > plain text document attachment (freeipa-181-usersort.diff) Pushed From ssorce at redhat.com Thu Sep 20 21:04:49 2007 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 20 Sep 2007 17:04:49 -0400 Subject: [Freeipa-devel] [PATCH] javascript sorting of user results w/tablekit In-Reply-To: <20070917160511.GA3793@moon.usersys.redhat.com> References: <20070913172712.GA19864@moon.usersys.redhat.com> <20070913172919.GB19864@moon.usersys.redhat.com> <1189711794.18288.30.camel@localhost.localdomain> <20070917160511.GA3793@moon.usersys.redhat.com> Message-ID: <1190322289.2567.124.camel@localhost.localdomain> On Mon, 2007-09-17 at 09:05 -0700, Kevin McCarthy wrote: > plain text document attachment (freeipa-193-sortimages.patch) Pushed From ssorce at redhat.com Thu Sep 20 21:06:44 2007 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 20 Sep 2007 17:06:44 -0400 Subject: [Freeipa-devel] [PATCH] ticket forwarding and TurboGears In-Reply-To: <46EAFE48.5090203@redhat.com> References: <46E98051.3020703@redhat.com> <20070914200837.GA9414@redhat.com> <46EAFE48.5090203@redhat.com> Message-ID: <1190322404.2567.126.camel@localhost.localdomain> On Fri, 2007-09-14 at 17:34 -0400, Rob Crittenden wrote: > plain text document attachment (freeipa-179-ticket.patch2) Pushed but I had merge conflicts as Kevin imported the previous version. Please check the merge is correct. Simo. From ssorce at redhat.com Thu Sep 20 21:06:56 2007 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 20 Sep 2007 17:06:56 -0400 Subject: [Freeipa-devel] [PATCH] draft of group member management In-Reply-To: <20070914221959.GD17116@moon.usersys.redhat.com> References: <20070914221959.GD17116@moon.usersys.redhat.com> Message-ID: <1190322416.2567.128.camel@localhost.localdomain> On Fri, 2007-09-14 at 15:20 -0700, Kevin McCarthy wrote: > plain text document attachment (freeipa-195-groupmember.patch) Pushed From ssorce at redhat.com Thu Sep 20 21:07:09 2007 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 20 Sep 2007 17:07:09 -0400 Subject: [Freeipa-devel] [PATCH] persist group add and remove lists on server round trip In-Reply-To: <20070917184347.GB3793@moon.usersys.redhat.com> References: <20070917184347.GB3793@moon.usersys.redhat.com> Message-ID: <1190322429.2567.130.camel@localhost.localdomain> On Mon, 2007-09-17 at 11:43 -0700, Kevin McCarthy wrote: > plain text document attachment (freeipa-196-persistaddremoves.patch) Pushed From ssorce at redhat.com Thu Sep 20 21:07:21 2007 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 20 Sep 2007 17:07:21 -0400 Subject: [Freeipa-devel] [PATCH] group refinements In-Reply-To: <20070917223456.GC3793@moon.usersys.redhat.com> References: <20070917223456.GC3793@moon.usersys.redhat.com> Message-ID: <1190322441.2567.132.camel@localhost.localdomain> On Mon, 2007-09-17 at 15:34 -0700, Kevin McCarthy wrote: > plain text document attachment (freeipa-197-groupdoubleadd.patch) Pushed From ssorce at redhat.com Thu Sep 20 21:07:37 2007 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 20 Sep 2007 17:07:37 -0400 Subject: [Freeipa-devel] [PATCH] fixes to edit protected checkbox In-Reply-To: <20070918174923.GC21122@moon.usersys.redhat.com> References: <20070918174923.GC21122@moon.usersys.redhat.com> Message-ID: <1190322457.2567.134.camel@localhost.localdomain> On Tue, 2007-09-18 at 10:49 -0700, Kevin McCarthy wrote: > plain text document attachment (freeipa-198-editprotectedfixes.patch) Pushed From ssorce at redhat.com Thu Sep 20 21:07:52 2007 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 20 Sep 2007 17:07:52 -0400 Subject: [Freeipa-devel] [PATCH] user search client-side limit In-Reply-To: <20070918215718.GE21122@moon.usersys.redhat.com> References: <20070918215718.GE21122@moon.usersys.redhat.com> Message-ID: <1190322472.2567.136.camel@localhost.localdomain> On Tue, 2007-09-18 at 14:57 -0700, Kevin McCarthy wrote: > plain text document attachment (freeipa-199-usersearchlimit.patch) Pushed From ssorce at redhat.com Thu Sep 20 21:08:05 2007 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 20 Sep 2007 17:08:05 -0400 Subject: [Freeipa-devel] [PATCH] group search improvements In-Reply-To: <20070919154421.GB19392@moon.usersys.redhat.com> References: <20070918225352.GF21122@moon.usersys.redhat.com> <46F11A96.5040907@redhat.com> <20070919154421.GB19392@moon.usersys.redhat.com> Message-ID: <1190322485.2567.138.camel@localhost.localdomain> On Wed, 2007-09-19 at 08:44 -0700, Kevin McCarthy wrote: > plain text document attachment (freeipa-200-groupsearch.patch) Pushed From ssorce at redhat.com Thu Sep 20 21:08:19 2007 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 20 Sep 2007 17:08:19 -0400 Subject: [Freeipa-devel] [PATCH] handle group add/del errors In-Reply-To: <20070919204702.GA21467@moon.usersys.redhat.com> References: <20070919204702.GA21467@moon.usersys.redhat.com> Message-ID: <1190322499.2567.140.camel@localhost.localdomain> On Wed, 2007-09-19 at 13:47 -0700, Kevin McCarthy wrote: > plain text document attachment (freeipa-201-groupfailures.patch) Pushed From ssorce at redhat.com Thu Sep 20 21:08:33 2007 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 20 Sep 2007 17:08:33 -0400 Subject: [Freeipa-devel] [PATCH] add pasword change call to gui In-Reply-To: <20070919225355.GB21467@moon.usersys.redhat.com> References: <20070919225355.GB21467@moon.usersys.redhat.com> Message-ID: <1190322513.2567.142.camel@localhost.localdomain> On Wed, 2007-09-19 at 15:53 -0700, Kevin McCarthy wrote: > plain text document attachment (freeipa-202-userpassword.patch) Pushed From kmccarth at redhat.com Thu Sep 20 21:19:28 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Thu, 20 Sep 2007 14:19:28 -0700 Subject: [Freeipa-devel] [PATCH] ticket forwarding and TurboGears In-Reply-To: <1190322404.2567.126.camel@localhost.localdomain> References: <46E98051.3020703@redhat.com> <20070914200837.GA9414@redhat.com> <46EAFE48.5090203@redhat.com> <1190322404.2567.126.camel@localhost.localdomain> Message-ID: <20070920211928.GB15868@moon.usersys.redhat.com> Simo Sorce wrote: > On Fri, 2007-09-14 at 17:34 -0400, Rob Crittenden wrote: > > plain text document attachment (freeipa-179-ticket.patch2) > > Pushed but I had merge conflicts as Kevin imported the previous version. > Please check the merge is correct. I missed importing Rob's patch. My subsequent code isn't using the correct new calls. I will submit a patch today to fix this problem. -Kevin -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2228 bytes Desc: not available URL: From ssorce at redhat.com Thu Sep 20 21:20:38 2007 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 20 Sep 2007 17:20:38 -0400 Subject: [Freeipa-devel] [PATCH] remove proxy support In-Reply-To: <46F27E6B.1080001@redhat.com> References: <46F27E6B.1080001@redhat.com> Message-ID: <1190323238.2567.144.camel@localhost.localdomain> On Thu, 2007-09-20 at 10:06 -0400, Rob Crittenden wrote: > differences between files attachment (freeipa-180-noproxy.patch) Acked and pushed From ssorce at redhat.com Thu Sep 20 21:20:51 2007 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 20 Sep 2007 17:20:51 -0400 Subject: [Freeipa-devel] PATCH: setup bind as part of server configuration In-Reply-To: <1190316006.2567.113.camel@localhost.localdomain> References: <1190316006.2567.113.camel@localhost.localdomain> Message-ID: <1190323251.2567.146.camel@localhost.localdomain> On Thu, 2007-09-20 at 15:20 -0400, Simo Sorce wrote: > differences between files attachment (freeipa-180-setup-bind.patch) Pushed From ssorce at redhat.com Thu Sep 20 21:21:32 2007 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 20 Sep 2007 17:21:32 -0400 Subject: [Freeipa-devel] [PATCH] Initial password setting support In-Reply-To: <46E6E758.6030006@redhat.com> References: <46E6E758.6030006@redhat.com> Message-ID: <1190323292.2567.148.camel@localhost.localdomain> On Tue, 2007-09-11 at 15:07 -0400, Rob Crittenden wrote: > differences between files attachment (freeipa-175-password.diff) Pushed From kmccarth at redhat.com Thu Sep 20 21:54:29 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Thu, 20 Sep 2007 14:54:29 -0700 Subject: [Freeipa-devel] [PATCH] krbcache setting fixes Message-ID: <20070920215429.GC15868@moon.usersys.redhat.com> This patch is to add the set_krbcache() calls to the new methods in controller I added. The patch is untested - I'm still having troubles with krb ticket issues. -Kevin -------------- next part -------------- # HG changeset patch # User Kevin McCarthy # Date 1190325203 25200 # Node ID 62a1ecb5573f42faa4453b094678abc6a784c2b5 # Parent e0c187057e32e2e58510023e427f5a615ab17539 Add set_krbccache() calls to new controller methods. Small fix to proxyprovider for anonymous case. diff -r e0c187057e32 -r 62a1ecb5573f ipa-server/ipa-gui/ipagui/controllers.py --- a/ipa-server/ipa-gui/ipagui/controllers.py Thu Sep 20 16:58:54 2007 -0400 +++ b/ipa-server/ipa-gui/ipagui/controllers.py Thu Sep 20 14:53:23 2007 -0700 @@ -228,7 +228,7 @@ class Root(controllers.RootController): def userlist_ajax(self, **kw): """Searches for users and displays list of results in a table. This method is used for ajax calls.""" - client.set_principal(identity.current.user_name) + client.set_krbccache(os.environ["KRB5CCNAME"]) users = [] searchlimit = 100 uid = kw.get('uid') @@ -332,7 +332,7 @@ class Root(controllers.RootController): if (len(givenname) == 0) or (len(sn) == 0): return "" - client.set_principal(identity.current.user_name) + client.set_krbccache(os.environ["KRB5CCNAME"]) givenname = givenname.lower() sn = sn.lower() @@ -384,7 +384,7 @@ class Root(controllers.RootController): if tg_errors: turbogears.flash("There was a problem with the form!") - client.set_principal(identity.current.user_name) + client.set_krbccache(os.environ["KRB5CCNAME"]) return dict(form=group_new_form) @@ -393,7 +393,7 @@ class Root(controllers.RootController): def groupcreate(self, **kw): """Creates a new group""" restrict_post() - client.set_principal(identity.current.user_name) + client.set_krbccache(os.environ["KRB5CCNAME"]) if kw.get('submit') == 'Cancel': turbogears.flash("Add group cancelled") @@ -427,7 +427,7 @@ class Root(controllers.RootController): if tg_errors: turbogears.flash("There was a problem with the form!") - client.set_principal(identity.current.user_name) + client.set_krbccache(os.environ["KRB5CCNAME"]) try: group = client.get_group_by_cn(cn, group_fields) @@ -470,7 +470,7 @@ class Root(controllers.RootController): def groupupdate(self, **kw): """Updates an existing group""" restrict_post() - client.set_principal(identity.current.user_name) + client.set_krbccache(os.environ["KRB5CCNAME"]) if kw.get('submit') == 'Cancel Edit': turbogears.flash("Edit group cancelled") raise turbogears.redirect('/groupshow', cn=kw.get('cn')) @@ -573,7 +573,7 @@ class Root(controllers.RootController): @identity.require(identity.not_anonymous()) def grouplist(self, **kw): """Search for groups and display results""" - client.set_principal(identity.current.user_name) + client.set_krbccache(os.environ["KRB5CCNAME"]) groups = None # counter = 0 criteria = kw.get('criteria') @@ -595,7 +595,7 @@ class Root(controllers.RootController): @identity.require(identity.not_anonymous()) def groupshow(self, cn): """Retrieve a single group for display""" - client.set_principal(identity.current.user_name) + client.set_krbccache(os.environ["KRB5CCNAME"]) try: group = client.get_group_by_cn(cn, group_fields) group_dict = group.toDict() diff -r e0c187057e32 -r 62a1ecb5573f ipa-server/ipa-gui/ipagui/proxyprovider.py --- a/ipa-server/ipa-gui/ipagui/proxyprovider.py Thu Sep 20 16:58:54 2007 -0400 +++ b/ipa-server/ipa-gui/ipagui/proxyprovider.py Thu Sep 20 14:53:23 2007 -0700 @@ -19,8 +19,7 @@ class IPA_User(object): class ProxyIdentity(object): def __init__(self, visit_key, user=None): - if user: - self._user= user + self._user= user self.visit_key= visit_key def _get_user(self): -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2228 bytes Desc: not available URL: From ssorce at redhat.com Thu Sep 20 22:13:13 2007 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 20 Sep 2007 18:13:13 -0400 Subject: [Freeipa-devel] [PATCH] krbcache setting fixes In-Reply-To: <20070920215429.GC15868@moon.usersys.redhat.com> References: <20070920215429.GC15868@moon.usersys.redhat.com> Message-ID: <1190326393.2567.150.camel@localhost.localdomain> On Thu, 2007-09-20 at 14:54 -0700, Kevin McCarthy wrote: > This patch is to add the set_krbcache() calls to the new methods in > controller I added. > > The patch is untested - I'm still having troubles with krb ticket > issues. Acked an pushed. From kmccarth at redhat.com Thu Sep 20 23:44:56 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Thu, 20 Sep 2007 16:44:56 -0700 Subject: [Freeipa-devel] web gui dev env issues Message-ID: <20070920234456.GE15868@moon.usersys.redhat.com> So after the latest push, I've still been unable to get my dev environment working again. My debugging shows the correct file name is making it all the way up to the conn.set_krbccache(krbccache) in funcs.py. In my krb5kdc.log file, I'm seeing a couple interesting errors: Sep 20 14:53:57 tuna.usersys.redhat.com krb5kdc[3602](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.25.136: UNKNOWN_SERVER: authtime 1190325099, test at FREEIPA.ORG for host/dhcp-172-16-25-252.sfbay.redhat.com at FREEIPA.ORG, Server not found in Kerberos database The interesting thing is that my vm running ipa is tuna.usersys.redhat.com (172.16.25.136). The host referenced above in the log file is my main laptop - where I'm running the browser hitting the web gui. Is my browser host information somehow making it all the way through as part of this? The other line that may be relevant is Sep 20 15:55:18 tuna.usersys.redhat.com krb5kdc[3602](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.25.136: NEEDED_PREAUTH: test at FREEIPA.ORG for krbtgt/FREEIPA.ORG at FREEIPA.ORG, Additional pre-authentication required Any ideas? I'm at a loss. Thanks, -Kevin -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2228 bytes Desc: not available URL: From ssorce at redhat.com Fri Sep 21 13:21:10 2007 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 21 Sep 2007 09:21:10 -0400 Subject: [Freeipa-devel] web gui dev env issues In-Reply-To: <20070920234456.GE15868@moon.usersys.redhat.com> References: <20070920234456.GE15868@moon.usersys.redhat.com> Message-ID: <1190380870.2567.154.camel@localhost.localdomain> On Thu, 2007-09-20 at 16:44 -0700, Kevin McCarthy wrote: > So after the latest push, I've still been unable to get my dev > environment working again. My debugging shows the correct file name is > making it all the way up to the > conn.set_krbccache(krbccache) in funcs.py. > > In my krb5kdc.log file, I'm seeing a couple interesting errors: > > Sep 20 14:53:57 tuna.usersys.redhat.com krb5kdc[3602](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.25.136: UNKNOWN_SERVER: authtime 1190325099, test at FREEIPA.ORG for host/dhcp-172-16-25-252.sfbay.redhat.com at FREEIPA.ORG, Server not found in Kerberos database > > The interesting thing is that my vm running ipa is tuna.usersys.redhat.com > (172.16.25.136). The host referenced above in the log file is my main laptop - > where I'm running the browser hitting the web gui. Is my browser host > information somehow making it all the way through as part of this? This must be a bug, I see no reason why something should try to contact your laptop. > The other line that may be relevant is > > Sep 20 15:55:18 tuna.usersys.redhat.com krb5kdc[3602](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.25.136: NEEDED_PREAUTH: test at FREEIPA.ORG for krbtgt/FREEIPA.ORG at FREEIPA.ORG, Additional pre-authentication required > This means the account does not have the Preauth bit set. When it is set the key material is calculated differently. Uhmm I guess I should set this in the ipa_kpasswd module Meanwhile you can work around this by removing the option from /var/kerberos/krb5kdc/kdc.conf and restart krb5kdc Simo. From rcritten at redhat.com Fri Sep 21 14:50:34 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 21 Sep 2007 10:50:34 -0400 Subject: [Freeipa-devel] [PATCH] command-line interactivity Message-ID: <46F3DA3A.6010801@redhat.com> - Give ipa-adduser, ipa-addgroup and ipa-usermod an interactive mode - Add ipa-passwd tool - Add simple field validation package -This patch adds a package requirement, python-krbV. This is needed to determine the current user based on their kerberos ticket. