From jdennis at redhat.com Wed Jan 2 21:21:00 2008
From: jdennis at redhat.com (John Dennis)
Date: Wed, 02 Jan 2008 16:21:00 -0500
Subject: [Freeipa-devel] sshd, gssapi postinstall cleanup
Message-ID: <477C003C.3010104@redhat.com>

I lost my ability to ssh into one of the boxes I had IPA installed on. I'm not currently testing IPA on that box anymore so I disabled many of the IPA services and reset my /etc/krb5.conf file back to its original content (pointing to our corporate KDC). When I tried to ssh in the connection would appear to hang, so I ran ssh in verbose mode and discovered it was hanging while attempting GSSAPI authentication. I'm perplexed as to why and I'm wondering if something in the IPA installation might have done something (I believe each IPA rpm had been installed, but only the server install script had been run). Here are the relevant facts:

* kerberos works fine, only our corporate KDC is configured.
* disabling gssapi auth in /etc/ssh/sshd.conf makes the problem go away (but gssapi auth is enabled by default, so disabling this is non-standard).
* local logons work
* /etc/nsswitch.conf has only "files" for passwd,shadow,group
* pam ssh points to pam system-auth
* pam system-auth is normal
* /etc/gssapi_mech.conf seems normal (?)
* the local IPA KDC is shutdown and there is no reference to it in krb5.conf

So, any ideas as to why sshd on that box would hang as it attempted gssapi auth and how might a previous IPA install be responsible for that?

-- 
John Dennis

From kmacmill at redhat.com Wed Jan 2 21:46:20 2008
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 02 Jan 2008 16:46:20 -0500
Subject: [Freeipa-devel] sshd, gssapi postinstall cleanup
In-Reply-To: <477C003C.3010104@redhat.com>
References: <477C003C.3010104@redhat.com>
Message-ID: <1199310380.4749.5.camel@clapton.mentalrootkit.com>

On Wed, 2008-01-02 at 16:21 -0500, John Dennis wrote:
> I lost my ability to ssh into one of the boxes I had IPA installed on.
> I'm not currently testing IPA on that box anymore so I disabled many of
> the IPA services and reset my /etc/krb5.conf file back to it's original
> content (pointing to our corporate KDC). When I tried to ssh in the
> connection would appear to hang, so I ran ssh in verbose mode and
> discovered it was hanging while attempting GSSAPI authentication. I'm
> perplexed as to why and I'm wondering if something in the IPA
> installation might have done something (I believe each IPA rpm had been
> installed, but only the server install script had been run). Here are
> the relevant facts:
>

I've seen problems when I have tickets in my cache but the KDC is not reachable - this is on the client side. Worst part is that this makes it impossible to ssh to *any* host, which makes it confusing to debug (it's clear why, but it still manages to confuse me). Doesn't seem like this is your issue, but I thought I would mention it anyway.

Karl

From taruishi at redhat.com Thu Jan 3 09:38:37 2008
From: taruishi at redhat.com (Masato Taruishi)
Date: Thu, 03 Jan 2008 18:38:37 +0900
Subject: [Freeipa-devel] internationalization of kid templates
Message-ID: <1199353118.4420.17.camel@freeipa.example.com>

Hi,

I wrote a patch to internationalize kid templates. In addition to the general internationalization, the patch also includes the Japanese po file. Please see the attached screenshots. Of course, this patch supports the content negotiation feature so you can see the English page, too.

I haven't internationalized javascript and python messages yet because it requires utf-8 safety. I guess that's the next work for i18n related tasks.

I hope this would help internationalization support of freeipa.

Thanks
Best regards
-- 
Masato Taruishi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: i18n.patch
Type: text/x-patch
Size: 41111 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ????_1199352360781.png
Type: image/png
Size: 87075 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Welcome_1199352721518.png
Type: image/png
Size: 54137 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Jan 3 18:10:29 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 03 Jan 2008 13:10:29 -0500
Subject: [Freeipa-devel] [PATCH] enable sessions in the GUI
Message-ID: <477D2515.1020504@redhat.com>

This enables server-side file-based sessions on the server side. In production the sessions will be stored in /var/cache/ipa.

I've also added a simple mechanism to try to ensure that a record that is being updated is the record that was last edited. This is an attempt around a phishing attack that might trick a user to click on a link that will do a POST and update their password in the UI.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rcritten at redhat.com Thu Jan 3 18:11:08 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 03 Jan 2008 13:11:08 -0500
Subject: [Freeipa-devel] [PATCH] enable sessions in the GUI
In-Reply-To: <477D2515.1020504@redhat.com>
References: <477D2515.1020504@redhat.com>
Message-ID: <477D253C.6050608@redhat.com>

Rob Crittenden wrote:
> This enables server-side file-based sessions on the server side. In
> production the sessions will be stored in /var/cache/ipa.
>
> I've also added a simple mechanism to try ensure that a record that is
> being updated is the record that was last edited. This is an attempt
> around a phishing attack that might trick a user to click on a link that
> will do a POST and update their password in the UI.
>
> rob

And here is the patch.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-568-sessions.patch
Type: text/x-patch
Size: 3811 bytes
Desc: not available
URL:

From ssorce at redhat.com Thu Jan 3 22:26:39 2008
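Added example, not the freeipa-568-sessions.patch attached above (which the archive scrubbed): a minimal Python model of the check Rob describes, where the server-side session remembers which record was loaded into the edit form and a POST is accepted only for that record with the token the form was issued. Class and function names are hypothetical.

```python
import secrets

# Added example, not the FreeIPA patch itself: the session is bound to the
# entry that was loaded into the edit form, so a POST produced by a link on
# another site cannot update a different record (or any record, without the
# token the form was issued). All names here are hypothetical.


class Session:
    """Server-side session state (the patch stores it on disk; here in memory)."""

    def __init__(self):
        self.data = {}


def load_edit_form(session, dn):
    """Called when the user opens the edit page for entry `dn`.

    Records which entry is being edited and mints a fresh, unguessable
    token that is handed to the form as a hidden field.
    """
    token = secrets.token_urlsafe(32)
    session.data["edit_dn"] = dn
    session.data["edit_token"] = token
    return {"dn": dn, "edit_token": token}


def handle_update(session, posted):
    """Called on POST. Returns (accepted, reason).

    A forged POST can carry any dn it likes, but it cannot know the token the
    session minted for the form the user actually opened, and it cannot change
    which dn that form was for.
    """
    expected_dn = session.data.get("edit_dn")
    expected_token = session.data.get("edit_token")
    if expected_dn is None or expected_token is None:
        return False, "no record was loaded for editing in this session"
    if posted.get("dn") != expected_dn:
        return False, "posted record is not the record last edited"
    supplied = str(posted.get("edit_token", "")).encode()
    if not secrets.compare_digest(supplied, expected_token.encode()):
        return False, "edit token does not match the session"
    # Token is single-use: a replay of the same POST is rejected.
    session.data.pop("edit_token", None)
    session.data.pop("edit_dn", None)
    return True, "update accepted"
```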
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 03 Jan 2008 17:26:39 -0500
Subject: [Freeipa-devel] sshd, gssapi postinstall cleanup
In-Reply-To: <477C003C.3010104@redhat.com>
References: <477C003C.3010104@redhat.com>
Message-ID: <1199399199.16418.2.camel@hopeson>

On Wed, 2008-01-02 at 16:21 -0500, John Dennis wrote:
> I lost my ability to ssh into one of the boxes I had IPA installed on.
> I'm not currently testing IPA on that box anymore so I disabled many of
> the IPA services and reset my /etc/krb5.conf file back to it's original
> content (pointing to our corporate KDC). When I tried to ssh in the
> connection would appear to hang, so I ran ssh in verbose mode and
> discovered it was hanging while attempting GSSAPI authentication. I'm
> perplexed as to why and I'm wondering if something in the IPA
> installation might have done something (I believe each IPA rpm had been
> installed, but only the server install script had been run). Here are
> the relevant facts:
>
> * kerberos works fine, only our corporate KDC is configured.
>
> * disabling gssapi auth in /etc/ssh/sshd.conf makes the problem go away
> (but gssapi auth is enabled by default, so disabling this is non-standard).
>
> * local logons work
>
> * /etc/nsswitch.conf has only "files" for passwd,shadow,group
>
> * pam ssh points to pam system-auth
>
> * pam system-auth is normal
>
> * /etc/gssapi_mech.conf seems normal (?)
>
> * the local IPA KDC is shutdown and there is no reference to it in krb5.conf
>
> So, any ideas as to why sshd on that box would hang as it attempted
> gssapi auth and how might a previous IPA install be responsible for that?

I bet you have a /etc/krb5.keytab file left over from latest IPA installations.

Simo.

From jdennis at redhat.com Fri Jan 4 16:12:53 2008
From: jdennis at redhat.com (John Dennis)
Date: Fri, 04 Jan 2008 11:12:53 -0500
Subject: [Freeipa-devel] sshd, gssapi postinstall cleanup
In-Reply-To: <1199399199.16418.2.camel@hopeson>
References: <477C003C.3010104@redhat.com> <1199399199.16418.2.camel@hopeson>
Message-ID: <477E5B05.9030206@redhat.com>

Simo Sorce wrote:
>> So, any ideas as to why sshd on that box would hang as it attempted
>> gssapi auth and how might a previous IPA install be responsible for that?
>
> I bet you have a /etc/krb5.keytab file left over from latest IPA
> installations.

Good thought, I don't think this was the case but certainly worth a check.

I do think I figured out what the culprit was as well as a temporary workaround that will at least allow one to ssh in.

I think the problem was partly a result of my own limited thinking :-) I had presumed the problem must be on the remote server I was trying to connect to. This erroneous conclusion was further supported by my observation that if GSSAPIAuthentication was disabled in the server's sshd.conf file the problem went away. However, the problem was on the ssh client machine, which also had a bad /etc/krb5.conf file left over from an IPA test installation.

I believe what was actually happening was that when ssh<-->sshd tried to negotiate GSSAPI Authentication, ssh on the client attempted to get a ticket for me, which failed because it could not talk to the KDC configured on the client. The sshd server had no role in this other than agreeing it would accept GSSAPI Authentication. When I disabled GSSAPI Authentication on the sshd server the client did not attempt to get a ticket for me and everything worked. It was a case of mistaken identity (pun intended :-)

BTW, I discovered you can temporarily get around problems like this if on the ssh command line you add an option parameter like this:

% ssh -o GSSAPIAuthentication=no somehost

-- 
John Dennis

From rcritten at redhat.com Fri Jan 4 16:23:16 2008
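Added example, not from the thread: a Python helper that reads which KDCs a krb5.conf would send a client to and whether a keytab is present, so the two leftovers discussed above (a stale default realm on the client, a forgotten /etc/krb5.keytab) can be spotted before ssh stalls in the GSSAPI step. The krb5.conf text is constructed and the function names are hypothetical.

```python
import os
import re
import socket

# Added example (not from the mailing-list thread): parse the [libdefaults]
# and [realms] sections of a krb5.conf, report the KDCs the default realm
# points at, and check for a leftover keytab. Names here are hypothetical.


def parse_krb5_conf(text):
    """Return (default_realm, {realm: [kdc, ...]}) from krb5.conf text.

    Handles the common layout only: top-level [section] headers, `key = value`
    lines, and one level of `REALM = { ... }` braces inside [realms].
    """
    default_realm = None
    realms = {}
    section = None
    current_realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, current_realm = m.group(1), None
            continue
        if section == "libdefaults":
            key, _, value = line.partition("=")
            if key.strip() == "default_realm":
                default_realm = value.strip()
        elif section == "realms":
            if line.endswith("{"):
                current_realm = line[:-1].split("=")[0].strip()
                realms.setdefault(current_realm, [])
            elif line == "}":
                current_realm = None
            elif current_realm is not None:
                key, _, value = line.partition("=")
                if key.strip() == "kdc":
                    # a kdc entry may carry an explicit port, e.g. host:88
                    realms[current_realm].append(value.strip())
    return default_realm, realms


def kdc_reachable(kdc, timeout=2.0):
    """TCP probe of the KDC port; an unreachable KDC is what made ssh hang."""
    host, _, port = kdc.partition(":")
    try:
        with socket.create_connection((host, int(port or 88)), timeout=timeout):
            return True
    except OSError:
        return False


def leftover_report(conf_text, keytab_path="/etc/krb5.keytab"):
    """Summarise what a stale test install may have left behind on a client."""
    default_realm, realms = parse_krb5_conf(conf_text)
    return {
        "default_realm": default_realm,
        "kdcs_for_default_realm": realms.get(default_realm, []),
        "keytab_present": os.path.exists(keytab_path),
    }


# Constructed sample: the default realm still points at a decommissioned IPA KDC.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = IPATEST.EXAMPLE.COM   # leftover from the test install
  dns_lookup_kdc = false

[realms]
  IPATEST.EXAMPLE.COM = {
    kdc = ipa.ipatest.example.com:88
    admin_server = ipa.ipatest.example.com:749
  }
  CORP.EXAMPLE.COM = {
    kdc = kdc1.corp.example.com
    kdc = kdc2.corp.example.com
  }
"""

if __name__ == "__main__":
    report = leftover_report(SAMPLE_KRB5_CONF)
    print(report)
    for kdc in report["kdcs_for_default_realm"]:
        print(kdc, "reachable" if kdc_reachable(kdc) else "NOT reachable")
```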
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 04 Jan 2008 11:23:16 -0500
Subject: [Freeipa-devel] [PATCH] Change subject of self-signed CA
Message-ID: <477E5D74.2050108@redhat.com>

This patch changes the subject of the self-signed CA we generate during installation. This should make it easier for people to find it in their browser when they add trust for it.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-569-caname.patch
Type: text/x-patch
Size: 933 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Jan 4 21:41:43 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 04 Jan 2008 16:41:43 -0500
Subject: [Freeipa-devel] [PATCH] add function to make ipa-adddelegation easier to use
Message-ID: <477EA817.9040600@redhat.com>

Add function to retrieve a short list of attributes to make ipa-adddelegation easier to use. Also add an example to the man page.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-570-list.patch
Type: text/x-patch
Size: 5926 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Jan 4 21:44:37 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 04 Jan 2008 16:44:37 -0500
Subject: [Freeipa-devel] [PATCH] add man page for ipa-addservice
Message-ID: <477EA8C5.8040508@redhat.com>

I noticed we didn't have a man page for ipa-addservice. Here is one.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-571-addservice.patch
Type: text/x-patch
Size: 2054 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Jan 4 21:45:08 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 04 Jan 2008 16:45:08 -0500
Subject: [Freeipa-devel] [PATCH] general manpage cleanup
Message-ID: <477EA8E4.5020207@redhat.com>

Cleaned up a couple of man pages, hopefully making them clearer.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-572-mancleanup.patch
Type: text/x-patch
Size: 3738 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Jan 7 18:52:34 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 07 Jan 2008 13:52:34 -0500
Subject: [Freeipa-devel] [PATCH] don't let user set realm in service principals
Message-ID: <478274F2.1010903@redhat.com>

In add_service_principal() don't let the user pass in the realm. This could result in a principal of the form:

service/host at something@REALM

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-573-norealm.patch
Type: text/x-patch
Size: 894 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Jan 7 20:50:13 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 07 Jan 2008 15:50:13 -0500
Subject: [Freeipa-devel] [PATCH] fix button text
Message-ID: <47829085.3020108@redhat.com>

Make button text consistent with rest of page on Find Service Principals page.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-574-button.patch
Type: text/x-patch
Size: 985 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Jan 7 21:25:01 2008
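Added example, not the freeipa-573-norealm.patch itself: a Python builder for service principals that takes only the service and host from the caller and appends the realm on the server side, rejecting components that carry '@' or '/' so the malformed service/host@something@REALM form from the message above cannot arise. Function names are hypothetical.

```python
import re

# Added example (not the FreeIPA patch): the caller supplies service and host
# only; the realm is appended here, and components that could smuggle in a
# second realm are rejected. Names below are hypothetical.

# Allowed characters for a service name or host label: no '@', no '/'.
_COMPONENT = re.compile(r"^[A-Za-z0-9._-]+$")


def build_service_principal(service, host, realm):
    """Return 'service/host@REALM' from caller-supplied service and host.

    An '@' in a user-supplied component would otherwise produce the malformed
    'service/host@something@REALM'; a '/' would add a bogus extra component.
    """
    for label, value in (("service", service), ("host", host)):
        if not value or not _COMPONENT.match(value):
            raise ValueError(f"invalid characters in {label} component: {value!r}")
    if not realm or not _COMPONENT.match(realm):
        raise ValueError(f"invalid realm: {realm!r}")
    # Kerberos hostnames are conventionally lower-case; normalise rather than reject.
    return f"{service}/{host.lower()}@{realm}"


def split_service_principal(principal):
    """Inverse parse, useful for checking stored principals have exactly one realm."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm or "@" in name:
        raise ValueError(f"malformed principal: {principal!r}")
    service, sep, host = name.partition("/")
    if not sep or not service or not host or "/" in host:
        raise ValueError(f"not a service principal: {principal!r}")
    return service, host, realm
```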
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 07 Jan 2008 16:25:01 -0500
Subject: [Freeipa-devel] PyKerberos now python-kerberos
Message-ID: <478298AD.1050106@redhat.com>

I submitted PyKerberos to Fedora as python-kerberos. This is partly to match existing python extension names and also because Ubuntu also uses this name.

It is currently in testing in F-7 and F-8. Once it gets pushed to stable I'll make the change in the rpm spec Requires. If anyone wants to try it and give it some karma even better :-)

https://admin.fedoraproject.org/updates/F7/pending/python-kerberos-1.0-2.fc7
https://admin.fedoraproject.org/updates/F8/pending/python-kerberos-1.0-2.fc8

rob
From rcritten at redhat.com Wed Jan 9 04:33:41 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 08 Jan 2008 23:33:41 -0500
Subject: [Freeipa-devel] Solaris 10 x86 client
Message-ID: <47844EA5.90607@redhat.com>

Trying to get a Solaris 10 x86 client talking to my IPA server makes it ever so clear why IPA is needed. It took me the better part of a day to get it sort of working.

The steps are still very rough around the edges so I'm not ready to provide any documentation yet but I did run into some problems that I need some guidance on.

1. Solaris 10 x86 (at least) doesn't support the key type aes256-cts. By commenting this out in the IPA kdc.conf I was able to generate a usable keytab. If this was there I got all sorts of errors. What is the impact, if any, if we drop this? Or is there some other workaround? I tried pulling just one enctype into the keytab, perhaps more than 1 is needed.

2. We need to add shadowAccount to the default list of user objectclasses

3. There is no pam_mkhomedir for Solaris. I have a super-ugly hack in place using the Linux-PAM-0.99.9.0 so it works but has problems like zero error reporting.

4. I'm not entirely certain that the pam.conf I have is doing the right thing. I'll see about cleaning it up and posting it for review.

I run Solaris in a VM so this may be part of the problem but I was getting an error about a non-matching network address. This was likely due to some NATing between my Solaris VM and my IPA VM. I worked around it for the short term by adding no_addresses=true to the Solaris krb5.conf.

I also haven't configured LDAP to use SSL. Right now it does anonymous searches for things. I also don't have all the mappings in place, just passwd and group.

Anyway, the things that do work:

1. getent passwd and getent group
2. id
3. local user login using Kerberos credentials
4. non-local user login using Kerberos credentials
5. automatic home directory creation (hacky)
6. local user login using local credentials and no Kerberos password lets me in

rob

From ssorce at redhat.com Wed Jan 9 13:06:51 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 09 Jan 2008 08:06:51 -0500
Subject: [Freeipa-devel] Solaris 10 x86 client
In-Reply-To: <47844EA5.90607@redhat.com>
References: <47844EA5.90607@redhat.com>
Message-ID: <1199884011.5294.19.camel@localhost.localdomain>

On Tue, 2008-01-08 at 23:33 -0500, Rob Crittenden wrote:
> Trying to get a Solaris 10 x86 client talking to my IPA server makes it
> ever so clear why IPA is needed. It took me the better part of a day to
> get it sort of working.
>
> The steps are still very rough around the edges so I'm not ready to
> provide any documentation yet but I did run into some problems that I
> need some guidance on.
>
> 1. Solaris 10 x86 (at least) doesn't support the key type aes256-cts. By
> commenting this out in the IPA kdc.conf I was able to generate a usable
> keytab. If this was there I got all sorts of errors. What is the impact,
> if any, if we drop this. Or is there some other workaround? I tried
> pulling just one enctype into the keytab, perhaps more than 1 is needed.

ipa-getkeytab should be run on the machine that will get the keytab, as it selects only the locally supported encryption types.
Another way is to use it on a box where you customize the permitted encryption types in krb5.conf to match what Solaris supports.

> 2. We need to add shadowAccount to the default list of user objectclasses

No please, why would we?

> 3. There is no pam_mkhomedir for Solaris. I have a super-ugly hack in
> place using the Linux-PAM-0.99.9.0 so it works but has problems like
> zero error reporting.

Not our concern in 1.0

> 4. I'm not entirely certain that the pam.conf I have is doing the right
> thing. I'll see about cleaning it up and posting it for review.

ok

> I run Solaris in a VM so this may be part of the problem but I was
> getting an error about a non-matching network address. This was likely
> due to some NATing between my Solaris VM and my IPA VM. I worked around
> it for the short term by adding no_addresses=true to the Solaris krb5.conf.

we need to document these tweaks

> I also haven't configured LDAP to use SSL. Right now it does anonymous
> searches for things. I also don't have all the mappings in place, just
> passwd and group.

This is ok for now, SSL adds a lot of load and I think we shouldn't force people to use it by default for now.

> Anyway, the things that do work:
>
> 1. getent passwd and getent group
> 2. id
> 3. local user login using Kerberos credentials
> 4. non-local user login using Kerberos credentials
> 5. automatic home directory creation (hacky)
> 6. local user login using local credentails and no Kerberos password
> lets me in

Great, very good job, thanks!

Simo.

-- 
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |

From rcritten at redhat.com Wed Jan 9 15:25:04 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 09 Jan 2008 10:25:04 -0500
Subject: [Freeipa-devel] Solaris 10 x86 client
In-Reply-To: <1199884011.5294.19.camel@localhost.localdomain>
References: <47844EA5.90607@redhat.com> <1199884011.5294.19.camel@localhost.localdomain>
Message-ID: <4784E750.7020903@redhat.com>

Simo Sorce wrote:
> On Tue, 2008-01-08 at 23:33 -0500, Rob Crittenden wrote:
>> Trying to get a Solaris 10 x86 client talking to my IPA server makes it
>> ever so clear why IPA is needed. It took me the better part of a day to
>> get it sort of working.
>>
>> The steps are still very rough around the edges so I'm not ready to
>> provide any documentation yet but I did run into some problems that I
>> need some guidance on.
>>
>> 1. Solaris 10 x86 (at least) doesn't support the key type aes256-cts. By
>> commenting this out in the IPA kdc.conf I was able to generate a usable
>> keytab. If this was there I got all sorts of errors. What is the impact,
>> if any, if we drop this. Or is there some other workaround? I tried
>> pulling just one enctype into the keytab, perhaps more than 1 is needed.
>
> ipa-getkeytab should be run on the machine that will get the keytab, as
> it selects only the locally supported encryption types.
> Another way is to use it on a box where you customize the permitted
> encryption types in krb5.conf to match what Solaris supports

Ok, so practically does this mean we'll need to install ipa-admintools on all client machines? Or how will we provide an automated way to provide keytabs to new client machines?

>
>> 2. We need to add shadowAccount to the default list of user objectclasses
>
> No please, why would we ?

It is apparently required for non-local accounts on Solaris machines. Login fails without this objectclass and works when it exists in the entry for non-local accounts.

So I have a local 'rcrit' account and I can login fine with ssh using my kerberos password. My 'test' account from IPA fails when shadowAccount isn't in the entry.

>
>> 3. There is no pam_mkhomedir for Solaris. I have a super-ugly hack in
>> place using the Linux-PAM-0.99.9.0 so it works but has problems like
>> zero error reporting.
>
> Not our concern in 1.0

Ok.

>> 4. I'm not entirely certain that the pam.conf I have is doing the right
>> thing. I'll see about cleaning it up and posting it for review.
>
> ok
>
>> I run Solaris in a VM so this may be part of the problem but I was
>> getting an error about a non-matching network address. This was likely
>> due to some NATing between my Solaris VM and my IPA VM. I worked around
>> it for the short term by adding no_addresses=true to the Solaris krb5.conf.
>
> we need to document these tweaks

Definitely!

>
>> I also haven't configured LDAP to use SSL. Right now it does anonymous
>> searches for things. I also don't have all the mappings in place, just
>> passwd and group.
>
> This is ok for now, SSL adds a lot of load and I think we shouldn't
> force people to use it by default for now.

Oh, ok. Simple is good then.

>
>> Anyway, the things that do work:
>>
>> 1. getent passwd and getent group
>> 2. id
>> 3. local user login using Kerberos credentials
>> 4. non-local user login using Kerberos credentials
>> 5. automatic home directory creation (hacky)
>> 6. local user login using local credentails and no Kerberos password
>> lets me in
>
> Great, very good job, thanks!

Hopefully this will easily translate into a working sparc Solaris configuration too :-) I'm a little nervous about that since I can't as easily revert the box.

From ssorce at redhat.com Wed Jan 9 15:41:15 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 09 Jan 2008 10:41:15 -0500
Subject: [Freeipa-devel] Solaris 10 x86 client
In-Reply-To: <4784E750.7020903@redhat.com>
References: <47844EA5.90607@redhat.com> <1199884011.5294.19.camel@localhost.localdomain> <4784E750.7020903@redhat.com>
Message-ID: <1199893275.5294.27.camel@localhost.localdomain>

On Wed, 2008-01-09 at 10:25 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Tue, 2008-01-08 at 23:33 -0500, Rob Crittenden wrote:
> >> Trying to get a Solaris 10 x86 client talking to my IPA server makes it
> >> ever so clear why IPA is needed. It took me the better part of a day to
> >> get it sort of working.
> >>
> >> The steps are still very rough around the edges so I'm not ready to
> >> provide any documentation yet but I did run into some problems that I
> >> need some guidance on.
> >>
> >> 1. Solaris 10 x86 (at least) doesn't support the key type aes256-cts. By
> >> commenting this out in the IPA kdc.conf I was able to generate a usable
> >> keytab. If this was there I got all sorts of errors. What is the impact,
> >> if any, if we drop this. Or is there some other workaround? I tried
> >> pulling just one enctype into the keytab, perhaps more than 1 is needed.
> >
> > ipa-getkeytab should be run on the machine that will get the keytab, as
> > it selects only the locally supported encryption types.
> > Another way is to use it on a box where you customize the permitted
> > encryption types in krb5.conf to match what Solaris supports
>
> Ok, so practically does this mean we'll need to install ipa-admintools
> on all client machines? Or how will we provide an automated way to
> provide keytabs to new client machines?

I think the keytab util is in the client tools, I put it there on purpose.

> >
> >> 2. We need to add shadowAccount to the default list of user objectclasses
> >
> > No please, why would we ?
>
> It is apparently required for non-local accounts on Solaris machines.
> Login fails without this objectclass and works when it exists in the
> entry for non-local accounts.

Bah, is there any chance there is a toggle to switch this requirement off? Do they have the shadow target in nsswitch? Maybe remove ldap from it?

> So I have a local 'rcrit' account and I can login fine with ssh using my
> kerberos password. My 'test' account from IPA fails when shadowAccount
> isn't in the entry.

I hope it can be toggled, shadowAccount is not nice, and would add a lot of parameters we simply ignore that control user accounts (in theory), like expiration and other things. Adding support to synchronize those fields would require a new module which I am not willing to build just for Solaris unless we have no other option. Plus that objectclass sucks :)

> Hopefully this will easily translate into a working sparc Solaris
> configuration too :-) I'm a little nervous about that since I can't as
> easily revert the box.

I think testing on Solaris 10 x86 gets us reasonably close to assume that once it works, the sparc version will work too.

Simo.

-- 
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |

From rcritten at redhat.com Wed Jan 9 20:42:30 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 09 Jan 2008 15:42:30 -0500
Subject: [Freeipa-devel] Solaris 10 x86 client
In-Reply-To: <1199893275.5294.27.camel@localhost.localdomain>
References: <47844EA5.90607@redhat.com> <1199884011.5294.19.camel@localhost.localdomain> <4784E750.7020903@redhat.com> <1199893275.5294.27.camel@localhost.localdomain>
Message-ID: <478531B6.3080803@redhat.com>

Simo Sorce wrote:
> On Wed, 2008-01-09 at 10:25 -0500, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Tue, 2008-01-08 at 23:33 -0500, Rob Crittenden wrote:
>>>> Trying to get a Solaris 10 x86 client talking to my IPA server makes it
>>>> ever so clear why IPA is needed. It took me the better part of a day to
>>>> get it sort of working.
>>>>
>>>> The steps are still very rough around the edges so I'm not ready to
>>>> provide any documentation yet but I did run into some problems that I
>>>> need some guidance on.
>>>>
>>>> 1. Solaris 10 x86 (at least) doesn't support the key type aes256-cts. By
>>>> commenting this out in the IPA kdc.conf I was able to generate a usable
>>>> keytab. If this was there I got all sorts of errors. What is the impact,
>>>> if any, if we drop this. Or is there some other workaround? I tried
>>>> pulling just one enctype into the keytab, perhaps more than 1 is needed.
>>> ipa-getkeytab should be run on the machine that will get the keytab, as
>>> it selects only the locally supported encryption types.
>>> Another way is to use it on a box where you customize the permitted
>>> encryption types in krb5.conf to match what Solaris supports
>> Ok, so practically does this mean we'll need to install ipa-admintools
>> on all client machines? Or how will we provide an automated way to
>> provide keytabs to new client machines?
>
> I think the keytab util is in the client tools, I put it there on
> purpose.

Ok I see it now. Unfortunately it doesn't build on a stock Solaris 10
machine. It seems to require some MIT kerberos headers that aren't available.

rob

From: daobrien at redhat.com (David O'Brien)
Date: Thu, 10 Jan 2008 16:34:59 +1000
Subject: [Freeipa-devel] Solaris 10 x86 client
In-Reply-To: <1199884011.5294.19.camel@localhost.localdomain>
References: <47844EA5.90607@redhat.com> <1199884011.5294.19.camel@localhost.localdomain>
Message-ID: <4785BC93.1090708@redhat.com>

Simo Sorce wrote:
> On Tue, 2008-01-08 at 23:33 -0500, Rob Crittenden wrote:
>
>> Trying to get a Solaris 10 x86 client talking to my IPA server makes it
>> ever so clear why IPA is needed. It took me the better part of a day to
>> get it sort of working.
>>
>> The steps are still very rough around the edges so I'm not ready to
>> provide any documentation yet but I did run into some problems that I
>> need some guidance on.
>>
>> 1. Solaris 10 x86 (at least) doesn't support the key type aes256-cts. By
>> commenting this out in the IPA kdc.conf I was able to generate a usable
>> keytab. If this was there I got all sorts of errors. What is the impact,
>> if any, if we drop this. Or is there some other workaround? I tried
>> pulling just one enctype into the keytab, perhaps more than 1 is needed.
>>
>
> ipa-getkeytab should be run on the machine that will get the keytab, as
> it selects only the locally supported encryption types.
> Another way is to use it on a box where you customize the permitted
> encryption types in krb5.conf to match what Solaris supports
>
>
>> 2. We need to add shadowAccount to the default list of user objectclasses
>>
>
> No please, why would we ?
>
>
>> 3. There is no pam_mkhomedir for Solaris. I have a super-ugly hack in
>> place using the Linux-PAM-0.99.9.0 so it works but has problems like
>> zero error reporting.
>>
>
> Not our concern in 1.0
>
>
>> 4. I'm not entirely certain that the pam.conf I have is doing the right
>> thing. I'll see about cleaning it up and posting it for review.
>>
>
> ok
>
>
>> I run Solaris in a VM so this may be part of the problem but I was
>> getting an error about a non-matching network address. This was likely
>> due to some NATing between my Solaris VM and my IPA VM. I worked around
>> it for the short term by adding no_addresses=true to the Solaris krb5.conf.
>>
>
> we need to document these tweaks
>

I'm assuming this is only a Solaris issue? I do all my testing in VMs and
haven't had an error like that, but so far I've only used F7. I'm due to
start on Solaris and Mac soon, so the more you discover and find fixes for,
the better it'll be for me :-)

>
>> I also haven't configured LDAP to use SSL. Right now it does anonymous
>> searches for things. I also don't have all the mappings in place, just
>> passwd and group.
>>
>
> This is ok for now, SSL adds a lot of load and I think we shouldn't
> force people to use it by default for now.
>
>
>> Anyway, the things that do work:
>>
>> 1. getent passwd and getent group
>> 2. id
>> 3. local user login using Kerberos credentials
>> 4. non-local user login using Kerberos credentials
>> 5. automatic home directory creation (hacky)
>> 6. local user login using local credentials and no Kerberos password
>> lets me in
>>
>
> Great, very good job, thanks!
>
> Simo.
>

+1 ! The more you find & fix before I get to it the better I like it :)
In fact, your first comment prompts me to wait until you smooth out the rough
edges and have some initial doc for me to play with, since I'll be learning
Solaris at the same time...

cheers
/dob

-- 
David O'Brien
RHCT

Red Hat is #1 in value. Again.
http://apac.redhat.com/promo/vendor/

From: chorn at fluxcoil.net (Christian Horn)
Date: Thu, 10 Jan 2008 13:54:52 +0100
Subject: [Freeipa-devel] Solaris 10 x86 client
In-Reply-To: <47844EA5.90607@redhat.com>
References: <47844EA5.90607@redhat.com>
Message-ID: <20080110125452.GA9875@fluxcoil.net>

On Tue, Jan 08, 2008 at 11:33:41PM -0500, Rob Crittenden wrote:
>
> 1. Solaris 10 x86 (at least) doesn't support the key type aes256-cts. By
> commenting this out in the IPA kdc.conf I was able to generate a usable
> keytab. If this was there I got all sorts of errors. What is the impact,
> if any, if we drop this. Or is there some other workaround? I tried
> pulling just one enctype into the keytab, perhaps more than 1 is needed.

Should be provided by the 'Solaris 10 Data Encryption Kit':
"The Solaris 10 Data Encryption Kit provides AES 256-bit and 448-bit Blowfish
Cryptographic encryption algorithms for use on Solaris 10 SPARC and x86".

> 2. We need to add shadowAccount to the default list of user objectclasses

IBM AIX and HP-UX defaults on using ldap-directories could also be exotic,
in case they are also in focus.

Christian

From: bbaker at priefert.com (William Baker)
Date: Thu, 10 Jan 2008 11:31:39 -0600
Subject: [Freeipa-devel] fedora-ds schema for DNS
Message-ID: <4786567B.3070002@priefert.com>

I am attempting to find the schema used for storing DNS records in
fedora-ds. In particular, I was looking for the objectclass of dNSZone.
All that I have found is a little bit of controversy about schema defs
for aRecord and dNSRecord regarding old RFCs and Netscape Directory.

There are four missing pieces of documentation on the fedora directory
site. The two that I am interested in are "Howto: BIND" and "Howto: DHCP".
I would like to write the "Howto: BIND".

As a starting point, I either need to find or create the schema for
storing DNS records. I was hoping this project would have the "blessed"
schema. I downloaded FreeIPA sources and did some searching but didn't
find this schema. I hope to have a machine set up soon where I can
install the current freeipa and see how it works a little more closely,
but that won't happen until next week.

Does anybody currently have such a schema?
Any insight into putting DNS information into FDS?

bbaker

From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 10 Jan 2008 12:44:50 -0500
Subject: [Freeipa-devel] fedora-ds schema for DNS
In-Reply-To: <4786567B.3070002@priefert.com>
References: <4786567B.3070002@priefert.com>
Message-ID: <1199987090.31403.24.camel@localhost.localdomain>

On Thu, 2008-01-10 at 11:31 -0600, William Baker wrote:
> I am attempting to find the schema used for storing DNS records in
> fedora-ds. In particular, I was looking for the objectclass of
> dNSZone. All that I have found is a little bit of controversy about
> schema defs for aRecord and dNSRecord regarding old RFCs and Netscape
> Directory.
>
> There are four missing pieces of documentation on the fedora directory
> site. The two that I am interested in are "Howto: BIND" and "Howto:
> DHCP". I would like to write the "Howto: BIND".
>
> As a starting point, I either need to find or create the schema for
> storing DNS records. I was hoping this project would have the "blessed"
> schema. I downloaded FreeIPA sources and did some searching but didn't
> find this schema. I hope to have a machine set up soon where I can
> install the current freeipa and see how it works a little more closely,
> but that won't happen until next week.
>
> Does anybody currently have such a schema?
> Any insight into putting DNS information into FDS?

We have long term plans to let people integrate DNS and DHCP modules and
have a standard schema for these. Unfortunately we have not yet had the
time to get to this point. We had some talks about how that should work,
but nothing definitive.
On the schema side I've done a bit of research and there are different
schema options, BIND has at least 3 different modules to deal with LDAP
but honestly none of them is completely satisfactory.

We are delaying work around BIND until we have a better idea and more
resources to throw at the problem.

Simo.

-- 
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |

From: bbaker at priefert.com (William Baker)
Date: Thu, 10 Jan 2008 12:29:20 -0600
Subject: [Freeipa-devel] fedora-ds schema for DNS
In-Reply-To: <1199987090.31403.24.camel@localhost.localdomain>
References: <4786567B.3070002@priefert.com> <1199987090.31403.24.camel@localhost.localdomain>
Message-ID: <47866400.9060902@priefert.com>

I would love to review that "standard schema", even if all you can do is
point me to a particular RFC.

bbaker

> On Thu, 2008-01-10 at 11:31 -0600, William Baker wrote:
>
>> I am attempting to find the schema used for storing DNS records in
>> fedora-ds. In particular, I was looking for the objectclass of
>> dNSZone. All that I have found is a little bit of controversy about
>> schema defs for aRecord and dNSRecord regarding old RFCs and Netscape
>> Directory.
>>
>> There are four missing pieces of documentation on the fedora directory
>> site. The two that I am interested in are "Howto: BIND" and "Howto:
>> DHCP". I would like to write the "Howto: BIND".
>>
>> As a starting point, I either need to find or create the schema for
>> storing DNS records. I was hoping this project would have the "blessed"
>> schema. I downloaded FreeIPA sources and did some searching but didn't
>> find this schema. I hope to have a machine set up soon where I can
>> install the current freeipa and see how it works a little more closely,
>> but that won't happen until next week.
>>
>> Does anybody currently have such a schema?
>> Any insight into putting DNS information into FDS?
>>
>
> We have long term plans to let people integrate DNS and DHCP modules and
> have a standard schema for these. Unfortunately we have not yet had the
> time to get to this point. We had some talks about how that should
> work, but nothing definitive.
> On the schema side I've done a bit of research and there are different
> schema options, BIND has at least 3 different modules to deal with LDAP
> but honestly none of them is completely satisfactory.
>
> We are delaying work around BIND until we have a better idea and more
> resources to throw at the problem.
>
> Simo.
>

From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Jan 2008 14:23:34 -0500
Subject: [Freeipa-devel] ipa-getkeytab problems
Message-ID: <478670B6.10800@redhat.com>

I'm having no luck with the new ipa-getkeytab on either F-7 or Solaris 10.

On F-7 I get:

% kinit admin
% ipa-getkeytab -s ipa -p host/drew.greyoak.com@GREYOAK.COM -k foo
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL installing layers
Operation failed! PrincipalName not found.
*** glibc detected *** ./ipa-getkeytab: double free or corruption (out): 0x081ae2a8 ***
======= Backtrace: =========
/lib/libc.so.6[0xbf3df1]
/lib/libc.so.6(cfree+0x90)[0xbf7430]
/usr/lib/liblber-2.3.so.0(ber_memfree_x+0x4a)[0x47ed34a]
/usr/lib/liblber-2.3.so.0(ber_bvfree_x+0x37)[0x47ed477]
/usr/lib/liblber-2.3.so.0(ber_bvfree+0x25)[0x47ed575]
./ipa-getkeytab[0x8049550]
/lib/libc.so.6(__libc_start_main+0xe0)[0xba1f70]
./ipa-getkeytab[0x8048d91]
======= Memory map: ========
(process memory map elided)
Aborted

I don't have openldap libraries installed on Solaris 10, just the
Sun/Mozilla ones. The API is slightly different and I haven't been able
to get ldap_sasl_interactive_bind_s() working.

rob

From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Jan 2008 14:45:05 -0500
Subject: [Freeipa-devel] solaris 10 x86 client instructions
Message-ID: <478675C1.9070803@redhat.com>

I know that the pam.conf here is wrong but I'm posting it so we can get it
fixed up. These instructions also will need to be updated once ipa-getkeytab
is ported to work on Solaris.

These instructions work enough to get a vanilla Solaris 10 x86 U4 8/7
client working.

For this example my IPA server is ipa.freeipa.org (192.168.0.1) and my
Solaris 10 box is drew.freeipa.org (192.168.0.2).

On the IPA server do (as root):

1. edit /var/kerberos/krb5kdc/kdc.conf and remove aes256-cts:normal from
   supported_enctypes
2. service krb5kdc restart
3. kadmin.local
4. addprinc -randkey host/drew.freeipa.org@FREEIPA.ORG
5. ktadd -k /tmp/drew host/drew.freeipa.org@FREEIPA.ORG
6. quit
7. chmod 666 /tmp/drew

On the Solaris server do (as root):

1. scp @ipa:/etc/krb5.conf /etc/krb5/krb5.conf
2. scp @ipa:/tmp/drew /etc/krb5/krb5.keytab
3. chown root:root /etc/krb5/krb5.keytab
4. chmod 600 /etc/krb5/krb5.keytab
5. kinit admin (you should be able to authenticate)
6. edit /etc/hosts and make sure that it looks something like:
   192.168.0.2 drew.freeipa.org drew loghost
7. edit /etc/nodename and make it fully qualified
8. Run this:

   ldapclient manual -a authenticationMethod=none \
     -a defaultSearchBase=dc=freeipa,dc=org \
     -a defaultServerList=192.168.0.1 \
     -a serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=freeipa,dc=org \
     -a serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=freeipa,dc=org

9. Fix the hosts line in /etc/nsswitch.conf to read: dns files
10. Plop in the attached pam.conf into /etc/pam.conf and make sure the
    owner is root.

You should be able to do things like this now:

% getent passwd
% getent passwd

For IPA-only users you will need to add the objectclass shadowAccount to
the entry. You can do that with:

ldapmodify -x -D "cn=directory manager" -w
dn: uid=test,cn=users,cn=accounts,dc=freeipa,dc=org
changetype: modify
add: objectclass
objectclass: shadowAccount
^D

I have a semi-working pam_mkhomedir but it isn't ready for prime-time yet
so you'll need to pre-make any home directories for non-local users.

Now in theory you should be able to log into the Solaris 10 x86 box using
just your kerberos credentials for either local or non-local users.

rob

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: pam.conf

From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 10 Jan 2008 15:31:20 -0500
Subject: [Freeipa-devel] [PATCH] replication manager
In-Reply-To: <1198253424.4038.5.camel@clapton.mentalrootkit.com>
References: <1198253424.4038.5.camel@clapton.mentalrootkit.com>
Message-ID: <1199997080.3027.42.camel@localhost.localdomain>

On Fri, 2007-12-21 at 11:10 -0500, Karl MacMillan wrote:
> Add a replication manager tool that allows listing, adding, and deleting
> replication agreements. This is instead of setting up a mesh topology by
> default - with this tool users can set whatever topology they want.
>

Pushed.

From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 10 Jan 2008 15:32:23 -0500
Subject: [Freeipa-devel] [PATCH] Do not require REALM for principal name
In-Reply-To: <1198269778.3602.1.camel@hopeson>
References: <1198269778.3602.1.camel@hopeson>
Message-ID: <1199997143.3027.44.camel@localhost.localdomain>

On Fri, 2007-12-21 at 15:42 -0500, Simo Sorce wrote:
> Attached patch allows you to 'assume' the default REALM and pass in a
> service principal name without the REALM part.
> Helps shorten the options for ipa-getkeytab
>

Pushed.

From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 10 Jan 2008 15:33:00 -0500
Subject: [Freeipa-devel] [PATCH] Change subject of self-signed CA
In-Reply-To: <477E5D74.2050108@redhat.com>
References: <477E5D74.2050108@redhat.com>
Message-ID: <1199997180.3027.46.camel@localhost.localdomain>

On Fri, 2008-01-04 at 11:23 -0500, Rob Crittenden wrote:
> This patch changes the subject of the self-signed CA we generate during
> installation. This should make it easier for people to find it in their
> browser when they add trust for it.

Excellent idea - pushed.

From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 10 Jan 2008 15:33:39 -0500
Subject: [Freeipa-devel] [PATCH] don't let user set realm in service principals
In-Reply-To: <478274F2.1010903@redhat.com>
References: <478274F2.1010903@redhat.com>
Message-ID: <1199997219.3027.48.camel@localhost.localdomain>

On Mon, 2008-01-07 at 13:52 -0500, Rob Crittenden wrote:
> In add_service_principal() don't let the user pass in the realm.
>
> This could result in a principal of the form:
>
> service/host@something@REALM
>

Pushed.

From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 10 Jan 2008 15:34:11 -0500
Subject: [Freeipa-devel] [PATCH] fix button text
In-Reply-To: <47829085.3020108@redhat.com>
References: <47829085.3020108@redhat.com>
Message-ID: <1199997251.3027.50.camel@localhost.localdomain>

On Mon, 2008-01-07 at 15:50 -0500, Rob Crittenden wrote:
> Make button text consistent with rest of page on Find Service Principals
> page.
>

Pushed.

From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 10 Jan 2008 15:34:44 -0500
Subject: [Freeipa-devel] [PATCH] add function to make ipa-adddelegation easier to use
In-Reply-To: <477EA817.9040600@redhat.com>
References: <477EA817.9040600@redhat.com>
Message-ID: <1199997285.3027.52.camel@localhost.localdomain>

On Fri, 2008-01-04 at 16:41 -0500, Rob Crittenden wrote:
> Add function to retrieve a short list of attributes to make
> ipa-adddelegation easier to use.
>
> Also add an example to the man page.
>

Pushed.

From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 10 Jan 2008 15:35:20 -0500
Subject: [Freeipa-devel] [PATCH] add man page for ipa-addservice
In-Reply-To: <477EA8C5.8040508@redhat.com>
References: <477EA8C5.8040508@redhat.com>
Message-ID: <1199997320.3027.54.camel@localhost.localdomain>

On Fri, 2008-01-04 at 16:44 -0500, Rob Crittenden wrote:
> I noticed we didn't have a man page for ipa-addservice. Here is one.
>

Pushed.

From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 10 Jan 2008 15:35:57 -0500
Subject: [Freeipa-devel] [PATCH] general manpage cleanup
In-Reply-To: <477EA8E4.5020207@redhat.com>
References: <477EA8E4.5020207@redhat.com>
Message-ID: <1199997357.3027.56.camel@localhost.localdomain>

On Fri, 2008-01-04 at 16:45 -0500, Rob Crittenden wrote:
> Cleaned up a couple of man pages, hopefully making them clearer.
>

Pushed.

From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Jan 2008 16:07:38 -0500
Subject: [Freeipa-devel] [PATCH] resend enable sessions in the GUI
Message-ID: <4786891A.1080307@redhat.com>

This enables server-side file-based sessions on the server side. In
production the sessions will be stored in /var/cache/ipa.

I've also added a simple mechanism to try to ensure that a record that is
being updated is the record that was last edited. This is an attempt around
a phishing attack that might trick a user to click on a link that will do a
POST and update their password in the UI.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-568-sessions.patch
Type: text/x-patch
Size: 3811 bytes

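The record-matching check Rob describes above, as an added example that is not the patch's code (the patch itself is only a scrubbed attachment here): a file-backed session store whose cache directory is created without a bare `except: pass`, plus a per-session edit token that goes one step beyond what the mail describes, so a POST triggered from another site that names the right DN is still refused. The store class, function names and the temporary directory are assumptions of this example.

```python
import errno
import hmac
import json
import os
import secrets
import stat
import tempfile


class FileSessionStore:
    """Server-side sessions, one JSON file per session id, kept in a
    directory that only the server's own user may enter (mode 0700)."""

    def __init__(self, cache_dir):
        self.cache_dir = cache_dir
        self._create_cache_dir()

    def _create_cache_dir(self):
        # Only "already exists" is tolerated; a permission error is raised
        # here instead of surfacing later as sessions that silently fail to
        # save. The mode is enforced even when the directory pre-existed.
        try:
            os.makedirs(self.cache_dir, 0o700)
        except OSError as err:
            if err.errno != errno.EEXIST:
                raise
        os.chmod(self.cache_dir, stat.S_IRWXU)

    def _path(self, session_id):
        # Ids come from secrets.token_hex, so anything that is not plain
        # alphanumerics is rejected before it can become part of a path.
        if not session_id.isalnum():
            raise ValueError("malformed session id")
        return os.path.join(self.cache_dir, session_id + ".json")

    def load(self, session_id):
        try:
            with open(self._path(session_id)) as fh:
                return json.load(fh)
        except FileNotFoundError:
            return {}

    def save(self, session_id, data):
        with open(self._path(session_id), "w") as fh:
            json.dump(data, fh)


def render_password_form(store, session_id, dn):
    """Rendering the edit form records which entry this session is editing
    and issues a random one-shot token that the form carries as a hidden
    field. Returns that token."""
    session = store.load(session_id)
    token = secrets.token_hex(16)
    session["editing"] = {"dn": dn, "token": token}
    store.save(session_id, session)
    return token


def handle_password_post(store, session_id, dn, token, new_password):
    """Accept the POST only if it targets the entry this session last
    rendered a form for AND carries that form's token. A POST fired by a
    link on another site can name the right DN but cannot know the token.
    Returns (accepted, reason); the password itself is not changed here."""
    session = store.load(session_id)
    editing = session.get("editing")
    if editing is None:
        return False, "no entry is being edited in this session"
    if editing["dn"] != dn:
        return False, "POST targets an entry other than the one last edited"
    if not hmac.compare_digest(editing["token"].encode(), (token or "").encode()):
        return False, "edit token missing or wrong"
    del session["editing"]            # one-shot: a replayed POST is refused
    store.save(session_id, session)
    return True, "update accepted for %s" % dn


def run_scenario(cache_dir=None):
    """Constructed walk-through: one genuine edit and three bad POSTs."""
    if cache_dir is None:
        cache_dir = tempfile.mkdtemp(prefix="ipa-sessions-")  # stands in for /var/cache/ipa
    store = FileSessionStore(cache_dir)
    sid = secrets.token_hex(8)
    dn = "uid=test,cn=users,cn=accounts,dc=freeipa,dc=org"
    other = "uid=admin,cn=users,cn=accounts,dc=freeipa,dc=org"
    token = render_password_form(store, sid, dn)
    return {
        "forged": handle_password_post(store, sid, dn, "not-the-token", "x")[0],
        "wrong_dn": handle_password_post(store, sid, other, token, "x")[0],
        "genuine": handle_password_post(store, sid, dn, token, "x")[0],
        "replay": handle_password_post(store, sid, dn, token, "x")[0],
        "mode": stat.S_IMODE(os.stat(cache_dir).st_mode),
    }


if __name__ == "__main__":
    print(run_scenario())
```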
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 10 Jan 2008 17:17:16 -0500
Subject: [Freeipa-devel] solaris 10 x86 client instructions
In-Reply-To: <478675C1.9070803@redhat.com>
References: <478675C1.9070803@redhat.com>
Message-ID: <1200003436.31403.41.camel@localhost.localdomain>

On Thu, 2008-01-10 at 14:45 -0500, Rob Crittenden wrote:
> On the IPA server do (as root):
>
> 1. edit /var/kerberos/krb5kdc/kdc.conf and remove aes256-cts:normal
> from
> supported_enctypes
> 2. service krb5kdc restart
> 3. kadmin.local
> 4. addprinc -randkey host/drew.freeipa.org@FREEIPA.ORG
> 5. ktadd -k /tmp/drew host/drew.freeipa.org@FREEIPA.ORG
> 6. quit
> 7. chmod 666 /tmp/drew

This will work, but it is really a dirty way of doing it.
First of all changing just /var/kerberos/krb5kdc/kdc.conf will make it
inconsistent with the list we store in LDAP and that's not nice.

Also this step is unnecessary as you can give ktadd the list of
encryption types you want to use IIRC.

Second, using kadmin.local you will create the service principal under
cn=kerberos and not under cn=services, until we have real computer
objects I think we should store host/fqdn principals under services.

A better procedure would be to just use ipa-getkeytab on a fedora client
where you set the preferred enctypes in /etc/krb5.conf after you create
the service principal host/fqdn@realm with the tool ipa-addservice (or
via the webui).

I am opening a ticket to myself to remember to allow to specify the list
of enctypes on the ipa-getkeytab, this will solve the problem in a
cleaner way.

Simo.

-- 
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |

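Rob's aes256-cts problem and Simo's point that ipa-getkeytab keeps only the enctypes the local box supports both come down to what actually ends up inside the keytab file. As an added example (not code from the thread or from FreeIPA), here is a small parser for the MIT keytab format (version 0x0502) that lists each key's principal and enctype and flags the entries a given client cannot use; the "stock Solaris 10" enctype set and the sample keytab are constructed assumptions, the serializer exists only to build that sample.

```python
import struct

# Kerberos enctype numbers as registered for MIT krb5 / RFC 3961.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}

# Assumption for this example: enctypes a Solaris 10 client without the
# Data Encryption Kit mentioned in the thread can handle (no AES-256).
SOLARIS10_STOCK_ENCTYPES = {1, 3, 16, 17, 23}


def _counted(buf, off):
    """Read a 16-bit length-prefixed octet string at buf[off:]."""
    (length,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + length], off + length


def parse_keytab(data):
    """Parse MIT keytab bytes (file format version 2) into entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted entry
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + keylen]
        off += keylen
        vno = vno8
        if end - off >= 4:           # optional 32-bit kvno overrides vno8
            (vno,) = struct.unpack_from(">I", data, off)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "enctype": enctype, "key": key,
                        "timestamp": timestamp})
        off = end
    return entries


def unusable_entries(data, supported=SOLARIS10_STOCK_ENCTYPES):
    """(principal, enctype name) for every key the client cannot use."""
    return [(e["principal"], ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])))
            for e in parse_keytab(data) if e["enctype"] not in supported]


def build_keytab(entries):
    """Serialize entry dicts (shape as parse_keytab returns) to keytab bytes.
    Used only to construct sample input; real keytabs come from ipa-getkeytab
    or ktadd."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].split("@")
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, e["timestamp"], e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: the thread's host principal with an AES-256 key (which
# the stock Solaris 10 client cannot use) and an RC4 key (which it can).
SAMPLE_KEYTAB = build_keytab([
    {"principal": "host/drew.freeipa.org@FREEIPA.ORG", "kvno": 2,
     "enctype": 18, "key": b"\x11" * 32, "timestamp": 1200000000},
    {"principal": "host/drew.freeipa.org@FREEIPA.ORG", "kvno": 2,
     "enctype": 23, "key": b"\x22" * 16, "timestamp": 1200000000},
])

if __name__ == "__main__":
    for principal, name in unusable_entries(SAMPLE_KEYTAB):
        print("unusable on this client: %s (%s)" % (principal, name))
```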
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 10 Jan 2008 17:20:21 -0500
Subject: [Freeipa-devel] ipa-getkeytab problems
In-Reply-To: <478670B6.10800@redhat.com>
References: <478670B6.10800@redhat.com>
Message-ID: <1200003621.31403.43.camel@localhost.localdomain>

On Thu, 2008-01-10 at 14:23 -0500, Rob Crittenden wrote:
> % kinit admin
> % ipa-getkeytab -s ipa -p host/drew.greyoak.com@GREYOAK.COM -k foo
> SASL/GSSAPI authentication started
> SASL username: admin
> SASL SSF: 56
> SASL installing layers
> Operation failed! PrincipalName not found.

You need to create the service principal with ipa-addservice first.

Simo.

-- 
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |

From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Jan 2008 17:30:04 -0500
Subject: [Freeipa-devel] solaris 10 x86 client instructions
In-Reply-To: <1200003436.31403.41.camel@localhost.localdomain>
References: <478675C1.9070803@redhat.com> <1200003436.31403.41.camel@localhost.localdomain>
Message-ID: <47869C6C.1010404@redhat.com>

Simo Sorce wrote:
> On Thu, 2008-01-10 at 14:45 -0500, Rob Crittenden wrote:
>> On the IPA server do (as root):
>>
>> 1. edit /var/kerberos/krb5kdc/kdc.conf and remove aes256-cts:normal
>> from
>> supported_enctypes
>> 2. service krb5kdc restart
>> 3. kadmin.local
>> 4. addprinc -randkey host/drew.freeipa.org@FREEIPA.ORG
>> 5. ktadd -k /tmp/drew host/drew.freeipa.org@FREEIPA.ORG
>> 6. quit
>> 7. chmod 666 /tmp/drew
>
> This will work, but it is really a dirty way of doing it.
> First of all changing just /var/kerberos/krb5kdc/kdc.conf will make it
> inconsistent with the list we store in LDAP and that's not nice.
>
> Also this step is unnecessary as you can give ktadd the list of
> encryption types you want to use IIRC.

Ok, as I had said, this is just a workaround until ipa-getkeytab is ported.

> Second, using kadmin.local you will create the service principal under
> cn=kerberos and not under cn=services, until we have real computer
> objects I think we should store host/fqdn principals under services.

That probably explains why ipa-getkeytab isn't finding the principal in
F-7 for me then.

>
> A better procedure would be to just use ipa-getkeytab on a fedora client
> where you set the preferred enctypes in /etc/krb5.conf after you create
> the service principal host/fqdn@realm with the tool ipa-addservice (or
> via the webui).
>
> I am opening a ticket to myself to remember to allow to specify the list
> of enctypes on the ipa-getkeytab, this will solve the problem in a
> cleaner way.

That will be good too.

rob

From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 10 Jan 2008 17:32:42 -0500
Subject: [Freeipa-devel] solaris 10 x86 client instructions
In-Reply-To: <47869C6C.1010404@redhat.com>
References: <478675C1.9070803@redhat.com> <1200003436.31403.41.camel@localhost.localdomain> <47869C6C.1010404@redhat.com>
Message-ID: <1200004362.31403.46.camel@localhost.localdomain>

On Thu, 2008-01-10 at 17:30 -0500, Rob Crittenden wrote:
> > Second, using kadmin.local you will create the service principal under
> > cn=kerberos and not under cn=services, until we have real computer
> > objects I think we should store host/fqdn principals under services.
>
> That probably explains why ipa-getkeytab isn't finding the principal in F-7
> for me then.

IIRC ipa-getkeytab will get you a keytab for just any principal at this
time (even users wiping out their previous password :-), I can't remember
limiting it to the cn=services tree.

Simo.

-- 
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |

From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 10 Jan 2008 17:34:08 -0500
Subject: [Freeipa-devel] [PATCH] resend enable sessions in the GUI
In-Reply-To: <4786891A.1080307@redhat.com>
References: <4786891A.1080307@redhat.com>
Message-ID: <1200004448.31403.48.camel@localhost.localdomain>

On Thu, 2008-01-10 at 16:07 -0500, Rob Crittenden wrote:
> +
> +    def __create_cache_dir(self):
> +        try:
> +            os.makedirs("/var/cache/ipa", 0700)
> +        except:
> +            pass

Should this be chowned to the apache user as well ?

Simo.

-- 
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |

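Review bot: the bare `except: pass` in `__create_cache_dir` swallows every failure of `os.makedirs("/var/cache/ipa", 0700)`, not only the directory already existing, so a permission or read-only filesystem error leaves the session store missing and only shows up later when a session cannot be written; catch `OSError`, re-raise unless `errno` is `EEXIST`, and when the directory does already exist still apply the intended mode and owner (the chown to the apache user asked about above) instead of trusting whatever is there.
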
From: daobrien at redhat.com (David O'Brien)
Date: Fri, 11 Jan 2008 17:15:56 +1000
Subject: [Freeipa-devel] ports for RADIUS?
Message-ID: <478717AC.1070504@redhat.com>

I'd like to update the following for RADIUS ports, but I don't know which
ones freeIPA uses:
http://www.freeipa.org/page/InstallAndDeploy#Required_Ports

The "official" ports are 1812 and 1813 but 1645/6 seem to be the default
ones. Can anyone shed light here?

thanks

-- 
David O'Brien
RHCT

Red Hat is #1 in value. Again.
http://apac.redhat.com/promo/vendor/

From: daobrien at redhat.com (David O'Brien)
Date: Fri, 11 Jan 2008 17:27:02 +1000
Subject: [Freeipa-devel] help setting up RADIUS?
Message-ID: <47871A46.1090603@redhat.com>

How do I go about getting RADIUS configured? I installed the package and
ran ipa-radius-install but don't know what to do next :-S

cheers

-- 
David O'Brien
RHCT

Red Hat is #1 in value. Again.
http://apac.redhat.com/promo/vendor/

From: daobrien at redhat.com (David O'Brien)
Date: Fri, 11 Jan 2008 17:31:23 +1000
Subject: [Freeipa-devel] naming for radius.conf?
Message-ID: <47871B4B.1010604@redhat.com>

There's probably a good reason for this, but why is this file
/etc/raddb/radiusd.conf and not /etc/radius/radiusd.conf ? I figure there
is a db involved, etc., etc., but it didn't seem a very logical directory
name. I ended up using locate to, er.., locate it.

-- 
David O'Brien
RHCT

Red Hat is #1 in value. Again.
http://apac.redhat.com/promo/vendor/

From: daobrien at redhat.com (David O'Brien) Date: Fri, 11 Jan 2008 17:39:47 +1000 Subject: [Freeipa-devel] help setting up RADIUS? In-Reply-To: <47871A46.1090603@redhat.com> References: <47871A46.1090603@redhat.com> Message-ID: <47871D43.4060504@redhat.com> David O'Brien wrote: > How do I go about getting RADIUS configured? I installed the package > and ran ipa-radius-install but don't know what to do next :-S > > cheers > and, should it show up somewhere in the webUI? I notice a few commands (ipa-radiusclientmod and profilemod) but there don't appear to be man pages. -- David O'Brien RHCT From markmc at redhat.com Fri Jan 11 08:01:29 2008 From: markmc at redhat.com (Mark McLoughlin) Date: Fri, 11 Jan 2008 08:01:29 +0000 Subject: [Freeipa-devel] [PATCH] resend enable sessions in the GUI In-Reply-To: <1200004448.31403.48.camel@localhost.localdomain> References: <4786891A.1080307@redhat.com> <1200004448.31403.48.camel@localhost.localdomain> Message-ID: <1200038489.6013.4.camel@muff> On Thu, 2008-01-10 at 17:34 -0500, Simo Sorce wrote: > On Thu, 2008-01-10 at 16:07 -0500, Rob Crittenden wrote: > > + > > + def __create_cache_dir(self): > > + try: > > + os.makedirs("/var/cache/ipa", 0700) > > + except: > > + pass > > Should this be chowned to the apache user as well ? Also, it'd be better to create this dir via a Makefile so that it can be owned by the RPM. Cheers, Mark. From mpoole at redhat.com Fri Jan 11 10:42:04 2008 
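Review bot: in the quoted __create_cache_dir hunk, the bare `except: pass` around `os.makedirs("/var/cache/ipa", 0700)` hides every failure, not only "directory already exists", so a permission error or a regular file sitting at that path goes unnoticed until the session code first tries to write there. Catch OSError and ignore only errno.EEXIST (and check the existing path is a directory); on Simo's chown question, a 0700 directory created by root is unusable by the apache user, so either chown it or, as Mark suggests, let the RPM own it with an explicit owner and mode rather than creating it at runtime.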
From: mpoole at redhat.com (Martin Poole) Date: Fri, 11 Jan 2008 10:42:04 +0000 Subject: [Freeipa-devel] ports for RADIUS? In-Reply-To: <478717AC.1070504@redhat.com> References: <478717AC.1070504@redhat.com> Message-ID: <478747FC.7000202@redhat.com> David O'Brien wrote: > I'd like to update the following for RADIUS ports, but I don't know > which ones freeIPA uses: > http://www.freeipa.org/page/InstallAndDeploy#Required_Ports > > The "official" ports are 1812 and 1813 but 1645/6 seem to be the default > ones. Can anyone shed light here? > > thanks > Pure history. That's what the original protocol and code used before it was cleaned up and redefined to use 1812 as specced in rfc2138. -- Martin Poole (still recovering from Livingston portmonsters and servers) From markmc at redhat.com Fri Jan 11 12:00:40 2008 From: markmc at redhat.com (Mark McLoughlin) Date: Fri, 11 Jan 2008 12:00:40 +0000 Subject: [Freeipa-devel] [PATCH 3 of 8] Use service.py helpers In-Reply-To: Message-ID: <85547227bc31c8b12e05.1200052840@localhost.localdomain> # HG changeset patch # User Mark McLoughlin # Date 1200047785 0 # Node ID 85547227bc31c8b12e0569f04ccfb77d2d986f27 # Parent 454a6aa17f5a039c1d96e30df02c49599b15f972 Use service.py helpers In dsinstance.py, there's one place we could use the service.py helpers where we don't currently. Signed-off-by: Mark McLoughlin diff -r 454a6aa17f5a -r 85547227bc31 ipa-server/ipaserver/dsinstance.py --- a/ipa-server/ipaserver/dsinstance.py Fri Jan 11 10:36:25 2008 +0000 +++ b/ipa-server/ipaserver/dsinstance.py Fri Jan 11 10:36:25 2008 +0000 @@ -80,7 +80,7 @@ def check_existing_installation(): sys.exit(1) try: - ipautil.run(["/sbin/service", "dirsrv", "stop"]) + service.stop("dirsrv") except: pass for d in dirs: From markmc at redhat.com Fri Jan 11 12:00:39 2008
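Review bot: the dsinstance.py hunk in PATCH 3 of 8 calls `service.stop("dirsrv")` but shows no `import service` for that file, and the surrounding bare `except: pass` would swallow a NameError just as readily as a failed stop, so a missing import would make the stop silently never happen. Confirm dsinstance.py already imports service, and consider narrowing the except to ipautil.CalledProcessError so only a genuine "service not running" result is ignored.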
From: markmc at redhat.com (Mark McLoughlin) Date: Fri, 11 Jan 2008 12:00:39 +0000 Subject: [Freeipa-devel] [PATCH 2 of 8] Add service.is_enabled() helper In-Reply-To: Message-ID: <454a6aa17f5a039c1d96.1200052839@localhost.localdomain> # HG changeset patch # User Mark McLoughlin # Date 1200047785 0 # Node ID 454a6aa17f5a039c1d96e30df02c49599b15f972 # Parent b5037ba7a95d0ec53356625778d28da508545ab0 Add service.is_enabled() helper Add a simple helper to check whether a service is enabled. Signed-off-by: Mark McLoughlin diff -r b5037ba7a95d -r 454a6aa17f5a ipa-python/ipautil.py --- a/ipa-python/ipautil.py Fri Jan 11 10:36:25 2008 +0000 +++ b/ipa-python/ipautil.py Fri Jan 11 10:36:25 2008 +0000 @@ -82,6 +82,8 @@ def run(args, stdin=None): if p.returncode != 0: raise CalledProcessError(p.returncode, ' '.join(args)) + + return (stdout, stderr) def file_exists(filename): try: diff -r b5037ba7a95d -r 454a6aa17f5a ipa-server/ipaserver/service.py --- a/ipa-server/ipaserver/service.py Fri Jan 11 10:36:25 2008 +0000 +++ b/ipa-server/ipaserver/service.py Fri Jan 11 10:36:25 2008 +0000 @@ -34,7 +34,7 @@ def is_running(service_name): ret = True try: ipautil.run(["/sbin/service", service_name, "status"]) - except CalledProcessError: + except ipautil.CalledProcessError: ret = False return ret @@ -43,6 +43,26 @@ def chkconfig_on(service_name): def chkconfig_off(service_name): ipautil.run(["/sbin/chkconfig", service_name, "off"]) + +def is_enabled(service_name): + (stdout, stderr) = ipautil.run(["/sbin/chkconfig", "--list", service_name]) + + runlevels = {} + for runlevel in range(0, 7): + runlevels[runlevel] = False + + for line in stdout.split("\n"): + parts = line.split() + if parts[0] == service_name: + for s in parts[1:]: + (runlevel, status) = s.split(":")[0:2] + try: + runlevels[int(runlevel)] = status == "on" + except ValueError: + pass + break + + return (runlevels[3] and runlevels[4] and runlevels[5]) def print_msg(message, output_fd=sys.stdout): logging.debug(message) 
@@ -77,6 +97,9 @@ class Service: def chkconfig_off(self): chkconfig_off(self.service_name) + def is_enabled(self): + return is_enabled(self.service_name) + def print_msg(self, message): print_msg(message, self.output_fd) From markmc at redhat.com Fri Jan 11 12:00:37 2008 From: markmc at redhat.com (Mark McLoughlin) Date: Fri, 11 Jan 2008 12:00:37 +0000 Subject: [Freeipa-devel] [PATCH 0 of 8] Add ipa-server-install --uninstall Message-ID: Hey, It's a bit of a pain getting your system back into a clean state after running ipa-server-install, so I've hacked up a series of patches which adds "uninstall" functionality to ipa-server-install. The final two patches are where this is all implemented; the preceding patches are fairly miscellaneous. Cheers, Mark. From markmc at redhat.com Fri Jan 11 12:00:45 2008 From: markmc at redhat.com (Mark McLoughlin) Date: Fri, 11 Jan 2008 12:00:45 +0000 Subject: [Freeipa-devel] [PATCH 8 of 8] Add ipa-server-install --uninstall In-Reply-To: Message-ID: <3f47b8dc521125eb72e5.1200052845@localhost.localdomain> # HG changeset patch # User Mark McLoughlin # Date 1200052656 0 # Node ID 3f47b8dc521125eb72e567883b4b3460390020e2 # Parent 8640eee04855769ce8d0592e0fd7580e63d81dcf Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin diff -r 8640eee04855 -r 3f47b8dc5211 ipa-server/ipa-install/ipa-server-install --- a/ipa-server/ipa-install/ipa-server-install Fri Jan 11 11:06:33 2008 +0000 +++ b/ipa-server/ipa-install/ipa-server-install Fri Jan 11 11:57:36 2008 +0000
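Review bot: in the new is_enabled() in the service.py hunk of PATCH 2 of 8, `parts[0] == service_name` raises IndexError on an empty line: chkconfig output ends with a newline, so `stdout.split("\n")` yields a trailing empty string and `parts` is `[]` for it, which is reached whenever no earlier line matched the service name. Guard with `if not parts: continue`. The `(runlevel, status) = s.split(":")[0:2]` unpack also sits outside the try, so a token without a colon raises ValueError uncaught; move the unpack inside the try or check the split length first.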
@@ -74,15 +74,21 @@ def parse_options(): default=False, help="configure bind with our zone file") parser.add_option("-U", "--unattended", dest="unattended", action="store_true", default=False, help="unattended installation never prompts the user") + parser.add_option("", "--uninstall", dest="uninstall", action="store_true", + default=False, help="uninstall an existing installation") options, args = parser.parse_args() - if options.unattended and (not options.ds_user or - not options.realm_name or - not options.dm_password or - not options.admin_password or - not options.master_password): - parser.error("error: In unattended mode you need to provide at least -u, -r, -p and -P options") + if options.uninstall: + if (options.ds_user or options.realm_name or + options.dm_password or options.admin_password or + options.master_password): + parser.error("error: In uninstall mode, -u, r, -p and -P options are not allowed") + elif options.unattended: + if (not options.ds_user or not options.realm_name or + not options.dm_password or not options.admin_password or + not options.master_password): + parser.error("error: In unattended mode you need to provide at least -u, -r, -p and -P options") return options @@ -241,6 +247,17 @@ def read_admin_password(): admin_password = read_password("IPA admin") return admin_password +def uninstall(): + ipaserver.ntpinstance.NTPInstance().uninstall() + ipaserver.bindinstance.BindInstance().uninstall() + ipaserver.webguiinstance.WebGuiInstance().uninstall() + ipaserver.httpinstance.HTTPInstance().uninstall() + ipaserver.krbinstance.KrbInstance().uninstall() + ipaserver.dsinstance.DsInstance().uninstall() + sysrestore.restore_file("/etc/hosts") + sysrestore.restore_file("/etc/ipa/ipa.conf") + return 0 + def main(): global ds ds = None 
@@ -255,6 +272,9 @@ def main(): signal.signal(signal.SIGINT, signal_handler) standard_logging_setup("ipaserver-install.log", options.debug) + + if options.uninstall: + return uninstall() print "==============================================================================" print "This program will setup the FreeIPA Server." diff -r 8640eee04855 -r 3f47b8dc5211 ipa-server/ipaserver/bindinstance.py --- a/ipa-server/ipaserver/bindinstance.py Fri Jan 11 11:06:33 2008 +0000 +++ b/ipa-server/ipaserver/bindinstance.py Fri Jan 11 11:57:36 2008 +0000 @@ -110,3 +110,18 @@ class BindInstance(service.Service): resolve_fd.write(resolve_txt) resolve_fd.close() + def uninstall(self): + running = self.restore_state("running") + domain = self.restore_state("domain") + + if not running is None: + self.stop() + + if not domain is None: + sysrestore.restore_file(os.path.join ("/var/named/", self.domain + ".zone.db")) + + sysrestore.restore_file('/etc/named.conf') + sysrestore.restore_file('/etc/resolve.conf') + + if not running is None and running: + self.start() diff -r 8640eee04855 -r 3f47b8dc5211 ipa-server/ipaserver/dsinstance.py --- a/ipa-server/ipaserver/dsinstance.py Fri Jan 11 11:06:33 2008 +0000 +++ b/ipa-server/ipaserver/dsinstance.py Fri Jan 11 11:57:36 2008 +0000 
@@ -333,3 +333,28 @@ class DsInstance(service.Service): print "Unable to set admin password", e logging.debug("Unable to set admin password %s" % e) + def uninstall(self): + running = self.restore_state("running") + enabled = self.restore_state("enabled") + + if not running is None: + self.stop() + + if not enabled is None and not enabled: + self.chkconfig_off() + + serverid = self.restore_state("serverid") + if not serverid is None: + erase_ds_instance_data(serverid) + + ds_user = self.restore_state("user") + user_exists = self.restore_state("user_exists") + + if not ds_user is None and not user_exists is None and not user_exists: + try: + ipautil.run(["/usr/sbin/userdel", ds_user]) + except ipautil.CalledProcessError, e: + logging.critical("failed to delete user %s" % e) + + if self.restore_state("running"): + self.start() diff -r 8640eee04855 -r 3f47b8dc5211 ipa-server/ipaserver/httpinstance.py --- a/ipa-server/ipaserver/httpinstance.py Fri Jan 11 11:06:33 2008 +0000 +++ b/ipa-server/ipaserver/httpinstance.py Fri Jan 11 11:57:36 2008 +0000 @@ -158,3 +158,26 @@ class HTTPInstance(service.Service): "-e", ".html", tmpdir]) shutil.rmtree(tmpdir) + + def uninstall(self): + running = self.restore_state("running") + enabled = self.restore_state("enabled") + + if not running is None: + self.stop() + + if not enabled is None and not enabled: + self.chkconfig_off() + + for f in ["/etc/httpd/conf.d/ipa.conf", SSL_CONF, NSS_CONF]: + sysrestore.restore_file(f) + + sebool_state = self.restore_state("httpd_can_network_connect") + if not sebool_state is None: + try: + ipautil.run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", sebool_state]) + except: + self.print_msg(selinux_warning) + + if not running is None and running: + self.start() diff -r 8640eee04855 -r 3f47b8dc5211 ipa-server/ipaserver/krbinstance.py --- a/ipa-server/ipaserver/krbinstance.py Fri Jan 11 11:06:33 2008 +0000 +++ b/ipa-server/ipaserver/krbinstance.py Fri Jan 11 11:57:36 2008 +0000 
@@ -379,4 +379,37 @@ class KrbInstance(service.Service): pent = pwd.getpwnam(self.ds_user) os.chown("/var/kerberos/krb5kdc/kpasswd.keytab", pent.pw_uid, pent.pw_gid) - + def uninstall(self): + running = self.restore_state("running") + enabled = self.restore_state("enabled") + + kpasswd_running = sysrestore.restore_state("ipa-kpasswd", "running") + kpasswd_enabled = sysrestore.restore_state("ipa-kpasswd", "enabled") + + if not running is None: + self.stop() + if not kpasswd_running is None: + service.stop("ipa-kpasswd") + + if not enabled is None and not enabled: + self.chkconfig_off() + if not kpasswd_enabled is None and not kpasswd_enabled: + service.chkconfig_off("ipa-kpasswd") + + for f in ["/var/kerberos/krb5kdc/ldappwd", + "/var/kerberos/krb5kdc/kdc.conf", + "/etc/krb5.conf", + "/usr/share/ipa/html/krb5.ini", + "/usr/share/ipa/html/krb.con", + "/usr/share/ipa/html/krbrealm.con", + "/etc/dirsrv/ds.keytab", + "/etc/sysconfig/dirsrv", + "/etc/krb5.keytab", + "/var/kerberos/krb5kdc/kpasswd.keytab", + "/etc/sysconfig/ipa-kpasswd"]: + sysrestore.restore_file(f) + + if not running is None and running: + self.start() + if not kpasswd_running is None and kpasswd_running: + service.start("ipa-kpasswd") diff -r 8640eee04855 -r 3f47b8dc5211 ipa-server/ipaserver/ntpinstance.py --- a/ipa-server/ipaserver/ntpinstance.py Fri Jan 11 11:06:33 2008 +0000 +++ b/ipa-server/ipaserver/ntpinstance.py Fri Jan 11 11:57:36 2008 +0000 @@ -70,3 +70,17 @@ class NTPInstance(service.Service): self.step("configuring ntpd to start on boot", self.__enable) self.start_creation("Configuring ntpd") + + def uninstall(self): + running = self.restore_state("running") + enabled = self.restore_state("enabled") + + if not running is None: + self.stop() + if not enabled is None and not enabled: + self.chkconfig_off() + + sysrestore.restore_file("/etc/ntp.conf") + + if not running is None and running: + self.start() diff -r 8640eee04855 -r 3f47b8dc5211 ipa-server/ipaserver/service.py 
--- a/ipa-server/ipaserver/service.py Fri Jan 11 11:06:33 2008 +0000 +++ b/ipa-server/ipaserver/service.py Fri Jan 11 11:57:36 2008 +0000 @@ -104,6 +104,9 @@ class Service: def backup_state(self, key, value): sysrestore.backup_state(self.service_name, key, value) + def restore_state(self, key): + return sysrestore.restore_state(self.service_name, key) + def print_msg(self, message): print_msg(message, self.output_fd) diff -r 8640eee04855 -r 3f47b8dc5211 ipa-server/ipaserver/webguiinstance.py --- a/ipa-server/ipaserver/webguiinstance.py Fri Jan 11 11:06:33 2008 +0000 +++ b/ipa-server/ipaserver/webguiinstance.py Fri Jan 11 11:57:36 2008 +0000 @@ -35,3 +35,12 @@ class WebGuiInstance(service.Service): def __enable(self): self.backup_state("enabled", self.is_enabled()) self.chkconfig_on() + + def uninstall(self): + running = self.restore_state("running") + enabled = not self.restore_state("enabled") + + if not running is None and not running: + self.stop() + if not enabled is None and not enabled: + self.chkconfig_off() From markmc at redhat.com Fri Jan 11 12:00:38 2008 From: markmc at redhat.com (Mark McLoughlin) Date: Fri, 11 Jan 2008 12:00:38 +0000 Subject: [Freeipa-devel] [PATCH 1 of 8] Add service.is_running() helper In-Reply-To: Message-ID: # HG changeset patch # User Mark McLoughlin # Date 1200047785 0 # Node ID b5037ba7a95d0ec53356625778d28da508545ab0 # Parent b7a80814c4703b9e16e6dea17884f546f997b8da Add service.is_running() helper Add a simple helper to check whether a service is running and make ipa-server-install use it to check whether ntpd is running. Signed-off-by: Mark McLoughlin diff -r b7a80814c470 -r b5037ba7a95d ipa-server/ipa-install/ipa-server-install --- a/ipa-server/ipa-install/ipa-server-install Fri Jan 04 16:44:33 2008 -0500 +++ b/ipa-server/ipa-install/ipa-server-install Fri Jan 11 10:36:25 2008 +0000 
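Review bot: in the parse_options hunk of PATCH 8 of 8, the uninstall error message reads `-u, r, -p and -P` (the dash on -r is missing), and both messages name four options while the checks cover five (ds_user, realm_name, dm_password, admin_password and master_password); make each message list exactly the options its check tests.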
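Review bot: in the main() hunk of PATCH 8 of 8, `if options.uninstall: return uninstall()` runs before any banner or prompt, and uninstall() goes on to erase_ds_instance_data() and userdel the DS user, so a mistyped --uninstall on a live server is destructive with no confirmation. Print what will be removed and ask for confirmation unless --unattended is given, and bail out early if no sysrestore state exists to restore from.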
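Review bot: in the bindinstance.py uninstall hunk of PATCH 8 of 8, the zone file path is built from `self.domain`, but uninstall() constructs `BindInstance()` with no arguments and the saved domain is read into the local `domain`, which is then never used; build the path from `domain`. The same hunk restores '/etc/resolve.conf', matching the install-side code, but the resolver file is /etc/resolv.conf, so both the write at install time and the restore here touch a file the resolver never reads.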
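Review bot: in the dsinstance.py uninstall hunk of PATCH 8 of 8, the final restart is gated on a second `self.restore_state("running")` instead of the `running` local read at the top; if restore_state() consumes the saved value (its name, and the way every other uninstall method keeps the first result in a local, suggest it does), the directory server is never restarted. Use `if not running is None and running: self.start()` as the other instances do.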
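Review bot: in the webguiinstance.py uninstall hunk of PATCH 8 of 8, `enabled = not self.restore_state("enabled")` inverts the saved value: a missing state (None) becomes True so the None check never fires, a service that was disabled before install stays enabled, and one that was enabled gets chkconfig_off(). Drop the `not`. The running logic is also the reverse of the other instances (`if not running is None and not running: self.stop()` stops only when it was not running before and never restarts); stop when the state is known and restart only if it was running, as ntpinstance.py does.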
@@ -239,15 +239,6 @@ def read_admin_password(): admin_password = read_password("IPA admin") return admin_password -def check_ntp(): - ret_code = 1 - p = subprocess.Popen(["/sbin/service", "ntpd", "status"], stdout=subprocess.PIPE, - stderr=subprocess.PIPE) - stdout, stderr = p.communicate() - - return p.returncode - - def main(): global ds ds = None @@ -452,7 +443,7 @@ def main(): print "\t This ticket will allow you to use the IPA tools (e.g., ipa-adduser)" print "\t and the web user interface." - if check_ntp() != 0: + if not service.is_running("ntpd"): print "\t3. Kerberos requires time synchronization between clients" print "\t and servers for correct operation. You should consider enabling ntpd." diff -r b7a80814c470 -r b5037ba7a95d ipa-server/ipaserver/service.py --- a/ipa-server/ipaserver/service.py Fri Jan 04 16:44:33 2008 -0500 +++ b/ipa-server/ipaserver/service.py Fri Jan 11 10:36:25 2008 +0000 @@ -29,6 +29,14 @@ def start(service_name): def restart(service_name): ipautil.run(["/sbin/service", service_name, "restart"]) + +def is_running(service_name): + ret = True + try: + ipautil.run(["/sbin/service", service_name, "status"]) + except CalledProcessError: + ret = False + return ret def chkconfig_on(service_name): ipautil.run(["/sbin/chkconfig", service_name, "on"]) @@ -60,6 +68,9 @@ class Service: def restart(self): restart(self.service_name) + def is_running(self): + return is_running(self.service_name) + def chkconfig_on(self): chkconfig_on(self.service_name) From markmc at redhat.com Fri Jan 11 12:00:42 2008 
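Review bot: in the service.py hunk of PATCH 1 of 8, `except CalledProcessError:` names something service.py does not import, so the first time `service ntpd status` exits non-zero (ntpd not running, exactly the case this helper exists for) is_running() raises NameError instead of returning False and the new `if not service.is_running("ntpd")` check kills ipa-server-install at the end of a successful install. PATCH 2 of 8 changes it to `ipautil.CalledProcessError`; fold that fix into this patch so every commit in the series works on its own.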
From: markmc at redhat.com (Mark McLoughlin) Date: Fri, 11 Jan 2008 12:00:42 +0000 Subject: [Freeipa-devel] [PATCH 5 of 8] Use tempfile.mkdtemp() rather than hardcoded tmpdir In-Reply-To: Message-ID: <6ac6e1ca0049e22e03b5.1200052842@localhost.localdomain> # HG changeset patch # User Mark McLoughlin # Date 1200047785 0 # Node ID 6ac6e1ca0049e22e03b5a8df56e0efd232eb672b # Parent 47a30c3995b2198532255777511d96878fade079 Use tempfile.mkdtemp() rather than hardcoded tmpdir httpinstance.py currently uses a hardcoded /tmp/ipa temporary directory. Make it use tempfile.mkdtemp() instead. Signed-off-by: Mark McLoughlin diff -r 47a30c3995b2 -r 6ac6e1ca0049 ipa-server/ipaserver/httpinstance.py --- a/ipa-server/ipaserver/httpinstance.py Fri Jan 11 10:36:25 2008 +0000 +++ b/ipa-server/ipaserver/httpinstance.py Fri Jan 11 10:36:25 2008 +0000 @@ -131,15 +131,10 @@ class HTTPInstance(service.Service): shutil.copy(ds_ca.cacert_fname, "/usr/share/ipa/html/ca.crt") os.chmod("/usr/share/ipa/html/ca.crt", 0444) - try: - shutil.rmtree("/tmp/ipa") - except: - pass - os.mkdir("/tmp/ipa") - shutil.copy("/usr/share/ipa/html/preferences.html", "/tmp/ipa") - + tmpdir = tempfile.mkdtemp(prefix = "tmp-") + shutil.copy("/usr/share/ipa/html/preferences.html", tmpdir) ca.run_signtool(["-k", "Signing-Cert", "-Z", "/usr/share/ipa/html/configure.jar", "-e", ".html", - "/tmp/ipa"]) - shutil.rmtree("/tmp/ipa") + tmpdir]) + shutil.rmtree(tmpdir) From markmc at redhat.com Fri Jan 11 12:00:43 2008 From: markmc at redhat.com (Mark McLoughlin) Date: Fri, 11 Jan 2008 12:00:43 +0000 Subject: [Freeipa-devel] [PATCH 6 of 8] Update the .spec filenames in EXTRA_DIST In-Reply-To: Message-ID: # HG changeset patch # User Mark McLoughlin # Date 1200047785 0 # Node ID dbe13997b7a29237a134d0c23f6e34503e91898d # Parent 6ac6e1ca0049e22e03b5a8df56e0efd232eb672b Update the .spec filenames in EXTRA_DIST Signed-off-by: Mark McLoughlin diff -r 6ac6e1ca0049 -r dbe13997b7a2 ipa-client/Makefile.am 
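Review bot: in the httpinstance.py hunk of PATCH 5 of 8, `tempfile.mkdtemp(prefix = "tmp-")` needs `import tempfile`, which the hunk does not add; check it is already imported. Replacing the fixed /tmp/ipa (a predictable path that root rmtree()s and re-creates, the usual symlink hazard) with mkdtemp() is the right change, but wrap the signtool call in try/finally so the directory is also removed when signing fails, and drop the spaces around `=` in the keyword argument.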
--- a/ipa-client/Makefile.am Fri Jan 11 10:36:25 2008 +0000 +++ b/ipa-client/Makefile.am Fri Jan 11 10:36:25 2008 +0000 @@ -41,7 +41,7 @@ SUBDIRS = \ $(NULL) EXTRA_DIST = \ - freeipa-client.spec \ + ipa-client.spec \ COPYING \ AUTHORS \ INSTALL \ diff -r 6ac6e1ca0049 -r dbe13997b7a2 ipa-server/Makefile.am --- a/ipa-server/Makefile.am Fri Jan 11 10:36:25 2008 +0000 +++ b/ipa-server/Makefile.am Fri Jan 11 10:36:25 2008 +0000 @@ -14,7 +14,7 @@ SUBDIRS = \ $(NULL) EXTRA_DIST = \ - freeipa-server.spec \ + ipa-server.spec \ COPYING \ AUTHORS \ INSTALL \ From markmc at redhat.com Fri Jan 11 12:00:44 2008 From: markmc at redhat.com (Mark McLoughlin) Date: Fri, 11 Jan 2008 12:00:44 +0000 Subject: [Freeipa-devel] [PATCH 7 of 8] Backup system state in ipa-server-install In-Reply-To: Message-ID: <8640eee04855769ce8d0.1200052844@localhost.localdomain> # HG changeset patch # User Mark McLoughlin # Date 1200049593 0 # Node ID 8640eee04855769ce8d0592e0fd7580e63d81dcf # Parent dbe13997b7a29237a134d0c23f6e34503e91898d Backup system state in ipa-server-install This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall. The idea is that any files ipa-server-install modifies gets backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state. Signed-off-by: Mark McLoughlin diff -r dbe13997b7a2 -r 8640eee04855 Makefile --- a/Makefile Fri Jan 11 10:36:25 2008 +0000 +++ b/Makefile Fri Jan 11 11:06:33 2008 +0000 
@@ -57,12 +57,12 @@ all: bootstrap-autogen done bootstrap-autogen: - cd ipa-server; if [ ! -e Makefile ]; then ./autogen.sh --prefix=/usr --sysconfdir=/etc --libdir=$(LIBDIR); fi - cd ipa-client; if [ ! -e Makefile ]; then ./autogen.sh --prefix=/usr --sysconfdir=/etc --libdir=$(LIBDIR); fi + cd ipa-server; if [ ! -e Makefile ]; then ./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi + cd ipa-client; if [ ! -e Makefile ]; then ./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi autogen: - cd ipa-server; ./autogen.sh --prefix=/usr --sysconfdir=/etc --libdir=$(LIBDIR) - cd ipa-client; ./autogen.sh --prefix=/usr --sysconfdir=/etc --libdir=$(LIBDIR) + cd ipa-server; ./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR) + cd ipa-client; ./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR) configure: cd ipa-server; ./configure --prefix=/usr --sysconfdir=/etc diff -r dbe13997b7a2 -r 8640eee04855 ipa-server/Makefile.am --- a/ipa-server/Makefile.am Fri Jan 11 10:36:25 2008 +0000 +++ b/ipa-server/Makefile.am Fri Jan 11 11:06:33 2008 +0000 @@ -12,6 +12,13 @@ SUBDIRS = \ ipa-slapi-plugins \ xmlrpc-server \ $(NULL) + +install-exec-local: + mkdir -p $(DESTDIR)$(localstatedir)/cache/ipa/sysrestore + +uninstall-local: + rmdir $(DESTDIR)$(localstatedir)/cache/watercooler/sys + rmdir $(DESTDIR)$(localstatedir)/cache/watercooler EXTRA_DIST = \ ipa-server.spec \ diff -r dbe13997b7a2 -r 8640eee04855 ipa-server/ipa-install/ipa-server-install --- a/ipa-server/ipa-install/ipa-server-install Fri Jan 11 10:36:25 2008 +0000 +++ b/ipa-server/ipa-install/ipa-server-install Fri Jan 11 11:06:33 2008 +0000 @@ -49,6 +49,7 @@ import ipaserver.webguiinstance import ipaserver.webguiinstance from ipaserver import service +from ipaserver import sysrestore from ipaserver.installutils import * from ipa.ipautil import * 
@@ -167,6 +168,7 @@ def read_ip_address(host_name): continue print "Adding ["+ip+" "+host_name+"] to your /etc/hosts file" + sysrestore.backup_file("/etc/hosts") hosts_fd = open('/etc/hosts', 'r+') hosts_fd.seek(0, 2) hosts_fd.write(ip+'\t'+host_name+' '+host_name[:host_name.find('.')]+'\n') @@ -420,6 +422,7 @@ def main(): ds.change_admin_password(admin_password) # Create the config file + sysrestore.backup_file("/etc/ipa/ipa.conf") fd = open("/etc/ipa/ipa.conf", "w") fd.write("[defaults]\n") fd.write("server=" + host_name + "\n") diff -r dbe13997b7a2 -r 8640eee04855 ipa-server/ipa-server.spec --- a/ipa-server/ipa-server.spec Fri Jan 11 10:36:25 2008 +0000 +++ b/ipa-server/ipa-server.spec Fri Jan 11 11:06:33 2008 +0000 @@ -48,7 +48,7 @@ Ipa is a server for identity, policy, an %prep %setup -q -./configure --prefix=%{buildroot}/usr --libdir=%{buildroot}/%{_libdir} --sysconfdir=%{buildroot}/etc +./configure --prefix=%{buildroot}/usr --libdir=%{buildroot}/%{_libdir} --sysconfdir=%{buildroot}/etc --localstatedir=%{buildroot}/var %build @@ -106,6 +106,7 @@ fi %attr(755,root,root) %{plugin_dir}/libipa-memberof-plugin.so %attr(755,root,root) %{plugin_dir}/libipa-dna-plugin.so +%dir %{_localstatedir}/cache/ipa %changelog * Fri Dec 21 2007 Karl MacMillan - 0.6.0-1 diff -r dbe13997b7a2 -r 8640eee04855 ipa-server/ipa-server.spec.in --- a/ipa-server/ipa-server.spec.in Fri Jan 11 10:36:25 2008 +0000 +++ b/ipa-server/ipa-server.spec.in Fri Jan 11 11:06:33 2008 +0000 @@ -48,7 +48,7 @@ Ipa is a server for identity, policy, an %prep %setup -q -./configure --prefix=%{buildroot}/usr --libdir=%{buildroot}/%{_libdir} --sysconfdir=%{buildroot}/etc +./configure --prefix=%{buildroot}/usr --libdir=%{buildroot}/%{_libdir} --sysconfdir=%{buildroot}/etc --localstatedir=%{buildroot}/var %build 
@@ -107,6 +107,7 @@ fi %attr(755,root,root) %{plugin_dir}/libipa-memberof-plugin.so %attr(755,root,root) %{plugin_dir}/libipa-dna-plugin.so +%dir %{_localstatedir}/cache/ipa %changelog * Fri Dec 21 2007 Karl MacMillan - 0.6.0-1 diff -r dbe13997b7a2 -r 8640eee04855 ipa-server/ipaserver/Makefile.am --- a/ipa-server/ipaserver/Makefile.am Fri Jan 11 10:36:25 2008 +0000 +++ b/ipa-server/ipaserver/Makefile.am Fri Jan 11 11:06:33 2008 +0000 @@ -14,6 +14,7 @@ app_PYTHON = \ installutils.py \ replication.py \ certs.py \ + sysrestore.py \ $(NULL) EXTRA_DIST = \ diff -r dbe13997b7a2 -r 8640eee04855 ipa-server/ipaserver/bindinstance.py --- a/ipa-server/ipaserver/bindinstance.py Fri Jan 11 10:36:25 2008 +0000 +++ b/ipa-server/ipaserver/bindinstance.py Fri Jan 11 11:06:33 2008 +0000 @@ -25,6 +25,7 @@ import socket import socket import service +import sysrestore from ipa import ipautil class BindInstance(service.Service): @@ -72,6 +73,7 @@ class BindInstance(service.Service): self.__setup_named_conf() try: + self.backup_state("running", self.is_running()) self.start() except: print "named service failed to start" @@ -84,14 +86,15 @@ class BindInstance(service.Service): REALM=self.realm) def __setup_zone(self): + self.backup_state("domain", self.domain) zone_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.zone.db.template", self.sub_dict) + sysrestore.backup_file('/var/named/'+self.domain+'.zone.db') zone_fd = open('/var/named/'+self.domain+'.zone.db', 'w') zone_fd.write(zone_txt) zone_fd.close() def __setup_named_conf(self): - if os.path.exists('/etc/named.conf'): - shutil.copy2('/etc/named.conf', '/etc/named.conf.ipabkp') + sysrestore.backup_file('/etc/named.conf') named_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.named.conf.template", self.sub_dict) named_fd = open('/etc/named.conf', 'w') named_fd.seek(0) 
@@ -99,8 +102,7 @@ class BindInstance(service.Service): named_fd.write(named_txt) named_fd.close() - if os.path.exists('/etc/resolve.conf'): - shutil.copy2('/etc/resolve.conf', '/etc/resolv.conf.ipabkp') + sysrestore.backup_file('/etc/resolve.conf') resolve_txt = "search "+self.domain+"\nnameserver "+self.ip_address+"\n" resolve_fd = open('/etc/resolve.conf', 'w') resolve_fd.seek(0) diff -r dbe13997b7a2 -r 8640eee04855 ipa-server/ipaserver/certs.py --- a/ipa-server/ipaserver/certs.py Fri Jan 11 10:36:25 2008 +0000 +++ b/ipa-server/ipaserver/certs.py Fri Jan 11 11:06:33 2008 +0000 @@ -318,4 +318,17 @@ class CertDB(object): self.trust_root_cert(nickname) self.create_pin_file() self.export_ca_cert() + + def backup_files(self): + sysrestore.backup_file(self.noise_fname) + sysrestore.backup_file(self.passwd_fname) + sysrestore.backup_file(self.certdb_fname) + sysrestore.backup_file(self.keydb_fname) + sysrestore.backup_file(self.secmod_fname) + sysrestore.backup_file(self.cacert_fname) + sysrestore.backup_file(self.pk12_fname) + sysrestore.backup_file(self.pin_fname) + sysrestore.backup_file(self.certreq_fname) + sysrestore.backup_file(self.certder_fname) + diff -r dbe13997b7a2 -r 8640eee04855 ipa-server/ipaserver/dsinstance.py --- a/ipa-server/ipaserver/dsinstance.py Fri Jan 11 10:36:25 2008 +0000 +++ b/ipa-server/ipaserver/dsinstance.py Fri Jan 11 11:06:33 2008 +0000 @@ -154,9 +154,13 @@ class DsInstance(service.Service): self.step("initializing group membership", self.__init_memberof) - self.step("configuring directory to start on boot", self.chkconfig_on) + self.step("configuring directory to start on boot", self.__enable) self.start_creation("Configuring directory server:") + + def __enable(self): + self.backup_state("enabled", self.is_enabled()) + self.chkconfig_on() def __setup_sub_dict(self): server_root = find_server_root() 
@@ -166,10 +170,12 @@ class DsInstance(service.Service): SERVER_ROOT=server_root, DOMAIN=self.domain) def __create_ds_user(self): + user_exists = True try: pwd.getpwnam(self.ds_user) logging.debug("ds user %s exists" % self.ds_user) except KeyError: + user_exists = False logging.debug("adding ds user %s" % self.ds_user) args = ["/usr/sbin/useradd", "-c", "DS System User", "-d", "/var/lib/dirsrv", "-M", "-r", "-s", "/sbin/nologin", self.ds_user] try: @@ -178,7 +184,12 @@ class DsInstance(service.Service): except ipautil.CalledProcessError, e: logging.critical("failed to add user %s" % e) + self.backup_state("user", self.ds_user) + self.backup_state("user_exists", user_exists) + def __create_instance(self): + self.backup_state("running", self.is_running()) + self.backup_state("serverid", self.serverid) inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict) logging.debug(inf_txt) inf_fd = ipautil.write_tmp_file(inf_txt) diff -r dbe13997b7a2 -r 8640eee04855 ipa-server/ipaserver/httpinstance.py --- a/ipa-server/ipaserver/httpinstance.py Fri Jan 11 10:36:25 2008 +0000 +++ b/ipa-server/ipaserver/httpinstance.py Fri Jan 11 11:06:33 2008 +0000 @@ -29,6 +29,7 @@ import shutil import shutil import service +import sysrestore import certs import dsinstance import installutils 
@@ -63,10 +64,18 @@ class HTTPInstance(service.Service): self.step("Setting up ssl", self.__setup_ssl) self.step("Setting up browser autoconfig", self.__setup_autoconfig) self.step("configuring SELinux for httpd", self.__selinux_config) - self.step("restarting httpd", self.restart) - self.step("configuring httpd to start on boot", self.chkconfig_on) + self.step("restarting httpd", self.__start) + self.step("configuring httpd to start on boot", self.__enable) self.start_creation("Configuring the web interface") + + def __start(self): + self.backup_state("running", self.is_running()) + self.restart() + + def __enable(self): + self.backup_state("enabled", self.is_running()) + self.chkconfig_on() def __selinux_config(self): selinux=0 @@ -79,6 +88,14 @@ class HTTPInstance(service.Service): pass if selinux: + try: + # returns e.g. "httpd_can_network_connect --> off" + (stdout, stderr) = ipautils.run(["/usr/sbin/getsebool", + "httpd_can_network_connect"]) + self.backup_state("httpd_can_network_connect", stdout.split()[2]) + except: + pass + # Allow apache to connect to the turbogears web gui # This can still fail even if selinux is enabled try: @@ -96,6 +113,7 @@ class HTTPInstance(service.Service): def __configure_http(self): http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict) + sysrestore.backup_file("/etc/httpd/conf.d/ipa.conf") http_fd = open("/etc/httpd/conf.d/ipa.conf", "w") http_fd.write(http_txt) http_fd.close() @@ -103,9 +121,11 @@ class HTTPInstance(service.Service): def __disable_mod_ssl(self): if os.path.exists(SSL_CONF): - os.rename(SSL_CONF, "%s.moved_by_ipa" % SSL_CONF) + sysrestore.backup_file(SSL_CONF) + os.unlink(SSL_CONF) def __set_mod_nss_port(self): + sysrestore.backup_file(NSS_CONF) if installutils.update_file(NSS_CONF, '8443', '443') != 0: print "Updating %s failed." % NSS_CONF diff -r dbe13997b7a2 -r 8640eee04855 ipa-server/ipaserver/krbinstance.py --- a/ipa-server/ipaserver/krbinstance.py Fri Jan 11 10:36:25 2008 +0000 
+++ b/ipa-server/ipaserver/krbinstance.py Fri Jan 11 11:06:33 2008 +0000 @@ -32,6 +32,7 @@ import shutil import shutil import service +import sysrestore import installutils from ipa import ipautil from ipa import ipaerror @@ -107,6 +108,7 @@ class KrbInstance(service.Service): logging.critical("Could not connect to DS") raise e + self.backup_state("running", self.is_running()) try: self.stop() except: @@ -115,7 +117,7 @@ class KrbInstance(service.Service): def __common_post_setup(self): self.step("starting the KDC", self.__start_instance) - self.step("configuring KDC to start on boot", self.chkconfig_on) + self.step("configuring KDC to start on boot", self.__enable) self.step("enabling and starting ipa-kpasswd", self.__enable_kpasswd) def create_instance(self, ds_user, realm_name, host_name, admin_password, master_password): @@ -155,6 +157,7 @@ class KrbInstance(service.Service): self.start_creation("Configuring Kerberos KDC") def __copy_ldap_passwd(self, filename): + sysrestore.backup_file("/var/kerberos/krb5kdc/ldappwd") shutil.copy(filename, "/var/kerberos/krb5kdc/ldappwd") os.chmod("/var/kerberos/krb5kdc/ldappwd", 0600) @@ -163,11 +166,16 @@ class KrbInstance(service.Service): hexpwd = '' for x in self.kdc_password: hexpwd += (hex(ord(x))[2:]) + sysrestore.backup_file("/var/kerberos/krb5kdc/ldappwd") pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "w") pwd_fd.write("uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix+"#{HEX}"+hexpwd+"\n") pwd_fd.close() os.chmod("/var/kerberos/krb5kdc/ldappwd", 0600) + def __enable(self): + self.backup_state("enabled", self.is_enabled()) + self.chkconfig_on() + def __start_instance(self): try: self.start() 
@@ -175,6 +183,8 @@ class KrbInstance(service.Service): logging.critical("krb5kdc service failed to start") def __enable_kpasswd(self): + sysrestore.backup_state("ipa-kpasswd", "enabled", service.is_enabled("ipa-kpasswd")) + sysrestore.backup_state("ipa-kpasswd", "running", service.is_running("ipa-kpasswd")) service.chkconfig_on("ipa-kpasswd") service.start("ipa-kpasswd") @@ -265,6 +275,7 @@ class KrbInstance(service.Service): def __template_file(self, path): template = os.path.join(ipautil.SHARE_DIR, os.path.basename(path) + ".template") conf = ipautil.template_file(template, self.sub_dict) + sysrestore.backup_file(path) fd = open(path, "w+") fd.write(conf) fd.close() @@ -337,8 +348,11 @@ class KrbInstance(service.Service): def __create_ds_keytab(self): ldap_principal = "ldap/" + self.fqdn + "@" + self.realm installutils.kadmin_addprinc(ldap_principal) + + sysrestore.backup_file("/etc/dirsrv/ds.keytab") installutils.create_keytab("/etc/dirsrv/ds.keytab", ldap_principal) + sysrestore.backup_file("/etc/sysconfig/dirsrv") update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME", "/etc/dirsrv/ds.keytab") pent = pwd.getpwnam(self.ds_user) os.chown("/etc/dirsrv/ds.keytab", pent.pw_uid, pent.pw_gid) @@ -346,6 +360,8 @@ class KrbInstance(service.Service): def __create_host_keytab(self): host_principal = "host/" + self.fqdn + "@" + self.realm installutils.kadmin_addprinc(host_principal) + + sysrestore.backup_file("/etc/krb5.keytab") installutils.create_keytab("/etc/krb5.keytab", host_principal) # Make sure access is strictly reserved to root only for now 
@@ -354,8 +370,11 @@ class KrbInstance(service.Service): def __export_kadmin_changepw_keytab(self): installutils.kadmin_modprinc("kadmin/changepw", "+requires_preauth") + + sysrestore.backup_file("/var/kerberos/krb5kdc/kpasswd.keytab") installutils.create_keytab("/var/kerberos/krb5kdc/kpasswd.keytab", "kadmin/changepw") + sysrestore.backup_file("/etc/sysconfig/ipa-kpasswd") update_key_val_in_file("/etc/sysconfig/ipa-kpasswd", "export KRB5_KTNAME", "/var/kerberos/krb5kdc/kpasswd.keytab") pent = pwd.getpwnam(self.ds_user) os.chown("/var/kerberos/krb5kdc/kpasswd.keytab", pent.pw_uid, pent.pw_gid) diff -r dbe13997b7a2 -r 8640eee04855 ipa-server/ipaserver/ntpinstance.py --- a/ipa-server/ipaserver/ntpinstance.py Fri Jan 11 10:36:25 2008 +0000 +++ b/ipa-server/ipaserver/ntpinstance.py Fri Jan 11 11:06:33 2008 +0000 @@ -20,6 +20,7 @@ import shutil import shutil import service +import sysrestore from ipa import ipautil class NTPInstance(service.Service): @@ -45,11 +46,19 @@ class NTPInstance(service.Service): ntp_conf = ipautil.template_file(ipautil.SHARE_DIR + "ntp.conf.server.template", sub_dict) - shutil.copy("/etc/ntp.conf", "/etc/ntp.conf.ipasave") + sysrestore.backup_file("/etc/ntp.conf") fd = open("/etc/ntp.conf", "w") fd.write(ntp_conf) fd.close() + + def __start(self): + self.backup_state("running", self.is_running()) + self.start() + + def __enable(self): + self.backup_state("enabled", self.is_enabled()) + self.chkconfig_on() def create_instance(self): self.step("writing configuration", self.__write_config) 
@@ -57,7 +66,7 @@ class NTPInstance(service.Service): # we might consider setting the date manually using ntpd -qg in case # the current time is very far off. - self.step("starting ntpd", self.start) - self.step("configuring ntpd to start on boot", self.chkconfig_on) + self.step("starting ntpd", self.__start) + self.step("configuring ntpd to start on boot", self.__enable) self.start_creation("Configuring ntpd") diff -r dbe13997b7a2 -r 8640eee04855 ipa-server/ipaserver/service.py --- a/ipa-server/ipaserver/service.py Fri Jan 11 10:36:25 2008 +0000 +++ b/ipa-server/ipaserver/service.py Fri Jan 11 11:06:33 2008 +0000 @@ -18,6 +18,7 @@ # import logging, sys +import sysrestore from ipa import ipautil @@ -100,6 +101,9 @@ class Service: def is_enabled(self): return is_enabled(self.service_name) + def backup_state(self, key, value): + sysrestore.backup_state(self.service_name, key, value) + def print_msg(self, message): print_msg(message, self.output_fd) diff -r dbe13997b7a2 -r 8640eee04855 ipa-server/ipaserver/sysrestore.py --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/ipa-server/ipaserver/sysrestore.py Fri Jan 11 11:06:33 2008 +0000 
@@ -0,0 +1,253 @@ +# Authors: Mark McLoughlin +# +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 or later +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +# +# This module provides a very simple API which allows +# ipa-server-install --uninstall to restore certain +# parts of the system configuration to the way it was +# before ipa-server-install was first run +# + +import os +import os.path +import errno +import shutil +import logging +import ConfigParser + +from ipa import ipautil + +SYSRESTORE_CACHE_PATH = "/var/cache/ipa/sysrestore" +SYSRESTORE_STATEFILE_PATH = "/var/cache/ipa/sysrestore.state" + +def _mktree(basedir, reldir): + """Create the tree of directories specified by @reldir + under the directory @base. + + Caveats: + - @basedir must exist + - @reldir must not be absolute + - @reldir must refer to a directory + """ + (parentdir, subdir) = os.path.split(reldir) + if parentdir: + _mktree(basedir, parentdir) + + absdir = os.path.join(basedir, reldir) + try: + logging.debug("Creating directory '%s'", absdir) + os.mkdir(absdir) + except OSError, err: + if err.errno != errno.EEXIST: + raise err + +def _rmtree(basedir, reldir): + """Delete a tree of directories specified by @reldir + under the directory @base, excluding the @base itself. + Only empty directories will be deleted. 
+ + Caveats: + - @reldir must not be absolute + - @reldir must refer to a directory + """ + absdir = os.path.join(basedir, reldir) + try: + logging.debug("Deleting directory '%s'", absdir) + os.rmdir(absdir) + except OSError, err: + if err.errno == errno.ENOTEMPTY: + logging.debug("Directory '%s' not empty", absdir) + return + else: + raise err + + (parentdir, subdir) = os.path.split(reldir) + if parentdir: + _rmtree(basedir, parentdir) + +def backup_file(path): + """Create a copy of the file at @path - so long as a copy + does not already exist - which will be restored to its + original location by restore_files(). + """ + logging.debug("Backing up system configuration file '%s'", path) + + if not os.path.isabs(path): + raise ValueError("Absolute path required") + + if not os.path.isfile(path): + logging.debug(" -> Not backing up - '%s' doesn't exist", path) + return + + relpath = path[1:] + + backup_path = os.path.join(SYSRESTORE_CACHE_PATH, relpath) + if os.path.exists(backup_path): + logging.debug(" -> Not backing up - already have a copy of '%s'", path) + return + + (reldir, file) = os.path.split(relpath) + if reldir: + _mktree(SYSRESTORE_CACHE_PATH, reldir) + + shutil.copy2(path, backup_path) + +def restore_file(path): + """Restore the copy of a file at @path to its original + location and delete the copy. 
+ + Returns #True if the file was restored, #False if there + was no backup file to restore + """ + logging.debug("Restoring system configuration file '%s'", path) + + if not os.path.isabs(path): + raise ValueError("Absolute path required") + + relpath = path[1:] + + backup_path = os.path.join(SYSRESTORE_CACHE_PATH, relpath) + if not os.path.exists(backup_path): + logging.debug(" -> Not restoring - '%s' doesn't exist", backup_path) + return False + + shutil.move(backup_path, path) + + ipautil.run(["/sbin/restorecon", path]) + + (reldir, file) = os.path.split(relpath) + if reldir: + _rmtree(SYSRESTORE_CACHE_PATH, reldir) + + return True + +class _StateFile: + """A metadata file for recording system state which can + be backed up and later restored. The format is something + like: + + [httpd] + running=True + enabled=False + """ + + def __init__(self, path = SYSRESTORE_STATEFILE_PATH): + """Create a _StateFile object, loading from @path. + + The dictionary @modules, a member of the returned object, + is where the state can be modified. @modules is indexed + using a module name to return another dictionary containing + key/value pairs with the saved state of that module. + + The keys in these latter dictionaries are arbitrary strings + and the values may either be strings or booleans. + """ + self._path = path + + self.modules = {} + + self._load() + + def _load(self): + """Load the modules from the file @_path. @modules will + be an empty dictionary if the file doesn't exist. + """ + logging.debug("Loading StateFile from '%s'", self._path) + + self.modules = {} + + p = ConfigParser.SafeConfigParser() + p.read(self._path) + + for module in p.sections(): + self.modules[module] = {} + for (key, value) in p.items(module): + if value == str(True): + value = True + elif value == str(False): + value = False + self.modules[module][key] = value + + def save(self): + """Save the modules to @_path. If @modules is an empty + dict, then @_path should be removed. 
+ """ + logging.debug("Saving StateFile to '%s'", self._path) + + for module in self.modules.keys(): + if len(self.modules[module]) == 0: + del self.modules[module] + + if len(self.modules) == 0: + logging.debug(" -> no modules, removing file") + if os.path.exists(self._path): + os.remove(self._path) + return + + p = ConfigParser.SafeConfigParser() + + for module in self.modules.keys(): + p.add_section(module) + for (key, value) in self.modules[module].items(): + p.set(module, key, str(value)) + + f = file(self._path, "w") + p.write(f) + f.close() + +def backup_state(module, key, value): + """Backup an item of system state from @module, identified + by the string @key and with the value @value. @value may be + a string or boolean. + """ + if not (isinstance(value, str) or isinstance(value, bool)): + raise ValueError("Only strings or booleans supported") + + state = _StateFile() + + if not state.modules.has_key(module): + state.modules[module] = {} + + if not state.modules.has_key(key): + state.modules[module][key] = value + + state.save() + +def restore_state(module, key): + """Return the value of an item of system state from @module, + identified by the string @key, and remove it from the backed + up system state. + + If the item doesn't exist, #None will be returned, otherwise + the original string or boolean value is returned. + """ + state = _StateFile() + + if not state.modules.has_key(module): + return None + + if not state.modules[module].has_key(key): + return None + + value = state.modules[module][key] + del state.modules[module][key] + + state.save() + + return value diff -r dbe13997b7a2 -r 8640eee04855 ipa-server/ipaserver/webguiinstance.py --- a/ipa-server/ipaserver/webguiinstance.py Fri Jan 11 10:36:25 2008 +0000 +++ b/ipa-server/ipaserver/webguiinstance.py Fri Jan 11 11:06:33 2008 +0000 
@@ -24,6 +24,14 @@ class WebGuiInstance(service.Service): service.Service.__init__(self, "ipa-webgui") def create_instance(self): - self.step("starting ipa-webgui", self.restart) - self.step("configuring ipa-webgui to start on boot", self.chkconfig_on) + self.step("starting ipa-webgui", self.__start) + self.step("configuring ipa-webgui to start on boot", self.__enable) self.start_creation("Configuring ipa-webgui") + + def __start(self): + self.backup_state("running", self.is_running()) + self.restart() + + def __enable(self): + self.backup_state("enabled", self.is_enabled()) + self.chkconfig_on() From markmc at redhat.com Fri Jan 11 12:00:41 2008 From: markmc at redhat.com (Mark McLoughlin) Date: Fri, 11 Jan 2008 12:00:41 +0000 Subject: [Freeipa-devel] [PATCH 4 of 8] Refactor some krbinstance templating code In-Reply-To: Message-ID: <47a30c3995b219853225.1200052841@localhost.localdomain> # HG changeset patch # User Mark McLoughlin # Date 1200047785 0 # Node ID 47a30c3995b2198532255777511d96878fade079 # Parent 85547227bc31c8b12e0569f04ccfb77d2d986f27 Refactor some krbinstance templating code Signed-off-by: Mark McLoughlin diff -r 85547227bc31 -r 47a30c3995b2 ipa-server/ipaserver/krbinstance.py --- a/ipa-server/ipaserver/krbinstance.py Fri Jan 11 10:36:25 2008 +0000 +++ b/ipa-server/ipaserver/krbinstance.py Fri Jan 11 10:36:25 2008 +0000 
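Review bot: in the httpinstance.py `__enable` helper, `self.backup_state("enabled", self.is_running())` records the service's running state under the "enabled" key, so whatever uninstall later restores from that key is the wrong value. Use `self.is_enabled()` there, as the `__enable` helpers added to krbinstance.py, ntpinstance.py and webguiinstance.py in this same patch do.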
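Review bot: the SELinux block added to httpinstance.py `__selinux_config` calls `ipautils.run(...)`, but everywhere else in this file and in sysrestore.py the module is used as `ipautil` (`ipautil.template_file`, `ipautil.SHARE_DIR`, `ipautil.run`), so the call raises NameError and the bare `except: pass` around it silently swallows that error: the previous value of httpd_can_network_connect is never recorded and uninstall has nothing to restore. Fix the name to `ipautil.run`, catch only the exceptions you expect from running getsebool and log at debug level when the boolean cannot be read, and guard the `stdout.split()[2]` index, which assumes the exact `name --> value` output shape shown in the comment.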
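Review bot: `backup_state()` in sysrestore.py tests `state.modules.has_key(key)` (the top-level module dictionary) before storing, where it should test `state.modules[module].has_key(key)`. A key such as "running" is never a module name, so the test is always false and every call overwrites the stored value; a second run of the installer then replaces the pre-install state that `restore_state()` is meant to hand back, which is exactly the "so long as a copy does not already exist" guarantee that `backup_file()` gets right. Separately, `backup_file()` is applied to `/etc/krb5.keytab`, `/etc/dirsrv/ds.keytab`, `/var/kerberos/krb5kdc/kpasswd.keytab` and `/var/kerberos/krb5kdc/ldappwd` (which holds the hex-encoded KDC bind password); `shutil.copy2` preserves each file's own mode, but `_mktree()` creates the directories under SYSRESTORE_CACHE_PATH with `os.mkdir(absdir)` and the default mode, so create them (or SYSRESTORE_CACHE_PATH itself) with mode 0700 so copies of key material are not exposed through a permissive umask, and say in the module docstring that the cache holds secrets until uninstall removes them.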
@@ -262,32 +262,19 @@ class KrbInstance(service.Service): def __create_replica_instance(self): self.__create_instance(replica=True) + def __template_file(self, path): + template = os.path.join(ipautil.SHARE_DIR, os.path.basename(path) + ".template") + conf = ipautil.template_file(template, self.sub_dict) + fd = open(path, "w+") + fd.write(conf) + fd.close() + def __create_instance(self, replica=False): - kdc_conf = ipautil.template_file(ipautil.SHARE_DIR+"kdc.conf.template", self.sub_dict) - kdc_fd = open("/var/kerberos/krb5kdc/kdc.conf", "w+") - kdc_fd.write(kdc_conf) - kdc_fd.close() - - krb5_conf = ipautil.template_file(ipautil.SHARE_DIR+"krb5.conf.template", self.sub_dict) - krb5_fd = open("/etc/krb5.conf", "w+") - krb5_fd.write(krb5_conf) - krb5_fd.close() - - # Windows configuration files - krb5_ini = ipautil.template_file(ipautil.SHARE_DIR+"krb5.ini.template", self.sub_dict) - krb5_fd = open("/usr/share/ipa/html/krb5.ini", "w+") - krb5_fd.write(krb5_ini) - krb5_fd.close() - - krb_con = ipautil.template_file(ipautil.SHARE_DIR+"krb.con.template", self.sub_dict) - krb_fd = open("/usr/share/ipa/html/krb.con", "w+") - krb_fd.write(krb_con) - krb_fd.close() - - krb_realm = ipautil.template_file(ipautil.SHARE_DIR+"krbrealm.con.template", self.sub_dict) - krb_fd = open("/usr/share/ipa/html/krbrealm.con", "w+") - krb_fd.write(krb_realm) - krb_fd.close() + self.__template_file("/var/kerberos/krb5kdc/kdc.conf") + self.__template_file("/etc/krb5.conf") + self.__template_file("/usr/share/ipa/html/krb5.ini") + self.__template_file("/usr/share/ipa/html/krb.con") + self.__template_file("/usr/share/ipa/html/krbrealm.con") if not replica: #populate the directory with the realm structure From markmc at redhat.com Fri Jan 11 12:14:21 2008 
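Review bot: the refactor drops the `# Windows configuration files` comment that marked krb5.ini, krb.con and krbrealm.con as the client files published under /usr/share/ipa/html; keep a one-line comment above those three `__template_file` calls so the distinction survives. Otherwise the helper's derived template name (`os.path.basename(path) + ".template"`) matches each of the five explicit template names removed from `__create_instance`, and the `"w+"` open mode is unchanged, so behaviour is preserved.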
From: markmc at redhat.com (Mark McLoughlin)
Date: Fri, 11 Jan 2008 12:14:21 +0000
Subject: [Freeipa-devel] [PATCH] resend enable sessions in the GUI
In-Reply-To: <4786891A.1080307@redhat.com>
References: <4786891A.1080307@redhat.com>
Message-ID: <1200053661.31518.4.camel@muff>

On Thu, 2008-01-10 at 16:07 -0500, Rob Crittenden wrote:
> + def __create_cache_dir(self):
> + try:
> + os.makedirs("/var/cache/ipa", 0700)

In the patches I just sent, I also used /var/cache/ipa - could you use /var/cache/ipa/sessions ?

Cheers,
Mark.

From markmc at redhat.com Fri Jan 11 12:16:15 2008
From: markmc at redhat.com (Mark McLoughlin)
Date: Fri, 11 Jan 2008 12:16:15 +0000
Subject: [Freeipa-devel] [PATCH] resend enable sessions in the GUI
In-Reply-To: <1200004448.31403.48.camel@localhost.localdomain>
References: <4786891A.1080307@redhat.com> <1200004448.31403.48.camel@localhost.localdomain>
Message-ID: <1200053775.31518.7.camel@muff>

On Thu, 2008-01-10 at 17:34 -0500, Simo Sorce wrote:
> On Thu, 2008-01-10 at 16:07 -0500, Rob Crittenden wrote:
> > +
> > + def __create_cache_dir(self):
> > + try:
> > + os.makedirs("/var/cache/ipa", 0700)
> > + except:
> > + pass
>
> Should this be chowned to the apache user as well ?

Hold on; ipa-webgui runs as root, not apache ... I noticed that the other day and found it very surprising ... was that not intentional, then?

Cheers,
Mark.

From ssorce at redhat.com Fri Jan 11 13:43:41 2008
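Review bot: the `except: pass` around `os.makedirs("/var/cache/ipa", 0700)` in the quoted `__create_cache_dir` hunk swallows every failure, not just the directory already existing, so a permission or read-only-filesystem error surfaces later as a confusing session failure instead of at startup. Catch `OSError` and re-raise unless `err.errno == errno.EEXIST`, the pattern `_mktree()` in the sysrestore.py patch above uses; and since mode 0700 only admits the owner that created the directory, that owner has to be whichever account ipa-webgui actually runs as.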
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 11 Jan 2008 08:43:41 -0500
Subject: [Freeipa-devel] [PATCH] resend enable sessions in the GUI
In-Reply-To: <1200053775.31518.7.camel@muff>
References: <4786891A.1080307@redhat.com> <1200004448.31403.48.camel@localhost.localdomain> <1200053775.31518.7.camel@muff>
Message-ID: <1200059021.3873.2.camel@localhost.localdomain>

On Fri, 2008-01-11 at 12:16 +0000, Mark McLoughlin wrote:
> On Thu, 2008-01-10 at 17:34 -0500, Simo Sorce wrote:
> > On Thu, 2008-01-10 at 16:07 -0500, Rob Crittenden wrote:
> > > +
> > > + def __create_cache_dir(self):
> > > + try:
> > > + os.makedirs("/var/cache/ipa", 0700)
> > > + except:
> > > + pass
> >
> > Should this be chowned to the apache user as well ?
>
> Hold on; ipa-webgui runs as root, not apache ... I noticed that the
> other day and found it very surprising ... was that not intentional,
> then?

I think we had to for some reason, but we should review it a bit.

Simo.

--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |

From j.barber at dundee.ac.uk Fri Jan 11 13:45:17 2008
From: j.barber at dundee.ac.uk (Jonathan Barber)
Date: Fri, 11 Jan 2008 13:45:17 +0000
Subject: [Freeipa-devel] fedora-ds schema for DNS
In-Reply-To: <47866400.9060902@priefert.com>
References: <4786567B.3070002@priefert.com> <1199987090.31403.24.camel@localhost.localdomain> <47866400.9060902@priefert.com>
Message-ID: <20080111134502.GE8451@flea.lifesci.dundee.ac.uk>

On Thu, Jan 10, 2008 at 12:29:20PM -0600, William Baker wrote:
>
> I would love to review that "standard schema", even if all you can do is
> point me to a particular RFC.

When I last looked (about a year ago) there was no such thing - all of the implementations differed (at least those that were modifications of ISC's bind/dhcpd implementations).

> bbaker
>
> >On Thu, 2008-01-10 at 11:31 -0600, William Baker wrote:
> >
> >>I am attempting to find the schema used for storing DNS records in
> >>fedora-ds. In particular, I was looking for the objectclass of
> >>dNSZone. All that I have found is a little bit of controversy about
> >>schema defs for aRecord and dNSRecord regarding old RFC's and Netscape
> >>Directory.
> >>
> >>There are four missing pieces of documentation on the fedora directory
> >>site. The two that I am interested in are "Howto: BIND" and "Howto:
> >>DHCP". I would like to write the "Howto: BIND".
> >>
> >>As a starting point, I either need to find or create the schema for
> >>storing DNS records. I was hoping this project would have the "blessed"
> >>schema. I downloaded FreeIPA sources and did some searching but didn't
> >>find this schema. I hope to have a machine set up soon where I can
> >>install the current freeipa and see how it works a little more closely,
> >>but that won't happen until next week.
> >>
> >>Does anybody currently have such a schema?
> >>Any insight into putting DNS information into FDS?
> >>
> >
> >We have long term plans to let people integrate DNS and DHCP modules and
> >have a standard schema for these. Unfortunately we have not yet had the
> >time to get to this point yet. We had some talks about how that should
> >work, but nothing definitive.
> >On the schema side I've done a bit of research and there are different
> >schema options, BIND has at least 3 different modules to deal with LDAP
> >but honestly none of them is completely satisfactory.
> >
> >We are delaying work around BIND until we have a better idea and more
> >resource to throw at the problem.
> >
> >Simo.
> >
> >
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

From jdennis at redhat.com Fri Jan 11 14:10:42 2008
From: jdennis at redhat.com (John Dennis)
Date: Fri, 11 Jan 2008 09:10:42 -0500
Subject: [Freeipa-devel] naming for radius.conf?
In-Reply-To: <47871B4B.1010604@redhat.com>
References: <47871B4B.1010604@redhat.com>
Message-ID: <478778E2.8070301@redhat.com>

David O'Brien wrote:
> There's probably a good reason for this, but why is this file
> /etc/raddb/radiusd.conf and not /etc/radius/radiusd.conf ? I figure
> there is a db involved, etc., etc., but it didn't seem a very logical
> directory name. I ended up using locate to, er.., locate it.

Because that is how upstream FREERadius names the directory which also means that's the directory name RPM is going to create and install it under when the rpm package is installed. We don't and can't rename components belonging to package dependencies.

FWIW, I'm not a fan of the name either, but it is what it is :-)

P.S.: It does contain database files which is probably why it got its name and yes that means according to FHS and Fedora packaging guidelines those files are in the wrong place :-(

--
John Dennis

From rcritten at redhat.com Fri Jan 11 14:11:40 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Jan 2008 09:11:40 -0500
Subject: [Freeipa-devel] help setting up RADIUS?
In-Reply-To: <47871D43.4060504@redhat.com>
References: <47871A46.1090603@redhat.com> <47871D43.4060504@redhat.com>
Message-ID: <4787791C.1010501@redhat.com>

David O'Brien wrote:
> David O'Brien wrote:
>> How do I go about getting RADIUS configured? I installed the package
>> and ran ipa-radius-install but don't know what to do next :-S
>>
>> cheers
>>
> and, should it show up somewhere in the webUI?
> I notice a few commands (ipa-radiusclientmod and profilemod) but there
> don't appear to be man pages.
>

radius is not configurable in the UI yet.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rcritten at redhat.com Fri Jan 11 14:24:36 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Jan 2008 09:24:36 -0500
Subject: [Freeipa-devel] [PATCH] resend enable sessions in the GUI
In-Reply-To: <1200059021.3873.2.camel@localhost.localdomain>
References: <4786891A.1080307@redhat.com> <1200004448.31403.48.camel@localhost.localdomain> <1200053775.31518.7.camel@muff> <1200059021.3873.2.camel@localhost.localdomain>
Message-ID: <47877C24.50809@redhat.com>

Simo Sorce wrote:
> On Fri, 2008-01-11 at 12:16 +0000, Mark McLoughlin wrote:
>> On Thu, 2008-01-10 at 17:34 -0500, Simo Sorce wrote:
>>> On Thu, 2008-01-10 at 16:07 -0500, Rob Crittenden wrote:
>>>> +
>>>> + def __create_cache_dir(self):
>>>> + try:
>>>> + os.makedirs("/var/cache/ipa", 0700)
>>>> + except:
>>>> + pass
>>> Should this be chowned to the apache user as well ?
>> Hold on; ipa-webgui runs as root, not apache ... I noticed that the
>> other day and found it very surprising ... was that not intentional,
>> then?
>
> I think we had to for some reason, but we should review it a bit.
>
> Simo.
>

It should run as apache. I'll file a bug against it.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From jdennis at redhat.com Fri Jan 11 14:32:14 2008
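The point argued in this thread (the cache directory must belong to the account the daemon actually runs as, and the create-if-missing logic must not hide real errors behind a bare `except`) as an added example. This is not code from the patch or from FreeIPA: `ensure_private_dir()` and `demo()` are hypothetical helpers, and `demo()` exercises them in a temporary directory under the current user instead of /var/cache/ipa/sessions and apache.

```python
"""Added example: create a per-daemon cache directory that is private to the
account the daemon runs as, and refuse to reuse one that is not.
Not FreeIPA code; ensure_private_dir and demo are hypothetical helpers."""
import errno
import os
import stat
import tempfile


def ensure_private_dir(path, uid, gid, mode=0o700):
    """Create `path` owned by uid:gid with `mode`, or validate an existing one.

    Returns True when the directory was created, False when an existing
    directory passed the checks. Raises OSError for any failure other than
    "already exists" (instead of swallowing it with `except: pass`), and
    ValueError when the existing path is not a directory, is owned by
    someone else, or grants access to group/other.
    """
    try:
        os.mkdir(path, mode)
        created = True
    except OSError as err:
        if err.errno != errno.EEXIST:
            raise                 # EACCES, ENOENT (missing parent), EROFS ...
        created = False

    st = os.lstat(path)           # lstat: a symlink planted here is rejected
    if not stat.S_ISDIR(st.st_mode):
        raise ValueError("%s exists but is not a directory" % path)

    if created:
        # mkdir's mode is narrowed by the umask and the owner is whoever runs
        # this (root during install); hand the directory to the service account.
        os.chown(path, uid, gid)
        os.chmod(path, mode)
        return True

    if st.st_uid != uid or st.st_gid != gid:
        raise ValueError("%s is owned by %d:%d, expected %d:%d"
                         % (path, st.st_uid, st.st_gid, uid, gid))
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise ValueError("%s is accessible to group/other (mode %o)"
                         % (path, stat.S_IMODE(st.st_mode)))
    return False


def demo():
    """Exercise the helper under the current user in a temporary directory
    (standing in for /var/cache/ipa/sessions owned by apache).

    Returns (created_first, mode_after_create, created_second, rejected).
    """
    base = tempfile.mkdtemp()
    sessions = os.path.join(base, "sessions")
    uid, gid = os.getuid(), os.getgid()
    created_first = ensure_private_dir(sessions, uid, gid)
    mode_after_create = stat.S_IMODE(os.stat(sessions).st_mode)
    created_second = ensure_private_dir(sessions, uid, gid)
    os.chmod(sessions, 0o755)     # simulate a directory someone loosened
    try:
        ensure_private_dir(sessions, uid, gid)
        rejected = False
    except ValueError:
        rejected = True
    os.rmdir(sessions)
    os.rmdir(base)
    return created_first, mode_after_create, created_second, rejected


if __name__ == "__main__":
    print(demo())  # (True, 448, False, True); 448 is 0o700
```

The validation branch matters as much as the creation branch: an installer that runs as root and a daemon that later drops to apache will otherwise agree on the path but not on who may read it, which is the mismatch the thread describes.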
From: jdennis at redhat.com (John Dennis)
Date: Fri, 11 Jan 2008 09:32:14 -0500
Subject: [Freeipa-devel] help setting up RADIUS?
In-Reply-To: <47871A46.1090603@redhat.com>
References: <47871A46.1090603@redhat.com>
Message-ID: <47877DEE.2080207@redhat.com>

David O'Brien wrote:
> How do I go about getting RADIUS configured? I installed the package and
> ran ipa-radius-install but don't know what to do next :-S

The Radius work is incomplete, we just got the equipment a couple of days ago to begin exercising the radius server, that work has not been done. There are no man pages yet and it hasn't been folded into the web GUI yet either. But the command line tools exist to manipulate the radius data in LDAP and one can verify the radius server is in fact reading this information. Some basic testing instructions appear here:

https://www.redhat.com/archives/freeipa-devel/2007-November/msg00388.html

--
John Dennis

From jdennis at redhat.com Fri Jan 11 14:38:54 2008
From: jdennis at redhat.com (John Dennis)
Date: Fri, 11 Jan 2008 09:38:54 -0500
Subject: [Freeipa-devel] ports for RADIUS?
In-Reply-To: <478717AC.1070504@redhat.com>
References: <478717AC.1070504@redhat.com>
Message-ID: <47877F7E.3080204@redhat.com>

David O'Brien wrote:
> I'd like to update the following for RADIUS ports, but I don't know
> which ones freeIPA uses:
> http://www.freeipa.org/page/InstallAndDeploy#Required_Ports
>
> The "official" ports are 1812 and 1813 but 1645/6 seem to be the default
> ones. Can anyone shed light here?

# The default port that most NAS boxes use is 1645, which is historical.
# RFC 2138 defines 1812 to be the new port. Many new servers and
# NAS boxes use 1812, which can create interoperability problems.
#
# The port is defined here to be 0 so that the server will pick up
# the machine's local configuration for the radius port, as defined
# in /etc/services.
#
# If you want to use the default RADIUS port as defined on your server,
# (usually through 'grep radius /etc/services') set this to 0 (zero).
#

--
John Dennis

From rcritten at redhat.com Fri Jan 11 16:37:05 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Jan 2008 11:37:05 -0500
Subject: [Freeipa-devel] [PATCH] service principal deletion
Message-ID: <47879B31.50601@redhat.com>

This adds a principal show page to the UI and a button to delete a given principal.

Currently I just show the hostname and the service. There isn't anything else that I know of that we can show.

At some point hopefully we can add back the download link so a keytab can be retrieved via the UI.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-575-delete.patch
Type: text/x-patch
Size: 8778 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rcritten at redhat.com Fri Jan 11 17:51:49 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Jan 2008 12:51:49 -0500
Subject: [Freeipa-devel] [PATCH] find and delete service principals from CLI
Message-ID: <4787ACB5.3020403@redhat.com>

Find and delete service principals from the command-line.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-576-delete.patch
Type: text/x-patch
Size: 8586 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rcritten at redhat.com Fri Jan 11 18:04:44 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Jan 2008 13:04:44 -0500
Subject: [Freeipa-devel] [PATCH] run ipa-webgui as apache not root
Message-ID: <4787AFBC.8080401@redhat.com>

Add the --user argument to daemon in the ipa-webgui init file to run TurboGears as apache and not as root.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-578-gui.patch
Type: text/x-patch
Size: 705 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From ssorce at redhat.com Fri Jan 11 18:31:04 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 11 Jan 2008 13:31:04 -0500
Subject: [Freeipa-devel] [PATCH] service principal deletion
In-Reply-To: <47879B31.50601@redhat.com>
References: <47879B31.50601@redhat.com>
Message-ID: <1200076264.18086.17.camel@localhost.localdomain>

On Fri, 2008-01-11 at 11:37 -0500, Rob Crittenden wrote:
> This adds a principal show page to the UI and a button to delete a given
> principal.
>
> Currently I just show the hostname and the service. There isn't anything
> else that I know of that we can show.
>
> At some point hopefully we can add back the download link so a keytab
> can be retrieved via the UI.

Should we add filters to avoid deleting users by mistake?
It seems the code just resolves any principal into a DN, it seems to me it will work to delete users too. I guess we need a servicePrincipal Objectclass at some point ...

Simo.

--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |

From ssorce at redhat.com Fri Jan 11 18:31:50 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 11 Jan 2008 13:31:50 -0500
Subject: [Freeipa-devel] [PATCH] find and delete service principals from CLI
In-Reply-To: <4787ACB5.3020403@redhat.com>
References: <4787ACB5.3020403@redhat.com>
Message-ID: <1200076310.18086.19.camel@localhost.localdomain>

On Fri, 2008-01-11 at 12:51 -0500, Rob Crittenden wrote:
> Find and delete service principals from the command-line.

+1

I know this patch depends on the previous one on which I had comments, but once the other goes in, this can follow immediately too.

--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |

From ssorce at redhat.com Fri Jan 11 18:32:07 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 11 Jan 2008 13:32:07 -0500
Subject: [Freeipa-devel] [PATCH] run ipa-webgui as apache not root
In-Reply-To: <4787AFBC.8080401@redhat.com>
References: <4787AFBC.8080401@redhat.com>
Message-ID: <1200076327.18086.21.camel@localhost.localdomain>

On Fri, 2008-01-11 at 13:04 -0500, Rob Crittenden wrote:
> Add the --user argument to daemon in the ipa-webgui init file to run
> TurboGears as apache and not as root.

Ack

--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |

From rcritten at redhat.com Fri Jan 11 18:38:30 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Jan 2008 13:38:30 -0500
Subject: [Freeipa-devel] [PATCH] service principal deletion
In-Reply-To: <1200076264.18086.17.camel@localhost.localdomain>
References: <47879B31.50601@redhat.com> <1200076264.18086.17.camel@localhost.localdomain>
Message-ID: <4787B7A6.6020808@redhat.com>

Simo Sorce wrote:
> On Fri, 2008-01-11 at 11:37 -0500, Rob Crittenden wrote:
>> This adds a principal show page to the UI and a button to delete a given
>> principal.
>>
>> Currently I just show the hostname and the service. There isn't anything
>> else that I know of that we can show.
>>
>> At some point hopefully we can add back the download link so a keytab
>> can be retrieved via the UI.
>
> Should we add filters to avoid deleting users by mistake?
> It seems the code just resolves any principal into a DN, it seems to me
> it will work to delete users too. I guess we need a servicePrincipal
> Objectclass at some point ...
>
> Simo.
>

It is true that one could fake a POST and pass in the DN of a user and in all likelihood a delete would be attempted. I'm not sure how much of a risk this really is.

Users will never be displayed as the search filter includes (!(objectClass=person))

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rcritten at redhat.com Fri Jan 11 18:39:58 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Jan 2008 13:39:58 -0500
Subject: [Freeipa-devel] [PATCH] run ipa-webgui as apache not root
In-Reply-To: <1200076327.18086.21.camel@localhost.localdomain>
References: <4787AFBC.8080401@redhat.com> <1200076327.18086.21.camel@localhost.localdomain>
Message-ID: <4787B7FE.1010206@redhat.com>

Simo Sorce wrote:
> On Fri, 2008-01-11 at 13:04 -0500, Rob Crittenden wrote:
>> Add the --user argument to daemon in the ipa-webgui init file to run
>> TurboGears as apache and not as root.
>
> Ack
>

Pushed

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rcritten at redhat.com Fri Jan 11 18:42:07 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Jan 2008 13:42:07 -0500
Subject: [Freeipa-devel] [PATCH] remove non-existent function
Message-ID: <4787B87F.1010702@redhat.com>

I've pushed the attached patch. It should resolve the 500 errors people may have been seeing.

The problem was that a non-existent function was registered in the XML-RPC interface.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-567-get_keytab.patch
Type: text/x-patch
Size: 905 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From ssorce at redhat.com Fri Jan 11 18:51:28 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 11 Jan 2008 13:51:28 -0500
Subject: [Freeipa-devel] [PATCH] remove non-existent function
In-Reply-To: <4787B87F.1010702@redhat.com>
References: <4787B87F.1010702@redhat.com>
Message-ID: <1200077488.18086.25.camel@localhost.localdomain>

On Fri, 2008-01-11 at 13:42 -0500, Rob Crittenden wrote:
> I've pushed the attached patch. It should resolve the 500 errors people may have been seeing.
>
> The problem was that a non-existent function was registered in the XML-RPC interface.

Ouch, I guess this was my fault :-(

Thanks for fixing it.

Simo.

--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |

From ssorce at redhat.com Fri Jan 11 18:55:50 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 11 Jan 2008 13:55:50 -0500
Subject: [Freeipa-devel] [PATCH] service principal deletion
In-Reply-To: <4787B7A6.6020808@redhat.com>
References: <47879B31.50601@redhat.com> <1200076264.18086.17.camel@localhost.localdomain> <4787B7A6.6020808@redhat.com>
Message-ID: <1200077750.18086.30.camel@localhost.localdomain>

On Fri, 2008-01-11 at 13:38 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Fri, 2008-01-11 at 11:37 -0500, Rob Crittenden wrote:
> >> This adds a principal show page to the UI and a button to delete a given principal.
> >>
> >> Currently I just show the hostname and the service. There isn't anything else that I know of that we can show.
> >>
> >> At some point hopefully we can add back the download link so a keytab can be retrieved via the UI.
> >
> > Should we add filters to avoid deleting users by mistake?
> > It seems the code just resolves any principal into a DN, it seems to me it will work to delete users too. I guess we need a servicePrincipal Objectclass at some point ...
> >
> > Simo.
> >
>
> It is true that one could fake a POST and pass in the DN of a user and in all likelihood a delete would be attempted. I'm not sure how much of a risk this really is.

It's not a security risk, so as long as find_service_principal() actually filters out anything not a service I guess this is all ok, please push.

Simo.

--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |

From rcritten at redhat.com Fri Jan 11 19:00:33 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Jan 2008 14:00:33 -0500
Subject: [Freeipa-devel] [PATCH] service principal deletion
In-Reply-To: <1200077750.18086.30.camel@localhost.localdomain>
References: <47879B31.50601@redhat.com> <1200076264.18086.17.camel@localhost.localdomain> <4787B7A6.6020808@redhat.com> <1200077750.18086.30.camel@localhost.localdomain>
Message-ID: <4787BCD1.5000507@redhat.com>

Simo Sorce wrote:
> On Fri, 2008-01-11 at 13:38 -0500, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Fri, 2008-01-11 at 11:37 -0500, Rob Crittenden wrote:
>>>> This adds a principal show page to the UI and a button to delete a given principal.
>>>>
>>>> Currently I just show the hostname and the service. There isn't anything else that I know of that we can show.
>>>>
>>>> At some point hopefully we can add back the download link so a keytab can be retrieved via the UI.
>>> Should we add filters to avoid deleting users by mistake?
>>> It seems the code just resolves any principal into a DN, it seems to me it will work to delete users too. I guess we need a servicePrincipal Objectclass at some point ...
>>>
>>> Simo.
>>>
>> It is true that one could fake a POST and pass in the DN of a user and in all likelihood a delete would be attempted. I'm not sure how much of a risk this really is.
>
> It's not a security risk, so as long as find_service_principal() actually filters out anything not a service I guess this is all ok, please push.
>
> Simo.

Ok, pushed.

rob

From rcritten at redhat.com Fri Jan 11 19:00:43 2008
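The check Simo asks for in the thread above, as an added example that is not FreeIPA's code: the delete handler re-reads the entry behind a client-supplied DN and re-applies the service filter (the `(!(objectClass=person))` test Rob mentions, plus the service/host shape of the principal name) before removing anything, so a hand-crafted POST carrying a user's DN is refused. The in-memory directory, the sample DNs and the `handle_delete_request` wrapper are constructed for the example.

```python
"""Server-side guard for deleting service principals (added example).

The UI resolves a principal to a DN and deletes that DN. Re-applying the
listing page's service filter at delete time means the DN a client posts
is never trusted on its own. The directory below is a constructed
in-memory stand-in for LDAP; attribute names and objectClass values are
matched case-insensitively, as LDAP does.
"""

SERVICE_DN = ("krbprincipalname=HTTP/ipa.example.com@EXAMPLE.COM,"
              "cn=services,cn=accounts,dc=example,dc=com")
USER_DN = "uid=admin,cn=users,cn=accounts,dc=example,dc=com"

# Constructed sample entries: DN -> {attribute: [values]}.
SAMPLE_DIRECTORY = {
    SERVICE_DN: {
        "objectClass": ["krbPrincipal", "krbPrincipalAux", "top"],
        "krbPrincipalName": ["HTTP/ipa.example.com@EXAMPLE.COM"],
    },
    USER_DN: {
        "objectClass": ["person", "posixAccount", "krbPrincipalAux", "top"],
        "krbPrincipalName": ["admin@EXAMPLE.COM"],
        "uid": ["admin"],
    },
}


class NotAServicePrincipal(Exception):
    """The DN resolved, but the entry is not a service principal."""


def get_attr(entry, name):
    """Attribute lookup with LDAP's case-insensitive attribute names."""
    wanted = name.lower()
    for key, values in entry.items():
        if key.lower() == wanted:
            return list(values)
    return []


def is_service_principal(entry):
    """Emulate the filter (&(krbPrincipalName=*/*)(!(objectClass=person))).

    Service principals look like service/host@REALM; user principals have
    no '/' before the realm and, in IPA, carry objectClass person.
    """
    principals = get_attr(entry, "krbPrincipalName")
    if not any("/" in p.split("@", 1)[0] for p in principals):
        return False
    classes = {c.lower() for c in get_attr(entry, "objectClass")}
    return "person" not in classes


def find_service_principal(directory, principal):
    """Resolve a principal name to a DN; None for users and unknown names."""
    for dn, entry in directory.items():
        if principal in get_attr(entry, "krbPrincipalName") and is_service_principal(entry):
            return dn
    return None


def delete_service_principal(directory, dn):
    """Delete by DN only after re-checking the entry against the service filter."""
    entry = directory.get(dn)
    if entry is None:
        raise KeyError(dn)
    if not is_service_principal(entry):
        raise NotAServicePrincipal(dn)
    del directory[dn]


def handle_delete_request(directory, posted_dn):
    """What the form handler does with a client-supplied DN: never assume it
    came from our own page; map each outcome to a status for the response."""
    try:
        delete_service_principal(directory, posted_dn)
    except KeyError:
        return "not found"
    except NotAServicePrincipal:
        return "refused: not a service principal"
    return "deleted"


def demo():
    """Exercise the forged-POST case and the genuine delete on a copy."""
    directory = {dn: dict(attrs) for dn, attrs in SAMPLE_DIRECTORY.items()}
    forged = handle_delete_request(directory, USER_DN)      # a user's DN, as a forged POST would send
    genuine = handle_delete_request(directory, SERVICE_DN)  # the DN the UI actually listed
    repeat = handle_delete_request(directory, SERVICE_DN)   # already gone
    return forged, genuine, repeat, USER_DN in directory


if __name__ == "__main__":
    print(demo())
```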
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Jan 2008 14:00:43 -0500
Subject: [Freeipa-devel] [PATCH] find and delete service principals from CLI
In-Reply-To: <1200076310.18086.19.camel@localhost.localdomain>
References: <4787ACB5.3020403@redhat.com> <1200076310.18086.19.camel@localhost.localdomain>
Message-ID: <4787BCDB.1080709@redhat.com>

Simo Sorce wrote:
> On Fri, 2008-01-11 at 12:51 -0500, Rob Crittenden wrote:
>> Find and delete service principals from the command-line.
>
> +1
> I know this patch depends on the previous on which I had comments, but once the other goes in, this can follow immediately too.
>

Pushed

From rcritten at redhat.com Fri Jan 11 20:21:04 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Jan 2008 15:21:04 -0500
Subject: [Freeipa-devel] [PATCH 7 of 8] Backup system state in ipa-server-install
In-Reply-To: <8640eee04855769ce8d0.1200052844@localhost.localdomain>
References: <8640eee04855769ce8d0.1200052844@localhost.localdomain>
Message-ID: <4787CFB0.3060208@redhat.com>

Mark McLoughlin wrote:
> # HG changeset patch
> # User Mark McLoughlin
> # Date 1200049593 0
> # Node ID 8640eee04855769ce8d0592e0fd7580e63d81dcf
> # Parent dbe13997b7a29237a134d0c23f6e34503e91898d
> Backup system state in ipa-server-install
>
> This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall.
>
> The idea is that any files ipa-server-install modifies get backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state.
>
> Signed-off-by: Mark McLoughlin
>
> --- a/ipa-server/Makefile.am Fri Jan 11 10:36:25 2008 +0000
> +++ b/ipa-server/Makefile.am Fri Jan 11 11:06:33 2008 +0000
> @@ -12,6 +12,13 @@ SUBDIRS = \
> ipa-slapi-plugins \
> xmlrpc-server \
> $(NULL)
> +
> +install-exec-local:
> + mkdir -p $(DESTDIR)$(localstatedir)/cache/ipa/sysrestore
> +
> +uninstall-local:
> + rmdir $(DESTDIR)$(localstatedir)/cache/watercooler/sys
> + rmdir $(DESTDIR)$(localstatedir)/cache/watercooler

Is this supposed to be ipa?

rob

From rcritten at redhat.com Fri Jan 11 20:50:33 2008
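Review bot: uninstall-local removes $(DESTDIR)$(localstatedir)/cache/watercooler/sys and .../cache/watercooler, while install-exec-local creates .../cache/ipa/sysrestore, so `make uninstall` fails on directories that never existed and leaves the ipa ones behind; the two rmdir lines should mirror the install target, `rmdir $(DESTDIR)$(localstatedir)/cache/ipa/sysrestore` then `rmdir $(DESTDIR)$(localstatedir)/cache/ipa`. Since rmdir only removes empty directories and the patch description says backed-up files are kept under sysrestore, uninstall will also fail on a host that still holds backups unless the rmdir lines are prefixed with `-` or the backups are restored and cleared first.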
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Jan 2008 15:50:33 -0500
Subject: [Freeipa-devel] internationalization of kid templates
In-Reply-To: <1199353118.4420.17.camel@freeipa.example.com>
References: <1199353118.4420.17.camel@freeipa.example.com>
Message-ID: <4787D699.5040506@redhat.com>

Masato Taruishi wrote:
> Hi,
>
> I wrote a patch to internationalize kid templates. In addition to the general internationalization, the patch also includes the Japanese po file. Please see the attached screenshots. Of course, this patch supports the content negotiation feature so you can see the English page, too.
>
> I haven't internationalized javascript and python messages yet because it requires utf-8 safety. I guess it's a next work for i18n related tasks.
>
> I hope this would help internationalization support of freeipa.
>
> Thanks
> Best regards

Hi. I'm reviewing your patch now and it looks ok, I just have a couple of questions.

What do we need to do on an ongoing basis to be sure that the messages stay up-to-date? Will we need to run something every time we make a change to a kid file?

The .po files have a header. Currently the translator field is empty. Is it common for this to be the default, FULL NAME?

It pulled in some pure code in some cases. It looks like:

+#: ipagui/templates/ipapolicyshow.kid:td
+msgid "${ipapolicy.get(\"ipasearchtimelimit\")}"
+msgstr ""

Should we leave these in there or remove them?

thanks

rob

From daobrien at redhat.com Sun Jan 13 22:22:50 2008
From: daobrien at redhat.com (David O'Brien)
Date: Mon, 14 Jan 2008 08:22:50 +1000
Subject: [Freeipa-devel] naming for radius.conf?
In-Reply-To: <478778E2.8070301@redhat.com>
References: <47871B4B.1010604@redhat.com> <478778E2.8070301@redhat.com>
Message-ID: <478A8F3A.9080304@redhat.com>

John Dennis wrote:
> David O'Brien wrote:
>> There's probably a good reason for this, but why is this file /etc/raddb/radiusd.conf and not /etc/radius/radiusd.conf ? I figure there is a db involved, etc., etc., but it didn't seem a very logical directory name. I ended up using locate to, er.., locate it.
>
> Because that is how upstream FreeRADIUS names the directory which also means that's the directory name RPM is going to create and install it under when the rpm package is installed. We don't and can't rename components belonging to package dependencies.
>
> FWIW, I'm not a fan of the name either, but it is what it is :-)
>
> P.S.: It does contain database files which is probably why it got its name and yes that means according to FHS and Fedora packaging guidelines those files are in the wrong place :-(
>

well, like you said, it is what it is. I'll make sure I advertise its location in the doc.

Thanks for that.

--
David O'Brien
RHCT

From daobrien at redhat.com Sun Jan 13 22:27:38 2008
From: daobrien at redhat.com (David O'Brien)
Date: Mon, 14 Jan 2008 08:27:38 +1000
Subject: [Freeipa-devel] help setting up RADIUS?
In-Reply-To: <4787791C.1010501@redhat.com>
References: <47871A46.1090603@redhat.com> <47871D43.4060504@redhat.com> <4787791C.1010501@redhat.com>
Message-ID: <478A905A.1010204@redhat.com>

Rob Crittenden wrote:
> David O'Brien wrote:
>> David O'Brien wrote:
>>> How do I go about getting RADIUS configured? I installed the package and ran ipa-radius-install but don't know what to do next :-S
>>>
>>> cheers
>>>
>> and, should it show up somewhere in the webUI?
>> I notice a few commands (ipa-radiusclientmod and profilemod) but there don't appear to be man pages.
>>
>
> radius is not configurable in the UI yet.
>
> rob

roger that. Is it planned for 1.0? Should I be looking to the cli or just ignore it (radius) for now?

I'm also wondering how much testing I'll be able to do with it; e.g., will I need some sort of dial-up access to get my hands dirty? Will I be limited to documenting what one *should* be able to do with it and how it *should* work?

cheers

--
David O'Brien
RHCT

From daobrien at redhat.com Sun Jan 13 22:28:47 2008
From: daobrien at redhat.com (David O'Brien)
Date: Mon, 14 Jan 2008 08:28:47 +1000
Subject: [Freeipa-devel] help setting up RADIUS?
In-Reply-To: <47877DEE.2080207@redhat.com>
References: <47871A46.1090603@redhat.com> <47877DEE.2080207@redhat.com>
Message-ID: <478A909F.4050603@redhat.com>

John Dennis wrote:
> David O'Brien wrote:
>> How do I go about getting RADIUS configured? I installed the package and ran ipa-radius-install but don't know what to do next :-S
>
> The Radius work is incomplete, we just got the equipment a couple of days ago to begin exercising the radius server, that work has not been done. There are no man pages yet and it hasn't been folded into the web GUI yet either. But the command line tool exists to manipulate the radius data in LDAP and one can verify the radius server is in fact reading this information. Some basic testing instructions appear here:
>
> https://www.redhat.com/archives/freeipa-devel/2007-November/msg00388.html
>

ah, and here's the answer to my previous post... :D

--
David O'Brien
RHCT

From daobrien at redhat.com Sun Jan 13 22:45:09 2008
From: daobrien at redhat.com (David O'Brien)
Date: Mon, 14 Jan 2008 08:45:09 +1000
Subject: [Freeipa-devel] [PATCH 0 of 8] Add ipa-server-install --uninstall
In-Reply-To:
References:
Message-ID: <478A9475.4010809@redhat.com>

Mark McLoughlin wrote:
> Hey,
> It's a bit of a pain getting your system back into a clean state after running ipa-server-install, so I've hacked up a series of patches which adds "uninstall" functionality to ipa-server-install.
>
> The final two patches are where this is all implemented; the preceding patches are fairly miscellaneous.
>
> Cheers,
> Mark.
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>

Cool, I was hoping somebody would put something like this together. I'm assuming it does the tasks, and more, listed here:
http://freeipa.org/page/InstallAndDeploy#Performing_a_Re-install

--
David O'Brien
RHCT

From markmc at redhat.com Mon Jan 14 11:49:41 2008
From: markmc at redhat.com (Mark McLoughlin)
Date: Mon, 14 Jan 2008 11:49:41 +0000
Subject: [Freeipa-devel] [PATCH 7 of 8] Backup system state in ipa-server-install
In-Reply-To: <4787CFB0.3060208@redhat.com>
References: <8640eee04855769ce8d0.1200052844@localhost.localdomain> <4787CFB0.3060208@redhat.com>
Message-ID: <1200311381.6118.22.camel@muff>

On Fri, 2008-01-11 at 15:21 -0500, Rob Crittenden wrote:
> > +uninstall-local:
> > + rmdir $(DESTDIR)$(localstatedir)/cache/watercooler/sys
> > + rmdir $(DESTDIR)$(localstatedir)/cache/watercooler
>
> Is this supposed to be ipa?

Heh, yeah, well spotted. Fixed in the attached patch.

Much of the code comes from an old dead project I worked on that needed to do something similar.

Cheers,
Mark.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-server-sysrestore.patch
Type: text/x-patch
Size: 28046 bytes
Desc: not available

From markmc at redhat.com Mon Jan 14 11:50:18 2008
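A minimal version of the scheme the sysrestore patch describes, as an added example and not the module from Mark's patch: files the installer is about to modify are copied into a backup directory (the patch uses /var/cache/ipa/sysrestore/) and non-file "meta" state, such as whether a service was enabled, goes into a state file (the patch's sysrestore.state), so an uninstall can put both back. The JSON state format, the numbered backup names and the temporary paths used by demo() are this example's own.

```python
"""Backup files and meta state so an uninstall can restore them (added example)."""
import json
import os
import shutil
import tempfile


class SysRestore:
    """File copies live under backup_dir; the index and meta state in state_file."""

    def __init__(self, backup_dir, state_file):
        self.backup_dir = backup_dir
        self.state_file = state_file
        os.makedirs(backup_dir, exist_ok=True)
        self._data = {"files": {}, "state": {}}
        if os.path.exists(state_file):
            with open(state_file) as fh:
                self._data = json.load(fh)

    def _save(self):
        with open(self.state_file, "w") as fh:
            json.dump(self._data, fh)

    def backup_file(self, path):
        """Copy path into backup_dir, keeping only the first (pristine) copy.

        A second call for the same path is a no-op, so an installer that
        edits a file twice cannot clobber the original it must restore.
        """
        path = os.path.abspath(path)
        if path in self._data["files"]:
            return False
        name = str(len(self._data["files"]))  # unique name independent of the path
        shutil.copy2(path, os.path.join(self.backup_dir, name))  # copy2 keeps mode/mtime
        self._data["files"][path] = {"backup": name, "mode": os.stat(path).st_mode & 0o7777}
        self._save()
        return True

    def restore_files(self):
        """Copy every backed-up file back, restore its mode, drop the copy."""
        restored = []
        for path, info in list(self._data["files"].items()):
            backup = os.path.join(self.backup_dir, info["backup"])
            shutil.copy2(backup, path)
            os.chmod(path, info["mode"])
            os.unlink(backup)
            del self._data["files"][path]
            restored.append(path)
        self._save()
        return restored

    def backup_state(self, module, key, value):
        """Record non-file state, e.g. ("dirsrv", "enabled", False)."""
        self._data["state"].setdefault(module, {})[key] = value
        self._save()

    def restore_state(self, module, key):
        """Return and forget the saved value for (module, key); None if absent."""
        value = self._data["state"].get(module, {}).pop(key, None)
        self._save()
        return value


def demo():
    """Round-trip a constructed krb5.conf and a service flag inside a temp dir.

    Returns (file_and_mode_restored, saved_flag, flag_after_restore, leftover_backups).
    """
    root = tempfile.mkdtemp(prefix="sysrestore-demo-")
    backup_dir = os.path.join(root, "sysrestore")
    state_file = os.path.join(root, "sysrestore.state")
    try:
        conf = os.path.join(root, "krb5.conf")
        original = "[libdefaults]\n default_realm = CORP.EXAMPLE.COM\n"  # constructed
        with open(conf, "w") as fh:
            fh.write(original)
        os.chmod(conf, 0o644)

        store = SysRestore(backup_dir, state_file)
        store.backup_file(conf)
        store.backup_state("dirsrv", "enabled", False)
        # The "installer" rewrites the file, tightens its mode and backs up again.
        with open(conf, "w") as fh:
            fh.write("[libdefaults]\n default_realm = IPA.EXAMPLE.COM\n")
        os.chmod(conf, 0o600)
        second_copy = store.backup_file(conf)  # False: the pristine copy is kept

        # "Uninstall" reopens the store from its state file, as a later run would.
        store = SysRestore(backup_dir, state_file)
        store.restore_files()
        with open(conf) as fh:
            restored_ok = fh.read() == original and (os.stat(conf).st_mode & 0o7777) == 0o644
        flag = store.restore_state("dirsrv", "enabled")
        again = store.restore_state("dirsrv", "enabled")
        return restored_ok and not second_copy, flag, again, os.listdir(backup_dir)
    finally:
        shutil.rmtree(root)
```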
From: markmc at redhat.com (Mark McLoughlin)
Date: Mon, 14 Jan 2008 11:50:18 +0000
Subject: [Freeipa-devel] [PATCH 0 of 8] Add ipa-server-install --uninstall
In-Reply-To: <478A9475.4010809@redhat.com>
References: <478A9475.4010809@redhat.com>
Message-ID: <1200311418.6118.24.camel@muff>

On Mon, 2008-01-14 at 08:45 +1000, David O'Brien wrote:
> Cool, I was hoping somebody would put something like this together. I'm assuming it does the tasks, and more, listed here:
> http://freeipa.org/page/InstallAndDeploy#Performing_a_Re-install

Yep, it does all that.

Cheers,
Mark.

From rcritten at redhat.com Mon Jan 14 16:13:10 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Jan 2008 11:13:10 -0500
Subject: [Freeipa-devel] [PATCH 7 of 8] Backup system state in ipa-server-install
In-Reply-To: <8640eee04855769ce8d0.1200052844@localhost.localdomain>
References: <8640eee04855769ce8d0.1200052844@localhost.localdomain>
Message-ID: <478B8A16.80805@redhat.com>

Mark McLoughlin wrote:
> diff -r dbe13997b7a2 -r 8640eee04855 ipa-server/ipa-server.spec.in
> --- a/ipa-server/ipa-server.spec.in Fri Jan 11 10:36:25 2008 +0000
> +++ b/ipa-server/ipa-server.spec.in Fri Jan 11 11:06:33 2008 +0000
> @@ -48,7 +48,7 @@ Ipa is a server for identity, policy, an
>
> %prep
> %setup -q
> -./configure --prefix=%{buildroot}/usr --libdir=%{buildroot}/%{_libdir} --sysconfdir=%{buildroot}/etc
> +./configure --prefix=%{buildroot}/usr --libdir=%{buildroot}/%{_libdir} --sysconfdir=%{buildroot}/etc --localstatedir=%{buildroot}/var
>
> %build
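Review bot: --localstatedir=%{buildroot}/var extends the existing pattern of pointing configure at the build root, so any localstatedir value configure substitutes into installed scripts or config will name %{buildroot}/var rather than /var on the installed system; the usual spec idiom is to configure with the final paths (--localstatedir=%{_localstatedir}, and likewise for --prefix and --sysconfdir) and relocate at install time with `make install DESTDIR=%{buildroot}`, which the Makefile.am hunk in this series already supports through $(DESTDIR)$(localstatedir).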
>
> @@ -107,6 +107,7 @@ fi
> %attr(755,root,root) %{plugin_dir}/libipa-memberof-plugin.so
> %attr(755,root,root) %{plugin_dir}/libipa-dna-plugin.so
>
> +%dir %{_localstatedir}/cache/ipa
>
> %changelog
> * Fri Dec 21 2007 Karl MacMillan - 0.6.0-1

Is it adequate for the rpm to own just the top level directory or does it need to own all the subdirs as well? I can't recall if a %dir is recursive.

In any case in testing I get:

Configuring Kerberos KDC
  [0/13]: setting KDC account password
Unexpected error - see ipaserver-install.log for details:
[Errno 2] No such file or directory: '/var/cache/ipa/sysrestore/var'

I gather we need to make this in a 'make install' as well, right?

rob

From markmc at redhat.com Mon Jan 14 16:54:38 2008
From: markmc at redhat.com (Mark McLoughlin)
Date: Mon, 14 Jan 2008 16:54:38 +0000
Subject: [Freeipa-devel] [PATCH 7 of 8] Backup system state in ipa-server-install
In-Reply-To: <478B8A16.80805@redhat.com>
References: <8640eee04855769ce8d0.1200052844@localhost.localdomain> <478B8A16.80805@redhat.com>
Message-ID: <1200329679.2279.98.camel@muff>

On Mon, 2008-01-14 at 11:13 -0500, Rob Crittenden wrote:
> Mark McLoughlin wrote:
> > @@ -107,6 +107,7 @@ fi
> > %attr(755,root,root) %{plugin_dir}/libipa-memberof-plugin.so
> > %attr(755,root,root) %{plugin_dir}/libipa-dna-plugin.so
> >
> > +%dir %{_localstatedir}/cache/ipa
> >
> > %changelog
> > * Fri Dec 21 2007 Karl MacMillan - 0.6.0-1
>
> Is it adequate for the rpm to own just the top level directory or does it need to own all the subdirs as well? I can't recall if a %dir is recursive.

No, %dir is not recursive. So we also need:

%dir %{_localstatedir}/cache/ipa/sysrestore

Fixed version attached.

> In any case in testing I get:
>
> Configuring Kerberos KDC
>   [0/13]: setting KDC account password
> Unexpected error - see ipaserver-install.log for details:
> [Errno 2] No such file or directory: '/var/cache/ipa/sysrestore/var'
>
> I gather we need to make this in a 'make install' as well, right?

We do need /var/cache/sysrestore, but not subdirs of that - the sysrestore code handles creating the subdirs.

I only tested with "make install", not by installing the ipa-server RPM, so that's probably why I didn't see this.

Thanks,
Mark.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-server-sysrestore.patch
Type: text/x-patch
Size: 28381 bytes
Desc: not available

From rcritten at redhat.com Mon Jan 14 17:42:21 2008
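Review bot: `%dir %{_localstatedir}/cache/ipa` owns only that one directory (%dir is not recursive), while install-exec-local in the Makefile.am hunk creates cache/ipa/sysrestore beneath it; without a matching `%dir %{_localstatedir}/cache/ipa/sysrestore` in %files the RPM-installed system lacks the directory and ipa-server-install fails with the ENOENT on '/var/cache/ipa/sysrestore/var' quoted above. With the build run from %{buildroot}, the unowned sysrestore directory also shows up as an installed-but-unpackaged file in the build root, so the missing line is worth catching at build time rather than on first install.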
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Jan 2008 12:42:21 -0500
Subject: [Freeipa-devel] [PATCH 0 of 8] Add ipa-server-install --uninstall
In-Reply-To:
References:
Message-ID: <478B9EFD.9010008@redhat.com>

Mark McLoughlin wrote:
> Hey,
> It's a bit of a pain getting your system back into a clean state after running ipa-server-install, so I've hacked up a series of patches which adds "uninstall" functionality to ipa-server-install.
>
> The final two patches are where this is all implemented; the preceding patches are fairly miscellaneous.
>
> Cheers,
> Mark.

Pushed all 8 patches. Thanks for the contribution.

rob

From rcritten at redhat.com Wed Jan 16 15:28:03 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Jan 2008 10:28:03 -0500
Subject: [Freeipa-devel] [PATCH] require cyrus-sasl-gssapi in ipa-client
Message-ID: <478E2283.4070803@redhat.com>

Pushed this patch to add cyrus-sasl-gssapi to ipa-client Requires.

Without this Firefox won't be able to authenticate.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-594-gssapi.patch
Type: text/x-patch
Size: 1359 bytes
Desc: not available

From ssorce at redhat.com Wed Jan 16 15:36:26 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 16 Jan 2008 10:36:26 -0500
Subject: [Freeipa-devel] [PATCH] require cyrus-sasl-gssapi in ipa-client
In-Reply-To: <478E2283.4070803@redhat.com>
References: <478E2283.4070803@redhat.com>
Message-ID: <1200497786.10767.4.camel@localhost.localdomain>

On Wed, 2008-01-16 at 10:28 -0500, Rob Crittenden wrote:
> Pushed this patch to add cyrus-sasl-gssapi to ipa-client Requires.
>
> Without this Firefox won't be able to authenticate.

ACK

--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |

From rcritten at redhat.com Wed Jan 16 21:51:52 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Jan 2008 16:51:52 -0500
Subject: [Freeipa-devel] Moving from /usr/share/
Message-ID: <478E7C78.8090401@redhat.com>

I'm working on a specfile so we can submit IPA to be included in Fedora.

Fedora follows the FHS, we do not (my fault, mostly).

We install a slew of stuff into /usr/share/ipaserver. /usr/share is really for architecture-independent stuff. We should probably be using /usr/lib/ipaserver instead.

Any objections to switching?

We also have some static web content. That is currently in our ipaserver directory. I wonder if we should put that elsewhere as well, perhaps making an ipa directory in /var/www/html?

rob

From rmeggins at redhat.com Wed Jan 16 22:11:43 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 16 Jan 2008 15:11:43 -0700
Subject: [Freeipa-devel] Moving from /usr/share/
In-Reply-To: <478E7C78.8090401@redhat.com>
References: <478E7C78.8090401@redhat.com>
Message-ID: <478E811F.7050807@redhat.com>

Rob Crittenden wrote:
> I'm working on a specfile so we can submit IPA to be included in Fedora.
>
> Fedora follows the FHS, we do not (my fault, mostly).
>
> We install a slew of stuff into /usr/share/ipaserver. /usr/share is really for architecture-independent stuff. We should probably be using /usr/lib/ipaserver instead.
>
> Any objections to switching?

What will you use /usr/lib/ipaserver for?

>
> We also have some static web content. That is currently in our ipaserver directory. I wonder if we should put that elsewhere as well, perhaps making an ipa directory in /var/www/html?

No, you are not supposed to use /var/www/html - see http://fedoraproject.org/wiki/Packaging/Guidelines#head-5d1681fa7cf3714ad490fbf7c095a0cfe16da27f

>
> rob

From rcritten at redhat.com Wed Jan 16 22:18:45 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Jan 2008 17:18:45 -0500
Subject: [Freeipa-devel] Moving from /usr/share/
In-Reply-To: <478E811F.7050807@redhat.com>
References: <478E7C78.8090401@redhat.com> <478E811F.7050807@redhat.com>
Message-ID: <478E82C5.6020203@redhat.com>

Rich Megginson wrote:
> Rob Crittenden wrote:
>> I'm working on a specfile so we can submit IPA to be included in Fedora.
>>
>> Fedora follows the FHS, we do not (my fault, mostly).
>>
>> We install a slew of stuff into /usr/share/ipaserver. /usr/share is really for architecture-independent stuff. We should probably be using /usr/lib/ipaserver instead.
>>
>> Any objections to switching?
> What will you use /usr/lib/ipaserver for?

We have python libraries there, some of which we might be able to coerce into /usr/lib/python*/site-packages, but not all. A few of them are the XML-RPC interface used by Apache.

>> We also have some static web content. That is currently in our ipaserver directory. I wonder if we should put that elsewhere as well, perhaps making an ipa directory in /var/www/html?
> No, you are not supposed to use /var/www/html - see
> http://fedoraproject.org/wiki/Packaging/Guidelines#head-5d1681fa7cf3714ad490fbf7c095a0cfe16da27f

Ok, guess I should have read the entire FHS. I guess that content stays in /usr/share.

rob

From kmacmill at redhat.com Thu Jan 17 18:39:18 2008
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 17 Jan 2008 13:39:18 -0500
Subject: [Freeipa-devel] Moving from /usr/share/
In-Reply-To: <478E82C5.6020203@redhat.com>
References: <478E7C78.8090401@redhat.com> <478E811F.7050807@redhat.com> <478E82C5.6020203@redhat.com>
Message-ID: <1200595158.3183.1.camel@vai.mentalrootkit.com>

On Wed, 2008-01-16 at 17:18 -0500, Rob Crittenden wrote:
> Rich Megginson wrote:
> > Rob Crittenden wrote:
> >> I'm working on a specfile so we can submit IPA to be included in Fedora.
> >>
> >> Fedora follows the FHS, we do not (my fault, mostly).
> >>
> >> We install a slew of stuff into /usr/share/ipaserver. /usr/share is really for architecture-independent stuff. We should probably be using /usr/lib/ipaserver instead.
> >>
> >> Any objections to switching?
> > What will you use /usr/lib/ipaserver for?
>
> We have python libraries there, some of which we might be able to coerce into /usr/lib/python*/site-packages, but not all. A few of them are the XML-RPC interface used by Apache.
>

A lot of that code I don't think we want to expose as a python library - it's not ready to be used that way. It's really the guts of applications.

Are you certain that /usr/share is not appropriate? I thought that .pyc files were portable, so all of that is arch-independent. Additionally, other python apps store their code there.

Karl

From rcritten at redhat.com Thu Jan 17 18:53:05 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 17 Jan 2008 13:53:05 -0500
Subject: [Freeipa-devel] Moving from /usr/share/
In-Reply-To: <1200595158.3183.1.camel@vai.mentalrootkit.com>
References: <478E7C78.8090401@redhat.com> <478E811F.7050807@redhat.com> <478E82C5.6020203@redhat.com> <1200595158.3183.1.camel@vai.mentalrootkit.com>
Message-ID: <478FA411.4060406@redhat.com>

Karl MacMillan wrote:
> On Wed, 2008-01-16 at 17:18 -0500, Rob Crittenden wrote:
>> Rich Megginson wrote:
>>> Rob Crittenden wrote:
>>>> I'm working on a specfile so we can submit IPA to be included in Fedora.
>>>>
>>>> Fedora follows the FHS, we do not (my fault, mostly).
>>>>
>>>> We install a slew of stuff into /usr/share/ipaserver. /usr/share is really for architecture-independent stuff. We should probably be using /usr/lib/ipaserver instead.
>>>>
>>>> Any objections to switching?
>>> What will you use /usr/lib/ipaserver for?
>> We have python libraries there, some of which we might be able to coerce into /usr/lib/python*/site-packages, but not all. A few of them are the XML-RPC interface used by Apache.
>>
>
> A lot of that code I don't think we want to expose as a python library - it's not ready to be used that way. It's really the guts of applications.
>
> Are you certain that /usr/share is not appropriate? I thought that .pyc files were portable, so all of that is arch-independent. Additionally, other python apps store their code there.
>

Well rpmlint didn't like them there, though now I suspect it was more the #!/usr/bin/python -E that many of the files had that was the real problem.

I really think it is cleaner to limit the number of files in /usr/share/ipa/ipaserver. Putting the installation stuff there always confused me. It also lets us move away from the sys.path.append("/usr/share/ipa") stuff.

I'm easy though. I've got the .spec files down to warning just about missing documentation.
I think that I can probably move the stuff I put into /usr/lib/python*/site-packages/ipaserver back into /usr/share/ipa/ipaserver with little problem. I hope to have a patch out by COB if you want to wait to see what I've done.

I'm testing a 'make local-dist' rpm install on a vanilla box right now and so far so good.

rob

From rcritten at redhat.com Thu Jan 17 19:39:48 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 17 Jan 2008 14:39:48 -0500
Subject: [Freeipa-devel] [PATCH] Fix slew of errors reported by rpmlint (and do some re-org)
Message-ID: <478FAF04.1040309@redhat.com>

This started as an effort to move everything out of /usr/share because I thought we weren't FHS compliant. Turns out that we probably are, I think my confusion was the shebangs (#!) in many of the scripts.

I still moved most of /usr/share/ipa/ipaserver into python/site-packages/ipaserver and I moved ipaclient as well.

Mark had good reasoning for moving the stuff from ipaserver: it is shared between the UI and XML-RPC so it makes more sense to be in the standard python shared code location.

ipaclient was so self-contained it made sense to move that too.

The result is a much cleaner ipaserver directory in /usr/share/ipa.

The rest of the fixes related to issues in the init scripts such as using a variable name with the locks. It confused the heck out of rpmlint and it just seemed easier to quiet it down.

I also added the status command to ipa-webgui.init and ipa_kpasswd.init.

Renamed ipa-kpasswd.init to ipa_kpasswd.init to be consistent with the underlying binary.

So now we have no rpmlint errors beyond no documentation in many of the RPMs. We can quiet those down by including the GPLv2+ LICENSE and/or actually populating the various READMEs spread throughout the tree. Most are empty.

You won't hurt my feelings if you hate what I've done so speak up now.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-595-rpmlint.patch
Type: text/x-patch
Size: 34848 bytes
Desc: not available

From kmacmill at redhat.com Thu Jan 17 19:49:06 2008
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 17 Jan 2008 14:49:06 -0500
Subject: [Freeipa-devel] [PATCH] selinux policies
Message-ID: <1200599346.3183.5.camel@vai.mentalrootkit.com>

Add selinux policies for the ipa-webgui and ipa-kpasswd. These policies will need some additional testing - if you notice any strange behavior with this you should check for AVC messages (audit2allow -al).

I added them as a separate directory and a separate rpm to make it easier to port to non-selinux platforms.

Dan - could you review these policies?

Thanks - Karl

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-selinux.diff
Type: text/x-patch
Size: 14840 bytes
Desc: not available

From kmacmill at redhat.com Thu Jan 17 19:51:33 2008
From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 17 Jan 2008 14:51:33 -0500
Subject: [Freeipa-devel] [PATCH] Fix slew of errors reported by rpmlint (and do some re-org)
In-Reply-To: <478FAF04.1040309@redhat.com>
References: <478FAF04.1040309@redhat.com>
Message-ID: <1200599493.3183.7.camel@vai.mentalrootkit.com>

On Thu, 2008-01-17 at 14:39 -0500, Rob Crittenden wrote:
> This started as an effort to move everything out of /usr/share because I thought we weren't FHS compliant. Turns out that we probably are, I think my confusion was the shebangs (#!) in many of the scripts.
>
> I still moved most of /usr/share/ipa/ipaserver into python/site-packages/ipaserver and I moved ipaclient as well.
>
> Mark had good reasoning for moving the stuff from ipaserver: it is shared between the UI and XML-RPC so it makes more sense to be in the standard python shared code location.
>
> ipaclient was so self-contained it made sense to move that too.
>
> The result is a much cleaner ipaserver directory in /usr/share/ipa.
>
> The rest of the fixes related to issues in the init scripts such as using a variable name with the locks. It confused the heck out of rpmlint and it just seemed easier to quiet it down.
>
> I also added the status command to ipa-webgui.init and ipa_kpasswd.init.
>
> Renamed ipa-kpasswd.init to ipa_kpasswd.init to be consistent with the underlying binary.
>
> So now we have no rpmlint errors beyond no documentation in many of the RPMs. We can quiet those down by including the GPLv2+ LICENSE and/or actually populating the various READMEs spread throughout the tree. Most are empty.
>
> You won't hurt my feelings if you hate what I've done so speak up now.
>

Ack.

From rcritten at redhat.com Thu Jan 17 21:13:26 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 17 Jan 2008 16:13:26 -0500
Subject: [Freeipa-devel] [PATCH] Don't ask questions in unattended mode in ipa-client-install
Message-ID: <478FC4F6.70000@redhat.com>

Fix case where a question was being asked in unattended mode.
Catch permission errors on install.
Initialize srv so the error message works if the user presses enter

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-596-client.patch
Type: text/x-patch
Size: 2393 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From ssorce at redhat.com Thu Jan 17 21:22:18 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 17 Jan 2008 16:22:18 -0500
Subject: [Freeipa-devel] [PATCH] Don't ask questions in unattended mode in ipa-client-install
In-Reply-To: <478FC4F6.70000@redhat.com>
References: <478FC4F6.70000@redhat.com>
Message-ID: <1200604938.10767.101.camel@localhost.localdomain>

On Thu, 2008-01-17 at 16:13 -0500, Rob Crittenden wrote:
> Fix case where a question was being asked in unattended mode.
> Catch permission errors on install.
> Initialize srv so the error message works if the user presses enter

ACK

--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |

From rcritten at redhat.com Thu Jan 17 21:34:11 2008
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 17 Jan 2008 16:34:11 -0500 Subject: [Freeipa-devel] [PATCH] Don't ask questions in unattended mode in ipa-client-install In-Reply-To: <1200604938.10767.101.camel@localhost.localdomain> References: <478FC4F6.70000@redhat.com> <1200604938.10767.101.camel@localhost.localdomain> Message-ID: <478FC9D3.90500@redhat.com> Simo Sorce wrote: > On Thu, 2008-01-17 at 16:13 -0500, Rob Crittenden wrote: >> Fix case where a question was being asked in unattended mode. >> Catch permission errors on install. >> Initialize srv so the error message works if the user presses enter > > ACK > Pushed, thanks. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From markmc at redhat.com Fri Jan 18 16:54:39 2008 From: markmc at redhat.com (Mark McLoughlin) Date: Fri, 18 Jan 2008 16:54:39 +0000 Subject: [Freeipa-devel] [PATCH] Fix slew of errors reported by rpmlint (and do some re-org) In-Reply-To: <478FAF04.1040309@redhat.com> References: <478FAF04.1040309@redhat.com> Message-ID: <1200675279.6248.22.camel@muff> Hi Rob, On Thu, 2008-01-17 at 14:39 -0500, Rob Crittenden wrote: > diff -r 4b1cc593766e -r 34d00b243c8e ipa-client/ipa-client.spec > --- a/ipa-client/ipa-client.spec Wed Jan 16 10:26:53 2008 -0500 > +++ b/ipa-client/ipa-client.spec Thu Jan 17 14:57:34 2008 -0500 ... > > Requires: python python-ldap python-krbV ipa-python cyrus-sasl-gssapi > + > +%{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")} > +%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} You only need %{python_sitelib} > %description > IPA is a server for identity, policy, and audit. 
> @@ -41,7 +44,13 @@ rm -rf %{buildroot} > %dir %{_usr}/share/ipa > %{_usr}/share/ipa/* > > +%{python_sitearch}/* > + This would break on x86_64, you want to use %{python_sitelib} instead, and probably something more like: %dir %{python_sitelib}/ipaclient %{python_sitelib}/ipaclient/*.py* See: http://fedoraproject.org/wiki/Packaging/Python (The page is inconsistent on whether *.pyo should be packaged or not) > diff -r 4b1cc593766e -r 34d00b243c8e ipa-server/ipa-gui/ipa-webgui.init > --- a/ipa-server/ipa-gui/ipa-webgui.init Wed Jan 16 10:26:53 2008 -0500 > +++ b/ipa-server/ipa-gui/ipa-webgui.init Thu Jan 17 14:57:34 2008 -0500 > @@ -33,7 +33,7 @@ start() { > daemon --user $RUNAS $PROG > RETVAL=$? > echo > - [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$NAME || \ > + [ $RETVAL -eq 0 ] && touch /var/lock/subsys/ipa-webgui || \ Out of curiosity, why? > diff -r 4b1cc593766e -r 34d00b243c8e ipa-server/ipa-kpasswd/Makefile.am > --- a/ipa-server/ipa-kpasswd/Makefile.am Wed Jan 16 10:26:53 2008 -0500 > +++ b/ipa-server/ipa-kpasswd/Makefile.am Thu Jan 17 14:57:34 2008 -0500 > @@ -28,7 +28,7 @@ ipa_kpasswd_LDADD = \ > > EXTRA_DIST = \ > README \ > - ipa-kpasswd.init \ > + ipa_kpasswd.init \ Personally, I'd prefer to rename ipa_kpasswd to ipa-kpasswd in order to be consistent with ipa-webgui and save all those poor baby seals :-) 
> @@ -38,10 +38,12 @@ Requires: python-tgexpandingformwidget > Requires: python-tgexpandingformwidget > Requires: acl > Requires: pyasn1 > -Requires: libcap Not doubting this, but I don't think you had anything in the changelog for this. > > %define httpd_conf /etc/httpd/conf.d > %define plugin_dir %{_libdir}/dirsrv/plugins > + > +%{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")} > +%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} > %{_usr}/share/ipa/* > + > +%{python_sitearch}/* Same thing here, should be using %{python_sitelib} - %{python_sitearch} is for shlib modules. > diff -r 4b1cc593766e -r 34d00b243c8e ipa-server/xmlrpc-server/Makefile.am > --- a/ipa-server/xmlrpc-server/Makefile.am Wed Jan 16 10:26:53 2008 -0500 > +++ b/ipa-server/xmlrpc-server/Makefile.am Thu Jan 17 14:57:34 2008 -0500 > @@ -10,10 +10,14 @@ html_DATA = \ > unauthorized.html \ > $(NULL) > > +funcdir = $(pythondir)/ipaserver > +func_PYTHON = \ > + attrs.py \ > + funcs.py \ > + $(NULL) > + Just one point on this - it'd be nice to easily be able to run ipa-webgui out of a hg working dir; this makes it harder. Why not move the code under ipa-server/ipaserver/ ? From rcritten at redhat.com Fri Jan 18 17:06:26 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 18 Jan 2008 12:06:26 -0500 Subject: [Freeipa-devel] [PATCH] Fix slew of errors reported by rpmlint (and do some re-org) In-Reply-To: <1200675279.6248.22.camel@muff> References: <478FAF04.1040309@redhat.com> <1200675279.6248.22.camel@muff> Message-ID: <4790DC92.7090407@redhat.com> Mark McLoughlin wrote: > Hi Rob, > > On Thu, 2008-01-17 at 14:39 -0500, Rob Crittenden wrote: > >> diff -r 4b1cc593766e -r 34d00b243c8e ipa-client/ipa-client.spec >> --- a/ipa-client/ipa-client.spec Wed Jan 16 10:26:53 2008 -0500 
>> +++ b/ipa-client/ipa-client.spec Thu Jan 17 14:57:34 2008 -0500 > ... >> >> Requires: python python-ldap python-krbV ipa-python cyrus-sasl-gssapi >> + >> +%{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")} >> +%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} > > You only need %{python_sitelib} Ok, goof on my part. We ship some arch-specific binaries in the ipa-client package but no shared libs so python_sitelib should be good enough. > >> %description >> IPA is a server for identity, policy, and audit. >> @@ -41,7 +44,13 @@ rm -rf %{buildroot} >> %dir %{_usr}/share/ipa >> %{_usr}/share/ipa/* >> >> +%{python_sitearch}/* >> + > > This would break on x86_64, you want to use %{python_sitelib} instead, > and probably something more like: > > %dir %{python_sitelib}/ipaclient > %{python_sitelib}/ipaclient/*.py* > > See: > > http://fedoraproject.org/wiki/Packaging/Python > > (The page is inconsistent on whether *.pyo should be packaged or not) Ok. > >> diff -r 4b1cc593766e -r 34d00b243c8e ipa-server/ipa-gui/ipa-webgui.init >> --- a/ipa-server/ipa-gui/ipa-webgui.init Wed Jan 16 10:26:53 2008 -0500 >> +++ b/ipa-server/ipa-gui/ipa-webgui.init Thu Jan 17 14:57:34 2008 -0500 >> @@ -33,7 +33,7 @@ start() { >> daemon --user $RUNAS $PROG >> RETVAL=$? >> echo >> - [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$NAME || \ >> + [ $RETVAL -eq 0 ] && touch /var/lock/subsys/ipa-webgui || \ > > Out of curiosity, why? To shut up rpmlint. It complains if you have a variable. I figured that there was a low probability of changing the init script name in the future so a variable wasn't really necessary. I can add this to the changelog. > >> diff -r 4b1cc593766e -r 34d00b243c8e ipa-server/ipa-kpasswd/Makefile.am >> --- a/ipa-server/ipa-kpasswd/Makefile.am Wed Jan 16 10:26:53 2008 -0500 
>> +++ b/ipa-server/ipa-kpasswd/Makefile.am Thu Jan 17 14:57:34 2008 -0500 >> @@ -28,7 +28,7 @@ ipa_kpasswd_LDADD = \ >> >> EXTRA_DIST = \ >> README \ >> - ipa-kpasswd.init \ >> + ipa_kpasswd.init \ > > Personally, I'd prefer to rename ipa_kpasswd to ipa-kpasswd in order to > be consistent with ipa-webgui and save all those poor baby seals :-) Ok, I'll check with Simo to be sure. This will affect the SELinux policy that Karl just submitted though. > > >> @@ -38,10 +38,12 @@ Requires: python-tgexpandingformwidget >> Requires: python-tgexpandingformwidget >> Requires: acl >> Requires: pyasn1 >> -Requires: libcap > > Not doubting this, but I don't think you had anything in the changelog > for this. rpmlint whined about explicit libraries in Requires. > >> >> %define httpd_conf /etc/httpd/conf.d >> %define plugin_dir %{_libdir}/dirsrv/plugins >> + >> +%{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")} >> +%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} > >> %{_usr}/share/ipa/* >> + >> +%{python_sitearch}/* > > Same thing here, should be using %{python_sitelib} - %{python_sitearch} > is for shlib modules. Ok, same issue as before. I was doing global multilib even when it didn't apply to python. > >> diff -r 4b1cc593766e -r 34d00b243c8e ipa-server/xmlrpc-server/Makefile.am >> --- a/ipa-server/xmlrpc-server/Makefile.am Wed Jan 16 10:26:53 2008 -0500 >> +++ b/ipa-server/xmlrpc-server/Makefile.am Thu Jan 17 14:57:34 2008 -0500 
>> @@ -10,10 +10,14 @@ html_DATA = \ >> unauthorized.html \ >> $(NULL) >> >> +funcdir = $(pythondir)/ipaserver >> +func_PYTHON = \ >> + attrs.py \ >> + funcs.py \ >> + $(NULL) >> + > > Just one point on this - it'd be nice to easily be able to run > ipa-webgui out of a hg working dir; this makes it harder. Why not move > the code under ipa-server/ipaserver/ ? It should still work (it did for me). One is always going to have to do a make install before running the gui. I'll double check this though. I do all my UI development in the tree so this is pretty important. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Fri Jan 18 17:16:19 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 18 Jan 2008 12:16:19 -0500 Subject: [Freeipa-devel] [PATCH] Fix slew of errors reported by rpmlint (and do some re-org) In-Reply-To: <4790DC92.7090407@redhat.com> References: <478FAF04.1040309@redhat.com> <1200675279.6248.22.camel@muff> <4790DC92.7090407@redhat.com> Message-ID: <1200676579.10767.143.camel@localhost.localdomain> On Fri, 2008-01-18 at 12:06 -0500, Rob Crittenden wrote: > > Personally, I'd prefer to rename ipa_kpasswd to ipa-kpasswd in > order to > > be consistent with ipa-webgui and save all those poor baby seals :-) > > Ok, I'll check with Simo to be sure. This will affect the SELinux > policy > that Karl just submitted though. I named it with _ so that you do not mix it with a regular admin tool as they all stay in /usr/bin and an ipa- would bring it up. maybe ipa-webgui can go ipa_webgui :-) Simo. -- | Simo S Sorce | | Sr.Soft.Eng. | | Red Hat, Inc | | New York, NY | From rcritten at redhat.com Fri Jan 18 18:27:53 2008 
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Jan 2008 13:27:53 -0500
Subject: [Freeipa-devel] [PATCH] Fix slew of errors reported by rpmlint (and do some re-org)
In-Reply-To: <1200676579.10767.143.camel@localhost.localdomain>
References: <478FAF04.1040309@redhat.com> <1200675279.6248.22.camel@muff> <4790DC92.7090407@redhat.com> <1200676579.10767.143.camel@localhost.localdomain>
Message-ID: <4790EFA9.4060004@redhat.com>

Simo Sorce wrote:
> On Fri, 2008-01-18 at 12:06 -0500, Rob Crittenden wrote:
>>> Personally, I'd prefer to rename ipa_kpasswd to ipa-kpasswd in order to
>>> be consistent with ipa-webgui and save all those poor baby seals :-)
>> Ok, I'll check with Simo to be sure. This will affect the SELinux policy
>> that Karl just submitted though.
>
> I named it with _ so that you do not mix it with a regular admin tool as
> they all stay in /usr/bin and an ipa- would bring it up.
>
> maybe ipa-webgui can go ipa_webgui :-)
>
> Simo.
>

I think I'm going to stick with my original change. I agree that consistency is good but Simo has a point about ipa-kpasswd. I can see someone trying to run that thinking it is a cmd-line app. I doubt they'd be as confused about ipa-webgui.

rob

From rcritten at redhat.com Fri Jan 18 19:48:46 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Jan 2008 14:48:46 -0500
Subject: [Freeipa-devel] [PATCH] Fix slew of errors reported by rpmlint (and do some re-org)
In-Reply-To: <1200675279.6248.22.camel@muff>
References: <478FAF04.1040309@redhat.com> <1200675279.6248.22.camel@muff>
Message-ID: <4791029E.2080704@redhat.com>

I've poked at this some more and have a few other questions/comments.

I added the Requires: libcap in because it wasn't being added as a dependency automatically.

I'm not sure if Simo was kidding or not but I think I'm going to take his suggestion and go ahead and rename ipa-webgui to ipa_webgui for consistency (- for tools, _ for daemons). I'll resubmit the patch for review when I'm done.

rob

From rcritten at redhat.com Fri Jan 18 21:19:35 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Jan 2008 16:19:35 -0500
Subject: [Freeipa-devel] [PATCH] Fix slew of errors reported by rpmlint (take 2)
Message-ID: <479117E7.1010409@redhat.com>

Taking another stab at this. I incorporated Mark's feedback so using python_sitelib instead of python_sitearch and renamed ipa-webgui to ipa_webgui. I also fixed up some of the wildcards to be slightly more specific: *.py* over *.

I also removed some more #! from some python libraries and ran pychecker on a couple of them and fixed a few more issues. We should probably take time real soon to run pychecker on everything.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-590-rpmlint2.patch
Type: text/x-patch
Size: 54160 bytes
Desc: not available
URL:

From markmc at redhat.com Mon Jan 21 07:53:33 2008
From: markmc at redhat.com (Mark McLoughlin)
Date: Mon, 21 Jan 2008 07:53:33 +0000
Subject: [Freeipa-devel] [PATCH] Fix slew of errors reported by rpmlint (take 2)
In-Reply-To: <479117E7.1010409@redhat.com>
References: <479117E7.1010409@redhat.com>
Message-ID: <1200902013.3319.2.camel@muff>

On Fri, 2008-01-18 at 16:19 -0500, Rob Crittenden wrote:
> Taking another stab at this. I incorporated Mark's feedback so using
> python_sitelib instead of python_sitearch and renamed ipa-webgui to
> ipa_webgui. I also fixed up some of the wildcards to be slightly more
> specific: *.py* over *.
>
> I also removed some more #! from some python libraries and ran pychecker
> on a couple of them and fixed a few more issues. We should probably take
> time real soon to run pychecker on everything.

Looks good, ACK.

Mark.

From rcritten at redhat.com Mon Jan 21 13:43:15 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 21 Jan 2008 08:43:15 -0500
Subject: [Freeipa-devel] [PATCH] Fix slew of errors reported by rpmlint (take 2)
In-Reply-To: <1200902013.3319.2.camel@muff>
References: <479117E7.1010409@redhat.com> <1200902013.3319.2.camel@muff>
Message-ID: <4794A173.4000300@redhat.com>

Mark McLoughlin wrote:
> On Fri, 2008-01-18 at 16:19 -0500, Rob Crittenden wrote:
>> Taking another stab at this. I incorporated Mark's feedback so using
>> python_sitelib instead of python_sitearch and renamed ipa-webgui to
>> ipa_webgui. I also fixed up some of the wildcards to be slightly more
>> specific: *.py* over *.
>>
>> I also removed some more #! from some python libraries and ran pychecker
>> on a couple of them and fixed a few more issues. We should probably take
>> time real soon to run pychecker on everything.
>
> Looks good, ACK.
>
> Mark.
>

Pushed.

rob

From rcritten at redhat.com Mon Jan 21 15:34:26 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 21 Jan 2008 10:34:26 -0500
Subject: [Freeipa-devel] [REVIEW] unified ipa.spec
Message-ID: <4794BB82.4010103@redhat.com>

I've combined all 6 spec files into one in preparation for submission to Fedora. Can you take a quick peek at this to see if I'm completely off-base before I submit it?

NOTE: I haven't actually done a branch/tag for 1.0 yet. All I did was do a source pull today and name it freeipa-1.0 and tar/gz it up.

thanks

rob

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipa.spec
URL:

From rcritten at redhat.com Mon Jan 21 17:51:38 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 21 Jan 2008 12:51:38 -0500
Subject: [Freeipa-devel] branching 1.0
Message-ID: <4794DBAA.8080908@redhat.com>

We are rapidly approaching 1.0 so we need to start thinking about branching. I've done a little reading on mercurial branches in http://hgbook.red-bean.com/hgbookch8.html

I'm not sure which the best method for us is.

It seems to boil down to 2 methods:

1. Create a new repository that represents the 1.0 branch.
2. Keep all branch information within a single repository.

#1 has the advantage that you have a logical and physical separation of the code in each branch. I'm not sure if our hoster supports that, I'll check in #fedora-admin.

If not then we'll do a more traditional branch-in-repo method. It just seems so nice to have things completely separate so we don't have to worry about working in the wrong tree.

Anyway, this is my first mercurial project, wasn't sure if we had anyone more seasoned with some advice on how to proceed.

rob

From ssorce at redhat.com Mon Jan 21 18:04:55 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 21 Jan 2008 13:04:55 -0500
Subject: [Freeipa-devel] branching 1.0
In-Reply-To: <4794DBAA.8080908@redhat.com>
References: <4794DBAA.8080908@redhat.com>
Message-ID: <1200938695.10767.165.camel@localhost.localdomain>

On Mon, 2008-01-21 at 12:51 -0500, Rob Crittenden wrote:
> We are rapidly approaching 1.0 so we need to start thinking about
> branching. I've done a little reading on mercurial branches in
> http://hgbook.red-bean.com/hgbookch8.html
>
> I'm not sure which the best method for us is.
>
> It seems to boil down to 2 methods:
>
> 1. Create a new repository that represents the 1.0 branch.
> 2. Keep all branch information within a single repository.
>
> #1 has the advantage that you have a logical and physical separation of
> the code in each branch. I'm not sure if our hoster supports that, I'll
> check in #fedora-admin.
>
> If not then we'll do a more traditional branch-in-repo method. It just
> seems so nice to have things completely separate so we don't have to
> worry about working in the wrong tree.
>
> Anyway, this is my first mercurial project, wasn't sure if we had anyone
> more seasoned with some advice on how to proceed.

In samba we keep all git branches in the same repo and this has some very good advantages when you have to merge back fixes and such.

When working locally I just have 2 checkouts to avoid mixing code.

I am not sure having 2 separate trees buys us anything good esp from the merge pov.

Simo.

--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |

From markmc at redhat.com Mon Jan 21 18:06:03 2008
From: markmc at redhat.com (Mark McLoughlin)
Date: Mon, 21 Jan 2008 18:06:03 +0000
Subject: [Freeipa-devel] branching 1.0
In-Reply-To: <4794DBAA.8080908@redhat.com>
References: <4794DBAA.8080908@redhat.com>
Message-ID: <1200938763.28826.68.camel@muff>

Hi Rob,

On Mon, 2008-01-21 at 12:51 -0500, Rob Crittenden wrote:
> We are rapidly approaching 1.0 so we need to start thinking about
> branching. I've done a little reading on mercurial branches in
> http://hgbook.red-bean.com/hgbookch8.html
>
> I'm not sure which the best method for us is.
>
> It seems to boil down to 2 methods:
>
> 1. Create a new repository that represents the 1.0 branch.

The only other mercurial based projects I've seen have used this method and it works just fine. (i.e. just make a new copy of the repo at the 1.0 branchpoint)

Cheers,
Mark.

From rcritten at redhat.com Mon Jan 21 18:10:00 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 21 Jan 2008 13:10:00 -0500
Subject: [Freeipa-devel] branching 1.0
In-Reply-To: <4794DBAA.8080908@redhat.com>
References: <4794DBAA.8080908@redhat.com>
Message-ID: <4794DFF8.3060300@redhat.com>

Rob Crittenden wrote:
> We are rapidly approaching 1.0 so we need to start thinking about
> branching. I've done a little reading on mercurial branches in
> http://hgbook.red-bean.com/hgbookch8.html
>
> I'm not sure which the best method for us is.
>
> It seems to boil down to 2 methods:
>
> 1. Create a new repository that represents the 1.0 branch.
> 2. Keep all branch information within a single repository.
>
> #1 has the advantage that you have a logical and physical separation of
> the code in each branch. I'm not sure if our hoster supports that, I'll
> check in #fedora-admin.
>
> If not then we'll do a more traditional branch-in-repo method. It just
> seems so nice to have things completely separate so we don't have to
> worry about working in the wrong tree.
>
> Anyway, this is my first mercurial project, wasn't sure if we had anyone
> more seasoned with some advice on how to proceed.
>
> rob

I talked to the folks in #fedora-admin and #1 is not supported. So we'll need to do in-tree branching. There are some gotchas I need to investigate there before doing the branching.

rob

From rcritten at redhat.com Tue Jan 22 20:43:20 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 22 Jan 2008 15:43:20 -0500
Subject: [Freeipa-devel] bugzilla for bugs
Message-ID: <47965568.3020509@redhat.com>

We're switching bug systems from Trac to Bugzilla.

The new bug system is available at https://bugzilla.redhat.com/ Use freeIPA as the product.

The currently opened bugs in Trac are being manually migrated to Bugzilla now, so it will take a little bit. The old Trac system is currently not accepting new bugs but old ones are still visible.

So the bottom line is: open all new bugs in bugzilla.

rob

From jdennis at redhat.com Tue Jan 22 20:58:49 2008
From: jdennis at redhat.com (John Dennis)
Date: Tue, 22 Jan 2008 15:58:49 -0500
Subject: [Freeipa-devel] bugzilla for bugs
In-Reply-To: <47965568.3020509@redhat.com>
References: <47965568.3020509@redhat.com>
Message-ID: <47965909.8030208@redhat.com>

Rob Crittenden wrote:
> The new bug system is available at https://bugzilla.redhat.com/ Use
> freeIPA as the product.

Isn't the name freeIPA deprecated in favor of IPA? The new spec file also uses the name ipa (not freeIPA). It is horribly confusing when component names in bugzilla do not match package names. Can we make sure the bugzilla component is ipa not freeipa.

--
John Dennis

From rcritten at redhat.com Tue Jan 22 22:10:20 2008
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 22 Jan 2008 17:10:20 -0500 Subject: [Freeipa-devel] [PATCH] resend enable sessions in the GUI In-Reply-To: <1200053661.31518.4.camel@muff> References: <4786891A.1080307@redhat.com> <1200053661.31518.4.camel@muff> Message-ID: <479669CC.9070105@redhat.com> Mark McLoughlin wrote: > On Thu, 2008-01-10 at 16:07 -0500, Rob Crittenden wrote: >> + def __create_cache_dir(self): >> + try: >> + os.makedirs("/var/cache/ipa", 0700) > > In the patches I just sent, I also used /var/cache/ipa - could you > use /var/cache/ipa/sessions ? > > Cheers, > Mark. > Revised the patch to use /var/cache/ipa/sessions instead and include it properly in the in-tree spec file. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-591-sessions.patch Type: text/x-patch Size: 5831 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From markmc at redhat.com Wed Jan 23 09:30:41 2008 From: markmc at redhat.com (Mark McLoughlin) Date: Wed, 23 Jan 2008 09:30:41 +0000 Subject: [Freeipa-devel] [PATCH] resend enable sessions in the GUI In-Reply-To: <479669CC.9070105@redhat.com> References: <4786891A.1080307@redhat.com> <1200053661.31518.4.camel@muff> <479669CC.9070105@redhat.com> Message-ID: <1201080641.3377.0.camel@muff> On Tue, 2008-01-22 at 17:10 -0500, Rob Crittenden wrote: > +++ b/ipa-server/ipa-gui/ipa_webgui.cfg Tue Jan 22 17:24:00 2008 -0500 
> @@ -47,6 +47,12 @@ server.thread_pool = 10 > # Set to True if you'd like to abort execution if a controller gets > an > # unexpected parameter. False by default > # tg.strict_parameters = False > + > +# TurboGears sessions. > +session_filter.on = True > +session_filter.storage_type='File' > +session_filter.storage_path='/var/cache/ipa' Apart from this forgotten one, looks good. ACK. Cheers, Mark. From daobrien at redhat.com Wed Jan 23 00:58:12 2008 From: daobrien at redhat.com (David O'Brien) Date: Wed, 23 Jan 2008 10:58:12 +1000 Subject: [Freeipa-devel] bugzilla for bugs In-Reply-To: <47965909.8030208@redhat.com> References: <47965568.3020509@redhat.com> <47965909.8030208@redhat.com> Message-ID: <47969124.3090402@redhat.com> John Dennis wrote: > Rob Crittenden wrote: >> The new bug system is available at https://bugzilla.redhat.com/ Use >> freeIPA as the product. > > Isn't the name freeIPA deprecated in favor of IPA? The new spec file > also uses the name ipa (not freeIPA). It is horribly confusing when > component names in bugzilla do not match package names. Can we make > sure the bugzilla component is ipa not freeipa. > And the doc components are all against RHEIPA as requested. I can ask that they be duplicated for IPA if somebody tells me to. -- David O'Brien IPA Content Author From daobrien at redhat.com Wed Jan 23 01:58:42 2008 
From: daobrien at redhat.com (David O'Brien) Date: Wed, 23 Jan 2008 11:58:42 +1000 Subject: [Freeipa-devel] bugzilla for bugs In-Reply-To: <47965909.8030208@redhat.com> References: <47965568.3020509@redhat.com> <47965909.8030208@redhat.com> Message-ID: <47969F52.50501@redhat.com> John Dennis wrote: > Rob Crittenden wrote: >> The new bug system is available at https://bugzilla.redhat.com/ Use >> freeIPA as the product. > > Isn't the name freeIPA deprecated in favor of IPA? The new spec file > also uses the name ipa (not freeIPA). It is horribly confusing when > component names in bugzilla do not match package names. Can we make > sure the bugzilla component is ipa not freeipa. > While we're on the topic, how does this affect the doc/website? There are a few exceptions, but mostly that talks about freeIPA. -- David O'Brien IPA Content Author From rcritten at redhat.com Wed Jan 23 14:46:04 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 23 Jan 2008 09:46:04 -0500 Subject: [Freeipa-devel] [PATCH] resend enable sessions in the GUI In-Reply-To: <1201080641.3377.0.camel@muff> References: <4786891A.1080307@redhat.com> <1200053661.31518.4.camel@muff> <479669CC.9070105@redhat.com> <1201080641.3377.0.camel@muff> Message-ID: <4797532C.1080109@redhat.com> Mark McLoughlin wrote: > On Tue, 2008-01-22 at 17:10 -0500, Rob Crittenden wrote: >> +++ b/ipa-server/ipa-gui/ipa_webgui.cfg Tue Jan 22 17:24:00 2008 -0500 
>> @@ -47,6 +47,12 @@ server.thread_pool = 10 >> # Set to True if you'd like to abort execution if a controller gets >> an >> # unexpected parameter. False by default >> # tg.strict_parameters = False >> + >> +# TurboGears sessions. >> +session_filter.on = True >> +session_filter.storage_type='File' >> +session_filter.storage_path='/var/cache/ipa' > > Apart from this forgotten one, looks good. ACK. > > Cheers, > Mark. > Bah, I have a clear memory in changing that :-( Oh well, fixed now and pushed. thanks rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Wed Jan 23 15:30:23 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 23 Jan 2008 10:30:23 -0500 Subject: [Freeipa-devel] [PATCH] add license and readme's Message-ID: <47975D8F.2050906@redhat.com> I added a copy of the GPLv2 and filled in some README's. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-592-readme.patch Type: text/x-patch Size: 25312 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From markmc at redhat.com Wed Jan 23 16:01:09 2008 
From: markmc at redhat.com (Mark McLoughlin) Date: Wed, 23 Jan 2008 16:01:09 +0000 Subject: [Freeipa-devel] [PATCH 5 of 7] Fix not so random random passwords In-Reply-To: Message-ID: <32943922b23b325fbc63.1201104069@localhost.localdomain> # HG changeset patch # User Mark McLoughlin # Date 1201020165 0 # Node ID 32943922b23b325fbc63527ba469c0a2fd0dd3d7 # Parent 2f52fe548d870069fdcea8ff9959007977f4da93 Fix not so random random passwords If you run ipa_generate_password() multiple times, one after the other, then you get the same password each time. This is because it uses the current time to seed the pseudo random number generator. The easiest solution is to just use the default method which seeds itself from /dev/urandom if available, and uses a fractional time value otherwise. Signed-off-by: Mark McLoughlin diff -r 2f52fe548d87 -r 32943922b23b ipa-python/ipautil.py --- a/ipa-python/ipautil.py Tue Jan 22 11:58:06 2008 +0000 +++ b/ipa-python/ipautil.py Tue Jan 22 16:42:45 2008 +0000 @@ -24,8 +24,7 @@ import tempfile import tempfile import logging import subprocess -from random import Random -from time import gmtime +import random import os, sys, traceback, readline import stat import shutil @@ -364,8 +363,7 @@ def parse_generalized_time(timestr): def ipa_generate_password(): rndpwd = '' - r = Random() - r.seed(gmtime()) + r = random.Random() for x in range(12): # rndpwd += chr(r.randint(32,126)) rndpwd += chr(r.randint(65,90)) #stricter set for testing From markmc at redhat.com Wed Jan 23 16:01:06 2008 
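Review bot: the replacement `r = random.Random()` in the ipa_generate_password() hunk removes the repeated-password symptom but still takes the password characters from the Mersenne Twister, whose internal state can be reconstructed from observed output; for a password generator the values themselves, not just the seed, should come from the OS CSPRNG, i.e. `r = random.SystemRandom()` (available since Python 2.4). The same hunk keeps `rndpwd += chr(r.randint(65,90)) #stricter set for testing` with the fuller `randint(32,126)` line commented out; 12 characters from 26 letters is roughly 56 bits, so either restore the wider range or make sure the testing alphabet does not ship in a release.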
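The seeding bug described in the commit message, as an added example that is not part of this patch or of the FreeIPA code base: `flawed_password()` mirrors the pre-patch generator (PRNG seeded from the whole-second clock, so every call within the same second returns the same password), `mt_password()` mirrors the patched version (auto-seeded Mersenne Twister), and `csprng_password()` draws from the OS CSPRNG via `random.SystemRandom`, which is the appropriate source for a password generator. All function names are this example's own; the epoch value used in the comments is the patch's own Date stamp.

```python
import math
import random
import time

PASSWORD_LEN = 12
# The patched code builds passwords from chr(randint(65, 90)), i.e. A..Z.
ALPHABET = "".join(chr(c) for c in range(65, 91))


def flawed_password(epoch_seconds=None):
    """Pre-patch behaviour: seed the PRNG from the current time.

    The original did r.seed(gmtime()); a struct_time carries whole seconds
    only, so seeding with the integer second is equivalent. Two calls that
    fall in the same second get the same seed and therefore the same
    password (pass epoch_seconds explicitly to reproduce this on demand).
    """
    if epoch_seconds is None:
        epoch_seconds = int(time.time())
    r = random.Random()
    r.seed(epoch_seconds)
    return "".join(chr(r.randint(65, 90)) for _ in range(PASSWORD_LEN))


def mt_password():
    """Post-patch behaviour: random.Random() with no explicit seed.

    CPython seeds this from os.urandom(), so consecutive calls differ, but
    the generator is still the Mersenne Twister: its state is recoverable
    from observed output, so it is not a suitable source for secrets.
    """
    r = random.Random()
    return "".join(r.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def csprng_password():
    """Recommended form: every value comes from the OS CSPRNG.

    random.SystemRandom exists since Python 2.4, so it was already an
    option when this patch was written.
    """
    r = random.SystemRandom()
    return "".join(r.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def entropy_bits(alphabet_size=len(ALPHABET), length=PASSWORD_LEN):
    """Bits of entropy for a uniformly chosen password of this shape."""
    return length * math.log2(alphabet_size)


def same_second_collision(epoch_seconds):
    """True when two 'flawed' generations in one second give the same password."""
    return flawed_password(epoch_seconds) == flawed_password(epoch_seconds)


if __name__ == "__main__":
    # 1201020165 is the Date stamp on the patch itself.
    print("flawed, twice in one second:", flawed_password(1201020165),
          flawed_password(1201020165))
    print("patched (MT19937):", mt_password(), mt_password())
    print("SystemRandom:", csprng_password(), csprng_password())
    print("entropy of 12 x A-Z: %.1f bits" % entropy_bits())
    print("entropy of 12 x printable ASCII: %.1f bits" % entropy_bits(95))
```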
From: markmc at redhat.com (Mark McLoughlin) Date: Wed, 23 Jan 2008 16:01:06 +0000 Subject: [Freeipa-devel] [PATCH 2 of 7] Small refactor of dsinstance.config_dirname() In-Reply-To: Message-ID: <88b7b4b3b16ddf1770ab.1201104066@localhost.localdomain> # HG changeset patch # User Mark McLoughlin # Date 1201003079 0 # Node ID 88b7b4b3b16ddf1770ab6ecf3f43b39b0d97fe63 # Parent 8fea038a7fc9219cacad0234ac7f124fb206caad Small refactor of dsinstance.config_dirname() If, in future, we change the server ID so that it's not derived from the realm name, there's a fair few places that need to be changed. Make that easier by having config_dirname() take the server ID rather than the realm name. That makes sense anyway so we don't have to realm_to_serverid() so much. Signed-off-by: Mark McLoughlin diff -r 8fea038a7fc9 -r 88b7b4b3b16d ipa-server/ipaserver/dsinstance.py --- a/ipa-server/ipaserver/dsinstance.py Tue Jan 22 08:03:06 2008 +0000 +++ b/ipa-server/ipaserver/dsinstance.py Tue Jan 22 11:57:59 2008 +0000 @@ -48,11 +48,11 @@ def realm_to_serverid(realm_name): def realm_to_serverid(realm_name): return "-".join(realm_name.split(".")) -def config_dirname(realm_name): - return "/etc/dirsrv/slapd-" + realm_to_serverid(realm_name) + "/" - -def schema_dirname(realm_name): - return config_dirname(realm_name) + "/schema/" +def config_dirname(serverid): + return "/etc/dirsrv/slapd-" + serverid + "/" + +def schema_dirname(serverid): + return config_dirname(serverid) + "/schema/" def erase_ds_instance_data(serverid): try: 
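Review bot: the pre-existing double slash in `schema_dirname()` (config_dirname() already ends in "/" and the hunk appends "/schema/") is harmless but worth dropping while the function is being rewritten. The interpolation of `serverid` straight into a path under /etc/dirsrv/ is fine as long as callers only pass values from realm_to_serverid() or from the directory names check_existing_installation() finds, which is the case in this series; a one-line docstring saying so would stop a future caller passing user input here.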
@@ -198,13 +198,13 @@ class DsInstance(service.Service): def __add_default_schemas(self): shutil.copyfile(ipautil.SHARE_DIR + "60kerberos.ldif", - schema_dirname(self.realm_name) + "60kerberos.ldif") + schema_dirname(self.serverid) + "60kerberos.ldif") shutil.copyfile(ipautil.SHARE_DIR + "60samba.ldif", - schema_dirname(self.realm_name) + "60samba.ldif") + schema_dirname(self.serverid) + "60samba.ldif") shutil.copyfile(ipautil.SHARE_DIR + "60radius.ldif", - schema_dirname(self.realm_name) + "60radius.ldif") + schema_dirname(self.serverid) + "60radius.ldif") shutil.copyfile(ipautil.SHARE_DIR + "60ipaconfig.ldif", - schema_dirname(self.realm_name) + "60ipaconfig.ldif") + schema_dirname(self.serverid) + "60ipaconfig.ldif") def __restart_instance(self): try: @@ -252,7 +252,7 @@ class DsInstance(service.Service): self.__ldap_mod("master-entry.ldif", self.sub_dict) def __enable_ssl(self): - dirname = config_dirname(self.realm_name) + dirname = config_dirname(self.serverid) ca = certs.CertDB(dirname) if self.pkcs12_info: ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1]) @@ -296,11 +296,11 @@ class DsInstance(service.Service): def __certmap_conf(self): shutil.copyfile(ipautil.SHARE_DIR + "certmap.conf.template", - config_dirname(self.realm_name) + "certmap.conf") + config_dirname(self.serverid) + "certmap.conf") def change_admin_password(self, password): logging.debug("Changing admin password") - dirname = config_dirname(self.realm_name) + dirname = config_dirname(self.serverid) if ipautil.dir_exists("/usr/lib64/mozldap"): app = "/usr/lib64/mozldap/ldappasswd" else: diff -r 8fea038a7fc9 -r 88b7b4b3b16d ipa-server/ipaserver/httpinstance.py --- a/ipa-server/ipaserver/httpinstance.py Tue Jan 22 08:03:06 2008 +0000 +++ b/ipa-server/ipaserver/httpinstance.py Tue Jan 22 11:57:59 2008 +0000 
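Review bot: `change_admin_password()` in the hunk at line 296 is a public method and now silently depends on `self.serverid` having been set, which the rest of the class only guarantees inside `__create_instance()`; either initialise `serverid` in `__init__` from the realm or add a guard that raises a clear error when it is None rather than operating on `/etc/dirsrv/slapd-None/`.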
@@ -130,7 +130,7 @@ class HTTPInstance(service.Service): print "Updating %s failed." % NSS_CONF def __setup_ssl(self): - ds_ca = certs.CertDB(dsinstance.config_dirname(self.realm)) + ds_ca = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(self.realm))) ca = certs.CertDB(NSS_DIR) ds_ca.cur_serial = 2000 ca.create_from_cacert(ds_ca.cacert_fname) @@ -144,7 +144,7 @@ class HTTPInstance(service.Service): prefs_fd.close() # The signing cert is generated in __setup_ssl - ds_ca = certs.CertDB(dsinstance.config_dirname(self.realm)) + ds_ca = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(self.realm))) ca = certs.CertDB(NSS_DIR) # Publish the CA certificate From markmc at redhat.com Wed Jan 23 16:01:04 2008 From: markmc at redhat.com (Mark McLoughlin) Date: Wed, 23 Jan 2008 16:01:04 +0000 Subject: [Freeipa-devel] [PATCH 0 of 7] Misc. queued up patches Message-ID: Hi, I'm making some progress on replacing the questions asked by ipa-server-install with a "firstboot" web UI. The following series is just a bunch of patches I've queued up from that work that are (IMHO) worthwhile independent of the firstboot patches. I'm just getting these off my laptop to make life easier for myself :-) Cheers, Mark. From markmc at redhat.com Wed Jan 23 16:01:05 2008 
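Review bot: both httpinstance.py hunks now call `dsinstance.config_dirname(dsinstance.realm_to_serverid(self.realm))` in full, which works against the commit message's own goal of calling realm_to_serverid() less; compute the DS server ID once when `self.realm` is set (for example `self.ds_serverid = dsinstance.realm_to_serverid(realm)`) and reuse it in `__setup_ssl()` and the signing-cert code, which also keeps those two lines readable.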
From: markmc at redhat.com (Mark McLoughlin) Date: Wed, 23 Jan 2008 16:01:05 +0000 Subject: [Freeipa-devel] [PATCH 1 of 7] Remove questions from ipaserver.dsinstance In-Reply-To: Message-ID: <8fea038a7fc9219cacad.1201104065@localhost.localdomain> # HG changeset patch # User Mark McLoughlin # Date 1200988986 0 # Node ID 8fea038a7fc9219cacad0234ac7f124fb206caad # Parent 09304c90f377b8f53701a6df7db6949a6474daa5 Remove questions from ipaserver.dsinstance Let's assume that all ipaserver.dsinstance could be used somewhere where asking questions on stdout/stdin is not approriate and re-factor the code to be suitable in those situations too. i.e. make check_existing_installation() return a list of server IDs and make check_ports() return an (unsecure, secure) tuple indication which ports are in use. Signed-off-by: Mark McLoughlin diff -r 09304c90f377 -r 8fea038a7fc9 ipa-server/ipa-install/ipa-server-install --- a/ipa-server/ipa-install/ipa-server-install Fri Jan 18 16:20:36 2008 -0500 +++ b/ipa-server/ipa-install/ipa-server-install Tue Jan 22 08:03:06 2008 +0000 
@@ -245,6 +245,33 @@ def read_admin_password(): admin_password = read_password("IPA admin") return admin_password +def check_dirsrv(): + serverids = ipaserver.dsinstance.check_existing_installation() + if serverids: + print "" + print "An existing Directory Server has been detected." + yesno = raw_input("Do you wish to remove it and create a new one? [no]: ") + if not yesno or yesno.lower()[0] != "y": + sys.exit(1) + + try: + service.stop("dirsrv") + except: + pass + + for serverid in serverids: + ipaserver.dsinstance.erase_ds_instance_data(serverid) + + (ds_unsecure, ds_secure) = ipaserver.dsinstance.check_ports() + if not ds_unsecure or not ds_secure: + print "IPA requires ports 389 and 636 for the Directory Server." + print "These are currently in use:" + if not ds_unsecure: + print "\t389" + if not ds_secure: + print "\t636" + sys.exit(1) + def uninstall(): ipaserver.ntpinstance.NTPInstance().uninstall() ipaserver.bindinstance.BindInstance().uninstall() @@ -280,9 +307,7 @@ def main(): print "To accept the default shown in brackets, press the Enter key." print "" - ipaserver.dsinstance.check_existing_installation() - ipaserver.dsinstance.check_ports() - + check_dirsrv() ds_user = "" realm_name = "" diff -r 09304c90f377 -r 8fea038a7fc9 ipa-server/ipaserver/dsinstance.py --- a/ipa-server/ipaserver/dsinstance.py Fri Jan 18 16:20:36 2008 -0500 +++ b/ipa-server/ipaserver/dsinstance.py Tue Jan 22 08:03:06 2008 +0000 
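Review bot: the bare `except: pass` around `service.stop("dirsrv")` in the new check_dirsrv() hunk swallows everything, including KeyboardInterrupt and SystemExit, and hides a failed stop immediately before `erase_ds_instance_data()` deletes the data of a possibly still-running server; catch the specific exception the service module raises and at least log it. The port check that follows also exits after the old instance has already been erased, so consider running `check_ports()` before the destructive step.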
@@ -71,34 +71,18 @@ def check_existing_installation(): def check_existing_installation(): dirs = glob.glob("/etc/dirsrv/slapd-*") if not dirs: - return - print "" - print "An existing Directory Server has been detected." - yesno = raw_input("Do you wish to remove it and create a new one? [no]: ") - if not yesno or yesno.lower()[0] != "y": - sys.exit(1) - - try: - service.stop("dirsrv") - except: - pass + return [] + + serverids = [] for d in dirs: - serverid = os.path.basename(d).split("slapd-", 1)[1] - if serverid: - erase_ds_instance_data(serverid) + serverids.append(os.path.basename(d).split("slapd-", 1)[1]) + + return serverids def check_ports(): ds_unsecure = installutils.port_available(389) ds_secure = installutils.port_available(636) - if not ds_unsecure or not ds_secure: - print "IPA requires ports 389 and 636 for the Directory Server." - print "These are currently in use:" - if not ds_unsecure: - print "\t389" - if not ds_secure: - print "\t636" - sys.exit(1) - + return (ds_unsecure, ds_secure) INF_TEMPLATE = """ [General] From markmc at redhat.com Wed Jan 23 16:01:10 2008 
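Review bot: the `if serverid:` guard is lost in the check_existing_installation() hunk; the old loop skipped a bare "/etc/dirsrv/slapd-" directory, while the new one appends the empty string, and check_dirsrv() in ipa-server-install then calls `erase_ds_instance_data("")`. Keep the guard, e.g. `if serverid: serverids.append(serverid)`.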
From: markmc at redhat.com (Mark McLoughlin) Date: Wed, 23 Jan 2008 16:01:10 +0000 Subject: [Freeipa-devel] [PATCH 6 of 7] Re-work template substitution code In-Reply-To: Message-ID: <72921ec04550af04a518.1201104070@localhost.localdomain> # HG changeset patch # User Mark McLoughlin # Date 1201102495 0 # Node ID 72921ec04550af04a518218bac5440f4e1e6da96 # Parent 32943922b23b325fbc63527ba469c0a2fd0dd3d7 Re-work template substitution code In several places, we currently set up a dictionary of variables to substitute into template files and then use that same dictionary for multiple files. In terms of code reduction, this is convenient, but it terms out to be a nightmare to verify what files need what variables. For example, if you wanted to be able to re-write configuration files when the hostname changes, then you can't tell from looking at the code which files need the hostname. This patch re-works the substitution code so that only the variables that are actually needed for a given file are substituted in e.g. self.__ldap_mod("memberof-task.ldif", SUFFIX = self.suffix) Signed-off-by: Mark McLoughlin diff -r 32943922b23b -r 72921ec04550 ipa-client/ipaclient/ntpconf.py --- a/ipa-client/ipaclient/ntpconf.py Tue Jan 22 16:42:45 2008 +0000 +++ b/ipa-client/ipaclient/ntpconf.py Wed Jan 23 15:34:55 2008 +0000 @@ -71,10 +71,7 @@ keys /etc/ntp/keys """ def config_ntp(server_fqdn): - sub_dict = { } - sub_dict["SERVER"] = server_fqdn - - nc = template_str(ntp_conf, sub_dict) + nc = template_str(ntp_conf, SERVER = server_fqdn) shutil.copy("/etc/ntp.conf", "/etc/ntp.conf.ipasave") diff -r 32943922b23b -r 72921ec04550 ipa-python/ipautil.py --- a/ipa-python/ipautil.py Tue Jan 22 16:42:45 2008 +0000 +++ b/ipa-python/ipautil.py Wed Jan 23 15:34:55 2008 +0000 
@@ -56,12 +56,12 @@ def realm_to_suffix(realm_name): terms = ["dc=" + x.lower() for x in s] return ",".join(terms) -def template_str(txt, vars): +def template_str(txt, **vars): return string.Template(txt).substitute(vars) -def template_file(infilename, vars): +def template_file(infilename, **vars): txt = open(infilename).read() - return template_str(txt, vars) + return template_str(txt, **vars) def write_tmp_file(txt): fd = tempfile.NamedTemporaryFile() diff -r 32943922b23b -r 72921ec04550 ipa-server/ipaserver/bindinstance.py --- a/ipa-server/ipaserver/bindinstance.py Tue Jan 22 16:42:45 2008 +0000 +++ b/ipa-server/ipaserver/bindinstance.py Wed Jan 23 15:34:55 2008 +0000 @@ -35,7 +35,6 @@ class BindInstance(service.Service): self.host = None self.ip_address = None self.realm = None - self.sub_dict = None def setup(self, fqdn, ip_address, realm_name): self.fqdn = fqdn @@ -43,8 +42,6 @@ class BindInstance(service.Service): self.realm = realm_name self.domain = fqdn[fqdn.find(".")+1:] self.host = fqdn[:fqdn.find(".")] - - self.__setup_sub_dict() def check_inst(self): # So far this file is always present in both RHEL5 and Fedora if all the necessary @@ -55,7 +52,11 @@ class BindInstance(service.Service): return True def create_sample_bind_zone(self): - bind_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.zone.db.template", self.sub_dict) + bind_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.zone.db.template", + REALM = self.realm, + HOST = self.host, + IP = self.ip_address, + DOMAIN = self.domain) [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.") os.write(bind_fd, bind_txt) os.close(bind_fd) 
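Review bot: `**vars` in the template_str()/template_file() hunk shadows the builtin vars(); a name like `**subs` avoids that. Worth noting in the commit message as well that `string.Template.substitute()` raises KeyError for any placeholder the caller did not supply, so with this series a template whose variables are under-specified now fails loudly at install time, which is the desired property but argues for a small test that renders every shipped template with the variables its caller passes.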
@@ -77,16 +78,13 @@ class BindInstance(service.Service): except: print "named service failed to start" - def __setup_sub_dict(self): - self.sub_dict = dict(FQDN=self.fqdn, - IP=self.ip_address, - DOMAIN=self.domain, - HOST=self.host, - REALM=self.realm) - def __setup_zone(self): self.backup_state("domain", self.domain) - zone_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.zone.db.template", self.sub_dict) + zone_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.zone.db.template", + REALM = self.realm, + HOST = self.host, + IP = self.ip_address, + DOMAIN = self.domain) sysrestore.backup_file('/var/named/'+self.domain+'.zone.db') zone_fd = open('/var/named/'+self.domain+'.zone.db', 'w') zone_fd.write(zone_txt) @@ -94,7 +92,10 @@ class BindInstance(service.Service): def __setup_named_conf(self): sysrestore.backup_file('/etc/named.conf') - named_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.named.conf.template", self.sub_dict) + named_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.named.conf.template", + FQDN = self.fqdn, + DOMAIN = self.domain, + REALM = self.realm) named_fd = open('/etc/named.conf', 'w') named_fd.seek(0) named_fd.truncate(0) diff -r 32943922b23b -r 72921ec04550 ipa-server/ipaserver/dsinstance.py --- a/ipa-server/ipaserver/dsinstance.py Tue Jan 22 16:42:45 2008 +0000 +++ b/ipa-server/ipaserver/dsinstance.py Wed Jan 23 15:34:55 2008 +0000 @@ -105,7 +105,6 @@ class DsInstance(service.Service): self.suffix = None self.host_name = None self.dm_password = None - self.sub_dict = None self.domain = None self.pkcs12_info = None @@ -118,7 +117,6 @@ class DsInstance(service.Service): self.dm_password = dm_password self.domain = host_name[host_name.find(".")+1:] self.pkcs12_info = pkcs12_info - self.__setup_sub_dict() self.step("creating directory server user", self.__create_ds_user) self.step("creating directory server instance", self.__create_instance) 
@@ -146,13 +144,6 @@ class DsInstance(service.Service): self.backup_state("enabled", self.is_enabled()) self.chkconfig_on() - def __setup_sub_dict(self): - server_root = find_server_root() - self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid, - PASSWORD=self.dm_password, SUFFIX=self.suffix.lower(), - REALM=self.realm_name, USER=self.ds_user, - SERVER_ROOT=server_root, DOMAIN=self.domain) - def __create_ds_user(self): user_exists = True try: @@ -174,7 +165,13 @@ class DsInstance(service.Service): def __create_instance(self): self.backup_state("running", self.is_running()) self.backup_state("serverid", self.serverid) - inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict) + inf_txt = ipautil.template_str(INF_TEMPLATE, + FQHN = self.host_name, + USER = self.ds_user, + SERVER_ROOT = find_server_root(), + SERVERID = self.serverid, + SUFFIX = self.suffix, + PASSWORD = self.dm_password) logging.debug(inf_txt) inf_fd = ipautil.write_tmp_file(inf_txt) logging.debug("writing inf template") @@ -214,12 +211,12 @@ class DsInstance(service.Service): # TODO: roll back here? logging.critical("Failed to restart the ds instance") - def __ldap_mod(self, ldif, sub_dict = None): + def __ldap_mod(self, ldif, **kw): fd = None path = ipautil.SHARE_DIR + ldif - if not sub_dict is None: - txt = ipautil.template_file(path, sub_dict) + if kw: + txt = ipautil.template_file(path, **kw) fd = ipautil.write_tmp_file(txt) path = fd.name @@ -238,7 +235,7 @@ class DsInstance(service.Service): self.__ldap_mod("memberof-conf.ldif") def __init_memberof(self): - self.__ldap_mod("memberof-task.ldif", self.sub_dict) + self.__ldap_mod("memberof-task.ldif", SUFFIX = self.suffix) def __add_referint_module(self): self.__ldap_mod("referint-conf.ldif") 
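Review bot: the `__create_instance()` hunk changes behaviour: the removed `__setup_sub_dict()` passed `SUFFIX=self.suffix.lower()` while the new call passes `SUFFIX = self.suffix`, so INF_TEMPLATE now sees the suffix with its original case, and REALM and DOMAIN are no longer supplied at all. Either keep the `.lower()` (or lower the suffix once where it is set) and confirm INF_TEMPLATE references neither $REALM nor $DOMAIN, since substitute() would otherwise raise KeyError during instance creation.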
@@ -247,10 +244,12 @@ class DsInstance(service.Service): self.__ldap_mod("dna-conf.ldif") def __config_uidgid_gen_first_master(self): - self.__ldap_mod("dna-posix.ldif", self.sub_dict) + self.__ldap_mod("dna-posix.ldif", SUFFIX = self.suffix) def __add_master_entry_first_master(self): - self.__ldap_mod("master-entry.ldif", self.sub_dict) + self.__ldap_mod("master-entry.ldif", + SUFFIX = self.suffix, + FQHN = self.host_name) def __enable_ssl(self): dirname = config_dirname(self.serverid) @@ -290,7 +289,10 @@ class DsInstance(service.Service): conn.unbind() def __add_default_layout(self): - self.__ldap_mod("bootstrap-template.ldif", self.sub_dict) + self.__ldap_mod("bootstrap-template.ldif", + SUFFIX = self.suffix, + REALM = self.realm_name, + DOMAIN = self.domain) def __create_indeces(self): self.__ldap_mod("indeces.ldif") diff -r 32943922b23b -r 72921ec04550 ipa-server/ipaserver/httpinstance.py --- a/ipa-server/ipaserver/httpinstance.py Tue Jan 22 16:42:45 2008 +0000 +++ b/ipa-server/ipaserver/httpinstance.py Wed Jan 23 15:34:55 2008 +0000 @@ -59,7 +59,6 @@ class HTTPInstance(service.Service): self.fqdn = fqdn self.realm = realm self.domain = fqdn[fqdn.find(".")+1:] - self.sub_dict = { "REALM" : realm, "FQDN": fqdn, "DOMAIN" : self.domain } self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl) self.step("Setting mod_nss port to 443", self.__set_mod_nss_port) @@ -116,7 +115,9 @@ class HTTPInstance(service.Service): os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid) def __configure_http(self): - http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict) + http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", + FQDN = self.fqdn, + REALM = self.realm) sysrestore.backup_file("/etc/httpd/conf.d/ipa.conf") http_fd = open("/etc/httpd/conf.d/ipa.conf", "w") http_fd.write(http_txt) 
@@ -142,7 +143,8 @@ class HTTPInstance(service.Service): ca.create_signing_cert("Signing-Cert", "cn=%s,ou=Signing Certificate,o=Identity Policy Audit" % self.fqdn, ds_ca) def __setup_autoconfig(self): - prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "preferences.html.template", self.sub_dict) + prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "preferences.html.template", + DOMAIN = self.domain) prefs_fd = open("/usr/share/ipa/html/preferences.html", "w") prefs_fd.write(prefs_txt) prefs_fd.close() diff -r 32943922b23b -r 72921ec04550 ipa-server/ipaserver/krbinstance.py --- a/ipa-server/ipaserver/krbinstance.py Tue Jan 22 16:42:45 2008 +0000 +++ b/ipa-server/ipaserver/krbinstance.py Wed Jan 23 15:34:55 2008 +0000 @@ -88,7 +88,6 @@ class KrbInstance(service.Service): self.master_password = None self.suffix = None self.kdc_password = None - self.sub_dict = None self.kpasswd = KpasswdInstance() @@ -103,8 +102,6 @@ class KrbInstance(service.Service): self.kdc_password = ipautil.ipa_generate_password() self.admin_password = admin_password - self.__setup_sub_dict() - # get a connection to the DS try: self.conn = ipaldap.IPAdmin(self.fqdn) @@ -190,17 +187,8 @@ class KrbInstance(service.Service): except: logging.critical("krb5kdc service failed to start") - def __setup_sub_dict(self): - self.sub_dict = dict(FQDN=self.fqdn, - IP=self.ip, - PASSWORD=self.kdc_password, - SUFFIX=self.suffix, - DOMAIN=self.domain, - HOST=self.host, - REALM=self.realm) - - def __ldap_mod(self, ldif): - txt = ipautil.template_file(ipautil.SHARE_DIR + ldif, self.sub_dict) + def __ldap_mod(self, ldif, **kw): + txt = ipautil.template_file(ipautil.SHARE_DIR + ldif, **kw) fd = ipautil.write_tmp_file(txt) args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", 
@@ -263,31 +251,49 @@ class KrbInstance(service.Service): raise e def __add_krb_entries(self): - self.__ldap_mod("kerberos.ldif") + self.__ldap_mod("kerberos.ldif", + SUFFIX = self.suffix, + PASSWORD = self.kdc_password) def __add_default_acis(self): - self.__ldap_mod("default-aci.ldif") + self.__ldap_mod("default-aci.ldif", + SUFFIX = self.suffix, + REALM = self.realm, + FQDN = self.fqdn) def __add_default_keytypes(self): - self.__ldap_mod("default-keytypes.ldif") + self.__ldap_mod("default-keytypes.ldif", + REALM = self.realm, + SUFFIX = self.suffix) def __create_replica_instance(self): self.__create_instance(replica=True) - def __template_file(self, path): + def __template_file(self, path, **kw): template = os.path.join(ipautil.SHARE_DIR, os.path.basename(path) + ".template") - conf = ipautil.template_file(template, self.sub_dict) + conf = ipautil.template_file(template, **kw) sysrestore.backup_file(path) fd = open(path, "w+") fd.write(conf) fd.close() def __create_instance(self, replica=False): - self.__template_file("/var/kerberos/krb5kdc/kdc.conf") - self.__template_file("/etc/krb5.conf") - self.__template_file("/usr/share/ipa/html/krb5.ini") - self.__template_file("/usr/share/ipa/html/krb.con") - self.__template_file("/usr/share/ipa/html/krbrealm.con") + self.__template_file("/var/kerberos/krb5kdc/kdc.conf", + REALM = self.realm) + self.__template_file("/etc/krb5.conf", + REALM = self.realm, + DOMAIN = self.domain, + FQDN = self.fqdn, + SUFFIX = self.suffix) + self.__template_file("/usr/share/ipa/html/krb5.ini", + REALM = self.realm, + DOMAIN = self.domain, + FQDN = self.fqdn) + self.__template_file("/usr/share/ipa/html/krb.con", + REALM = self.realm, + DOMAIN = self.domain) + self.__template_file("/usr/share/ipa/html/krbrealm.con", + REALM = self.realm) if not replica: #populate the directory with the realm structure 
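Review bot: the removed `__setup_sub_dict()` supplied IP and HOST, but none of the new `__template_file()` calls in the `__create_instance()` hunk pass them; confirm that none of kdc.conf, krb5.conf, krb5.ini, krb.con or krbrealm.con reference $IP or $HOST, because substitute() would raise KeyError part-way through the loop after `sysrestore.backup_file()` has already run for the earlier files. A comment listing each template's variables next to the call would make future additions easier to verify, which is the point of this patch.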
@@ -319,7 +325,7 @@ class KrbInstance(service.Service): #add the password extop module def __add_pwd_extop_module(self): - self.__ldap_mod("pwd-extop-conf.ldif") + self.__ldap_mod("pwd-extop-conf.ldif", SUFFIX = self.suffix) #get the Master Key from the stash file try: diff -r 32943922b23b -r 72921ec04550 ipa-server/ipaserver/ntpinstance.py --- a/ipa-server/ipaserver/ntpinstance.py Tue Jan 22 16:42:45 2008 +0000 +++ b/ipa-server/ipaserver/ntpinstance.py Wed Jan 23 15:34:55 2008 +0000 @@ -39,12 +39,10 @@ class NTPInstance(service.Service): elif ipautil.file_exists("/etc/redhat-release"): os = "rhel." - sub_dict = { } - sub_dict["SERVERA"] = "0.%spool.ntp.org" % os - sub_dict["SERVERB"] = "1.%spool.ntp.org" % os - sub_dict["SERVERC"] = "2.%spool.ntp.org" % os - - ntp_conf = ipautil.template_file(ipautil.SHARE_DIR + "ntp.conf.server.template", sub_dict) + ntp_conf = ipautil.template_file(ipautil.SHARE_DIR + "ntp.conf.server.template", + SERVERA = "0.%spool.ntp.org" % os, + SERVERB = "1.%spool.ntp.org" % os, + SERVERC = "2.%spool.ntp.org" % os) sysrestore.backup_file("/etc/ntp.conf") From markmc at redhat.com Wed Jan 23 16:01:08 2008 From: markmc at redhat.com (Mark McLoughlin) Date: Wed, 23 Jan 2008 16:01:08 +0000 Subject: [Freeipa-devel] [PATCH 4 of 7] Re-factor the ipa_webgui and ipa_kpasswd instance code In-Reply-To: Message-ID: <2f52fe548d870069fdce.1201104068@localhost.localdomain> # HG changeset patch # User Mark McLoughlin # Date 1201003086 0 # Node ID 2f52fe548d870069fdcea8ff9959007977f4da93 # Parent c869f9c37414333ed4ce5915c9a29241aedf53f9 Re-factor the ipa_webgui and ipa_kpasswd instance code The ipa_webgui and ipa_kpasswd instance code is identical and I want to add another similar instance down the line, so re-factor the code into a service.SimpleServiceInstance class. Signed-off-by: Mark McLoughlin diff -r c869f9c37414 -r 2f52fe548d87 ipa-server/ipa-install/ipa-server-install --- a/ipa-server/ipa-install/ipa-server-install Tue Jan 22 11:58:06 2008 +0000 
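Review bot: the ntpinstance.py hunk keeps the local variable `os` (`os = "rhel."` in the context lines), which shadows the `os` module for the rest of that method; since these lines are being rewritten anyway, rename it to something like `distro` so a later `os.path` call in the method does not fail with an attribute error.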
+++ b/ipa-server/ipa-install/ipa-server-install Tue Jan 22 11:58:06 2008 +0000 @@ -44,7 +44,6 @@ import ipaserver.bindinstance import ipaserver.bindinstance import ipaserver.httpinstance import ipaserver.ntpinstance -import ipaserver.webguiinstance from ipaserver import service from ipaserver import sysrestore @@ -275,7 +274,7 @@ def uninstall(): def uninstall(): ipaserver.ntpinstance.NTPInstance().uninstall() ipaserver.bindinstance.BindInstance().uninstall() - ipaserver.webguiinstance.WebGuiInstance().uninstall() + ipaserver.httpinstance.WebGuiInstance().uninstall() ipaserver.httpinstance.HTTPInstance().uninstall() ipaserver.krbinstance.KrbInstance().uninstall() ipaserver.dsinstance.DsInstance().uninstall() @@ -432,7 +431,7 @@ def main(): http.create_instance(realm_name, host_name) # Create a Web Gui instance - webgui = ipaserver.webguiinstance.WebGuiInstance() + webgui = ipaserver.httpinstance.WebGuiInstance() webgui.create_instance() bind.setup(host_name, ip_address, realm_name) diff -r c869f9c37414 -r 2f52fe548d87 ipa-server/ipaserver/Makefile.am --- a/ipa-server/ipaserver/Makefile.am Tue Jan 22 11:58:06 2008 +0000 +++ b/ipa-server/ipaserver/Makefile.am Tue Jan 22 11:58:06 2008 +0000 @@ -9,7 +9,6 @@ app_PYTHON = \ krbinstance.py \ httpinstance.py \ ntpinstance.py \ - webguiinstance.py \ service.py \ installutils.py \ replication.py \ diff -r c869f9c37414 -r 2f52fe548d87 ipa-server/ipaserver/httpinstance.py --- a/ipa-server/ipaserver/httpinstance.py Tue Jan 22 11:58:06 2008 +0000 +++ b/ipa-server/ipaserver/httpinstance.py Tue Jan 22 11:58:06 2008 +0000 
@@ -46,6 +46,10 @@ successfully change with the command: /usr/sbin/setsebool -P httpd_can_network_connect true Try updating the policycoreutils and selinux-policy packages. """ + +class WebGuiInstance(service.SimpleServiceInstance): + def __init__(self): + service.SimpleServiceInstance.__init__(self, "ipa_webgui") class HTTPInstance(service.Service): def __init__(self): diff -r c869f9c37414 -r 2f52fe548d87 ipa-server/ipaserver/krbinstance.py --- a/ipa-server/ipaserver/krbinstance.py Tue Jan 22 11:58:06 2008 +0000 +++ b/ipa-server/ipaserver/krbinstance.py Tue Jan 22 11:58:06 2008 +0000 @@ -71,6 +71,10 @@ def update_key_val_in_file(filename, key f = open(filename, "a") f.write("%s=%s\n" % (key, val)) f.close() + +class KpasswdInstance(service.SimpleServiceInstance): + def __init__(self): + service.SimpleServiceInstance.__init__(self, "ipa_kpasswd") class KrbInstance(service.Service): def __init__(self): @@ -86,6 +90,8 @@ class KrbInstance(service.Service): self.kdc_password = None self.sub_dict = None + self.kpasswd = KpasswdInstance() + def __common_setup(self, ds_user, realm_name, host_name, admin_password): self.ds_user = ds_user self.fqdn = host_name @@ -117,7 +123,6 @@ class KrbInstance(service.Service): def __common_post_setup(self): self.step("starting the KDC", self.__start_instance) self.step("configuring KDC to start on boot", self.__enable) - self.step("enabling and starting ipa_kpasswd", self.__enable_kpasswd) def create_instance(self, ds_user, realm_name, host_name, admin_password, master_password): self.master_password = master_password @@ -139,6 +144,8 @@ class KrbInstance(service.Service): self.start_creation("Configuring Kerberos KDC") + self.kpasswd.create_instance() + def create_replica(self, ds_user, realm_name, host_name, admin_password, ldap_passwd_filename): self.__copy_ldap_passwd(ldap_passwd_filename) 
@@ -154,6 +161,8 @@ class KrbInstance(service.Service): self.__common_post_setup() self.start_creation("Configuring Kerberos KDC") + + self.kpasswd.create_instance() def __copy_ldap_passwd(self, filename): sysrestore.backup_file("/var/kerberos/krb5kdc/ldappwd") @@ -180,12 +189,6 @@ class KrbInstance(service.Service): self.start() except: logging.critical("krb5kdc service failed to start") - - def __enable_kpasswd(self): - sysrestore.backup_state("ipa_kpasswd", "enabled", service.is_enabled("ipa_kpasswd")) - sysrestore.backup_state("ipa_kpasswd", "running", service.is_running("ipa_kpasswd")) - service.chkconfig_on("ipa_kpasswd") - service.start("ipa_kpasswd") def __setup_sub_dict(self): self.sub_dict = dict(FQDN=self.fqdn, @@ -379,21 +382,16 @@ class KrbInstance(service.Service): os.chown("/var/kerberos/krb5kdc/kpasswd.keytab", pent.pw_uid, pent.pw_gid) def uninstall(self): + self.kpasswd.uninstall() + running = self.restore_state("running") enabled = self.restore_state("enabled") - kpasswd_running = sysrestore.restore_state("ipa_kpasswd", "running") - kpasswd_enabled = sysrestore.restore_state("ipa_kpasswd", "enabled") - if not running is None: self.stop() - if not kpasswd_running is None: - service.stop("ipa_kpasswd") if not enabled is None and not enabled: self.chkconfig_off() - if not kpasswd_enabled is None and not kpasswd_enabled: - service.chkconfig_off("ipa_kpasswd") for f in ["/var/kerberos/krb5kdc/ldappwd", "/var/kerberos/krb5kdc/kdc.conf", @@ -410,5 +408,3 @@ class KrbInstance(service.Service): if not running is None and running: self.start() - if not kpasswd_running is None and kpasswd_running: - service.start("ipa_kpasswd") diff -r c869f9c37414 -r 2f52fe548d87 ipa-server/ipaserver/service.py --- a/ipa-server/ipaserver/service.py Tue Jan 22 11:58:06 2008 +0000 +++ b/ipa-server/ipaserver/service.py Tue Jan 22 11:58:06 2008 +0000 
@@ -125,3 +125,26 @@ class Service: self.print_msg("done configuring %s." % self.service_name) self.steps = [] + +class SimpleServiceInstance(Service): + def create_instance(self): + self.step("starting %s " % self.service_name, self.__start) + self.step("configuring %s to start on boot" % self.service_name, self.__enable) + self.start_creation("Configuring %s" % self.service_name) + + def __start(self): + self.backup_state("running", self.is_running()) + self.restart() + + def __enable(self): + self.backup_state("enabled", self.is_enabled()) + self.chkconfig_on() + + def uninstall(self): + running = self.restore_state("running") + enabled = not self.restore_state("enabled") + + if not running is None and not running: + self.stop() + if not enabled is None and not enabled: + self.chkconfig_off() diff -r c869f9c37414 -r 2f52fe548d87 ipa-server/ipaserver/webguiinstance.py --- a/ipa-server/ipaserver/webguiinstance.py Tue Jan 22 11:58:06 2008 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
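Review bot: `enabled = not self.restore_state("enabled")` in the SimpleServiceInstance.uninstall() hunk inverts the state check: `not None` is True, so the `is None` guard can never fire, and a service that was enabled before install gets chkconfig_off() while one that was disabled is left enabled. Use `enabled = self.restore_state("enabled")` with the existing `if not enabled is None and not enabled:` test, which is exactly the logic being removed from KrbInstance.uninstall() for ipa_kpasswd; the same bug lives in the webguiinstance.py file this patch deletes, so fixing it here fixes both services.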
@@ -1,46 +0,0 @@ -# Authors: Karl MacMillan -# -# Copyright (C) 2007 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; version 2 or later -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - -import service - -class WebGuiInstance(service.Service): - def __init__(self): - service.Service.__init__(self, "ipa_webgui") - - def create_instance(self): - self.step("starting ipa_webgui", self.__start) - self.step("configuring ipa_webgui to start on boot", self.__enable) - self.start_creation("Configuring ipa_webgui") - - def __start(self): - self.backup_state("running", self.is_running()) - self.restart() - - def __enable(self): - self.backup_state("enabled", self.is_enabled()) - self.chkconfig_on() - - def uninstall(self): - running = self.restore_state("running") - enabled = not self.restore_state("enabled") - - if not running is None and not running: - self.stop() - if not enabled is None and not enabled: - self.chkconfig_off() From markmc at redhat.com Wed Jan 23 16:01:11 2008 
From: markmc at redhat.com (Mark McLoughlin) Date: Wed, 23 Jan 2008 16:01:11 +0000 Subject: [Freeipa-devel] [PATCH 7 of 7] Re-work httpd configuration a little In-Reply-To: Message-ID: <4d18560f8e46a650764b.1201104071@localhost.localdomain> # HG changeset patch # User Mark McLoughlin # Date 1201102497 0 # Node ID 4d18560f8e46a650764ba5d49472241fac36c31a # Parent 72921ec04550af04a518218bac5440f4e1e6da96 Re-work httpd configuration a little IPA's httpd configuration contains 10 lines of kerberos authentication configuration repeated several times. This patch pulls those 10 lines into a separate file which is then included from the main file. Apart from purely removing duplication, this allows you to e.g. set up httpd without kerberos auth by writing an empty httpd-auth.conf file. Or, in other words, it makes the main httpd configuration know nothing about kerberos. Signed-off-by: Mark McLoughlin diff -r 72921ec04550 -r 4d18560f8e46 ipa-server/ipaserver/httpinstance.py --- a/ipa-server/ipaserver/httpinstance.py Wed Jan 23 15:34:55 2008 +0000 +++ b/ipa-server/ipaserver/httpinstance.py Wed Jan 23 15:34:57 2008 +0000 @@ -114,15 +114,23 @@ class HTTPInstance(service.Service): pent = pwd.getpwnam("apache") os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid) + def __configure_http_auth(self, txt): + sysrestore.backup_file("/etc/httpd/conf/httpd-auth.conf") + auth_fd = open("/etc/httpd/conf/httpd-auth.conf", "w") + auth_fd.write(txt) + auth_fd.close() + def __configure_http(self): http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", - FQDN = self.fqdn, - REALM = self.realm) + FQDN = self.fqdn) sysrestore.backup_file("/etc/httpd/conf.d/ipa.conf") http_fd = open("/etc/httpd/conf.d/ipa.conf", "w") http_fd.write(http_txt) - http_fd.close() - + http_fd.close() + + auth_txt = ipautil.template_file(ipautil.SHARE_DIR + "httpd-auth-krb.conf", + REALM = self.realm) + self.__configure_http_auth(auth_txt) def __disable_mod_ssl(self): if os.path.exists(SSL_CONF): 
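Review bot: with `Require valid-user` moved into the included file, the "empty httpd-auth.conf disables kerberos auth" case from the commit message also removes all access control from the XML-RPC and CGI locations, while a missing file makes httpd refuse to start; that is the intended flexibility, but it fails open, so say so in a comment at the top of httpd-auth-krb.conf and have `__configure_http_auth()` refuse to write an empty `txt`. The `http_fd.close()` lines in the `__configure_http()` hunk are whitespace-only churn that can be dropped from the diff.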
@@ -175,7 +183,9 @@ class HTTPInstance(service.Service): if not enabled is None and not enabled: self.chkconfig_off() - for f in ["/etc/httpd/conf.d/ipa.conf", SSL_CONF, NSS_CONF]: + for f in ["/etc/httpd/conf.d/ipa.conf", + "/etc/httpd/conf/httpd-auth.conf", + SSL_CONF, NSS_CONF]: sysrestore.restore_file(f) sebool_state = self.restore_state("httpd_can_network_connect") diff -r 72921ec04550 -r 4d18560f8e46 ipa-server/xmlrpc-server/Makefile.am --- a/ipa-server/xmlrpc-server/Makefile.am Wed Jan 23 15:34:55 2008 +0000 +++ b/ipa-server/xmlrpc-server/Makefile.am Wed Jan 23 15:34:57 2008 +0000 @@ -24,6 +24,7 @@ appdir = $(IPA_DATA_DIR) appdir = $(IPA_DATA_DIR) app_DATA = \ ipa.conf \ + httpd-auth-krb.conf \ $(NULL) EXTRA_DIST = \ diff -r 72921ec04550 -r 4d18560f8e46 ipa-server/xmlrpc-server/httpd-auth-krb.conf --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/ipa-server/xmlrpc-server/httpd-auth-krb.conf Wed Jan 23 15:34:57 2008 +0000 @@ -0,0 +1,10 @@ +AuthType Kerberos +AuthName "Kerberos Login" +KrbMethodNegotiate on +KrbMethodK5Passwd off +KrbServiceName HTTP +KrbAuthRealms $REALM +Krb5KeyTab /etc/httpd/conf/ipa.keytab +KrbSaveCredentials on +Require valid-user +ErrorDocument 401 /errors/unauthorized.html diff -r 72921ec04550 -r 4d18560f8e46 ipa-server/xmlrpc-server/ipa.conf --- a/ipa-server/xmlrpc-server/ipa.conf Wed Jan 23 15:34:55 2008 +0000 +++ b/ipa-server/xmlrpc-server/ipa.conf Wed Jan 23 15:34:57 2008 +0000 @@ -19,16 +19,8 @@ AddType application/java-archive AddType application/java-archive jar - AuthType Kerberos - AuthName "Kerberos Login" - KrbMethodNegotiate on - KrbMethodK5Passwd off - KrbServiceName HTTP - KrbAuthRealms $REALM - Krb5KeyTab /etc/httpd/conf/ipa.keytab - KrbSaveCredentials on - Require valid-user - ErrorDocument 401 /errors/unauthorized.html + Include conf/httpd-auth.conf + RewriteEngine on Order deny,allow Allow from all 
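Review bot: In the ipa.conf hunk @@ -19,16 +19,8 @@, replacing the inline block with `Include conf/httpd-auth.conf` means `Require valid-user` now exists only in the included file, and the commit message explicitly allows an empty httpd-auth.conf; with the `Order deny,allow` / `Allow from all` context that follows the Include in this hunk (and the ipaxmlrpc handler behind the same Include in the next one), an empty file leaves those locations reachable with no authentication at all. That deserves a comment next to the Include in ipa.conf, or a check in the handlers that REMOTE_USER is set, so that "no kerberos" is an explicit choice rather than a silent side effect of an empty file.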
@@ -64,16 +56,7 @@ Alias /config "/usr/share/ipa/html" Alias /config "/usr/share/ipa/html" - AuthType Kerberos - AuthName "Kerberos Login" - KrbMethodNegotiate on - KrbMethodK5Passwd off - KrbServiceName HTTP - KrbAuthRealms $REALM - Krb5KeyTab /etc/httpd/conf/ipa.keytab - KrbSaveCredentials on - Require valid-user - ErrorDocument 401 /errors/unauthorized.html + Include conf/httpd-auth.conf SetHandler mod_python PythonHandler ipaxmlrpc @@ -95,31 +78,13 @@ Alias /config "/usr/share/ipa/html" # Protect our CGIs - AuthType Kerberos - AuthName "Kerberos Login" - KrbMethodNegotiate on - KrbMethodK5Passwd off - KrbServiceName HTTP - KrbAuthRealms $REALM - Krb5KeyTab /etc/httpd/conf/ipa.keytab - KrbSaveCredentials on - Require valid-user - ErrorDocument 401 /errors/unauthorized.html + Include conf/httpd-auth.conf #Alias /ipatest "/usr/share/ipa/ipatest" # -# AuthType Kerberos -# AuthName "Kerberos Login" -# KrbMethodNegotiate on -# KrbMethodK5Passwd off -# KrbServiceName HTTP -# KrbAuthRealms $REALM -# Krb5KeyTab /etc/httpd/conf/ipa.keytab -# KrbSaveCredentials on -# Require valid-user -# ErrorDocument 401 /errors/unauthorized.html +# Include conf/httpd-auth.conf # # SetHandler mod_python # PythonHandler test_mod_python From markmc at redhat.com Wed Jan 23 16:01:07 2008 From: markmc at redhat.com (Mark McLoughlin) Date: Wed, 23 Jan 2008 16:01:07 +0000 Subject: [Freeipa-devel] [PATCH 3 of 7] Initialise DsInstance.pkcs12_info In-Reply-To: Message-ID: # HG changeset patch # User Mark McLoughlin # Date 1201003086 0 # Node ID c869f9c37414333ed4ce5915c9a29241aedf53f9 # Parent 88b7b4b3b16ddf1770ab6ecf3f43b39b0d97fe63 Initialise DsInstance.pkcs12_info DsInstance.pkcs12_info isn't currently initialised in the constructore so, e.g. __enable_ssl() assumes that create_instance() has initialised it. Signed-off-by: Mark McLoughlin diff -r 88b7b4b3b16d -r c869f9c37414 ipa-server/ipaserver/dsinstance.py --- a/ipa-server/ipaserver/dsinstance.py Tue Jan 22 11:57:59 2008 +0000 
+++ b/ipa-server/ipaserver/dsinstance.py Tue Jan 22 11:58:06 2008 +0000 @@ -107,6 +107,7 @@ class DsInstance(service.Service): self.dm_password = None self.sub_dict = None self.domain = None + self.pkcs12_info = None def create_instance(self, ds_user, realm_name, host_name, dm_password, pkcs12_info=None): self.ds_user = ds_user From rcritten at redhat.com Thu Jan 24 14:43:21 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 24 Jan 2008 09:43:21 -0500 Subject: [Freeipa-devel] [PATCH] add license and readme's In-Reply-To: <47975D8F.2050906@redhat.com> References: <47975D8F.2050906@redhat.com> Message-ID: <4798A409.4030205@redhat.com> Rob Crittenden wrote: > I added a copy of the GPLv2 and filled in some README's. > > rob > I've gone ahead and pushed this. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Thu Jan 24 19:02:58 2008 
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 24 Jan 2008 14:02:58 -0500
Subject: [Freeipa-devel] [PATCH] switching some package names
Message-ID: <4798E0E2.8020306@redhat.com>

It just occurred to me that I've changed some of the package names used in Fedora, which is going to break things. Here is a patch that will fix that up.

I've renamed:

PyKerberos -> python-kerberos
pyasn1 -> python-pyasn1

I went ahead and pushed this. Now in theory all dependencies are in Fedora, so if you stuck these rpms (from make local-dist or make dist) into a repo you could get a smooth install.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-593-requires.patch
Type: text/x-patch
Size: 4885 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Jan 24 21:43:57 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 24 Jan 2008 16:43:57 -0500
Subject: [Freeipa-devel] opinion on tool naming needed
Message-ID: <4799069D.3000301@redhat.com>

David O'Brien has noticed that there is some inconsistent naming in some of the ipa-admintools, notably ipa-groupmod and ipa-usermod. Every other command has user/group at the end (ipa-adduser, ipa-deluser, etc).

Shall we rename these for consistency's sake?

rob

From ssorce at redhat.com Thu Jan 24 21:51:13 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 24 Jan 2008 16:51:13 -0500
Subject: [Freeipa-devel] opinion on tool naming needed
In-Reply-To: <4799069D.3000301@redhat.com>
References: <4799069D.3000301@redhat.com>
Message-ID: <1201211473.3793.30.camel@localhost.localdomain>

On Thu, 2008-01-24 at 16:43 -0500, Rob Crittenden wrote:
> David O'Brien has noticed that there is some inconsistent naming in some
> of the ipa-admintools, notably ipa-groupmod and ipa-usermod. Every other
> command has user/group at the end (ipa-adduser, ipa-deluser, etc).
>
> Shall we rename these for consistency's sake?

+1

--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |

From jdennis at redhat.com Thu Jan 24 22:15:25 2008
From: jdennis at redhat.com (John Dennis)
Date: Thu, 24 Jan 2008 17:15:25 -0500
Subject: [Freeipa-devel] opinion on tool naming needed
In-Reply-To: <4799069D.3000301@redhat.com>
References: <4799069D.3000301@redhat.com>
Message-ID: <47990DFD.9060101@redhat.com>

Rob Crittenden wrote:
> David O'Brien has noticed that there is some inconsistent naming in some
> of the ipa-admintools, notably ipa-groupmod and ipa-usermod. Every other
> command has user/group at the end (ipa-adduser, ipa-deluser, etc).
>
> Shall we rename these for consistency's sake?

+1 yes

The inconsistency always kind of drove me crazy. The naming should follow what admins are already familiar with. Historically there have been adduser and usermod commands, which have the naming reversed, but I think this has since been cleaned up; note adduser is just a symlink to useradd.

I prefer consistency; the radius commands will need to be renamed as well.

--
John Dennis

From rcritten at redhat.com Thu Jan 24 22:41:03 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 24 Jan 2008 17:41:03 -0500
Subject: [Freeipa-devel] [PATCH] ipa_webgui patch
Message-ID: <479913FF.7020308@redhat.com>

I totally goofed and added sessions to the wrong place. No idea why I did this but this patch fixes it.

I pushed this already.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-596-webgui.patch
Type: text/x-patch
Size: 782 bytes
Desc: not available
URL:

From markmc at redhat.com Fri Jan 25 08:19:11 2008
From: markmc at redhat.com (Mark McLoughlin)
Date: Fri, 25 Jan 2008 08:19:11 +0000
Subject: [Freeipa-devel] [PATCH] ipa_webgui patch
In-Reply-To: <479913FF.7020308@redhat.com>
References: <479913FF.7020308@redhat.com>
Message-ID: <1201249151.3406.2.camel@muff>

On Thu, 2008-01-24 at 17:41 -0500, Rob Crittenden wrote:
> - sys.path.append("/usr/share/ipa/sessions")
> + sys.path.append("/usr/share/ipa")

Strange indeed :-)

ACK

Cheers,
Mark.

From rcritten at redhat.com Fri Jan 25 15:17:32 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 25 Jan 2008 10:17:32 -0500
Subject: [Freeipa-devel] [PATCH] Listen only on localhost in production
Message-ID: <4799FD8C.80606@redhat.com>

Listen only on localhost in production so all requests go through Apache/mod_proxy.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-598-listen.patch
Type: text/x-patch
Size: 851 bytes
Desc: not available
URL:

From markmc at redhat.com Fri Jan 25 15:45:27 2008
From: markmc at redhat.com (Mark McLoughlin)
Date: Fri, 25 Jan 2008 15:45:27 +0000
Subject: [Freeipa-devel] [PATCH] ipa_webgui patch
In-Reply-To: <1201249151.3406.2.camel@muff>
References: <479913FF.7020308@redhat.com> <1201249151.3406.2.camel@muff>
Message-ID: <1201275927.1164.3.camel@master.markmc.org>

Hey,

Just noticing the sessions stuff seems to be broken for me using python-cherrypy-2.2.1-8.fc8:

  File "/usr/lib/python2.5/site-packages/cherrypy/filters/sessionfilter.py", line 329, in _get_file_path
    if not os.path.normpath(filePath).startswith(storagePath):
NameError: global name 'filePath' is not defined

Seems to be a botched backport that is fixed in python-cherrypy-2.3.0-3.fc8, which is only available in updates/testing at the moment.

Cheers,
Mark.

From markmc at redhat.com Fri Jan 25 15:46:33 2008
From: markmc at redhat.com (Mark McLoughlin)
Date: Fri, 25 Jan 2008 15:46:33 +0000
Subject: [Freeipa-devel] [PATCH] Listen only on localhost in production
In-Reply-To: <4799FD8C.80606@redhat.com>
References: <4799FD8C.80606@redhat.com>
Message-ID: <1201275993.1164.5.camel@master.markmc.org>

On Fri, 2008-01-25 at 10:17 -0500, Rob Crittenden wrote:
> Listen only on localhost in production so all requests go through
> Apache/mod_proxy.

> +# Listen only on the local interface so all requests go through
> +# Apache/mod_auth_kerb/mod_proxy.
> +server.server_port = 8080
> +server.socket_host="127.0.0.1"

Sounds like a plan. ACK.

Cheers,
Mark.

From rcritten at redhat.com Fri Jan 25 16:13:19 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 25 Jan 2008 11:13:19 -0500
Subject: [Freeipa-devel] [PATCH] Use consistent naming for tools
Message-ID: <479A0A9F.6090903@redhat.com>

Rename the 'mod' tools to be the form ipa-modTYPE where TYPE is user, group, etc.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-599-rename.patch
Type: text/x-patch
Size: 87372 bytes
Desc: not available
URL:

From ssorce at redhat.com Fri Jan 25 16:32:28 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 25 Jan 2008 11:32:28 -0500
Subject: [Freeipa-devel] [PATCH] Use consistent naming for tools
In-Reply-To: <479A0A9F.6090903@redhat.com>
References: <479A0A9F.6090903@redhat.com>
Message-ID: <1201278748.3793.48.camel@localhost.localdomain>

On Fri, 2008-01-25 at 11:13 -0500, Rob Crittenden wrote:
> Rename the 'mod' tools to be the form ipa-modTYPE where TYPE is user,
> group, etc.

ACK

--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |

From markmc at redhat.com Fri Jan 25 18:12:44 2008
From: markmc at redhat.com (Mark McLoughlin)
Date: Fri, 25 Jan 2008 18:12:44 +0000
Subject: [Freeipa-devel] [RFC] IPA "firstboot" UI
Message-ID: <1201284764.4570.21.camel@muff>

Hi,

I wanted to get people's feedback on a proposal I have to replace the questions currently asked on the command line by ipa-server-install with a "firstboot" type web UI.

The basic idea would be that you'd run ipa-server-install with no arguments and then use the firstboot web UI to configure the realm name, administrator password and hostname (if needed).

The reason I'm looking to do this is for an IPA appliance - the first time a user boots the appliance they would use this UI instead of running ipa-server-install. However, I think this is a much model for first-time configuration for IPA as a whole.

The changes I'm proposing to support this include:

- ipa-server-install will set up the directory server, apache and the web UI
- The realm name, hostname, etc. configuration should be stored in the directory server in cn=config,dc=IPA
- The web UI will merely modify this configuration in the directory
- A daemon will run as root, watch the directory for any configuration changes and apply those changes to the system
- So, e.g. the firstboot UI code will set the ipaRealmName attribute and the daemon will create that realm
- In the future a UI will also be added to support changing the realm name at a later stage
- Also in the future I hope to be able to add some system configuration to the UI e.g. timezone, networking etc.
  and this would be implemented using the same mechanism

I've uploaded my rough patches for people to look at rather than spamming the list, but I lamely failed to quickly publish these patches as a nice mercurial repo which could be easily used with mq, so here's how to apply them:

  $> hg clone http://hg.fedoraproject.org/hg/freeipa ipa-firstboot
  $> mkdir -p ipa-firstboot/.hg/patches
  $> cd ipa-firstboot/.hg/patches
  $> wget http://markmc.fedorapeople.org/ipa/ipa-firstboot-patches/series
  $> grep '^[^#]' series | xargs -i wget http://markmc.fedorapeople.org/ipa/ipa-firstboot-patches/{}
  $> hg qpush -a

To try it out, run ipa-server-install and login connect to http://master.example.com/firstboot

I've also posted a TODO list here:

  http://markmc.fedorapeople.org/ipa/ipa-firstboot-patches/TODO

Any and all feedback welcome ... I'm hoping to have this in 1.2.

Thanks,
Mark.

From rcritten at redhat.com Fri Jan 25 18:30:02 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 25 Jan 2008 13:30:02 -0500
Subject: [Freeipa-devel] [PATCH] fix misspelling
Message-ID: <479A2AAA.1070306@redhat.com>

I goofed in the plural for index as indeces rather than indices. This fixes it.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-600-spelling.patch
Type: text/x-patch
Size: 5413 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Jan 25 18:32:41 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 25 Jan 2008 13:32:41 -0500
Subject: [Freeipa-devel] [PATCH] Listen only on localhost in production
In-Reply-To: <1201275993.1164.5.camel@master.markmc.org>
References: <4799FD8C.80606@redhat.com> <1201275993.1164.5.camel@master.markmc.org>
Message-ID: <479A2B49.5050309@redhat.com>

Mark McLoughlin wrote:
> On Fri, 2008-01-25 at 10:17 -0500, Rob Crittenden wrote:
>> Listen only on localhost in production so all requests go through
>> Apache/mod_proxy.
>
>> +# Listen only on the local interface so all requests go through
>> +# Apache/mod_auth_kerb/mod_proxy.
>> +server.server_port = 8080
>> +server.socket_host="127.0.0.1"
>
> Sounds like a plan. ACK.
>
> Cheers,
> Mark.
>
>

Thanks, pushed.

rob

From rcritten at redhat.com Fri Jan 25 18:33:18 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 25 Jan 2008 13:33:18 -0500
Subject: [Freeipa-devel] [PATCH] Use consistent naming for tools
In-Reply-To: <1201278748.3793.48.camel@localhost.localdomain>
References: <479A0A9F.6090903@redhat.com> <1201278748.3793.48.camel@localhost.localdomain>
Message-ID: <479A2B6E.5080109@redhat.com>

Simo Sorce wrote:
> On Fri, 2008-01-25 at 11:13 -0500, Rob Crittenden wrote:
>> Rename the 'mod' tools to be the form ipa-modTYPE where TYPE is user,
>> group, etc.
>
> ACK
>

Thanks, pushed.

rob

From rcritten at redhat.com Fri Jan 25 18:49:58 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 25 Jan 2008 13:49:58 -0500
Subject: [Freeipa-devel] [PATCH] Fix discrepancies between built-in help and the man page.
Message-ID: <479A2F56.7000502@redhat.com>

I must've goofed at some point and overwritten the ipa-moduser man page with the usage from ipa-modgroup. That or I never went back and updated things properly. In any case this patch brings it into line with reality.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-602-moduser.patch
Type: text/x-patch
Size: 2571 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Jan 25 19:14:45 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 25 Jan 2008 14:14:45 -0500
Subject: [Freeipa-devel] [PATCH 2 of 7] Small refactor of dsinstance.config_dirname()
In-Reply-To: <88b7b4b3b16ddf1770ab.1201104066@localhost.localdomain>
References: <88b7b4b3b16ddf1770ab.1201104066@localhost.localdomain>
Message-ID: <479A3525.5090106@redhat.com>

I'm not sure about this one. I think we purposely chose to link the serverid and the realm name when we switched from using a GUID.

Simo, do you have any issues with this? You were more involved in that than I was.

rob

Mark McLoughlin wrote:
> # HG changeset patch
> # User Mark McLoughlin
> # Date 1201003079 0
> # Node ID 88b7b4b3b16ddf1770ab6ecf3f43b39b0d97fe63
> # Parent 8fea038a7fc9219cacad0234ac7f124fb206caad
> Small refactor of dsinstance.config_dirname()
>
> If, in future, we change the server ID so that it's not
> derived from the realm name, there's a fair few places
> that need to be changed.
>
> Make that easier by having config_dirname() take the
> server ID rather than the realm name. That makes sense
> anyway so we don't have to realm_to_serverid() so
> much.
> > Signed-off-by: Mark McLoughlin > > diff -r 8fea038a7fc9 -r 88b7b4b3b16d ipa-server/ipaserver/dsinstance.py > --- a/ipa-server/ipaserver/dsinstance.py Tue Jan 22 08:03:06 2008 +0000 > +++ b/ipa-server/ipaserver/dsinstance.py Tue Jan 22 11:57:59 2008 +0000 > @@ -48,11 +48,11 @@ def realm_to_serverid(realm_name): > def realm_to_serverid(realm_name): > return "-".join(realm_name.split(".")) > > -def config_dirname(realm_name): > - return "/etc/dirsrv/slapd-" + realm_to_serverid(realm_name) + "/" > - > -def schema_dirname(realm_name): > - return config_dirname(realm_name) + "/schema/" > +def config_dirname(serverid): > + return "/etc/dirsrv/slapd-" + serverid + "/" > + > +def schema_dirname(serverid): > + return config_dirname(serverid) + "/schema/" > > def erase_ds_instance_data(serverid): > try: > @@ -198,13 +198,13 @@ class DsInstance(service.Service): > > def __add_default_schemas(self): > shutil.copyfile(ipautil.SHARE_DIR + "60kerberos.ldif", > - schema_dirname(self.realm_name) + "60kerberos.ldif") > + schema_dirname(self.serverid) + "60kerberos.ldif") > shutil.copyfile(ipautil.SHARE_DIR + "60samba.ldif", > - schema_dirname(self.realm_name) + "60samba.ldif") > + schema_dirname(self.serverid) + "60samba.ldif") > shutil.copyfile(ipautil.SHARE_DIR + "60radius.ldif", > - schema_dirname(self.realm_name) + "60radius.ldif") > + schema_dirname(self.serverid) + "60radius.ldif") > shutil.copyfile(ipautil.SHARE_DIR + "60ipaconfig.ldif", > - schema_dirname(self.realm_name) + "60ipaconfig.ldif") > + schema_dirname(self.serverid) + "60ipaconfig.ldif") > > def __restart_instance(self): > try: > @@ -252,7 +252,7 @@ class DsInstance(service.Service): > self.__ldap_mod("master-entry.ldif", self.sub_dict) > > def __enable_ssl(self): > - dirname = config_dirname(self.realm_name) > + dirname = config_dirname(self.serverid) > ca = certs.CertDB(dirname) > if self.pkcs12_info: > ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1]) 
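Review bot: In the @@ -48,11 +48,11 @@ hunk, config_dirname(serverid) now splices its argument straight into "/etc/dirsrv/slapd-" + serverid + "/", and the stated purpose of the change is that the server ID will eventually stop being derived from the realm name; once it can come from somewhere other than realm_to_serverid() (configuration, user input), a value containing "/" or ".." would point the schema copies, certmap.conf and CertDB paths in the later hunks at a directory outside /etc/dirsrv. Before the decoupling lands it would be worth having config_dirname() reject anything outside the character set realm_to_serverid() can produce, or at least documenting that callers must validate the ID.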
> @@ -296,11 +296,11 @@ class DsInstance(service.Service): > > def __certmap_conf(self): > shutil.copyfile(ipautil.SHARE_DIR + "certmap.conf.template", > - config_dirname(self.realm_name) + "certmap.conf") > + config_dirname(self.serverid) + "certmap.conf") > > def change_admin_password(self, password): > logging.debug("Changing admin password") > - dirname = config_dirname(self.realm_name) > + dirname = config_dirname(self.serverid) > if ipautil.dir_exists("/usr/lib64/mozldap"): > app = "/usr/lib64/mozldap/ldappasswd" > else: > diff -r 8fea038a7fc9 -r 88b7b4b3b16d ipa-server/ipaserver/httpinstance.py > --- a/ipa-server/ipaserver/httpinstance.py Tue Jan 22 08:03:06 2008 +0000 > +++ b/ipa-server/ipaserver/httpinstance.py Tue Jan 22 11:57:59 2008 +0000 > @@ -130,7 +130,7 @@ class HTTPInstance(service.Service): > print "Updating %s failed." % NSS_CONF > > def __setup_ssl(self): > - ds_ca = certs.CertDB(dsinstance.config_dirname(self.realm)) > + ds_ca = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(self.realm))) > ca = certs.CertDB(NSS_DIR) > ds_ca.cur_serial = 2000 > ca.create_from_cacert(ds_ca.cacert_fname) > @@ -144,7 +144,7 @@ class HTTPInstance(service.Service): > prefs_fd.close() > > # The signing cert is generated in __setup_ssl > - ds_ca = certs.CertDB(dsinstance.config_dirname(self.realm)) > + ds_ca = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(self.realm))) > ca = certs.CertDB(NSS_DIR) > > # Publish the CA certificate -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Fri Jan 25 19:33:12 2008 
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 25 Jan 2008 14:33:12 -0500
Subject: [Freeipa-devel] [PATCH 2 of 7] Small refactor of dsinstance.config_dirname()
In-Reply-To: <479A3525.5090106@redhat.com>
References: <88b7b4b3b16ddf1770ab.1201104066@localhost.localdomain> <479A3525.5090106@redhat.com>
Message-ID: <1201289592.3793.60.camel@localhost.localdomain>

On Fri, 2008-01-25 at 14:14 -0500, Rob Crittenden wrote:
> I'm not sure about this one. I think we purposely chose to link the
> serverid and the realm name when we switched from using a GUID.
>
> Simo, do you have any issues with this? You were more involved in that
> than I was.

It was changed because we thought that the UUID was a burden because it was difficult to remember and look for.

But I have no big objections to go back to using the UUID, as a scenario like the one Mark is heading for was one of the reasons I chose the UUID initially as the naming scheme.

Maybe we can provide symlinks to help admins? (As long as they will not confuse FDS's init scripts.)
Or maybe we can have a symlink under /etc/ipa, something like:
/etc/ipa/ds-instance-REALM -> /etc/dirsrv/slapd-1234-12345678-ABCD

Simo.

--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |

From rcritten at redhat.com Fri Jan 25 19:36:25 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 25 Jan 2008 14:36:25 -0500
Subject: [Freeipa-devel] [PATCH 2 of 7] Small refactor of dsinstance.config_dirname()
In-Reply-To: <1201289592.3793.60.camel@localhost.localdomain>
References: <88b7b4b3b16ddf1770ab.1201104066@localhost.localdomain> <479A3525.5090106@redhat.com> <1201289592.3793.60.camel@localhost.localdomain>
Message-ID: <479A3A39.5030802@redhat.com>

Simo Sorce wrote:
> On Fri, 2008-01-25 at 14:14 -0500, Rob Crittenden wrote:
>> I'm not sure about this one. I think we purposely chose to link the
>> serverid and the realm name when we switched from using a GUID.
>>
>> Simo, do you have any issues with this? You were more involved in that
>> than I was.
>
> It was changed because we thought that the UUID was a burden because it
> was difficult to remember and look for.
>
> But I have no big objections to go back to using the UUID, as a scenario
> like the one Mark is heading for was one of the reasons I chose the UUID
> initially as the naming scheme.
>
> Maybe we can provide symlinks to help admins? (As long as they will not
> confuse FDS's init scripts.)
> Or maybe we can have a symlink under /etc/ipa, something like:
> /etc/ipa/ds-instance-REALM -> /etc/dirsrv/slapd-1234-12345678-ABCD
>
> Simo.

This patch doesn't go back to using a GUID but it does allow one to de-couple the serverid from the realm. It doesn't actually do that yet but it looks like step one down that path. I was just wondering if this would cause problems later. It sounds like it won't.

rob

From rcritten at redhat.com Fri Jan 25 20:08:11 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 25 Jan 2008 15:08:11 -0500
Subject: [Freeipa-devel] [PATCH 1 of 7] Remove questions from ipaserver.dsinstance
In-Reply-To: <8fea038a7fc9219cacad.1201104065@localhost.localdomain>
References: <8fea038a7fc9219cacad.1201104065@localhost.localdomain>
Message-ID: <479A41AB.3010904@redhat.com>

Mark McLoughlin wrote:
> # HG changeset patch
> # User Mark McLoughlin
> # Date 1200988986 0
> # Node ID 8fea038a7fc9219cacad0234ac7f124fb206caad
> # Parent 09304c90f377b8f53701a6df7db6949a6474daa5
> Remove questions from ipaserver.dsinstance
>
> Let's assume that all ipaserver.dsinstance could be used
> somewhere where asking questions on stdout/stdin is not
> appropriate and re-factor the code to be suitable in
> those situations too.
>
> i.e. make check_existing_installation() return a list of
> server IDs and make check_ports() return an (unsecure,
> secure) tuple indicating which ports are in use.
>
> Signed-off-by: Mark McLoughlin
>

ack and push

rob

From rcritten at redhat.com Fri Jan 25 20:08:24 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 25 Jan 2008 15:08:24 -0500
Subject: [Freeipa-devel] [PATCH 2 of 7] Small refactor of dsinstance.config_dirname()
In-Reply-To: <88b7b4b3b16ddf1770ab.1201104066@localhost.localdomain>
References: <88b7b4b3b16ddf1770ab.1201104066@localhost.localdomain>
Message-ID: <479A41B8.40207@redhat.com>

Mark McLoughlin wrote:
> # HG changeset patch
> # User Mark McLoughlin
> # Date 1201003079 0
> # Node ID 88b7b4b3b16ddf1770ab6ecf3f43b39b0d97fe63
> # Parent 8fea038a7fc9219cacad0234ac7f124fb206caad
> Small refactor of dsinstance.config_dirname()
>
> If, in future, we change the server ID so that it's not
> derived from the realm name, there's a fair few places
> that need to be changed.
>
> Make that easier by having config_dirname() take the
> server ID rather than the realm name. That makes sense
> anyway so we don't have to realm_to_serverid() so
> much.
>
> Signed-off-by: Mark McLoughlin

ack and push

rob

From rcritten at redhat.com Fri Jan 25 20:08:34 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 25 Jan 2008 15:08:34 -0500
Subject: [Freeipa-devel] [PATCH 3 of 7] Initialise DsInstance.pkcs12_info
In-Reply-To:
References:
Message-ID: <479A41C2.9080209@redhat.com>

Mark McLoughlin wrote:
> # HG changeset patch
> # User Mark McLoughlin
> # Date 1201003086 0
> # Node ID c869f9c37414333ed4ce5915c9a29241aedf53f9
> # Parent 88b7b4b3b16ddf1770ab6ecf3f43b39b0d97fe63
> Initialise DsInstance.pkcs12_info
>
> DsInstance.pkcs12_info isn't currently initialised in
> the constructor so, e.g. __enable_ssl() assumes that
> create_instance() has initialised it.
>
> Signed-off-by: Mark McLoughlin

ack and push

rob

From rcritten at redhat.com Fri Jan 25 20:08:53 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 25 Jan 2008 15:08:53 -0500
Subject: [Freeipa-devel] [PATCH 4 of 7] Re-factor the ipa_webgui and ipa_kpasswd instance code
In-Reply-To: <2f52fe548d870069fdce.1201104068@localhost.localdomain>
References: <2f52fe548d870069fdce.1201104068@localhost.localdomain>
Message-ID: <479A41D5.7020405@redhat.com>

Mark McLoughlin wrote:
> # HG changeset patch
> # User Mark McLoughlin
> # Date 1201003086 0
> # Node ID 2f52fe548d870069fdcea8ff9959007977f4da93
> # Parent c869f9c37414333ed4ce5915c9a29241aedf53f9
> Re-factor the ipa_webgui and ipa_kpasswd instance code
>
> The ipa_webgui and ipa_kpasswd instance code is identical
> and I want to add another similar instance down the line,
> so re-factor the code into a service.SimpleServiceInstance
> class.
>
> Signed-off-by: Mark McLoughlin
>

ack and push

rob

From rcritten at redhat.com Fri Jan 25 20:09:04 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 25 Jan 2008 15:09:04 -0500
Subject: [Freeipa-devel] [PATCH 5 of 7] Fix not so random random passwords
In-Reply-To: <32943922b23b325fbc63.1201104069@localhost.localdomain>
References: <32943922b23b325fbc63.1201104069@localhost.localdomain>
Message-ID: <479A41E0.9060408@redhat.com>

Mark McLoughlin wrote:
> # HG changeset patch
> # User Mark McLoughlin
> # Date 1201020165 0
> # Node ID 32943922b23b325fbc63527ba469c0a2fd0dd3d7
> # Parent 2f52fe548d870069fdcea8ff9959007977f4da93
> Fix not so random random passwords
>
> If you run ipa_generate_password() multiple times, one
> after the other, then you get the same password each time.
>
> This is because it uses the current time to seed the
> pseudo random number generator.
>
> The easiest solution is to just use the default method
> which seeds itself from /dev/urandom if available,
> and uses a fractional time value otherwise.
>
> Signed-off-by: Mark McLoughlin
>

ack and push

rob
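The seeding bug Mark describes in the "Fix not so random random passwords" changeset quoted above, as an added example that is not FreeIPA's code: a generator seeded from the one-second clock hands back the same "random" password on every call within that second, while drawing from the OS entropy source does not. The function names and the password alphabet are assumptions for this demo, and the corrected version goes one step beyond the patch (which relies on the module's default urandom seeding) by using random.SystemRandom, which reads the OS entropy source directly and is the appropriate choice for credentials.

```python
"""Added example (not FreeIPA code): clock-seeded PRNG passwords repeat.

The original ipa_generate_password() seeded its generator from the current
time, so back-to-back calls in the same second produced identical passwords.
Names and alphabet below are assumptions for the demonstration.
"""
import random
import string
import time

# Constructed alphabet for the demo; the real generator's charset may differ.
ALPHABET = string.ascii_letters + string.digits
DEFAULT_LENGTH = 12


def password_from_seed(seed, length=DEFAULT_LENGTH):
    """The flawed pattern: a generator seeded from a caller-supplied value.

    Seeding with int(time.time()) is constant within a second, so every call
    in that second walks the same PRNG sequence and returns the same string.
    Kept here only to demonstrate the bug, never for real credentials.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def time_seeded_password(length=DEFAULT_LENGTH):
    """Mirror of the bug: seed from the wall clock at one-second resolution."""
    return password_from_seed(int(time.time()), length)


def generate_password(length=DEFAULT_LENGTH):
    """The corrected pattern: draw from the OS entropy source.

    random.SystemRandom uses os.urandom() and cannot be re-seeded, so
    consecutive calls do not repeat and the output is not predictable from
    the time the password was generated.
    """
    rng = random.SystemRandom()
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def repeats_within_second(length=DEFAULT_LENGTH):
    """True when two clock-seeded passwords generated back to back are equal.

    Returns None if the clock ticked over a second boundary between the two
    calls, so the demonstration cannot be misread as a false negative.
    """
    t0 = int(time.time())
    first = time_seeded_password(length)
    second = time_seeded_password(length)
    if int(time.time()) != t0:
        return None
    return first == second


if __name__ == "__main__":
    print("clock-seeded, same second:", time_seeded_password(), time_seeded_password())
    print("OS entropy source:        ", generate_password(), generate_password())
    print("clock-seeded repeat?      ", repeats_within_second())
```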
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 25 Jan 2008 17:08:34 -0500
Subject: [Freeipa-devel] [PATCH] more info on installation
Message-ID: <479A5DE2.2080502@redhat.com>

This bug https://bugzilla.redhat.com/show_bug.cgi?id=430088 complained about a lack of info when installing IPA. I beefed it up slightly and removed 8080 as a port that needs to be opened in the firewall.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-605-msg.patch
Type: text/x-patch
Size: 3458 bytes
Desc: not available
URL:

From daobrien at redhat.com Tue Jan 29 08:29:34 2008
From: daobrien at redhat.com (David O'Brien)
Date: Tue, 29 Jan 2008 18:29:34 +1000
Subject: [Freeipa-devel] opinion on tool naming needed
In-Reply-To: <47990DFD.9060101@redhat.com>
References: <4799069D.3000301@redhat.com> <47990DFD.9060101@redhat.com>
Message-ID: <479EE3EE.7050900@redhat.com>

John Dennis wrote:
> Rob Crittenden wrote:
>> David O'Brien has noticed that there is some inconsistent naming in
>> some of the ipa-admintools, notably ipa-groupmod and ipa-usermod.
>> Every other command has user/group at the end (ipa-adduser,
>> ipa-deluser, etc).
>>
>> Shall we rename these for consistency's sake?
>
> +1 yes
>
> The inconsistency always kind of drove me crazy. The naming should
> follow what admins are already familiar with. Historically there have
> been adduser and usermod commands, which have the naming reversed, but
> I think this has since been cleaned up, note adduser is just a symlink
> to useradd.
>
> I prefer consistency, the radius commands will need to be renamed as well.
>

Any opinions on what should happen with ipa-lockuser?

From the command line:
ipa-lockuser
ipa-lockuser -u

In the webUI
Inactivate
Activate

I know they're just different ways of saying the same thing, but status appears as active or inactive, and not locked or unlocked.

/david the pedant

-- 
David O'Brien
IPA Content Author
"We couldn't care less about comfort. We make you feel good."
Federico Minoli CEO Ducati Motor S.p.A.

From rcritten at redhat.com Tue Jan 29 14:49:31 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Jan 2008 09:49:31 -0500
Subject: [Freeipa-devel] [RFC] IPA "firstboot" UI
In-Reply-To: <1201284764.4570.21.camel@muff>
References: <1201284764.4570.21.camel@muff>
Message-ID: <479F3CFB.9090706@redhat.com>

Mark McLoughlin wrote:
> Hi,
> I wanted to get people's feedback on a proposal I have to replace the
> questions currently asked on the command line by ipa-server-install with
> a "firstboot" type web UI.
>
> The basic idea would be that you'd run ipa-server-install with no
> arguments and then use the firstboot web UI to configure the realm name,
> administrator password and hostname (if needed).
>
> The reason I'm looking to do this is for an IPA appliance - the first
> time a user boots the appliance they would use this UI instead of
> running ipa-server-install. However, I think this is a much model for
> first-time configuration for IPA as a whole.
>
> The changes I'm proposing to support this include:
>
> - ipa-server-install will set up the directory server, apache and the
> web UI
>
> - The realm name, hostname, etc. configuration should be stored in
> the directory server in cn=config,dc=IPA
>
> - The web UI will merely modify this configuration in the directory
>
> - A daemon will run as root, watch the directory for any
> configuration changes and apply those changes to the system
>
> - So, e.g. the firstboot UI code will set the ipaRealmName attribute
> and the daemon will create that realm
>
> - In the future a UI will also be added to support changing the realm
> name at a later stage
>
> - Also in the future I hope to be able to add some system
> configuration to the UI e.g. timezone, networking etc. and this
> would be implemented using the same mechanism
>
> I've uploaded my rough patches for people to look at rather than
> spamming the list, but I lamely failed to quickly publish these patches
> as a nice mercurial repo which could be easily used with mq, so here's
> how to apply them:
>
> $> hg clone http://hg.fedoraproject.org/hg/freeipa ipa-firstboot
> $> mkdir -p ipa-firstboot/.hg/patches
> $> cd ipa-firstboot/.hg/patches
> $> wget http://markmc.fedorapeople.org/ipa/ipa-firstboot-patches/series
> $> grep '^[^#]' series | xargs -i wget http://markmc.fedorapeople.org/ipa/ipa-firstboot-patches/{}
> $> hg qpush -a
>
> To try it out, run ipa-server-install and login connect to
> http://master.example.com/firstboot
>
> I've also posted a TODO list here:
>
> http://markmc.fedorapeople.org/ipa/ipa-firstboot-patches/TODO
>
> Any and all feedback welcome ... I'm hoping to have this in 1.2.
>
> Thanks,
> Mark.

I'm having problems with this. First a couple of questions. I know the UI is still rough but:

- Why ask for both hostname and IP address?
- A realm is typically upper-case, are you automatically doing this?

Once I click on Next I end up at the IPA page which results in a failed login because I don't have a ticket yet. I can't get a ticket at the command-line either, I get:

kinit(v5): Preauthentication failed while getting initial credentials

I think I like the naming convention. I don't think we really need to stomp all over other DS instances. If they are using our ports then we should be able to detect that now. Simo, should we switch the instance naming to slapd-IPA from slapd-REALM and stop removing all existing instances (except perhaps, for ours)?

rob

From ssorce at redhat.com Tue Jan 29 14:56:28 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 29 Jan 2008 09:56:28 -0500
Subject: [Freeipa-devel] [RFC] IPA "firstboot" UI
In-Reply-To: <479F3CFB.9090706@redhat.com>
References: <1201284764.4570.21.camel@muff> <479F3CFB.9090706@redhat.com>
Message-ID: <1201618588.3180.29.camel@localhost.localdomain>

On Tue, 2008-01-29 at 09:49 -0500, Rob Crittenden wrote:
>
> Simo, should we switch the instance naming to slapd-IPA from
> slapd-REALM
> and stop removing all existing instances (except perhaps, for ours)?

Not sure, I don't think we really want to keep other instances around, how they are going to interact ?
Is there going to be auth problems after we install ?
Can there be conflicts somehow (same base dn) ?

Simo.

-- 
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |

From rcritten at redhat.com Tue Jan 29 14:59:32 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Jan 2008 09:59:32 -0500
Subject: [Freeipa-devel] [RFC] IPA "firstboot" UI
In-Reply-To: <1201618588.3180.29.camel@localhost.localdomain>
References: <1201284764.4570.21.camel@muff> <479F3CFB.9090706@redhat.com> <1201618588.3180.29.camel@localhost.localdomain>
Message-ID: <479F3F54.1030809@redhat.com>

Simo Sorce wrote:
> On Tue, 2008-01-29 at 09:49 -0500, Rob Crittenden wrote:
>> Simo, should we switch the instance naming to slapd-IPA from
>> slapd-REALM
>> and stop removing all existing instances (except perhaps, for ours)?
>
> Not sure, I don't think we really want to keep other instances around,
> how they are going to interact ?
> Is there going to be auth problems after we install ?
> Can there be conflicts somehow (same base dn) ?
>

The other instance(s) will be running on different ports (or not at all) so it really shouldn't matter.

They don't need to interact at all, but who are we to say that nobody can have other instances of a product. If it interferes with IPA then that's their problem.

rob

From rcritten at redhat.com Tue Jan 29 15:10:30 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Jan 2008 10:10:30 -0500
Subject: [Freeipa-devel] [PATCH] fix ipa-replica-install
Message-ID: <479F41E6.6020205@redhat.com>

There was an import of radiusinstance causing the tool to not work. Removed it.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-606-replica.patch
Type: text/x-patch
Size: 886 bytes
Desc: not available
URL:

From ssorce at redhat.com Tue Jan 29 15:30:08 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 29 Jan 2008 10:30:08 -0500
Subject: [Freeipa-devel] [PATCH] fix ipa-replica-install
In-Reply-To: <479F41E6.6020205@redhat.com>
References: <479F41E6.6020205@redhat.com>
Message-ID: <1201620608.3180.31.camel@localhost.localdomain>

On Tue, 2008-01-29 at 10:10 -0500, Rob Crittenden wrote:
> There was an import of radiusinstance causing the tool to not work.
> Removed it.

Ack.

-- 
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |

From ssorce at redhat.com Tue Jan 29 15:33:37 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 29 Jan 2008 10:33:37 -0500
Subject: [Freeipa-devel] [PATCH] fix misspelling
In-Reply-To: <479A2AAA.1070306@redhat.com>
References: <479A2AAA.1070306@redhat.com>
Message-ID: <1201620817.3180.33.camel@localhost.localdomain>

On Fri, 2008-01-25 at 13:30 -0500, Rob Crittenden wrote:
> I goofed in the plural for index as indeces rather than indices. This
> fixes it.

Ack.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Jan 29 15:34:05 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 29 Jan 2008 10:34:05 -0500
Subject: [Freeipa-devel] [PATCH] Fix discrepancies between built-in help and the man page.
In-Reply-To: <479A2F56.7000502@redhat.com>
References: <479A2F56.7000502@redhat.com>
Message-ID: <1201620845.3180.35.camel@localhost.localdomain>

On Fri, 2008-01-25 at 13:49 -0500, Rob Crittenden wrote:
> I must've goofed at some point and overwritten the ipa-moduser man
> page
> with the usage from ipa-modgroup. That or I never went back and
> updated
> things properly.
>
> In any case this patch brings it into line with reality.

Ack.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Jan 29 15:36:16 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 29 Jan 2008 10:36:16 -0500
Subject: [Freeipa-devel] [RFC] IPA "firstboot" UI
In-Reply-To: <479F3F54.1030809@redhat.com>
References: <1201284764.4570.21.camel@muff> <479F3CFB.9090706@redhat.com> <1201618588.3180.29.camel@localhost.localdomain> <479F3F54.1030809@redhat.com>
Message-ID: <1201620976.3180.37.camel@localhost.localdomain>

On Tue, 2008-01-29 at 09:59 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Tue, 2008-01-29 at 09:49 -0500, Rob Crittenden wrote:
> >> Simo, should we switch the instance naming to slapd-IPA from
> >> slapd-REALM
> >> and stop removing all existing instances (except perhaps, for ours)?
> >
> > Not sure, I don't think we really want to keep other instances around,
> > how they are going to interact ?
> > Is there going to be auth problems after we install ?
> > Can there be conflicts somehow (same base dn) ?
> >
>
> The other instance(s) will be running on different ports (or not at all)
> so it really shouldn't matter.
>
> They don't need to interact at all, but who are we to say that nobody
> can have other instances of a product. If it interferes with IPA then
> that's their problem.

I see the reasoning, can we discuss this a bit further next time we have a conf call or meeting ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Tue Jan 29 17:34:09 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Jan 2008 12:34:09 -0500
Subject: [Freeipa-devel] resend: internationalization of kid templates
In-Reply-To: <1199353118.4420.17.camel@freeipa.example.com>
References: <1199353118.4420.17.camel@freeipa.example.com>
Message-ID: <479F6391.3060102@redhat.com>

Masato Taruishi wrote:
> Hi,
>
> I wrote a patch to internationalize kid templates. In addition
> to the general internationalization, the patch also includes
> the Japanese po file. Please see the attached screenshots.
> Of course, this patch supports the content negotiation feature
> so you can see the English page, too.
>
> I haven't internationalized javascript and python messages yet
> because it requires utf-8 safe. I guess it's a next work for
> i18n related tasks.
>
> I hope this would help internationalization support of freeipa.
>
> Thanks
> Best regards

Hi. I'm reviewing your patch now and it looks ok, I just have a couple of questions.

What do we need to do on an ongoing basis to be sure that the messages stay up-to-date? Will we need to run something every time we make a change to a kid file?

The .po files have a header. Currently the translator field is empty. Is it common for this to be the default, FULL NAME ?

It pulled in some pure code in some cases. It looks like:

+#: ipagui/templates/ipapolicyshow.kid:td
+msgid "${ipapolicy.get(\"ipasearchtimelimit\")}"
+msgstr ""

Should we leave these in there or remove them?

thanks

rob

From rcritten at redhat.com Tue Jan 29 21:07:31 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Jan 2008 16:07:31 -0500
Subject: [Freeipa-devel] [PATCH] Put user-modifiable html files into /etc
Message-ID: <479F9593.3060008@redhat.com>

This is a specfile change for ipa-server. It moves files from /usr/share/ipa/html into /etc/ipa and links them back in so we can mark them as config(noreplace).

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-613-relocate.patch
Type: text/x-patch
Size: 4911 bytes
Desc: not available
URL:

From ssorce at redhat.com Tue Jan 29 21:18:39 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 29 Jan 2008 16:18:39 -0500
Subject: [Freeipa-devel] [PATCH] Put user-modifiable html files into /etc
In-Reply-To: <479F9593.3060008@redhat.com>
References: <479F9593.3060008@redhat.com>
Message-ID: <1201641519.14154.21.camel@localhost.localdomain>

On Tue, 2008-01-29 at 16:07 -0500, Rob Crittenden wrote:
> This is a specfile change for ipa-server. It moves files from
> /usr/share/ipa/html into /etc/ipa and links them back in so we can
> mark
> them as config(noreplace).

Can you make it /etc/ipa/html/ ?

Or shouldn't we try to use /var/ipa/html instead?

They are not exactly configuration files after all, maybe a better way would be to have their paths specified in /etc/ipa/ipa.conf have the standard ones in /usr/share/ipa and the user advised that to have modifications persist the right way is to copy them and change /etc/ipa/ipa.conf accordingly.

This will allow us to upgrade the standard ones with newer versions for people that are fine with the defaults.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Tue Jan 29 21:21:48 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Jan 2008 16:21:48 -0500
Subject: [Freeipa-devel] [PATCH] Put user-modifiable html files into /etc
In-Reply-To: <1201641519.14154.21.camel@localhost.localdomain>
References: <479F9593.3060008@redhat.com> <1201641519.14154.21.camel@localhost.localdomain>
Message-ID: <479F98EC.1080402@redhat.com>

Simo Sorce wrote:
> On Tue, 2008-01-29 at 16:07 -0500, Rob Crittenden wrote:
>> This is a specfile change for ipa-server. It moves files from
>> /usr/share/ipa/html into /etc/ipa and links them back in so we can
>> mark
>> them as config(noreplace).
>
> Can you make it /etc/ipa/html/ ?

Yes, I could do that but there are only 3 files there now as it is.

> Or shouldn't we try to use /var/ipa/html instead?

If it isn't in /etc you can't use config(noreplace) without rpmlint throwing up. This was recommended by the Fedora packagers.

> They are not exactly configuration files after all,
> maybe a better way would be to have their paths specified
> in /etc/ipa/ipa.conf have the standard ones in /usr/share/ipa and the
> user advised that to have modifications persist the right way is to copy
> them and change /etc/ipa/ipa.conf accordingly.

I don't think we need this much flexibility. These files just say who to call if authorization fails. Typically it will be "Call the helpdesk at 555-1212".

>
> This will allow us to upgrade the standard ones with newer versions for
> people that are fine with the defaults.
>
> Simo.
>

From rcritten at redhat.com Tue Jan 29 21:54:31 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Jan 2008 16:54:31 -0500
Subject: [Freeipa-devel] [PATCH] Don't set blank values
Message-ID: <479FA097.2090303@redhat.com>

Don't set blank values so we can avoid empty attributes. This is really only an issue in the UI so I've limited the changes to there.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-614-values.patch
Type: text/x-patch
Size: 10864 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Jan 30 14:51:39 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 30 Jan 2008 09:51:39 -0500
Subject: [Freeipa-devel] [PATCH] Put user-modifiable html files into /etc
In-Reply-To: <479F98EC.1080402@redhat.com>
References: <479F9593.3060008@redhat.com> <1201641519.14154.21.camel@localhost.localdomain> <479F98EC.1080402@redhat.com>
Message-ID: <47A08EFB.5070707@redhat.com>

Pushed a version that puts the files into /etc/ipa/html.

rob

Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Tue, 2008-01-29 at 16:07 -0500, Rob Crittenden wrote:
>>> This is a specfile change for ipa-server. It moves files from
>>> /usr/share/ipa/html into /etc/ipa and links them back in so we can
>>> mark them as config(noreplace).
>>
>> Can you make it /etc/ipa/html/ ?
>
> Yes, I could do that but there are only 3 files there now as it is.
>
>> Or shouldn't we try to use /var/ipa/html instead?
>
> If it isn't in /etc you can't use config(noreplace) without rpmlint
> throwing up. This was recommended by the Fedora packagers.
>
>> They are not exactly configuration files after all,
>> maybe a better way would be to have their paths specified
>> in /etc/ipa/ipa.conf have the standard ones in /usr/share/ipa and the
>> user advised that to have modifications persist the right way is to copy
>> them and change /etc/ipa/ipa.conf accordingly.
>
> I don't think we need this much flexibility. These files just say who to
> call if authorization fails. Typically it will be "Call the helpdesk at
> 555-1212".
>
>>
>> This will allow us to upgrade the standard ones with newer versions for
>> people that are fine with the defaults.
>>
>> Simo.
>>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

From rcritten at redhat.com Wed Jan 30 16:58:04 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 30 Jan 2008 11:58:04 -0500
Subject: [Freeipa-devel] [PATCH] enable logging in ipa_webgui start script
Message-ID: <47A0AC9C.9060505@redhat.com>

Some errors aren't detected until the server receives its first request (something already using the port, for example).

This patch adds logging during startup so it should be easier to track down errors.

Also a -f flag for preventing the script from becoming a daemon and -d flag for increasing the debug level of the log.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-615-startup.patch
Type: text/x-patch
Size: 3065 bytes
Desc: not available
URL:

From ssorce at redhat.com Wed Jan 30 17:58:52 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 30 Jan 2008 12:58:52 -0500
Subject: [Freeipa-devel] [PATCH] enable logging in ipa_webgui start script
In-Reply-To: <47A0AC9C.9060505@redhat.com>
References: <47A0AC9C.9060505@redhat.com>
Message-ID: <1201715932.3269.9.camel@localhost.localdomain>

On Wed, 2008-01-30 at 11:58 -0500, Rob Crittenden wrote:
> Some errors aren't detected until the server receives its first
> request
> (something already using the port, for example).
>
> This patch adds logging during startup so it should be easier to
> track
> down errors.
>
> Also a -f flag for preventing the script from becoming a daemon and
> -d
> flag for increasing the debug level of the log.

Ack.

-- 
Simo Sorce * Red Hat, Inc * New York

From taruishi at redhat.com Thu Jan 31 01:47:17 2008
From: taruishi at redhat.com (Masato Taruishi)
Date: Thu, 31 Jan 2008 10:47:17 +0900
Subject: [Freeipa-devel] resend: internationalization of kid templates
In-Reply-To: <479F6391.3060102@redhat.com>
References: <1199353118.4420.17.camel@freeipa.example.com> <479F6391.3060102@redhat.com>
Message-ID: <1201744037.4036.7.camel@freeipa.example.com>

Ah, I'm very sorry about my late reply.
I missed your reply.

> Masato Taruishi wrote:
> > Hi,
> >
> > I wrote a patch to internationalize kid templates. In addition
> > to the general internationalization, the patch also includes
> > the Japanese po file. Please see the attached screenshots.
> > Of course, this patch supports the content negotiation feature
> > so you can see the English page, too.
> >
> > I haven't internationalized javascript and python messages yet
> > because it requires utf-8 safe. I guess it's a next work for
> > i18n related tasks.
> >
> > I hope this would help internationalization support of freeipa.
> >
> > Thanks
> > Best regards
>
>
> Hi. I'm reviewing your patch now and it looks ok, I just have a couple
> of questions.
>
> What do we need to do on an ongoing basis to be sure that the messages
> stay up-to-date? Will we need to run something every time we make a
> change to a kid file?

You can collect the template pot file by running the following command:

~/ipa-server/ipa-gui$ tg-admin i18n collect

which creates locales/messages.pot. However, unfortunately, the above command doesn't work correctly for .kid files unless you apply the following patch:

--- /usr/lib/python2.5/site-packages/turbogears/command/i18n.py 2007-07-22 05:08:37.000000000 +0900
+++ i18n.py 2008-01-31 01:02:13.000000000 +0900
@@ -251,7 +251,12 @@
             if self.options.loose_kid_support or el.get('lang', None):
                 tag = re.sub('({[^}]+})?(\w+)', '\\2', el.tag)
                 ents = []
-                if el.text: ents = [el.text.strip()]
+                if el.text and not ( el.text.strip() in keys):
+                    if el.tag == "script":
+                        ents = [el.text.strip()]
+                    else:
+                        messages.append((tag, fname, el.text.strip()))
+                        keys.append(el.text.strip())
                 if el.attrib: ents.extend(el.attrib.values())
                 for k in ents:
                     key = None

> The .po files have a header. Currently the translator field is empty. Is
> it common for this to be the default, FULL NAME ?

Ah, I forgot to change that to my name. Can you change it to my name?

> It pulled in some pure code in some cases. It looks like:
>
> +#: ipagui/templates/ipapolicyshow.kid:td
> +msgid "${ipapolicy.get(\"ipasearchtimelimit\")}"
> +msgstr ""
>
> Should we leave these in there or remove them?

Or use py:content for the code in the td tag.

Thanks

> thanks
>
> rob

From rcritten at redhat.com Thu Jan 31 15:25:51 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 31 Jan 2008 10:25:51 -0500
Subject: [Freeipa-devel] [PATCH] fix uninstaller
Message-ID: <47A1E87F.9050902@redhat.com>

I've pushed this patch provided by Mark to fix uninstalling IPA.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-612-uninstall.patch
Type: text/x-patch
Size: 890 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Jan 31 15:54:04 2008
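Review bot: in the added lines of the i18n.py hunk, `if el.tag == "script":` compares the raw element tag, while the context line just above strips any `{namespace}` prefix into `tag` (`tag = re.sub('({[^}]+})?(\w+)', '\\2', el.tag)`); whenever a tag carries such a prefix, which is the case the regex exists for, the branch can never match, so script bodies fall through to `messages.append(...)` and get collected as translatable text. Suggest `if tag == "script":`. Two smaller points: `messages` and `keys` are not defined anywhere in the hunk, so the enclosing function must set both up before this loop (and with `keys` as a list the `in keys` membership test is linear in the number of strings already collected; a set would do); and the element text is appended unfiltered, which is how a pure Kid expression such as the `${ipapolicy.get(...)}` msgid quoted earlier in this thread ends up in the .pot, so skipping text that is nothing but a `${...}` expression at this point would keep those out.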
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 31 Jan 2008 10:54:04 -0500
Subject: [Freeipa-devel] [PATCH] fix command-line usage
Message-ID: <47A1EF1C.5030902@redhat.com>

Handle the --usage option by actually displaying the usage
Fix some missing options in --usage
Remove a few debugging statements

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-621-usage.patch
Type: text/x-patch
Size: 8021 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Jan 31 16:26:32 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 31 Jan 2008 11:26:32 -0500
Subject: [Freeipa-devel] [PATCH] Add option to list available attributes in the ipa-mod* utilities
Message-ID: <47A1F6B8.7090005@redhat.com>

Add option to list common attributes for use with --setattr,--addattr,--delattr in the ipa-mod* utilities.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-623-listattr.patch
Type: text/x-patch
Size: 5554 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Jan 31 19:20:27 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 31 Jan 2008 14:20:27 -0500
Subject: [Freeipa-devel] [PATCH] setup log in specfile
Message-ID: <47A21F7B.1050606@redhat.com>

Add a %post script to touch and set ownership & permissions on the TurboGears error log. It needs to be owned by apache otherwise the UI can't start up.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-624-logs.patch
Type: text/x-patch
Size: 2484 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Jan 31 19:59:57 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 31 Jan 2008 14:59:57 -0500
Subject: [Freeipa-devel] resend: internationalization of kid templates
In-Reply-To: <1201744037.4036.7.camel@freeipa.example.com>
References: <1199353118.4420.17.camel@freeipa.example.com> <479F6391.3060102@redhat.com> <1201744037.4036.7.camel@freeipa.example.com>
Message-ID: <47A228BD.7030603@redhat.com>

Masato Taruishi wrote:
> Ah, I'm very sorry about my late reply.
> I missed your reply.

No worries.

>
>> Masato Taruishi wrote:
>>> Hi,
>>>
>>> I wrote a patch to internationalize kid templates. In addition
>>> to the general internationalization, the patch also includes
>>> the Japanese po file. Please see the attached screenshots.
>>> Of course, this patch supports the content negotiation feature
>>> so you can see the English page, too.
>>>
>>> I haven't internationalized javascript and python messages yet
>>> because it requires utf-8 safe. I guess it's a next work for
>>> i18n related tasks.
>>>
>>> I hope this would help internationalization support of freeipa.
>>>
>>> Thanks
>>> Best regards
>>
>> Hi. I'm reviewing your patch now and it looks ok, I just have a couple
>> of questions.
>>
>> What do we need to do on an ongoing basis to be sure that the messages
>> stay up-to-date? Will we need to run something every time we make a
>> change to a kid file?
>
> You can collect the template pot file by running the following command:
>
> ~/ipa-server/ipa-gui$ tg-admin i18n collect
>
> which creates locales/messages.pot. However, unfortunately, the above
> command doesn't work correctly for .kid files unless you apply the
> following patch:
>
> --- /usr/lib/python2.5/site-packages/turbogears/command/i18n.py
> 2007-07-22 05:08:37.000000000 +0900
> +++ i18n.py 2008-01-31 01:02:13.000000000 +0900
> @@ -251,7 +251,12 @@
>              if self.options.loose_kid_support or el.get('lang',
> None):
>                  tag = re.sub('({[^}]+})?(\w+)', '\\2', el.tag)
>                  ents = []
> -                if el.text: ents = [el.text.strip()]
> +                if el.text and not ( el.text.strip() in keys):
> +                    if el.tag == "script":
> +                        ents = [el.text.strip()]
> +                    else:
> +                        messages.append((tag, fname,
> el.text.strip()))
> +                        keys.append(el.text.strip())
>                  if el.attrib: ents.extend(el.attrib.values())
>                  for k in ents:
>                      key = None

How often would we be expected to run this? I assume that ideally we should do it with any update to the kid files, just to keep things in sync, right?

>
>> The .po files have a header. Currently the translator field is empty. Is
>> it common for this to be the default, FULL NAME ?
>
> Ah, I forgot to change that to my name. Can you change it
> to my name?

Sure.

>
>> It pulled in some pure code in some cases. It looks like:
>>
>> +#: ipagui/templates/ipapolicyshow.kid:td
>> +msgid "${ipapolicy.get(\"ipasearchtimelimit\")}"
>> +msgstr ""
>>
>> Should we leave these in there or remove them?
>
> Or use py:content for the code in the td tag.

And I assume this is something we could go back to and fix later?

One last question. How would you recommend packaging? Would we want a separate package that contained the .pot file(s) for each language?

thanks

rob

From rcritten at redhat.com Thu Jan 31 22:39:36 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 31 Jan 2008 17:39:36 -0500
Subject: [Freeipa-devel] [PATCH] don't error out on password changes in UI
Message-ID: <47A24E28.1040900@redhat.com>

A change happened at some point related to password changes in the UI which broke it. This fixes it and adds an extra exception handler so rather than erroring out we handle it gracefully.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-626-passchange.patch
Type: text/x-patch
Size: 1503 bytes
Desc: not available
URL:

From ssorce at redhat.com Thu Jan 31 23:26:58 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 31 Jan 2008 18:26:58 -0500
Subject: [Freeipa-devel] [PATCH] fix command-line usage
In-Reply-To: <47A1EF1C.5030902@redhat.com>
References: <47A1EF1C.5030902@redhat.com>
Message-ID: <1201822018.22772.53.camel@localhost.localdomain>

On Thu, 2008-01-31 at 10:54 -0500, Rob Crittenden wrote:
> Handle the --usage option by actually displaying the usage
> Fix some missing options in --usage
> Remove a few debugging statements

Ack.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Jan 31 23:27:35 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 31 Jan 2008 18:27:35 -0500
Subject: [Freeipa-devel] [PATCH] Add option to list available attributes in the ipa-mod* utilities
In-Reply-To: <47A1F6B8.7090005@redhat.com>
References: <47A1F6B8.7090005@redhat.com>
Message-ID: <1201822055.22772.55.camel@localhost.localdomain>

On Thu, 2008-01-31 at 11:26 -0500, Rob Crittenden wrote:
> Add option to list common attributes for use with
> --setattr,--addattr,--delattr in the ipa-mod* utilities.

Ack.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Jan 31 23:28:04 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 31 Jan 2008 18:28:04 -0500
Subject: [Freeipa-devel] [PATCH] setup log in specfile
In-Reply-To: <47A21F7B.1050606@redhat.com>
References: <47A21F7B.1050606@redhat.com>
Message-ID: <1201822084.22772.57.camel@localhost.localdomain>

On Thu, 2008-01-31 at 14:20 -0500, Rob Crittenden wrote:
> Add a %post script to touch and set ownership & permissions on the
> TurboGears error log. It needs to be owned by apache otherwise the UI
> can't start up.

Ack.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Jan 31 23:28:32 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 31 Jan 2008 18:28:32 -0500
Subject: [Freeipa-devel] [PATCH] don't error out on password changes in UI
In-Reply-To: <47A24E28.1040900@redhat.com>
References: <47A24E28.1040900@redhat.com>
Message-ID: <1201822112.22772.59.camel@localhost.localdomain>

On Thu, 2008-01-31 at 17:39 -0500, Rob Crittenden wrote:
> A change happened at some point related to password changes in the UI
> which broke it. This fixes it and adds an extra exception handler so
> rather than erroring out we handle it gracefully.

Good.

-- 
Simo Sorce * Red Hat, Inc * New York