From ssorce at redhat.com Thu May 1 13:32:25 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 01 May 2008 09:32:25 -0400
Subject: [Freeipa-devel] [PATCH] Don't prompt for confirmation of DM password when installing a replica
In-Reply-To: <4817656F.6030806@redhat.com>
References: <4817656F.6030806@redhat.com>
Message-ID: <1209648745.12808.109.camel@localhost.localdomain>

On Tue, 2008-04-29 at 14:14 -0400, Rob Crittenden wrote:
> Don't prompt for confirmation of DM password when installing a replica.
>
> It implies that you are setting a new password and you really aren't.

That's true, but the password needs to be confirmed. I think we should
try a bind against the master and not proceed if we find out we can't
bind, but instead fail gracefully after three attempts (prompting again
for the password each time).

> Also added a catch for KeyboardInterrupt with instructions on how to
> recover from a partial install.

This part is ok.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Thu May 1 13:39:32 2008
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 01 May 2008 09:39:32 -0400
Subject: [Freeipa-devel] [PATCH] Don't prompt for confirmation of DM password when installing a replica
In-Reply-To: <1209648745.12808.109.camel@localhost.localdomain>
References: <4817656F.6030806@redhat.com> <1209648745.12808.109.camel@localhost.localdomain>
Message-ID: <4819C814.4060608@redhat.com>

Simo Sorce wrote:
> On Tue, 2008-04-29 at 14:14 -0400, Rob Crittenden wrote:
>
>> Don't prompt for confirmation of DM password when installing a replica.
>>
>> It implies that you are setting a new password and you really aren't.
>>
>
> That's true, but the password needs to be confirmed. I think we should
> try a bind against the master and not proceed if we find out we can't
> bind, but instead fail gracefully after three attempts (prompting again
> for the password each time).
>

I completely agree, but if the scope of work to do this is too big let us
postpone it till the next version.

From ssorce at redhat.com Thu May 1 13:40:01 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 01 May 2008 09:40:01 -0400
Subject: [Freeipa-devel] [PATCH] Change the way versioning is done
In-Reply-To: <4818E401.7010301@redhat.com>
References: <4818E401.7010301@redhat.com>
Message-ID: <1209649201.12808.111.camel@localhost.localdomain>

On Wed, 2008-04-30 at 17:26 -0400, Rob Crittenden wrote:
> The file VERSION is now the sole source of versioning.
>
> The generated .spec files will be removed in the maintainer-clean
> targets and have been removed from the repository.
>
> By default a GIT build is done. To do a non-GIT build do:
>
> $ make TARGET IPA_VERSION_IS_GIT_SNAPSHOT=no
>
> When updating the version you can run this to regenerate the version:
>
> $ make version-update
>
> The version can be determined in Python by using
> ipaserver.version.VERSION
>
> Please review this patch carefully, it changes a lot of stuff :-)

You deleted a lot of stuff :-)

Full ack!

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From mike at flyn.org Thu May 1 13:48:02 2008
From: mike at flyn.org (W. Michael Petullo)
Date: Thu, 1 May 2008 18:18:02 +0430
Subject: [Freeipa-devel] ipa-client-install and TLS
Message-ID: <20080501134802.GB2453@imp.flyn.org>

I just upgraded to FreeIPA 1.0. Last time I configured my test client
by hand, but this time I used ipa-client-install. I found that
ipa-client-install did not configure nss_ldap to use TLS in
/etc/ldap.conf*

It wrote this:

uri ldap://ipa.example.com

where I would expect this:

uri ldaps://ipa.example.com:636

Is there a reason ipa-client-install does not configure nss_ldap to use
TLS by default?

--
Mike

:wq

From ssorce at redhat.com Thu May 1 13:54:20 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 01 May 2008 09:54:20 -0400
Subject: [Freeipa-devel] [PATCH] Don't prompt for confirmation of DM password when installing a replica
In-Reply-To: <4819C814.4060608@redhat.com>
References: <4817656F.6030806@redhat.com> <1209648745.12808.109.camel@localhost.localdomain> <4819C814.4060608@redhat.com>
Message-ID: <1209650060.12808.121.camel@localhost.localdomain>

On Thu, 2008-05-01 at 09:39 -0400, Dmitri Pal wrote:
> Simo Sorce wrote:
> > On Tue, 2008-04-29 at 14:14 -0400, Rob Crittenden wrote:
> >
> >> Don't prompt for confirmation of DM password when installing a replica.
> >>
> >> It implies that you are setting a new password and you really aren't.
> >>
> >
> > That's true, but the password needs to be confirmed. I think we should
> > try a bind against the master and not proceed if we find out we can't
> > bind, but instead fail gracefully after three attempts (prompting again
> > for the password each time).
> >
>
> I completely agree, but if the scope of work to do this is too big let us
> postpone it till the next version.

It is just one call, very easy to do.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu May 1 14:08:19 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 01 May 2008 10:08:19 -0400
Subject: [Freeipa-devel] [PATCH] Replace OpenLDAP with mozldap
In-Reply-To: <20080228091514.GA21896@imp.flyn.org>
References: <20080224141040.GA19318@imp.flyn.org> <1204066438.5684.47.camel@localhost.localdomain> <20080228091514.GA21896@imp.flyn.org>
Message-ID: <1209650899.12808.125.camel@localhost.localdomain>

On Thu, 2008-02-28 at 13:45 +0430, W. Michael Petullo wrote:
> >> I've attached a patch that begins the process of replacing OpenLDAP with
> >> mozldap. FreeIPA relies on RedHat's Directory Server, which uses mozldap. A
> >> FreeIPA build using mozldap would reduce the project's dependencies and
> >> redundant code. In addition, mozldap uses NSS instead of OpenSSL. This is
> >> beneficial for the reasons listed in [1].
> >>
> >> [1] http://fedoraproject.org/wiki/FedoraCryptoConsolidation
> >
> > patch may make sense for shipping for Fedora, but it would be better to
> > have a patch that makes the choice between mozldap or openldap libraries
> > a compile-time option.
> > This is because admin tools and client tools are not meant to be run on
> > the server only and other distributions may not ship the mozldap bits.
> >
> > Do you think you can modify the patch to make it possible to select
> > either library through a configure option?
> >
> > Simo.
>
> Attached is a new patch.
>
> This patch now allows one to specify --with-openldap if they want to continue
> using OpenLDAP, otherwise mozldap is used. The exception is ipa-server's
> ipa-slapi-plugins, which will not build against OpenLDAP.

After a long delay (sorry), finally pushed to the master branch.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu May 1 14:11:11 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 01 May 2008 10:11:11 -0400
Subject: [Freeipa-devel] ipa-client-install and TLS
In-Reply-To: <20080501134802.GB2453@imp.flyn.org>
References: <20080501134802.GB2453@imp.flyn.org>
Message-ID: <1209651071.12808.129.camel@localhost.localdomain>

On Thu, 2008-05-01 at 18:18 +0430, W. Michael Petullo wrote:
> I just upgraded to FreeIPA 1.0. Last time I configured my test client
> by hand, but this time I used ipa-client-install. I found that
> ipa-client-install did not configure nss_ldap to use TLS in
> /etc/ldap.conf*
>
> It wrote this:
>
> uri ldap://ipa.example.com
>
> where I would expect this:
>
> uri ldaps://ipa.example.com:636
>
> Is there a reason ipa-client-install does not configure nss_ldap to use
> TLS by default?

Performance.

The data is all available anonymously anyway, and adding SSL on top is
not a big advantage at this point. Of course admins can choose to
activate SSL by changing the above line.

This will change in v2, where we will do much more aggressive caching
and will use GSSAPI (and per-machine credentials) by default to secure
the connection.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Thu May 1 14:28:53 2008
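As an added example (not from the thread and not ipa-client-install's code): a small auditor for the nss_ldap `/etc/ldap.conf` form discussed above. It flags the cleartext `uri ldap://` line the installer wrote, accepts `ldaps://` (the form the poster expected) or `ssl start_tls`, and then checks that the encrypted connection is actually verified (`tls_checkpeer`, `tls_cacertfile`/`tls_cacertdir`). The sample configs and the CA path are constructed for the demonstration.

```python
"""Audit an nss_ldap-style /etc/ldap.conf for cleartext LDAP lookups.

Added example for the thread above; not ipa-client-install code.
"""
from urllib.parse import urlsplit


def parse_ldap_conf(text):
    """Parse the `key value` lines of nss_ldap's ldap.conf.

    '#' comments and blank lines are skipped; keys are case-insensitive and
    may repeat, so every key maps to its values in file order.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) == 2 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def audit_ldap_conf(text):
    """Return a list of findings; an empty list means lookups are encrypted
    and the server certificate is checked.

    Transport counts as encrypted only for ldaps:// (what the poster expected,
    port 636), for ldapi:// (a local unix socket) or for ldap:// combined with
    `ssl start_tls`.  A bare `uri ldap://host`, as written by the installer,
    sends every lookup in the clear.
    """
    conf = parse_ldap_conf(text)
    findings = []
    # nss_ldap honours the last occurrence of a directive; `ssl` defaults to off.
    ssl_mode = conf.get("ssl", ["off"])[-1].lower()
    uris = [u for entry in conf.get("uri", []) for u in entry.split()]
    if not uris:
        return ["no uri directive found; nothing to audit"]

    tls_in_use = False
    for uri in uris:
        scheme = urlsplit(uri).scheme.lower()
        encrypted = scheme in ("ldaps", "ldapi") or (
            scheme == "ldap" and ssl_mode == "start_tls")
        if encrypted:
            tls_in_use = tls_in_use or scheme != "ldapi"
            continue
        if scheme == "ldap" and ssl_mode == "on":
            findings.append(f"ssl on with uri {uri}: use an ldaps://host:636 URI so "
                            "the scheme and the ssl mode agree")
        else:
            findings.append(f"cleartext LDAP transport: uri {uri} (ssl {ssl_mode})")
    if findings or not tls_in_use:
        return findings

    # Encryption without certificate checking still lets an impostor answer.
    if conf.get("tls_checkpeer", [""])[-1].lower() != "yes":
        findings.append("tls_checkpeer is not set to yes; the server certificate "
                        "may go unverified")
    if not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        findings.append("no tls_cacertfile or tls_cacertdir; there is no CA to "
                        "verify the server against")
    return findings


# Constructed samples.  The first is the line the thread says
# ipa-client-install wrote; the second is the ldaps:// form the poster
# expected, plus certificate checking (the CA path is a placeholder).
AS_INSTALLED = """\
# /etc/ldap.conf (constructed sample)
base dc=example,dc=com
uri ldap://ipa.example.com
"""

HARDENED = """\
base dc=example,dc=com
uri ldaps://ipa.example.com:636
tls_checkpeer yes
tls_cacertfile /path/to/ipa-ca.crt
"""

if __name__ == "__main__":
    for name, text in (("as installed", AS_INSTALLED), ("hardened", HARDENED)):
        print(f"{name}: {audit_ldap_conf(text) or ['ok']}")
```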
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 01 May 2008 10:28:53 -0400
Subject: [Freeipa-devel] [PATCH] Don't prompt for confirmation of DM password when installing a replica
In-Reply-To: <1209650060.12808.121.camel@localhost.localdomain>
References: <4817656F.6030806@redhat.com> <1209648745.12808.109.camel@localhost.localdomain> <4819C814.4060608@redhat.com> <1209650060.12808.121.camel@localhost.localdomain>
Message-ID: <4819D3A5.7060603@redhat.com>

Simo Sorce wrote:
> On Thu, 2008-05-01 at 09:39 -0400, Dmitri Pal wrote:
>
>> Simo Sorce wrote:
>>
>>> On Tue, 2008-04-29 at 14:14 -0400, Rob Crittenden wrote:
>>>
>>>> Don't prompt for confirmation of DM password when installing a replica.
>>>>
>>>> It implies that you are setting a new password and you really aren't.
>>>>
>>> That's true, but the password needs to be confirmed. I think we should
>>> try a bind against the master and not proceed if we find out we can't
>>> bind, but instead fail gracefully after three attempts (prompting again
>>> for the password each time).
>>>
>> I completely agree, but if the scope of work to do this is too big let us
>> postpone it till the next version.
>>
>
> It is just one call, very easy to do.
>
> Simo.
>

Ack

--
Dmitri Pal
Engineering Manager
Red Hat Inc.

From rcritten at redhat.com Thu May 1 14:45:35 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 01 May 2008 10:45:35 -0400
Subject: [Freeipa-devel] [PATCH] Don't prompt for confirmation of DM password when installing a replica
In-Reply-To: <1209648745.12808.109.camel@localhost.localdomain>
References: <4817656F.6030806@redhat.com> <1209648745.12808.109.camel@localhost.localdomain>
Message-ID: <4819D78F.6040803@redhat.com>

Simo Sorce wrote:
> On Tue, 2008-04-29 at 14:14 -0400, Rob Crittenden wrote:
>> Don't prompt for confirmation of DM password when installing a replica.
>>
>> It implies that you are setting a new password and you really aren't.
>
> That's true, but the password needs to be confirmed. I think we should
> try a bind against the master and not proceed if we find out we can't
> bind, but instead fail gracefully after three attempts (prompting again
> for the password each time).

Sorry, I forgot to mention that. We do a bind to the master to make sure
the password is ok before proceeding. We don't ask numerous times, we
just fail gracefully if it is wrong (with a helpful message). Not a big
difference between re-running the command and asking 3 times though.

>
>> Also added a catch for KeyboardInterrupt with instructions on how to
>> recover from a partial install.
>
> this part is ok.
>
> Simo.
>

From ssorce at redhat.com Thu May 1 14:53:49 2008
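The check discussed above (bind to the master with the Directory Manager password before the replica is touched, and stop with a clear message if the bind fails) as an added Python sketch; it is not FreeIPA's installer code. The bind is passed in as a callable so the decision logic runs offline against the constructed `fake_master`; `ldap_bind_as_directory_manager` shows how the real call would be wired with python-ldap and is an assumption, not the project's implementation.

```python
"""Verify the Directory Manager password against the master before a
replica install proceeds.  Added example, not FreeIPA's own installer code.
"""
import getpass

DM_DN = "cn=Directory Manager"
MAX_ATTEMPTS = 3          # Simo's suggestion; Rob's installer asks once


class BadPassword(Exception):
    """The master answered the bind with 'invalid credentials'."""


class Unreachable(Exception):
    """The master could not be contacted, so nothing can be verified."""


def verify_dm_password(bind, ask_password=getpass.getpass,
                       attempts=MAX_ATTEMPTS, log=print):
    """Return the verified password, or None when the install must stop.

    `bind(password)` performs the simple bind and raises BadPassword or
    Unreachable.  Only a rejected password earns another prompt; an
    unreachable master aborts at once, because re-prompting cannot turn an
    unverified password into a verified one, and the installer must never
    proceed with an unverified one.
    """
    for n in range(1, attempts + 1):
        password = ask_password("Directory Manager password: ")
        try:
            bind(password)
        except BadPassword:
            log(f"The master rejected the Directory Manager password "
                f"(attempt {n} of {attempts}).")
            continue
        except Unreachable as exc:
            log(f"Cannot contact the master to verify the password: {exc}. "
                "Nothing was changed on this host.")
            return None
        return password
    log(f"Giving up after {attempts} attempts; nothing was changed on this host.")
    return None


def ldap_bind_as_directory_manager(uri):
    """Build a bind callable with python-ldap (assumed available at runtime;
    imported lazily so the decision logic above stays importable without it).
    """
    def bind(password):
        import ldap  # python-ldap
        conn = ldap.initialize(uri)
        try:
            conn.simple_bind_s(DM_DN, password)
        except ldap.INVALID_CREDENTIALS as exc:
            raise BadPassword() from exc
        except ldap.SERVER_DOWN as exc:
            raise Unreachable(str(exc)) from exc
        finally:
            try:
                conn.unbind_s()
            except ldap.LDAPError:
                pass
    return bind


def fake_master(correct_password, reachable=True):
    """Constructed stand-in for the master, used by the demonstration below."""
    def bind(password):
        if not reachable:
            raise Unreachable("connection refused")
        if password != correct_password:
            raise BadPassword()
    return bind


def scripted_prompt(answers):
    """Return an ask_password() that replays a constructed list of answers."""
    it = iter(answers)
    return lambda prompt="": next(it)


if __name__ == "__main__":
    master = fake_master("s3cret")
    print("result:", verify_dm_password(master, scripted_prompt(["nope", "s3cret"])))
```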
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 01 May 2008 10:53:49 -0400
Subject: [Freeipa-devel] [PATCH] Don't prompt for confirmation of DM password when installing a replica
In-Reply-To: <4819D78F.6040803@redhat.com>
References: <4817656F.6030806@redhat.com> <1209648745.12808.109.camel@localhost.localdomain> <4819D78F.6040803@redhat.com>
Message-ID: <1209653629.12808.137.camel@localhost.localdomain>

On Thu, 2008-05-01 at 10:45 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Tue, 2008-04-29 at 14:14 -0400, Rob Crittenden wrote:
> >> Don't prompt for confirmation of DM password when installing a replica.
> >>
> >> It implies that you are setting a new password and you really aren't.
> >
> > That's true, but the password needs to be confirmed. I think we should
> > try a bind against the master and not proceed if we find out we can't
> > bind, but instead fail gracefully after three attempts (prompting again
> > for the password each time).
>
> Sorry, I forgot to mention that. We do a bind to the master to make sure
> the password is ok before proceeding. We don't ask numerous times, we
> just fail gracefully if it is wrong (with a helpful message). Not a big
> difference between re-running the command and asking 3 times though.

Then it is a full ack :-)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From taruishi at redhat.com Thu May 1 15:25:51 2008
From: taruishi at redhat.com (Masato Taruishi)
Date: Fri, 02 May 2008 00:25:51 +0900
Subject: [Freeipa-devel] [PATCH] create tmp directory for ipa-kpasswd
Message-ID: <1209655551.15501.52.camel@dhcp-193-183.nrt.redhat.com>

This patch creates the temporary directory before mkstemp(2)
in ipa-kpasswd.

Because mkstemp doesn't create directories, it may fail
with ENOENT.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: kpasswd_create_tmpdir.patch
Type: text/x-patch
Size: 1545 bytes
Desc: not available
URL:

From ssorce at redhat.com Thu May 1 15:47:19 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 01 May 2008 11:47:19 -0400
Subject: [Freeipa-devel] [PATCH] create tmp directory for ipa-kpasswd
In-Reply-To: <1209655551.15501.52.camel@dhcp-193-183.nrt.redhat.com>
References: <1209655551.15501.52.camel@dhcp-193-183.nrt.redhat.com>
Message-ID: <1209656839.12808.142.camel@localhost.localdomain>

On Fri, 2008-05-02 at 00:25 +0900, Masato Taruishi wrote:
> This patch creates the temporary directory before mkstemp(2)
> in ipa-kpasswd.
>
> Because mkstemp doesn't create directories, it may fail
> with ENOENT.

Nack,
the kpasswd directory must be created by make install/the spec file and
properly SELinux labeled (where available).

The current F9 package is broken in this respect :-( but we already fixed
the spec file.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu May 1 15:50:12 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 01 May 2008 11:50:12 -0400
Subject: [Freeipa-devel] [PATCH] create tmp directory for ipa-kpasswd
In-Reply-To: <1209656839.12808.142.camel@localhost.localdomain>
References: <1209655551.15501.52.camel@dhcp-193-183.nrt.redhat.com> <1209656839.12808.142.camel@localhost.localdomain>
Message-ID: <1209657012.12808.145.camel@localhost.localdomain>

On Thu, 2008-05-01 at 11:47 -0400, Simo Sorce wrote:
> On Fri, 2008-05-02 at 00:25 +0900, Masato Taruishi wrote:
> > This patch creates the temporary directory before mkstemp(2)
> > in ipa-kpasswd.
> >
> > Because mkstemp doesn't create directories, it may fail
> > with ENOENT.
>
> Nack,
> the kpasswd directory must be created by make install/the spec file and
> properly SELinux labeled (where available).
>
> The current F9 package is broken in this respect :-( but we already fixed
> the spec file.

To be fair, we should probably change the code to retrieve the TMP_DIR
from the environment so that it can be changed at runtime. I would love
to get a patch that implements that and sets the correct default
in /etc/sysconfig/ipa-kpasswd.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From taruishi at redhat.com Thu May 1 17:23:46 2008
From: taruishi at redhat.com (Masato Taruishi)
Date: Fri, 02 May 2008 02:23:46 +0900
Subject: [Freeipa-devel] [PATCH] create tmp directory for ipa-kpasswd
In-Reply-To: <1209657012.12808.145.camel@localhost.localdomain>
References: <1209655551.15501.52.camel@dhcp-193-183.nrt.redhat.com> <1209656839.12808.142.camel@localhost.localdomain> <1209657012.12808.145.camel@localhost.localdomain>
Message-ID: <1209662626.21333.11.camel@freeipa.example.com>

> On Thu, 2008-05-01 at 11:47 -0400, Simo Sorce wrote:
> > On Fri, 2008-05-02 at 00:25 +0900, Masato Taruishi wrote:
> > > This patch creates the temporary directory before mkstemp(2)
> > > in ipa-kpasswd.
> > >
> > > Because mkstemp doesn't create directories, it may fail
> > > with ENOENT.
> >
> > Nack,
> > the kpasswd directory must be created by make install/the spec file and
> > properly SELinux labeled (where available).
> >
> > The current F9 package is broken in this respect :-( but we already fixed
> > the spec file.

I didn't see the selinux things and thought directories under /var/cache
should be created on demand for manual deletion. It seems to be an old
style. Please ignore the patch.

> To be fair, we should probably change the code to retrieve the TMP_DIR
> from the environment so that it can be changed at runtime. I would love
> to get a patch that implements that and sets the correct default
> in /etc/sysconfig/ipa-kpasswd.

I think using the localstatedir specified in configure is enough to
determine the cache directory. Changing the directory at runtime makes
its initialization complex for selinux.

--
Masato Taruishi

From ssorce at redhat.com Thu May 1 17:38:29 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 01 May 2008 13:38:29 -0400
Subject: [Freeipa-devel] [PATCH] Fix style in dna.c
Message-ID: <1209663509.12808.155.camel@localhost.localdomain>

I've decided to start fixing the style in our C code. I am starting by
fixing code I am going to work with.

Here is a patch to fix dna.c style.

--
Simo Sorce * Red Hat, Inc * New York

>From 579b3c775878eba27f2e9d7c4e5ad6e1b33c4e8a Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 1 May 2008 13:07:57 -0400 Subject: [PATCH] Indent the plugin according to our style guidelines. Used indent -kr -nut dna.c for most of the changes --- ipa-server/ipa-slapi-plugins/dna/dna.c | 1560 ++++++++++++++++---------------- 1 files changed, 758 insertions(+), 802 deletions(-) diff --git a/ipa-server/ipa-slapi-plugins/dna/dna.c b/ipa-server/ipa-slapi-plugins/dna/dna.c index bafe441..169edb8 100644 --- a/ipa-server/ipa-slapi-plugins/dna/dna.c +++ b/ipa-server/ipa-slapi-plugins/dna/dna.c @@ -2,15 +2,15 @@ * This Program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free Software * Foundation; version 2 of the License. - * + * * This Program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License along with * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple * Place, Suite 330, Boston, MA 02111-1307 USA. - * + * * In addition, as a special exception, Red Hat, Inc. gives You the additional * right to link the code of this Program with code not covered under the GNU * General Public License ("Non-GPL Code") and to distribute linked combinations 
@@ -28,9 +28,9 @@ * version of the file, but you are not obligated to do so. If you do not wish to * provide this exception without modification, you must delete this exception * statement from your version and license this file solely under the GPL without - * exception. - * - * + * exception. + * + * * Author: Pete Rowley * * Copyright (C) 2007 Red Hat, Inc. @@ -43,7 +43,7 @@ /** - * Distributed Numeric Assignment plug-in + * Distributed Numeric Assignment plug-in */ #include @@ -65,13 +65,14 @@ #include #endif -#define DNA_PLUGIN_SUBSYSTEM "ipa-dna-plugin" -#define DNA_PLUGIN_VERSION 0x00010000 +#define DNA_PLUGIN_SUBSYSTEM "ipa-dna-plugin" +#define DNA_PLUGIN_VERSION 0x00010000 -#define DNA_DN "cn=ipa-dna,cn=plugins,cn=config" /* temporary */ +/* temporary */ +#define DNA_DN "cn=ipa-dna,cn=plugins,cn=config" -#define DNA_SUCCESS 0 -#define DNA_FAILURE -1 +#define DNA_SUCCESS 0 +#define DNA_FAILURE -1 /** * DNA config types @@ -87,9 +88,10 @@ #define FEATURE_DESC "IPA Distributed Numeric Assignment" #define PLUGIN_DESC "IPA Distributed Numeric Assignment plugin" -static Slapi_PluginDesc pdesc = { FEATURE_DESC, - "FreeIPA project", "FreeIPA/1.0", - PLUGIN_DESC }; +static Slapi_PluginDesc pdesc = { FEATURE_DESC, + "FreeIPA project", "FreeIPA/1.0", + PLUGIN_DESC +}; /** @@ -97,22 +99,22 @@ static Slapi_PluginDesc pdesc = { FEATURE_DESC, */ struct _defs { - PRCList list; - char *dn; - char *type; - char *prefix; - unsigned long nextval; - unsigned long interval; - struct slapi_filter *filter; - char *generate; - char *scope; + PRCList list; + char *dn; + char *type; + char *prefix; + unsigned long nextval; + unsigned long interval; + struct slapi_filter *filter; + char *generate; + char *scope; } dna_anchor; typedef struct _defs configEntry; static PRCList *config; static PRRWLock *g_dna_cache_lock; -static void *_PluginID = NULL; -static char *_PluginDN = NULL; +static void *_PluginID = NULL; +static char *_PluginDN = NULL; /* 
@@ -121,43 +123,44 @@ static char *_PluginDN = NULL; static Slapi_Mutex *g_new_value_lock; /** - * + * * DNA plug-in management functions * */ -int ipa_dna_init(Slapi_PBlock *pb); -static int dna_start(Slapi_PBlock *pb); -static int dna_close(Slapi_PBlock *pb); -static int dna_postop_init(Slapi_PBlock *pb); +int ipa_dna_init(Slapi_PBlock * pb); +static int dna_start(Slapi_PBlock * pb); +static int dna_close(Slapi_PBlock * pb); +static int dna_postop_init(Slapi_PBlock * pb); /** - * + * * Local operation functions * */ static int loadPluginConfig(); -static int parseConfigEntry(Slapi_Entry *e); +static int parseConfigEntry(Slapi_Entry * e); static void deleteConfig(); -static void freeConfigEntry(configEntry **entry); +static void freeConfigEntry(configEntry ** entry); /** * * helpers * */ -static char *dna_get_dn(Slapi_PBlock *pb); +static char *dna_get_dn(Slapi_PBlock * pb); static int dna_dn_is_config(char *dn); -static int dna_get_next_value(configEntry *config_entry, char **next_value_ret); +static int dna_get_next_value(configEntry * config_entry, + char **next_value_ret); /** * * the ops (where the real work is done) * */ -static int dna_config_check_post_op(Slapi_PBlock *pb); -static int dna_pre_op( Slapi_PBlock *pb, int modtype ); -static int dna_mod_pre_op( Slapi_PBlock *pb ); -static int dna_add_pre_op( Slapi_PBlock *pb ); +static int dna_config_check_post_op(Slapi_PBlock * pb); +static int dna_pre_op(Slapi_PBlock * pb, int modtype); +static int dna_mod_pre_op(Slapi_PBlock * pb); +static int dna_add_pre_op(Slapi_PBlock * pb); /** * debug functions - global, for the debugger @@ -173,7 +176,7 @@ int *module_ldap_debug = 0; void plugin_init_debug_level(int *level_ptr) { - module_ldap_debug = level_ptr; + module_ldap_debug = level_ptr; } #endif 
@@ -184,131 +187,129 @@ void plugin_init_debug_level(int *level_ptr) */ void dna_read_lock() { - PR_RWLock_Rlock(g_dna_cache_lock); + PR_RWLock_Rlock(g_dna_cache_lock); } void dna_write_lock() { - PR_RWLock_Wlock(g_dna_cache_lock); + PR_RWLock_Wlock(g_dna_cache_lock); } void dna_unlock() { - PR_RWLock_Unlock(g_dna_cache_lock); + PR_RWLock_Unlock(g_dna_cache_lock); } /** - * + * * Get the dna plug-in version * */ int dna_version() { - return DNA_PLUGIN_VERSION; + return DNA_PLUGIN_VERSION; } /** * Plugin identity mgmt */ -void setPluginID(void * pluginID) +void setPluginID(void *pluginID) { - _PluginID=pluginID; + _PluginID = pluginID; } -void * getPluginID() +void *getPluginID() { - return _PluginID; + return _PluginID; } void setPluginDN(char *pluginDN) { - _PluginDN = pluginDN; + _PluginDN = pluginDN; } -char * getPluginDN() +char *getPluginDN() { - return _PluginDN; + return _PluginDN; } -/* +/* dna_init ------------- adds our callbacks to the list */ -int ipa_dna_init( Slapi_PBlock *pb ) +int ipa_dna_init(Slapi_PBlock * pb) { - int status = DNA_SUCCESS; - char * plugin_identity=NULL; + int status = DNA_SUCCESS; + char *plugin_identity = NULL; - slapi_log_error( SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM , "--> ipa_dna_init\n"); + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, + "--> ipa_dna_init\n"); - /** + /** * Store the plugin identity for later use. 
* Used for internal operations */ - - slapi_pblock_get (pb, SLAPI_PLUGIN_IDENTITY, &plugin_identity); - PR_ASSERT (plugin_identity); - setPluginID(plugin_identity); - - if ( slapi_pblock_set( pb, SLAPI_PLUGIN_VERSION, - SLAPI_PLUGIN_VERSION_01 ) != 0 || - slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN, - (void *) dna_start ) != 0 || - slapi_pblock_set(pb, SLAPI_PLUGIN_CLOSE_FN, - (void *) dna_close ) != 0 || - slapi_pblock_set( pb, SLAPI_PLUGIN_DESCRIPTION, - (void *)&pdesc ) != 0 || - slapi_pblock_set(pb, SLAPI_PLUGIN_PRE_MODIFY_FN, - (void *) dna_mod_pre_op ) != 0 || - slapi_pblock_set(pb, SLAPI_PLUGIN_PRE_ADD_FN, - (void *) dna_add_pre_op ) != 0 || - /* the config change checking post op */ - slapi_register_plugin( - "postoperation", /* op type */ - 1, /* Enabled */ - "ipa_dna_init", /* this function desc */ - dna_postop_init, /* init func for post op */ - PLUGIN_DESC, /* plugin desc */ - NULL, /* ? */ - plugin_identity /* access control */ - ) - ) - { - slapi_log_error( SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM, - "ipa_dna_init: failed to register plugin\n" ); - status = DNA_FAILURE; - } - - slapi_log_error( SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM , "<-- ipa_dna_init\n"); - return status; + + slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &plugin_identity); + PR_ASSERT(plugin_identity); + setPluginID(plugin_identity); + + if (slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, + SLAPI_PLUGIN_VERSION_01) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN, + (void *) dna_start) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_CLOSE_FN, + (void *) dna_close) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, + (void *) &pdesc) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_PRE_MODIFY_FN, + (void *) dna_mod_pre_op) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_PRE_ADD_FN, + (void *) dna_add_pre_op) != 0 || + /* the config change checking post op */ + slapi_register_plugin("postoperation", /* op type */ + 1, /* Enabled */ + "ipa_dna_init", /* this function desc */ + dna_postop_init, /* 
init func for post op */ + PLUGIN_DESC, /* plugin desc */ + NULL, /* ? */ + plugin_identity /* access control */ + ) + ) { + slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM, + "ipa_dna_init: failed to register plugin\n"); + status = DNA_FAILURE; + } + + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, + "<-- ipa_dna_init\n"); + return status; } -static int dna_postop_init(Slapi_PBlock *pb) +static int dna_postop_init(Slapi_PBlock * pb) { - int status = DNA_SUCCESS; - - if ( slapi_pblock_set( pb, SLAPI_PLUGIN_VERSION, - SLAPI_PLUGIN_VERSION_01 ) != 0 || - slapi_pblock_set( pb, SLAPI_PLUGIN_DESCRIPTION, - (void *)&pdesc ) != 0 || - slapi_pblock_set(pb, SLAPI_PLUGIN_POST_ADD_FN, - (void *) dna_config_check_post_op ) != 0 || - slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODRDN_FN, - (void *) dna_config_check_post_op ) != 0 || - slapi_pblock_set(pb, SLAPI_PLUGIN_POST_DELETE_FN, - (void *) dna_config_check_post_op ) != 0 || - slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODIFY_FN, - (void *) dna_config_check_post_op ) != 0 - ) - { - slapi_log_error( SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM, - "dna_postop_init: failed to register plugin\n" ); - status = DNA_FAILURE; - } - - return status; + int status = DNA_SUCCESS; + + if (slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, + SLAPI_PLUGIN_VERSION_01) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, + (void *) &pdesc) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_POST_ADD_FN, + (void *) dna_config_check_post_op) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODRDN_FN, + (void *) dna_config_check_post_op) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_POST_DELETE_FN, + (void *) dna_config_check_post_op) != 0 || + slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODIFY_FN, + (void *) dna_config_check_post_op) != 0) { + slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM, + "dna_postop_init: failed to register plugin \n"); + status = DNA_FAILURE; + } + + return status; } /* 
@@ -317,60 +318,58 @@ static int dna_postop_init(Slapi_PBlock *pb) Kicks off the config cache. It is called after dna_init. */ -static int dna_start( Slapi_PBlock *pb ) +static int dna_start(Slapi_PBlock * pb) { - char * plugindn = NULL; + char *plugindn = NULL; - slapi_log_error( SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM , "--> dna_start\n"); + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, + "--> dna_start\n"); - config = &dna_anchor.list; - g_dna_cache_lock = PR_NewRWLock(PR_RWLOCK_RANK_NONE, "dna"); - g_new_value_lock = slapi_new_mutex(); + config = &dna_anchor.list; + g_dna_cache_lock = PR_NewRWLock(PR_RWLOCK_RANK_NONE, "dna"); + g_new_value_lock = slapi_new_mutex(); - if(!g_dna_cache_lock || !g_new_value_lock) - { - slapi_log_error( SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM, - "dna_start: lock creation failed\n" ); + if (!g_dna_cache_lock || !g_new_value_lock) { + slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM, + "dna_start: lock creation failed\n"); - return DNA_FAILURE; - } + return DNA_FAILURE; + } - /** + /** * Get the plug-in target dn from the system - * and store it for future use. This should avoid - * hardcoding of DN's in the code. + * and store it for future use. This should avoid + * hardcoding of DN's in the code. 
*/ - slapi_pblock_get(pb, SLAPI_TARGET_DN, &plugindn); - if (plugindn == NULL || strlen(plugindn) == 0) - { - slapi_log_error( SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM , - "dna_start: had to use hard coded config dn\n"); - plugindn = DNA_DN; - } - else - { - slapi_log_error( SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM , + slapi_pblock_get(pb, SLAPI_TARGET_DN, &plugindn); + if (plugindn == NULL || strlen(plugindn) == 0) { + slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM, + "dna_start: had to use hard coded config dn \n"); + plugindn = DNA_DN; + } else { + slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM, "dna_start: config at %s\n", plugindn); - } + } - setPluginDN(plugindn); + setPluginDN(plugindn); - /** + /** * Load the config for our plug-in */ - PR_INIT_CLIST(config); - if (loadPluginConfig() != DNA_SUCCESS) - { - slapi_log_error( SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM, - "dna_start: unable to load plug-in configuration\n" ); - return DNA_FAILURE; - } - - slapi_log_error( SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM , "dna: ready for service\n"); - slapi_log_error( SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM , "<-- dna_start\n"); - - return DNA_SUCCESS; + PR_INIT_CLIST(config); + if (loadPluginConfig() != DNA_SUCCESS) { + slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM, + "dna_start: unable to load plug-in configuration\n"); + return DNA_FAILURE; + } + + slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM, + "dna: ready for service\n"); + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, + "<-- dna_start\n"); + + return DNA_SUCCESS; } /* 
@@ -378,18 +377,20 @@ static int dna_start( Slapi_PBlock *pb ) -------------- closes down the cache */ -static int dna_close( Slapi_PBlock *pb ) +static int dna_close(Slapi_PBlock * pb) { - slapi_log_error( SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM , "--> dna_close\n"); + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, + "--> dna_close\n"); - deleteConfig(); + deleteConfig(); - slapi_log_error( SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM , "<-- dna_close\n"); + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, + "<-- dna_close\n"); - return DNA_SUCCESS; + return DNA_SUCCESS; } -/* +/* * config looks like this * - cn=myplugin * --- ou=posix 
@@ -401,139 +402,147 @@ static int dna_close( Slapi_PBlock *pb ) */ static int loadPluginConfig() { - int status = DNA_SUCCESS; - int result; - int i; - Slapi_PBlock *search_pb; - Slapi_Entry **entries = NULL; - - slapi_log_error( SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM , "--> loadPluginConfig\n"); - - dna_write_lock(); - deleteConfig(); - - search_pb = slapi_pblock_new(); - - slapi_search_internal_set_pb(search_pb, DNA_DN, LDAP_SCOPE_SUBTREE, - "objectclass=*", NULL, 0, NULL, NULL, getPluginID(), 0); - slapi_search_internal_pb(search_pb); - slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &result); - - if (status != DNA_SUCCESS) - { - status = DNA_SUCCESS; - goto cleanup; - } - - slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries); - if (NULL == entries || entries[0] == NULL) - { - status = DNA_SUCCESS; - goto cleanup; - } - - for (i = 0; (entries[i] != NULL); i++) - { - status = parseConfigEntry(entries[i]); - } - -cleanup: - slapi_free_search_results_internal(search_pb); - slapi_pblock_destroy(search_pb); - dna_unlock(); - slapi_log_error( SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM , "<-- loadPluginConfig\n"); - - return status; + int status = DNA_SUCCESS; + int result; + int i; + Slapi_PBlock *search_pb; + Slapi_Entry **entries = NULL; + + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, + "--> loadPluginConfig\n"); + + dna_write_lock(); + deleteConfig(); + + search_pb = slapi_pblock_new(); + + slapi_search_internal_set_pb(search_pb, DNA_DN, LDAP_SCOPE_SUBTREE, + "objectclass=*", NULL, 0, NULL, NULL, + getPluginID(), 0); + slapi_search_internal_pb(search_pb); + slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &result); + + if (status != DNA_SUCCESS) { + status = DNA_SUCCESS; + goto cleanup; + } + + slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, + &entries); + if (NULL == entries || entries[0] == NULL) { + status = DNA_SUCCESS; + goto cleanup; + } + + for (i = 0; (entries[i] != NULL); i++) { + status = 
parseConfigEntry(entries[i]); + } + + cleanup: + slapi_free_search_results_internal(search_pb); + slapi_pblock_destroy(search_pb); + dna_unlock(); + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, + "<-- loadPluginConfig\n"); + + return status; } -static int parseConfigEntry(Slapi_Entry *e) +static int parseConfigEntry(Slapi_Entry * e) { - char *value = NULL; - configEntry *entry = NULL; - configEntry *config_entry = NULL; - PRCList *list = NULL; - int entry_added = 0; - - slapi_log_error( SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM , "--> parseConfigEntry\n"); - - entry = (configEntry*) slapi_ch_calloc(1, sizeof(configEntry)); - if(0 == entry) - goto bail; - - value = slapi_entry_get_ndn(e); - if(value) { - entry->dn = strdup(value); - } - - slapi_log_error( SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM , "----------> dn [%s] \n",entry->dn,0,0); - - value = slapi_entry_attr_get_charptr(e, DNA_TYPE); - if(value) { - entry->type = value; - } - else - goto bail; - - slapi_log_error( SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM , "----------> dnaType [%s] \n",entry->type,0,0); - - value = slapi_entry_attr_get_charptr(e, DNA_NEXTVAL); - if (value) { - entry->nextval = strtoul(value,0,0); - slapi_ch_free_string(&value); - value = 0; - } - else - goto bail; - - slapi_log_error( SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM , "----------> dnaNextValue [%d] \n",entry->nextval,0,0); - - value = slapi_entry_attr_get_charptr(e, DNA_PREFIX); - if (value) { - entry->prefix = value; - } - - slapi_log_error( SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM , "----------> dnaPrefix [%s] \n",entry->prefix,0,0); - - value = slapi_entry_attr_get_charptr(e, DNA_INTERVAL); - if (value) { - entry->interval = strtoul(value,0,0); - slapi_ch_free_string(&value); - value = 0; - } - else - goto bail; - - slapi_log_error( SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM , "----------> dnaInterval [%s] \n",value,0,0); - - value = slapi_entry_attr_get_charptr(e, DNA_GENERATE); - if (value) { - entry->generate = value; - } - - 
slapi_log_error( SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM , "----------> dnaMagicRegen [%s] \n",entry->generate,0,0); - - value = slapi_entry_attr_get_charptr(e, DNA_FILTER); - if (value) { - entry->filter = slapi_str2filter(value); - } - else - goto bail; - - slapi_log_error( SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM , "----------> dnaFilter [%s] \n",value,0,0); - - slapi_ch_free_string(&value); - value = 0; - - value = slapi_entry_attr_get_charptr(e, DNA_SCOPE); - if (value) { - char *canonical_dn = slapi_dn_normalize(value); - entry->scope = canonical_dn; - } - - slapi_log_error( SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM , "----------> dnaScope [%s] \n",entry->scope,0,0); - - - /** + char *value = NULL; + configEntry *entry = NULL; + configEntry *config_entry = NULL; + PRCList *list = NULL; + int entry_added = 0; + + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, + "--> parseConfigEntry\n"); + + entry = (configEntry *) slapi_ch_calloc(1, sizeof(configEntry)); + if (0 == entry) + goto bail; + + value = slapi_entry_get_ndn(e); + if (value) { + entry->dn = strdup(value); + } + + slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, + "----------> dn [%s] \n", entry->dn, 0, 0); + + value = slapi_entry_attr_get_charptr(e, DNA_TYPE); + if (value) { + entry->type = value; + } else + goto bail; + + slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, + "----------> dnaType [%s] \n", entry->type, 0, 0); + + value = slapi_entry_attr_get_charptr(e, DNA_NEXTVAL); + if (value) { + entry->nextval = strtoul(value, 0, 0); + slapi_ch_free_string(&value); + value = 0; + } else + goto bail; + + slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, + "----------> dnaNextValue [%d] \n", entry->nextval, 0, + 0); + + value = slapi_entry_attr_get_charptr(e, DNA_PREFIX); + if (value) { + entry->prefix = value; + } + + slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, + "----------> dnaPrefix [%s] \n", entry->prefix, 0, 0); + + value = slapi_entry_attr_get_charptr(e, 
DNA_INTERVAL); + if (value) { + entry->interval = strtoul(value, 0, 0); + slapi_ch_free_string(&value); + value = 0; + } else + goto bail; + + slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, + "----------> dnaInterval [%s] \n", value, 0, 0); + + value = slapi_entry_attr_get_charptr(e, DNA_GENERATE); + if (value) { + entry->generate = value; + } + + slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, + "----------> dnaMagicRegen [%s] \n", entry->generate, + 0, 0); + + value = slapi_entry_attr_get_charptr(e, DNA_FILTER); + if (value) { + entry->filter = slapi_str2filter(value); + } else + goto bail; + + slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, + "----------> dnaFilter [%s] \n", value, 0, 0); + + slapi_ch_free_string(&value); + value = 0; + + value = slapi_entry_attr_get_charptr(e, DNA_SCOPE); + if (value) { + char *canonical_dn = slapi_dn_normalize(value); + entry->scope = canonical_dn; + } + + slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, + "----------> dnaScope [%s] \n", entry->scope, 0, 0); + + + /** * Finally add the entry to the list * we group by type then by filter * and finally sort by dn length with longer dn's 
@@ -541,109 +550,105 @@ static int parseConfigEntry(Slapi_Entry *e) * code to be simple and quick and * cunningly linear */ - if(!PR_CLIST_IS_EMPTY(config)) - { - list = PR_LIST_HEAD(config); - while(list != config) - { - config_entry = (configEntry*)list; - - if(slapi_attr_type_cmp(config_entry->type, entry->type,1)) - goto next; - - if(slapi_filter_compare(config_entry->filter, entry->filter)) - goto next; - - if(slapi_dn_issuffix(entry->scope,config_entry->scope)) - { - PR_INSERT_BEFORE(&(entry->list), list); - slapi_log_error( SLAPI_LOG_CONFIG, - DNA_PLUGIN_SUBSYSTEM , - "store [%s] before [%s] \n",entry->scope,config_entry->scope,0); - entry_added = 1; - break; - } - -next: - list = PR_NEXT_LINK (list); - - if(config == list) - { - /* add to tail */ - PR_INSERT_BEFORE(&(entry->list), list); - slapi_log_error( SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM , "store [% s] at tail\n",entry->scope,0,0); - entry_added = 1; - break; - } - } - } - else - { - /* first entry */ - PR_INSERT_LINK(&(entry->list), config); - slapi_log_error( SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM , "store [%s] at head \n",entry->scope,0,0); - entry_added = 1; - } - -bail: - if(0 == entry_added) - { - slapi_log_error( SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM , - "config entry [%s] skipped\n",entry->dn,0,0); - freeConfigEntry(&entry); - } - - slapi_log_error( SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM , "<-- parseConfigEntry\n"); - - return DNA_SUCCESS; + if (!PR_CLIST_IS_EMPTY(config)) { + list = PR_LIST_HEAD(config); + while (list != config) { + config_entry = (configEntry *) list; + + if (slapi_attr_type_cmp(config_entry->type, entry->type, 1)) + goto next; + + if (slapi_filter_compare(config_entry->filter, entry->filter)) + goto next; + + if (slapi_dn_issuffix(entry->scope, config_entry->scope)) { + PR_INSERT_BEFORE(&(entry->list), list); + slapi_log_error(SLAPI_LOG_CONFIG, + DNA_PLUGIN_SUBSYSTEM, + "store [%s] before [%s] \n", entry->scope, + config_entry->scope, 0); + entry_added = 1; + break; + } + 
+ next: + list = PR_NEXT_LINK(list); + + if (config == list) { + /* add to tail */ + PR_INSERT_BEFORE(&(entry->list), list); + slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, + "store [%s] at tail\n", entry->scope, 0, + 0); + entry_added = 1; + break; + } + } + } else { + /* first entry */ + PR_INSERT_LINK(&(entry->list), config); + slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, + "store [%s] at head \n", entry->scope, 0, 0); + entry_added = 1; + } + + bail: + if (0 == entry_added) { + slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, + "config entry [%s] skipped\n", entry->dn, 0, 0); + freeConfigEntry(&entry); + } + + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, + "<-- parseConfigEntry\n"); + + return DNA_SUCCESS; } -static void freeConfigEntry(configEntry **entry) +static void freeConfigEntry(configEntry ** entry) { - configEntry *e = *entry; + configEntry *e = *entry; - if(e->dn) - { - slapi_log_error( SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM , - "freeing config entry [%s]\n",e->dn,0,0); - slapi_ch_free_string(&e->dn); - } + if (e->dn) { + slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, + "freeing config entry [%s]\n", e->dn, 0, 0); + slapi_ch_free_string(&e->dn); + } - if(e->type) - slapi_ch_free_string(&e->type); + if (e->type) + slapi_ch_free_string(&e->type); - if(e->prefix) - slapi_ch_free_string(&e->prefix); + if (e->prefix) + slapi_ch_free_string(&e->prefix); - if(e->filter) - slapi_filter_free(e->filter,1); + if (e->filter) + slapi_filter_free(e->filter, 1); - if(e->generate) - slapi_ch_free_string(&e->generate); + if (e->generate) + slapi_ch_free_string(&e->generate); - if(e->scope) - slapi_ch_free_string(&e->scope); + if (e->scope) + slapi_ch_free_string(&e->scope); - slapi_ch_free((void**)entry); + slapi_ch_free((void **) entry); } -static void deleteConfigEntry(PRCList *entry) +static void deleteConfigEntry(PRCList * entry) { - PR_REMOVE_LINK(entry); - freeConfigEntry((configEntry**)&entry); + 
PR_REMOVE_LINK(entry); + freeConfigEntry((configEntry **) & entry); } static void deleteConfig() { - PRCList *list; + PRCList *list; - while(!PR_CLIST_IS_EMPTY(config)) - { - list = PR_LIST_HEAD(config); - deleteConfigEntry(list); - } + while (!PR_CLIST_IS_EMPTY(config)) { + list = PR_LIST_HEAD(config); + deleteConfigEntry(list); + } - return; + return; } @@ -651,23 +656,25 @@ static void deleteConfig() Helpers ****************************************************/ -static char *dna_get_dn(Slapi_PBlock *pb) +static char *dna_get_dn(Slapi_PBlock * pb) { - char *dn = 0; - slapi_log_error( SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM , "--> dna_get_dn\n"); + char *dn = 0; + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, + "--> dna_get_dn\n"); - if(slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn )) - { - slapi_log_error( SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM, "dna_get_dn: failed to get dn of changed entry"); - goto bail; - } + if (slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn)) { + slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM, + "dna_get_dn: failed to get dn of changed entry"); + goto bail; + } /* slapi_dn_normalize( dn ); */ -bail: - slapi_log_error( SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM , "<-- dna_get_dn\n"); + bail: + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, + "<-- dna_get_dn\n"); - return dn; + return dn; } /* config check @@ -675,18 +682,19 @@ bail: */ static int dna_dn_is_config(char *dn) { - int ret = 0; + int ret = 0; - slapi_log_error( SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM , "--> dna_is_config\n"); + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, + "--> dna_is_config\n"); - if(slapi_dn_issuffix(dn, getPluginDN())) - { - ret=1; - } + if (slapi_dn_issuffix(dn, getPluginDN())) { + ret = 1; + } - slapi_log_error( SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM , "<-- dna_is_config\n"); + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, + "<-- dna_is_config\n"); - return ret; + return ret; } 
@@ -704,155 +712,144 @@ static int dna_dn_is_config(char *dn) * 2. remove current value, add new value in one operation * 3. if failed, and less than 3 times, goto 1 */ -static int dna_get_next_value(configEntry *config_entry, char **next_value_ret) +static int dna_get_next_value(configEntry * config_entry, + char **next_value_ret) { - int ret = LDAP_SUCCESS; - Slapi_DN *dn = 0; - char *attrlist[3]; - Slapi_Entry *e = 0; - int attempts = 0; + int ret = LDAP_SUCCESS; + Slapi_DN *dn = 0; + char *attrlist[3]; + Slapi_Entry *e = 0; + int attempts = 0; - slapi_log_error( SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM , "--> dna_get_next_value\n"); + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, + "--> dna_get_next_value\n"); - /* get pre-requisites to search */ - dn = slapi_sdn_new_dn_byref(config_entry->dn); - attrlist[0] = DNA_NEXTVAL; - attrlist[1] = DNA_INTERVAL; - attrlist[2] = 0; + /* get pre-requisites to search */ + dn = slapi_sdn_new_dn_byref(config_entry->dn); + attrlist[0] = DNA_NEXTVAL; + attrlist[1] = DNA_INTERVAL; + attrlist[2] = 0; - /* the operation is constructed such that race conditions - * to increment the value are detected and avoided - one wins, - * one loses - however, there is no need for the server to compete - * with itself so we lock here - */ + /* the operation is constructed such that race conditions + * to increment the value are detected and avoided - one wins, + * one loses - however, there is no need for the server to compete + * with itself so we lock here + */ + + slapi_lock_mutex(g_new_value_lock); + + while (attempts < 3 && LDAP_SUCCESS == ret) { + attempts++; + + /* do update */ + if (e) { + slapi_entry_free(e); + e = 0; + } + + ret = + slapi_search_internal_get_entry(dn, attrlist, &e, + getPluginID()); + if (LDAP_SUCCESS == ret) { + char *old_value; + + old_value = slapi_entry_attr_get_charptr(e, DNA_NEXTVAL); + if (old_value) { + LDAPMod mod_add; + LDAPMod mod_delete; + LDAPMod *mods[3]; + Slapi_PBlock *pb = slapi_pblock_new(); + 
char *delete_val[2]; + char *add_val[2]; + char new_value[16]; + char *interval = 0; + + mods[0] = &mod_delete; + mods[1] = &mod_add; + mods[2] = 0; + + if (0 == pb) + goto bail; + + interval = slapi_entry_attr_get_charptr(e, DNA_INTERVAL); + if (0 == interval) { + slapi_pblock_destroy(pb); + slapi_ch_free_string(&old_value); + goto bail; + } + + /* perform increment */ + + sprintf(new_value, "%lu", + strtoul(interval, 0, 0) + + strtoul(old_value, 0, 0)); - slapi_lock_mutex(g_new_value_lock); - - while(attempts < 3 && LDAP_SUCCESS == ret) - { - attempts++; - - /* do update */ - if(e) - { - slapi_entry_free(e); - e = 0; - } - - ret = slapi_search_internal_get_entry( dn, attrlist, &e,getPluginID()); - if(LDAP_SUCCESS == ret) - { - char *old_value; - - old_value = slapi_entry_attr_get_charptr(e, DNA_NEXTVAL); - if(old_value) - { - LDAPMod mod_add; - LDAPMod mod_delete; - LDAPMod *mods[3]; - Slapi_PBlock *pb = slapi_pblock_new(); - char *delete_val[2]; - char *add_val[2]; - char new_value[16]; - char *interval = 0; - - mods[0] = &mod_delete; - mods[1] = &mod_add; - mods[2] = 0; - - if(0 == pb) - goto bail; - - interval = slapi_entry_attr_get_charptr(e, DNA_INTERVAL); - if(0 == interval) - { - slapi_pblock_destroy(pb); - slapi_ch_free_string(&old_value); - goto bail; - } - - /* perform increment */ - - sprintf(new_value, "%lu", - strtoul(interval,0,0) + - strtoul(old_value,0,0)); - - delete_val[0] = old_value; - delete_val[1] = 0; - - mod_delete.mod_op = LDAP_MOD_DELETE; - mod_delete.mod_type = DNA_NEXTVAL; - mod_delete.mod_values = delete_val; - - add_val[0] = new_value; - add_val[1] = 0; - - mod_add.mod_op = LDAP_MOD_ADD; - mod_add.mod_type = DNA_NEXTVAL; - mod_add.mod_values = add_val; - - - mods[0] = &mod_delete; - mods[1] = &mod_add; - mods[2] = 0; - - slapi_modify_internal_set_pb( - pb, config_entry->dn, - mods, 0, 0, - getPluginID(), 0); - - slapi_modify_internal_pb(pb); - - slapi_pblock_get(pb, - SLAPI_PLUGIN_INTOP_RESULT, - &ret); - - slapi_pblock_destroy(pb); 
- slapi_ch_free_string(&interval); - - if(LDAP_SUCCESS == ret) - { - *next_value_ret = old_value; - break; - } - else - { - slapi_ch_free_string(&old_value); - if(LDAP_NO_SUCH_ATTRIBUTE != ret) - { - /* not the result of a race - to change the value - */ - break; - } - else - /* we lost the race to mod - try again - */ - ret = LDAP_SUCCESS; - } - } - else - break; - } - else - break; - } - -bail: - - slapi_unlock_mutex(g_new_value_lock); - - if(dn) - slapi_sdn_free(&dn); - - if(e) - slapi_entry_free(e); - - slapi_log_error( SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM , "<-- dna_get_next_value\n"); - - return ret; + delete_val[0] = old_value; + delete_val[1] = 0; + + mod_delete.mod_op = LDAP_MOD_DELETE; + mod_delete.mod_type = DNA_NEXTVAL; + mod_delete.mod_values = delete_val; + + add_val[0] = new_value; + add_val[1] = 0; + + mod_add.mod_op = LDAP_MOD_ADD; + mod_add.mod_type = DNA_NEXTVAL; + mod_add.mod_values = add_val; + + + mods[0] = &mod_delete; + mods[1] = &mod_add; + mods[2] = 0; + + slapi_modify_internal_set_pb(pb, config_entry->dn, + mods, 0, 0, getPluginID(), 0); + + slapi_modify_internal_pb(pb); + + slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret); + + slapi_pblock_destroy(pb); + slapi_ch_free_string(&interval); + + if (LDAP_SUCCESS == ret) { + *next_value_ret = old_value; + break; + } else { + slapi_ch_free_string(&old_value); + if (LDAP_NO_SUCH_ATTRIBUTE != ret) { + /* not the result of a race + to change the value + */ + break; + } else + /* we lost the race to mod + try again + */ + ret = LDAP_SUCCESS; + } + } else + break; + } else + break; + } + + bail: + + slapi_unlock_mutex(g_new_value_lock); + + if (dn) + slapi_sdn_free(&dn); + + if (e) + slapi_entry_free(e); + + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, + "<-- dna_get_next_value\n"); + + return ret; } /* for mods and adds: 
@@ -861,278 +858,241 @@ bail: are identical - otherwise all matches count */ -static int dna_pre_op(Slapi_PBlock *pb, int modtype) +static int dna_pre_op(Slapi_PBlock * pb, int modtype) { - char *dn = 0; - PRCList *list = 0; - configEntry *config_entry = 0; - struct slapi_entry *e = 0; - char *last_type = 0; - char *value = 0; - int generate = 0; - Slapi_Mods *smods = 0; - Slapi_Mod *smod = 0; - LDAPMod **mods; - int free_entry = 0; - int ret = 0; - - slapi_log_error( SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM , "--> dna_pre_op\n"); - - if(0 == (dn = dna_get_dn(pb))) - goto bail; - - if(dna_dn_is_config(dn)) - goto bail; - - if(LDAP_CHANGETYPE_ADD == modtype) - { - slapi_pblock_get( pb, SLAPI_ADD_ENTRY, &e); - } - else - { - /* xxxPAR: Ideally SLAPI_MODIFY_EXISTING_ENTRY should be - * available but it turns out that is only true if you are - * a dbm backend pre-op plugin - lucky dbm backend pre-op - * plugins. - * I think that is wrong since the entry is useful for filter - * tests and schema checks and this plugin shouldn't be limited - * to a single backend type, but I don't want that fight right - * now so we go get the entry here - * - slapi_pblock_get( pb, SLAPI_MODIFY_EXISTING_ENTRY, &e); - */ - Slapi_DN *tmp_dn = slapi_sdn_new_dn_byref(dn); - if(tmp_dn) - { - slapi_search_internal_get_entry( - tmp_dn, 0, &e,getPluginID()); - slapi_sdn_free(&tmp_dn); - free_entry = 1; - } - - /* grab the mods - we'll put them back later with - * our modifications appended - */ - slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &mods); - smods = slapi_mods_new(); - slapi_mods_init_passin(smods, mods); - } - - if(0 == e) - goto bailmod; - - dna_read_lock(); - - if(!PR_CLIST_IS_EMPTY(config)) - { - list = PR_LIST_HEAD(config); - - while(list != config && LDAP_SUCCESS == ret) - { - config_entry = (configEntry*)list; - - /* did we already service this type? */ - if(last_type) - { - if(! 
slapi_attr_type_cmp(config_entry->type, last_type,1)) - goto next; - } + char *dn = 0; + PRCList *list = 0; + configEntry *config_entry = 0; + struct slapi_entry *e = 0; + char *last_type = 0; + char *value = 0; + int generate = 0; + Slapi_Mods *smods = 0; + Slapi_Mod *smod = 0; + LDAPMod **mods; + int free_entry = 0; + int ret = 0; + + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, + "--> dna_pre_op\n"); + + if (0 == (dn = dna_get_dn(pb))) + goto bail; + + if (dna_dn_is_config(dn)) + goto bail; + + if (LDAP_CHANGETYPE_ADD == modtype) { + slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &e); + } else { + /* xxxPAR: Ideally SLAPI_MODIFY_EXISTING_ENTRY should be + * available but it turns out that is only true if you are + * a dbm backend pre-op plugin - lucky dbm backend pre-op + * plugins. + * I think that is wrong since the entry is useful for filter + * tests and schema checks and this plugin shouldn't be limited + * to a single backend type, but I don't want that fight right + * now so we go get the entry here + * + slapi_pblock_get( pb, SLAPI_MODIFY_EXISTING_ENTRY, &e); + */ + Slapi_DN *tmp_dn = slapi_sdn_new_dn_byref(dn); + if (tmp_dn) { + slapi_search_internal_get_entry(tmp_dn, 0, &e, getPluginID()); + slapi_sdn_free(&tmp_dn); + free_entry = 1; + } - /* is the entry in scope? */ - if(config_entry->scope) - { - if(!slapi_dn_issuffix(dn, config_entry->scope)) - goto next; + /* grab the mods - we'll put them back later with + * our modifications appended + */ + slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods); + smods = slapi_mods_new(); + slapi_mods_init_passin(smods, mods); + } + + if (0 == e) + goto bailmod; + + dna_read_lock(); + + if (!PR_CLIST_IS_EMPTY(config)) { + list = PR_LIST_HEAD(config); + + while (list != config && LDAP_SUCCESS == ret) { + config_entry = (configEntry *) list; + + /* did we already service this type? */ + if (last_type) { + if (!slapi_attr_type_cmp(config_entry->type, last_type, 1)) + goto next; + } + + /* is the entry in scope? 
*/ + if (config_entry->scope) { + if (!slapi_dn_issuffix(dn, config_entry->scope)) + goto next; + } + + /* does the entry match the filter? */ + if (config_entry->filter) { + if (LDAP_SUCCESS != slapi_vattr_filter_test(pb, + e, + config_entry-> + filter, 0)) + goto next; + } + + + if (LDAP_CHANGETYPE_ADD == modtype) { + /* does attribute contain the magic value + or is the type not there? + */ + value = + slapi_entry_attr_get_charptr(e, config_entry->type); + if ((value + && !slapi_UTF8CASECMP(config_entry->generate, value)) + || 0 == value) { + generate = 1; + } + } else { + /* check mods for magic value */ + Slapi_Mod *next_mod = slapi_mod_new(); + smod = slapi_mods_get_first_smod(smods, next_mod); + while (smod) { + char *type = (char *) + slapi_mod_get_type(smod); + + if (slapi_attr_types_equivalent(type, + config_entry->type)) { + struct berval *bv = + slapi_mod_get_first_value(smod); + int len = strlen(config_entry->generate); + + + if (len == bv->bv_len) { + if (!slapi_UTF8NCASECMP(bv->bv_val, + config_entry-> + generate, len)) + + generate = 1; + break; } + } - /* does the entry match the filter? */ - if(config_entry->filter) - { - if(LDAP_SUCCESS != slapi_vattr_filter_test(pb, - e, - config_entry->filter,0)) - goto next; - } + slapi_mod_done(next_mod); + smod = slapi_mods_get_next_smod(smods, next_mod); + } + slapi_mod_free(&next_mod); + } - if(LDAP_CHANGETYPE_ADD == modtype) - { - /* does attribute contain the magic value - or is the type not there? 
- */ - value = slapi_entry_attr_get_charptr( - e, config_entry->type); - if((value && - !slapi_UTF8CASECMP( - config_entry->generate, - value)) || - 0 == value) - { - generate = 1; - } - } - else - { - /* check mods for magic value */ - Slapi_Mod *next_mod = slapi_mod_new(); - smod = slapi_mods_get_first_smod( - smods, - next_mod); - while(smod) - { - char *type = (char *) - slapi_mod_get_type(smod); - - if(slapi_attr_types_equivalent( - type, - config_entry->type)) - { - struct berval *bv = - slapi_mod_get_first_value( - smod); - int len = strlen( - config_entry-> - generate); - - - if(len == bv->bv_len) - { - if(!slapi_UTF8NCASECMP( - bv->bv_val, - config_entry-> - generate, - len)) - - generate = 1; - break; - } - } - - slapi_mod_done(next_mod); - smod = slapi_mods_get_next_smod( - smods, - next_mod); - } - - slapi_mod_free(&next_mod); - } + if (generate) { + char *new_value; + int len; - if(generate) - { - char *new_value; - int len; - - /* create the value to add */ - if((ret = dna_get_next_value(config_entry,&value))) - break; - - len = strlen(value) + 1; - if(config_entry->prefix) - { - len += strlen(config_entry->prefix); - } - - new_value = slapi_ch_malloc(len); - - if(config_entry->prefix) - { - strcpy(new_value, - config_entry->prefix); - strcat(new_value, value); - } - else - strcpy(new_value, value); - - /* do the mod */ - if(LDAP_CHANGETYPE_ADD == modtype) - { - /* add - add to entry */ - slapi_entry_attr_set_charptr( - e, - config_entry->type, - new_value); - } - else - { - /* mod - add to mods */ - slapi_mods_add_string( - smods, - LDAP_MOD_REPLACE, - config_entry->type, - new_value); - } - - /* free up */ - slapi_ch_free_string(&value); - slapi_ch_free_string(&new_value); - - /* make sure we don't generate for this - * type again - */ - if(LDAP_SUCCESS == ret) - { - last_type = config_entry->type; - } - - generate = 0; - } -next: - list = PR_NEXT_LINK (list); + /* create the value to add */ + if ((ret = dna_get_next_value(config_entry, &value))) + 
break; + + len = strlen(value) + 1; + if (config_entry->prefix) { + len += strlen(config_entry->prefix); } + + new_value = slapi_ch_malloc(len); + + if (config_entry->prefix) { + strcpy(new_value, config_entry->prefix); + strcat(new_value, value); + } else + strcpy(new_value, value); + + /* do the mod */ + if (LDAP_CHANGETYPE_ADD == modtype) { + /* add - add to entry */ + slapi_entry_attr_set_charptr(e, + config_entry->type, + new_value); + } else { + /* mod - add to mods */ + slapi_mods_add_string(smods, + LDAP_MOD_REPLACE, + config_entry->type, new_value); + } + + /* free up */ + slapi_ch_free_string(&value); + slapi_ch_free_string(&new_value); + + /* make sure we don't generate for this + * type again + */ + if (LDAP_SUCCESS == ret) { + last_type = config_entry->type; + } + + generate = 0; + } + next: + list = PR_NEXT_LINK(list); } + } - dna_unlock(); + dna_unlock(); -bailmod: - if(LDAP_CHANGETYPE_MODIFY == modtype) - { - /* these are the mods you made, really, - * I didn't change them, honest, just had a quick look - */ - mods = slapi_mods_get_ldapmods_passout(smods); - slapi_pblock_set( pb, SLAPI_MODIFY_MODS, mods); - slapi_mods_free(&smods); - } + bailmod: + if (LDAP_CHANGETYPE_MODIFY == modtype) { + /* these are the mods you made, really, + * I didn't change them, honest, just had a quick look + */ + mods = slapi_mods_get_ldapmods_passout(smods); + slapi_pblock_set(pb, SLAPI_MODIFY_MODS, mods); + slapi_mods_free(&smods); + } -bail: + bail: - if(free_entry && e) - slapi_entry_free(e); + if (free_entry && e) + slapi_entry_free(e); - if(ret) - slapi_log_error( SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM , "dna_pre_op: operation failure [%d]\n", ret); + if (ret) + slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM, + "dna_pre_op: operation failure [%d]\n", ret); - slapi_log_error( SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM , "<-- dna_pre_op\n"); + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, + "<-- dna_pre_op\n"); - return ret; + return ret; } -static int 
dna_add_pre_op( Slapi_PBlock *pb ) +static int dna_add_pre_op(Slapi_PBlock * pb) { - return dna_pre_op(pb, LDAP_CHANGETYPE_ADD); + return dna_pre_op(pb, LDAP_CHANGETYPE_ADD); } -static int dna_mod_pre_op( Slapi_PBlock *pb ) +static int dna_mod_pre_op(Slapi_PBlock * pb) { - return dna_pre_op(pb, LDAP_CHANGETYPE_MODIFY); + return dna_pre_op(pb, LDAP_CHANGETYPE_MODIFY); } -static int dna_config_check_post_op(Slapi_PBlock *pb) +static int dna_config_check_post_op(Slapi_PBlock * pb) { - char *dn; + char *dn; - slapi_log_error( SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM , "--> dna_config_check_post_op\n"); + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, + "--> dna_config_check_post_op\n"); - if((dn = dna_get_dn(pb))) - { - if(dna_dn_is_config(dn)) - loadPluginConfig(); - } + if ((dn = dna_get_dn(pb))) { + if (dna_dn_is_config(dn)) + loadPluginConfig(); + } - slapi_log_error( SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM , "<-- dna_config_check_post_op\n"); + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, + "<-- dna_config_check_post_op\n"); - return 0; + return 0; } /**************************************************** 
@@ -1146,31 +1106,27 @@ static int dna_config_check_post_op(Slapi_PBlock *pb) */ void dnaDumpConfig() { - PRCList *list; + PRCList *list; - dna_read_lock(); + dna_read_lock(); - if(!PR_CLIST_IS_EMPTY(config)) - { - list = PR_LIST_HEAD(config); - while(list != config) - { - dnaDumpConfigEntry((configEntry*)list); - list = PR_NEXT_LINK (list); - } - } + if (!PR_CLIST_IS_EMPTY(config)) { + list = PR_LIST_HEAD(config); + while (list != config) { + dnaDumpConfigEntry((configEntry *) list); + list = PR_NEXT_LINK(list); + } + } - dna_unlock(); + dna_unlock(); } -void dnaDumpConfigEntry(configEntry *entry) +void dnaDumpConfigEntry(configEntry * entry) { - printf("<- type --------------> %s\n", entry->type); - printf("<---- prefix ---------> %s\n", entry->prefix); - printf("<---- next value -----> %lu\n", entry->nextval); - printf("<---- interval -------> %lu\n", entry->interval); - printf("<---- generate flag --> %s\n", entry->generate); + printf("<- type --------------> %s\n", entry->type); + printf("<---- prefix ---------> %s\n", entry->prefix); + printf("<---- next value -----> %lu\n", entry->nextval); + printf("<---- interval -------> %lu\n", entry->interval); + printf("<---- generate flag --> %s\n", entry->generate); } - - -- 1.5.4.1 From rcritten at redhat.com Thu May 1 18:44:36 2008 
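Review bot: the pointer spacing in the reformatted declarations, starting with `Slapi_PBlock * pb` in this first hunk and continuing with `configEntry ** entry` and `(configEntry **) & entry` further down, shows that indent was not given the project's typedef names and so treated the asterisk as a binary operator; rerun it with `-T Slapi_PBlock -T Slapi_Entry -T configEntry -T PRCList` (the full typedef list) so declarations come out as `Slapi_PBlock *pb`, and set the label indentation option so `bail:` and `next:` are not indented to the code level, which is what the rest of the tree uses.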
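Review bot: in loadPluginConfig the internal search result is read into `result`, but the check that follows tests `status`, which is still DNA_SUCCESS at that point, so a failed search is never detected and the loop runs over whatever `entries` happens to hold; compare `result` against LDAP_SUCCESS instead. In the same hunk, `status = parseConfigEntry(entries[i])` is overwritten on every iteration so only the last entry's return code survives, `entry->dn = strdup(value)` is later released with `slapi_ch_free_string` (allocator mismatch; use `slapi_ch_strdup`), the `dnaInterval` log line passes `value` after it has been freed and set to 0 (log `entry->interval` with `%lu` instead), and `dnaNextValue` is logged with `%d` although `strtoul` and dnaDumpConfigEntry treat it as an unsigned long. A style-only patch rightly leaves these alone, but they deserve a follow-up.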
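Review bot: the `bail:` block in parseConfigEntry logs `entry->dn` and calls freeConfigEntry whenever `entry_added` is 0, but the calloc failure at the top of the function jumps here with `entry == NULL`, so that path dereferences a null pointer; guard the block with `if (entry)` or return early when the allocation fails.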
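Review bot: the trace messages in dna_dn_is_config still read `--> dna_is_config` and `<-- dna_is_config`; since this patch already rewrites both lines, rename them to match the function so the log can be searched by function name.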
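Review bot: `new_value[16]` is too small for the `%lu` that sprintf writes into it in dna_get_next_value: an unsigned long is up to 20 decimal digits plus the terminator on 64-bit builds, so a large counter overflows the stack buffer; size it to at least `3 * sizeof(unsigned long) + 2` and use snprintf. Also, when all three attempts lose the race, the loop exits with `ret` reset to LDAP_SUCCESS and `*next_value_ret` never assigned, so the caller proceeds as if a value had been generated; return an error such as LDAP_OPERATIONS_ERROR in that case. The `if (0 == pb) goto bail;` path additionally leaks `old_value`.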
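Review bot: `config_entry->generate` is optional (parseConfigEntry does not bail when dnaMagicRegen is absent), yet dna_pre_op passes it unchecked to slapi_UTF8CASECMP on the add path and to strlen on the modify path, so a config entry without a magic value crashes the server on the first operation that matches its scope and filter; either require the attribute in parseConfigEntry or treat a missing `generate` as "generate only when the type is absent". On the add path, `value` (the string returned by slapi_entry_attr_get_charptr) is also overwritten by `dna_get_next_value(config_entry, &value)` without being freed.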
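Review bot: dnaDumpConfigEntry prints `entry->prefix` and `entry->generate` with `%s`, but both attributes are optional in parseConfigEntry and stay NULL when absent, which is undefined behaviour for printf; print `entry->prefix ? entry->prefix : "(none)"` and do the same for `generate`.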
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 01 May 2008 14:44:36 -0400 Subject: [Freeipa-devel] [PATCH] Fix style in dna.c In-Reply-To: <1209663509.12808.155.camel@localhost.localdomain> References: <1209663509.12808.155.camel@localhost.localdomain> Message-ID: <481A0F94.3070908@redhat.com> Simo Sorce wrote: > I've decided to start fixing the style in our C code. > I am starting by fixing code I am going to work with. > > Here there is a patch to fix dna.c style. > Ack, this was really not in our coding standard. rob From taruishi at redhat.com Fri May 2 09:38:39 2008
From: taruishi at redhat.com (Masato Taruishi) Date: Fri, 02 May 2008 18:38:39 +0900 Subject: [Freeipa-devel] [PATCH] create tmp directory for ipa-kpasswd In-Reply-To: <1209657012.12808.145.camel@localhost.localdomain> References: <1209655551.15501.52.camel@dhcp-193-183.nrt.redhat.com> <1209656839.12808.142.camel@localhost.localdomain> <1209657012.12808.145.camel@localhost.localdomain> Message-ID: <1209721119.15501.53.camel@dhcp-193-183.nrt.redhat.com> So how about this patch? On Thu, 2008-05-01 at 11:50 -0400, Simo Sorce wrote: > On Thu, 2008-05-01 at 11:47 -0400, Simo Sorce wrote: > > On Fri, 2008-05-02 at 00:25 +0900, Masato Taruishi wrote: > > > This patch creates a temporary directory before mkstemp(2) > > > in ipa-kpasswd. > > > > > > Because mkstemp doesn't create directories, it may fail > > > with ENOENT. > > > > Nack, > > the kpasswd directory must be created by make install/spec file and > > properly SELinux labeled (where available). > > > > Current F9 package is broken in this respect :-( but we already fixed > > the spec file. > > To be fair, we should probably change the code to retrieve the TMP_DIR > from the environment so that it can be changed at runtime, I would love > to get a patch that implements that and sets the correct default > in /etc/sysconfig/ipa-kpasswd > > Simo. > -------------- next part -------------- A non-text attachment was scrubbed... Name: ipa_kpasswd_cachedir.patch Type: text/x-patch Size: 3219 bytes Desc: not available From ssorce at redhat.com Fri May 2 12:48:45 2008
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 02 May 2008 08:48:45 -0400 Subject: [Freeipa-devel] [PATCH] create tmp directory for ipa-kpasswd In-Reply-To: <1209721119.15501.53.camel@dhcp-193-183.nrt.redhat.com> References: <1209655551.15501.52.camel@dhcp-193-183.nrt.redhat.com> <1209656839.12808.142.camel@localhost.localdomain> <1209657012.12808.145.camel@localhost.localdomain> <1209721119.15501.53.camel@dhcp-193-183.nrt.redhat.com> Message-ID: <1209732525.12808.172.camel@localhost.localdomain> On Fri, 2008-05-02 at 18:38 +0900, Masato Taruishi wrote: > + tmp_file = (char > *)malloc(strlen(cachedir)+strlen(TMP_TEMPLATE)+2); > if (!tmp_file) { > syslog(LOG_ERR, "Out of memory!"); > ret = KRB5_KPASSWD_HARDERROR; > goto done; > } > + strcpy( tmp_file, cachedir ); > + strcat( tmp_file, "/" ); > + strcat( tmp_file, TMP_TEMPLATE ); Change all this with: asprintf(&tmp_file, "%s/%s", cachedir, TMP_TEMPLATE); Simo. -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Fri May 2 14:34:03 2008 
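Review bot: the quoted malloc/strcpy/strcat sequence is sized correctly (the `+2` covers the separator and the terminator), but if it is replaced with `asprintf(&tmp_file, "%s/%s", cachedir, TMP_TEMPLATE);` as suggested, the existing `if (!tmp_file)` test is no longer a reliable failure check, because asprintf returns -1 on allocation failure and the contents of `tmp_file` are then unspecified (glibc documents them as undefined); test the return value instead, e.g. `if (asprintf(&tmp_file, "%s/%s", cachedir, TMP_TEMPLATE) < 0) {`, and keep the `ret = KRB5_KPASSWD_HARDERROR; goto done;` handling on that path.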
From: dpal at redhat.com (Dmitri Pal) Date: Fri, 02 May 2008 10:34:03 -0400 Subject: [Freeipa-devel] [PATCH] create tmp directory for ipa-kpasswd In-Reply-To: <1209732525.12808.172.camel@localhost.localdomain> References: <1209655551.15501.52.camel@dhcp-193-183.nrt.redhat.com> <1209656839.12808.142.camel@localhost.localdomain> <1209657012.12808.145.camel@localhost.localdomain> <1209721119.15501.53.camel@dhcp-193-183.nrt.redhat.com> <1209732525.12808.172.camel@localhost.localdomain> Message-ID: <481B265B.30809@redhat.com> Simo Sorce wrote: > On Fri, 2008-05-02 at 18:38 +0900, Masato Taruishi wrote: > >> + tmp_file = (char >> *)malloc(strlen(cachedir)+strlen(TMP_TEMPLATE)+2); >> if (!tmp_file) { >> syslog(LOG_ERR, "Out of memory!"); >> ret = KRB5_KPASSWD_HARDERROR; >> goto done; >> } >> + strcpy( tmp_file, cachedir ); >> + strcat( tmp_file, "/" ); >> + strcat( tmp_file, TMP_TEMPLATE ); >> > > > Change all this with: > asprintf(&tmp_file, "%s/%s", cachedir, TMP_TEMPLATE); > > Simo. > > This is a non standard extension. If we ever plan to have this code on the client that will run on other OSes we should not optimize like this. If it is server code I agree. -- Dmitri Pal Engineering Manager Red Hat Inc. From ssorce at redhat.com Fri May 2 14:44:25 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 02 May 2008 10:44:25 -0400 Subject: [Freeipa-devel] [PATCH] create tmp directory for ipa-kpasswd In-Reply-To: <481B265B.30809@redhat.com> References: <1209655551.15501.52.camel@dhcp-193-183.nrt.redhat.com> <1209656839.12808.142.camel@localhost.localdomain> <1209657012.12808.145.camel@localhost.localdomain> <1209721119.15501.53.camel@dhcp-193-183.nrt.redhat.com> <1209732525.12808.172.camel@localhost.localdomain> <481B265B.30809@redhat.com> Message-ID: <1209739465.12808.188.camel@localhost.localdomain> On Fri, 2008-05-02 at 10:34 -0400, Dmitri Pal wrote: > Simo Sorce wrote: > > On Fri, 2008-05-02 at 18:38 +0900, Masato Taruishi wrote: > > > >> + tmp_file = (char > >> *)malloc(strlen(cachedir)+strlen(TMP_TEMPLATE)+2); > >> if (!tmp_file) { > >> syslog(LOG_ERR, "Out of memory!"); > >> ret = KRB5_KPASSWD_HARDERROR; > >> goto done; > >> } > >> + strcpy( tmp_file, cachedir ); > >> + strcat( tmp_file, "/" ); > >> + strcat( tmp_file, TMP_TEMPLATE ); > >> > > > > > > Change all this with: > > asprintf(&tmp_file, "%s/%s", cachedir, TMP_TEMPLATE); > > > > Simo. > > > > > This is a non standard extension. If we ever plan to have this code on > the client that will run on other OSes we should not optimize like this. > If it is server code I agree. Server code. In any case I have a replacement function for OSs that do not support asprintf. The reason I prefer asprintf is that allocation size is not manually calculated and it avoids the use of completely unsafe functions like strcpy and strcat (I know the code as proposed is ok, but once people start to patch it bugs will creep in). Simo. -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Fri May 2 15:13:41 2008 
From: dpal at redhat.com (Dmitri Pal) Date: Fri, 02 May 2008 11:13:41 -0400 Subject: [Freeipa-devel] [PATCH] create tmp directory for ipa-kpasswd In-Reply-To: <1209739465.12808.188.camel@localhost.localdomain> References: <1209655551.15501.52.camel@dhcp-193-183.nrt.redhat.com> <1209656839.12808.142.camel@localhost.localdomain> <1209657012.12808.145.camel@localhost.localdomain> <1209721119.15501.53.camel@dhcp-193-183.nrt.redhat.com> <1209732525.12808.172.camel@localhost.localdomain> <481B265B.30809@redhat.com> <1209739465.12808.188.camel@localhost.localdomain> Message-ID: <481B2FA5.6070003@redhat.com> Simo Sorce wrote: > On Fri, 2008-05-02 at 10:34 -0400, Dmitri Pal wrote: > >> Simo Sorce wrote: >> >>> On Fri, 2008-05-02 at 18:38 +0900, Masato Taruishi wrote: >>> >>> >>>> + tmp_file = (char >>>> *)malloc(strlen(cachedir)+strlen(TMP_TEMPLATE)+2); >>>> if (!tmp_file) { >>>> syslog(LOG_ERR, "Out of memory!"); >>>> ret = KRB5_KPASSWD_HARDERROR; >>>> goto done; >>>> } >>>> + strcpy( tmp_file, cachedir ); >>>> + strcat( tmp_file, "/" ); >>>> + strcat( tmp_file, TMP_TEMPLATE ); >>>> >>>> >>> Change all this with: >>> asprintf(&tmp_file, "%s/%s", cachedir, TMP_TEMPLATE); >>> >>> Simo. >>> >>> >>> >> This is a non standard extension. If we ever plan to have this code on >> the client that will run on other OSes we should not optimize like this. >> If it is server code I agree. >> > > Server code. > > In any case I have replacement function for OSs that do not support > asprintf. > The reason I prefer asprintf is that allocation size is not manually > calculated and it avoid the use of completely unsafe functions like > strcpy and strcat (I know the code as proposed is ok, but once people > start to patch it bugs will creep in). > > Simo. > > Ok -- Dmitri Pal Engineering Manager Red Hat Inc. From rmeggins at redhat.com Fri May 2 15:20:53 2008 
From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 02 May 2008 09:20:53 -0600 Subject: [Freeipa-devel] [PATCH] create tmp directory for ipa-kpasswd In-Reply-To: <481B2FA5.6070003@redhat.com> References: <1209655551.15501.52.camel@dhcp-193-183.nrt.redhat.com> <1209656839.12808.142.camel@localhost.localdomain> <1209657012.12808.145.camel@localhost.localdomain> <1209721119.15501.53.camel@dhcp-193-183.nrt.redhat.com> <1209732525.12808.172.camel@localhost.localdomain> <481B265B.30809@redhat.com> <1209739465.12808.188.camel@localhost.localdomain> <481B2FA5.6070003@redhat.com> Message-ID: <481B3155.3030102@redhat.com> Dmitri Pal wrote: > Simo Sorce wrote: >> On Fri, 2008-05-02 at 10:34 -0400, Dmitri Pal wrote: >> >>> Simo Sorce wrote: >>> >>>> On Fri, 2008-05-02 at 18:38 +0900, Masato Taruishi wrote: >>>> >>>>> + tmp_file = (char >>>>> *)malloc(strlen(cachedir)+strlen(TMP_TEMPLATE)+2); >>>>> if (!tmp_file) { >>>>> syslog(LOG_ERR, "Out of memory!"); >>>>> ret = KRB5_KPASSWD_HARDERROR; >>>>> goto done; >>>>> } >>>>> + strcpy( tmp_file, cachedir ); >>>>> + strcat( tmp_file, "/" ); >>>>> + strcat( tmp_file, TMP_TEMPLATE ); >>>>> >>>> Change all this with: >>>> asprintf(&tmp_file, "%s/%s", cachedir, TMP_TEMPLATE); >>>> >>>> Simo. >>>> >>>> >>> This is a non standard extension. If we ever plan to have this code >>> on the client that will run on other OSes we should not optimize >>> like this. >>> If it is server code I agree. >>> >> >> Server code. >> >> In any case I have replacement function for OSs that do not support >> asprintf. >> The reason I prefer asprintf is that allocation size is not manually >> calculated and it avoid the use of completely unsafe functions like >> strcpy and strcat (I know the code as proposed is ok, but once people >> start to patch it bugs will creep in). >> >> Simo. >> >> > Ok > If NSPR is available, you can use PR_smprintf() to do the same thing. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Sun May 4 16:44:25 2008 From: ssorce at redhat.com (Simo Sorce) Date: Sun, 04 May 2008 12:44:25 -0400 Subject: [Freeipa-devel] Encrypting replica information Message-ID: <1209919465.12808.199.camel@localhost.localdomain> When we create a replica file we include in it very security sensitive information. Then we tell the admin to move it to another machine and use it. This info is not cleared from the main server, and it may be forgotten in a tmp directory on the target server. Given we need to ask for the Directory Manager password to be able to install the replica I was thinking it could be a good idea to encrypt the replica information with the same password and decipher the data only at installation time, making sure we clean up any temporary file. This also implicitly proves the Directory Manager password is correct even before trying to connect to the other server catching an error in that sense very early on. What do you think? Simo. -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Sun May 4 18:01:27 2008 
From: dpal at redhat.com (Dmitri Pal) Date: Sun, 04 May 2008 14:01:27 -0400 Subject: [Freeipa-devel] Encrypting replica information In-Reply-To: <1209919465.12808.199.camel@localhost.localdomain> References: <1209919465.12808.199.camel@localhost.localdomain> Message-ID: <481DF9F7.80204@redhat.com> Simo Sorce wrote: > When we create a replica file we include in it very security sensitive > information. Then we tell the admin to move it to another machine and > use it. > This info is not cleared from the main server, and it may be forgotten > in a tmp directory on the target server. > > Given we need to ask for the Directory Manager password to be able to > install the replica I was thinking it could be a good idea to encrypt > the replica information with the same password and decipher the data > only at installation time, making sure we clean up any temporary file. > > This also implicitly proves the Directory Manager password is correct > even before trying to connect to the other server catching an error in > that sense very early on. > > What do you think? > > Simo. > > I agree. I would also suggest adding an 8-bit pepper. Since it is a one time operation it is ok to spend several seconds for decryption. Something like: key = sha256 (nonce1 + password + pepper byte + nonce2) + denotes concatenation nonce 1 & 2 are at least 16 bytes and included into the package in clear. And use AES as the encryption algorithm. -- Dmitri Pal Engineering Manager Red Hat Inc. From rcritten at redhat.com Mon May 5 14:05:35 2008 
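Simo's proposal (encrypt the replica file under the Directory Manager password so a wrong password is caught before any connection is attempted) combined with Dmitri's key derivation above, as an added Go example that is not FreeIPA code. The package layout, the use of AES in GCM mode, the 12-byte IV and the function names are assumptions made for this example; the pepper byte is deliberately never stored, so decryption tries all 256 values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed package layout (assumption for this example):
//   nonce1 (16, clear) || nonce2 (16, clear) || iv (12, clear) || AES-GCM ciphertext+tag
// The one-byte pepper is NOT written out; whoever decrypts must try all 256 values.
const (
	nonceLen = 16 // "nonce 1 & 2 are at least 16 byte" in the proposal
	ivLen    = 12 // standard AES-GCM nonce size
)

// deriveKey follows the proposal literally:
//   key = sha256(nonce1 + password + pepper byte + nonce2)
func deriveKey(nonce1, nonce2 []byte, password string, pepper byte) []byte {
	h := sha256.New()
	h.Write(nonce1)
	h.Write([]byte(password))
	h.Write([]byte{pepper})
	h.Write(nonce2)
	return h.Sum(nil) // 32 bytes, used as an AES-256 key
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealReplicaInfo encrypts the replica file contents under the DM password.
func SealReplicaInfo(dmPassword string, plaintext []byte) ([]byte, error) {
	nonce1 := make([]byte, nonceLen)
	nonce2 := make([]byte, nonceLen)
	iv := make([]byte, ivLen)
	pepper := make([]byte, 1)
	for _, b := range [][]byte{nonce1, nonce2, iv, pepper} {
		if _, err := rand.Read(b); err != nil {
			return nil, err
		}
	}
	aead, err := newAEAD(deriveKey(nonce1, nonce2, dmPassword, pepper[0]))
	if err != nil {
		return nil, err
	}
	header := make([]byte, 0, 2*nonceLen+ivLen)
	header = append(header, nonce1...)
	header = append(header, nonce2...)
	header = append(header, iv...)
	// The clear header is bound as associated data, so the nonces cannot be
	// swapped or truncated without the GCM tag check failing.
	ciphertext := aead.Seal(nil, iv, plaintext, header)
	return append(header, ciphertext...), nil
}

// OpenReplicaInfo recovers the plaintext by trying every pepper value. A wrong
// password fails all 256 attempts, which is the early password check Simo wants.
func OpenReplicaInfo(dmPassword string, pkg []byte) ([]byte, error) {
	const hdrLen = 2*nonceLen + ivLen
	if len(pkg) < hdrLen+16 { // 16 = GCM tag size
		return nil, errors.New("replica package too short")
	}
	header := pkg[:hdrLen]
	nonce1 := header[:nonceLen]
	nonce2 := header[nonceLen : 2*nonceLen]
	iv := header[2*nonceLen:]
	body := pkg[hdrLen:]
	for p := 0; p < 256; p++ {
		aead, err := newAEAD(deriveKey(nonce1, nonce2, dmPassword, byte(p)))
		if err != nil {
			return nil, err
		}
		if pt, err := aead.Open(nil, iv, body, header); err == nil {
			return pt, nil
		}
	}
	return nil, errors.New("wrong Directory Manager password or corrupted replica package")
}

func main() {
	// Constructed stand-in for the sensitive replica data.
	info := []byte("master=ipa1.example.test\nreplication-bind-pw=constructed-secret\n")
	pkg, err := SealReplicaInfo("dm-secret", info)
	if err != nil {
		panic(err)
	}
	pt, err := OpenReplicaInfo("dm-secret", pkg)
	fmt.Printf("correct password: err=%v match=%v\n", err, err == nil && string(pt) == string(info))
	_, err = OpenReplicaInfo("not-the-dm-password", pkg)
	fmt.Println("wrong password:", err)
}
```

The unstored pepper multiplies the cost of every offline password guess by 256 at the price of the same factor for the one legitimate decryption; a single SHA-256 is what the thread proposes, a memory-hard password KDF is what would give the same effect today.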
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 05 May 2008 10:05:35 -0400 Subject: [Freeipa-devel] Encrypting replica information In-Reply-To: <1209919465.12808.199.camel@localhost.localdomain> References: <1209919465.12808.199.camel@localhost.localdomain> Message-ID: <481F142F.4020204@redhat.com> Simo Sorce wrote: > When we create a replica file we include in it very security sensitive > information. Then we tell the admin to move it to another machine and > use it. > This info is not cleared from the main server, and it may be forgotten > in a tmp directory on the target server. > > Given we need to ask for the Directory Manager password to be able to > install the replica I was thinking it could be a good idea to encrypt > the replica information with the same password and decipher the data > only at installation time, making sure we clean up any temporary file. > > This also implicitly proves the Directory Manager password is correct > even before trying to connect to the other server catching an error in > that sense very early on. > > What do you think? > > Simo. > Seems reasonable. Can you file a bug? thanks rob From rcritten at redhat.com Mon May 5 15:11:46 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 05 May 2008 11:11:46 -0400 Subject: [Freeipa-devel] [PATCH] fix trivial problem with ipa-adddelegation man page Message-ID: <481F23B2.7000702@redhat.com> Removed duplicate "the" and added some formatting in the EXAMPLE. Already pushed this change out to ipa-1-0 and master. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-11-man.patch Type: text/x-patch Size: 1635 bytes Desc: not available URL: From rmeggins at redhat.com Mon May 5 15:39:15 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 05 May 2008 09:39:15 -0600 Subject: [Freeipa-devel] [Fwd: augeas - reading/modifying/writing system configuration files] Message-ID: <481F2A23.80601@redhat.com> This might be an interesting way to hook into application config, or to grab existing configuration to store in another format. -------------- next part -------------- An embedded message was scrubbed... From: Harald Hoyer Subject: augeas - reading/modifying/writing system configuration files Date: Mon, 05 May 2008 14:15:02 +0200 Size: 6348 URL: From rcritten at redhat.com Mon May 5 17:51:20 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 05 May 2008 13:51:20 -0400 Subject: [Freeipa-devel] [PATCH] Change the way versioning is done In-Reply-To: <1209649201.12808.111.camel@localhost.localdomain> References: <4818E401.7010301@redhat.com> <1209649201.12808.111.camel@localhost.localdomain> Message-ID: <481F4918.8050103@redhat.com> Simo Sorce wrote: > On Wed, 2008-04-30 at 17:26 -0400, Rob Crittenden wrote: >> The file VERSION is now the sole-source of versioning. >> >> The generated .spec files will been removed in the maintainer-clean >> targets >> and have been removed from the repository. >> >> By default a GIT build is done. To do a non-GIT build do: >> >> $ make TARGET IPA_VERSION_IS_GIT_SNAPSHOT=no >> >> When updating the version you can run this to regenerate the version: >> >> $ make version-update >> >> The version can be determined in Python by using >> ipaserver.version.VERSION >> >> Please review this patch carefully, it changes a lot of stuff :-) > > You deleted a lot of stuff:-) > > full ack! > > Simo. > Pushed to master and ipa-1-0 rob From rcritten at redhat.com Mon May 5 17:56:37 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 05 May 2008 13:56:37 -0400 Subject: [Freeipa-devel] [PATCH] Change the way versioning is done In-Reply-To: <481F4918.8050103@redhat.com> References: <4818E401.7010301@redhat.com> <1209649201.12808.111.camel@localhost.localdomain> <481F4918.8050103@redhat.com> Message-ID: <481F4A55.4010207@redhat.com> Rob Crittenden wrote: > Simo Sorce wrote: >> On Wed, 2008-04-30 at 17:26 -0400, Rob Crittenden wrote: >>> The file VERSION is now the sole-source of versioning. >>> >>> The generated .spec files will been removed in the maintainer-clean >>> targets >>> and have been removed from the repository. >>> >>> By default a GIT build is done. To do a non-GIT build do: >>> >>> $ make TARGET IPA_VERSION_IS_GIT_SNAPSHOT=no >>> >>> When updating the version you can run this to regenerate the version: >>> >>> $ make version-update >>> >>> The version can be determined in Python by using >>> ipaserver.version.VERSION >>> >>> Please review this patch carefully, it changes a lot of stuff :-) >> >> You deleted a lot of stuff:-) >> >> full ack! >> >> Simo. >> > > Pushed to master and ipa-1-0 Ok, git didn't do what I wanted and this didn't contain the whole patch. Fortunately I already removed that tree so I get to do this all over again :-( rob From ssorce at redhat.com Mon May 5 18:29:16 2008 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 05 May 2008 14:29:16 -0400 Subject: [Freeipa-devel] [PATCH] Try to make some error message more clear where they come from Message-ID: <1210012156.12808.237.camel@localhost.localdomain> From ebcb9fe6a87f82cd3cb9750e9d6c32954d31e89c Mon Sep 17 00:00:00 2001 
From: Simo Sorce Date: Mon, 5 May 2008 14:03:51 -0400 Subject: [PATCH] Return better error message that gives a hint about who actually returned it + Some cleanups (trailing spaces and such). --- ipa-server/ipaserver/replication.py | 15 ++++++--------- 1 files changed, 6 insertions(+), 9 deletions(-) diff --git a/ipa-server/ipaserver/replication.py b/ipa-server/ipaserver/replication.py index b9e4e6c..d8bb600 100644 --- a/ipa-server/ipaserver/replication.py +++ b/ipa-server/ipaserver/replication.py @@ -91,7 +91,6 @@ class ReplicationManager: def replica_dn(self): return 'cn=replica, cn="%s", cn=mapping tree, cn=config' % self.suffix - def local_replica_config(self, conn, replica_id): dn = self.replica_dn() @@ -196,19 +195,17 @@ class ReplicationManager: self.conn.modify_s(dn, mod) except ldap.TYPE_OR_VALUE_EXISTS: logging.debug("chainOnUpdate already enabled for %s" % self.suffix) - - + def setup_chain_on_update(self, other_conn): chainbe = self.setup_chaining_backend(other_conn) self.enable_chain_on_update(chainbe) - + def agreement_dn(self, conn): cn = "meTo%s%d" % (conn.host, PORT) dn = "cn=%s, %s" % (cn, self.replica_dn()) return (cn, dn) - def setup_agreement(self, a, b): cn, dn = self.agreement_dn(b) @@ -259,7 +256,7 @@ class ReplicationManager: if not status: print "No status yet" elif status.find("replica busy") > -1: - print "Update failed - replica busy - status", status + print "[%s] reports: Replica Busy! Status: [%s]" % (conn.host, status) done = True hasError = 2 elif status.find("Total update succeeded") > -1: @@ -268,7 +265,7 @@ class ReplicationManager: elif inprogress.lower() == 'true': print "Update in progress yet not in progress" else: - print "Update failed: status", status + print "[%s] reports: Update failed! Status: [%s]" % (conn.host, status) hasError = 1 done = True else: 
@@ -292,7 +289,7 @@ class ReplicationManager: other_conn.modify_s(dn, mod) return self.wait_for_repl_init(other_conn, dn) - + def basic_replication_setup(self, conn, replica_id): self.add_replication_manager(conn) self.local_replica_config(conn, replica_id) @@ -319,7 +316,7 @@ class ReplicationManager: self.setup_agreement(other_conn, self.conn) self.setup_agreement(self.conn, other_conn) - + return self.start_replication(other_conn) def initialize_replication(self, dn, conn): -- 1.5.4.1 -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Mon May 5 19:03:50 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 05 May 2008 15:03:50 -0400 Subject: [Freeipa-devel] [PATCH] Change the way versioning is done In-Reply-To: <481F4A55.4010207@redhat.com> References: <4818E401.7010301@redhat.com> <1209649201.12808.111.camel@localhost.localdomain> <481F4918.8050103@redhat.com> <481F4A55.4010207@redhat.com> Message-ID: <481F5A16.4010902@redhat.com> Here is the other half of the version patch, the last one contained just the files that were added or removed. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-12-version.patch Type: text/x-patch Size: 13716 bytes Desc: not available URL: From ssorce at redhat.com Mon May 5 19:14:51 2008 
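Review bot: in the @@ -259,7 hunk the new print interpolates `conn.host`, but the parameter name of the enclosing function is not visible in the hunk; the only caller shown in this patch, `return self.wait_for_repl_init(other_conn, dn)`, passes the connection as `other_conn`, so confirm the parameter inside wait_for_repl_init is really named `conn`, otherwise the error path itself would fail with a NameError instead of reporting the busy replica. The `[%s] reports:` prefix is a good addition; since the same file already uses `logging.debug(...)` for the chainOnUpdate case, consider emitting these two host-tagged messages through `logging` as well so they end up in the install log and not only on stdout.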
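Review bot: in the @@ -268,7 hunk the generic failure branch now names the reporting host, but the neighbouring context line `print "Update in progress yet not in progress"` keeps the old form and reads as a contradiction to anyone who sees it; given the purpose of this change it could carry the same `[%s] reports:` prefix and state that `inprogress` is still 'true' while the status says otherwise. The branch also sets `hasError = 1` where the busy branch sets `hasError = 2`; a one-line comment on what the two codes mean to the caller would save the next reader a trip through the callers.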
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 05 May 2008 15:14:51 -0400 Subject: [Freeipa-devel] [PATCH] Change the way versioning is done In-Reply-To: <481F5A16.4010902@redhat.com> References: <4818E401.7010301@redhat.com> <1209649201.12808.111.camel@localhost.localdomain> <481F4918.8050103@redhat.com> <481F4A55.4010207@redhat.com> <481F5A16.4010902@redhat.com> Message-ID: <1210014891.12808.243.camel@localhost.localdomain> On Mon, 2008-05-05 at 15:03 -0400, Rob Crittenden wrote: > Here is the other half of the version patch, the last one contained > just > the files that were added or removed. Looks good. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Mon May 5 20:06:02 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 05 May 2008 16:06:02 -0400 Subject: [Freeipa-devel] [PATCH] root everything into /ipa In-Reply-To: <1207251523.3533.353.camel@localhost.localdomain> References: <47F52EDA.3050306@redhat.com> <1207251523.3533.353.camel@localhost.localdomain> Message-ID: <481F68AA.3050906@redhat.com> Simo Sorce wrote: > On Thu, 2008-04-03 at 15:24 -0400, Rob Crittenden wrote: >> Refine our web space some more so that everything we reference is >> in /ipa >> >> UI: /ipa/ui >> XML-RPC: /ipa/xml >> errors: /ipa/errors >> config: /ipa/config >> >> I had to hardcode that URI into the CSS pages but TurboGears handles >> the >> rest of the translations with tg.url(). > > Looks good! > > Thanks, > Simo. > I'm ready to check this patch in but it will break any existing installations (though not too badly). What we need to do is generate a new /etc/httpd/conf.d/ipa.conf and /etc/httpd/conf.d/ipa-rewrite.conf. I was thinking we could do this in Fedora in a %post script. Rename the current files and generate new ones (how, I'm not exactly sure yet). I suppose we could use sed to replace $REALM with the default realm from /etc/krb5.conf and the output of hostname -f for $FQDN in ipa-rewrite.conf. Opinions? rob From ssorce at redhat.com Mon May 5 20:14:13 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 05 May 2008 16:14:13 -0400 Subject: [Freeipa-devel] [PATCH] root everything into /ipa In-Reply-To: <481F68AA.3050906@redhat.com> References: <47F52EDA.3050306@redhat.com> <1207251523.3533.353.camel@localhost.localdomain> <481F68AA.3050906@redhat.com> Message-ID: <1210018453.12808.247.camel@localhost.localdomain> On Mon, 2008-05-05 at 16:06 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > On Thu, 2008-04-03 at 15:24 -0400, Rob Crittenden wrote: > >> Refine our web space some more so that everything we reference is > >> in /ipa > >> > >> UI: /ipa/ui > >> XML-RPC: /ipa/xml > >> errors: /ipa/errors > >> config: /ipa/config > >> > >> I had to hardcode that URI into the CSS pages but TurboGears handles > >> the > >> rest of the translations with tg.url(). > > > > Looks good! > > > > Thanks, > > Simo. > > > > I'm ready to check this patch in but it will break any existing > installations (though not too badly). > > What we need to do is generate a new /etc/httpd/conf.d/ipa.conf and > /etc/httpd/conf.d/ipa-rewrite.conf. > > I was thinking we could do this in Fedora in a %post script. Rename the > current files and generate new ones (how, I'm not exactly sure yet). I > suppose we could use sed to replace $REALM with the default realm from > /etc/krb5.conf and the output of hostname -f for $FQDN in ipa-rewrite.conf. > > Opinions? do we distribute these files as part of the packaging or are they marked configuration files? The problem of %post is that it doesn't have a clue whether IPA is currently configured or just installed, we would need to find it out as well. If the mere upgrade does not break a running installation we could provide an upgrade script ? Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Mon May 5 21:20:34 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 05 May 2008 17:20:34 -0400 Subject: [Freeipa-devel] [PATCH] root everything into /ipa In-Reply-To: <1210018453.12808.247.camel@localhost.localdomain> References: <47F52EDA.3050306@redhat.com> <1207251523.3533.353.camel@localhost.localdomain> <481F68AA.3050906@redhat.com> <1210018453.12808.247.camel@localhost.localdomain> Message-ID: <481F7A22.7020303@redhat.com> Simo Sorce wrote: > On Mon, 2008-05-05 at 16:06 -0400, Rob Crittenden wrote: >> Simo Sorce wrote: >>> On Thu, 2008-04-03 at 15:24 -0400, Rob Crittenden wrote: >>>> Refine our web space some more so that everything we reference is >>>> in /ipa >>>> >>>> UI: /ipa/ui >>>> XML-RPC: /ipa/xml >>>> errors: /ipa/errors >>>> config: /ipa/config >>>> >>>> I had to hardcode that URI into the CSS pages but TurboGears handles >>>> the >>>> rest of the translations with tg.url(). >>> Looks good! >>> >>> Thanks, >>> Simo. >>> >> I'm ready to check this patch in but it will break any existing >> installations (though not too badly). >> >> What we need to do is generate a new /etc/httpd/conf.d/ipa.conf and >> /etc/httpd/conf.d/ipa-rewrite.conf. >> >> I was thinking we could do this in Fedora in a %post script. Rename the >> current files and generate new ones (how, I'm not exactly sure yet). I >> suppose we could use sed to replace $REALM with the default realm from >> /etc/krb5.conf and the output of hostname -f for $FQDN in ipa-rewrite.conf. >> >> Opinions? > > do we distribute these files as part of the packaging or are they marked > configuration files? > > The problem of %post is that it doesn't have a clue whether IPA is > currently configured or just installed, we would need to find it out as > well. > > If the mere upgrade does not break a running installation we could > provide an upgrade script ? > They are not marked as config files. I suppose we need to ghost them. In any case, if the file exists I think we can assume IPA is configured. 
It will break the management of a running installation. Kerberos and LDAP will continue to work fine but the UI and the command-line tools will not work. The thing about an upgrade script is that users would have to know to run it. rob From rcritten at redhat.com Tue May 6 20:10:26 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 06 May 2008 16:10:26 -0400 Subject: [Freeipa-devel] [PATCH] root everything into /ipa In-Reply-To: <481F7A22.7020303@redhat.com> References: <47F52EDA.3050306@redhat.com> <1207251523.3533.353.camel@localhost.localdomain> <481F68AA.3050906@redhat.com> <1210018453.12808.247.camel@localhost.localdomain> <481F7A22.7020303@redhat.com> Message-ID: <4820BB32.80209@redhat.com> Rob Crittenden wrote: > Simo Sorce wrote: >> On Mon, 2008-05-05 at 16:06 -0400, Rob Crittenden wrote: >>> Simo Sorce wrote: >>>> On Thu, 2008-04-03 at 15:24 -0400, Rob Crittenden wrote: >>>>> Refine our web space some more so that everything we reference is >>>>> in /ipa >>>>> >>>>> UI: /ipa/ui >>>>> XML-RPC: /ipa/xml >>>>> errors: /ipa/errors >>>>> config: /ipa/config >>>>> >>>>> I had to hardcode that URI into the CSS pages but TurboGears handles >>>>> the rest of the translations with tg.url(). >>>> Looks good! >>>> >>>> Thanks, >>>> Simo. >>>> >>> I'm ready to check this patch in but it will break any existing >>> installations (though not too badly). >>> >>> What we need to do is generate a new /etc/httpd/conf.d/ipa.conf and >>> /etc/httpd/conf.d/ipa-rewrite.conf. >>> >>> I was thinking we could do this in Fedora in a %post script. Rename >>> the current files and generate new ones (how, I'm not exactly sure >>> yet). I suppose we could use sed to replace $REALM with the default >>> realm from /etc/krb5.conf and the output of hostname -f for $FQDN in >>> ipa-rewrite.conf. >>> >>> Opinions? >> >> do we distribute these files as part of the packaging or are they marked >> configuration files? >> >> The problem of %post is that it doesn't have a clue whether IPA is >> currently configured or just installed, we would need to find it out as >> well. >> >> If the mere upgrade does not break a running installation we could >> provide an upgrade script ? >> > > They are not marked as config files. I suppose we need to ghost them. 
> > In any case, if the file exists I think we can assume IPA is configured. > > It will break the management of a running installation. Kerberos and > LDAP will continue to work fine but the UI and the command-line tools > will not work. > > The thing about an upgrade script is that users would have to know to > run it. Ok here is another shot at the patch. I wrote a little python script that will update the two affected configuration files and we can add more as necessary. The script is in /usr/sbin/ipa-upgradeconfig and is set to run in %post of ipa-server. It will do nothing if nothing is to be changed and will save a copy of the config any time it updates it. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-13-webroot.patch Type: text/x-patch Size: 19422 bytes Desc: not available URL: From ssorce at redhat.com Tue May 6 20:35:04 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 06 May 2008 16:35:04 -0400 Subject: [Freeipa-devel] [PATCH] root everything into /ipa In-Reply-To: <4820BB32.80209@redhat.com> References: <47F52EDA.3050306@redhat.com> <1207251523.3533.353.camel@localhost.localdomain> <481F68AA.3050906@redhat.com> <1210018453.12808.247.camel@localhost.localdomain> <481F7A22.7020303@redhat.com> <4820BB32.80209@redhat.com> Message-ID: <1210106104.32052.13.camel@localhost.localdomain> On Tue, 2008-05-06 at 16:10 -0400, Rob Crittenden wrote: > Ok here is another shot at the patch. I wrote a little python script > that will update the two affected configuration files and we can add > more as necessary. The script is in /usr/sbin/ipa-upgradeconfig and > is > set to run in %post of ipa-server. It will do nothing if nothing is > to > be changed and will save a copy of the config any time it updates it. Looks good but I'd move the source of ipa-upgradeconfig into /ipa-server so that we can use this script for future upgrades to other parts of IPA too. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Wed May 7 13:41:51 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 07 May 2008 09:41:51 -0400 Subject: [Freeipa-devel] [PATCH] root everything into /ipa In-Reply-To: <1210106104.32052.13.camel@localhost.localdomain> References: <47F52EDA.3050306@redhat.com> <1207251523.3533.353.camel@localhost.localdomain> <481F68AA.3050906@redhat.com> <1210018453.12808.247.camel@localhost.localdomain> <481F7A22.7020303@redhat.com> <4820BB32.80209@redhat.com> <1210106104.32052.13.camel@localhost.localdomain> Message-ID: <4821B19F.3070100@redhat.com> Simo Sorce wrote: > On Tue, 2008-05-06 at 16:10 -0400, Rob Crittenden wrote: >> Ok here is another shot at the patch. I wrote a little python script >> that will update the two affected configuration files and we can add >> more as necessary. The script is in /usr/sbin/ipa-upgradeconfig and >> is >> set to run in %post of ipa-server. It will do nothing if nothing is >> to >> be changed and will save a copy of the config any time it updates it. > > Looks good but I'd move the source of ipa-upgradeconfig into /ipa-server > so that we can use this script for future upgrades to other parts of IPA > too. > > Simo. > Pushed to ipa-1-0 and master. rob From rcritten at redhat.com Wed May 7 18:33:16 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 07 May 2008 14:33:16 -0400 Subject: [Freeipa-devel] [PATCH] Fix a bug in our dns library, do not return the query as a reply In-Reply-To: <1209413796.3329.302.camel@localhost.localdomain> References: <1209413796.3329.302.camel@localhost.localdomain> Message-ID: <4821F5EC.1080008@redhat.com> Simo Sorce wrote: > From 8e9f6e9c6d42a552dfa7fe9dd37824fc811d7625 Mon Sep 17 00:00:00 2001 
> From: Simo Sorce > Date: Mon, 28 Apr 2008 16:06:23 -0400 > Subject: [PATCH] Fix a bug in our dns library, do not return the query > as a reply if 0 replies were returned. ack From bbaker at priefert.com Wed May 7 23:53:46 2008 
From: bbaker at priefert.com (William Baker)
Date: Wed, 07 May 2008 18:53:46 -0500
Subject: [Freeipa-devel] using freeipa as a samba backend
Message-ID: <4822410A.90306@priefert.com>

I've got an existing FDS running as LDAP backend for Samba. I maintain accounts in that system with the smbldap-tools. I read somewhere that the ipa-tools should create the LM hash for Samba, but I don't seem to find that documentation now. I've also followed along enough to know that the true Samba integration is really a V2 feature. Is it possible now to use the ipa-useradd tool in smb.conf? I suppose the smbldap-tools should continue to work with FreeIPA, though I could imagine this might not be "best practice". Is there a "best practice" for using FreeIPA with Samba? I would really like an approach that allowed me to use V1 today and transition to V2 without too much pain.

Sorry if I'm asking an obvious question that I should see in the MAN pages. I can't boot my FreeIPA server right now since FDS can't find the DNS server, and the boot process hangs with a message about initializing sbus. I've seen this before when using LDAP as a backend user account manager and know how to deal with it, as soon as I figure out how to boot a different runlevel in a Xend VM. But that's not really the problem I'm asking about here. If anyone asks, I can detail the problem more clearly for other normal "users" that will have the same problem after Fedora 9 is released.

By the way, congrats on getting V1 into Fedora 9. You'll probably know how long it took FDS to get into the Fedora repository. Everybody should be pleased to see FreeIPA progressing so well.

bbaker

From ssorce at redhat.com Thu May 8 13:08:58 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 08 May 2008 09:08:58 -0400
Subject: [Freeipa-devel] using freeipa as a samba backend
In-Reply-To: <4822410A.90306@priefert.com>
References: <4822410A.90306@priefert.com>
Message-ID: <1210252138.32052.70.camel@localhost.localdomain>

On Wed, 2008-05-07 at 18:53 -0500, William Baker wrote:
> I've got an existing FDS running as LDAP backend for Samba. I maintain
> accounts in that system with the smbldap-tools. I read somewhere that
> the ipa-tools should create the LM hash for Samba, but I don't seem to
> find that documentation now.

the password change module will generate NT/LM hashes if the sambaSamAccount objectclass is present on the object.

> I've also followed along enough to know
> that the true Samba integration is really a V2 feature.

possibly

> Is it possible now to use the ipa-useradd tool in smb.conf?

The only problem with that is that you need valid kerberos credentials and the right to create user objects in the tree.
You should be able to create a special user for that and obtain a keytab which you will use to get a valid ticket.
But no it won't work as is.

> I suppose the smbldap-tools should continue to work with FreeIPA, though
> I could imagine this might not be "best practice".

If you use it only to create machine accounts it might be ok.
For users it is probably not as it would miss many objectclasses and attributes IPA requires.

> Is there a "best practice" for using FreeIPA with Samba?

Not at this moment.

> I would really like an approach
> that allowed me to use V1 today and transition to V2 without too much pain.
>
> Sorry if I'm asking an obvious question that I should see in the MAN
> pages. I can't boot my FreeIPA server right now since FDS can't find
> the DNS server, and the boot process hangs with a message about
> initializing sbus.
I would add the public ip and hostname to /etc/hosts
Also using nscd may help at boot (we should set it on by default, exactly to handle dbus startup issues).

> I've seen this before when using LDAP as a backend
> user account manager and know how to deal with it, as soon as I figure
> out how to boot a different runlevel in a Xend VM. But that's not
> really the problem I'm asking about here. If anyone asks, I can detail
> the problem more clearly for other normal "users" that will have the
> same problem after Fedora 9 is released.

We still have minor bugs we are going to address with an update once Fedora 9 is released, feel free to open bugzillas if you find bugs.

> By the way, congrats on getting V1 into Fedora 9. You'll probably know
> how long it took FDS to get into the Fedora repository. Everybody
> should be pleased to see FreeIPA progressing so well.

Thanks,
Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Thu May 8 15:48:42 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 08 May 2008 11:48:42 -0400
Subject: [Freeipa-devel] [PATCH] version API for the server
Message-ID: <482320DA.4040005@redhat.com>

Let the version be able to know and advertise its version.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-15-version.patch
Type: text/x-patch
Size: 8070 bytes
Desc: not available

From ssorce at redhat.com Thu May 8 15:53:57 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 08 May 2008 11:53:57 -0400
Subject: [Freeipa-devel] [PATCH] version API for the server
In-Reply-To: <482320DA.4040005@redhat.com>
References: <482320DA.4040005@redhat.com>
Message-ID: <1210262038.32052.80.camel@localhost.localdomain>

On Thu, 2008-05-08 at 11:48 -0400, Rob Crittenden wrote:
> Let the version be able to know and advertise its version.

ack

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Thu May 8 16:04:45 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 08 May 2008 12:04:45 -0400
Subject: [Freeipa-devel] [PATCH] Don't prompt for confirmation of DM password when installing a replica
In-Reply-To: <1209653629.12808.137.camel@localhost.localdomain>
References: <4817656F.6030806@redhat.com> <1209648745.12808.109.camel@localhost.localdomain> <4819D78F.6040803@redhat.com> <1209653629.12808.137.camel@localhost.localdomain>
Message-ID: <4823249D.6040603@redhat.com>

Simo Sorce wrote:
> On Thu, 2008-05-01 at 10:45 -0400, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Tue, 2008-04-29 at 14:14 -0400, Rob Crittenden wrote:
>>>> Don't prompt for confirmation of DM password when installing a replica.
>>>>
>>>> It implies that you are setting a new password and you really aren't.
>>> That's true, but the password needs to be confirmed, I think we should
>>> try a bind against the master and not proceed if we find out we can't
>>> bind, but instead fail gracefully after three attempts (prompting again
>>> for the password each time).
>> Sorry, I forgot to mention that. We do a bind to the master to make sure
>> the password is ok before proceeding. We don't ask numerous times, we
>> just fail gracefully if it is wrong (with a helpful message). Not a big
>> difference between re-running the command and asking 3 times though.
>
> Then it is a full ack :-)
>
> Simo.
>

Pushed to master and ipa-1-0

rob

From ssorce at redhat.com Thu May 8 16:07:30 2008
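The check the thread above settles on, a bind to the master as Directory Manager before the replica install touches anything, with Simo's variant of re-prompting up to three times, as an added Python example. This is not ipa-replica-install's code. Assumptions: `ldap_dm_bind` uses python-ldap (`ldap.initialize`, `simple_bind_s`, `ldap.INVALID_CREDENTIALS`) and the bind DN `cn=Directory Manager`; the fake binder and the scripted prompt are constructed so the logic runs offline. The caveat it adds: only a rejected password counts as an attempt; an unreachable master raises straight through, so the operator is not asked to retype a correct password three times because of a network problem.

```python
import getpass


class DMPasswordError(Exception):
    """Raised when the Directory Manager password cannot be verified."""


def verify_dm_password(try_bind, ask_password=getpass.getpass, max_attempts=3):
    """Prompt for the DM password and verify it against the master.

    try_bind(password) returns True on a successful bind, False when the
    master rejects the credentials, and raises for anything else (master
    unreachable, TLS failure); those errors are not the operator's fault and
    abort immediately instead of consuming attempts.
    Returns the verified password; raises DMPasswordError after max_attempts
    rejected passwords so the caller can stop before changing the system.
    """
    for attempt in range(1, max_attempts + 1):
        password = ask_password("Directory Manager password: ")
        if not password:
            raise DMPasswordError("empty Directory Manager password")
        if try_bind(password):
            return password
        left = max_attempts - attempt
        if left:
            print("Bind as Directory Manager failed, %d attempt(s) left" % left)
    raise DMPasswordError(
        "could not bind to the master as Directory Manager after %d attempts; "
        "check the password (and that the master's LDAP port is reachable)"
        % max_attempts)


def ldap_dm_bind(uri, bind_dn="cn=Directory Manager"):
    """Build a try_bind() on python-ldap (assumed present on a real host)."""
    def try_bind(password):
        import ldap  # imported here so the rest of the module needs no python-ldap
        conn = ldap.initialize(uri)
        try:
            conn.simple_bind_s(bind_dn, password)
            return True
        except ldap.INVALID_CREDENTIALS:
            return False          # wrong password: counts as an attempt
        finally:                  # any other LDAPError propagates to the caller
            try:
                conn.unbind_s()
            except ldap.LDAPError:
                pass
    return try_bind


def make_fake_binder(correct_password, down=False):
    """Constructed stand-in for the master's bind: no network involved.

    Returns (try_bind, tried); tried records every password presented.
    down=True simulates an unreachable master by raising instead of
    returning False.
    """
    tried = []

    def try_bind(password):
        tried.append(password)
        if down:
            raise ConnectionError("master unreachable")
        return password == correct_password
    return try_bind, tried


def make_scripted_prompt(answers):
    """Constructed prompt that hands out canned answers in order."""
    answers = list(answers)

    def ask_password(prompt=""):
        return answers.pop(0)
    return ask_password


if __name__ == "__main__":
    # Real use: verify_dm_password(ldap_dm_bind("ldap://master.example.com"))
    bind, tried = make_fake_binder("Secret123")
    print(verify_dm_password(bind, make_scripted_prompt(["typo", "Secret123"])))
```

In the real installer the returned password is what gets handed to the replica setup; nothing is written to disk until `verify_dm_password` has returned.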
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 08 May 2008 12:07:30 -0400
Subject: [Freeipa-devel] [PATCH] Don't allow default service principals to be removed
In-Reply-To: <4815D544.4090407@redhat.com>
References: <481245F4.3050905@redhat.com> <1209159535.4417.26.camel@dhollis-lnx> <481250DA.4050801@redhat.com> <4815D544.4090407@redhat.com>
Message-ID: <1210262850.32052.84.camel@localhost.localdomain>

On Mon, 2008-04-28 at 09:46 -0400, Rob Crittenden wrote:
> >
> > Ack, nice catch. I'll fix it up and resubmit.
>
> Corrected patch.

ack

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Thu May 8 16:58:39 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 08 May 2008 12:58:39 -0400
Subject: [Freeipa-devel] [PATCH] Don't allow default service principals to be removed
In-Reply-To: <1210262850.32052.84.camel@localhost.localdomain>
References: <481245F4.3050905@redhat.com> <1209159535.4417.26.camel@dhollis-lnx> <481250DA.4050801@redhat.com> <4815D544.4090407@redhat.com> <1210262850.32052.84.camel@localhost.localdomain>
Message-ID: <4823313F.5080205@redhat.com>

Simo Sorce wrote:
> On Mon, 2008-04-28 at 09:46 -0400, Rob Crittenden wrote:
>>> Ack, nice catch. I'll fix it up and resubmit.
>> Corrected patch.
>
> ack
>

pushed to master and ipa-1-0

From rcritten at redhat.com Thu May 8 17:02:40 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 08 May 2008 13:02:40 -0400
Subject: [Freeipa-devel] [PATCH] version API for the server
In-Reply-To: <1210262038.32052.80.camel@localhost.localdomain>
References: <482320DA.4040005@redhat.com> <1210262038.32052.80.camel@localhost.localdomain>
Message-ID: <48233230.5020605@redhat.com>

Simo Sorce wrote:
> On Thu, 2008-05-08 at 11:48 -0400, Rob Crittenden wrote:
>> Let the version be able to know and advertise its version.
>
> ack
>

pushed

From rcritten at redhat.com Thu May 8 19:23:20 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 08 May 2008 15:23:20 -0400
Subject: [Freeipa-devel] [PATCH] be more user-friendly when replica install fails
Message-ID: <48235328.6010203@redhat.com>

Display a helpful message on how to recover from a failed (or cancelled) replica installation

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-16-replica.patch
Type: text/x-patch
Size: 1500 bytes
Desc: not available

From rcritten at redhat.com Thu May 8 19:56:04 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 08 May 2008 15:56:04 -0400
Subject: [Freeipa-devel] [PATCH] detect existing instances in replica install
In-Reply-To: <4804839F.2050908@redhat.com>
References: <4803D2DC.8030401@redhat.com> <4804839F.2050908@redhat.com>
Message-ID: <48235AD4.5030304@redhat.com>

Simo Sorce wrote:
> Rob Crittenden wrote:
>> ipa-server-install will detect existing FDS instances and prompt to
>> remove them. ipa-replica-install will not, so I stole the code from
>> ipa-server-install to make things work nicer.
>>
>
> ACK

Pushed to master and ipa-1-0

From ssorce at redhat.com Thu May 8 20:38:36 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 8 May 2008 16:38:36 -0400
Subject: [Freeipa-devel] [PATCH] Fix configuration of IPA server itself to look only at the localhost for ldap and KDC services
Message-ID: <20080508203836.GA29280@hopeson.columbia.edu>

Makes the server use itself only, we do not need nor want to contact other masters to resolve local stuff on a master

--
SSS

From rcritten at redhat.com Thu May 8 20:43:23 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 08 May 2008 16:43:23 -0400
Subject: [Freeipa-devel] [PATCH] Try to make some error message more clear where they come from
In-Reply-To: <1210012156.12808.237.camel@localhost.localdomain>
References: <1210012156.12808.237.camel@localhost.localdomain>
Message-ID: <482365EB.7020307@redhat.com>

Simo Sorce wrote:
>>From ebcb9fe6a87f82cd3cb9750e9d6c32954d31e89c Mon Sep 17 00:00:00 2001
> From: Simo Sorce > Date: Mon, 5 May 2008 14:03:51 -0400 > Subject: [PATCH] Return better ewrror message that gives a hint about > who actually returned it > + Some cleanups (trainling spaces and such). > ack -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Thu May 8 21:02:14 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 8 May 2008 17:02:14 -0400 Subject: [Freeipa-devel] Fix configuration of IPA server itself to look only at localhost for ldap and KDC services Message-ID: <20080508210214.GA30453@hopeson.columbia.edu> Makes the server use itself only, we do not need nor want to contact other masters to resolve local stuff on a master -- SSS -------------- next part -------------- >From 4299a7c75417f8f31806e1adb672e068d5458a43 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 8 May 2008 12:33:38 -0400 Subject: [PATCH] On IPA Servers connect to ourselves using localhost, and avoid searching for KDC servers via DNS, we just connect to ourselves. --- ipa-client/ipa-install/ipa-client-install | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 56fcb32..ce3f164 100644 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -234,7 +234,10 @@ def main(): {'name':'timelimit', 'type':'option', 'value':'15'}, {'name':'empty', 'type':'empty'}] if not dnsok or options.force or options.on_master: - opts.append({'name':'uri', 'type':'option', 'value':'ldap://'+cli_server}) + if options.on_master: + opts.append({'name':'uri', 'type':'option', 'value':'ldap://loclahost'}) + else: + opts.append({'name':'uri', 'type':'option', 'value':'ldap://'+cli_server}) else: opts.append({'name':'nss_srv_domain', 'type':'option', 'value':cli_domain}) 
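Review bot: the on_master branch of the uri hunk writes `'ldap://loclahost'`, a misspelling of localhost, so on a master nss_ldap is pointed at a name that does not resolve and every lookup fails; it has to be `'ldap://localhost'`. Since both branches emit the same option and differ only in the host, set the host once (`host = 'localhost'` under `if options.on_master:`, `host = cli_server` otherwise) and keep a single `opts.append({'name':'uri', 'type':'option', 'value':'ldap://'+host})`, which also removes the duplicated literal where this typo hid.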
@@ -265,7 +268,7 @@ def main(): #[libdefaults] libopts = [{'name':'default_realm', 'type':'option', 'value':cli_realm}] - if dnsok and not options.force: + if dnsok and not options.force and not options.on_master: libopts.append({'name':'dns_lookup_realm', 'type':'option', 'value':'true'}) libopts.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'true'}) else: -- 1.5.4.1 From ssorce at redhat.com Thu May 8 21:09:03 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 08 May 2008 17:09:03 -0400 Subject: [Freeipa-devel] [PATCH] Fix configuration of IPA server itself to look only at the localhost for ldap and KDC services In-Reply-To: <20080508203836.GA29280@hopeson.columbia.edu> References: <20080508203836.GA29280@hopeson.columbia.edu> Message-ID: <1210280943.32052.106.camel@localhost.localdomain> Sorry for the noise, fighting stupid mailman :-( On Thu, 2008-05-08 at 16:38 -0400, Simo Sorce wrote: > Makes the server use itself only, we do not need nor want to contact other > masters to resolve local stuff on a master > > -- > SSS > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu May 8 21:15:58 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 08 May 2008 17:15:58 -0400 Subject: [Freeipa-devel] [PATCH] Try to make some error message more clear where they come from In-Reply-To: <482365EB.7020307@redhat.com> References: <1210012156.12808.237.camel@localhost.localdomain> <482365EB.7020307@redhat.com> Message-ID: <1210281358.32052.108.camel@localhost.localdomain> On Thu, 2008-05-08 at 16:43 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > >>From ebcb9fe6a87f82cd3cb9750e9d6c32954d31e89c Mon Sep 17 00:00:00 2001 
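Review bot: the `else:` branch that the on_master case now falls into is outside the krb5.conf hunk; it has to point the kdc (and admin_server, if it writes one) at the local host rather than `cli_server`, otherwise a master with `dns_lookup_kdc` switched off is simply told to use another master, which is exactly what the commit message says this change avoids. The condition here is the negation of the one in the ldap hunk above (`not dnsok or options.force or options.on_master`); compute `use_dns = dnsok and not options.force and not options.on_master` once in main() and test it in both places so the two cannot drift apart when the next option is added.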
> > From: Simo Sorce
> > Date: Mon, 5 May 2008 14:03:51 -0400
> > Subject: [PATCH] Return better error message that gives a hint about
> > who actually returned it
> > + Some cleanups (trailing spaces and such).
> >
>
> ack

pushed

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu May 8 21:16:54 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 08 May 2008 17:16:54 -0400
Subject: [Freeipa-devel] [PATCH] be more user-friendly when replica install fails
In-Reply-To: <48235328.6010203@redhat.com>
References: <48235328.6010203@redhat.com>
Message-ID: <1210281414.32052.110.camel@localhost.localdomain>

On Thu, 2008-05-08 at 15:23 -0400, Rob Crittenden wrote:
> Display a helpful message on how to recover from a failed (or
> cancelled)
> replica installation

ack

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Thu May 8 21:17:15 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 08 May 2008 17:17:15 -0400
Subject: [Freeipa-devel] [PATCH] include tip when hostname resolves to localhost
Message-ID: <48236DDB.9040304@redhat.com>

Include pointer to /etc/hosts if the IPA server hostname resolves to localhost.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-17-localhost.patch
Type: text/x-patch
Size: 1136 bytes
Desc: not available

From rcritten at redhat.com Thu May 8 21:18:17 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 08 May 2008 17:18:17 -0400
Subject: [Freeipa-devel] Fix configuration of IPA server itself to look only at localhost for ldap and KDC services
In-Reply-To: <20080508210214.GA30453@hopeson.columbia.edu>
References: <20080508210214.GA30453@hopeson.columbia.edu>
Message-ID: <48236E19.4060609@redhat.com>

Simo Sorce wrote:
> Makes the server use itself only, we do not need nor want to contact other
> masters to resolve local stuff on a master

ack

From ssorce at redhat.com Thu May 8 21:46:49 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 08 May 2008 17:46:49 -0400
Subject: [Freeipa-devel] Fix configuration of IPA server itself to look only at localhost for ldap and KDC services
In-Reply-To: <48236E19.4060609@redhat.com>
References: <20080508210214.GA30453@hopeson.columbia.edu> <48236E19.4060609@redhat.com>
Message-ID: <1210283209.32052.112.camel@localhost.localdomain>

On Thu, 2008-05-08 at 17:18 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > Makes the server use itself only, we do not need nor want to contact other
> > masters to resolve local stuff on a master
>
> ack

pushed

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu May 8 21:48:21 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 08 May 2008 17:48:21 -0400
Subject: [Freeipa-devel] [PATCH] include tip when hostname resolves to localhost
In-Reply-To: <48236DDB.9040304@redhat.com>
References: <48236DDB.9040304@redhat.com>
Message-ID: <1210283301.32052.114.camel@localhost.localdomain>

On Thu, 2008-05-08 at 17:17 -0400, Rob Crittenden wrote:
> Include pointer to /etc/hosts if the IPA server hostname resolves to
> localhost.

ack

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu May 8 22:07:47 2008
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 8 May 2008 18:07:47 -0400 Subject: [Freeipa-devel] [PATCH] Fix retrieveing server name from ipa.conf Message-ID: <20080508220747.GA2318@hopeson.columbia.edu> Use the correct check to see if the server names array is empty -------------- next part -------------- >From 1c80f3649402f19ea78e45f911c46094a145a303 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 8 May 2008 18:05:29 -0400 Subject: [PATCH] Fix existence check, default_server is an array so we need to check its length to determine if it is empty --- ipa-python/config.py | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ipa-python/config.py b/ipa-python/config.py index 50055bb..c760bb6 100644 --- a/ipa-python/config.py +++ b/ipa-python/config.py @@ -47,7 +47,7 @@ class IPAConfig: raise IPAConfigError("no default realm") def get_server(self): - if self.default_server: + if len(self.default_server): return self.default_server else: raise IPAConfigError("no default server") @@ -62,7 +62,7 @@ def __parse_config(): try: if not config.default_realm: config.default_realm = p.get("defaults", "realm") - if not config.default_server: + if not len(config.default_server): s = p.get("defaults", "server") config.default_server = re.sub("\s+", "", s).split(',') except: -- 1.5.4.1 From ssorce at redhat.com Fri May 9 02:13:37 2008 
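Review bot: for a list, `if self.default_server:` and `if len(self.default_server):` are the same test (an empty list is already false), so the get_server hunk and the matching `if not len(config.default_server):` in __parse_config change nothing while the attribute is a list, and they turn a None value, which the old check reported as "no default server", into a TypeError. If the intent is to reject a value that is not a list, check the type explicitly; if default_server is always initialised to `[]`, the original truthiness test was already the idiomatic form and the patch can be dropped. Separately, the bare `except:` that closes the __parse_config hunk swallows the ConfigParser errors and that TypeError alike, so a malformed ipa.conf silently leaves default_server empty; catch the ConfigParser exceptions by name so the user gets a diagnostic.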
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 08 May 2008 22:13:37 -0400
Subject: [Freeipa-devel] [PATCH] fix 'make dist'
In-Reply-To: <480D144B.9010807@redhat.com>
References: <480D144B.9010807@redhat.com>
Message-ID: <1210299218.32052.122.camel@localhost.localdomain>

On Mon, 2008-04-21 at 18:25 -0400, Rob Crittenden wrote:
> 'make dist' still required a mercurial command to run to ensure that it
> was building from untainted sources.
>
> I've converted it to use git and added an argument, TARGET, if you want
> to have it pull a specific branch. By default it uses 'master'.

ack

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri May 9 13:06:47 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 09 May 2008 09:06:47 -0400
Subject: [Freeipa-devel] [PATCH] Fix retrieveing server name from ipa.conf
In-Reply-To: <20080508220747.GA2318@hopeson.columbia.edu>
References: <20080508220747.GA2318@hopeson.columbia.edu>
Message-ID: <48244C67.3010001@redhat.com>

Simo Sorce wrote:
> Use the correct check to see if the server names array is empty
>
>

Is there any chance that self.default_server could be None? len of None would raise an error.

If not then ack.

rob

From ssorce at redhat.com Fri May 9 13:15:14 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 09 May 2008 09:15:14 -0400
Subject: [Freeipa-devel] [PATCH] Fix retrieveing server name from ipa.conf
In-Reply-To: <48244C67.3010001@redhat.com>
References: <20080508220747.GA2318@hopeson.columbia.edu> <48244C67.3010001@redhat.com>
Message-ID: <1210338914.32052.131.camel@localhost.localdomain>

On Fri, 2008-05-09 at 09:06 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > Use the correct check to see if the server names array is empty
> >
> >
>
> Is there any chance that self.default_server could be None? len of None
> would raise an error.
>
> If not then ack.

we init it with [] as far as I can see.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri May 9 15:11:36 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 09 May 2008 11:11:36 -0400
Subject: [Freeipa-devel] [PATCH] fix 'make dist'
In-Reply-To: <1210299218.32052.122.camel@localhost.localdomain>
References: <480D144B.9010807@redhat.com> <1210299218.32052.122.camel@localhost.localdomain>
Message-ID: <482469A8.7050104@redhat.com>

Simo Sorce wrote:
> On Mon, 2008-04-21 at 18:25 -0400, Rob Crittenden wrote:
>> 'make dist' still required a mercurial command to run to ensure that it
>> was building from untainted sources.
>>
>> I've converted it to use git and added an argument, TARGET, if you want
>> to have it pull a specific branch. By default it uses 'master'.
>
> ack
>

pushed to master and ipa-1-0

From rcritten at redhat.com Fri May 9 15:12:07 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 09 May 2008 11:12:07 -0400
Subject: [Freeipa-devel] [PATCH] Fix retrieveing server name from ipa.conf
In-Reply-To: <1210338914.32052.131.camel@localhost.localdomain>
References: <20080508220747.GA2318@hopeson.columbia.edu> <48244C67.3010001@redhat.com> <1210338914.32052.131.camel@localhost.localdomain>
Message-ID: <482469C7.3010708@redhat.com>

Simo Sorce wrote:
> On Fri, 2008-05-09 at 09:06 -0400, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> Use the correct check to see if the server names array is empty
>>>
>>>
>> Is there any chance that self.default_server could be None? len of None
>> would raise an error.
>>
>> If not then ack.
>
> we init it with [] as far as I can see.
>
> Simo.
>
>

Ok ack

rob

From rcritten at redhat.com Fri May 9 18:12:18 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 09 May 2008 14:12:18 -0400
Subject: [Freeipa-devel] [PATCH] enforce max uid length
Message-ID: <48249402.9060207@redhat.com>

Enforce the maximum username length set by IPA Policy. The plumbing for this wasn't connected at all :-(

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-778-policy.patch
Type: text/x-patch
Size: 2695 bytes
Desc: not available

From rcritten at redhat.com Fri May 9 20:04:58 2008
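The parsing the ipa.conf thread above is about (the comma-separated `server` value in the `[defaults]` section and the "is the server list empty" check Rob asked about) as an added Python 3 example; it is not ipa-python's config.py. Assumptions: the standard-library `configparser` in place of the Python 2 module the project used, a constructed ipa.conf sample, and the name IPAConfigError reused for the error. What it shows beyond the thread: `if not servers` covers both `[]` and None, whitespace and empty items are removed before the list is used, and catching the ConfigParser exceptions by name rather than with a bare `except:` turns a broken file into an error instead of a silently empty server list.

```python
import re
from configparser import ConfigParser, Error as ConfigError, NoOptionError, NoSectionError


class IPAConfigError(Exception):
    pass


# Constructed sample; the real file lives at /etc/ipa/ipa.conf.
SAMPLE_IPA_CONF = """
[defaults]
realm = EXAMPLE.COM
server = ipa1.example.com, ipa2.example.com ,ipa3.example.com
"""


def parse_server_list(value):
    """Turn the comma-separated 'server' value into a list of hostnames.

    Whitespace is stripped everywhere (as the patch does with re.sub) and
    empty items are dropped, so a trailing or doubled comma cannot leave an
    empty hostname that a later connect would choke on.
    """
    return [s for s in re.sub(r"\s+", "", value).split(",") if s]


def load_defaults(text, servers=None):
    """Return (realm, server_list) from the [defaults] section of text.

    servers is whatever was set before the file is read (command line, or
    the [] the config object is initialised with); the file is consulted
    only when that is empty, as in __parse_config. None is treated as [].
    Parse errors are reported, not swallowed.
    """
    parser = ConfigParser()
    try:
        parser.read_string(text)
    except ConfigError as e:
        raise IPAConfigError("cannot parse ipa.conf: %s" % e)
    realm = None
    try:
        realm = parser.get("defaults", "realm")
    except (NoSectionError, NoOptionError):
        pass                       # realm missing: get_realm() reports it
    servers = list(servers or [])  # None and [] both mean "not set yet"
    if not servers:
        try:
            servers = parse_server_list(parser.get("defaults", "server"))
        except (NoSectionError, NoOptionError):
            servers = []
    return realm, servers


def get_server(servers):
    """The accessor the patch changed: None and [] are both 'no server'."""
    if not servers:
        raise IPAConfigError("no default server")
    return servers


if __name__ == "__main__":
    realm, servers = load_defaults(SAMPLE_IPA_CONF)
    print(realm, get_server(servers))
```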
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 09 May 2008 16:04:58 -0400
Subject: [Freeipa-devel] [PATCH] more DS uninstall cleanup
Message-ID: <4824AE6A.3010101@redhat.com>

Do a more thorough job of removing a directory server instance.

Add /usr/lib/dirsrv/slapd-INSTANCE to the list of directories to be removed

Don't remove the directories bak and ldif in /var/lib/dirsrv/slapd-INSTANCE

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-18-dsremove.patch
Type: text/x-patch
Size: 956 bytes
Desc: not available

From ssorce at redhat.com Sat May 10 15:12:54 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Sat, 10 May 2008 11:12:54 -0400
Subject: [Freeipa-devel] [PATCH] more DS uninstall cleanup
In-Reply-To: <4824AE6A.3010101@redhat.com>
References: <4824AE6A.3010101@redhat.com>
Message-ID: <1210432374.32052.135.camel@localhost.localdomain>

On Fri, 2008-05-09 at 16:04 -0400, Rob Crittenden wrote:
> + shutil.rmtree("/var/lib/dirsrv/slapd-%s/db" % serverid)

Shouldn't we remove the whole directory and not just /db ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Sat May 10 18:05:03 2008
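The instance removal discussed above (Rob's patch adds /usr/lib/dirsrv/slapd-INSTANCE to the list and keeps bak and ldif under /var/lib/dirsrv/slapd-INSTANCE; Simo asks whether the whole data directory should go) as an added Python example, not ipa-server-install's code. It adds the check a practitioner wants in front of `shutil.rmtree("... slapd-%s ..." % serverid)`: the instance name is admin input, so it is validated against a conservative pattern so that `slapd-%s` can never name a path outside the dirsrv tree, and a symlinked instance directory is refused rather than followed. Assumptions: only the two directories the thread mentions are listed (the real uninstaller removes more), `keep` switches between Rob's variant and Simo's, and `demo()` runs both against a constructed tree under a temporary directory.

```python
import os
import re
import shutil
import tempfile

# Instance names are admin-supplied; restrict them so "slapd-%s" % serverid
# cannot contain a path separator or otherwise escape the dirsrv tree.
SERVERID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# Paths relative to root. Only the two from the thread are listed
# (assumption: the real uninstaller removes further directories).
INSTANCE_DIRS = ("usr/lib/dirsrv/slapd-%s",)
DATA_DIR = "var/lib/dirsrv/slapd-%s"


def validate_serverid(serverid):
    if not isinstance(serverid, str) or not SERVERID_RE.match(serverid):
        raise ValueError("refusing to act on suspicious instance name %r" % (serverid,))
    return serverid


def _rmtree_no_symlink(path):
    """Remove a directory tree, refusing a symlinked top level."""
    if os.path.islink(path):
        raise ValueError("%s is a symlink, not removing" % path)
    shutil.rmtree(path)


def remove_ds_instance(serverid, root="/", keep=("bak", "ldif")):
    """Remove the directories of instance slapd-<serverid> below root.

    keep names subdirectories of the data directory that survive (Rob's
    patch keeps bak and ldif); keep=() removes the whole data directory,
    which is what Simo asked about. Returns the removed paths, sorted.
    """
    validate_serverid(serverid)
    removed = []
    for pattern in INSTANCE_DIRS:
        path = os.path.join(root, pattern % serverid)
        if os.path.isdir(path):
            _rmtree_no_symlink(path)
            removed.append(path)
    data = os.path.join(root, DATA_DIR % serverid)
    if os.path.isdir(data):
        if not keep:
            _rmtree_no_symlink(data)
            removed.append(data)
        else:
            for name in sorted(os.listdir(data)):
                if name in keep:
                    continue
                child = os.path.join(data, name)
                if os.path.isdir(child) and not os.path.islink(child):
                    shutil.rmtree(child)
                else:
                    os.remove(child)
                removed.append(child)
    return sorted(removed)


def build_sample_instance(root, serverid):
    """Constructed instance layout: lib dir plus db, bak and ldif data subdirs."""
    for rel in (INSTANCE_DIRS[0] % serverid, DATA_DIR % serverid + "/db",
                DATA_DIR % serverid + "/bak", DATA_DIR % serverid + "/ldif"):
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    with open(os.path.join(root, DATA_DIR % serverid, "db", "id2entry.db4"), "w") as f:
        f.write("placeholder")


def demo():
    """Run both variants and a traversal attempt against a temporary tree."""
    root = tempfile.mkdtemp(prefix="dsremove-")
    sid = "EXAMPLE-COM"
    data = os.path.join(root, DATA_DIR % sid)
    try:
        build_sample_instance(root, sid)
        partial = remove_ds_instance(sid, root=root)        # Rob's variant
        kept = sorted(os.listdir(data))
        build_sample_instance(root, sid)
        full = remove_ds_instance(sid, root=root, keep=())  # Simo's variant
        data_gone = not os.path.exists(data)
        try:
            remove_ds_instance("../../etc", root=root)      # must be rejected
            rejected = False
        except ValueError:
            rejected = True
    finally:
        shutil.rmtree(root)
    return {"partial": len(partial), "kept": kept, "full": len(full),
            "data_gone": data_gone, "traversal_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

With the default `keep`, the lib directory and the data directory's `db` are removed and `bak` and `ldif` stay; with `keep=()` the data directory goes as a whole. Either way an instance name such as `../../etc` never reaches `rmtree`.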
From: ssorce at redhat.com (Simo Sorce) Date: Sat, 10 May 2008 14:05:03 -0400 Subject: [Freeipa-devel] [PATCHES] First step to make DNA more useful and configurable Message-ID: <20080510180502.GA26322@hopeson.columbia.edu> These first three patches are the starting point for making DNA much more useful in a dynamic environment where masters can come and go and where you do not want to reconfigure all of them at the same time just because you are adding a new one. See details here: http://directory.fedoraproject.org/wiki/DNA_Plugin These first patches only make it possible to add a maxvalue and check that the value allocate is actually free before assigning it, skipping until the first free is found otherwise. This patchset currently works and is backwards compatible. The next step will be to implement the housekeeping functions that allows multiple masters to actually split and transfer ranges of values between them. This is necessary for 2 reasons: 1. to allow new masters to be added and automatically assign them some space to alloc from. 2. To allow space to be shifted to masters that are more hungry than others. Simo. -------------- next part -------------- >From a7ffe4ee2960eb71cff33f4d4d60f29904d8bf75 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 1 May 2008 18:03:57 -0400 Subject: [PATCH] Implement checks to make sure we are not assigning a number that is in use. Change config to support a maximum value so that ranges can be defined. Add stubs to reach out and ask to swap in new ranges and notify that new chuncks are needed/used. --- ipa-server/ipa-slapi-plugins/dna/dna.c | 636 +++++++++++++++++++++++--------- 1 files changed, 455 insertions(+), 181 deletions(-) diff --git a/ipa-server/ipa-slapi-plugins/dna/dna.c b/ipa-server/ipa-slapi-plugins/dna/dna.c index 169edb8..3df6dbb 100644 --- a/ipa-server/ipa-slapi-plugins/dna/dna.c +++ b/ipa-server/ipa-slapi-plugins/dna/dna.c 
@@ -51,6 +51,7 @@ #include #include #include +#include /*#include "portable.h"*/ #include "nspr.h" /*#include "slapi-private.h"*/ @@ -66,7 +67,7 @@ #endif #define DNA_PLUGIN_SUBSYSTEM "ipa-dna-plugin" -#define DNA_PLUGIN_VERSION 0x00010000 +#define DNA_PLUGIN_VERSION 0x00020000 /* temporary */ #define DNA_DN "cn=ipa-dna,cn=plugins,cn=config" @@ -77,16 +78,28 @@ /** * DNA config types */ -#define DNA_TYPE "dnaType" -#define DNA_PREFIX "dnaPrefix" -#define DNA_NEXTVAL "dnaNextValue" -#define DNA_INTERVAL "dnaInterval" -#define DNA_GENERATE "dnaMagicRegen" -#define DNA_FILTER "dnaFilter" -#define DNA_SCOPE "dnaScope" +#define DNA_TYPE "dnaType" +#define DNA_PREFIX "dnaPrefix" +#define DNA_NEXTVAL "dnaNextValue" +#define DNA_INTERVAL "dnaInterval" +#define DNA_GENERATE "dnaMagicRegen" +#define DNA_FILTER "dnaFilter" +#define DNA_SCOPE "dnaScope" -#define FEATURE_DESC "IPA Distributed Numeric Assignment" -#define PLUGIN_DESC "IPA Distributed Numeric Assignment plugin" +/* since v2 */ +#define DNA_MAXVAL "dnaMaxValue" +#define DNA_SHARED_CFG_DN "dnaSharedCfgDN" + +/* Shared Config */ +#define DNA_GLOBAL_RANGE "dnaGlobalRange" +#define DNA_RANGE "dnaRange" +#define DNA_MAX_RANGE_SIZE "dnaMaxRangeSize" +#define DNA_CHUNK_SIZE "dnaChunkSize" + + + +#define FEATURE_DESC "IPA Distributed Numeric Assignment" +#define PLUGIN_DESC "IPA Distributed Numeric Assignment plugin" static Slapi_PluginDesc pdesc = { FEATURE_DESC, "FreeIPA project", "FreeIPA/1.0", 
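Review bot: DNA_PLUGIN_VERSION is bumped to 0x00020000 with only `/* temporary */` as a justification; say what is temporary (the bump or the value), since the plugin description in the trailing context still advertises "FreeIPA/1.0". The new DNA_MAXVAL attribute changes the config semantics, and the covering message says the result is backwards compatible, so parseConfigEntry has to treat an absent dnaMaxValue as "no upper bound" rather than the 0 that a calloc'd entry would carry; a comment next to the define stating that default would make the compatibility claim checkable. DNA_SHARED_CFG_DN and the four shared-config defines (DNA_GLOBAL_RANGE, DNA_RANGE, DNA_MAX_RANGE_SIZE, DNA_CHUNK_SIZE) are defined but referenced by nothing in this patch; a one-line comment that they belong to the range-transfer stubs saves the next reader a search.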
@@ -98,19 +111,21 @@ static Slapi_PluginDesc pdesc = { FEATURE_DESC, * linked list of config entries */ -struct _defs { +struct configEntry { PRCList list; char *dn; char *type; char *prefix; unsigned long nextval; unsigned long interval; - struct slapi_filter *filter; + unsigned long maxval; + char *filter; + struct slapi_filter *slapi_filter; char *generate; char *scope; -} dna_anchor; -typedef struct _defs configEntry; -static PRCList *config; +}; + +static PRCList *dna_global_config = NULL; static PRRWLock *g_dna_cache_lock; static void *_PluginID = NULL; @@ -140,7 +155,7 @@ static int dna_postop_init(Slapi_PBlock * pb); static int loadPluginConfig(); static int parseConfigEntry(Slapi_Entry * e); static void deleteConfig(); -static void freeConfigEntry(configEntry ** entry); +static void freeConfigEntry(struct configEntry ** entry); /** * @@ -149,8 +164,8 @@ static void freeConfigEntry(configEntry ** entry); */ static char *dna_get_dn(Slapi_PBlock * pb); static int dna_dn_is_config(char *dn); -static int dna_get_next_value(configEntry * config_entry, - char **next_value_ret); +static int dna_get_next_value(struct configEntry * config_entry, + char **next_value_ret); /** * @@ -166,7 +181,7 @@ static int dna_add_pre_op(Slapi_PBlock * pb); * debug functions - global, for the debugger */ void dnaDumpConfig(); -void dnaDumpConfigEntry(configEntry *); +void dnaDumpConfigEntry(struct configEntry *); /** * set the debug level @@ -325,7 +340,6 @@ static int dna_start(Slapi_PBlock * pb) slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, "--> dna_start\n"); - config = &dna_anchor.list; g_dna_cache_lock = PR_NewRWLock(PR_RWLOCK_RANK_NONE, "dna"); g_new_value_lock = slapi_new_mutex(); 
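Review bot: struct configEntry now carries both the raw `filter` string and the parsed `slapi_filter`; freeConfigEntry (only its prototype is in the patch) must release both, `slapi_ch_free` for the string and `slapi_filter_free` for the parsed filter, or every config reload leaks one of them. Replacing the static `dna_anchor` with the heap-allocated `dna_global_config` also means the list head is NULL before dna_start runs and after dna_close frees it, so any code that walks the list (the pre-op, dnaDumpConfig) needs either a NULL check or a guarantee of ordering; a comment at the declaration saying who allocates and frees it would make that contract explicit.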
@@ -336,13 +350,13 @@ static int dna_start(Slapi_PBlock * pb) return DNA_FAILURE; } - /** + /** * Get the plug-in target dn from the system * and store it for future use. This should avoid * hardcoding of DN's in the code. */ slapi_pblock_get(pb, SLAPI_TARGET_DN, &plugindn); - if (plugindn == NULL || strlen(plugindn) == 0) { + if (NULL == plugindn || 0 == strlen(plugindn)) { slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM, "dna_start: had to use hard coded config dn\n"); plugindn = DNA_DN; @@ -357,7 +371,10 @@ static int dna_start(Slapi_PBlock * pb) /** * Load the config for our plug-in */ - PR_INIT_CLIST(config); + dna_global_config = (struct configEntry *) + slapi_ch_calloc(1, sizeof(struct configEntry)); + PR_INIT_CLIST(dna_global_config); + if (loadPluginConfig() != DNA_SUCCESS) { slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM, "dna_start: unable to load plug-in configuration\n"); @@ -384,6 +401,8 @@ static int dna_close(Slapi_PBlock * pb) deleteConfig(); + slapi_sh_free((void **)dna_global_config); + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, "<-- dna_close\n"); @@ -393,7 +412,7 @@ static int dna_close(Slapi_PBlock * pb) /* * config looks like this * - cn=myplugin - * --- ou=posix + * --- cn=posix * ------ cn=accounts * ------ cn=groups * --- cn=samba 
@@ -416,26 +435,28 @@ static int loadPluginConfig() search_pb = slapi_pblock_new(); - slapi_search_internal_set_pb(search_pb, DNA_DN, LDAP_SCOPE_SUBTREE, - "objectclass=*", NULL, 0, NULL, NULL, - getPluginID(), 0); + slapi_search_internal_set_pb(search_pb, getPluginDN(), + LDAP_SCOPE_SUBTREE, "objectclass=*", + NULL, 0, NULL, NULL, getPluginID(), 0); slapi_search_internal_pb(search_pb); slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &result); - if (status != DNA_SUCCESS) { - status = DNA_SUCCESS; + if (LDAP_SUCCESS != result) { + status = DNA_FAILURE; goto cleanup; } slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries); - if (NULL == entries || entries[0] == NULL) { + if (NULL == entries || NULL == entries[0]) { status = DNA_SUCCESS; goto cleanup; } for (i = 0; (entries[i] != NULL); i++) { status = parseConfigEntry(entries[i]); + if (DNA_SUCCESS != status) + break; } cleanup: @@ -450,17 +471,18 @@ static int loadPluginConfig() static int parseConfigEntry(Slapi_Entry * e) { - char *value = NULL; - configEntry *entry = NULL; - configEntry *config_entry = NULL; - PRCList *list = NULL; + char *value; + struct configEntry *entry; + struct configEntry *config_entry; + PRCList *list; int entry_added = 0; slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, "--> parseConfigEntry\n"); - entry = (configEntry *) slapi_ch_calloc(1, sizeof(configEntry)); - if (0 == entry) + entry = (struct configEntry *) + slapi_ch_calloc(1, sizeof(struct configEntry)); + if (NULL == entry) goto bail; value = slapi_entry_get_ndn(e); @@ -469,7 +491,7 @@ static int parseConfigEntry(Slapi_Entry * e) } slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, - "----------> dn [%s] \n", entry->dn, 0, 0); + "----------> dn [%s]\n", entry->dn, 0, 0); value = slapi_entry_attr_get_charptr(e, DNA_TYPE); if (value) { 
@@ -478,38 +500,41 @@ static int parseConfigEntry(Slapi_Entry * e) goto bail; slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, - "----------> dnaType [%s] \n", entry->type, 0, 0); + "----------> dnaType [%s]\n", entry->type, 0, 0); + + /* FIXME: check the attribute type, it must suport matching rules and be + * indexed, these are requirements and failure to meet them should result in + * the configuration to be disarded and an ERROR logged prominently */ value = slapi_entry_attr_get_charptr(e, DNA_NEXTVAL); if (value) { entry->nextval = strtoul(value, 0, 0); slapi_ch_free_string(&value); - value = 0; } else goto bail; slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, - "----------> dnaNextValue [%d] \n", entry->nextval, 0, + "----------> dnaNextValue [%d]\n", entry->nextval, 0, 0); value = slapi_entry_attr_get_charptr(e, DNA_PREFIX); - if (value) { + if (value && value[0]) { entry->prefix = value; } slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, - "----------> dnaPrefix [%s] \n", entry->prefix, 0, 0); + "----------> dnaPrefix [%s]\n", entry->prefix, 0, 0); value = slapi_entry_attr_get_charptr(e, DNA_INTERVAL); if (value) { entry->interval = strtoul(value, 0, 0); - slapi_ch_free_string(&value); - value = 0; } else goto bail; slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, - "----------> dnaInterval [%s] \n", value, 0, 0); + "----------> dnaInterval [%s]\n", value, 0, 0); + + slapi_ch_free_string(&value); value = slapi_entry_attr_get_charptr(e, DNA_GENERATE); if (value) { 
@@ -517,48 +542,59 @@ static int parseConfigEntry(Slapi_Entry * e) } slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, - "----------> dnaMagicRegen [%s] \n", entry->generate, + "----------> dnaMagicRegen [%s]\n", entry->generate, 0, 0); value = slapi_entry_attr_get_charptr(e, DNA_FILTER); if (value) { - entry->filter = slapi_str2filter(value); + entry->filter = value; + entry->slapi_filter = slapi_str2filter(value); } else goto bail; slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, - "----------> dnaFilter [%s] \n", value, 0, 0); - - slapi_ch_free_string(&value); - value = 0; + "----------> dnaFilter [%s]\n", value, 0, 0); value = slapi_entry_attr_get_charptr(e, DNA_SCOPE); if (value) { - char *canonical_dn = slapi_dn_normalize(value); - entry->scope = canonical_dn; + entry->scope = slapi_dn_normalize(value); } slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, - "----------> dnaScope [%s] \n", entry->scope, 0, 0); + "----------> dnaScope [%s]\n", entry->scope, 0, 0); + /* optional, if not specified set -1 which is converted to the max unisgnee + * value */ + value = slapi_entry_attr_get_charptr(e, DNA_MAXVAL); + if (value) { + entry->maxval = strtoul(value, 0, 0); - /** - * Finally add the entry to the list - * we group by type then by filter - * and finally sort by dn length with longer dn's - * first - this allows the scope checking - * code to be simple and quick and - * cunningly linear - */ - if (!PR_CLIST_IS_EMPTY(config)) { - list = PR_LIST_HEAD(config); - while (list != config) { - config_entry = (configEntry *) list; + slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, + "----------> dnaMaxValue [%ld]\n", value, 0, 0); + + slapi_ch_free_string(&value); + } else + entry->maxval = -1; + + + /** + * Finally add the entry to the list + * we group by type then by filter + * and finally sort by dn length with longer dn's + * first - this allows the scope checking + * code to be simple and quick and + * cunningly linear + */ + if 
(!PR_CLIST_IS_EMPTY(dna_global_config)) { + list = PR_LIST_HEAD(dna_global_config); + while (list != dna_global_config) { + config_entry = (struct configEntry *) list; if (slapi_attr_type_cmp(config_entry->type, entry->type, 1)) goto next; - if (slapi_filter_compare(config_entry->filter, entry->filter)) + if (slapi_filter_compare(config_entry->slapi_filter, + entry->slapi_filter)) goto next; if (slapi_dn_issuffix(entry->scope, config_entry->scope)) { @@ -574,7 +610,7 @@ static int parseConfigEntry(Slapi_Entry * e) next: list = PR_NEXT_LINK(list); - if (config == list) { + if (dna_global_config == list) { /* add to tail */ PR_INSERT_BEFORE(&(entry->list), list); slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, @@ -586,7 +622,7 @@ static int parseConfigEntry(Slapi_Entry * e) } } else { /* first entry */ - PR_INSERT_LINK(&(entry->list), config); + PR_INSERT_LINK(&(entry->list), dna_global_config); slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, "store [%s] at head \n", entry->scope, 0, 0); entry_added = 1; @@ -605,9 +641,9 @@ static int parseConfigEntry(Slapi_Entry * e) return DNA_SUCCESS; } -static void freeConfigEntry(configEntry ** entry) +static void freeConfigEntry(struct configEntry ** entry) { - configEntry *e = *entry; + struct configEntry *e = *entry; if (e->dn) { slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, @@ -622,7 +658,10 @@ static void freeConfigEntry(configEntry ** entry) slapi_ch_free_string(&e->prefix); if (e->filter) - slapi_filter_free(e->filter, 1); + slapi_ch_free_string(&e->filter); + + if (e->slapi_filter) + slapi_filter_free(e->slapi_filter, 1); if (e->generate) slapi_ch_free_string(&e->generate); 
@@ -636,21 +675,45 @@ static void freeConfigEntry(configEntry ** entry) static void deleteConfigEntry(PRCList * entry) { PR_REMOVE_LINK(entry); - freeConfigEntry((configEntry **) & entry); + freeConfigEntry((struct configEntry **) & entry); } static void deleteConfig() { PRCList *list; - while (!PR_CLIST_IS_EMPTY(config)) { - list = PR_LIST_HEAD(config); + while (!PR_CLIST_IS_EMPTY(dna_global_config)) { + list = PR_LIST_HEAD(dna_global_config); deleteConfigEntry(list); } return; } +/**************************************************** + Distributed ranges Helpers +****************************************************/ + +static int dna_fix_maxval(Slapi_DN *dn, unsigned long *cur, unsigned long *max) +{ + /* TODO: check the main partition to see if another range + * is available, and set the new local configuration + * accordingly. + * If a new range is not available run the retrieval task + * and simply return error + */ + + return LDAP_OPERATIONS_ERROR; +} + +static void dna_notice_allocation(Slapi_DN *dn, unsigned long new) +{ + /* TODO: check if we passed a new chunk threshold and update + * the shared configuration on the public partition. + */ + + return; +} /**************************************************** Helpers 
@@ -697,29 +760,183 @@ static int dna_dn_is_config(char *dn) return ret; } +static LDAPControl *dna_build_sort_control(const char *attr) +{ + LDAPControl *ctrl; + BerElement *ber; + int rc; + + ber = ber_alloc(); + if (NULL == ber) + return NULL; + + rc = ber_printf(ber, "{{s}}", attr); + if (-1 == rc) { + ber_free(ber, 1); + return NULL; + } + + rc = slapi_build_control(LDAP_CONTROL_SORTREQUEST, ber, 1, &ctrl); + + ber_free(ber, 1); + + if (LDAP_SUCCESS != rc) + return NULL; + + return ctrl; +} /**************************************************** Functions that actually do things other than config and startup ****************************************************/ +/* we do search all values between newval and maxval asking the + * server to sort them, then we check the first free spot and + * use it as newval */ +static int dna_first_free_value(struct configEntry *config_entry, + unsigned long *newval, + unsigned long maxval, + unsigned long increment) +{ + Slapi_Entry **entries = NULL; + Slapi_PBlock *pb = NULL; + LDAPControl **ctrls; + char *attrs[2]; + char *filter; + char *prefix; + char *type; + int preflen; + int result, status; + unsigned long tmpval, sval, i; + char *strval = NULL; + + prefix = config_entry->prefix; + type = config_entry->type; + tmpval = *newval; + + attrs[0] = type; + attrs[1] = NULL; + + ctrls = (LDAPControl **)slapi_ch_calloc(2, sizeof(LDAPControl)); + if (NULL == ctrls) + return LDAP_OPERATIONS_ERROR; + + ctrls[0] = dna_build_sort_control(config_entry->type); + if (NULL == ctrls[0]) { + slapi_ch_free((void **)&ctrls); + return LDAP_OPERATIONS_ERROR; + } + + filter = slapi_ch_smprintf("(&%s(&(%s>=%s%llu)(%s<=%s%llu)))", + config_entry->filter, + type, prefix?prefix:"", tmpval, + type, prefix?prefix:"", maxval); + if (NULL == filter) { + ldap_control_free(ctrls[0]); + slapi_ch_free((void **)&ctrls); + return LDAP_OPERATIONS_ERROR; + } + + pb = slapi_pblock_new(); + if (NULL == pb) { + ldap_control_free(ctrls[0]); + slapi_ch_free((void 
**)&ctrls); + slapi_ch_free_string(&filter); + return LDAP_OPERATIONS_ERROR; + } + + slapi_search_internal_set_pb(pb, config_entry->scope, + LDAP_SCOPE_SUBTREE, filter, + attrs, 0, ctrls, + NULL, getPluginID(), 0); + slapi_search_internal_pb(pb); +/* + ldap_control_free(ctrls[0]); +*/ + slapi_ch_free_string(&filter); + + slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &result); + if (LDAP_SUCCESS != result) { + status = LDAP_OPERATIONS_ERROR; + goto cleanup; + } + + slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, + &entries); + + if (NULL == entries || NULL == entries[0]) { + /* no values means we already have a good value */ + status = LDAP_SUCCESS; + goto cleanup; + } + + /* entries are sorted and filtered for value >= tval therefore if the + * first one does not match tval it means that the value is free, + * otherwise we need to cycle through values until we find a mismatch, + * the first mismatch is the first free pit */ + + preflen = prefix?strlen(prefix):0; + sval = 0; + for (i = 0; NULL != entries[i]; i++) { + strval = slapi_entry_attr_get_charptr(entries[i], type); + if (preflen) { + if (strlen(strval) <= preflen) { + /* something very wrong here ... */ + status = LDAP_OPERATIONS_ERROR; + goto cleanup; + } + strval = &strval[preflen-1]; + } + + errno = 0; + sval = strtoul(strval, 0, 0); + if (errno) { + /* something very wrong here ... */ + status = LDAP_OPERATIONS_ERROR; + goto cleanup; + } + slapi_ch_free_string(&strval); + + if (tmpval != sval) + break; + + if (maxval < sval) + break; + + tmpval += increment; + } + + *newval = tmpval; + status = LDAP_SUCCESS; + +cleanup: + slapi_ch_free_string(&strval); + slapi_free_search_results_internal(pb); + slapi_pblock_destroy(pb); + + return status; +} /* * Perform ldap operationally atomic increment * Return the next value to be assigned * Method: * 1. retrieve entry - * 2. remove current value, add new value in one operation - * 3. if failed, and less than 3 times, goto 1 + * 2. 
do increment operations + * 3. remove current value, add new value in one operation + * 4. if failed, and less than 3 times, goto 1 */ -static int dna_get_next_value(configEntry * config_entry, - char **next_value_ret) +static int dna_get_next_value(struct configEntry *config_entry, + char **next_value_ret) { - int ret = LDAP_SUCCESS; - Slapi_DN *dn = 0; - char *attrlist[3]; - Slapi_Entry *e = 0; - int attempts = 0; + Slapi_PBlock *pb = NULL; + char *old_value = NULL; + Slapi_Entry *e = NULL; + Slapi_DN *dn = NULL; + char *attrlist[4]; + int attempts; + int ret; slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, "--> dna_get_next_value\n"); @@ -727,8 +944,9 @@ static int dna_get_next_value(configEntry * config_entry, /* get pre-requisites to search */ dn = slapi_sdn_new_dn_byref(config_entry->dn); attrlist[0] = DNA_NEXTVAL; - attrlist[1] = DNA_INTERVAL; - attrlist[2] = 0; + attrlist[1] = DNA_MAXVAL; + attrlist[2] = DNA_INTERVAL; + attrlist[3] = NULL; /* the operation is constructed such that race conditions 
@@ -739,113 +957,169 @@ static int dna_get_next_value(configEntry * config_entry, slapi_lock_mutex(g_new_value_lock); - while (attempts < 3 && LDAP_SUCCESS == ret) { - attempts++; + for (attempts = 0; attempts < 3; attempts++) { + + LDAPMod mod_add; + LDAPMod mod_delete; + LDAPMod *mods[3]; + char *delete_val[2]; + char *add_val[2]; + char new_value[16]; + char *interval; + char *max_value; + unsigned long increment = 1; /* default increment */ + unsigned long setval = 0; + unsigned long newval = 0; + unsigned long maxval = -1; + int result; /* do update */ - if (e) { - slapi_entry_free(e); - e = 0; + ret = slapi_search_internal_get_entry(dn, attrlist, &e, + getPluginID()); + if (LDAP_SUCCESS != ret) { + ret = LDAP_OPERATIONS_ERROR; + goto done; } - ret = - slapi_search_internal_get_entry(dn, attrlist, &e, - getPluginID()); - if (LDAP_SUCCESS == ret) { - char *old_value; - - old_value = slapi_entry_attr_get_charptr(e, DNA_NEXTVAL); - if (old_value) { - LDAPMod mod_add; - LDAPMod mod_delete; - LDAPMod *mods[3]; - Slapi_PBlock *pb = slapi_pblock_new(); - char *delete_val[2]; - char *add_val[2]; - char new_value[16]; - char *interval = 0; - - mods[0] = &mod_delete; - mods[1] = &mod_add; - mods[2] = 0; - - if (0 == pb) - goto bail; - - interval = slapi_entry_attr_get_charptr(e, DNA_INTERVAL); - if (0 == interval) { - slapi_pblock_destroy(pb); - slapi_ch_free_string(&old_value); - goto bail; - } + old_value = slapi_entry_attr_get_charptr(e, DNA_NEXTVAL); + if (NULL == old_value) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + setval = strtoul(old_value, 0, 0); + + max_value = slapi_entry_attr_get_charptr(e, DNA_MAXVAL); + if (max_value) { + maxval = strtoul(max_value, 0, 0); + slapi_ch_free_string(&max_value); + } - /* perform increment */ + /* if not present the default is 1 */ + interval = slapi_entry_attr_get_charptr(e, DNA_INTERVAL); + if (NULL != interval) { + increment = strtoul(interval, 0, 0); + } - sprintf(new_value, "%lu", - strtoul(interval, 0, 0) + - 
strtoul(old_value, 0, 0)); + slapi_entry_free(e); + e = NULL; + + /* check the value is actually in range */ + + /* verify the new value is actually free and get the first + * one free if not*/ + ret = dna_first_free_value(config_entry, &setval, maxval, increment); + if (LDAP_SUCCESS != ret) + goto done; + + /* try for a new range or fail */ + if (setval > maxval) { + ret = dna_fix_maxval(dn, &setval, &maxval); + if (LDAP_SUCCESS != ret) { + slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM, + "dna_get_next_value: no more IDs available!!\n"); + goto done; + } - delete_val[0] = old_value; - delete_val[1] = 0; + /* verify the new value is actually free and get the first + * one free if not */ + ret = dna_first_free_value(config_entry, &setval, maxval, increment); + if (LDAP_SUCCESS != ret) + goto done; + } - mod_delete.mod_op = LDAP_MOD_DELETE; - mod_delete.mod_type = DNA_NEXTVAL; - mod_delete.mod_values = delete_val; + if (setval > maxval) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } - add_val[0] = new_value; - add_val[1] = 0; + newval = setval + increment; - mod_add.mod_op = LDAP_MOD_ADD; - mod_add.mod_type = DNA_NEXTVAL; - mod_add.mod_values = add_val; + /* try for a new range or fail */ + if (newval > maxval) { + ret = dna_fix_maxval(dn, &newval, &maxval); + if (LDAP_SUCCESS != ret) { + slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM, + "dna_get_next_value: no more IDs available!!\n"); + goto done; + } + } + /* try to set the new value */ - mods[0] = &mod_delete; - mods[1] = &mod_add; - mods[2] = 0; + sprintf(new_value, "%llu", newval); - slapi_modify_internal_set_pb(pb, config_entry->dn, - mods, 0, 0, getPluginID(), 0); + delete_val[0] = old_value; + delete_val[1] = 0; - slapi_modify_internal_pb(pb); + mod_delete.mod_op = LDAP_MOD_DELETE; + mod_delete.mod_type = DNA_NEXTVAL; + mod_delete.mod_values = delete_val; - slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret); + add_val[0] = new_value; + add_val[1] = 0; - slapi_pblock_destroy(pb); - 
slapi_ch_free_string(&interval); + mod_add.mod_op = LDAP_MOD_ADD; + mod_add.mod_type = DNA_NEXTVAL; + mod_add.mod_values = add_val; - if (LDAP_SUCCESS == ret) { - *next_value_ret = old_value; - break; - } else { - slapi_ch_free_string(&old_value); - if (LDAP_NO_SUCH_ATTRIBUTE != ret) { - /* not the result of a race - to change the value - */ - break; - } else - /* we lost the race to mod - try again - */ - ret = LDAP_SUCCESS; - } - } else - break; - } else - break; + mods[0] = &mod_delete; + mods[1] = &mod_add; + mods[2] = 0; + + pb = slapi_pblock_new(); + if (NULL == pb) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + slapi_modify_internal_set_pb(pb, config_entry->dn, + mods, 0, 0, getPluginID(), 0); + + slapi_modify_internal_pb(pb); + + slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret); + + slapi_pblock_destroy(pb); + pb = NULL; + slapi_ch_free_string(&interval); + slapi_ch_free_string(&old_value); + + if (LDAP_SUCCESS == ret) { + *next_value_ret = slapi_ch_smprintf("%llu", setval); + if (NULL == *next_value_ret) { + ret = LDAP_OPERATIONS_ERROR; + goto done; + } + + dna_notice_allocation(dn, newval); + goto done; + } + + if (LDAP_NO_SUCH_ATTRIBUTE != ret) { + /* not the result of a race + to change the value + */ + goto done; + } } - bail: + done: slapi_unlock_mutex(g_new_value_lock); + if (LDAP_SUCCESS != ret) + slapi_ch_free_string(&old_value); + if (dn) slapi_sdn_free(&dn); if (e) slapi_entry_free(e); + if (pb) + slapi_pblock_destroy(pb); + slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, "<-- dna_get_next_value\n"); @@ -862,7 +1136,7 @@ static int dna_pre_op(Slapi_PBlock * pb, int modtype) { char *dn = 0; PRCList *list = 0; - configEntry *config_entry = 0; + struct configEntry *config_entry = 0; struct slapi_entry *e = 0; char *last_type = 0; char *value = 0; 
@@ -916,11 +1190,11 @@ static int dna_pre_op(Slapi_PBlock * pb, int modtype) dna_read_lock(); - if (!PR_CLIST_IS_EMPTY(config)) { - list = PR_LIST_HEAD(config); + if (!PR_CLIST_IS_EMPTY(dna_global_config)) { + list = PR_LIST_HEAD(dna_global_config); - while (list != config && LDAP_SUCCESS == ret) { - config_entry = (configEntry *) list; + while (list != dna_global_config && LDAP_SUCCESS == ret) { + config_entry = (struct configEntry *) list; /* did we already service this type? */ if (last_type) { @@ -935,11 +1209,11 @@ static int dna_pre_op(Slapi_PBlock * pb, int modtype) } /* does the entry match the filter? */ - if (config_entry->filter) { + if (config_entry->slapi_filter) { if (LDAP_SUCCESS != slapi_vattr_filter_test(pb, e, config_entry-> - filter, 0)) + slapi_filter, 0)) goto next; } @@ -972,8 +1246,8 @@ static int dna_pre_op(Slapi_PBlock * pb, int modtype) if (len == bv->bv_len) { if (!slapi_UTF8NCASECMP(bv->bv_val, - config_entry-> - generate, len)) + config_entry->generate, + len)) generate = 1; break; @@ -992,7 +1266,8 @@ static int dna_pre_op(Slapi_PBlock * pb, int modtype) int len; /* create the value to add */ - if ((ret = dna_get_next_value(config_entry, &value))) + ret = dna_get_next_value(config_entry, &value); + if (DNA_SUCCESS != ret) break; len = strlen(value) + 1; @@ -1066,7 +1341,6 @@ static int dna_pre_op(Slapi_PBlock * pb, int modtype) return ret; } - static int dna_add_pre_op(Slapi_PBlock * pb) { return dna_pre_op(pb, LDAP_CHANGETYPE_ADD); @@ -1110,10 +1384,10 @@ void dnaDumpConfig() dna_read_lock(); - if (!PR_CLIST_IS_EMPTY(config)) { - list = PR_LIST_HEAD(config); - while (list != config) { - dnaDumpConfigEntry((configEntry *) list); + if (!PR_CLIST_IS_EMPTY(dna_global_config)) { + list = PR_LIST_HEAD(dna_global_config); + while (list != dna_global_config) { + dnaDumpConfigEntry((struct configEntry *) list); list = PR_NEXT_LINK(list); } } 
@@ -1122,7 +1396,7 @@ void dnaDumpConfig() } -void dnaDumpConfigEntry(configEntry * entry) +void dnaDumpConfigEntry(struct configEntry * entry) { printf("<- type --------------> %s\n", entry->type); printf("<---- prefix ---------> %s\n", entry->prefix); -- 1.5.4.1 -------------- next part -------------- >From aad496178d5cc419eb607a2e4b64fa6261473ed8 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 9 May 2008 12:52:17 -0400 Subject: [PATCH] For some unknown reason the sort control returns values sorted in reverse. Ask for inverse order to get them straight ... --- ipa-server/ipa-slapi-plugins/dna/dna.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/ipa-server/ipa-slapi-plugins/dna/dna.c b/ipa-server/ipa-slapi-plugins/dna/dna.c index 3df6dbb..1f67dc9 100644 --- a/ipa-server/ipa-slapi-plugins/dna/dna.c +++ b/ipa-server/ipa-slapi-plugins/dna/dna.c @@ -760,6 +760,8 @@ static int dna_dn_is_config(char *dn) return ret; } +#define DNA_LDAP_TAG_SK_REVERSE 0x81L + static LDAPControl *dna_build_sort_control(const char *attr) { LDAPControl *ctrl; @@ -770,7 +772,7 @@ static LDAPControl *dna_build_sort_control(const char *attr) if (NULL == ber) return NULL; - rc = ber_printf(ber, "{{s}}", attr); + rc = ber_printf(ber, "{{stb}}", attr, DNA_LDAP_TAG_SK_REVERSE, 1); if (-1 == rc) { ber_free(ber, 1); return NULL; -- 1.5.4.1 -------------- next part -------------- >From b03ef4250a2bdd7a9d66c13ef4a52f852504273e Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 9 May 2008 20:58:02 -0400 Subject: [PATCH] If there is an error we need to send back a reply ourselves. Return also an intelligible error message. --- ipa-server/ipa-slapi-plugins/dna/dna.c | 13 +++++++++++-- 1 files changed, 11 insertions(+), 2 deletions(-) diff --git a/ipa-server/ipa-slapi-plugins/dna/dna.c b/ipa-server/ipa-slapi-plugins/dna/dna.c index 1f67dc9..fdcd96d 100644 --- a/ipa-server/ipa-slapi-plugins/dna/dna.c +++ b/ipa-server/ipa-slapi-plugins/dna/dna.c 
@@ -1147,6 +1147,7 @@ static int dna_pre_op(Slapi_PBlock * pb, int modtype) Slapi_Mod *smod = 0; LDAPMod **mods; int free_entry = 0; + char *errstr = NULL; int ret = 0; slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, @@ -1269,8 +1270,12 @@ static int dna_pre_op(Slapi_PBlock * pb, int modtype) /* create the value to add */ ret = dna_get_next_value(config_entry, &value); - if (DNA_SUCCESS != ret) + if (DNA_SUCCESS != ret) { + errstr = slapi_ch_smprintf("Allocation of a new value for" + " %s failed! Unable to proceed.", + config_entry->type); break; + } len = strlen(value) + 1; if (config_entry->prefix) { @@ -1333,9 +1338,13 @@ static int dna_pre_op(Slapi_PBlock * pb, int modtype) if (free_entry && e) slapi_entry_free(e); - if (ret) + if (ret) { slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM, "dna_pre_op: operation failure [%d]\n", ret); + slapi_send_ldap_result(pb, ret, NULL, errstr, 0, NULL); + slapi_ch_free(&errstr); + ret = DNA_FAILURE; + } slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, "<-- dna_pre_op\n"); -- 1.5.4.1 From christopher.e.hailey at accenture.com Mon May 12 20:59:26 2008 
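Review bot: in the dna_close hunk, `slapi_sh_free((void **)dna_global_config);` names a function that does not exist in the SLAPI API (the counterpart of `slapi_ch_calloc` is `slapi_ch_free`) and passes the list head itself where the address of the pointer is expected, so even with the name corrected it would free whatever the head's first word (its `next` link) points at and leave `dna_global_config` dangling. Suggest `slapi_ch_free((void **)&dna_global_config);`. In the matching dna_start hunk the head is allocated as a whole `struct configEntry` and cast to that type before being stored in a `PRCList *`; allocating `sizeof(PRCList)` and casting to `PRCList *` is enough and avoids the incompatible-pointer warning.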
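Review bot: in the dnaMaxValue hunk of parseConfigEntry, the log call `"----------> dnaMaxValue [%ld]\n", value` hands the attribute string `value` to a `%ld` conversion, so the pointer rather than the number is logged; log `entry->maxval` with `%lu` instead, since the field is `unsigned long`. The fallback `entry->maxval = -1` relies on unsigned wrap-around to mean "all ones", which matches the comment but reads more clearly as `ULONG_MAX` from limits.h.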
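Review bot: in the dna_first_free_value hunk, `strval = &strval[preflen-1];` is off by one (it points at the last character of the prefix, not at the first digit) and, more seriously, the following `slapi_ch_free_string(&strval)` then frees a pointer into the middle of the block returned by `slapi_entry_attr_get_charptr`, which corrupts the heap whenever a prefix is configured; keep the original pointer for freeing and parse from `strval + preflen`. In the same hunk: `strval` is not checked for NULL before `strlen`; the scan's `if (tmpval != sval) break;` declares `tmpval` free as soon as any entry differs from it, including an entry below `tmpval` that sits off the increment grid, although a later (sorted) entry may still equal `tmpval`, so entries with `sval < tmpval` should be skipped rather than end the scan; `slapi_ch_calloc(2, sizeof(LDAPControl))` should be `sizeof(LDAPControl *)`; the `%llu` conversions in the filter, `sprintf` and `slapi_ch_smprintf` are fed `unsigned long` arguments, which is undefined on 32-bit targets, so use `%lu`; and the `ctrls` array is never freed (the `ldap_control_free(ctrls[0])` call is commented out), so every allocation leaks at least the array. Requesting the sort control as critical is the right choice here: an unsorted result would silently break the scan instead of failing the search.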
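Review bot: in the dna_get_next_value hunk, `char new_value[16]` is filled with `sprintf(new_value, "%llu", newval)` and `newval` is an `unsigned long`, which on LP64 needs up to 20 digits plus the terminator, so values near the top of the type range (and `maxval` defaults to `-1`, i.e. all ones) overflow the stack buffer; use `snprintf` with a 21-byte buffer or `slapi_ch_smprintf`. Two logic points in the same hunk: after `newval = setval + increment`, `newval > maxval` aborts the allocation even though `setval` itself is in range, so the last value of every range can never be handed out (store the out-of-range `newval` and let the next call hit the `setval > maxval` branch instead); and `interval` is freed only after the modify, so the `goto done` paths between `slapi_entry_attr_get_charptr(e, DNA_INTERVAL)` and the modify leak it. Finally, after three lost races the loop exits with `ret == LDAP_NO_SUCH_ATTRIBUTE`, which the caller then reports as the failure code; a dedicated retry-exhausted error would be clearer in the server log.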
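Review bot: in the dna_build_sort_control hunk, the `{{stb}}` encoding with tag `0x81` is the correct context-specific `reverseOrder [1] BOOLEAN` of the SortKey from RFC 2891, but the commit message's "for some unknown reason" deserves a follow-up before dna_first_free_value relies on it: if the server is ordering the attribute as strings rather than as integers, reversing the order hides the symptom while the `>=`/`<=` range filter and the ascending walk are still wrong for values with different digit counts (`9` versus `10`). A test with values that cross a digit boundary would settle it; either way the constant deserves a comment saying which SortKey field the tag selects.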
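Review bot: in the last hunk of the error-reply patch, `slapi_ch_free(&errstr)` passes a `char **` where `void **` is expected; use `slapi_ch_free_string(&errstr)`, as the rest of the file does. Sending the result with `slapi_send_ldap_result` and then returning `DNA_FAILURE` is the right pattern for a pre-op plugin (a non-zero return tells the server the plugin has already answered), but `ret` at that point is whatever non-zero value caused the `break`, and only the `dna_get_next_value` path sets `errstr`; for the other failure paths the client receives that raw value as the LDAP result code with no message, so map `ret` to a valid result code (for instance `LDAP_OPERATIONS_ERROR`) before sending.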
From: christopher.e.hailey at accenture.com (christopher.e.hailey at accenture.com)
Date: Mon, 12 May 2008 15:59:26 -0500
Subject: [Freeipa-devel] IPA Group IDs
Message-ID:

I am working on integrating freeIPA with an existing system which currently uses group IDs starting at 1000 - when you do an ipa-server-install groups 1001-1003 are assigned to IPA groups which collides with my current configuration. Is there a way to specify which groups IPA serves? I can modify my system to work around this, but it seems that in the long run there should be a way to do this.

- Chris -

--
Christopher Hailey
Accenture Sr. Software Engineer
1615 Murray Canyon Road, Suite 400
San Diego, CA 92108
(619)574-2213
christopher.e.hailey at accenture.com

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.

From ssorce at redhat.com Mon May 12 21:08:14 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 12 May 2008 17:08:14 -0400
Subject: [Freeipa-devel] IPA Group IDs
In-Reply-To:
References:
Message-ID: <4828B1BE.20304@redhat.com>

christopher.e.hailey at accenture.com wrote:
> I am working on integrating freeIPA with an existing system which currently uses group
> IDs starting at 1000 - when you do a ipa-server-install groups 1001-1003 are assigned to
> IPA groups which collides with my current configuration. Is there a way to specify which
> groups IPA serves? I can modify my system to work around this, but it seems that in the
> long run there should be a way to do this.

Chris,
at the moment these values are hardcoded into the initialization ldif files. Although nothing on the filesystem actually uses these IDs after installation, so it is possible to modify these values using ipa-moduser/ipa-modgroup as the first thing right after the installation.

I guess we might try to use < 1000 values by default, and in the long run we might provide some way to define values in some sort of kickstart like file. But at the moment we are not.

Simo.

From rcritten at redhat.com Tue May 13 14:04:07 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 13 May 2008 10:04:07 -0400
Subject: [Freeipa-devel] [PATCH] allow admin user to be edited
Message-ID: <48299FD7.5070102@redhat.com>

The admin user doesn't have the inetorgperson objectclass so doesn't have a givenname attribute. The UI is currently hardcoded to require "first name" which renders the admin user uneditable via the UI.

This is a hack that will allow admin to be edited, assuming that one doesn't try to add a firstname field.

This will hopefully be relatively short-term until we can implement a schema parser to determine which fields may be required and/or disabled.

rob

diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py b/ipa-server/ipa-g index 0a79fc7..9232f30 100644 --- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py @@ -413,6 +413,16 @@ class UserController(IPAController): # later the update will not be processed cherrypy.session['uid'] = user_dict.get('uid') + # Hack. The admin user doesn't have inetorgperson as an + # objectclass so don't require the givenName attribute if + # this objectclass doesn't exist in the record. + oc = [x.lower() for x in user_dict.get('objectclass')] + try: + p = oc.index('inetorgperson') + except ValueError: + # This entry doesn't have inetorgperson so don't require gn + user_edit_form.validator.fields.get('givenname').not_empty=Fals + return dict(form=user_edit_form, user=user_dict, user_groups=user_groups_dicts) except ipaerror.IPAError, e: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Tue May 13 14:31:58 2008 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 13 May 2008 10:31:58 -0400 Subject: [Freeipa-devel] [PATCH] allow admin user to be edited In-Reply-To: <48299FD7.5070102@redhat.com> References: <48299FD7.5070102@redhat.com> Message-ID: <1210689118.4575.13.camel@localhost.localdomain> On Tue, 2008-05-13 at 10:04 -0400, Rob Crittenden wrote: > The admin user doesn't have the inetorgperson objectclass so don't > have > a givenname attribute. The UI is currently hardcoded to require > "first > name" which renders the admin user uneditable via the UI. > > This is a hack that will allow admin to be edited, assuming that one > doesn't try to add a firstname field. > > This will hopefully be relatively short-term until we can implement a > schema parser to determine which fields may be required and/or > disabled. Ack -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Tue May 13 15:06:46 2008 
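Review bot: in the user.py hunk, `user_edit_form.validator.fields.get('givenname').not_empty = False` mutates the validator on the form object; if `user_edit_form` is the module-level widget instance (the usual TurboGears arrangement), then once any request has edited the admin user the first-name field stops being required for every later edit of every user until the process restarts. Relax the requirement per request (for example by validating against a copy of the field set) rather than on the shared form. Smaller points: `if 'inetorgperson' not in oc:` reads better than `oc.index` inside `try`/`except ValueError`; `user_dict.get('objectclass')` returning `None` would raise `TypeError` in the list comprehension; and the line as archived ends in `=Fals`, so please confirm the committed version reads `False`.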
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 13 May 2008 11:06:46 -0400
Subject: [Freeipa-devel] [PATCH] Catch socket errors in admin tools
Message-ID: <4829AE86.90909@redhat.com>

Catch name resolution errors thrown by socket.gaierror.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-19-dns.patch
Type: text/x-patch
Size: 13223 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From ssorce at redhat.com Tue May 13 15:19:11 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 13 May 2008 11:19:11 -0400
Subject: [Freeipa-devel] [PATCH] Catch socket errors in admin tools
In-Reply-To: <4829AE86.90909@redhat.com>
References: <4829AE86.90909@redhat.com>
Message-ID: <1210691951.4575.17.camel@localhost.localdomain>

On Tue, 2008-05-13 at 11:06 -0400, Rob Crittenden wrote:
> Catch name resolution errors thrown by socket.gaierror.

ack

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Tue May 13 16:01:46 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 13 May 2008 12:01:46 -0400
Subject: [Freeipa-devel] [PATCH] allow admin user to be edited
In-Reply-To: <1210689118.4575.13.camel@localhost.localdomain>
References: <48299FD7.5070102@redhat.com> <1210689118.4575.13.camel@localhost.localdomain>
Message-ID: <4829BB6A.1090005@redhat.com>

Simo Sorce wrote:
> On Tue, 2008-05-13 at 10:04 -0400, Rob Crittenden wrote:
>> The admin user doesn't have the inetorgperson objectclass so doesn't have
>> a givenname attribute. The UI is currently hardcoded to require "first
>> name" which renders the admin user uneditable via the UI.
>>
>> This is a hack that will allow admin to be edited, assuming that one
>> doesn't try to add a firstname field.
>>
>> This will hopefully be relatively short-term until we can implement a
>> schema parser to determine which fields may be required and/or
>> disabled.
>
> Ack
>

Pushed

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rcritten at redhat.com Tue May 13 16:01:53 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 13 May 2008 12:01:53 -0400
Subject: [Freeipa-devel] [PATCH] Catch socket errors in admin tools
In-Reply-To: <1210691951.4575.17.camel@localhost.localdomain>
References: <4829AE86.90909@redhat.com> <1210691951.4575.17.camel@localhost.localdomain>
Message-ID: <4829BB71.2060103@redhat.com>

Simo Sorce wrote:
> On Tue, 2008-05-13 at 11:06 -0400, Rob Crittenden wrote:
>> Catch name resolution errors thrown by socket.gaierror.
>
> ack
>

Pushed

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From ssorce at redhat.com Tue May 13 17:01:39 2008
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 13 May 2008 13:01:39 -0400 Subject: [Freeipa-devel] [PATCHES] First step to make DNA more useful and configurable In-Reply-To: <20080510180502.GA26322@hopeson.columbia.edu> References: <20080510180502.GA26322@hopeson.columbia.edu> Message-ID: <4829C973.50406@redhat.com> Simo Sorce wrote: > These first three patches are the starting point for making DNA much more useful > in a dynamic environment where masters can come and go and where you do not want > to reconfigure all of them at the same time just because you are adding a new > one. > See details here: http://directory.fedoraproject.org/wiki/DNA_Plugin > > These first patches only make it possible to add a maxvalue and check that the > value allocated is actually free before assigning it, skipping until the first > free is found otherwise. > > This patchset currently works and is backwards compatible. > > The next step will be to implement the housekeeping functions that allow > multiple masters to actually split and transfer ranges of values between them. > This is necessary for 2 reasons: > 1. to allow new masters to be added and automatically assign them some space > to alloc from. > 2. To allow space to be shifted to masters that are more hungry than others. New patch set to replace the previous, fixes an issue spotted by Rich. Simo. -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Implement-checks-to-make-sure-we-are-not-assigning-a.patch Type: text/x-patch Size: 33300 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-For-some-unknown-reason-the-sort-control-returns-val.patch Type: text/x-patch Size: 1141 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: 0003-If-there-is-an-error-we-need-to-send-back-a-reply-ou.patch Type: text/x-patch Size: 2032 bytes Desc: not available URL: From rcritten at redhat.com Tue May 13 18:38:11 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 13 May 2008 14:38:11 -0400 Subject: [Freeipa-devel] [PATCH] more DS uninstall cleanup In-Reply-To: <1210432374.32052.135.camel@localhost.localdomain> References: <4824AE6A.3010101@redhat.com> <1210432374.32052.135.camel@localhost.localdomain> Message-ID: <4829E013.90200@redhat.com> Simo Sorce wrote: > On Fri, 2008-05-09 at 16:04 -0400, Rob Crittenden wrote: >> + shutil.rmtree("/var/lib/dirsrv/slapd-%s/db" % serverid) > > Shouldn't we remove the whole directory and not just /db ? > We delete the whole directory now. I'm proposing we keep any ldif's and backups. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Tue May 13 18:46:10 2008 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 13 May 2008 14:46:10 -0400 Subject: [Freeipa-devel] [PATCH] more DS uninstall cleanup In-Reply-To: <4829E013.90200@redhat.com> References: <4824AE6A.3010101@redhat.com> <1210432374.32052.135.camel@localhost.localdomain> <4829E013.90200@redhat.com> Message-ID: <1210704370.28428.0.camel@localhost.localdomain> On Tue, 2008-05-13 at 14:38 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > On Fri, 2008-05-09 at 16:04 -0400, Rob Crittenden wrote: > >> + shutil.rmtree("/var/lib/dirsrv/slapd-%s/db" % serverid) > > > > Shouldn't we remove the whole directory and not just /db ? > > > > We delete the whole directory now. I'm proposing we keep any ldif's and > backups. We should ask, backups may contain security sensitive material you may really want to remove from the system. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Tue May 13 20:32:26 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 13 May 2008 16:32:26 -0400 Subject: [Freeipa-devel] [PATCH] uninstall cleanup Message-ID: <4829FADA.2040005@redhat.com> Always try to shut down the KDC during the uninstall process. Restart nscd as it may have made an LDAP connection. This should help remove some ports stuck at CLOSE_WAIT after uninstall. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-21-uninstall.patch Type: text/x-patch Size: 1859 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Tue May 13 20:35:11 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 13 May 2008 16:35:11 -0400 Subject: [Freeipa-devel] [PATCH] more DS uninstall cleanup In-Reply-To: <1210704370.28428.0.camel@localhost.localdomain> References: <4824AE6A.3010101@redhat.com> <1210432374.32052.135.camel@localhost.localdomain> <4829E013.90200@redhat.com> <1210704370.28428.0.camel@localhost.localdomain> Message-ID: <4829FB7F.4090803@redhat.com> Simo Sorce wrote: > On Tue, 2008-05-13 at 14:38 -0400, Rob Crittenden wrote: >> Simo Sorce wrote: >>> On Fri, 2008-05-09 at 16:04 -0400, Rob Crittenden wrote: >>>> + shutil.rmtree("/var/lib/dirsrv/slapd-%s/db" % serverid) >>> Shouldn't we remove the whole directory and not just /db ? >>> >> We delete the whole directory now. I'm proposing we keep any ldif's and >> backups. > > We should ask, backups may contain security sensitive material you may > really want to remove from the system. > > Simo. > Well, we clearly state that we "will delete all data and configuration!" so I guess we can go ahead and punt on this. Is the rest of the patch acceptable? rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Tue May 13 20:40:51 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 13 May 2008 16:40:51 -0400 Subject: [Freeipa-devel] [PATCH] more DS uninstall cleanup In-Reply-To: <4829FB7F.4090803@redhat.com> References: <4824AE6A.3010101@redhat.com> <1210432374.32052.135.camel@localhost.localdomain> <4829E013.90200@redhat.com> <1210704370.28428.0.camel@localhost.localdomain> <4829FB7F.4090803@redhat.com> Message-ID: <1210711251.28428.2.camel@localhost.localdomain> On Tue, 2008-05-13 at 16:35 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > On Tue, 2008-05-13 at 14:38 -0400, Rob Crittenden wrote: > >> Simo Sorce wrote: > >>> On Fri, 2008-05-09 at 16:04 -0400, Rob Crittenden wrote: > >>>> + shutil.rmtree("/var/lib/dirsrv/slapd-%s/db" % serverid) > >>> Shouldn't we remove the whole directory and not just /db ? > >>> > >> We delete the whole directory now. I'm proposing we keep any ldif's and > >> backups. > > > > We should ask, backups may contain security sensitive material you may > > really want to remove from the system. > > > > Simo. > > > > Well, we clearly state the we "will delete all data and configuration!" > so I guess we can go ahead and punt on this. > > Is the rest of the patch acceptable? yup Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue May 13 20:51:54 2008 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 13 May 2008 16:51:54 -0400 Subject: [Freeipa-devel] [PATCH] uninstall cleanup In-Reply-To: <4829FADA.2040005@redhat.com> References: <4829FADA.2040005@redhat.com> Message-ID: <1210711914.28428.8.camel@localhost.localdomain> On Tue, 2008-05-13 at 16:32 -0400, Rob Crittenden wrote: > Always try to shut down the KDC during the uninstall process. > > Restart nscd as it may have made an LDAP connection. > > This should help remove some ports stuck at CLOSE_WAIT after > uninstall. Full ack, thanks for fixing this problem. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue May 13 21:03:06 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 13 May 2008 17:03:06 -0400 Subject: [Freeipa-devel] [PATCH] enforce max uid length In-Reply-To: <48249402.9060207@redhat.com> References: <48249402.9060207@redhat.com> Message-ID: <1210712587.28428.10.camel@localhost.localdomain> On Fri, 2008-05-09 at 14:12 -0400, Rob Crittenden wrote: > Enforce the maximum username length set by IPA Policy. The plumbing > for > this wasn't connected at all :-( ack -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Wed May 14 02:54:22 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 13 May 2008 22:54:22 -0400 Subject: [Freeipa-devel] [PATCH] more DS uninstall cleanup In-Reply-To: <1210711251.28428.2.camel@localhost.localdomain> References: <4824AE6A.3010101@redhat.com> <1210432374.32052.135.camel@localhost.localdomain> <4829E013.90200@redhat.com> <1210704370.28428.0.camel@localhost.localdomain> <4829FB7F.4090803@redhat.com> <1210711251.28428.2.camel@localhost.localdomain> Message-ID: <482A545E.4020603@redhat.com> Simo Sorce wrote: > On Tue, 2008-05-13 at 16:35 -0400, Rob Crittenden wrote: >> Simo Sorce wrote: >>> On Tue, 2008-05-13 at 14:38 -0400, Rob Crittenden wrote: >>>> Simo Sorce wrote: >>>>> On Fri, 2008-05-09 at 16:04 -0400, Rob Crittenden wrote: >>>>>> + shutil.rmtree("/var/lib/dirsrv/slapd-%s/db" % serverid) >>>>> Shouldn't we remove the whole directory and not just /db ? >>>>> >>>> We delete the whole directory now. I'm proposing we keep any ldif's and >>>> backups. >>> We should ask, backups may contain security sensitive material you may >>> really want to remove from the system. >>> >>> Simo. >>> >> Well, we clearly state the we "will delete all data and configuration!" >> so I guess we can go ahead and punt on this. >> >> Is the rest of the patch acceptable? > > yup > Simo. > Pushed -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Wed May 14 13:54:33 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 14 May 2008 09:54:33 -0400 Subject: [Freeipa-devel] [PATCH] enforce max uid length In-Reply-To: <1210712587.28428.10.camel@localhost.localdomain> References: <48249402.9060207@redhat.com> <1210712587.28428.10.camel@localhost.localdomain> Message-ID: <482AEF19.9010307@redhat.com> Simo Sorce wrote: > On Fri, 2008-05-09 at 14:12 -0400, Rob Crittenden wrote: >> Enforce the maximum username length set by IPA Policy. The plumbing >> for >> this wasn't connected at all :-( > > ack > pushed -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Wed May 14 13:58:23 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 14 May 2008 09:58:23 -0400 Subject: [Freeipa-devel] [PATCH] uninstall cleanup In-Reply-To: <1210711914.28428.8.camel@localhost.localdomain> References: <4829FADA.2040005@redhat.com> <1210711914.28428.8.camel@localhost.localdomain> Message-ID: <482AEFFF.4040703@redhat.com> Simo Sorce wrote: > On Tue, 2008-05-13 at 16:32 -0400, Rob Crittenden wrote: >> Always try to shut down the KDC during the uninstall process. >> >> Restart nscd as it may have made an LDAP connection. >> >> This should help remove some ports stuck at CLOSE_WAIT after >> uninstall. > > Full ack, thanks for fixing this problem. > > Simo. > pushed -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Wed May 14 15:44:25 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 14 May 2008 11:44:25 -0400 Subject: [Freeipa-devel] [PATCH] typo in man page Message-ID: <482B08D9.1080202@redhat.com> I applied the attached patch under the one-liner rule. Fixes a man page. rob -------------- next part -------------- An embedded message was scrubbed... From: Robert Crittenden Subject: ipa-client/man Date: Wed, 14 May 2008 16:01:20 +0000 (UTC) Size: 2609 URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From mnagy at redhat.com Wed May 14 16:57:20 2008 From: mnagy at redhat.com (Martin Nagy) Date: Wed, 14 May 2008 18:57:20 +0200 Subject: [Freeipa-devel] [PATCH] Don't ask the user if he want's to overwrite bind configuration if --setup-bind was specified Message-ID: <482B19F0.9000701@redhat.com> Don't ask the user if he want's to overwrite bind configuration if --setup-bind was specified From mnagy at redhat.com Tue May 13 17:03:04 2008 From: mnagy at redhat.com (Martin Nagy) Date: Tue, 13 May 2008 19:03:04 +0200 Subject: [Freeipa-devel] [PATCH] Don't ask the user again if he wants to replace bind configuration files if he specified --setup-bind. Message-ID: 430090 --- ipa-server/ipa-install/ipa-server-install | 11 +---------- 1 files changed, 1 insertions(+), 10 deletions(-) diff --git a/ipa-server/ipa-install/ipa-server-install b/ipa-server/ipa-install/ipa-server-install index e1cca39..a7fd30c 100644 --- a/ipa-server/ipa-install/ipa-server-install +++ b/ipa-server/ipa-install/ipa-server-install 
@@ -499,16 +499,7 @@ def main(): bind.setup(host_name, ip_address, realm_name, domain_name) if options.setup_bind: - skipbind = False - if not options.unattended: - print "This program is about to replace the DNS Server configuration," - print "with an automatically generated one, based on the data gathered so far." - print "This will REPLACE any existing configuration." - yesno = raw_input("Are you sure you want to configure the DNS Server ? [no]: ") - if not yesno or yesno.lower()[0] != 'y': - skipbind = True - if not skipbind: - bind.create_instance() + bind.create_instance() else: bind.create_sample_bind_zone() -- 1.5.4.1 --------------060607080406020305010809-- From mnagy at redhat.com Wed May 14 17:08:11 2008 From: mnagy at redhat.com (Martin Nagy) Date: Wed, 14 May 2008 19:08:11 +0200 Subject: [Freeipa-devel] [PATCH] Fix typo, /etc/resolve.conf -> /etc/resolv.conf. Message-ID: <482B1C7B.5010203@redhat.com> Correct a typo in bindinstance.py From mnagy at redhat.com Wed May 14 17:17:42 2008 From: mnagy at redhat.com (Martin Nagy) Date: Wed, 14 May 2008 19:17:42 +0200 Subject: [Freeipa-devel] [PATCH] Resend: Don't ask the user if he want's to overwrite bind configuration Message-ID: <482B1EB6.7000104@redhat.com> Don't ask the user if he want's to overwrite bind configuration if --setup-bind was specified -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Don-t-ask-the-user-again-if-he-wants-to-replace-bind.patch Type: text/x-patch Size: 1392 bytes Desc: not available URL: From mnagy at redhat.com Wed May 14 17:18:19 2008 
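Review bot: for interactive runs, the removed block was the only thing telling the user that "This will REPLACE any existing configuration." before the DNS server is reconfigured; after this hunk `--setup-bind` calls `bind.create_instance()` unconditionally, while the `if not options.unattended` path previously gave a chance to answer no. Since the commit message makes the new behaviour intentional, the `--setup-bind` help text and the ipa-server-install man page should state that it replaces any existing named configuration, or the installer should save a copy of the existing configuration before `bind.create_instance()` runs.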
From: mnagy at redhat.com (Martin Nagy) Date: Wed, 14 May 2008 19:18:19 +0200 Subject: [Freeipa-devel] [PATCH] Resend: Fix typo, /etc/resolve.conf -> /etc/resolv.conf Message-ID: <482B1EDB.7070805@redhat.com> Correct a typo in bindinstance.py -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-typo-etc-resolve.conf-etc-resolv.conf.patch Type: text/x-patch Size: 2239 bytes Desc: not available URL: From ssorce at redhat.com Wed May 14 17:27:38 2008 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 14 May 2008 13:27:38 -0400 Subject: [Freeipa-devel] [PATCH] Resend: Don't ask the user if he want's to overwrite bind configuration In-Reply-To: <482B1EB6.7000104@redhat.com> References: <482B1EB6.7000104@redhat.com> Message-ID: <1210786058.28428.34.camel@localhost.localdomain> On Wed, 2008-05-14 at 19:17 +0200, Martin Nagy wrote: > Don't ask the user if he want's to overwrite bind configuration if > --setup-bind was specified ack -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Wed May 14 17:28:01 2008 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 14 May 2008 13:28:01 -0400 Subject: [Freeipa-devel] [PATCH] Resend: Fix typo, /etc/resolve.conf -> /etc/resolv.conf In-Reply-To: <482B1EDB.7070805@redhat.com> References: <482B1EDB.7070805@redhat.com> Message-ID: <1210786081.28428.36.camel@localhost.localdomain> On Wed, 2008-05-14 at 19:18 +0200, Martin Nagy wrote: > Correct a typo in bindinstance.py ack -- Simo Sorce * Red Hat, Inc * New York From rmeggins at redhat.com Wed May 14 17:46:20 2008 
From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 14 May 2008 11:46:20 -0600 Subject: [Freeipa-devel] [PATCHES] First step to make DNA more useful and configurable In-Reply-To: <4829C973.50406@redhat.com> References: <20080510180502.GA26322@hopeson.columbia.edu> <4829C973.50406@redhat.com> Message-ID: <482B256C.9050105@redhat.com> Simo Sorce wrote: > Simo Sorce wrote: >> These first three patches are the starting point for making DNA much >> more useful >> in a dynamic environment where masters can come and go and where you >> do not want >> to reconfigure all of them at the same time just because you are >> adding a new >> one. >> See details here: http://directory.fedoraproject.org/wiki/DNA_Plugin >> >> These first patches only make it possible to add a maxvalue and check >> that the >> value allocate is actually free before assigning it, skipping until >> the first >> free is found otherwise. >> >> This patchset currently works and is backwards compatible. >> >> The next step will be to implement the housekeeping functions that >> allows >> multiple masters to actually split and transfer ranges of values >> between them. >> This is necessary for 2 reasons: >> 1. to allow new masters to be added and automatically assign them >> some space >> to alloc from. >> 2. To allow space to be shifted to masters that are more hungry than >> others. > > New patch set to replace the previos, fixes an issue spotted by Rich. ack > > Simo. > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From jim at meyering.net Wed May 14 19:37:59 2008 
From: jim at meyering.net (Jim Meyering) Date: Wed, 14 May 2008 21:37:59 +0200 Subject: [Freeipa-devel] [PATCH] detect failure to write ipa_kpasswd.pid file Message-ID: <87skwkfzhk.fsf@rho.meyering.net> Hi, I was looking through freeIPA's C code and found a few ways to improve it. >From fac9600e3eb1204fd7a2d0d2c6f0b7be17a3dc02 Mon Sep 17 00:00:00 2001 From: Jim Meyering Date: Sun, 4 May 2008 15:17:36 +0200 Subject: [PATCH] detect failure to write ipa_kpasswd.pid file * ipa_kpasswd.c (main): Detect not just open failure, but also any write failure. --- ipa-server/ipa-kpasswd/ipa_kpasswd.c | 20 ++++++++++++++------ 1 files changed, 14 insertions(+), 6 deletions(-) diff --git a/ipa-server/ipa-kpasswd/ipa_kpasswd.c b/ipa-server/ipa-kpasswd/ipa_kpasswd.c index 5782367..86aa6c1 100644 --- a/ipa-server/ipa-kpasswd/ipa_kpasswd.c +++ b/ipa-server/ipa-kpasswd/ipa_kpasswd.c @@ -3,7 +3,7 @@ /* Authors: Simo Sorce * - * Copyright (C) 2007 Red Hat + * Copyright (C) 2007, 2008 Red Hat * see file 'COPYING' for use and warranty information * * This program is free software; you can redistribute it and/or @@ -1188,13 +1188,21 @@ int main(int argc, char *argv[]) } /* Write out the pid file after the sigterm handler */ - FILE *f = fopen("/var/run/ipa_kpasswd.pid", "w"); + const char *pid_file = "/var/run/ipa_kpasswd.pid"; + FILE *f = fopen(pid_file, "w"); + int fail = 0; if (f == NULL) { - syslog(LOG_ERR,"Couldn't create pid file /var/run/ipa_kpasswd.pid: %s", strerror(errno)); - exit(1); + fail = 1; } else { - fprintf(f, "%ld\n", (long) getpid()); - fclose(f); + if (fprintf(f, "%ld\n", (long) getpid()) <= 0) + fail = 1; + if (fclose(f) != 0) + fail = 1; + } + if (fail) { + syslog(LOG_ERR,"Couldn't create pid file %s: %s", + pid_file, strerror(errno)); + exit(1); } tai = ai; -- 1.5.5.1.216.g33c73 From jim at meyering.net Wed May 14 19:48:34 2008 
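Review bot: in the new `if (fail)` block, `strerror(errno)` is evaluated after `fclose(f)` has already returned, so when it was `fprintf` that failed, errno may no longer describe that failure (a successful fclose is allowed to change errno). Capture it where each call fails, for example `int saved_errno = errno;` next to each `fail = 1;`, and pass `strerror(saved_errno)` to syslog. On the write-failure path a truncated pid file is also left behind under /var/run; `unlink(pid_file)` before `exit(1)` avoids a later start-up reading a bogus pid.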
From: jim at meyering.net (Jim Meyering) Date: Wed, 14 May 2008 21:48:34 +0200 Subject: [Freeipa-devel] [PATCH] remove useless if-before-free tests Message-ID: <87lk2cfyzx.fsf@rho.meyering.net> I've been on a crusade (;-) to remove useless if-before-free tests, so ran a script that spotted some here. I think I removed the first batch (without braces) automatically, then manually removed the ones with curly braces around the free statements. You may well have doubts about the portability of removing those tests, but as long as you don't care about SunOS4 or earlier, you'll be fine. I've done similar things for e.g., coreutils, glibc, and git, and have had no problems. FYI, here's the script to detect them (with comments showing how to remove some mechanically): http://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob_plain;f=build-aux/useless-if-before-free Here's the patch: >From 3106dd7fdf85796de7caaf5e58ffd4c2343bc681 Mon Sep 17 00:00:00 2001 From: Jim Meyering Date: Sun, 4 May 2008 15:44:32 +0200 Subject: [PATCH] remove useless if-before-free tests --- ipa-client/ipa-getkeytab.c | 2 +- ipa-server/ipa-kpasswd/ipa_kpasswd.c | 8 ++-- .../ipa-pwd-extop/ipa_pwd_extop.c | 36 ++++++------------- 3 files changed, 17 insertions(+), 29 deletions(-) diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c index 9642650..8a8c856 100644 --- a/ipa-client/ipa-getkeytab.c +++ b/ipa-client/ipa-getkeytab.c @@ -433,7 +433,7 @@ error_out: if (res) ldap_msgfree(res); if (ld) ldap_unbind_ext(ld, NULL, NULL); if (control) ber_bvfree(control); - if (encs) free(encs); + free(encs); return 0; } diff --git a/ipa-server/ipa-kpasswd/ipa_kpasswd.c b/ipa-server/ipa-kpasswd/ipa_kpasswd.c index 86aa6c1..877fd93 100644 --- a/ipa-server/ipa-kpasswd/ipa_kpasswd.c +++ b/ipa-server/ipa-kpasswd/ipa_kpasswd.c 
@@ -645,9 +645,9 @@ done: if (sctrl) ber_free(sctrl, 1); if (srvctrl) ldap_controls_free(srvctrl); if (res) ldap_msgfree(res); - if (exterr1) free(exterr1); - if (exterr2) free(exterr2); - if (userdn) free(userdn); + free(exterr1); + free(exterr2); + free(userdn); if (ld) ldap_unbind_ext(ld, NULL, NULL); if (tmp_file) { unlink(tmp_file); @@ -975,7 +975,7 @@ kpreply: *replen = replylen; done: - if (result_string) free(result_string); + free(result_string); if (auth_context) krb5_auth_con_free(context, auth_context); if (kprincpw) krb5_free_principal(context, kprincpw); if (krep.length) free(krep.data); diff --git a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index dec772c..2bfa517 100644 --- a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -198,20 +198,14 @@ static void ipapwd_keyset_free(struct ipapwd_keyset **pkset) for (i = 0; i < kset->num_keys; i++) { if (kset->keys[i].salt) { - if (kset->keys[i].salt->value.bv_val) { - free(kset->keys[i].salt->value.bv_val); - } + free(kset->keys[i].salt->value.bv_val); free(kset->keys[i].salt); } if (kset->keys[i].ekey) { - if (kset->keys[i].ekey->value.bv_val) { - free(kset->keys[i].ekey->value.bv_val); - } + free(kset->keys[i].ekey->value.bv_val); free(kset->keys[i].ekey); } - if (kset->keys[i].s2kparams.bv_val) { - free(kset->keys[i].s2kparams.bv_val); - } + free(kset->keys[i].s2kparams.bv_val); } free(kset->keys); free(kset); 
@@ -238,20 +232,14 @@ static int filter_keys(struct ipapwd_keyset *kset) /* free key */ if (kset->keys[i].ekey) { - if (kset->keys[i].ekey->value.bv_val) { - free(kset->keys[i].ekey->value.bv_val); - } + free(kset->keys[i].ekey->value.bv_val); free(kset->keys[i].ekey); } if (kset->keys[i].salt) { - if (kset->keys[i].salt->value.bv_val) { - free(kset->keys[i].salt->value.bv_val); - } + free(kset->keys[i].salt->value.bv_val); free(kset->keys[i].salt); } - if (kset->keys[i].s2kparams.bv_val) { - free(kset->keys[i].s2kparams.bv_val); - } + free(kset->keys[i].s2kparams.bv_val); /* move all remaining keys up by one */ kset->num_keys -= 1; @@ -741,7 +729,7 @@ enc_error: if (kset) ipapwd_keyset_free(&kset); krb5_free_principal(krbctx, princ); if (bval) ber_bvfree(bval); - if (svals) free(svals); + free(svals); return NULL; } @@ -2543,7 +2531,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb) /* Free anything that we allocated above */ free_and_return: - if (serviceName) free(serviceName); + free(serviceName); if (kset) ipapwd_keyset_free(&kset); if (bval) ber_bvfree(bval); @@ -2789,10 +2777,10 @@ static int ipapwd_getConfig(krb5_context krbctx, const char *realm_dn) free_and_error: if (mkey) ber_bvfree(mkey); if (be) ber_free(be, 1); - if (config->pref_encsalts) free(config->pref_encsalts); - if (config->supp_encsalts) free(config->supp_encsalts); - if (config->kmkey) free(config->kmkey); - if (config) free(config); + free(config->pref_encsalts); + free(config->supp_encsalts); + free(config->kmkey); + free(config); if (realm_entry) slapi_entry_free(realm_entry); return LDAP_OPERATIONS_ERROR; } -- 1.5.5.1.216.g33c73 From jim at meyering.net Wed May 14 19:49:30 2008 From: jim at meyering.net (Jim Meyering) Date: Wed, 14 May 2008 21:49:30 +0200 Subject: [Freeipa-devel] [PATCH] ipa_pwd_extop.c (encrypt_encode_key): Handle malloc failure. Message-ID: <87fxskfyyd.fsf@rho.meyering.net> >From 5c162081daa0c66783f858a458cc2d08d6e208e0 Mon Sep 17 00:00:00 2001 
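Review bot: in the `free_and_error:` hunk of `ipapwd_getConfig`, the old code tested `if (config)` only before the final free while it had already dereferenced `config->pref_encsalts`, `config->supp_encsalts` and `config->kmkey` unconditionally, and the new code keeps those unconditional dereferences. If `config` can be NULL on this error path, `free(config->pref_encsalts);` crashes before `free(config);` is reached; either confirm that every `goto free_and_error` happens after `config` is allocated, or wrap the three member frees and `free(config)` in a single `if (config) { ... }` block. The other hunks are plain removals of redundant NULL tests before `free()` and look fine.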
From: Jim Meyering Date: Wed, 14 May 2008 11:03:52 +0200 Subject: [PATCH] * ipa_pwd_extop.c (encrypt_encode_key): Handle malloc failure. --- .../ipa-pwd-extop/ipa_pwd_extop.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index 2bfa517..f07bbbf 100644 --- a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -570,6 +570,11 @@ static Slapi_Value **encrypt_encode_key(krb5_context krbctx, struct ipapwd_data if (krbTicketFlags & KTF_REQUIRES_PRE_AUTH) { salt.length = KRB5P_SALT_SIZE; salt.data = malloc(KRB5P_SALT_SIZE); + if (!salt.data) { + slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", + "memory allocation failed\n"); + goto enc_error; + } krberr = krb5_c_random_make_octets(krbctx, &salt); if (krberr) { slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", -- 1.5.5.1.216.g33c73 From jim at meyering.net Wed May 14 19:54:51 2008 From: jim at meyering.net (Jim Meyering) Date: Wed, 14 May 2008 21:54:51 +0200 Subject: [Freeipa-devel] many unchecked strdup calls Message-ID: <87abisfypg.fsf@rho.meyering.net> I noticed that there are many unchecked strdup calls. Most look like this: result_string = strdup("Failed to init kerberos context"); result_err = KRB5_KPASSWD_HARDERROR; syslog(LOG_ERR, "%s", result_string); result_string = strdup("Failed to get default realm name"); result_err = KRB5_KPASSWD_HARDERROR; syslog(LOG_ERR, "%s", result_string); Since some uses of strdup are checked, I suppose that those aren't is an oversight. If it's ok to exit from that context, the fix may be as simple as s/strdup/xstrdup/. From jim at meyering.net Wed May 14 19:58:16 2008 
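Review bot: the added NULL check jumps to `enc_error` with `salt.length` already set to `KRB5P_SALT_SIZE` while `salt.data` is NULL, so the struct is inconsistent for any cleanup that looks at the length before the pointer. Resetting `salt.length = 0;` before the `goto enc_error;`, or assigning `salt.data` before `salt.length`, keeps it consistent. Including the requested size in the "memory allocation failed" message would also make it easier to tell this failure apart from other allocation errors in the log.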
From: jim at meyering.net (Jim Meyering) Date: Wed, 14 May 2008 21:58:16 +0200 Subject: [Freeipa-devel] asprintf usage Message-ID: <874p90fyjr.fsf@rho.meyering.net> I noticed some uses of asprintf like this: ... asprintf(&exterr2, " (%d seconds left before password expires)", bint); } else { asprintf(&exterr2, " (%d grace logins remaining)", bint); } if (!exterr2) { syslog(LOG_ERR, "exterr2: OOM?"); Note how it tests for failure by examining exterr2. Unfortunately, when asprintf fails (returns -1), that pointer is specified to be "undefined". From rcritten at redhat.com Wed May 14 20:26:45 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 14 May 2008 16:26:45 -0400 Subject: [Freeipa-devel] [PATCH] Resend: Don't ask the user if he want's to overwrite bind configuration In-Reply-To: <1210786058.28428.34.camel@localhost.localdomain> References: <482B1EB6.7000104@redhat.com> <1210786058.28428.34.camel@localhost.localdomain> Message-ID: <482B4B05.8050102@redhat.com> Simo Sorce wrote: > On Wed, 2008-05-14 at 19:17 +0200, Martin Nagy wrote: >> Don't ask the user if he want's to overwrite bind configuration if >> --setup-bind was specified > > ack > Pushed -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Wed May 14 20:26:55 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 14 May 2008 16:26:55 -0400 Subject: [Freeipa-devel] [PATCH] Resend: Fix typo, /etc/resolve.conf -> /etc/resolv.conf In-Reply-To: <1210786081.28428.36.camel@localhost.localdomain> References: <482B1EDB.7070805@redhat.com> <1210786081.28428.36.camel@localhost.localdomain> Message-ID: <482B4B0F.2040700@redhat.com> Simo Sorce wrote: > On Wed, 2008-05-14 at 19:18 +0200, Martin Nagy wrote: >> Correct a typo in bindinstance.py > > ack > Pushed -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Wed May 14 21:22:51 2008 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 14 May 2008 17:22:51 -0400 Subject: [Freeipa-devel] [PATCH] ipa_pwd_extop.c (encrypt_encode_key): Handle malloc failure. In-Reply-To: <87fxskfyyd.fsf@rho.meyering.net> References: <87fxskfyyd.fsf@rho.meyering.net> Message-ID: <1210800171.28428.50.camel@localhost.localdomain> On Wed, 2008-05-14 at 21:49 +0200, Jim Meyering wrote: > >From 5c162081daa0c66783f858a458cc2d08d6e208e0 Mon Sep 17 00:00:00 2001 > From: Jim Meyering > Date: Wed, 14 May 2008 11:03:52 +0200 > Subject: [PATCH] * ipa_pwd_extop.c (encrypt_encode_key): Handle malloc failure. > > --- > .../ipa-pwd-extop/ipa_pwd_extop.c | 5 +++++ > 1 files changed, 5 insertions(+), 0 deletions(-) > > diff --git a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c > index 2bfa517..f07bbbf 100644 > --- a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c > +++ b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c 
> @@ -570,6 +570,11 @@ static Slapi_Value **encrypt_encode_key(krb5_context krbctx, struct ipapwd_data > if (krbTicketFlags & KTF_REQUIRES_PRE_AUTH) { > salt.length = KRB5P_SALT_SIZE; > salt.data = malloc(KRB5P_SALT_SIZE); > + if (!salt.data) { > + slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", > + "memory allocation failed\n"); > + goto enc_error; > + } > krberr = krb5_c_random_make_octets(krbctx, &salt); > if (krberr) { > slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", > -- ACK -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Wed May 14 21:23:44 2008 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 14 May 2008 17:23:44 -0400 Subject: [Freeipa-devel] many unchecked strdup calls In-Reply-To: <87abisfypg.fsf@rho.meyering.net> References: <87abisfypg.fsf@rho.meyering.net> Message-ID: <1210800224.28428.52.camel@localhost.localdomain> On Wed, 2008-05-14 at 21:54 +0200, Jim Meyering wrote: > I noticed that there are many unchecked strdup calls. > Most look like this: > > result_string = strdup("Failed to init kerberos context"); > result_err = KRB5_KPASSWD_HARDERROR; > syslog(LOG_ERR, "%s", result_string); > > result_string = strdup("Failed to get default realm name"); > result_err = KRB5_KPASSWD_HARDERROR; > syslog(LOG_ERR, "%s", result_string); > > Since some uses of strdup are checked, I suppose that those aren't > is an oversight. > > If it's ok to exit from that context, the fix may be as simple > as s/strdup/xstrdup/. If it is in ipa-getkeytab.c I would welcome a patch in this sense yes. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Wed May 14 21:24:43 2008 
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 14 May 2008 17:24:43 -0400
Subject: [Freeipa-devel] asprintf usage
In-Reply-To: <874p90fyjr.fsf@rho.meyering.net>
References: <874p90fyjr.fsf@rho.meyering.net>
Message-ID: <1210800283.28428.54.camel@localhost.localdomain>

On Wed, 2008-05-14 at 21:58 +0200, Jim Meyering wrote:
> I noticed some uses of asprintf like this:
>
> ...
> asprintf(&exterr2, " (%d seconds left before password expires)", bint);
> } else {
> asprintf(&exterr2, " (%d grace logins remaining)", bint);
> }
> if (!exterr2) {
> syslog(LOG_ERR, "exterr2: OOM?");
>
> Note how it tests for failure by examining exterr2.
> Unfortunately, when asprintf fails (returns -1),
> that pointer is specified to be "undefined".

Good catch!
I will see to fix this asap.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed May 14 21:42:00 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 14 May 2008 17:42:00 -0400
Subject: [Freeipa-devel] [PATCH] remove useless if-before-free tests
In-Reply-To: <87lk2cfyzx.fsf@rho.meyering.net>
References: <87lk2cfyzx.fsf@rho.meyering.net>
Message-ID: <1210801320.28428.56.camel@localhost.localdomain>

On Wed, 2008-05-14 at 21:48 +0200, Jim Meyering wrote:
> I've been on a crusade (;-) to remove useless if-before-free tests,
> so ran a script that spotted some here. I think I removed the first
> batch (without braces) automatically, then manually removed the ones
> with curly braces around the free statements.
>
> You may well have doubts about the portability of removing those
> tests, but as long as you don't care about SunOS4 or earlier, you'll
> be fine. I've done similar things for e.g., coreutils, glibc, and
> git,
> and have had no problems.

Ack

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed May 14 21:43:08 2008
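The asprintf pitfall Jim describes in the "asprintf usage" thread above, as an added example that is not code from FreeIPA or from either poster: checked_asprintf() is a hypothetical vsnprintf-based stand-in for GNU asprintf() that keeps the same return convention but also sets the output pointer to NULL on failure, and expiry_note() builds the message from the thread while branching on the return value rather than on the pointer.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable stand-in for GNU asprintf() (an assumption of this example) with
 * one deliberate difference: on failure it returns -1 AND stores NULL in
 * *strp. Real asprintf() leaves *strp undefined on failure, which is why a
 * pointer check such as "if (!exterr2)" is not a valid failure test there. */
int checked_asprintf(char **strp, const char *fmt, ...)
{
    va_list ap, ap_copy;
    int len;
    char *buf;

    *strp = NULL;                         /* defined even on the failure path */
    va_start(ap, fmt);
    va_copy(ap_copy, ap);
    len = vsnprintf(NULL, 0, fmt, ap);    /* first pass: measure the output */
    va_end(ap);
    if (len < 0) {
        va_end(ap_copy);
        return -1;                        /* encoding error */
    }
    buf = malloc((size_t)len + 1);
    if (buf == NULL) {
        va_end(ap_copy);
        return -1;                        /* out of memory */
    }
    vsnprintf(buf, (size_t)len + 1, fmt, ap_copy);   /* second pass: format */
    va_end(ap_copy);
    *strp = buf;
    return len;
}

/* The message from the thread: bint is either the seconds until the password
 * expires or the number of grace logins left. The caller frees the result;
 * NULL means the message could not be built. */
char *expiry_note(int bint, int expiring)
{
    char *exterr2;
    int n;

    if (expiring)
        n = checked_asprintf(&exterr2, " (%d seconds left before password expires)", bint);
    else
        n = checked_asprintf(&exterr2, " (%d grace logins remaining)", bint);

    /* Correct check: the return value. With real asprintf() an
     * "if (!exterr2)" here would read a pointer that is undefined after -1. */
    if (n < 0)
        return NULL;
    return exterr2;
}

/* Test helper: build the note, compare it with the expected text, free it. */
int note_equals(int bint, int expiring, const char *expected)
{
    char *s = expiry_note(bint, expiring);
    int same = (s != NULL && strcmp(s, expected) == 0);
    free(s);
    return same;
}
```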
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 14 May 2008 17:43:08 -0400 Subject: [Freeipa-devel] [PATCH] detect failure to write ipa_kpasswd.pid file In-Reply-To: <87skwkfzhk.fsf@rho.meyering.net> References: <87skwkfzhk.fsf@rho.meyering.net> Message-ID: <1210801388.28428.59.camel@localhost.localdomain> On Wed, 2008-05-14 at 21:37 +0200, Jim Meyering wrote: > Hi, > > I was looking through freeIPA's C code and found a few ways to improve it. > > >From fac9600e3eb1204fd7a2d0d2c6f0b7be17a3dc02 Mon Sep 17 00:00:00 2001 > From: Jim Meyering > Date: Sun, 4 May 2008 15:17:36 +0200 > Subject: [PATCH] detect failure to write ipa_kpasswd.pid file > > * ipa_kpasswd.c (main): Detect not just open failure, > but also any write failure. > --- > ipa-server/ipa-kpasswd/ipa_kpasswd.c | 20 ++++++++++++++------ > 1 files changed, 14 insertions(+), 6 deletions(-) > > diff --git a/ipa-server/ipa-kpasswd/ipa_kpasswd.c b/ipa-server/ipa-kpasswd/ipa_kpasswd.c > index 5782367..86aa6c1 100644 > --- a/ipa-server/ipa-kpasswd/ipa_kpasswd.c > +++ b/ipa-server/ipa-kpasswd/ipa_kpasswd.c > @@ -3,7 +3,7 @@ > > /* Authors: Simo Sorce > * > - * Copyright (C) 2007 Red Hat > + * Copyright (C) 2007, 2008 Red Hat > * see file 'COPYING' for use and warranty information > * > * This program is free software; you can redistribute it and/or 
> @@ -1188,13 +1188,21 @@ int main(int argc, char *argv[]) > } > > /* Write out the pid file after the sigterm handler */ > - FILE *f = fopen("/var/run/ipa_kpasswd.pid", "w"); > + const char *pid_file = "/var/run/ipa_kpasswd.pid"; > + FILE *f = fopen(pid_file, "w"); > + int fail = 0; > if (f == NULL) { > - syslog(LOG_ERR,"Couldn't create pid file /var/run/ipa_kpasswd.pid: %s", strerror(errno)); > - exit(1); > + fail = 1; > } else { > - fprintf(f, "%ld\n", (long) getpid()); > - fclose(f); > + if (fprintf(f, "%ld\n", (long) getpid()) <= 0) > + fail = 1; > + if (fclose(f) != 0) > + fail = 1; > + } > + if (fail) { > + syslog(LOG_ERR,"Couldn't create pid file %s: %s", > + pid_file, strerror(errno)); > + exit(1); > } > > tai = ai; > -- > 1.5.5.1.216.g33c73 The code might look better if you do if(f) {} and completely remove the 'else' statement. Simo. -- Simo Sorce * Red Hat, Inc * New York From jim at meyering.net Wed May 14 22:25:52 2008 From: jim at meyering.net (Jim Meyering) Date: Thu, 15 May 2008 00:25:52 +0200 Subject: [Freeipa-devel] [PATCH] detect failure to write ipa_kpasswd.pid file In-Reply-To: <1210801388.28428.59.camel@localhost.localdomain> (Simo Sorce's message of "Wed, 14 May 2008 17:43:08 -0400") References: <87skwkfzhk.fsf@rho.meyering.net> <1210801388.28428.59.camel@localhost.localdomain> Message-ID: <87lk2ced5b.fsf@rho.meyering.net> Simo Sorce wrote: > On Wed, 2008-05-14 at 21:37 +0200, Jim Meyering wrote: >> Hi, >> >> I was looking through freeIPA's C code and found a few ways to improve it. >> >> >From fac9600e3eb1204fd7a2d0d2c6f0b7be17a3dc02 Mon Sep 17 00:00:00 2001 >> From: Jim Meyering >> Date: Sun, 4 May 2008 15:17:36 +0200 >> Subject: [PATCH] detect failure to write ipa_kpasswd.pid file >> >> * ipa_kpasswd.c (main): Detect not just open failure, >> but also any write failure. >> --- >> ipa-server/ipa-kpasswd/ipa_kpasswd.c | 20 ++++++++++++++------ >> 1 files changed, 14 insertions(+), 6 deletions(-) 
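Review bot: in the `@@ -1188,13 +1188,21 @@ int main` hunk of the first ipa_kpasswd.pid patch, the errno that the final `syslog(..., strerror(errno))` reports can be stale: when `fprintf` fails and the following `fclose` succeeds, errno no longer describes the write error, and when `fclose` fails after a successful `fprintf` it is correct only by accident of ordering. Save errno immediately after the failing call and restore it before the syslog. Minor: `fail = 1` is assigned in three places and the `else` branch is not needed; initialising `fail` to 1 and clearing it only when both `fprintf` and `fclose` succeed inside `if (f) { ... }` reads more directly.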
>> >> diff --git a/ipa-server/ipa-kpasswd/ipa_kpasswd.c b/ipa-server/ipa-kpasswd/ipa_kpasswd.c >> index 5782367..86aa6c1 100644 >> --- a/ipa-server/ipa-kpasswd/ipa_kpasswd.c >> +++ b/ipa-server/ipa-kpasswd/ipa_kpasswd.c >> @@ -3,7 +3,7 @@ >> >> /* Authors: Simo Sorce >> * >> - * Copyright (C) 2007 Red Hat >> + * Copyright (C) 2007, 2008 Red Hat >> * see file 'COPYING' for use and warranty information >> * >> * This program is free software; you can redistribute it and/or >> @@ -1188,13 +1188,21 @@ int main(int argc, char *argv[]) >> } >> >> /* Write out the pid file after the sigterm handler */ >> - FILE *f = fopen("/var/run/ipa_kpasswd.pid", "w"); >> + const char *pid_file = "/var/run/ipa_kpasswd.pid"; >> + FILE *f = fopen(pid_file, "w"); >> + int fail = 0; >> if (f == NULL) { >> - syslog(LOG_ERR,"Couldn't create pid file /var/run/ipa_kpasswd.pid: %s", strerror(errno)); >> - exit(1); >> + fail = 1; >> } else { >> - fprintf(f, "%ld\n", (long) getpid()); >> - fclose(f); >> + if (fprintf(f, "%ld\n", (long) getpid()) <= 0) >> + fail = 1; >> + if (fclose(f) != 0) >> + fail = 1; >> + } >> + if (fail) { >> + syslog(LOG_ERR,"Couldn't create pid file %s: %s", >> + pid_file, strerror(errno)); >> + exit(1); >> } >> >> tai = ai; >> -- >> 1.5.5.1.216.g33c73 > > The code might look better if you do if(f) {} and completely remove the > 'else' statement. Maybe I'm being dense, but I don't see it. Can you be more precise? From ssorce at redhat.com Wed May 14 22:33:36 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 14 May 2008 18:33:36 -0400 Subject: [Freeipa-devel] [PATCH] detect failure to write ipa_kpasswd.pid file In-Reply-To: <87lk2ced5b.fsf@rho.meyering.net> References: <87skwkfzhk.fsf@rho.meyering.net> <1210801388.28428.59.camel@localhost.localdomain> <87lk2ced5b.fsf@rho.meyering.net> Message-ID: <1210804416.28428.63.camel@localhost.localdomain> On Thu, 2008-05-15 at 00:25 +0200, Jim Meyering wrote: > Simo Sorce wrote: > > On Wed, 2008-05-14 at 21:37 +0200, Jim Meyering wrote: > >> Hi, > >> > >> I was looking through freeIPA's C code and found a few ways to improve it. > >> > >> >From fac9600e3eb1204fd7a2d0d2c6f0b7be17a3dc02 Mon Sep 17 00:00:00 2001 > >> From: Jim Meyering > >> Date: Sun, 4 May 2008 15:17:36 +0200 > >> Subject: [PATCH] detect failure to write ipa_kpasswd.pid file > >> > >> * ipa_kpasswd.c (main): Detect not just open failure, > >> but also any write failure. > >> --- > >> ipa-server/ipa-kpasswd/ipa_kpasswd.c | 20 ++++++++++++++------ > >> 1 files changed, 14 insertions(+), 6 deletions(-) > >> > >> diff --git a/ipa-server/ipa-kpasswd/ipa_kpasswd.c b/ipa-server/ipa-kpasswd/ipa_kpasswd.c > >> index 5782367..86aa6c1 100644 > >> --- a/ipa-server/ipa-kpasswd/ipa_kpasswd.c > >> +++ b/ipa-server/ipa-kpasswd/ipa_kpasswd.c > >> @@ -3,7 +3,7 @@ > >> > >> /* Authors: Simo Sorce > >> * > >> - * Copyright (C) 2007 Red Hat > >> + * Copyright (C) 2007, 2008 Red Hat > >> * see file 'COPYING' for use and warranty information > >> * > >> * This program is free software; you can redistribute it and/or 
> >> @@ -1188,13 +1188,21 @@ int main(int argc, char *argv[]) > >> } > >> > >> /* Write out the pid file after the sigterm handler */ > >> - FILE *f = fopen("/var/run/ipa_kpasswd.pid", "w"); > >> + const char *pid_file = "/var/run/ipa_kpasswd.pid"; > >> + FILE *f = fopen(pid_file, "w"); > >> + int fail = 0; > >> if (f == NULL) { > >> - syslog(LOG_ERR,"Couldn't create pid file /var/run/ipa_kpasswd.pid: %s", strerror(errno)); > >> - exit(1); > >> + fail = 1; > >> } else { > >> - fprintf(f, "%ld\n", (long) getpid()); > >> - fclose(f); > >> + if (fprintf(f, "%ld\n", (long) getpid()) <= 0) > >> + fail = 1; > >> + if (fclose(f) != 0) > >> + fail = 1; > >> + } > >> + if (fail) { > >> + syslog(LOG_ERR,"Couldn't create pid file %s: %s", > >> + pid_file, strerror(errno)); > >> + exit(1); > >> } > >> > >> tai = ai; > >> -- > >> 1.5.5.1.216.g33c73 > > > > The code might look better if you do if(f) {} and completely remove the > > 'else' statement. > > Maybe I'm being dense, but I don't see it. > Can you be more precise? The flow is more readable this way: int fail = 1; if (f) { /* do stuff */ if (all_ok) fail = 0; } if (fail) { /* log and exit */ } Also I personally prefer not to execute functions on variables declaration. Like: FILE *f = fopen(pid_file, "w"); (yes I know the original code did it as well :) It is clearer if functions are explicitly run after all variables have been declared IMO. Simo. -- Simo Sorce * Red Hat, Inc * New York From mchristi at u.washington.edu Wed May 14 22:36:20 2008 
From: mchristi at u.washington.edu (Mark Christiansen)
Date: Wed, 14 May 2008 15:36:20 -0700
Subject: [Freeipa-devel] installation issues
Message-ID:

Hello everyone,

I joined the developer list to attempt to work out basic issues with installation both in a Virtual Machine running FC7 (VMware) and on RHEL5.1. I am unable to install on either platform. Please help me work it out, as I would love to help make freeipa a better tool.

First of all, on the RHEL5.1 machine, issuing a "yum install --enablerepo=updates-testing ipa-server" doesn't work. What now? Could this be added to the installation or troubleshooting page somehow? (Is this something I can help maintain?)

Secondly, on the FC7 VM, whenever I issue a ldap* command, I get an error from ldap_sasl_interactive_bind_s. I am a noob, but the web page suggests I should update fedora-ds. I thought doing the yum install command should take care of installing that package. If I do a yum list, I can clearly see I have a sufficient level of fedora-ds. If I continue to modify the installation for a VM as the instructions state, I eventually lose the ability to communicate to freeipa through the html page. So really, there are two issues here.

Does anyone know what I may be doing wrong, what I may be missing, or know of how I can help to get this working?

Thanks!
-Mark

From jim at meyering.net Wed May 14 23:10:50 2008
From: jim at meyering.net (Jim Meyering) Date: Thu, 15 May 2008 01:10:50 +0200 Subject: [Freeipa-devel] [PATCH] detect failure to write ipa_kpasswd.pid file In-Reply-To: <1210804416.28428.63.camel@localhost.localdomain> (Simo Sorce's message of "Wed, 14 May 2008 18:33:36 -0400") References: <87skwkfzhk.fsf@rho.meyering.net> <1210801388.28428.59.camel@localhost.localdomain> <87lk2ced5b.fsf@rho.meyering.net> <1210804416.28428.63.camel@localhost.localdomain> Message-ID: <87fxskeb2d.fsf@rho.meyering.net> Simo Sorce wrote: > On Thu, 2008-05-15 at 00:25 +0200, Jim Meyering wrote: >> Simo Sorce wrote: >> > On Wed, 2008-05-14 at 21:37 +0200, Jim Meyering wrote: >> >> Hi, >> >> >> >> I was looking through freeIPA's C code and found a few ways to improve it. >> >> >> >> >From fac9600e3eb1204fd7a2d0d2c6f0b7be17a3dc02 Mon Sep 17 00:00:00 2001 >> >> From: Jim Meyering >> >> Date: Sun, 4 May 2008 15:17:36 +0200 >> >> Subject: [PATCH] detect failure to write ipa_kpasswd.pid file >> >> >> >> * ipa_kpasswd.c (main): Detect not just open failure, >> >> but also any write failure. >> >> --- >> >> ipa-server/ipa-kpasswd/ipa_kpasswd.c | 20 ++++++++++++++------ >> >> 1 files changed, 14 insertions(+), 6 deletions(-) >> >> >> >> diff --git a/ipa-server/ipa-kpasswd/ipa_kpasswd.c b/ipa-server/ipa-kpasswd/ipa_kpasswd.c >> >> index 5782367..86aa6c1 100644 >> >> --- a/ipa-server/ipa-kpasswd/ipa_kpasswd.c >> >> +++ b/ipa-server/ipa-kpasswd/ipa_kpasswd.c >> >> @@ -3,7 +3,7 @@ >> >> >> >> /* Authors: Simo Sorce >> >> * >> >> - * Copyright (C) 2007 Red Hat >> >> + * Copyright (C) 2007, 2008 Red Hat >> >> * see file 'COPYING' for use and warranty information >> >> * >> >> * This program is free software; you can redistribute it and/or 
>> >> @@ -1188,13 +1188,21 @@ int main(int argc, char *argv[]) >> >> } >> >> >> >> /* Write out the pid file after the sigterm handler */ >> >> - FILE *f = fopen("/var/run/ipa_kpasswd.pid", "w"); >> >> + const char *pid_file = "/var/run/ipa_kpasswd.pid"; >> >> + FILE *f = fopen(pid_file, "w"); >> >> + int fail = 0; >> >> if (f == NULL) { >> >> - syslog(LOG_ERR,"Couldn't create pid file /var/run/ipa_kpasswd.pid: %s", strerror(errno)); >> >> - exit(1); >> >> + fail = 1; >> >> } else { >> >> - fprintf(f, "%ld\n", (long) getpid()); >> >> - fclose(f); >> >> + if (fprintf(f, "%ld\n", (long) getpid()) <= 0) >> >> + fail = 1; >> >> + if (fclose(f) != 0) >> >> + fail = 1; >> >> + } >> >> + if (fail) { >> >> + syslog(LOG_ERR,"Couldn't create pid file %s: %s", >> >> + pid_file, strerror(errno)); >> >> + exit(1); >> >> } >> >> >> >> tai = ai; >> >> -- >> >> 1.5.5.1.216.g33c73 >> > >> > The code might look better if you do if(f) {} and completely remove the >> > 'else' statement. >> >> Maybe I'm being dense, but I don't see it. >> Can you be more precise? > > The flow is more readable this way: > > int fail = 1; > > if (f) { > /* do stuff */ > if (all_ok) fail = 0; > } > > if (fail) { /* log and exit */ } Making it more readable while retaining correctness is tricky. The catch lies in always closing F, even when fprintf fails. The following is shorter and no less correct -- maybe even more readable. At least it doesn't set fail=1 three times: [note that technically, we should save errno from a failed fprintf, so it can't be clobbered by fclose, but in practice it probably doesn't matter, since that use of fprintf won't ever fail. 
]

const char *pid_file = "/var/run/ipa_kpasswd.pid";
int fail = 1;
FILE *f = fopen(pid_file, "w");
if (f) {
    int n_bytes = fprintf(f, "%ld\n", (long) getpid());
    if (fclose(f) == 0 && 0 < n_bytes)
        fail = 0;
}
if (fail) {
    syslog(LOG_ERR,"Couldn't create pid file %s: %s",
        pid_file, strerror(errno));
    exit(1);
}

> Also I personally prefer not to execute functions on variables
> declaration.
> Like: FILE *f = fopen(pid_file, "w");
> (yes I know the original code did it as well :)
>
> It is clearer if functions are explicitly run after all variables have
> been declared IMO.

I have the opposite preference.
I prefer to avoid the added line (more code fits on a screen/page), and to avoid the duplicate use of the variable name (one fewer detail that can get out of sync).

From jim at meyering.net Thu May 15 11:29:56 2008
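The pid-file write that the thread converges on, as an added example rather than the FreeIPA patch itself, extended to handle the errno caveat in Jim's bracketed note: write_pid_file() always closes the stream and preserves the errno of the first failing call, so the caller's strerror() names the real cause. The /tmp path in main() is a constructed stand-in for /var/run/ipa_kpasswd.pid, and read_pid_file() and the two *_with helpers exist only for the check.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Write "pid\n" to pid_file. Returns 0 on success; on failure returns -1 with
 * errno set to the FIRST error (fopen, fprintf or fclose), so a caller's
 * strerror(errno) reports the real cause rather than whatever fclose left. */
int write_pid_file(const char *pid_file, long pid)
{
    FILE *f;
    int fail = 1;
    int saved_errno = 0;

    f = fopen(pid_file, "w");
    if (f) {
        int n_bytes = fprintf(f, "%ld\n", pid);
        if (n_bytes <= 0)
            saved_errno = errno;          /* remember it: fclose may clobber errno */
        /* Always close f, even after a failed fprintf. The stream is buffered,
         * so a disk-full or I/O error normally surfaces here, not in fprintf. */
        if (fclose(f) == 0 && 0 < n_bytes)
            fail = 0;
        else if (saved_errno == 0)
            saved_errno = errno;          /* fclose was the first failure */
    } else {
        saved_errno = errno;              /* open failed */
    }

    if (fail) {
        errno = saved_errno;
        return -1;
    }
    return 0;
}

/* Read the pid back; returns -1 if the file is missing or malformed. */
long read_pid_file(const char *pid_file)
{
    FILE *f = fopen(pid_file, "r");
    long pid;

    if (f == NULL)
        return -1;
    if (fscanf(f, "%ld", &pid) != 1)
        pid = -1;
    fclose(f);
    return pid;
}

/* Test helper: write pid, read it back, remove the file; 1 on a clean round trip. */
int pid_roundtrip(const char *pid_file, long pid)
{
    int ok = write_pid_file(pid_file, pid) == 0 && read_pid_file(pid_file) == pid;
    unlink(pid_file);
    return ok;
}

/* Test helper: 1 if writing pid_file fails and errno names expected_errno. */
int write_fails_with(const char *pid_file, int expected_errno)
{
    return write_pid_file(pid_file, 1L) == -1 && errno == expected_errno;
}

int main(void)
{
    /* Constructed demo path; the daemon itself uses /var/run/ipa_kpasswd.pid. */
    const char *pid_file = "/tmp/ipa_kpasswd_example.pid";

    if (write_pid_file(pid_file, (long) getpid()) != 0) {
        fprintf(stderr, "Couldn't create pid file %s: %s\n",
                pid_file, strerror(errno));
        return 1;
    }
    printf("wrote pid %ld to %s\n", read_pid_file(pid_file), pid_file);
    unlink(pid_file);
    return 0;
}
```

On Linux, writing to /dev/full exercises the fclose path: fopen and the buffered fprintf succeed, and the flush in fclose fails with ENOSPC, which write_pid_file then reports.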
From: jim at meyering.net (Jim Meyering) Date: Thu, 15 May 2008 13:29:56 +0200 Subject: [Freeipa-devel] [PATCH] detect failure to write ipa_kpasswd.pid file In-Reply-To: <87fxskeb2d.fsf@rho.meyering.net> (Jim Meyering's message of "Thu, 15 May 2008 01:10:50 +0200") References: <87skwkfzhk.fsf@rho.meyering.net> <1210801388.28428.59.camel@localhost.localdomain> <87lk2ced5b.fsf@rho.meyering.net> <1210804416.28428.63.camel@localhost.localdomain> <87fxskeb2d.fsf@rho.meyering.net> Message-ID: <87bq37dcuj.fsf@rho.meyering.net> Jim Meyering wrote: > Making it more readable while retaining correctness is tricky. > The catch lies in always closing F, even when fprintf fails. > The following is shorter and no less correct -- maybe even more > readable. At least it doesn't set fail=1 three times: > [note that technically, we should save errno from > a failed fprintf, so it can't be clobbered by fclose, > but in practice it probably doesn't matter, since that > use of fprintf won't ever fail. ] > > const char *pid_file = "/var/run/ipa_kpasswd.pid"; > int fail = 1; > FILE *f = fopen(pid_file, "w"); > if (f) { > int n_bytes = fprintf(f, "%ld\n", (long) getpid()); > if (fclose(f) == 0 && 0 < n_bytes) > fail = 0; > } > if (fail) { > syslog(LOG_ERR,"Couldn't create pid file %s: %s", > pid_file, strerror(errno)); > exit(1); > } In case you like that, here's the patch: >From e9c342f7670c8120695e06351d3e895c2c907910 Mon Sep 17 00:00:00 2001 From: Jim Meyering Date: Sun, 4 May 2008 15:17:36 +0200 Subject: [PATCH] detect failure to write ipa_kpasswd.pid file * ipa_kpasswd.c (main): Detect not just open failure, but also any write failure. --- ipa-server/ipa-kpasswd/ipa_kpasswd.c | 19 ++++++++++++------- 1 files changed, 12 insertions(+), 7 deletions(-) diff --git a/ipa-server/ipa-kpasswd/ipa_kpasswd.c b/ipa-server/ipa-kpasswd/ipa_kpasswd.c index 5782367..2b82f18 100644 --- a/ipa-server/ipa-kpasswd/ipa_kpasswd.c +++ b/ipa-server/ipa-kpasswd/ipa_kpasswd.c 
@@ -3,7 +3,7 @@ /* Authors: Simo Sorce * - * Copyright (C) 2007 Red Hat + * Copyright (C) 2007, 2008 Red Hat * see file 'COPYING' for use and warranty information * * This program is free software; you can redistribute it and/or @@ -1188,13 +1188,18 @@ int main(int argc, char *argv[]) } /* Write out the pid file after the sigterm handler */ - FILE *f = fopen("/var/run/ipa_kpasswd.pid", "w"); - if (f == NULL) { - syslog(LOG_ERR,"Couldn't create pid file /var/run/ipa_kpasswd.pid: %s", strerror(errno)); + const char *pid_file = "/var/run/ipa_kpasswd.pid"; + FILE *f = fopen(pid_file, "w"); + int fail = 1; + if (f) { + int n_bytes = fprintf(f, "%ld\n", (long) getpid()); + if (fclose(f) == 0 && 0 < n_bytes) + fail = 0; + } + if (fail) { + syslog(LOG_ERR,"Couldn't create pid file %s: %s", + pid_file, strerror(errno)); exit(1); - } else { - fprintf(f, "%ld\n", (long) getpid()); - fclose(f); } tai = ai; -- 1.5.5.1.216.g33c73 From rcritten at redhat.com Thu May 15 13:25:58 2008 
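Review bot: in the `@@ -1188,13 +1188,18 @@ int main` hunk of the revised patch, the errno caveat raised in the thread is still open: if `fprintf` fails, the `fclose` that follows overwrites errno before `strerror(errno)` is evaluated in the syslog call, so the logged reason can be wrong. Because the stream is buffered, the short pid line almost always succeeds in `fprintf` and a genuine I/O error surfaces in `fclose` (whose errno is then the right one), so the fix is cheap: save errno right after a failed `fprintf` and restore it before the syslog. A one-line comment that `fclose` is checked because it performs the flush would also help the next reader understand why `fail` stays set when only `fclose` fails.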
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 15 May 2008 09:25:58 -0400
Subject: [Freeipa-devel] installation issues
In-Reply-To:
References:
Message-ID: <482C39E6.4030205@redhat.com>

Mark Christiansen wrote:
> Hello everyone,
>
> I joined the developer list to attempt to work out basic issues with
> installation both in a Virtual Machine running FC7 (VMware) and on
> RHEL5.1. I am unable to install on either platform. Please help me
> work it out, as I would love to help make freeipa a better tool.
>
> First of all, on the RHEL5.1 machine, issuing a "yum install
> --enablerepo=updates-testing ipa-server" doesn't work. What now? Could
> this be added to the installation or troubleshooting page somehow? (Is
> this something I can help maintain?)

RHEL 5.1 is missing a slew of packages that one would need to get IPA working, and some of the packages it ships aren't current enough, including:

Requires: TurboGears (and about 20 dependencies)
a newer krb5 server
krb5-server-ldap built
python-kerberos
a newer mod_nss
python-tgexpandingformwidget
and maybe python-krbV

freeIPA has focused development on Fedora systems for now because that is what Simo and I develop on (I'm still on F-7).

> Secondly, on the FC7 VM, whenever I issue a ldap* command, I get an
> error from ldap_sasl_interactive_bind_s. I am a noob, but the web page
> suggests I should update fedora-ds. I thought doing the yum install
> command should take care of installing that package. If I do a yum
> list, I can clearly see I have a sufficient level of fedora-ds. If I
> continue to modify the installation for a VM as the instructions state,
> I eventually lose the ability to communicate to freeipa through the html
> page. So really, there are two issues here.

I'm assuming you've already set up your IPA server using ipa-server-install. Do the ipa-* commands work? e.g. ipa-finduser admin?
To do an authenticated ldap* command you'll want to do something like:

ldapsearch -Y GSSAPI -b "dc=freeipa,dc=org" uid=admin

This of course assumes you have a kerberos ticket. Otherwise, to do simple auth instead of SASL, use the -x option instead of -Y:

ldapsearch -x -b "dc=freeipa,dc=org" uid=admin

rob

From ssorce at redhat.com Thu May 15 14:51:00 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 15 May 2008 10:51:00 -0400
Subject: [Freeipa-devel] [PATCH] detect failure to write ipa_kpasswd.pid file
In-Reply-To: <87fxskeb2d.fsf@rho.meyering.net>
References: <87skwkfzhk.fsf@rho.meyering.net> <1210801388.28428.59.camel@localhost.localdomain> <87lk2ced5b.fsf@rho.meyering.net> <1210804416.28428.63.camel@localhost.localdomain> <87fxskeb2d.fsf@rho.meyering.net>
Message-ID: <1210863060.28428.92.camel@localhost.localdomain>

On Thu, 2008-05-15 at 01:10 +0200, Jim Meyering wrote:
> Simo Sorce wrote:
>
> > On Thu, 2008-05-15 at 00:25 +0200, Jim Meyering wrote:
> >> Simo Sorce wrote:
> >> > On Wed, 2008-05-14 at 21:37 +0200, Jim Meyering wrote:
> >> >> Hi,
> >> >>
> >> >> I was looking through freeIPA's C code and found a few ways to improve it.
> >> >>
> >> >> >From fac9600e3eb1204fd7a2d0d2c6f0b7be17a3dc02 Mon Sep 17 00:00:00 2001
> >> >> From: Jim Meyering
> >> >> Date: Sun, 4 May 2008 15:17:36 +0200
> >> >> Subject: [PATCH] detect failure to write ipa_kpasswd.pid file
> >> >>
> >> >> * ipa_kpasswd.c (main): Detect not just open failure,
> >> >> but also any write failure.
> >> >> ---
> >> >> ipa-server/ipa-kpasswd/ipa_kpasswd.c | 20 ++++++++++++++------
> >> >> 1 files changed, 14 insertions(+), 6 deletions(-)
> >> >>
> >> >> diff --git a/ipa-server/ipa-kpasswd/ipa_kpasswd.c b/ipa-server/ipa-kpasswd/ipa_kpasswd.c
> >> >> index 5782367..86aa6c1 100644
> >> >> --- a/ipa-server/ipa-kpasswd/ipa_kpasswd.c > >> >> +++ b/ipa-server/ipa-kpasswd/ipa_kpasswd.c > >> >> @@ -3,7 +3,7 @@ > >> >> > >> >> /* Authors: Simo Sorce > >> >> * > >> >> - * Copyright (C) 2007 Red Hat > >> >> + * Copyright (C) 2007, 2008 Red Hat > >> >> * see file 'COPYING' for use and warranty information > >> >> * > >> >> * This program is free software; you can redistribute it and/or 
> >> >> @@ -1188,13 +1188,21 @@ int main(int argc, char *argv[]) > >> >> } > >> >> > >> >> /* Write out the pid file after the sigterm handler */ > >> >> - FILE *f = fopen("/var/run/ipa_kpasswd.pid", "w"); > >> >> + const char *pid_file = "/var/run/ipa_kpasswd.pid"; > >> >> + FILE *f = fopen(pid_file, "w"); > >> >> + int fail = 0; > >> >> if (f == NULL) { > >> >> - syslog(LOG_ERR,"Couldn't create pid file /var/run/ipa_kpasswd.pid: %s", strerror(errno)); > >> >> - exit(1); > >> >> + fail = 1; > >> >> } else { > >> >> - fprintf(f, "%ld\n", (long) getpid()); > >> >> - fclose(f); > >> >> + if (fprintf(f, "%ld\n", (long) getpid()) <= 0) > >> >> + fail = 1; > >> >> + if (fclose(f) != 0) > >> >> + fail = 1; > >> >> + } > >> >> + if (fail) { > >> >> + syslog(LOG_ERR,"Couldn't create pid file %s: %s", > >> >> + pid_file, strerror(errno)); > >> >> + exit(1); > >> >> } > >> >> > >> >> tai = ai; > >> >> -- > >> >> 1.5.5.1.216.g33c73 > >> > > >> > The code might look better if you do if(f) {} and completely remove the > >> > 'else' statement. > >> > >> Maybe I'm being dense, but I don't see it. > >> Can you be more precise? > > > > The flow is more readable this way: > > > > int fail = 1; > > > > if (f) { > > /* do stuff */ > > if (all_ok) fail = 0; > > } > > > > if (fail) { /* log and exit */ } > > Making it more readable while retaining correctness is tricky. > The catch lies in always closing F, even when fprintf fails. > The following is shorter and no less correct -- maybe even more > readable. At least it doesn't set fail=1 three times: > [note that technically, we should save errno from > a failed fprintf, so it can't be clobbered by fclose, > but in practice it probably doesn't matter, since that > use of fprintf won't ever fail. 
] > > const char *pid_file = "/var/run/ipa_kpasswd.pid"; > int fail = 1; > FILE *f = fopen(pid_file, "w"); > if (f) { > int n_bytes = fprintf(f, "%ld\n", (long) getpid()); > if (fclose(f) == 0 && 0 < n_bytes) > fail = 0; > } > if (fail) { > syslog(LOG_ERR,"Couldn't create pid file %s: %s", > pid_file, strerror(errno)); > exit(1); > } Looks much better :) > > Also I personally prefer not to execute functions on variables > > declaration. > > Like: FILE *f = fopen(pid_file, "w"); > > (yes I know the original code did it as well :) > > > > It is clearer if functions are explicitly run after all variables have > > been declared IMO. > > I have the opposite preference. > I prefer to avoid the added line (more code fits on a screen/page), > and to avoid the duplicate use of the variable name (one fewer detail > that can get out of sync). I hate it when debugging like I hate things like: if ((xyz = abc(def(foo))) == bar) { ... it makes debugging unnecessarily harder. But this is a matter of personal choice I guess. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu May 15 14:51:34 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 15 May 2008 10:51:34 -0400 Subject: [Freeipa-devel] [PATCH] detect failure to write ipa_kpasswd.pid file In-Reply-To: <87bq37dcuj.fsf@rho.meyering.net> References: <87skwkfzhk.fsf@rho.meyering.net> <1210801388.28428.59.camel@localhost.localdomain> <87lk2ced5b.fsf@rho.meyering.net> <1210804416.28428.63.camel@localhost.localdomain> <87fxskeb2d.fsf@rho.meyering.net> <87bq37dcuj.fsf@rho.meyering.net> Message-ID: <1210863094.28428.94.camel@localhost.localdomain> On Thu, 2008-05-15 at 13:29 +0200, Jim Meyering wrote: > In case you like that, here's the patch: > > >From e9c342f7670c8120695e06351d3e895c2c907910 Mon Sep 17 00:00:00 > 2001 
> From: Jim Meyering > Date: Sun, 4 May 2008 15:17:36 +0200 > Subject: [PATCH] detect failure to write ipa_kpasswd.pid file > > * ipa_kpasswd.c (main): Detect not just open failure, > but also any write failure. > --- > ipa-server/ipa-kpasswd/ipa_kpasswd.c | 19 ++++++++++++------- > 1 files changed, 12 insertions(+), 7 deletions(-) > > diff --git a/ipa-server/ipa-kpasswd/ipa_kpasswd.c > b/ipa-server/ipa-kpasswd/ipa_kpasswd.c > index 5782367..2b82f18 100644 > --- a/ipa-server/ipa-kpasswd/ipa_kpasswd.c > +++ b/ipa-server/ipa-kpasswd/ipa_kpasswd.c > @@ -3,7 +3,7 @@ > > /* Authors: Simo Sorce > * > - * Copyright (C) 2007 Red Hat > + * Copyright (C) 2007, 2008 Red Hat > * see file 'COPYING' for use and warranty information > * > * This program is free software; you can redistribute it and/or > @@ -1188,13 +1188,18 @@ int main(int argc, char *argv[]) > } > > /* Write out the pid file after the sigterm handler */ > - FILE *f = fopen("/var/run/ipa_kpasswd.pid", "w"); > - if (f == NULL) { > - syslog(LOG_ERR,"Couldn't create pid > file /var/run/ipa_kpasswd.pid: %s", strerror(errno)); > + const char *pid_file = "/var/run/ipa_kpasswd.pid"; > + FILE *f = fopen(pid_file, "w"); > + int fail = 1; > + if (f) { > + int n_bytes = fprintf(f, "%ld\n", (long) getpid()); > + if (fclose(f) == 0 && 0 < n_bytes) > + fail = 0; > + } > + if (fail) { > + syslog(LOG_ERR,"Couldn't create pid file %s: %s", > + pid_file, strerror(errno)); > exit(1); > - } else { > - fprintf(f, "%ld\n", (long) getpid()); > - fclose(f); > } > > tai = ai; > -- > 1.5.5.1.216.g33c73 ack Simo. -- Simo Sorce * Red Hat, Inc * New York From jim at meyering.net Thu May 15 15:28:30 2008 
From: jim at meyering.net (Jim Meyering)
Date: Thu, 15 May 2008 17:28:30 +0200
Subject: [Freeipa-devel] [PATCH] detect failure to write ipa_kpasswd.pid file
In-Reply-To: <1210863060.28428.92.camel@localhost.localdomain> (Simo Sorce's message of "Thu, 15 May 2008 10:51:00 -0400")
References: <87skwkfzhk.fsf@rho.meyering.net> <1210801388.28428.59.camel@localhost.localdomain> <87lk2ced5b.fsf@rho.meyering.net> <1210804416.28428.63.camel@localhost.localdomain> <87fxskeb2d.fsf@rho.meyering.net> <1210863060.28428.92.camel@localhost.localdomain>
Message-ID: <87d4nnbn8h.fsf@rho.meyering.net>

Simo Sorce wrote:
...
>> I have the opposite preference.
>> I prefer to avoid the added line (more code fits on a screen/page),
>> and to avoid the duplicate use of the variable name (one fewer detail
>> that can get out of sync).
>
> I hate it when debugging like I hate things like:
> if ((xyz = abc(def(foo))) == bar) { ...
> it makes debugging unnecessarily harder.

When xyz is a short name, sometimes I too prefer to avoid the assignment-in-condition. Performing the assignment as a separate statement makes it obvious that there is an actual assignment:

    xyz = abc(def(foo));
    if (xyz == bar) { ...

However, when the assignment LHS is long enough to require significant visual work to confirm that it is the same one being tested on the next line, then I much prefer to avoid the duplication. I.e., I find this hard to read/maintain:

    kset->keys[i].ekey->value.bv_val = malloc(len+2);
    if (!kset->keys[i].ekey->value.bv_val) { ...

and prefer the code where I don't have to visually match long strings (too easy to miss details like s/i/j/ or s/ekey/akey/):

    if ((kset->keys[i].ekey->value.bv_val = malloc(len+2)) != NULL) { ...

I.e., obscuring the assignment hinders readability, but it's worth doing in cases like this.

> But this is a matter of personal choice I guess.

It's a balancing act.

From ssorce at redhat.com Thu May 15 15:56:30 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 15 May 2008 11:56:30 -0400
Subject: [Freeipa-devel] [PATCH] detect failure to write ipa_kpasswd.pid file
In-Reply-To: <87d4nnbn8h.fsf@rho.meyering.net>
References: <87skwkfzhk.fsf@rho.meyering.net> <1210801388.28428.59.camel@localhost.localdomain> <87lk2ced5b.fsf@rho.meyering.net> <1210804416.28428.63.camel@localhost.localdomain> <87fxskeb2d.fsf@rho.meyering.net> <1210863060.28428.92.camel@localhost.localdomain> <87d4nnbn8h.fsf@rho.meyering.net>
Message-ID: <1210866990.28428.99.camel@localhost.localdomain>

On Thu, 2008-05-15 at 17:28 +0200, Jim Meyering wrote:
> Simo Sorce wrote:
> ...
> >> I have the opposite preference.
> >> I prefer to avoid the added line (more code fits on a screen/page),
> >> and to avoid the duplicate use of the variable name (one fewer detail
> >> that can get out of sync).
> >
> > I hate it when debugging like I hate things like:
> > if ((xyz = abc(def(foo))) == bar) { ...
> > it makes debugging unnecessarily harder.
>
> When xyz is a short name, sometimes I too prefer to avoid the
> assignment-in-condition. Performing the assignment as a separate
> statement makes it obvious that there is an actual assignment:
>
> xyz = abc(def(foo));
> if (xyz == bar) { ...
>
> However, when the assignment LHS is long enough to require
> significant visual work to confirm that it is the same one
> being tested on the next line, then I much prefer to avoid
> the duplication. I.e., I find this hard to read/maintain:
>
> kset->keys[i].ekey->value.bv_val = malloc(len+2);
> if (!kset->keys[i].ekey->value.bv_val) { ...
>
> and prefer the code where I don't have to visually match long
> strings (too easy to miss details like s/i/j/ or s/ekey/akey/):
>
> if ((kset->keys[i].ekey->value.bv_val = malloc(len+2)) != NULL) { ...
>
> I.e., obscuring the assignment hinders readability,
> but it's worth doing in cases like this.
>
> > But this is a matter of personal choice I guess.
>
> It's a balancing act.
yes but it depends on what you balance for.
I tend to balance for debuggability in gdb, which asks for code to be split in lines so that you can easily set break points.

Also I tend to use tools like cscope/ctags/etc... and colorized editors so that readability even of long variables is not a big problem usually.

Anyway, whoever writes the code gets to decide, as this specific detail is not covered by our coding style guide.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From jim at meyering.net Thu May 15 16:04:01 2008
From: jim at meyering.net (Jim Meyering) Date: Thu, 15 May 2008 18:04:01 +0200 Subject: [Freeipa-devel] [PATCH] detect failure to write ipa_kpasswd.pid file In-Reply-To: <1210866990.28428.99.camel@localhost.localdomain> (Simo Sorce's message of "Thu, 15 May 2008 11:56:30 -0400") References: <87skwkfzhk.fsf@rho.meyering.net> <1210801388.28428.59.camel@localhost.localdomain> <87lk2ced5b.fsf@rho.meyering.net> <1210804416.28428.63.camel@localhost.localdomain> <87fxskeb2d.fsf@rho.meyering.net> <1210863060.28428.92.camel@localhost.localdomain> <87d4nnbn8h.fsf@rho.meyering.net> <1210866990.28428.99.camel@localhost.localdomain> Message-ID: <87prrna70u.fsf@rho.meyering.net> Simo Sorce wrote: ... > yes but it depends on what you balance for. > I tend to balance for debuggability in gdb, which asks for code to be > split in lines so that you can easily set break points. Please consider giving more weight to readability and maintainability, since the code is invariably read more often than debugged. > Also I tend to use tools like cscope/ctags/etc... and colorized editors > so that readability even of long variables is not a big problem usually. I use those same tools, but afaik, none of them can highlight the duplication or warn me about the lack thereof in the long-named example I gave. > Anyway, whom writes the code get to decide, as this specific detail is > not covered by our coding style guide. no argument here ;-) I'll stop harping, now. From ssorce at redhat.com Thu May 15 16:20:25 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 15 May 2008 12:20:25 -0400 Subject: [Freeipa-devel] [PATCH] Fix use of find(".") Message-ID: <482C62C9.6000702@redhat.com> The misuse of find('.') in DsInstance class was causing self.realm_name[:self.realm_name.find('.')].lower() to return 'fo' as the DC component instead of 'foo' in case the realm was a single component one 'FOO'. The use of split()[0] avoids the issue as split always returns an array with at least one component if the separator is not found. This patch might solve the issue of installing a server where domain and realm are composed of a single domain component. Still investigating if there are other places where we assume multiple-domain components domain/realm names are required. Simo. -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Use-split-instead-of-find-as-split-does-not-fail-to.patch Type: text/x-patch Size: 2265 bytes Desc: not available URL: From ssorce at redhat.com Thu May 15 17:13:44 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 15 May 2008 13:13:44 -0400 Subject: [Freeipa-devel] [PATCHES] First step to make DNA more useful and configurable In-Reply-To: <482B256C.9050105@redhat.com> References: <20080510180502.GA26322@hopeson.columbia.edu> <4829C973.50406@redhat.com> <482B256C.9050105@redhat.com> Message-ID: <1210871624.28428.100.camel@localhost.localdomain> On Wed, 2008-05-14 at 11:46 -0600, Rich Megginson wrote: > > > > New patch set to replace the previos, fixes an issue spotted by > Rich. > ack ok pushed to both master and ipa-1-0 -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu May 15 17:16:51 2008 
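The single-component realm bug Simo describes in the find(".") message above, worked through as an added example. This is not FreeIPA's DsInstance code: the two dc_component functions reproduce the old and the fixed expression, and realm_to_suffix (building a dc=... base DN from a realm) is this example's own helper and output format, not something the patch contains. The point is that str.find returns -1 when the separator is absent, so the slice [:-1] silently drops the last character, whereas str.split always yields at least one element.

```python
# Added example; not FreeIPA's DsInstance code.

def dc_component_buggy(realm_name):
    """The original expression: str.find returns -1 when there is no '.',
    so realm_name[:-1] silently drops the last character ('FOO' -> 'fo')."""
    return realm_name[:realm_name.find('.')].lower()


def dc_component_fixed(realm_name):
    """str.split always returns at least one element, so [0] is the first
    label whether or not the realm contains a '.' at all."""
    return realm_name.split('.')[0].lower()


def realm_to_suffix(realm_name):
    """Build an LDAP base DN (dc=example,dc=com) from a Kerberos realm.
    Helper and output format are this example's own assumptions.
    Works for single-label realms too, which the find() version did not;
    a trailing dot is tolerated because it yields an empty label."""
    labels = [label for label in realm_name.lower().split('.') if label]
    if not labels:
        raise ValueError('realm name must contain at least one label: %r' % realm_name)
    return ','.join('dc=' + label for label in labels)


def regression_check():
    """Cases the patch must keep passing: single- and multi-component realms.
    Returns (realm, old result, new result, suffix) per case."""
    return [
        (realm, dc_component_buggy(realm), dc_component_fixed(realm), realm_to_suffix(realm))
        for realm in ('FOO', 'EXAMPLE.COM', 'CORP.EXAMPLE.NET')
    ]
```

Running regression_check() shows the divergence only for 'FOO'; for any realm with at least one dot both expressions agree, which is why the bug survived testing on multi-component domains.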
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 15 May 2008 13:16:51 -0400 Subject: [Freeipa-devel] [PATCH] ipa_pwd_extop.c (encrypt_encode_key): Handle malloc failure. In-Reply-To: <1210800171.28428.50.camel@localhost.localdomain> References: <87fxskfyyd.fsf@rho.meyering.net> <1210800171.28428.50.camel@localhost.localdomain> Message-ID: <1210871811.28428.102.camel@localhost.localdomain> On Wed, 2008-05-14 at 17:22 -0400, Simo Sorce wrote: > On Wed, 2008-05-14 at 21:49 +0200, Jim Meyering wrote: > > >From 5c162081daa0c66783f858a458cc2d08d6e208e0 Mon Sep 17 00:00:00 2001 > > From: Jim Meyering > > Date: Wed, 14 May 2008 11:03:52 +0200 > > Subject: [PATCH] * ipa_pwd_extop.c (encrypt_encode_key): Handle malloc failure. > > > > --- > > .../ipa-pwd-extop/ipa_pwd_extop.c | 5 +++++ > > 1 files changed, 5 insertions(+), 0 deletions(-) > > > > diff --git a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c > > index 2bfa517..f07bbbf 100644 > > --- a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c > > +++ b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c > > @@ -570,6 +570,11 @@ static Slapi_Value **encrypt_encode_key(krb5_context krbctx, struct ipapwd_data > > if (krbTicketFlags & KTF_REQUIRES_PRE_AUTH) { > > salt.length = KRB5P_SALT_SIZE; > > salt.data = malloc(KRB5P_SALT_SIZE); > > + if (!salt.data) { > > + slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", > > + "memory allocation failed\n"); > > + goto enc_error; > > + } > > krberr = krb5_c_random_make_octets(krbctx, &salt); > > if (krberr) { > > slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", > > -- > > ACK Pushed to both master and ipa-1-0 branches -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu May 15 17:18:28 2008 
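Review bot: the new `if (!salt.data)` block leaves salt.length set to KRB5P_SALT_SIZE while salt.data is NULL, so any cleanup at enc_error (or a caller) that takes a non-zero length to mean a buffer is present would read through a NULL pointer; assign salt.length only after the malloc succeeds, or set it to 0 before the goto. The log text "memory allocation failed" also does not say which allocation failed; including the function name and KRB5P_SALT_SIZE in the message makes the FATAL log line actionable.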
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 15 May 2008 13:18:28 -0400 Subject: [Freeipa-devel] [PATCH] remove useless if-before-free tests In-Reply-To: <1210801320.28428.56.camel@localhost.localdomain> References: <87lk2cfyzx.fsf@rho.meyering.net> <1210801320.28428.56.camel@localhost.localdomain> Message-ID: <1210871908.28428.105.camel@localhost.localdomain> On Wed, 2008-05-14 at 17:42 -0400, Simo Sorce wrote: > On Wed, 2008-05-14 at 21:48 +0200, Jim Meyering wrote: > > I've been on a crusade (;-) to remove useless if-before-free tests, > > so ran a script that spotted some here. I think I removed the first > > batch (without braces) automatically, then manually removed the ones > > with curly braces around the free statements. > > > > You may well have doubts about the portability of removing those > > tests, but as long as you don't care about SunOS4 or earlier, you'll > > be fine. I've done similar things for e.g., coreutils, glibc, and > > git, > > and have had no problems. > > Ack Pushed only to master, it conflicts on ipa-1-0 (we do not have the mozldap patch there). In ipa-1-0 we do not need cosmetic fixes anyway, so although fixing the patch to apply was easy I decided not to apply it to 1.0. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu May 15 17:18:56 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 15 May 2008 13:18:56 -0400 Subject: [Freeipa-devel] [PATCH] detect failure to write ipa_kpasswd.pid file In-Reply-To: <1210863094.28428.94.camel@localhost.localdomain> References: <87skwkfzhk.fsf@rho.meyering.net> <1210801388.28428.59.camel@localhost.localdomain> <87lk2ced5b.fsf@rho.meyering.net> <1210804416.28428.63.camel@localhost.localdomain> <87fxskeb2d.fsf@rho.meyering.net> <87bq37dcuj.fsf@rho.meyering.net> <1210863094.28428.94.camel@localhost.localdomain> Message-ID: <1210871936.28428.107.camel@localhost.localdomain> On Thu, 2008-05-15 at 10:51 -0400, Simo Sorce wrote: > On Thu, 2008-05-15 at 13:29 +0200, Jim Meyering wrote: > > In case you like that, here's the patch: > > > > >From e9c342f7670c8120695e06351d3e895c2c907910 Mon Sep 17 00:00:00 > > 2001 > > From: Jim Meyering > > Date: Sun, 4 May 2008 15:17:36 +0200 > > Subject: [PATCH] detect failure to write ipa_kpasswd.pid file > > > > * ipa_kpasswd.c (main): Detect not just open failure, > > but also any write failure. > > --- > > ipa-server/ipa-kpasswd/ipa_kpasswd.c | 19 ++++++++++++------- > > 1 files changed, 12 insertions(+), 7 deletions(-) > > > > diff --git a/ipa-server/ipa-kpasswd/ipa_kpasswd.c > > b/ipa-server/ipa-kpasswd/ipa_kpasswd.c > > index 5782367..2b82f18 100644 > > --- a/ipa-server/ipa-kpasswd/ipa_kpasswd.c > > +++ b/ipa-server/ipa-kpasswd/ipa_kpasswd.c > > @@ -3,7 +3,7 @@ > > > > /* Authors: Simo Sorce > > * > > - * Copyright (C) 2007 Red Hat > > + * Copyright (C) 2007, 2008 Red Hat > > * see file 'COPYING' for use and warranty information > > * > > * This program is free software; you can redistribute it and/or 
> > @@ -1188,13 +1188,18 @@ int main(int argc, char *argv[]) > > } > > > > /* Write out the pid file after the sigterm handler */ > > - FILE *f = fopen("/var/run/ipa_kpasswd.pid", "w"); > > - if (f == NULL) { > > - syslog(LOG_ERR,"Couldn't create pid > > file /var/run/ipa_kpasswd.pid: %s", strerror(errno)); > > + const char *pid_file = "/var/run/ipa_kpasswd.pid"; > > + FILE *f = fopen(pid_file, "w"); > > + int fail = 1; > > + if (f) { > > + int n_bytes = fprintf(f, "%ld\n", (long) getpid()); > > + if (fclose(f) == 0 && 0 < n_bytes) > > + fail = 0; > > + } > > + if (fail) { > > + syslog(LOG_ERR,"Couldn't create pid file %s: %s", > > + pid_file, strerror(errno)); > > exit(1); > > - } else { > > - fprintf(f, "%ld\n", (long) getpid()); > > - fclose(f); > > } > > > > tai = ai; > > -- > > 1.5.5.1.216.g33c73 > > > ack pushed to master and ipa-1-0 -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Thu May 15 17:45:50 2008 
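Review bot: in the second hunk the failure branch reports "Couldn't create pid file" for three different failures (fopen, fprintf, fclose) and reads errno only after fclose has run, so when fprintf is the call that failed, a successful fclose may have replaced the errno that explains it; capture errno right after each call that can fail and word the message as "Couldn't write pid file %s: %s". Note also that fopen with mode "w" follows symlinks and truncates whatever is at pid_file, which is acceptable only because /var/run is root-owned; the const pid_file variable is a good change since the path now appears in exactly one place.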
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 15 May 2008 13:45:50 -0400 Subject: [Freeipa-devel] [PATCH] Fix use of find(".") In-Reply-To: <482C62C9.6000702@redhat.com> References: <482C62C9.6000702@redhat.com> Message-ID: <482C76CE.8090909@redhat.com> Simo Sorce wrote: > The misuse of find('.') in DsInstance class was causing > self.realm_name[:self.realm_name.find('.')].lower() to return 'fo' as > the DC component instead of 'foo' in case the realm was a single > component one 'FOO'. > The use of split()[0] avoid the issue as split always return an array > with at least one component if the separator is not found. > > This patch might solve the issue of installing a server where domain and > realm are composed of a single domain component. Still investigating if > there are other places where we assume multiple-domain components > domain/realm names are required. > > Simo. > ack -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Thu May 15 18:29:56 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 15 May 2008 14:29:56 -0400 Subject: [Freeipa-devel] [PATCH] Fix error checking in ipa_kpasswd.c Message-ID: <482C8124.4010606@redhat.com> As per $SUBJ -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-testing-for-asprintf-errors-we-need-to-test-the.patch Type: text/x-patch Size: 10646 bytes Desc: not available URL: From ssorce at redhat.com Thu May 15 18:33:47 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 15 May 2008 14:33:47 -0400 Subject: [Freeipa-devel] [PATCH] Fix use of find(".") In-Reply-To: <482C76CE.8090909@redhat.com> References: <482C62C9.6000702@redhat.com> <482C76CE.8090909@redhat.com> Message-ID: <1210876427.28428.109.camel@localhost.localdomain> On Thu, 2008-05-15 at 13:45 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > The misuse of find('.') in DsInstance class was causing > > self.realm_name[:self.realm_name.find('.')].lower() to return 'fo' as > > the DC component instead of 'foo' in case the realm was a single > > component one 'FOO'. > > The use of split()[0] avoid the issue as split always return an array > > with at least one component if the separator is not found. > > > > This patch might solve the issue of installing a server where domain and > > realm are composed of a single domain component. Still investigating if > > there are other places where we assume multiple-domain components > > domain/realm names are required. > > > > Simo. > > > > ack pushed -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri May 16 13:28:28 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 16 May 2008 09:28:28 -0400 Subject: [Freeipa-devel] [PATCH] Fix error checking in ipa_kpasswd.c In-Reply-To: <482C8124.4010606@redhat.com> References: <482C8124.4010606@redhat.com> Message-ID: <482D8BFC.9030705@redhat.com> Simo Sorce wrote: > As per $SUBJ > partial ack. My only nit is an extra comma in two response messages: exterr0 = "Password change, Succeeded."; exterr0 = "Password change, Failed."; I think "Password change [succeeded/failed]" is fine here. Fix those and you'll have a full ack :-) rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Fri May 16 13:55:59 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 16 May 2008 09:55:59 -0400 Subject: [Freeipa-devel] [PATCH] Fix error checking in ipa_kpasswd.c In-Reply-To: <482D8BFC.9030705@redhat.com> References: <482C8124.4010606@redhat.com> <482D8BFC.9030705@redhat.com> Message-ID: <1210946159.18330.26.camel@localhost.localdomain> On Fri, 2008-05-16 at 09:28 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > As per $SUBJ > > > > partial ack. > > My only nit is an extra comma in two response messages: > > exterr0 = "Password change, Succeeded."; > exterr0 = "Password change, Failed."; > > I think "Password change [succeeded/failed]" is fine here. > > Fix those and you'll have a full ack :-) Hey, I just copied the previous messages, this ain't new stuff :-) Ok, I will fix before pushing :) Simo. -- Simo Sorce * Red Hat, Inc * New York From mnagy at redhat.com Fri May 16 17:01:45 2008 
From: mnagy at redhat.com (Martin Nagy) Date: Fri, 16 May 2008 19:01:45 +0200 Subject: [Freeipa-devel] [PATCH] Only ask the user to install bind, not caching-nameserver Message-ID: <482DBDF9.6000703@redhat.com> When installing the ipa server using 'ipa-install-server --setup-bind', the following message will show up if the /etc/named.rfc1912.zones doesn't exist on the system: --setup-bind was specified but bind is not installed on the system Please install bind (you may also need the package 'caching-nameserver') and restart the setup program The caching-nameserver is mentioned because on some systems (fedora 7, rhel 5) this package contains the file, but on newer systems, it is contained in the bind package. This message therefore might be misleading on the newer systems, since the caching-nameserver package doesn't exist there. As a solution, I suggest we remove the mention of caching-nameserver (the attached patch) and then add patches which add it in the mentioned system's rpms. -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Only-ask-the-user-to-install-bind.patch Type: text/x-patch Size: 1037 bytes Desc: not available URL: From rcritten at redhat.com Fri May 16 19:52:32 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 16 May 2008 15:52:32 -0400 Subject: [Freeipa-devel] [PATCH] check for duplicate phone numbers Message-ID: <482DE600.3080201@redhat.com> Do uniqueness check on phone numbers entered via the UI. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-22-unique.patch Type: text/x-patch Size: 5616 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From mdehaan at redhat.com Fri May 16 20:10:05 2008 
From: mdehaan at redhat.com (Michael DeHaan) Date: Fri, 16 May 2008 16:10:05 -0400 Subject: [Freeipa-devel] [PATCH] check for duplicate phone numbers In-Reply-To: <482DE600.3080201@redhat.com> References: <482DE600.3080201@redhat.com> Message-ID: <482DEA1D.8090203@redhat.com> Rob Crittenden wrote: > Do uniqueness check on phone numbers entered via the UI. > rob > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Completely lurking here, but might people share a phone in some cases? Pagers can also be shared too. --Michael From dpal at redhat.com Fri May 16 20:12:50 2008 
From: dpal at redhat.com (Dmitri Pal) Date: Fri, 16 May 2008 16:12:50 -0400 Subject: [Freeipa-devel] [PATCH] check for duplicate phone numbers In-Reply-To: <482DEA1D.8090203@redhat.com> References: <482DE600.3080201@redhat.com> <482DEA1D.8090203@redhat.com> Message-ID: <482DEAC2.4020509@redhat.com> Michael DeHaan wrote: > Rob Crittenden wrote: >> Do uniqueness check on phone numbers entered via the UI. >> rob >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > Completely lurking here, but might people might share a phone in some > cases? > Pagers can also be shared too. > > --Michael > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel This is about having one and the same number listed multiple times in the same multi-valued attribute. It does not make sense to have two cell phone records with the same number. This is what the bug is about. Rob, did you interpret it this way? -- Dmitri Pal Engineering Manager Red Hat Inc. From rcritten at redhat.com Fri May 16 20:39:11 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 16 May 2008 16:39:11 -0400 Subject: [Freeipa-devel] [PATCH] check for duplicate phone numbers In-Reply-To: <482DEAC2.4020509@redhat.com> References: <482DE600.3080201@redhat.com> <482DEA1D.8090203@redhat.com> <482DEAC2.4020509@redhat.com> Message-ID: <482DF0EF.90305@redhat.com> Dmitri Pal wrote: > Michael DeHaan wrote: >> Rob Crittenden wrote: >>> Do uniqueness check on phone numbers entered via the UI. >>> rob >>> ------------------------------------------------------------------------ >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> >> Completely lurking here, but might people might share a phone in some >> cases? >> Pagers can also be shared too. >> >> --Michael > This is about having one and the same number listed multiple times in > the same multi value attribute. > It does not make sense have to have to cell phone records with same number. > This is what the bug is about. Rob did you interpret it this way? No. It also allowed the same phone number to be entered multiple times in the same field which would cause LDAP to throw an error (some obscure thing about types). I don't think it is a bad thing to have the same phone number listed in multiple fields, it may very well be the case that their pager is a cell phone. Simo pointed out that we shouldn't limit this test to phone numbers either. The full name field is also multi valued. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From dpal at redhat.com Fri May 16 20:48:01 2008 
From: dpal at redhat.com (Dmitri Pal) Date: Fri, 16 May 2008 16:48:01 -0400 Subject: [Freeipa-devel] [PATCH] check for duplicate phone numbers In-Reply-To: <482DF0EF.90305@redhat.com> References: <482DE600.3080201@redhat.com> <482DEA1D.8090203@redhat.com> <482DEAC2.4020509@redhat.com> <482DF0EF.90305@redhat.com> Message-ID: <482DF301.9090803@redhat.com> Rob Crittenden wrote: > Dmitri Pal wrote: >> Michael DeHaan wrote: >>> Rob Crittenden wrote: >>>> Do uniqueness check on phone numbers entered via the UI. >>>> rob >>>> ------------------------------------------------------------------------ >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> >>> Completely lurking here, but might people might share a phone in >>> some cases? >>> Pagers can also be shared too. >>> >>> --Michael >> This is about having one and the same number listed multiple times in >> the same multi value attribute. >> It does not make sense have to have to cell phone records with same >> number. >> This is what the bug is about. Rob did you interpret it this way? > > No. It also allowed the same phone number to be entered multiple times > in the same field which would cause LDAP to throw an error (some > obscure thing about types). > > I don't think it is a bad thing to have the same phone number listed > in multiple fields, it may very well be the case that their pager is a > cell phone. > > Simo pointed out that we shouldn't limit this test to phone numbers > either. The full name field is also multi valued. > > rob I think the two issues got mixed. 1) It is bad to allow the same value more than once in one multi-valued attribute, for example two values for the phone attribute with the same phone number. 2) It is OK to have one and the same value across different attributes. Cell can be = pager and phone can be = fax -- Dmitri Pal Engineering Manager Red Hat Inc. 
From nkinder at redhat.com Fri May 16 20:52:33 2008 
From: nkinder at redhat.com (Nathan Kinder) Date: Fri, 16 May 2008 13:52:33 -0700 Subject: [Freeipa-devel] [PATCH] check for duplicate phone numbers In-Reply-To: <482DF301.9090803@redhat.com> References: <482DE600.3080201@redhat.com> <482DEA1D.8090203@redhat.com> <482DEAC2.4020509@redhat.com> <482DF0EF.90305@redhat.com> <482DF301.9090803@redhat.com> Message-ID: <482DF411.3060803@redhat.com> Dmitri Pal wrote: > Rob Crittenden wrote: >> Dmitri Pal wrote: >>> Michael DeHaan wrote: >>>> Rob Crittenden wrote: >>>>> Do uniqueness check on phone numbers entered via the UI. >>>>> rob >>>>> ------------------------------------------------------------------------ >>>>> >>>>> >>>>> _______________________________________________ >>>>> Freeipa-devel mailing list >>>>> Freeipa-devel at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>> >>>> Completely lurking here, but might people might share a phone in >>>> some cases? >>>> Pagers can also be shared too. >>>> >>>> --Michael >>> This is about having one and the same number listed multiple times >>> in the same multi value attribute. >>> It does not make sense have to have to cell phone records with same >>> number. >>> This is what the bug is about. Rob did you interpret it this way? >> >> No. It also allowed the same phone number to be entered multiple >> times in the same field which would cause LDAP to throw an error >> (some obscure thing about types). >> >> I don't think it is a bad thing to have the same phone number listed >> in multiple fields, it may very well be the case that their pager is >> a cell phone. >> >> Simo pointed out that we shouldn't limit this test to phone numbers >> either. The full name field is also multi valued. >> >> rob > > > I think the two issues got mixed. > 1) It is bad to allow same values in the one multivalue attribute. For > example allow two values for phone attribute with the same phone number. 
I'll add that LDAP doesn't allow it (which is the error Rob pointed out). We just want to catch it in the UI ahead of time to prevent an ugly LDAP error. > 2) It is Ok to have one and the same value across different > attributes. Cell can be = pager and phone can be = fax > > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3254 bytes Desc: S/MIME Cryptographic Signature URL: From dpal at redhat.com Fri May 16 20:55:37 2008 
From: dpal at redhat.com (Dmitri Pal) Date: Fri, 16 May 2008 16:55:37 -0400 Subject: [Freeipa-devel] [PATCH] check for duplicate phone numbers In-Reply-To: <482DF411.3060803@redhat.com> References: <482DE600.3080201@redhat.com> <482DEA1D.8090203@redhat.com> <482DEAC2.4020509@redhat.com> <482DF0EF.90305@redhat.com> <482DF301.9090803@redhat.com> <482DF411.3060803@redhat.com> Message-ID: <482DF4C9.4030704@redhat.com> Nathan Kinder wrote: > Dmitri Pal wrote: >> Rob Crittenden wrote: >>> Dmitri Pal wrote: >>>> Michael DeHaan wrote: >>>>> Rob Crittenden wrote: >>>>>> Do uniqueness check on phone numbers entered via the UI. >>>>>> rob >>>>>> ------------------------------------------------------------------------ >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> Freeipa-devel mailing list >>>>>> Freeipa-devel at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>> >>>>> Completely lurking here, but might people might share a phone in >>>>> some cases? >>>>> Pagers can also be shared too. >>>>> >>>>> --Michael >>>> This is about having one and the same number listed multiple times >>>> in the same multi value attribute. >>>> It does not make sense have to have to cell phone records with same >>>> number. >>>> This is what the bug is about. Rob did you interpret it this way? >>> >>> No. It also allowed the same phone number to be entered multiple >>> times in the same field which would cause LDAP to throw an error >>> (some obscure thing about types). >>> >>> I don't think it is a bad thing to have the same phone number listed >>> in multiple fields, it may very well be the case that their pager is >>> a cell phone. >>> >>> Simo pointed out that we shouldn't limit this test to phone numbers >>> either. The full name field is also multi valued. >>> >>> rob >> >> >> I think the two issues got mixed. >> 1) It is bad to allow same values in the one multivalue attribute. 
>> For example allow two values for phone attribute with the same phone >> number. > I'll add that LDAP doesn't allow it (which is the error Rob pointed > out). We just want to catch it in the UI ahead of time to prevent an > ugly LDAP error. >> 2) It is Ok to have one and the same value across different >> attributes. Cell can be = pager and phone can be = fax >> >> >> > Ok, I agree. -- Dmitri Pal Engineering Manager Red Hat Inc. From mdehaan at redhat.com Fri May 16 21:19:05 2008 
From: mdehaan at redhat.com (Michael DeHaan) Date: Fri, 16 May 2008 17:19:05 -0400 Subject: [Freeipa-devel] [PATCH] check for duplicate phone numbers In-Reply-To: <482DF0EF.90305@redhat.com> References: <482DE600.3080201@redhat.com> <482DEA1D.8090203@redhat.com> <482DEAC2.4020509@redhat.com> <482DF0EF.90305@redhat.com> Message-ID: <482DFA49.3000308@redhat.com> Rob Crittenden wrote: > Dmitri Pal wrote: >> Michael DeHaan wrote: >>> Rob Crittenden wrote: >>>> Do uniqueness check on phone numbers entered via the UI. >>>> rob >>>> ------------------------------------------------------------------------ >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> >>> Completely lurking here, but might people might share a phone in >>> some cases? >>> Pagers can also be shared too. >>> >>> --Michael >> This is about having one and the same number listed multiple times in >> the same multi value attribute. >> It does not make sense have to have to cell phone records with same >> number. >> This is what the bug is about. Rob did you interpret it this way? > > No. It also allowed the same phone number to be entered multiple times > in the same field which would cause LDAP to throw an error (some > obscure thing about types). > > I don't think it is a bad thing to have the same phone number listed > in multiple fields, it may very well be the case that their pager is a > cell phone. > > Simo pointed out that we shouldn't limit this test to phone numbers > either. The full name field is also multi valued. > > rob Ah, sorry, back to regularly scheduled programming :) --Michael From jaakanshorter at gmail.com Fri May 16 23:34:33 2008 
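The check this thread converges on, as an added example rather than the patch Rob attached (freeipa-22-unique.patch is not shown here, so this is not its code): a value repeated inside one multi-valued attribute is rejected before the modify goes to the directory, while the same value across different attributes (pager equal to mobile) is allowed, and the check is not limited to phone attributes. One detail the thread does not spell out: the server decides "duplicate" with the attribute's equality matching rule, so a UI check that compares raw strings still lets "555-1234" and "555 1234" through and the user still gets the server's attributeOrValueExists (result code 20) error. The example therefore normalizes the way RFC 4517 telephoneNumberMatch (spaces and hyphens ignored) and caseIgnoreMatch (case and repeated whitespace ignored) do; which attributes fall under which rule is this example's assumption and should be taken from the server's schema in real code.

```python
import re

# Attribute names assumed to use telephoneNumberMatch (RFC 4517: compare after
# removing spaces and hyphens, case-insensitively). Everything else is treated
# as caseIgnoreMatch. Both sets are this example's assumption, not FreeIPA schema.
PHONE_ATTRS = frozenset(['telephonenumber', 'mobile', 'pager', 'homephone'])


def normalize(attr, value):
    """Approximate the equality matching rule the server will apply."""
    if attr.lower() in PHONE_ATTRS:
        return re.sub(r'[ -]', '', value).lower()
    return ' '.join(value.split()).lower()


def find_duplicate_values(attrs):
    """attrs: {attribute: [values]} as the UI is about to send them.
    Returns {attribute: [values that repeat an earlier value of the SAME
    attribute]}. Repeats across different attributes are not reported,
    since 'cell == pager' is legitimate."""
    duplicates = {}
    for attr, values in attrs.items():
        seen = set()
        for value in values:
            key = normalize(attr, value)
            if key in seen:
                duplicates.setdefault(attr, []).append(value)
            else:
                seen.add(key)
    return duplicates


def validate_for_modify(attrs):
    """Raise before the LDAP modify so the user sees a readable message
    instead of the server's attributeOrValueExists error."""
    duplicates = find_duplicate_values(attrs)
    if duplicates:
        detail = '; '.join('%s: %s' % (attr, ', '.join(vals))
                           for attr, vals in sorted(duplicates.items()))
        raise ValueError('duplicate value in multi-valued attribute: ' + detail)
    return attrs


def is_rejected(attrs):
    """Convenience wrapper: True if validate_for_modify would refuse attrs."""
    try:
        validate_for_modify(attrs)
    except ValueError:
        return True
    return False
```

Because the check runs per attribute, adding the cn (full name) case Simo mentioned costs nothing: any multi-valued attribute passed in the dict is covered.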
From: jaakanshorter at gmail.com (Jaakan Shorter) Date: Fri, 16 May 2008 19:34:33 -0400 Subject: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get passed ipa-finduser admin Message-ID: <3a082f0c0805161634g77681d93n8a1b12f8a7003286@mail.gmail.com> I did a clean install of Fedora 9 within a XEN guest x86_64 static IP yum install ipa-server ipa-server-install --setup-bind -N I got the bind server working correctly with the following http://www.redhat.com/magazine/025nov06/features/dns/ I got stopped at the test doing a find admin user #ipa-finduser admin Could not initialize GSSAPI: Unspecified GSS failure. Minor code may provide more information/Server not found in Kerberos database # ldapsearch -Y GSSAPI -b "dc=(mydomain),dc=net" uid=admin SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) The Troubleshooting Guide doesn't really help with this issue at all, nor does "ensure that DNS is configured correctly" in the install Guide. Shouldn't the "--setup-bind" switch take care of configuring the DNS correctly? I have tried stuff on this page and no luck http://tldp.org/HOWTO/Kerberos-Infrastructure-HOWTO/install.html Jaakan From rcritten at redhat.com Sat May 17 01:03:38 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 16 May 2008 21:03:38 -0400 Subject: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get passed ipa-finduser admin In-Reply-To: <3a082f0c0805161634g77681d93n8a1b12f8a7003286@mail.gmail.com> References: <3a082f0c0805161634g77681d93n8a1b12f8a7003286@mail.gmail.com> Message-ID: <482E2EEA.9060907@redhat.com> Jaakan Shorter wrote: > I did > > Clean install of Fedora 9 with in a XEN guest x64_86 > static IP > > yum install ipa-server > ipa-server-install --setup-bind -N > > I got the bind server working correctly with the following > http://www.redhat.com/magazine/025nov06/features/dns/ > > > I got stopped at the test doing a find admin user > > #ipa-finduser admin > Could not initialize GSSAPI: Unspecified GSS failure. Minor code may > provide more information/Server not found in Kerberos database That definitely sounds like a DNS error. The host that it is trying to connect to can't be found in the KDC. > > # ldapsearch -Y GSSAPI -b "dc=(mydomain),dc=net" uid=admin > SASL/GSSAPI authentication started > ldap_sasl_interactive_bind_s: Local error (-2) You might want to explicitly list the > > Troubleshooting Guide Doesn't really help with this issue at all or > does "ensure that DNS is configured correctly" in the install Guide. > > Shouldn't the "--setup-bind" switch take care of configuring the DNS correctly? > > I have tryed stuff on this page any no luck > http://tldp.org/HOWTO/Kerberos-Infrastructure-HOWTO/install.html > > > > Jaakan > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: not available URL: From rcritten at redhat.com Sat May 17 01:12:08 2008 
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 16 May 2008 21:12:08 -0400
Subject: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get passed ipa-finduser admin
In-Reply-To: <482E2EEA.9060907@redhat.com>
References: <3a082f0c0805161634g77681d93n8a1b12f8a7003286@mail.gmail.com> <482E2EEA.9060907@redhat.com>
Message-ID: <482E30E8.3080706@redhat.com>

Sigh, sent this before I meant to...

Rob Crittenden wrote:
> Jaakan Shorter wrote:
>> I did
>>
>> Clean install of Fedora 9 within a XEN guest x86_64
>> static IP
>>
>> yum install ipa-server
>> ipa-server-install --setup-bind -N
>>
>> I got the bind server working correctly with the following
>> http://www.redhat.com/magazine/025nov06/features/dns/
>>
>> I got stopped at the test doing a find admin user
>>
>> #ipa-finduser admin
>> Could not initialize GSSAPI: Unspecified GSS failure. Minor code may
>> provide more information/Server not found in Kerberos database
>
> That definitely sounds like a DNS error. The host that it is trying to
> connect to can't be found in the KDC.

The trouble is identifying which server it is trying to contact. I'd start by looking at what the value of 'server' is in /etc/ipa/ipa.conf and make sure that resolves properly. Check /etc/hosts too because Fedora is notorious for putting hostnames in the localhost entry. We try to catch this as best we can.

>> # ldapsearch -Y GSSAPI -b "dc=(mydomain),dc=net" uid=admin
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Local error (-2)
>
> You might want to explicitly list the

I was going to say explicitly list the host you want to connect to but I'm not so sure. There wasn't anything else, just Local error (-2)?

You might check /var/log/krb5kdc to see if anything got logged there or /var/log/dirsrv/slapd-INSTANCE/errors for the FDS error log (probably nothing because an auth failure isn't really an error).

I assume you did a kinit?

>> Troubleshooting Guide doesn't really help with this issue at all, nor
>> does "ensure that DNS is configured correctly" in the install Guide.

There are so many ways DNS can be broken it isn't possible to iterate every one.

>> Shouldn't the "--setup-bind" switch take care of configuring the DNS
>> correctly?

DNS was done as a best-effort on our part. It isn't fully baked (or supported).

rob

From: jaakanshorter at gmail.com (Jaakan Shorter)
Date: Fri, 16 May 2008 22:39:23 -0400
Subject: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get passed ipa-finduser admin
In-Reply-To: <482E30E8.3080706@redhat.com>
References: <3a082f0c0805161634g77681d93n8a1b12f8a7003286@mail.gmail.com> <482E2EEA.9060907@redhat.com> <482E30E8.3080706@redhat.com>
Message-ID: <1210991963.17550.15.camel@jms1000>

Thanks Rob for the fast reply. I'll have to look into all that Monday. I'm going to read up on bind, ldap, and Kerberos over the weekend. You gave me some ideas of where to look. I can see a lot of work has gone into this.

BTW: this is a very cool project.

On Fri, 2008-05-16 at 21:12 -0400, Rob Crittenden wrote:
> Sigh, sent this before I meant to...
>
> Rob Crittenden wrote:
> > Jaakan Shorter wrote:
> >> I did
> >>
> >> Clean install of Fedora 9 within a XEN guest x86_64
> >> static IP
> >>
> >> yum install ipa-server
> >> ipa-server-install --setup-bind -N
> >>
> >> I got the bind server working correctly with the following
> >> http://www.redhat.com/magazine/025nov06/features/dns/
> >>
> >> I got stopped at the test doing a find admin user
> >>
> >> #ipa-finduser admin
> >> Could not initialize GSSAPI: Unspecified GSS failure. Minor code may
> >> provide more information/Server not found in Kerberos database
> >
> > That definitely sounds like a DNS error. The host that it is trying to
> > connect to can't be found in the KDC.
>
> The trouble is identifying which server it is trying to contact. I'd
> start by looking at what the value of 'server' is in /etc/ipa/ipa.conf
> and make sure that resolves properly. Check /etc/hosts too because
> Fedora is notorious for putting hostnames in the localhost entry. We try
> to catch this as best we can.
>
> >> # ldapsearch -Y GSSAPI -b "dc=(mydomain),dc=net" uid=admin
> >> SASL/GSSAPI authentication started
> >> ldap_sasl_interactive_bind_s: Local error (-2)
> >
> > You might want to explicitly list the
>
> I was going to say explicitly list the host you want to connect to but
> I'm not so sure. There wasn't anything else, just Local error (-2)?
>
> You might check /var/log/krb5kdc to see if anything got logged there or
> /var/log/dirsrv/slapd-INSTANCE/errors for the FDS error log (probably
> nothing because an auth failure isn't really an error).
>
> I assume you did a kinit?
>
> >> Troubleshooting Guide doesn't really help with this issue at all, nor
> >> does "ensure that DNS is configured correctly" in the install Guide.
>
> There are so many ways DNS can be broken it isn't possible to iterate
> every one.
>
> >> Shouldn't the "--setup-bind" switch take care of configuring the DNS
> >> correctly?
>
> DNS was done as a best-effort on our part. It isn't fully baked (or
> supported).
>
> rob

From: joe at 2resonate.net (Joe Royall)
Date: Sat, 17 May 2008 16:21:21 -0700
Subject: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get passed ipa-finduser admin
In-Reply-To: <3a082f0c0805161634g77681d93n8a1b12f8a7003286@mail.gmail.com>
References: <3a082f0c0805161634g77681d93n8a1b12f8a7003286@mail.gmail.com>
Message-ID:

On Fri, May 16, 2008 at 4:34 PM, Jaakan Shorter wrote:
> I did
>
> Clean install of Fedora 9 within a XEN guest x86_64
> static IP
>
> yum install ipa-server
> ipa-server-install --setup-bind -N
>
> I got the bind server working correctly with the following
> http://www.redhat.com/magazine/025nov06/features/dns/
>
> I got stopped at the test doing a find admin user
>
> #ipa-finduser admin
> Could not initialize GSSAPI: Unspecified GSS failure. Minor code may
> provide more information/Server not found in Kerberos database
>
> # ldapsearch -Y GSSAPI -b "dc=(mydomain),dc=net" uid=admin
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>
> Troubleshooting Guide doesn't really help with this issue at all, nor
> does "ensure that DNS is configured correctly" in the install Guide.
>
> Shouldn't the "--setup-bind" switch take care of configuring the DNS
> correctly?

During the install you will see something like "Sample zone file for bind has been created in /tmp/sample.zone.F_uMf4.db". Make sure you correctly use this in your zone file in DNS, and check that your fqdn does not resolve to your loopback address.

> I have tried stuff on this page and no luck
> http://tldp.org/HOWTO/Kerberos-Infrastructure-HOWTO/install.html
>
> Jaakan
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-- 
Joe Royall
Red Hat Certified Architect

From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 19 May 2008 11:39:45 -0400
Subject: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get passed ipa-finduser admin
In-Reply-To: <3a082f0c0805190753s62eb4ed0xa812536d9236ea47@mail.gmail.com>
References: <3a082f0c0805161634g77681d93n8a1b12f8a7003286@mail.gmail.com> <482E2EEA.9060907@redhat.com> <482E30E8.3080706@redhat.com> <3a082f0c0805190753s62eb4ed0xa812536d9236ea47@mail.gmail.com>
Message-ID: <48319F41.7040707@redhat.com>

Jaakan Shorter wrote:
> here's an update ( I replaced the domain name with test )
> let me know if you need anymore info
>
> ipa-server-install --uninstall
> rm -f /var/kerberos/krb5kdc/kpasswd.keytab
> stopped the kerberos service ( --uninstall switch didn't stop it. I
> thought it should set it back to old state )
> yum update ( 1.0.6 version came out over the weekend for FC-9 )
> rebooted
> ipa-server-install --setup-bind -N

Yes, this should be fixed in the tip.

[ snip ]

> May 19 09:31:08 freeIPA.test.net krb5kdc[1758](info): set up 4 sockets
> May 19 09:31:08 freeIPA.test.net krb5kdc[1759](info): commencing operation
> May 19 09:32:02 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes
> {18 17 16 23 1 3 2}) 192.168.1.25: NEEDED_PREAUTH: admin@TEST.NET for
> krbtgt/TEST.NET@TEST.NET, Additional pre-authentication required
> May 19 09:32:24 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes
> {18 17 16 23 1 3 2}) 192.168.1.25: ISSUE: authtime 1211203944, etypes
> {rep=18 tkt=18 ses=18}, admin@TEST.NET for krbtgt/TEST.NET@TEST.NET
> May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime
> 1211203944, admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server
> not found in Kerberos database
> May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime
> 1211203944, admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server
> not found in Kerberos database

Service principals are created for the IPA servers at install time. There must be some (perhaps subtle) difference in what was created at install time and what it is trying to use.

Try this command to see what service principals exist:

$ ldapsearch -LLL -x -b "cn=kerberos,dc=test,dc=net" objectclass=krbPrincipalAux dn

rob

From: jaakanshorter at gmail.com (Jaakan Shorter)
Date: Mon, 19 May 2008 11:43:56 -0400
Subject: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get passed ipa-finduser admin
In-Reply-To: <48319F41.7040707@redhat.com>
References: <3a082f0c0805161634g77681d93n8a1b12f8a7003286@mail.gmail.com> <482E2EEA.9060907@redhat.com> <482E30E8.3080706@redhat.com> <3a082f0c0805190753s62eb4ed0xa812536d9236ea47@mail.gmail.com> <48319F41.7040707@redhat.com>
Message-ID: <3a082f0c0805190843u42b02fedq174b458fe743ec1d@mail.gmail.com>

# ldapsearch -LLL -x -b "cn=kerberos,dc=test,dc=net" objectclass=krbPrincipalAux dn
dn: krbprincipalname=K/M@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
dn: krbprincipalname=krbtgt/TEST.NET@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
dn: krbprincipalname=kadmin/admin@TEST.NET,cn=TEST.NET,cn=kerberos,dc=immport,dc=net
dn: krbprincipalname=kadmin/changepw@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
dn: krbprincipalname=kadmin/history@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
dn: krbprincipalname=kadmin/freeipa.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
dn: krbprincipalname=ldap/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
dn: krbprincipalname=host/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
dn: krbprincipalname=HTTP/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net

On Mon, May 19, 2008 at 11:39 AM, Rob Crittenden wrote:
> Jaakan Shorter wrote:
>>
>> here's an update ( I replaced the domain name with test )
>> let me know if you need anymore info
>>
>> ipa-server-install --uninstall
>> rm -f /var/kerberos/krb5kdc/kpasswd.keytab
>> stopped the kerberos service ( --uninstall switch didn't stop it. I
>> thought it should set it back to old state )
>> yum update ( 1.0.6 version came out over the weekend for FC-9 )
>> rebooted
>> ipa-server-install --setup-bind -N
>
> Yes, this should be fixed in the tip.
>
> [ snip ]
>
>> May 19 09:31:08 freeIPA.test.net krb5kdc[1758](info): set up 4 sockets
>> May 19 09:31:08 freeIPA.test.net krb5kdc[1759](info): commencing operation
>> May 19 09:32:02 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes
>> {18 17 16 23 1 3 2}) 192.168.1.25: NEEDED_PREAUTH: admin@TEST.NET for
>> krbtgt/TEST.NET@TEST.NET, Additional pre-authentication required
>> May 19 09:32:24 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes
>> {18 17 16 23 1 3 2}) 192.168.1.25: ISSUE: authtime 1211203944, etypes
>> {rep=18 tkt=18 ses=18}, admin@TEST.NET for krbtgt/TEST.NET@TEST.NET
>> May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7
>> etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime
>> 1211203944, admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server
>> not found in Kerberos database
>> May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7
>> etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime
>> 1211203944, admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server
>> not found in Kerberos database
>
> Service principals are created for the IPA servers at install time. There
> must be some (perhaps subtle) difference in what was created at install time
> and what it is trying to use.
>
> Try this command to see what service principals exist:
>
> $ ldapsearch -LLL -x -b "cn=kerberos,dc=test,dc=net"
> objectclass=krbPrincipalAux dn
>
> rob

From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 19 May 2008 12:51:46 -0400
Subject: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get passed ipa-finduser admin
In-Reply-To: <3a082f0c0805190843u42b02fedq174b458fe743ec1d@mail.gmail.com>
References: <3a082f0c0805161634g77681d93n8a1b12f8a7003286@mail.gmail.com> <482E2EEA.9060907@redhat.com> <482E30E8.3080706@redhat.com> <3a082f0c0805190753s62eb4ed0xa812536d9236ea47@mail.gmail.com> <48319F41.7040707@redhat.com> <3a082f0c0805190843u42b02fedq174b458fe743ec1d@mail.gmail.com>
Message-ID: <1211215906.12580.10.camel@localhost.localdomain>

On Mon, 2008-05-19 at 11:43 -0400, Jaakan Shorter wrote:
>
> dn: krbprincipalname=ldap/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
>
> dn: krbprincipalname=host/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
>
> dn: krbprincipalname=HTTP/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net

oooh freeIPA with capital letters in it ...
uhmm I guess we have a bug where we are supposed to lowercase dns names somewhere and we don't ....

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From: jaakanshorter at gmail.com (Jaakan Shorter)
Date: Mon, 19 May 2008 13:06:27 -0400
Subject: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get passed ipa-finduser admin
In-Reply-To: <1211215906.12580.10.camel@localhost.localdomain>
References: <3a082f0c0805161634g77681d93n8a1b12f8a7003286@mail.gmail.com> <482E2EEA.9060907@redhat.com> <482E30E8.3080706@redhat.com> <3a082f0c0805190753s62eb4ed0xa812536d9236ea47@mail.gmail.com> <48319F41.7040707@redhat.com> <3a082f0c0805190843u42b02fedq174b458fe743ec1d@mail.gmail.com> <1211215906.12580.10.camel@localhost.localdomain>
Message-ID: <3a082f0c0805191006l57a52228k2553fcd175b6c58f@mail.gmail.com>

The server's name is freeIPA.test.net and not freeipa.test.net.

I just noticed this following line is not in caps when all the other ones are.

"dn: krbprincipalname=kadmin/freeipa.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net"

How would I fix the principalname? And should the principalname match the server name?

Want me to do an uninstall and rename the server name in lower case and see if it's ok with that?

Jaakan

On Mon, May 19, 2008 at 12:51 PM, Simo Sorce wrote:
> On Mon, 2008-05-19 at 11:43 -0400, Jaakan Shorter wrote:
>>
>> dn: krbprincipalname=ldap/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
>>
>> dn: krbprincipalname=host/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
>>
>> dn: krbprincipalname=HTTP/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
>
> oooh freeIPA with capital letters in it ...
> uhmm I guess we have a bug where we are supposed to lowercase dns names
> somewhere and we don't ....
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 19 May 2008 14:02:44 -0400
Subject: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get passed ipa-finduser admin
In-Reply-To: <3a082f0c0805191006l57a52228k2553fcd175b6c58f@mail.gmail.com>
References: <3a082f0c0805161634g77681d93n8a1b12f8a7003286@mail.gmail.com> <482E2EEA.9060907@redhat.com> <482E30E8.3080706@redhat.com> <3a082f0c0805190753s62eb4ed0xa812536d9236ea47@mail.gmail.com> <48319F41.7040707@redhat.com> <3a082f0c0805190843u42b02fedq174b458fe743ec1d@mail.gmail.com> <1211215906.12580.10.camel@localhost.localdomain> <3a082f0c0805191006l57a52228k2553fcd175b6c58f@mail.gmail.com>
Message-ID: <1211220164.12580.16.camel@localhost.localdomain>

On Mon, 2008-05-19 at 13:06 -0400, Jaakan Shorter wrote:
> The server's name is freeIPA.test.net and not freeipa.test.net.

DNS names are caseless, freeipa == FREEIPA == freeIPA in theory

> I just noticed this following line is not in caps when all the other ones are.
>
> "dn: krbprincipalname=kadmin/freeipa.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net"
>
> How would I fix the principalname? And should the principalname match
> the server name?

This is the only "correct" principal; the problem is with the other principals having capital letters, I believe.

The kerberos code expects all lowercase names, I think.

You could use ldapmodify or an ldap browsing tool to change the krbprincipalname attribute.

> Want me to do an uninstall and rename the server name in lower case
> and see if it's ok with that?

I think that would solve the issue. Would you mind opening a bug in bugzilla.redhat.com for the FreeIPA component?
We should handle this situation by normalizing the names before passing them down the stack.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

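Simo's diagnosis above in code: Kerberos principal names are case-sensitive while DNS names are not, so the KDC log's TGS_REQ for HTTP/freeipa.test.net@TEST.NET misses the stored HTTP/freeIPA.test.net@TEST.NET. This added Python example (not from the thread or from FreeIPA) parses an ldapsearch listing like Jaakan's, finds principals whose host part is not lowercase, and shows the normalisation Simo proposes; the listing it runs on is constructed from the one posted, with the archive's ' at ' restored to '@'.

```python
"""Spot Kerberos service principals whose host-name part is not lowercase.

Added example for the thread above; not FreeIPA code. The client
canonicalises the server name through DNS and asks the KDC for
HTTP/freeipa.test.net@TEST.NET; if the installer stored the principal as
HTTP/freeIPA.test.net@TEST.NET the exact lookup fails (UNKNOWN_SERVER).
normalize_principal() is the lowercasing step Simo describes.
"""
import re

_DN_RE = re.compile(r"^dn:\s*krbprincipalname=([^,]+),", re.IGNORECASE)


def principals_from_ldapsearch(text):
    """Extract principal names from `ldapsearch ... krbPrincipalAux dn` output.

    LDIF folds long lines: a continuation line starts with one space, so
    those are joined back first (the listing in the thread was wrapped so).
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    found = []
    for line in lines:
        match = _DN_RE.match(line)
        if match:
            found.append(match.group(1))
    return found


def split_principal(principal):
    """'HTTP/host@REALM' -> ('HTTP', 'host', 'REALM'); instance may be None."""
    name, _, realm = principal.rpartition("@")
    primary, _, instance = name.partition("/")
    return primary, (instance or None), realm


def normalize_principal(principal):
    """Lowercase the host-name instance of a service principal.

    Heuristic (an assumption of this example): only an instance that looks
    like a DNS name (contains a dot) and is not the realm itself
    (krbtgt/TEST.NET) is lowercased; primaries such as HTTP and the realm
    keep their case, as Kerberos requires.
    """
    primary, instance, realm = split_principal(principal)
    if instance and "." in instance and instance != realm:
        instance = instance.lower()
    name = primary if instance is None else f"{primary}/{instance}"
    return f"{name}@{realm}"


def lookup_principal(requested, stored):
    """Mimic the KDC's exact-match lookup, then explain a miss.

    Returns ('exact', entry), ('case-mismatch', entry) or ('missing', None).
    """
    if requested in stored:
        return "exact", requested
    want = normalize_principal(requested)
    for entry in stored:
        if normalize_principal(entry) == want:
            return "case-mismatch", entry
    return "missing", None


def mixed_case_hosts(stored):
    """Stored principals that normalisation would change: the ones to fix."""
    return [p for p in stored if normalize_principal(p) != p]


# Constructed sample modelled on the listing posted in the thread; the last
# DN is folded LDIF-style to exercise the continuation handling.
SAMPLE_LDAPSEARCH = """\
dn: krbprincipalname=K/M@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
dn: krbprincipalname=krbtgt/TEST.NET@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
dn: krbprincipalname=kadmin/admin@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
dn: krbprincipalname=kadmin/changepw@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
dn: krbprincipalname=kadmin/history@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
dn: krbprincipalname=kadmin/freeipa.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
dn: krbprincipalname=ldap/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
dn: krbprincipalname=host/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
dn: krbprincipalname=HTTP/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=ke
 rberos,dc=test,dc=net
"""

if __name__ == "__main__":
    stored = principals_from_ldapsearch(SAMPLE_LDAPSEARCH)
    # The TGS_REQ from the KDC log: the client asked for the lowercase name.
    print(lookup_principal("HTTP/freeipa.test.net@TEST.NET", stored))
    print(mixed_case_hosts(stored))
```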
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 19 May 2008 14:29:30 -0400
Subject: [Freeipa-devel] [PATCH] Don't pass the DM password on the command-line
Message-ID: <4831C70A.7010002@redhat.com>

We used the -w flag when calling ldapmodify so were passing the DM password on the command-line. This meant that if something went wrong the DM password got logged.

Use the -y flag instead which takes a file. I'm using mkstemp() to create that file and a try/finally to be sure it is always removed, even if an error is thrown.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-23-ldapmodify.patch
Type: text/x-patch
Size: 2826 bytes
Desc: not available
URL:

From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 19 May 2008 15:13:00 -0400
Subject: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get passed ipa-finduser admin
In-Reply-To: <3a082f0c0805191159w4ba9d6ddh41eef26005b98aa4@mail.gmail.com>
References: <3a082f0c0805161634g77681d93n8a1b12f8a7003286@mail.gmail.com> <482E2EEA.9060907@redhat.com> <482E30E8.3080706@redhat.com> <3a082f0c0805190753s62eb4ed0xa812536d9236ea47@mail.gmail.com> <48319F41.7040707@redhat.com> <3a082f0c0805190843u42b02fedq174b458fe743ec1d@mail.gmail.com> <1211215906.12580.10.camel@localhost.localdomain> <3a082f0c0805191006l57a52228k2553fcd175b6c58f@mail.gmail.com> <1211220164.12580.16.camel@localhost.localdomain> <3a082f0c0805191159w4ba9d6ddh41eef26005b98aa4@mail.gmail.com>
Message-ID: <1211224380.12580.31.camel@localhost.localdomain>

On Mon, 2008-05-19 at 14:59 -0400, Jaakan Shorter wrote:
> thanks Rob and Simo
>
> here is the bug report number https://bugzilla.redhat.com/show_bug.cgi?id=447381

Thanks a lot!

-- 
Simo Sorce * Red Hat, Inc * New York

From: jaakanshorter at gmail.com (Jaakan Shorter)
Date: Mon, 19 May 2008 14:59:43 -0400
Subject: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get passed ipa-finduser admin
In-Reply-To: <1211220164.12580.16.camel@localhost.localdomain>
References: <3a082f0c0805161634g77681d93n8a1b12f8a7003286@mail.gmail.com> <482E2EEA.9060907@redhat.com> <482E30E8.3080706@redhat.com> <3a082f0c0805190753s62eb4ed0xa812536d9236ea47@mail.gmail.com> <48319F41.7040707@redhat.com> <3a082f0c0805190843u42b02fedq174b458fe743ec1d@mail.gmail.com> <1211215906.12580.10.camel@localhost.localdomain> <3a082f0c0805191006l57a52228k2553fcd175b6c58f@mail.gmail.com> <1211220164.12580.16.camel@localhost.localdomain>
Message-ID: <3a082f0c0805191159w4ba9d6ddh41eef26005b98aa4@mail.gmail.com>

Thanks Rob and Simo.

Here is the bug report number: https://bugzilla.redhat.com/show_bug.cgi?id=447381

I uninstalled it and renamed the server to freeipa.test.net, in lower case this time.

kinit admin
Password for admin@TEST.NET:

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TEST.NET

Valid starting     Expires            Service principal
05/19/08 14:42:18  05/20/08 14:42:06  krbtgt/TEST.NET@TEST.NET

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

ipa-finduser admin
Full Name: Administrator
Home Directory: /home/admin
Login Shell: /bin/bash
Login: admin

Now I am going to see if I can get up a client to test it all out.

Thanks again.

jaakan

On Mon, May 19, 2008 at 2:02 PM, Simo Sorce wrote:
> On Mon, 2008-05-19 at 13:06 -0400, Jaakan Shorter wrote:
>> The server's name is freeIPA.test.net and not freeipa.test.net.
>
> DNS names are caseless, freeipa == FREEIPA == freeIPA in theory
>
>> I just noticed this following line is not in caps when all the other ones are.
>>
>> "dn: krbprincipalname=kadmin/freeipa.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net"
>>
>> How would I fix the principalname? And should the principalname match
>> the server name?
>
> This is the only "correct" principal; the problem is with the other
> principals having capital letters, I believe.
>
> The kerberos code expects all lowercase names, I think.
>
> You could use ldapmodify or an ldap browsing tool to change the
> krbprincipalname attribute.
>
>> Want me to do an uninstall and rename the server name in lower case
>> and see if it's ok with that?
>
> I think that would solve the issue. Would you mind opening a bug in
> bugzilla.redhat.com for the FreeIPA component?
> We should handle this situation by normalizing the names before passing
> them down the stack.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

From: mwchristiansen at gmail.com (Mark Christiansen)
Date: Mon, 19 May 2008 12:15:40 -0700
Subject: [Freeipa-devel] Re: Freeipa-devel Digest, Vol 12, Issue 33
In-Reply-To: <20080519160003.CF0B061A155@hormel.redhat.com>
References: <20080519160003.CF0B061A155@hormel.redhat.com>
Message-ID:

I fixed my problems with ipa* functions by modifying /etc/hosts so that my FQDN entry is first, and the localhost entry is not first. I am guessing this is where most other people will have their problems. Can we modify the FAQ to include this recommendation?

I am having issues getting access to the web page outside of the machine with freeipa installed. Should I be able to get a ticket by accessing the web interface? In both IE and Firefox, I am unable to bring up any pages after getting prompted. In IE, it is blank, and in Firefox I get Kerberos authentication failed. This is another noob question, but perhaps it will be helpful for the FAQ. My O'Reilly book on Kerberos is on its way. :)

Thanks!

-Mark

On Mon, May 19, 2008 at 9:00 AM, wrote:
> Send Freeipa-devel mailing list submissions to
> freeipa-devel at redhat.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> or, via email, send a message with subject or body 'help' to
> freeipa-devel-request at redhat.com
>
> You can reach the person managing the list at
> freeipa-devel-owner at redhat.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeipa-devel digest..."
>
> Today's Topics:
>
> 1. Re: freeIPA + Fedora 9 + xen , can't get passed ipa-finduser
> admin (Rob Crittenden)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 19 May 2008 11:39:45 -0400
> From: Rob Crittenden
> Subject: Re: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get
> passed ipa-finduser admin
> To: Jaakan Shorter
> Cc: freeipa-devel at redhat.com
> Message-ID: <48319F41.7040707 at redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> [ snip ]
>
> ------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> End of Freeipa-devel Digest, Vol 12, Issue 33
> *********************************************

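Rob, Joe and Mark all land on the same /etc/hosts trap: the FQDN sitting on the loopback line, or not listed as the canonical (first) name of its static address, so the IPA tools end up talking to 127.0.0.1 or get the short name back from a reverse lookup. This added Python checker (not from the thread or from FreeIPA) reads hosts(5)-style content and reports both conditions; the sample files are constructed around the thread's freeipa.test.net and 192.168.1.25.

```python
"""Check an /etc/hosts-style file for the FreeIPA hostname trap.

Added example for the thread above; not FreeIPA code. Two things go wrong
on a default Fedora install: the FQDN is listed as an alias of 127.0.0.1
(so it resolves to loopback), or the static address's line does not name
the FQDN first (so a reverse lookup through the files backend yields the
short name instead of the FQDN the Kerberos principals were built from).
"""
import ipaddress


def parse_hosts(text):
    """Yield (ip_address, [names]) per entry, skipping comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no names cannot match anything
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a hosts entry
        yield ip, fields[1:]


def check_hosts(text, fqdn):
    """Return a report dict for FQDN against hosts(5) content.

    Matching is case-insensitive: DNS names are caseless, which is exactly
    what bit the freeIPA.test.net install in the thread.
    """
    want = fqdn.lower()
    report = {
        "loopback_aliases": [],   # loopback addresses that list the FQDN
        "address": None,          # first non-loopback address for the FQDN
        "canonical_name": None,   # first name on that line (reverse lookup)
        "problems": [],
    }
    for ip, names in parse_hosts(text):
        if want not in (n.lower() for n in names):
            continue
        if ip.is_loopback:
            report["loopback_aliases"].append(str(ip))
        elif report["address"] is None:
            # glibc's files backend answers with the first matching line
            report["address"] = str(ip)
            report["canonical_name"] = names[0]
    if report["loopback_aliases"]:
        report["problems"].append("fqdn-resolves-to-loopback")
    if report["address"] is None:
        report["problems"].append("fqdn-has-no-static-address")
    elif report["canonical_name"].lower() != want:
        report["problems"].append("fqdn-not-canonical-name")
    report["ok"] = not report["problems"]
    return report


# Constructed samples mirroring the thread: a stock Fedora 9 hosts file
# where the installer's hostname landed on the loopback line, and the
# corrected layout with the FQDN first on its own static-address line.
BROKEN_HOSTS = """\
127.0.0.1   freeIPA.test.net freeIPA localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6
"""

FIXED_HOSTS = """\
127.0.0.1     localhost.localdomain localhost
::1           localhost6.localdomain6 localhost6
192.168.1.25  freeipa.test.net freeipa
"""

if __name__ == "__main__":
    for label, content in (("broken", BROKEN_HOSTS), ("fixed", FIXED_HOSTS)):
        print(label, check_hosts(content, "freeipa.test.net"))
```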
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 19 May 2008 15:41:00 -0400
Subject: [Freeipa-devel] Re: Freeipa-devel Digest, Vol 12, Issue 33
In-Reply-To:
References: <20080519160003.CF0B061A155@hormel.redhat.com>
Message-ID: <4831D7CC.2020005@redhat.com>

Hi Mark,

Thank you for sharing the recommendation with us. Can you please log a request into bugzilla? https://bugzilla.redhat.com

Did you do kinit first? Did you add the realm into the FireFox configuration?

Thank you
Dmitri Pal

Mark Christiansen wrote:
> I fixed my problems with ipa* functions by modifying /etc/hosts so
> that my FQDN entry is first, and the localhost entry is not first. I
> am guessing this is where most other people will have their problems.
> Can we modify the FAQ to include this recommendation?
>
> I am having issues getting access to the web page outside of the
> machine with freeipa installed. Should I be able to get a ticket by
> accessing the web interface? In both IE and Firefox, I am unable to
> bring up any pages after getting prompted. In IE, it is blank, and in
> Firefox I get Kerberos authentication failed. This is another noob
> question, but perhaps it will be helpful for the FAQ. My O'Reilly
> book on Kerberos is on its way. :)
>
> Thanks!
>
> -Mark
>
> On Mon, May 19, 2008 at 9:00 AM, wrote:
>
>     Send Freeipa-devel mailing list submissions to
>     freeipa-devel at redhat.com
>
>     To subscribe or unsubscribe via the World Wide Web, visit
>     https://www.redhat.com/mailman/listinfo/freeipa-devel
>     or, via email, send a message with subject or body 'help' to
>     freeipa-devel-request at redhat.com
>
>     You can reach the person managing the list at
>     freeipa-devel-owner at redhat.com
>
>     When replying, please edit your Subject line so it is more specific
>     than "Re: Contents of Freeipa-devel digest..."
>
>     Today's Topics:
>
>     1. Re: freeIPA + Fedora 9 + xen , can't get passed ipa-finduser
>     admin (Rob Crittenden)
>
>     ----------------------------------------------------------------------
>
>     Message: 1
>     Date: Mon, 19 May 2008 11:39:45 -0400
>     From: Rob Crittenden
>     Subject: Re: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get
>     passed ipa-finduser admin
>     To: Jaakan Shorter
>     Cc: freeipa-devel at redhat.com
>     Message-ID: <48319F41.7040707 at redhat.com>
>     Content-Type: text/plain; charset="iso-8859-1"
>
>     [ snip ]
>
>     ------------------------------
>
>     _______________________________________________
>     Freeipa-devel mailing list
>     Freeipa-devel at redhat.com
>     https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>     End of Freeipa-devel Digest, Vol 12, Issue 33
>     *********************************************
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-- 
Dmitri Pal
Engineering Manager
Red Hat Inc.

From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 19 May 2008 15:42:51 -0400
Subject: [Freeipa-devel] [PATCH] Don't pass the DM password on the command-line
In-Reply-To: <4831C70A.7010002@redhat.com>
References: <4831C70A.7010002@redhat.com>
Message-ID: <1211226171.12580.37.camel@localhost.localdomain>

On Mon, 2008-05-19 at 14:29 -0400, Rob Crittenden wrote:
> We used the -w flag when calling ldapmodify so were passing the DM
> password on the command-line. This meant that if something went wrong
> the DM password got logged.
>
> Use the -y flag instead which takes a file. I'm using mkstemp() to
> create that file and a try/finally to be sure it is always removed,
> even if an error is thrown.

I'll ack if you add an extra chmod 400 for safety before you write the password.

Thanks for fixing this.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 19 May 2008 15:45:44 -0400
Subject: [Freeipa-devel] [PATCH] Don't pass the DM password on the command-line
In-Reply-To: <1211226171.12580.37.camel@localhost.localdomain>
References: <4831C70A.7010002@redhat.com> <1211226171.12580.37.camel@localhost.localdomain>
Message-ID: <1211226344.12580.40.camel@localhost.localdomain>

On Mon, 2008-05-19 at 15:42 -0400, Simo Sorce wrote:
> On Mon, 2008-05-19 at 14:29 -0400, Rob Crittenden wrote:
> > We used the -w flag when calling ldapmodify so were passing the DM
> > password on the command-line. This meant that if something went wrong
> > the DM password got logged.
> >
> > Use the -y flag instead which takes a file. I'm using mkstemp() to
> > create that file and a try/finally to be sure it is always removed, even
> > if an error is thrown.
>
> I'll ack if you add an extra chmod 400 for safety before you write the
> password.
>
> Thanks for fixing this.

Actually, thinking some more, we do not need to use mkstemp(); we can
simply write in /var/lib/ipa or /var/cache/ipa. These directories are not
writable by any user except root, so there are no races possible like in
/tmp.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Mon May 19 19:48:04 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 19 May 2008 15:48:04 -0400
Subject: [Freeipa-devel] [PATCH] Don't pass the DM password on the command-line
In-Reply-To: <1211226171.12580.37.camel@localhost.localdomain>
References: <4831C70A.7010002@redhat.com> <1211226171.12580.37.camel@localhost.localdomain>
Message-ID: <4831D974.2080104@redhat.com>

Simo Sorce wrote:
> On Mon, 2008-05-19 at 14:29 -0400, Rob Crittenden wrote:
>> We used the -w flag when calling ldapmodify so were passing the DM
>> password on the command-line. This meant that if something went wrong
>> the DM password got logged.
>>
>> Use the -y flag instead which takes a file. I'm using mkstemp() to
>> create that file and a try/finally to be sure it is always removed, even
>> if an error is thrown.
>
> I'll ack if you add an extra chmod 400 for safety before you write the
> password.
>
> Thanks for fixing this.
>
> Simo.
>

The file is already created mode 0600, is that good enough? From the
docs at http://docs.python.org/lib/module-tempfile.html

    mkstemp( [suffix[, prefix[, dir[, text]]]])

    Creates a temporary file in the most secure manner possible. There
    are no race conditions in the file's creation, assuming that the
    platform properly implements the O_EXCL flag for os.open(). The file is
    readable and writable only by the creating user ID. If the platform uses
    permission bits to indicate whether a file is executable, the file is
    executable by no one. The file descriptor is not inherited by child
    processes.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: 

From ssorce at redhat.com Mon May 19 19:58:34 2008
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 19 May 2008 15:58:34 -0400 Subject: [Freeipa-devel] [PATCH] Don't pass the DM password on the command-line In-Reply-To: <4831D974.2080104@redhat.com> References: <4831C70A.7010002@redhat.com> <1211226171.12580.37.camel@localhost.localdomain> <4831D974.2080104@redhat.com> Message-ID: <1211227114.12580.42.camel@localhost.localdomain> On Mon, 2008-05-19 at 15:48 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > On Mon, 2008-05-19 at 14:29 -0400, Rob Crittenden wrote: > >> We used the -w flag when calling ldapmodify so were passing the DM > >> password on the command-line. This meant that if something went wrong > >> the DM password got logged. > >> > >> Use the -y flag instead which takes a file. I'm using mkstemp() to > >> create that file and a try/finally to be sure it is always removed, > >> even > >> if an error is thrown. > > > > I'll ack if you add an extra chmod 400 for safety before you write the > > password. > > > > Thanks for fixing this. > > > > Simo. > > > > The file is already created mode 0600, is that good enough? From the > docs at http://docs.python.org/lib/module-tempfile.html > > mkstemp( [suffix[, prefix[, dir[, text]]]]) > > Creates a temporary file in the most secure manner possible. There > are no race conditions in the file's creation, assuming that the > platform properly implements the O_EXCL flag for os.open(). The file is > readable and writable only by the creating user ID. If the platform uses > permission bits to indicate whether a file is executable, the file is > executable by no one. The file descriptor is not inherited by child > processes. Yes it is good enough. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon May 19 20:20:02 2008 
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 19 May 2008 16:20:02 -0400
Subject: [Freeipa-devel] [PATCH] Only ask the user to install bind, not caching-nameserver
In-Reply-To: <482DBDF9.6000703@redhat.com>
References: <482DBDF9.6000703@redhat.com>
Message-ID: <1211228402.12580.52.camel@localhost.localdomain>

On Fri, 2008-05-16 at 19:01 +0200, Martin Nagy wrote:
>
> As a solution, I suggest we remove the mention of caching-nameserver
> (the attached patch) and then add patches which add it in the mentioned
> system's rpms.

ack

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Mon May 19 21:12:28 2008
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 19 May 2008 17:12:28 -0400 Subject: [Freeipa-devel] [PATCH] Don't pass the DM password on the command-line In-Reply-To: <1211227114.12580.42.camel@localhost.localdomain> References: <4831C70A.7010002@redhat.com> <1211226171.12580.37.camel@localhost.localdomain> <4831D974.2080104@redhat.com> <1211227114.12580.42.camel@localhost.localdomain> Message-ID: <4831ED3C.7050005@redhat.com> Simo Sorce wrote: > On Mon, 2008-05-19 at 15:48 -0400, Rob Crittenden wrote: >> Simo Sorce wrote: >>> On Mon, 2008-05-19 at 14:29 -0400, Rob Crittenden wrote: >>>> We used the -w flag when calling ldapmodify so were passing the DM >>>> password on the command-line. This meant that if something went wrong >>>> the DM password got logged. >>>> >>>> Use the -y flag instead which takes a file. I'm using mkstemp() to >>>> create that file and a try/finally to be sure it is always removed, >>>> even >>>> if an error is thrown. >>> I'll ack if you add an extra chmod 400 for safety before you write the >>> password. >>> >>> Thanks for fixing this. >>> >>> Simo. >>> >> The file is already created mode 0600, is that good enough? From the >> docs at http://docs.python.org/lib/module-tempfile.html >> >> mkstemp( [suffix[, prefix[, dir[, text]]]]) >> >> Creates a temporary file in the most secure manner possible. There >> are no race conditions in the file's creation, assuming that the >> platform properly implements the O_EXCL flag for os.open(). The file is >> readable and writable only by the creating user ID. If the platform uses >> permission bits to indicate whether a file is executable, the file is >> executable by no one. The file descriptor is not inherited by child >> processes. > > Yes it is good enough. > > Simo. > pushed -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Mon May 19 21:14:30 2008 
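The pattern settled on in the thread above, as an added example (not FreeIPA's installer code): the bind password goes into a 0600 file created with mkstemp() and is handed to ldapmodify with -y, and a try/finally removes the file whether the command succeeds or raises. The insecure -w form is kept beside it to show what the patch took out of argv. It assumes ldapmodify(1)'s -D/-w/-y/-f flags and only the Python standard library; the bind DN, the LDIF path and the optional directory argument (where Simo's /var/lib/ipa or /var/cache/ipa would go) are placeholders, and the command runner is injected so the code can be exercised without a directory server.

```python
"""Supply a bind password to ldapmodify through a file (-y) instead of argv (-w).

Added example, not FreeIPA's own installer code. Assumes ldapmodify(1)'s
-D/-w/-y/-f flags and only the Python standard library; the bind DN, LDIF
path and the directory argument are placeholders.
"""
import os
import stat
import tempfile
from contextlib import contextmanager


@contextmanager
def password_file(password, directory=None):
    """Yield the path of a 0600 file containing `password`; unlink it on exit.

    mkstemp() opens the file O_EXCL with mode 0600, so another local user can
    neither pre-create it nor read it. Passing a root-only directory (the
    thread suggests /var/lib/ipa or /var/cache/ipa) removes even the
    theoretical /tmp races. The try/finally guarantees removal whether the
    caller returns or raises.
    """
    fd, path = tempfile.mkstemp(prefix="pw.", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            # Belt and braces: re-assert 0600 even if the platform ignored
            # the mode mkstemp asked for.
            os.fchmod(fh.fileno(), stat.S_IRUSR | stat.S_IWUSR)
            fh.write(password)
        yield path
    finally:
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass


def ldapmodify_argv_insecure(bind_dn, password, ldif_path):
    """The pattern the patch removes: the secret sits in argv, so every local
    user sees it in `ps` and any log of the failing command captures it."""
    return ["ldapmodify", "-x", "-D", bind_dn, "-w", password, "-f", ldif_path]


def ldapmodify_argv(bind_dn, pwfile, ldif_path):
    """Fixed pattern: argv names only the 0600 file, which ldapmodify reads."""
    return ["ldapmodify", "-x", "-D", bind_dn, "-y", pwfile, "-f", ldif_path]


def run_ldapmodify(bind_dn, password, ldif_path, runner, directory=None):
    """Run `runner(argv)` while the password file exists, then remove it.

    `runner` is injected so the function can be exercised without a
    directory server; in real code it is subprocess.check_call or similar.
    """
    with password_file(password, directory) as pwfile:
        return runner(ldapmodify_argv(bind_dn, pwfile, ldif_path))


def demo(secret="constructed-dm-password"):
    """Exercise the happy path with a fake runner and report what it saw."""
    seen = {}

    def fake_runner(argv):
        pwpath = argv[argv.index("-y") + 1]
        seen["path"] = pwpath
        seen["mode"] = stat.S_IMODE(os.stat(pwpath).st_mode)
        with open(pwpath) as fh:
            seen["contents"] = fh.read()
        seen["secret_in_argv"] = secret in argv
        return 0

    seen["rc"] = run_ldapmodify("cn=Directory Manager", secret,
                                "/tmp/example.ldif", fake_runner)
    seen["removed"] = not os.path.exists(seen["path"])
    return seen


def demo_cleanup_on_failure(secret="constructed-dm-password"):
    """Show the file is removed even when ldapmodify (here, the runner) fails."""
    holder = {}

    def failing_runner(argv):
        holder["path"] = argv[argv.index("-y") + 1]
        raise RuntimeError("ldapmodify failed")

    try:
        run_ldapmodify("cn=Directory Manager", secret, "/tmp/example.ldif",
                       failing_runner)
    except RuntimeError:
        pass
    return not os.path.exists(holder["path"])


if __name__ == "__main__":
    print(demo())
    print("cleaned up after failure:", demo_cleanup_on_failure())
```

Run as a script it prints the mode (0o600), the file contents, that the secret is absent from argv and that the file is gone afterwards, including on the failure path. The mode check is the "is 0600 good enough" question from the thread answered in code; the injected runner is what keeps the example offline.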
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 19 May 2008 17:14:30 -0400 Subject: [Freeipa-devel] [PATCH] check for duplicate phone numbers In-Reply-To: <482DF411.3060803@redhat.com> References: <482DE600.3080201@redhat.com> <482DEA1D.8090203@redhat.com> <482DEAC2.4020509@redhat.com> <482DF0EF.90305@redhat.com> <482DF301.9090803@redhat.com> <482DF411.3060803@redhat.com> Message-ID: <4831EDB6.10507@redhat.com> Nathan Kinder wrote: > Dmitri Pal wrote: >> Rob Crittenden wrote: >>> Dmitri Pal wrote: >>>> Michael DeHaan wrote: >>>>> Rob Crittenden wrote: >>>>>> Do uniqueness check on phone numbers entered via the UI. >>>>>> rob >>>>>> ------------------------------------------------------------------------ >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> Freeipa-devel mailing list >>>>>> Freeipa-devel at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>> >>>>> Completely lurking here, but might people might share a phone in >>>>> some cases? >>>>> Pagers can also be shared too. >>>>> >>>>> --Michael >>>> This is about having one and the same number listed multiple times >>>> in the same multi value attribute. >>>> It does not make sense have to have to cell phone records with same >>>> number. >>>> This is what the bug is about. Rob did you interpret it this way? >>> >>> No. It also allowed the same phone number to be entered multiple >>> times in the same field which would cause LDAP to throw an error >>> (some obscure thing about types). >>> >>> I don't think it is a bad thing to have the same phone number listed >>> in multiple fields, it may very well be the case that their pager is >>> a cell phone. >>> >>> Simo pointed out that we shouldn't limit this test to phone numbers >>> either. The full name field is also multi valued. >>> >>> rob >> >> >> I think the two issues got mixed. >> 1) It is bad to allow same values in the one multivalue attribute. 
For >> example allow two values for phone attribute with the same phone number. > I'll add that LDAP doesn't allow it (which is the error Rob pointed > out). We just want to catch it in the UI ahead of time to prevent an > ugly LDAP error. So what is the final resolution of this? Is this patch good enough for now? rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From mchristi at u.washington.edu Mon May 19 22:44:37 2008 
From: mchristi at u.washington.edu (Mark Christiansen) Date: Mon, 19 May 2008 15:44:37 -0700 Subject: [Freeipa-devel] Re: Freeipa-devel Digest, Vol 12, Issue 33 In-Reply-To: <4831D7CC.2020005@redhat.com> References: <20080519160003.CF0B061A155@hormel.redhat.com> <4831D7CC.2020005@redhat.com> Message-ID: Hello Dmitri, I filed a bug (447440) for the documentation recommendation. I also filed a 2nd bug (447445) to fix the link to Microsoft's web page for Kerberos Authentication help, which is currently giving a "Content not found" page. If I do a kinit on a Windows machine (which most of the potential end users will likely use), I get the error: kinit(v5): Cannot resolve network address for KDC in realm ___ while getting initial credentials I also added the realm to the about:config page for Mozilla, and added the site as a trusted site within IE. However, for IE I have it so that the page prompts for user name and password, but it doesn't prompt me, gives me a certificate error, and even if I continue with the bad certificate, the page comes up with nothing. Just to understand this better, but once either firefox or IE is configured properly, the web page should allow an end user to get a ticket, right? I am hoping that command line use will not be necessary. Thanks for your help and suggestions! -Mark On Mon, May 19, 2008 at 12:41 PM, Dmitri Pal wrote: > Hi Mark, > > Thank you for sharing the recommendation with us. > Can you please log a request into bugzilla? > > https://bugzilla.redhat.com > > Did you do kinit first? > Did you add the realm into the FireFox configuration? > > Thank you > Dmitri Pal > > > Mark Christiansen wrote: > >> I fixed my problems with ipa* functions by modifying /etc/hosts so that my >> FQDN entry is first, and the localhost entry is not first. I am guessing >> this is where most other people will have their problems. Can we modify the >> FAQ to include this recommendation? 
>> >> I am having issues getting access to the web page outside of the machine >> with freeipa installed. Should I be able to get a ticket by accessing the >> web interface? In both IE and Firefox, I am unable to bring up any pages >> after getting prompted. In IE, it is blank, and Firefox I get Kerberos >> authentication failed. This is another noob question, but perhaps it will >> be helpful for the FAQ. My O'Reilly book on Kerberos is on its way. :) >> >> Thanks! >> >> -Mark >> >> On Mon, May 19, 2008 at 9:00 AM, > freeipa-devel-request at redhat.com>> wrote: >> >> Send Freeipa-devel mailing list submissions to >> freeipa-devel at redhat.com >> >> To subscribe or unsubscribe via the World Wide Web, visit >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> or, via email, send a message with subject or body 'help' to >> freeipa-devel-request at redhat.com >> >> >> You can reach the person managing the list at >> freeipa-devel-owner at redhat.com >> >> >> When replying, please edit your Subject line so it is more specific >> than "Re: Contents of Freeipa-devel digest..." >> >> >> Today's Topics: >> >> 1. Re: freeIPA + Fedora 9 + xen , can't get passed ipa-finduser >> admin (Rob Crittenden) >> >> >> ---------------------------------------------------------------------- >> >> Message: 1 >> Date: Mon, 19 May 2008 11:39:45 -0400 
>> From: Rob Crittenden > > >> Subject: Re: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get >> passed ipa-finduser admin >> To: Jaakan Shorter > > >> Cc: freeipa-devel at redhat.com >> Message-ID: <48319F41.7040707 at redhat.com >> > >> Content-Type: text/plain; charset="iso-8859-1" >> >> Jaakan Shorter wrote: >> > here's an update ( I replaced the domain name with test ) >> > let me know if you need anymore info >> > >> > ipa-server-install --uninstall >> > rm -f /var/kerberos/krb5kdc/kpasswd.keytab >> > stopped the kerberos service ( --uninstall switch didn't stop it. I >> > thought it should set it back to old state ) >> > yum update ( 1.0.6 version came out over the weekend for FC-9 ) >> > rebooted >> > ipa-server-install --setup-bind -N >> >> Yes, this should be fixed in the tip. >> >> [ snip ] >> >> > May 19 09:31:08 freeIPA.test.net >> krb5kdc[1758](info): set up 4 sockets >> > May 19 09:31:08 freeIPA.test.net >> krb5kdc[1759](info): commencing operation >> > May 19 09:32:02 freeIPA.test.net >> krb5kdc[1759](info): AS_REQ (7 etypes >> > {18 17 16 23 1 3 2}) 192.168.1.25 : >> NEEDED_PREAUTH: admin at TEST.NET for >> > krbtgt/TEST.NET @TEST.NET , >> Additional pre-authentication required >> > May 19 09:32:24 freeIPA.test.net >> krb5kdc[1759](info): AS_REQ (7 etypes >> > {18 17 16 23 1 3 2}) 192.168.1.25 : ISSUE: >> authtime 1211203944, etypes >> > {rep=18 tkt=18 ses=18}, admin at TEST.NET >> for krbtgt/TEST.NET @TEST.NET >> > May 19 09:32:54 freeIPA.test.net >> krb5kdc[1759](info): TGS_REQ (7 >> > etypes {18 17 16 23 1 3 2}) 192.168.1.25 : >> UNKNOWN_SERVER: authtime >> > 1211203944, admin at TEST.NET for >> HTTP/freeipa.test.net @TEST.NET >> , Server >> > not found in Kerberos database >> > May 19 09:32:54 freeIPA.test.net >> krb5kdc[1759](info): TGS_REQ (7 >> > etypes {18 17 16 23 1 3 2}) 192.168.1.25 : >> UNKNOWN_SERVER: authtime >> > 1211203944, admin at TEST.NET for >> HTTP/freeipa.test.net @TEST.NET >> , Server >> > not found in Kerberos database >> 
>> Service principals are created for the IPA servers at install time. >> There must be some (perhaps subtle) difference in what was created at >> install time and what it is trying to use. >> >> Try this command to see what service principals exist: >> >> $ ldapsearch -LLL -x -b "cn=kerberos,dc=test,dc=net" >> objectclass=krbPrincipalAux dn >> >> rob >> -------------- next part -------------- >> A non-text attachment was scrubbed... >> Name: smime.p7s >> Type: application/x-pkcs7-signature >> Size: 3245 bytes >> Desc: S/MIME Cryptographic Signature >> Url : >> >> https://www.redhat.com/archives/freeipa-devel/attachments/20080519/db294115/smime.bin >> >> ------------------------------ >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> >> End of Freeipa-devel Digest, Vol 12, Issue 33 >> ********************************************* >> >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> > > > -- > Dmitri Pal > Engineering Manager > Red Hat Inc. > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Mon May 19 23:03:36 2008 
From: dpal at redhat.com (Dmitri Pal) Date: Mon, 19 May 2008 19:03:36 -0400 Subject: [Freeipa-devel] Re: Freeipa-devel Digest, Vol 12, Issue 33 In-Reply-To: References: <20080519160003.CF0B061A155@hormel.redhat.com> <4831D7CC.2020005@redhat.com> Message-ID: <48320748.2040503@redhat.com> Hi Mark, Thank you for the submission of the bugs. We will see what can be done and come back to you with suggestions. Thank you Dmitri Mark Christiansen wrote: > Hello Dmitri, > > I filed a bug (447440) for the documentation recommendation. I also > filed a 2nd bug (447445) to fix the link to Microsoft's web page for > Kerberos Authentication help, which is currently giving a "Content not > found" page. > > If I do a kinit on a Windows machine (which most of the potential end > users will likely use), I get the error: > kinit(v5): Cannot resolve network address for KDC in realm ___ while > getting initial credentials > > I also added the realm to the about:config page for Mozilla, and added > the site as a trusted site within IE. However, for IE I have it so > that the page prompts for user name and password, but it doesn't > prompt me, gives me a certificate error, and even if I continue with > the bad certificate, the page comes up with nothing. > > Just to understand this better, but once either firefox or IE is > configured properly, the web page should allow an end user to get a > ticket, right? I am hoping that command line use will not be necessary. > > Thanks for your help and suggestions! > > -Mark > > On Mon, May 19, 2008 at 12:41 PM, Dmitri Pal > wrote: > > Hi Mark, > > Thank you for sharing the recommendation with us. > Can you please log a request into bugzilla? > > https://bugzilla.redhat.com > > Did you do kinit first? > Did you add the realm into the FireFox configuration? 
> > Thank you > Dmitri Pal > > > Mark Christiansen wrote: > > I fixed my problems with ipa* functions by modifying > /etc/hosts so that my FQDN entry is first, and the localhost > entry is not first. I am guessing this is where most other > people will have their problems. Can we modify the FAQ to > include this recommendation? > > I am having issues getting access to the web page outside of > the machine with freeipa installed. Should I be able to get a > ticket by accessing the web interface? In both IE and > Firefox, I am unable to bring up any pages after getting > prompted. In IE, it is blank, and Firefox I get Kerberos > authentication failed. This is another noob question, but > perhaps it will be helpful for the FAQ. My O'Reilly book on > Kerberos is on its way. :) > > Thanks! > > -Mark > > On Mon, May 19, 2008 at 9:00 AM, > > >> wrote: > > Send Freeipa-devel mailing list submissions to > freeipa-devel at redhat.com > > > > > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.redhat.com/mailman/listinfo/freeipa-devel > or, via email, send a message with subject or body 'help' to > freeipa-devel-request at redhat.com > > > > > > You can reach the person managing the list at > freeipa-devel-owner at redhat.com > > > > > > When replying, please edit your Subject line so it is more > specific > than "Re: Contents of Freeipa-devel digest..." > > > Today's Topics: > > 1. Re: freeIPA + Fedora 9 + xen , can't get passed > ipa-finduser > admin (Rob Crittenden) > > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Mon, 19 May 2008 11:39:45 -0400 
> From: Rob Crittenden > >> > > Subject: Re: [Freeipa-devel] freeIPA + Fedora 9 + xen , > can't get > passed ipa-finduser admin > To: Jaakan Shorter > >> > Cc: freeipa-devel at redhat.com > > > > > Message-ID: <48319F41.7040707 at redhat.com > > >> > > Content-Type: text/plain; charset="iso-8859-1" > > Jaakan Shorter wrote: > > here's an update ( I replaced the domain name with test ) > > let me know if you need anymore info > > > > ipa-server-install --uninstall > > rm -f /var/kerberos/krb5kdc/kpasswd.keytab > > stopped the kerberos service ( --uninstall switch didn't > stop it. I > > thought it should set it back to old state ) > > yum update ( 1.0.6 version came out over the weekend for > FC-9 ) > > rebooted > > ipa-server-install --setup-bind -N > > Yes, this should be fixed in the tip. > > [ snip ] > > > May 19 09:31:08 freeIPA.test.net > > > krb5kdc[1758](info): set up 4 sockets > > May 19 09:31:08 freeIPA.test.net > > > krb5kdc[1759](info): commencing operation > > May 19 09:32:02 freeIPA.test.net > > > krb5kdc[1759](info): AS_REQ (7 etypes > > {18 17 16 23 1 3 2}) 192.168.1.25 > : > NEEDED_PREAUTH: admin at TEST.NET > > for > > krbtgt/TEST.NET > @TEST.NET , > Additional pre-authentication required > > May 19 09:32:24 freeIPA.test.net > > > krb5kdc[1759](info): AS_REQ (7 etypes > > {18 17 16 23 1 3 2}) 192.168.1.25 > : ISSUE: > authtime 1211203944, etypes > > {rep=18 tkt=18 ses=18}, admin at TEST.NET > > > for krbtgt/TEST.NET > @TEST.NET > > May 19 09:32:54 freeIPA.test.net > > > krb5kdc[1759](info): TGS_REQ (7 > > etypes {18 17 16 23 1 3 2}) 192.168.1.25 > : > UNKNOWN_SERVER: authtime > > 1211203944, admin at TEST.NET > > for > HTTP/freeipa.test.net > @TEST.NET > , Server > > > not found in Kerberos database > > May 19 09:32:54 freeIPA.test.net > > > krb5kdc[1759](info): TGS_REQ (7 > > etypes {18 17 16 23 1 3 2}) 192.168.1.25 > : > UNKNOWN_SERVER: authtime > > 1211203944, admin at TEST.NET > > for > HTTP/freeipa.test.net > @TEST.NET > , Server > > > not 
found in Kerberos database > > Service principals are created for the IPA servers at > install time. > There must be some (perhaps subtle) difference in what was > created at > install time and what it is trying to use. > > Try this command to see what service principals exist: > > $ ldapsearch -LLL -x -b "cn=kerberos,dc=test,dc=net" > objectclass=krbPrincipalAux dn > > rob > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: smime.p7s > Type: application/x-pkcs7-signature > Size: 3245 bytes > Desc: S/MIME Cryptographic Signature > Url : > > https://www.redhat.com/archives/freeipa-devel/attachments/20080519/db294115/smime.bin > > ------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > > > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > End of Freeipa-devel Digest, Vol 12, Issue 33 > ********************************************* > > > ------------------------------------------------------------------------ > > > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > > -- > Dmitri Pal > Engineering Manager > Red Hat Inc. > > -- Dmitri Pal Engineering Manager Red Hat Inc. From rcritten at redhat.com Tue May 20 01:57:50 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 19 May 2008 21:57:50 -0400 Subject: [Freeipa-devel] Re: Freeipa-devel Digest, Vol 12, Issue 33 In-Reply-To: References: <20080519160003.CF0B061A155@hormel.redhat.com> <4831D7CC.2020005@redhat.com> Message-ID: <4832301E.1000503@redhat.com> Mark Christiansen wrote: > Hello Dmitri, > > I filed a bug (447440) for the documentation recommendation. I also > filed a 2nd bug (447445) to fix the link to Microsoft's web page for > Kerberos Authentication help, which is currently giving a "Content not > found" page. > > If I do a kinit on a Windows machine (which most of the potential end > users will likely use), I get the error: > kinit(v5): Cannot resolve network address for KDC in realm ___ while > getting initial credentials Are you using the native Microsoft kerberos client or the MIT client? I don't believe IPA will interoperate with the native windows client. > I also added the realm to the about:config page for Mozilla, and added > the site as a trusted site within IE. However, for IE I have it so that > the page prompts for user name and password, but it doesn't prompt me, > gives me a certificate error, and even if I continue with the bad > certificate, the page comes up with nothing. > > Just to understand this better, but once either firefox or IE is > configured properly, the web page should allow an end user to get a > ticket, right? I am hoping that command line use will not be necessary. You have to get the ticket before Firefox or IE will work. Firefox/IE, if properly configured, will be able to present the ticket as your credentials so you don't have to type a username/password in to authenticate. rob > > Thanks for your help and suggestions! > > -Mark > > On Mon, May 19, 2008 at 12:41 PM, Dmitri Pal > wrote: > > Hi Mark, > > Thank you for sharing the recommendation with us. > Can you please log a request into bugzilla? > > https://bugzilla.redhat.com > > Did you do kinit first? 
> Did you add the realm into the FireFox configuration? > > Thank you > Dmitri Pal > > > Mark Christiansen wrote: > > I fixed my problems with ipa* functions by modifying /etc/hosts > so that my FQDN entry is first, and the localhost entry is not > first. I am guessing this is where most other people will have > their problems. Can we modify the FAQ to include this > recommendation? > > I am having issues getting access to the web page outside of the > machine with freeipa installed. Should I be able to get a > ticket by accessing the web interface? In both IE and Firefox, > I am unable to bring up any pages after getting prompted. In > IE, it is blank, and Firefox I get Kerberos authentication > failed. This is another noob question, but perhaps it will be > helpful for the FAQ. My O'Reilly book on Kerberos is on its > way. :) > > Thanks! > > -Mark > > On Mon, May 19, 2008 at 9:00 AM, > > >> wrote: > > Send Freeipa-devel mailing list submissions to > freeipa-devel at redhat.com > > > > > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.redhat.com/mailman/listinfo/freeipa-devel > or, via email, send a message with subject or body 'help' to > freeipa-devel-request at redhat.com > > > > > > You can reach the person managing the list at > freeipa-devel-owner at redhat.com > > > > > > When replying, please edit your Subject line so it is more > specific > than "Re: Contents of Freeipa-devel digest..." > > > Today's Topics: > > 1. Re: freeIPA + Fedora 9 + xen , can't get passed > ipa-finduser > admin (Rob Crittenden) > > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Mon, 19 May 2008 11:39:45 -0400 
> From: Rob Crittenden > >> > > Subject: Re: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get > passed ipa-finduser admin > To: Jaakan Shorter > >> > Cc: freeipa-devel at redhat.com > > > > > Message-ID: <48319F41.7040707 at redhat.com > > >> > > Content-Type: text/plain; charset="iso-8859-1" > > Jaakan Shorter wrote: > > here's an update ( I replaced the domain name with test ) > > let me know if you need anymore info > > > > ipa-server-install --uninstall > > rm -f /var/kerberos/krb5kdc/kpasswd.keytab > > stopped the kerberos service ( --uninstall switch didn't > stop it. I > > thought it should set it back to old state ) > > yum update ( 1.0.6 version came out over the weekend for FC-9 ) > > rebooted > > ipa-server-install --setup-bind -N > > Yes, this should be fixed in the tip. > > [ snip ] > > > May 19 09:31:08 freeIPA.test.net > > > krb5kdc[1758](info): set up 4 sockets > > May 19 09:31:08 freeIPA.test.net > > > krb5kdc[1759](info): commencing operation > > May 19 09:32:02 freeIPA.test.net > > > krb5kdc[1759](info): AS_REQ (7 etypes > > {18 17 16 23 1 3 2}) 192.168.1.25 > : > NEEDED_PREAUTH: admin at TEST.NET > > for > > krbtgt/TEST.NET > @TEST.NET , > Additional pre-authentication required > > May 19 09:32:24 freeIPA.test.net > > > krb5kdc[1759](info): AS_REQ (7 etypes > > {18 17 16 23 1 3 2}) 192.168.1.25 > : ISSUE: > authtime 1211203944, etypes > > {rep=18 tkt=18 ses=18}, admin at TEST.NET > > > for krbtgt/TEST.NET > @TEST.NET > > May 19 09:32:54 freeIPA.test.net > > > krb5kdc[1759](info): TGS_REQ (7 > > etypes {18 17 16 23 1 3 2}) 192.168.1.25 > : > UNKNOWN_SERVER: authtime > > 1211203944, admin at TEST.NET > > for > HTTP/freeipa.test.net > @TEST.NET > , Server > > > not found in Kerberos database > > May 19 09:32:54 freeIPA.test.net > > > krb5kdc[1759](info): TGS_REQ (7 > > etypes {18 17 16 23 1 3 2}) 192.168.1.25 > : > UNKNOWN_SERVER: authtime > > 1211203944, admin at TEST.NET > > for > HTTP/freeipa.test.net > @TEST.NET > , Server > > > not found 
in Kerberos database > > Service principals are created for the IPA servers at install > time. > There must be some (perhaps subtle) difference in what was > created at > install time and what it is trying to use. > > Try this command to see what service principals exist: > > $ ldapsearch -LLL -x -b "cn=kerberos,dc=test,dc=net" > objectclass=krbPrincipalAux dn > > rob > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: smime.p7s > Type: application/x-pkcs7-signature > Size: 3245 bytes > Desc: S/MIME Cryptographic Signature > Url : > > https://www.redhat.com/archives/freeipa-devel/attachments/20080519/db294115/smime.bin -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From mnagy at redhat.com Tue May 20 08:26:20 2008 From: mnagy at redhat.com (Martin Nagy) Date: Tue, 20 May 2008 10:26:20 +0200 Subject: [Freeipa-devel] [PATCH] Change file mode of log files to 600 Message-ID: <48328B2C.8070702@redhat.com> Store log files from (un)installation with file mode 600. -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Change-file-mode-of-log-files-to-600.patch Type: text/x-patch Size: 2012 bytes Desc: not available URL: From ssorce at redhat.com Tue May 20 13:07:11 2008 
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 20 May 2008 09:07:11 -0400
Subject: [Freeipa-devel] [PATCH] check for duplicate phone numbers
In-Reply-To: <4831EDB6.10507@redhat.com>
References: <482DE600.3080201@redhat.com> <482DEA1D.8090203@redhat.com> <482DEAC2.4020509@redhat.com> <482DF0EF.90305@redhat.com> <482DF301.9090803@redhat.com> <482DF411.3060803@redhat.com> <4831EDB6.10507@redhat.com>
Message-ID: <1211288831.12580.71.camel@localhost.localdomain>

On Mon, 2008-05-19 at 17:14 -0400, Rob Crittenden wrote:
>
> So what is the final resolution of this? Is this patch good enough for
> now?

The patch itself is ok, but I'd extend the test to every attribute.
Putting in your name twice in 2 separate values is going to cause the
same error.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Tue May 20 13:46:12 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 20 May 2008 09:46:12 -0400
Subject: [Freeipa-devel] [PATCH] browser config page fixups
Message-ID: <4832D624.5070905@redhat.com>

Fix up the "How to configure your browser" page. Remove broken link for
IE configuration and replace sample domain/realm. Also fix some HTML
errors: missing DOCTYPE, title, head.

The web page actually comes up as a link in a search on Microsoft's site
but the content is gone. It is possible it will come back at some point,
who knows.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-24-link.patch
Type: text/x-patch
Size: 2441 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: 

From rcritten at redhat.com Tue May 20 14:19:31 2008
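The duplicate-value check discussed in the "check for duplicate phone numbers" thread, generalised the way Simo asks for (every multi-valued attribute, not just phone numbers), as an added example that is not FreeIPA's UI code. It flags a value that appears twice within one attribute, which is what the directory server rejects, while leaving the same number in two different attributes (mobile and pager) alone, as Rob argued. The per-attribute normalisers approximate the LDAP equality matching rules (telephoneNumberMatch ignores spaces and hyphens; caseIgnoreMatch ignores case and insignificant whitespace); which attribute types are telephone-typed is an assumption for illustration rather than a schema lookup, and the sample entry is constructed.

```python
"""Reject duplicate values within a multi-valued LDAP attribute before the
modify request is sent, so the UI can report it instead of surfacing the
server's error. Added example, not FreeIPA's UI code. The normalisers below
approximate the LDAP equality matching rules (telephoneNumberMatch ignores
spaces and hyphens; caseIgnoreMatch ignores case and insignificant
whitespace); which attributes are telephone-typed is an assumption for
illustration, not a schema lookup.
"""
import re


def _telephone_key(value):
    # telephoneNumberMatch (RFC 4517): spaces and hyphens are not significant.
    return re.sub(r"[\s-]", "", value)


def _case_ignore_key(value):
    # caseIgnoreMatch: case-insensitive, runs of whitespace collapsed.
    return " ".join(value.split()).casefold()


# Assumed set of attribute types using telephoneNumberMatch; everything else
# is treated as caseIgnoreMatch, which is what cn, sn, givenName etc. use.
TELEPHONE_ATTRS = {"telephonenumber", "mobile", "pager",
                   "facsimiletelephonenumber", "homephone"}


def find_duplicate_values(entry):
    """Return {attribute: [offending values]} for every multi-valued attribute
    that carries the same value twice under its matching rule.

    Only repeats *within* one attribute are flagged. The same number in two
    different attributes (mobile and pager both set to a cell phone) is
    legitimate and passes.
    """
    duplicates = {}
    for attr, values in entry.items():
        if isinstance(values, str) or len(values) < 2:
            continue
        key = _telephone_key if attr.lower() in TELEPHONE_ATTRS else _case_ignore_key
        seen = set()
        for value in values:
            k = key(value)
            if k in seen:
                duplicates.setdefault(attr, []).append(value)
            seen.add(k)
    return duplicates


def validate_entry(entry):
    """Raise ValueError naming the duplicates; return the entry unchanged if clean."""
    dups = find_duplicate_values(entry)
    if dups:
        detail = "; ".join(f"{a}: {', '.join(v)}" for a, v in sorted(dups.items()))
        raise ValueError(f"duplicate values in multi-valued attribute(s): {detail}")
    return entry


# Constructed sample entry: cn and telephoneNumber each carry one value twice
# (differing only in case/spacing), while mobile == pager is allowed.
SAMPLE_ENTRY = {
    "uid": "rcritten",
    "cn": ["Rob Crittenden", "rob  crittenden"],
    "telephoneNumber": ["555-0100", "555 0100", "555-0199"],
    "mobile": ["555-0123"],
    "pager": ["555-0123"],
}


if __name__ == "__main__":
    print(find_duplicate_values(SAMPLE_ENTRY))
```

On the sample entry this reports the second "cn" spelling and the re-spaced phone number, and nothing for mobile/pager. Matching on the normalised key rather than the raw string matters: the server compares with the attribute's equality rule, so "555-0100" and "555 0100" are the same value to it even though a naive `==` check would let the pair through.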
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 20 May 2008 10:19:31 -0400
Subject: [Freeipa-devel] [PATCH] lower-case hostnames
Message-ID: <4832DDF3.70500@redhat.com>

Make sure the hostname is lower-case during installation. Also make the
hostname in service principals lower-case when adding them (and
searching for them).

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-25-hostname.patch
Type: text/x-patch
Size: 4080 bytes
Desc: not available
URL:

From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 20 May 2008 10:24:58 -0400
Subject: [Freeipa-devel] [PATCH] browser config page fixups
In-Reply-To: <4832D624.5070905@redhat.com>
References: <4832D624.5070905@redhat.com>
Message-ID: <1211293498.12580.81.camel@localhost.localdomain>

On Tue, 2008-05-20 at 09:46 -0400, Rob Crittenden wrote:
> Fix up the "How to configure your browser" page. Remove broken link
> for
> IE configuration and replace sample domain/realm. Also fix some HTML
> errors: missing DOCTYPE, title, head.
>
> The web page actually comes up as a link in a search on Microsoft's
> site
> but the content is gone. It is possible it will come back at some
> point,
> who knows.

Ack

-- 
Simo Sorce * Red Hat, Inc * New York
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 20 May 2008 10:25:44 -0400
Subject: [Freeipa-devel] [PATCH] lower-case hostnames
In-Reply-To: <4832DDF3.70500@redhat.com>
References: <4832DDF3.70500@redhat.com>
Message-ID: <1211293544.12580.83.camel@localhost.localdomain>

On Tue, 2008-05-20 at 10:19 -0400, Rob Crittenden wrote:
> Make sure the hostname is lower-case during installation. Also make
> the
> hostname in service principals lower-case when adding them (and
> searching for them).

ack

-- 
Simo Sorce * Red Hat, Inc * New York

From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 20 May 2008 10:25:56 -0400
Subject: [Freeipa-devel] [PATCH] Change file mode of log files to 600
In-Reply-To: <48328B2C.8070702@redhat.com>
References: <48328B2C.8070702@redhat.com>
Message-ID: <1211293556.12580.85.camel@localhost.localdomain>

On Tue, 2008-05-20 at 10:26 +0200, Martin Nagy wrote:
>
> Store log files from (un)installation with file mode 600.

ack

-- 
Simo Sorce * Red Hat, Inc * New York
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 20 May 2008 11:32:56 -0400
Subject: [Freeipa-devel] [PATCH] check for duplicate phone numbers
In-Reply-To: <1211288831.12580.71.camel@localhost.localdomain>
References: <482DE600.3080201@redhat.com> <482DEA1D.8090203@redhat.com> <482DEAC2.4020509@redhat.com> <482DF0EF.90305@redhat.com> <482DF301.9090803@redhat.com> <482DF411.3060803@redhat.com> <4831EDB6.10507@redhat.com> <1211288831.12580.71.camel@localhost.localdomain>
Message-ID: <4832EF28.3060700@redhat.com>

Simo Sorce wrote:
> On Mon, 2008-05-19 at 17:14 -0400, Rob Crittenden wrote:
>> So what is the final resolution of this? Is this patch good enough for
>> now?
>
> patch itself is ok, but I'd extend the test to every attribute. Putting
> in twice your name in 2 separate values is going to cause the same
> error.
>
> Simo.
>

Ok, I'll add cn in when I commit the patch.

rob
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 20 May 2008 11:36:33 -0400
Subject: [Freeipa-devel] [PATCH] check for duplicate phone numbers
In-Reply-To: <4832EF28.3060700@redhat.com>
References: <482DE600.3080201@redhat.com> <482DEA1D.8090203@redhat.com> <482DEAC2.4020509@redhat.com> <482DF0EF.90305@redhat.com> <482DF301.9090803@redhat.com> <482DF411.3060803@redhat.com> <4831EDB6.10507@redhat.com> <1211288831.12580.71.camel@localhost.localdomain> <4832EF28.3060700@redhat.com>
Message-ID: <1211297793.12580.95.camel@localhost.localdomain>

On Tue, 2008-05-20 at 11:32 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Mon, 2008-05-19 at 17:14 -0400, Rob Crittenden wrote:
> >> So what is the final resolution of this? Is this patch good enough for
> >> now?
> >
> > patch itself is ok, but I'd extend the test to every attribute. Putting
> > in twice your name in 2 separate values is going to cause the same
> > error.
> >
> > Simo.
> >
>
> Ok, I'll add cn in when I commit the patch.

Uhm no I was not thinking about doing a per attribute specific patch,
but something more generic that is applied to any multivalued attribute.
Maybe this is something for v2 ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 20 May 2008 11:37:58 -0400
Subject: [Freeipa-devel] [PATCH] check for duplicate phone numbers
In-Reply-To: <1211297793.12580.95.camel@localhost.localdomain>
References: <482DE600.3080201@redhat.com> <482DEA1D.8090203@redhat.com> <482DEAC2.4020509@redhat.com> <482DF0EF.90305@redhat.com> <482DF301.9090803@redhat.com> <482DF411.3060803@redhat.com> <4831EDB6.10507@redhat.com> <1211288831.12580.71.camel@localhost.localdomain> <4832EF28.3060700@redhat.com> <1211297793.12580.95.camel@localhost.localdomain>
Message-ID: <4832F056.3020105@redhat.com>

Simo Sorce wrote:
> On Tue, 2008-05-20 at 11:32 -0400, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Mon, 2008-05-19 at 17:14 -0400, Rob Crittenden wrote:
>>>> So what is the final resolution of this? Is this patch good enough for
>>>> now?
>>> patch itself is ok, but I'd extend the test to every attribute. Putting
>>> in twice your name in 2 separate values is going to cause the same
>>> error.
>>>
>>> Simo.
>>>
>> Ok, I'll add cn in when I commit the patch.
>
> Uhm no I was not thinking about doing a per attribute specific patch,
> but something more generic that is applied to any multivalued attribute.
> Maybe this is something for v2 ?
>
> Simo.
>

There are only like 5 multi-valued attributes possible in the UI. The
phone numbers and cn.

rob
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 20 May 2008 11:51:55 -0400
Subject: [Freeipa-devel] [PATCH] check for duplicate phone numbers
In-Reply-To: <4832F056.3020105@redhat.com>
References: <482DE600.3080201@redhat.com> <482DEA1D.8090203@redhat.com> <482DEAC2.4020509@redhat.com> <482DF0EF.90305@redhat.com> <482DF301.9090803@redhat.com> <482DF411.3060803@redhat.com> <4831EDB6.10507@redhat.com> <1211288831.12580.71.camel@localhost.localdomain> <4832EF28.3060700@redhat.com> <1211297793.12580.95.camel@localhost.localdomain> <4832F056.3020105@redhat.com>
Message-ID: <1211298715.12580.97.camel@localhost.localdomain>

On Tue, 2008-05-20 at 11:37 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Tue, 2008-05-20 at 11:32 -0400, Rob Crittenden wrote:
> >> Simo Sorce wrote:
> >>> On Mon, 2008-05-19 at 17:14 -0400, Rob Crittenden wrote:
> >>>> So what is the final resolution of this? Is this patch good enough for
> >>>> now?
> >>> patch itself is ok, but I'd extend the test to every attribute. Putting
> >>> in twice your name in 2 separate values is going to cause the same
> >>> error.
> >>>
> >>> Simo.
> >>>
> >> Ok, I'll add cn in when I commit the patch.
> >
> > Uhm no I was not thinking about doing a per attribute specific patch,
> > but something more generic that is applied to any multivalued attribute.
> > Maybe this is something for v2 ?
> >
> > Simo.
> >
>
> There are only like 5 multi-valued attributes possible in the UI. The
> phone numbers and cn.

what about custom attributes ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From: jaakanshorter at gmail.com (Jaakan Shorter)
Date: Tue, 20 May 2008 13:02:18 -0400
Subject: [Freeipa-devel] network accounts logins but never make a local user folder on Fedora 9 when the option to do that is set
Message-ID: <3a082f0c0805201002w7fb9f273m595c39bb0a969597@mail.gmail.com>

Not sure if this is a bug or just a configuration issue.

I have set up a Fedora 9 desktop for network login/authentication, user
info = LDAP, Authentication = Kerberos,
options = "make /home/$username if folder is not there"
test user account I set up = "btestuse" with the WebGUI
I ran the following on the desktop: "kinit btestuse", "klist"; the account
I made works.

It asked me to change my password and I made a new one.
It looked like it was bringing up the desktop but just seemed to hang (I
can Ctrl-Alt-F1 and back with Ctrl-Alt-F7).

Are there missing steps not currently in the documentation for setting up a client?
Would I have to do something like the following so that logging in via
the network account will make a /home/$username folder?
Or something like adding a windows computer to AD so the desktop lets
the creation of that user folder/profile complete?

# kinit admin
# ipa-addservice host/desktop.example.com
# ipa-getkeytab -s ipaserver.example.com -p host/desktop.example.com -k /etc/krb5.keytab

Here are some logs from the server and client.

From a Fedora 9 desktop (ipacf9.test.net 192.168.1.75)

May 19 18:24:55 ipacf9 gconfd (btestuse-2741): Failed to open saved state file: Failed: Failed to open gconfd logfile; won't be able to restore listeners after gconfd shutdown (No such file or directory)
May 19 18:24:55 ipacf9 gconfd (btestuse-2741): GConf server is not in use, shutting down.
May 19 18:24:55 ipacf9 gconfd (btestuse-2741): Could not open saved state file '/home/btestuse/.gconfd/saved_state.tmp' for writing: No such file or directory
May 19 18:24:55 ipacf9 gconfd (btestuse-2741): Exiting

Server side

- Fedora 9 -
May 19 18:35:45 freeipa.test.net krb5kdc[1813](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.75: NEEDED_PREAUTH: btestuse@TEST.NET for krbtgt/TEST.NET@TEST.NET, Additional pre-authentication required
May 19 18:35:45 freeipa.test.net krb5kdc[1813](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.75: ISSUE: authtime 1211236545, etypes {rep=18 tkt=18 ses=18}, btestuse@TEST.NET for krbtgt/TEST.NET@TEST.NET
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 20 May 2008 14:34:07 -0400
Subject: [Freeipa-devel] [PATCH] check for duplicate phone numbers
In-Reply-To: <1211298715.12580.97.camel@localhost.localdomain>
References: <482DE600.3080201@redhat.com> <482DEA1D.8090203@redhat.com> <482DEAC2.4020509@redhat.com> <482DF0EF.90305@redhat.com> <482DF301.9090803@redhat.com> <482DF411.3060803@redhat.com> <4831EDB6.10507@redhat.com> <1211288831.12580.71.camel@localhost.localdomain> <4832EF28.3060700@redhat.com> <1211297793.12580.95.camel@localhost.localdomain> <4832F056.3020105@redhat.com> <1211298715.12580.97.camel@localhost.localdomain>
Message-ID: <4833199F.3090700@redhat.com>

Simo Sorce wrote:
> On Tue, 2008-05-20 at 11:37 -0400, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Tue, 2008-05-20 at 11:32 -0400, Rob Crittenden wrote:
>>>> Simo Sorce wrote:
>>>>> On Mon, 2008-05-19 at 17:14 -0400, Rob Crittenden wrote:
>>>>>> So what is the final resolution of this? Is this patch good enough for
>>>>>> now?
>>>>> patch itself is ok, but I'd extend the test to every attribute. Putting
>>>>> in twice your name in 2 separate values is going to cause the same
>>>>> error.
>>>>>
>>>>> Simo.
>>>>>
>>>> Ok, I'll add cn in when I commit the patch.
>>> Uhm no I was not thinking about doing a per attribute specific patch,
>>> but something more generic that is applied to any multivalued attribute.
>>> Maybe this is something for v2 ?
>>>
>>> Simo.
>>>
>> There are only like 5 multi-valued attributes possible in the UI. The
>> phone numbers and cn.
>
> what about custom attributes ?
>

They are limited to single-value in the UI.

rob
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 20 May 2008 15:04:59 -0400
Subject: [Freeipa-devel] [PATCH] check for duplicate phone numbers
In-Reply-To: <4833199F.3090700@redhat.com>
References: <482DE600.3080201@redhat.com> <482DEA1D.8090203@redhat.com> <482DEAC2.4020509@redhat.com> <482DF0EF.90305@redhat.com> <482DF301.9090803@redhat.com> <482DF411.3060803@redhat.com> <4831EDB6.10507@redhat.com> <1211288831.12580.71.camel@localhost.localdomain> <4832EF28.3060700@redhat.com> <1211297793.12580.95.camel@localhost.localdomain> <4832F056.3020105@redhat.com> <1211298715.12580.97.camel@localhost.localdomain> <4833199F.3090700@redhat.com>
Message-ID: <483320DB.80201@redhat.com>

Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Tue, 2008-05-20 at 11:37 -0400, Rob Crittenden wrote:
>>> Simo Sorce wrote:
>>>> On Tue, 2008-05-20 at 11:32 -0400, Rob Crittenden wrote:
>>>>> Simo Sorce wrote:
>>>>>> On Mon, 2008-05-19 at 17:14 -0400, Rob Crittenden wrote:
>>>>>>> So what is the final resolution of this? Is this patch good
>>>>>>> enough for
>>>>>>> now?
>>>>>> patch itself is ok, but I'd extend the test to every attribute.
>>>>>> Putting
>>>>>> in twice your name in 2 separate values is going to cause the same
>>>>>> error.
>>>>>>
>>>>>> Simo.
>>>>>>
>>>>> Ok, I'll add cn in when I commit the patch.
>>>> Uhm no I was not thinking about doing a per attribute specific patch,
>>>> but something more generic that is applied to any multivalued
>>>> attribute.
>>>> Maybe this is something for v2 ?
>>>>
>>>> Simo.
>>>>
>>> There are only like 5 multi-valued attributes possible in the UI. The
>>> phone numbers and cn.
>>
>> what about custom attributes ?
>>
>
> They are limited to single-value in the UI.

I went ahead and pushed what I had. And did a second push because I
missed adding the new file to Makefile.am.

rob
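A generic form of the check Simo is asking for in this thread, added here as an example and not taken from the FreeIPA code base: it compares the values of every multi-valued attribute the way the server's matching rules would (case folding for caseIgnore attributes, insignificant spaces and hyphens for telephone numbers) and reports any collision before the write is attempted. The attribute-to-matching-rule tables and the sample entry are assumptions for the example.

```python
"""Added example, not FreeIPA code: a generic duplicate-value check
that covers every multi-valued attribute of an entry rather than one
attribute at a time.

The directory server refuses an entry that carries the same value
twice in one attribute, which is what the phone-number patch guards
against; doing the check client-side gives a clear error before the
write is attempted.  The attribute-to-matching-rule tables below are
an assumption for this example (a real implementation would read the
server schema), as is the sample entry.
"""
import re

# RFC 4518 telephoneNumber insignificant character handling: spaces and
# hyphens do not count, so "555-1234" and "555 1234" are the same value.
TELEPHONE_ATTRS = {"telephonenumber", "facsimiletelephonenumber",
                   "mobile", "homephone", "pager"}
# caseIgnoreMatch: case is folded and runs of whitespace collapse.
CASE_IGNORE_ATTRS = {"cn", "sn", "givenname", "displayname", "mail",
                     "ou", "title", "description"}


def canonical(attr, value):
    """Reduce a value to the form the server would compare it in."""
    if isinstance(value, bytes):
        value = value.decode("utf-8")
    name = attr.lower()
    if name in TELEPHONE_ATTRS:
        return re.sub(r"[ -]", "", value)
    if name in CASE_IGNORE_ATTRS:
        return " ".join(value.split()).lower()
    # Unknown attributes are treated as caseExactMatch: compared as-is.
    return value


def find_duplicate_values(entry):
    """Return {attribute: [[value, value, ...], ...]} for every group of
    values that the server would consider identical.  Single-valued
    entries (a plain str/bytes) cannot collide and are skipped."""
    duplicates = {}
    for attr, values in entry.items():
        if isinstance(values, (str, bytes)):
            continue
        groups = {}
        for value in values:
            groups.setdefault(canonical(attr, value), []).append(value)
        clashes = [g for g in groups.values() if len(g) > 1]
        if clashes:
            duplicates[attr] = clashes
    return duplicates


def check_entry(entry):
    """Raise ValueError naming every offending attribute, else return None."""
    duplicates = find_duplicate_values(entry)
    if not duplicates:
        return None
    details = "; ".join(
        "%s: %s" % (attr, " == ".join(repr(v) for v in group))
        for attr, groups in duplicates.items() for group in groups)
    raise ValueError("duplicate values in multi-valued attribute(s): " + details)


# Constructed sample entry, shaped like what the web UI would submit.
SAMPLE_ENTRY = {
    "uid": "jdoe",
    "cn": ["John Doe", "john  doe"],                          # same under caseIgnoreMatch
    "telephoneNumber": ["555-1234", "555 1234", "555-9999"],  # first two collide
    "mail": ["jdoe@example.com", "john.doe@example.com"],     # distinct values
}

if __name__ == "__main__":
    try:
        check_entry(SAMPLE_ENTRY)
    except ValueError as err:
        print(err)
```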
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 20 May 2008 15:06:49 -0400
Subject: [Freeipa-devel] [PATCH] browser config page fixups
In-Reply-To: <1211293498.12580.81.camel@localhost.localdomain>
References: <4832D624.5070905@redhat.com> <1211293498.12580.81.camel@localhost.localdomain>
Message-ID: <48332149.1070306@redhat.com>

Simo Sorce wrote:
> On Tue, 2008-05-20 at 09:46 -0400, Rob Crittenden wrote:
>> Fix up the "How to configure your browser" page. Remove broken link
>> for
>> IE configuration and replace sample domain/realm. Also fix some HTML
>> errors: missing DOCTYPE, title, head.
>>
>> The web page actually comes up as a link in a search on Microsoft's
>> site
>> but the content is gone. It is possible it will come back at some
>> point,
>> who knows.
>
> Ack
>

pushed
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 20 May 2008 15:07:54 -0400
Subject: [Freeipa-devel] [PATCH] lower-case hostnames
In-Reply-To: <1211293544.12580.83.camel@localhost.localdomain>
References: <4832DDF3.70500@redhat.com> <1211293544.12580.83.camel@localhost.localdomain>
Message-ID: <4833218A.7020707@redhat.com>

Simo Sorce wrote:
> On Tue, 2008-05-20 at 10:19 -0400, Rob Crittenden wrote:
>> Make sure the hostname is lower-case during installation. Also make
>> the
>> hostname in service principals lower-case when adding them (and
>> searching for them).
>
> ack
>

pushed

From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 20 May 2008 15:30:14 -0400
Subject: [Freeipa-devel] fix dna on 32 bit machines
Message-ID: <1211311814.3935.8.camel@localhost.localdomain>

$SUBJ

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Use-a-value-that-is-explicitly-64bit-on-all-architec.patch
Type: application/mbox
Size: 3092 bytes
Desc: not available
URL:
From: jaakanshorter at gmail.com (Jaakan Shorter)
Date: Tue, 20 May 2008 17:08:39 -0400
Subject: [Freeipa-devel] Re: network accounts logins but never make a local user folder on Fedora 9 when the option to do that is set
In-Reply-To: <3a082f0c0805201002w7fb9f273m595c39bb0a969597@mail.gmail.com>
References: <3a082f0c0805201002w7fb9f273m595c39bb0a969597@mail.gmail.com>
Message-ID: <3a082f0c0805201408u229fcfb7h686779b6d9d3203e@mail.gmail.com>

I got it working with a clean install of Fedora 9 as a client.

First I did:

# kinit admin
# ipa-addservice host/desktop.test.net --force
# ipa-getkeytab -s ipaserver.test.net -p host/desktop.test.net -k /etc/krb5.keytab

Then I made "jshorter" in the WebGUI.

# kinit jshorter
made new password

logged in to desktop.test.net (login hangs)
did Ctrl+Alt+Backspace
logged in as root
# cd /home
# mkdir jshorter
# chmod -R 777 jshorter

I logged in again and now I'm at a working desktop.

I'll change the owner and rights later.

jaakan

On Tue, May 20, 2008 at 1:02 PM, Jaakan Shorter wrote:
> Not sure if this is a bug or just a configuration issue.
>
> I have set up a Fedora 9 desktop for network login/authentication, user
> info = LDAP, Authentication = Kerberos,
> options = "make /home/$username if folder is not there"
> test user account I set up = "btestuse" with the WebGUI
> I ran the following on the desktop: "kinit btestuse", "klist"; the account
> I made works.
>
> It asked me to change my password and I made a new one.
> It looked like it was bringing up the desktop but just seemed to hang (I
> can Ctrl-Alt-F1 and back with Ctrl-Alt-F7).
>
> Are there missing steps not currently in the documentation for setting up a client?
> Would I have to do something like the following so that logging in via
> the network account will make a /home/$username folder?
> Or something like adding a windows computer to AD so the desktop lets
> the creation of that user folder/profile complete?
>
> # kinit admin
> # ipa-addservice host/desktop.example.com
> # ipa-getkeytab -s ipaserver.example.com -p host/desktop.example.com
> -k /etc/krb5.keytab
>
> Here are some logs from the server and client.
>
> From a Fedora 9 desktop (ipacf9.test.net 192.168.1.75)
>
> May 19 18:24:55 ipacf9 gconfd (btestuse-2741): Failed to open saved
> state file: Failed: Failed to open gconfd logfile; won't be able to
> restore listeners after gconfd shutdown (No such file or directory)
> May 19 18:24:55 ipacf9 gconfd (btestuse-2741): GConf server is not in
> use, shutting down.
> May 19 18:24:55 ipacf9 gconfd (btestuse-2741): Could not open saved
> state file '/home/btestuse/.gconfd/saved_state.tmp' for writing: No
> such file or directory
> May 19 18:24:55 ipacf9 gconfd (btestuse-2741): Exiting
>
> Server side
>
> - Fedora 9 -
> May 19 18:35:45 freeipa.test.net krb5kdc[1813](info): AS_REQ (7 etypes
> {18 17 16 23 1 3 2}) 192.168.1.75: NEEDED_PREAUTH: btestuse@TEST.NET
> for krbtgt/TEST.NET@TEST.NET, Additional pre-authentication required
> May 19 18:35:45 freeipa.test.net krb5kdc[1813](info): AS_REQ (7 etypes
> {18 17 16 23 1 3 2}) 192.168.1.75: ISSUE: authtime 1211236545, etypes
> {rep=18 tkt=18 ses=18}, btestuse@TEST.NET for krbtgt/TEST.NET@TEST.NET
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 20 May 2008 17:30:03 -0400
Subject: [Freeipa-devel] Re: network accounts logins but never make a local user folder on Fedora 9 when the option to do that is set
In-Reply-To: <3a082f0c0805201408u229fcfb7h686779b6d9d3203e@mail.gmail.com>
References: <3a082f0c0805201002w7fb9f273m595c39bb0a969597@mail.gmail.com> <3a082f0c0805201408u229fcfb7h686779b6d9d3203e@mail.gmail.com>
Message-ID: <1211319003.3935.17.camel@localhost.localdomain>

On Tue, 2008-05-20 at 17:08 -0400, Jaakan Shorter wrote:
> I got it working with a clean install of Fedora 9 as a client.
>
> First I did:
>
> # kinit admin
> # ipa-addservice host/desktop.test.net --force
> # ipa-getkeytab -s ipaserver.test.net -p host/desktop.test.net -k
> /etc/krb5.keytab
>
> Then
> I made "jshorter" in the WebGUI.
>
> # kinit jshorter
> made new password
>
> logged in to desktop.test.net (login hangs)
> did Ctrl+Alt+Backspace
> logged in as root
> # cd /home
> # mkdir jshorter
> # chmod -R 777 jshorter
>
> I logged in again and now I'm at a working desktop.
>
> I'll change the owner and rights later.
>
> jaakan

You may want to experiment with pam_mkhomedir instead.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 20 May 2008 22:44:12 -0400
Subject: [Freeipa-devel] [PATCH] Change file mode of log files to 600
In-Reply-To: <1211293556.12580.85.camel@localhost.localdomain>
References: <48328B2C.8070702@redhat.com> <1211293556.12580.85.camel@localhost.localdomain>
Message-ID: <48338C7C.4040101@redhat.com>

Simo Sorce wrote:
> On Tue, 2008-05-20 at 10:26 +0200, Martin Nagy wrote:
>> Store log files from (un)installation with file mode 600.
>
> ack
>

pushed to master and ipa-1-0
From: jaakanshorter at gmail.com (Jaakan Shorter)
Date: Wed, 21 May 2008 11:16:58 -0400
Subject: [Freeipa-devel] Re: network accounts logins but never make a local user folder on Fedora 9 when the option to do that is set
In-Reply-To: <1211319003.3935.17.camel@localhost.localdomain>
References: <3a082f0c0805201002w7fb9f273m595c39bb0a969597@mail.gmail.com> <3a082f0c0805201408u229fcfb7h686779b6d9d3203e@mail.gmail.com> <1211319003.3935.17.camel@localhost.localdomain>
Message-ID: <3a082f0c0805210816x1f4c55a6qde24b48186916eb9@mail.gmail.com>

I changed home back with chmod --reference=lib home
and removed all the test user home folders.

vim /etc/pam.d/system-auth
+ session required pam_mkhomedir.so skel=/etc/skel/ umask=0000

And it works.

Is umask=0000 safe?
umask=0022 and umask=0077 didn't work, btw...

On Tue, May 20, 2008 at 5:30 PM, Simo Sorce wrote:
> On Tue, 2008-05-20 at 17:08 -0400, Jaakan Shorter wrote:
>> I got it working with a clean install of Fedora 9 as a client.
>>
>> First I did:
>>
>> # kinit admin
>> # ipa-addservice host/desktop.test.net --force
>> # ipa-getkeytab -s ipaserver.test.net -p host/desktop.test.net -k
>> /etc/krb5.keytab
>>
>> Then
>> I made "jshorter" in the WebGUI.
>>
>> # kinit jshorter
>> made new password
>>
>> logged in to desktop.test.net (login hangs)
>> did Ctrl+Alt+Backspace
>> logged in as root
>> # cd /home
>> # mkdir jshorter
>> # chmod -R 777 jshorter
>>
>> I logged in again and now I'm at a working desktop.
>>
>> I'll change the owner and rights later.
>>
>> jaakan
>
> You may want to experiment with pam_mkhomedir instead.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 21 May 2008 16:27:34 -0400
Subject: [Freeipa-devel] [PATCH] Move some turbogears config elements
Message-ID: <483485B6.40400@redhat.com>

Some non-user-configurable configuration elements were in dev.cfg and
ipa_webgui.cfg. Moved these to ipagui/config/app.cfg as this is where
they belong.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-26-config.patch
Type: text/x-patch
Size: 5047 bytes
Desc: not available
URL:

From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 21 May 2008 16:44:19 -0400
Subject: [Freeipa-devel] [PATCH] Move some turbogears config elements
In-Reply-To: <483485B6.40400@redhat.com>
References: <483485B6.40400@redhat.com>
Message-ID: <1211402659.3935.76.camel@localhost.localdomain>

On Wed, 2008-05-21 at 16:27 -0400, Rob Crittenden wrote:
> Some non-user-configurable configuration elements were in dev.cfg and
> ipa_webgui.cfg. Moved these to ipagui/config/app.cfg as this is where
> they belong.

ack

-- 
Simo Sorce * Red Hat, Inc * New York
From: christopher.e.hailey at accenture.com (christopher.e.hailey at accenture.com)
Date: Wed, 21 May 2008 16:36:36 -0500
Subject: [Freeipa-devel] IPA Groups
Message-ID:

Due to a collision in group IDs with a system that I am integrating with
IPA (it uses 1001-1003) I edited bootstrap-template.ldif before I did an
ipa-server-install. I changed the IPA groups to 2001, 2002, 2003. The
question is: am I doing anything evil that will mess me up later? I think
it would be helpful if the range of UIDs and GIDs was configurable. I
currently plan to add a patch to my configuration script to do this.

It also seems that nscd is causing me some problems, specifically if I add
a user to a group it is not seen (at least not for a while), i.e. if I do
a "groups" on that user I don't see the change unless I turn off nscd. Is
this a known issue, or something with my configuration?

All of the clients and servers are running Fedora 9 with the IPA 1.0 from
that distribution.

Thanks

- Chris -

-- 
Christopher Hailey
Accenture
Sr. Software Engineer
1615 Murray Canyon Road, Suite 400
San Diego, CA 92108
(619)574-2213
christopher.e.hailey at accenture.com

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 21 May 2008 18:00:31 -0400
Subject: [Freeipa-devel] IPA Groups
In-Reply-To:
References:
Message-ID: <1211407231.3935.83.camel@localhost.localdomain>

On Wed, 2008-05-21 at 16:36 -0500, christopher.e.hailey at accenture.com wrote:
> Due to a collision in group IDs with a system that I am integrating
> with IPA (it uses 1001-1003) I edited bootstrap-template.ldif before I
> did an ipa-server-install. I changed the IPA groups to
> 2001, 2002, 2003. The question is: am I doing anything evil that will
> mess me up later? I think it would be helpful if the range of UIDs
> and GIDs was configurable. I currently plan to add a patch to my
> configuration script to do this.

You must also change the dna plugin base dnaNextvalue, currently set at
1100, as otherwise it will clash with your conflicting IDs when assigning
new IDs.

Besides this there should be no problem whatsoever.

> It also seems that nscd is causing me some problems, specifically if I
> add a user to a group it is not seen (at least not for a while), i.e.
> if I do a "groups" on that user I don't see the change unless I turn
> off nscd. Is this a known issue, or something with my configuration?

This is a side effect of the nscd negative cache. You may want to tweak
the negative cache or completely shut down nscd if performance is not an
issue in your setup.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 21 May 2008 20:09:58 -0400
Subject: [Freeipa-devel] IPA Groups
In-Reply-To:
References: <1211407231.3935.83.camel@localhost.localdomain>
Message-ID: <1211414999.3935.86.camel@localhost.localdomain>

On Wed, 2008-05-21 at 17:21 -0500, christopher.e.hailey at accenture.com wrote:
> Thanks, that was a huge help for me, and as it turns out dnaNextvalue
> of 1100 works out good for me

Actually you should change them anyway because the GA version of the dna
plugin does not skip IDs that are already allocated (the new version in
git does now).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From: adingman at redhat.com (Andrew C. Dingman)
Date: Thu, 22 May 2008 09:33:31 -0400
Subject: [Freeipa-devel] Wiki access
Message-ID: <1211463211.16477.1.camel@sinope.internal.dingman.org>

Hi,

I agreed on IRC last night to add a note to the wiki, but I find I can't
seem to do so. http://freeipa.org/page/Contribute says I should e-mail
here to get someone to create a wiki account for me. Could someone do
that, please?

Thanks!

-Andrew

-- 
Andrew C. Dingman, RHCA, RHCSS, RHCX
Instructor, Red Hat Global Learning Services
adingman at redhat.com
gpg: 4DEB 3DF1 1007 B26D EC76 80F4 3C26 A4EB 2975 74B2
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 22 May 2008 09:53:58 -0400
Subject: [Freeipa-devel] Wiki access
In-Reply-To: <1211463211.16477.1.camel@sinope.internal.dingman.org>
References: <1211463211.16477.1.camel@sinope.internal.dingman.org>
Message-ID: <48357AF6.30000@redhat.com>

Andrew C. Dingman wrote:
> Hi,
>
> I agreed on IRC last night to add a note to the wiki, but I find I can't
> seem to do so. http://freeipa.org/page/Contribute says I should e-mail
> here to get someone to create a wiki account for me. Could someone do
> that, please?
>
> Thanks!
>
> -Andrew

Done

-- 
Dmitri Pal
Engineering Manager
Red Hat Inc.

From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 22 May 2008 11:42:43 -0400
Subject: [Freeipa-devel] [PATCH] Only ask the user to install bind, not caching-nameserver
In-Reply-To: <1211228402.12580.52.camel@localhost.localdomain>
References: <482DBDF9.6000703@redhat.com> <1211228402.12580.52.camel@localhost.localdomain>
Message-ID: <1211470963.3935.113.camel@localhost.localdomain>

On Mon, 2008-05-19 at 16:20 -0400, Simo Sorce wrote:
> On Fri, 2008-05-16 at 19:01 +0200, Martin Nagy wrote:
> >
> > As a solution, I suggest we remove the mention of caching-nameserver
> > (the attached patch) and then add patches which add it in the
> > mentioned
> > system's rpms.
>
> ack

pushed

-- 
Simo Sorce * Red Hat, Inc * New York
From: themuffinmaster2 at gmail.com (Muffin)
Date: Thu, 22 May 2008 11:38:07 -0400
Subject: [Freeipa-devel] Re: network accounts logins but never, make a local user folder on Fedora 9 when the option to do that is set
In-Reply-To: <20080522133342.CD9F0619033@hormel.redhat.com>
References: <20080522133342.CD9F0619033@hormel.redhat.com>
Message-ID: <4835935F.4000600@gmail.com>

> vim /etc/pam.d/system-auth
> + session required pam_mkhomedir.so skel=/etc/skel/ umask=0000

I edited /etc/pam.d/login to the following. It works fine for me. I added
the following line only:

session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022

I have also changed selinux to permissive.

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    optional     pam_ck_connector.so
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 22 May 2008 11:46:06 -0400 Subject: [Freeipa-devel] [PATCH] Fix error checking in ipa_kpasswd.c In-Reply-To: <1210946159.18330.26.camel@localhost.localdomain> References: <482C8124.4010606@redhat.com> <482D8BFC.9030705@redhat.com> <1210946159.18330.26.camel@localhost.localdomain> Message-ID: <1211471166.3935.115.camel@localhost.localdomain> On Fri, 2008-05-16 at 09:55 -0400, Simo Sorce wrote: > On Fri, 2008-05-16 at 09:28 -0400, Rob Crittenden wrote: > > Simo Sorce wrote: > > > As per $SUBJ > > > > > > > partial ack. > > > > My only nit is an extra comma in two response messages: > > > > exterr0 = "Password change, Succeeded."; > > exterr0 = "Password change, Failed."; > > > > I think "Password change [succeeded/failed]" is fine here. > > > > Fix those and you'll have a full ack :-) > > Hey, I just copied the previous messages, this ain't new stuff :-) > > Ok, I will fix before pushing :) > > Simo. pushed with the fix -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu May 22 15:46:44 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 22 May 2008 11:46:44 -0400 Subject: [Freeipa-devel] Re: network accounts logins but never, make a local user folder on Fedora 9 when the option to do that is set In-Reply-To: <4835935F.4000600@gmail.com> References: <20080522133342.CD9F0619033@hormel.redhat.com> <4835935F.4000600@gmail.com> Message-ID: <1211471204.3935.117.camel@localhost.localdomain> On Thu, 2008-05-22 at 11:38 -0400, Muffin wrote: > > I have also changed selinux to permissive. Why did you do that? Simo. -- Simo Sorce * Red Hat, Inc * New York From christopher.e.hailey at accenture.com Thu May 22 15:50:02 2008
From: christopher.e.hailey at accenture.com (christopher.e.hailey at accenture.com) Date: Thu, 22 May 2008 10:50:02 -0500 Subject: [Freeipa-devel] Re: network accounts logins but never... In-Reply-To: <20080522133342.D6A06619036@hormel.redhat.com> References: <20080522133342.D6A06619036@hormel.redhat.com> Message-ID: There was a bug in pam_mkhomedir in F9 that may be related to this if you are creating home directories on first login. There was an update on 5/22 to gdm that addresses this https://admin.fedoraproject.org/updates/F9/FEDORA-2008-3761 Hope this helps - Chris - > > Message: 1 > Date: Wed, 21 May 2008 11:16:58 -0400 > From: "Jaakan Shorter" > Subject: Re: [Freeipa-devel] Re: network accounts logins but never > make a local user folder on Fedora 9 when the option to do that is set > To: "Simo Sorce" > Cc: freeipa-devel at redhat.com > Message-ID: > <3a082f0c0805210816x1f4c55a6qde24b48186916eb9 at mail.gmail.com> > Content-Type: text/plain; charset=ISO-8859-1 > > I changed home back with chmod --reference=lib home > remove all test user home folder > > vim /etc/pam.d/system-auth > + session required pam_mkhomedir.so skel=/etc/skel/ umask=0000 > > > And it works > > is umask=0000 safe? > umask=0022 and umask=0077 didn't work btw... > This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited. From themuffinmaster2 at gmail.com Thu May 22 16:03:36 2008 
From: themuffinmaster2 at gmail.com (Muffin) Date: Thu, 22 May 2008 12:03:36 -0400 Subject: [Freeipa-devel] Re: network accounts logins but never, make a local user folder on Fedora 9 when the option to do that is set In-Reply-To: <1211471204.3935.117.camel@localhost.localdomain> References: <20080522133342.CD9F0619033@hormel.redhat.com> <4835935F.4000600@gmail.com> <1211471204.3935.117.camel@localhost.localdomain> Message-ID: <48359958.10901@gmail.com> Simo Sorce wrote: > On Thu, 2008-05-22 at 11:38 -0400, Muffin wrote: > >> I have also changed selinux to permissive. >> > > Why did you do that? > > Simo. > > I was generating a few blocks that were causing login problems; however, after your post I checked my setup, enforced selinux, rebooted and logged in with no problem. I was working on a lot of different things .... my first install of IPA. I guess whatever I did fixed something. From ssorce at redhat.com Thu May 22 16:25:52 2008
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 22 May 2008 12:25:52 -0400 Subject: [Freeipa-devel] Re: network accounts logins but never, make a local user folder on Fedora 9 when the option to do that is set In-Reply-To: <48359958.10901@gmail.com> References: <20080522133342.CD9F0619033@hormel.redhat.com> <4835935F.4000600@gmail.com> <1211471204.3935.117.camel@localhost.localdomain> <48359958.10901@gmail.com> Message-ID: <1211473552.3935.125.camel@localhost.localdomain> On Thu, 2008-05-22 at 12:03 -0400, Muffin wrote: > Simo Sorce wrote: > > On Thu, 2008-05-22 at 11:38 -0400, Muffin wrote: > > > >> I have also changed selinux to permissive. > >> > > > > Why did you do that? > > > > Simo. > > > > > I was generating a few blocks that were causing login problems; however, > after your post I checked my setup, enforced selinux, rebooted and > logged in with no problem. I was working on a lot of different things > .... my first install of IPA. I guess whatever I did fixed something. Ok, please report any selinux problem you might meet; we know of no problems at this moment and we certainly want to address any that may arise. Simo. -- Simo Sorce * Red Hat, Inc * New York From mwchristiansen at gmail.com Thu May 22 18:27:08 2008
From: mwchristiansen at gmail.com (Mark Christiansen) Date: Thu, 22 May 2008 11:27:08 -0700 Subject: [Freeipa-devel] Re: Freeipa-devel Digest, Vol 12, Issue 33 In-Reply-To: <4832301E.1000503@redhat.com> References: <20080519160003.CF0B061A155@hormel.redhat.com> <4831D7CC.2020005@redhat.com> <4832301E.1000503@redhat.com> Message-ID: Hello Rob, I tried both the Windows command line and the MIT client. Currently, with the MIT client I get the error: Cannot resolve network address for KDC in requested realm. I tried to troubleshoot via the help pages, but I was unable to get past this problem. On the local machine, I can get a ticket via the command line. I am running this in a virtual machine, and I have disabled SELinux and iptables so I don't know if something else could be restricting communication. Thanks for your help! -Mark On Mon, May 19, 2008 at 6:57 PM, Rob Crittenden wrote: > Mark Christiansen wrote: > >> Hello Dmitri, >> >> I filed a bug (447440) for the documentation recommendation. I also filed >> a 2nd bug (447445) to fix the link to Microsoft's web page for Kerberos >> Authentication help, which is currently giving a "Content not found" page. >> >> If I do a kinit on a Windows machine (which most of the potential end >> users will likely use), I get the error: >> kinit(v5): Cannot resolve network address for KDC in realm ___ while >> getting initial credentials >> > > Are you using the native Microsoft kerberos client or the MIT client? I > don't believe IPA will interoperate with the native windows client. > > I also added the realm to the about:config page for Mozilla, and added the >> site as a trusted site within IE. However, for IE I have it so that the >> page prompts for user name and password, but it doesn't prompt me, gives me >> a certificate error, and even if I continue with the bad certificate, the >> page comes up with nothing. 
>> Just to understand this better, but once either firefox or IE is >> configured properly, the web page should allow an end user to get a ticket, >> right? I am hoping that command line use will not be necessary. >> > > You have to get the ticket before Firefox or IE will work. Firefox/IE, if > properly configured, will be able to present the ticket as your credentials > so you don't have to type a username/password in to authenticate. > > rob > > >> Thanks for your help and suggestions! >> >> -Mark >> >> On Mon, May 19, 2008 at 12:41 PM, Dmitri Pal > dpal at redhat.com>> wrote: >> >> Hi Mark, >> >> Thank you for sharing the recommendation with us. >> Can you please log a request into bugzilla? >> >> https://bugzilla.redhat.com >> >> Did you do kinit first? >> Did you add the realm into the FireFox configuration? >> >> Thank you >> Dmitri Pal >> >> >> Mark Christiansen wrote: >> >> I fixed my problems with ipa* functions by modifying /etc/hosts >> so that my FQDN entry is first, and the localhost entry is not >> first. I am guessing this is where most other people will have >> their problems. Can we modify the FAQ to include this >> recommendation? >> >> I am having issues getting access to the web page outside of the >> machine with freeipa installed. Should I be able to get a >> ticket by accessing the web interface? In both IE and Firefox, >> I am unable to bring up any pages after getting prompted. In >> IE, it is blank, and Firefox I get Kerberos authentication >> failed. This is another noob question, but perhaps it will be >> helpful for the FAQ. My O'Reilly book on Kerberos is on its >> way. :) >> >> Thanks! 
>> >> -Mark >> >> On Mon, May 19, 2008 at 9:00 AM, >> > >> > >> wrote: >> >> Send Freeipa-devel mailing list submissions to >> freeipa-devel at redhat.com >> >> > >> >> >> >> To subscribe or unsubscribe via the World Wide Web, visit >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> or, via email, send a message with subject or body 'help' to >> freeipa-devel-request at redhat.com >> >> > > >> >> >> You can reach the person managing the list at >> freeipa-devel-owner at redhat.com >> >> > > >> >> >> When replying, please edit your Subject line so it is more >> specific >> than "Re: Contents of Freeipa-devel digest..." >> >> >> Today's Topics: >> >> 1. Re: freeIPA + Fedora 9 + xen , can't get passed >> ipa-finduser >> admin (Rob Crittenden) >> >> >> >> ---------------------------------------------------------------------- >> >> Message: 1 >> Date: Mon, 19 May 2008 11:39:45 -0400 
>> From: Rob Crittenden > >> >> >> >> Subject: Re: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't >> get >> passed ipa-finduser admin >> To: Jaakan Shorter > >> > >> >> Cc: freeipa-devel at redhat.com >> >> > >> >> >> >> Message-ID: <48319F41.7040707 at redhat.com >> >> > >> >> >> Content-Type: text/plain; charset="iso-8859-1" >> >> Jaakan Shorter wrote: >> > here's an update ( I replaced the domain name with test ) >> > let me know if you need anymore info >> > >> > ipa-server-install --uninstall >> > rm -f /var/kerberos/krb5kdc/kpasswd.keytab >> > stopped the kerberos service ( --uninstall switch didn't >> stop it. I >> > thought it should set it back to old state ) >> > yum update ( 1.0.6 version came out over the weekend for FC-9 >> ) >> > rebooted >> > ipa-server-install --setup-bind -N >> >> Yes, this should be fixed in the tip. >> >> [ snip ] >> >> > May 19 09:31:08 freeIPA.test.net >> >> >> krb5kdc[1758](info): set up 4 sockets >> > May 19 09:31:08 freeIPA.test.net >> >> >> krb5kdc[1759](info): commencing operation >> > May 19 09:32:02 freeIPA.test.net >> >> >> krb5kdc[1759](info): AS_REQ (7 etypes >> > {18 17 16 23 1 3 2}) 192.168.1.25 >> : >> NEEDED_PREAUTH: admin at TEST.NET >> > for >> > krbtgt/TEST.NET >> @TEST.NET , >> Additional pre-authentication required >> > May 19 09:32:24 freeIPA.test.net >> >> >> krb5kdc[1759](info): AS_REQ (7 etypes >> > {18 17 16 23 1 3 2}) 192.168.1.25 >> : ISSUE: >> authtime 1211203944, etypes >> > {rep=18 tkt=18 ses=18}, admin at TEST.NET >> > > >> for krbtgt/TEST.NET >> @TEST.NET >> > May 19 09:32:54 freeIPA.test.net >> >> >> krb5kdc[1759](info): TGS_REQ (7 >> > etypes {18 17 16 23 1 3 2}) 192.168.1.25 >> : >> UNKNOWN_SERVER: authtime >> > 1211203944, admin at TEST.NET >> > for >> HTTP/freeipa.test.net >> @TEST.NET >> , Server >> >> > not found in Kerberos database >> > May 19 09:32:54 freeIPA.test.net >> >> >> krb5kdc[1759](info): TGS_REQ (7 >> > etypes {18 17 16 23 1 3 2}) 192.168.1.25 >> : >> UNKNOWN_SERVER: authtime 
>> > 1211203944, admin at TEST.NET >> > for >> HTTP/freeipa.test.net >> @TEST.NET >> , Server >> >> > not found in Kerberos database >> >> Service principals are created for the IPA servers at install >> time. >> There must be some (perhaps subtle) difference in what was >> created at >> install time and what it is trying to use. >> >> Try this command to see what service principals exist: >> >> $ ldapsearch -LLL -x -b "cn=kerberos,dc=test,dc=net" >> objectclass=krbPrincipalAux dn >> >> rob >> -------------- next part -------------- >> A non-text attachment was scrubbed... >> Name: smime.p7s >> Type: application/x-pkcs7-signature >> Size: 3245 bytes >> Desc: S/MIME Cryptographic Signature >> Url : >> >> https://www.redhat.com/archives/freeipa-devel/attachments/20080519/db294115/smime.bin >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Thu May 22 19:21:38 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 22 May 2008 15:21:38 -0400 Subject: [Freeipa-devel] [PATCH] return 1 on installation error Message-ID: <4835C7C2.8060105@redhat.com> Fix up function return values so we can return 1 on an installation error. Previously even if something went wrong the command returned 0. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-27-install.patch Type: text/x-patch Size: 4034 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Thu May 22 19:31:52 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 22 May 2008 15:31:52 -0400 Subject: [Freeipa-devel] [PATCH] return 1 on installation error In-Reply-To: <4835C7C2.8060105@redhat.com> References: <4835C7C2.8060105@redhat.com> Message-ID: <1211484712.3935.134.camel@localhost.localdomain> On Thu, 2008-05-22 at 15:21 -0400, Rob Crittenden wrote: > Fix up function return values so we can return 1 on an installation > error. Previously even if something went wrong the command returned 0. ack -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Thu May 22 20:38:09 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 22 May 2008 16:38:09 -0400 Subject: [Freeipa-devel] [PATCH] Move some turbogears config elements In-Reply-To: <1211402659.3935.76.camel@localhost.localdomain> References: <483485B6.40400@redhat.com> <1211402659.3935.76.camel@localhost.localdomain> Message-ID: <4835D9B1.9060409@redhat.com> Simo Sorce wrote: > On Wed, 2008-05-21 at 16:27 -0400, Rob Crittenden wrote: >> Some non-user-configurable configuration elements were in dev.cfg and >> ipa_webgui.cfg. Moved these to ipagui/config/app.cfg as this is where >> they belong. > > ack > pushed -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Thu May 22 20:38:22 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 22 May 2008 16:38:22 -0400 Subject: [Freeipa-devel] [PATCH] return 1 on installation error In-Reply-To: <1211484712.3935.134.camel@localhost.localdomain> References: <4835C7C2.8060105@redhat.com> <1211484712.3935.134.camel@localhost.localdomain> Message-ID: <4835D9BE.9060609@redhat.com> Simo Sorce wrote: > On Thu, 2008-05-22 at 15:21 -0400, Rob Crittenden wrote: >> Fix up function return values so we can return 1 on an installation >> error. Previously even if something went wrong the command returned 0. > > ack > pushed -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Thu May 22 21:59:51 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 22 May 2008 17:59:51 -0400 Subject: [Freeipa-devel] [PATCH] Move admin account into cn=users Message-ID: <1211493591.3935.140.camel@localhost.localdomain> -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Move-admin-into-cn-users-cn-accounts.patch Type: application/mbox Size: 4770 bytes Desc: not available URL: From rcritten at redhat.com Fri May 23 12:50:25 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 23 May 2008 08:50:25 -0400 Subject: [Freeipa-devel] [PATCH] Move admin account into cn=users In-Reply-To: <1211493591.3935.140.camel@localhost.localdomain> References: <1211493591.3935.140.camel@localhost.localdomain> Message-ID: <4836BD91.3060600@redhat.com> Simo Sorce wrote: > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ack -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Fri May 23 13:04:30 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 23 May 2008 09:04:30 -0400 Subject: [Freeipa-devel] logging thoughts Message-ID: <4836C0DE.6070304@redhat.com> Currently the XML-RPC server only does logging if IPADebug is set to on in the Apache ipa.conf. I'm considering making the default log level INFO in XML-RPC and log function entrances/exits with additional information if IPADebug is set. Is this reasonable? rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Fri May 23 15:57:29 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 23 May 2008 11:57:29 -0400 Subject: [Freeipa-devel] fix dna on 32 bit machines In-Reply-To: <1211311814.3935.8.camel@localhost.localdomain> References: <1211311814.3935.8.camel@localhost.localdomain> Message-ID: <4836E969.6040708@redhat.com> Simo Sorce wrote: > $SUBJ > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ack -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Fri May 23 16:40:03 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 23 May 2008 12:40:03 -0400 Subject: [Freeipa-devel] logging thoughts In-Reply-To: <4836C0DE.6070304@redhat.com> References: <4836C0DE.6070304@redhat.com> Message-ID: <1211560803.3935.172.camel@localhost.localdomain> On Fri, 2008-05-23 at 09:04 -0400, Rob Crittenden wrote: > Currently the XML-RPC server only does logging if IPADebug is set to on > in the Apache ipa.conf. > > I'm considering making the default log level INFO in XML-RPC and log > function entrances/exits with additional information if IPADebug is set. > > Is this reasonable? yes I think so, but we should provide a default logrotate configuration if we do so. Simo. -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Fri May 23 16:49:20 2008 
From: dpal at redhat.com (Dmitri Pal) Date: Fri, 23 May 2008 12:49:20 -0400 Subject: [Freeipa-devel] logging thoughts In-Reply-To: <1211560803.3935.172.camel@localhost.localdomain> References: <4836C0DE.6070304@redhat.com> <1211560803.3935.172.camel@localhost.localdomain> Message-ID: <4836F590.8080705@redhat.com> Simo Sorce wrote: > On Fri, 2008-05-23 at 09:04 -0400, Rob Crittenden wrote: > >> Currently the XML-RPC server only does logging if IPADebug is set to on >> in the Apache ipa.conf. >> >> I'm considering making the default log level INFO in XML-RPC and log >> function entrances/exits with additional information if IPADebug is set. >> >> Is this reasonable? >> > > yes I think so, but we should provide a default logrotate configuration > if we do so. > > Simo. > > Logrotate by size or by time? What is the suggested default? -- Dmitri Pal Engineering Manager Red Hat Inc. From ssorce at redhat.com Fri May 23 16:56:03 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 23 May 2008 12:56:03 -0400 Subject: [Freeipa-devel] logging thoughts In-Reply-To: <4836F590.8080705@redhat.com> References: <4836C0DE.6070304@redhat.com> <1211560803.3935.172.camel@localhost.localdomain> <4836F590.8080705@redhat.com> Message-ID: <1211561763.3935.178.camel@localhost.localdomain> On Fri, 2008-05-23 at 12:49 -0400, Dmitri Pal wrote: > Simo Sorce wrote: > > On Fri, 2008-05-23 at 09:04 -0400, Rob Crittenden wrote: > > > >> Currently the XML-RPC server only does logging if IPADebug is set to on > >> in the Apache ipa.conf. > >> > >> I'm considering making the default log level INFO in XML-RPC and log > >> function entrances/exits with additional information if IPADebug is set. > >> > >> Is this reasonable? > >> > > > > yes I think so, but we should provide a default logrotate configuration > > if we do so. > > > > Simo. > > > > > Logrotate by size or by time? What is the suggested default? logrotate works via cron so it is usually something like every night at time XX:XX 'man logrotate' for details on all possible settings Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri May 23 16:57:37 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 23 May 2008 12:57:37 -0400 Subject: [Freeipa-devel] logging thoughts In-Reply-To: <1211561763.3935.178.camel@localhost.localdomain> References: <4836C0DE.6070304@redhat.com> <1211560803.3935.172.camel@localhost.localdomain> <4836F590.8080705@redhat.com> <1211561763.3935.178.camel@localhost.localdomain> Message-ID: <1211561857.3935.180.camel@localhost.localdomain> On Fri, 2008-05-23 at 12:56 -0400, Simo Sorce wrote: > On Fri, 2008-05-23 at 12:49 -0400, Dmitri Pal wrote: > > Simo Sorce wrote: > > > On Fri, 2008-05-23 at 09:04 -0400, Rob Crittenden wrote: > > > > > >> Currently the XML-RPC server only does logging if IPADebug is set to on > > >> in the Apache ipa.conf. > > >> > > >> I'm considering making the default log level INFO in XML-RPC and log > > >> function entrances/exits with additional information if IPADebug is set. > > >> > > >> Is this reasonable? > > >> > > > > > > yes I think so, but we should provide a default logrotate configuration > > > if we do so. > > > > > > Simo. > > > > > > > > Logrotate by size or by time? What is the suggested default? > > logrotate works via cron so it is usually something like every night at > time XX:XX > > 'man logrotate' for details on all possible settings Ah and thinking along this line we should make ipa_webgui catch SIGHUP and make it reopen the logfile not die :-) Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri May 23 17:50:30 2008 
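What Simo suggests above (catch SIGHUP and reopen the log file instead of dying) is shown below as an added example; it is not FreeIPA code. The handler class, the temporary file paths and the logger name "ipa_webgui" are assumptions for illustration; the rename step stands in for what logrotate does to the file.

```python
"""Reopen a daemon's log file on SIGHUP so logrotate can rotate it.

Added example, not FreeIPA code. Handler name, paths and the logger name
'ipa_webgui' are assumptions. Without a handler, SIGHUP's default
disposition terminates the process.
"""
import logging
import os
import signal
import tempfile


class ReopenableFileHandler(logging.FileHandler):
    """logging.FileHandler that can close and reopen its file on demand."""

    def reopen(self):
        self.acquire()            # serialize against a concurrent emit()
        try:
            if self.stream is not None:
                self.stream.close()
                self.stream = None
            self.stream = self._open()   # reopens self.baseFilename in mode 'a'
        finally:
            self.release()


def install_sighup_reopen(handler):
    """Make SIGHUP reopen the log instead of killing the process.

    Returns True when installed (POSIX, main thread only)."""
    sighup = getattr(signal, "SIGHUP", None)
    if sighup is None:
        return False

    def _on_hup(signum, frame):
        handler.reopen()

    try:
        signal.signal(sighup, _on_hup)
    except ValueError:            # not in the main thread
        return False
    return True


def make_logger(path, name="ipa_webgui"):
    """Logger writing INFO and above to `path` through a reopenable handler."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    for old in list(logger.handlers):   # keep repeated calls idempotent
        logger.removeHandler(old)
        old.close()
    handler = ReopenableFileHandler(path)
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, handler


def simulate_rotation(logger, handler):
    """Write, rename the log the way logrotate does, reopen, write again.

    Returns (text of the rotated file, text of the fresh file)."""
    path = handler.baseFilename
    logger.info("before rotation")
    rotated = path + ".1"
    os.rename(path, rotated)
    # The open descriptor still points at the renamed inode, so without a
    # reopen every later line would keep landing in the rotated file.
    logger.info("after rename, before reopen")
    handler.reopen()            # exactly what the SIGHUP handler does
    logger.info("after reopen")
    handler.flush()
    with open(rotated) as f:
        old = f.read()
    with open(path) as f:
        new = f.read()
    return old, new


def demo():
    """Run the whole sequence in a fresh temporary directory."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "ipa_webgui.log")
    logger, handler = make_logger(path)
    install_sighup_reopen(handler)
    return simulate_rotation(logger, handler)


if __name__ == "__main__":
    old, new = demo()
    print("rotated file:\n" + old)
    print("new file:\n" + new)
```

A logrotate `postrotate` script can then send `kill -HUP` to the daemon's pid; alternatively the standard library's `logging.handlers.WatchedFileHandler` reopens on its own when it notices the inode changed, with no signal needed.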
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 23 May 2008 13:50:30 -0400 Subject: [Freeipa-devel] logging thoughts In-Reply-To: <1211560803.3935.172.camel@localhost.localdomain> References: <4836C0DE.6070304@redhat.com> <1211560803.3935.172.camel@localhost.localdomain> Message-ID: <483703E6.8090601@redhat.com> Simo Sorce wrote: > On Fri, 2008-05-23 at 09:04 -0400, Rob Crittenden wrote: >> Currently the XML-RPC server only does logging if IPADebug is set to on >> in the Apache ipa.conf. >> >> I'm considering making the default log level INFO in XML-RPC and log >> function entrances/exits with additional information if IPADebug is set. >> >> Is this reasonable? > > yes I think so, but we should provide a default logrotate configuration > if we do so. > > Simo. > It currently logs to the Apache error log. That is rotated for us. I guess it would be nice to have an app-specific log. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From dpal at redhat.com Fri May 23 18:19:44 2008 
From: dpal at redhat.com (Dmitri Pal) Date: Fri, 23 May 2008 14:19:44 -0400 Subject: [Freeipa-devel] logging thoughts In-Reply-To: <483703E6.8090601@redhat.com> References: <4836C0DE.6070304@redhat.com> <1211560803.3935.172.camel@localhost.localdomain> <483703E6.8090601@redhat.com> Message-ID: <48370AC0.8030800@redhat.com> Rob Crittenden wrote: > Simo Sorce wrote: >> On Fri, 2008-05-23 at 09:04 -0400, Rob Crittenden wrote: >>> Currently the XML-RPC server only does logging if IPADebug is set to >>> on in the Apache ipa.conf. >>> >>> I'm considering making the default log level INFO in XML-RPC and log >>> function entrances/exits with additional information if IPADebug is >>> set. >>> >>> Is this reasonable? >> >> yes I think so, but we should provide a default logrotate configuration >> if we do so. >> >> Simo. >> > > It currently logs to the Apache error log. That is rotated for us. I > guess it would be nice to have an app-specific log. > > rob Yes in v2. > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Dmitri Pal Engineering Manager Red Hat Inc. From ssorce at redhat.com Fri May 23 19:07:54 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 23 May 2008 15:07:54 -0400 Subject: [Freeipa-devel] [PATCH] fix replica install when domain != realm Message-ID: <1211569674.3935.199.camel@localhost.localdomain> as per subj. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-the-case-where-domain-lower-REALM.patch Type: application/mbox Size: 9118 bytes Desc: not available URL: From ssorce at redhat.com Fri May 23 19:10:43 2008 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 23 May 2008 15:10:43 -0400 Subject: [Freeipa-devel] [PATCH] Move admin account into cn=users In-Reply-To: <4836BD91.3060600@redhat.com> References: <1211493591.3935.140.camel@localhost.localdomain> <4836BD91.3060600@redhat.com> Message-ID: <1211569843.3935.201.camel@localhost.localdomain> On Fri, 2008-05-23 at 08:50 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > > > ------------------------------------------------------------------------ > > > > _______________________________________________ > > Freeipa-devel mailing list > > Freeipa-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > ack pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri May 23 19:10:57 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 23 May 2008 15:10:57 -0400 Subject: [Freeipa-devel] fix dna on 32 bit machines In-Reply-To: <4836E969.6040708@redhat.com> References: <1211311814.3935.8.camel@localhost.localdomain> <4836E969.6040708@redhat.com> Message-ID: <1211569857.3935.203.camel@localhost.localdomain> On Fri, 2008-05-23 at 11:57 -0400, Rob Crittenden wrote: > ack pushed -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri May 23 19:36:46 2008 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 23 May 2008 15:36:46 -0400 Subject: [Freeipa-devel] [PATCH] fix rpm dependency in ipa-admintools Message-ID: <48371CCE.9080204@redhat.com> We need python-configobj for the ipa-admintools command ipa-pwpolicy to work. I also cleaned up the specfile in general, mostly formatting stuff. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-28-admintools.patch Type: text/x-patch Size: 1743 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Fri May 23 19:48:25 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 23 May 2008 15:48:25 -0400 Subject: [Freeipa-devel] [PATCH] Make nss_ldap option more strict Message-ID: <1211572105.3935.207.camel@localhost.localdomain> this will avoid searching the whole server for accounts that are all stored under a specific tree. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Now-that-admin-is-in-the-common-users-tree-make-the.patch Type: application/mbox Size: 2657 bytes Desc: not available URL: From ssorce at redhat.com Fri May 23 19:49:05 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 23 May 2008 15:49:05 -0400 Subject: [Freeipa-devel] [PATCH] fix rpm dependency in ipa-admintools In-Reply-To: <48371CCE.9080204@redhat.com> References: <48371CCE.9080204@redhat.com> Message-ID: <1211572145.3935.209.camel@localhost.localdomain> On Fri, 2008-05-23 at 15:36 -0400, Rob Crittenden wrote: > > We need python-configobj for the ipa-admintools command ipa-pwpolicy > to > work. > > I also cleaned up the specfile in general, mostly formatting stuff. ack -- Simo Sorce * Red Hat, Inc * New York From adingman at redhat.com Fri May 23 19:47:00 2008 
From: adingman at redhat.com (Andrew C. Dingman) Date: Fri, 23 May 2008 15:47:00 -0400 Subject: [Freeipa-devel] Re: network accounts logins but never, make a local user folder on Fedora 9 when the option to do that is set In-Reply-To: <4835935F.4000600@gmail.com> References: <20080522133342.CD9F0619033@hormel.redhat.com> <4835935F.4000600@gmail.com> Message-ID: <1211572020.26471.57.camel@sinope.internal.dingman.org> Re-sending with the list amongst the recipients. On Thu, 2008-05-22 at 11:38 -0400, Muffin wrote: > > vim /etc/pam.d/system-auth > > + session required pam_mkhomedir.so skel=/etc/skel/ > umask=0000 > > I edited /etc/pam.d/login to the following. It works fine for me. I > add > the following line only: > > session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ > umask=0022 Yuck. Why not "optional" instead of "required"? It makes no difference for X logins, but for ssh or console logins you can at least log in when your homedir is missing. It's a lot nicer than just failing to get in if for some reason /home is unmounted and / is read-only. Especially for those of us who disable root login, this could be a big deal in the face of filesystem issues. > > I have also changed selinux to permissive. I think Simo covered this already, so I'll leave it alone. -- Andrew C. Dingman, RHCA, RHCSS, RHCX Instructor, Red Hat Global Learning Services adingman at redhat.com gpg: 4DEB 3DF1 1007 B26D EC76 80F4 3C26 A4EB 2975 74B2 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From rcritten at redhat.com Fri May 23 19:50:07 2008
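The two pam_mkhomedir points raised in this thread, the umask=0000 line quoted earlier (which makes every new home directory world-writable) and Andrew's "optional" versus "required" remark, can be checked mechanically. The audit below is an added example, not FreeIPA or Fedora code; the sample PAM text is constructed from the lines quoted in the thread, and pam_mkhomedir's default umask of 0022 is assumed.

```python
"""Audit pam_mkhomedir settings in a PAM service file such as /etc/pam.d/login.

Added example, not code from the thread or from FreeIPA. It checks the
umask given to pam_mkhomedir (which decides the mode of every newly
created home directory) and whether the module is 'required' (login
fails outright when the directory cannot be created) or 'optional'.
"""
import re
from dataclasses import dataclass, field


@dataclass
class PamEntry:
    kind: str          # auth / account / password / session
    control: str       # required / optional / include / [bracketed form]
    module: str        # module path or name, e.g. pam_mkhomedir.so
    args: dict = field(default_factory=dict)


# type, control (single word or [...] form), module, optional arguments
_PAM_LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_lines(text):
    """Parse PAM service-file text into PamEntry objects (comments ignored)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PAM_LINE.match(line)
        if not m:
            continue
        kind, control, module, rest = m.groups()
        args = {}
        for tok in rest.split():
            key, _, val = tok.partition("=")   # bare flags get value ""
            args[key] = val
        entries.append(PamEntry(kind, control, module, args))
    return entries


def home_mode(umask):
    """Mode pam_mkhomedir gives a new home directory: 0777 masked by umask."""
    return 0o777 & ~umask


def audit_mkhomedir(entries):
    """Return a list of findings (strings) for every pam_mkhomedir line."""
    findings = []
    for e in entries:
        if not e.module.endswith("pam_mkhomedir.so"):
            continue
        umask = int(e.args.get("umask", "0022"), 8)  # assumed module default
        mode = home_mode(umask)
        if mode & 0o002:
            findings.append(
                f"umask={umask:04o}: new home directories are world-writable "
                f"(mode {mode:04o}); use umask=0022 or, better, umask=0077")
        elif mode & 0o020:
            findings.append(
                f"umask={umask:04o}: new home directories are group-writable "
                f"(mode {mode:04o})")
        if e.control == "required":
            findings.append(
                "control 'required': the user cannot log in at all when the home "
                "directory cannot be created (e.g. /home unmounted); 'optional' "
                "still lets console/ssh logins succeed")
    return findings


def audit_text(text):
    """Convenience wrapper: parse then audit."""
    return audit_mkhomedir(parse_pam_lines(text))


# Constructed samples built from the lines quoted in the thread.
LINE_UMASK_0000 = "session required pam_mkhomedir.so skel=/etc/skel/ umask=0000\n"
LOGIN_UMASK_0022 = """#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
session required pam_selinux.so close
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session include system-auth
"""
LINE_RECOMMENDED = "session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077\n"

if __name__ == "__main__":
    for name, text in [("umask=0000", LINE_UMASK_0000),
                       ("login file", LOGIN_UMASK_0022),
                       ("optional/0077", LINE_RECOMMENDED)]:
        print(name, "->", audit_text(text) or ["ok"])
```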
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 23 May 2008 15:50:07 -0400 Subject: [Freeipa-devel] [PATCH] Make nss_ldap option more strict In-Reply-To: <1211572105.3935.207.camel@localhost.localdomain> References: <1211572105.3935.207.camel@localhost.localdomain> Message-ID: <48371FEF.4030006@redhat.com> Simo Sorce wrote: > this will avoid searching the whole server for accounts that are all > stored under a specific tree. > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel At one time we talked about supporting multiple containers. What does this patch do to that? rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Fri May 23 19:59:12 2008 
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 23 May 2008 15:59:12 -0400
Subject: [Freeipa-devel] [PATCH] Make nss_ldap option more strict
In-Reply-To: <48371FEF.4030006@redhat.com>
References: <1211572105.3935.207.camel@localhost.localdomain> <48371FEF.4030006@redhat.com>
Message-ID: <1211572752.3935.212.camel@localhost.localdomain>

On Fri, 2008-05-23 at 15:50 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > this will avoid searching the whole server for accounts that are all
> > stored under a specific tree.
>
> At one time we talked about supporting multiple containers. What does
> this patch do to that?

Well we do not have them supported in the webui anyway, so if someone wants to do special stuff they can also change this bit on the client.

In v2 I want to do what the HP-UX client does, store the config in ldap, so that changing configuration is a matter of changing a few fields in ldap.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jeffschroed at gmail.com Tue May 27 17:31:00 2008
From: jeffschroed at gmail.com (Jeff Schroeder)
Date: Tue, 27 May 2008 10:31:00 -0700
Subject: [Freeipa-devel] FreeIPAv2 with dns zones stored in ldap

The FreeIPA V2BPRD document[1] mentions storing dns information in ldap. How do you plan on accomplishing this?

Will redhat be adding in the bind patch[2] to enable storing zone files in ldap or use an alternative server like powerdns? Which schema will you be using for this? I'm interested in setting up a copy of (RH|F)DS and whatever is needed to start working on and testing this. The upstreams for all projects that store dns zones in ldap other than powerdns seem awfully quiet.

Any pointers or ideas would be much appreciated.

[1] http://freeipa.org/page/V2BPRD#1._Machine_Identity_and_Authentication
    [1.1.1] Store DNS information in LDAP
[2] http://bind9-ldap.bayour.com/

--
Jeff Schroeder

Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com

From ssorce at redhat.com Tue May 27 20:20:17 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 27 May 2008 16:20:17 -0400
Subject: [Freeipa-devel] FreeIPAv2 with dns zones stored in ldap
Message-ID: <1211919617.12605.37.camel@localhost.localdomain>

On Tue, 2008-05-27 at 10:31 -0700, Jeff Schroeder wrote:
> The FreeIPA V2BPRD document[1] mentions storing dns information in
> ldap. How do you plan on accomplishing this?
> Will redhat be adding in the bind patch[2] to enable storing zone
> files in ldap or use an alternative server like powerdns?
> Which schema will you be using for this? I'm interested in setting up
> a copy of (RH|F)DS and whatever is needed to start working on and
> testing this. The upstreams for all projects that store dns zones in
> ldap other than powerdns seem awfully quiet.
>
> Any pointers or ideas would be much appreciated.
>
> [1] http://freeipa.org/page/V2BPRD#1._Machine_Identity_and_Authentication
>     [1.1.1] Store DNS information in LDAP
> [2] http://bind9-ldap.bayour.com/

Jeff, we are not yet completely sold on any schema or server. I have been working and testing with bind some; so far I am not completely satisfied with any solution.

Aside from caching problems (apparently bind does not cache stuff if the backend uses sdb), there is also a DNS Update problem in that bind does not allow you to update info into an sdb backend at this point.

Access Control when using GSS-TSIG is also extremely limited with bind at this point.

I am looking for a solution that presents the least-resistance path for getting in what we need.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Tue May 27 20:43:40 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 27 May 2008 16:43:40 -0400
Subject: [Freeipa-devel] [PATCH] rework logging a bit
Message-ID: <483C727C.6000007@redhat.com>

I've reworked the XML-RPC logging a bit so that INFO is the default logging level. It still logs to the Apache error log (will get fixed some time later).

IPADebug still enables "debug" mode and more verbose stuff may be logged.

Added a function entry point log for the core IPA functions.

rob

From nkinder at redhat.com Tue May 27 21:07:42 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 27 May 2008 14:07:42 -0700
Subject: [Freeipa-devel] [PATCH] rework logging a bit
In-Reply-To: <483C727C.6000007@redhat.com>
References: <483C727C.6000007@redhat.com>
Message-ID: <483C781E.40900@redhat.com>

Rob Crittenden wrote:
> I've reworked the XML-RPC logging a bit so that INFO is the default
> logging level. It still logs to the Apache error log (will get fixed
> some time later).
>
> IPADebug still enables "debug" mode and more verbose stuff may be logged.
>
> Added a function entry point log for the core IPA functions.
>
> rob

ack

From jeffschroed at gmail.com Tue May 27 23:45:24 2008
From: jeffschroed at gmail.com (Jeff Schroeder)
Date: Tue, 27 May 2008 16:45:24 -0700
Subject: [Freeipa-devel] FreeIPAv2 with dns zones stored in ldap
In-Reply-To: <1211919617.12605.37.camel@localhost.localdomain>
References: <1211919617.12605.37.camel@localhost.localdomain>

On Tue, May 27, 2008 at 1:20 PM, Simo Sorce wrote:
> On Tue, 2008-05-27 at 10:31 -0700, Jeff Schroeder wrote:
>> The FreeIPA V2BPRD document[1] mentions storing dns information in
>> ldap. How do you plan on accomplishing this?
>> Will redhat be adding in the bind patch[2] to enable storing zone
>> files in ldap or use an alternative server like powerdns?
>> Which schema will you be using for this? I'm interested in setting up
>> a copy of (RH|F)DS and whatever is needed to start working on and
>> testing this. The upstreams for all projects that store dns zones in
>> ldap other than powerdns seem awfully quiet.
>>
>> Any pointers or ideas would be much appreciated.
>>
>> [1] http://freeipa.org/page/V2BPRD#1._Machine_Identity_and_Authentication
>>     [1.1.1] Store DNS information in LDAP
>> [2] http://bind9-ldap.bayour.com/
>
> Jeff, we are not yet completely sold on any schema or server. I have been
> working and testing with bind some; so far I am not completely satisfied
> with any solution.
>
> Aside from caching problems (apparently bind does not cache stuff if the
> backend uses sdb), there is also a DNS Update problem in that bind does
> not allow you to update info into an sdb backend at this point.
>
> Access Control when using GSS-TSIG is also extremely limited with bind
> at this point.
>
> I am looking for a solution that presents the least-resistance path for
> getting in what we need.

Ok so I've got an idea that might or might not work. It seems like the path of least resistance.

Re-implement ldap2dns in python. Use python-ldap to read the zones from ldap and python bindings for libaugeas to write the zones out.
The implementation would run something like this:
- A script, cronjob, or daemon in freeipa runs every XXX amount of time and checks the serial number of every zone on disk against the zone in ldap.
- If the zone in ldap is newer, ldap2dns dumps the new zone to disk.
- A backup of the old zone is made, the new zone is moved into place, and rndc reload $zone is run.

The cleanest solution is native ldap support in bind. The problem is that the patch is not in upstream bind and hasn't been updated in some time. Unless redhat or someone dusts that patch off and tries to get it upstream it is a dead end. Short of that happening, my solution seems like the path of least resistance.

Here is a diagram of the LDAP setup I'd like to use:
http://www.digitalprognosis.com/pics/fds-multimaster.png

You could have ldap + dns on the same server. Since ldap is the canonical source for zone information, every bind instance could be master and AXFR could be disabled. A lot of these ideas come from Nathaniel Mccallum, a buddy of mine. I'm willing to work with you on the code as best as possible. This seems related to one of the goals of FreeIPA so we might be able to work together.

--
Jeff Schroeder

Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com

From bigjoe1008 at gmail.com Wed May 28 13:13:19 2008
From: bigjoe1008 at gmail.com (Joe Harnish)
Date: Wed, 28 May 2008 09:13:19 -0400
Subject: [Freeipa-devel] FreeIPAv2 with dns zones stored in ldap
References: <1211919617.12605.37.camel@localhost.localdomain>
Message-ID: <763fc8580805280613x4df2799bgf65fd81f094df6f4@mail.gmail.com>

On Tue, May 27, 2008 at 7:45 PM, Jeff Schroeder wrote:
> On Tue, May 27, 2008 at 1:20 PM, Simo Sorce wrote:
>> On Tue, 2008-05-27 at 10:31 -0700, Jeff Schroeder wrote:
>>> The FreeIPA V2BPRD document[1] mentions storing dns information in
>>> ldap. How do you plan on accomplishing this?
>>> Will redhat be adding in the bind patch[2] to enable storing zone
>>> files in ldap or use an alternative server like powerdns?
>>> Which schema will you be using for this? I'm interested in setting up
>>> a copy of (RH|F)DS and whatever is needed to start working on and
>>> testing this. The upstreams for all projects that store dns zones in
>>> ldap other than powerdns seem awfully quiet.
>>>
>>> Any pointers or ideas would be much appreciated.
>>>
>>> [1] http://freeipa.org/page/V2BPRD#1._Machine_Identity_and_Authentication
>>>     [1.1.1] Store DNS information in LDAP
>>> [2] http://bind9-ldap.bayour.com/
>>
>> Jeff, we are not yet completely sold on any schema or server. I have been
>> working and testing with bind some; so far I am not completely satisfied
>> with any solution.
>>
>> Aside from caching problems (apparently bind does not cache stuff if the
>> backend uses sdb), there is also a DNS Update problem in that bind does
>> not allow you to update info into an sdb backend at this point.
>>
>> Access Control when using GSS-TSIG is also extremely limited with bind
>> at this point.
>>
>> I am looking for a solution that presents the least-resistance path for
>> getting in what we need.
>
> Ok so I've got an idea that might or might not work. It seems like the
> path of least resistance.
>
> Re-implement ldap2dns in python.
> Use python-ldap to read the zones from ldap and python bindings for
> libaugeas to write the zones out.
>
> The implementation would run something like this:
> - A script, cronjob, or daemon in freeipa runs every XXX amount of time
>   and checks the serial number of every zone on disk against the zone in ldap.
> - If the zone in ldap is newer, ldap2dns dumps the new zone to disk.
> - A backup of the old zone is made, the new zone is moved into place,
>   and rndc reload $zone is run.
>
> The cleanest solution is native ldap support in bind. The problem is
> that the patch is not in upstream bind and hasn't been updated in some
> time. Unless redhat or someone dusts that patch off and tries to get it
> upstream it is a dead end. Short of that happening, my solution seems
> like the path of least resistance.
>
> Here is a diagram of the LDAP setup I'd like to use:
> http://www.digitalprognosis.com/pics/fds-multimaster.png
>
> You could have ldap + dns on the same server. Since ldap is the
> canonical source for zone information, every bind instance could be
> master and AXFR could be disabled. A lot of these ideas come from
> Nathaniel Mccallum, a buddy of mine. I'm willing to work with you on the
> code as best as possible. This seems related to one of the goals of
> FreeIPA so we might be able to work together.
>
> --
> Jeff Schroeder
>
> Don't drink and derive, alcohol and analysis don't mix.
> http://www.digitalprognosis.com

Mandriva Directory Server (http://mds.mandriva.org/wiki/Download) is using ISC DHCP and BIND and they already have some python code for managing DNS and DHCP. It looks like they configure Bind to point to their LDAP for their records. Not sure if this is doable with Fedora's Bind builds. But it could be a decent starting point.
--Joe

From ssorce at redhat.com Wed May 28 13:44:54 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 28 May 2008 09:44:54 -0400
Subject: [Freeipa-devel] FreeIPAv2 with dns zones stored in ldap
References: <1211919617.12605.37.camel@localhost.localdomain>
Message-ID: <1211982294.12605.52.camel@localhost.localdomain>

On Tue, 2008-05-27 at 16:45 -0700, Jeff Schroeder wrote:
> On Tue, May 27, 2008 at 1:20 PM, Simo Sorce wrote:
> > On Tue, 2008-05-27 at 10:31 -0700, Jeff Schroeder wrote:
> >> The FreeIPA V2BPRD document[1] mentions storing dns information in
> >> ldap. How do you plan on accomplishing this?
> >> Will redhat be adding in the bind patch[2] to enable storing zone
> >> files in ldap or use an alternative server like powerdns?
> >> Which schema will you be using for this? I'm interested in setting up
> >> a copy of (RH|F)DS and whatever is needed to start working on and
> >> testing this. The upstreams for all projects that store dns zones in
> >> ldap other than powerdns seem awfully quiet.
> >>
> >> Any pointers or ideas would be much appreciated.
> >>
> >> [1] http://freeipa.org/page/V2BPRD#1._Machine_Identity_and_Authentication
> >>     [1.1.1] Store DNS information in LDAP
> >> [2] http://bind9-ldap.bayour.com/
> >
> > Jeff, we are not yet completely sold on any schema or server. I have been
> > working and testing with bind some; so far I am not completely satisfied
> > with any solution.
> >
> > Aside from caching problems (apparently bind does not cache stuff if the
> > backend uses sdb), there is also a DNS Update problem in that bind does
> > not allow you to update info into an sdb backend at this point.
> >
> > Access Control when using GSS-TSIG is also extremely limited with bind
> > at this point.
> >
> > I am looking for a solution that presents the least-resistance path for
> > getting in what we need.
>
> Ok so I've got an idea that might or might not work. It seems like the
> path of least resistance.
>
> Re-implement ldap2dns in python.
> Use python-ldap to read the zones from ldap and python bindings for
> libaugeas to write the zones out.
>
> The implementation would run something like this:
> - A script, cronjob, or daemon in freeipa runs every XXX amount of time
>   and checks the serial number of every zone on disk against the zone in ldap.
> - If the zone in ldap is newer, ldap2dns dumps the new zone to disk.
> - A backup of the old zone is made, the new zone is moved into place,
>   and rndc reload $zone is run.
>
> The cleanest solution is native ldap support in bind. The problem is
> that the patch is not in upstream bind and hasn't been updated in some
> time. Unless redhat or someone dusts that patch off and tries to get it
> upstream it is a dead end. Short of that happening, my solution seems
> like the path of least resistance.
>
> Here is a diagram of the LDAP setup I'd like to use:
> http://www.digitalprognosis.com/pics/fds-multimaster.png
>
> You could have ldap + dns on the same server. Since ldap is the
> canonical source for zone information, every bind instance could be
> master and AXFR could be disabled. A lot of these ideas come from
> Nathaniel Mccallum, a buddy of mine. I'm willing to work with you on the
> code as best as possible. This seems related to one of the goals of
> FreeIPA so we might be able to work together.

We actually have both the sdb and the DLZ backends built for bind in Fedora (and IIRC in RHEL bind). So the backends are not a huge problem.

Using a script like that presents some problems, like the fact that it would be one way, so DNS Updates would still be a problem (otherwise we need something that can read from the cache file generated from bind and feed back to ldap).

I want to look and see if it is easy enough to modify either sdb or dlz to allow at least dns updates; we can implement a local cache in the backend if performance is too bad.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jeffschroed at gmail.com Wed May 28 14:59:02 2008
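Jeff's ldap2dns pull procedure (compare serials, dump, back up, swap, reload) and the one-way-sync problem Simo raises in his reply, as an added example that is not code from the thread or from FreeIPA: python-ldap and rndc are replaced by a constructed zone dict and a reload callback so it runs offline, and the zone dict's field layout is hypothetical since the thread settles on no schema.

```python
"""Added example (not the thread's or FreeIPA's code): the ldap2dns-style pull
Jeff outlines, with the one-way-sync problem Simo raises handled as a conflict
check instead of a silent overwrite."""
import os
import re
import shutil
import tempfile

# Constructed stand-in for what python-ldap would return for one zone; the
# field layout is hypothetical, since the thread settles on no schema.
LDAP_ZONE = {
    "name": "example.test",
    "serial": 2008052801,
    "mname": "ns1.example.test.",
    "rname": "hostmaster.example.test.",
    "records": [  # (owner, type, rdata): constructed sample data
        ("@", "NS", "ns1.example.test."),
        ("ns1", "A", "192.0.2.1"),
        ("ipa", "A", "192.0.2.10"),
    ],
}

# Serial of a single-line "IN SOA mname rname serial ..." record, the form
# render_zone() writes; a parenthesised multi-line SOA is not handled.
_SOA_SERIAL = re.compile(r"\bSOA\s+\S+\s+\S+\s+\(?\s*(\d+)", re.IGNORECASE)


def disk_serial(zone_text):
    """Return the SOA serial found in a zone file's text, or None."""
    m = _SOA_SERIAL.search(zone_text)
    return int(m.group(1)) if m else None


def serial_gt(a, b):
    """RFC 1982 serial number arithmetic: True when 32-bit serial a is newer
    than b, so a serial that wrapped past 2**32 still counts as newer."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a > b and a - b < 2 ** 31) or (a < b and b - a > 2 ** 31)


def render_zone(zone):
    """Render the LDAP view of the zone as a BIND master file."""
    lines = [
        "$ORIGIN %s." % zone["name"],
        "$TTL 3600",
        "@\tIN\tSOA\t%s %s %d 3600 900 604800 86400"
        % (zone["mname"], zone["rname"], zone["serial"]),
    ]
    for owner, rtype, rdata in zone["records"]:
        lines.append("%s\tIN\t%s\t%s" % (owner, rtype, rdata))
    return "\n".join(lines) + "\n"


def sync_zone(zone, path, reload=None):
    """Bring the zone file at path in line with LDAP.

    Returns "updated", "unchanged" or "conflict".  reload, if given, is called
    with the zone name after a successful swap; in production that is where
    "rndc reload <zone>" would be run."""
    existed = os.path.exists(path)
    on_disk = None
    if existed:
        with open(path) as f:
            on_disk = disk_serial(f.read())
    if on_disk is not None:
        if on_disk == zone["serial"]:
            return "unchanged"
        if serial_gt(on_disk, zone["serial"]):
            # named bumped the serial itself (a dynamic update LDAP never saw):
            # overwriting would drop that data, so refuse and let an operator
            # reconcile instead.
            return "conflict"
    # Stage the new file in the same directory so the final rename is atomic.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".zone-")
    with os.fdopen(fd, "w") as f:
        f.write(render_zone(zone))
    if existed:
        shutil.copy2(path, path + ".bak")  # keep a backup of the old zone
    os.replace(tmp, path)  # atomic swap on POSIX
    if reload is not None:
        reload(zone["name"])
    return "updated"


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    zone_file = os.path.join(workdir, "example.test.zone")
    print(sync_zone(LDAP_ZONE, zone_file, reload=lambda z: print("rndc reload", z)))
    print(sync_zone(LDAP_ZONE, zone_file))  # unchanged on the second pass
```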
From: jeffschroed at gmail.com (Jeff Schroeder)
Date: Wed, 28 May 2008 07:59:02 -0700
Subject: [Freeipa-devel] FreeIPAv2 with dns zones stored in ldap
In-Reply-To: <1211982294.12605.52.camel@localhost.localdomain>
References: <1211919617.12605.37.camel@localhost.localdomain> <1211982294.12605.52.camel@localhost.localdomain>

On Wed, May 28, 2008 at 6:44 AM, Simo Sorce wrote:
> We actually have both the sdb and the DLZ backends built for bind in
> Fedora (and IIRC in RHEL bind). So the backends are not a huge problem.
>
> Using a script like that presents some problems, like the fact that it
> would be one way, so DNS Updates would still be a problem (otherwise we
> need something that can read from the cache file generated from bind and
> feed back to ldap).
>
> I want to look and see if it is easy enough to modify either sdb or dlz
> to allow at least dns updates; we can implement a local cache in the
> backend if performance is too bad.

I wasn't aware of those patches already being in bind, thank you.

'bind-9.3.1rc1-sdb.patch' is in the srpm, but there isn't any mention of dlz anywhere in bind-9.3.3-10.el5.src.rpm. Are the dlz patches only in RHEL 5.2?

If you get one of these backends to cache results using bind, will you submit it upstream to isc?

--
Jeff Schroeder

Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com

From ssorce at redhat.com Wed May 28 15:55:49 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 28 May 2008 11:55:49 -0400
Subject: [Freeipa-devel] FreeIPAv2 with dns zones stored in ldap
References: <1211919617.12605.37.camel@localhost.localdomain> <1211982294.12605.52.camel@localhost.localdomain>
Message-ID: <1211990149.12605.60.camel@localhost.localdomain>

On Wed, 2008-05-28 at 07:59 -0700, Jeff Schroeder wrote:
> On Wed, May 28, 2008 at 6:44 AM, Simo Sorce wrote:
> > We actually have both the sdb and the DLZ backends built for bind in
> > Fedora (and IIRC in RHEL bind). So the backends are not a huge problem.
> >
> > Using a script like that presents some problems, like the fact that it
> > would be one way, so DNS Updates would still be a problem (otherwise we
> > need something that can read from the cache file generated from bind and
> > feed back to ldap).
> >
> > I want to look and see if it is easy enough to modify either sdb or dlz
> > to allow at least dns updates; we can implement a local cache in the
> > backend if performance is too bad.
>
> I wasn't aware of those patches already being in bind, thank you.
>
> 'bind-9.3.1rc1-sdb.patch' is in the srpm, but there isn't any mention
> of dlz anywhere in bind-9.3.3-10.el5.src.rpm. Are the dlz patches only
> in RHEL 5.2?
>
> If you get one of these backends to cache results using bind, will you
> submit it upstream to isc?

Yes, anything we do we will try as hard as possible to feed back upstream; we really do not want to fork bind or anything else.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed May 28 18:04:20 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 28 May 2008 14:04:20 -0400
Subject: [Freeipa-devel] [PATCH] fix ipa_webgui logging
Message-ID: <483D9EA4.5020507@redhat.com>

Fix issue of double logging in ipa_error.log. We open the log in ipa_webgui and this was being inherited by TurboGears which uses the same log so everything was getting logged twice. Shut down the log in ipa_webgui at the last possible moment. This will not catch configuration errors.

Add a Not Found template.

Only print a traceback on 500 errors.

rob

From rcritten at redhat.com Wed May 28 18:06:38 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 28 May 2008 14:06:38 -0400
Subject: [Freeipa-devel] [PATCH] fix replica install when domain != realm
In-Reply-To: <1211569674.3935.199.camel@localhost.localdomain>
References: <1211569674.3935.199.camel@localhost.localdomain>
Message-ID: <483D9F2E.3060904@redhat.com>

Simo Sorce wrote:
> as per subj.

ack

From rcritten at redhat.com Wed May 28 18:07:04 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 28 May 2008 14:07:04 -0400
Subject: [Freeipa-devel] [PATCH] Make nss_ldap option more strict
In-Reply-To: <1211572752.3935.212.camel@localhost.localdomain>
References: <1211572105.3935.207.camel@localhost.localdomain> <48371FEF.4030006@redhat.com> <1211572752.3935.212.camel@localhost.localdomain>
Message-ID: <483D9F48.3090302@redhat.com>

Simo Sorce wrote:
> On Fri, 2008-05-23 at 15:50 -0400, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> this will avoid searching the whole server for accounts that are all
>>> stored under a specific tree.
>> At one time we talked about supporting multiple containers. What does
>> this patch do to that?
>
> Well we do not have them supported in the webui anyway, so if someone
> wants to do special stuff they can also change this bit on the client.
>
> In v2 I want to do what the HP-UX client does, store the config in ldap,
> so that changing configuration is a matter of changing a few fields in
> ldap.
>
> Simo.

Ok then, ack.

rob

From loris at lgs.com.ve Wed May 28 18:07:37 2008
From: loris at lgs.com.ve (Loris Santamaria)
Date: Wed, 28 May 2008 13:37:37 -0430
Subject: [Freeipa-devel] AD PassSync and IPA
Message-ID: <1211998057.26000.64.camel@arepa.pzo.lgs.com.ve>

Hi,

we're using some FreeIPA components on a large installation that is migrating from AD to FDS or OpenLDAP.

We've successfully installed on the FDS side the ipa-pwd-extop plugin for synchronizing password changes for kerberos, samba and posix password. Also we've successfully installed PassSync in Active Directory.

When I change a password on the FDS side using kerberos, samba or pam_ldap, the three hashes are updated successfully on FDS and the change is replicated to AD. But when I change a password on Active Directory _only_ the Posix password is updated on FDS, it seems because PassSync doesn't use the password change extop.

Can this be solved by modifying PassSync? I think it shouldn't be too difficult to modify PassSync... does anyone have some pointers on what we should change and how to build PassSync on windows?

Thanks

--
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
------------------------------------------------------------
-O9 -omg-optimize -fomit-instructions

From rcritten at redhat.com Wed May 28 18:11:48 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 28 May 2008 14:11:48 -0400
Subject: [Freeipa-devel] [PATCH] fix rpm dependency in ipa-admintools
In-Reply-To: <1211572145.3935.209.camel@localhost.localdomain>
References: <48371CCE.9080204@redhat.com> <1211572145.3935.209.camel@localhost.localdomain>
Message-ID: <483DA064.80606@redhat.com>

Simo Sorce wrote:
> On Fri, 2008-05-23 at 15:36 -0400, Rob Crittenden wrote:
>> We need python-configobj for the ipa-admintools command ipa-pwpolicy to
>> work.
>>
>> I also cleaned up the specfile in general, mostly formatting stuff.
>
> ack

pushed to master and ipa-1-0

From rcritten at redhat.com Wed May 28 18:14:06 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 28 May 2008 14:14:06 -0400
Subject: [Freeipa-devel] [PATCH] rework logging a bit
In-Reply-To: <483C781E.40900@redhat.com>
References: <483C727C.6000007@redhat.com> <483C781E.40900@redhat.com>
Message-ID: <483DA0EE.1080400@redhat.com>

Nathan Kinder wrote:
> Rob Crittenden wrote:
>> I've reworked the XML-RPC logging a bit so that INFO is the default
>> logging level. It still logs to the Apache error log (will get fixed
>> some time later).
>>
>> IPADebug still enables "debug" mode and more verbose stuff may be logged.
>>
>> Added a function entry point log for the core IPA functions.
>>
>> rob
> ack

pushed to ipa-1-0 and master

From rmeggins at redhat.com Wed May 28 18:59:01 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 28 May 2008 12:59:01 -0600
Subject: [Freeipa-devel] AD PassSync and IPA
In-Reply-To: <1211998057.26000.64.camel@arepa.pzo.lgs.com.ve>
References: <1211998057.26000.64.camel@arepa.pzo.lgs.com.ve>
Message-ID: <483DAB75.3070508@redhat.com>

Loris Santamaria wrote:
> Hi,
>
> we're using some FreeIPA components on a large installation that is
> migrating from AD to FDS or OpenLDAP.
>
> We've successfully installed on the FDS side the ipa-pwd-extop plugin for
> synchronizing password changes for kerberos, samba and posix password.
> Also we've successfully installed PassSync in Active Directory.
>
> When I change a password on the FDS side using kerberos, samba or
> pam_ldap, the three hashes are updated successfully on FDS and the change
> is replicated to AD. But when I change a password on Active Directory
> _only_ the Posix password is updated on FDS, it seems because PassSync
> doesn't use the password change extop.
>
> Can this be solved by modifying PassSync? I think it shouldn't be too
> difficult to modify PassSync... does anyone have some pointers on what we
> should change and how to build PassSync on windows?

First, please file a bug about this issue - bugzilla.redhat.com - use the Sync Service component of product Fedora Directory Server - so we can track this issue.

This page http://directory.fedoraproject.org/wiki/Howto:WindowsSync has general information about PassSync, but no building information.

The source code is here - http://cvs.fedoraproject.org/viewcvs/winsync/passwordsync/?root=dirsec

If you want to build the code, you will first have to get NSPR, NSS, and Mozldap from mozilla. Windows binaries:
ftp://ftp.mozilla.org/pub/nspr/releases/v4.6.4/msvc6.0
ftp://ftp.mozilla.org/pub/security/nss/releases/NSS_3_11_4_RTM/msvc6.0
ftp://ftp.mozilla.org/pub/directory/c-sdk/releases/v6.0.4/ldapcsdk-6.0.3-WINNT5.2_DBG.OBJ.zip

There is a build.bat file for cmdline use, and a .dsw file.
The source code for ldappasswd.c from Mozldap is an example of the password modify extop.

> Thanks

From ssorce at redhat.com Thu May 29 00:43:40 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 28 May 2008 20:43:40 -0400
Subject: [Freeipa-devel] [PATCH] Fix a crash bug in ipa_kpasswd
Message-ID: <1212021820.12605.68.camel@localhost.localdomain>

We were using the control variable like it was a pointer, make it a pointer as it should be.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu May 29 00:45:06 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 28 May 2008 20:45:06 -0400
Subject: [Freeipa-devel] [PATCH] revert to using openldap libs by default
Message-ID: <1212021906.12605.71.camel@localhost.localdomain>

Compiling with mozldap libraries apparently breaks ipa_kpasswd, for some unknown reason the server does not get the control passed to ldap_extended_operation to perform a password change.

Compiled with openldap libraries, all seem to work again.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu May 29 00:48:19 2008
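Rich's pointer to the password modify extop and Simo's note about the control passed to ldap_extended_operation, as an added example that is not code from the thread, FreeIPA, PassSync or Mozldap: it builds and parses the RFC 3062 Password Modify request value, which is what a change sent through the extop carries (and what a plugin such as ipa-pwd-extop sees) rather than a plain modify of userPassword. The DN and passwords are constructed sample values.

```python
"""Added example (not code from the thread, FreeIPA, PassSync or Mozldap):
encoder and decoder for the RFC 3062 Password Modify extended operation
value, the request ldappasswd sends.  DN and passwords are constructed."""

# OID of the Password Modify extended operation (RFC 3062).
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# Context-specific primitive tags of the three optional request fields.
_TAG_USER_IDENTITY = 0x80  # [0] userIdentity
_TAG_OLD_PASSWD = 0x81     # [1] oldPasswd
_TAG_NEW_PASSWD = 0x82     # [2] newPasswd
_TAG_SEQUENCE = 0x30


def _ber_length(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_length(len(value)) + value


def _read_tlv(data):
    """Split one BER element off data; returns (tag, value, remainder)."""
    tag, first = data[0], data[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        length, offset = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return tag, data[offset:offset + length], data[offset + length:]


def encode_passwd_modify(user_identity=None, old_password=None, new_password=None):
    """Build PasswdModifyRequestValue; every field is optional per RFC 3062."""
    parts = b""
    if user_identity is not None:
        parts += _tlv(_TAG_USER_IDENTITY, user_identity.encode("utf-8"))
    if old_password is not None:
        parts += _tlv(_TAG_OLD_PASSWD, old_password.encode("utf-8"))
    if new_password is not None:
        parts += _tlv(_TAG_NEW_PASSWD, new_password.encode("utf-8"))
    return _tlv(_TAG_SEQUENCE, parts)


def decode_passwd_modify(data):
    """Parse a request value back into a dict of the fields that were sent."""
    tag, body, rest = _read_tlv(data)
    if tag != _TAG_SEQUENCE or rest:
        raise ValueError("not a single PasswdModifyRequestValue SEQUENCE")
    names = {_TAG_USER_IDENTITY: "userIdentity",
             _TAG_OLD_PASSWD: "oldPasswd",
             _TAG_NEW_PASSWD: "newPasswd"}
    fields = {}
    while body:
        tag, value, body = _read_tlv(body)
        if tag not in names or names[tag] in fields:
            raise ValueError("unexpected or repeated tag 0x%02x" % tag)
        fields[names[tag]] = value.decode("utf-8")
    return fields


if __name__ == "__main__":
    # Constructed sample: a DN and a new password, no old password supplied.
    req = encode_passwd_modify("uid=loris,dc=example,dc=com", None, "s3cret")
    print(PASSWD_MODIFY_OID, req.hex())
    print(decode_passwd_modify(req))
```

With python-ldap the same request is built and sent for you by LDAPObject.passwd_s(user, oldpw, newpw); the encoder here is to show what travels in the extended request and what a server-side plugin receives.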
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 28 May 2008 20:48:19 -0400
Subject: [Freeipa-devel] [PATCH] Make ipa_kpasswd listen on each interface separately
Message-ID: <1212022099.12605.75.camel@localhost.localdomain>

This makes it possible to keep track of which address a UDP packet has been sent to, so that we can correctly set the local address when we are on a multihomed system.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Thu May 29 02:50:32 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 28 May 2008 22:50:32 -0400
Subject: [Freeipa-devel] [PATCH] Fix bindinstance usage that was causing uninstall to fail
Message-ID: <483E19F8.6020907@redhat.com>

Make check_inst() a standalone function in bindinstance.

When an install instance is created that contains a pointer to a sysrestore point it loads in the current configuration when instantiated. If an instance is instantiated but not used then changes may occur to the system state that it is unaware of. So one needs to take care in the order that things are done to avoid losing information.

When bind was setup it was overwriting all data in sysrestore.state and leaving just a [named] section. This caused problems at uninstall.

rob

From rcritten at redhat.com Thu May 29 12:50:51 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 29 May 2008 08:50:51 -0400
Subject: [Freeipa-devel] [PATCH] Fix a crash bug in ipa_kpasswd
In-Reply-To: <1212021820.12605.68.camel@localhost.localdomain>
References: <1212021820.12605.68.camel@localhost.localdomain>
Message-ID: <483EA6AB.70800@redhat.com>

Simo Sorce wrote:
> We were using the control variable like it was a pointer, make it a
> pointer as it should be.
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ack

From rcritten at redhat.com Thu May 29 12:52:21 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 29 May 2008 08:52:21 -0400
Subject: [Freeipa-devel] [PATCH] revert to using openldap libs by default
In-Reply-To: <1212021906.12605.71.camel@localhost.localdomain>
References: <1212021906.12605.71.camel@localhost.localdomain>
Message-ID: <483EA705.7080902@redhat.com>

Simo Sorce wrote:
> Compiling with mozldap libraries apparently breaks ipa_kpasswd, for some
> unknown reason the server does not get the control passed to
> ldap_extended_operation to perform a password change.
>
> Compiled with openldap libraries, all seems to work again.

You should probably update the top-level Makefile with this same change
for those who do 'make install'

rob

From rcritten at redhat.com Thu May 29 12:55:43 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 29 May 2008 08:55:43 -0400
Subject: [Freeipa-devel] [PATCH] Make ipa_kpasswd listen on each interface separately
In-Reply-To: <1212022099.12605.75.camel@localhost.localdomain>
References: <1212022099.12605.75.camel@localhost.localdomain>
Message-ID: <483EA7CF.1030704@redhat.com>

Simo Sorce wrote:
> This makes it possible to keep track of which address a UDP packet has
> been sent to, so that we can correctly set the local address when we are
> on a multihomed system.

ack

From ssorce at redhat.com Thu May 29 13:34:24 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 29 May 2008 09:34:24 -0400
Subject: [Freeipa-devel] [PATCH] revert to using openldap libs by default
In-Reply-To: <483EA705.7080902@redhat.com>
References: <1212021906.12605.71.camel@localhost.localdomain> <483EA705.7080902@redhat.com>
Message-ID: <1212068064.12605.83.camel@localhost.localdomain>

On Thu, 2008-05-29 at 08:52 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > Compiling with mozldap libraries apparently breaks ipa_kpasswd, for some
> > unknown reason the server does not get the control passed to
> > ldap_extended_operation to perform a password change.
> >
> > Compiled with openldap libraries, all seems to work again.
>
> You should probably update the top-level Makefile with this same change
> for those who do 'make install'

Right, I'll push a patch that fixes that too, ok?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Thu May 29 13:36:53 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 29 May 2008 09:36:53 -0400
Subject: [Freeipa-devel] [PATCH] revert to using openldap libs by default
In-Reply-To: <1212068064.12605.83.camel@localhost.localdomain>
References: <1212021906.12605.71.camel@localhost.localdomain> <483EA705.7080902@redhat.com> <1212068064.12605.83.camel@localhost.localdomain>
Message-ID: <483EB175.5060506@redhat.com>

Simo Sorce wrote:
> On Thu, 2008-05-29 at 08:52 -0400, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> Compiling with mozldap libraries apparently breaks ipa_kpasswd, for some
>>> unknown reason the server does not get the control passed to
>>> ldap_extended_operation to perform a password change.
>>>
>>> Compiled with openldap libraries, all seems to work again.
>> You should probably update the top-level Makefile with this same change
>> for those who do 'make install'
>
> Right, I'll push a patch that fixes that too, ok?
> Simo.

sure thing, ack.

From ssorce at redhat.com Thu May 29 14:02:25 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 29 May 2008 10:02:25 -0400
Subject: [Freeipa-devel] [PATCH] fix replica install when domain != realm
In-Reply-To: <483D9F2E.3060904@redhat.com>
References: <1211569674.3935.199.camel@localhost.localdomain> <483D9F2E.3060904@redhat.com>
Message-ID: <1212069745.12605.85.camel@localhost.localdomain>

On Wed, 2008-05-28 at 14:06 -0400, Rob Crittenden wrote:
>
> ack

pushed

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu May 29 14:02:37 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 29 May 2008 10:02:37 -0400
Subject: [Freeipa-devel] [PATCH] Make nss_ldap option more strict
In-Reply-To: <483D9F48.3090302@redhat.com>
References: <1211572105.3935.207.camel@localhost.localdomain> <48371FEF.4030006@redhat.com> <1211572752.3935.212.camel@localhost.localdomain> <483D9F48.3090302@redhat.com>
Message-ID: <1212069757.12605.87.camel@localhost.localdomain>

On Wed, 2008-05-28 at 14:07 -0400, Rob Crittenden wrote:
>
> Ok then, ack.

pushed

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu May 29 14:02:50 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 29 May 2008 10:02:50 -0400
Subject: [Freeipa-devel] [PATCH] Fix a crash bug in ipa_kpasswd
In-Reply-To: <483EA6AB.70800@redhat.com>
References: <1212021820.12605.68.camel@localhost.localdomain> <483EA6AB.70800@redhat.com>
Message-ID: <1212069770.12605.89.camel@localhost.localdomain>

On Thu, 2008-05-29 at 08:50 -0400, Rob Crittenden wrote:
>
> ack

pushed

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu May 29 14:03:04 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 29 May 2008 10:03:04 -0400
Subject: [Freeipa-devel] [PATCH] revert to using openldap libs by default
In-Reply-To: <483EB175.5060506@redhat.com>
References: <1212021906.12605.71.camel@localhost.localdomain> <483EA705.7080902@redhat.com> <1212068064.12605.83.camel@localhost.localdomain> <483EB175.5060506@redhat.com>
Message-ID: <1212069784.12605.91.camel@localhost.localdomain>

On Thu, 2008-05-29 at 09:36 -0400, Rob Crittenden wrote:
>
> sure thing, ack.

pushed with changes to Makefile

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu May 29 14:03:14 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 29 May 2008 10:03:14 -0400
Subject: [Freeipa-devel] [PATCH] Make ipa_kpasswd listen on each interface separately
In-Reply-To: <483EA7CF.1030704@redhat.com>
References: <1212022099.12605.75.camel@localhost.localdomain> <483EA7CF.1030704@redhat.com>
Message-ID: <1212069794.12605.93.camel@localhost.localdomain>

On Thu, 2008-05-29 at 08:55 -0400, Rob Crittenden wrote:
>
> ack

pushed

--
Simo Sorce * Red Hat, Inc * New York

From rmeggins at redhat.com Thu May 29 17:01:56 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 29 May 2008 11:01:56 -0600
Subject: [Freeipa-devel] [PATCH] Allow ipa-memberof to build against either Fedora DS 1.1.0 or 1.1.1
Message-ID: <483EE184.1020607@redhat.com>

This is only for ipa-1-0. Fedora DS 1.1.1 includes the memberof plugin. IPA should use this one instead of its own. However, ipa-1-0 code may want to build against either the old slapi task functions or the new ones, so this patch allows that for ipa-1-0.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fedora-DS-1.1.1-exposes-a-public-task-api.-In-order.patch
Type: text/x-patch
Size: 6380 bytes
Desc: not available

From rcritten at redhat.com Thu May 29 17:28:20 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 29 May 2008 13:28:20 -0400
Subject: [Freeipa-devel] [PATCH] fix error introduced in recent logging change
Message-ID: <483EE7B4.3020907@redhat.com>

I goofed on a variable name. Pushed this patch under the 1-liner rule.

diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.
index a221ebd..08d351e 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -535,7 +535,7 @@ class IPAServer:
             raise ipaerror.gen_exception(ipaerror.INPUT_INVALID_PARAMETER)
         if sattrs is not None and not isinstance(sattrs,list):
             raise ipaerror.gen_exception(ipaerror.INPUT_INVALID_PARAMETER)
-        logging.info("IPA: get_user_by_manager '%s'" % manager)
+        logging.info("IPA: get_user_by_manager '%s'" % manager_dn)
         manager_dn = self.__safe_filter(manager_dn)
         searchfilter = "(&(objectClass=person)(manager=%s))" % manager_dn

rob

From ssorce at redhat.com Thu May 29 18:19:15 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 29 May 2008 14:19:15 -0400
Subject: [Freeipa-devel] [PATCH] Make DS hash the clear text password
Message-ID: <1212085155.12605.123.camel@localhost.localdomain>

This fixes IPA -> AD password synchronization.
DS needs to do the password hashing operation on userPassword itself, not get a pre-hashed value.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Let-DS-encode-the-password-this-will-allow-IPA-A.patch
Type: application/mbox
Size: 1740 bytes
Desc: not available

From rcritten at redhat.com Thu May 29 18:41:03 2008
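Review bot: in the get_user_by_manager hunk of Rob's logging fix above, the corrected logging.info line still runs before `manager_dn = self.__safe_filter(manager_dn)`, so the raw caller-supplied value is what reaches the log rather than the escaped value that is actually used in searchfilter; if the log is meant to record what is searched for, move the logging.info call below the __safe_filter line (or log both values). The one-word change itself is right: the surrounding context uses `manager_dn`, and `manager` is not referenced anywhere else in the visible lines.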
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 29 May 2008 14:41:03 -0400
Subject: [Freeipa-devel] [PATCH] Actually pass along the verbose option
Message-ID: <483EF8BF.5030901@redhat.com>

So I added a --verbose option to all the admin tools but didn't actually pass on the value to the XML-RPC client. This will fix that oversight.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-32-verbose.patch
Type: text/x-patch
Size: 8524 bytes
Desc: not available

From ssorce at redhat.com Thu May 29 19:17:56 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 29 May 2008 15:17:56 -0400
Subject: [Freeipa-devel] [PATCH] Actually pass along the verbose option
In-Reply-To: <483EF8BF.5030901@redhat.com>
References: <483EF8BF.5030901@redhat.com>
Message-ID: <1212088676.12605.127.camel@localhost.localdomain>

On Thu, 2008-05-29 at 14:41 -0400, Rob Crittenden wrote:
> So I added a --verbose option to all the admin tools but didn't
> actually
> pass on the value to the XML-RPC client. This will fix that oversight.

ack

--
Simo Sorce * Red Hat, Inc * New York

From rmeggins at redhat.com Thu May 29 19:30:43 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 29 May 2008 13:30:43 -0600
Subject: [Freeipa-devel] [PATCH] Make DS hash the clear text password
In-Reply-To: <1212085155.12605.123.camel@localhost.localdomain>
References: <1212085155.12605.123.camel@localhost.localdomain>
Message-ID: <483F0463.1070103@redhat.com>

Simo Sorce wrote:
> This fixes IPA -> AD password synchronization.
> DS needs to do the password hashing operation on userPassword itself, not
> get a pre-hashed value.
>
ack
> Simo.

From rcritten at redhat.com Thu May 29 20:06:10 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 29 May 2008 16:06:10 -0400
Subject: [Freeipa-devel] [PATCH] Actually pass along the verbose option
In-Reply-To: <1212088676.12605.127.camel@localhost.localdomain>
References: <483EF8BF.5030901@redhat.com> <1212088676.12605.127.camel@localhost.localdomain>
Message-ID: <483F0CB2.4000501@redhat.com>

Simo Sorce wrote:
> On Thu, 2008-05-29 at 14:41 -0400, Rob Crittenden wrote:
>> So I added a --verbose option to all the admin tools but didn't
>> actually
>> pass on the value to the XML-RPC client. This will fix that oversight.
>
> ack

pushed

From nkinder at redhat.com Thu May 29 23:20:34 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 29 May 2008 16:20:34 -0700
Subject: [Freeipa-devel] [PATCH] Make DS hash the clear text password
In-Reply-To: <1212085155.12605.123.camel@localhost.localdomain>
References: <1212085155.12605.123.camel@localhost.localdomain>
Message-ID: <483F3A42.3090308@redhat.com>

Simo Sorce wrote:
> This fixes IPA -> AD password synchronization.
> DS needs to do the password hashing operation on userPassword itself, not
> get a pre-hashed value.
>
ack. I tested this with a sync agreement set up between the IPA DS and AD, and the password went across to AD just fine.
> Simo.

From nkinder at redhat.com Thu May 29 23:32:09 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 29 May 2008 16:32:09 -0700
Subject: [Freeipa-devel] [PATCH] Allow ipa-memberof to build against either Fedora DS 1.1.0 or 1.1.1
In-Reply-To: <483EE184.1020607@redhat.com>
References: <483EE184.1020607@redhat.com>
Message-ID: <483F3CF9.9020708@redhat.com>

Rich Megginson wrote:
> This is only for ipa-1-0. Fedora DS 1.1.1 includes the memberof
> plugin. IPA should use this one instead of its own. However, ipa-1-0
> code may want to build against either the old slapi task functions or
> the new ones, so this patch allows that for ipa-1-0.
ack. I verified that this builds, and that the memberOf fixup task runs fine, using this fix with the current fedora-ds-base-1.1.0-3.fc8 package.

From ssorce at redhat.com Fri May 30 04:29:13 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 30 May 2008 00:29:13 -0400
Subject: [Freeipa-devel] [PATCH] Make DS hash the clear text password
In-Reply-To: <483F3A42.3090308@redhat.com>
References: <1212085155.12605.123.camel@localhost.localdomain> <483F3A42.3090308@redhat.com>
Message-ID: <1212121754.12605.131.camel@localhost.localdomain>

On Thu, 2008-05-29 at 16:20 -0700, Nathan Kinder wrote:
> Simo Sorce wrote:
> > This fixes IPA -> AD password synchronization.
> > DS needs to do the password hashing operation on userPassword itself, not
> > get a pre-hashed value.
> >
> ack. I tested this with a sync agreement set up between the IPA DS and
> AD, and the password went across to AD just fine.

cool, thanks for testing

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri May 30 14:24:47 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 30 May 2008 10:24:47 -0400
Subject: [Freeipa-devel] [PATCH] Add options to ipa-adduser and ipa-addgroup
Message-ID: <48400E2F.8040604@redhat.com>

Add two new options, --addattr and --setattr, to allow arbitrary attributes to be added and set when a new user or group is created.

Make the user password not mandatory and add a new option, -P, to prompt for a password interactively.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-33-options.patch
Type: text/x-patch
Size: 9139 bytes
Desc: not available

From nkinder at redhat.com Fri May 30 15:04:26 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 30 May 2008 08:04:26 -0700
Subject: [Freeipa-devel] [PATCH] Add options to ipa-adduser and ipa-addgroup
In-Reply-To: <48400E2F.8040604@redhat.com>
References: <48400E2F.8040604@redhat.com>
Message-ID: <4840177A.4030008@redhat.com>

Rob Crittenden wrote:
> Add two new options, --addattr and --setattr, to allow arbitrary
> attributes to be added and set when a new user or group is created.
>
> Make the user password not mandatory and add a new option, -P, to prompt
> for a password interactively.
ack.
>
> rob

From rcritten at redhat.com Fri May 30 15:09:29 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 30 May 2008 11:09:29 -0400
Subject: [Freeipa-devel] [PATCH] minor man page fixes
Message-ID: <484018A9.1060100@redhat.com>

Fix some language issues and add some clarity.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-34-man.patch
Type: text/x-patch
Size: 1832 bytes
Desc: not available

From ssorce at redhat.com Fri May 30 15:14:47 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 30 May 2008 11:14:47 -0400
Subject: [Freeipa-devel] [PATCH] Fix bindinstance usage that was causing uninstall to fail
In-Reply-To: <483E19F8.6020907@redhat.com>
References: <483E19F8.6020907@redhat.com>
Message-ID: <1212160487.12605.149.camel@localhost.localdomain>

On Wed, 2008-05-28 at 22:50 -0400, Rob Crittenden wrote:
> Make check_inst() a standalone function in bindinstance.
>
> When an install instance is created that contains a pointer to a
> sysrestore point, it loads the current configuration when
> instantiated. If an instance is instantiated but not used, then
> changes may occur to the system state that it is unaware of. So one
> needs to take care in the order that things are done to avoid losing
> information.
>
> When bind was set up it was overwriting all data in sysrestore.state
> and leaving just a [named] section. This caused problems at uninstall.

ack

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri May 30 15:24:16 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 30 May 2008 11:24:16 -0400
Subject: [Freeipa-devel] [PATCH] Fix bindinstance usage that was causing uninstall to fail
In-Reply-To: <1212160487.12605.149.camel@localhost.localdomain>
References: <483E19F8.6020907@redhat.com> <1212160487.12605.149.camel@localhost.localdomain>
Message-ID: <48401C20.5050203@redhat.com>

Simo Sorce wrote:
> On Wed, 2008-05-28 at 22:50 -0400, Rob Crittenden wrote:
>> Make check_inst() a standalone function in bindinstance.
>>
>> When an install instance is created that contains a pointer to a
>> sysrestore point, it loads the current configuration when
>> instantiated. If an instance is instantiated but not used, then
>> changes may occur to the system state that it is unaware of. So one
>> needs to take care in the order that things are done to avoid losing
>> information.
>>
>> When bind was set up it was overwriting all data in sysrestore.state
>> and leaving just a [named] section. This caused problems at uninstall.
>
> ack

pushed to master and ipa-1-0

From rcritten at redhat.com Fri May 30 15:24:28 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 30 May 2008 11:24:28 -0400
Subject: [Freeipa-devel] [PATCH] Add options to ipa-adduser and ipa-addgroup
In-Reply-To: <4840177A.4030008@redhat.com>
References: <48400E2F.8040604@redhat.com> <4840177A.4030008@redhat.com>
Message-ID: <48401C2C.5030906@redhat.com>

Nathan Kinder wrote:
> Rob Crittenden wrote:
>> Add two new options, --addattr and --setattr, to allow arbitrary
>> attributes to be added and set when a new user or group is created.
>>
>> Make the user password not mandatory and add a new option, -P, to prompt
>> for a password interactively.
> ack.

pushed to master and ipa-1-0

From ssorce at redhat.com Fri May 30 16:20:49 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 30 May 2008 12:20:49 -0400
Subject: [Freeipa-devel] [PATCH] minor man page fixes
In-Reply-To: <484018A9.1060100@redhat.com>
References: <484018A9.1060100@redhat.com>
Message-ID: <1212164449.12605.157.camel@localhost.localdomain>

On Fri, 2008-05-30 at 11:09 -0400, Rob Crittenden wrote:
> Fix some language issues and add some clarity.

ack

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri May 30 17:50:36 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 30 May 2008 13:50:36 -0400
Subject: [Freeipa-devel] [PATCH] Allow ipa-memberof to build against either Fedora DS 1.1.0 or 1.1.1
In-Reply-To: <483EE184.1020607@redhat.com>
References: <483EE184.1020607@redhat.com>
Message-ID: <48403E6C.9090005@redhat.com>

Rich Megginson wrote:
> This is only for ipa-1-0. Fedora DS 1.1.1 includes the memberof
> plugin. IPA should use this one instead of its own. However, ipa-1-0
> code may want to build against either the old slapi task functions or
> the new ones, so this patch allows that for ipa-1-0.
>
pushed to master.

From rcritten at redhat.com Fri May 30 18:24:35 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 30 May 2008 14:24:35 -0400
Subject: [Freeipa-devel] [PATCH] move version to ipa-python
Message-ID: <48404663.10304@redhat.com>

Move version.py to the common ipa directory instead of being server-based so it can be used by the client tool.

Fix the client tool imports to fail more gracefully.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-35-version.patch
Type: text/x-patch
Size: 7814 bytes
Desc: not available

From rcritten at redhat.com Fri May 30 18:45:00 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 30 May 2008 14:45:00 -0400
Subject: [Freeipa-devel] [PATCH] improve ipa-client-install prompts
Message-ID: <48404B2C.9000102@redhat.com>

Try to clear up messages prompting for domain and IPA server when DNS discovery fails to find them.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-36-client.patch
Type: text/x-patch
Size: 1906 bytes
Desc: not available

From ssorce at redhat.com Fri May 30 19:31:22 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 30 May 2008 15:31:22 -0400
Subject: [Freeipa-devel] [PATCH] improve ipa-client-install prompts
In-Reply-To: <48404B2C.9000102@redhat.com>
References: <48404B2C.9000102@redhat.com>
Message-ID: <1212175882.12605.176.camel@localhost.localdomain>

On Fri, 2008-05-30 at 14:45 -0400, Rob Crittenden wrote:
> Try to clear up messages prompting for domain and IPA server when DNS
> discovery fails to find them.

ack

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri May 30 19:33:38 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 30 May 2008 15:33:38 -0400
Subject: [Freeipa-devel] [PATCH] fix unattended install
Message-ID: <48405692.4030608@redhat.com>

Don't prompt regarding previous DS installations in unattended mode, just exit.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-37-install.patch
Type: text/x-patch
Size: 1371 bytes
Desc: not available

From ssorce at redhat.com Fri May 30 19:45:43 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 30 May 2008 15:45:43 -0400
Subject: [Freeipa-devel] [PATCH] fix unattended install
In-Reply-To: <48405692.4030608@redhat.com>
References: <48405692.4030608@redhat.com>
Message-ID: <1212176743.12605.179.camel@localhost.localdomain>

On Fri, 2008-05-30 at 15:33 -0400, Rob Crittenden wrote:
> Don't prompt regarding previous DS installations in unattended mode,
> just exit.

Should we add a --force flag so that we can force it to proceed instead?
I guess it would be useful for testing.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri May 30 19:51:22 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 30 May 2008 15:51:22 -0400
Subject: [Freeipa-devel] [PATCH] fix unattended install
In-Reply-To: <1212176743.12605.179.camel@localhost.localdomain>
References: <48405692.4030608@redhat.com> <1212176743.12605.179.camel@localhost.localdomain>
Message-ID: <48405ABA.1000206@redhat.com>

Simo Sorce wrote:
> On Fri, 2008-05-30 at 15:33 -0400, Rob Crittenden wrote:
>> Don't prompt regarding previous DS installations in unattended mode,
>> just exit.
>
> Should we add a --force flag so that we can force it to proceed instead?
> I guess it would be useful for testing.
>
> Simo.

My risk-averse nature says let it fail. Anyone else have an opinion?

rob

From nkinder at redhat.com Fri May 30 19:54:01 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 30 May 2008 12:54:01 -0700
Subject: [Freeipa-devel] [PATCH] fix unattended install
In-Reply-To: <48405ABA.1000206@redhat.com>
References: <48405692.4030608@redhat.com> <1212176743.12605.179.camel@localhost.localdomain> <48405ABA.1000206@redhat.com>
Message-ID: <48405B59.9070102@redhat.com>

Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Fri, 2008-05-30 at 15:33 -0400, Rob Crittenden wrote:
>>> Don't prompt regarding previous DS installations in unattended mode,
>>> just exit.
>>
>> Should we add a --force flag so that we can force it to proceed instead?
>> I guess it would be useful for testing.
>>
>> Simo.
>
> My risk-averse nature says let it fail. Anyone else have an opinion?
Agreed.
>
> rob

From ssorce at redhat.com Fri May 30 19:54:50 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 30 May 2008 15:54:50 -0400
Subject: [Freeipa-devel] [PATCH] fix unattended install
In-Reply-To: <48405B59.9070102@redhat.com>
References: <48405692.4030608@redhat.com> <1212176743.12605.179.camel@localhost.localdomain> <48405ABA.1000206@redhat.com> <48405B59.9070102@redhat.com>
Message-ID: <1212177290.12605.181.camel@localhost.localdomain>

On Fri, 2008-05-30 at 12:54 -0700, Nathan Kinder wrote:
> Rob Crittenden wrote:
> > Simo Sorce wrote:
> >> On Fri, 2008-05-30 at 15:33 -0400, Rob Crittenden wrote:
> >>> Don't prompt regarding previous DS installations in unattended mode,
> >>> just exit.
> >>
> >> Should we add a --force flag so that we can force it to proceed instead?
> >> I guess it would be useful for testing.
> >>
> >> Simo.
> >
> > My risk-averse nature says let it fail. Anyone else have an opinion?
> Agreed.

ok then it is an ack for the patch as is.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From mgregg at redhat.com Fri May 30 19:45:55 2008
From: mgregg at redhat.com (Michael Gregg)
Date: Fri, 30 May 2008 12:45:55 -0700
Subject: [Freeipa-devel] [PATCH] fix unattended install
In-Reply-To: <48405ABA.1000206@redhat.com>
References: <48405692.4030608@redhat.com> <1212176743.12605.179.camel@localhost.localdomain> <48405ABA.1000206@redhat.com>
Message-ID: <48405973.5020509@redhat.com>

Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Fri, 2008-05-30 at 15:33 -0400, Rob Crittenden wrote:
>>> Don't prompt regarding previous DS installations in unattended mode,
>>> just exit.
>>
>> Should we add a --force flag so that we can force it to proceed instead?
>> I guess it would be useful for testing.
>>
>> Simo.
>
> My risk-averse nature says let it fail. Anyone else have an opinion?
>
> rob
I'm happy with just letting it fail. Adding the force flag introduces possible problems I don't want to deal with.

From rcritten at redhat.com Fri May 30 20:15:26 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 30 May 2008 16:15:26 -0400
Subject: [Freeipa-devel] [PATCH] fix unattended install
In-Reply-To: <1212177290.12605.181.camel@localhost.localdomain>
References: <48405692.4030608@redhat.com> <1212176743.12605.179.camel@localhost.localdomain> <48405ABA.1000206@redhat.com> <48405B59.9070102@redhat.com> <1212177290.12605.181.camel@localhost.localdomain>
Message-ID: <4840605E.3060604@redhat.com>

Simo Sorce wrote:
> On Fri, 2008-05-30 at 12:54 -0700, Nathan Kinder wrote:
>> Rob Crittenden wrote:
>>> Simo Sorce wrote:
>>>> On Fri, 2008-05-30 at 15:33 -0400, Rob Crittenden wrote:
>>>>> Don't prompt regarding previous DS installations in unattended mode,
>>>>> just exit.
>>>> Should we add a --force flag so that we can force it to proceed instead?
>>>> I guess it would be useful for testing.
>>>>
>>>> Simo.
>>>>
>>> My risk-averse nature says let it fail. Anyone else have an opinion?
>> Agreed.
>
> ok then it is an ack for the patch as is.
>
> Simo.
>

pushed to ipa-1-0 and master

From matt.flusche at cox.net Sat May 31 21:33:20 2008
From: matt.flusche at cox.net (Matt Flusche)
Date: Sat, 31 May 2008 16:33:20 -0500
Subject: [Freeipa-devel] ipa_kpasswd - server error
Message-ID:

Hello,

I've been testing freeipa for a few weeks. Current configuration is fedora 9 x86_64 and ipa-1.0.0-6.

I'm having a problem with ipa_kpasswd I can't seem to get past. I'm getting a "Server error: Server Error" from kpasswd.

ipa_kpasswd is logging the following:

kpasswd[14969]: Unable to bind to ldap server

ns-slapd is logging the following:

conn=17 received a non-LDAP message (tag 0x53, expected 0x30)

The kadmin/changepw principal seems to be working. I can run the following successfully to test:

# kinit -V -k -t /var/kerberos/krb5kdc/kpasswd.keytab kadmin/changepw
# ldapsearch -v -Y GSSAPI

Suggestions?

Thanks.
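An added example, not part of this thread and not FreeIPA or 389 Directory Server code, to show what the ns-slapd log line above is checking. Every LDAPMessage (RFC 4511) is a BER SEQUENCE, so the first octet on the wire must be 0x30; the server saw 0x53, which is the ASCII code for 'S', so the bytes it received were not BER at all. The checker below decodes just the outer envelope (SEQUENCE, messageID INTEGER, protocolOp tag) and reports either the operation or the same "non-LDAP message" diagnosis. The sample byte strings are constructed for the example, not captured from kpasswd.

```python
# Added example: classify a byte stream as an LDAP PDU or a "non-LDAP message".
# Not FreeIPA or ns-slapd code; the sample inputs below are constructed.
from typing import Dict, Tuple

LDAP_MESSAGE_TAG = 0x30   # BER SEQUENCE: the outer tag of every LDAPMessage
INTEGER_TAG = 0x02        # messageID is a BER INTEGER

# [APPLICATION n] tags of the protocolOp CHOICE (RFC 4511, section 4.1.1);
# constructed ops carry 0x60 + n, primitive ops 0x40 + n.
PROTOCOL_OPS = {
    0x60: "bindRequest", 0x61: "bindResponse", 0x42: "unbindRequest",
    0x63: "searchRequest", 0x64: "searchResEntry", 0x65: "searchResDone",
    0x66: "modifyRequest", 0x67: "modifyResponse", 0x68: "addRequest",
    0x69: "addResponse", 0x4a: "delRequest", 0x6b: "delResponse",
    0x77: "extendedReq", 0x78: "extendedResp",
}


def read_ber_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, offset just after the length octets) for the BER length at pos."""
    first = data[pos]
    if first < 0x80:                       # short form: one octet
        return first, pos + 1
    n = first & 0x7F                       # long form: n octets of length follow
    if n == 0 or n > 4 or pos + 1 + n > len(data):
        raise ValueError("unsupported or truncated BER length")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def inspect_ldap_message(data: bytes) -> Dict[str, object]:
    """Decode the LDAPMessage envelope; mirror the server's tag check on failure."""
    if not data:
        return {"ok": False, "reason": "empty"}
    tag = data[0]
    if tag != LDAP_MESSAGE_TAG:
        printable = chr(tag) if 0x20 <= tag < 0x7F else "?"
        return {"ok": False, "tag": tag,
                "reason": f"non-LDAP message (tag 0x{tag:02x} '{printable}', expected 0x30)"}
    try:
        total, pos = read_ber_length(data, 1)
        if pos + total > len(data):
            return {"ok": False, "tag": tag, "reason": "truncated LDAPMessage"}
        if data[pos] != INTEGER_TAG:
            return {"ok": False, "tag": tag, "reason": "messageID is not an INTEGER"}
        id_len, pos = read_ber_length(data, pos + 1)
        message_id = int.from_bytes(data[pos:pos + id_len], "big", signed=True)
        pos += id_len
        op_tag = data[pos]                 # first octet of the protocolOp
    except (ValueError, IndexError) as exc:
        return {"ok": False, "tag": tag, "reason": f"malformed BER: {exc}"}
    return {"ok": True, "tag": tag, "message_id": message_id,
            "protocol_op": PROTOCOL_OPS.get(op_tag, f"unknown(0x{op_tag:02x})")}


# Constructed samples (not captured traffic):
# anonymous simple BindRequest, messageID 1, version 3:
#   30 0c  02 01 01  60 07  02 01 03  04 00  80 00
BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")
# UnbindRequest, messageID 2:  30 05  02 01 02  42 00
UNBIND_REQUEST = bytes.fromhex("30050201024200")
# something that is not BER at all; its first byte is 0x53 ('S')
PLAIN_TEXT = b"Some plain-text greeting\r\n"

if __name__ == "__main__":
    for sample in (BIND_REQUEST, UNBIND_REQUEST, PLAIN_TEXT):
        print(inspect_ldap_message(sample))
```

Run stand-alone it prints a decoded bindRequest, a decoded unbindRequest, and the non-LDAP diagnosis for the text sample. When the directory server logs this message, the useful defensive question is therefore not "which LDAP operation failed" but "what on the client side wrote non-BER bytes to the LDAP port": the client's bind never reached the protocol layer, which is consistent with kpasswd's own "Unable to bind to ldap server".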