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-200-interactive.patch Type: text/x-patch Size: 18173 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Fri Sep 21 15:55:50 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 21 Sep 2007 11:55:50 -0400 Subject: [Freeipa-devel] [PATCH] command-line interactivity In-Reply-To: <46F3DA3A.6010801@redhat.com> References: <46F3DA3A.6010801@redhat.com> Message-ID: <46F3E986.30205@redhat.com> Rob Crittenden wrote: > - Give ipa-adduser, ipa-addgroup and ipa-usermod an interactive mode > - Add ipa-passwd tool > - Add simple field validation package > -This patch adds a package requirement, python-krbV. This is needed to > determine the current user based on their kerberos ticket. > > rob Ah crud, ignore this patch. I need to resubmit. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Fri Sep 21 15:58:57 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 21 Sep 2007 11:58:57 -0400 Subject: [Freeipa-devel] [PATCH] command-line interactivity In-Reply-To: <46F3DA3A.6010801@redhat.com> References: <46F3DA3A.6010801@redhat.com> Message-ID: <46F3EA41.3060904@redhat.com> Rob Crittenden wrote: > - Give ipa-adduser, ipa-addgroup and ipa-usermod an interactive mode > - Add ipa-passwd tool > - Add simple field validation package > -This patch adds a package requirement, python-krbV. This is needed to > determine the current user based on their kerberos ticket. I forgot to include the new files in the patch. This one replaces the earlier patch so we can have a unified check-in message. rob -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-200-interactive.patch2 URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Fri Sep 21 16:06:25 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 21 Sep 2007 12:06:25 -0400 Subject: [Freeipa-devel] [PATCH] handle login failures in GUI Message-ID: <46F3EC01.1030705@redhat.com> - Add a failed login page. In theory it should never been seen but it makes things nicer - Remove the login.kid page template - Remove the login link from master.kid rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-202-login.patch Type: text/x-patch Size: 6421 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From kmccarth at redhat.com Fri Sep 21 16:17:00 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Fri, 21 Sep 2007 09:17:00 -0700 Subject: [Freeipa-devel] [PATCH] handle login failures in GUI In-Reply-To: <46F3EC01.1030705@redhat.com> References: <46F3EC01.1030705@redhat.com> Message-ID: <20070921161659.GA13130@moon.usersys.redhat.com> Rob Crittenden wrote: > - Add a failed login page. In theory it should never been seen but it makes > things nicer > - Remove the login.kid page template > - Remove the login link from master.kid Looks good. A future todo would be to have loginfailed.kid extend master.kid so it uses the same layout automatically. But then we'll need to somehow "hide" links, so it may not be worth the effort. -Kevin -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2228 bytes Desc: not available URL: From rcritten at redhat.com Fri Sep 21 16:25:54 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 21 Sep 2007 12:25:54 -0400 Subject: [Freeipa-devel] [PATCH] handle login failures in GUI In-Reply-To: <20070921161659.GA13130@moon.usersys.redhat.com> References: <46F3EC01.1030705@redhat.com> <20070921161659.GA13130@moon.usersys.redhat.com> Message-ID: <46F3F092.2060103@redhat.com> Kevin McCarthy wrote: > Rob Crittenden wrote: >> - Add a failed login page. In theory it should never been seen but it makes >> things nicer >> - Remove the login.kid page template >> - Remove the login link from master.kid > > Looks good. > > A future todo would be to have loginfailed.kid extend > master.kid so it uses the same layout automatically. But then we'll > need to somehow "hide" links, so it may not be worth the effort. > > That is why I pulled the logo stuff out of master.kid. I had originally extended it but you could see all the links on the side :-( rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From kmccarth at redhat.com Fri Sep 21 16:29:12 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Fri, 21 Sep 2007 09:29:12 -0700 Subject: [Freeipa-devel] [PATCH] command-line interactivity In-Reply-To: <46F3EA41.3060904@redhat.com> References: <46F3DA3A.6010801@redhat.com> <46F3EA41.3060904@redhat.com> Message-ID: <20070921162912.GB13130@moon.usersys.redhat.com> Rob Crittenden wrote: > Rob Crittenden wrote: >> - Give ipa-adduser, ipa-addgroup and ipa-usermod an interactive mode >> - Add ipa-passwd tool >> - Add simple field validation package >> -This patch adds a package requirement, python-krbV. This is needed to >> determine the current user based on their kerberos ticket. > > I forgot to include the new files in the patch. This one replaces the > earlier patch so we can have a unified check-in message. Looks good. And unit tests even!!! -Kevin -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2228 bytes Desc: not available URL: From ssorce at redhat.com Fri Sep 21 17:00:19 2007 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 21 Sep 2007 13:00:19 -0400 Subject: [Freeipa-devel] [PATCH] handle login failures in GUI In-Reply-To: <46F3F092.2060103@redhat.com> References: <46F3EC01.1030705@redhat.com> <20070921161659.GA13130@moon.usersys.redhat.com> <46F3F092.2060103@redhat.com> Message-ID: <1190394019.2567.167.camel@localhost.localdomain> On Fri, 2007-09-21 at 12:25 -0400, Rob Crittenden wrote: > Kevin McCarthy wrote: > > Rob Crittenden wrote: > >> - Add a failed login page. In theory it should never been seen but it makes > >> things nicer > >> - Remove the login.kid page template > >> - Remove the login link from master.kid > > > > Looks good. > > > > A future todo would be to have loginfailed.kid extend > > master.kid so it uses the same layout automatically. But then we'll > > need to somehow "hide" links, so it may not be worth the effort. > > > > > > That is why I pulled the logo stuff out of master.kid. I had originally > extended it but you could see all the links on the side :-( May be split master in a common template for any usage, even anonymous? Then you can have an authedmaster.kid file that inherit from it as well as the loginfailed.kid one ? Just an idea. Simo. From kmccarth at redhat.com Fri Sep 21 17:05:11 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Fri, 21 Sep 2007 10:05:11 -0700 Subject: [Freeipa-devel] [PATCH] handle login failures in GUI In-Reply-To: <1190394019.2567.167.camel@localhost.localdomain> References: <46F3EC01.1030705@redhat.com> <20070921161659.GA13130@moon.usersys.redhat.com> <46F3F092.2060103@redhat.com> <1190394019.2567.167.camel@localhost.localdomain> Message-ID: <20070921170510.GE13130@moon.usersys.redhat.com> Simo Sorce wrote: > May be split master in a common template for any usage, even anonymous? > Then you can have an authedmaster.kid file that inherit from it as well > as the loginfailed.kid one ? I finally got a copy of the TG book this week. The last time I tried to figure out template inheritance it gave me a headache (it's not as simple as it should be). After I look over the template part of the book I'll see if I can make things better. -Kevin -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4054 bytes Desc: not available URL: From rcritten at redhat.com Fri Sep 21 19:23:15 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 21 Sep 2007 15:23:15 -0400 Subject: [Freeipa-devel] [PATCH] Add a little debugging Message-ID: <46F41A23.2030701@redhat.com> Added an Apache/mod_python config option to enable LDAP debugging. This should help diagnose problems. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-203-debug.patch Type: text/x-patch Size: 5982 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Sat Sep 22 02:24:47 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 21 Sep 2007 22:24:47 -0400 Subject: [Freeipa-devel] gui not packaged Message-ID: <46F47CEF.9010303@redhat.com> I just noticed that we aren't packaging the TurboGears GUI. Now that I think about it, I'm not sure where we should put it. Any bright ideas? rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From kmacmill at redhat.com Mon Sep 24 15:26:34 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Mon, 24 Sep 2007 11:26:34 -0400 Subject: [Freeipa-devel] gui not packaged In-Reply-To: <46F47CEF.9010303@redhat.com> References: <46F47CEF.9010303@redhat.com> Message-ID: <1190647594.4732.33.camel@localhost.localdomain> On Fri, 2007-09-21 at 22:24 -0400, Rob Crittenden wrote: > I just noticed that we aren't packaging the TurboGears GUI. > Minor detail. > Now that I think about it, I'm not sure where we should put it. > > Any bright ideas? > No bright ideas, but doesn't this somewhat depend on how we are going to deploy this? If we are going to sit behind apache then perhaps some apache related location is appropriate. Otherwise, I'm not sure. I don't think in the python site-lib (like the setup.py that is there would do) is a good idea. Karl From kmccarth at redhat.com Mon Sep 24 15:42:32 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Mon, 24 Sep 2007 08:42:32 -0700 Subject: [Freeipa-devel] gui not packaged In-Reply-To: <1190647594.4732.33.camel@localhost.localdomain> References: <46F47CEF.9010303@redhat.com> <1190647594.4732.33.camel@localhost.localdomain> Message-ID: <20070924154231.GA3516@moon.usersys.redhat.com> Karl MacMillan wrote: > On Fri, 2007-09-21 at 22:24 -0400, Rob Crittenden wrote: > > I just noticed that we aren't packaging the TurboGears GUI. > > > > Minor detail. > > > Now that I think about it, I'm not sure where we should put it. > > > > Any bright ideas? > > > > No bright ideas, but doesn't this somewhat depend on how we are going to > deploy this? If we are going to sit behind apache then perhaps some > apache related location is appropriate. Otherwise, I'm not sure. I don't > think in the python site-lib (like the setup.py that is there would do) > is a good idea. Yeah, perhaps under a /usr/share/ipa directory or something like that would be a reasonable place. -Kevin -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4054 bytes Desc: not available URL: From rcritten at redhat.com Mon Sep 24 19:39:20 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 24 Sep 2007 15:39:20 -0400 Subject: [Freeipa-devel] [PATCH] Show unauthenticated page Message-ID: <46F81268.9060401@redhat.com> Show a hopefully useful set of pages when the kerberos connection fails. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-200-interactive.patch Type: text/x-patch Size: 18173 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Mon Sep 24 19:43:22 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 24 Sep 2007 15:43:22 -0400 Subject: [Freeipa-devel] [PATCH] catch more exceptions Message-ID: <46F8135A.6010702@redhat.com> Some of the cmdline tools weren't catching IPAErrors. Fix that. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-205-exception.patch Type: text/x-patch Size: 2035 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Mon Sep 24 19:46:38 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 24 Sep 2007 15:46:38 -0400 Subject: [Freeipa-devel] [PATCH] more no proxy work Message-ID: <46F8141E.80407@redhat.com> Falling back to trying proxy auth was generating some bogus errors that just caused confusion. Don't even try falling back now, just let things fail. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-206-noproxy.patch Type: text/x-patch Size: 1187 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Mon Sep 24 19:48:28 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 24 Sep 2007 15:48:28 -0400 Subject: [Freeipa-devel] [PATCH] a little more debug output Message-ID: <46F8148C.8050208@redhat.com> Print the request environment for debugging purposes. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-207-debug.patch Type: text/x-patch Size: 1381 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Mon Sep 24 19:50:26 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 24 Sep 2007 15:50:26 -0400 Subject: [Freeipa-devel] [PATCH] install the new error pages Message-ID: <46F81502.3040309@redhat.com> Forgot to include the Makefile in the patch to add kerberos auth failure pages. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-208-errors.patch Type: text/x-patch Size: 654 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From kmacmill at redhat.com Mon Sep 24 19:51:29 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Mon, 24 Sep 2007 15:51:29 -0400 Subject: [Freeipa-devel] [PATCH] Show unauthenticated page In-Reply-To: <46F81268.9060401@redhat.com> References: <46F81268.9060401@redhat.com> Message-ID: <1190663489.8631.45.camel@localhost.localdomain> On Mon, 2007-09-24 at 15:39 -0400, Rob Crittenden wrote: > Show a hopefully useful set of pages when the kerberos connection fails. > Is this the correct patch attached? Karl From kmacmill at redhat.com Mon Sep 24 19:52:19 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Mon, 24 Sep 2007 15:52:19 -0400 Subject: [Freeipa-devel] [PATCH] catch more exceptions In-Reply-To: <46F8135A.6010702@redhat.com> References: <46F8135A.6010702@redhat.com> Message-ID: <1190663539.8631.47.camel@localhost.localdomain> On Mon, 2007-09-24 at 15:43 -0400, Rob Crittenden wrote: > Some of the cmdline tools weren't catching IPAErrors. Fix that. > Ached and pushed. Karl From rcritten at redhat.com Mon Sep 24 19:54:08 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 24 Sep 2007 15:54:08 -0400 Subject: [Freeipa-devel] [PATCH] client browser setup Message-ID: <46F815E0.1010601@redhat.com> First crack at automated browser configuration. Requires running a script to set things up on the client machine. One will need to run browsersetup.sh in order to get the configuration and links setup properly. This will blow up if Firefox is upgraded though. Each Firefox gets its own /usr/lib/firefox-version directory. This script will need to be run each time a new version of Firefox is installed. Note that I'm fairly sure that this will only affect new profiles, not existing ones. So if you get things setup properly they will work ok even through Firefox updates, but any new profiles created after an upgrade without the script being run won't work properly. Not sure what the right solution for that is, but its a start. