From rcritten at redhat.com Fri Feb 1 15:25:35 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Feb 2008 10:25:35 -0500
Subject: [Freeipa-devel] [PATCH] fix command-line usage
In-Reply-To: <1201822018.22772.53.camel@localhost.localdomain>
References: <47A1EF1C.5030902@redhat.com> <1201822018.22772.53.camel@localhost.localdomain>
Message-ID: <47A339EF.1070303@redhat.com>

Simo Sorce wrote:
> On Thu, 2008-01-31 at 10:54 -0500, Rob Crittenden wrote:
>> Handle the --usage option by actually displaying the usage
>> Fix some missing options in --usage
>> Remove a few debugging statements
>
> Ack.
>

pushed

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Feb 2008 10:25:44 -0500
Subject: [Freeipa-devel] [PATCH] Add option to list available attributes in the ipa-mod* utilities
In-Reply-To: <1201822055.22772.55.camel@localhost.localdomain>
References: <47A1F6B8.7090005@redhat.com> <1201822055.22772.55.camel@localhost.localdomain>
Message-ID: <47A339F8.7050908@redhat.com>

Simo Sorce wrote:
> On Thu, 2008-01-31 at 11:26 -0500, Rob Crittenden wrote:
>> Add option to list common attributes for use with
>> --setattr,--addattr,--delattr in the ipa-mod* utilities.
>
> Ack.
>

pushed
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Feb 2008 10:25:53 -0500
Subject: [Freeipa-devel] [PATCH] setup log in specfile
In-Reply-To: <1201822084.22772.57.camel@localhost.localdomain>
References: <47A21F7B.1050606@redhat.com> <1201822084.22772.57.camel@localhost.localdomain>
Message-ID: <47A33A01.7030306@redhat.com>

Simo Sorce wrote:
> On Thu, 2008-01-31 at 14:20 -0500, Rob Crittenden wrote:
>> Add a %post script to touch and set ownership & permissions on the
>> TurboGears error log. It needs to be owned by apache otherwise the UI
>> can't start up.
>
> Ack.
>

pushed

From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 01 Feb 2008 10:26:04 -0500
Subject: [Freeipa-devel] [PATCH] don't error out on password changes in UI
In-Reply-To: <1201822112.22772.59.camel@localhost.localdomain>
References: <47A24E28.1040900@redhat.com> <1201822112.22772.59.camel@localhost.localdomain>
Message-ID: <47A33A0C.6000904@redhat.com>

Simo Sorce wrote:
> On Thu, 2008-01-31 at 17:39 -0500, Rob Crittenden wrote:
>> A change happened at some point related to password changes in the UI
>> which broke it. This fixes it and adds an extra exception handler so
>> rather than erroring out we handle it gracefully.
>
> Good.
>

pushed
From: taruishi at redhat.com (Masato Taruishi)
Date: Sat, 02 Feb 2008 00:33:24 +0900
Subject: [Freeipa-devel] resend: internationalization of kid templates
In-Reply-To: <47A228BD.7030603@redhat.com>
References: <1199353118.4420.17.camel@freeipa.example.com> <479F6391.3060102@redhat.com> <1201744037.4036.7.camel@freeipa.example.com> <47A228BD.7030603@redhat.com>
Message-ID: <1201880004.4569.23.camel@localhost.localdomain>

On Thu, 2008-01-31 at 14:59 -0500, Rob Crittenden wrote:
> Masato Taruishi wrote:
> > Ah, I'm very sorry about my late reply.
> > I missed your reply.
>
> No worries.
>
> >
> >> Masato Taruishi wrote:
> >>> Hi,
> >>>
> >>> I wrote a patch to internationalize kid templates. In addition
> >>> to the general internationalization, the patch also includes
> >>> the Japanese po file. Please see the attached screenshots.
> >>> Of course, this patch supports the content negotiation feature
> >>> so you can see the English page, too.
> >>>
> >>> I haven't internationalized javascript and python messages yet
> >>> because it requires utf-8 safety. I guess it's the next work for
> >>> i18n related tasks.
> >>>
> >>> I hope this would help internationalization support of freeipa.
> >>>
> >>> Thanks
> >>> Best regards
> >>
> >> Hi. I'm reviewing your patch now and it looks ok, I just have a couple
> >> of questions.
> >>
> >> What do we need to do on an ongoing basis to be sure that the messages
> >> stay up-to-date? Will we need to run something every time we make a
> >> change to a kid file?
> >
> > You can collect the template pot file by running the following command:
> >
> > ~/ipa-server/ipa-gui$ tg-admin i18n collect
> >
> > which creates locales/messages.pot. However, unfortunately, the above
> > command doesn't work correctly for .kid files unless you apply the
> > following patch:
> >
> > --- /usr/lib/python2.5/site-packages/turbogears/command/i18n.py
> > 2007-07-22 05:08:37.000000000 +0900
> > +++ i18n.py 2008-01-31 01:02:13.000000000 +0900
> > @@ -251,7 +251,12 @@
> > if self.options.loose_kid_support or el.get('lang',
> > None):
> > tag = re.sub('({[^}]+})?(\w+)', '\\2', el.tag)
> > ents = []
> > - if el.text: ents = [el.text.strip()]
> > + if el.text and not ( el.text.strip() in keys):
> > + if el.tag == "script":
> > + ents = [el.text.strip()]
> > + else:
> > + messages.append((tag, fname,
> > el.text.strip()))
> > + keys.append(el.text.strip())
> > if el.attrib: ents.extend(el.attrib.values())
> > for k in ents:
> > key = None
>
> How often would we be expected to run this? I assume that ideally we
> should do it with any update to the kid files, just to keep things in
> sync, right?

right.

> >
> >> The .po files have a header. Currently the translator field is empty. Is
> >> it common for this to be the default, FULL NAME ?
> >
> > Ah, I forgot to change that to my name. Can you change it
> > to my name?
>
> Sure.
>
> >
> >> It pulled in some pure code in some cases. It looks like:
> >>
> >> +#: ipagui/templates/ipapolicyshow.kid:td
> >> +msgid "${ipapolicy.get(\"ipasearchtimelimit\")}"
> >> +msgstr ""
> >>
> >> Should we leave these in there or remove them?
> >
> > Or use py:content for the code in the td tag.
>
> And I assume this is something we could go back to and fix later?

Yes.

> One last question. How would you recommend packaging? Would we want a
> separate package that contained the .pot file(s) for each language?

No. We don't need several packages because it's not large.

Thanks

> thanks
>
> rob
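Review bot: the added `if el.tag == "script":` test compares the raw element tag, while the unchanged line just above it strips any namespace prefix into `tag` (`re.sub('({[^}]+})?(\w+)', '\\2', el.tag)`); for a namespaced element, which is exactly what that regex exists to handle, `el.tag` is `{...}script`, so the script branch never fires and the script body falls through to `messages.append(...)` and is extracted as a translatable message. Suggest comparing `tag == "script"` instead. Two smaller points on the same hunk: `keys` is appended to but its initialisation is not in the visible context, so please confirm it is defined in the same scope as `messages` before this loop; and `el.text.strip()` of a whitespace-only text node is the empty string, which this version records as a message once (the old line had the same weakness, but a `if stripped:` guard would fix both).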
From: daobrien at redhat.com (David O'Brien)
Date: Sat, 02 Feb 2008 18:59:19 +1000
Subject: [Freeipa-devel] [PATCH] Add option to list available attributes in the ipa-mod* utilities
In-Reply-To: <47A339F8.7050908@redhat.com>
References: <47A1F6B8.7090005@redhat.com> <1201822055.22772.55.camel@localhost.localdomain> <47A339F8.7050908@redhat.com>
Message-ID: <47A430E7.8080205@redhat.com>

Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Thu, 2008-01-31 at 11:26 -0500, Rob Crittenden wrote:
>>> Add option to list common attributes for use with
>>> --setattr,--addattr,--delattr in the ipa-mod* utilities.
>>

I'm a bit confused about this. Do we have the option of using --setattr attr=value OR --set attr=value, or do some commands use the first form and other commands the second form? I realize that many commands support long and short versions of various options (-h,--help) but I wonder if we're overdoing it here. I must admit the second form looks cleaner.

just my 2c

-- 
David O'Brien
IPA Content Author
"We couldn't care less about comfort. We make you feel good."
Federico Minoli CEO Ducati Motor S.p.A.

From: daobrien at redhat.com (David O'Brien)
Date: Mon, 04 Feb 2008 16:04:47 +1000
Subject: [Freeipa-devel] error in ipa-replica-prepare script?
Message-ID: <47A6AAFF.9080104@redhat.com>

When I run this it tells me that /etc/dirsrv/slapd-AUSTRALIA.COM/ doesn't exist. The directory is actually /etc/dirsrv/slapd-AUSTRALIA-COM/

Where lies the error and can I fix it locally without waiting for a patch, etc?

thanks a lot

-- 
David O'Brien
IPA Content Author
"We couldn't care less about comfort. We make you feel good."
Federico Minoli CEO Ducati Motor S.p.A.
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 04 Feb 2008 09:11:23 -0500
Subject: [Freeipa-devel] [PATCH] Add option to list available attributes in the ipa-mod* utilities
In-Reply-To: <47A430E7.8080205@redhat.com>
References: <47A1F6B8.7090005@redhat.com> <1201822055.22772.55.camel@localhost.localdomain> <47A339F8.7050908@redhat.com> <47A430E7.8080205@redhat.com>
Message-ID: <47A71D0B.3090607@redhat.com>

David O'Brien wrote:
> Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Thu, 2008-01-31 at 11:26 -0500, Rob Crittenden wrote:
>>>> Add option to list common attributes for use with
>>>> --setattr,--addattr,--delattr in the ipa-mod* utilities.
>>>
>
> I'm a bit confused about this. Do we have the option of using --setattr
> attr=value OR --set attr=value, or do some commands use the first form
> and other commands the second form? I realize that many commands support
> long and short versions of various options (-h,--help) but I wonder if
> we're overdoing it here. I must admit the second form looks cleaner.
>
> just my 2c
>

Well look at that. I thought that the -- argument form required an = between the option and its argument. So --setattr attr=value is grokked properly.

So I'll re-open the bug and fix the man page.

rob
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 04 Feb 2008 10:02:23 -0500
Subject: [Freeipa-devel] error in ipa-replica-prepare script?
In-Reply-To: <47A6AAFF.9080104@redhat.com>
References: <47A6AAFF.9080104@redhat.com>
Message-ID: <47A728FF.8080407@redhat.com>

David O'Brien wrote:
> When I run this it tells me that /etc/dirsrv/slapd-AUSTRALIA.COM/
> doesn't exist. The directory is actually /etc/dirsrv/slapd-AUSTRALIA-COM/
>
> Where lies the error and can I fix it locally without waiting for a
> patch, etc?
>
> thanks a lot
>

edit /usr/lib/python2.5/site-packages/ipaserver/dsinstance.py and make config_dirname() look like:

    def config_dirname(serverid):
        return "/etc/dirsrv/slapd-" + realm_to_serverid(serverid) + "/"

Can you file a bug on this?

rob

From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 04 Feb 2008 11:08:15 -0500
Subject: [Freeipa-devel] [PATCH] update/add license
Message-ID: <47A7386F.5020600@redhat.com>

freeIPA is licensed as GPLv2. Most files were copied from templates and contained "and above." in them. This patch fixes that by specifically saying "version 2 only". It also adds the license text to many more files.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-627-license.patch
Type: text/x-patch
Size: 185510 bytes
Desc: not available
URL:
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 04 Feb 2008 15:16:50 -0500
Subject: [Freeipa-devel] [PATCH] update/add license
In-Reply-To: <47A7386F.5020600@redhat.com>
References: <47A7386F.5020600@redhat.com>
Message-ID: <47A772B2.6070908@redhat.com>

Rob Crittenden wrote:
> freeIPA is licensed as GPLv2. Most files were copied from templates and
> contained "and above." in them. This patch fixes that by specifically
> saying "version 2 only". It also adds the license text to many more files.
>
> rob
>

New patch with some minor changes including not adding the license to things like Makefiles.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-627-license.patch
Type: text/x-patch
Size: 116471 bytes
Desc: not available
URL:
From: daobrien at redhat.com (David O'Brien)
Date: Tue, 05 Feb 2008 09:21:17 +1000
Subject: [Freeipa-devel] error in ipa-replica-prepare script?
In-Reply-To: <47A728FF.8080407@redhat.com>
References: <47A6AAFF.9080104@redhat.com> <47A728FF.8080407@redhat.com>
Message-ID: <47A79DED.3000607@redhat.com>

Rob Crittenden wrote:
> David O'Brien wrote:
>> When I run this it tells me that /etc/dirsrv/slapd-AUSTRALIA.COM/
>> doesn't exist. The directory is actually
>> /etc/dirsrv/slapd-AUSTRALIA-COM/
>>
>> Where lies the error and can I fix it locally without waiting for a
>> patch, etc?
>>
>> thanks a lot
>>
>
> edit /usr/lib/python2.5/site-packages/ipaserver/dsinstance.py and make
> config_dirname() look like:
>
>     def config_dirname(serverid):
>         return "/etc/dirsrv/slapd-" + realm_to_serverid(serverid) + "/"
>
> Can you file a bug on this?
>
> rob

that works, ta.

Bug 431493

-- 
David O'Brien
IPA Content Author
"We couldn't care less about comfort. We make you feel good."
Federico Minoli CEO Ducati Motor S.p.A.
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 Feb 2008 10:57:14 -0500
Subject: [Freeipa-devel] [PATCH] fix up replica creation and installation
Message-ID: <47A8875A.9000604@redhat.com>

I've made fairly major changes to the way replication is handled.

The first is to use a file to store the current CA serial number. I could have stored it in LDAP, others are free to add this if they like but a file is good enough for now.

No longer create a PKCS#12 file that contains the CA. This is a self-signed cert after all, no need to walk on egg shells.

No longer send the entire CA to each replica, generate the SSL certs on master. This is what drove storing the serial number. We used to send the entire CA to each replica so it could be used to generate the SSL certs needed. This resulted in duplicate serial numbers and the CA everywhere. Instead I changed ipa-replica-prepare to take a FQDN and we generate the certificates in advance.

Fix a number of bugs in ipa-replica-install and prepare

Produce status output during replica creation

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-629-replica.patch
Type: text/x-patch
Size: 17478 bytes
Desc: not available
URL:
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 Feb 2008 12:25:20 -0500
Subject: [Freeipa-devel] [PATCH] fix up replica creation and installation
In-Reply-To: <47A8875A.9000604@redhat.com>
References: <47A8875A.9000604@redhat.com>
Message-ID: <47A89C00.1060102@redhat.com>

Rob Crittenden wrote:
> I've made fairly major changes to the way replication is handled.
>
> The first is to use a file to store the current CA serial number. I could
> have stored it in LDAP, others are free to add this if they like but a
> file is good enough for now.
>
> No longer create a PKCS#12 file that contains the CA. This is a
> self-signed cert after all, no need to walk on egg shells.
>
> No longer send the entire CA to each replica, generate the SSL certs on
> master. This is what drove storing the serial number. We used to send
> the entire CA to each replica so it could be used to generate the SSL certs
> needed. This resulted in duplicate serial numbers and the CA everywhere.
> Instead I changed ipa-replica-prepare to take a FQDN and we generate the
> certificates in advance.
>
> Fix a number of bugs in ipa-replica-install and prepare
>
> Produce status output during replica creation
>
> rob
>

Simo still wanted to keep the CA PKCS#12 file and add a message during install to be sure this gets backed up. It is only a self-signed cert but it is a single point of failure and a disk failure could cause the IPA CA to be lost.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-629-replica2.patch
Type: text/x-patch
Size: 17307 bytes
Desc: not available
URL:
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 05 Feb 2008 12:19:15 -0500
Subject: [Freeipa-devel] [PATCH] fix up replica creation and installation
In-Reply-To: <47A89C00.1060102@redhat.com>
References: <47A8875A.9000604@redhat.com> <47A89C00.1060102@redhat.com>
Message-ID: <47A89A93.2010800@redhat.com>

Rob Crittenden wrote:
> Rob Crittenden wrote:
>> I've made fairly major changes to the way replication is handled.
>>
>> The first is to use a file to store the current CA serial number. I
>> could have stored it in LDAP, others are free to add this if they like
>> but a file is good enough for now.
>>
>> No longer create a PKCS#12 file that contains the CA. This is a
>> self-signed cert after all, no need to walk on egg shells.
>>
>> No longer send the entire CA to each replica, generate the SSL certs
>> on master. This is what drove storing the serial number. We used to
>> send the entire CA to each replica so it could be used to generate the
>> SSL certs needed. This resulted in duplicate serial numbers and the CA
>> everywhere. Instead I changed ipa-replica-prepare to take a FQDN and
>> we generate the certificates in advance.
>>
>> Fix a number of bugs in ipa-replica-install and prepare
>>
>> Produce status output during replica creation
>>
>> rob
>>
>
> Simo still wanted to keep the CA PKCS#12 file and add a message during
> install to be sure this gets backed up. It is only a self-signed cert
> but it is a single point of failure and a disk failure could cause
> the IPA CA to be lost.

Good one!

Simo.
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 Feb 2008 13:53:32 -0500
Subject: [Freeipa-devel] [PATCH] fix up replica creation and installation
In-Reply-To: <47A89A93.2010800@redhat.com>
References: <47A8875A.9000604@redhat.com> <47A89C00.1060102@redhat.com> <47A89A93.2010800@redhat.com>
Message-ID: <47A8B0AC.6080704@redhat.com>

Simo Sorce wrote:
> Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> I've made fairly major changes to the way replication is handled.
>>>
>>> The first is to use a file to store the current CA serial number. I
>>> could have stored it in LDAP, others are free to add this if they
>>> like but a file is good enough for now.
>>>
>>> No longer create a PKCS#12 file that contains the CA. This is a
>>> self-signed cert after all, no need to walk on egg shells.
>>>
>>> No longer send the entire CA to each replica, generate the SSL certs
>>> on master. This is what drove storing the serial number. We used to
>>> send the entire CA to each replica so it could be used to generate the
>>> SSL certs needed. This resulted in duplicate serial numbers and the
>>> CA everywhere. Instead I changed ipa-replica-prepare to take a FQDN
>>> and we generate the certificates in advance.
>>>
>>> Fix a number of bugs in ipa-replica-install and prepare
>>>
>>> Produce status output during replica creation
>>>
>>> rob
>>>
>>
>> Simo still wanted to keep the CA PKCS#12 file and add a message during
>> install to be sure this gets backed up. It is only a self-signed cert
>> but it is a single point of failure and a disk failure could cause
>> the IPA CA to be lost.
>
> Good one!
> Simo.
>

pushed
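The replica thread above turns on one point: once every replica held a copy of the CA and signed its own SSL certs, two replicas could issue certificates with the same serial number, which X.509 (RFC 5280) forbids for a single issuer. The patch moves signing to the master and keeps the last serial in a file. The following Python is an added illustration of that design, not FreeIPA's code: `next_serial` is a hypothetical file-backed counter guarded by an exclusive flock, `issue_on_master` models the new scheme, `issue_on_each_replica` models the old one, and `duplicate_serials` is the check a reviewer would run over the result. Host names and the scratch counter file are constructed for the demo.

```python
"""File-backed CA serial counter on the master (added example, not FreeIPA code)."""
import fcntl
import os
import tempfile


def next_serial(counter_path):
    """Atomically take the next certificate serial from the counter file.

    The file holds the last serial issued; missing or empty means 0. The
    exclusive flock serialises concurrent issuers on the same master so two
    ipa-replica-prepare runs cannot hand out the same number.
    """
    fd = os.open(counter_path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX)
        raw = os.read(fd, 64).strip()
        serial = (int(raw) if raw else 0) + 1
        os.lseek(fd, 0, os.SEEK_SET)
        os.ftruncate(fd, 0)
        os.write(fd, ("%d\n" % serial).encode("ascii"))
        os.fsync(fd)
        return serial
    finally:
        fcntl.flock(fd, fcntl.LOCK_UN)
        os.close(fd)


def issue_on_master(counter_path, fqdns, services=("ldap", "http")):
    """New scheme: the master signs every replica's service certs and draws
    all serials from the one counter. Returns {(fqdn, service): serial}."""
    return {(fqdn, svc): next_serial(counter_path)
            for fqdn in fqdns for svc in services}


def issue_on_each_replica(fqdns, services=("ldap", "http")):
    """Old scheme: every replica received a copy of the CA (key and counter
    state), so each one restarts numbering from the same point and the
    serials handed out by different replicas collide."""
    issued = {}
    for fqdn in fqdns:
        local_counter = 0                 # copied CA state, identical on every replica
        for svc in services:
            local_counter += 1
            issued[(fqdn, svc)] = local_counter
    return issued


def duplicate_serials(issued):
    """Serial numbers used more than once. RFC 5280 requires serials to be
    unique per issuer, so for a correct CA this set is empty."""
    seen, dups = set(), set()
    for serial in issued.values():
        if serial in seen:
            dups.add(serial)
        seen.add(serial)
    return dups


def demo():
    """Run both schemes for two constructed replica names against a scratch
    counter file and return (master_issued, per_replica_issued)."""
    hosts = ["replica1.example.test", "replica2.example.test"]   # constructed names
    with tempfile.TemporaryDirectory() as tmp:
        counter = os.path.join(tmp, "ca-serial")   # stands in for the master's serial file
        return issue_on_master(counter, hosts), issue_on_each_replica(hosts)


if __name__ == "__main__":
    good, bad = demo()
    print("master-issued duplicates:", duplicate_serials(good))   # set()
    print("per-replica duplicates:  ", duplicate_serials(bad))    # {1, 2}
```

The lock matters even with a single master: two administrators running ipa-replica-prepare at the same time would otherwise read the same last value. Storing the counter in LDAP, as Rob mentions, would need the same kind of atomic increment (a compare-and-replace modify) for the same reason.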
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 05 Feb 2008 15:43:32 -0500
Subject: [Freeipa-devel] [PATCH] fix ldap.conf installation
Message-ID: <47A8CA74.7070704@redhat.com>

fixes 431603

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-646-nss_map_member.patch
Type: text/x-patch
Size: 1016 bytes
Desc: not available
URL:

From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 05 Feb 2008 16:04:01 -0500
Subject: [Freeipa-devel] [PATCH] fix ldap.conf installation
In-Reply-To: <47A8CA74.7070704@redhat.com>
References: <47A8CA74.7070704@redhat.com>
Message-ID: <47A8CF41.3020901@redhat.com>

Simo Sorce wrote:
> fixes 431603
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Ack'd and pushed
From: sailer at sailer.dynip.lugs.ch (Thomas Sailer)
Date: Wed, 06 Feb 2008 03:19:53 +0100
Subject: [Freeipa-devel] freeipa and samba
Message-ID: <1202264393.3914.31.camel@unreal.localdomain>

I've just installed freeipa on an up-to-date Fedora 8 machine. I used the current rawhide ipa srpm and recompiled it on F8.

The biggest problem was that kerberos credentials passing in mod_auth_kerb does not work with krb5-libs-1.6.2-9.fc8. I recompiled and installed the rawhide krb5-1.6.3-4.fc9.src.rpm on F8, now it works. This might be worth an addition to the troubleshooting guide, it took me quite some time to figure this out.

Now how am I supposed to configure samba? I can make samba authenticate against LDAP just fine. But what should samba do on user add? password change?

The ipa-* scripts currently do not provide a way to create a machine account.

smbldap-tools scripts basically work, but do not add the kerberos principal when creating new accounts, which causes subsequent password changes to fail until the principal is added manually.

What is the strategy with idm-console and dirsrv-admin? Are they intended to be totally superseded by the ipa command line tools and the web gui?

Tom
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Feb 2008 11:03:21 -0500
Subject: [Freeipa-devel] [PATCH] create pid files in /var/run
Message-ID: <47A9DA49.1010801@redhat.com>

Create /var/run/.pid to play nicer with the start scripts
Need to start ipa_webgui as root and drop privs in order to write in /var/run

This is needed because otherwise one can start up ipa_kpasswd and ipa_webgui multiple times.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-633-pid.patch
Type: text/x-patch
Size: 3358 bytes
Desc: not available
URL:

From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 06 Feb 2008 15:15:03 -0500
Subject: [Freeipa-devel] [PATCH] update/add license
In-Reply-To: <47A772B2.6070908@redhat.com>
References: <47A7386F.5020600@redhat.com> <47A772B2.6070908@redhat.com>
Message-ID: <1202328903.8976.111.camel@localhost.localdomain>

On Mon, 2008-02-04 at 15:16 -0500, Rob Crittenden wrote:
>
> New patch with some minor changes including not adding the license to
> things like Makefiles.

Ack

-- 
Simo Sorce * Red Hat, Inc * New York
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 06 Feb 2008 15:15:26 -0500
Subject: [Freeipa-devel] [PATCH] create pid files in /var/run
In-Reply-To: <47A9DA49.1010801@redhat.com>
References: <47A9DA49.1010801@redhat.com>
Message-ID: <1202328926.8976.113.camel@localhost.localdomain>

On Wed, 2008-02-06 at 11:03 -0500, Rob Crittenden wrote:
> Create /var/run/.pid to play nicer with the start scripts
> Need to start ipa_webgui as root and drop privs in order to write in
> /var/run
>
> This is needed because otherwise one can start up ipa_kpasswd and
> ipa_webgui multiple times.

ack

-- 
Simo Sorce * Red Hat, Inc * New York
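Rob's pid-file patch above describes two coupled decisions: the daemon must start as root to create its pidfile under /var/run, and must then drop privileges before serving; and the pidfile is what stops ipa_kpasswd or ipa_webgui being started twice. The Python below is an added example of that startup order, written for this thread and not taken from the patch. `acquire_pidfile` holds an exclusive, non-blocking flock on the pidfile for the life of the process (so a crashed instance releases it automatically) and falls back to a liveness probe for a stale pid written without the lock; `drop_privileges` performs the group-then-user switch; `start` strings them together in the order the patch requires. The `DEMO_PIDFILE` path under the temporary directory, the 4242 pid used by the test, and the service account names are placeholders for the demo.

```python
"""Pidfile plus privilege drop for a daemon started as root (added example)."""
import errno
import fcntl
import grp
import os
import pwd
import tempfile


class AlreadyRunning(Exception):
    """Another live instance owns the pidfile."""


def pid_is_alive(pid):
    """True if a process with this pid exists; signal 0 probes without killing."""
    try:
        os.kill(pid, 0)
    except OSError as exc:
        return exc.errno != errno.ESRCH    # EPERM means it exists but is not ours
    return True


def acquire_pidfile(path, pid=None):
    """Claim `path` for this instance and return the open fd.

    The daemon keeps the fd open for its whole life: the exclusive flock on
    it is what refuses a second copy, and the kernel drops it even if the
    process crashes. A stale pid left behind by a crash is detected with
    pid_is_alive and simply overwritten.
    """
    pid = os.getpid() if pid is None else pid
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o644)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError:
        os.close(fd)
        raise AlreadyRunning("%s is locked by a running instance" % path)
    raw = os.read(fd, 32).strip()
    if raw.isdigit() and int(raw) != pid and pid_is_alive(int(raw)):
        os.close(fd)
        raise AlreadyRunning("pid %s recorded in %s is still alive" % (raw.decode(), path))
    os.lseek(fd, 0, os.SEEK_SET)
    os.ftruncate(fd, 0)
    os.write(fd, ("%d\n" % pid).encode("ascii"))
    os.fsync(fd)
    return fd


def try_acquire_pidfile(path, pid=None):
    """acquire_pidfile that returns None instead of raising."""
    try:
        return acquire_pidfile(path, pid)
    except AlreadyRunning:
        return None


def release_pidfile(fd, path):
    """Clean shutdown: remove the file, then close (which drops the lock)."""
    os.unlink(path)
    os.close(fd)


def read_pid(path):
    with open(path) as fh:
        return int(fh.read().strip())


def drop_privileges(user, group):
    """Switch from root to the service account once the root-only work
    (writing under /var/run) is done. Returns False if not running as root."""
    if os.getuid() != 0:
        return False
    gid = grp.getgrnam(group).gr_gid
    uid = pwd.getpwnam(user).pw_uid
    os.setgroups([])   # shed root's supplementary groups
    os.setgid(gid)     # group first; after setuid we could no longer change it
    os.setuid(uid)
    os.umask(0o077)
    return True


def start(pidfile, user, group):
    """Startup order from the patch: pidfile first (needs root), then drop
    privileges; the caller then enters its service loop still holding `fd`."""
    fd = acquire_pidfile(pidfile)
    drop_privileges(user, group)
    return fd


# Scratch pidfile for the demo; a real deployment uses /var/run/<service>.pid.
DEMO_PIDFILE = os.path.join(tempfile.gettempdir(), "ipa_demo_%d.pid" % os.getpid())

if __name__ == "__main__":
    fd = acquire_pidfile(DEMO_PIDFILE)
    print("second start refused:", try_acquire_pidfile(DEMO_PIDFILE) is None)   # True
    release_pidfile(fd, DEMO_PIDFILE)
```

Two details worth keeping: the fd returned by `acquire_pidfile` must stay open in the daemon (closing it releases the flock and a second instance would get in), and `os.setgid` must run before `os.setuid`, because an unprivileged uid can no longer change its primary group.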
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 06 Feb 2008 15:25:14 -0500
Subject: [Freeipa-devel] freeipa and samba
In-Reply-To: <1202264393.3914.31.camel@unreal.localdomain>
References: <1202264393.3914.31.camel@unreal.localdomain>
Message-ID: <1202329514.8976.124.camel@localhost.localdomain>

On Wed, 2008-02-06 at 03:19 +0100, Thomas Sailer wrote:
> I've just installed freeipa on an up-to-date Fedora 8 machine. I used
> the current rawhide ipa srpm and recompiled it on F8.
>
> The biggest problem was that kerberos credentials passing in
> mod_auth_kerb does not work with krb5-libs-1.6.2-9.fc8. I recompiled and
> installed the rawhide krb5-1.6.3-4.fc9.src.rpm on F8, now it works. This
> might be worth an addition to the troubleshooting guide, it took me
> quite some time to figure this out.

It may be worth raising a bug against krb5 in F8 so that the proper fix can be released there. Do you feel like doing that?

> Now how am I supposed to configure samba? I can make samba authenticate
> against LDAP just fine. But what should samba do on user add? password
> change?

On user add it should call the ipa tools to add a user entry. To do that, right now, the only way is to create an administrative user account and then retrieve a keytab for it (this will reset the account password and store it in the keytab). A script will kinit using such a keytab and call the appropriate tool with the correct switches.

We plan to do some more integration work with samba, but right now that work has to be done manually.

To change password you should use the following configuration option:

    ldap passwd sync = only

This will make samba only do a password change using the password extop and let the server create all the necessary hashes (including LM and NT hashes). This may require some ACI tweaking and using an SSL connection to FDS.

> The ipa-* scripts currently do not provide a way to create a machine
> account.

Yes, in IPA v1.0 the concept of machine accounts still does not exist.
For samba anyway, machine accounts are just user accounts and must be available via nss calls, so to all effects what you need for now is just regular user accounts named after the machine name.

> smbldap-tools scripts basically work, but do not add the kerberos
> principal when creating new accounts, which causes subsequent password
> changes to fail until the principal is added manually.

True.

> What is the strategy with idm-console and dirsrv-admin? Are they
> intended to be totally superseded by the ipa command line tools and the
> web gui?

No, they are more advanced tools to tweak an installation; you shouldn't need to use them for day to day operations though.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 06 Feb 2008 15:26:06 -0500
Subject: [Freeipa-devel] [PATCH] Don't set blank values
In-Reply-To: <479FA097.2090303@redhat.com>
References: <479FA097.2090303@redhat.com>
Message-ID: <1202329566.8976.126.camel@localhost.localdomain>

On Tue, 2008-01-29 at 16:54 -0500, Rob Crittenden wrote:
> Don't set blank values so we can avoid empty attributes. This is really
> only an issue in the UI so I've limited the changes to there.

Ack.

-- 
Simo Sorce * Red Hat, Inc * New York
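Simo's samba reply above sketches the only automation path available in IPA v1.0: an administrative account whose keytab was fetched with ipa-getkeytab (which resets that account's password), a script that kinits from the keytab, and a call to the ipa tool. The Python below is an added example of how such a wrapper would be written defensively; it is not part of FreeIPA or of the thread. It refuses a keytab readable by other users, obtains the admin ticket into a private credential cache via `KRB5CCNAME` so the ticket never lands in the invoking user's default cache, destroys that cache afterwards whether or not the tool succeeded, and takes the process runner as a parameter so the flow can be exercised with a recording stand-in and no KDC. The `kinit -k -t` flags are MIT Kerberos's; `DEMO_COMMAND`, the principal `samba-admin@EXAMPLE.TEST` and the empty keytab file are constructed placeholders, since the thread names no specific tool or switches.

```python
"""Running an IPA admin tool under a service keytab (added example, not FreeIPA code)."""
import os
import stat
import subprocess
import tempfile

# Placeholder for the real ipa-* tool and switches the script would run;
# the actual command depends on the IPA version and is not given in the thread.
DEMO_COMMAND = ["PLACEHOLDER-ipa-user-tool", "--placeholder-switch", "newuser"]


def keytab_is_private(path):
    """The keytab carries the admin account's long-term key (ipa-getkeytab
    reset the password to produce it), so group/world read bits are a leak."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & 0o077) == 0


def kinit_command(keytab, principal):
    """MIT kinit: -k authenticates from a keytab, -t names the keytab file."""
    return ["kinit", "-k", "-t", keytab, principal]


def run_with_keytab(keytab, principal, command, runner=subprocess.run):
    """kinit into a private credential cache, run `command`, destroy the cache.

    KRB5CCNAME points into a fresh temporary directory, so the admin TGT never
    lands in the calling user's default cache and is wiped whether or not the
    command succeeds. `runner` is injectable so the flow can be exercised
    without a KDC.
    """
    if not keytab_is_private(keytab):
        raise PermissionError("%s is readable by other users; refusing to use it" % keytab)
    with tempfile.TemporaryDirectory() as ccdir:
        env = dict(os.environ)
        env["KRB5CCNAME"] = "FILE:" + os.path.join(ccdir, "ccache")
        runner(kinit_command(keytab, principal), env=env, check=True)
        try:
            return runner(list(command), env=env, check=True)
        finally:
            runner(["kdestroy"], env=env, check=False)


class RecordingRunner:
    """Stand-in for subprocess.run used by demo(): records each command and
    the credential cache it was pointed at instead of executing anything."""

    def __init__(self):
        self.calls = []

    def __call__(self, cmd, env=None, check=False):
        self.calls.append((list(cmd), env.get("KRB5CCNAME") if env else None))
        return 0


def demo(keytab_mode=0o600):
    """Create a constructed, empty keytab with the given mode and drive
    run_with_keytab through the recording runner. Returns the recorded
    (command, KRB5CCNAME) pairs, or None if the permission check refused."""
    runner = RecordingRunner()
    with tempfile.TemporaryDirectory() as tmp:
        keytab = os.path.join(tmp, "samba-admin.keytab")   # constructed, empty file
        open(keytab, "wb").close()
        os.chmod(keytab, keytab_mode)
        try:
            run_with_keytab(keytab, "samba-admin@EXAMPLE.TEST", DEMO_COMMAND, runner=runner)
        except PermissionError:
            return None
    return runner.calls


if __name__ == "__main__":
    for cmd, ccache in demo():
        print(ccache, cmd)
    print("world-readable keytab refused:", demo(0o644) is None)   # True
```

The private cache is the point: a script run from cron or from samba's add-user hook would otherwise leave an administrative TGT in /tmp/krb5cc_<uid> for anything else running as that uid to reuse.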
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Feb 2008 16:01:41 -0500
Subject: [Freeipa-devel] [PATCH] update/add license
In-Reply-To: <1202328903.8976.111.camel@localhost.localdomain>
References: <47A7386F.5020600@redhat.com> <47A772B2.6070908@redhat.com> <1202328903.8976.111.camel@localhost.localdomain>
Message-ID: <47AA2035.8070302@redhat.com>

Simo Sorce wrote:
> On Mon, 2008-02-04 at 15:16 -0500, Rob Crittenden wrote:
>> New patch with some minor changes including not adding the license to
>> things like Makefiles.
>
> Ack

pushed

From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Feb 2008 16:01:50 -0500
Subject: [Freeipa-devel] [PATCH] create pid files in /var/run
In-Reply-To: <1202328926.8976.113.camel@localhost.localdomain>
References: <47A9DA49.1010801@redhat.com> <1202328926.8976.113.camel@localhost.localdomain>
Message-ID: <47AA203E.8000300@redhat.com>

Simo Sorce wrote:
> On Wed, 2008-02-06 at 11:03 -0500, Rob Crittenden wrote:
>> Create /var/run/.pid to play nicer with the start scripts
>> Need to start ipa_webgui as root and drop privs in order to write in
>> /var/run
>>
>> This is needed because otherwise one can start up ipa_kpasswd and
>> ipa_webgui multiple times.
>
> ack
>

pushed
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Feb 2008 16:02:07 -0500
Subject: [Freeipa-devel] [PATCH] Don't set blank values
In-Reply-To: <1202329566.8976.126.camel@localhost.localdomain>
References: <479FA097.2090303@redhat.com> <1202329566.8976.126.camel@localhost.localdomain>
Message-ID: <47AA204F.2070807@redhat.com>

Simo Sorce wrote:
> On Tue, 2008-01-29 at 16:54 -0500, Rob Crittenden wrote:
>> Don't set blank values so we can avoid empty attributes. This is really
>> only an issue in the UI so I've limited the changes to there.
>
> Ack.
>

pushed

From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 06 Feb 2008 16:44:17 -0500
Subject: [Freeipa-devel] freeipa and samba
In-Reply-To: <1202329514.8976.124.camel@localhost.localdomain>
References: <1202264393.3914.31.camel@unreal.localdomain> <1202329514.8976.124.camel@localhost.localdomain>
Message-ID: <1202334257.8976.131.camel@localhost.localdomain>

On Wed, 2008-02-06 at 15:25 -0500, Simo Sorce wrote:
>
> It may be worth raising a bug against krb5 in F8 so that the proper fix
> can be released there. Do you feel like doing that?

Looking more closely now I recall that there are packages in F8 testing that fix the problem, they just need to be pushed into stable.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From: nalin at redhat.com (Nalin Dahyabhai) Date: Wed, 6 Feb 2008 17:01:28 -0500 Subject: [Freeipa-devel] freeipa and samba In-Reply-To: <1202334257.8976.131.camel@localhost.localdomain> References: <1202264393.3914.31.camel@unreal.localdomain> <1202329514.8976.124.camel@localhost.localdomain> <1202334257.8976.131.camel@localhost.localdomain> Message-ID: <20080206220127.GD11907@redhat.com> On Wed, Feb 06, 2008 at 04:44:17PM -0500, Simo Sorce wrote: > Looking more closely now I remind that there are package in F8 testing > that fix the problem, they just need to be pushed into stable. My fault. I kept holding off to add a couple more things, and not actually getting that done. No sense in holding back, though, as pushing a different update later is relatively easy. Nalin From ssorce at redhat.com Thu Feb 7 00:52:02 2008 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 06 Feb 2008 19:52:02 -0500 Subject: [Freeipa-devel] [PATCH] List of enctypes for ipa-getkeytab Message-ID: <1202345522.8976.139.camel@localhost.localdomain> Permit ipa-getkeytab to specify a list of enctypes you want in the keytab you are going to request. Fixes 430037 -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-654-getkeytab-enctypes.patch Type: text/x-patch Size: 7155 bytes Desc: not available URL: From rcritten at redhat.com Thu Feb 7 16:36:47 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 07 Feb 2008 11:36:47 -0500 Subject: [Freeipa-devel] [PATCH] List of enctypes for ipa-getkeytab In-Reply-To: <1202345522.8976.139.camel@localhost.localdomain> References: <1202345522.8976.139.camel@localhost.localdomain> Message-ID: <47AB339F.5040201@redhat.com> Simo Sorce wrote: > Permit ipa-getkeytab to specify a list of enctypes you want in the > keytab you are going to request. > > Fixes 430037 > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ack -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Thu Feb 7 16:51:04 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 07 Feb 2008 11:51:04 -0500 Subject: [Freeipa-devel] [PATCH] List of enctypes for ipa-getkeytab In-Reply-To: <47AB339F.5040201@redhat.com> References: <1202345522.8976.139.camel@localhost.localdomain> <47AB339F.5040201@redhat.com> Message-ID: <1202403064.8976.161.camel@localhost.localdomain> On Thu, 2008-02-07 at 11:36 -0500, Rob Crittenden wrote: > Simo Sorce wrote: > > Permit ipa-getkeytab to specify a list of enctypes you want in the > > keytab you are going to request. > > > > Fixes 430037 > ack pushed -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Thu Feb 7 18:04:00 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 07 Feb 2008 13:04:00 -0500 Subject: [Freeipa-devel] [PATCH] feedback during ipa-client-install Message-ID: <47AB4810.9010607@redhat.com> The client installer didn't tell you what it was doing. Add a few messages to show progress. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-635-install.patch Type: text/x-patch Size: 1711 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From pkrul at redhat.com Fri Feb 8 00:00:24 2008 From: pkrul at redhat.com (Pieter D.J. Krul) Date: Fri, 08 Feb 2008 01:00:24 +0100 Subject: [Freeipa-devel] [PATCH] Add service before enabling it in ipa-server-install Message-ID: <47AB9B98.8020109@redhat.com> Hi, ipa-server-install halts upon enabling a service because the service hasn't been added to chkconfig first, resulting in this error: Configuring ipa_kpasswd [1/3]: starting ipa_kpasswd [2/3]: configuring ipa_kpasswd to start on boot Unexpected error - see ipaserver-install.log for details: Command '/sbin/chkconfig --list ipa_kpasswd' returned non-zero exit status 1 This patch fixes this by doing 'chkconfig --add ' first, and "--del" upon uninstall, which are harmless to run IMHO. Cheers, Pieter -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-service-add-del.patch Type: text/x-patch Size: 1401 bytes Desc: not available URL: From rcritten at redhat.com Fri Feb 8 02:51:31 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 07 Feb 2008 21:51:31 -0500 Subject: [Freeipa-devel] [PATCH] Add service before enabling it in ipa-server-install In-Reply-To: <47AB9B98.8020109@redhat.com> References: <47AB9B98.8020109@redhat.com> Message-ID: <47ABC3B3.2070605@redhat.com> Pieter D.J. Krul wrote: > Hi, > > ipa-server-install halts upon enabling a service because the service > hasn't been added to chkconfig first, resulting in this error: > > Configuring ipa_kpasswd > [1/3]: starting ipa_kpasswd > [2/3]: configuring ipa_kpasswd to start on boot > Unexpected error - see ipaserver-install.log for details: > Command '/sbin/chkconfig --list ipa_kpasswd' returned non-zero exit > status 1 > > This patch fixes this by doing 'chkconfig --add ' first, and > "--del" upon uninstall, which are harmless to run IMHO. > > Cheers, > > Pieter Did you install this from the source tree with: make install? Just curious. The patch looks ok, I just want to double-check that re-adding a service is indeed an ok thing to do. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Fri Feb 8 03:23:21 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 07 Feb 2008 22:23:21 -0500 Subject: [Freeipa-devel] resend: internationalization of kid templates In-Reply-To: <1201880004.4569.23.camel@localhost.localdomain> References: <1199353118.4420.17.camel@freeipa.example.com> <479F6391.3060102@redhat.com> <1201744037.4036.7.camel@freeipa.example.com> <47A228BD.7030603@redhat.com> <1201880004.4569.23.camel@localhost.localdomain> Message-ID: <47ABCB29.5020904@redhat.com> I imported the patch into a fresh tree and resolved a few merge issues, added some text and the tg-admin patch. This looks fine to me but wanted to run it past everyone one last time to make sure I didn't screw something up. Do we want to have i18n on by default or let admins turn it on as desired? Is there a downside to having it on by default? thanks rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-631-i18n.patch Type: text/x-patch Size: 45116 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From pkrul at redhat.com Fri Feb 8 08:28:39 2008 
From: pkrul at redhat.com (Pieter D.J. Krul)
Date: Fri, 08 Feb 2008 09:28:39 +0100
Subject: [Freeipa-devel] [PATCH] Add service before enabling it in ipa-server-install
In-Reply-To: <47ABC3B3.2070605@redhat.com>
References: <47AB9B98.8020109@redhat.com> <47ABC3B3.2070605@redhat.com>
Message-ID: <47AC12B7.6080501@redhat.com>

Rob Crittenden wrote:
> Pieter D.J. Krul wrote:
>> This patch fixes this by doing 'chkconfig --add ' first, and
>> "--del" upon uninstall, which are harmless to run IMHO.
>
> Did you install this from the source tree with: make install?

Yes, pulled it from hg, make install, ipa-server-install

> Just curious. The patch looks ok, I just want to double-check that
> re-adding a service is indeed an ok thing to do.

You can --add a service as often as you like; it will not be enabled by
default, and it only creates the kill symlinks if they don't exist yet.

- "chkconfig --list " will exit with 1 if no kill symlinks for the
  service exist in /etc/rc*

- "chkconfig --add " will only create the kill symlinks if they don't
  exist yet.

- "chkconfig on" will only create the start symlinks.

Pieter

From rcritten at redhat.com Fri Feb 8 14:16:09 2008
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 08 Feb 2008 09:16:09 -0500 Subject: [Freeipa-devel] [PATCH] Add service before enabling it in ipa-server-install In-Reply-To: <47AC12B7.6080501@redhat.com> References: <47AB9B98.8020109@redhat.com> <47ABC3B3.2070605@redhat.com> <47AC12B7.6080501@redhat.com> Message-ID: <47AC6429.3050804@redhat.com> Pieter D.J. Krul wrote: > Rob Crittenden wrote: >> Pieter D.J. Krul wrote: >>> This patch fixes this by doing 'chkconfig --add ' first, and >>> "--del" upon uninstall, which are harmless to run IMHO. >> >> Did you install this from the source tree with: make install? > > Yes, pulled it from hg, make install, ipa-server-install > >> Just curious. The patch looks ok, I just want to double-check that >> re-adding a service is indeed an ok thing to do. > > You can --add a service as often as you like, it will not be enabled by > default, and it only creates the kill symlinks if they don't exist yet. > > - "chkconfig --list " will exit with 1 if no kill symlinks for > the service exist in /etc/rc* > > - "chkconfig --add " will only create the kill symlinks if > they don't exist yet. > > - "chkconfig on" will only create the start symlinks. > Ok cool. I'll try to get this committed today. thanks rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From clalance at redhat.com Fri Feb 8 15:18:59 2008 
From: clalance at redhat.com (Chris Lalancette) Date: Fri, 08 Feb 2008 10:18:59 -0500 Subject: [Freeipa-devel] Documentation for running FreeIPA in a VirtualHost Message-ID: <47AC72E3.3070801@redhat.com> Hello, As promised to Simo and Rob yesterday, attached is a little bit of documentation for running FreeIPA in a VirtualHost container. It's not very complicated, but I figured it might be worthwhile to put up on the website for an easy HOWTO for people. I'm not actually subscribed to the list, so please make sure to CC me on replies. Thanks, Chris Lalancette -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-vhost.txt URL: From daobrien at redhat.com Fri Feb 8 15:42:41 2008 
From: daobrien at redhat.com (David O'Brien)
Date: Sat, 09 Feb 2008 01:42:41 +1000
Subject: [Freeipa-devel] Documentation for running FreeIPA in a VirtualHost
In-Reply-To: <47AC72E3.3070801@redhat.com>
References: <47AC72E3.3070801@redhat.com>
Message-ID: <47AC7871.1090004@redhat.com>

Chris Lalancette wrote:
> Hello,
> As promised to Simo and Rob yesterday, attached is a little bit of
> documentation for running FreeIPA in a VirtualHost container. It's not very
> complicated, but I figured it might be worthwhile to put up on the website for
> an easy HOWTO for people. I'm not actually subscribed to the list, so please
> make sure to CC me on replies.
>
> Thanks,
> Chris Lalancette
>
> ------------------------------------------------------------------------
>
> This document explains how to set up FreeIPA so that it can run on a
> different port, instead of port 80. This is useful, for instance, if you
> want to run a standard apache instance on your normal port 80 but want to run
> FreeIPA on a secondary port (like port 8089). There is a caveat with this;
> as of now, I haven't figured out how to make sure it is going over SSL. That
> means that all requests will go over standard HTTP. Assuming you already have
> FreeIPA up and running properly on port 80, the steps to move it to a
> different port:
>
> 1) Log in as the root user
>
> 2) Edit /etc/httpd/conf.d/ipa.conf. You'll want to add three lines at the top:
>
> Listen 8089
> NameVirtualHost *:8089
>
> and one line at the very bottom:
>
> This basically wraps the entire FreeIPA configuration in a VirtualHost, and
> makes sure that Apache is listening to that port. Note that you *cannot*
> use port 8080, since that is the port the ipa-webgui is listening on.
>
> 3) Edit /etc/httpd/conf.d/ipa.conf. You'll need to comment out a couple of
> the rewrite rules. Basically take all of these lines:
>
> ----------------------------------------------------------------------
> # Redirect to the fully-qualified hostname. Not redirecting to secure
> # port so configuration files can be retrieved without requiring SSL.
> RewriteCond %{HTTP_HOST} !^host.foo.com$ [NC]
> RewriteRule ^/(.*) http://host.foo.com/$1 [L,R=301]
>
> # Redirect to the secure port if not displaying an error or retrieving
> # configuration.
> RewriteCond %{SERVER_PORT} !^443$
> RewriteCond %{REQUEST_URI} !^/(errors|config|favicon.ico)
> RewriteRule ^/(.*) https://host.foo.com/$1 [L,R=301,NC]
> ---------------------------------------------------------------------
>
> And comment them out.
>
> 4) # service httpd reload
>
> That should be it; FreeIPA should now be running on port 8089, and you can run
> your normal website on port 80.
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Chris,
Thanks a lot for doing this. I'll raise a bugzilla for me to add this to
freeipa.com and get to it soon.

cheers

-- 
David O'Brien
IPA Content Author

"We couldn't care less about comfort. We make you feel good."
Federico Minoli CEO Ducati Motor S.p.A.

From rcritten at redhat.com Fri Feb 8 16:12:27 2008
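The port-move HOWTO quoted above, checked mechanically: this is an added example, not code from the thread or from FreeIPA. It parses a constructed ipa.conf and reports the slips the HOWTO warns about (missing Listen/NameVirtualHost, the 8080 clash with ipa-webgui, a hostname redirect that still bounces clients to port 80) together with the HOWTO's own caveat that, with the https redirect commented out, the port serves plain HTTP. The VirtualHost open/close tags in the sample are assumed, since the archive dropped them; only the rewrite rules are quoted from the HOWTO.

```python
"""Checker for an ipa.conf moved to a non-default port (added example)."""
import re

# Port that ipa-webgui listens on, per the HOWTO ("you *cannot* use port 8080").
IPA_WEBGUI_PORT = 8080

# Constructed sample of /etc/httpd/conf.d/ipa.conf after steps 2 and 3 of the
# HOWTO: Listen/NameVirtualHost added at the top, the file wrapped in a
# VirtualHost (tags assumed), both rewrite blocks commented out.
SAMPLE_CONF = """\
Listen 8089
NameVirtualHost *:8089
<VirtualHost *:8089>
# Redirect to the fully-qualified hostname. Not redirecting to secure
# port so configuration files can be retrieved without requiring SSL.
#RewriteCond %{HTTP_HOST} !^host.foo.com$ [NC]
#RewriteRule ^/(.*) http://host.foo.com/$1 [L,R=301]

# Redirect to the secure port if not displaying an error or retrieving
# configuration.
#RewriteCond %{SERVER_PORT} !^443$
#RewriteCond %{REQUEST_URI} !^/(errors|config|favicon.ico)
#RewriteRule ^/(.*) https://host.foo.com/$1 [L,R=301,NC]
</VirtualHost>
"""

LISTEN_RE = re.compile(r"^Listen\s+(?:\S+:)?(\d+)$")
NAME_VHOST_RE = re.compile(r"^NameVirtualHost\s+\S+?:(\d+)$")
VHOST_OPEN_RE = re.compile(r"^<VirtualHost\s+\S+?:(\d+)>$")


def active_lines(conf):
    """Yield the lines Apache would actually act on (no blanks, no comments)."""
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def check_vhost_conf(conf):
    """Return a list of findings (strings) for a port-moved ipa.conf.

    An otherwise correct configuration still yields one finding: the
    plain-HTTP warning, because the HOWTO disables the https redirect.
    """
    listen, name_vhost, vhosts = set(), set(), set()
    opens = closes = 0
    http_redirect = https_redirect = False
    for line in active_lines(conf):
        m = LISTEN_RE.match(line)
        if m:
            listen.add(int(m.group(1)))
            continue
        m = NAME_VHOST_RE.match(line)
        if m:
            name_vhost.add(int(m.group(1)))
            continue
        m = VHOST_OPEN_RE.match(line)
        if m:
            vhosts.add(int(m.group(1)))
            opens += 1
            continue
        if line == "</VirtualHost>":
            closes += 1
        elif line.startswith("RewriteRule"):
            # An active RewriteRule to https:// is the secure-port redirect;
            # one to http:// is the hostname redirect back to port 80.
            if "https://" in line:
                https_redirect = True
            elif "http://" in line:
                http_redirect = True

    findings = []
    if opens != closes:
        findings.append("unbalanced VirtualHost tags (%d open, %d close)" % (opens, closes))
    if not vhosts:
        findings.append("no <VirtualHost *:PORT> block found")
    for port in sorted(vhosts):
        if port not in listen:
            findings.append("no Listen directive for port %d" % port)
        if port not in name_vhost:
            findings.append("no NameVirtualHost directive for port %d" % port)
    if IPA_WEBGUI_PORT in (vhosts | listen):
        findings.append("port %d conflicts with ipa-webgui" % IPA_WEBGUI_PORT)
    if http_redirect:
        findings.append("hostname redirect still active: it would send clients back to port 80")
    if not https_redirect:
        findings.append("https redirect disabled: requests to this port are plain HTTP")
    return findings


if __name__ == "__main__":
    for finding in check_vhost_conf(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```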
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 08 Feb 2008 11:12:27 -0500 Subject: [Freeipa-devel] [PATCH] SELinux policies for ipa_kpasswd and ipa_webgui Message-ID: <47AC7F6B.5010403@redhat.com> This patch was originally done by Karl MacMillan. I just updated it to the current state of the world. Many thanks to Dan Walsh for assisting in fixing some issues. It adds an SELinux policy for ipa_kpasswd and ipa_webgui so we don't have to run them unconfined. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-629-selinux.patch Type: text/x-patch Size: 17414 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From email.marc at gmail.com Fri Feb 8 17:47:06 2008 
From: email.marc at gmail.com (Marc Richards)
Date: Fri, 08 Feb 2008 12:47:06 -0500
Subject: [Freeipa-devel] Windows Interop/Samba Integration
Message-ID: <47AC959A.9040304@gmail.com>

What is the plan for Windows Interop and Samba integration in FreeIPA,
particularly as it relates to people who don't have Active Directory? I
noticed that the 1.0 Requirements doc specifies the following:

"[Req11.2] IPA clients: The windows client will rely on the IPA server
for account information and Authentication services. The IPA server will
act as an NT4 style domain controller. Only NTLM authentication will be
supported in this release, no Kerberos" [1]

But I can't find anything in the docs that indicates how to achieve that
setup. At the end of that same document I find the following seemingly
contradictory statement: "The IPA product will not be able to provide
authentication services for Windows file and print services"

I can't find much else in the 1.2 or 2.0 Requirements docs either.

So what is the current plan for 1.0, 1.2 and 2.0? Simply providing a
how-to for using IPA as a backend for Samba? Or will there be more than
that? I was really hoping that IPA was going to take away all the pain
of setting up central authentication for a small office with a mix of
Windows, OS X and Linux clients. I definitely don't want to have to
deal with (or pay for) Active Directory/Server 2003.

Marc

[1] http://www.freeipa.org/page/V1PRD#.5BReq11.5D_Windows_interop

P.S. Please CC me in your replies. Thanks.

From ssorce at redhat.com Fri Feb 8 17:57:20 2008
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 08 Feb 2008 12:57:20 -0500 Subject: [Freeipa-devel] Windows Interop/Samba Integration In-Reply-To: <47AC959A.9040304@gmail.com> References: <47AC959A.9040304@gmail.com> Message-ID: <1202493440.12372.8.camel@localhost.localdomain> On Fri, 2008-02-08 at 12:47 -0500, Marc Richards wrote: > What is the plan for Windows Interop and Samba integration in FreeIPA, > particularly as it relates to people who don't have Active Directory. I > noticed that the 1.0 Requirements doc specifies the following: > > "[Req11.2] IPA clients: The windows client will rely on the IPA server > for account information and Authentication services. The IPA server will > act as an NT4 style domain controller. Only NTLM authentication will be > supported in this release, no Kerberos" [1] We had to drop this requirement for v1.0 We are evaluating various solutions involving either samba3 or samba4 for following versions, but have still not settled on a definitive choice. > But I can't find anything in the docs that indicates how to achieve that > setup. At the end of that same document I find the following seemingly > contradictory statement: "The IPA product will not be able to provide > authentication services for Windows file and print services" > > I can't find much else in the 1.2 or 2.0 Requirements docs either. > > So what is the current plan for 1.0, 1.2 and 2.0? Simply providing a > how-to for using IPA as a backend for Samba? Or will there be more than > that? I was really hoping that IPA was going to take away all the pain > of setting up central authentication for a small office with a mix of > Windows, OS X and Linux clients. I definitely don't want to have to > deal with (or pay for) Active Directory/Server 2003. 
OS X can use IPA as is, apparently. For Windows the problem is the tight
integration this client has with AD, esp. when it comes to auth vs. third
servers; this client limitation is the real problem, and we are deciding how
to tackle it.

> Marc
>
> [1] http://www.freeipa.org/page/V1PRD#.5BReq11.5D_Windows_interop
>
> P.S. Please CC me in your replies. Thanks.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From email.marc at gmail.com Fri Feb 8 19:19:07 2008
From: email.marc at gmail.com (Marc Richards)
Date: Fri, 08 Feb 2008 14:19:07 -0500
Subject: [Freeipa-devel] Windows Interop/Samba Integration
In-Reply-To: <1202493440.12372.8.camel@localhost.localdomain>
References: <47AC959A.9040304@gmail.com> <1202493440.12372.8.camel@localhost.localdomain>
Message-ID: <47ACAB2B.9030605@gmail.com>

Simo Sorce wrote:
> On Fri, 2008-02-08 at 12:47 -0500, Marc Richards wrote:
>
>> What is the plan for Windows Interop and Samba integration in FreeIPA,
>> particularly as it relates to people who don't have Active Directory. I
>> noticed that the 1.0 Requirements doc specifies the following:
>>
>> "[Req11.2] IPA clients: The windows client will rely on the IPA server
>> for account information and Authentication services. The IPA server will
>> act as an NT4 style domain controller. Only NTLM authentication will be
>> supported in this release, no Kerberos" [1]
>>
>
> We had to drop this requirement for v1.0
> We are evaluating various solutions involving either samba3 or samba4
> for following versions, but have still not settled on a definitive
> choice.
>

Thanks for the prompt response. Any chance of some kind of wiki
document for manually achieving this kind of setup with 1.0? Seems to
me like there might be a number of people interested in the use case. Is
it much more than setting up Samba as an NT4 style domain controller and
using freeIPA as the backend? Could I then tell a Samba-based file
server hosted on another box to use the users and groups from the
"freeIPA Samba server"?

If you don't have time to document it on the wiki some links to point in
the right direction would be appreciated.

Marc

From rcritten at redhat.com Fri Feb 8 20:13:03 2008
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 08 Feb 2008 15:13:03 -0500 Subject: [Freeipa-devel] [PATCH] ipa-replica-prepare fixes Message-ID: <47ACB7CF.8050803@redhat.com> I missed a spot to translate the realm name into a DS instance name. Add a case for SystemExit so we don't print a stack trace with python 2.4. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-636-replica.patch Type: text/x-patch Size: 1182 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Fri Feb 8 20:17:52 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 08 Feb 2008 15:17:52 -0500 Subject: [Freeipa-devel] [PATCH] Add service before enabling it in ipa-server-install In-Reply-To: <47AB9B98.8020109@redhat.com> References: <47AB9B98.8020109@redhat.com> Message-ID: <47ACB8F0.6000800@redhat.com> Pieter D.J. Krul wrote: > Hi, > > ipa-server-install halts upon enabling a service because the service > hasn't been added to chkconfig first, resulting in this error: > > Configuring ipa_kpasswd > [1/3]: starting ipa_kpasswd > [2/3]: configuring ipa_kpasswd to start on boot > Unexpected error - see ipaserver-install.log for details: > Command '/sbin/chkconfig --list ipa_kpasswd' returned non-zero exit > status 1 > > This patch fixes this by doing 'chkconfig --add ' first, and > "--del" upon uninstall, which are harmless to run IMHO. > > Cheers, > Pushed. Thanks for the contribution. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Fri Feb 8 20:38:51 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 08 Feb 2008 15:38:51 -0500 Subject: [Freeipa-devel] [PATCH] ipa-replica-prepare fixes In-Reply-To: <47ACB7CF.8050803@redhat.com> References: <47ACB7CF.8050803@redhat.com> Message-ID: <1202503131.12372.42.camel@localhost.localdomain> On Fri, 2008-02-08 at 15:13 -0500, Rob Crittenden wrote: > I missed a spot to translate the realm name into a DS instance name. > > Add a case for SystemExit so we don't print a stack trace with python > 2.4. ack -- Simo Sorce * Red Hat, Inc * New York From email.ahmedkamal at googlemail.com Fri Feb 8 20:53:23 2008 
From: email.ahmedkamal at googlemail.com (Ahmed Kamal)
Date: Fri, 8 Feb 2008 22:53:23 +0200
Subject: [Freeipa-devel] Windows Interop/Samba Integration
In-Reply-To: <47ACAB2B.9030605@gmail.com>
References: <47AC959A.9040304@gmail.com> <1202493440.12372.8.camel@localhost.localdomain> <47ACAB2B.9030605@gmail.com>
Message-ID: <3da3b5b40802081253v2fb9d855id75d39f3e1ed99a9@mail.gmail.com>

Unfortunately Windows is a part of any reasonably sized network, even small
ones. Being as dumb as it is, it doesn't wanna talk to anything except their
own Active Directory.

Not sure whether this might be a viable option, but did anyone test pGina?
In short, it's like PAM for Windows, with many plugins to handle different
sources of authentication. If we couple that with some kind of on-server
user profiles automounting, we have some sort of domain for windows. I'm not
sure though, if Windows can recognize all domain users/groups, as the way I
understand pGina works, is by creating a local user after authenticating
them over the network.

It's ugly, but I thought I would mention it too.
Of course the king would be samba4 ... waiting ....

On Feb 8, 2008 9:19 PM, Marc Richards wrote:
> Simo Sorce wrote:
> > On Fri, 2008-02-08 at 12:47 -0500, Marc Richards wrote:
> >
> >> What is the plan for Windows Interop and Samba integration in FreeIPA,
> >> particularly as it relates to people who don't have Active Directory. I
> >> noticed that the 1.0 Requirements doc specifies the following:
> >>
> >> "[Req11.2] IPA clients: The windows client will rely on the IPA server
> >> for account information and Authentication services. The IPA server will
> >> act as an NT4 style domain controller. Only NTLM authentication will be
> >> supported in this release, no Kerberos" [1]
> >>
> >
> > We had to drop this requirement for v1.0
> > We are evaluating various solutions involving either samba3 or samba4
> > for following versions, but have still not settled on a definitive
> > choice.
> >
>
> Thanks for the prompt response. Any chance of some kind of wiki
> document for manually achieving this kind of setup with 1.0? Seems to
> me like there might be a number of people interested in the use case. Is
> it much more than setting up Samba as an NT4 style domain controller and
> using freeIPA as the backend? Could I then tell a Samba-based file
> server hosted on another box to use the users and groups from the
> "freeIPA Samba server"?
>
> If you don't have time to document it on the wiki some links to point in
> the right direction would be appreciated.
>
>
> Marc
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From chorn at fluxcoil.net Fri Feb 8 21:59:35 2008
From: chorn at fluxcoil.net (Christian Horn)
Date: Fri, 8 Feb 2008 22:59:35 +0100
Subject: [Freeipa-devel] Windows Interop/Samba Integration
In-Reply-To: <3da3b5b40802081253v2fb9d855id75d39f3e1ed99a9@mail.gmail.com>
References: <47AC959A.9040304@gmail.com> <1202493440.12372.8.camel@localhost.localdomain> <47ACAB2B.9030605@gmail.com> <3da3b5b40802081253v2fb9d855id75d39f3e1ed99a9@mail.gmail.com>
Message-ID: <20080208215935.GA31781@fluxcoil.net>

On Fri, Feb 08, 2008 at 10:53:23PM +0200, Ahmed Kamal wrote:
> Unfortunately Windows is a part of any reasonably sized network, even small
> ones. Being as dumb as it is, it doesn't wanna talk to anything except their
> own Active Directory.

I tested a setup with cross-realm communication between an AD domain and
a MIT Kerberos realm; it could be quite a solution for integrating
unix/windows authentication/authorization.
At least when your company is heavy enough, Microsoft also seems to
support this setup; at least that's my impression from some Kerberos
mailing lists.

Christian

From rcritten at redhat.com Fri Feb 8 21:50:37 2008
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 08 Feb 2008 16:50:37 -0500 Subject: [Freeipa-devel] [PATCH] ipa-replica-prepare fixes In-Reply-To: <1202503131.12372.42.camel@localhost.localdomain> References: <47ACB7CF.8050803@redhat.com> <1202503131.12372.42.camel@localhost.localdomain> Message-ID: <47ACCEAD.8040904@redhat.com> Simo Sorce wrote: > On Fri, 2008-02-08 at 15:13 -0500, Rob Crittenden wrote: >> I missed a spot to translate the realm name into a DS instance name. >> >> Add a case for SystemExit so we don't print a stack trace with python >> 2.4. > > ack > pushed -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Fri Feb 8 22:36:19 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 08 Feb 2008 17:36:19 -0500 Subject: [Freeipa-devel] [PATCH] fix backtrace when group add fails for a new user Message-ID: <47ACD963.404@redhat.com> When adding a new user in the UI you have the option to set the groups for that user. If an error occurs adding the user to any of the groups the user will still be created but then you will be redirected to the edit page in order to fix the group add failure. The problem was that the edit user page supports multi-valued attributes for some things (phone numbers mostly). We weren't initializing these values so it was throwing a Nonetype is not iterable. So I generalized the way we create those extra dict entries. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-639-usernew.patch Type: text/x-patch Size: 5561 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From t.sailer at alumni.ethz.ch Sun Feb 10 19:46:29 2008 
From: t.sailer at alumni.ethz.ch (Thomas Sailer)
Date: Sun, 10 Feb 2008 20:46:29 +0100
Subject: [Freeipa-devel] freeipa and samba
In-Reply-To: <1202329514.8976.124.camel@localhost.localdomain>
References: <1202264393.3914.31.camel@unreal.localdomain> <1202329514.8976.124.camel@localhost.localdomain>
Message-ID: <1202672789.6603.24.camel@unreal.localdomain>

On Wed, 2008-02-06 at 15:25 -0500, Simo Sorce wrote:

> Yes, in IPA v1.0 the concept of machine accounts still does not exist.
> For samba anyway, machine accounts are just user accounts and must be
> available via nss calls, so to all effects what you need for now is just
> regular user accounts named after the machine name.

Well, machines normally live under ou=Computers, not ou=People. I think
I'll stay with smbldap-tools, until IPA has the machine account concept.

> No they are more advanced tools to tweak an installation, you shouldn't
> need to use them for day to day operations though.

True wrt. the configuration dialogs, but the user/group editing GUI does
not seem to be usable for IPA, as it isn't able to add sambaSam and krb
stuff.

I have some problems with accessing the IPA gui. It works with curl, but
I couldn't get either firefox on F8 or IE and firefox on XP to access
the gui. They seem to do SPNEGO, but the ticket does not seem to be
delegatable. What exact browser / krb5 library versions are you using on
the client?

Tom

From taruishi at redhat.com Mon Feb 11 07:21:28 2008
From: taruishi at redhat.com (Masato Taruishi)
Date: Mon, 11 Feb 2008 16:21:28 +0900
Subject: [Freeipa-devel] resend: internationalization of kid templates
In-Reply-To: <47ABCB29.5020904@redhat.com>
References: <1199353118.4420.17.camel@freeipa.example.com> <479F6391.3060102@redhat.com> <1201744037.4036.7.camel@freeipa.example.com> <47A228BD.7030603@redhat.com> <1201880004.4569.23.camel@localhost.localdomain> <47ABCB29.5020904@redhat.com>
Message-ID: <1202714488.4464.19.camel@freeipa.example.com>

> I imported the patch into a fresh tree and resolved a few merge issues,
> added some text and the tg-admin patch.

Thanks!

> This looks fine to me but wanted to run it past everyone one last time
> to make sure I didn't screw something up.
>
> Do we want to have i18n on by default or let admins turn it on as desired?
>
> Is there a downside to having it on by default?

IMHO, having i18n on is a good choice for modern applications. Having
i18n on adds one filter which calls gettext, which may affect its
performance, but I guess you need not be afraid of the overhead because
its downside would be very limited.

Thanks

> thanks
>
> rob

From ssorce at redhat.com Mon Feb 11 18:05:00 2008
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 11 Feb 2008 13:05:00 -0500 Subject: [Freeipa-devel] Windows Interop/Samba Integration In-Reply-To: <3da3b5b40802081253v2fb9d855id75d39f3e1ed99a9@mail.gmail.com> References: <47AC959A.9040304@gmail.com> <1202493440.12372.8.camel@localhost.localdomain> <47ACAB2B.9030605@gmail.com> <3da3b5b40802081253v2fb9d855id75d39f3e1ed99a9@mail.gmail.com> Message-ID: <1202753100.5239.16.camel@localhost.localdomain> On Fri, 2008-02-08 at 22:53 +0200, Ahmed Kamal wrote: > Unfortunately Windows is a part of any reasonably sized network, even > small ones. Being as dumb as it is, it doesn't wanna talk to anything > except their own Active Directory. This is true. > Not sure whether this might be a viable options, but did anyone test > pGina. In short, it's like PAM for Windows, with many plugins to > handle different sources of authentication. If we couple that with > some kind of on-server user profiles automounting, we have some sort > of domain for windows. I'm not sure though, if Windows can recognize > all domain users/groups, as the way I understand pGina works, is by > creating a local user after authenticating them over the network. This is how Novell stuff was built to work. The problem being you don't really want to write code for Windows unless you have some assurance it will not be broken at the next Service Pack release. Although an MS-Gina plugin (and its successor as IIRC Vista has something different), may be evaluated at some point. > It's ugly, but I thought I would mention it too. > Of course the king would be samba4 ... waiting .... I think samba4 will be a better solution for integration, indeed. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Feb 11 18:05:26 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 11 Feb 2008 13:05:26 -0500 Subject: [Freeipa-devel] [PATCH] fix backtrace when group add fails for a new user In-Reply-To: <47ACD963.404@redhat.com> References: <47ACD963.404@redhat.com> Message-ID: <1202753126.5239.18.camel@localhost.localdomain> On Fri, 2008-02-08 at 17:36 -0500, Rob Crittenden wrote: > So I generalized the way we create those extra dict entries. Ack. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Feb 11 18:11:01 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 11 Feb 2008 13:11:01 -0500 Subject: [Freeipa-devel] freeipa and samba In-Reply-To: <1202672789.6603.24.camel@unreal.localdomain> References: <1202264393.3914.31.camel@unreal.localdomain> <1202329514.8976.124.camel@localhost.localdomain> <1202672789.6603.24.camel@unreal.localdomain> Message-ID: <1202753461.5239.25.camel@localhost.localdomain> On Sun, 2008-02-10 at 20:46 +0100, Thomas Sailer wrote: > On Wed, 2008-02-06 at 15:25 -0500, Simo Sorce wrote: > > > Yes, in IPA v1.0 the concept of machine accounts still do not exist. > > For samba anyway, machine accounts are just user accounts and must be > > available via nss calls, so at all effects what you need for now is just > > regular user accounts named after the machine name. > > Well, machines normally live under ou=Computers, not ou=People. I think > I'll stay with smbldap-tools, until IPA has the machine account concept. In IPA we already have the cn=Computers container, and for users we have CN=Users. It's just that we do not have any tool to populate the cn=Computers container yet. > > No they are more advanced tools to tweak an installation, you shouldn't > > need to use them for day to day operations though. > > True wrt. the configuration dialogs, but the user/group editing GUI does > not seem to be usable for IPA, as it isn't able to add sambaSam and krb > stuff. Yes, to manage users you should use the IPA WebUI or CLI tools. > I have some problems with accessing the IPA gui. It works with curl, but > I couldn't get neither firefox on F8, nor IE and firefox on XP to access > the gui. They seem to do SPNEGO, but the ticket does not seem to be > delegatable. What exact browser / krb5 library versions are you using on > the client? It should work fine with Firefox on any Fedora/RedHat box (and probably, but not tested just any other recent Linux distro). 
When you connect to the server, if Firefox is not correctly configured, you should be presented with a page that will configure Firefox for you if you allow it to mess with your browser configuration (security warning dialogs and all).

To make it work you need anyway to kinit admin@REALM on the client before pointing Firefox at the Web UI or using the CLI tools.

Can you provide the error you get with Firefox?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Mon Feb 11 19:14:56 2008
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 11 Feb 2008 11:14:56 -0800 Subject: [Freeipa-devel] freeipa and samba In-Reply-To: <1202753461.5239.25.camel@localhost.localdomain> References: <1202264393.3914.31.camel@unreal.localdomain> <1202329514.8976.124.camel@localhost.localdomain> <1202672789.6603.24.camel@unreal.localdomain> <1202753461.5239.25.camel@localhost.localdomain> Message-ID: <47B09EB0.6030206@redhat.com> Simo Sorce wrote: > On Sun, 2008-02-10 at 20:46 +0100, Thomas Sailer wrote: >> On Wed, 2008-02-06 at 15:25 -0500, Simo Sorce wrote: >> >>> Yes, in IPA v1.0 the concept of machine accounts still do not exist. >>> For samba anyway, machine accounts are just user accounts and must be >>> available via nss calls, so at all effects what you need for now is just >>> regular user accounts named after the machine name. >> Well, machines normally live under ou=Computers, not ou=People. I think >> I'll stay with smbldap-tools, until IPA has the machine account concept. > > In IPA we already have the cn=Computers container, and for users we have > CN=Users. It's just that we do not have any tool to populate the > cn=Computers container yet. > >>> No they are more advanced tools to tweak an installation, you shouldn't >>> need to use them for day to day operations though. >> True wrt. the configuration dialogs, but the user/group editing GUI does >> not seem to be usable for IPA, as it isn't able to add sambaSam and krb >> stuff. > > Yes, to manage users you should use the IPA WebUI or CLI tools. > >> I have some problems with accessing the IPA gui. It works with curl, but >> I couldn't get neither firefox on F8, nor IE and firefox on XP to access >> the gui. They seem to do SPNEGO, but the ticket does not seem to be >> delegatable. What exact browser / krb5 library versions are you using on >> the client? > > It should work fine with Firefox on any Fedora/RedHat box (and probably, > but not tested just any other recent Linux distro). 
> > When you connect to the server, if Firefox is not correctly configured, > you should be presented with a page that will configure Firefox for you > if you allow it to mess with your browser configuration (security > warning dialogs and all). > > To make it work you need anyway to kinit admin at REALM on the client > before pointing Firefox at the Web UI or using the CLI tools. > > Can you provide the error you get with Firefox ? > > Simo. > And on Fedora 8 you need krb5-* >= 1.6.2-11 rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Mon Feb 11 19:24:11 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 11 Feb 2008 14:24:11 -0500 Subject: [Freeipa-devel] freeipa and samba In-Reply-To: <47B09EB0.6030206@redhat.com> References: <1202264393.3914.31.camel@unreal.localdomain> <1202329514.8976.124.camel@localhost.localdomain> <1202672789.6603.24.camel@unreal.localdomain> <1202753461.5239.25.camel@localhost.localdomain> <47B09EB0.6030206@redhat.com> Message-ID: <1202757851.5239.39.camel@localhost.localdomain> On Mon, 2008-02-11 at 11:14 -0800, Rob Crittenden wrote: > Simo Sorce wrote: > > On Sun, 2008-02-10 at 20:46 +0100, Thomas Sailer wrote: > >> On Wed, 2008-02-06 at 15:25 -0500, Simo Sorce wrote: > >> > >>> Yes, in IPA v1.0 the concept of machine accounts still do not exist. > >>> For samba anyway, machine accounts are just user accounts and must be > >>> available via nss calls, so at all effects what you need for now is just > >>> regular user accounts named after the machine name. > >> Well, machines normally live under ou=Computers, not ou=People. I think > >> I'll stay with smbldap-tools, until IPA has the machine account concept. > > > > In IPA we already have the cn=Computers container, and for users we have > > CN=Users. It's just that we do not have any tool to populate the > > cn=Computers container yet. > > > >>> No they are more advanced tools to tweak an installation, you shouldn't > >>> need to use them for day to day operations though. > >> True wrt. the configuration dialogs, but the user/group editing GUI does > >> not seem to be usable for IPA, as it isn't able to add sambaSam and krb > >> stuff. > > > > Yes, to manage users you should use the IPA WebUI or CLI tools. > > > >> I have some problems with accessing the IPA gui. It works with curl, but > >> I couldn't get neither firefox on F8, nor IE and firefox on XP to access > >> the gui. They seem to do SPNEGO, but the ticket does not seem to be > >> delegatable. What exact browser / krb5 library versions are you using on > >> the client? 
> > > > It should work fine with Firefox on any Fedora/RedHat box (and probably, > > but not tested just any other recent Linux distro). > > > > When you connect to the server, if Firefox is not correctly configured, > > you should be presented with a page that will configure Firefox for you > > if you allow it to mess with your browser configuration (security > > warning dialogs and all). > > > > To make it work you need anyway to kinit admin at REALM on the client > > before pointing Firefox at the Web UI or using the CLI tools. > > > > Can you provide the error you get with Firefox ? > > > > Simo. > > > > And on Fedora 8 you need krb5-* >= 1.6.2-11 Oh right! This package is still sleeping on the testing queue unfortunately, I am pushing to have it pushed to stable asap. To install it just do: yum install --enablerepo=updates-testing krb5-server This should bring in all the dependencies as well. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Mon Feb 11 19:46:00 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 11 Feb 2008 11:46:00 -0800 Subject: [Freeipa-devel] [PATCH] fix backtrace when group add fails for a new user In-Reply-To: <1202753126.5239.18.camel@localhost.localdomain> References: <47ACD963.404@redhat.com> <1202753126.5239.18.camel@localhost.localdomain> Message-ID: <47B0A5F8.9050509@redhat.com> Simo Sorce wrote: > On Fri, 2008-02-08 at 17:36 -0500, Rob Crittenden wrote: >> So I generalized the way we create those extra dict entries. > > Ack. > pushed -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Mon Feb 11 19:54:28 2008 
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 Feb 2008 11:54:28 -0800
Subject: [Freeipa-devel] Use explode_dn instead of str2dn
Message-ID: <47B0A7F4.6020306@redhat.com>

So we can support python-ldap 2.2.0, switch to use explode_dn instead of str2dn. str2dn was introduced in python-ldap 2.3.0.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-637-ldap.patch
Type: text/x-patch
Size: 1190 bytes
Desc: not available
URL: 

From ssorce at redhat.com Mon Feb 11 20:02:31 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 11 Feb 2008 15:02:31 -0500
Subject: [Freeipa-devel] Use explode_dn instead of str2dn
In-Reply-To: <47B0A7F4.6020306@redhat.com>
References: <47B0A7F4.6020306@redhat.com>
Message-ID: <1202760151.5239.42.camel@localhost.localdomain>

On Mon, 2008-02-11 at 11:54 -0800, Rob Crittenden wrote:
> So we can support python-ldap 2.2.0 switch to use explode_dn instead
> of
> str2dn. str2dn was introduced in python-ldap 2.3.0.

Ack.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Tue Feb 12 00:28:58 2008
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 11 Feb 2008 16:28:58 -0800 Subject: [Freeipa-devel] [PATCH] better exception handling, allow 1-character fields Message-ID: <47B0E84A.2040405@redhat.com> Fix bug that prevented single-character fields Fix bug in exception handling where we were sending the wrong thing as detail. Basically we were catching an LDAP error, generating an IPAError from it, catching that, then setting the detail of the 2nd exception to another IPAError rather than the root exception. This caused anything looking at e.detail to crap out rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-638-exception.patch Type: text/x-patch Size: 3894 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Tue Feb 12 00:33:29 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 11 Feb 2008 16:33:29 -0800 Subject: [Freeipa-devel] Use explode_dn instead of str2dn In-Reply-To: <1202760151.5239.42.camel@localhost.localdomain> References: <47B0A7F4.6020306@redhat.com> <1202760151.5239.42.camel@localhost.localdomain> Message-ID: <47B0E959.7070206@redhat.com> Simo Sorce wrote: > On Mon, 2008-02-11 at 11:54 -0800, Rob Crittenden wrote: >> So we can support python-ldap 2.2.0 switch to use explode_dn instead >> of >> str2dn. str2dn was introduced in python-ldap 2.3.0. > > Ack. > pushed -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From daobrien at redhat.com Tue Feb 12 00:38:56 2008 
From: daobrien at redhat.com (David O'Brien) Date: Tue, 12 Feb 2008 10:38:56 +1000 Subject: [Freeipa-devel] freeipa and samba In-Reply-To: <1202757851.5239.39.camel@localhost.localdomain> References: <1202264393.3914.31.camel@unreal.localdomain> <1202329514.8976.124.camel@localhost.localdomain> <1202672789.6603.24.camel@unreal.localdomain> <1202753461.5239.25.camel@localhost.localdomain> <47B09EB0.6030206@redhat.com> <1202757851.5239.39.camel@localhost.localdomain> Message-ID: <47B0EAA0.90406@redhat.com> Simo Sorce wrote: > On Mon, 2008-02-11 at 11:14 -0800, Rob Crittenden wrote: > >> Simo Sorce wrote: >> >>> On Sun, 2008-02-10 at 20:46 +0100, Thomas Sailer wrote: >>> >>>> On Wed, 2008-02-06 at 15:25 -0500, Simo Sorce wrote: >>>> >>>> >>>>> Yes, in IPA v1.0 the concept of machine accounts still do not exist. >>>>> For samba anyway, machine accounts are just user accounts and must be >>>>> available via nss calls, so at all effects what you need for now is just >>>>> regular user accounts named after the machine name. >>>>> >>>> Well, machines normally live under ou=Computers, not ou=People. I think >>>> I'll stay with smbldap-tools, until IPA has the machine account concept. >>>> >>> In IPA we already have the cn=Computers container, and for users we have >>> CN=Users. It's just that we do not have any tool to populate the >>> cn=Computers container yet. >>> >>> >>>>> No they are more advanced tools to tweak an installation, you shouldn't >>>>> need to use them for day to day operations though. >>>>> >>>> True wrt. the configuration dialogs, but the user/group editing GUI does >>>> not seem to be usable for IPA, as it isn't able to add sambaSam and krb >>>> stuff. >>>> >>> Yes, to manage users you should use the IPA WebUI or CLI tools. >>> >>> >>>> I have some problems with accessing the IPA gui. It works with curl, but >>>> I couldn't get neither firefox on F8, nor IE and firefox on XP to access >>>> the gui. 
They seem to do SPNEGO, but the ticket does not seem to be >>>> delegatable. What exact browser / krb5 library versions are you using on >>>> the client? >>>> >>> It should work fine with Firefox on any Fedora/RedHat box (and probably, >>> but not tested just any other recent Linux distro). >>> >>> When you connect to the server, if Firefox is not correctly configured, >>> you should be presented with a page that will configure Firefox for you >>> if you allow it to mess with your browser configuration (security >>> warning dialogs and all). >>> >>> To make it work you need anyway to kinit admin at REALM on the client >>> before pointing Firefox at the Web UI or using the CLI tools. >>> >>> Can you provide the error you get with Firefox ? >>> >>> Simo. >>> >>> >> And on Fedora 8 you need krb5-* >= 1.6.2-11 >> > > Oh right! > This package is still sleeping on the testing queue unfortunately, I am > pushing to have it pushed to stable asap. > > To install it just do: > > yum install --enablerepo=updates-testing krb5-server > > This should bring in all the dependencies as well. > > Simo. > > I added a note about this to the installation doc. -- David O'Brien IPA Content Author "We couldn't care less about comfort. We make you feel good." Federico Minoli CEO Ducati Motor S.p.A. From ssorce at redhat.com Tue Feb 12 01:13:02 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 11 Feb 2008 20:13:02 -0500 Subject: [Freeipa-devel] freeipa and samba In-Reply-To: <47B0EAA0.90406@redhat.com> References: <1202264393.3914.31.camel@unreal.localdomain> <1202329514.8976.124.camel@localhost.localdomain> <1202672789.6603.24.camel@unreal.localdomain> <1202753461.5239.25.camel@localhost.localdomain> <47B09EB0.6030206@redhat.com> <1202757851.5239.39.camel@localhost.localdomain> <47B0EAA0.90406@redhat.com> Message-ID: <1202778782.10617.8.camel@localhost.localdomain> On Tue, 2008-02-12 at 10:38 +1000, David O'Brien wrote: > > > I added a note about this to the installation doc. Make sure you monitor FC8 to know when to remove it (in a few days I guess). Simo. -- Simo Sorce * Red Hat, Inc * New York From daobrien at redhat.com Tue Feb 12 01:38:14 2008 From: daobrien at redhat.com (David O'Brien) Date: Tue, 12 Feb 2008 11:38:14 +1000 Subject: [Freeipa-devel] freeipa and samba In-Reply-To: <1202778782.10617.8.camel@localhost.localdomain> References: <1202264393.3914.31.camel@unreal.localdomain> <1202329514.8976.124.camel@localhost.localdomain> <1202672789.6603.24.camel@unreal.localdomain> <1202753461.5239.25.camel@localhost.localdomain> <47B09EB0.6030206@redhat.com> <1202757851.5239.39.camel@localhost.localdomain> <47B0EAA0.90406@redhat.com> <1202778782.10617.8.camel@localhost.localdomain> Message-ID: <47B0F886.30209@redhat.com> Simo Sorce wrote: > On Tue, 2008-02-12 at 10:38 +1000, David O'Brien wrote: > >>> >>> >> I added a note about this to the installation doc. >> > > Make sure you monitor FC8 to know when to remove it (in a few days I > guess). > > Simo. > > Yes, bearing that in mind. -- David O'Brien IPA Content Author "We couldn't care less about comfort. We make you feel good." Federico Minoli CEO Ducati Motor S.p.A. From sailer at sailer.dynip.lugs.ch Tue Feb 12 12:55:39 2008 
From: sailer at sailer.dynip.lugs.ch (Thomas Sailer)
Date: Tue, 12 Feb 2008 13:55:39 +0100
Subject: [Freeipa-devel] freeipa and samba
In-Reply-To: <1202753461.5239.25.camel@localhost.localdomain>
References: <1202264393.3914.31.camel@unreal.localdomain> <1202329514.8976.124.camel@localhost.localdomain> <1202672789.6603.24.camel@unreal.localdomain> <1202753461.5239.25.camel@localhost.localdomain>
Message-ID: <1202820939.4445.42.camel@xbox360.hq.axsem.com>

On Mon, 2008-02-11 at 13:11 -0500, Simo Sorce wrote:
> Can you provide the error you get with Firefox ?

Ok, on the server:
krb5-devel-1.6.3-4.fc8.jnx
krb5-server-1.6.3-4.fc8.jnx
krb5-server-ldap-1.6.3-4.fc8.jnx
krb5-workstation-1.6.3-4.fc8.jnx
krb5-libs-1.6.3-4.fc8.jnx

These are rebuilt from the source RPM from Rawhide.

# curl -u : --negotiate -k https://xxx.xxx.com/ipatest/
KRB5CCNAME: FILE:/tmp/krb5cc_apache_iHWoIo
HTTPS: on
GATEWAY_INTERFACE: CGI/1.1
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
QUERY_STRING:
REQUEST_URI: /ipatest/
SCRIPT_NAME: /ipatest/
HTTP_USER_AGENT: curl/7.17.1 (i686-redhat-linux-gnu) libcurl/7.17.1 NSS/3.11.7.1 zlib/1.2.3 libidn/0.6.14
HTTP_HOST: xxx.xxx.com
HTTP_ACCEPT: */*
PATH: /sbin:/usr/sbin:/bin:/usr/bin
SERVER_SIGNATURE:
Apache/2.2.6 (Fedora) Server at xxx.xxx.com Port 443

SERVER_SOFTWARE: Apache/2.2.6 (Fedora)
SERVER_NAME: xxx.xxx.com
SERVER_ADDR: 192.168.1.2
SERVER_PORT: 443
REMOTE_ADDR: 192.168.1.2
DOCUMENT_ROOT: /var/www/html
SERVER_ADMIN: root at localhost
SCRIPT_FILENAME: /usr/share/ipa/ipatest/
REMOTE_PORT: 59159
REMOTE_USER: admin at XXX.COM
AUTH_TYPE: Negotiate
KRB5CCNAME is FILE:/tmp/krb5cc_apache_iHWoIo
Sucessfully bound to LDAP using SASL mechanism GSSAPI
with firefox:
KRB5CCNAME: FILE:/tmp/krb5cc_apache_bpP78u
HTTPS: on
GATEWAY_INTERFACE: CGI/1.1
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
QUERY_STRING:
REQUEST_URI: /ipatest/
SCRIPT_NAME: /ipatest/
HTTP_HOST: xxx.xxx.com
HTTP_USER_AGENT: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10
HTTP_ACCEPT: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
HTTP_ACCEPT_LANGUAGE: en-us,en;q=0.5
HTTP_ACCEPT_ENCODING: gzip,deflate
HTTP_ACCEPT_CHARSET: ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_KEEP_ALIVE: 300
HTTP_CONNECTION: keep-alive
PATH: /sbin:/usr/sbin:/bin:/usr/bin
SERVER_SIGNATURE:
Apache/2.2.6 (Fedora) Server at xxx.xxx.com Port 443

SERVER_SOFTWARE: Apache/2.2.6 (Fedora)
SERVER_NAME: xxx.xxx.com
SERVER_ADDR: 192.168.1.2
SERVER_PORT: 443
REMOTE_ADDR: 192.168.1.2
DOCUMENT_ROOT: /var/www/html
SERVER_ADMIN: root at localhost
SCRIPT_FILENAME: /usr/share/ipa/ipatest/
REMOTE_PORT: 59165
REMOTE_USER: admin at XXX.COM
AUTH_TYPE: Negotiate
KRB5CCNAME is FILE:/tmp/krb5cc_apache_bpP78u
Error using SASL mechanism GSSAPI {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)', 'desc': 'Local error'}
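A small triage helper for the ipatest dump format shown above, added here as an example (it is not code from this thread or from FreeIPA). It parses the CGI variables, the ccache name and the final bind line, and reports which of the three stages (Negotiate auth at Apache, ccache creation, LDAP GSSAPI bind) stopped working; the two sample dumps are abridged, constructed copies of the curl and Firefox output above.

```python
"""Triage helper for the ipatest debug dumps quoted in this thread.

Added example, not code from the thread or from FreeIPA. The ipatest page
prints the CGI environment as 'NAME: value' lines, then the name of the
ccache Apache created from the delegated ticket, then the outcome of the
LDAP SASL/GSSAPI bind done with that ccache. This helper parses such a dump
and says at which of those three stages things stopped working.
"""
import re

BIND_OK = "bound to LDAP using SASL mechanism GSSAPI"
BIND_ERR = "Error using SASL mechanism GSSAPI"

# Abridged copies of the curl and Firefox dumps posted above (constructed
# from the thread; host and realm names are the placeholders used there).
CURL_DUMP = """\
KRB5CCNAME: FILE:/tmp/krb5cc_apache_iHWoIo
HTTPS: on
REQUEST_METHOD: GET
REQUEST_URI: /ipatest/
HTTP_USER_AGENT: curl/7.17.1 (i686-redhat-linux-gnu) libcurl/7.17.1
SERVER_SIGNATURE:
Apache/2.2.6 (Fedora) Server at xxx.xxx.com Port 443

REMOTE_USER: admin@XXX.COM
AUTH_TYPE: Negotiate
KRB5CCNAME is FILE:/tmp/krb5cc_apache_iHWoIo
Sucessfully bound to LDAP using SASL mechanism GSSAPI
"""

FIREFOX_DUMP = """\
KRB5CCNAME: FILE:/tmp/krb5cc_apache_bpP78u
HTTPS: on
REQUEST_METHOD: GET
REQUEST_URI: /ipatest/
HTTP_USER_AGENT: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Firefox/2.0.0.10
HTTP_KEEP_ALIVE: 300
REMOTE_USER: admin@XXX.COM
AUTH_TYPE: Negotiate
KRB5CCNAME is FILE:/tmp/krb5cc_apache_bpP78u
Error using SASL mechanism GSSAPI {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)', 'desc': 'Local error'}
"""


def parse_dump(text):
    """Split a dump into (env, trailer).

    env maps CGI variable names (all upper case, no spaces, so 'HTTP_HOST: x'
    is taken and 'KRB5CCNAME is FILE:...' is not) to their values; trailer
    keeps the other non-empty lines in order, the last being the bind result.
    """
    env, trailer = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, sep, value = line.partition(":")
        if sep and name.isupper() and " " not in name:
            env[name] = value.strip()
        else:
            trailer.append(line)
    return env, trailer


def triage(text):
    """Classify one dump: HTTP auth, ccache creation, and LDAP bind outcome."""
    env, trailer = parse_dump(text)
    verdict = {
        "http_auth": env.get("AUTH_TYPE") == "Negotiate" and bool(env.get("REMOTE_USER")),
        "principal": env.get("REMOTE_USER"),
        "ccache": env.get("KRB5CCNAME"),
        "bind_ok": None,        # None: no bind result line found
        "gss_error": None,
    }
    last = trailer[-1] if trailer else ""
    if BIND_OK in last:
        verdict["bind_ok"] = True
    elif BIND_ERR in last:
        verdict["bind_ok"] = False
        # The useful part is the parenthesised minor-status text that ends
        # the 'info' string, e.g. "(No credentials cache found)'".
        match = re.search(r"\(([^()]*)\)'", last)
        verdict["gss_error"] = match.group(1) if match else last
    return verdict


def explain(verdict):
    """One-line reading of a triage() result, from the outside in."""
    if not verdict["http_auth"]:
        return "Apache did not complete Negotiate authentication"
    if not verdict["ccache"]:
        return "authenticated as %s but no delegated ccache was created" % verdict["principal"]
    if verdict["bind_ok"] is None:
        return "ccache %s created, bind result missing from the dump" % verdict["ccache"]
    if verdict["bind_ok"]:
        return "delegated credentials usable: LDAP GSSAPI bind succeeded"
    return "ccache %s created but the LDAP bind could not use it: %s" % (
        verdict["ccache"], verdict["gss_error"])


if __name__ == "__main__":
    for label, dump in (("curl", CURL_DUMP), ("firefox", FIREFOX_DUMP)):
        print("%-8s %s" % (label, explain(triage(dump))))
```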
From rcritten at redhat.com Tue Feb 12 21:43:16 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 12 Feb 2008 13:43:16 -0800
Subject: [Freeipa-devel] freeipa and samba
In-Reply-To: <1202820939.4445.42.camel@xbox360.hq.axsem.com>
References: <1202264393.3914.31.camel@unreal.localdomain> <1202329514.8976.124.camel@localhost.localdomain> <1202672789.6603.24.camel@unreal.localdomain> <1202753461.5239.25.camel@localhost.localdomain> <1202820939.4445.42.camel@xbox360.hq.axsem.com>
Message-ID: <47B212F4.3010204@redhat.com>

Thomas Sailer wrote:
> On Mon, 2008-02-11 at 13:11 -0500, Simo Sorce wrote:
>
>> Can you provide the error you get with Firefox ?
>
> Ok, on the server:
> krb5-devel-1.6.3-4.fc8.jnx
> krb5-server-1.6.3-4.fc8.jnx
> krb5-server-ldap-1.6.3-4.fc8.jnx
> krb5-workstation-1.6.3-4.fc8.jnx
> krb5-libs-1.6.3-4.fc8.jnx

I don't see a changelog entry in the rawhide version that discusses the spnego changes required. It may be that this is simply already done in 1.6.3 versus 1.6.1/2. It might be worth it to try 1.6.2-12 from f8.

> These are rebuilt from the source RPM from Rawhide.
>
>
> # curl -u : --negotiate -k https://xxx.xxx.com/ipatest/
> KRB5CCNAME: FILE:/tmp/krb5cc_apache_iHWoIo
> HTTPS: on
> GATEWAY_INTERFACE: CGI/1.1
> SERVER_PROTOCOL: HTTP/1.1
> REQUEST_METHOD: GET
> QUERY_STRING:
> REQUEST_URI: /ipatest/
> SCRIPT_NAME: /ipatest/
> HTTP_USER_AGENT: curl/7.17.1 (i686-redhat-linux-gnu) libcurl/7.17.1 NSS/3.11.7.1 zlib/1.2.3 libidn/0.6.14
> HTTP_HOST: xxx.xxx.com
> HTTP_ACCEPT: */*
> PATH: /sbin:/usr/sbin:/bin:/usr/bin
> SERVER_SIGNATURE:
> Apache/2.2.6 (Fedora) Server at xxx.xxx.com Port 443
>
> SERVER_SOFTWARE: Apache/2.2.6 (Fedora)
> SERVER_NAME: xxx.xxx.com
> SERVER_ADDR: 192.168.1.2
> SERVER_PORT: 443
> REMOTE_ADDR: 192.168.1.2
> DOCUMENT_ROOT: /var/www/html
> SERVER_ADMIN: root at localhost
> SCRIPT_FILENAME: /usr/share/ipa/ipatest/
> REMOTE_PORT: 59159
> REMOTE_USER: admin at XXX.COM
> AUTH_TYPE: Negotiate
> KRB5CCNAME is FILE:/tmp/krb5cc_apache_iHWoIo
> Sucessfully bound to LDAP using SASL mechanism GSSAPI
>
> with firefox:
> KRB5CCNAME: FILE:/tmp/krb5cc_apache_bpP78u
> HTTPS: on
> GATEWAY_INTERFACE: CGI/1.1
> SERVER_PROTOCOL: HTTP/1.1
> REQUEST_METHOD: GET
> QUERY_STRING:
> REQUEST_URI: /ipatest/
> SCRIPT_NAME: /ipatest/
> HTTP_HOST: xxx.xxx.com
> HTTP_USER_AGENT: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10
> HTTP_ACCEPT: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> HTTP_ACCEPT_LANGUAGE: en-us,en;q=0.5
> HTTP_ACCEPT_ENCODING: gzip,deflate
> HTTP_ACCEPT_CHARSET: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> HTTP_KEEP_ALIVE: 300
> HTTP_CONNECTION: keep-alive
> PATH: /sbin:/usr/sbin:/bin:/usr/bin
> SERVER_SIGNATURE:
> Apache/2.2.6 (Fedora) Server at xxx.xxx.com Port 443
>
> SERVER_SOFTWARE: Apache/2.2.6 (Fedora)
> SERVER_NAME: xxx.xxx.com
> SERVER_ADDR: 192.168.1.2
> SERVER_PORT: 443
> REMOTE_ADDR: 192.168.1.2
> DOCUMENT_ROOT: /var/www/html
> SERVER_ADMIN: root at localhost
> SCRIPT_FILENAME: /usr/share/ipa/ipatest/
> REMOTE_PORT: 59165
> REMOTE_USER: admin at XXX.COM
> AUTH_TYPE: Negotiate
> KRB5CCNAME is FILE:/tmp/krb5cc_apache_bpP78u
> Error using SASL mechanism GSSAPI {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)', 'desc': 'Local error'}
I'm glad you found and were able to set up that debug stuff!

I'm a little baffled by this error. It would seem that Firefox is sending the ticket since a ccache is being created by Apache.

Just to be sure, can you set these in a shell and then start Firefox from there?

export NSPR_LOG_MODULES=negotiateauth:5
export NSPR_LOG_FILE=/tmp/moz.log

This will enable some debugging in Firefox that might point to something.

And I assume you have network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris set properly or you wouldn't have gotten as far as you have.

rob

From sailer at sailer.dynip.lugs.ch Wed Feb 13 15:13:17 2008
From: sailer at sailer.dynip.lugs.ch (Thomas Sailer)
Date: Wed, 13 Feb 2008 16:13:17 +0100
Subject: [Freeipa-devel] freeipa and samba
In-Reply-To: <47B212F4.3010204@redhat.com>
References: <1202264393.3914.31.camel@unreal.localdomain> <1202329514.8976.124.camel@localhost.localdomain> <1202672789.6603.24.camel@unreal.localdomain> <1202753461.5239.25.camel@localhost.localdomain> <1202820939.4445.42.camel@xbox360.hq.axsem.com> <47B212F4.3010204@redhat.com>
Message-ID: <1202915597.4445.83.camel@xbox360.hq.axsem.com>

Ok, now with:

krb5-server-ldap-1.6.2-11.fc8
krb5-libs-1.6.2-11.fc8
krb5-workstation-1.6.2-11.fc8
krb5-server-1.6.2-11.fc8
krb5-devel-1.6.2-11.fc8

Same thing with firefox:
KRB5CCNAME: FILE:/tmp/krb5cc_apache_ijiXp7
HTTPS: on
GATEWAY_INTERFACE: CGI/1.1
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
QUERY_STRING:
REQUEST_URI: /ipatest/
SCRIPT_NAME: /ipatest/
HTTP_HOST: xxx.xxx.com
HTTP_USER_AGENT: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10
HTTP_ACCEPT: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
HTTP_ACCEPT_LANGUAGE: en-us,en;q=0.5
HTTP_ACCEPT_ENCODING: gzip,deflate
HTTP_ACCEPT_CHARSET: ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_KEEP_ALIVE: 300
HTTP_CONNECTION: keep-alive
HTTP_COOKIE: session_id=333b7a451144029a7f72015cf6280aed73d16336; tg-visit=0dc587193c98bbbdb462e5f560c3205dbda64236
PATH: /sbin:/usr/sbin:/bin:/usr/bin
SERVER_SIGNATURE:
Apache/2.2.6 (Fedora) Server at xxx.xxx.com Port 443

SERVER_SOFTWARE: Apache/2.2.6 (Fedora)
SERVER_NAME: xxx.xxx.com
SERVER_ADDR: 192.168.1.2
SERVER_PORT: 443
REMOTE_ADDR: 192.168.1.2
DOCUMENT_ROOT: /var/www/html
SERVER_ADMIN: root at localhost
SCRIPT_FILENAME: /usr/share/ipa/ipatest/
REMOTE_PORT: 51194
REMOTE_USER: admin at XXX.COM
AUTH_TYPE: Negotiate
KRB5CCNAME is FILE:/tmp/krb5cc_apache_ijiXp7
Error using SASL mechanism GSSAPI {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)', 'desc': 'Local error'}
The firefox log contains the following repeated four times:

-1208858928[8127548]: using REQ_DELEGATE
-1208858928[8127548]: service = xxx.xxx.com
-1208858928[8127548]: using negotiate-gss
-1208858928[8127548]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1208858928[8127548]: Attempting to load gss functions
-1208858928[8127548]: entering nsAuthGSSAPI::Init()
-1208858928[8127548]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
-1208858928[8127548]: entering nsAuthGSSAPI::GetNextToken()
-1208858928[8127548]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
-1208858928[8127548]: Sending a token of length 1209

Thanks,
Tom

From rcritten at redhat.com Wed Feb 13 20:06:10 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Feb 2008 12:06:10 -0800
Subject: [Freeipa-devel] freeipa and samba
In-Reply-To: <1202915597.4445.83.camel@xbox360.hq.axsem.com>
References: <1202264393.3914.31.camel@unreal.localdomain> <1202329514.8976.124.camel@localhost.localdomain> <1202672789.6603.24.camel@unreal.localdomain> <1202753461.5239.25.camel@localhost.localdomain> <1202820939.4445.42.camel@xbox360.hq.axsem.com> <47B212F4.3010204@redhat.com> <1202915597.4445.83.camel@xbox360.hq.axsem.com>
Message-ID: <47B34DB2.8060407@redhat.com>

Can you look to see if there are any SELinux denials?

rob

Thomas Sailer wrote:
> Ok, now with:
>
> krb5-server-ldap-1.6.2-11.fc8
> krb5-libs-1.6.2-11.fc8
> krb5-workstation-1.6.2-11.fc8
> krb5-server-1.6.2-11.fc8
> krb5-devel-1.6.2-11.fc8
>
> Same thing with firefox:
> KRB5CCNAME: FILE:/tmp/krb5cc_apache_ijiXp7
> HTTPS: on
> GATEWAY_INTERFACE: CGI/1.1
> SERVER_PROTOCOL: HTTP/1.1
> REQUEST_METHOD: GET
> QUERY_STRING:
> REQUEST_URI: /ipatest/
> SCRIPT_NAME: /ipatest/
> HTTP_HOST: xxx.xxx.com
> HTTP_USER_AGENT: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10
> HTTP_ACCEPT: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> HTTP_ACCEPT_LANGUAGE: en-us,en;q=0.5
> HTTP_ACCEPT_ENCODING: gzip,deflate
> HTTP_ACCEPT_CHARSET: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> HTTP_KEEP_ALIVE: 300
> HTTP_CONNECTION: keep-alive
> HTTP_COOKIE: session_id=333b7a451144029a7f72015cf6280aed73d16336; tg-visit=0dc587193c98bbbdb462e5f560c3205dbda64236
> PATH: /sbin:/usr/sbin:/bin:/usr/bin
> SERVER_SIGNATURE:
> Apache/2.2.6 (Fedora) Server at xxx.xxx.com Port 443
>
> SERVER_SOFTWARE: Apache/2.2.6 (Fedora)
> SERVER_NAME: xxx.xxx.com
> SERVER_ADDR: 192.168.1.2
> SERVER_PORT: 443
> REMOTE_ADDR: 192.168.1.2
> DOCUMENT_ROOT: /var/www/html
> SERVER_ADMIN: root at localhost
> SCRIPT_FILENAME: /usr/share/ipa/ipatest/
> REMOTE_PORT: 51194
> REMOTE_USER: admin at XXX.COM
> AUTH_TYPE: Negotiate
> KRB5CCNAME is FILE:/tmp/krb5cc_apache_ijiXp7
> Error using SASL mechanism GSSAPI {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)', 'desc': 'Local error'}
>
> The firefox log contains the following repeated four times:
>
> -1208858928[8127548]: using REQ_DELEGATE
> -1208858928[8127548]: service = xxx.xxx.com
> -1208858928[8127548]: using negotiate-gss
> -1208858928[8127548]: entering nsAuthGSSAPI::nsAuthGSSAPI()
> -1208858928[8127548]: Attempting to load gss functions
> -1208858928[8127548]: entering nsAuthGSSAPI::Init()
> -1208858928[8127548]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
> -1208858928[8127548]: entering nsAuthGSSAPI::GetNextToken()
> -1208858928[8127548]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
> -1208858928[8127548]: Sending a token of length 1209
>
>
> Thanks,
> Tom
>
>

From sailer at sailer.dynip.lugs.ch Wed Feb 13 20:25:30 2008
From: sailer at sailer.dynip.lugs.ch (Thomas Sailer)
Date: Wed, 13 Feb 2008 21:25:30 +0100
Subject: [Freeipa-devel] freeipa and samba
In-Reply-To: <47B34DB2.8060407@redhat.com>
References: <1202264393.3914.31.camel@unreal.localdomain> <1202329514.8976.124.camel@localhost.localdomain> <1202672789.6603.24.camel@unreal.localdomain> <1202753461.5239.25.camel@localhost.localdomain> <1202820939.4445.42.camel@xbox360.hq.axsem.com> <47B212F4.3010204@redhat.com> <1202915597.4445.83.camel@xbox360.hq.axsem.com> <47B34DB2.8060407@redhat.com>
Message-ID: <1202934330.6603.36.camel@unreal.localdomain>

On Wed, 2008-02-13 at 12:06 -0800, Rob Crittenden wrote:
> Can you look to see if there are any SELinux denials?

I had selinux in permissive mode, so I don't think selinux is the culprit here...
Tom

From rcritten at redhat.com Wed Feb 13 22:04:58 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Feb 2008 14:04:58 -0800
Subject: [Freeipa-devel] freeipa and samba
In-Reply-To: <1202934330.6603.36.camel@unreal.localdomain>
References: <1202264393.3914.31.camel@unreal.localdomain> <1202329514.8976.124.camel@localhost.localdomain> <1202672789.6603.24.camel@unreal.localdomain> <1202753461.5239.25.camel@localhost.localdomain> <1202820939.4445.42.camel@xbox360.hq.axsem.com> <47B212F4.3010204@redhat.com> <1202915597.4445.83.camel@xbox360.hq.axsem.com> <47B34DB2.8060407@redhat.com> <1202934330.6603.36.camel@unreal.localdomain>
Message-ID: <47B3698A.2050008@redhat.com>

Thomas Sailer wrote:
> On Wed, 2008-02-13 at 12:06 -0800, Rob Crittenden wrote:
>> Can you look to see if there are any SELinux denials?
>
> I had selinux in permissive mode, so I don't think selinux is the
> culprit here...

Does the CGI test program work? (test.py)

It is very strange that the cache is there but seems unusable. On a bright note it looks like Firefox is correctly delegating the credentials, so that's something anyhow.

Can you try this really simple test? Create a CGI (/var/www/cgi-bin on Fedora) with this:

#!/bin/sh
echo "Content-Type: text/plain"
echo ""
/usr/kerberos/bin/klist

It should list your ticket and if not, maybe it will give us a better error message to work with.

rob

From nkinder at redhat.com Fri Feb 15 00:29:02 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 14 Feb 2008 16:29:02 -0800
Subject: [Freeipa-devel] [PATCH] Handle circular groupings in memberOf plug-in
Message-ID: <47B4DCCE.4070804@redhat.com>

There were a couple of issues that caused circular groupings to crash in the memberOf plug-in.
The first issue was caused by improper checking during a fix-up operation.
When a change in membership for a group needs to be processed, the
memberOf plug-in starts processing "member" values, tracing through nested
groups as needed to update all subordinate members. Once it finds a
subordinate member, it updates its "memberOf" attribute, then it performs
a "fix-up" operation. This fix-up operation looks for any other groups in
your database that have the group whose membership is being modified as a
member. It's essentially looking for parent groups. This fix-up operation
was always being performed, but there are a few cases where we do not want
to do it. These cases are when the updating of the "memberOf" value failed
as well as when we just added a "memberOf" value to ourselves.

The other problem was revealed after fixing the first issue. The memberOf
plug-in uses a linked list to keep track of groups we've seen when
traversing through groups to update membership. We were always adding the
group being directly modified in the web interface when we should have been
adding the nested groups to this list. This caused us to not be able to
detect indirect loops.

With the changes made in the patch, I'm able to do the following tests
without crashing ns-slapd (all of which would have caused crashes before my
fix, or were masked by the first part of the fix):

1 - Create a group with itself as a member.
2 - Create two groups with each other as members.
3 - Create a group like test 1, then create a new group with the first
group as a member.
4 - Create three groups that are nested (1->2->3), then add the first group
as a member of the third group.

-NGK
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-636-memberofcrash.patch
Type: text/x-patch
Size: 2182 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
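A worked version of the traversal described in the message above, added here as an example and not taken from the memberOf plug-in itself (which is C code inside ns-slapd): a walk over a constructed dictionary of groups that records each entry's memberOf values, keeps the "seen" list of nested groups the message describes, and runs the four test shapes listed. The DNs (cn=g1, uid=user1), the reading of "nested (1->2->3)" as g1 containing g2 containing g3, and the `track_nested` switch that reproduces the old behaviour are assumptions made for illustration.

```python
# Added example, not the memberOf plug-in's code. Groups are a constructed
# dict of group DN -> list of member DNs; anything that is not a key of the
# dict is a leaf entry (a user).


def update_memberof(groups, modified_group, track_nested=True, max_depth=1000):
    """Walk downward from modified_group. Returns (memberof, loops):
    memberof maps each reachable entry to the set of groups it belongs to,
    directly or through nesting; loops lists (group, member) edges that
    point back to a group already on the seen list."""
    memberof, loops = {}, []
    # The directly modified group is seeded so "group contains itself" is
    # caught; the fix in the thread is that nested groups are added too.
    seen = {modified_group}

    def walk(group, chain, depth):
        # chain: every group a member of `group` is (indirectly) a member of
        if depth > max_depth:
            raise RecursionError("nested-group walk did not terminate")
        for member in groups.get(group, ()):
            memberof.setdefault(member, set()).update(chain)
            if member not in groups:
                continue                        # leaf entry, nothing to expand
            if member in seen:
                loops.append((group, member))   # back edge: stop here
                continue
            if track_nested:                    # the fix: remember nested groups
                seen.add(member)
            walk(member, chain | {member}, depth + 1)

    walk(modified_group, frozenset({modified_group}), 0)
    return memberof, loops


G1, G2, G3, USER = "cn=g1", "cn=g2", "cn=g3", "uid=user1"

# The four shapes from the message as (directory, group being modified).
CASES = {
    1: ({G1: [G1, USER]}, G1),
    2: ({G1: [G2], G2: [G1, USER]}, G1),
    3: ({G1: [G1], G2: [G1, USER]}, G2),
    # g1 contains g2, g2 contains g3 (assumed reading of 1->2->3),
    # then g1 is added as a member of g3.
    4: ({G1: [G2], G2: [G3, USER], G3: [G1]}, G3),
}


def loop_tests():
    """Run every case with the fixed traversal: {n: (memberof, loops)}."""
    return {n: update_memberof(groups, start) for n, (groups, start) in CASES.items()}


def old_behaviour_terminates(groups, modified_group):
    """Old seen-list handling (only the modified group is remembered),
    bounded so that a missed loop shows up as False instead of a hang."""
    try:
        update_memberof(groups, modified_group, track_nested=False, max_depth=50)
        return True
    except RecursionError:
        return False


if __name__ == "__main__":
    for n, (memberof, loops) in loop_tests().items():
        print(n, sorted(memberof.get(USER, ())), loops)
    print("old behaviour, case 3 terminates:", old_behaviour_terminates(*CASES[3]))
```

Case 3 is the "indirect loop" the message describes: the self-referencing group is reached only through another group, so a seen list holding just the modified group never notices it, while tracking nested groups stops at the first back edge.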
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rcritten at redhat.com Fri Feb 15 00:52:15 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 14 Feb 2008 16:52:15 -0800
Subject: [Freeipa-devel] [PATCH] Handle circular groupings in memberOf plug-in
In-Reply-To: <47B4DCCE.4070804@redhat.com>
References: <47B4DCCE.4070804@redhat.com>
Message-ID: <47B4E23F.2000708@redhat.com>

Nathan Kinder wrote:
> There were a couple of issues that caused circular groupings to crash in
> the
> memberOf plug-in.
>
> The first issue was caused by improper checking during a fix-up operation.
> When a change in membership for a group needs to be processed, the
> memberOf plug-in starts processing "member" values, tracing through nested
> groups as needed to update all subordinate members. Once it finds a
> subordinate
> member, it updates its "memberOf" attribute, then it performs a
> "fix-up" operation.
> This fix-up operation looks for any other groups in your database that
> have the
> group whose membership is being modified as a member. It's essentially
> looking
> for parent groups. This fix-up operation was always being performed,
> but there
> are a few cases where we do not want to do it. These cases are when the
> updating
> of the "memberOf" value failed as well as when we just added a
> "memberOf" value to ourselves.
>
> The other problem was revealed after fixing the first issue. The memberOf
> plug-in uses a linked list to keep track of groups we've seen when
> traversing
> through groups to update membership. We were always adding the group being
> directly modified in the web interface when we should have been adding the
> nested groups to this list. This caused us to not be able to detect
> indirect loops.
>
> With the changes made in the patch, I'm able to do the following tests
> without
> crashing ns-slapd (all of which would have caused crashes before my fix,
> or were
> masked by the first part of the fix):
>
> 1 - Create a group with itself as a member.
> 2 - Create two groups with each other as members.
> 3 - Create a group like test 1, then create a new group with the first
> group as
> a member.
> 4 - Create three groups that are nested (1->2->3), then add the first
> group as a
> member of the third group.
>
> -NGK
>

Ack and push
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rcritten at redhat.com Fri Feb 15 01:41:45 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 14 Feb 2008 17:41:45 -0800
Subject: [Freeipa-devel] [PATCH] problem with ipa-replica-install
Message-ID: <47B4EDD9.7020804@redhat.com>

When I added back in the creation of a PKCS#12 file I didn't take into
consideration that this would be run on replicas as well, which don't
have the private key material, thus causing all replica installs to
fail. So I've fixed it so we don't do this step on replicas.

I also renamed the output file of ipa-replica-prepare to be named after
the FQDN passed in as an argument.

I went ahead and pushed this as it is blocking replica testing.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-639-replica.patch
Type: text/x-patch
Size: 3516 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From ssorce at redhat.com Fri Feb 15 03:50:59 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 14 Feb 2008 22:50:59 -0500
Subject: [Freeipa-devel] [PATCH] problem with ipa-replica-install
In-Reply-To: <47B4EDD9.7020804@redhat.com>
References: <47B4EDD9.7020804@redhat.com>
Message-ID: <1203047459.5304.35.camel@localhost.localdomain>

On Thu, 2008-02-14 at 17:41 -0800, Rob Crittenden wrote:
> When I added back in the creation of a PKCS#12 file I didn't take
> into
> consideration that this would be run on replicas as well which don't
> have the private key material, thus causing all replica installs to
> fail. So I've fixed it so we don't do this step on replicas.
>
> I also renamed the output file of ipa-replica-prepare to be named
> after
> the FQDN passed in as an argument.
>
> I went ahead and pushed this as it is blocking replica testing.

Looks good anyway.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sailer at sailer.dynip.lugs.ch Fri Feb 15 13:13:25 2008
From: sailer at sailer.dynip.lugs.ch (Thomas Sailer)
Date: Fri, 15 Feb 2008 14:13:25 +0100
Subject: [Freeipa-devel] freeipa and samba
In-Reply-To: <47B3698A.2050008@redhat.com>
References: <1202264393.3914.31.camel@unreal.localdomain> <1202329514.8976.124.camel@localhost.localdomain> <1202672789.6603.24.camel@unreal.localdomain> <1202753461.5239.25.camel@localhost.localdomain> <1202820939.4445.42.camel@xbox360.hq.axsem.com> <47B212F4.3010204@redhat.com> <1202915597.4445.83.camel@xbox360.hq.axsem.com> <47B34DB2.8060407@redhat.com> <1202934330.6603.36.camel@unreal.localdomain> <47B3698A.2050008@redhat.com>
Message-ID: <1203081205.4445.109.camel@xbox360.hq.axsem.com>

Hi Rob,

thanks for your suggestions.
I used the following test script: test.sh

#!/bin/sh
######################################################################
#
# Example CGI script that uses Kerberos credentials cached by
# mod_auth_kerb compiled with caching option.
#
# Submitted by: Von Welch
#
# mod_auth_kerb - Daniel Henninger
#
######################################################################

# Output HTML header
echo Content-type: text/plain
echo

# $REMOTE_USER should be set by httpd
if [ -z "$REMOTE_USER" ]; then
  echo '$REMOTE_USER not set.'
  exit 1
fi

echo "REMOTE_USER is $REMOTE_USER"

if [ -z "$KRB5CCNAME" ]; then
  echo 'Kerberos credential cache name $KRB5CCNAME does not exist.'
  exit 1
fi

# Do Kerberos stuff
echo "Environment"
env|sort
echo "/tmp contents"
/bin/ls -lZ /tmp/krb*
echo "run klist"
#/usr/bin/strace /usr/kerberos/bin/klist 2>&1
/usr/kerberos/bin/klist
echo "end run klist"

#X=`echo ${KRB5CCNAME} | sed -e s,FILE:,,`;
#/bin/cp -f ${X} /tmp/krb5cccache
#echo "cp -f ${X} /tmp/krb5cccache"

exit 0
--

The curl output is:
REMOTE_USER is admin at XXX.COM
Environment

AUTH_TYPE=Negotiate
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=*/*
HTTP_HOST=xxx.xxx.com
HTTP_USER_AGENT=curl/7.17.1 (i686-redhat-linux-gnu) libcurl/7.17.1 NSS/3.11.7.1 zlib/1.2.3 libidn/0.6.14
KRB5CCNAME=FILE:/tmp/krb5cc_apache_aHfCAu
PATH=/sbin:/usr/sbin:/bin:/usr/bin
PWD=/var/www/cgi-bin
QUERY_STRING=
REMOTE_ADDR=192.168.1.2
REMOTE_PORT=36386
REMOTE_USER=admin at XXX.COM
REQUEST_METHOD=GET
REQUEST_URI=/cgi-bin/test.sh
SCRIPT_FILENAME=/var/www/cgi-bin/test.sh
SCRIPT_NAME=/cgi-bin/test.sh
SERVER_ADDR=192.168.1.2
SERVER_ADMIN=root at localhost
SERVER_NAME=xxx.xxx.com
SERVER_PORT=443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
Apache/2.2.6 (Fedora) Server at xxx.xxx.com Port 443
SERVER_SOFTWARE=Apache/2.2.6 (Fedora)
SHLVL=1
SSL_CIPHER=RC4
SSL_CIPHER_ALGKEYSIZE=128
SSL_CIPHER_EXPORT=false
SSL_CIPHER_NAME=SSL_RSA_WITH_RC4_128_MD5
SSL_CIPHER_USEKEYSIZE=128
SSL_CLIENT_VERIFY=NONE
SSL_PROTOCOL=TLSv1
SSL_SERVER_A_KEY=RSA_RSA
SSL_SERVER_A_SIG=MD5-RSA
SSL_SERVER_I_DN=CN=IPA Test Certificate Authority
SSL_SERVER_I_DN_CN=IPA Test Certificate Authority
SSL_SERVER_M_SERIAL=2000
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=xxx.xxx.com,OU=Apache Web Server
SSL_SERVER_S_DN_CN=xxx.xxx.com
SSL_SERVER_S_DN_OU=Apache Web Server
SSL_SERVER_V_END=Feb 05 11:30:49 2018 GMT
SSL_SERVER_V_START=Feb 05 11:30:49 2008 GMT
SSL_SESSION_ID=FChmOVV5RlvItfI6JtGOac+kd5sMM1h3B41NqVT4YYU=
SSL_VERSION_INTERFACE=mod_nss/2.2.6
SSL_VERSION_LIBRARY=NSS/3.11.7.1
_=/bin/env
/tmp contents
-rw-r--r-- t.sailer Domain Users system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-1.6.3-4.fc9.src.rpm
-rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-devel-1.6.2-11.fc8.i386.rpm
-rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-libs-1.6.2-11.fc8.i386.rpm
-rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-server-1.6.2-11.fc8.i386.rpm
-rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-server-ldap-1.6.2-11.fc8.i386.rpm
-rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-workstation-1.6.2-11.fc8.i386.rpm
-rw------- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_0
-rw------- t.sailer Domain Users system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_10000
-rw------- apache apache system_u:object_r:httpd_tmp_t:s0 /tmp/krb5cc_apache_aHfCAu
run klist
Ticket cache: FILE:/tmp/krb5cc_apache_aHfCAu
Default principal: admin at XXX.COM

Valid starting     Expires            Service principal
02/15/08 14:02:59  02/17/08 13:53:25  krbtgt/XXX.COM at XXX.COM


Kerberos 4 ticket cache: /tmp/tkt48
end run klist
--

The firefox output is:
REMOTE_USER is admin at XXX.COM
Environment

AUTH_TYPE=Negotiate
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_ACCEPT_ENCODING=gzip,deflate
HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5
HTTP_CACHE_CONTROL=max-age=0, max-age=0
HTTP_CONNECTION=keep-alive
HTTP_COOKIE=session_id=2be4da016d07250e719ab15cae48512e680d52a9; tg-visit=7cd94c486e5746e239fb41f7fef1c7344c4f3e45
HTTP_HOST=xxx.xxx.com
HTTP_KEEP_ALIVE=300
HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10
KRB5CCNAME=FILE:/tmp/krb5cc_apache_oT62R7
PATH=/sbin:/usr/sbin:/bin:/usr/bin
PWD=/var/www/cgi-bin
QUERY_STRING=
REMOTE_ADDR=192.168.1.2
REMOTE_PORT=36383
REMOTE_USER=admin at XXX.COM
REQUEST_METHOD=GET
REQUEST_URI=/cgi-bin/test.sh
SCRIPT_FILENAME=/var/www/cgi-bin/test.sh
SCRIPT_NAME=/cgi-bin/test.sh
SERVER_ADDR=192.168.1.2
SERVER_ADMIN=root at localhost
SERVER_NAME=xxx.xxx.com
SERVER_PORT=443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
Apache/2.2.6 (Fedora) Server at xxx.xxx.com Port 443
SERVER_SOFTWARE=Apache/2.2.6 (Fedora)
SHLVL=1
SSL_CIPHER=AES-256
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_NAME=TLS_RSA_WITH_AES_256_CBC_SHA
SSL_CIPHER_USEKEYSIZE=256
SSL_CLIENT_VERIFY=NONE
SSL_PROTOCOL=TLSv1
SSL_SERVER_A_KEY=RSA_RSA
SSL_SERVER_A_SIG=SHA1-RSA
SSL_SERVER_I_DN=CN=IPA Test Certificate Authority
SSL_SERVER_I_DN_CN=IPA Test Certificate Authority
SSL_SERVER_M_SERIAL=2000
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=xxx.xxx.com,OU=Apache Web Server
SSL_SERVER_S_DN_CN=xxx.xxx.com
SSL_SERVER_S_DN_OU=Apache Web Server
SSL_SERVER_V_END=Feb 05 11:30:49 2018 GMT
SSL_SERVER_V_START=Feb 05 11:30:49 2008 GMT
SSL_SESSION_ID=FCWK1o2LsZQBaata5jy0yFlAs8dltfXdurOS7OC5G7A=
SSL_VERSION_INTERFACE=mod_nss/2.2.6
SSL_VERSION_LIBRARY=NSS/3.11.7.1
_=/bin/env
/tmp contents
-rw-r--r-- t.sailer Domain Users system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-1.6.3-4.fc9.src.rpm
-rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-devel-1.6.2-11.fc8.i386.rpm
-rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-libs-1.6.2-11.fc8.i386.rpm
-rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-server-1.6.2-11.fc8.i386.rpm
-rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-server-ldap-1.6.2-11.fc8.i386.rpm
-rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-workstation-1.6.2-11.fc8.i386.rpm
-rw------- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_0
-rw------- t.sailer Domain Users system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_10000
run klist


Kerberos 4 ticket cache: /tmp/tkt48
end run klist
--

Diff between curl and firefox:
@@ -5,15 +5,22 @@ DOCUMENT_ROOT=/var/www/html GATEWAY_INTERFACE=CGI/1.1 HTTPS=on -HTTP_ACCEPT=*/* +HTTP_ACCEPT=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 +HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7 +HTTP_ACCEPT_ENCODING=gzip,deflate +HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5 +HTTP_CACHE_CONTROL=max-age=0, max-age=0 +HTTP_CONNECTION=keep-alive +HTTP_COOKIE=session_id=2be4da016d07250e719ab15cae48512e680d52a9; tg-visit=7cd94c486e5746e239fb41f7fef1c7344c4f3e45 HTTP_HOST=xxx.xxx.com -HTTP_USER_AGENT=curl/7.17.1 (i686-redhat-linux-gnu) libcurl/7.17.1 NSS/3.11.7.1 zlib/1.2.3 libidn/0.6.14 -KRB5CCNAME=FILE:/tmp/krb5cc_apache_aHfCAu +HTTP_KEEP_ALIVE=300 +HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10 +KRB5CCNAME=FILE:/tmp/krb5cc_apache_oT62R7 PATH=/sbin:/usr/sbin:/bin:/usr/bin PWD=/var/www/cgi-bin QUERY_STRING= REMOTE_ADDR=192.168.1.2 -REMOTE_PORT=36386 +REMOTE_PORT=36383 REMOTE_USER=admin at XXX.COM REQUEST_METHOD=GET REQUEST_URI=/cgi-bin/test.sh @@ -27,15 +34,15 @@ SERVER_SIGNATURE=
Apache/2.2.6 (Fedora) Server at xxx.xxx.com Port 443
SERVER_SOFTWARE=Apache/2.2.6 (Fedora) SHLVL=1 -SSL_CIPHER=RC4 -SSL_CIPHER_ALGKEYSIZE=128 +SSL_CIPHER=AES-256 +SSL_CIPHER_ALGKEYSIZE=256 SSL_CIPHER_EXPORT=false -SSL_CIPHER_NAME=SSL_RSA_WITH_RC4_128_MD5 -SSL_CIPHER_USEKEYSIZE=128 +SSL_CIPHER_NAME=TLS_RSA_WITH_AES_256_CBC_SHA +SSL_CIPHER_USEKEYSIZE=256 SSL_CLIENT_VERIFY=NONE SSL_PROTOCOL=TLSv1 SSL_SERVER_A_KEY=RSA_RSA -SSL_SERVER_A_SIG=MD5-RSA +SSL_SERVER_A_SIG=SHA1-RSA SSL_SERVER_I_DN=CN=IPA Test Certificate Authority SSL_SERVER_I_DN_CN=IPA Test Certificate Authority SSL_SERVER_M_SERIAL=2000 @@ -45,7 +52,7 @@ SSL_SERVER_S_DN_OU=Apache Web Server SSL_SERVER_V_END=Feb 05 11:30:49 2018 GMT SSL_SERVER_V_START=Feb 05 11:30:49 2008 GMT -SSL_SESSION_ID=FChmOVV5RlvItfI6JtGOac+kd5sMM1h3B41NqVT4YYU= +SSL_SESSION_ID=FCWK1o2LsZQBaata5jy0yFlAs8dltfXdurOS7OC5G7A= SSL_VERSION_INTERFACE=mod_nss/2.2.6 SSL_VERSION_LIBRARY=NSS/3.11.7.1 _=/bin/env 
@@ -58,13 +65,7 @@ -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-workstation-1.6.2-11.fc8.i386.rpm -rw------- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_0 -rw------- t.sailer Domain Users system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_10000 --rw------- apache apache system_u:object_r:httpd_tmp_t:s0 /tmp/krb5cc_apache_aHfCAu run klist -Ticket cache: FILE:/tmp/krb5cc_apache_aHfCAu -Default principal: admin at XXX.COM - -Valid starting Expires Service principal -02/15/08 14:02:59 02/17/08 13:53:25 krbtgt/XXX.COM at XXX.COM

No significant difference IMO, except that the krb5 credentials cache
file just isn't there when the script is called from firefox!

Even strace'ing klist does not show any significant difference, except
that in the firefox case klist cannot open the krb5 cc file listed in
the environment.

Tom

On Wed, 2008-02-13 at 14:04 -0800, Rob Crittenden wrote:
> Thomas Sailer wrote:
> > On Wed, 2008-02-13 at 12:06 -0800, Rob Crittenden wrote:
> >> Can you look to see if there are any SELinux denials?
> >
> > I had selinux in permissive mode, so I don't think selinux is the
> > culprit here...
>
> Does the CGI test program work? (test.py)
>
> It is very strange that the cache is there but seems unusable.
>
> On a bright note it looks like Firefox is correctly delegating the
> credentials, so that's something anyhow.
>
> Can you try this really simple test. Create a CGI (/var/www/cgi-bin on
> Fedora) with this:
>
> #!/bin/sh
>
> echo "Content-Type: text/plain"
> echo ""
>
> /usr/kerberos/bin/klist
>
> It should list your ticket and if not, maybe it will give us a better
> error message to work with.
>
> rob

From ssorce at redhat.com Fri Feb 15 13:55:51 2008
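Review bot: the `+HTTP_COOKIE=session_id=2be4da016d07250e719ab15cae48512e680d52a9; tg-visit=7cd94c486e5746e239fb41f7fef1c7344c4f3e45` line in the first hunk (@@ -5,15 +5,22 @@) pastes the live TurboGears session identifiers of the admin login into a public list archive; those values are bearer secrets until the session expires, so they should be redacted the same way the hostname and realm were, and the UI session logged out after posting. The same hunk also shows that `KRB5CCNAME` is set to a `/tmp/krb5cc_apache_*` file in the Firefox run as well, so the delegated-cache environment is being prepared for both clients and the difference is only which file it names.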
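Review bot: in the last hunk (@@ -58,13 +65,7 @@) the only functional difference is the missing `--rw------- apache apache system_u:object_r:httpd_tmp_t:s0 /tmp/krb5cc_apache_aHfCAu` entry and the klist lines that depended on it; the CGI, its environment and the SELinux contexts of the other caches are identical. A cache file that is named in the environment but absent from `/tmp` means the httpd process handling the Firefox request never wrote it, so the next thing to check is that process rather than the script or SELinux policy, and the freshly downloaded `krb5-*-1.6.2-11.fc8` packages visible in the context lines suggest confirming that the running httpd has actually picked up the updated krb5 libraries.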
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 15 Feb 2008 08:55:51 -0500
Subject: [Freeipa-devel] freeipa and samba
In-Reply-To: <1203081205.4445.109.camel@xbox360.hq.axsem.com>
References: <1202264393.3914.31.camel@unreal.localdomain> <1202329514.8976.124.camel@localhost.localdomain> <1202672789.6603.24.camel@unreal.localdomain> <1202753461.5239.25.camel@localhost.localdomain> <1202820939.4445.42.camel@xbox360.hq.axsem.com> <47B212F4.3010204@redhat.com> <1202915597.4445.83.camel@xbox360.hq.axsem.com> <47B34DB2.8060407@redhat.com> <1202934330.6603.36.camel@unreal.localdomain> <47B3698A.2050008@redhat.com> <1203081205.4445.109.camel@xbox360.hq.axsem.com>
Message-ID: <1203083751.5304.54.camel@localhost.localdomain>

On Fri, 2008-02-15 at 14:13 +0100, Thomas Sailer wrote:
> No significant difference IMO, except that the krb5 credentials cache
> file just isn't there when the script is called from firefox!
>
> Even strace'ing klist does not show any significant difference, except
> that in the firefox case klist cannot open the krb5 cc file listed in
> the environment.

This was exactly the point of the test. Now we know that something wrong
is going on with Firefox and kerberos auth as no credential cache is
generated.

As to the why, now we need to investigate further.

If you kdestroy your credentials on the client, then kinit and use only
FireFox, and then do a klist on the client, do you see a ticket for the
HTTP service?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Feb 15 14:40:08 2008
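The checks that Tom's test.sh and Rob's one-line CGI make by eye, together with the client-side klist check Simo asks for, as an added Python example (not the thread's script and not FreeIPA code): a function that reports why the cache named by KRB5CCNAME is unusable, and a small parser for klist output that looks for a HTTP/ service ticket. The file names, reason codes and temporary files are constructed; the klist samples are copied from the thread with the archive's "at" turned back into "@", plus an assumed HTTP/xxx.xxx.com line for the client case.

```python
# Added example; nothing here is taken from FreeIPA or from test.sh.
import os
import re
import stat
import tempfile


def diagnose_ccache(environ, uid=None):
    """Return (code, detail) for the credential cache named in environ.
    code is one of: unset, unsupported, missing, bad-mode, wrong-owner, ok.
    A CGI can print the pair instead of leaving the reader to infer it
    from an env dump and a failed klist."""
    name = environ.get("KRB5CCNAME")
    if not name:
        return "unset", "KRB5CCNAME is not set"
    if not name.startswith("FILE:"):
        return "unsupported", name           # only FILE: caches are inspected here
    path = name[len("FILE:"):]
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing", path               # the Firefox case in the thread
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        return "bad-mode", "%s is %o, expected 0600" % (path, mode)
    if uid is not None and st.st_uid != uid:
        return "wrong-owner", "%s is owned by uid %d" % (path, st.st_uid)
    return "ok", path


# A ticket line: two date/time columns followed by the service principal.
_TICKET = re.compile(
    r"^\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}\s+\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}\s+(\S+)")


def parse_klist(text):
    """Extract cache name, default principal and service principals from
    MIT klist output."""
    info = {"cache": None, "principal": None, "services": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Ticket cache:"):
            info["cache"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            info["principal"] = line.split(":", 1)[1].strip()
        else:
            m = _TICKET.match(line)
            if m:
                info["services"].append(m.group(1))
    return info


def has_service_ticket(text, service_prefix="HTTP/"):
    """Simo's client-side check: after kinit and a Firefox visit, klist on
    the client should show a ticket for the HTTP service."""
    return any(s.startswith(service_prefix) for s in parse_klist(text)["services"])


# Sample from the curl run in the thread ("at" restored to "@").
SERVER_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_apache_aHfCAu
Default principal: admin@XXX.COM

Valid starting     Expires            Service principal
02/15/08 14:02:59  02/17/08 13:53:25  krbtgt/XXX.COM@XXX.COM
"""

# Constructed client-side sample: same TGT plus an assumed HTTP/ ticket.
CLIENT_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: admin@XXX.COM

Valid starting     Expires            Service principal
02/15/08 14:02:59  02/17/08 13:53:25  krbtgt/XXX.COM@XXX.COM
02/15/08 14:03:10  02/17/08 13:53:25  HTTP/xxx.xxx.com@XXX.COM
"""


def demo():
    """Run the cache checks against constructed files; returns the codes."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "krb5cc_apache_present")
        loose = os.path.join(d, "krb5cc_apache_loose")
        for path, mode in ((good, 0o600), (loose, 0o644)):
            with open(path, "wb") as f:
                f.write(b"\x05\x04")         # placeholder bytes, not a real cache
            os.chmod(path, mode)
        return {
            "present": diagnose_ccache({"KRB5CCNAME": "FILE:" + good})[0],
            "missing": diagnose_ccache({"KRB5CCNAME": "FILE:" + os.path.join(d, "krb5cc_gone")})[0],
            "loose": diagnose_ccache({"KRB5CCNAME": "FILE:" + loose})[0],
            "unset": diagnose_ccache({})[0],
        }


if __name__ == "__main__":
    print(demo())
    print("server:", parse_klist(SERVER_KLIST)["services"])
    print("client has HTTP/ ticket:", has_service_ticket(CLIENT_KLIST))
```

Inside a real CGI, `diagnose_ccache(os.environ, uid=os.getuid())` gives the one-word answer (here it would be "missing" for the Firefox request and "ok" for curl), and the `bad-mode` and `wrong-owner` codes cover the case where the cache exists but was written with permissions that the apache worker cannot use.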
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 15 Feb 2008 09:40:08 -0500
Subject: [Freeipa-devel] [PATCH] better exception handling, allow 1-character fields
In-Reply-To: <47B0E84A.2040405@redhat.com>
References: <47B0E84A.2040405@redhat.com>
Message-ID: <1203086408.5304.58.camel@localhost.localdomain>

On Mon, 2008-02-11 at 16:28 -0800, Rob Crittenden wrote:
> Fix bug that prevented single-character fields
> Fix bug in exception handling where we were sending the wrong thing
> as
> detail.
> Basically we were catching an LDAP error, generating an IPAError from
> it, catching that, then setting the detail of the 2nd exception to
> another IPAError rather than the root exception. This caused anything
> looking at e.detail to crap out

Ack

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Feb 15 14:43:50 2008
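The wrapping mistake Rob describes, next to the corrected form, as an added illustration that is not FreeIPA's code: `LDAPError`, `IPAError` and the `detail` attribute are stand-ins named after the description, and `ldap_search_fails` is an assumed operation that always raises.

```python
# Added example, not FreeIPA code. The classes are stand-ins for the
# real LDAP and IPA exception types named in the message.


class LDAPError(Exception):
    """Stand-in for the error raised by the LDAP layer."""


class IPAError(Exception):
    """Stand-in for the wrapper error; `detail` is meant to carry the cause."""

    def __init__(self, message, detail=None):
        super().__init__(message)
        self.detail = detail


def ldap_search_fails():
    """Assumed operation: always fails the way a missing entry would."""
    raise LDAPError("No such object")


def lookup_buggy(op):
    """The pattern before the fix: the LDAP error is wrapped once, the
    wrapper is caught again, and the second wrapper gets the first wrapper
    as its detail, so e.detail is an IPAError rather than the LDAP error."""
    try:
        try:
            return op()
        except LDAPError as e:
            raise IPAError("search failed", detail=e)
    except IPAError as e:
        raise IPAError("operation failed", detail=e)       # bug: wraps the wrapper


def lookup_fixed(op):
    """The corrected pattern: the root exception is carried through."""
    try:
        try:
            return op()
        except LDAPError as e:
            raise IPAError("search failed", detail=e)
    except IPAError as e:
        raise IPAError("operation failed", detail=e.detail)  # fix: keep the root cause


def detail_type(lookup):
    """Run `lookup` against the failing operation and report the class name
    a caller finds in e.detail (the thing that 'crapped out' before)."""
    try:
        lookup(ldap_search_fails)
    except IPAError as e:
        return type(e.detail).__name__
    return None


if __name__ == "__main__":
    print("buggy detail:", detail_type(lookup_buggy))   # IPAError
    print("fixed detail:", detail_type(lookup_fixed))   # LDAPError
```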
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 15 Feb 2008 09:43:50 -0500
Subject: [Freeipa-devel] Windows Interop/Samba Integration
In-Reply-To: <47ACAB2B.9030605@gmail.com>
References: <47AC959A.9040304@gmail.com> <1202493440.12372.8.camel@localhost.localdomain> <47ACAB2B.9030605@gmail.com>
Message-ID: <1203086630.5304.63.camel@localhost.localdomain>

On Fri, 2008-02-08 at 14:19 -0500, Marc Richards wrote:
> Simo Sorce wrote:
> > On Fri, 2008-02-08 at 12:47 -0500, Marc Richards wrote:
> >
> >> What is the plan for Windows Interop and Samba integration in FreeIPA,
> >> particularly as it relates to people who don't have Active Directory. I
> >> noticed that the 1.0 Requirements doc specifies the following:
> >>
> >> "[Req11.2] IPA clients: The windows client will rely on the IPA server
> >> for account information and Authentication services. The IPA server will
> >> act as an NT4 style domain controller. Only NTLM authentication will be
> >> supported in this release, no Kerberos" [1]
> >>
> >
> > We had to drop this requirement for v1.0
> > We are evaluating various solutions involving either samba3 or samba4
> > for following versions, but have still not settled on a definitive
> > choice.
> >
> Thanks for the prompt response. Any chance of some kind of wiki
> document for manually achieving this kind of setup with 1.0?

I don't think I want to have yet another guide on how to set up samba
manually with LDAP honestly, there are many already. But we want
seamless integration at some point. When we achieve that then we will
add documentation specific to our integration.

> Seems to
> me like there might be a number of people interested in the use case. Is
> it much more than setting up Samba as an NT4 style domain controller and
> using freeIPA as the backend?

No not really, the only difference from many other installations is
that you should make samba sync the password via ldap and let FreeIPA
handle everything including generation of NT/LM hashes.
> Could I then tell a samba based file
> server hosted on another box to use the users and groups from the
> "freeIPA Samba server"?

Yes, there should be no problem with that.

> If you don't have time to document it on the wiki some links to point in
> the right direction would be appreciated.

I am sure we have a bunch of docs at http://www.samba.org/samba/docs

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri Feb 15 16:44:41 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 15 Feb 2008 08:44:41 -0800
Subject: [Freeipa-devel] freeipa and samba
In-Reply-To: <1203081205.4445.109.camel@xbox360.hq.axsem.com>
References: <1202264393.3914.31.camel@unreal.localdomain> <1202329514.8976.124.camel@localhost.localdomain> <1202672789.6603.24.camel@unreal.localdomain> <1202753461.5239.25.camel@localhost.localdomain> <1202820939.4445.42.camel@xbox360.hq.axsem.com> <47B212F4.3010204@redhat.com> <1202915597.4445.83.camel@xbox360.hq.axsem.com> <47B34DB2.8060407@redhat.com> <1202934330.6603.36.camel@unreal.localdomain> <47B3698A.2050008@redhat.com> <1203081205.4445.109.camel@xbox360.hq.axsem.com>
Message-ID: <47B5C179.3080307@redhat.com>

Did you restart httpd after loading the new krb5 rpms? I've seen one
other case where Apache was still using the old krb5 libraries after
installing the ones that do spnego in a way that Firefox likes.

I may add this CGI to our bag of tricks too, or at least a pointer to it.

thanks

rob

Thomas Sailer wrote:
> Hi Rob,
>
> thanks for your suggestions.
>
> I used the following test script: test.sh
> #!/bin/sh
> ######################################################################
> #
> # Example CGI script that uses Kerberos credentials cached by
> # mod_auth_kerb compiled with caching option.
> #
> # Submitted by: Von Welch
> #
> # mod_auth_kerb - Daniel Henninger
> #
> ######################################################################
>
> # Output HTML header
> echo Content-type: text/plain
> echo
>
> # $REMOTE_USER should be set by httpd
> if [ -z "$REMOTE_USER" ]; then
> echo '$REMOTE_USER not set.'
> exit 1
> fi
>
> echo "REMOTE_USER is $REMOTE_USER"
>
> if [ -z "$KRB5CCNAME" ]; then
> echo 'Kerberos credential cache name $KRB5CCNAME does not exist.'
> exit 1 > fi > > # Do Kerberos stuff > echo "Environment" > env|sort > echo "/tmp contents" > /bin/ls -lZ /tmp/krb* > echo "run klist" > #/usr/bin/strace /usr/kerberos/bin/klist 2>&1 > /usr/kerberos/bin/klist > echo "end run klist" > > #X=`echo ${KRB5CCNAME} | sed -e s,FILE:,,`; > #/bin/cp -f ${X} /tmp/krb5cccache > #echo "cp -f ${X} /tmp/krb5cccache" > > exit 0 > -- > > The curl output is: > REMOTE_USER is admin at XXX.COM > Environment > > AUTH_TYPE=Negotiate > DOCUMENT_ROOT=/var/www/html > GATEWAY_INTERFACE=CGI/1.1 > HTTPS=on > HTTP_ACCEPT=*/* > HTTP_HOST=xxx.xxx.com > HTTP_USER_AGENT=curl/7.17.1 (i686-redhat-linux-gnu) libcurl/7.17.1 NSS/3.11.7.1 zlib/1.2.3 libidn/0.6.14 > KRB5CCNAME=FILE:/tmp/krb5cc_apache_aHfCAu > PATH=/sbin:/usr/sbin:/bin:/usr/bin > PWD=/var/www/cgi-bin > QUERY_STRING= > REMOTE_ADDR=192.168.1.2 > REMOTE_PORT=36386 > REMOTE_USER=admin at XXX.COM > REQUEST_METHOD=GET > REQUEST_URI=/cgi-bin/test.sh > SCRIPT_FILENAME=/var/www/cgi-bin/test.sh > SCRIPT_NAME=/cgi-bin/test.sh > SERVER_ADDR=192.168.1.2 > SERVER_ADMIN=root at localhost > SERVER_NAME=xxx.xxx.com > SERVER_PORT=443 > SERVER_PROTOCOL=HTTP/1.1 > SERVER_SIGNATURE=
Apache/2.2.6 (Fedora) Server at xxx.xxx.com Port 443
> SERVER_SOFTWARE=Apache/2.2.6 (Fedora) > SHLVL=1 > SSL_CIPHER=RC4 > SSL_CIPHER_ALGKEYSIZE=128 > SSL_CIPHER_EXPORT=false > SSL_CIPHER_NAME=SSL_RSA_WITH_RC4_128_MD5 > SSL_CIPHER_USEKEYSIZE=128 > SSL_CLIENT_VERIFY=NONE > SSL_PROTOCOL=TLSv1 > SSL_SERVER_A_KEY=RSA_RSA > SSL_SERVER_A_SIG=MD5-RSA > SSL_SERVER_I_DN=CN=IPA Test Certificate Authority > SSL_SERVER_I_DN_CN=IPA Test Certificate Authority > SSL_SERVER_M_SERIAL=2000 > SSL_SERVER_M_VERSION=3 > SSL_SERVER_S_DN=CN=xxx.xxx.com,OU=Apache Web Server > SSL_SERVER_S_DN_CN=xxx.xxx.com > SSL_SERVER_S_DN_OU=Apache Web Server > SSL_SERVER_V_END=Feb 05 11:30:49 2018 GMT > SSL_SERVER_V_START=Feb 05 11:30:49 2008 GMT > SSL_SESSION_ID=FChmOVV5RlvItfI6JtGOac+kd5sMM1h3B41NqVT4YYU= > SSL_VERSION_INTERFACE=mod_nss/2.2.6 > SSL_VERSION_LIBRARY=NSS/3.11.7.1 > _=/bin/env > /tmp contents > -rw-r--r-- t.sailer Domain Users system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-1.6.3-4.fc9.src.rpm > -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-devel-1.6.2-11.fc8.i386.rpm > -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-libs-1.6.2-11.fc8.i386.rpm > -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-server-1.6.2-11.fc8.i386.rpm > -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-server-ldap-1.6.2-11.fc8.i386.rpm > -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-workstation-1.6.2-11.fc8.i386.rpm > -rw------- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_0 > -rw------- t.sailer Domain Users system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_10000 > -rw------- apache apache system_u:object_r:httpd_tmp_t:s0 /tmp/krb5cc_apache_aHfCAu > run klist > Ticket cache: FILE:/tmp/krb5cc_apache_aHfCAu > Default principal: admin at XXX.COM > > Valid starting Expires Service principal > 02/15/08 14:02:59 02/17/08 13:53:25 krbtgt/XXX.COM at XXX.COM > > > Kerberos 4 ticket cache: /tmp/tkt48 > end run klist > -- > > > The firefox output is: > 
REMOTE_USER is admin at XXX.COM > Environment > > AUTH_TYPE=Negotiate > DOCUMENT_ROOT=/var/www/html > GATEWAY_INTERFACE=CGI/1.1 > HTTPS=on > HTTP_ACCEPT=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 > HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7 > HTTP_ACCEPT_ENCODING=gzip,deflate > HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5 > HTTP_CACHE_CONTROL=max-age=0, max-age=0 > HTTP_CONNECTION=keep-alive > HTTP_COOKIE=session_id=2be4da016d07250e719ab15cae48512e680d52a9; tg-visit=7cd94c486e5746e239fb41f7fef1c7344c4f3e45 > HTTP_HOST=xxx.xxx.com > HTTP_KEEP_ALIVE=300 > HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10 > KRB5CCNAME=FILE:/tmp/krb5cc_apache_oT62R7 > PATH=/sbin:/usr/sbin:/bin:/usr/bin > PWD=/var/www/cgi-bin > QUERY_STRING= > REMOTE_ADDR=192.168.1.2 > REMOTE_PORT=36383 > REMOTE_USER=admin at XXX.COM > REQUEST_METHOD=GET > REQUEST_URI=/cgi-bin/test.sh > SCRIPT_FILENAME=/var/www/cgi-bin/test.sh > SCRIPT_NAME=/cgi-bin/test.sh > SERVER_ADDR=192.168.1.2 > SERVER_ADMIN=root at localhost > SERVER_NAME=xxx.xxx.com > SERVER_PORT=443 > SERVER_PROTOCOL=HTTP/1.1 > SERVER_SIGNATURE=
Apache/2.2.6 (Fedora) Server at xxx.xxx.com Port 443
> SERVER_SOFTWARE=Apache/2.2.6 (Fedora) > SHLVL=1 > SSL_CIPHER=AES-256 > SSL_CIPHER_ALGKEYSIZE=256 > SSL_CIPHER_EXPORT=false > SSL_CIPHER_NAME=TLS_RSA_WITH_AES_256_CBC_SHA > SSL_CIPHER_USEKEYSIZE=256 > SSL_CLIENT_VERIFY=NONE > SSL_PROTOCOL=TLSv1 > SSL_SERVER_A_KEY=RSA_RSA > SSL_SERVER_A_SIG=SHA1-RSA > SSL_SERVER_I_DN=CN=IPA Test Certificate Authority > SSL_SERVER_I_DN_CN=IPA Test Certificate Authority > SSL_SERVER_M_SERIAL=2000 > SSL_SERVER_M_VERSION=3 > SSL_SERVER_S_DN=CN=xxx.xxx.com,OU=Apache Web Server > SSL_SERVER_S_DN_CN=xxx.xxx.com > SSL_SERVER_S_DN_OU=Apache Web Server > SSL_SERVER_V_END=Feb 05 11:30:49 2018 GMT > SSL_SERVER_V_START=Feb 05 11:30:49 2008 GMT > SSL_SESSION_ID=FCWK1o2LsZQBaata5jy0yFlAs8dltfXdurOS7OC5G7A= > SSL_VERSION_INTERFACE=mod_nss/2.2.6 > SSL_VERSION_LIBRARY=NSS/3.11.7.1 > _=/bin/env > /tmp contents > -rw-r--r-- t.sailer Domain Users system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-1.6.3-4.fc9.src.rpm > -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-devel-1.6.2-11.fc8.i386.rpm > -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-libs-1.6.2-11.fc8.i386.rpm > -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-server-1.6.2-11.fc8.i386.rpm > -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-server-ldap-1.6.2-11.fc8.i386.rpm > -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-workstation-1.6.2-11.fc8.i386.rpm > -rw------- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_0 > -rw------- t.sailer Domain Users system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_10000 > run klist > > > Kerberos 4 ticket cache: /tmp/tkt48 > end run klist > -- > > Diff between curl and firefox: 
> @@ -5,15 +5,22 @@ > DOCUMENT_ROOT=/var/www/html > GATEWAY_INTERFACE=CGI/1.1 > HTTPS=on > -HTTP_ACCEPT=*/* > +HTTP_ACCEPT=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 > +HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7 > +HTTP_ACCEPT_ENCODING=gzip,deflate > +HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5 > +HTTP_CACHE_CONTROL=max-age=0, max-age=0 > +HTTP_CONNECTION=keep-alive > +HTTP_COOKIE=session_id=2be4da016d07250e719ab15cae48512e680d52a9; tg-visit=7cd94c486e5746e239fb41f7fef1c7344c4f3e45 > HTTP_HOST=xxx.xxx.com > -HTTP_USER_AGENT=curl/7.17.1 (i686-redhat-linux-gnu) libcurl/7.17.1 NSS/3.11.7.1 zlib/1.2.3 libidn/0.6.14 > -KRB5CCNAME=FILE:/tmp/krb5cc_apache_aHfCAu > +HTTP_KEEP_ALIVE=300 > +HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10 > +KRB5CCNAME=FILE:/tmp/krb5cc_apache_oT62R7 > PATH=/sbin:/usr/sbin:/bin:/usr/bin > PWD=/var/www/cgi-bin > QUERY_STRING= > REMOTE_ADDR=192.168.1.2 > -REMOTE_PORT=36386 > +REMOTE_PORT=36383 > REMOTE_USER=admin at XXX.COM > REQUEST_METHOD=GET > REQUEST_URI=/cgi-bin/test.sh > @@ -27,15 +34,15 @@ > SERVER_SIGNATURE=
Apache/2.2.6 (Fedora) Server at xxx.xxx.com Port 443
> SERVER_SOFTWARE=Apache/2.2.6 (Fedora) > SHLVL=1 > -SSL_CIPHER=RC4 > -SSL_CIPHER_ALGKEYSIZE=128 > +SSL_CIPHER=AES-256 > +SSL_CIPHER_ALGKEYSIZE=256 > SSL_CIPHER_EXPORT=false > -SSL_CIPHER_NAME=SSL_RSA_WITH_RC4_128_MD5 > -SSL_CIPHER_USEKEYSIZE=128 > +SSL_CIPHER_NAME=TLS_RSA_WITH_AES_256_CBC_SHA > +SSL_CIPHER_USEKEYSIZE=256 > SSL_CLIENT_VERIFY=NONE > SSL_PROTOCOL=TLSv1 > SSL_SERVER_A_KEY=RSA_RSA > -SSL_SERVER_A_SIG=MD5-RSA > +SSL_SERVER_A_SIG=SHA1-RSA > SSL_SERVER_I_DN=CN=IPA Test Certificate Authority > SSL_SERVER_I_DN_CN=IPA Test Certificate Authority > SSL_SERVER_M_SERIAL=2000 > @@ -45,7 +52,7 @@ > SSL_SERVER_S_DN_OU=Apache Web Server > SSL_SERVER_V_END=Feb 05 11:30:49 2018 GMT > SSL_SERVER_V_START=Feb 05 11:30:49 2008 GMT > -SSL_SESSION_ID=FChmOVV5RlvItfI6JtGOac+kd5sMM1h3B41NqVT4YYU= > +SSL_SESSION_ID=FCWK1o2LsZQBaata5jy0yFlAs8dltfXdurOS7OC5G7A= > SSL_VERSION_INTERFACE=mod_nss/2.2.6 > SSL_VERSION_LIBRARY=NSS/3.11.7.1 > _=/bin/env 
> @@ -58,13 +65,7 @@ > -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-workstation-1.6.2-11.fc8.i386.rpm > -rw------- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_0 > -rw------- t.sailer Domain Users system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_10000 > --rw------- apache apache system_u:object_r:httpd_tmp_t:s0 /tmp/krb5cc_apache_aHfCAu > run klist > -Ticket cache: FILE:/tmp/krb5cc_apache_aHfCAu > -Default principal: admin at XXX.COM > - > -Valid starting Expires Service principal > -02/15/08 14:02:59 02/17/08 13:53:25 krbtgt/XXX.COM at XXX.COM
>
> No significant difference IMO, except that the krb5 credentials cache
> file just isn't there when the script is called from firefox!
>
> Even strace'ing klist does not show any significant difference, except
> that in the firefox case klist cannot open the krb5 cc file listed in
> the environment.
>
> Tom
>
> On Wed, 2008-02-13 at 14:04 -0800, Rob Crittenden wrote:
>> Thomas Sailer wrote:
>>> On Wed, 2008-02-13 at 12:06 -0800, Rob Crittenden wrote:
>>>> Can you look to see if there are any SELinux denials?
>>> I had selinux in permissive mode, so I don't think selinux is the
>>> culprit here...
>> Does the CGI test program work? (test.py)
>>
>> It is very strange that the cache is there but seems unusable.
>>
>> On a bright note it looks like Firefox is correctly delegating the
>> credentials, so that's something anyhow.
>>
>> Can you try this really simple test. Create a CGI (/var/www/cgi-bin on
>> Fedora) with this:
>>
>> #!/bin/sh
>>
>> echo "Content-Type: text/plain"
>> echo ""
>>
>> /usr/kerberos/bin/klist
>>
>> It should list your ticket and if not, maybe it will give us a better
>> error message to work with.
>>
>> rob

From rcritten at redhat.com Sat Feb 16 01:11:49 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 15 Feb 2008 17:11:49 -0800
Subject: [Freeipa-devel] [PATCH] Verify domain at install time
Message-ID: <47B63855.4050704@redhat.com>

Verify the domain at install time and use that when creating replicas. We don't want to assume it is everything past the first 'dot' in the FQDN. We also want to use the same domain name when creating replicas.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-639-domain.patch
Type: text/x-patch
Size: 13865 bytes
Desc: not available
URL:

From sailer at sailer.dynip.lugs.ch Mon Feb 18 16:27:52 2008
From: sailer at sailer.dynip.lugs.ch (Thomas Sailer)
Date: Mon, 18 Feb 2008 17:27:52 +0100
Subject: [Freeipa-devel] freeipa and samba
In-Reply-To: <47B5C179.3080307@redhat.com>
References: <1202264393.3914.31.camel@unreal.localdomain> <1202329514.8976.124.camel@localhost.localdomain> <1202672789.6603.24.camel@unreal.localdomain> <1202753461.5239.25.camel@localhost.localdomain> <1202820939.4445.42.camel@xbox360.hq.axsem.com> <47B212F4.3010204@redhat.com> <1202915597.4445.83.camel@xbox360.hq.axsem.com> <47B34DB2.8060407@redhat.com> <1202934330.6603.36.camel@unreal.localdomain> <47B3698A.2050008@redhat.com> <1203081205.4445.109.camel@xbox360.hq.axsem.com> <47B5C179.3080307@redhat.com>
Message-ID: <1203352072.4445.125.camel@xbox360.hq.axsem.com>

On Fri, 2008-02-15 at 08:44 -0800, Rob Crittenden wrote:
> Did you restart httpd after loading the new krb5 rpms? I've seen one

Now I feel embarrassed. It works now. I restarted just about everything including the kdc, but apparently forgot the obvious...

Thanks for pointing this out!

Tom

From rcritten at redhat.com Mon Feb 18 16:46:23 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 18 Feb 2008 11:46:23 -0500
Subject: [Freeipa-devel] freeipa and samba
In-Reply-To: <1203352072.4445.125.camel@xbox360.hq.axsem.com>
References: <1202264393.3914.31.camel@unreal.localdomain> <1202329514.8976.124.camel@localhost.localdomain> <1202672789.6603.24.camel@unreal.localdomain> <1202753461.5239.25.camel@localhost.localdomain> <1202820939.4445.42.camel@xbox360.hq.axsem.com> <47B212F4.3010204@redhat.com> <1202915597.4445.83.camel@xbox360.hq.axsem.com> <47B34DB2.8060407@redhat.com> <1202934330.6603.36.camel@unreal.localdomain> <47B3698A.2050008@redhat.com> <1203081205.4445.109.camel@xbox360.hq.axsem.com> <47B5C179.3080307@redhat.com> <1203352072.4445.125.camel@xbox360.hq.axsem.com>
Message-ID: <47B9B65F.6060300@redhat.com>

Thomas Sailer wrote:
> On Fri, 2008-02-15 at 08:44 -0800, Rob Crittenden wrote:
>> Did you restart httpd after loading the new krb5 rpms? I've seen one
>
> Now I feel embarrassed. It works now. I restarted just about everything
> including the kdc, but apparently forgot the obvious...
>
> Thanks for pointing this out!
>

Glad it's working. Thank you for your patience. I'm going to review this thread and see if I can come up with a workable debugging process (and I'm glad you figured out how to use the little test programs I included).

I just built new Fedora RPMs this morning that have minimum requirements for krb5-server which should help a lot. I still need to push these around to various places (freeipa.org for one). Hopefully will have this done by the end of today.

Note that I'm probably going to leave F-7 and F-8 in the testing repo for now since this build is more or less a daily build. There are still a number of bugs in it.

rob

From rcritten at redhat.com Mon Feb 18 20:18:43 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 18 Feb 2008 15:18:43 -0500
Subject: [Freeipa-devel] [PATCH] Don't replicate memberof
Message-ID: <47B9E823.8050105@redhat.com>

We don't want to replicate the memberof attribute. It will get re-created automatically on each replica.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-671-memberof.patch
Type: text/x-patch
Size: 905 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Feb 18 21:02:17 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 18 Feb 2008 16:02:17 -0500
Subject: [Freeipa-devel] [PATCH] Handle a ^C gracefully while getting the new password
Message-ID: <47B9F259.40709@redhat.com>

If one was using ipa-passwd to change a password and hit ctrl-C to break out it would throw a python error. Catch that so it works nicer.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-672-password.patch
Type: text/x-patch
Size: 1776 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Feb 18 21:46:45 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 18 Feb 2008 16:46:45 -0500
Subject: [Freeipa-devel] objectclass updated by user
Message-ID: <47B9FCC5.7020704@redhat.com>

We let the IPA admin determine which objectclasses should appear in an entry by default and when a user is updated or added these are synced.

There is a problem with self-service though. If this list has changed and the user needs to add the new objectclass(es) it will fail because currently they don't have write access to this attribute of their record.

So what do we want to do? Not update OC on self-service or grant write access to this attribute? The former is slightly more work than the former but still in the doable range.

rob

From rcritten at redhat.com Mon Feb 18 22:46:11 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 18 Feb 2008 17:46:11 -0500
Subject: [Freeipa-devel] [PATCH] Use proper access method in ipapolicy subcontroller
Message-ID: <47BA0AB3.8030905@redhat.com>

I wasn't using a method compatible with lists/dicts in the policy subcontroller which made it look as if the policy was always changing. So if you didn't actually make a change you got back 'no modifications to perform'. This caused the password policy to never fire off at all, basically inactivating that section.

So use the Entity.getValues() instead so we get everything.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-673-method.patch
Type: text/x-patch
Size: 6456 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Feb 19 03:42:29 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 18 Feb 2008 22:42:29 -0500
Subject: [Freeipa-devel] [PATCH] Don't let users delete themselves in UI
Message-ID: <47BA5025.7080906@redhat.com>

Don't show the Delete button for non-editors and admins and don't let a user delete themselves.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-674-delete.patch
Type: text/x-patch
Size: 1634 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Feb 19 15:22:02 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 Feb 2008 10:22:02 -0500
Subject: [Freeipa-devel] [PATCH] add error handling to ipa-replica-install
Message-ID: <47BAF41A.7030000@redhat.com>

Add some error handling for LDAP connection issues (like the remote server is down or the local instance failed to start). Also verify the DM password earlier in the process. Previously this would happen AFTER the local DS has already been installed.

I also added a try/except around the password entry so a ctrl-C will gracefully break out.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-675-replica.patch
Type: text/x-patch
Size: 4516 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Feb 19 15:49:43 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 Feb 2008 10:49:43 -0500
Subject: [Freeipa-devel] [PATCH] warn if installing replica on wrong host
Message-ID: <47BAFA97.9060904@redhat.com>

We embed the target hostname in the filename that ipa-replica-prepare creates. Use this in ipa-replica-install to see if the wrong replica file is being used on a given host. It will just warn and let the user continue if they do not match. It could be a multi-homed machine, for example.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-676-warn.patch
Type: text/x-patch
Size: 1212 bytes
Desc: not available
URL:

From rmeggins at redhat.com Tue Feb 19 17:03:27 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 19 Feb 2008 10:03:27 -0700
Subject: [Freeipa-devel] [Fwd: OT: PyKerberos]
Message-ID: <47BB0BDF.3000300@redhat.com>

-------------- next part --------------
An embedded message was scrubbed...
From: Torsten Kurbad
Subject: OT: PyKerberos
Date: Mon, 18 Feb 2008 14:56:03 +0100
Size: 5853
URL:

From ssorce at redhat.com Tue Feb 19 21:01:16 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 19 Feb 2008 16:01:16 -0500
Subject: [Freeipa-devel] [Patch] Run client install script in server install script
Message-ID: <47BB439C.4060505@redhat.com>

A non-text attachment was scrubbed...
Name: freeipa-644-srv-cli-install.patch
Type: text/x-patch
Size: 9312 bytes
Desc: not available
URL:

From ssorce at redhat.com Tue Feb 19 21:01:55 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 19 Feb 2008 16:01:55 -0500
Subject: [Freeipa-devel] [PATCH] Do not ignore parms in client install script
Message-ID: <47BB43C3.2000009@redhat.com>

A non-text attachment was scrubbed...
Name: freeipa-645-params-ignored.patch
Type: text/x-patch
Size: 2187 bytes
Desc: not available
URL:

From ssorce at redhat.com Tue Feb 19 21:03:12 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 19 Feb 2008 16:03:12 -0500
Subject: [Freeipa-devel] [PATCH] start ntpd and synchronize the date first
Message-ID: <47BB4410.2070108@redhat.com>

This is to avoid nasty problems with certificates, LDAP entries creation dates, password expiration dates, account expiration dates, and in short, any dates :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-646-ntp-first.patch
Type: text/x-patch
Size: 5774 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Feb 19 21:45:21 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 Feb 2008 16:45:21 -0500
Subject: [Freeipa-devel] [PATCH] updated CSS
Message-ID: <47BB4DF1.1060001@redhat.com>

Máirín Duffy sent me an updated version of our CSS that is broken out to be more manageable. She also added some per-object images so we can have little icon thingers representing users, groups, etc.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-679-css.patch
Type: text/x-patch
Size: 33484 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Feb 19 22:07:36 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 Feb 2008 17:07:36 -0500
Subject: [Freeipa-devel] [Patch] Run client install script in server install script
In-Reply-To: <47BB439C.4060505@redhat.com>
References: <47BB439C.4060505@redhat.com>
Message-ID: <47BB5328.1000408@redhat.com>

Simo Sorce wrote:
>

This is going to badly conflict with a patch I submitted last week: [PATCH] Verify domain at install time

It will conflict both in code and in purpose, particularly in the replication pieces. I already have the replicas set up to use the domain name from the master.

I think we need to test the server with the client bits installed during bootup to be sure that anything that uses nss_ldap starts after the DS otherwise things will hang.

I think that "nss_ldap seem not able to use DNS disccovery!" should be "nss_ldap is not able to use DNS discovery."

Also, we should have a more user-friendly error message than "Error configuring the client side bits!"

rob

From rcritten at redhat.com Wed Feb 20 03:16:44 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 Feb 2008 22:16:44 -0500
Subject: [Freeipa-devel] [PATCH] better user input handling in ipa-find[user|group]
Message-ID: <47BB9B9C.6040502@redhat.com>

The top of the range wasn't being handled properly nor was KeyboardInterrupt being caught, resulting in a backtrace on error. This should tighten things up.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-680-input.patch
Type: text/x-patch
Size: 3446 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Feb 20 03:19:24 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 Feb 2008 22:19:24 -0500
Subject: [Freeipa-devel] [PATCH] Do not ignore parms in client install script
In-Reply-To: <47BB43C3.2000009@redhat.com>
References: <47BB43C3.2000009@redhat.com>
Message-ID: <47BB9C3C.5080407@redhat.com>

Simo Sorce wrote:
>

Generally looks ok but do we want to prompt the user to continue if the realm doesn't match or just fail? If we provide flexibility do we allow them to hose things up?

rob

From rcritten at redhat.com Wed Feb 20 03:22:41 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 Feb 2008 22:22:41 -0500
Subject: [Freeipa-devel] [PATCH] start ntpd and synchronize the date first
In-Reply-To: <47BB4410.2070108@redhat.com>
References: <47BB4410.2070108@redhat.com>
Message-ID: <47BB9D01.7070905@redhat.com>

Simo Sorce wrote:
> This is to avoid nasty problems with certificates, LDAP entries creation
> dates, password expiration dates, account expiration dates, and in
> short, any dates :)
>

Did you forget to include ntpd.sysconfig.template?

And a minor nit, you misspelled Configure in:

+ # Cponfigure apache

rob

From rcritten at redhat.com Wed Feb 20 05:07:05 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Feb 2008 00:07:05 -0500
Subject: [Freeipa-devel] [PATCH] SELinux policies for ipa_kpasswd and ipa_webgui
In-Reply-To: <47AC7F6B.5010403@redhat.com>
References: <47AC7F6B.5010403@redhat.com>
Message-ID: <47BBB579.6010204@redhat.com>

Rob Crittenden wrote:
> This patch was originally done by Karl MacMillan. I just updated it to
> the current state of the world. Many thanks to Dan Walsh for assisting
> in fixing some issues.
>
> It adds an SELinux policy for ipa_kpasswd and ipa_webgui so we don't
> have to run them unconfined.
>
> rob

pushed

From rcritten at redhat.com Wed Feb 20 05:07:24 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Feb 2008 00:07:24 -0500
Subject: [Freeipa-devel] resend: internationalization of kid templates
In-Reply-To: <1202714488.4464.19.camel@freeipa.example.com>
References: <1199353118.4420.17.camel@freeipa.example.com> <479F6391.3060102@redhat.com> <1201744037.4036.7.camel@freeipa.example.com> <47A228BD.7030603@redhat.com> <1201880004.4569.23.camel@localhost.localdomain> <47ABCB29.5020904@redhat.com> <1202714488.4464.19.camel@freeipa.example.com>
Message-ID: <47BBB58C.1070309@redhat.com>

Masato Taruishi wrote:
>> I imported the patch into a fresh tree and resolved a few merge issues,
>> added some text and the tg-admin patch.
>
> Thanks!
>
>> This looks fine to me but wanted to run it past everyone one last time
>> to make sure I didn't screw something up.
>>
>> Do we want to have i18n on by default or let admins turn it on as desired?
>>
>> Is there a downside to having it on by default?
>
> IMHO, having i18n on is a good choice for modern applications.
> Having i18n on adds one filter which calls gettext which may influence
> its performance, but I guess you aren't afraid of the overhead because
> its downside would be very limited.
>
> Thanks

I pushed the patch

rob

From pbatkowski at gmail.com Wed Feb 20 11:43:40 2008
From: pbatkowski at gmail.com (Paul Batkowski)
Date: Wed, 20 Feb 2008 06:43:40 -0500
Subject: [Freeipa-devel] [PATCH] start ntpd and synchronize the date first
In-Reply-To: <47BB4410.2070108@redhat.com>
References: <47BB4410.2070108@redhat.com>
Message-ID: <7d9a0cb40802200343t4127a4d8h60affa778e587aa9@mail.gmail.com>

On Tue, Feb 19, 2008 at 4:03 PM, Simo Sorce wrote:
> This is to avoid nasty problems with certificates, LDAP entries creation
> dates, password expiration dates, account expiration dates, and in
> short, any dates :)
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>

Maybe there should also be a check whether this is a virtualized guest or not before running ntpd? For example, if you are running freeipa inside of a para-virtualized guest on Xen, it doesn't make sense to run ntpd inside the domU

--
Paul Batkowski (pbat)
GPG Public Key ID: 0xE9A6AF81

From ssorce at redhat.com Wed Feb 20 13:40:02 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 20 Feb 2008 08:40:02 -0500
Subject: [Freeipa-devel] [PATCH] start ntpd and synchronize the date first
In-Reply-To: <47BB9D01.7070905@redhat.com>
References: <47BB4410.2070108@redhat.com> <47BB9D01.7070905@redhat.com>
Message-ID: <1203514802.679.61.camel@localhost.localdomain>

On Tue, 2008-02-19 at 22:22 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > This is to avoid nasty problems with certificates, LDAP entries creation
> > dates, password expiration dates, account expiration dates, and in
> > short, any dates :)
> >
>
> Did you forget to include ntpd.sysconfig.template?

Ouch yes.

> And a minor nit, you misspelled Configure in:
>
> + # Cponfigure apache

Ok will rebase to latest pushes and re-send patches.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Feb 20 13:41:44 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 20 Feb 2008 08:41:44 -0500
Subject: [Freeipa-devel] [PATCH] start ntpd and synchronize the date first
In-Reply-To: <7d9a0cb40802200343t4127a4d8h60affa778e587aa9@mail.gmail.com>
References: <47BB4410.2070108@redhat.com> <7d9a0cb40802200343t4127a4d8h60affa778e587aa9@mail.gmail.com>
Message-ID: <1203514904.679.63.camel@localhost.localdomain>

On Wed, 2008-02-20 at 06:43 -0500, Paul Batkowski wrote:
> On Tue, Feb 19, 2008 at 4:03 PM, Simo Sorce wrote:
> > This is to avoid nasty problems with certificates, LDAP entries creation
> > dates, password expiration dates, account expiration dates, and in
> > short, any dates :)
>
> Maybe there should also be a check whether this is a virtualized guest
> or not before running ntpd? For example, if you are running freeipa
> inside of a para-virtualized guest on Xen, it doesn't make sense to
> run ntpd inside the domU

There is option -N in that case. Admin responsibility IMO.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Feb 20 13:43:55 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 20 Feb 2008 08:43:55 -0500
Subject: [Freeipa-devel] [Patch] Run client install script in server install script
In-Reply-To: <47BB5328.1000408@redhat.com>
References: <47BB439C.4060505@redhat.com> <47BB5328.1000408@redhat.com>
Message-ID: <1203515035.679.66.camel@localhost.localdomain>

On Tue, 2008-02-19 at 17:07 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> >
>
> This is going to badly conflict with a patch I submitted last week:
> [PATCH] Verify domain at install time
>
> It will conflict both in code and in purpose, particularly in the
> replication pieces. I already have the replicas set up to use the domain
> name from the master.

Can you push your patch? I'll rebase my tree and make a new one.

> I think we need to test the server with the client bits installed during
> bootup to be sure that anything that uses nss_ldap starts after the DS
> otherwise things will hang.

I've done this already, the current initd startup levels should be fine.

> I think that "nss_ldap seem not able to use DNS disccovery!" should be
> "nss_ldap is not able to use DNS discovery."

ok.

> Also, we should have a more user-friendly error message than "Error
> configuring the client side bits!"

:-)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Feb 20 13:45:43 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 20 Feb 2008 08:45:43 -0500
Subject: [Freeipa-devel] [PATCH] better user input handling in ipa-find[user|group]
In-Reply-To: <47BB9B9C.6040502@redhat.com>
References: <47BB9B9C.6040502@redhat.com>
Message-ID: <1203515143.679.68.camel@localhost.localdomain>

On Tue, 2008-02-19 at 22:16 -0500, Rob Crittenden wrote:
> The top of the range wasn't being handled properly nor was
> KeyboardInterrupt being caught, resulting in a backtrace on error. This
> should tighten things up.

Shouldn't we return an error on kbd interrupt? Actually I see you return 0.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Feb 20 13:46:25 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 20 Feb 2008 08:46:25 -0500
Subject: [Freeipa-devel] [PATCH] updated CSS
In-Reply-To: <47BB4DF1.1060001@redhat.com>
References: <47BB4DF1.1060001@redhat.com>
Message-ID: <1203515185.679.70.camel@localhost.localdomain>

On Tue, 2008-02-19 at 16:45 -0500, Rob Crittenden wrote:
> Máirín Duffy sent me an updated version of our CSS that is broken out to
> be more manageable. She also added some per-object images so we can have
> little icon thingers representing users, groups, etc.

Ack

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Feb 20 13:46:43 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 20 Feb 2008 08:46:43 -0500
Subject: [Freeipa-devel] [PATCH] Don't replicate memberof
In-Reply-To: <47B9E823.8050105@redhat.com>
References: <47B9E823.8050105@redhat.com>
Message-ID: <1203515203.679.72.camel@localhost.localdomain>

On Mon, 2008-02-18 at 15:18 -0500, Rob Crittenden wrote:
> We don't want to replicate the memberof attribute. It will get
> re-created automatically on each replica.

ack

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Feb 20 13:47:42 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 20 Feb 2008 08:47:42 -0500
Subject: [Freeipa-devel] [PATCH] Handle a ^C gracefully while getting the new password
In-Reply-To: <47B9F259.40709@redhat.com>
References: <47B9F259.40709@redhat.com>
Message-ID: <1203515262.679.74.camel@localhost.localdomain>

On Mon, 2008-02-18 at 16:02 -0500, Rob Crittenden wrote:
> If one was using ipa-passwd to change a password and hit ctrl-C to break
> out it would throw a python error. Catch that so it works nicer.

ack, but shouldn't we return an error instead of 0?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Feb 20 13:48:07 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 20 Feb 2008 08:48:07 -0500
Subject: [Freeipa-devel] [PATCH] Use proper access method in ipapolicy subcontroller
In-Reply-To: <47BA0AB3.8030905@redhat.com>
References: <47BA0AB3.8030905@redhat.com>
Message-ID: <1203515287.679.76.camel@localhost.localdomain>

On Mon, 2008-02-18 at 17:46 -0500, Rob Crittenden wrote:
> I wasn't using a method compatible with lists/dicts in the policy
> subcontroller which made it look as if the policy was always changing.
> So if you didn't actually make a change you got back 'no modifications
> to perform'. This caused the password policy to never fire off at all,
> basically inactivating that section.
>
> So use the Entity.getValues() instead so we get everything.

ack

--
Simo Sorce * Red Hat, Inc * New York

From jdennis at redhat.com Wed Feb 20 14:01:03 2008
From: jdennis at redhat.com (John Dennis)
Date: Wed, 20 Feb 2008 09:01:03 -0500
Subject: [Freeipa-devel] Python i18n (was: IPA patches pushed)
In-Reply-To: <47BBBAAA.9080706@redhat.com>
References: <47BBBAAA.9080706@redhat.com>
Message-ID: <47BC329F.4030104@redhat.com>

Rob Crittenden wrote:
> I pushed a fairly large i18n patch this evening. It includes a Japanese
> locale so if you set your browser up properly you should be able to see
> Japanese characters in the UI. We haven't done any i18n work for the
> command-line yet.

I haven't had a chance to look at how the i18n handling is being done in our Python code yet, but I've learned the hard way it's not as obvious as one might think. I spent a while tracing through all the logic in various components to fix some i18n bugs and came up with some notes and a conclusion as to the optimal way to do i18n in python and the rationale for why. So I thought I would share it.

The key item to note here is in our python installations it is not possible for a python program to reset the default encoding from ascii to utf-8 (I don't know why this is prohibited). Also, when I say 'output a string' what I mean is when CPython passes a string to another C library or via IO writes. It's the other C library which is of particular importance.

# i18n (internationalization) Handling
#
# Python has two builtin types which can contain strings, 'str' which
# is a conventional byte sequence where each byte contains a character
# and 'unicode' which depending on how python was compiled is
# implemented using wide characters using 2 or 4 bytes per character
# (UCS-2, UCS-4 respectively). The Red Hat builds use UCS-4 for
# unicode.
#
# There are two fundamental ways an i18n string can enter a python
# application, either hardcoded via the 'u' unicode type coercion
# (e.g. u'some i18n string') or most commonly by looking up an i18n
# string in a translation catalog via the gettext package using the
# _() method (e.g. _('some i18n string')).
#
# This application also utilizes many other packages to which i18n
# strings must be passed, by convention most packages accept i18n
# strings in the UTF-8 encoding. UTF-8 is byte orientated, representing
# a character as a single byte if possible and optionally expanding to
# a multi-byte sequence if necessary, thus ascii and UTF-8 are
# byte identical.
#
# When python outputs a unicode string it will attempt to convert it
# to the default encoding set in site.py. It is not possible for a
# python application to set the default encoding, this is
# prohibited. In many python implementations the default encoding is
# set to ascii :-( Thus when python attempts to output a unicode
# string (UCS-2 or UCS-4) it will try to apply the default encoding
# to it (typically ascii) and the translation will fail because many
# wide UCS code points (characters) lie outside the ascii numeric
# range.
#
# Because the external packages we 'link' with expect UTF-8 we need to
# assure strings we output to them are encoded in UTF-8. There are two
# ways to accomplish this:
#
# 1) set the default encoding to UTF-8 and internally use unicode
# strings.
#
# 2) internally use UTF-8, not unicode. Thus all i18n strings will be
# conventional byte orientated 'str' objects, not wide unicode
# (UCS). Python will happily pass these UTF-8 strings around as plain
# strings and because they are plain strings will not attempt to apply
# encoding translations to them, thus on output an i18n string encoded
# in UTF-8 remains UTF-8. The downside is len() no longer returns the
# correct number of characters (if there are multibyte characters in the
# string) and it's difficult to apply basic string operations
# (e.g. concatenation). However, it's not common to need to perform
# such string operations on i18n strings originating from an i18n
# translation catalog.
#
# Our adopted solution is 2. We eschew use of unicode strings, all
# strings are represented as 'str', not unicode, and are encoded in
# UTF-8. We instruct gettext to not return translations via _() in
# unicode, but rather in UTF-8 by specifying the gettext codeset to be
# UTF-8. This also means any i18n strings which are not obtained by
# _() translation catalog lookup must use str.encode('utf-8').
#
# WARNING: It is vital that gettext.install() be called as soon as
# possible in the import loading sequence as other loaded modules may
# call _() to obtain an i18n translation from the catalog.

Example for a program, this installs the _() method in the global namespace:

    gettext.install(domain = get_config('general', 'i18n_text_domain'),
                    localedir = get_config('general', 'i18n_locale_dir'),
                    unicode = False,
                    codeset = 'utf-8')

Example for a module (note fallback setting), this sets _() locally within the module:

    import gettext
    _ = gettext.translation(get_config('general', 'i18n_text_domain'),
                            get_config('general', 'i18n_locale_dir'),
                            fallback=True).lgettext

--
John Dennis

From rcritten at redhat.com Wed Feb 20 14:12:44 2008
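An added example, not from the mail or the FreeIPA code, that models the two strategies above in Python 3, where the mail's 'unicode' and 'str' types correspond to 'str' and 'bytes'. The ASCII site default and the C-library boundary are simulated by a small function, and the gettext domain and locale directory are constructed placeholders.

```python
import gettext

# Stand-in for the site.py default encoding the mail complains about (constructed).
DEFAULT_ENCODING = "ascii"


def hand_to_c_library(value, default_encoding=DEFAULT_ENCODING):
    """Simulated boundary where CPython hands a string to a C library or IO write.

    Text (Python 2 'unicode', Python 3 'str') has the default encoding applied;
    byte strings (Python 2 'str', Python 3 'bytes') pass through untouched.
    """
    if isinstance(value, bytes):
        return value
    return value.encode(default_encoding)   # UnicodeEncodeError outside the default's range


def try_output(value, default_encoding=DEFAULT_ENCODING):
    """Return (ok, result): the bytes handed over, or the error text on failure."""
    try:
        return True, hand_to_c_library(value, default_encoding)
    except UnicodeEncodeError as exc:
        return False, str(exc)


def strategy_1_unicode_internal(text, default_encoding=DEFAULT_ENCODING):
    """Strategy 1: keep wide text internally and rely on the default encoding at
    the boundary. Only works when that default is UTF-8, which the mail says a
    program cannot arrange for itself."""
    return hand_to_c_library(text, default_encoding)


def strategy_2_utf8_internal(text):
    """Strategy 2 (the adopted one): encode to UTF-8 when the string enters the
    program, so the boundary sees plain bytes and never re-encodes them."""
    return hand_to_c_library(text.encode("utf-8"))


def char_len(utf8_bytes):
    """The downside of strategy 2: len() counts bytes, so decode to count characters."""
    return len(utf8_bytes.decode("utf-8"))


def make_translator(domain="freeipa", localedir="/nonexistent/locale"):
    """Module-level _() in the style of the mail's second example (fallback=True).

    domain and localedir are placeholders; with no catalog present,
    NullTranslations returns the msgid unchanged. Python 3's gettext has no
    codeset argument or lgettext, so the UTF-8 encoding is applied here
    explicitly to produce the bytes that codeset='utf-8' produced in Python 2.
    """
    translation = gettext.translation(domain, localedir, fallback=True)
    return lambda msgid: translation.gettext(msgid).encode("utf-8")


if __name__ == "__main__":
    sample = "\u65e5\u672c\u8a9e"      # constructed Japanese sample, 3 characters
    print(try_output(sample))          # strategy 1 under an ASCII default: fails
    as_utf8 = strategy_2_utf8_internal(sample)
    print(try_output(as_utf8))         # strategy 2: the 9 UTF-8 bytes pass through
    print(len(as_utf8), char_len(as_utf8))
    _ = make_translator()
    print(_("Users"))
```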
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Feb 2008 09:12:44 -0500
Subject: [Freeipa-devel] [PATCH] Handle a ^C gracefully while getting the new password
In-Reply-To: <1203515262.679.74.camel@localhost.localdomain>
References: <47B9F259.40709@redhat.com> <1203515262.679.74.camel@localhost.localdomain>
Message-ID: <47BC355C.2040301@redhat.com>

Simo Sorce wrote:
> On Mon, 2008-02-18 at 16:02 -0500, Rob Crittenden wrote:
>> If one was to use ipa-passwd to change a password and hit ctrl-C to break
>> out it would throw a python error. Catch that so it works nicer.
>
> ack, but shouldn't we return an error instead of 0 ?
>
> Simo.
>

Yes, I think you are right. kpasswd returns 1 in that case. I'll fix that up when I push it.

rob

From kwirth at redhat.com Wed Feb 20 14:49:15 2008
From: kwirth at redhat.com (Karl Wirth)
Date: Wed, 20 Feb 2008 09:49:15 -0500
Subject: [Freeipa-devel] Update on freeIPA progress
Message-ID: <47BC3DEB.1050805@redhat.com>

Hello,

It's been a few months since we've sent out an update to the freeIPA-interest list. We have made a lot of progress. Here are some updates and some ways you can participate:

- /Test version 0.99./ Thanks especially to Simo Sorce and Rob Crittenden, we are now at version 0.99. We would love for you to test it. http://www.freeipa.org/page/Downloads

- /Distros./ freeIPA was accepted into Fedora and other projects there are looking to leverage it. Any of you with connections to other distros interested in helping freeIPA get picked up?

- /Interest./ Interest in freeIPA is strong generally and our community has grown substantially. It seems like there are a lot of us who are looking to enhance the management of identity, policy, and audit in the Linux and Unix world.

- /Docs./ Thanks to David O'Brien, we've made a big step forward in documentation. http://www.freeipa.org/page/Documentation

- /Planning./ We are well into planning for the next major freeIPA versions. Requirements docs are already posted here: http://www.freeipa.org/page/Roadmap. As we advance the designs and plans via discussion on freeIPA-devel we will post them on freeIPA.org. Feedback welcome!

- /Help code./ As always, we would love your help and contributions to the project.

Regards,
Karl

From rcritten at redhat.com Wed Feb 20 15:09:43 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Feb 2008 10:09:43 -0500
Subject: [Freeipa-devel] [PATCH] better user input handling in ipa-find[user|group]
In-Reply-To: <1203515143.679.68.camel@localhost.localdomain>
References: <47BB9B9C.6040502@redhat.com> <1203515143.679.68.camel@localhost.localdomain>
Message-ID: <47BC42B7.9080308@redhat.com>

Simo Sorce wrote:
> On Tue, 2008-02-19 at 22:16 -0500, Rob Crittenden wrote:
>> The top of the range wasn't being handled properly nor was
>> KeyboardInterrupt being caught, resulting in a backtrace on error. This
>> should tighten things up.
>
> Shouldn't we return an error on kbd interrupt ?
> Actually, I see you return 0.
>
> Simo.
>

Fixed to return 1 and pushed.

rob

From rcritten at redhat.com Wed Feb 20 15:09:59 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Feb 2008 10:09:59 -0500
Subject: [Freeipa-devel] [PATCH] updated CSS
In-Reply-To: <1203515185.679.70.camel@localhost.localdomain>
References: <47BB4DF1.1060001@redhat.com> <1203515185.679.70.camel@localhost.localdomain>
Message-ID: <47BC42C7.7080606@redhat.com>

Simo Sorce wrote:
> On Tue, 2008-02-19 at 16:45 -0500, Rob Crittenden wrote:
>> Máirín Duffy sent me an updated version of our CSS that is broken out to
>> be more manageable. She also added some per-object images so we can have
>> little icon thingers representing users, groups, etc.
>
>
> Ack
>

Pushed.

rob

From rcritten at redhat.com Wed Feb 20 15:10:05 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Feb 2008 10:10:05 -0500
Subject: [Freeipa-devel] [PATCH] Don't replicate memberof
In-Reply-To: <1203515203.679.72.camel@localhost.localdomain>
References: <47B9E823.8050105@redhat.com> <1203515203.679.72.camel@localhost.localdomain>
Message-ID: <47BC42CD.9000607@redhat.com>

Simo Sorce wrote:
> On Mon, 2008-02-18 at 15:18 -0500, Rob Crittenden wrote:
>> We don't want to replicate the memberof attribute. It will get
>> re-created automatically on each replica.
>
> ack
>

pushed

From rcritten at redhat.com Wed Feb 20 15:10:16 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Feb 2008 10:10:16 -0500
Subject: [Freeipa-devel] [PATCH] Handle a ^C gracefully while getting the new password
In-Reply-To: <1203515262.679.74.camel@localhost.localdomain>
References: <47B9F259.40709@redhat.com> <1203515262.679.74.camel@localhost.localdomain>
Message-ID: <47BC42D8.3080404@redhat.com>

Simo Sorce wrote:
> On Mon, 2008-02-18 at 16:02 -0500, Rob Crittenden wrote:
>> If one was to use ipa-passwd to change a password and hit ctrl-C to break
>> out it would throw a python error. Catch that so it works nicer.
>
> ack, but shouldn't we return an error instead of 0 ?
>
> Simo.
>

Pushed after fixing it to return 1 instead of 0.

From rcritten at redhat.com Wed Feb 20 15:10:23 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Feb 2008 10:10:23 -0500
Subject: [Freeipa-devel] [PATCH] Use proper access method in ipapolicy subcontroller
In-Reply-To: <1203515287.679.76.camel@localhost.localdomain>
References: <47BA0AB3.8030905@redhat.com> <1203515287.679.76.camel@localhost.localdomain>
Message-ID: <47BC42DF.80200@redhat.com>

Simo Sorce wrote:
> On Mon, 2008-02-18 at 17:46 -0500, Rob Crittenden wrote:
>> I wasn't using a method compatible with lists/dicts in the policy
>> subcontroller which made it look as if the policy was always changing.
>> So if you didn't actually make a change you got back 'no modifications
>> to perform'. This caused the password policy to never fire off at all,
>> basically inactivating that section.
>>
>> So use the Entity.getValues() instead so we get everything.
>
> ack
>

pushed

From ssorce at redhat.com Wed Feb 20 15:56:43 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 20 Feb 2008 10:56:43 -0500
Subject: [Freeipa-devel] [PATCH] Don't let user's delete themselves in UI
In-Reply-To: <47BA5025.7080906@redhat.com>
References: <47BA5025.7080906@redhat.com>
Message-ID: <1203523003.679.86.camel@localhost.localdomain>

On Mon, 2008-02-18 at 22:42 -0500, Rob Crittenden wrote:
> Don't show the Delete button for non-editors and admins and don't let a
> user delete themselves.

ack

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Feb 20 16:18:07 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 20 Feb 2008 11:18:07 -0500
Subject: [Freeipa-devel] [PATCH] Do not ignore parms in client install script
In-Reply-To: <47BB9C3C.5080407@redhat.com>
References: <47BB43C3.2000009@redhat.com> <47BB9C3C.5080407@redhat.com>
Message-ID: <1203524287.679.89.camel@localhost.localdomain>

On Tue, 2008-02-19 at 22:19 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> >
> > ------------------------------------------------------------------------
>
> Generally looks ok but do we want to prompt the user to continue if the
> realm doesn't match or just fail? If we provide flexibility do we allow
> them to hose things up?

I think we should fail, as the server the user is pointing to does not host the requested REALM. Any Kerberos request would simply fail.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Feb 20 16:16:26 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 20 Feb 2008 11:16:26 -0500
Subject: [Freeipa-devel] [PATCH] Server install call client install
Message-ID: <47BC525A.5010907@redhat.com>

Patch corrected as requested.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-655-srv-cli-install.patch
Type: text/x-patch
Size: 6833 bytes
Desc: not available
URL:

From ssorce at redhat.com Wed Feb 20 16:17:09 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 20 Feb 2008 11:17:09 -0500
Subject: [Freeipa-devel] [PATCH] Start ntp first
Message-ID: <47BC5285.9020005@redhat.com>

Patch corrected and also make sure we support -N in replica.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-656-ntp-first.patch
Type: text/x-patch
Size: 7148 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Feb 20 16:52:01 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Feb 2008 11:52:01 -0500
Subject: [Freeipa-devel] [PATCH] Server install call client install
In-Reply-To: <47BC525A.5010907@redhat.com>
References: <47BC525A.5010907@redhat.com>
Message-ID: <47BC5AB1.2070906@redhat.com>

Simo Sorce wrote:
> Patch corrected as requested.
>
>

ack

From rcritten at redhat.com Wed Feb 20 16:53:22 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Feb 2008 11:53:22 -0500
Subject: [Freeipa-devel] [PATCH] Start ntp first
In-Reply-To: <47BC5285.9020005@redhat.com>
References: <47BC5285.9020005@redhat.com>
Message-ID: <47BC5B02.20907@redhat.com>

Simo Sorce wrote:
> Patch corrected and also make sure we support -N in replica.
>
>

ack

From rcritten at redhat.com Wed Feb 20 16:55:37 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Feb 2008 11:55:37 -0500
Subject: [Freeipa-devel] [PATCH] Do not ignore parms in client install script
In-Reply-To: <1203524287.679.89.camel@localhost.localdomain>
References: <47BB43C3.2000009@redhat.com> <47BB9C3C.5080407@redhat.com> <1203524287.679.89.camel@localhost.localdomain>
Message-ID: <47BC5B89.9010306@redhat.com>

Simo Sorce wrote:
> On Tue, 2008-02-19 at 22:19 -0500, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> ------------------------------------------------------------------------
>> Generally looks ok but do we want to prompt the user to continue if the
>> realm doesn't match or just fail? If we provide flexibility do we allow
>> them to hose things up?
>
> I think we should fail, as the server the user is pointing to does not
> host the requested REALM. Any Kerberos request would simply fail.
>
> Simo.
>

Ok.

rob

From ssorce at redhat.com Wed Feb 20 17:15:09 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 20 Feb 2008 12:15:09 -0500
Subject: [Freeipa-devel] [PATCH] Server install call client install
In-Reply-To: <47BC5AB1.2070906@redhat.com>
References: <47BC525A.5010907@redhat.com> <47BC5AB1.2070906@redhat.com>
Message-ID: <1203527709.679.90.camel@localhost.localdomain>

On Wed, 2008-02-20 at 11:52 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > Patch corrected as requested.
> >
> >
>
> ack

pushed

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Feb 20 17:15:21 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 20 Feb 2008 12:15:21 -0500
Subject: [Freeipa-devel] [PATCH] Start ntp first
In-Reply-To: <47BC5B02.20907@redhat.com>
References: <47BC5285.9020005@redhat.com> <47BC5B02.20907@redhat.com>
Message-ID: <1203527721.679.92.camel@localhost.localdomain>

On Wed, 2008-02-20 at 11:53 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > Patch corrected and also make sure we support -N in replica.
> >
> >
>
> ack

pushed

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Feb 20 17:15:43 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 20 Feb 2008 12:15:43 -0500
Subject: [Freeipa-devel] [PATCH] Do not ignore parms in client install script
In-Reply-To: <47BC5B89.9010306@redhat.com>
References: <47BB43C3.2000009@redhat.com> <47BB9C3C.5080407@redhat.com> <1203524287.679.89.camel@localhost.localdomain> <47BC5B89.9010306@redhat.com>
Message-ID: <1203527743.679.94.camel@localhost.localdomain>

On Wed, 2008-02-20 at 11:55 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Tue, 2008-02-19 at 22:19 -0500, Rob Crittenden wrote:
> >> Simo Sorce wrote:
> >>> ------------------------------------------------------------------------
> >> Generally looks ok but do we want to prompt the user to continue if the
> >> realm doesn't match or just fail? If we provide flexibility do we allow
> >> them to hose things up?
> >
> > I think we should fail, as the server the user is pointing to does not
> > host the requested REALM. Any Kerberos request would simply fail.
> >
> > Simo.
> >
>
> Ok.

pushed

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Feb 20 17:55:24 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Feb 2008 12:55:24 -0500
Subject: [Freeipa-devel] [PATCH] fix for building SELinux
Message-ID: <47BC698C.1030402@redhat.com>

The SELinux rules wouldn't build on RHEL 5. Dan Walsh contributed a fix. I've gone ahead and pushed this 2-liner.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-695-selinux.patch
Type: text/x-patch
Size: 1560 bytes
Desc: not available
URL:

From email.marc at gmail.com Wed Feb 20 19:37:56 2008
From: email.marc at gmail.com (Marc Richards)
Date: Wed, 20 Feb 2008 14:37:56 -0500
Subject: [Freeipa-devel] CentOS binaries/repository
Message-ID: <47BC8194.60705@gmail.com>

Are you guys planning on releasing binaries and/or setting up a yum repository for CentOS? If so, will it be done through EPEL or distributed via freeipa.org?

Marc

From ssorce at redhat.com Wed Feb 20 20:06:02 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 20 Feb 2008 15:06:02 -0500
Subject: [Freeipa-devel] CentOS binaries/repository
In-Reply-To: <47BC8194.60705@gmail.com>
References: <47BC8194.60705@gmail.com>
Message-ID: <1203537962.679.100.camel@localhost.localdomain>

On Wed, 2008-02-20 at 14:37 -0500, Marc Richards wrote:
> Are you guys planning on releasing binaries and/or setting up a yum
> repository for CentOS? If so, will it be done through EPEL or
> distributed via freeipa.org?

Actually we have never discussed this, something we need to think about I guess.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Feb 20 20:17:30 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Feb 2008 15:17:30 -0500
Subject: [Freeipa-devel] CentOS binaries/repository
In-Reply-To: <1203537962.679.100.camel@localhost.localdomain>
References: <47BC8194.60705@gmail.com> <1203537962.679.100.camel@localhost.localdomain>
Message-ID: <47BC8ADA.60100@redhat.com>

Simo Sorce wrote:
> On Wed, 2008-02-20 at 14:37 -0500, Marc Richards wrote:
>> Are you guys planning on releasing binaries and/or setting up a yum
>> repository for CentOS? If so, will it be done through EPEL or
>> distributed via freeipa.org?
>
> Actually we have never discussed this,
> something we need to think about I guess.
>
> Simo.
>

The biggest hurdle I see is that it will require much more than just the ipa packages. Also required will be TurboGears and its dependencies, a newer krb5 with the spnego fixes and krb5-server-ldap will need to be built. Plus python-kerberos, python-krbV, python-pyasn1 and perhaps a couple others that I'm missing.

rob

From email.marc at gmail.com Wed Feb 20 20:50:21 2008
From: email.marc at gmail.com (Marc Richards)
Date: Wed, 20 Feb 2008 15:50:21 -0500
Subject: [Freeipa-devel] CentOS binaries/repository
In-Reply-To: <47BC8ADA.60100@redhat.com>
References: <47BC8194.60705@gmail.com> <1203537962.679.100.camel@localhost.localdomain> <47BC8ADA.60100@redhat.com>
Message-ID: <47BC928D.70903@gmail.com>

Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Wed, 2008-02-20 at 14:37 -0500, Marc Richards wrote:
>>> Are you guys planning on releasing binaries and/or setting up a yum
>>> repository for CentOS? If so, will it be done through EPEL or
>>> distributed via freeipa.org?
>>
>> Actually we have never discussed this,
>> something we need to think about I guess.
>>
>> Simo.
>>
>
> The biggest hurdle I see is that it will require much more than just the
> ipa packages. Also required will be TurboGears and its dependencies, a
> newer krb5 with the spnego fixes and krb5-server-ldap will need to be
> built. Plus python-kerberos, python-krbV, python-pyasn1 and perhaps a
> couple others that I'm missing.
>
> rob

TurboGears and python-krbV are in EPEL.

http://download.fedora.redhat.com/pub/epel/5/i386/repoview/TurboGears.html
http://download.fedora.redhat.com/pub/epel/5/i386/repoview/python-krbV.html

The other python modules probably wouldn't be too hard to package for EPEL, especially for experienced programmers such as yourselves ;-) The newer version of krb5 sounds like it may be an issue though.

Is the required version newer than what shipped in RHEL/CentOS 5.1?

Marc

From rcritten at redhat.com Wed Feb 20 20:59:21 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Feb 2008 15:59:21 -0500
Subject: [Freeipa-devel] CentOS binaries/repository
In-Reply-To: <47BC928D.70903@gmail.com>
References: <47BC8194.60705@gmail.com> <1203537962.679.100.camel@localhost.localdomain> <47BC8ADA.60100@redhat.com> <47BC928D.70903@gmail.com>
Message-ID: <47BC94A9.2090907@redhat.com>

Marc Richards wrote:
> Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Wed, 2008-02-20 at 14:37 -0500, Marc Richards wrote:
>>>> Are you guys planning on releasing binaries and/or setting up a yum
>>>> repository for CentOS? If so, will it be done through EPEL or
>>>> distributed via freeipa.org?
>>>
>>> Actually we have never discussed this,
>>> something we need to think about I guess.
>>>
>>> Simo.
>>>
>>
>> The biggest hurdle I see is that it will require much more than just
>> the ipa packages. Also required will be TurboGears and its
>> dependencies, a newer krb5 with the spnego fixes and krb5-server-ldap
>> will need to be built. Plus python-kerberos, python-krbV,
>> python-pyasn1 and perhaps a couple others that I'm missing.
>>
>> rob
>
> TurboGears and python-krbV are in EPEL.
>
> http://download.fedora.redhat.com/pub/epel/5/i386/repoview/TurboGears.html
> http://download.fedora.redhat.com/pub/epel/5/i386/repoview/python-krbV.html
>
> The other python modules probably wouldn't be too hard to package for
> EPEL, especially for experienced programmers such as yourselves ;-) The
> newer version of krb5 sounds like it may be an issue though.
>
> Is the required version newer than what shipped in RHEL/CentOS 5.1?
>

No, the required version isn't in RHEL 5.1 (so I assume not CentOS). Plus it is built without LDAP backend support.

rob

From rcritten at redhat.com Wed Feb 20 21:34:04 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Feb 2008 16:34:04 -0500
Subject: [Freeipa-devel] [PATCH] some error handling in ipa-replica-prepare
Message-ID: <47BC9CCC.1060905@redhat.com>

Add some extra error handling when creating certificates for replicas so we can avoid back traces.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-696-errors.patch
Type: text/x-patch
Size: 1965 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Feb 20 21:58:39 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Feb 2008 16:58:39 -0500
Subject: [Freeipa-devel] [PATCH] keep uid in session until successful update
Message-ID: <47BCA28F.9070101@redhat.com>

Don't clear the session until a successful update.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-697-session.patch
Type: text/x-patch
Size: 1454 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Feb 21 03:34:18 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Feb 2008 22:34:18 -0500
Subject: [Freeipa-devel] [PATCH] check for both str and unicode types
Message-ID: <47BCF13A.2060001@redhat.com>

This is broken due to the i18n patch. String values may now be of type unicode.

There are places where we have a multi-valued attribute that needs to be a python list but if there is one value it defaults to being a string or unicode type.

Added a helper function that checks for both.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-700-type.patch
Type: text/x-patch
Size: 6626 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Feb 21 04:26:17 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Feb 2008 23:26:17 -0500
Subject: [Freeipa-devel] [PATCH] self-edit changes
Message-ID: <47BCFD69.1090100@redhat.com>

Don't let a regular user edit their own active status or manager.

Those in 'editors' or 'admins' groups will still be able to edit their own manager.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-701-selfedit.patch
Type: text/x-patch
Size: 1630 bytes
Desc: not available
URL:

From mike at flyn.org Thu Feb 21 08:06:50 2008
From: mike at flyn.org (W. Michael Petullo)
Date: Thu, 21 Feb 2008 12:36:50 +0430
Subject: [Freeipa-devel] FreeIPA Footprint
Message-ID: <20080221080650.GA21400@imp.flyn.org>

I have been piecing together an authentication and authorization solution using Kerberos and OpenLDAP for about two years [1]. I have recently begun looking at FreeIPA. I may be able to help with the integration of Mac OS X clients into a FreeIPA-based network.

I do have a few questions about FreeIPA, related to my interest in a very low-footprint solution.

1. Is there a good document on reducing the memory footprint of the Fedora Directory Server? On my computer, FDS / ns-slapd seems to use 500 MB of memory. A similar configuration using OpenLDAP / slapd used only 20 MB.

2. Is there any interest in making the Fedora IPA packages more fine-grained? For example, the web-based configuration tools bring in quite a few dependencies. Could this be split into a separate package? In this case, I am interested in disk space.

[1] http://www.redhatmagazine.com/2008/01/17/serving-apples-integrating-mac-os-x-clients-into-a-fedora-network/

From ssorce at redhat.com Thu Feb 21 14:06:47 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 21 Feb 2008 09:06:47 -0500
Subject: [Freeipa-devel] [PATCH] some error handling in ipa-replica-prepare
In-Reply-To: <47BC9CCC.1060905@redhat.com>
References: <47BC9CCC.1060905@redhat.com>
Message-ID: <1203602807.679.120.camel@localhost.localdomain>

On Wed, 2008-02-20 at 16:34 -0500, Rob Crittenden wrote:
> Add some extra error handling when creating certificates for replicas so
> we can avoid back traces.

Ack

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Feb 21 14:07:18 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 21 Feb 2008 09:07:18 -0500
Subject: [Freeipa-devel] [PATCH] keep uid in session until successful update
In-Reply-To: <47BCA28F.9070101@redhat.com>
References: <47BCA28F.9070101@redhat.com>
Message-ID: <1203602838.679.122.camel@localhost.localdomain>

On Wed, 2008-02-20 at 16:58 -0500, Rob Crittenden wrote:
> Don't clear the session until a successful update.

Can you explain what this change involves?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Feb 21 14:09:04 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 21 Feb 2008 09:09:04 -0500
Subject: [Freeipa-devel] [PATCH] check for both str and unicode types
In-Reply-To: <47BCF13A.2060001@redhat.com>
References: <47BCF13A.2060001@redhat.com>
Message-ID: <1203602944.679.124.camel@localhost.localdomain>

On Wed, 2008-02-20 at 22:34 -0500, Rob Crittenden wrote:
> This is broken due to the i18n patch. String values may now be of type
> unicode.
>
> There are places where we have a multi-valued attribute that needs to be
> a python list but if there is one value it defaults to being a string or
> unicode type.
>
> Added a helper function that checks for both.

Ack, looks strange tho.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Feb 21 14:11:39 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 21 Feb 2008 09:11:39 -0500
Subject: [Freeipa-devel] [PATCH] self-edit changes
In-Reply-To: <47BCFD69.1090100@redhat.com>
References: <47BCFD69.1090100@redhat.com>
Message-ID: <1203603099.679.126.camel@localhost.localdomain>

On Wed, 2008-02-20 at 23:26 -0500, Rob Crittenden wrote:
> Don't let a regular user edit their own active status or manager
>
> Those in 'editors' or 'admins' groups will still be able to edit their
> own manager.

Wouldn't it be better to have a list of editable fields (by admin/editors/self/...) somewhere instead of special casing every single thing ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rmeggins at redhat.com Thu Feb 21 14:23:11 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 21 Feb 2008 07:23:11 -0700
Subject: [Freeipa-devel] FreeIPA Footprint
In-Reply-To: <20080221080650.GA21400@imp.flyn.org>
References: <20080221080650.GA21400@imp.flyn.org>
Message-ID: <47BD894F.1030908@redhat.com>

W. Michael Petullo wrote:
> I have been piecing together an authentication and authorization solution
> using Kerberos and OpenLDAP for about two years [1]. I have recently begun
> looking at FreeIPA. I may be able to help with the integration of Mac
> OS X clients into a FreeIPA-based network.
>
> I do have a few questions about FreeIPA, related to my interest in a
> very low-footprint solution.
>
> 1. Is there a good document on reducing the memory footprint of the Fedora
> Directory Server? On my computer, FDS / ns-slapd seems to use 500 MB of
> memory. A similar configuration using OpenLDAP / slapd used only 20 MB.
>

I'm not sure, but I believe some (all?) of that is the cache size. By default Fedora DS uses a large-ish cache size. See http://tinyurl.com/3cyqxh and http://tinyurl.com/3eyegb

> 2. Is there any interest in making the Fedora IPA packages more
> fine-grained? For example, the web-based configuration tools bring in
> quite a few dependencies. Could this be split into a separate package? In
> this case, I am interested in disk space.
>
> [1] http://www.redhatmagazine.com/2008/01/17/serving-apples-integrating-mac-os-x-clients-into-a-fedora-network/
>

From felix.schwarz at web.de Thu Feb 21 14:52:46 2008
From: felix.schwarz at web.de (Felix Schwarz)
Date: Thu, 21 Feb 2008 15:52:46 +0100
Subject: [Freeipa-devel] Re: [PATCH] check for both str and unicode types
In-Reply-To: <47BCF13A.2060001@redhat.com>
References: <47BCF13A.2060001@redhat.com>
Message-ID: <47BD903E.3030308@web.de>

Robert,

Rob Crittenden wrote:
> +def is_string(value):
> +    """Return True if value is an instance of str or unicode."""
> +    if (isinstance(value, str) or isinstance(value,unicode)):
> +        return True
> +    else:
> +        return False

IMHO you should check for "isinstance(value, basestring)" which does the right thing (tm).

fs

From rcritten at redhat.com Thu Feb 21 14:54:04 2008
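Review bot: the if/else in is_string collapses to `return isinstance(value, basestring)`, which is both shorter and, as Felix notes, the Python 2 idiom for "str or unicode" (basestring is the common base class of both, so subclasses of either are covered too). The docstring should then say "str, unicode or any basestring subclass". Style nit on the same lines: `isinstance(value,unicode)` is missing the space after the comma, and the outer parentheses around the condition are redundant.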
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 21 Feb 2008 09:54:04 -0500
Subject: [Freeipa-devel] FreeIPA Footprint
In-Reply-To: <20080221080650.GA21400@imp.flyn.org>
References: <20080221080650.GA21400@imp.flyn.org>
Message-ID: <47BD908C.1050305@redhat.com>

W. Michael Petullo wrote:
> I have been piecing together an authentication and authorization solution
> using Kerberos and OpenLDAP for about two years [1]. I have recently begun
> looking at FreeIPA. I may be able to help with the integration of Mac
> OS X clients into a FreeIPA-based network.

Great! We have some amount of documentation on it at http://www.freeipa.com/page/ConfiguringOtherClients#Mac_OS_X but it could use another set of eyes and some other enhancements. Currently it just adds the OS X machine to the realm.

> I do have a few questions about FreeIPA, related to my interest in a
> very low-footprint solution.
>
> 1. Is there a good document on reducing the memory footprint of the Fedora
> Directory Server? On my computer, FDS / ns-slapd seems to use 500 MB of
> memory. A similar configuration using OpenLDAP / slapd used only 20 MB.

DS by default has very large caches. It is possible to tune these down. We haven't done much IPA-specific tuning beyond creating an index for each attribute we search on.

> 2. Is there any interest in making the Fedora IPA packages more
> fine-grained? For example, the web-based configuration tools bring in
> quite a few dependencies. Could this be split into a separate package? In
> this case, I am interested in disk space.

You raise a good point. Can you file a bug on this so it doesn't fall thru the cracks? I'll have to think a bit about how this would work. Separating the files is probably fairly straightforward but what it means to have IPA w/o the UI I'm not sure. It will require other changes so we don't configure Apache to forward requests. Or we could just leave Apache as it is and let it proxy things to nowhere :-)

>
> [1] http://www.redhatmagazine.com/2008/01/17/serving-apples-integrating-mac-os-x-clients-into-a-fedora-network/

I'll make sure our docs writer takes a look at this.

BTW, I saw your bug on the acutil dependency. I think you need to install authconfig to fix this.

regards

rob

From ssorce at redhat.com Thu Feb 21 14:54:11 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 21 Feb 2008 09:54:11 -0500
Subject: [Freeipa-devel] [PATCH] Let users change their own password
Message-ID: <47BD9093.1090304@redhat.com>

... Using directly LDAP (WEBUI) and not going through ipa-kpasswd.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-667-self-password-aci.patch
Type: text/x-patch
Size: 2130 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Feb 21 15:17:17 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 21 Feb 2008 10:17:17 -0500
Subject: [Freeipa-devel] [PATCH] keep uid in session until successful update
In-Reply-To: <1203602838.679.122.camel@localhost.localdomain>
References: <47BCA28F.9070101@redhat.com> <1203602838.679.122.camel@localhost.localdomain>
Message-ID: <47BD95FD.1080304@redhat.com>

Simo Sorce wrote:
> On Wed, 2008-02-20 at 16:58 -0500, Rob Crittenden wrote:
>> Don't clear the session until a successful update.
>
> Can you explain what does this change involve?
> Simo.
>

Ok, so the purpose of this originally was to prevent someone being tricked into doing a POST to the self-service site and change their password.

There is a server-side session that tries to keep track of the user you are editing. When it comes time to save any changes it verifies that the changes that are being saved are being done to the user that was loaded.

The problem is that very early in the update process I clear this value. It is a problem because if there is an error on the page (like missing required field, formatting problem, whatever) the user is redirected to the edit page but the session has already been cleared.

So I've moved the clearing of the session value to after the update is successful.

rob

From rcritten at redhat.com Thu Feb 21 15:27:53 2008
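The session-bound edit check described in the message above, as an added example: this is not FreeIPA's code, and the Session class, the form field names and the in-memory store are assumptions made for illustration. The buggy ordering clears the binding before validation, the fixed ordering clears it only after a successful update, and the forged-POST step shows what the uid comparison does and does not stop.

```python
"""Added example, not FreeIPA code: bind the user loaded on an edit page to
the server-side session and clear that binding only after a successful save.
Session, the form fields and the store are assumptions for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


class EditError(Exception):
    """The POST names a uid this session never loaded on an edit page."""


@dataclass
class Session:
    login_uid: str                    # the authenticated user
    edit_uid: Optional[str] = None    # uid loaded on the edit page, if any


def load_edit_page(session: Session, uid: str) -> Dict[str, str]:
    """GET of the edit page: remember which user this session is editing."""
    session.edit_uid = uid
    return {"uid": uid}


def validate(form: Dict[str, str]) -> List[str]:
    """Server-side form validation; an empty list means the form is good."""
    problems = []
    if not form.get("givenname"):
        problems.append("givenname is required")
    if "mail" in form and "@" not in form["mail"]:
        problems.append("mail must contain '@'")
    return problems


def _check_target(session: Session, form: Dict[str, str]) -> str:
    """Refuse a POST for any uid other than the one this session loaded."""
    target = form["uid"]
    if session.edit_uid is None or session.edit_uid != target:
        raise EditError("POST for %r but session is editing %r"
                        % (target, session.edit_uid))
    return target


def save_user_buggy(session: Session, form: Dict[str, str], store: Dict) -> Dict:
    """Pre-fix ordering: the binding is cleared before validation, so after a
    validation error the corrected resubmission has no binding to match."""
    target = _check_target(session, form)
    session.edit_uid = None           # cleared too early
    problems = validate(form)
    if problems:
        return {"status": "error", "problems": problems}
    store[target] = {"givenname": form["givenname"]}
    return {"status": "ok"}


def save_user_fixed(session: Session, form: Dict[str, str], store: Dict) -> Dict:
    """Post-fix ordering: the binding survives validation errors and is
    cleared only once the update has actually been applied."""
    target = _check_target(session, form)
    problems = validate(form)
    if problems:
        return {"status": "error", "problems": problems}   # binding kept
    store[target] = {"givenname": form["givenname"]}
    session.edit_uid = None           # cleared only after success
    return {"status": "ok"}


def run_flow(save: Callable) -> Dict:
    """Drive one user journey through a save function: a POST with a
    validation error, the corrected resubmission, then a forged POST (as
    from a page the browser was tricked into submitting) for another uid."""
    store: Dict = {}
    session = Session(login_uid="alice")
    load_edit_page(session, "alice")

    first = save(session, {"uid": "alice", "givenname": ""}, store)
    try:
        second = save(session, {"uid": "alice", "givenname": "Alice"}, store)
    except EditError:
        second = {"status": "rejected"}
    try:
        forged = save(session, {"uid": "bob", "givenname": "Mallory"}, store)
    except EditError:
        forged = {"status": "rejected"}
    return {"first": first["status"], "second": second["status"],
            "forged": forged["status"], "store": store}


if __name__ == "__main__":
    print("buggy:", run_flow(save_user_buggy))
    print("fixed:", run_flow(save_user_fixed))
```

The two flows differ only at the second step: after a validation error the buggy version rejects the corrected resubmission because the binding is already gone, while the fixed version accepts it and applies the change. Note what the uid comparison does not cover: a forged POST that names the uid currently loaded on the edit page would pass it, so a per-request token tied to the session is the usual complement to this check.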
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 Feb 2008 10:27:53 -0500 Subject: [Freeipa-devel] [PATCH] self-edit changes In-Reply-To: <1203603099.679.126.camel@localhost.localdomain> References: <47BCFD69.1090100@redhat.com> <1203603099.679.126.camel@localhost.localdomain> Message-ID: <47BD9879.70703@redhat.com> Simo Sorce wrote: > On Wed, 2008-02-20 at 23:26 -0500, Rob Crittenden wrote: >> Don't let a regular user edit their own active status or manager >> >> Those in 'editors' or 'admins' groups will still be able to edit their >> own manager. > > Wouldn't it be better to have a list of editable fields (by > admin/editors/self/...) somewhere instead of special casing every single > thing ? > > Simo. > I agree that it is not the best but I'm not sure how we'd do that in Javascript though. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Thu Feb 21 15:35:11 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 21 Feb 2008 10:35:11 -0500 Subject: [Freeipa-devel] [PATCH] keep uid in session until successful update In-Reply-To: <47BD95FD.1080304@redhat.com> References: <47BCA28F.9070101@redhat.com> <1203602838.679.122.camel@localhost.localdomain> <47BD95FD.1080304@redhat.com> Message-ID: <1203608111.679.131.camel@localhost.localdomain> On Thu, 2008-02-21 at 10:17 -0500, Rob Crittenden wrote: > Simo Sorce wrote: > > On Wed, 2008-02-20 at 16:58 -0500, Rob Crittenden wrote: > >> Don't clear the session until a successful update. > > > > Can you explain what does this change involve? > > Simo. > > > > Ok, so the purpose of this originally was to prevent someone being > tricked into doing a POST to the self-service site and change their > password. > > There is a server-side session that tries to keep track of the user you > are editing. When it comes time to save any changes it verifies that the > changes that are being saved are being done to the user that was loaded. > > The problem is that very early in the update process I clear this value. > It is a problem because if there is an error on the page (like missing > required field, formatting problem, whatever) the user is redirected to > the edit page but the session has already been cleared. > > So I've moved the clearing of the session value to after the update is > successful. ok, then ack -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Feb 21 15:35:36 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 21 Feb 2008 10:35:36 -0500 Subject: [Freeipa-devel] [PATCH] self-edit changes In-Reply-To: <47BD9879.70703@redhat.com> References: <47BCFD69.1090100@redhat.com> <1203603099.679.126.camel@localhost.localdomain> <47BD9879.70703@redhat.com> Message-ID: <1203608136.679.133.camel@localhost.localdomain> On Thu, 2008-02-21 at 10:27 -0500, Rob Crittenden wrote: > Simo Sorce wrote: > > On Wed, 2008-02-20 at 23:26 -0500, Rob Crittenden wrote: > >> Don't let a regular user edit their own active status or manager > >> > >> Those in 'editors' or 'admins' groups will still be able to edit their > >> own manager. > > > > Wouldn't it be better to have a list of editable fields (by > > admin/editors/self/...) somewhere instead of special casing every single > > thing ? > > > > Simo. > > > > I agree that it is not the best but I'm not sure how we'd do that in > Javascript though. Ok, I'd ack, but let's keep in mind to try and see if there is a way. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Thu Feb 21 15:46:56 2008 
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 21 Feb 2008 10:46:56 -0500
Subject: [Freeipa-devel] CentOS binaries/repository
In-Reply-To: <47BC928D.70903@gmail.com>
References: <47BC8194.60705@gmail.com> <1203537962.679.100.camel@localhost.localdomain> <47BC8ADA.60100@redhat.com> <47BC928D.70903@gmail.com>
Message-ID: <47BD9CF0.6060708@redhat.com>

Marc Richards wrote:
> Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Wed, 2008-02-20 at 14:37 -0500, Marc Richards wrote:
>>>> Are you guys planning on releasing binaries and/or setting up a yum
>>>> repository for CentOS? If so, will it be done through EPEL or
>>>> distributed via freeipa.org?
>>>
>>> Actually we have never discussed about this,
>>> something we need to think about I guess.
>>>
>>> Simo.
>>>
>>
>> The biggest hurdle I see is that it will require much more than just
>> the ipa packages. Also required will be TurboGears and its
>> dependencies, a newer krb5 with the spnego fixes and krb5-server-ldap
>> will need to be built. Plus python-kerberos, python-krbV,
>> python-pyasn1 and perhaps a couple others that I'm missing.
>>
>> rob
>
> TurboGears and python-krbV are in EPEL.
>
> http://download.fedora.redhat.com/pub/epel/5/i386/repoview/TurboGears.html
> http://download.fedora.redhat.com/pub/epel/5/i386/repoview/python-krbV.html
>
> The other python modules probably wouldn't be too hard to package for
> EPEL, especially for experienced programmers such as yourselves ;-) The
> newer version on krb5 sounds like it may be an issue though.
>
> Is the required version newer than what shipped in RHEL/CentOS 5.1?
>

Let me just add that the question was will *we* (freeIPA) do the CentOS builds and provide the repo? I think the answer to that will be no, at least for now.

It should be entirely possible to get freeIPA working on CentOS once the appropriate package requirements are available. The tricky one will be krb5 with spnego fixes and building the LDAP backend. It looks like the rest should be relatively straightforward.

rob

From jdennis at redhat.com Thu Feb 21 16:08:35 2008
From: jdennis at redhat.com (John Dennis)
Date: Thu, 21 Feb 2008 11:08:35 -0500
Subject: [Freeipa-devel] Re: [PATCH] check for both str and unicode types
In-Reply-To: <47BD903E.3030308@web.de>
References: <47BCF13A.2060001@redhat.com> <47BD903E.3030308@web.de>
Message-ID: <47BDA203.2010207@redhat.com>

Felix Schwarz wrote:
> Robert,
>
> Rob Crittenden wrote:
>> +def is_string(value):
>> + """Return True if value is an instance of str or unicode."""
>> + if (isinstance(value, str) or isinstance(value,unicode)):
>> + return True
>> + else:
>> + return False
>
> IMHO you should check for "isinstance(value, basestring)" which does
> the right thing (tm).

Yes, that's a good solution. Just for completeness, if one is testing for a type with Python's builtin types you can also use types.StringTypes which contains both types.StringType and types.UnicodeType

-- 
John Dennis

From rcritten at redhat.com Thu Feb 21 16:11:40 2008
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 Feb 2008 11:11:40 -0500 Subject: [Freeipa-devel] Re: [PATCH] check for both str and unicode types In-Reply-To: <47BD903E.3030308@web.de> References: <47BCF13A.2060001@redhat.com> <47BD903E.3030308@web.de> Message-ID: <47BDA2BC.9010208@redhat.com> Felix Schwarz wrote: > Robert, > > Rob Crittenden wrote: >> +def is_string(value): >> + """Return True if value is an instance of str or unicode.""" >> + if (isinstance(value, str) or isinstance(value,unicode)): >> + return True >> + else: >> + return False > > IMHO you should check for "isinstance(value, basestring)" which does > the right thing (tm). Thank you, you're right. New patch attached. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-667-unicode.patch Type: text/x-patch Size: 5690 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Thu Feb 21 20:53:25 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 Feb 2008 15:53:25 -0500 Subject: [Freeipa-devel] [PATCH] set version to 0.99 in source Message-ID: <47BDE4C5.9030805@redhat.com> The version was still set for Milestone 6. Update to 0.99. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-668-version.patch Type: text/x-patch Size: 5284 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Thu Feb 21 20:54:40 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 Feb 2008 15:54:40 -0500 Subject: [Freeipa-devel] [PATCH] set version to 0.99 in source In-Reply-To: <47BDE4C5.9030805@redhat.com> References: <47BDE4C5.9030805@redhat.com> Message-ID: <47BDE510.7010100@redhat.com> Rob Crittenden wrote: > The version was still set for Milestone 6. Update to 0.99. > > rob > Ah crud, I forgot something. Ignore this, I'll resubmit in a minute. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Thu Feb 21 21:12:39 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 Feb 2008 16:12:39 -0500 Subject: [Freeipa-devel] [PATCH] set version to 0.99 in source Message-ID: <47BDE947.9080103@redhat.com> I had forgotten to update the changelog in the previous patch. This should be correct. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-668-version.patch Type: text/x-patch Size: 12821 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Thu Feb 21 21:27:10 2008 
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 21 Feb 2008 16:27:10 -0500
Subject: [Freeipa-devel] [PATCH] redirect on SSL port too
Message-ID: <47BDECAE.4030103@redhat.com>

We want to ensure that users are going to the FQDN when they hit the web UI. The current rewrite rules work fine when going to the non-secure port but don't fire on the secure port.

This patch makes the rewrite rules a separate configuration that is included in ipa.conf and mod_nss.conf.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-669-redirect.patch
Type: text/x-patch
Size: 6568 bytes
Desc: not available
URL:

From ssorce at redhat.com Thu Feb 21 22:32:21 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 21 Feb 2008 17:32:21 -0500
Subject: [Freeipa-devel] [PATCH] Fix typo syntax error in xmlrpc code
Message-ID: <47BDFBF5.2000605@redhat.com>

A non-text attachment was scrubbed...
Name: freeipa-670-synerror.patch
Type: text/x-patch
Size: 982 bytes
Desc: not available
URL:

From ssorce at redhat.com Thu Feb 21 22:32:58 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 21 Feb 2008 17:32:58 -0500
Subject: [Freeipa-devel] [PATCH] implement krbPrincipalName attribute uniqueness
Message-ID: <47BDFC1A.7010407@redhat.com>

A non-text attachment was scrubbed...
Name: freeipa-671-krbName-unique.patch
Type: text/x-patch
Size: 4494 bytes
Desc: not available
URL:

From ssorce at redhat.com Thu Feb 21 22:47:55 2008
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 21 Feb 2008 17:47:55 -0500 Subject: [Freeipa-devel] [PATCH] set version to 0.99 in source In-Reply-To: <47BDE4C5.9030805@redhat.com> References: <47BDE4C5.9030805@redhat.com> Message-ID: <1203634075.679.175.camel@localhost.localdomain> On Thu, 2008-02-21 at 15:53 -0500, Rob Crittenden wrote: > The version was still set for Milestone 6. Update to 0.99. ack -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Feb 21 22:49:59 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 21 Feb 2008 17:49:59 -0500 Subject: [Freeipa-devel] [PATCH] redirect on SSL port too In-Reply-To: <47BDECAE.4030103@redhat.com> References: <47BDECAE.4030103@redhat.com> Message-ID: <1203634199.679.178.camel@localhost.localdomain> On Thu, 2008-02-21 at 16:27 -0500, Rob Crittenden wrote: > We want to ensure that users are going to the FQDN when they hit the > web > UI. The current rewrite rules work fine when going to the non-secure > port but don't fire on the secure port. > > This patch makes the rewrite rules a separate configuration that is > included in ipa.conf and mod_nss.conf. ack -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri Feb 22 03:10:04 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 Feb 2008 22:10:04 -0500 Subject: [Freeipa-devel] [PATCH] Fix typo syntax error in xmlrpc code In-Reply-To: <47BDFBF5.2000605@redhat.com> References: <47BDFBF5.2000605@redhat.com> Message-ID: <47BE3D0C.5050509@redhat.com> Simo Sorce wrote: > ack -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Fri Feb 22 03:12:01 2008 
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 21 Feb 2008 22:12:01 -0500
Subject: [Freeipa-devel] [PATCH] implement krbPrincipalName attribute uniqueness
In-Reply-To: <47BDFC1A.7010407@redhat.com>
References: <47BDFC1A.7010407@redhat.com>
Message-ID: <47BE3D81.8060204@redhat.com>

Simo Sorce wrote:
>

Looks good but we may have a space/tab difference. In the change:

+ self.step("configuring uniqueness plugin", self.__set_unique_attrs)

It is off by one space in the diff and this usually means a tab/space problem.

Otherwise ack.

rob

From rcritten at redhat.com Fri Feb 22 03:12:54 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 21 Feb 2008 22:12:54 -0500
Subject: [Freeipa-devel] [PATCH] set version to 0.99 in source
In-Reply-To: <1203634075.679.175.camel@localhost.localdomain>
References: <47BDE4C5.9030805@redhat.com> <1203634075.679.175.camel@localhost.localdomain>
Message-ID: <47BE3DB6.3090508@redhat.com>

Simo Sorce wrote:
> On Thu, 2008-02-21 at 15:53 -0500, Rob Crittenden wrote:
>> The version was still set for Milestone 6. Update to 0.99.
>
> ack
>

pushed

From rcritten at redhat.com Fri Feb 22 03:13:02 2008
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 Feb 2008 22:13:02 -0500 Subject: [Freeipa-devel] [PATCH] redirect on SSL port too In-Reply-To: <1203634199.679.178.camel@localhost.localdomain> References: <47BDECAE.4030103@redhat.com> <1203634199.679.178.camel@localhost.localdomain> Message-ID: <47BE3DBE.5010407@redhat.com> Simo Sorce wrote: > On Thu, 2008-02-21 at 16:27 -0500, Rob Crittenden wrote: >> We want to ensure that users are going to the FQDN when they hit the >> web >> UI. The current rewrite rules work fine when going to the non-secure >> port but don't fire on the secure port. >> >> This patch makes the rewrite rules a separate configuration that is >> included in ipa.conf and mod_nss.conf. > > ack > pushed -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Fri Feb 22 03:43:22 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 21 Feb 2008 22:43:22 -0500 Subject: [Freeipa-devel] [PATCH] Fix typo syntax error in xmlrpc code In-Reply-To: <47BE3D0C.5050509@redhat.com> References: <47BDFBF5.2000605@redhat.com> <47BE3D0C.5050509@redhat.com> Message-ID: <1203651803.679.185.camel@localhost.localdomain> pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Feb 22 03:43:44 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 21 Feb 2008 22:43:44 -0500 Subject: [Freeipa-devel] [PATCH] implement krbPrincipalName attribute uniqueness In-Reply-To: <47BE3D81.8060204@redhat.com> References: <47BDFC1A.7010407@redhat.com> <47BE3D81.8060204@redhat.com> Message-ID: <1203651824.679.187.camel@localhost.localdomain> On Thu, 2008-02-21 at 22:12 -0500, Rob Crittenden wrote: > Simo Sorce wrote: > > > > Looks good but we may have a space/tab difference. In the change: > > + self.step("configuring uniqueness plugin", self.__set_unique_attrs) > > It is off by on space in the diff and this usually means a tab/space > problem. > > Otherwise ack. well spotted, pushed a fixed version. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri Feb 22 04:35:01 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 Feb 2008 23:35:01 -0500 Subject: [Freeipa-devel] [PATCH] implement krbPrincipalName attribute uniqueness In-Reply-To: <1203651824.679.187.camel@localhost.localdomain> References: <47BDFC1A.7010407@redhat.com> <47BE3D81.8060204@redhat.com> <1203651824.679.187.camel@localhost.localdomain> Message-ID: <47BE50F5.3060307@redhat.com> Simo Sorce wrote: > On Thu, 2008-02-21 at 22:12 -0500, Rob Crittenden wrote: >> Simo Sorce wrote: >> Looks good but we may have a space/tab difference. In the change: >> >> + self.step("configuring uniqueness plugin", self.__set_unique_attrs) >> >> It is off by on space in the diff and this usually means a tab/space >> problem. >> >> Otherwise ack. > > well spotted, pushed a fixed version. > I'm not sure how but unique-attributes.ldif didn't get committed. I went ahead and added this file from your patches to fix the build. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Fri Feb 22 13:32:15 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 22 Feb 2008 08:32:15 -0500 Subject: [Freeipa-devel] [PATCH] implement krbPrincipalName attribute uniqueness In-Reply-To: <47BE50F5.3060307@redhat.com> References: <47BDFC1A.7010407@redhat.com> <47BE3D81.8060204@redhat.com> <1203651824.679.187.camel@localhost.localdomain> <47BE50F5.3060307@redhat.com> Message-ID: <1203687135.679.189.camel@localhost.localdomain> On Thu, 2008-02-21 at 23:35 -0500, Rob Crittenden wrote: > Simo Sorce wrote: > > On Thu, 2008-02-21 at 22:12 -0500, Rob Crittenden wrote: > >> Simo Sorce wrote: > >> Looks good but we may have a space/tab difference. In the change: > >> > >> + self.step("configuring uniqueness plugin", self.__set_unique_attrs) > >> > >> It is off by on space in the diff and this usually means a tab/space > >> problem. > >> > >> Otherwise ack. > > > > well spotted, pushed a fixed version. > > > > I'm not sure how but unique-attributes.ldif didn't get committed. I went > ahead and added this file from your patches to fix the build. My fault, to fix the problem I committed to a clean tree and forgot to do an hg add :-( Thanks for fixing it. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri Feb 22 14:37:15 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 22 Feb 2008 09:37:15 -0500 Subject: [Freeipa-devel] [PATCH] remove HTML from javascript output Message-ID: <47BEDE1B.4040300@redhat.com> Remove HTML from Javascript error message and fix up language to be clearer. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-671-message.patch Type: text/x-patch Size: 988 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Fri Feb 22 16:31:40 2008 
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 22 Feb 2008 11:31:40 -0500
Subject: [Freeipa-devel] [PATCH] remove HTML from javascript output
In-Reply-To: <47BEDE1B.4040300@redhat.com>
References: <47BEDE1B.4040300@redhat.com>
Message-ID: <1203697900.679.217.camel@localhost.localdomain>

On Fri, 2008-02-22 at 09:37 -0500, Rob Crittenden wrote:
> Remove HTML from Javascript error message and fix up language to be
> clearer.

ack

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri Feb 22 19:49:34 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 22 Feb 2008 14:49:34 -0500
Subject: [Freeipa-devel] [PATCH] Add failover to the XML-RPC client
Message-ID: <47BF274E.8040307@redhat.com>

Took Simo's advice and added a new XML-RPC function, ping(), that we can use just to see if the remote server is up and answering.

Modified the config class to be able to return multiple servers in a list. We simply run thru that list each time a new rpcclient is instantiated.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-672-failover.patch
Type: text/x-patch
Size: 5208 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Feb 22 20:41:16 2008
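The ping()-based failover described in the message above, as an added example rather than the project's own rpcclient: it walks the configured server list in order, bounds each probe with a timeout, and refuses to try a non-https entry so that failover cannot quietly downgrade the transport. The server URLs, the TimeoutSafeTransport and the fake probe are constructed for illustration; only the stdlib xmlrpc.client API is real, and the probe assumes the server exposes a ping() method as the patch adds.

```python
"""Added example, not FreeIPA code: XML-RPC client failover that walks an
ordered server list and keeps the first server whose ping() answers.
URLs, the transport subclass and the fake probe are assumptions."""
import http.client
import socket
import xmlrpc.client
from typing import Callable, Dict, List, Tuple


class NoServerAvailable(Exception):
    """Every server in the list failed its ping()."""


class TimeoutSafeTransport(xmlrpc.client.SafeTransport):
    """TLS transport that bounds each connection with a socket timeout, so a
    black-holed server cannot stall the whole failover walk."""

    def __init__(self, timeout: float) -> None:
        super().__init__()
        self.timeout = timeout

    def make_connection(self, host) -> http.client.HTTPConnection:
        conn = super().make_connection(host)
        conn.timeout = self.timeout
        return conn


def xmlrpc_ping(url: str, timeout: float = 3.0) -> bool:
    """Real probe: call ping() on url (assumes the server exposes ping())."""
    proxy = xmlrpc.client.ServerProxy(url, transport=TimeoutSafeTransport(timeout))
    return bool(proxy.ping())


def first_live_server(servers: List[str], probe: Callable[[str], bool],
                      require_https: bool = True) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (chosen_server, failures) for the first server whose probe
    succeeds. List order is preference order. With require_https a non-https
    URL is never tried, so a bad list entry cannot downgrade the transport."""
    failures: List[Tuple[str, str]] = []
    for server in servers:
        if require_https and not server.lower().startswith("https://"):
            failures.append((server, "refused: not https"))
            continue
        try:
            if probe(server):
                return server, failures
            failures.append((server, "ping() returned false"))
        except (OSError, socket.timeout, xmlrpc.client.Fault,
                xmlrpc.client.ProtocolError) as exc:
            failures.append((server, "%s: %s" % (type(exc).__name__, exc)))
    raise NoServerAvailable("no server answered ping(): %r" % (failures,))


def make_fake_probe(outcomes: Dict[str, object]) -> Callable[[str], bool]:
    """Constructed test double: map each URL to True/False or an exception."""
    def probe(server: str) -> bool:
        outcome = outcomes[server]
        if isinstance(outcome, BaseException):
            raise outcome
        return bool(outcome)
    return probe


def failover_demo() -> Tuple[str, List[Tuple[str, str]]]:
    """Constructed scenario: the preferred server refuses connections, the
    second is listed over plain http and is skipped, the third answers."""
    servers = ["https://ipa1.example.test/ipa/xml",
               "http://ipa2.example.test/ipa/xml",
               "https://ipa3.example.test/ipa/xml"]
    probe = make_fake_probe({
        servers[0]: ConnectionRefusedError("connection refused"),
        servers[1]: True,
        servers[2]: True,
    })
    return first_live_server(servers, probe)


if __name__ == "__main__":
    chosen, failures = failover_demo()
    print("using", chosen)
    for server, why in failures:
        print("skipped", server, "-", why)
```

ping() only establishes that a server is up and answering; it says nothing about whether it is the right server, so the chosen URL still gets the normal authenticated Kerberos session before any real call, and the server list should come from trusted configuration rather than be discovered on the fly.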
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 22 Feb 2008 15:41:16 -0500 Subject: [Freeipa-devel] [PATCH] Don't allow a group to be a member of itself Message-ID: <47BF336C.2070808@redhat.com> It makes no sense to allow a group to be a member of itself, so don't. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-673-group.patch Type: text/x-patch Size: 2019 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From mike at flyn.org Sun Feb 24 14:10:40 2008 From: mike at flyn.org (W. Michael Petullo) Date: Sun, 24 Feb 2008 18:40:40 +0430 Subject: [Freeipa-devel] [PATCH] Replace OpenLDAP with mozldap Message-ID: <20080224141040.GA19318@imp.flyn.org> I've attached a patch that begins the process of replacing OpenLDAP with mozldap. FreeIPA relies on RedHat's Directory Server, which uses mozldap. A FreeIPA build using mozldap would reduce the project's dependencies and redundant code. In addition, mozldap uses NSS instead of OpenSSL. This is beneficial for the reasons listed in [1]. [1] http://fedoraproject.org/wiki/FedoraCryptoConsolidation -- Mike -------------- next part -------------- diff -u --recursive freeipa-0.99-vanilla/ipa-client/configure.ac freeipa-0.99/ipa-client/configure.ac --- freeipa-0.99-vanilla/ipa-client/configure.ac 2008-02-18 18:21:39.000000000 +0430 +++ freeipa-0.99/ipa-client/configure.ac 2008-02-24 16:56:55.000000000 +0430 
@@ -82,42 +82,10 @@ AC_SUBST(KRB5_LIBS) dnl --------------------------------------------------------------------------- -dnl - Check for LDAP +dnl - Check for Mozilla LDAP SDK dnl --------------------------------------------------------------------------- -LDAP_LIBS= -AC_CHECK_HEADER(ldap.h) -AC_CHECK_HEADER(lber.h) - -AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes) -dnl Check for other libraries we need to link with to get the main routines. -test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) } -test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) } -test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) } -dnl Recently, we need -lber even though the main routines are elsewhere, -dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on. So just -dnl check for that (it's a variable not a fun but that doesn't seem to -dnl matter in these checks) and stick in -lber if so. Can't hurt (even to -dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who -dnl #### understands LDAP needs to fix this properly. 
-test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) } - -if test "$with_ldap" = "yes"; then - if test "$with_ldap_des" = "yes" ; then - LDAP_LIBS="${LDAP_LIBS} -ldes" - fi - if test "$with_ldap_krb" = "yes" ; then - LDAP_LIBS="${LDAP_LIBS} -lkrb" - fi - if test "$with_ldap_lber" = "yes" ; then - LDAP_LIBS="${LDAP_LIBS} -llber" - fi - LDAP_LIBS="${LDAP_LIBS} -lldap" -else - AC_MSG_ERROR([LDAP not found]) -fi - -AC_SUBST(LDAP_LIBS) +PKG_CHECK_MODULES(MOZLDAP, mozldap > 6) dnl --------------------------------------------------------------------------- dnl - Check for POPT diff -u --recursive freeipa-0.99-vanilla/ipa-client/ipa-getkeytab.c freeipa-0.99/ipa-client/ipa-getkeytab.c --- freeipa-0.99-vanilla/ipa-client/ipa-getkeytab.c 2008-02-18 18:21:39.000000000 +0430 +++ freeipa-0.99/ipa-client/ipa-getkeytab.c 2008-02-24 18:16:03.000000000 +0430 @@ -31,7 +31,7 @@ #include #include #include -#include +#include #include #include @@ -275,7 +275,6 @@ BerElement *ctrl = NULL; BerElement *sctrl = NULL; struct berval *control = NULL; - char *ldap_uri = NULL; struct berval **ncvals; char *ldap_base = NULL; char *retoid = NULL; @@ -306,23 +305,16 @@ goto error_out; } - /* connect to ldap server */ - ret = asprintf(&ldap_uri, "ldap://%s:389", servername); - if (ret == -1) { - fprintf(stderr, "Unable to determine server URI!\n"); - goto error_out; - } - /* TODO: support referrals ? */ - ret = ldap_initialize(&ld, ldap_uri); - if(ret != LDAP_SUCCESS) { + ld = ldap_init(servername, 389); + if(ld == NULL) { fprintf(stderr, "Unable to initialize ldap library!\n"); goto error_out; } version = LDAP_VERSION3; ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version); - if (ret != LDAP_OPT_SUCCESS) { + if (ret != LDAP_SUCCESS) { fprintf(stderr, "Unable to set ldap options!\n"); goto error_out; } 
@@ -427,8 +419,7 @@ ber_free(sctrl, 1); ldap_controls_free(srvctrl); ldap_msgfree(res); - ldap_unbind_ext_s(ld, NULL, NULL); - free(ldap_uri); + ldap_unbind_ext(ld, NULL, NULL); return kvno; error_out: @@ -436,8 +427,7 @@ if (srvctrl) ldap_controls_free(srvctrl); if (err) ldap_memfree(err); if (res) ldap_msgfree(res); - if (ld) ldap_unbind_ext_s(ld, NULL, NULL); - if (ldap_uri) free(ldap_uri); + if (ld) ldap_unbind_ext(ld, NULL, NULL); if (control) ber_bvfree(control); if (encs) free(encs); return 0; diff -u --recursive freeipa-0.99-vanilla/ipa-client/Makefile.am freeipa-0.99/ipa-client/Makefile.am --- freeipa-0.99-vanilla/ipa-client/Makefile.am 2008-02-18 18:21:39.000000000 +0430 +++ freeipa-0.99/ipa-client/Makefile.am 2008-02-24 16:45:47.000000000 +0430 @@ -13,7 +13,7 @@ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ $(KRB5_CFLAGS) \ - $(LDAP_CFLAGS) \ + $(MOZLDAP_CFLAGS) \ $(SASL_CFLAGS) \ $(POPT_CFLAGS) \ $(WARN_CFLAGS) \ @@ -29,7 +29,7 @@ ipa_getkeytab_LDADD = \ $(KRB5_LIBS) \ - $(LDAP_LIBS) \ + $(MOZLDAP_LIBS) \ $(SASL_LIBS) \ $(POPT_LIBS) \ $(NULL) diff -u --recursive freeipa-0.99-vanilla/ipa-server/configure.ac freeipa-0.99/ipa-server/configure.ac --- freeipa-0.99-vanilla/ipa-server/configure.ac 2008-02-18 18:21:39.000000000 +0430 +++ freeipa-0.99/ipa-server/configure.ac 2008-02-24 16:56:32.000000000 +0430 
@@ -87,44 +87,6 @@ AC_SUBST(KRB5_LIBS) dnl --------------------------------------------------------------------------- -dnl - Check for LDAP -dnl --------------------------------------------------------------------------- - -LDAP_LIBS= -AC_CHECK_HEADER(ldap.h) -AC_CHECK_HEADER(lber.h) - -AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes) -dnl Check for other libraries we need to link with to get the main routines. -test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) } -test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) } -test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) } -dnl Recently, we need -lber even though the main routines are elsewhere, -dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on. So just -dnl check for that (it's a variable not a fun but that doesn't seem to -dnl matter in these checks) and stick in -lber if so. Can't hurt (even to -dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who -dnl #### understands LDAP needs to fix this properly. -test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) } - -if test "$with_ldap" = "yes"; then - if test "$with_ldap_des" = "yes" ; then - LDAP_LIBS="${LDAP_LIBS} -ldes" - fi - if test "$with_ldap_krb" = "yes" ; then - LDAP_LIBS="${LDAP_LIBS} -lkrb" - fi - if test "$with_ldap_lber" = "yes" ; then - LDAP_LIBS="${LDAP_LIBS} -llber" - fi - LDAP_LIBS="${LDAP_LIBS} -lldap" -else - AC_MSG_ERROR([LDAP not found]) -fi - -AC_SUBST(LDAP_LIBS) - -dnl --------------------------------------------------------------------------- dnl - Check for Mozilla LDAP SDK dnl --------------------------------------------------------------------------- 
@@ -257,7 +219,7 @@ source code location: ${srcdir} compiler: ${CC} cflags: ${CFLAGS} - LDAP libs: ${LDAP_LIBS} + LDAP libs: ${MOZLDAP_LIBS} KRB5 libs: ${KRB5_LIBS} OpenSSL libs: ${SSL_LIBS} Maintainer mode: ${USE_MAINTAINER_MODE} diff -u --recursive freeipa-0.99-vanilla/ipa-server/ipa-kpasswd/ipa_kpasswd.c freeipa-0.99/ipa-server/ipa-kpasswd/ipa_kpasswd.c --- freeipa-0.99-vanilla/ipa-server/ipa-kpasswd/ipa_kpasswd.c 2008-02-18 18:21:39.000000000 +0430 +++ freeipa-0.99/ipa-server/ipa-kpasswd/ipa_kpasswd.c 2008-02-24 18:13:30.000000000 +0430 @@ -39,13 +39,17 @@ #include #include #include -#include +#include #include #define DEFAULT_KEYTAB "FILE:/var/kerberos/krb5kdc/kpasswd.keytab" #define TMP_TEMPLATE "/tmp/kpasswd.XXXXXX" #define KPASSWD_PORT 464 +/* From OpenLDAP's ldap.h */ +#define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U) +#define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U) + /* blacklist entries are released only BLCAKLIST_TIMEOUT seconds * after the children performing the noperation has finished. * this is to avoid races */ @@ -310,7 +314,6 @@ struct berval control; struct berval newpw; char hostname[1024]; - char *ldap_uri = NULL; struct berval **ncvals; char *ldap_base = NULL; char *filter; @@ -367,17 +370,10 @@ goto done; } - ret = asprintf(&ldap_uri, "ldap://%s:389", hostname); - if (ret == -1) { - syslog(LOG_ERR, "Out of memory!"); - ret = KRB5_KPASSWD_HARDERROR; - goto done; - } - /* connect to ldap server */ /* TODO: support referrals ? */ - ret = ldap_initialize(&ld, ldap_uri); - if(ret != LDAP_SUCCESS) { + ld = ldap_init(hostname, 389); + if(ld == NULL) { syslog(LOG_ERR, "Unable to connect to ldap server"); ret = KRB5_KPASSWD_HARDERROR; goto done; @@ -385,7 +381,7 @@ version = LDAP_VERSION3; ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version); - if (ret != LDAP_OPT_SUCCESS) { + if (ret != LDAP_SUCCESS) { syslog(LOG_ERR, "Unable to set ldap protocol version"); ret = KRB5_KPASSWD_HARDERROR; goto done; 
@@ -480,11 +476,12 @@ ret = KRB5_KPASSWD_HARDERROR; goto done; } + ber_printf(ctrl, "{tstON}", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, userdn, LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, &newpw); - ret = ber_flatten2(ctrl, &control, 0); + ret = ber_flatten(ctrl, &control); if (ret < 0) { syslog(LOG_ERR, "ber flattening failed!"); ret = KRB5_KPASSWD_HARDERROR; @@ -645,8 +642,7 @@ if (exterr1) free(exterr1); if (exterr2) free(exterr2); if (userdn) free(userdn); - if (ld) ldap_unbind_ext_s(ld, NULL, NULL); - if (ldap_uri) free(ldap_uri); + if (ld) ldap_unbind_ext(ld, NULL, NULL); if (tmp_file) { unlink(tmp_file); free(tmp_file); diff -u --recursive freeipa-0.99-vanilla/ipa-server/ipa-kpasswd/Makefile.am freeipa-0.99/ipa-server/ipa-kpasswd/Makefile.am --- freeipa-0.99-vanilla/ipa-server/ipa-kpasswd/Makefile.am 2008-02-18 18:21:39.000000000 +0430 +++ freeipa-0.99/ipa-server/ipa-kpasswd/Makefile.am 2008-02-24 16:24:57.000000000 +0430 @@ -8,7 +8,7 @@ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ - $(LDAP_CFLAGS) \ + $(MOZLDAP_CFLAGS) \ $(KRB5_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) @@ -22,7 +22,7 @@ $(NULL) ipa_kpasswd_LDADD = \ - $(LDAP_LIBS) \ + $(MOZLDAP_LIBS) \ $(KRB5_LIBS) \ $(NULL) From rcritten at redhat.com Mon Feb 25 18:16:41 2008 
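Review bot: in the ipa_kpasswd.c hunk at @@ -480,11 +476,12 @@, `ret = ber_flatten(ctrl, &control);` no longer matches the declaration of `control`: ber_flatten (in both the Mozilla SDK and OpenLDAP) takes a `struct berval **` and allocates the berval itself, whereas `control` is still `struct berval control;` in the unchanged context of the @@ -310,7 +314,6 @@ hunk, so `&control` is a `struct berval *` and the SDK will store a pointer into the struct's storage. The old `ber_flatten2(ctrl, &control, 0)` took a `struct berval *`, which is why that line was type-correct. Declare it as `struct berval *control = NULL;` and release it with `if (control) ber_bvfree(control);` on the done path, as ipa_getkeytab.c already does in its error_out path. The new `ber_printf(ctrl, "{tstON}", ...)` call in the same hunk returns -1 on encoding failure and should be checked rather than relying on ber_flatten to notice.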
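Review bot: in the ipa_kpasswd.c hunk at @@ -367,17 +370,10 @@, `ld = ldap_init(hostname, 389);` only allocates and configures the handle; no connection is opened until the first operation, so the "Unable to connect to ldap server" message on `ld == NULL` now describes an allocation failure, and a genuine connection failure will surface later at the bind or search with a different message. Reword it (e.g. "Unable to initialize ldap handle") and use the SDK's LDAP_PORT constant instead of the bare literal 389 that was previously embedded in the URI string.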
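Review bot: the comment above the two new #defines in the ipa_kpasswd.c hunk at @@ -39,13 +39,17 @@ says "From OpenLDAP's ldap.h", which is an odd reference to keep in a patch whose purpose is to drop OpenLDAP. The values are the context-specific tags of the PasswdModifyRequestValue sequence in RFC 3062 (userIdentity is [0], hence 0x80; newPasswd is [2], hence 0x82), so cite the RFC instead, e.g. `/* RFC 3062 PasswdModifyRequestValue: userIdentity [0], newPasswd [2] */`, which also lets a reader verify the constants without OpenLDAP headers at hand.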
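Review bot: the ipa-client/Makefile.am hunks (@@ -13,7 +13,7 @@ and @@ -29,7 +29,7 @@) switch ipa_getkeytab to $(MOZLDAP_CFLAGS) and $(MOZLDAP_LIBS), but the only "Check for Mozilla LDAP SDK" block in this patch is in ipa-server/configure.ac, and the OpenLDAP check that used to AC_SUBST LDAP_LIBS is removed from there as well. Please confirm that ipa-client's own configure.ac already defines and substitutes MOZLDAP_CFLAGS and MOZLDAP_LIBS; otherwise the client build gets empty substitutions and only fails at link time.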
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Feb 2008 13:16:41 -0500
Subject: [Freeipa-devel] [PATCH] add command-line utility to manage password policy
Message-ID: <47C30609.8030105@redhat.com>

This adds a command-line utility to view and update the password policy.
Up until now you could only do it in the UI.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-674-pwpolicy.patch
Type: text/x-patch
Size: 9055 bytes
Desc: not available

From ssorce at redhat.com Mon Feb 25 18:33:48 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 25 Feb 2008 13:33:48 -0500
Subject: [Freeipa-devel] [PATCH] add command-line utility to manage password policy
In-Reply-To: <47C30609.8030105@redhat.com>
References: <47C30609.8030105@redhat.com>
Message-ID: <1203964428.679.285.camel@localhost.localdomain>

On Mon, 2008-02-25 at 13:16 -0500, Rob Crittenden wrote:
> This adds a command-line utility to view and update the password policy.
> Up until now you could only do it in the UI.

Ack, but shouldn't we warn people that this tool (as well as the UI)
handles only the general password policies?
If someone sets a more specific password policy deep in an OU they will not
be able to see/manipulate it with CLI/UI commands but only via LDAP.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Mon Feb 25 18:35:40 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 25 Feb 2008 13:35:40 -0500
Subject: [Freeipa-devel] [PATCH] Add failover to the XML-RPC client
In-Reply-To: <47BF274E.8040307@redhat.com>
References: <47BF274E.8040307@redhat.com>
Message-ID: <1203964540.679.288.camel@localhost.localdomain>

On Fri, 2008-02-22 at 14:49 -0500, Rob Crittenden wrote:
> Took Simo's advice and added a new XML-RPC function, ping(), that we can
> use just to see if the remote server is up and answering.
>
> Modified the config class to be able to return multiple servers in a
> list. We simply run thru that list each time a new rpcclient is
> instantiated.

Can we add an argument to both the client and the server?
It would be useful to be able to exchange the cli/srv versions through
this command for future use:

ping
pong

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Mon Feb 25 18:36:27 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 25 Feb 2008 13:36:27 -0500
Subject: [Freeipa-devel] [PATCH] Don't allow a group to be a member of itself
In-Reply-To: <47BF336C.2070808@redhat.com>
References: <47BF336C.2070808@redhat.com>
Message-ID: <1203964587.679.290.camel@localhost.localdomain>

On Fri, 2008-02-22 at 15:41 -0500, Rob Crittenden wrote:
> It makes no sense to allow a group to be a member of itself, so don't.

ack

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Mon Feb 25 18:50:52 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Feb 2008 13:50:52 -0500
Subject: [Freeipa-devel] [PATCH] Add failover to the XML-RPC client
In-Reply-To: <1203964540.679.288.camel@localhost.localdomain>
References: <47BF274E.8040307@redhat.com> <1203964540.679.288.camel@localhost.localdomain>
Message-ID: <47C30E0C.5070108@redhat.com>

Simo Sorce wrote:
> On Fri, 2008-02-22 at 14:49 -0500, Rob Crittenden wrote:
>> Took Simo's advice and added a new XML-RPC function, ping(), that we can
>> use just to see if the remote server is up and answering.
>>
>> Modified the config class to be able to return multiple servers in a
>> list. We simply run thru that list each time a new rpcclient is
>> instantiated.
>
> Can we add an argument to both the client and the server?
> It would be useful to be able to exchange the cli/srv versions through
> this command for future use:
>
> ping
> pong
>
> Simo.
>

I think that is a nice-to-have for later. Neither the server nor client
currently have any knowledge of versions of anything.

rob

From ssorce at redhat.com Mon Feb 25 18:59:07 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 25 Feb 2008 13:59:07 -0500
Subject: [Freeipa-devel] [PATCH] Add failover to the XML-RPC client
In-Reply-To: <47C30E0C.5070108@redhat.com>
References: <47BF274E.8040307@redhat.com> <1203964540.679.288.camel@localhost.localdomain> <47C30E0C.5070108@redhat.com>
Message-ID: <1203965947.679.292.camel@localhost.localdomain>

On Mon, 2008-02-25 at 13:50 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Fri, 2008-02-22 at 14:49 -0500, Rob Crittenden wrote:
> >> Took Simo's advice and added a new XML-RPC function, ping(), that we can
> >> use just to see if the remote server is up and answering.
> >>
> >> Modified the config class to be able to return multiple servers in a
> >> list. We simply run thru that list each time a new rpcclient is
> >> instantiated.
> >
> > Can we add an argument to both the client and the server?
> > It would be useful to be able to exchange the cli/srv versions through
> > this command for future use:
> >
> > ping
> > pong
> >
> > Simo.
> >
>
> I think that is a nice-to-have for later. Neither the server nor client
> currently have any knowledge of versions of anything.

The idea is exactly to be able to recognize we are using outdated tools
(or too much up to date ones :) later. Maybe there are other means
too ...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Mon Feb 25 19:04:21 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Feb 2008 14:04:21 -0500
Subject: [Freeipa-devel] [PATCH] Add failover to the XML-RPC client
In-Reply-To: <1203965947.679.292.camel@localhost.localdomain>
References: <47BF274E.8040307@redhat.com> <1203964540.679.288.camel@localhost.localdomain> <47C30E0C.5070108@redhat.com> <1203965947.679.292.camel@localhost.localdomain>
Message-ID: <47C31135.3070004@redhat.com>

Simo Sorce wrote:
> On Mon, 2008-02-25 at 13:50 -0500, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Fri, 2008-02-22 at 14:49 -0500, Rob Crittenden wrote:
>>>> Took Simo's advice and added a new XML-RPC function, ping(), that we can
>>>> use just to see if the remote server is up and answering.
>>>>
>>>> Modified the config class to be able to return multiple servers in a
>>>> list. We simply run thru that list each time a new rpcclient is
>>>> instantiated.
>>> Can we add an argument to both the client and the server?
>>> It would be useful to be able to exchange the cli/srv versions through
>>> this command for future use:
>>>
>>> ping
>>> pong
>>>
>>> Simo.
>>>
>> I think that is a nice-to-have for later. Neither the server nor client
>> currently have any knowledge of versions of anything.
>
> The idea is exactly to be able to recognize we are using outdated tools
> (or too much up to date ones :) later. Maybe there are other means
> too ...
>
> Simo.

I know what the purpose is but it is more than just sticking a number
somewhere for it to actually do what we want. I don't think that needs to
hold things up.

rob

From rcritten at redhat.com Mon Feb 25 19:58:59 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Feb 2008 14:58:59 -0500
Subject: [Freeipa-devel] [PATCH] move ipa-getkeytab man page
Message-ID: <47C31E03.5050707@redhat.com>

The ipa-getkeytab command was moved out of ipa-admintools and into
ipa-client but the man page was not. This patch moves it.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-675-man.patch
Type: text/x-patch
Size: 8219 bytes
Desc: not available

From rcritten at redhat.com Mon Feb 25 20:46:34 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Feb 2008 15:46:34 -0500
Subject: [Freeipa-devel] [PATCH] add command-line utility to manage password policy
In-Reply-To: <1203964428.679.285.camel@localhost.localdomain>
References: <47C30609.8030105@redhat.com> <1203964428.679.285.camel@localhost.localdomain>
Message-ID: <47C3292A.1060107@redhat.com>

Simo Sorce wrote:
> On Mon, 2008-02-25 at 13:16 -0500, Rob Crittenden wrote:
>> This adds a command-line utility to view and update the password policy.
>> Up until now you could only do it in the UI.
>
> Ack, but shouldn't we warn people that this tool (as well as the UI)
> handles only the general password policies?
> If someone sets a more specific password policy deep in an OU they will not
> be able to see/manipulate it with CLI/UI commands but only via LDAP.
>
> Simo.
>

pushed

From rcritten at redhat.com Mon Feb 25 20:46:42 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Feb 2008 15:46:42 -0500
Subject: [Freeipa-devel] [PATCH] Don't allow a group to be a member of itself
In-Reply-To: <1203964587.679.290.camel@localhost.localdomain>
References: <47BF336C.2070808@redhat.com> <1203964587.679.290.camel@localhost.localdomain>
Message-ID: <47C32932.5050709@redhat.com>

Simo Sorce wrote:
> On Fri, 2008-02-22 at 15:41 -0500, Rob Crittenden wrote:
>> It makes no sense to allow a group to be a member of itself, so don't.
>
> ack
>

pushed

From rcritten at redhat.com Mon Feb 25 20:46:50 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Feb 2008 15:46:50 -0500
Subject: [Freeipa-devel] [PATCH] remove HTML from javascript output
In-Reply-To: <1203697900.679.217.camel@localhost.localdomain>
References: <47BEDE1B.4040300@redhat.com> <1203697900.679.217.camel@localhost.localdomain>
Message-ID: <47C3293A.1040702@redhat.com>

Simo Sorce wrote:
> On Fri, 2008-02-22 at 09:37 -0500, Rob Crittenden wrote:
>> Remove HTML from Javascript error message and fix up language to be
>> clearer.
>
> ack
>

pushed

From ssorce at redhat.com Mon Feb 25 20:48:26 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 25 Feb 2008 15:48:26 -0500
Subject: [Freeipa-devel] [PATCH] move ipa-getkeytab man page
In-Reply-To: <47C31E03.5050707@redhat.com>
References: <47C31E03.5050707@redhat.com>
Message-ID: <1203972506.679.294.camel@localhost.localdomain>

On Mon, 2008-02-25 at 14:58 -0500, Rob Crittenden wrote:
> The ipa-getkeytab command was moved out of ipa-admintools and into
> ipa-client but the man page was not. This patch moves it.

ack

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Mon Feb 25 20:50:00 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Feb 2008 15:50:00 -0500
Subject: [Freeipa-devel] [PATCH] move ipa-getkeytab man page
In-Reply-To: <1203972506.679.294.camel@localhost.localdomain>
References: <47C31E03.5050707@redhat.com> <1203972506.679.294.camel@localhost.localdomain>
Message-ID: <47C329F8.60607@redhat.com>

Simo Sorce wrote:
> On Mon, 2008-02-25 at 14:58 -0500, Rob Crittenden wrote:
>> The ipa-getkeytab command was moved out of ipa-admintools and into
>> ipa-client but the man page was not. This patch moves it.
>
> ack
>

pushed

From jdennis at redhat.com Mon Feb 25 21:54:22 2008
From: jdennis at redhat.com (John Dennis)
Date: Mon, 25 Feb 2008 16:54:22 -0500
Subject: [Freeipa-devel] Re: Python i18n
In-Reply-To: <47BC329F.4030104@redhat.com>
References: <47BBBAAA.9080706@redhat.com> <47BC329F.4030104@redhat.com>
Message-ID: <47C3390E.5020909@redhat.com>

Recently I posted a recommendation for i18n coding practices in Python which raised some questions. I've investigated further and would like to share what I've learned.

The recommendation I posted came about because of broken Python bindings to C libraries. The fact many Python bindings seem to be broken is an unfortunate reality we're going to have to deal with.

How are the bindings broken?

When you author a Python binding for a C library you use the CPython API. Since Python is written in C you're effectively just using the Python internal API. Everything in a Python program is an object. When C code is passed a Python object it must convert the object to something C code can operate on. This conversion occurs in a family of API routines, most notably PyArg_ParseTuple() whose role is to convert each argument in the tuple to a C type. The expected C type is passed to PyArg_ParseTuple() in a format string much like sscanf(). For example a function which expects a single string might use the format string "s", where "s" means return a pointer to a standard NULL terminated C string.

Most Python bindings use the "s" format specifier for strings. Perhaps this is the case because many of the bindings were written before Python had widespread i18n support via the 'unicode' string object. Python added Unicode string objects supplanting the traditional 'str' string object (characters represented as one byte). Internally Python implements unicode objects in either the UCS-2 or UCS-4 encodings (e.g. 2 byte or 4 byte characters). The use of UCS-2 vs. UCS-4 is a compile time option. The 's' format conversion specifier in CPython was expanded to accept unicode objects in addition to str objects.
Recall that the 's' format specifier returns a pointer to a NULL terminated C string. For str objects this conversion was for all practical purposes an identity transformation, it just returned the pointer to the character buffer inside the str object used to hold the string.

But what happens for unicode string objects when the 's' format conversion is specified? The first thing to note is the unicode object has to be re-encoded from UCS-2 or UCS-4 to the destination encoding. But what is the destination encoding for a traditional C string? The fact is traditional C strings never had an encoding specified for historical reasons, the best consensus guess is ascii. Since the 's' format conversion does not specify the desired destination encoding the global default-encoding is used. For historical reasons the default-encoding is initialized to ascii.

To implement the conversion from the unicode source to a destination format one must know the destination encoding, know how big the destination will be after conversion, and have available a buffer of sufficient size to write the destination conversion into. Recalling the 's' format conversion returns a pointer this means the conversion code must allocate a buffer of the right size for the destination encoding. But who owns this buffer and who is responsible for freeing it? The caller of PyArg_ParseTuple does not free the pointer it is returned, that would violate the API.

CPython solves this problem and at the same time adds a performance optimization by caching the buffer for the default-encoding inside the unicode Python object. Thus a Python unicode object has a buffer in the UCS-{2,4} encoding and optionally a buffer for the string represented in the default-encoding.
When PyArg_ParseTuple is passed a unicode object with the 's' format conversion specifier it checks to see if there is already a buffer in the unicode object representing the current string value in the default-encoding, if not it allocates a default-encoding buffer and calls a conversion routine to convert from UCS-{2,4} to the default-encoding passing it the default-encoding buffer in the unicode object. The 's' format conversion code then returns the pointer to the cached default-encoding buffer in the unicode object. Internal bookkeeping assures the default-encoding buffer is updated at appropriate times whenever the unicode version of the string is modified. When the unicode object is freed the UCS-{2,4} buffer is freed as well as the optional default-encoding buffer. This allows the caller of the 's' conversion to be ignorant of memory management issues and optimizes by performing the conversion from unicode to the default-encoding only once and then caching it alongside the UCS-{2,4} version.

What are the problems with the above?

The most significant issue is that the default-encoding is global. Different C libraries may have vastly different expectations concerning the encoding they expect for strings, one size does not fit all. One library might expect the byte orientated UTF-8 encoding while another might expect 4 byte wide characters, a third might expect 2 byte wide characters and a fourth library might only accept 7 bit ascii.

The next most significant problem is the selection of the default-encoding and any subsequent modification of the default-encoding when some strings have already had their default encodings cached prior to the default-encoding modification.

What should the default-encoding be? Many argue for historical reasons the only sensible default-encoding is ascii. Thus in many Python implementations the default-encoding is set to ascii. This is typically done in site.py.
But my Linux system uses UTF-8 as the default encoding, why can't I just set the default-encoding to UTF-8? Then all the C libraries that various Python bindings wrap will get their strings in UTF-8 when the format conversion specifier is 's'. Problem solved right?

Unfortunately no. The default-encoding is ascii. If you change the default encoding then cached default encodings for strings will be in the wrong encoding. At the moment there isn't a way for Python to invalidate cached encodings so there is no way to know if a cached encoding matches the current default-encoding. To protect against this problem site.py removes the sys.setdefaultencoding() entry point preventing Python applications from modifying the default-encoding once Python initializes. So unless your Python implementation shipped with the default-encoding set to UTF-8 you're out of luck. Setting the default-encoding is not the right solution because as noted above it is a global setting affecting every CPython binding which may not share the same encoding requirements.

So what is the solution?

The solution is simple, each CPython binding must explicitly specify the encoding it wants to use. PyArg_ParseTuple supports format conversion specifiers for strings other than 's', for example 'es' which stands for "encoded string". The caller specifies both the desired encoding and a pointer to a pointer to receive an allocated buffer containing the string in the specified encoding. After using the encoded string it is the caller's responsibility to free it.

If the solution is so simple why are so many bindings still using the incorrect 's' format conversion? For many reasons. The most likely is 's' works for applications which do not use multi-byte internationalized strings and the library expects ascii. They don't know it's broken and they've gotten away with it for a long time.
The second reason is the code in the CPython binding has to be augmented when using the 'es' specifier to both specify the encoding and more importantly to free the returned string, neither of which was required with the simple 's' specifier. Some Python bindings are automatically created by code generators. These code generators would have to be modified to also insert code to check for buffers and free them at all exit points in the generated binding function. This can be non-trivial.

But wait a minute, PyGTK+ works with unicode and it uses the 's' format specifier, what's up with that? Your analysis must be wrong!

The PyGTK+ binding to GTK+ gets around this problem with a nasty trick documented in this bug report:

http://bugzilla.gnome.org/show_bug.cgi?id=132040

by calling PyUnicode_SetDefaultEncoding("utf-8") from the binding's C code, thus changing the default-encoding from 'ascii' to 'utf-8'. But remember changing the default-encoding is so highly frowned upon by Python developers they actually made it impossible to do from Python code. It can only be set internally from C code. This means an optional Python module (gtk) which during its load phase modifies Python global state and creates inconsistencies with cached encodings. It also does this silently.

    >>> import sys
    >>> print sys.getdefaultencoding()
    'ascii'
    >>> import gtk
    >>> print sys.getdefaultencoding()
    'utf-8'

This means when and if you import gtk the application's entire i18n handling will change and you may experience inexplicable encoding errors or have problems with incorrectly coded libraries/modules being masked until you change the order of imports or the set of modules imported.
The above bug report suggests one can reset the old default-encoding thusly:

> It is actually possible*, so you could do something like this if you
> want:
>
> old = sys.getdefaultencoding()
> import gtk
> import sys
> reload(sys)
> sys.setdefaultencoding(old)
>
> *) the default site.py deletes the setdefaultencoding function from
> sys. Fortunately for the small group of persistent hackers, that
> technique is worked around by using reload, which re-creates the
> module namespace.

However, the above comment does not address the fundamental issue, which is the only reason to reset the default-encoding back is if you have libraries which expect the old default encoding. Because the default-encoding is global to all of CPython you can't have it both ways at once!

Summary:

If you import extension modules implemented in CPython (e.g. a Python binding written in C) unicode strings will only work if that extension module uses the 'es' family of format specifiers (unfortunately this is rare). If you pass a unicode string to that module you will likely get an encoding error (something like "cannot convert xxx ordinal not in range(128)").

I only know of two ways to fix this in preferential ordering:

1) modify the binding to use 'es'

2) don't use unicode in your python application, use str's encoded in utf-8 (see original post, assumes all extension libraries want UTF-8).

3) set the default-encoding to utf-8 with all the attendant problems listed above.

The bottom nasty line: To know whether we're going to have a problem using unicode in our Python code we're going to have to examine the source code of each and every extension module we load (or is loaded as a consequence of any other module load) and ascertain if they are using 'es' instead of 's'. If any of the extension modules fail to do that we can't blindly use unicode and may have to fall back to the workarounds referred to above and accept the problems which go with each of them. Yuck!
Observation: Is it any wonder people have such problems with i18n? Few take the time to understand it when their code breaks, instead they tweak things in mostly ignorant ways until it works for their isolated case and then publish their mistakes into the larger universe of code contributing to the endless speculation over what is correct i18n handling. It's not a pretty picture.

-- 
John Dennis

From ssorce at redhat.com Mon Feb 25 22:21:11 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 25 Feb 2008 17:21:11 -0500
Subject: [Freeipa-devel] [PATCH] Fix unattended install
Message-ID: <47C33F57.1010403@redhat.com>

A non-text attachment was scrubbed...
Name: freeipa-672-fix-unattended.patch
Type: text/x-patch
Size: 3502 bytes
Desc: not available

From ssorce at redhat.com Mon Feb 25 22:23:09 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 25 Feb 2008 17:23:09 -0500
Subject: [Freeipa-devel] [PATCH] Fix options
Message-ID: <47C33FCD.2010207@redhat.com>

Do not require the master password in unattended installations.
Fix the error message to say we require an admin password instead.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-673-fix-pwd-options.patch
Type: text/x-patch
Size: 1719 bytes
Desc: not available

From rcritten at redhat.com Mon Feb 25 22:48:47 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Feb 2008 17:48:47 -0500
Subject: [Freeipa-devel] [PATCH] Fix unattended install
In-Reply-To: <47C33F57.1010403@redhat.com>
References: <47C33F57.1010403@redhat.com>
Message-ID: <47C345CF.3020706@redhat.com>

Simo Sorce wrote:
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ack

From rcritten at redhat.com Mon Feb 25 22:49:06 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Feb 2008 17:49:06 -0500
Subject: [Freeipa-devel] [PATCH] Fix options
In-Reply-To: <47C33FCD.2010207@redhat.com>
References: <47C33FCD.2010207@redhat.com>
Message-ID: <47C345E2.2080202@redhat.com>

Simo Sorce wrote:
> Do not require the master password in unattended installations.
> Fix the error message to say we require an admin password instead.
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ack

From ssorce at redhat.com Mon Feb 25 22:56:14 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 25 Feb 2008 17:56:14 -0500
Subject: [Freeipa-devel] [PATCH] Fix options
In-Reply-To: <47C345E2.2080202@redhat.com>
References: <47C33FCD.2010207@redhat.com> <47C345E2.2080202@redhat.com>
Message-ID: <1203980174.5684.2.camel@localhost.localdomain>

On Mon, 2008-02-25 at 17:49 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > Do not require the master password in unattended installations.
> > Fix the error message to say we require an admin password instead.
>
> ack

pushed

-- 
Simo Sorce * Red Hat, Inc * New York

From daobrien at redhat.com Tue Feb 26 06:15:59 2008
From: daobrien at redhat.com (David O'Brien)
Date: Tue, 26 Feb 2008 16:15:59 +1000
Subject: [Freeipa-devel] [PATCH] add command-line utility to manage password policy
In-Reply-To: <1203964428.679.285.camel@localhost.localdomain>
References: <47C30609.8030105@redhat.com> <1203964428.679.285.camel@localhost.localdomain>
Message-ID: <47C3AE9F.9000303@redhat.com>

Simo Sorce wrote:
> On Mon, 2008-02-25 at 13:16 -0500, Rob Crittenden wrote:
>
>> This adds a command-line utility to view and update the password policy.
>> Up until now you could only do it in the UI.
>>
>
> Ack, but shouldn't we warn people that this tool (as well as the UI)
> handles only the general password policies?
> If someone sets a more specific password policy deep in an OU they will not
> be able to see/manipulate it with CLI/UI commands but only via LDAP.
>
> Simo.
>
>

I created BZ 434907 for both the utility itself and also the comment about only handling general passwd policies.

-- 
David O'Brien
IPA Content Author

"We couldn't care less about comfort. We make you feel good."
Federico Minoli CEO Ducati Motor S.p.A.

From agx at sigxcpu.org Tue Feb 26 08:01:11 2008
From: agx at sigxcpu.org (Guido Günther)
Date: Tue, 26 Feb 2008 09:01:11 +0100
Subject: [Freeipa-devel] [Fwd: OT: PyKerberos]
In-Reply-To: <47BB0BDF.3000300@redhat.com>
References: <47BB0BDF.3000300@redhat.com>
Message-ID: <20080226080111.GA3462@bogon.ms20.nix>

Hi Torsten,

On Tue, Feb 19, 2008 at 10:03:27AM -0700, Rich Megginson wrote:
> Searching for a usable Python interface to KAdmin, I finally decided
> to wrap some functions on my own. The result is a branch of Apple's
> PyKerberos, enriched by a kadm5 module, which provides basic methods to
> connect to a remote kerberos admin server and maintain principals.
> (Simplified creation, check for existence, list all princs, delete,
> chpass) It's written purely in C.

That's great news. I also added some more stuff to pykerberos like user password changing:

http://trac.macosforge.org/projects/calendarserver/ticket/256

and very basic GSSWrap/Unwrap support (just enough to talk to dovecot). Some of this has already been merged on the more-kerberos branch of pykerberos's SVN but things move slowly there. We already have packages in Debian that have these patches and I could add yours too if that makes sense.

> If someone wants to use and/or extend this code, you can check it out
> at:
>
> http://svn.kmrc.de/projects/devel/PyKerberos/trunk

The server doesn't answer - not even to a ping.

Cheers,
-- Guido

From rcritten at redhat.com Tue Feb 26 15:49:15 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Feb 2008 10:49:15 -0500
Subject: [Freeipa-devel] [PATCH] Don't log passwords during install
Message-ID: <47C434FB.2000205@redhat.com>

Don't log passwords in ipaserver-install.log. We were logging the
template used to create the DS instance and this contained the password.
Use a regular expression to drop it before logging the rest.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-678-password.patch
Type: text/x-patch
Size: 1290 bytes
Desc: not available
URL:

From ssorce at redhat.com Tue Feb 26 17:37:42 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 26 Feb 2008 12:37:42 -0500
Subject: [Freeipa-devel] [PATCH] Add rhel4 setup script
Message-ID: <47C44E66.9070502@redhat.com>

This patch adds a /contrib directory for contributed scripts.
It ideally should contain scripts for platforms that cannot use directly
the ipa-client-install script because of missing dependencies or
components.

This patch also adds an initial very basic RHEL4 script. It still lacks
any configure/make/make install files, they will come later.

Simo.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-693-contrib-rhel4.patch
Type: text/x-patch
Size: 28922 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Feb 26 18:53:09 2008
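The scrubbing described in the "Don't log passwords during install" message above, as an added example that is not FreeIPA's own code: a password-looking key pattern plus a literal pass over secrets the installer already holds, and a fail-closed path so a template is never logged while a known secret is still in it. The template keys, values and logger name are constructed for the example.

```python
import logging
import re

# Added example, not FreeIPA's own code: scrub password values from a DS
# setup template before the template is written to the install log.
# Key names and values below are constructed; real template keys may differ.

# Matches "Key = value" lines whose key looks password-like (...Pwd,
# ...passwd, ...password, case-insensitive).  The key part is captured
# separately so only the value is replaced.  MULTILINE makes ^/$ per line.
_PASSWORD_LINE_RE = re.compile(
    r"^(?P<key>[ \t]*[^=\n]*?(?:pwd|passwd|password)[ \t]*=[ \t]*)(?P<value>.*)$",
    re.IGNORECASE | re.MULTILINE,
)

MASK = "XXXXXXXX"


def redact_template(text, known_secrets=()):
    """Return a copy of the template with password values replaced by MASK.

    Two passes: the regex catches any password-looking key, and the literal
    pass removes secrets the installer already holds in memory even if they
    appear under an unexpected key or inside another value.
    """
    redacted = _PASSWORD_LINE_RE.sub(lambda m: m.group("key") + MASK, text)
    for secret in known_secrets:
        if secret:
            redacted = redacted.replace(secret, MASK)
    return redacted


def leaks_secret(text, known_secrets):
    """True if any known secret is still present verbatim in text."""
    return any(secret and secret in text for secret in known_secrets)


def log_template(template, known_secrets, logger=None):
    """Log the template only after scrubbing it.

    If a known secret somehow survives redaction the template is withheld
    entirely: losing the template from the log is cheaper than writing the
    Directory Manager password into a log file.  Returns what was logged.
    """
    logger = logger or logging.getLogger("ipaserver-install")
    redacted = redact_template(template, known_secrets)
    if leaks_secret(redacted, known_secrets):
        redacted = "[DS template withheld: secret could not be redacted]"
    logger.debug("Writing DS template:\n%s", redacted)
    return redacted


# Constructed sample, shaped like a setup-ds style .inf file.
SAMPLE_TEMPLATE = """[General]
FullMachineName= ipa.example.com
SuiteSpotUserID= dirsrv
ConfigDirectoryAdminID= admin
ConfigDirectoryAdminPwd= S3cretAdminPw

[slapd]
ServerPort= 389
ServerIdentifier= EXAMPLE-COM
Suffix= dc=example,dc=com
RootDN= cn=Directory Manager
RootDNPwd= S3cretDMPw
"""

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    log_template(SAMPLE_TEMPLATE, ["S3cretAdminPw", "S3cretDMPw"])
```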
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Feb 2008 13:53:09 -0500
Subject: [Freeipa-devel] [PATCH] Require DNS A record for service principals
Message-ID: <47C46015.1010904@redhat.com>

Require that service principals resolve to a DNS A record.

There is a --force option for those who know what they are doing.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-679-dns.patch
Type: text/x-patch
Size: 6742 bytes
Desc: not available
URL:

From ssorce at redhat.com Tue Feb 26 19:23:39 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 26 Feb 2008 14:23:39 -0500
Subject: [Freeipa-devel] [PATCH] Require DNS A record for service principals
In-Reply-To: <47C46015.1010904@redhat.com>
References: <47C46015.1010904@redhat.com>
Message-ID: <1204053819.5684.14.camel@localhost.localdomain>

On Tue, 2008-02-26 at 13:53 -0500, Rob Crittenden wrote:
> Require that service principals resolve to a DNS A record.
>
> There is a --force option for those who know what they are doing.

ack!

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Tue Feb 26 19:42:19 2008
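The rule in the "Require DNS A record for service principals" thread above, written out as an added example that is not FreeIPA's own code: extract the host from a service principal, require an A record for it, and let --force override the check while recording that it was bypassed. The resolver is injectable so the check runs offline against a constructed zone; FAKE_ZONE and fake_resolve are assumptions for the example.

```python
import socket

# Added example, not FreeIPA's own code: the A-record check described in the
# patch message, with an injectable resolver so it can be exercised offline.


def principal_hostname(principal):
    """Return the lower-cased host part of a service principal such as
    'HTTP/www.example.com@EXAMPLE.COM', or None if the principal is a plain
    user principal or malformed."""
    name = principal.split("@", 1)[0]
    if "/" not in name:
        return None
    service, host = name.split("/", 1)
    host = host.rstrip(".").lower()
    if not service or not host or "/" in host:
        return None
    return host


def has_a_record(hostname, resolve=socket.gethostbyname):
    """True if hostname resolves to an IPv4 address, i.e. has an A record.
    socket.gethostbyname only returns IPv4, so an AAAA-only host fails here,
    which matches the A-record requirement in the patch."""
    try:
        resolve(hostname)
    except (socket.gaierror, socket.herror):
        return False
    return True


def check_service_principal(principal, force=False, resolve=socket.gethostbyname):
    """Decide whether a service principal may be created.

    Returns (accepted, reason).  Without force a host with no A record is
    rejected; with force=True it is accepted but the reason records that the
    DNS check was bypassed, which is what an operator wants to see in a log.
    """
    host = principal_hostname(principal)
    if host is None:
        return False, "not a service principal: %r" % principal
    if has_a_record(host, resolve):
        return True, "A record found for %s" % host
    if force:
        return True, "no A record for %s; accepted because --force was given" % host
    return False, "no A record for %s (use --force to override)" % host


# Constructed zone used in place of real DNS (assumption for the example).
FAKE_ZONE = {"www.example.com": "192.0.2.10", "ipa.example.com": "192.0.2.1"}


def fake_resolve(hostname):
    """Stand-in for socket.gethostbyname that only knows FAKE_ZONE."""
    try:
        return FAKE_ZONE[hostname]
    except KeyError:
        raise socket.gaierror("constructed resolver: no such name")


if __name__ == "__main__":
    cases = [("HTTP/www.example.com@EXAMPLE.COM", False),
             ("HTTP/nosuch.example.com@EXAMPLE.COM", False),
             ("HTTP/nosuch.example.com@EXAMPLE.COM", True),
             ("admin@EXAMPLE.COM", False)]
    for principal, force in cases:
        print(principal, check_service_principal(principal, force, fake_resolve))
```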
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Feb 2008 14:42:19 -0500
Subject: [Freeipa-devel] [PATCH] ipa-client-install fixes
Message-ID: <47C46B9B.4010105@redhat.com>

Don't try to use options.realm_name unless it was passed in (can cause a
crash concatenating None with a string).
Don't allow empty responses to domain and realm name
Handle ctrl-C

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-680-install.patch
Type: text/x-patch
Size: 215 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Feb 26 19:53:13 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Feb 2008 14:53:13 -0500
Subject: [Freeipa-devel] [PATCH] Add rhel4 setup script
In-Reply-To: <47C44E66.9070502@redhat.com>
References: <47C44E66.9070502@redhat.com>
Message-ID: <47C46E29.7030408@redhat.com>

Simo Sorce wrote:
> This patch adds a /contrib directory for contributed scripts.
> It ideally should contain scripts for platforms that cannot use directly
> the ipa-client-install script because of missing dependencies or
> components.
>
> This patch also adds an initial very basic RHEL4 script. It still lacks
> any configure/make/make install files, they will come later.
>
> Simo.

ack.

rob

From rcritten at redhat.com Tue Feb 26 20:06:29 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Feb 2008 15:06:29 -0500
Subject: [Freeipa-devel] [PATCH] ipa-client-install fixes
In-Reply-To: <47C46B9B.4010105@redhat.com>
References: <47C46B9B.4010105@redhat.com>
Message-ID: <47C47145.3040708@redhat.com>

Rob Crittenden wrote:
> Don't try to use options.realm_name unless it was passed in (can cause a
> crash concatenating None with a string).
> Don't allow empty responses to domain and realm name
> Handle ctrl-C
>
> rob
>

Actually export the patch this time.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-680-install.patch
Type: text/x-patch
Size: 3067 bytes
Desc: not available
URL:

From ssorce at redhat.com Tue Feb 26 20:21:42 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 26 Feb 2008 15:21:42 -0500
Subject: [Freeipa-devel] [PATCH] ipa-client-install fixes
In-Reply-To: <47C47145.3040708@redhat.com>
References: <47C46B9B.4010105@redhat.com> <47C47145.3040708@redhat.com>
Message-ID: <1204057302.5684.26.camel@localhost.localdomain>

On Tue, 2008-02-26 at 15:06 -0500, Rob Crittenden wrote:
> + while srv = "":

not sure this is ok, should be ==

The rest seems fine, although it is not clear to me why you break the
print statement later in multiple ones.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Tue Feb 26 20:30:31 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Feb 2008 15:30:31 -0500
Subject: [Freeipa-devel] [PATCH] ipa-client-install fixes
In-Reply-To: <1204057302.5684.26.camel@localhost.localdomain>
References: <47C46B9B.4010105@redhat.com> <47C47145.3040708@redhat.com> <1204057302.5684.26.camel@localhost.localdomain>
Message-ID: <47C476E7.7070109@redhat.com>

Simo Sorce wrote:
> On Tue, 2008-02-26 at 15:06 -0500, Rob Crittenden wrote:
>> + while srv = "":
>
> not sure this is ok, should be ==
>
> The rest seems fine, although it is not clear to me why you break the
> print statement later in multiple ones.
>
>

Yikes, you're right. I saw that on my test box and fixed it but didn't
fix it in the tree. Good catch!

I broke the print statement so a given line is not > ~75 characters.
Basically so it looks nicer on a standard console.

rob

From ssorce at redhat.com Tue Feb 26 20:44:41 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 26 Feb 2008 15:44:41 -0500
Subject: [Freeipa-devel] [PATCH] Add rhel4 setup script
In-Reply-To: <47C46E29.7030408@redhat.com>
References: <47C44E66.9070502@redhat.com> <47C46E29.7030408@redhat.com>
Message-ID: <1204058681.5684.28.camel@localhost.localdomain>

On Tue, 2008-02-26 at 14:53 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > This patch adds a /contrib directory for contributed scripts.
> > It ideally should contain scripts for platforms that cannot use directly
> > the ipa-client-install script because of missing dependencies or
> > components.
> >
> > This patch also adds an initial very basic RHEL4 script. It still lacks
> > any configure/make/make install files, they will come later.
> >
> > Simo.
>
> ack.

Pushed.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Tue Feb 26 20:57:37 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Feb 2008 15:57:37 -0500
Subject: [Freeipa-devel] [PATCH] ipa-client-install fixes
In-Reply-To: <1204057302.5684.26.camel@localhost.localdomain>
References: <47C46B9B.4010105@redhat.com> <47C47145.3040708@redhat.com> <1204057302.5684.26.camel@localhost.localdomain>
Message-ID: <47C47D41.30906@redhat.com>

Simo Sorce wrote:
> On Tue, 2008-02-26 at 15:06 -0500, Rob Crittenden wrote:
>> + while srv = "":
>
> not sure this is ok, should be ==
>
> The rest seems fine, although it is not clear to me why you break the
> print statement later in multiple ones.
>
> Simo.
>

pushed with fixes

From rcritten at redhat.com Tue Feb 26 21:01:14 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Feb 2008 16:01:14 -0500
Subject: [Freeipa-devel] [PATCH] Require DNS A record for service principals
In-Reply-To: <1204053819.5684.14.camel@localhost.localdomain>
References: <47C46015.1010904@redhat.com> <1204053819.5684.14.camel@localhost.localdomain>
Message-ID: <47C47E1A.50300@redhat.com>

Simo Sorce wrote:
> On Tue, 2008-02-26 at 13:53 -0500, Rob Crittenden wrote:
>> Require that service principals resolve to a DNS A record.
>>
>> There is a --force option for those who know what they are doing.
>
> ack!
>

pushed

From rcritten at redhat.com Tue Feb 26 21:03:16 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Feb 2008 16:03:16 -0500
Subject: [Freeipa-devel] [PATCH] Add failover to the XML-RPC client
In-Reply-To: <47C31135.3070004@redhat.com>
References: <47BF274E.8040307@redhat.com> <1203964540.679.288.camel@localhost.localdomain> <47C30E0C.5070108@redhat.com> <1203965947.679.292.camel@localhost.localdomain> <47C31135.3070004@redhat.com>
Message-ID: <47C47E94.8040401@redhat.com>

Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Mon, 2008-02-25 at 13:50 -0500, Rob Crittenden wrote:
>>> Simo Sorce wrote:
>>>> On Fri, 2008-02-22 at 14:49 -0500, Rob Crittenden wrote:
>>>>> Took Simo's advice and added a new XML-RPC function, ping(), that
>>>>> we can use just to see if the remote server is up and answering.
>>>>>
>>>>> Modified the config class to be able to return multiple servers in
>>>>> a list. We simply run thru that list each time a new rpcclient is
>>>>> instantiated.
>>>> Can we add an argument to both the client and the server?
>>>> It would be useful to be able to exchange the cli/srv versions through
>>>> this command for future use:
>>>>
>>>> ping
>>>> pong
>>>>
>>>> Simo.
>>>>
>>> I think that is a nice-to-have for later. Neither the server nor
>>> client currently have any knowledge of versions of anything.
>>
>> The idea is exactly to be able to recognize we are using outdated tools
>> (or too much up to date ones :) later. Maybe there are other means
>> too ...
>>
>> Simo.
>
> I know what the purpose is but it is more than just sticking a number
> somewhere for it to actually do what we want. I don't think that needs
> to hold things up.
>

I pushed the patch and opened a new bug to investigate doing API
versioning between the client and server.

rob

From ssorce at redhat.com Tue Feb 26 22:53:58 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 26 Feb 2008 17:53:58 -0500
Subject: [Freeipa-devel] [PATCH] Replace OpenLDAP with mozldap
In-Reply-To: <20080224141040.GA19318@imp.flyn.org>
References: <20080224141040.GA19318@imp.flyn.org>
Message-ID: <1204066438.5684.47.camel@localhost.localdomain>

On Sun, 2008-02-24 at 18:40 +0430, W. Michael Petullo wrote:
> I've attached a patch that begins the process of replacing OpenLDAP with
> mozldap. FreeIPA relies on RedHat's Directory Server, which uses mozldap. A
> FreeIPA build using mozldap would reduce the project's dependencies and
> redundant code. In addition, mozldap uses NSS instead of OpenSSL. This is
> beneficial for the reasons listed in [1].
>
> [1] http://fedoraproject.org/wiki/FedoraCryptoConsolidation

Hi Mike,
patch may make sense for shipping for Fedora, but it would be better to
have a patch that makes the choice between mozldap or openldap libraries
a compile time option.
This is because admin tools and client tools are not meant to be run on
the server only and other distributions may not ship the mozldap bits.

Do you think you can modify the patch to make it possible to select
either library through a configure option?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Feb 27 03:35:55 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Feb 2008 22:35:55 -0500
Subject: [Freeipa-devel] [PATCH] fix domain zone file creation
Message-ID: <47C4DA9B.9040000@redhat.com>

Use fqdn to determine the hostname in the domain zone file.

I pushed this under the 1-liner rule.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-705-dns.patch
Type: text/x-patch
Size: 771 bytes
Desc: not available
URL:

From mike at flyn.org Wed Feb 27 12:20:00 2008
From: mike at flyn.org (W. Michael Petullo)
Date: Wed, 27 Feb 2008 16:50:00 +0430
Subject: [Freeipa-devel] FreeIPA Footprint
In-Reply-To: <47BD908C.1050305@redhat.com>
References: <20080221080650.GA21400@imp.flyn.org> <47BD908C.1050305@redhat.com>
Message-ID: <20080227122000.GA19415@imp.flyn.org>

>> I do have a few questions about FreeIPA, related to my interest in a
>> very low-footprint solution.
>>
>> 1. Is there a good document on reducing the memory footprint of the Fedora
>> Directory Server? On my computer, FDS / ns-slapd seems to use 500 MB of
>> memory. A similar configuration using OpenLDAP / slapd used only 20 MB.
>
> DS by default has very large caches. It is possible to tune these down. We
> haven't done much IPA-specific tuning beyond creating an index for each
> attribute we search on.

Well, I modified nsslapd-dbcachesize, nsslapd-import-cachesize and
nsslapd-cachememsize. None of these had the effect I had hoped for on the
amount of memory that ns-slapd uses. It's still at around 1/2 GB.

Mike

From rcritten at redhat.com Wed Feb 27 15:42:56 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Feb 2008 10:42:56 -0500
Subject: [Freeipa-devel] [PATCH] restructure tools
Message-ID: <47C58500.2030400@redhat.com>

This is a potentially disruptive patch to all the admin tools. I wanted
to be able to catch KeyboardInterrupt but I needed to move all the
imports under a try/except in order to catch it in all cases. If one
interrupted early enough you'd catch it in the import phase which wasn't
covered.

So I moved all the imports into a main try/except which calls our main.
I moved most other exceptions out of main into this top level try/except
to make the individual functions more readable.

I also found a difference in the way GSSError is handled in python 2.4
and python 2.5 so I added a small helper to deal with it.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-706-tools.patch
Type: text/x-patch
Size: 78193 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Feb 27 15:52:38 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Feb 2008 10:52:38 -0500
Subject: [Freeipa-devel] [PATCH] admins group name is immutable
Message-ID: <47C58746.7090702@redhat.com>

The main admin group 'admins' is not changeable currently because it is
deeply embedded in a lot of ACI's and other things. Return a more useful
error message than "Insufficient Access" if someone tries to rename it.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-707-admins.patch
Type: text/x-patch
Size: 1245 bytes
Desc: not available
URL:

From ssorce at redhat.com Wed Feb 27 16:39:55 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 27 Feb 2008 11:39:55 -0500
Subject: [Freeipa-devel] [PATCH] admins group name is immutable
In-Reply-To: <47C58746.7090702@redhat.com>
References: <47C58746.7090702@redhat.com>
Message-ID: <1204130395.5684.61.camel@localhost.localdomain>

On Wed, 2008-02-27 at 10:52 -0500, Rob Crittenden wrote:
> The main admin group 'admins' is not changeable currently because it is
> deeply embedded in a lot of ACI's and other things. Return a more useful
> error message than "Insufficient Access" if someone tries to rename it.

ack

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Feb 27 20:15:35 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Feb 2008 15:15:35 -0500
Subject: [Freeipa-devel] [PATCH] Fix delegation
Message-ID: <47C5C4E7.2070102@redhat.com>

In the UI we don't want to display Edit links unless someone can
actually edit things. We use the 'editors' group for this. This group
itself grants no permission other than displaying certain things in the UI.

In order to be in the editors group a user must be a member of a group
that is the source group in a delegation. The memberof plugin will do
all the hard work to be sure that a user's memberof contains cn=editors
if they are in a delegated group.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-708-delegation.patch
Type: text/x-patch
Size: 10816 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Feb 27 21:18:55 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Feb 2008 16:18:55 -0500
Subject: [Freeipa-devel] [PATCH] fix client install
Message-ID: <47C5D3BF.50300@redhat.com>

Adding a missing 'action' statement to the ldap.conf updater.

Fixed a small typo.

Moved the imports into a try/except so that ctrl-C is always caught.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-709-client.patch
Type: text/x-patch
Size: 2500 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Feb 27 21:20:49 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Feb 2008 16:20:49 -0500
Subject: [Freeipa-devel] [PATCH] admins group name is immutable
In-Reply-To: <1204130395.5684.61.camel@localhost.localdomain>
References: <47C58746.7090702@redhat.com> <1204130395.5684.61.camel@localhost.localdomain>
Message-ID: <47C5D431.8080603@redhat.com>

Simo Sorce wrote:
> On Wed, 2008-02-27 at 10:52 -0500, Rob Crittenden wrote:
>> The main admin group 'admins' is not changeable currently because it is
>> deeply embedded in a lot of ACI's and other things. Return a more useful
>> error message than "Insufficient Access" if someone tries to rename it.
>
> ack
>

pushed

From ssorce at redhat.com Wed Feb 27 22:08:50 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 27 Feb 2008 17:08:50 -0500
Subject: [Freeipa-devel] [PATCH] restructure tools
In-Reply-To: <47C58500.2030400@redhat.com>
References: <47C58500.2030400@redhat.com>
Message-ID: <1204150130.5684.78.camel@localhost.localdomain>

On Wed, 2008-02-27 at 10:42 -0500, Rob Crittenden wrote:
> This is a potentially disruptive patch to all the admin tools. I wanted
> to be able to catch KeyboardInterrupt but I needed to move all the
> imports under a try/except in order to catch it in all cases. If one
> interrupted early enough you'd catch it in the import phase which wasn't
> covered.
>
> So I moved all the imports into a main try/except which calls our main.
> I moved most other exceptions out of main into this top level try/except
> to make the individual functions more readable.
>
> I also found a difference in the way GSSError is handled in python 2.4
> and python 2.5 so I added a small helper to deal with it.

Wow, huge beast, but seems fine.
Haven't gone through every single line, just reviewed the general
changes, I trust you tested every single corner case :-P

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Feb 27 22:13:42 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 27 Feb 2008 17:13:42 -0500
Subject: [Freeipa-devel] [PATCH] Fix delegation
In-Reply-To: <47C5C4E7.2070102@redhat.com>
References: <47C5C4E7.2070102@redhat.com>
Message-ID: <1204150422.5684.80.camel@localhost.localdomain>

On Wed, 2008-02-27 at 15:15 -0500, Rob Crittenden wrote:
> In the UI we don't want to display Edit links unless someone can
> actually edit things. We use the 'editors' group for this. This group
> itself grants no permission other than displaying certain things in
> the UI.
>
> In order to be in the editors group a user must be a member of a group
> that is the source group in a delegation. The memberof plugin will do
> all the hard work to be sure that a user's memberof contains cn=editors
> if they are in a delegated group.

ack, good job

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Feb 27 22:14:00 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 27 Feb 2008 17:14:00 -0500
Subject: [Freeipa-devel] [PATCH] fix client install
In-Reply-To: <47C5D3BF.50300@redhat.com>
References: <47C5D3BF.50300@redhat.com>
Message-ID: <1204150440.5684.82.camel@localhost.localdomain>

On Wed, 2008-02-27 at 16:18 -0500, Rob Crittenden wrote:
> Adding a missing 'action' statement to the ldap.conf updater.
>
> Fixed a small typo.
>
> Moved the imports into a try/except so that ctrl-C is always caught.

ack

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Feb 27 22:18:21 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 27 Feb 2008 17:18:21 -0500
Subject: [Freeipa-devel] [PATCH] Don't log passwords during install
In-Reply-To: <47C434FB.2000205@redhat.com>
References: <47C434FB.2000205@redhat.com>
Message-ID: <1204150701.5684.84.camel@localhost.localdomain>

On Tue, 2008-02-26 at 10:49 -0500, Rob Crittenden wrote:
> Don't log passwords in ipaserver-install.log. We were logging the
> template used to create the DS instance and this contained the password.
> Use a regular expression to drop it before logging the rest.

ack

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Feb 27 22:24:52 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Feb 2008 17:24:52 -0500
Subject: [Freeipa-devel] [PATCH] restructure tools
In-Reply-To: <1204150130.5684.78.camel@localhost.localdomain>
References: <47C58500.2030400@redhat.com> <1204150130.5684.78.camel@localhost.localdomain>
Message-ID: <47C5E334.90802@redhat.com>

Simo Sorce wrote:
> On Wed, 2008-02-27 at 10:42 -0500, Rob Crittenden wrote:
>> This is a potentially disruptive patch to all the admin tools. I wanted
>> to be able to catch KeyboardInterrupt but I needed to move all the
>> imports under a try/except in order to catch it in all cases. If one
>> interrupted early enough you'd catch it in the import phase which wasn't
>> covered.
>>
>> So I moved all the imports into a main try/except which calls our main.
>> I moved most other exceptions out of main into this top level try/except
>> to make the individual functions more readable.
>>
>> I also found a difference in the way GSSError is handled in python 2.4
>> and python 2.5 so I added a small helper to deal with it.
>
> Wow, huge beast, but seems fine.
> Haven't gone through every single line, just reviewed the general
> changes, I trust you tested every single corner case :-P
>
> Simo.
>

I sure hope so. I tried to run each combination of add/find/mod/del.

pushed

From rcritten at redhat.com Wed Feb 27 22:24:59 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Feb 2008 17:24:59 -0500
Subject: [Freeipa-devel] [PATCH] Fix delegation
In-Reply-To: <1204150422.5684.80.camel@localhost.localdomain>
References: <47C5C4E7.2070102@redhat.com> <1204150422.5684.80.camel@localhost.localdomain>
Message-ID: <47C5E33B.2090607@redhat.com>

Simo Sorce wrote:
> On Wed, 2008-02-27 at 15:15 -0500, Rob Crittenden wrote:
>> In the UI we don't want to display Edit links unless someone can
>> actually edit things. We use the 'editors' group for this. This group
>> itself grants no permission other than displaying certain things in
>> the UI.
>>
>> In order to be in the editors group a user must be a member of a group
>> that is the source group in a delegation. The memberof plugin will do
>> all the hard work to be sure that a user's memberof contains cn=editors
>> if they are in a delegated group.
>
> ack, good job
>

pushed

From rcritten at redhat.com Wed Feb 27 22:25:10 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Feb 2008 17:25:10 -0500
Subject: [Freeipa-devel] [PATCH] fix client install
In-Reply-To: <1204150440.5684.82.camel@localhost.localdomain>
References: <47C5D3BF.50300@redhat.com> <1204150440.5684.82.camel@localhost.localdomain>
Message-ID: <47C5E346.1080503@redhat.com>

Simo Sorce wrote:
> On Wed, 2008-02-27 at 16:18 -0500, Rob Crittenden wrote:
>> Adding a missing 'action' statement to the ldap.conf updater.
>>
>> Fixed a small typo.
>>
>> Moved the imports into a try/except so that ctrl-C is always caught.
>
> ack
>

pushed

From rcritten at redhat.com Wed Feb 27 22:25:17 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Feb 2008 17:25:17 -0500
Subject: [Freeipa-devel] [PATCH] Don't log passwords during install
In-Reply-To: <1204150701.5684.84.camel@localhost.localdomain>
References: <47C434FB.2000205@redhat.com> <1204150701.5684.84.camel@localhost.localdomain>
Message-ID: <47C5E34D.7090607@redhat.com>

Simo Sorce wrote:
> On Tue, 2008-02-26 at 10:49 -0500, Rob Crittenden wrote:
>> Don't log passwords in ipaserver-install.log. We were logging the
>> template used to create the DS instance and this contained the password.
>> Use a regular expression to drop it before logging the rest.
>
> ack
>

pushed

From mike at flyn.org Thu Feb 28 09:15:14 2008
From: mike at flyn.org (W. Michael Petullo)
Date: Thu, 28 Feb 2008 13:45:14 +0430
Subject: [Freeipa-devel] [PATCH] Replace OpenLDAP with mozldap
In-Reply-To: <1204066438.5684.47.camel@localhost.localdomain>
References: <20080224141040.GA19318@imp.flyn.org> <1204066438.5684.47.camel@localhost.localdomain>
Message-ID: <20080228091514.GA21896@imp.flyn.org>

>> I've attached a patch that begins the process of replacing OpenLDAP with
>> mozldap. FreeIPA relies on RedHat's Directory Server, which uses mozldap. A
>> FreeIPA build using mozldap would reduce the project's dependencies and
>> redundant code. In addition, mozldap uses NSS instead of OpenSSL. This is
>> beneficial for the reasons listed in [1].
>>
>> [1] http://fedoraproject.org/wiki/FedoraCryptoConsolidation

> patch may make sense for shipping for Fedora, but it would be better to
> have a patch that makes the choice between mozldap or openldap libraries
> a compile time option.
> This is because admin tools and client tools are not meant to be run on
> the server only and other distributions may not ship the mozldap bits.
>
> Do you think you can modify the patch to make it possible to select
> either library through a configure option?
>
> Simo.

Attached is a new patch. This patch now allows one to specify
--with-openldap if they want to continue using OpenLDAP, otherwise
mozldap is used. The exception is ipa-server's ipa-slapi-plugins, which
will not build against OpenLDAP.
-- Mike :wq -------------- next part -------------- Only in freeipa-0.99/ipa-client: aclocal.m4 Only in freeipa-0.99/ipa-client: autom4te.cache Only in freeipa-0.99/ipa-client: config.guess Only in freeipa-0.99/ipa-client: config.h.in Only in freeipa-0.99/ipa-client: config.sub Only in freeipa-0.99/ipa-client: configure diff -u --recursive freeipa-0.99-vanilla/ipa-client/configure.ac freeipa-0.99/ipa-client/configure.ac --- freeipa-0.99-vanilla/ipa-client/configure.ac 2008-02-18 18:21:39.000000000 +0430 +++ freeipa-0.99/ipa-client/configure.ac 2008-02-28 01:22:57.000000000 +0430 
@@ -82,42 +82,47 @@ AC_SUBST(KRB5_LIBS) dnl --------------------------------------------------------------------------- -dnl - Check for LDAP +dnl - Check for Mozilla LDAP or OpenLDAP SDK dnl --------------------------------------------------------------------------- -LDAP_LIBS= -AC_CHECK_HEADER(ldap.h) -AC_CHECK_HEADER(lber.h) - -AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes) -dnl Check for other libraries we need to link with to get the main routines. -test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) } -test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) } -test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) } -dnl Recently, we need -lber even though the main routines are elsewhere, -dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on. So just -dnl check for that (it's a variable not a fun but that doesn't seem to -dnl matter in these checks) and stick in -lber if so. Can't hurt (even to -dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who -dnl #### understands LDAP needs to fix this properly. -test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) } - -if test "$with_ldap" = "yes"; then - if test "$with_ldap_des" = "yes" ; then - LDAP_LIBS="${LDAP_LIBS} -ldes" - fi - if test "$with_ldap_krb" = "yes" ; then - LDAP_LIBS="${LDAP_LIBS} -lkrb" - fi - if test "$with_ldap_lber" = "yes" ; then - LDAP_LIBS="${LDAP_LIBS} -llber" - fi - LDAP_LIBS="${LDAP_LIBS} -lldap" +AC_ARG_WITH(openldap, [ --with-openldap Use OpenLDAP]) + +if test x$with_openldap = xyes; then + AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes) + dnl Check for other libraries we need to link with to get the main routines. 
+ test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) } + test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) } + test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) } + dnl Recently, we need -lber even though the main routines are elsewhere, + dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on. So just + dnl check for that (it's a variable not a fun but that doesn't seem to + dnl matter in these checks) and stick in -lber if so. Can't hurt (even to + dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who + dnl #### understands LDAP needs to fix this properly. + test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) } + + if test "$with_ldap" = "yes"; then + if test "$with_ldap_des" = "yes" ; then + OPENLDAP_LIBS="${OPENLDAP_LIBS} -ldes" + fi + if test "$with_ldap_krb" = "yes" ; then + OPENLDAP_LIBS="${OPENLDAP_LIBS} -lkrb" + fi + if test "$with_ldap_lber" = "yes" ; then + OPENLDAP_LIBS="${OPENLDAP_LIBS} -llber" + fi + OPENLDAP_LIBS="${OPENLDAP_LIBS} -lldap" + else + AC_MSG_ERROR([OpenLDAP not found]) + fi + + AC_SUBST(OPENLDAP_LIBS) else - AC_MSG_ERROR([LDAP not found]) + PKG_CHECK_MODULES(MOZLDAP, mozldap > 6) + MOZLDAP_CFLAGS="${MOZLDAP_CFLAGS} -DWITH_MOZLDAP" + AC_SUBST(MOZLDAP_CFLAGS) fi -AC_SUBST(LDAP_LIBS) dnl --------------------------------------------------------------------------- dnl - Check for POPT Only in freeipa-0.99/ipa-client: COPYING Only in freeipa-0.99/ipa-client: depcomp Only in freeipa-0.99/ipa-client/firefox: Makefile.in Only in freeipa-0.99/ipa-client: INSTALL Only in freeipa-0.99/ipa-client: install-sh Only in freeipa-0.99/ipa-client/ipaclient: Makefile.in diff -u --recursive freeipa-0.99-vanilla/ipa-client/ipa-getkeytab.c 
freeipa-0.99/ipa-client/ipa-getkeytab.c --- freeipa-0.99-vanilla/ipa-client/ipa-getkeytab.c 2008-02-18 18:21:39.000000000 +0430 +++ freeipa-0.99/ipa-client/ipa-getkeytab.c 2008-02-28 09:42:09.000000000 +0430 @@ -31,7 +31,11 @@ #include #include #include +#ifdef WITH_MOZLDAP +#include +#else #include +#endif #include #include @@ -275,7 +279,6 @@ BerElement *ctrl = NULL; BerElement *sctrl = NULL; struct berval *control = NULL; - char *ldap_uri = NULL; struct berval **ncvals; char *ldap_base = NULL; char *retoid = NULL; @@ -306,23 +309,16 @@ goto error_out; } - /* connect to ldap server */ - ret = asprintf(&ldap_uri, "ldap://%s:389", servername); - if (ret == -1) { - fprintf(stderr, "Unable to determine server URI!\n"); - goto error_out; - } - /* TODO: support referrals ? */ - ret = ldap_initialize(&ld, ldap_uri); - if(ret != LDAP_SUCCESS) { + ld = ldap_init(servername, 389); + if(ld == NULL) { fprintf(stderr, "Unable to initialize ldap library!\n"); goto error_out; } version = LDAP_VERSION3; ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version); - if (ret != LDAP_OPT_SUCCESS) { + if (ret != LDAP_SUCCESS) { fprintf(stderr, "Unable to set ldap options!\n"); goto error_out; } @@ -427,8 +423,7 @@ ber_free(sctrl, 1); ldap_controls_free(srvctrl); ldap_msgfree(res); - ldap_unbind_ext_s(ld, NULL, NULL); - free(ldap_uri); + ldap_unbind_ext(ld, NULL, NULL); return kvno; error_out: 
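Review bot: in the ipa-getkeytab.c hunk at @@ -306,23 +309,16 @@, replacing `ldap_initialize(&ld, ldap_uri)` with `ld = ldap_init(servername, 389);` for both backends moves the OpenLDAP build onto a deprecated entry point: OpenLDAP only declares `ldap_init()` when `LDAP_DEPRECATED` is defined, so the non-mozldap build of this file will hit an implicit declaration unless that macro is added to the CFLAGS. The `#ifdef WITH_MOZLDAP` switch this patch adds around the include already gives a branch point; keep `ldap_initialize()` (and the `ldap_uri` it needs) under `#else` and use `ldap_init()` only in the mozldap branch. The URI-based call is also what lets this connection move from plain `ldap://host:389` to TLS later; a host-and-port `ldap_init()` with 389 hard-coded makes that harder. Changing the check after `ldap_set_option()` from `LDAP_OPT_SUCCESS` to `LDAP_SUCCESS` is harmless on OpenLDAP (both are 0).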
@@ -436,8 +431,7 @@ if (srvctrl) ldap_controls_free(srvctrl); if (err) ldap_memfree(err); if (res) ldap_msgfree(res); - if (ld) ldap_unbind_ext_s(ld, NULL, NULL); - if (ldap_uri) free(ldap_uri); + if (ld) ldap_unbind_ext(ld, NULL, NULL); if (control) ber_bvfree(control); if (encs) free(encs); return 0; Only in freeipa-0.99/ipa-client/ipa-install: Makefile.in Only in freeipa-0.99/ipa-client: ltmain.sh diff -u --recursive freeipa-0.99-vanilla/ipa-client/Makefile.am freeipa-0.99/ipa-client/Makefile.am --- freeipa-0.99-vanilla/ipa-client/Makefile.am 2008-02-18 18:21:39.000000000 +0430 +++ freeipa-0.99/ipa-client/Makefile.am 2008-02-28 00:42:37.000000000 +0430 @@ -13,7 +13,8 @@ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ $(KRB5_CFLAGS) \ - $(LDAP_CFLAGS) \ + $(OPENLDAP_CFLAGS) \ + $(MOZLDAP_CFLAGS) \ $(SASL_CFLAGS) \ $(POPT_CFLAGS) \ $(WARN_CFLAGS) \ @@ -29,7 +30,8 @@ ipa_getkeytab_LDADD = \ $(KRB5_LIBS) \ - $(LDAP_LIBS) \ + $(OPENLDAP_LIBS) \ + $(MOZLDAP_LIBS) \ $(SASL_LIBS) \ $(POPT_LIBS) \ $(NULL) Only in freeipa-0.99/ipa-client: Makefile.in Only in freeipa-0.99/ipa-client: missing Only in freeipa-0.99/ipa-client: py-compile Only in freeipa-0.99/ipa-server: aclocal.m4 Only in freeipa-0.99/ipa-server: autom4te.cache Only in freeipa-0.99/ipa-server: config.guess Only in freeipa-0.99/ipa-server: config.h.in Only in freeipa-0.99/ipa-server: config.sub Only in freeipa-0.99/ipa-server: configure diff -u --recursive freeipa-0.99-vanilla/ipa-server/configure.ac freeipa-0.99/ipa-server/configure.ac --- freeipa-0.99-vanilla/ipa-server/configure.ac 2008-02-18 18:21:39.000000000 +0430 +++ freeipa-0.99/ipa-server/configure.ac 2008-02-28 13:13:16.000000000 +0430 
@@ -87,48 +87,55 @@ AC_SUBST(KRB5_LIBS) dnl --------------------------------------------------------------------------- -dnl - Check for LDAP +dnl - Check for Mozilla LDAP or OpenLDAP SDK dnl --------------------------------------------------------------------------- -LDAP_LIBS= -AC_CHECK_HEADER(ldap.h) -AC_CHECK_HEADER(lber.h) - -AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes) -dnl Check for other libraries we need to link with to get the main routines. -test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) } -test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) } -test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) } -dnl Recently, we need -lber even though the main routines are elsewhere, -dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on. So just -dnl check for that (it's a variable not a fun but that doesn't seem to -dnl matter in these checks) and stick in -lber if so. Can't hurt (even to -dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who -dnl #### understands LDAP needs to fix this properly. -test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) } - -if test "$with_ldap" = "yes"; then - if test "$with_ldap_des" = "yes" ; then - LDAP_LIBS="${LDAP_LIBS} -ldes" - fi - if test "$with_ldap_krb" = "yes" ; then - LDAP_LIBS="${LDAP_LIBS} -lkrb" - fi - if test "$with_ldap_lber" = "yes" ; then - LDAP_LIBS="${LDAP_LIBS} -llber" - fi - LDAP_LIBS="${LDAP_LIBS} -lldap" -else - AC_MSG_ERROR([LDAP not found]) -fi +AC_ARG_WITH(openldap, [ --with-openldap Use OpenLDAP]) -AC_SUBST(LDAP_LIBS) +dnl The mozldap libraries are always needed because ipa-slapi-plugins/dna/ +dnl will not build against OpenLDAP. 
+PKG_CHECK_MODULES(MOZLDAP, mozldap > 6) -dnl --------------------------------------------------------------------------- -dnl - Check for Mozilla LDAP SDK -dnl --------------------------------------------------------------------------- +if test x$with_openldap = xyes; then + AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes) + dnl Check for other libraries we need to link with to get the main routines. + test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) } + test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) } + test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) } + dnl Recently, we need -lber even though the main routines are elsewhere, + dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on. So just + dnl check for that (it's a variable not a fun but that doesn't seem to + dnl matter in these checks) and stick in -lber if so. Can't hurt (even to + dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who + dnl #### understands LDAP needs to fix this properly. 
+ test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) } + + if test "$with_ldap" = "yes"; then + if test "$with_ldap_des" = "yes" ; then + LDAP_LIBS="${LDAP_LIBS} -ldes" + fi + if test "$with_ldap_krb" = "yes" ; then + LDAP_LIBS="${LDAP_LIBS} -lkrb" + fi + if test "$with_ldap_lber" = "yes" ; then + LDAP_LIBS="${LDAP_LIBS} -llber" + fi + LDAP_LIBS="${LDAP_LIBS} -lldap" + else + AC_MSG_ERROR([OpenLDAP not found]) + fi + + AC_SUBST(LDAP_LIBS) -PKG_CHECK_MODULES(MOZLDAP, mozldap > 6) + LDAP_CFLAGS="${LDAP_CFLAGS} -DWITH_OPENLDAP" + AC_SUBST(LDAP_CFLAGS) +else + LDAP_LIBS="${MOZLDAP_LIBS}" + AC_SUBST(LDAP_LIBS) + + LDAP_CFLAGS="${LDAP_CFLAGS} -DWITH_MOZLDAP" + AC_SUBST(LDAP_CFLAGS) +fi dnl --------------------------------------------------------------------------- dnl - Check for OpenSSL Crypto library Only in freeipa-0.99/ipa-server: COPYING Only in freeipa-0.99/ipa-server: depcomp Only in freeipa-0.99/ipa-server: INSTALL Only in freeipa-0.99/ipa-server: install-sh Only in freeipa-0.99/ipa-server/ipa-gui/ipagui/config: Makefile.in Only in freeipa-0.99/ipa-server/ipa-gui/ipagui/forms: Makefile.in Only in freeipa-0.99/ipa-server/ipa-gui/ipagui/helpers: Makefile.in Only in freeipa-0.99/ipa-server/ipa-gui/ipagui: Makefile.in Only in freeipa-0.99/ipa-server/ipa-gui/ipagui/static/css: Makefile.in Only in freeipa-0.99/ipa-server/ipa-gui/ipagui/static/images/branding: Makefile.in Only in freeipa-0.99/ipa-server/ipa-gui/ipagui/static/images: Makefile.in Only in freeipa-0.99/ipa-server/ipa-gui/ipagui/static/images/template: Makefile.in Only in freeipa-0.99/ipa-server/ipa-gui/ipagui/static/javascript: Makefile.in Only in freeipa-0.99/ipa-server/ipa-gui/ipagui/static: Makefile.in Only in freeipa-0.99/ipa-server/ipa-gui/ipagui/subcontrollers: Makefile.in Only in freeipa-0.99/ipa-server/ipa-gui/ipagui/templates: Makefile.in Only in freeipa-0.99/ipa-server/ipa-gui/ipagui/tests: Makefile.in Only in 
freeipa-0.99/ipa-server/ipa-gui/ipa_gui.egg-info: Makefile.in Only in freeipa-0.99/ipa-server/ipa-gui: Makefile.in Only in freeipa-0.99/ipa-server/ipa-install: Makefile.in Only in freeipa-0.99/ipa-server/ipa-install/share: Makefile.in diff -u --recursive freeipa-0.99-vanilla/ipa-server/ipa-kpasswd/ipa_kpasswd.c freeipa-0.99/ipa-server/ipa-kpasswd/ipa_kpasswd.c --- freeipa-0.99-vanilla/ipa-server/ipa-kpasswd/ipa_kpasswd.c 2008-02-18 18:21:39.000000000 +0430 +++ freeipa-0.99/ipa-server/ipa-kpasswd/ipa_kpasswd.c 2008-02-28 09:41:37.000000000 +0430 @@ -39,13 +39,23 @@ #include #include #include +#ifdef WITH_MOZLDAP +#include +#else #include +#endif #include #define DEFAULT_KEYTAB "FILE:/var/kerberos/krb5kdc/kpasswd.keytab" #define TMP_TEMPLATE "/tmp/kpasswd.XXXXXX" #define KPASSWD_PORT 464 +#ifdef WITH_MOZLDAP +/* From OpenLDAP's ldap.h */ +#define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U) +#define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U) +#endif + /* blacklist entries are released only BLCAKLIST_TIMEOUT seconds * after the children performing the noperation has finished. * this is to avoid races */ @@ -310,7 +320,6 @@ struct berval control; struct berval newpw; char hostname[1024]; - char *ldap_uri = NULL; struct berval **ncvals; char *ldap_base = NULL; char *filter; @@ -367,17 +376,10 @@ goto done; } - ret = asprintf(&ldap_uri, "ldap://%s:389", hostname); - if (ret == -1) { - syslog(LOG_ERR, "Out of memory!"); - ret = KRB5_KPASSWD_HARDERROR; - goto done; - } - /* connect to ldap server */ /* TODO: support referrals ? */ - ret = ldap_initialize(&ld, ldap_uri); - if(ret != LDAP_SUCCESS) { + ld = ldap_init(hostname, 389); + if(ld == NULL) { syslog(LOG_ERR, "Unable to connect to ldap server"); ret = KRB5_KPASSWD_HARDERROR; goto done; 
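Review bot: in the ipa_kpasswd.c hunk at @@ -367,17 +376,10 @@, the message `syslog(LOG_ERR, "Unable to connect to ldap server")` is now wrong: `ldap_init()` does not open a connection, it only allocates the handle, so a NULL return means allocation or argument failure, not an unreachable server. Reword it ("Unable to initialize ldap library", as ipa-getkeytab.c logs) and make sure the bind or extended-operation call that actually connects reports its own error with `ldap_err2string()`, otherwise a down directory server will be logged as a library failure. Same point as for the client: `ldap_init()` is only declared by OpenLDAP when `LDAP_DEPRECATED` is defined, so either add that define for the OpenLDAP build or keep `ldap_initialize()` under `#ifndef WITH_MOZLDAP` here.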
@@ -385,7 +387,7 @@ version = LDAP_VERSION3; ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version); - if (ret != LDAP_OPT_SUCCESS) { + if (ret != LDAP_SUCCESS) { syslog(LOG_ERR, "Unable to set ldap protocol version"); ret = KRB5_KPASSWD_HARDERROR; goto done; @@ -480,11 +482,12 @@ ret = KRB5_KPASSWD_HARDERROR; goto done; } + ber_printf(ctrl, "{tstON}", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, userdn, LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, &newpw); - ret = ber_flatten2(ctrl, &control, 0); + ret = ber_flatten(ctrl, &control); if (ret < 0) { syslog(LOG_ERR, "ber flattening failed!"); ret = KRB5_KPASSWD_HARDERROR; @@ -645,8 +648,7 @@ if (exterr1) free(exterr1); if (exterr2) free(exterr2); if (userdn) free(userdn); - if (ld) ldap_unbind_ext_s(ld, NULL, NULL); - if (ldap_uri) free(ldap_uri); + if (ld) ldap_unbind_ext(ld, NULL, NULL); if (tmp_file) { unlink(tmp_file); free(tmp_file); Only in freeipa-0.99/ipa-server/ipa-kpasswd: Makefile.in Only in freeipa-0.99/ipa-server/ipaserver: Makefile.in diff -u --recursive freeipa-0.99-vanilla/ipa-server/ipa-slapi-plugins/dna/Makefile.am freeipa-0.99/ipa-server/ipa-slapi-plugins/dna/Makefile.am --- freeipa-0.99-vanilla/ipa-server/ipa-slapi-plugins/dna/Makefile.am 2008-02-18 18:21:39.000000000 +0430 +++ freeipa-0.99/ipa-server/ipa-slapi-plugins/dna/Makefile.am 2008-02-28 13:05:26.000000000 +0430 @@ -9,7 +9,6 @@ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ $(MOZLDAP_CFLAGS) \ - $(LDAP_CFLAGS) \ $(KRB5_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) Only in freeipa-0.99/ipa-server/ipa-slapi-plugins/dna: Makefile.in diff -u --recursive freeipa-0.99-vanilla/ipa-server/ipa-slapi-plugins/ipa-memberof/Makefile.am freeipa-0.99/ipa-server/ipa-slapi-plugins/ipa-memberof/Makefile.am --- freeipa-0.99-vanilla/ipa-server/ipa-slapi-plugins/ipa-memberof/Makefile.am 2008-02-18 18:21:39.000000000 +0430 +++ freeipa-0.99/ipa-server/ipa-slapi-plugins/ipa-memberof/Makefile.am 2008-02-28 13:05:17.000000000 +0430 
@@ -9,7 +9,6 @@ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ $(MOZLDAP_CFLAGS) \ - $(LDAP_CFLAGS) \ $(KRB5_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) Only in freeipa-0.99/ipa-server/ipa-slapi-plugins/ipa-memberof: Makefile.in diff -u --recursive freeipa-0.99-vanilla/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am freeipa-0.99/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am --- freeipa-0.99-vanilla/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am 2008-02-18 18:21:39.000000000 +0430 +++ freeipa-0.99/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am 2008-02-28 13:04:58.000000000 +0430 @@ -9,7 +9,6 @@ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ $(MOZLDAP_CFLAGS) \ - $(LDAP_CFLAGS) \ $(KRB5_CFLAGS) \ $(SSL_CFLAGS) \ $(WARN_CFLAGS) \ Only in freeipa-0.99-vanilla/ipa-server/ipa-slapi-plugins/ipa-pwd-extop: .Makefile.am.swp Only in freeipa-0.99/ipa-server/ipa-slapi-plugins/ipa-pwd-extop: Makefile.in Only in freeipa-0.99/ipa-server/ipa-slapi-plugins: Makefile.in Only in freeipa-0.99/ipa-server: ltmain.sh Only in freeipa-0.99/ipa-server: Makefile.in Only in freeipa-0.99/ipa-server: missing Only in freeipa-0.99/ipa-server: py-compile Only in freeipa-0.99/ipa-server/xmlrpc-server: Makefile.in Only in freeipa-0.99/ipa-server/xmlrpc-server/test: Makefile.in From rcritten at redhat.com Thu Feb 28 16:34:28 2008 
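Review bot: in the ipa_kpasswd.c hunk at @@ -480,11 +482,12 @@, `ret = ber_flatten(ctrl, &control);` does not match the declaration left as unchanged context in the earlier hunk, `struct berval control;`. `ber_flatten()` takes a `struct berval **` and allocates a new berval, whereas `ber_flatten2(ctrl, &control, 0)` filled in the caller's `struct berval`. Passing `&control` (a `struct berval *`) is an incompatible pointer type; if the compiler lets it through, the library writes a pointer over `control.bv_len` and the password-modify extended request built from it is corrupt. Either change the declaration to `struct berval *control = NULL;`, pass `control` where the request value is used, and `ber_bvfree(control)` at `done:`, or keep `ber_flatten2()` in the OpenLDAP branch and use `ber_flatten()` with the pointer form only under `WITH_MOZLDAP`.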
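Review bot: in the ipa-client/configure.ac hunk at @@ -82,42 +82,47 @@, the `--with-openldap` branch substitutes only `OPENLDAP_LIBS`, yet the ipa-client/Makefile.am hunk adds `$(OPENLDAP_CFLAGS)` to the compile flags; nothing ever sets or `AC_SUBST`s `OPENLDAP_CFLAGS`, so it always expands empty. Either define and substitute it here or drop the reference. The hunk also flips the client's default: without `--with-openldap` the build now requires `mozldap > 6` through `PKG_CHECK_MODULES`, and nothing in this patch updates the client's build requirements or documents the new option, so add a note in the commit message and the matching BuildRequires. Minor: wrap the `AC_ARG_WITH` help text in `AS_HELP_STRING([--with-openldap], [Use OpenLDAP])` so it lines up with the other `--help` entries.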
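Review bot: in the ipa-server/configure.ac hunk at @@ -87,48 +87,55 @@, the `--with-openldap` branch adds `-DWITH_OPENLDAP` to `LDAP_CFLAGS`, but no C change in this patch tests `WITH_OPENLDAP`; ipa_kpasswd.c and ipa-getkeytab.c both branch on `#ifdef WITH_MOZLDAP`, and the client configure.ac never defines `WITH_OPENLDAP` at all. Pick one convention (defining only `WITH_MOZLDAP` and treating its absence as OpenLDAP is what the sources already do) and drop the unused define, or the two trees will drift. The comment explaining why `PKG_CHECK_MODULES(MOZLDAP, ...)` is unconditional on the server (the dna plugin only builds against mozldap) is the right kind of note; the removal of `$(LDAP_CFLAGS)` from the three slapi-plugin Makefile.am files is consistent with it.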
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Feb 2008 11:34:28 -0500
Subject: [Freeipa-devel] [PATCH] ipa-modgroup update
Message-ID: <47C6E294.90703@redhat.com>

Update ipa-modgroup to allow groups to be added as a group member. It used to support just users.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-710-modgroup.patch
Type: text/x-patch
Size: 4382 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rcritten at redhat.com Thu Feb 28 16:40:26 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Feb 2008 11:40:26 -0500
Subject: [Freeipa-devel] [PATCH] ipactl script
Message-ID: <47C6E3FA.5050509@redhat.com>

The services that IPA uses need to be started in a particular order for them to work in concert together. Attached is a small script that will start/stop/restart the services in the proper order.

The big one is that dirsrv needs to start before the KDC since it is the backend.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-711-ipactl.patch
Type: text/x-patch
Size: 4287 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From ssorce at redhat.com Thu Feb 28 18:37:17 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 28 Feb 2008 13:37:17 -0500
Subject: [Freeipa-devel] [PATCH] Fix DS bootstrap process
Message-ID: <47C6FF5D.1080408@redhat.com>

Avoids creation of default entries that we don't use by DS's setup scripts.

Simo.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-694-fix-bootstrap.patch
Type: text/x-patch
Size: 3549 bytes
Desc: not available
URL:

From daobrien at redhat.com Fri Feb 29 00:18:48 2008
From: daobrien at redhat.com (David O'Brien)
Date: Fri, 29 Feb 2008 10:18:48 +1000
Subject: [Freeipa-devel] [PATCH] ipactl script
In-Reply-To: <47C6E3FA.5050509@redhat.com>
References: <47C6E3FA.5050509@redhat.com>
Message-ID: <47C74F68.1010000@redhat.com>

Can I get a bit more info on this?

"ipactl" is the name of the script that starts/stops the list of services that IPA relies on? So, I can run /usr/sbin/ipactl start|stop to start or stop all the IPA-related services? Or, will it be implemented as a service itself (service ipactl start|stop)? The latter seems less likely...

Is there a restart option or do you have to do stop and then start? Does start check for running instances? Is there the possibility of getting multiple instances of a service?

Questions, questions, questions... :)

cheers
/dob

Rob Crittenden wrote:
> The services that IPA uses need to be started in a particular order
> for them to work in concert together. Attached is a small script that
> will start/stop/restart the services in the proper order.
>
> The big one is that dirsrv needs to start before the KDC since it is
> the backend.
>
> rob
> ------------------------------------------------------------------------
>
> # HG changeset patch
> # User Rob Crittenden
> # Date 1204216626 18000
> # Node ID e95a447bef88f25c2e47f757f3db2c0ca09fdef4
> # Parent 6cda4822300d6c9e559f1dce3f76777d5eb044ff
> Add small script to start/stop all of the services that IPA requires in the
> proper order.
>
> 435026
>
> diff -r 6cda4822300d -r e95a447bef88 ipa-server/ipa-install/Makefile.am > --- a/ipa-server/ipa-install/Makefile.am Thu Feb 28 11:34:34 2008 -0500 > +++ b/ipa-server/ipa-install/Makefile.am Thu Feb 28 11:37:06 2008 -0500 > @@ -10,6 +10,7 @@ sbin_SCRIPTS = \ > ipa-replica-prepare \ > ipa-replica-manage \ > ipa-server-certinstall \ > + ipactl \ > $(NULL) > > EXTRA_DIST = \ > diff -r 6cda4822300d -r e95a447bef88 ipa-server/ipa-install/ipactl > --- /dev/null Thu Jan 01 00:00:00 1970 +0000
> +++ b/ipa-server/ipa-install/ipactl Thu Feb 28 11:37:06 2008 -0500 > @@ -0,0 +1,57 @@ > +#!/bin/sh > +# > +# Copyright (C) 2008 Red Hat > +# see file 'COPYING' for use and warranty information > +# > +# This program is free software; you can redistribute it and/or > +# modify it under the terms of the GNU General Public License as > +# published by the Free Software Foundation; version 2 only > +# > +# This program is distributed in the hope that it will be useful, > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +# GNU General Public License for more details. > +# > +# You should have received a copy of the GNU General Public License > +# along with this program; if not, write to the Free Software > +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA > +# > +# > +# IPA control to start/stop the various services required for IPA in the > +# proper order > +# > + > +function start() { > + /sbin/service ntpd start > + /sbin/service dirsrv start > + /sbin/service krb5kdc start > + /sbin/service httpd start > + /sbin/service ipa_kpasswd start > + /sbin/service ipa_webgui start > +} > + > +function stop() { > + /sbin/service ipa_webgui stop > + /sbin/service ipa_kpasswd stop > + /sbin/service httpd stop > + /sbin/service krb5kdc stop > + /sbin/service dirsrv stop > + /sbin/service ntpd stop > +} > + > +case "$1" in > +restart) > + stop > + start > + ;; > +start) > + start > + ;; > +stop) > + stop > + ;; > +*) > + echo "Usage: ipactl {start|stop|restart}" > + exit 1 > + ;; > +esac > diff -r 6cda4822300d -r e95a447bef88 ipa-server/ipa-server.spec > --- a/ipa-server/ipa-server.spec Thu Feb 28 11:34:34 2008 -0500 > +++ b/ipa-server/ipa-server.spec Thu Feb 28 11:37:06 2008 -0500 > @@ -1,6 +1,6 @@ Name: ipa-server > Name: ipa-server > Version: 0.99.0 > -Release: 2%{?dist} > +Release: 3%{?dist} > Summary: IPA authentication server > > Group: System Environment/Base 
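Review bot: in the quoted ipa-server/ipa-install/ipactl hunk (@@ -0,0 +1,57 @@), `start()` ignores the exit status of every `/sbin/service ... start` call, so if `dirsrv` fails to come up the script still starts `krb5kdc`, `httpd`, `ipa_kpasswd` and `ipa_webgui` against a missing backend and exits 0. The header comment says the order matters precisely because dirsrv is the backend, so enforce it: `/sbin/service dirsrv start || exit $?` (or a small helper that stops what was already started and exits non-zero), and the same for each following service. `stop()` has the same gap in the other direction, and `restart` then runs `start` even when `stop` failed. Two smaller points: `function start()` is a bash-ism under a `#!/bin/sh` shebang, so write `start() {`; and stopping `ntpd` on `ipactl stop` takes down a system service other things may depend on, which deserves a comment in the script or a line in the commit message.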
> @@ -112,6 +112,7 @@ fi > %{_sbindir}/ipa-replica-prepare > %{_sbindir}/ipa-replica-manage > %{_sbindir}/ipa-server-certinstall > +%{_sbindir}/ipactl > %{_sbindir}/ipa_kpasswd > %{_sbindir}/ipa_webgui > %attr(755,root,root) %{_initrddir}/ipa_kpasswd > @@ -151,6 +152,9 @@ fi > %attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions > > %changelog > +* Thu Feb 26 2008 Rob Crittenden - 0.99.0-3 > +- Add ipactl command > + > * Thu Feb 21 2008 Rob Crittenden - 0.99.0-2 > - package new file ipa-rewrite.conf > > diff -r 6cda4822300d -r e95a447bef88 ipa-server/ipa-server.spec.in > --- a/ipa-server/ipa-server.spec.in Thu Feb 28 11:34:34 2008 -0500 > +++ b/ipa-server/ipa-server.spec.in Thu Feb 28 11:37:06 2008 -0500 > @@ -1,6 +1,6 @@ Name: ipa-server > Name: ipa-server > Version: VERSION > -Release: 2%{?dist} > +Release: 3%{?dist} > Summary: IPA authentication server > > Group: System Environment/Base > @@ -112,6 +112,7 @@ fi > %{_sbindir}/ipa-replica-prepare > %{_sbindir}/ipa-replica-manage > %{_sbindir}/ipa-server-certinstall > +%{_sbindir}/ipactl > %{_sbindir}/ipa_kpasswd > %{_sbindir}/ipa_webgui > %attr(755,root,root) %{_initrddir}/ipa_kpasswd > @@ -151,6 +152,9 @@ fi > %attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions > > %changelog > +* Thu Feb 26 2008 Rob Crittenden - 0.99.0-3 > +- Add ipactl command > + > * Thu Feb 21 2008 Rob Crittenden - 0.99.0-2 > - package new file ipa-rewrite.conf > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- David O'Brien IPA Content Author There are 10 types of people in the world: Those who understand binary, and those who don't. From daobrien at redhat.com Fri Feb 29 01:02:58 2008 
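Review bot: in both the ipa-server.spec and ipa-server.spec.in `%changelog` hunks (@@ -151,6 +152,9 @@), the new entry is dated `Thu Feb 26 2008`, but 26 Feb 2008 was a Tuesday (the patch itself is dated Thu, 28 Feb 2008). rpmbuild reports this as a bogus date in %changelog; use `Thu Feb 28 2008` in both files.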
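The start/stop ordering Rob describes above, as an added example that is not part of the original post or of the ipactl script in the patch: a POSIX sh version that starts the services in dependency order, stops what it already started (in reverse) when one of them fails, and returns non-zero so the caller can see it. The service list mirrors the quoted script; `SERVICE_CMD` is an assumed hook (defaulting to `/sbin/service`) that lets the logic be exercised with a stand-in instead of the real init scripts.

```shell
#!/bin/sh
# Added example, not the ipactl script from the patch: dependency-ordered
# start/stop/restart for the IPA services with failure handling.
#
# Assumptions: the service list below mirrors the quoted script, and
# SERVICE_CMD is a hypothetical hook (default /sbin/service) so the logic
# can be exercised with a stand-in instead of the real init scripts.

# Dependencies first: dirsrv is the KDC backend, so it precedes krb5kdc.
IPA_SERVICES="ntpd dirsrv krb5kdc httpd ipa_kpasswd ipa_webgui"

: "${SERVICE_CMD:=/sbin/service}"

# run_service NAME ACTION: invoke the service wrapper, pass its status up.
run_service() {
    "$SERVICE_CMD" "$1" "$2"
}

# reverse_list "a b c" prints "c b a" (stop order is the reverse of start).
reverse_list() {
    out=""
    for item in $1; do
        out="$item $out"
    done
    printf '%s' "${out% }"
}

# ipa_stop [LIST]: stop in reverse order. Keep going past a failed stop so
# the rest still come down, but report the failure in the exit status.
ipa_stop() {
    if [ $# -gt 0 ]; then list=$1; else list=$IPA_SERVICES; fi
    rc=0
    for svc in $(reverse_list "$list"); do
        run_service "$svc" stop || rc=1
    done
    return $rc
}

# ipa_start: start in order. On the first failure, stop what was already
# started (in reverse) and return non-zero instead of leaving a half-up stack.
ipa_start() {
    started=""
    for svc in $IPA_SERVICES; do
        if run_service "$svc" start; then
            started="$started $svc"
        else
            echo "ipactl: failed to start $svc, stopping what was started" >&2
            ipa_stop "${started# }"
            return 1
        fi
    done
    return 0
}

ipa_restart() {
    ipa_stop && ipa_start
}

# Dispatch only when invoked with an action, so the file can also be sourced.
if [ $# -gt 0 ]; then
    case "$1" in
        start)   ipa_start ;;
        stop)    ipa_stop ;;
        restart) ipa_restart ;;
        *) echo "Usage: $0 {start|stop|restart}" >&2; exit 1 ;;
    esac
    exit $?
fi
```

Run as `ipactl start|stop|restart`; the exit status is non-zero whenever any service failed, which is what an init script or an admin's shell needs to notice a partially started stack. Stopping deliberately continues past a failed stop, since the remaining services should still be brought down, whereas starting aborts at the first failure because everything after dirsrv depends on it.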
From: daobrien at redhat.com (David O'Brien) Date: Fri, 29 Feb 2008 11:02:58 +1000 Subject: [Freeipa-devel] [PATCH] ipactl script In-Reply-To: <47C74F68.1010000@redhat.com> References: <47C6E3FA.5050509@redhat.com> <47C74F68.1010000@redhat.com> Message-ID: <47C759C2.4070904@redhat.com> Just found the bug related to this with some info: # /usr/sbin/ipactl Usage: ipactl {start|stop|restart} I take it rgmanager is not currently used, so some of the other questions remain. David O'Brien wrote: > Can I get a bit more info on this? > > "ipactl" is the name of the script that starts/stops the list of > services that IPA relies on? So, I can run /usr/sbin/ipactl start|stop > to start or stop all the IPA-related services? Or, will it be > implemented as a service itself (service ipactl start|stop)? The > latter seems less likely... > > Is there a restart option or do you have to do stop and then start? > Does start check for running instances? Is there the possibility of > getting multiple instances of a service? > > Questions, questions, questions... :) > > cheers > /dob > > Rob Crittenden wrote: >> The services that IPA uses need to be started in a particular order >> for them to work in concert together. Attached is a small script that >> will start/stop/restart the services in the proper order. >> >> The big one is that dirsrv needs to start before the KDC since it is >> the backend. >> >> rob >> ------------------------------------------------------------------------ >> >> # HG changeset patch >> # User Rob Crittenden >> # Date 1204216626 18000 >> # Node ID e95a447bef88f25c2e47f757f3db2c0ca09fdef4 >> # Parent 6cda4822300d6c9e559f1dce3f76777d5eb044ff >> Add small script to start/stop all of the services that IPA requires >> in the >> proper order. >> >> 435026 >> >> diff -r 6cda4822300d -r e95a447bef88 ipa-server/ipa-install/Makefile.am >> --- a/ipa-server/ipa-install/Makefile.am Thu Feb 28 11:34:34 2008 >> -0500 
>> +++ b/ipa-server/ipa-install/Makefile.am Thu Feb 28 11:37:06 2008 >> -0500 >> @@ -10,6 +10,7 @@ sbin_SCRIPTS = \ >> ipa-replica-prepare \ >> ipa-replica-manage \ >> ipa-server-certinstall \ >> + ipactl \ >> $(NULL) >> >> EXTRA_DIST = \ >> diff -r 6cda4822300d -r e95a447bef88 ipa-server/ipa-install/ipactl >> --- /dev/null Thu Jan 01 00:00:00 1970 +0000 >> +++ b/ipa-server/ipa-install/ipactl Thu Feb 28 11:37:06 2008 -0500 
>> @@ -0,0 +1,57 @@ >> +#!/bin/sh >> +# >> +# Copyright (C) 2008 Red Hat >> +# see file 'COPYING' for use and warranty information >> +# >> +# This program is free software; you can redistribute it and/or >> +# modify it under the terms of the GNU General Public License as >> +# published by the Free Software Foundation; version 2 only >> +# >> +# This program is distributed in the hope that it will be useful, >> +# but WITHOUT ANY WARRANTY; without even the implied warranty of >> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >> +# GNU General Public License for more details. >> +# >> +# You should have received a copy of the GNU General Public License >> +# along with this program; if not, write to the Free Software >> +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA >> 02111-1307 USA >> +# >> +# >> +# IPA control to start/stop the various services required for IPA in >> the >> +# proper order >> +# + >> +function start() { >> + /sbin/service ntpd start >> + /sbin/service dirsrv start >> + /sbin/service krb5kdc start >> + /sbin/service httpd start >> + /sbin/service ipa_kpasswd start >> + /sbin/service ipa_webgui start >> +} >> + >> +function stop() { >> + /sbin/service ipa_webgui stop >> + /sbin/service ipa_kpasswd stop >> + /sbin/service httpd stop >> + /sbin/service krb5kdc stop >> + /sbin/service dirsrv stop >> + /sbin/service ntpd stop >> +} >> + >> +case "$1" in >> +restart) >> + stop >> + start >> + ;; >> +start) >> + start >> + ;; >> +stop) >> + stop >> + ;; >> +*) >> + echo "Usage: ipactl {start|stop|restart}" >> + exit 1 >> + ;; >> +esac >> diff -r 6cda4822300d -r e95a447bef88 ipa-server/ipa-server.spec >> --- a/ipa-server/ipa-server.spec Thu Feb 28 11:34:34 2008 -0500 >> +++ b/ipa-server/ipa-server.spec Thu Feb 28 11:37:06 2008 -0500 
>> @@ -1,6 +1,6 @@ Name: ipa-server >> Name: ipa-server >> Version: 0.99.0 >> -Release: 2%{?dist} >> +Release: 3%{?dist} >> Summary: IPA authentication server >> >> Group: System Environment/Base >> @@ -112,6 +112,7 @@ fi >> %{_sbindir}/ipa-replica-prepare >> %{_sbindir}/ipa-replica-manage >> %{_sbindir}/ipa-server-certinstall >> +%{_sbindir}/ipactl >> %{_sbindir}/ipa_kpasswd >> %{_sbindir}/ipa_webgui >> %attr(755,root,root) %{_initrddir}/ipa_kpasswd >> @@ -151,6 +152,9 @@ fi >> %attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions >> >> %changelog >> +* Thu Feb 26 2008 Rob Crittenden - 0.99.0-3 >> +- Add ipactl command >> + >> * Thu Feb 21 2008 Rob Crittenden - 0.99.0-2 >> - package new file ipa-rewrite.conf >> >> diff -r 6cda4822300d -r e95a447bef88 ipa-server/ipa-server.spec.in >> --- a/ipa-server/ipa-server.spec.in Thu Feb 28 11:34:34 2008 -0500 >> +++ b/ipa-server/ipa-server.spec.in Thu Feb 28 11:37:06 2008 -0500 >> @@ -1,6 +1,6 @@ Name: ipa-server >> Name: ipa-server >> Version: VERSION >> -Release: 2%{?dist} >> +Release: 3%{?dist} >> Summary: IPA authentication server >> >> Group: System Environment/Base >> @@ -112,6 +112,7 @@ fi >> %{_sbindir}/ipa-replica-prepare >> %{_sbindir}/ipa-replica-manage >> %{_sbindir}/ipa-server-certinstall >> +%{_sbindir}/ipactl >> %{_sbindir}/ipa_kpasswd >> %{_sbindir}/ipa_webgui >> %attr(755,root,root) %{_initrddir}/ipa_kpasswd 
>> @@ -151,6 +152,9 @@ fi >> %attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions >> >> %changelog >> +* Thu Feb 26 2008 Rob Crittenden - 0.99.0-3 >> +- Add ipactl command >> + >> * Thu Feb 21 2008 Rob Crittenden - 0.99.0-2 >> - package new file ipa-rewrite.conf >> >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > -- David O'Brien IPA Content Author "We couldn't care less about comfort. We make you feel good." Federico Minoli CEO Ducati Motor S.p.A. From mike at flyn.org Fri Feb 29 11:16:13 2008 
From: mike at flyn.org (W. Michael Petullo)
Date: Fri, 29 Feb 2008 15:46:13 +0430
Subject: [Freeipa-devel] FreeIPA and mobile users
Message-ID: <20080229111613.GA15636@imp.flyn.org>

Is anyone thinking about how to integrate mobile users into a FreeIPA network? When a laptop is away from a LAN, its owner should still be able to log in. Windows allows one to do this -- account information is cached.

The pam_ccreds module will cache account information, but does not work with SELinux, see [1].

nss_updatedb will maintain a local cache of network directory user and group information. However, people have commented that this may not be a good solution for large installations because all information is cached.

nscd will also cache directory information, but it isn't really meant to support disconnected operations. For example, while the timeout period of cached information can be increased, it will supersede the server's information if it was updated during this period. So, there may be discontinuity when a laptop is reconnected to a network whose directory has changed. See [2].

Some notes I have taken on this issue are available at [3].

[1] https://bugzilla.redhat.com/show_bug.cgi?id=154133
[2] http://sources.redhat.com/bugzilla/show_bug.cgi?id=2132
[3] http://www.flyn.org/laptopldap/laptopldap.html

--
Mike

From jdennis at redhat.com Fri Feb 29 15:19:22 2008
From: jdennis at redhat.com (John Dennis)
Date: Fri, 29 Feb 2008 10:19:22 -0500
Subject: [Freeipa-devel] FreeIPA and mobile users
In-Reply-To: <20080229111613.GA15636@imp.flyn.org>
References: <20080229111613.GA15636@imp.flyn.org>
Message-ID: <47C8227A.3090002@redhat.com>

W. Michael Petullo wrote:
> Is anyone thinking about how to integrate mobile users into a FreeIPA
> network?

Absolutely, this is very much a goal of IPA, although not in the very first release. The functionality will be provided by a component called BlueBox. The name derives from white board architectural discussions in which the functionality was contained in a blue box on the white board.

I went looking for a current public document on BlueBox, but I didn't find one of much merit; I believe Simo has a task on his plate to update the BlueBox design, so stay tuned.

--
John Dennis

From rcritten at redhat.com Fri Feb 29 16:00:16 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Feb 2008 11:00:16 -0500
Subject: [Freeipa-devel] [PATCH] type checking for XML-RPC interface
Message-ID: <47C82C10.7030907@redhat.com>

Add type checking for the XML-RPC interface.

Also fixes a bug in service principals where I wasn't extracting the service from the name passed in so the DNS lookups were always failing.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-699-xmlrpc.patch
Type: text/x-patch
Size: 27815 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From ssorce at redhat.com Fri Feb 29 21:51:38 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 29 Feb 2008 16:51:38 -0500
Subject: [Freeipa-devel] [PATCH] ipa-modgroup update
In-Reply-To: <47C6E294.90703@redhat.com>
References: <47C6E294.90703@redhat.com>
Message-ID: <1204321898.26342.4.camel@localhost.localdomain>

On Thu, 2008-02-28 at 11:34 -0500, Rob Crittenden wrote:
> Update ipa-modgroup to allow groups to be added as a group member. It
> used to support just users.

ack

--
Simo Sorce * Red Hat, Inc * New York

From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 29 Feb 2008 16:52:13 -0500
Subject: [Freeipa-devel] [PATCH] ipactl script
In-Reply-To: <47C6E3FA.5050509@redhat.com>
References: <47C6E3FA.5050509@redhat.com>
Message-ID: <1204321933.26342.6.camel@localhost.localdomain>

On Thu, 2008-02-28 at 11:40 -0500, Rob Crittenden wrote:
> The services that IPA uses need to be started in a particular order for
> them to work in concert together. Attached is a small script that will
> start/stop/restart the services in the proper order.
>
> The big one is that dirsrv needs to start before the KDC since it is the
> backend.

If someone finds it useful, then ack.

--
Simo Sorce * Red Hat, Inc * New York

From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 29 Feb 2008 16:53:40 -0500
Subject: [Freeipa-devel] [PATCH] type checking for XML-RPC interface
In-Reply-To: <47C82C10.7030907@redhat.com>
References: <47C82C10.7030907@redhat.com>
Message-ID: <1204322020.26342.8.camel@localhost.localdomain>

On Fri, 2008-02-29 at 11:00 -0500, Rob Crittenden wrote:
> Add type checking for the XML-RPC interface.
>
> Also fixes a bug in service principals where I wasn't extracting the
> service from the name passed in so the DNS lookups were always
> failing.

ack

--
Simo Sorce * Red Hat, Inc * New York
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Feb 2008 17:07:59 -0500
Subject: [Freeipa-devel] [PATCH] Fix DS bootstrap process
In-Reply-To: <47C6FF5D.1080408@redhat.com>
References: <47C6FF5D.1080408@redhat.com>
Message-ID: <47C8823F.80406@redhat.com>

Simo Sorce wrote:
> Avoids creation of default entries that we don't use by DS's setup scripts.
>
> Simo.

Looks good. ack

From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 29 Feb 2008 17:10:34 -0500
Subject: [Freeipa-devel] [PATCH] Fix DS bootstrap process
In-Reply-To: <47C8823F.80406@redhat.com>
References: <47C6FF5D.1080408@redhat.com> <47C8823F.80406@redhat.com>
Message-ID: <1204323034.26342.10.camel@localhost.localdomain>

On Fri, 2008-02-29 at 17:07 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > Avoids creation of default entries that we don't use by DS's setup scripts.
> >
> > Simo.
>
> Looks good. ack

pushed

--
Simo Sorce * Red Hat, Inc * New York
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Feb 2008 17:18:04 -0500
Subject: [Freeipa-devel] [PATCH] ipa-modgroup update
In-Reply-To: <1204321898.26342.4.camel@localhost.localdomain>
References: <47C6E294.90703@redhat.com> <1204321898.26342.4.camel@localhost.localdomain>
Message-ID: <47C8849C.9030405@redhat.com>

Simo Sorce wrote:
> On Thu, 2008-02-28 at 11:34 -0500, Rob Crittenden wrote:
>> Update ipa-modgroup to allow groups to be added as a group member. It
>> used to support just users.
>
> ack

pushed

From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Feb 2008 17:18:10 -0500
Subject: [Freeipa-devel] [PATCH] ipactl script
In-Reply-To: <1204321933.26342.6.camel@localhost.localdomain>
References: <47C6E3FA.5050509@redhat.com> <1204321933.26342.6.camel@localhost.localdomain>
Message-ID: <47C884A2.4020208@redhat.com>

Simo Sorce wrote:
> On Thu, 2008-02-28 at 11:40 -0500, Rob Crittenden wrote:
>> The services that IPA uses need to be started in a particular order for
>> them to work in concert together. Attached is a small script that will
>> start/stop/restart the services in the proper order.
>>
>> The big one is that dirsrv needs to start before the KDC since it is the
>> backend.
>
> If someone finds it useful, then ack.

pushed
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Feb 2008 17:18:16 -0500
Subject: [Freeipa-devel] [PATCH] type checking for XML-RPC interface
In-Reply-To: <1204322020.26342.8.camel@localhost.localdomain>
References: <47C82C10.7030907@redhat.com> <1204322020.26342.8.camel@localhost.localdomain>
Message-ID: <47C884A8.5020601@redhat.com>

Simo Sorce wrote:
> On Fri, 2008-02-29 at 11:00 -0500, Rob Crittenden wrote:
>> Add type checking for the XML-RPC interface.
>>
>> Also fixes a bug in service principals where I wasn't extracting the
>> service from the name passed in so the DNS lookups were always
>> failing.
>
> ack

pushed
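The two fixes named in Rob's patch description, type checking of arguments arriving over the XML-RPC interface and extracting the service from a service principal before the DNS lookup, as an added example written for this page; it is not taken from the freeipa-699-xmlrpc.patch attachment, which is not on the page. The decorator-based type spec, the fault code 1001, the function names, the constructed results and the in-process `_marshaled_dispatch` round trip are this example's own choices; the only thing taken from elsewhere is the Kerberos service/host@REALM principal form.

```python
"""Argument type checking for an XML-RPC interface.

Added example, not FreeIPA code. Every argument that arrives over XML-RPC
is chosen by the caller, so each exported function declares the types it
accepts and a wrapper refuses anything else with a Fault before the
function body runs. parse_service_principal() splits service/host@REALM
so that a resolver is handed the host part only; looking up the whole
principal never succeeds, which is the bug the patch description reports.
"""
import functools
import xmlrpc.client
import xmlrpc.server

FAULT_BAD_ARGUMENT = 1001     # assumed fault code, not an IPA constant


def typed(*types):
    """Declare the positional argument types an XML-RPC function accepts."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(*args):
            if len(args) != len(types):
                raise xmlrpc.client.Fault(
                    FAULT_BAD_ARGUMENT, "%s: expected %d arguments, got %d"
                    % (func.__name__, len(types), len(args)))
            for i, (arg, expected) in enumerate(zip(args, types)):
                # bool is a subclass of int; do not let True pass as an int
                wrong = (not isinstance(arg, expected)
                         or (expected is int and isinstance(arg, bool)))
                if wrong:
                    raise xmlrpc.client.Fault(
                        FAULT_BAD_ARGUMENT, "%s: argument %d must be %s, got %s"
                        % (func.__name__, i, expected.__name__, type(arg).__name__))
            return func(*args)
        return wrapper
    return decorator


def parse_service_principal(principal):
    """Split 'service/host@REALM' into (service, host, realm); realm may be None."""
    if "@" in principal:
        name, realm = principal.rsplit("@", 1)
    else:
        name, realm = principal, None
    if "/" not in name:
        raise ValueError("not a service principal: %r" % principal)
    service, host = name.split("/", 1)
    if not service or not host:
        raise ValueError("empty service or host in %r" % principal)
    return service, host.lower(), realm


@typed(str, str)
def add_service_principal(principal, description):
    service, host, realm = parse_service_principal(principal)   # host is what DNS gets
    return {"service": service, "host": host, "realm": realm,
            "description": description}


@typed(str, int)
def find_users(pattern, limit):
    if limit < 0:
        raise xmlrpc.client.Fault(FAULT_BAD_ARGUMENT, "limit must be non-negative")
    return [{"uid": "user%d" % i} for i in range(limit)]      # constructed result


def build_dispatcher():
    d = xmlrpc.server.SimpleXMLRPCDispatcher(allow_none=True)
    d.register_function(add_service_principal)
    d.register_function(find_users)
    return d


def call(dispatcher, method, *params):
    """Marshal a request and run it through the dispatcher, as a client would.
    Returns the decoded result, or the Fault the server answered with."""
    request = xmlrpc.client.dumps(params, methodname=method)
    response = dispatcher._marshaled_dispatch(request)
    try:
        return xmlrpc.client.loads(response)[0][0]
    except xmlrpc.client.Fault as fault:
        return fault


def is_fault(result):
    return isinstance(result, xmlrpc.client.Fault)


if __name__ == "__main__":
    d = build_dispatcher()
    print(call(d, "add_service_principal", "HTTP/ipa.example.com@EXAMPLE.COM", "web"))
    print(call(d, "find_users", "u*", "2"))     # wrong type for limit: a Fault
```

Rejecting before the body runs is the point: the function never sees a list where it expected a string or a string where it expected a count, so its own code can rely on the declared types. A ValueError escaping from parse_service_principal is still turned into a Fault by the dispatcher rather than taking the server down.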