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-209-clientsetup.patch Type: text/x-patch Size: 6373 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From kmacmill at redhat.com Mon Sep 24 19:54:42 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Mon, 24 Sep 2007 15:54:42 -0400 Subject: [Freeipa-devel] [PATCH] more no proxy work In-Reply-To: <46F8141E.80407@redhat.com> References: <46F8141E.80407@redhat.com> Message-ID: <1190663682.8631.49.camel@localhost.localdomain> On Mon, 2007-09-24 at 15:46 -0400, Rob Crittenden wrote: > Falling back to trying proxy auth was generating some bogus errors that > just caused confusion. Don't even try falling back now, just let things > fail. Acked and pushed. We could also just delete that code and trust the revision control system. Karl From rcritten at redhat.com Mon Sep 24 19:55:27 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 24 Sep 2007 15:55:27 -0400 Subject: [Freeipa-devel] [PATCH] Show unauthenticated page In-Reply-To: <1190663489.8631.45.camel@localhost.localdomain> References: <46F81268.9060401@redhat.com> <1190663489.8631.45.camel@localhost.localdomain> Message-ID: <46F8162F.5040203@redhat.com> Karl MacMillan wrote: > On Mon, 2007-09-24 at 15:39 -0400, Rob Crittenden wrote: >> Show a hopefully useful set of pages when the kerberos connection fails. >> > > Is this the correct patch attached? > > Karl > Crud. It is now. thanks rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-204-error.patch Type: text/x-patch Size: 4312 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From kmacmill at redhat.com Mon Sep 24 20:12:06 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Mon, 24 Sep 2007 16:12:06 -0400 Subject: [Freeipa-devel] [PATCH] handle login failures in GUI In-Reply-To: <46F3EC01.1030705@redhat.com> References: <46F3EC01.1030705@redhat.com> Message-ID: <1190664726.8631.58.camel@localhost.localdomain> On Fri, 2007-09-21 at 12:06 -0400, Rob Crittenden wrote: > - Add a failed login page. In theory it should never been seen but it > makes things nicer > - Remove the login.kid page template > - Remove the login link from master.kid > Pushed. From kmacmill at redhat.com Mon Sep 24 20:13:13 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Mon, 24 Sep 2007 16:13:13 -0400 Subject: [Freeipa-devel] [PATCH] command-line interactivity In-Reply-To: <46F3EA41.3060904@redhat.com> References: <46F3DA3A.6010801@redhat.com> <46F3EA41.3060904@redhat.com> Message-ID: <1190664793.8631.60.camel@localhost.localdomain> On Fri, 2007-09-21 at 11:58 -0400, Rob Crittenden wrote: > Rob Crittenden wrote: > > - Give ipa-adduser, ipa-addgroup and ipa-usermod an interactive mode > > - Add ipa-passwd tool > > - Add simple field validation package > > -This patch adds a package requirement, python-krbV. This is needed to > > determine the current user based on their kerberos ticket. > > I forgot to include the new files in the patch. This one replaces the > earlier patch so we can have a unified check-in message. > > rob Pushed. From kmacmill at redhat.com Mon Sep 24 20:14:28 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Mon, 24 Sep 2007 16:14:28 -0400 Subject: [Freeipa-devel] [PATCH] Add a little debugging In-Reply-To: <46F41A23.2030701@redhat.com> References: <46F41A23.2030701@redhat.com> Message-ID: <1190664868.8631.62.camel@localhost.localdomain> On Fri, 2007-09-21 at 15:23 -0400, Rob Crittenden wrote: > Added an Apache/mod_python config option to enable LDAP debugging. This > should help diagnose problems. > Pushed. From kmacmill at redhat.com Mon Sep 24 20:15:10 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Mon, 24 Sep 2007 16:15:10 -0400 Subject: [Freeipa-devel] [PATCH] a little more debug output In-Reply-To: <46F8148C.8050208@redhat.com> References: <46F8148C.8050208@redhat.com> Message-ID: <1190664910.8631.64.camel@localhost.localdomain> On Mon, 2007-09-24 at 15:48 -0400, Rob Crittenden wrote: > Print the request environment for debugging purposes. > Acked and pushed. From kmacmill at redhat.com Mon Sep 24 20:15:56 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Mon, 24 Sep 2007 16:15:56 -0400 Subject: [Freeipa-devel] [PATCH] Show unauthenticated page In-Reply-To: <46F8162F.5040203@redhat.com> References: <46F81268.9060401@redhat.com> <1190663489.8631.45.camel@localhost.localdomain> <46F8162F.5040203@redhat.com> Message-ID: <1190664956.8631.66.camel@localhost.localdomain> On Mon, 2007-09-24 at 15:55 -0400, Rob Crittenden wrote: > Karl MacMillan wrote: > > On Mon, 2007-09-24 at 15:39 -0400, Rob Crittenden wrote: > >> Show a hopefully useful set of pages when the kerberos connection fails. > >> > > > > Is this the correct patch attached? > > > > Karl > > > > Crud. It is now. Acked and pushed. "screenies"? Karl From kmacmill at redhat.com Mon Sep 24 20:16:19 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Mon, 24 Sep 2007 16:16:19 -0400 Subject: [Freeipa-devel] [PATCH] install the new error pages In-Reply-To: <46F81502.3040309@redhat.com> References: <46F81502.3040309@redhat.com> Message-ID: <1190664979.8631.68.camel@localhost.localdomain> On Mon, 2007-09-24 at 15:50 -0400, Rob Crittenden wrote: > Forgot to include the Makefile in the patch to add kerberos auth failure > pages. > Acked and pushed. Karl From kmacmill at redhat.com Mon Sep 24 20:17:37 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Mon, 24 Sep 2007 16:17:37 -0400 Subject: [Freeipa-devel] [PATCH] client browser setup In-Reply-To: <46F815E0.1010601@redhat.com> References: <46F815E0.1010601@redhat.com> Message-ID: <1190665057.8631.70.camel@localhost.localdomain> On Mon, 2007-09-24 at 15:54 -0400, Rob Crittenden wrote: > First crack at automated browser configuration. Requires running a > script to set things up on the client machine. > > One will need to run browsersetup.sh in order to get the configuration > and links setup properly. > > This will blow up if Firefox is upgraded though. Each Firefox gets its > own /usr/lib/firefox-version directory. This script will need to be run > each time a new version of Firefox is installed. Note that I'm fairly > sure that this will only affect new profiles, not existing ones. > > So if you get things setup properly they will work ok even through > Firefox updates, but any new profiles created after an upgrade without > the script being run won't work properly. > > Not sure what the right solution for that is, but its a start. > Acked and pushed. Karl From rcritten at redhat.com Mon Sep 24 20:45:15 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 24 Sep 2007 16:45:15 -0400 Subject: [Freeipa-devel] [PATCH] per-user browser configuration Message-ID: <46F821DB.6050208@redhat.com> The current code will modify the Firefox app.js which will cause the an rpm -V to choke. Add a new script that will change the current user's configuration. This needs more work to not hardcode freeipa.org. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-213-browser.patch Type: text/x-patch Size: 5763 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Mon Sep 24 21:37:49 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 24 Sep 2007 17:37:49 -0400 Subject: [Freeipa-devel] [PATCH] actually commit usersetup.sh Message-ID: <46F82E2D.2010509@redhat.com> In my rush to update the browser settings I forgot to add the new script. It is in this patch. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-214-usersetup.patch Type: text/x-patch Size: 2222 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Tue Sep 25 13:05:12 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 25 Sep 2007 09:05:12 -0400 Subject: [Freeipa-devel] [PATCH] bugfix for TurboGears Message-ID: <46F90788.1080901@redhat.com> Some new debugging code I added caused TurboGears to throw up. This should fix it. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-215-bugfix.patch Type: text/x-patch Size: 842 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Tue Sep 25 13:12:09 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 25 Sep 2007 09:12:09 -0400 Subject: [Freeipa-devel] [PATCH] make testing easier Message-ID: <46F90929.2060804@redhat.com> Simo is having problems with his Apache server seemingly not doing ticket forwarding but only for mod_python. In trying to help him diagnose this it became very apparent that even this low-level testing was difficult to setup. I've redone ipa.conf to not require Kerberos for the / but instead just target it for the things we use (plus /cgi-bin for good measure). I've added a new uri, /ipatest, that is shipped commented out but can be used for this and any future basic testing needs. I also include a simple CGI and a simple mod_python script that uses python-ldap to do a GSSAPI LDAP connection similar to what we do in IPA. Please consider this carefully. I'm a little nervous about the ipa.conf changes but they were necessary because for some reason curl choked when I had protected by Kerberos (either a bug in Apache or curl or both, but regardless testing was impossibe). The only risk is that we (or someone) adds a new URI to do work and it ends up not being protected by Kerberos. A small risk but a real one. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-216-testing.patch Type: text/x-patch Size: 8976 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Tue Sep 25 13:34:45 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 25 Sep 2007 09:34:45 -0400 Subject: [Freeipa-devel] [PATCH] make testing easier In-Reply-To: <46F90929.2060804@redhat.com> References: <46F90929.2060804@redhat.com> Message-ID: <46F90E75.40602@redhat.com> Rob Crittenden wrote: > Simo is having problems with his Apache server seemingly not doing > ticket forwarding but only for mod_python. In trying to help him > diagnose this it became very apparent that even this low-level testing > was difficult to setup. > > I've redone ipa.conf to not require Kerberos for the / but instead just > target it for the things we use (plus /cgi-bin for good measure). > > I've added a new uri, /ipatest, that is shipped commented out but can be > used for this and any future basic testing needs. > > I also include a simple CGI and a simple mod_python script that uses > python-ldap to do a GSSAPI LDAP connection similar to what we do in IPA. > > Please consider this carefully. I'm a little nervous about the ipa.conf > changes but they were necessary because for some reason curl choked when > I had protected by Kerberos (either a bug in Apache or curl > or both, but regardless testing was impossibe). > > The only risk is that we (or someone) adds a new URI to do work and it > ends up not being protected by Kerberos. A small risk but a real one. > Hmm, found an issue with the Apache configuration. Still review the patch but not ready for commit. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Tue Sep 25 14:12:51 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 25 Sep 2007 10:12:51 -0400 Subject: [Freeipa-devel] [PATCH] address issues with previous test patch Message-ID: <46F91763.9060901@redhat.com> This patch depends on the previous patch, freeipa-216-testint.patch. I stupidly used the same directory for both the tests and the real IPA server, oops. This fixes that. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-217-testing.patch Type: text/x-patch Size: 1441 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From kmccarth at redhat.com Tue Sep 25 17:16:42 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Tue, 25 Sep 2007 10:16:42 -0700 Subject: [Freeipa-devel] [PATCH] bugfix for TurboGears In-Reply-To: <46F90788.1080901@redhat.com> References: <46F90788.1080901@redhat.com> Message-ID: <20070925171642.GC20742@moon.usersys.redhat.com> Rob Crittenden wrote: > Some new debugging code I added caused TurboGears to throw up. This should > fix it. Looks good. -Kevin -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4054 bytes Desc: not available URL: From kmacmill at redhat.com Tue Sep 25 17:22:50 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Tue, 25 Sep 2007 13:22:50 -0400 Subject: [Freeipa-devel] [PATCH] per-user browser configuration In-Reply-To: <46F821DB.6050208@redhat.com> References: <46F821DB.6050208@redhat.com> Message-ID: <1190740970.4149.6.camel@localhost.localdomain> On Mon, 2007-09-24 at 16:45 -0400, Rob Crittenden wrote: > The current code will modify the Firefox app.js which will cause the an > rpm -V to choke. > > Add a new script that will change the current user's configuration. > > This needs more work to not hardcode freeipa.org. > Acked and pushed this and the next patch to commit usersetup.sh. Karl From kmacmill at redhat.com Tue Sep 25 17:23:28 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Tue, 25 Sep 2007 13:23:28 -0400 Subject: [Freeipa-devel] [PATCH] bugfix for TurboGears In-Reply-To: <20070925171642.GC20742@moon.usersys.redhat.com> References: <46F90788.1080901@redhat.com> <20070925171642.GC20742@moon.usersys.redhat.com> Message-ID: <1190741008.4149.8.camel@localhost.localdomain> On Tue, 2007-09-25 at 10:16 -0700, Kevin McCarthy wrote: > Rob Crittenden wrote: > > Some new debugging code I added caused TurboGears to throw up. This should > > fix it. > > Looks good. > Pushed. From kmacmill at redhat.com Tue Sep 25 17:55:11 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Tue, 25 Sep 2007 13:55:11 -0400 Subject: [Freeipa-devel] [PATCH] Misc small fixes Message-ID: * Remove the rpmbuild tree with the dist-clean target. * Move ipa-server-setupssl from /usr/sbin to /usr/share/ipa * Check in requirement change for generated freeipa-python.spec * Fix interactive hostname in ipa-server-install. Signed-off-by: User "Karl MacMillan " --- diff -r 219dd6d19458 -r b1273ecc5164 Makefile --- a/Makefile Mon Sep 24 15:26:35 2007 -0400 +++ b/Makefile Tue Sep 25 13:52:24 2007 -0400 @@ -155,4 +155,4 @@ local-dist: clean version-update local-a local-dist: clean version-update local-archive tarballs archive-cleanup rpms dist-clean: clean - rm -fr dist + rm -fr rpmbuild dist diff -r 219dd6d19458 -r b1273ecc5164 ipa-python/freeipa-python.spec --- a/ipa-python/freeipa-python.spec Mon Sep 24 15:26:35 2007 -0400 +++ b/ipa-python/freeipa-python.spec Tue Sep 25 13:52:24 2007 -0400 @@ -10,7 +10,7 @@ BuildRoot: %{_tmppath}/%{name}-%{ve BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch -Requires: python PyKerberos python-krbV +Requires: python PyKerberos %{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")} diff -r 219dd6d19458 -r b1273ecc5164 ipa-server/Makefile --- a/ipa-server/Makefile Mon Sep 24 15:26:35 2007 -0400 +++ b/ipa-server/Makefile Tue Sep 25 13:52:24 2007 -0400 @@ -1,5 +1,9 @@ SUBDIRS=ipa-install xmlrpc-server ipa-kp SUBDIRS=ipa-install xmlrpc-server ipa-kpasswd ipa-slapi-plugins -PYTHONDIR=$(DESTDIR)/usr/share/ipa/ipaserver + +SHAREDIR=$(DESTDIR)/usr/share/ipa +PYTHONDIR=$(SHAREDIR)/ipaserver +SBINDIR=$(DESTDIR)/usr/sbin + all: @for subdir in $(SUBDIRS); do \ diff -r 219dd6d19458 -r b1273ecc5164 ipa-server/freeipa-server.spec --- a/ipa-server/freeipa-server.spec Mon Sep 24 15:26:35 2007 -0400 +++ b/ipa-server/freeipa-server.spec Tue Sep 25 13:52:24 2007 -0400 @@ -41,7 +41,6 @@ rm -rf %{buildroot} %files %defattr(-,root,root,-) %{_sbindir}/ipa-server-install -%{_sbindir}/ipa-server-setupssl %{_sbindir}/ipa_kpasswd %attr(755,root,root) %{_initrddir}/ipa-kpasswd diff -r 219dd6d19458 -r b1273ecc5164 ipa-server/freeipa-server.spec.in --- a/ipa-server/freeipa-server.spec.in Mon Sep 24 15:26:35 2007 -0400 +++ b/ipa-server/freeipa-server.spec.in Tue Sep 25 13:52:24 2007 -0400 @@ -41,7 +41,6 @@ rm -rf %{buildroot} %files %defattr(-,root,root,-) %{_sbindir}/ipa-server-install -%{_sbindir}/ipa-server-setupssl %{_sbindir}/ipa_kpasswd %attr(755,root,root) %{_initrddir}/ipa-kpasswd diff -r 219dd6d19458 -r b1273ecc5164 ipa-server/ipa-install/Makefile --- a/ipa-server/ipa-install/Makefile Mon Sep 24 15:26:35 2007 -0400 +++ b/ipa-server/ipa-install/Makefile Tue Sep 25 13:52:24 2007 -0400 @@ -1,3 +1,4 @@ SBINDIR=$(DESTDIR)/usr/sbin +SHAREDIR=$(DESTDIR)/usr/share/ipa SBINDIR=$(DESTDIR)/usr/sbin all: ; @@ -5,7 +6,7 @@ install: install: -mkdir $(SBINDIR) install -m 755 ipa-server-install $(SBINDIR) - install -m 755 ipa-server-setupssl $(SBINDIR) + install -m 755 ipa-server-setupssl $(SHAREDIR) $(MAKE) -C share $@ $(MAKE) -C test $@ diff -r 219dd6d19458 -r b1273ecc5164 ipa-server/ipa-install/ipa-server-install --- a/ipa-server/ipa-install/ipa-server-install Mon Sep 24 15:26:35 2007 -0400 +++ b/ipa-server/ipa-install/ipa-server-install Tue Sep 25 13:52:24 2007 -0400 @@ -134,7 +134,7 @@ def main(): if host_name == "": print "" host_name = raw_input("Please provide a Fully Qualified name to use for your system [master.example.com]: ") - if host_name != "": + if host_name == "": host_name = "master.example.com" if len(host_name.split(".")) < 2 or host_name == "localhost.localdomain": diff -r 219dd6d19458 -r b1273ecc5164 ipa-server/ipaserver/dsinstance.py --- a/ipa-server/ipaserver/dsinstance.py Mon Sep 24 15:26:35 2007 -0400 +++ b/ipa-server/ipaserver/dsinstance.py Tue Sep 25 13:52:24 2007 -0400 @@ -156,7 +156,7 @@ class DsInstance: def __enable_ssl(self): logging.debug("configuring ssl for ds instance") dirname = self.config_dirname() - args = ["/usr/sbin/ipa-server-setupssl", self.dm_password, + args = ["/usr/share/ipa/ipa-server-setupssl", self.dm_password, dirname, self.host_name] run(args) logging.debug("done configuring ssl for ds instance") From kmccarth at redhat.com Tue Sep 25 18:30:06 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Tue, 25 Sep 2007 11:30:06 -0700 Subject: [Freeipa-devel] [PATCH] a bunch of small tweeks Message-ID: <20070925183006.GD20742@moon.usersys.redhat.com> This is a set of small tweeks suggested in my meeting with Bob and Pete yesterday. The most controversial is adding a search timeout for find users and groups. I've put this at 2 seconds for now. The problem with this approach is that it makes the number of results that come back random - depending on the server. So, consider it a test. Please send your feedback if you have opinions (it's pushed to demo). Thanks, -Kevin -------------- next part -------------- # HG changeset patch # User Kevin McCarthy # Date 1190744748 25200 # Node ID 5d98050287aaaf9a6e9918f285c35615c6a8da2f # Parent 352318dff857cf339f5385e4ab6062ca4ed85fb2 Misc small fixes: - Members of groups are clickable - Combine name and uid into a single column in find users - Remove license plate from searching - Mailto links on user emails - Add timelimit to finds. This is experimental... - Fix usersearch to only search on objectClass=Person - Change search to use get parameter diff -r 352318dff857 -r 5d98050287aa ipa-server/ipa-gui/ipagui/templates/grouplist.kid --- a/ipa-server/ipa-gui/ipagui/templates/grouplist.kid Tue Sep 25 09:13:14 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/grouplist.kid Tue Sep 25 11:25:48 2007 -0700 @@ -7,7 +7,7 @@

- diff -r 352318dff857 -r 5d98050287aa ipa-server/ipa-gui/ipagui/templates/groupshow.kid --- a/ipa-server/ipa-gui/ipagui/templates/groupshow.kid Tue Sep 25 09:13:14 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/groupshow.kid Tue Sep 25 11:25:48 2007 -0700 @@ -37,8 +37,10 @@ - ${member_name} (${member.get('uid')}) + ${member_name} (${member_uid})

diff -r 352318dff857 -r 5d98050287aa ipa-server/ipa-gui/ipagui/templates/userlist.kid --- a/ipa-server/ipa-gui/ipagui/templates/userlist.kid Tue Sep 25 09:13:14 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/userlist.kid Tue Sep 25 11:25:48 2007 -0700 @@ -8,7 +8,7 @@

- @@ -22,10 +22,7 @@ - ${fields.uid.label} - - - Name + Person Phone @@ -36,18 +33,14 @@ Title - - License Plate - - ${user.uid} - - - ${user.givenName} ${user.sn} + ${user.givenName} ${user.sn} + (${user.uid}) ${user.telephoneNumber} @@ -58,9 +51,6 @@ ${user.title} - - ${user.carLicense} - diff -r 352318dff857 -r 5d98050287aa ipa-server/ipa-gui/ipagui/templates/usershow.kid --- a/ipa-server/ipa-gui/ipagui/templates/usershow.kid Tue Sep 25 09:13:14 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/usershow.kid Tue Sep 25 11:25:48 2007 -0700 @@ -70,7 +70,7 @@ else: : - ${user.get("mail")} + ${user.get("mail")} diff -r 352318dff857 -r 5d98050287aa ipa-server/ipaserver/ipaldap.py --- a/ipa-server/ipaserver/ipaldap.py Tue Sep 25 09:13:14 2007 -0700 +++ b/ipa-server/ipaserver/ipaldap.py Tue Sep 25 11:25:48 2007 -0700 @@ -343,7 +343,8 @@ class IPAdmin(SimpleLDAPObject): for result in result_list: entries.append(result) type, result_list = self.result(msgid, 0) - except (ldap.ADMINLIMIT_EXCEEDED, ldap.SIZELIMIT_EXCEEDED), e: + except (ldap.ADMINLIMIT_EXCEEDED, ldap.SIZELIMIT_EXCEEDED, + ldap.TIMELIMIT_EXCEEDED), e: partial = 1 except ldap.LDAPError, e: raise ipaerror.gen_exception(ipaerror.LDAP_DATABASE_ERROR, None, e) diff -r 352318dff857 -r 5d98050287aa ipa-server/xmlrpc-server/funcs.py --- a/ipa-server/xmlrpc-server/funcs.py Tue Sep 25 09:13:14 2007 -0700 +++ b/ipa-server/xmlrpc-server/funcs.py Tue Sep 25 11:25:48 2007 -0700 @@ -424,10 +424,14 @@ class IPAServer: def find_users (self, criteria, sattrs=None, searchlimit=0, opts=None): """Returns a list: counter followed by the results. If the results are truncated, counter will be set to -1.""" + + # TODO - retrieve from config + timelimit = 2 + # Assume the list of fields to search will come from a central # configuration repository. A good format for that would be # a comma-separated list of fields - search_fields_conf_str = "uid,givenName,sn,telephoneNumber,ou,carLicense,title" + search_fields_conf_str = "uid,givenName,sn,telephoneNumber,ou,title" search_fields = string.split(search_fields_conf_str, ",") criteria = self.__safe_filter(criteria) @@ -439,17 +443,27 @@ class IPAServer: (exact_match_filter, partial_match_filter) = self.__generate_match_filters( search_fields, criteria_words) + # + # further constrain search to just the objectClass + # TODO - need to parameterize this into generate_match_filters, + # and work it into the field-specification search feature + # + exact_match_filter = "(&(objectClass=person)%s)" % exact_match_filter + partial_match_filter = "(&(objectClass=person)%s)" % partial_match_filter + conn = self.getConnection(opts) try: try: exact_results = conn.getListAsync(self.basedn, self.scope, - exact_match_filter, sattrs, 0, None, None, -1, searchlimit) + exact_match_filter, sattrs, 0, None, None, timelimit, + searchlimit) except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): exact_results = [0] try: partial_results = conn.getListAsync(self.basedn, self.scope, - partial_match_filter, sattrs, 0, None, None, -1, searchlimit) + partial_match_filter, sattrs, 0, None, None, timelimit, + searchlimit) except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): partial_results = [0] finally: @@ -615,6 +629,10 @@ class IPAServer: """Return a list containing a User object for each existing group that matches the criteria. """ + + # TODO - retrieve from config + timelimit = 2 + # Assume the list of fields to search will come from a central # configuration repository. A good format for that would be # a comma-separated list of fields @@ -645,13 +663,15 @@ class IPAServer: try: try: exact_results = conn.getListAsync(self.basedn, self.scope, - exact_match_filter, sattrs, 0, None, None, -1, searchlimit) + exact_match_filter, sattrs, 0, None, None, timelimit, + searchlimit) except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): exact_results = [0] try: partial_results = conn.getListAsync(self.basedn, self.scope, - partial_match_filter, sattrs, 0, None, None, -1, searchlimit) + partial_match_filter, sattrs, 0, None, None, timelimit, + searchlimit) except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): partial_results = [0] finally: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4054 bytes Desc: not available URL: From kmacmill at redhat.com Tue Sep 25 19:10:48 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Tue, 25 Sep 2007 15:10:48 -0400 Subject: [Freeipa-devel] [PATCH] Make apache work with selinux Message-ID: <6e5bd8def3659ba1dae9.1190747448@localhost.localdomain> The default configuration of the apache selinux policy doesn't allow apache to connect to the turbogears gui. This sets the correct boolean to allow that connection. Signed-off-by: User "Karl MacMillan " --- diff -r b1273ecc5164 -r 6e5bd8def365 ipa-server/ipa-install/ipa-server-install --- a/ipa-server/ipa-install/ipa-server-install Tue Sep 25 13:52:24 2007 -0400 +++ b/ipa-server/ipa-install/ipa-server-install Tue Sep 25 15:09:01 2007 -0400 @@ -369,6 +369,9 @@ def main(): ds.restart() krb.restart() + # Allow apache to connect to the turbogears web gui + run(["/usr/sbin/setsebool", "httpd_can_network", "true"]) + # Restart apache run(["/sbin/service", "httpd", "restart"]) From kmccarth at redhat.com Tue Sep 25 20:32:03 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Tue, 25 Sep 2007 13:32:03 -0700 Subject: [Freeipa-devel] [PATCH] show user groups Message-ID: <20070925203203.GE20742@moon.usersys.redhat.com> This patch adds the list of groups a user belongs to onto the usershow page. -Kevin -------------- next part -------------- # HG changeset patch # User Kevin McCarthy # Date 1190752543 25200 # Node ID a481d970fdc257ff919f72b7a9dc8d0459eab0d3 # Parent 5d98050287aaaf9a6e9918f285c35615c6a8da2f Show the list of groups a user belongs to. diff -r 5d98050287aa -r a481d970fdc2 ipa-python/ipaclient.py --- a/ipa-python/ipaclient.py Tue Sep 25 11:25:48 2007 -0700 +++ b/ipa-python/ipaclient.py Tue Sep 25 13:35:43 2007 -0700 @@ -160,6 +160,15 @@ class IPAClient: result = self.transport.get_group_by_dn(dn,sattrs) return group.Group(result) + def get_groups_by_member(self,member_dn,sattrs=None): + """Gets the groups that member_dn belongs to. + If sattrs is not None then only those + attributes will be returned, otherwise all available + attributes are returned. The result is a list of groups.""" + results = self.transport.get_groups_by_member(member_dn,sattrs) + + return map(lambda result: group.Group(result), results) + def add_group(self,group,group_container=None): """Add a group. group is a ipa.group.Group object""" diff -r 5d98050287aa -r a481d970fdc2 ipa-python/rpcclient.py --- a/ipa-python/rpcclient.py Tue Sep 25 11:25:48 2007 -0700 +++ b/ipa-python/rpcclient.py Tue Sep 25 13:35:43 2007 -0700 @@ -258,6 +258,23 @@ class RPCClient: return ipautil.unwrap_binary_data(result) + def get_groups_by_member(self,member_dn,sattrs=None): + """Gets the groups that member_dn belongs to. + If sattrs is not None then only those + attributes will be returned, otherwise all available + attributes are returned. The result is a list of dicts.""" + server = self.setup_server() + if sattrs is None: + sattrs = "__NONE__" + try: + result = server.get_groups_by_member(member_dn, sattrs) + except xmlrpclib.Fault, fault: + raise ipaerror.gen_exception(fault.faultCode, fault.faultString) + except socket.error, (value, msg): + raise xmlrpclib.Fault(value, msg) + + return ipautil.unwrap_binary_data(result) + def add_group(self,group,group_container=None): """Add a new group. Takes as input a dict where the key is the attribute name and the value is either a string or in the case diff -r 5d98050287aa -r a481d970fdc2 ipa-server/ipa-gui/ipagui/controllers.py --- a/ipa-server/ipa-gui/ipagui/controllers.py Tue Sep 25 11:25:48 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/controllers.py Tue Sep 25 13:35:43 2007 -0700 @@ -251,7 +251,9 @@ class Root(controllers.RootController): client.set_krbccache(os.environ["KRB5CCNAME"]) try: user = client.get_user_by_uid(uid, user_fields) - return dict(user=user.toDict(), fields=forms.user.UserFields()) + user_groups = client.get_groups_by_member(user.dn, ['cn']) + return dict(user=user.toDict(), fields=forms.user.UserFields(), + user_groups=user_groups) except ipaerror.IPAError, e: turbogears.flash("User show failed: " + str(e)) raise turbogears.redirect("/") diff -r 5d98050287aa -r a481d970fdc2 ipa-server/ipa-gui/ipagui/templates/usershow.kid --- a/ipa-server/ipa-gui/ipagui/templates/usershow.kid Tue Sep 25 11:25:48 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/usershow.kid Tue Sep 25 13:35:43 2007 -0700 @@ -90,6 +90,14 @@ else: +

Groups

+ ${group.cn} +

+ +
+
+ edit diff -r 5d98050287aa -r a481d970fdc2 ipa-server/xmlrpc-server/funcs.py --- a/ipa-server/xmlrpc-server/funcs.py Tue Sep 25 11:25:48 2007 -0700 +++ b/ipa-server/xmlrpc-server/funcs.py Tue Sep 25 13:35:43 2007 -0700 @@ -204,6 +204,20 @@ class IPAServer: return self.convert_entry(ent) + def __get_list (self, base, filter, sattrs=None, opts=None): + """Gets a list of entries. Each is converted to a dict of values. + Multi-valued fields are represented as lists. + """ + entries = [] + + conn = self.getConnection(opts) + try: + entries = conn.getList(base, self.scope, filter, sattrs) + finally: + self.releaseConnection(conn) + + return map(self.convert_entry, entries) + def __update_entry (self, oldentry, newentry, opts=None): """Update an LDAP entry @@ -585,7 +599,7 @@ class IPAServer: cn = self.__safe_filter(cn) filter = "(cn=" + cn + ")" return self.__get_entry(self.basedn, filter, sattrs, opts) - + def get_group_by_dn (self, dn, sattrs=None, opts=None): """Get a specific group's entry. Return as a dict of values. Multi-valued fields are represented as lists. @@ -593,7 +607,16 @@ class IPAServer: filter = "(objectClass=*)" return self.__get_entry(dn, filter, sattrs, opts) - + + def get_groups_by_member (self, member_dn, sattrs=None, opts=None): + """Get a specific group's entry. Return as a dict of values. + Multi-valued fields are represented as lists. + """ + + filter = "(&(objectClass=posixGroup)(uniqueMember=%s))" % member_dn + + return self.__get_list(self.basedn, filter, sattrs, opts) + def add_group (self, group, group_container=None, opts=None): """Add a group in LDAP. Takes as input a dict where the key is the attribute name and the value is either a string or in the case diff -r 5d98050287aa -r a481d970fdc2 ipa-server/xmlrpc-server/ipaxmlrpc.py --- a/ipa-server/xmlrpc-server/ipaxmlrpc.py Tue Sep 25 11:25:48 2007 -0700 +++ b/ipa-server/xmlrpc-server/ipaxmlrpc.py Tue Sep 25 13:35:43 2007 -0700 @@ -326,6 +326,7 @@ def handler(req, profiling=False): h.register_function(f.modifyPassword) h.register_function(f.get_group_by_cn) h.register_function(f.get_group_by_dn) + h.register_function(f.get_groups_by_member) h.register_function(f.add_group) h.register_function(f.find_groups) h.register_function(f.add_user_to_group) -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4054 bytes Desc: not available URL: From kmccarth at redhat.com Tue Sep 25 22:40:36 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Tue, 25 Sep 2007 15:40:36 -0700 Subject: [Freeipa-devel] [PATCH] managers and direct reports Message-ID: <20070925224035.GF20742@moon.usersys.redhat.com> This patch adds manager and direct reports to the usershow page. It depends on the freeipa-212-usergrouplist.patch, as it fixes a bug in it. -Kevin -------------- next part -------------- # HG changeset patch # User Kevin McCarthy # Date 1190760289 25200 # Node ID 18ac2f4b2b71549356300b311b59d9781b304a32 # Parent a481d970fdc257ff919f72b7a9dc8d0459eab0d3 Adds manager and direct reports to usershow page. Fixes a bug with the group by member where is wasn't trapping not found errors. diff -r a481d970fdc2 -r 18ac2f4b2b71 ipa-python/ipaclient.py --- a/ipa-python/ipaclient.py Tue Sep 25 13:35:43 2007 -0700 +++ b/ipa-python/ipaclient.py Tue Sep 25 15:44:49 2007 -0700 @@ -68,6 +68,15 @@ class IPAClient: result = self.transport.get_user_by_dn(dn,sattrs) return user.User(result) + def get_users_by_manager(self,manager_dn,sattrs=None): + """Gets the users the report to a particular manager. + If sattrs is not None then only those + attributes will be returned, otherwise all available + attributes are returned. The result is a list of groups.""" + results = self.transport.get_users_by_manager(manager_dn, sattrs) + + return map(lambda result: user.User(result), results) + def add_user(self,user,user_container=None): """Add a user. user is a ipa.user.User object""" diff -r a481d970fdc2 -r 18ac2f4b2b71 ipa-python/rpcclient.py --- a/ipa-python/rpcclient.py Tue Sep 25 13:35:43 2007 -0700 +++ b/ipa-python/rpcclient.py Tue Sep 25 15:44:49 2007 -0700 @@ -101,6 +101,23 @@ class RPCClient: return ipautil.unwrap_binary_data(result) + def get_users_by_manager(self,manager_dn,sattrs=None): + """Gets the users that report to a manager. + If sattrs is not None then only those + attributes will be returned, otherwise all available + attributes are returned. The result is a list of dicts.""" + server = self.setup_server() + if sattrs is None: + sattrs = "__NONE__" + try: + result = server.get_users_by_manager(manager_dn, sattrs) + except xmlrpclib.Fault, fault: + raise ipaerror.gen_exception(fault.faultCode, fault.faultString) + except socket.error, (value, msg): + raise xmlrpclib.Fault(value, msg) + + return ipautil.unwrap_binary_data(result) + def add_user(self,user,user_container=None): """Add a new user. Takes as input a dict where the key is the attribute name and the value is either a string or in the case diff -r a481d970fdc2 -r 18ac2f4b2b71 ipa-server/ipa-gui/ipagui/controllers.py --- a/ipa-server/ipa-gui/ipagui/controllers.py Tue Sep 25 13:35:43 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/controllers.py Tue Sep 25 15:44:49 2007 -0700 @@ -252,8 +252,20 @@ class Root(controllers.RootController): try: user = client.get_user_by_uid(uid, user_fields) user_groups = client.get_groups_by_member(user.dn, ['cn']) + user_reports = client.get_users_by_manager(user.dn, + ['givenname', 'sn', 'uid']) + + user_manager = None + try: + if user.manager: + user_manager = client.get_user_by_dn(user.manager, + ['givenname', 'sn', 'uid']) + except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): + pass + return dict(user=user.toDict(), fields=forms.user.UserFields(), - user_groups=user_groups) + user_groups=user_groups, user_reports=user_reports, + user_manager=user_manager) except ipaerror.IPAError, e: turbogears.flash("User show failed: " + str(e)) raise turbogears.redirect("/") diff -r a481d970fdc2 -r 18ac2f4b2b71 ipa-server/ipa-gui/ipagui/templates/usershow.kid --- a/ipa-server/ipa-gui/ipagui/templates/usershow.kid Tue Sep 25 13:35:43 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/usershow.kid Tue Sep 25 15:44:49 2007 -0700 @@ -78,6 +78,15 @@ else: ${user.get("telephonenumber")} + + + Manager: + + + ${user_manager.givenname} ${user_manager.sn} + +

Account Status

@@ -90,6 +99,12 @@ else: +

Direct Reports

+ ${report.givenname} ${report.sn} +

Groups

${group.cn} diff -r a481d970fdc2 -r 18ac2f4b2b71 ipa-server/xmlrpc-server/funcs.py --- a/ipa-server/xmlrpc-server/funcs.py Tue Sep 25 13:35:43 2007 -0700 +++ b/ipa-server/xmlrpc-server/funcs.py Tue Sep 25 15:44:49 2007 -0700 @@ -308,7 +308,18 @@ class IPAServer: filter = "(objectClass=*)" return self.__get_entry(dn, filter, sattrs, opts) - + + def get_users_by_manager (self, manager_dn, sattrs=None, opts=None): + """Gets the users that report to a particular manager. + """ + + filter = "(&(objectClass=person)(manager=%s))" % manager_dn + + try: + return self.__get_list(self.basedn, filter, sattrs, opts) + except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): + return [] + def add_user (self, user, user_container=None, opts=None): """Add a user in LDAP. Takes as input a dict where the key is the attribute name and the value is either a string or in the case @@ -615,7 +626,10 @@ class IPAServer: filter = "(&(objectClass=posixGroup)(uniqueMember=%s))" % member_dn - return self.__get_list(self.basedn, filter, sattrs, opts) + try: + return self.__get_list(self.basedn, filter, sattrs, opts) + except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): + return [] def add_group (self, group, group_container=None, opts=None): """Add a group in LDAP. Takes as input a dict where the key is the diff -r a481d970fdc2 -r 18ac2f4b2b71 ipa-server/xmlrpc-server/ipaxmlrpc.py --- a/ipa-server/xmlrpc-server/ipaxmlrpc.py Tue Sep 25 13:35:43 2007 -0700 +++ b/ipa-server/xmlrpc-server/ipaxmlrpc.py Tue Sep 25 15:44:49 2007 -0700 @@ -316,6 +316,7 @@ def handler(req, profiling=False): h = ModXMLRPCRequestHandler() h.register_function(f.get_user_by_uid) h.register_function(f.get_user_by_dn) + h.register_function(f.get_users_by_manager) h.register_function(f.add_user) h.register_function(f.get_add_schema) h.register_function(f.get_all_users) -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4054 bytes Desc: not available URL: From kmccarth at redhat.com Tue Sep 25 23:49:54 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Tue, 25 Sep 2007 16:49:54 -0700 Subject: [Freeipa-devel] [PATCH] favicon file Message-ID: <20070925234954.GG20742@moon.usersys.redhat.com> This patch adds an icon file for IPA. -Kevin -------------- next part -------------- # HG changeset patch # User Kevin McCarthy # Date 1190764459 25200 # Node ID 17f80e1a0426de4ec8181bd7f1735a7795377138 # Parent 916b24d87d516c4bbace661329cfdd8750c790d4 Add IPA icon file. diff --git a/ipa-server/ipa-gui/ipagui/static/images/favicon.ico b/ipa-server/ipa-gui/ipagui/static/images/favicon.ico index 332557bc307647601389c14939be0671c62efcd7..bafbff928ec5d4b1ea316c42d6d4da8443a34810 GIT binary patch literal 3638 zc%0RjXH-8h!hd&O@}sgX$}Jd z(#udC`p~3G7ePTlL`BpP1tqr3J2RS1V!eJ&78eCtSGAQ8AJm at 8!R6nxb9d_MYZw&TaDIAqsmz;VND9A_K? zzcnA`L)XwB=ZX;e78L$M0W--NtfzO7?PmZxZW3ON^`XBq7BYie6zi|XJ*FOf6u$?< zO&@s)E>N##VJgoTT+7`E?c|~^=oI1=7a}P)1P(?!(Rp|!{O`4cQ5XTs9m{aGr2x-s z;_*1v3jF62V1=1M=Rq^NUH2oI=tH;8!*FvZ+H!- at ptS&(hud+muM~gWZh)801|+$t z!)>qzk=%GhXi?$fpa!#RDX8|;!f;Lie(NlQK~V(q!cJgsZy|DN3z2<%1G)nY(O at Nq zRIODQAah4+uSeTiC5&B7z+_P*ZkqfAFC$6R2OYuQhBUOqy5fPSCNkyc;}&Bd@^V6u z>!^aKO&Mr7whsI5RH8z2Dehl1hHYOp;$-LIwzDeuZ=NH~LK;*3EqGgT3FS%dcy%oU zjNV$DJ4r*1nLK`fbQirO#)gAb at X6X(w`Re#ijCCbC`1R);ZT!|;dAov+Bh50Dxw(6 z^v02a8YtE$;6h#;dSV<h{byd3SrtGZM?@YcaicTJ45tnj?M0{rG|@LxPa8+k|k zHVP*Gr; zsI!AM+aS}P2`y7OlH` zyJ*x~3hVv~{Mwv{_Lx&JXBeZM(G3>e*Q57k$)7uF8#yNO7+yl8Bf4qA+iPI at Tphcg> zaD)l6Eo9*1NP}KE8)a9#aOFllvLbEpyr&jLfpi=_p$s<534>V|kY=rki+9@*SyzCg z17%<;uY at Vn9+s-&u)NoRh(ofdk2?d8f(Q)8+r#{lBZjZW!m6zhMNVo^>d!~v)O}>^ zoQ00l+u=Rf2<3-$c$n!0w)~e!*|!Ym15MDw2}06H2aM=a==IP>tj{619o_`3>$!+O zz8gBD)nM#ej26RHaCv$IJcc1g%C5loMkV~n`;M`Yg;{w#UROn-(@_b|e#UrKpN8ms z7G5>wVuBk5CfSQ!#+spCn+oqOb5Iv at jMOKxM#W($Id6tc`c at Pkm%$*Dj!{zQ%#%D3 z5 at do<`9%nLd;?wPlJF``#q}f?Tz-5T3};=W_#8wq=OQkr2f<~l2+p+Rqc6c7vQ_b5 zw{UTyCJj at aB~TkKM}?LsQY=(3Me1=pHvuwzd1$cNg_{8e;9R+YcfXB;KiUfON3GzQ zNFegXDC&~k5nh^z4i9}evi(TioWacf0pzPM#+Ljb3^^*G&EFVTJq&O{Qv%`JzW`Tx zJ}ND?LMb;8d8c;3%|;CkWWSF%AcaJwMbK-=AbYF^hJp?uLw6NM@&aMp%f)DlGm=A2 zBJ0I{DBZaV+re6xM7kllqY?+nGo>ni1>b=NOjff|+9j_!s>FCy zqM)FP$|G2ns``BCJjH5xjXitz)OImBWJJLb6wr7=t(<&ywc-c9r}j?;wFP4Vp7&+UXfy4Kg=)(w+-GKhv8k4hu)do?vKSbJLi zPhJqTK7V~jQZ1Q9Lze>T_3G*zr*zl9czO28W!c((_7;0Sk)uG)N>MS#Y3J83guH3V z^z?yeu5;{nJjst(IPFjP9pZKh;SLJ8UDTWD>6T=!d17q;$@Mi&j|sQ6v#VC=P+BKr zM=a_Mn|(7N-e~iR9sO#u0`5h4yUH?;F#(r}bY!zPULK17#psCZ3r#ke->X4Jrd`GS z*L^G*Vgg>0_nCL=9HWWBroXuL7y1Iu`e|I6E!~n)8gw`K*}5ia0S{%dSSriubT`t9 z<`%jO1j?nQaUNzR at 41^BYt8M&5-FmhN9%igHKyIArI(5Y4ZYH03;1lpMXzmgSfwzP zn`RTE5hFqr?(Pr1I$y$eXA-V3H6^;C^4Pt$hvFhJF&cW8^kSk^7ind0I$ z$9*yOdUfiG6`PHgZ5Id%JG-RF_eslQiZhvKu4G)^{q}J3fi34&JmX#%>FVn26sNx5 zr+HFL at t33D_E~O{5HmfHY#r>eVx+6nl=C4!h*71OJw From ssorce at redhat.com Wed Sep 26 14:46:38 2007 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 26 Sep 2007 10:46:38 -0400 Subject: [Freeipa-devel] [PATCH] Misc small fixes In-Reply-To: References: Message-ID: <1190817998.3915.21.camel@hopeson> On Tue, 2007-09-25 at 13:55 -0400, Karl MacMillan wrote: > * Remove the rpmbuild tree with the dist-clean target. Uhmm I am actually using the rpmbuild tree to hold the rpms (freeipa ones and others), can we separate out the cleaning of rpmbuild ? I think it is nice to clean up the tree but still have the rpms around. > * Move ipa-server-setupssl from /usr/sbin to /usr/share/ipa > * Check in requirement change for generated freeipa-python.spec > * Fix interactive hostname in ipa-server-install. Thanks for this. Simo. From kmacmill at redhat.com Wed Sep 26 14:58:20 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Wed, 26 Sep 2007 10:58:20 -0400 Subject: [Freeipa-devel] [PATCH] Misc small fixes In-Reply-To: <1190817998.3915.21.camel@hopeson> References: <1190817998.3915.21.camel@hopeson> Message-ID: <1190818700.2895.13.camel@localhost.localdomain> On Wed, 2007-09-26 at 10:46 -0400, Simo Sorce wrote: > On Tue, 2007-09-25 at 13:55 -0400, Karl MacMillan wrote: > > * Remove the rpmbuild tree with the dist-clean target. > > Uhmm I am actually using the rpmbuild tree to hold the rpms (freeipa > ones and others), can we separate out the cleaning of rpmbuild ? > > I think it is nice to clean up the tree but still have the rpms around. > There is currently a clean target that doesn't remove any rpms and dist-clean which removes dist and rpmbuild as well. Does just calling clean work for you? Karl From ssorce at redhat.com Wed Sep 26 18:00:25 2007 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 26 Sep 2007 14:00:25 -0400 Subject: [Freeipa-devel] [PATCH] Misc small fixes In-Reply-To: <1190818700.2895.13.camel@localhost.localdomain> References: <1190817998.3915.21.camel@hopeson> <1190818700.2895.13.camel@localhost.localdomain> Message-ID: <1190829625.3798.3.camel@hopeson> On Wed, 2007-09-26 at 10:58 -0400, Karl MacMillan wrote: > On Wed, 2007-09-26 at 10:46 -0400, Simo Sorce wrote: > > On Tue, 2007-09-25 at 13:55 -0400, Karl MacMillan wrote: > > > * Remove the rpmbuild tree with the dist-clean target. > > > > Uhmm I am actually using the rpmbuild tree to hold the rpms (freeipa > > ones and others), can we separate out the cleaning of rpmbuild ? > > > > I think it is nice to clean up the tree but still have the rpms around. > > > > There is currently a clean target that doesn't remove any rpms and > dist-clean which removes dist and rpmbuild as well. Does just calling > clean work for you? I'll try :-P As soon as we don't call dist-clean from any other target I think that's fine. Simo. From kmccarth at redhat.com Wed Sep 26 20:08:06 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Wed, 26 Sep 2007 13:08:06 -0700 Subject: [Freeipa-devel] [PATCH] help text for searches Message-ID: <20070926200806.GE18132@moon.usersys.redhat.com> I removed the mocks from the demo, but wanted to preserve the help text. -Kevin -------------- next part -------------- # HG changeset patch # User Kevin McCarthy # Date 1190837309 25200 # Node ID 0003b3b106655aa0867142b53bf1530f8a5982d7 # Parent fb85b362df17c135cbe7beb0e8733d70021b3700 patch queue: helptext.patch diff -r fb85b362df17 -r 0003b3b10665 ipa-server/ipa-gui/ipagui/templates/grouplist.kid --- a/ipa-server/ipa-gui/ipagui/templates/grouplist.kid Wed Sep 26 09:59:13 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/grouplist.kid Wed Sep 26 13:08:29 2007 -0700 @@ -39,5 +39,22 @@

No results found for "${criteria}"

+ Search automatically looks across multiple fields. If you want to find + Joe in Finance, try typing "joe finance" into the search box. +

+ Exact matches are listed first, followed by partial matches. If your search + is too broad, you will get a warning that the search returned too many + results. Try being more specific. +

+ The results that come back are sortable. Simply click on a column + header to sort on that header. A triangle will indicate the sorted + column, along with its direction. Clicking and dragging between headers + will allow you to resize the header. +

diff -r fb85b362df17 -r 0003b3b10665 ipa-server/ipa-gui/ipagui/templates/userlist.kid --- a/ipa-server/ipa-gui/ipagui/templates/userlist.kid Wed Sep 26 09:59:13 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/userlist.kid Wed Sep 26 13:08:29 2007 -0700 @@ -58,5 +58,22 @@

No results found for "${uid}"

+ Search automatically looks across multiple fields. If you want to find + Joe in Finance, try typing "joe finance" into the search box. +

+ Exact matches are listed first, followed by partial matches. If your search + is too broad, you will get a warning that the search returned too many + results. Try being more specific. +

diff -r fb85b362df17 -r 0003b3b10665 ipa-server/ipa-gui/ipagui/templates/welcome.kid --- a/ipa-server/ipa-gui/ipagui/templates/welcome.kid Wed Sep 26 09:59:13 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/welcome.kid Wed Sep 26 13:08:29 2007 -0700 @@ -10,6 +10,20 @@

Welcome to Free IPA

+ +

+ IPA is used to manage Identity, Policy, and Auditing for your + organization. +

+ To get started, you can use the search box in the top right to find + users or groups you need to work on. Search automatically looks + across multiple fields. If you want to find Joe in Finance, try typing + "joe finance" into the search box. +

+ Alternatively, select a task from the left sidebar. +

-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4054 bytes Desc: not available URL: From rcritten at redhat.com Wed Sep 26 20:55:10 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 26 Sep 2007 16:55:10 -0400 Subject: [Freeipa-devel] [PATCH] list xml-rpc methods Message-ID: <46FAC72E.4030905@redhat.com> One of the things that XML-RPC clients are going to want to do is interrogate the server to find out what it can do. Some parts of that were broken. Should be fixed here. Now one thing I may need to tweak is that all functions include the variable opts in it. This isn't actually sent by the client, it is appended in the server. I'll need to figure out how to not show that as an argument. Later. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-218-methods.patch Type: text/x-patch Size: 4144 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From kmccarth at redhat.com Wed Sep 26 22:44:04 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Wed, 26 Sep 2007 15:44:04 -0700 Subject: [Freeipa-devel] [PATCH] add group dn operation methods Message-ID: <20070926224403.GF18132@moon.usersys.redhat.com> This patch adds api calls that manipulate group members using dns. My apache set up isn't quite working right now, so I wasn't able to test over the xmlrpc calls. I might have made a typo although I tried to be careful. The calls do work for the gui. -Kevin -------------- next part -------------- # HG changeset patch # User Kevin McCarthy # Date 1190846854 25200 # Node ID 5bc5ed865060671057635f21456c561b4402416c # Parent db401a2fa6ac3b1c64d2892d6271ab8e5f5e3f5c Adds methods to manipulate groups by dns. Renamed some of the user_group parameters to be self-evident. Binary wrapping isn't necessary on strings, so removed from xmlrpc calls. diff -r db401a2fa6ac -r 5bc5ed865060 ipa-python/ipaclient.py --- a/ipa-python/ipaclient.py Wed Sep 26 15:04:09 2007 -0700 +++ b/ipa-python/ipaclient.py Wed Sep 26 15:47:34 2007 -0700 @@ -205,41 +205,65 @@ class IPAClient: return groups - def add_user_to_group(self, user, group): + def add_member_to_group(self, member_dn, group_cn): + """Add a member to an existing group. + """ + + return self.transport.add_member_to_group(member_dn, group_cn) + + def add_members_to_group(self, member_dns, group_cn): + """Add several members to an existing group. + member_dns is a list of dns to add + + Returns a list of the dns that were not added. + """ + + return self.transport.add_members_to_group(member_dns, group_cn) + + def remove_member_from_group(self, member_dn, group_cn): + """Remove a member from an existing group. + """ + + return self.transport.remove_member_from_group(member_dn, group_cn) + + def remove_members_from_group(self, member_dns, group_cn): + """Remove several members from an existing group. + member_dns is a list of dns to remove + + Returns a list of the dns that were not removed. + """ + + return self.transport.remove_members_from_group(member_dns, group_cn) + + def add_user_to_group(self, user_uid, group_cn): """Add a user to an existing group. - user is a uid of the user to add - group is the cn of the group to be added to - """ - - return self.transport.add_user_to_group(user, group) - - def add_users_to_group(self, users, group): + """ + + return self.transport.add_user_to_group(user_uid, group_cn) + + def add_users_to_group(self, user_uids, group_cn): """Add several users to an existing group. - user is a list of uids of the users to add - group is the cn of the group to be added to - - Returns a list of the users that were not added. - """ - - return self.transport.add_users_to_group(users, group) - - def remove_user_from_group(self, user, group): + user_uids is a list of uids of the users to add + + Returns a list of the user uids that were not added. + """ + + return self.transport.add_users_to_group(user_uids, group_cn) + + def remove_user_from_group(self, user_uid, group_cn): """Remove a user from an existing group. - user is a uid of the user to remove - group is the cn of the group to be removed from - """ - - return self.transport.remove_user_from_group(user, group) - - def remove_users_from_group(self, users, group): + """ + + return self.transport.remove_user_from_group(user_uid, group_cn) + + def remove_users_from_group(self, user_uids, group_cn): """Remove several users from an existing group. - user is a list of uids of the users to remove - group is the cn of the group to be removed from - - Returns a list of the users that were not removed. - """ - - return self.transport.remove_users_from_group(users, group) + user_uids is a list of uids of the users to remove + + Returns a list of the user uids that were not removed. + """ + + return self.transport.remove_users_from_group(user_uids, group_cn) def update_group(self,group): """Update a group entry.""" diff -r db401a2fa6ac -r 5bc5ed865060 ipa-python/rpcclient.py --- a/ipa-python/rpcclient.py Wed Sep 26 15:04:09 2007 -0700 +++ b/ipa-python/rpcclient.py Wed Sep 26 15:47:34 2007 -0700 @@ -326,68 +326,114 @@ class RPCClient: return ipautil.unwrap_binary_data(result) - def add_user_to_group(self, user, group): + def add_member_to_group(self, member_dn, group_cn): + """Add a new member to an existing group. + """ + server = self.setup_server() + try: + result = server.add_member_to_group(member_dn, group_cn) + except xmlrpclib.Fault, fault: + raise ipaerror.gen_exception(fault.faultCode, fault.faultString) + except socket.error, (value, msg): + raise xmlrpclib.Fault(value, msg) + + return ipautil.unwrap_binary_data(result) + + def add_members_to_group(self, member_dns, group_cn): + """Add several members to an existing group. + member_dns is a list of the dns to add + + Returns a list of the dns that were not added. + """ + server = self.setup_server() + try: + result = server.add_members_to_group(member_dns, group_cn) + except xmlrpclib.Fault, fault: + raise ipaerror.gen_exception(fault.faultCode, fault.faultString) + except socket.error, (value, msg): + raise xmlrpclib.Fault(value, msg) + + return ipautil.unwrap_binary_data(result) + + def remove_member_from_group(self, member_dn, group_cn): + """Remove a member from an existing group. + """ + server = self.setup_server() + try: + result = server.remove_member_from_group(member_dn, group_cn) + except xmlrpclib.Fault, fault: + raise ipaerror.gen_exception(fault.faultCode, fault.faultString) + except socket.error, (value, msg): + raise xmlrpclib.Fault(value, msg) + + return ipautil.unwrap_binary_data(result) + + def remove_members_from_group(self, member_dns, group_cn): + """Remove several members from an existing group. + + Returns a list of the dns that were not removed. + """ + server = self.setup_server() + try: + result = server.remove_members_from_group(member_dns, group_cn) + except xmlrpclib.Fault, fault: + raise ipaerror.gen_exception(fault.faultCode, fault.faultString) + except socket.error, (value, msg): + raise xmlrpclib.Fault(value, msg) + + return ipautil.unwrap_binary_data(result) + + def add_user_to_group(self, user_uid, group_cn): """Add a user to an existing group. - user is a uid of the user to add - group is the cn of the group to be added to - """ - server = self.setup_server() - try: - result = server.add_user_to_group(ipautil.wrap_binary_data(user), - ipautil.wrap_binary_data(group)) - except xmlrpclib.Fault, fault: - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) - except socket.error, (value, msg): - raise xmlrpclib.Fault(value, msg) - - return ipautil.unwrap_binary_data(result) - - def add_users_to_group(self, users, group): + """ + server = self.setup_server() + try: + result = server.add_user_to_group(user_uid, group_cn) + except xmlrpclib.Fault, fault: + raise ipaerror.gen_exception(fault.faultCode, fault.faultString) + except socket.error, (value, msg): + raise xmlrpclib.Fault(value, msg) + + return ipautil.unwrap_binary_data(result) + + def add_users_to_group(self, user_uids, group_cn): """Add several users to an existing group. - user is a list of the uids of the users to add - group is the cn of the group to be added to - - Returns a list of the users that were not added. - """ - server = self.setup_server() - try: - result = server.add_users_to_group(ipautil.wrap_binary_data(users), - ipautil.wrap_binary_data(group)) - except xmlrpclib.Fault, fault: - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) - except socket.error, (value, msg): - raise xmlrpclib.Fault(value, msg) - - return ipautil.unwrap_binary_data(result) - - def remove_user_from_group(self, user, group): + user_uids is a list of the uids of the users to add + + Returns a list of the user uids that were not added. + """ + server = self.setup_server() + try: + result = server.add_users_to_group(user_uids, group_cn) + except xmlrpclib.Fault, fault: + raise ipaerror.gen_exception(fault.faultCode, fault.faultString) + except socket.error, (value, msg): + raise xmlrpclib.Fault(value, msg) + + return ipautil.unwrap_binary_data(result) + + def remove_user_from_group(self, user_uid, group_cn): """Remove a user from an existing group. - user is a uid of the user to remove - group is the cn of the group to be removed from - """ - server = self.setup_server() - try: - result = server.remove_user_from_group(ipautil.wrap_binary_data(user), - ipautil.wrap_binary_data(group)) - except xmlrpclib.Fault, fault: - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) - except socket.error, (value, msg): - raise xmlrpclib.Fault(value, msg) - - return ipautil.unwrap_binary_data(result) - - def remove_users_from_group(self, users, group): + """ + server = self.setup_server() + try: + result = server.remove_user_from_group(user_uid, group_cn) + except xmlrpclib.Fault, fault: + raise ipaerror.gen_exception(fault.faultCode, fault.faultString) + except socket.error, (value, msg): + raise xmlrpclib.Fault(value, msg) + + return ipautil.unwrap_binary_data(result) + + def remove_users_from_group(self, user_uids, group_cn): """Remove several users from an existing group. - user is a list of the uids of the users to remove - group is the cn of the group to be removed from - - Returns a list of the users that were not removed. - """ - server = self.setup_server() - try: - result = server.remove_users_from_group( - ipautil.wrap_binary_data(users), - ipautil.wrap_binary_data(group)) + user_uids is a list of the uids of the users to remove + + Returns a list of the user uids that were not removed. + """ + server = self.setup_server() + try: + result = server.remove_users_from_group(user_uids, group_cn) except xmlrpclib.Fault, fault: raise ipaerror.gen_exception(fault.faultCode, fault.faultString) except socket.error, (value, msg): diff -r db401a2fa6ac -r 5bc5ed865060 ipa-server/ipaserver/ipaldap.py --- a/ipa-server/ipaserver/ipaldap.py Wed Sep 26 15:04:09 2007 -0700 +++ b/ipa-server/ipaserver/ipaldap.py Wed Sep 26 15:47:34 2007 -0700 @@ -215,7 +215,7 @@ class IPAdmin(SimpleLDAPObject): out this way so that we can call them from places other than instance creation e.g. when we just need to reconnect, not create a new instance""" - if debug.lower() == "on": + if debug and debug.lower() == "on": ldap.set_option(ldap.OPT_DEBUG_LEVEL,255) if cacert is not None: ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,cacert) diff -r db401a2fa6ac -r 5bc5ed865060 ipa-server/xmlrpc-server/funcs.py --- a/ipa-server/xmlrpc-server/funcs.py Wed Sep 26 15:04:09 2007 -0700 +++ b/ipa-server/xmlrpc-server/funcs.py Wed Sep 26 15:47:34 2007 -0700 @@ -66,6 +66,8 @@ class IPAConnPool: return conn def releaseConn(self, conn): + if conn is None: + return # We can't re-use SASL connections. If proxydn is None it means # we have a Kerberos credentails cache set. See ipaldap.set_krbccache if conn.proxydn is None: @@ -736,27 +738,24 @@ class IPAServer: return groups - def add_user_to_group(self, user, group, opts=None): - """Add a user to an existing group. - user is a uid of the user to add - group is the cn of the group to be added to - """ - - old_group = self.get_group_by_cn(group, None, opts) + def add_member_to_group(self, member_dn, group_cn, opts=None): + """Add a member to an existing group. + """ + + old_group = self.get_group_by_cn(group_cn, None, opts) if old_group is None: raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND) new_group = copy.deepcopy(old_group) - user_dn = self.get_user_by_uid(user, ['dn', 'uid', 'objectclass'], opts) - if user_dn is None: - raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND) + # check to make sure member_dn exists + member_entry = self.__get_entry(member_dn, "(objectClass=*)", ['dn','uid'], opts) if new_group.get('uniquemember') is not None: if ((isinstance(new_group.get('uniquemember'), str)) or (isinstance(new_group.get('uniquemember'), unicode))): new_group['uniquemember'] = [new_group['uniquemember']] - new_group['uniquemember'].append(user_dn['dn']) - else: - new_group['uniquemember'] = user_dn['dn'] + new_group['uniquemember'].append(member_dn) + else: + new_group['uniquemember'] = member_dn try: ret = self.__update_entry(old_group, new_group, opts) @@ -764,50 +763,44 @@ class IPAServer: raise return ret - def add_users_to_group(self, users, group, opts=None): - """Given a list of user uid's add them to the group cn denoted by group - Returns a list of the users were not added to the group. + def add_members_to_group(self, member_dns, group_cn, opts=None): + """Given a list of dn's, add them to the group cn denoted by group + Returns a list of the member_dns that were not added to the group. """ failed = [] - if (isinstance(users, str)): - users = [users] - - for user in users: + if (isinstance(member_dns, str)): + member_dns = [member_dns] + + for member_dn in member_dns: try: - self.add_user_to_group(user, group, opts) + self.add_member_to_group(member_dn, group_cn, opts) except ipaerror.exception_for(ipaerror.LDAP_EMPTY_MODLIST): # User is already in the group - failed.append(user) + failed.append(member_dn) except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): # User or the group does not exist - failed.append(user) + failed.append(member_dn) return failed - def remove_user_from_group(self, user, group, opts=None): - """Remove a user from an existing group. - user is a uid of the user to remove - group is the cn of the group to be removed from - """ - - old_group = self.get_group_by_cn(group, None, opts) + def remove_member_from_group(self, member_dn, group_cn, opts=None): + """Remove a member_dn from an existing group. + """ + + old_group = self.get_group_by_cn(group_cn, None, opts) if old_group is None: raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND) new_group = copy.deepcopy(old_group) - - user_dn = self.get_user_by_uid(user, ['dn', 'uid', 'objectclass'], opts) - if user_dn is None: - raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND) if new_group.get('uniquemember') is not None: if ((isinstance(new_group.get('uniquemember'), str)) or (isinstance(new_group.get('uniquemember'), unicode))): new_group['uniquemember'] = [new_group['uniquemember']] try: - new_group['uniquemember'].remove(user_dn['dn']) + new_group['uniquemember'].remove(member_dn) except ValueError: - # User is not in the group + # member is not in the group # FIXME: raise more specific error? raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND) else: @@ -821,26 +814,89 @@ class IPAServer: raise return ret - def remove_users_from_group(self, users, group, opts=None): - """Given a list of user uid's remove them from the group cn denoted - by group - Returns a list of the users were not removed from the group. + def remove_members_from_group(self, member_dns, group_cn, opts=None): + """Given a list of member dn's remove them from the group. + Returns a list of the members not removed from the group. """ failed = [] - if (isinstance(users, str)): - users = [users] - - for user in users: + if (isinstance(member_dns, str)): + member_dns = [member_dns] + + for member_dn in member_dns: try: - self.remove_user_from_group(user, group, opts) + self.remove_member_from_group(member_dn, group_cn, opts) + except ipaerror.exception_for(ipaerror.LDAP_EMPTY_MODLIST): + # member is not in the group + failed.append(member_dn) + except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): + # member_dn or the group does not exist + failed.append(member_dn) + + return failed + + def add_user_to_group(self, user_uid, group_cn, opts=None): + """Add a user to an existing group. + """ + + user = self.get_user_by_uid(user_uid, ['dn', 'uid', 'objectclass'], opts) + if user is None: + raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND) + + return self.add_member_to_group(user['dn'], group_cn, opts) + + def add_users_to_group(self, user_uids, group_cn, opts=None): + """Given a list of user uid's add them to the group cn denoted by group + Returns a list of the users were not added to the group. + """ + + failed = [] + + if (isinstance(user_uids, str)): + user_uids = [user_uids] + + for user_uid in user_uids: + try: + self.add_user_to_group(user_uid, group_cn, opts) + except ipaerror.exception_for(ipaerror.LDAP_EMPTY_MODLIST): + # User is already in the group + failed.append(user_uid) + except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): + # User or the group does not exist + failed.append(user_uid) + + return failed + + def remove_user_from_group(self, user_uid, group_cn, opts=None): + """Remove a user from an existing group. + """ + + user = self.get_user_by_uid(user_uid, ['dn', 'uid', 'objectclass'], opts) + if user is None: + raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND) + + return self.remove_member_from_group(user['dn'], group_cn, opts) + + def remove_users_from_group(self, user_uids, group_cn, opts=None): + """Given a list of user uid's remove them from the group + Returns a list of the user uids not removed from the group. + """ + + failed = [] + + if (isinstance(user_uids, str)): + user_uids = [user_uids] + + for user_uid in user_uids: + try: + self.remove_user_from_group(user_uid, group_cn, opts) except ipaerror.exception_for(ipaerror.LDAP_EMPTY_MODLIST): # User is not in the group - failed.append(user) + failed.append(user_uid) except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): # User or the group does not exist - failed.append(user) + failed.append(user_uid) return failed diff -r db401a2fa6ac -r 5bc5ed865060 ipa-server/xmlrpc-server/ipaxmlrpc.py --- a/ipa-server/xmlrpc-server/ipaxmlrpc.py Wed Sep 26 15:04:09 2007 -0700 +++ b/ipa-server/xmlrpc-server/ipaxmlrpc.py Wed Sep 26 15:47:34 2007 -0700 @@ -330,6 +330,10 @@ def handler(req, profiling=False): h.register_function(f.get_groups_by_member) h.register_function(f.add_group) h.register_function(f.find_groups) + h.register_function(f.add_member_to_group) + h.register_function(f.add_members_to_group) + h.register_function(f.remove_member_from_group) + h.register_function(f.remove_members_from_group) h.register_function(f.add_user_to_group) h.register_function(f.add_users_to_group) h.register_function(f.add_group_to_group) -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4054 bytes Desc: not available URL: From kmacmill at redhat.com Thu Sep 27 13:44:13 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Thu, 27 Sep 2007 09:44:13 -0400 Subject: [Freeipa-devel] [PATCH] make testing easier In-Reply-To: <46F90929.2060804@redhat.com> References: <46F90929.2060804@redhat.com> Message-ID: <1190900653.2798.9.camel@localhost.localdomain> On Tue, 2007-09-25 at 09:12 -0400, Rob Crittenden wrote: > Simo is having problems with his Apache server seemingly not doing > ticket forwarding but only for mod_python. In trying to help him > diagnose this it became very apparent that even this low-level testing > was difficult to setup. > > I've redone ipa.conf to not require Kerberos for the / but instead just > target it for the things we use (plus /cgi-bin for good measure). > Is this the right approach or should we have specific urls for testing / error. I don't think I understand the changes well enough to assess the risks. > I've added a new uri, /ipatest, that is shipped commented out but can be > used for this and any future basic testing needs. > > I also include a simple CGI and a simple mod_python script that uses > python-ldap to do a GSSAPI LDAP connection similar to what we do in IPA. > > Please consider this carefully. I'm a little nervous about the ipa.conf > changes but they were necessary because for some reason curl choked when > I had protected by Kerberos (either a bug in Apache or curl > or both, but regardless testing was impossibe). > > The only risk is that we (or someone) adds a new URI to do work and it > ends up not being protected by Kerberos. A small risk but a real one. > I went ahead and pushed this patch and the related fixes. Karl From kmacmill at redhat.com Thu Sep 27 13:44:13 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Thu, 27 Sep 2007 09:44:13 -0400 Subject: [Freeipa-devel] [PATCH] make testing easier In-Reply-To: <46F90929.2060804@redhat.com> References: <46F90929.2060804@redhat.com> Message-ID: <1190900653.2798.9.camel@localhost.localdomain> On Tue, 2007-09-25 at 09:12 -0400, Rob Crittenden wrote: > Simo is having problems with his Apache server seemingly not doing > ticket forwarding but only for mod_python. In trying to help him > diagnose this it became very apparent that even this low-level testing > was difficult to setup. > > I've redone ipa.conf to not require Kerberos for the / but instead just > target it for the things we use (plus /cgi-bin for good measure). > Is this the right approach or should we have specific urls for testing / error. I don't think I understand the changes well enough to assess the risks. > I've added a new uri, /ipatest, that is shipped commented out but can be > used for this and any future basic testing needs. > > I also include a simple CGI and a simple mod_python script that uses > python-ldap to do a GSSAPI LDAP connection similar to what we do in IPA. > > Please consider this carefully. I'm a little nervous about the ipa.conf > changes but they were necessary because for some reason curl choked when > I had protected by Kerberos (either a bug in Apache or curl > or both, but regardless testing was impossibe). > > The only risk is that we (or someone) adds a new URI to do work and it > ends up not being protected by Kerberos. A small risk but a real one. > I went ahead and pushed this patch and the related fixes. Karl From kmacmill at redhat.com Thu Sep 27 13:49:12 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Thu, 27 Sep 2007 09:49:12 -0400 Subject: [Freeipa-devel] [PATCH] a bunch of small tweeks In-Reply-To: <20070925183006.GD20742@moon.usersys.redhat.com> References: <20070925183006.GD20742@moon.usersys.redhat.com> Message-ID: <1190900952.4543.1.camel@localhost.localdomain> On Tue, 2007-09-25 at 11:30 -0700, Kevin McCarthy wrote: > This is a set of small tweeks suggested in my meeting with Bob and Pete > yesterday. > > The most controversial is adding a search timeout for find users and > groups. I've put this at 2 seconds for now. The problem with this > approach is that it makes the number of results that come back random - > depending on the server. > > So, consider it a test. Please send your feedback if you have opinions > (it's pushed to demo). > It looks like the time limit will effect all clients, including xml-rpc clients? If so, that doesn't seem like a good idea. Should we expose a timeout parameter in the xml-rpc layer and let the gui have a configurable value that it always passes? Karl From kmacmill at redhat.com Thu Sep 27 13:51:11 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Thu, 27 Sep 2007 09:51:11 -0400 Subject: [Freeipa-devel] [PATCH] show user groups In-Reply-To: <20070925203203.GE20742@moon.usersys.redhat.com> References: <20070925203203.GE20742@moon.usersys.redhat.com> Message-ID: <1190901071.4543.3.camel@localhost.localdomain> On Tue, 2007-09-25 at 13:32 -0700, Kevin McCarthy wrote: > This patch adds the list of groups a user belongs to onto the usershow > page. > Acked and pushed. Karl From kmacmill at redhat.com Thu Sep 27 13:52:15 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Thu, 27 Sep 2007 09:52:15 -0400 Subject: [Freeipa-devel] [PATCH] managers and direct reports In-Reply-To: <20070925224035.GF20742@moon.usersys.redhat.com> References: <20070925224035.GF20742@moon.usersys.redhat.com> Message-ID: <1190901135.4543.5.camel@localhost.localdomain> On Tue, 2007-09-25 at 15:40 -0700, Kevin McCarthy wrote: > This patch adds manager and direct reports to the usershow page. > > It depends on the freeipa-212-usergrouplist.patch, as it fixes a bug in > it. > Acked and pushed. Karl From kmacmill at redhat.com Thu Sep 27 13:52:57 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Thu, 27 Sep 2007 09:52:57 -0400 Subject: [Freeipa-devel] [PATCH] favicon file In-Reply-To: <20070925234954.GG20742@moon.usersys.redhat.com> References: <20070925234954.GG20742@moon.usersys.redhat.com> Message-ID: <1190901177.4543.7.camel@localhost.localdomain> On Tue, 2007-09-25 at 16:49 -0700, Kevin McCarthy wrote: > This patch adds an icon file for IPA. > Acked and pushed. From kmacmill at redhat.com Thu Sep 27 13:53:40 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Thu, 27 Sep 2007 09:53:40 -0400 Subject: [Freeipa-devel] [PATCH] help text for searches In-Reply-To: <20070926200806.GE18132@moon.usersys.redhat.com> References: <20070926200806.GE18132@moon.usersys.redhat.com> Message-ID: <1190901220.4543.9.camel@localhost.localdomain> On Wed, 2007-09-26 at 13:08 -0700, Kevin McCarthy wrote: > I removed the mocks from the demo, but wanted to preserve the help text. > Acked and pushed. From kmacmill at redhat.com Thu Sep 27 13:54:11 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Thu, 27 Sep 2007 09:54:11 -0400 Subject: [Freeipa-devel] [PATCH] list xml-rpc methods In-Reply-To: <46FAC72E.4030905@redhat.com> References: <46FAC72E.4030905@redhat.com> Message-ID: <1190901251.4543.11.camel@localhost.localdomain> On Wed, 2007-09-26 at 16:55 -0400, Rob Crittenden wrote: > One of the things that XML-RPC clients are going to want to do is > interrogate the server to find out what it can do. Some parts of that > were broken. Should be fixed here. > > Now one thing I may need to tweak is that all functions include the > variable opts in it. This isn't actually sent by the client, it is > appended in the server. I'll need to figure out how to not show that as > an argument. Later. > Acked and pushed. From kmacmill at redhat.com Thu Sep 27 13:55:03 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Thu, 27 Sep 2007 09:55:03 -0400 Subject: [Freeipa-devel] [PATCH] add group dn operation methods In-Reply-To: <20070926224403.GF18132@moon.usersys.redhat.com> References: <20070926224403.GF18132@moon.usersys.redhat.com> Message-ID: <1190901303.4543.13.camel@localhost.localdomain> On Wed, 2007-09-26 at 15:44 -0700, Kevin McCarthy wrote: > This patch adds api calls that manipulate group members using dns. > > My apache set up isn't quite working right now, so I wasn't able to test > over the xmlrpc calls. I might have made a typo although I tried to be > careful. > > The calls do work for the gui. > Acked and pushed. From rcritten at redhat.com Thu Sep 27 14:06:12 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 27 Sep 2007 10:06:12 -0400 Subject: [Freeipa-devel] [PATCH] make testing easier In-Reply-To: <1190900653.2798.9.camel@localhost.localdomain> References: <46F90929.2060804@redhat.com> <1190900653.2798.9.camel@localhost.localdomain> Message-ID: <46FBB8D4.7020302@redhat.com> Karl MacMillan wrote: > On Tue, 2007-09-25 at 09:12 -0400, Rob Crittenden wrote: >> Simo is having problems with his Apache server seemingly not doing >> ticket forwarding but only for mod_python. In trying to help him >> diagnose this it became very apparent that even this low-level testing >> was difficult to setup. >> >> I've redone ipa.conf to not require Kerberos for the / but instead just >> target it for the things we use (plus /cgi-bin for good measure). >> > > Is this the right approach or should we have specific urls for testing / > error. I don't think I understand the changes well enough to assess the > risks. I don't understand. Isn't /ipatest a specific url for testing? I was thinking this would be disabled by default. We need a specific url for errors because it needs to be unauthenticated (so the user has a place to go on the same machine if their auth fails). rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From kmacmill at redhat.com Thu Sep 27 14:41:19 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Thu, 27 Sep 2007 10:41:19 -0400 Subject: [Freeipa-devel] [PATCH] make testing easier In-Reply-To: <46FBB8D4.7020302@redhat.com> References: <46F90929.2060804@redhat.com> <1190900653.2798.9.camel@localhost.localdomain> <46FBB8D4.7020302@redhat.com> Message-ID: <1190904079.4862.2.camel@localhost.localdomain> On Thu, 2007-09-27 at 10:06 -0400, Rob Crittenden wrote: > Karl MacMillan wrote: > > On Tue, 2007-09-25 at 09:12 -0400, Rob Crittenden wrote: > >> Simo is having problems with his Apache server seemingly not doing > >> ticket forwarding but only for mod_python. In trying to help him > >> diagnose this it became very apparent that even this low-level testing > >> was difficult to setup. > >> > >> I've redone ipa.conf to not require Kerberos for the / but instead just > >> target it for the things we use (plus /cgi-bin for good measure). > >> > > > > Is this the right approach or should we have specific urls for testing / > > error. I don't think I understand the changes well enough to assess the > > risks. > > I don't understand. Isn't /ipatest a specific url for testing? I was > thinking this would be disabled by default. > > We need a specific url for errors because it needs to be unauthenticated > (so the user has a place to go on the same machine if their auth fails). > That was my understanding from the patch, but you mentioned that / would not be authenticated and that posed some risk. I was trying to understand that portion of your comments. Karl From rcritten at redhat.com Thu Sep 27 15:22:56 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 27 Sep 2007 11:22:56 -0400 Subject: [Freeipa-devel] [PATCH] make testing easier In-Reply-To: <1190904079.4862.2.camel@localhost.localdomain> References: <46F90929.2060804@redhat.com> <1190900653.2798.9.camel@localhost.localdomain> <46FBB8D4.7020302@redhat.com> <1190904079.4862.2.camel@localhost.localdomain> Message-ID: <46FBCAD0.3090601@redhat.com> Karl MacMillan wrote: > On Thu, 2007-09-27 at 10:06 -0400, Rob Crittenden wrote: >> Karl MacMillan wrote: >>> On Tue, 2007-09-25 at 09:12 -0400, Rob Crittenden wrote: >>>> Simo is having problems with his Apache server seemingly not doing >>>> ticket forwarding but only for mod_python. In trying to help him >>>> diagnose this it became very apparent that even this low-level testing >>>> was difficult to setup. >>>> >>>> I've redone ipa.conf to not require Kerberos for the / but instead just >>>> target it for the things we use (plus /cgi-bin for good measure). >>>> >>> Is this the right approach or should we have specific urls for testing / >>> error. I don't think I understand the changes well enough to assess the >>> risks. >> I don't understand. Isn't /ipatest a specific url for testing? I was >> thinking this would be disabled by default. >> >> We need a specific url for errors because it needs to be unauthenticated >> (so the user has a place to go on the same machine if their auth fails). >> > > That was my understanding from the patch, but you mentioned that / would > not be authenticated and that posed some risk. I was trying to > understand that portion of your comments. > > Karl > Oh. The risk is if someone decides to put some other content on the web server it won't be automatically protected by kerberos. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Thu Sep 27 15:59:53 2007 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 27 Sep 2007 11:59:53 -0400 Subject: [Freeipa-devel] [PATCH] make testing easier In-Reply-To: <46FBCAD0.3090601@redhat.com> References: <46F90929.2060804@redhat.com> <1190900653.2798.9.camel@localhost.localdomain> <46FBB8D4.7020302@redhat.com> <1190904079.4862.2.camel@localhost.localdomain> <46FBCAD0.3090601@redhat.com> Message-ID: <1190908793.3476.13.camel@hopeson> On Thu, 2007-09-27 at 11:22 -0400, Rob Crittenden wrote: > Karl MacMillan wrote: > > On Thu, 2007-09-27 at 10:06 -0400, Rob Crittenden wrote: > >> Karl MacMillan wrote: > >>> On Tue, 2007-09-25 at 09:12 -0400, Rob Crittenden wrote: > >>>> Simo is having problems with his Apache server seemingly not doing > >>>> ticket forwarding but only for mod_python. In trying to help him > >>>> diagnose this it became very apparent that even this low-level testing > >>>> was difficult to setup. > >>>> > >>>> I've redone ipa.conf to not require Kerberos for the / but instead just > >>>> target it for the things we use (plus /cgi-bin for good measure). > >>>> > >>> Is this the right approach or should we have specific urls for testing / > >>> error. I don't think I understand the changes well enough to assess the > >>> risks. > >> I don't understand. Isn't /ipatest a specific url for testing? I was > >> thinking this would be disabled by default. > >> > >> We need a specific url for errors because it needs to be unauthenticated > >> (so the user has a place to go on the same machine if their auth fails). > >> > > > > That was my understanding from the patch, but you mentioned that / would > > not be authenticated and that posed some risk. I was trying to > > understand that portion of your comments. > > > > Karl > > > > Oh. The risk is if someone decides to put some other content on the web > server it won't be automatically protected by kerberos. Uhmm I say it is a low level risk, as by default admins are used to know that content is anonymous. Anyways, is it possible to server a page under / as anonymous while / is not? Maybe using a rewrite rule ? Simo. From rcritten at redhat.com Thu Sep 27 17:12:05 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 27 Sep 2007 13:12:05 -0400 Subject: [Freeipa-devel] [PATCH] make testing easier In-Reply-To: <1190908793.3476.13.camel@hopeson> References: <46F90929.2060804@redhat.com> <1190900653.2798.9.camel@localhost.localdomain> <46FBB8D4.7020302@redhat.com> <1190904079.4862.2.camel@localhost.localdomain> <46FBCAD0.3090601@redhat.com> <1190908793.3476.13.camel@hopeson> Message-ID: <46FBE465.4080802@redhat.com> Simo Sorce wrote: > On Thu, 2007-09-27 at 11:22 -0400, Rob Crittenden wrote: >> Karl MacMillan wrote: >>> On Thu, 2007-09-27 at 10:06 -0400, Rob Crittenden wrote: >>>> Karl MacMillan wrote: >>>>> On Tue, 2007-09-25 at 09:12 -0400, Rob Crittenden wrote: >>>>>> Simo is having problems with his Apache server seemingly not doing >>>>>> ticket forwarding but only for mod_python. In trying to help him >>>>>> diagnose this it became very apparent that even this low-level testing >>>>>> was difficult to setup. >>>>>> >>>>>> I've redone ipa.conf to not require Kerberos for the / but instead just >>>>>> target it for the things we use (plus /cgi-bin for good measure). >>>>>> >>>>> Is this the right approach or should we have specific urls for testing / >>>>> error. I don't think I understand the changes well enough to assess the >>>>> risks. >>>> I don't understand. Isn't /ipatest a specific url for testing? I was >>>> thinking this would be disabled by default. >>>> >>>> We need a specific url for errors because it needs to be unauthenticated >>>> (so the user has a place to go on the same machine if their auth fails). >>>> >>> That was my understanding from the patch, but you mentioned that / would >>> not be authenticated and that posed some risk. I was trying to >>> understand that portion of your comments. >>> >>> Karl >>> >> Oh. The risk is if someone decides to put some other content on the web >> server it won't be automatically protected by kerberos. > > Uhmm I say it is a low level risk, as by default admins are used to know > that content is anonymous. > Anyways, is it possible to server a page under / as anonymous while / is > not? > Maybe using a rewrite rule ? > > Simo. > You add a "Satisfy Any" and "Allow from all" into the Directory/Location entry. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From kmccarth at redhat.com Thu Sep 27 17:18:03 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Thu, 27 Sep 2007 10:18:03 -0700 Subject: [Freeipa-devel] [PATCH] a bunch of small tweeks In-Reply-To: <1190900952.4543.1.camel@localhost.localdomain> References: <20070925183006.GD20742@moon.usersys.redhat.com> <1190900952.4543.1.camel@localhost.localdomain> Message-ID: <20070927171803.GA16797@moon.usersys.redhat.com> Karl MacMillan wrote: > On Tue, 2007-09-25 at 11:30 -0700, Kevin McCarthy wrote: > > This is a set of small tweeks suggested in my meeting with Bob and Pete > > yesterday. > > > > The most controversial is adding a search timeout for find users and > > groups. I've put this at 2 seconds for now. The problem with this > > approach is that it makes the number of results that come back random - > > depending on the server. > > > > So, consider it a test. Please send your feedback if you have opinions > > (it's pushed to demo). > > > > It looks like the time limit will effect all clients, including xml-rpc > clients? If so, that doesn't seem like a good idea. Should we expose a > timeout parameter in the xml-rpc layer and let the gui have a > configurable value that it always passes? I'm not sure why it matters differently for xml-rpc clients? The time limit it on the ldap search operation. Or, do we expect the xml-rpc clients to be used more for reporting (in which case I agree it's a problem). -Kevin -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4054 bytes Desc: not available URL: From kmacmill at redhat.com Thu Sep 27 17:30:09 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Thu, 27 Sep 2007 13:30:09 -0400 Subject: [Freeipa-devel] [PATCH] a bunch of small tweeks In-Reply-To: <20070927171803.GA16797@moon.usersys.redhat.com> References: <20070925183006.GD20742@moon.usersys.redhat.com> <1190900952.4543.1.camel@localhost.localdomain> <20070927171803.GA16797@moon.usersys.redhat.com> Message-ID: <1190914209.2765.0.camel@localhost.localdomain> On Thu, 2007-09-27 at 10:18 -0700, Kevin McCarthy wrote: > Karl MacMillan wrote: > > On Tue, 2007-09-25 at 11:30 -0700, Kevin McCarthy wrote: > > > This is a set of small tweeks suggested in my meeting with Bob and Pete > > > yesterday. > > > > > > The most controversial is adding a search timeout for find users and > > > groups. I've put this at 2 seconds for now. The problem with this > > > approach is that it makes the number of results that come back random - > > > depending on the server. > > > > > > So, consider it a test. Please send your feedback if you have opinions > > > (it's pushed to demo). > > > > > > > It looks like the time limit will effect all clients, including xml-rpc > > clients? If so, that doesn't seem like a good idea. Should we expose a > > timeout parameter in the xml-rpc layer and let the gui have a > > configurable value that it always passes? > > I'm not sure why it matters differently for xml-rpc clients? The time > limit it on the ldap search operation. Or, do we expect the xml-rpc > clients to be used more for reporting (in which case I agree it's a > problem). > I was thinking that the xml-rpc clients might be used in ways that we don't want the timeout - reporting being a good example. Karl From kmccarth at redhat.com Thu Sep 27 17:45:34 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Thu, 27 Sep 2007 10:45:34 -0700 Subject: [Freeipa-devel] [PATCH] a bunch of small tweeks In-Reply-To: <1190914209.2765.0.camel@localhost.localdomain> References: <20070925183006.GD20742@moon.usersys.redhat.com> <1190900952.4543.1.camel@localhost.localdomain> <20070927171803.GA16797@moon.usersys.redhat.com> <1190914209.2765.0.camel@localhost.localdomain> Message-ID: <20070927174533.GB16797@moon.usersys.redhat.com> Karl MacMillan wrote: > On Thu, 2007-09-27 at 10:18 -0700, Kevin McCarthy wrote: > > Karl MacMillan wrote: > > > On Tue, 2007-09-25 at 11:30 -0700, Kevin McCarthy wrote: > > > > This is a set of small tweeks suggested in my meeting with Bob and Pete > > > > yesterday. > > > > > > > > The most controversial is adding a search timeout for find users and > > > > groups. I've put this at 2 seconds for now. The problem with this > > > > approach is that it makes the number of results that come back random - > > > > depending on the server. > > > > > > > > So, consider it a test. Please send your feedback if you have opinions > > > > (it's pushed to demo). > > > > > > > > > > It looks like the time limit will effect all clients, including xml-rpc > > > clients? If so, that doesn't seem like a good idea. Should we expose a > > > timeout parameter in the xml-rpc layer and let the gui have a > > > configurable value that it always passes? > > > > I'm not sure why it matters differently for xml-rpc clients? The time > > limit it on the ldap search operation. Or, do we expect the xml-rpc > > clients to be used more for reporting (in which case I agree it's a > > problem). > > > > I was thinking that the xml-rpc clients might be used in ways that we > don't want the timeout - reporting being a good example. Okay, I will add a timeout parameter then, and default it to "no timeout". I'm buried in the group edit stuff right now, so if you don't mind pushing it would work better for me to add that as a separate patch later today/tomorrow. :-) -Kevin -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4054 bytes Desc: not available URL: From kmacmill at redhat.com Thu Sep 27 18:03:48 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Thu, 27 Sep 2007 14:03:48 -0400 Subject: [Freeipa-devel] [PATCH] a bunch of small tweeks In-Reply-To: <20070927174533.GB16797@moon.usersys.redhat.com> References: <20070925183006.GD20742@moon.usersys.redhat.com> <1190900952.4543.1.camel@localhost.localdomain> <20070927171803.GA16797@moon.usersys.redhat.com> <1190914209.2765.0.camel@localhost.localdomain> <20070927174533.GB16797@moon.usersys.redhat.com> Message-ID: <1190916228.3197.0.camel@localhost.localdomain> On Thu, 2007-09-27 at 10:45 -0700, Kevin McCarthy wrote: > Karl MacMillan wrote: > > On Thu, 2007-09-27 at 10:18 -0700, Kevin McCarthy wrote: > > > Karl MacMillan wrote: > > > > On Tue, 2007-09-25 at 11:30 -0700, Kevin McCarthy wrote: > > > > > This is a set of small tweeks suggested in my meeting with Bob and Pete > > > > > yesterday. > > > > > > > > > > The most controversial is adding a search timeout for find users and > > > > > groups. I've put this at 2 seconds for now. The problem with this > > > > > approach is that it makes the number of results that come back random - > > > > > depending on the server. > > > > > > > > > > So, consider it a test. Please send your feedback if you have opinions > > > > > (it's pushed to demo). > > > > > > > > > > > > > It looks like the time limit will effect all clients, including xml-rpc > > > > clients? If so, that doesn't seem like a good idea. Should we expose a > > > > timeout parameter in the xml-rpc layer and let the gui have a > > > > configurable value that it always passes? > > > > > > I'm not sure why it matters differently for xml-rpc clients? The time > > > limit it on the ldap search operation. Or, do we expect the xml-rpc > > > clients to be used more for reporting (in which case I agree it's a > > > problem). > > > > > > > I was thinking that the xml-rpc clients might be used in ways that we > > don't want the timeout - reporting being a good example. > > Okay, I will add a timeout parameter then, and default it to "no > timeout". > > I'm buried in the group edit stuff right now, so if you don't mind > pushing it would work better for me to add that as a separate patch > later today/tomorrow. :-) > You got it - pushed. Karl From kmccarth at redhat.com Thu Sep 27 18:34:18 2007 From: kmccarth at redhat.com (Kevin McCarthy) Date: Thu, 27 Sep 2007 11:34:18 -0700 Subject: [Freeipa-devel] [PATCH] change groupedit to perform operations on dn's for users Message-ID: <20070927183417.GD16797@moon.usersys.redhat.com> This patch changes the groupedit.kid page to manipulate users using their dns. It adds proper escaping to the dynamically generated javascript strings (at the python -> javascript) boundary don't fail if they python variable contains a ' or " Previously, the uids were being translated into dns using a search. Now the dns come directly from TG, so need to be translated into utf-8. Next step is changing the page to work with groups too. -Kevin -------------- next part -------------- # HG changeset patch # User Kevin McCarthy # Date 1190917653 25200 # Node ID d9bfdc313e9522daeaa5cfdcc9295da12190003d # Parent 5bc5ed865060671057635f21456c561b4402416c patch queue: group_users_use_dns.patch diff -r 5bc5ed865060 -r d9bfdc313e95 ipa-server/ipa-gui/ipagui/controllers.py --- a/ipa-server/ipa-gui/ipagui/controllers.py Wed Sep 26 15:47:34 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/controllers.py Thu Sep 27 11:27:33 2007 -0700 @@ -17,6 +17,7 @@ import ipa.config import ipa.config import ipa.ipaclient import ipa.user +from ipa.entity import utf8_encode_values import xmlrpclib import forms.user import forms.group @@ -534,12 +535,13 @@ class Root(controllers.RootController): # failed_adds = [] try: - uidadds = kw.get('uidadd') - if uidadds != None: - if not(isinstance(uidadds,list) or isinstance(uidadds,tuple)): - uidadds = [uidadds] - failed_adds = client.add_users_to_group(uidadds, kw.get('cn')) - kw['uidadd'] = failed_adds + dnadds = kw.get('dnadd') + if dnadds != None: + if not(isinstance(dnadds,list) or isinstance(dnadds,tuple)): + dnadds = [dnadds] + failed_adds = client.add_members_to_group( + utf8_encode_values(dnadds), kw.get('cn')) + kw['dnadd'] = failed_adds except ipaerror.IPAError, e: turbogears.flash("User update failed: " + str(e)) return dict(form=group_edit_form, group=kw, members=member_dicts, @@ -550,12 +552,13 @@ class Root(controllers.RootController): # failed_dels = [] try: - uiddels = kw.get('uiddel') - if uiddels != None: - if not(isinstance(uiddels,list) or isinstance(uiddels,tuple)): - uiddels = [uiddels] - failed_dels = client.remove_users_from_group(uiddels, kw.get('cn')) - kw['uiddel'] = failed_dels + dndels = kw.get('dndel') + if dndels != None: + if not(isinstance(dndels,list) or isinstance(dndels,tuple)): + dndels = [dndels] + failed_dels = client.remove_members_from_group( + utf8_encode_values(dndels), kw.get('cn')) + kw['dndel'] = failed_dels except ipaerror.IPAError, e: turbogears.flash("User update failed: " + str(e)) return dict(form=group_edit_form, group=kw, members=member_dicts, diff -r 5bc5ed865060 -r d9bfdc313e95 ipa-server/ipa-gui/ipagui/forms/group.py --- a/ipa-server/ipa-gui/ipagui/forms/group.py Wed Sep 26 15:47:34 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/forms/group.py Thu Sep 27 11:27:33 2007 -0700 @@ -11,7 +11,7 @@ class GroupFields(): group_orig = widgets.HiddenField(name="group_orig") member_data = widgets.HiddenField(name="member_data") - uid_to_cn_json = widgets.HiddenField(name="uid_to_cn_json") + dn_to_cn_json = widgets.HiddenField(name="dn_to_cn_json") class GroupNewValidator(validators.Schema): cn = validators.String(not_empty=True) @@ -48,7 +48,7 @@ class GroupEditForm(widgets.Form): fields = [GroupFields.gidnumber, GroupFields.description, GroupFields.cn_hidden, GroupFields.editprotected_hidden, GroupFields.group_orig, GroupFields.member_data, - GroupFields.uid_to_cn_json] + GroupFields.dn_to_cn_json] validator = GroupEditValidator() diff -r 5bc5ed865060 -r d9bfdc313e95 ipa-server/ipa-gui/ipagui/helpers/ipahelper.py --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/ipa-server/ipa-gui/ipagui/helpers/ipahelper.py Thu Sep 27 11:27:33 2007 -0700 @@ -0,0 +1,9 @@ +import re + +def javascript_string_escape(input): + """Escapes the ' " and \ characters in a string so + it can be embedded inside a dynamically generated string.""" + + return re.sub(r'[\'\"\\]', + lambda match: "\\%s" % match.group(), + input) diff -r 5bc5ed865060 -r d9bfdc313e95 ipa-server/ipa-gui/ipagui/static/javascript/ipautil.js --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/ipa-server/ipa-gui/ipagui/static/javascript/ipautil.js Thu Sep 27 11:27:33 2007 -0700 @@ -0,0 +1,8 @@ + +/* + * Escapes the ' " and \ characters in a string, so + * it can be embedded inside a dynamically generated string. + */ +function jsStringEscape(input) { + return input.gsub(/(['"\\])/, function(match){ return "\\" + match[0]} ); +} diff -r 5bc5ed865060 -r d9bfdc313e95 ipa-server/ipa-gui/ipagui/templates/groupeditform.kid --- a/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid Wed Sep 26 15:47:34 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid Thu Sep 27 11:27:33 2007 -0700 @@ -3,21 +3,30 @@

+ +

${member_name} (${member_uid}) remove +

@@ -272,8 +294,8 @@ * This section restores the contents of the add and remove lists * dynamically if we have to refresh the page */ - if ($('form_uid_to_cn_json').value != "") { - uid_to_cn_hash = new Hash($('form_uid_to_cn_json').value.evalJSON()); + if ($('form_dn_to_cn_json').value != "") { + dn_to_cn_hash = new Hash($('form_dn_to_cn_json').value.evalJSON()); } if ($('form_editprotected').value != "") { @@ -283,30 +305,37 @@ - -

diff -r 5bc5ed865060 -r d9bfdc313e95 ipa-server/ipa-gui/ipagui/templates/master.kid --- a/ipa-server/ipa-gui/ipagui/templates/master.kid Wed Sep 26 15:47:34 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/master.kid Thu Sep 27 11:27:33 2007 -0700 @@ -11,6 +11,7 @@ + diff -r 5bc5ed865060 -r d9bfdc313e95 ipa-server/ipa-gui/ipagui/templates/userlistajax.kid --- a/ipa-server/ipa-gui/ipagui/templates/userlistajax.kid Wed Sep 26 15:47:34 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/userlistajax.kid Thu Sep 27 11:27:33 2007 -0700 @@ -1,24 +1,42 @@

+ +

+ ${user.givenName} ${user.sn} (${user.uid}) - add +

+ +

+ + + ${ent_cn} + add + +

+ + +

diff -r d9bfdc313e95 -r a716a9835fd7 ipa-server/ipa-gui/ipagui/templates/groupshow.kid --- a/ipa-server/ipa-gui/ipagui/templates/groupshow.kid Thu Sep 27 11:27:33 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/groupshow.kid Thu Sep 27 14:51:35 2007 -0700 @@ -35,12 +35,19 @@

Group Members

- ${member_name} (${member_uid}) + ${member_cn} ${member_desc}

diff -r d9bfdc313e95 -r a716a9835fd7 ipa-server/ipa-gui/ipagui/templates/userlistajax.kid --- a/ipa-server/ipa-gui/ipagui/templates/userlistajax.kid Thu Sep 27 11:27:33 2007 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,54 +0,0 @@ -

- - -

- - - -

- - - ${user.givenName} ${user.sn} (${user.uid}) - add - -

- - -

+ + +

+ + + +

+ + + + add + +

+ + +

diff -r ea4707434a51 -r 27fb698fd454 ipa-server/ipa-gui/ipagui/templates/groupeditform.kid --- a/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid Fri Sep 28 09:59:04 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid Fri Sep 28 11:55:56 2007 -0700 @@ -7,40 +7,12 @@ from ipagui.helpers import ipahelper from ipagui.helpers import ipahelper ?> + diff -r ea4707434a51 -r 27fb698fd454 ipa-server/ipa-gui/ipagui/templates/groupeditsearch.kid --- a/ipa-server/ipa-gui/ipagui/templates/groupeditsearch.kid Fri Sep 28 09:59:04 2007 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,73 +0,0 @@ -

- - -

- - - -

- - - - add - -

- - -

- ${form.display(action="userupdate", value=user)} + ${form.display(action="userupdate", value=user, user_groups=user_groups)} diff -r 2a638a7907c4 -r 0a3bb27f723b ipa-server/ipa-gui/ipagui/templates/usereditform.kid --- a/ipa-server/ipa-gui/ipagui/templates/usereditform.kid Fri Sep 28 14:29:12 2007 -0700 +++ b/ipa-server/ipa-gui/ipagui/templates/usereditform.kid Fri Sep 28 16:01:42 2007 -0700 @@ -1,6 +1,16 @@

- + + + + + + + @@ -213,6 +257,81 @@ +

Groups

+ +

To Remove:

+ +

+ + + + remove + + +

+ +

Add Groups

+ +

To Add:

+ +

+ + +

+ + + +

@@ -232,9 +351,52 @@ + + + + + + + diff -r 2a638a7907c4 -r 0a3bb27f723b ipa-server/xmlrpc-server/funcs.py --- a/ipa-server/xmlrpc-server/funcs.py Fri Sep 28 14:29:12 2007 -0700 +++ b/ipa-server/xmlrpc-server/funcs.py Fri Sep 28 16:01:42 2007 -0700 @@ -899,6 +899,56 @@ class IPAServer: return failed + def add_groups_to_user(self, group_dns, user_dn, opts=None): + """Given a list of group dn's add them to the user. + + Returns a list of the group dns that were not added. + """ + + failed = [] + + if (isinstance(group_dns, str)): + group_dns = [group_dns] + + for group_dn in group_dns: + # TODO - change add_member_to_group to take a group_dn + try: + group = self.get_group_by_dn(group_dn, ['cn'], opts) + self.add_member_to_group(user_dn, group.get('cn'), opts) + except ipaerror.exception_for(ipaerror.LDAP_EMPTY_MODLIST): + # User is already in the group + failed.append(group_dn) + except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): + # User or the group does not exist + failed.append(group_dn) + + return failed + + def remove_groups_from_user(self, group_dns, user_dn, opts=None): + """Given a list of group dn's remove them from the user. + + Returns a list of the group dns that were not removed. + """ + + failed = [] + + if (isinstance(group_dns, str)): + group_dns = [group_dns] + + for group_dn in group_dns: + # TODO - change remove_member_from_group to take a group_dn + try: + group = self.get_group_by_dn(group_dn, ['cn'], opts) + self.remove_member_from_group(user_dn, group.get('cn'), opts) + except ipaerror.exception_for(ipaerror.LDAP_EMPTY_MODLIST): + # User is not in the group + failed.append(group_dn) + except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): + # User or the group does not exist + failed.append(group_dn) + + return failed + def update_group (self, oldgroup, newgroup, opts=None): """Update a group in LDAP""" return self.__update_entry(oldgroup, newgroup, opts) diff -r 2a638a7907c4 -r 0a3bb27f723b ipa-server/xmlrpc-server/ipaxmlrpc.py --- a/ipa-server/xmlrpc-server/ipaxmlrpc.py Fri Sep 28 14:29:12 2007 -0700 +++ b/ipa-server/xmlrpc-server/ipaxmlrpc.py Fri Sep 28 16:01:42 2007 -0700 @@ -339,6 +339,8 @@ def handler(req, profiling=False): h.register_function(f.add_group_to_group) h.register_function(f.remove_user_from_group) h.register_function(f.remove_users_from_group) + h.register_function(f.add_groups_to_user) + h.register_function(f.remove_groups_from_user) h.register_function(f.update_group) h.register_function(f.delete_group) h.handle_request(req) -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4054 bytes Desc: not available URL: From ssorce at redhat.com Sun Sep 30 17:28:22 2007 From: ssorce at redhat.com (Simo Sorce) Date: Sun, 30 Sep 2007 13:28:22 -0400 Subject: [Freeipa-devel] Milestone 4 almost done In-Reply-To: <1191013043.12112.60.camel@laptop.local> References: <1191013043.12112.60.camel@laptop.local> Message-ID: <1191173302.3284.3.camel@localhost.localdomain> On Fri, 2007-09-28 at 16:57 -0400, Karl MacMillan wrote: > I'm planning on pushing out a milestone 4 release on Monday after doing > some testing. Other than some pending patches from Kevin, anything else > need to be merged for this release? I am still having problems with apache and kerberos My debugging on the plane turns out to show that a call to the kerberos library tells back that I have no delegated credentials (but klist shows the ticket is forwardable). It would be nice to understand if it is something in my environment that is wrong or if there is a more general problem and what causes it. On Monday I hope to have the time to install an F-7 from scratch and see if I can install and make it working. Another problem we have and that we ditched so far is installing on dirty systems. So far we thought we should not support it because we install on clean systems. Yesterday (always on the plane) I found out why we are wrong: I hit ctrl-c in the middle of the installation. Rerunning ipa-server-install didn't work. This is not acceptable IMO. Not sure if this should impact at all Milestone 4, comments are welcome. Simo. From ssorce at redhat.com Sun Sep 30 20:50:07 2007 From: ssorce at redhat.com (Simo Sorce) Date: Sun, 30 Sep 2007 16:50:07 -0400 Subject: [Freeipa-devel] [PATCH] do not allow empty passwords Message-ID: <1191185407.4736.0.camel@hopeson> see $SUBJECT :) -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-222-no-empty-pwds.patch Type: text/x-patch Size: 2029 bytes Desc: not available URL: From kmacmill at redhat.com Sun Sep 30 22:15:49 2007 From: kmacmill at redhat.com (Karl MacMillan) Date: Sun, 30 Sep 2007 18:15:49 -0400 Subject: [Freeipa-devel] Milestone 4 almost done In-Reply-To: <1191173302.3284.3.camel@localhost.localdomain> References: <1191013043.12112.60.camel@laptop.local> <1191173302.3284.3.camel@localhost.localdomain> Message-ID: <1191190549.28109.4.camel@laptop.local> On Sun, 2007-09-30 at 13:28 -0400, Simo Sorce wrote: > On Fri, 2007-09-28 at 16:57 -0400, Karl MacMillan wrote: > > I'm planning on pushing out a milestone 4 release on Monday after doing > > some testing. Other than some pending patches from Kevin, anything else > > need to be merged for this release? > > I am still having problems with apache and kerberos > > My debugging on the plane turns out to show that a call to the kerberos > library tells back that I have no delegated credentials (but klist shows > the ticket is forwardable). > > It would be nice to understand if it is something in my environment that > is wrong or if there is a more general problem and what causes it. > > On Monday I hope to have the time to install an F-7 from scratch and see > if I can install and make it working. > Have you upgraded your mod_auth_kerb and installed the new PyKerberos that Rob posted Fri? That (and setting my hostname correctly) fixed all of my problems. It would be great if you could test everything on Mon. and let me know if it works. If it does that would mean that at least 3 of us have everything working - which would count as well tested at this point :) > Another problem we have and that we ditched so far is installing on > dirty systems. So far we thought we should not support it because we > install on clean systems. Yesterday (always on the plane) I found out > why we are wrong: I hit ctrl-c in the middle of the installation. > Rerunning ipa-server-install didn't work. This is not acceptable IMO. > Not sure if this should impact at all Milestone 4, comments are welcome. > The only thing I have to do to reinstall is: a) stop all of the ipa components b) delete the dirsrv instance Does that match your experience? We could automate that, but I hesitate to delete data. Maybe offer to move aside the dirsrv instance data? Also - do we _really_ need the guid naming for the dirsrv instance. It is really a pain and I'm not convinced that we need uniqueness like that. Also - do we need a convenient way to start/stop all of the IPA related daemons? Regardless, let's put some solution on the list of things to do, but not delay milestone 4. Karl

Edit Person

View Person

Edit Person

${len(groups)} results returned:

No results found for "${criteria}"

View Group

${len(users)} results returned:

Edit Group

No results found for "${criteria}"

No results found for "${uid}"

Welcome to Free IPA