From mnagy at redhat.com Mon Sep 8 16:48:42 2008 From: mnagy at redhat.com (Martin Nagy) Date: Mon, 8 Sep 2008 18:48:42 +0200 Subject: [Freeipa-devel] [PATCH] Rework config.py and change cli tools Message-ID: <20080908184842.3db72f18@notas> Done some reworking of config.py and also changed the way we use the option parser in command line utilities. I also occasionally did some very minor cosmetic changes along the way. -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Rework-config.py-and-change-cli-tools.patch Type: text/x-patch Size: 63646 bytes Desc: not available URL: From mnagy at redhat.com Tue Sep 9 13:29:09 2008 From: mnagy at redhat.com (Martin Nagy) Date: Tue, 9 Sep 2008 15:29:09 +0200 Subject: [Freeipa-devel] [PATCH] Rework config.py and change cli tools In-Reply-To: <20080908184842.3db72f18@notas> References: <20080908184842.3db72f18@notas> Message-ID: <20080909152909.669eca91@wolverine.englab.brq.redhat.com> On Mon, 8 Sep 2008 18:48:42 +0200, Martin Nagy wrote: > Done some reworking of config.py and also changed the way we use the > option parser in command line utilities. I also occasionally did some > very minor cosmetic changes along the way. Fix the behavior of not reading the servers from ipa.conf if we have specified them on the command line. This is a cumulative patch, apply on top of the first one. When commiting, I will squash them into one patch. Martin -------------- next part -------------- A non-text attachment was scrubbed... 
Name: 0002-Try-servers-from-ipa.conf-even-if-we-specified-them.patch Type: text/x-patch Size: 865 bytes Desc: not available URL: From rcritten at redhat.com Tue Sep 9 19:57:03 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 09 Sep 2008 15:57:03 -0400 Subject: [Freeipa-devel] [PATCH] LDAP update tool Message-ID: <48C6D50F.4010207@redhat.com> Tool for doing configuration updates over LDAP This tool takes as input a file which contains basically an LDIF, prefixed with a command: default, add, remove or only. These define the operations to perform such as adding new entries, adding new sub-entries to an existing entry, adding or modifying attributes in a record. If an index entry is modified a task is created to re-create the index. Schema may be added using this tool. The idea of this tool is that we can provide a directory of change files and iterate through them and have the IPA configuration updated. The syntax can be found at http://freeipa.org/page/LdapUpdate I haven't integrated this into the install process yet but we should be able to eliminate initializing the DS with LDIFs and instead just use update files. For starters though the installer will just try to run through them once things are all set up. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-80-ldapupdate.patch Type: text/x-patch Size: 20427 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From mnagy at redhat.com Tue Sep 9 22:48:23 2008 From: mnagy at redhat.com (Martin Nagy) Date: Wed, 10 Sep 2008 00:48:23 +0200 Subject: [Freeipa-devel] [PATCH] More strict input checks in ipa-pwpolicy and return non-zero when unsuccessful Message-ID: <20080910004823.088b846f@notas> Make sure the minimal password lifetime is not larger than the maximal. 
Exit with non-zero status if we fail because of bad input from the user. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-More-strict-input-checks-in-ipa-pwpolicy-and-return.patch Type: text/x-patch Size: 1541 bytes Desc: not available URL: From mnagy at redhat.com Wed Sep 10 11:40:02 2008 From: mnagy at redhat.com (Martin Nagy) Date: Wed, 10 Sep 2008 13:40:02 +0200 Subject: [Freeipa-devel] [PATCH] Ignore GSS exception when iterating through server list Message-ID: <20080910134002.5cd2d89c@wolverine.englab.brq.redhat.com> When we are attempting to connect to the list of server, we are prepared for connection errors and deal with them by trying another server. This patch makes sure we also ignore GSS errors. This is useful in cases where the server is not in the kerberos database. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Ignore-GSS-exception-when-iterating-through-server-l.patch Type: text/x-patch Size: 800 bytes Desc: not available URL: From mnagy at redhat.com Wed Sep 10 11:52:18 2008 From: mnagy at redhat.com (Martin Nagy) Date: Wed, 10 Sep 2008 13:52:18 +0200 Subject: [Freeipa-devel] [PATCH] Fix the -G option of ipa-adduser Message-ID: <20080910135218.0219ac00@wolverine.englab.brq.redhat.com> Adding users with additional groups should work fine with this patch. Also, I altered the behavior so that the user is not added unless all the groups exist. I think this is more convenient for the user who makes a typo. Martin -------------- next part -------------- A non-text attachment was scrubbed... 
Name: 0001-Fix-the-G-option-of-ipa-adduser.patch Type: text/x-patch Size: 2232 bytes Desc: not available URL: From rcritten at redhat.com Wed Sep 10 13:04:36 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 10 Sep 2008 09:04:36 -0400 Subject: [Freeipa-devel] [PATCH] More strict input checks in ipa-pwpolicy and return non-zero when unsuccessful In-Reply-To: <20080910004823.088b846f@notas> References: <20080910004823.088b846f@notas> Message-ID: <48C7C5E4.5030002@redhat.com> Martin Nagy wrote: > Make sure the minimal password lifetime is not larger than the maximal. > Exit with non-zero status if we fail because of bad input from the user. > > Martin Just a minor change: "Maximal length of password life must be greater then the minimal" It think should be: "Maximum password life must be greater than minimum" Ack. You can fix up the language when you commit. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Wed Sep 10 13:29:39 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 10 Sep 2008 09:29:39 -0400 Subject: [Freeipa-devel] [PATCH] Ignore GSS exception when iterating through server list In-Reply-To: <20080910134002.5cd2d89c@wolverine.englab.brq.redhat.com> References: <20080910134002.5cd2d89c@wolverine.englab.brq.redhat.com> Message-ID: <48C7CBC3.9060009@redhat.com> Martin Nagy wrote: > When we are attempting to connect to the list of server, we are > prepared for connection errors and deal with them by trying another > server. This patch makes sure we also ignore GSS errors. This is useful > in cases where the server is not in the kerberos database. > > Martin > Ack -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Wed Sep 10 13:37:29 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 10 Sep 2008 09:37:29 -0400 Subject: [Freeipa-devel] [PATCH] Fix the -G option of ipa-adduser In-Reply-To: <20080910135218.0219ac00@wolverine.englab.brq.redhat.com> References: <20080910135218.0219ac00@wolverine.englab.brq.redhat.com> Message-ID: <48C7CD99.6050304@redhat.com> Martin Nagy wrote: > Adding users with additional groups should work fine with this patch. > Also, I altered the behavior so that the user is not added unless all > the groups exist. I think this is more convenient for the user who > makes a typo. > > Martin > Ack -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Wed Sep 10 17:00:47 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 10 Sep 2008 13:00:47 -0400 Subject: [Freeipa-devel] [PATCH] additional LDAP Updater work Message-ID: <48C7FD3F.5000506@redhat.com> This patch includes some update files and a few enhancements to ipa-ldap-updater. The update files include configuration for the slapi-nis plugin and support for RFC 4876 configuration profiles. I've used this to simplify configuration of Solaris clients using native nss_ldap. One problem I'm having is determining the order in which to apply the updates. Should we number these files and apply them in that order (and end up running out of numbers)? Should we create subdirectories of types of updates and apply that way? We need to apply new schema before anything else, ensure parent entries exist, etc. I think I'd like to avoid having everything in one humongous update file if possible, though that would solve the problem. 
In my testing I've used a horrible command-line to apply them by date-modified: # /usr/sbin/ipa-ldap-updater -t `ls -1tr /usr/share/ipa/updates/ | xargs -I '{}' echo '/usr/share/ipa/updates/{}'` Definitely not good :-( So I'm looking for suggestions. I don't expect an "ack" on this patch, it is supplied mostly to better illustrate what I'm doing. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-81-ldapupdate.patch Type: text/x-patch Size: 38902 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Wed Sep 10 17:18:00 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 10 Sep 2008 13:18:00 -0400 Subject: [Freeipa-devel] [PATCH] Rework config.py and change cli tools In-Reply-To: <20080908184842.3db72f18@notas> References: <20080908184842.3db72f18@notas> Message-ID: <48C80148.7080808@redhat.com> Martin Nagy wrote: > Done some reworking of config.py and also changed the way we use the > option parser in command line utilities. I also occasionally did some > very minor cosmetic changes along the way. > > Ack -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Wed Sep 10 17:18:31 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 10 Sep 2008 13:18:31 -0400 Subject: [Freeipa-devel] [PATCH] Rework config.py and change cli tools In-Reply-To: <20080909152909.669eca91@wolverine.englab.brq.redhat.com> References: <20080908184842.3db72f18@notas> <20080909152909.669eca91@wolverine.englab.brq.redhat.com> Message-ID: <48C80167.1080400@redhat.com> Martin Nagy wrote: > On Mon, 8 Sep 2008 18:48:42 +0200, Martin Nagy wrote: > >> Done some reworking of config.py and also changed the way we use the >> option parser in command line utilities. I also occasionally did some >> very minor cosmetic changes along the way. > > Fix the behavior of not reading the servers from ipa.conf if we have > specified them on the command line. This is a cumulative patch, apply > on top of the first one. When commiting, I will squash them into one > patch. > > Martin Ack -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Sep 11 17:17:57 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 11 Sep 2008 11:17:57 -0600 Subject: [Freeipa-devel] Please review: Bug 459729 - Windows sync support in IPA - setup and configuration Message-ID: <48C952C5.3070103@redhat.com> https://bugzilla.redhat.com/show_bug.cgi?id=459729 Resolves: bug 459729 Bug Description: Windows sync support in IPA- setup and configuration Reviewed by: ??? Files: see diff Branch: HEAD Fix Description: This patch adds support for Windows Sync and the IPA Winsync plugin ipa-server-install and ipa-replica-manage The only change to server install is to just add the ipa winsync plugin config entry. A Windows Sync agreement is added via ipa-replica-manage add. 
I had to add additional flags to make it work: --port=PORT port number of other server --binddn=BINDDN Bind DN to use with remote server --bindpw=BINDPW Password for Bind DN to use with remote server --winsync This is a Windows Sync Agreement --cacert=CACERT Full path and filename of CA certificate to use with TLS/SSL to the remote server The tricky part is installing the Windows CA cert. I had to add support to shutdown the ds, install the ca cert in the ds cert db, and restart the ds, before adding the sync agreement. The rest was pretty easy, since replication agreements are almost like sync agreements. Platforms tested: Fedora 9 Flag Day: no Doc impact: no https://bugzilla.redhat.com/attachment.cgi?id=316460&action=diff From rmeggins at redhat.com Thu Sep 11 20:41:15 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 11 Sep 2008 14:41:15 -0600 Subject: [Freeipa-devel] [PATCH] LDAP update tool In-Reply-To: <48C6D50F.4010207@redhat.com> References: <48C6D50F.4010207@redhat.com> Message-ID: <48C9826B.5090703@redhat.com> Rob Crittenden wrote: > Tool for doing configuration updates over LDAP > > This tool takes as input a file which contains basically an LDIF, > prefixed with a command: default, add, remove or only. These define > the operations to perform such as adding new entries, adding new > sub-entries to an existing entry, adding or modifying attributes in a > record. > > If an index entry is modified a task is created to re-create the index. > > Schema may be added using this tool. > > The idea of this tool is that we can provide a directory of change > files and iterate through them and have the IPA configuration updated. > > The syntax can be found at http://freeipa.org/page/LdapUpdate > > I haven't integrated this into the install process yet but we should > be able to eliminate initializing the DS with LDIFs and instead just > use update files. For starters though the installer will just try to > run through them once things are all set up. 
ack > > rob > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From mnagy at redhat.com Thu Sep 11 20:59:06 2008 From: mnagy at redhat.com (Martin Nagy) Date: Thu, 11 Sep 2008 22:59:06 +0200 Subject: [Freeipa-devel] [PATCH] Rework config.py and change cli tools In-Reply-To: <20080908184842.3db72f18@notas> References: <20080908184842.3db72f18@notas> Message-ID: <20080911225906.0b00e184@notas> Martin Nagy wrote: > Done some reworking of config.py and also changed the way we use the > option parser in command line utilities. I also occasionally did some > very minor cosmetic changes along the way. Another additional patch changing the tools that were included in the security update. Martin From mnagy at redhat.com Thu Sep 11 21:02:35 2008 From: mnagy at redhat.com (Martin Nagy) Date: Thu, 11 Sep 2008 23:02:35 +0200 Subject: [Freeipa-devel] [PATCH] Rework config.py and change cli tools In-Reply-To: <20080911225906.0b00e184@notas> References: <20080908184842.3db72f18@notas> <20080911225906.0b00e184@notas> Message-ID: <20080911230235.113f4a62@notas> Martin Nagy wrote: > Martin Nagy wrote: > > Done some reworking of config.py and also changed the way we use the > > option parser in command line utilities. I also occasionally did > > some very minor cosmetic changes along the way. > > Another additional patch changing the tools that were included in the > security update. > > Martin Trying again as the patch was empty.. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: 0001-Additional-changes-for-sec-patch.patch Type: text/x-patch Size: 8126 bytes Desc: not available URL: From rcritten at redhat.com Thu Sep 11 21:09:49 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 11 Sep 2008 17:09:49 -0400 Subject: [Freeipa-devel] [PATCH] Rework config.py and change cli tools In-Reply-To: <20080911230235.113f4a62@notas> References: <20080908184842.3db72f18@notas> <20080911225906.0b00e184@notas> <20080911230235.113f4a62@notas> Message-ID: <48C9891D.3000604@redhat.com> Martin Nagy wrote: > Martin Nagy wrote: >> Martin Nagy wrote: >>> Done some reworking of config.py and also changed the way we use the >>> option parser in command line utilities. I also occasionally did >>> some very minor cosmetic changes along the way. >> Another additional patch changing the tools that were included in the >> security update. >> >> Martin > > Trying again as the patch was empty.. ack -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From dpal at redhat.com Thu Sep 11 21:19:26 2008 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 11 Sep 2008 17:19:26 -0400 Subject: [Freeipa-devel] New content on the FreeIPA web site: Design Pages and Updated PRD Message-ID: <48C98B5E.8030200@redhat.com> Dear FreeIPA Community, In the last few months the FreeIPA development team has been focusing on R&D for the features and components that will be released as a part of version 2. We are approaching the conclusion of this research phase and we are happy to announce that we are going to update the project web site with the results of this activity. The first thing we published is a revised PRD. http://freeipa.org/page/V2BPRD The new PRD contains all the requirements that we think should considered for inclusion into FreeIPA version 2. 
We will keep updating the PRD and the upcoming changes will highlight the requirements that we may defer to later versions based on resources and time estimates. We have put a lot of thinking into how different components and parts of the system will work together. We are about to publish design pages that express our implementation plans and ideas. The first one we are going to publish is about the IPA client design. We will follow it with other pages covering policy management, description of the new directory server objects, new pluggable management framework, UI and other related material. http://freeipa.org/page/DocumentationV2 Your feedback is very important! You are welcome to contribute in any area you find interesting whether it be design, documentation, code or anything else. Thank you, FreeIPA Team From mnagy at redhat.com Thu Sep 11 21:35:21 2008 From: mnagy at redhat.com (Martin Nagy) Date: Thu, 11 Sep 2008 23:35:21 +0200 Subject: [Freeipa-devel] [PATCH] Rework config.py and change cli tools In-Reply-To: <48C80148.7080808@redhat.com> References: <20080908184842.3db72f18@notas> <48C80148.7080808@redhat.com> Message-ID: <20080911233521.267f54e2@notas> Rob Crittenden wrote: > Martin Nagy wrote: > > Done some reworking of config.py and also changed the way we use the > > option parser in command line utilities. I also occasionally did > > some very minor cosmetic changes along the way. 
> > > > > > Ack pushed to master From mnagy at redhat.com Thu Sep 11 21:39:01 2008 From: mnagy at redhat.com (Martin Nagy) Date: Thu, 11 Sep 2008 23:39:01 +0200 Subject: [Freeipa-devel] [PATCH] Ignore GSS exception when iterating through server list In-Reply-To: <48C7CBC3.9060009@redhat.com> References: <20080910134002.5cd2d89c@wolverine.englab.brq.redhat.com> <48C7CBC3.9060009@redhat.com> Message-ID: <20080911233901.0ac69905@notas> Rob Crittenden wrote: > Martin Nagy wrote: > > When we are attempting to connect to the list of server, we are > > prepared for connection errors and deal with them by trying another > > server. This patch makes sure we also ignore GSS errors. This is > > useful in cases where the server is not in the kerberos database. > > > > Martin > > > > Ack pushed to master From mnagy at redhat.com Thu Sep 11 21:39:59 2008 From: mnagy at redhat.com (Martin Nagy) Date: Thu, 11 Sep 2008 23:39:59 +0200 Subject: [Freeipa-devel] [PATCH] Fix the -G option of ipa-adduser In-Reply-To: <48C7CD99.6050304@redhat.com> References: <20080910135218.0219ac00@wolverine.englab.brq.redhat.com> <48C7CD99.6050304@redhat.com> Message-ID: <20080911233959.50970133@notas> Rob Crittenden wrote: > Martin Nagy wrote: > > Adding users with additional groups should work fine with this > > patch. Also, I altered the behavior so that the user is not added > > unless all the groups exist. I think this is more convenient for > > the user who makes a typo. 
> > > > Martin > > > > Ack pushed to master From mnagy at redhat.com Thu Sep 11 23:20:48 2008 From: mnagy at redhat.com (Martin Nagy) Date: Fri, 12 Sep 2008 01:20:48 +0200 Subject: [Freeipa-devel] [PATCH] LDAP update tool In-Reply-To: <48C6D50F.4010207@redhat.com> References: <48C6D50F.4010207@redhat.com> Message-ID: <20080912012048.3de9e6bd@notas> Rob Crittenden wrote: > Tool for doing configuration updates over LDAP > > This tool takes as input a file which contains basically an LDIF, > prefixed with a command: default, add, remove or only. These define > the operations to perform such as adding new entries, adding new > sub-entries to an existing entry, adding or modifying attributes in a > record. > > If an index entry is modified a task is created to re-create the > index. > > Schema may be added using this tool. > > The idea of this tool is that we can provide a directory of change > files and iterate through them and have the IPA configuration updated. > > The syntax can be found at http://freeipa.org/page/LdapUpdate > > I haven't integrated this into the install process yet but we should > be able to eliminate initializing the DS with LDIFs and instead just > use update files. For starters though the installer will just try to > run through them once things are all set up. > > rob Hi, I attached a patch that would take into account latest commited changes.. I also attached a patch for changing the SyntaxError exception to our custom one and catch it down. Might be good to squash these into your patch before you push if you think they are ok.. Otherwise I didn't review the tool much since Rich already acked it. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Adjust-ipa-ldap-updater-to-new-config.py.patch Type: text/x-patch Size: 2070 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: 0002-Use-a-custom-class-for-exceptions-when-handling-synt.patch Type: text/x-patch Size: 2594 bytes Desc: not available URL: From mnagy at redhat.com Fri Sep 12 00:09:30 2008 From: mnagy at redhat.com (Martin Nagy) Date: Fri, 12 Sep 2008 02:09:30 +0200 Subject: [Freeipa-devel] [PATCH] More strict input checks in ipa-pwpolicy and return non-zero when unsuccessful In-Reply-To: <48C7C5E4.5030002@redhat.com> References: <20080910004823.088b846f@notas> <48C7C5E4.5030002@redhat.com> Message-ID: <20080912020930.696694a0@notas> Rob Crittenden wrote: > Martin Nagy wrote: > > Make sure the minimal password lifetime is not larger than the > > maximal. Exit with non-zero status if we fail because of bad input > > from the user. > > > > Martin > > Just a minor change: > > "Maximal length of password life must be greater then the minimal" > > It think should be: > > "Maximum password life must be greater than minimum" > > Ack. You can fix up the language when you commit. > > rob pushed to master From rcritten at redhat.com Fri Sep 12 13:37:06 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 12 Sep 2008 09:37:06 -0400 Subject: [Freeipa-devel] [PATCH] LDAP update tool In-Reply-To: <20080912012048.3de9e6bd@notas> References: <48C6D50F.4010207@redhat.com> <20080912012048.3de9e6bd@notas> Message-ID: <48CA7082.7060501@redhat.com> Martin Nagy wrote: > Rob Crittenden wrote: >> Tool for doing configuration updates over LDAP >> >> This tool takes as input a file which contains basically an LDIF, >> prefixed with a command: default, add, remove or only. These define >> the operations to perform such as adding new entries, adding new >> sub-entries to an existing entry, adding or modifying attributes in a >> record. >> >> If an index entry is modified a task is created to re-create the >> index. >> >> Schema may be added using this tool. 
>> >> The idea of this tool is that we can provide a directory of change >> files and iterate through them and have the IPA configuration updated. >> >> The syntax can be found at http://freeipa.org/page/LdapUpdate >> >> I haven't integrated this into the install process yet but we should >> be able to eliminate initializing the DS with LDIFs and instead just >> use update files. For starters though the installer will just try to >> run through them once things are all set up. >> >> rob > > Hi, I attached a patch that would take into account latest commited > changes.. > I also attached a patch for changing the SyntaxError exception to our > custom one and catch it down. > Might be good to squash these into your patch before you push if you > think they are ok.. Otherwise I didn't review the tool much since Rich > already acked it. > > Martin > Ack, nice patch. I'll try to take your advice and squash this in when I push my patch. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Fri Sep 12 13:57:47 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 12 Sep 2008 09:57:47 -0400 Subject: [Freeipa-devel] [PATCH] More ldap updater files/changes Message-ID: <48CA755B.5070107@redhat.com> Add some update files that can be installed. This includes 2 schema files for doing LDAP profile installs on Solaris, a default profile and configuration for the slapi-nis Schema Compatibility plugin. Also modified the updater to parse multiple files instead of just one. It iterates through them currently. Rich and I discussed instead slurping them all into memory so we can ensure that updates are properly ordered in parent/child. With this patch it is up to the user to ensure that. This also catches syntax errors a little better. rob -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-82-ldapupdate.patch Type: text/x-patch Size: 18873 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Fri Sep 12 14:12:08 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 12 Sep 2008 08:12:08 -0600 Subject: [Freeipa-devel] [PATCH] More ldap updater files/changes In-Reply-To: <48CA755B.5070107@redhat.com> References: <48CA755B.5070107@redhat.com> Message-ID: <48CA78B8.6090002@redhat.com> Rob Crittenden wrote: > Add some update files that can be installed. This includes 2 schema > files for doing LDAP profile installs on Solaris, a default profile > and configuration for the slapi-nis Schema Compatibility plugin. > > Also modified the updater to parse multiple files instead of just one. > It iterates through them currently. Rich and I discussed instead > slurping them all into memory so we can ensure that updates are > properly ordered in parent/child. With this patch it is up to the user > to ensure that. > > This also catches syntax errors a little better. ack > > rob > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Fri Sep 12 17:40:56 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 12 Sep 2008 13:40:56 -0400 Subject: [Freeipa-devel] [PATCH] fix minor usage error Message-ID: <48CAA9A8.5000200@redhat.com> Missed a += in the original patch for ipa-pwpolicy. 
rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-83-usage.patch Type: text/x-patch Size: 955 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From mnagy at redhat.com Fri Sep 12 18:00:34 2008 From: mnagy at redhat.com (Martin Nagy) Date: Fri, 12 Sep 2008 20:00:34 +0200 Subject: [Freeipa-devel] [PATCH] fix minor usage error In-Reply-To: <48CAA9A8.5000200@redhat.com> References: <48CAA9A8.5000200@redhat.com> Message-ID: <20080912200034.66f4b476@notas> Rob Crittenden wrote: > Missed a += in the original patch for ipa-pwpolicy. > > rob ack From rcritten at redhat.com Fri Sep 12 18:18:13 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 12 Sep 2008 14:18:13 -0400 Subject: [Freeipa-devel] [PATCH] fix minor usage error In-Reply-To: <20080912200034.66f4b476@notas> References: <48CAA9A8.5000200@redhat.com> <20080912200034.66f4b476@notas> Message-ID: <48CAB265.4090205@redhat.com> Martin Nagy wrote: > Rob Crittenden wrote: >> Missed a += in the original patch for ipa-pwpolicy. >> >> rob > ack pushed -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Fri Sep 12 18:40:11 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 12 Sep 2008 14:40:11 -0400 Subject: [Freeipa-devel] [PATCH] reversed logic when prompting to remove FDS instance Message-ID: <48CAB78B.7010904@redhat.com> The logic for removing an existing FDS instance is reversed! Selecting the default, "No, I want to keep my instance" will result in it being removed. rob -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-84-install.patch Type: text/x-patch Size: 1102 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Fri Sep 12 18:40:48 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 12 Sep 2008 12:40:48 -0600 Subject: [Freeipa-devel] [PATCH] reversed logic when prompting to remove FDS instance In-Reply-To: <48CAB78B.7010904@redhat.com> References: <48CAB78B.7010904@redhat.com> Message-ID: <48CAB7B0.5040000@redhat.com> Rob Crittenden wrote: > The logic for removing an existing FDS instance is reversed! Selecting > the default, "No, I want to keep my instance" will result in it being > removed. ack > > rob > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Fri Sep 12 18:43:24 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 12 Sep 2008 14:43:24 -0400 Subject: [Freeipa-devel] [PATCH] more ldap updater work Message-ID: <48CAB84C.7070209@redhat.com> Sort updates by DN length and by default process all files in the updates dir. The updates directory is currently hardcoded to /usr/share/ipa/updates. All of the files are read into memory and then sorted by the length of the DN. This is so we can be sure that parent entries are added before children. Also add a man page. This should finish things up, except for now we notify the user that this needs to be run after an update. Note that it doesn't hurt to run this over and over again. 
We need user intervention because the DM password is required.

rob

Attachment: freeipa-85-updater.patch (text/x-patch, 10622 bytes)

From rcritten at redhat.com Fri Sep 12 19:25:53 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Sep 2008 15:25:53 -0400
Subject: [Freeipa-devel] [PATCH] test for more things in ipa-server/configure
Message-ID: <48CAC241.8000306@redhat.com>

Test for more things in ipa-server/configure. This should make it a little easier to build if you don't have every conceivable -devel package installed already.

rob

Attachment: 0001-Add-more-development-packages-to-test-for.patch (text/x-patch, 3446 bytes)

From rcritten at redhat.com Fri Sep 12 19:35:25 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Sep 2008 15:35:25 -0400
Subject: [Freeipa-devel] [PATCH] reversed logic when prompting to remove FDS instance
In-Reply-To: <48CAB7B0.5040000@redhat.com>
References: <48CAB78B.7010904@redhat.com> <48CAB7B0.5040000@redhat.com>
Message-ID: <48CAC47D.8060204@redhat.com>

Rich Megginson wrote:
> Rob Crittenden wrote:
>> The logic for removing an existing FDS instance is reversed! Selecting
>> the default, "No, I want to keep my instance" will result in it being
>> removed.
> ack

pushed
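The parent-before-child ordering Rob describes in the "more ldap updater work" message above, as an added example that is not the ipa-ldap-updater code from the patch: updates are held in memory as dicts with a `dn` key, sorted by the length of the normalized DN, and a checker confirms that no child precedes a parent that is in the same batch. `normalize_dn`, `order_updates` and `parents_before_children` are assumed names, and the sample batch is constructed.

```python
"""Order LDAP update entries so parent entries are added before children.

Added example, not the ipa-ldap-updater code from the patch: it reproduces
the rule described on the list (read every update into memory, then sort by
DN length) and adds a check that the ordering really puts parents first.
"""


def normalize_dn(dn):
    """Lower-case attribute types and trim whitespace around RDNs.

    Simplified on purpose: a value containing an escaped comma (``\\,``) is
    not handled, which is fine for the plain DNs used in IPA update files.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append("%s=%s" % (attr.strip().lower(), value.strip()))
    return ",".join(rdns)


def parent_dn(dn):
    """Return the normalized parent DN, or None for a single-RDN DN."""
    _, sep, rest = normalize_dn(dn).partition(",")
    return rest if sep else None


def order_updates(updates):
    """Sort updates by DN length.

    A child's DN always ends with its parent's DN plus at least one more RDN,
    so it is strictly longer; sorting by length therefore guarantees that the
    parent comes first.  sorted() is stable, so entries with equal-length DNs
    keep the order in which they were read from the update files.
    """
    return sorted(updates, key=lambda u: len(normalize_dn(u["dn"])))


def parents_before_children(ordered):
    """True if every parent present in the batch precedes each of its children."""
    position = {}
    for index, update in enumerate(ordered):
        position.setdefault(normalize_dn(update["dn"]), index)
    for index, update in enumerate(ordered):
        parent = parent_dn(update["dn"])
        if parent in position and position[parent] > index:
            return False
    return True


# Constructed sample batch, deliberately in the wrong order: the suffix and
# the container entries come after the entries that live beneath them.
SAMPLE_UPDATES = [
    {"dn": "cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com",
     "objectclass": ["top", "groupofnames"]},
    {"dn": "CN=accounts, dc=example, dc=com",
     "objectclass": ["top", "nscontainer"]},
    {"dn": "cn=groups,cn=accounts,dc=example,dc=com",
     "objectclass": ["top", "nscontainer"]},
    {"dn": "dc=example,dc=com",
     "objectclass": ["top", "domain"]},
]

if __name__ == "__main__":
    for update in order_updates(SAMPLE_UPDATES):
        print(update["dn"])
```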
From ssorce at redhat.com Fri Sep 12 19:55:04 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 12 Sep 2008 15:55:04 -0400
Subject: [Freeipa-devel] [PATCH] test for more things in ipa-server/configure
In-Reply-To: <48CAC241.8000306@redhat.com>
References: <48CAC241.8000306@redhat.com>
Message-ID: <1221249304.15726.219.camel@localhost.localdomain>

On Fri, 2008-09-12 at 15:25 -0400, Rob Crittenden wrote:
> Test for more things in ipa-server/configure. This should make it a
> little easier to build if you don't have every conceivable -devel
> package installed already.

ack

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri Sep 12 20:04:50 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Sep 2008 16:04:50 -0400
Subject: [Freeipa-devel] [PATCH] test for more things in ipa-server/configure
In-Reply-To: <1221249304.15726.219.camel@localhost.localdomain>
References: <48CAC241.8000306@redhat.com> <1221249304.15726.219.camel@localhost.localdomain>
Message-ID: <48CACB62.5020807@redhat.com>

Simo Sorce wrote:
> On Fri, 2008-09-12 at 15:25 -0400, Rob Crittenden wrote:
>> Test for more things in ipa-server/configure. This should make it a
>> little easier to build if you don't have every conceivable -devel
>> package installed already.
>
> ack
>

pushed
From rcritten at redhat.com Fri Sep 12 20:05:19 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Sep 2008 16:05:19 -0400
Subject: [Freeipa-devel] [PATCH] More ldap updater files/changes
In-Reply-To: <48CA78B8.6090002@redhat.com>
References: <48CA755B.5070107@redhat.com> <48CA78B8.6090002@redhat.com>
Message-ID: <48CACB7F.5030708@redhat.com>

Rich Megginson wrote:
> Rob Crittenden wrote:
>> Add some update files that can be installed. This includes 2 schema
>> files for doing LDAP profile installs on Solaris, a default profile
>> and configuration for the slapi-nis Schema Compatibility plugin.
>>
>> Also modified the updater to parse multiple files instead of just one.
>> It iterates through them currently. Rich and I discussed instead
>> slurping them all into memory so we can ensure that updates are
>> properly ordered in parent/child. With this patch it is up to the user
>> to ensure that.
>>
>> This also catches syntax errors a little better.
> ack

pushed

From rcritten at redhat.com Fri Sep 12 20:05:37 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Sep 2008 16:05:37 -0400
Subject: [Freeipa-devel] [PATCH] LDAP update tool
In-Reply-To: <48C9826B.5090703@redhat.com>
References: <48C6D50F.4010207@redhat.com> <48C9826B.5090703@redhat.com>
Message-ID: <48CACB91.6020309@redhat.com>

Rich Megginson wrote:
> Rob Crittenden wrote:
>> Tool for doing configuration updates over LDAP
>>
>> This tool takes as input a file which contains basically an LDIF,
>> prefixed with a command: default, add, remove or only.
>> These define
>> the operations to perform such as adding new entries, adding new
>> sub-entries to an existing entry, adding or modifying attributes in a
>> record.
>>
>> If an index entry is modified a task is created to re-create the index.
>>
>> Schema may be added using this tool.
>>
>> The idea of this tool is that we can provide a directory of change
>> files and iterate through them and have the IPA configuration updated.
>>
>> The syntax can be found at http://freeipa.org/page/LdapUpdate
>>
>> I haven't integrated this into the install process yet but we should
>> be able to eliminate initializing the DS with LDIFs and instead just
>> use update files. For starters though the installer will just try to
>> run through them once things are all set up.
> ack

pushed

From rcritten at redhat.com Fri Sep 12 20:31:09 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Sep 2008 16:31:09 -0400
Subject: [Freeipa-devel] [PATCH] allow passwords to work without a tty
Message-ID: <48CAD18D.4090902@redhat.com>

getpass.getpass() requires a tty to work so it prevents one from doing something like: echo "password" | some_program

Detect if there is not a tty and use readline() instead so this will work.

rob

Attachment: freeipa-86-password.patch (text/x-patch, 1565 bytes)
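The tty check Rob's patch describes, as an added example rather than the code of freeipa-86-password.patch: `read_secret` and `read_secret_confirmed` are assumed names, and the prompt text is made up. When stdin is not a terminal the function reads one line instead of calling getpass.getpass(), which is also what Simo asks for later in the thread (the Directory Manager password fed through stdin rather than written to a file).

```python
"""Read a password from a terminal, or from a pipe when there is no tty.

Added example, not the freeipa-86-password.patch code: it shows the
fallback Rob describes.  getpass.getpass() is built for a controlling
terminal, so ``echo "password" | some_program`` cannot rely on it; when
stdin is not a tty we read a single line from it instead.  Taking the
secret on stdin also keeps it out of the command line (visible in process
listings) and out of a file on disk.
"""
import getpass
import io
import sys


def read_secret(prompt="Directory Manager password: ", stream=None):
    """Return the password without its trailing line ending.

    ``stream`` defaults to sys.stdin; passing another file-like object
    makes the non-tty path testable without an actual pipe.
    """
    if stream is None:
        stream = sys.stdin
    if stream.isatty():
        # Interactive use: getpass prompts on the terminal and suppresses echo.
        return getpass.getpass(prompt)
    # Piped or redirected input: take exactly one line.  Only the line
    # terminator is removed, so a password with leading or trailing
    # spaces survives intact.
    line = stream.readline()
    if line == "":
        raise EOFError("no password supplied on stdin")
    return line.rstrip("\r\n")


def read_secret_confirmed(prompt="Directory Manager password: ", stream=None):
    """Ask twice and insist the two entries match (installer-style prompt).

    On a pipe the caller supplies the password on two consecutive lines.
    """
    first = read_secret(prompt, stream)
    second = read_secret("Confirm " + prompt[0].lower() + prompt[1:], stream)
    if first != second:
        raise ValueError("passwords do not match")
    return first


def piped(text):
    """Constructed stand-in for a pipe: a StringIO never reports as a tty."""
    return io.StringIO(text)


if __name__ == "__main__":
    # Demonstrates the non-tty path with constructed input; sys.stdin is
    # left alone so this also runs when launched from a terminal.
    print(repr(read_secret(stream=piped("s3cret-pass\n"))))
```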
From rcritten at redhat.com Fri Sep 12 20:33:54 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Sep 2008 16:33:54 -0400
Subject: [Freeipa-devel] [PATCH] test for more things in ipa-server/configure
In-Reply-To: <1221249304.15726.219.camel@localhost.localdomain>
References: <48CAC241.8000306@redhat.com> <1221249304.15726.219.camel@localhost.localdomain>
Message-ID: <48CAD232.9000401@redhat.com>

Simo Sorce wrote:
> On Fri, 2008-09-12 at 15:25 -0400, Rob Crittenden wrote:
>> Test for more things in ipa-server/configure. This should make it a
>> little easier to build if you don't have every conceivable -devel
>> package installed already.
>
> ack
>

pushed

From rcritten at redhat.com Fri Sep 12 21:04:00 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Sep 2008 17:04:00 -0400
Subject: [Freeipa-devel] [Fwd: [Freeipa-users] FreeIPA 1.1.1 SECURITY Release]
Message-ID: <48CAD940.9070505@redhat.com>

Simo is having problems sending mail to freeipa-devel for some reason, so here is an important message from him:

-------------- next part --------------
An embedded message was scrubbed...
From: Simo Sorce
Subject: [Freeipa-users] FreeIPA 1.1.1 SECURITY Release
Date: Wed, 10 Sep 2008 16:55:51 -0400
From rcritten at redhat.com Mon Sep 15 17:04:45 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Sep 2008 13:04:45 -0400
Subject: [Freeipa-devel] [PATCH] integrate ipa-ldap-updater into installer
Message-ID: <48CE95AD.6020902@redhat.com>

This patch ties the updater into the installer. It runs as one of the last things so it can use /etc/ipa/ipa.conf and we can be fairly sure that the basic IPA server is up and running, including the KDC.

Future changes to configuration should go into an update file in freeipa/ipa-install/updates.

For now when updating a live system users will need to manually run ipa-ldap-updater after installing the new packages because the Directory Manager password is required.

rob

Attachment: freeipa87-updater.patch (text/x-patch, 4103 bytes)

From jonathansteffan at gmail.com Mon Sep 15 19:22:40 2008
From: jonathansteffan at gmail.com (Jonathan Steffan)
Date: Mon, 15 Sep 2008 13:22:40 -0600
Subject: [Freeipa-devel] Patch to Fixup Automake RHEL4
Message-ID: <984b2f890809151222n3a41d7c8r746885c55a9285a8@mail.gmail.com>

This just makes building the el4 package somewhat more sane.

--
Jonathan Steffan
jonathansteffan at gmail.com
Attachment: makeautomakework.diff (application/octet-stream, 2623 bytes)

From rcritten at redhat.com Mon Sep 15 19:28:51 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Sep 2008 15:28:51 -0400
Subject: [Freeipa-devel] [PATCH] make ipa-ldap-updater a library
Message-ID: <48CEB773.4080707@redhat.com>

Martin suggested that ipa-ldap-update should be a library which would make it easier to re-use. What a great idea, so here it is.

One of the arguments the updater takes during object init is sub_dict. This is the substitution dictionary that is used in the template engine to replace variables in the update files. It is possible to override the default values by passing in your own dictionary. Probably best to let the defaults be.

rob

Attachment: freeipa-88-updater.patch (text/x-patch, 40441 bytes)

From rcritten at redhat.com Mon Sep 15 20:29:56 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Sep 2008 16:29:56 -0400
Subject: [Freeipa-devel] Patch to Fixup Automake RHEL4
In-Reply-To: <984b2f890809151222n3a41d7c8r746885c55a9285a8@mail.gmail.com>
References: <984b2f890809151222n3a41d7c8r746885c55a9285a8@mail.gmail.com>
Message-ID: <48CEC5C4.6030402@redhat.com>

Jonathan Steffan wrote:
> This just makes building the el4 package somewhat more sane.
>

Thanks. I just have a couple of minor comments.

The version should probably be bumped up to 1.1.0 rather than 1.0.0. Ideally this could be tied into the top-level version but that may be a little non-trivial. setup.py needs the version updated as well.

Can you add a changelog entry too?
Take credit :-)

In NEWS I'd rather the URL be http://www.freeipa.org/

thanks

rob

From rcritten at redhat.com Tue Sep 16 18:00:30 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 16 Sep 2008 14:00:30 -0400
Subject: [Freeipa-devel] [PATCH] New plugin - ipa-winsync - for Windows sync support
In-Reply-To: <48ADA8CF.6020908@redhat.com>
References: <48ADA8CF.6020908@redhat.com>
Message-ID: <48CFF43E.6080302@redhat.com>

Rich Megginson wrote:
> ipa-winsync is a new SLAPI plugin that allows IPA to hook into windows
> AD <-> dirsrv user addition and modification, so that it can add
> additional objectclasses and attributes required by IPA. This depends
> on an as-yet-unreleased Fedora DS windows sync api, so it won't compile
> out in the wild just yet. It also depends on the DNA plugin to
> automatically assign the uidNumber.
>
> Several plugin points have been added to the existing windows sync code
> to allow for callbacks in several places
> * just before a DS user/group entry is added to AD
> * just before an AD user/group entry is added to DS
> * just before modifications are sent in either direction
> * just before/after a total update occurs
> * just before/after an incremental update occurs
> * to get the DN of what a new DS entry synced from AD will be
>
> And others. This is how IPA uses these:
> * NOTE: for this first version, the plugin only cares about user
> entries, not groups
> * at startup, IPA reads its global config from its plugin config entry
> * when the sync agreement is created, the IPA agmt init callback is
> called with the DS subtree and the AD subtree. The DS subtree should be
> the user container (i.e. cn=users,cn=accounts,). The IPA
> winsync plugin creates a domain specific callback object which will be
> passed back to every callback.
> * just before an init or update, the IPA winsync plugin is called. The
> plugin searches the IPA configuration entries looking for information
> like the Kerberos realm name, the list of objectclasses to add to new
> entries, the posix homeDirectory prefix, and the default gidNumber. It
> also grabs other information from the global plugin config, such as the
> list of default attributes and values to add to each user entry. It
> stores this information in the domain specific config callback object
> * windows sync code calls into ipa-winsync to get the new user DN. By
> default, ipa-winsync will "flatten" the DN. In AD it is common to have
> users grouped into OUs - IPA will "flatten" these into just the
> cn=users,cn=accounts container, and store the OUs in the OU attribute in
> the new user entry
> * windows sync code calls into ipa-winsync to add the new user - the
> callback adds the list of objectclasses and attributes if any. There
> are a couple of attributes which get special handling
> ** krbPrincipalName - this is equal to the samAccountName (== uid) '@'
> the realm name from the domain specific config
> ** homeDirectory - domain config->homedir_prefix (read from ipa config)
> '/' samAccountName (== uid)
> ** gecos - set to the cn
>
> I've created a bug to track this and to attach patch files -
> https://bugzilla.redhat.com/show_bug.cgi?id=459729
> Graphical diffs:
> https://bugzilla.redhat.com/attachment.cgi?id=314729&action=diff
> https://bugzilla.redhat.com/attachment.cgi?id=314730&action=diff
> https://bugzilla.redhat.com/attachment.cgi?id=314731&action=diff
> https://bugzilla.redhat.com/attachment.cgi?id=314732&action=diff
> https://bugzilla.redhat.com/attachment.cgi?id=314733&action=diff
>
> Raw patch files:
> https://bugzilla.redhat.com/attachment.cgi?id=314729
> https://bugzilla.redhat.com/attachment.cgi?id=314730
> https://bugzilla.redhat.com/attachment.cgi?id=314731
> https://bugzilla.redhat.com/attachment.cgi?id=314732
> https://bugzilla.redhat.com/attachment.cgi?id=314733

Some comments on the tools:

Are port, binddn, bindpw, and cacert only used with winsync? It appears that way so we need to detect that and not ignore options that are passed in. In other words, require --winsync if these are used.

In erase_ds_instance_data() looks like you added 64-bit support but you are removing /usr/lib64/... and on 32-bit we remove /var/lib/... What's the difference?

Did you mean to include the patch to not remove logs when an instance is removed?

rob

From rmeggins at redhat.com Tue Sep 16 18:09:47 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 16 Sep 2008 12:09:47 -0600
Subject: [Freeipa-devel] [PATCH] New plugin - ipa-winsync - for Windows sync support
In-Reply-To: <48CFF43E.6080302@redhat.com>
References: <48ADA8CF.6020908@redhat.com> <48CFF43E.6080302@redhat.com>
Message-ID: <48CFF66B.3050207@redhat.com>

Rob Crittenden wrote:
> Rich Megginson wrote:
>> ipa-winsync is a new SLAPI plugin that allows IPA to hook into
>> windows AD <-> dirsrv user addition and modification, so that it can
>> add additional objectclasses and attributes required by IPA. This
>> depends on an as-yet-unreleased Fedora DS windows sync api, so it
>> won't compile out in the wild just yet. It also depends on the DNA
>> plugin to automatically assign the uidNumber.
>>
>> Several plugin points have been added to the existing windows sync
>> code to allow for callbacks in several places
>> * just before a DS user/group entry is added to AD
>> * just before an AD user/group entry is added to DS
>> * just before modifications are sent in either direction
>> * just before/after a total update occurs
>> * just before/after an incremental update occurs
>> * to get the DN of what a new DS entry synced from AD will be
>>
>> And others. This is how IPA uses these:
>> * NOTE: for this first version, the plugin only cares about user
>> entries, not groups
>> * at startup, IPA reads its global config from its plugin config entry
>> * when the sync agreement is created, the IPA agmt init callback is
>> called with the DS subtree and the AD subtree. The DS subtree should
>> be the user container (i.e. cn=users,cn=accounts,). The IPA
>> winsync plugin creates a domain specific callback object which will
>> be passed back to every callback.
>> * just before an init or update, the IPA winsync plugin is called.
>> The plugin searches the IPA configuration entries looking for
>> information like the Kerberos realm name, the list of objectclasses
>> to add to new entries, the posix homeDirectory prefix, and the
>> default gidNumber. It also grabs other information from the global
>> plugin config, such as the list of default attributes and values to
>> add to each user entry. It stores this information in the domain
>> specific config callback object
>> * windows sync code calls into ipa-winsync to get the new user DN.
>> By default, ipa-winsync will "flatten" the DN. In AD it is common to
>> have users grouped into OUs - IPA will "flatten" these into just the
>> cn=users,cn=accounts container, and store the OUs in the OU attribute
>> in the new user entry
>> * windows sync code calls into ipa-winsync to add the new user - the
>> callback adds the list of objectclasses and attributes if any.
>> There
>> are a couple of attributes which get special handling
>> ** krbPrincipalName - this is equal to the samAccountName (== uid)
>> '@' the realm name from the domain specific config
>> ** homeDirectory - domain config->homedir_prefix (read from ipa
>> config) '/' samAccountName (== uid)
>> ** gecos - set to the cn
>>
>> I've created a bug to track this and to attach patch files -
>> https://bugzilla.redhat.com/show_bug.cgi?id=459729
>> Graphical diffs:
>> https://bugzilla.redhat.com/attachment.cgi?id=314729&action=diff
>> https://bugzilla.redhat.com/attachment.cgi?id=314730&action=diff
>> https://bugzilla.redhat.com/attachment.cgi?id=314731&action=diff
>> https://bugzilla.redhat.com/attachment.cgi?id=314732&action=diff
>> https://bugzilla.redhat.com/attachment.cgi?id=314733&action=diff
>>
>> Raw patch files:
>> https://bugzilla.redhat.com/attachment.cgi?id=314729
>> https://bugzilla.redhat.com/attachment.cgi?id=314730
>> https://bugzilla.redhat.com/attachment.cgi?id=314731
>> https://bugzilla.redhat.com/attachment.cgi?id=314732
>> https://bugzilla.redhat.com/attachment.cgi?id=314733
>
> Some comments on the tools:
>
> Are port, binddn, bindpw, and cacert only used with winsync? It
> appears that way so we need to detect that and not ignore options that
> are passed in. In other words, require --winsync if these are used.

It's possible they could be used outside of winsync.

>
> In erase_ds_instance_data() looks like you added 64-bit support but
> you are removing /usr/lib64/... and on 32-bit we remove /var/lib/...
> What's the difference?

64-bit DS uses /usr/lib64/dirsrv/slapd-instancename - that needs to be erased. /var/lib is used on both 64-bit and 32-bit

>
> Did you mean to include the patch to not remove logs when an instance
> is removed?

I didn't know if IPA wanted to keep the logs or not. So I put that in there commented out to show what else would need to be erased if you wanted to remove everything.
I didn't know if IPA needed to keep the logs around for some reason (e.g. an audit trail).

>
> rob
>

From mnagy at redhat.com Wed Sep 17 13:27:14 2008
From: mnagy at redhat.com (Martin Nagy)
Date: Wed, 17 Sep 2008 15:27:14 +0200
Subject: [Freeipa-devel] [PATCH] Add standard override options to ipa-replica-prepare
Message-ID: <20080917152714.33286e11@wolverine.englab.brq.redhat.com>

Fix up ipa-replica-prepare.

Fixes 462489

Attachment: 0001-Add-standard-override-options-to-ipa-replica-prepare.patch (text/x-patch, 1498 bytes)

From mnagy at redhat.com Wed Sep 17 13:30:40 2008
From: mnagy at redhat.com (Martin Nagy)
Date: Wed, 17 Sep 2008 15:30:40 +0200
Subject: [Freeipa-devel] [PATCH] Don't try to discover servers if we specified them on command line
Message-ID: <20080917153040.742e4818@wolverine.englab.brq.redhat.com>

Currently, if we specify an alternate server with the --server option, we will try it first and after that we try ipa.conf and DNS. This patch changes the behavior so that we don't try servers from ipa.conf and DNS. My reasoning is that this is more "expected" behavior.

Attachment: 0002-Don-t-try-to-discover-servers-if-we-specified-them-o.patch (text/x-patch, 2859 bytes)

From mnagy at redhat.com Wed Sep 17 13:32:49 2008
From: mnagy at redhat.com (Martin Nagy)
Date: Wed, 17 Sep 2008 15:32:49 +0200
Subject: [Freeipa-devel] [PATCH] Restart httpd and dirsrv services after yum upgrade
Message-ID: <20080917153249.4013d0cf@wolverine.englab.brq.redhat.com>

Restart httpd and dirsrv after upgrade.
Fixes 441566

Attachment: 0003-Restart-httpd-and-dirsrv-services-after-yum-upgrade.patch (text/x-patch, 1112 bytes)

From ssorce at redhat.com Wed Sep 17 13:34:54 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 17 Sep 2008 09:34:54 -0400
Subject: [Freeipa-devel] [PATCH] Restart httpd and dirsrv services after yum upgrade
In-Reply-To: <20080917153249.4013d0cf@wolverine.englab.brq.redhat.com>
References: <20080917153249.4013d0cf@wolverine.englab.brq.redhat.com>
Message-ID: <1221658494.12851.80.camel@localhost.localdomain>

On Wed, 2008-09-17 at 15:32 +0200, Martin Nagy wrote:
> +* Wed Sep 17 2008 Martin Nagy - 1.0.0-6
> +- restart httpd and dirsrv services after upgrade
> +

Are you releasing 1.0.0-6 on your own? :-P

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Sep 17 13:36:25 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 17 Sep 2008 09:36:25 -0400
Subject: [Freeipa-devel] [PATCH] Don't try to discover servers if we specified them on command line
In-Reply-To: <20080917153040.742e4818@wolverine.englab.brq.redhat.com>
References: <20080917153040.742e4818@wolverine.englab.brq.redhat.com>
Message-ID: <1221658585.12851.82.camel@localhost.localdomain>

On Wed, 2008-09-17 at 15:30 +0200, Martin Nagy wrote:
> Currently, if we specify an alternate server with the --server option, we
> will try it first and after that we try ipa.conf and DNS. This patch
> changes the behavior so that we don't try servers from ipa.conf and
> DNS. My reasoning is that this is more "expected" behavior.

Ack.
--
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Wed Sep 17 13:36:57 2008
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 17 Sep 2008 09:36:57 -0400
Subject: [Freeipa-devel] [PATCH] Don't try to discover servers if we specified them on command line
In-Reply-To: <20080917153040.742e4818@wolverine.englab.brq.redhat.com>
References: <20080917153040.742e4818@wolverine.englab.brq.redhat.com>
Message-ID: <48D107F9.6040102@redhat.com>

Martin Nagy wrote:
> Currently, if we specify an alternate server with the --server option, we
> will try it first and after that we try ipa.conf and DNS. This patch
> changes the behavior so that we don't try servers from ipa.conf and
> DNS. My reasoning is that this is more "expected" behavior.
>

ack

--
Stephen Gallagher
RHCE 804006346421761

From mnagy at redhat.com Wed Sep 17 13:38:00 2008
From: mnagy at redhat.com (Martin Nagy)
Date: Wed, 17 Sep 2008 15:38:00 +0200
Subject: [Freeipa-devel] [PATCH] Restart httpd and dirsrv services after yum upgrade
In-Reply-To: <1221658494.12851.80.camel@localhost.localdomain>
References: <20080917153249.4013d0cf@wolverine.englab.brq.redhat.com> <1221658494.12851.80.camel@localhost.localdomain>
Message-ID: <20080917153800.3ead22c4@wolverine.englab.brq.redhat.com>

On Wed, 17 Sep 2008 09:34:54 -0400, Simo Sorce wrote:
> On Wed, 2008-09-17 at 15:32 +0200, Martin Nagy wrote:
> > +* Wed Sep 17 2008 Martin Nagy - 1.0.0-6
> > +- restart httpd and dirsrv services after upgrade
> > +
>
> Are you releasing 1.0.0-6 on your own? :-P
>
> Simo.

Heh :) Didn't know any better thing to put there, besides, Rob's entry below is 1.0.0-5 and about a week old. Should I send a new patch with 1.1.1-1?

Martin

From ssorce at redhat.com Wed Sep 17 14:42:32 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 17 Sep 2008 10:42:32 -0400
Subject: [Freeipa-devel] [PATCH] Restart httpd and dirsrv services after yum upgrade
In-Reply-To: <20080917153800.3ead22c4@wolverine.englab.brq.redhat.com>
References: <20080917153249.4013d0cf@wolverine.englab.brq.redhat.com> <1221658494.12851.80.camel@localhost.localdomain> <20080917153800.3ead22c4@wolverine.englab.brq.redhat.com>
Message-ID: <1221662552.12851.96.camel@localhost.localdomain>

On Wed, 2008-09-17 at 15:38 +0200, Martin Nagy wrote:
> On Wed, 17 Sep 2008 09:34:54 -0400, Simo Sorce wrote:
>
> > On Wed, 2008-09-17 at 15:32 +0200, Martin Nagy wrote:
> > > +* Wed Sep 17 2008 Martin Nagy - 1.0.0-6
> > > +- restart httpd and dirsrv services after upgrade
> > > +
> >
> > Are you releasing 1.0.0-6 on your own? :-P
> >
> > Simo.
>
> Heh :) Didn't know any better thing to put there, besides, Rob's entry
> below is 1.0.0-5 and about a week old. Should I send a new patch with
> 1.1.1-1?

Both you and Rob should stack changelog changes with a temporary version number until a release is made.

1.2.0-0 is probably the right one to use to pile up all changes in one changelog entry.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Sep 17 13:48:57 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 17 Sep 2008 09:48:57 -0400
Subject: [Freeipa-devel] [PATCH] Fix install with EXAMPLE.COM realm
Message-ID: <1221659337.12851.84.camel@localhost.localdomain>

--
Simo Sorce * Red Hat, Inc * New York
Attachment: 0001-We-were-assuming-that-if-the-realm-was-correct-then.patch (application/mbox, 2562 bytes)

From sgallagh at redhat.com Wed Sep 17 15:03:25 2008
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 17 Sep 2008 11:03:25 -0400
Subject: [Freeipa-devel] [PATCH] Fix install with EXAMPLE.COM realm
In-Reply-To: <1221659337.12851.84.camel@localhost.localdomain>
References: <1221659337.12851.84.camel@localhost.localdomain>
Message-ID: <48D11C3D.20207@redhat.com>

Simo Sorce wrote:
>

ack

--
Stephen Gallagher
RHCE 804006346421761

From ssorce at redhat.com Wed Sep 17 15:13:22 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 17 Sep 2008 11:13:22 -0400
Subject: [Freeipa-devel] [PATCH] Remove unlikely service from the interface
Message-ID: <1221664402.12851.112.camel@localhost.localdomain>

They are just confusing and not useful by default.

--
Simo Sorce * Red Hat, Inc * New York
Attachment: 0001-Remove-reference-to-very-unlikely-service-examples-t.patch (application/mbox, 1972 bytes)

From ssorce at redhat.com Wed Sep 17 15:38:38 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 17 Sep 2008 11:38:38 -0400
Subject: [Freeipa-devel] [PATCH] allow passwords to work without a tty
In-Reply-To: <48CAD18D.4090902@redhat.com>
References: <48CAD18D.4090902@redhat.com>
Message-ID: <1221665918.12851.128.camel@localhost.localdomain>

On Fri, 2008-09-12 at 16:31 -0400, Rob Crittenden wrote:
> getpass.getpass() requires a tty to work so it prevents one from
> doing something like: echo "password" | some_program
>
> Detect if there is not a tty and use readline() instead so this will
> work.

ack

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Sep 17 15:40:31 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 17 Sep 2008 11:40:31 -0400
Subject: [Freeipa-devel] [PATCH] integrate ipa-ldap-updater into installer
In-Reply-To: <48CE95AD.6020902@redhat.com>
References: <48CE95AD.6020902@redhat.com>
Message-ID: <1221666031.12851.130.camel@localhost.localdomain>

On Mon, 2008-09-15 at 13:04 -0400, Rob Crittenden wrote:
> This patch ties the updater into the installer. It runs as one of the
> last things so it can use /etc/ipa/ipa.conf and we can be fairly sure
> that the basic IPA server is up and running, including the KDC.
>
> Future changes to configuration should go into an update file in
> freeipa/ipa-install/updates.
>
> For now when updating a live system users will need to manually run
> ipa-ldap-updater after installing the new packages because the
> Directory Manager password is required.

I would *really* prefer the password is passed via stdin. I don't like it being written to a file.

Simo.
-- Simo Sorce * Red Hat, Inc * New York From mnagy at redhat.com Wed Sep 17 16:01:41 2008 From: mnagy at redhat.com (Martin Nagy) Date: Wed, 17 Sep 2008 18:01:41 +0200 Subject: [Freeipa-devel] [PATCH] Add standard override options to ipa-replica-prepare Fixes: 462489 Message-ID: <20080917180141.6edb7172@notas> SSIA. Sending this for the second time, it probably got lost somewhere.. Martin From mnagy at redhat.com Wed Sep 17 16:10:35 2008 From: mnagy at redhat.com (Martin Nagy) Date: Wed, 17 Sep 2008 18:10:35 +0200 Subject: [Freeipa-devel] [PATCH] Restart httpd and dirsrv services after yum upgrade In-Reply-To: <1221662552.12851.96.camel@localhost.localdomain> References: <20080917153249.4013d0cf@wolverine.englab.brq.redhat.com> <1221658494.12851.80.camel@localhost.localdomain> <20080917153800.3ead22c4@wolverine.englab.brq.redhat.com> <1221662552.12851.96.camel@localhost.localdomain> Message-ID: <20080917181035.362c3996@notas> Simo Sorce wrote: > On Wed, 2008-09-17 at 15:38 +0200, Martin Nagy wrote: > > On Wed, 17 Sep 2008 09:34:54 -0400, Simo Sorce > > wrote: > > > > > On Wed, 2008-09-17 at 15:32 +0200, Martin Nagy wrote: > > > > +* Wed Sep 17 2008 Martin Nagy - 1.0.0-6 > > > > +- restart httpd and dirsrv services after upgrade > > > > + > > > > > > Are you releasing 1.0.0-6 on your own? :-P > > > > > > Simo. > > > > Heh :) Didn't know any better thing to put there, besides, Rob's > > entry bellow is 1.0.0-5 and about week old. Should I send a new > > patch with 1.1.1-1? > > Both you and Rob should stack changelog changes with a temporary > version number until a release is made. > > 1.2.0-0 is probably the right one to use to pile up all changes in one > changelog entry. > > Simo. Oops, meant to send that mail to the list.. Anyway, here's a patch with piled up changes. Martin -------------- next part -------------- A non-text attachment was scrubbed... 
Name: 0001-Restart-httpd-and-dirsrv-services-after-yum-upgrade.patch Type: text/x-patch Size: 1660 bytes Desc: not available URL: From ssorce at redhat.com Wed Sep 17 16:21:07 2008 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 17 Sep 2008 12:21:07 -0400 Subject: [Freeipa-devel] [PATCH] make ipa-ldap-updater a library In-Reply-To: <48CEB773.4080707@redhat.com> References: <48CEB773.4080707@redhat.com> Message-ID: <1221668467.12851.139.camel@localhost.localdomain> On Mon, 2008-09-15 at 15:28 -0400, Rob Crittenden wrote: > Martin suggested that ipa-ldap-update should be a library which would > make it easier to re-use. What a great idea, so here it is. > > One of the arguments the updater takes during object init is > sub_dict. > This is the substitution dictionary that is used in the template > engine > to replace variables in the update files. It is possible to override > the > default values by passing in your own dictionary. Probably best to > let > the defaults be. ack -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Wed Sep 17 16:32:32 2008 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 17 Sep 2008 12:32:32 -0400 Subject: [Freeipa-devel] [PATCH] Restart httpd and dirsrv services after yum upgrade In-Reply-To: <20080917181035.362c3996@notas> References: <20080917153249.4013d0cf@wolverine.englab.brq.redhat.com> <1221658494.12851.80.camel@localhost.localdomain> <20080917153800.3ead22c4@wolverine.englab.brq.redhat.com> <1221662552.12851.96.camel@localhost.localdomain> <20080917181035.362c3996@notas> Message-ID: <1221669152.12851.149.camel@localhost.localdomain> On Wed, 2008-09-17 at 18:10 +0200, Martin Nagy wrote: > > Oops, meant to send that mail to the list.. > Anyway, here's a patch with piled up changes. 
ack -- Simo Sorce * Red Hat, Inc * New York From mnagy at redhat.com Wed Sep 17 16:41:32 2008 From: mnagy at redhat.com (Martin Nagy) Date: Wed, 17 Sep 2008 18:41:32 +0200 Subject: [Freeipa-devel] [PATCH] Remove unlikely service from the interface In-Reply-To: <1221664402.12851.112.camel@localhost.localdomain> References: <1221664402.12851.112.camel@localhost.localdomain> Message-ID: <20080917184132.19ba3519@notas> Simo Sorce wrote: > They are just confusing and not useful by default. ack From mnagy at redhat.com Wed Sep 17 16:58:20 2008 From: mnagy at redhat.com (Martin Nagy) Date: Wed, 17 Sep 2008 18:58:20 +0200 Subject: [Freeipa-devel] [PATCH] Add standard override options to ipa-replica-prepare Message-ID: <20080917185820.171a2e7c@notas> SSIA, sending this for the third time.. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Add-standard-override-options-to-ipa-replica-prepare.patch Type: text/x-patch Size: 1498 bytes Desc: not available URL: From rcritten at redhat.com Wed Sep 17 16:59:15 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 17 Sep 2008 12:59:15 -0400 Subject: [Freeipa-devel] [PATCH] integrate ipa-ldap-updater into installer In-Reply-To: <1221666031.12851.130.camel@localhost.localdomain> References: <48CE95AD.6020902@redhat.com> <1221666031.12851.130.camel@localhost.localdomain> Message-ID: <48D13763.5020606@redhat.com> Simo Sorce wrote: > On Mon, 2008-09-15 at 13:04 -0400, Rob Crittenden wrote: >> This patch ties the updater into the installer. It runs as one of the >> last things so it can use /etc/ipa/ipa.conf and we can be fairly sure >> that the basic IPA server is up and running, including the KDC. >> >> Future changes to configuration should go into an update file in >> freeipa/ipa-install/updates. >> >> For now when updating a live system users will need to manually run >> ipa-ldap-updater after installing the new packages because the >> Directory >> Manager password is required. 
> > I would *really* prefer the password is passed via stdin. > I don't like it being written to a file. > > Simo. > I agree. I added it as an option because so many other tools we use/provide offer the same option. We aren't actually going to use this ourselves since I made the updater into a python library. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From sgallagh at redhat.com Wed Sep 17 17:18:12 2008 From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 17 Sep 2008 13:18:12 -0400 Subject: [Freeipa-devel] [PATCH] Add standard override options to ipa-replica-prepare In-Reply-To: <20080917185820.171a2e7c@notas> References: <20080917185820.171a2e7c@notas> Message-ID: <48D13BD4.10800@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Martin Nagy wrote: > SSIA, sending this for the third time.. > > Martin > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ack - -- - -------------------- Stephen Gallagher RHCE 804006346421761 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkjRO9AACgkQc7MaxVic+2oQvQCeLFf/N9fqWRxSypW5xnhdKhMo XEYAnRSlrqaLV7wXjKz6zEzzdJl4Wgon =qiQt -----END PGP SIGNATURE----- From ssorce at redhat.com Wed Sep 17 17:26:27 2008 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 17 Sep 2008 13:26:27 -0400 Subject: [Freeipa-devel] [PATCH] integrate ipa-ldap-updater into installer In-Reply-To: <48D13763.5020606@redhat.com> References: <48CE95AD.6020902@redhat.com> <1221666031.12851.130.camel@localhost.localdomain> <48D13763.5020606@redhat.com> Message-ID: <1221672387.12851.155.camel@localhost.localdomain> On Wed, 
2008-09-17 at 12:59 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > On Mon, 2008-09-15 at 13:04 -0400, Rob Crittenden wrote: > >> This patch ties the updater into the installer. It runs as one of the > >> last things so it can use /etc/ipa/ipa.conf and we can be fairly sure > >> that the basic IPA server is up and running, including the KDC. > >> > >> Future changes to configuration should go into an update file in > >> freeipa/ipa-install/updates. > >> > >> For now when updating a live system users will need to manually run > >> ipa-ldap-updater after installing the new packages because the > >> Directory > >> Manager password is required. > > > > I would *really* prefer the password is passed via stdin. > > I don't like it being written to a file. > > > > Simo. > > > > I agree. I added it as an option because so many other tools we > use/provide offer the same option. We aren't actually going to use this > ourselves since I made the updater into a python library. ok then ack Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Wed Sep 17 18:35:34 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 17 Sep 2008 14:35:34 -0400 Subject: [Freeipa-devel] [PATCH] integrate ipa-ldap-updater into installer In-Reply-To: <1221672387.12851.155.camel@localhost.localdomain> References: <48CE95AD.6020902@redhat.com> <1221666031.12851.130.camel@localhost.localdomain> <48D13763.5020606@redhat.com> <1221672387.12851.155.camel@localhost.localdomain> Message-ID: <48D14DF6.1010305@redhat.com> Simo Sorce wrote: > On Wed, 2008-09-17 at 12:59 -0400, Rob Crittenden wrote: >> Simo Sorce wrote: >>> On Mon, 2008-09-15 at 13:04 -0400, Rob Crittenden wrote: >>>> This patch ties the updater into the installer. It runs as one of the >>>> last things so it can use /etc/ipa/ipa.conf and we can be fairly sure >>>> that the basic IPA server is up and running, including the KDC. 
>>>> >>>> Future changes to configuration should go into an update file in >>>> freeipa/ipa-install/updates. >>>> >>>> For now when updating a live system users will need to manually run >>>> ipa-ldap-updater after installing the new packages because the >>>> Directory >>>> Manager password is required. >>> I would *really* prefer the password is passed via stdin. >>> I don't like it being written to a file. >>> >>> Simo. >>> >> I agree. I added it as an option because so many other tools we >> use/provide offer the same option. We aren't actually going to use this >> ourselves since I made the updater into a python library. > > ok then ack > > Simo. > pushed to master -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Wed Sep 17 18:35:46 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 17 Sep 2008 14:35:46 -0400 Subject: [Freeipa-devel] [PATCH] make ipa-ldap-updater a library In-Reply-To: <1221668467.12851.139.camel@localhost.localdomain> References: <48CEB773.4080707@redhat.com> <1221668467.12851.139.camel@localhost.localdomain> Message-ID: <48D14E02.2070400@redhat.com> Simo Sorce wrote: > On Mon, 2008-09-15 at 15:28 -0400, Rob Crittenden wrote: >> Martin suggested that ipa-ldap-update should be a library which would >> make it easier to re-use. What a great idea, so here it is. >> >> One of the arguments the updater takes during object init is >> sub_dict. >> This is the substitution dictionary that is used in the template >> engine >> to replace variables in the update files. It is possible to override >> the >> default values by passing in your own dictionary. Probably best to >> let >> the defaults be. > > ack > pushed to master -------------- next part -------------- A non-text attachment was scrubbed... 
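Illustrating the "allow passwords to work without a tty" patch acked above, and Simo's point in the ipa-ldap-updater thread that the Directory Manager password should arrive on stdin rather than be written to a file, here is an added Python example (not the FreeIPA code): it falls back from getpass.getpass() to a single readline() when the input is not a tty, rejects EOF and empty input, and is fed a constructed io.StringIO in place of a real pipe. The function names are this example's own.

```python
"""Read a password from the controlling tty when there is one, otherwise
from stdin, so `echo "password" | tool` works and an interactive run still
gets a no-echo prompt.

Added example, not the FreeIPA patch: the function names and the handling
of EOF and empty input are this example's own choices.
"""
import getpass
import io
import sys


class PasswordError(Exception):
    """Raised when no usable password could be read."""


def read_password(prompt="Password: ", stream=None):
    """Return one password with its line terminator removed.

    If `stream` (default sys.stdin) is a tty, use getpass so nothing is
    echoed (getpass opens /dev/tty itself). Otherwise read exactly one
    line, which is what a caller piping `echo "$PW" |` expects; the secret
    never appears in argv or in a file on disk.
    """
    if stream is None:
        stream = sys.stdin
    try:
        interactive = stream.isatty()
    except (AttributeError, ValueError):
        interactive = False
    if interactive:
        password = getpass.getpass(prompt)
    else:
        line = stream.readline()
        if line == "":
            raise PasswordError("no password on stdin (EOF)")
        # Strip only the terminator: spaces inside a password are legal.
        password = line.rstrip("\r\n")
    if password == "":
        raise PasswordError("empty password")
    return password


def read_password_twice(stream=None):
    """Prompt for a new password and its confirmation, as an installer
    setting the Directory Manager password would; both must match."""
    first = read_password("Password: ", stream)
    second = read_password("Confirm password: ", stream)
    if first != second:
        raise PasswordError("passwords do not match")
    return first


if __name__ == "__main__":
    # Constructed stand-in for `printf 'S3cret\nS3cret\n' | tool`:
    # io.StringIO.isatty() is False, so the non-tty branch runs.
    demo = io.StringIO("S3cret\nS3cret\n")
    print("read a %d-character password" % len(read_password_twice(demo)))
```

Run interactively the prompt is silent as before; under `echo "$PW" | tool` the first line is consumed and nothing is echoed, and a closed or empty stdin is an error rather than an empty password.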
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Wed Sep 17 18:35:56 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 17 Sep 2008 14:35:56 -0400 Subject: [Freeipa-devel] [PATCH] allow passwords to work without a tty In-Reply-To: <1221665918.12851.128.camel@localhost.localdomain> References: <48CAD18D.4090902@redhat.com> <1221665918.12851.128.camel@localhost.localdomain> Message-ID: <48D14E0C.7010005@redhat.com> Simo Sorce wrote: > On Fri, 2008-09-12 at 16:31 -0400, Rob Crittenden wrote: >> getpass.getpass() requires a tty to work so it prevents one from >> doing >> something like: echo "password" | some_program >> >> Detect if there is not a tty and use readline() instead so this will >> work. > > ack > pushed to master -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Wed Sep 17 20:19:30 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 17 Sep 2008 16:19:30 -0400 Subject: [Freeipa-devel] [PATCH] update an update Message-ID: <48D16652.4010901@redhat.com> Change order of SUP. In FDS if it comes before NAME it gets dropped. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-89-update.patch Type: text/x-patch Size: 1003 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Wed Sep 17 20:58:49 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 17 Sep 2008 16:58:49 -0400 Subject: [Freeipa-devel] [PATCH] detect when updates are available Message-ID: <48D16F89.7030108@redhat.com> This patch will cause the test mode to return 2 when updates are available and 0 when they are not. So when an admin installs a new package they can run /usr/sbin/ipa-ldaper-update -t to determine whether there are updates to apply. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-90-update.patch Type: text/x-patch Size: 5945 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From mnagy at redhat.com Wed Sep 17 21:12:35 2008 From: mnagy at redhat.com (Martin Nagy) Date: Wed, 17 Sep 2008 23:12:35 +0200 Subject: [Freeipa-devel] [PATCH] Add standard override options to ipa-replica-prepare In-Reply-To: <48D13BD4.10800@redhat.com> References: <20080917185820.171a2e7c@notas> <48D13BD4.10800@redhat.com> Message-ID: <20080917231235.2c22fe97@notas> Stephen Gallagher wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Martin Nagy wrote: > > SSIA, sending this for the third time.. 
> > > > Martin > > > > > > ------------------------------------------------------------------------ > > > > _______________________________________________ > > Freeipa-devel mailing list > > Freeipa-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-devel > ack pushed to master From mnagy at redhat.com Wed Sep 17 21:13:24 2008 From: mnagy at redhat.com (Martin Nagy) Date: Wed, 17 Sep 2008 23:13:24 +0200 Subject: [Freeipa-devel] [PATCH] Don't try to discover servers if we specified them on command line In-Reply-To: <1221658585.12851.82.camel@localhost.localdomain> References: <20080917153040.742e4818@wolverine.englab.brq.redhat.com> <1221658585.12851.82.camel@localhost.localdomain> Message-ID: <20080917231324.76904ef6@notas> Simo Sorce wrote: > On Wed, 2008-09-17 at 15:30 +0200, Martin Nagy wrote: > > Currently, if we specify alternate server with the --server option, > > we will try it first and after that we try ipa.conf and DNS. This > > patch changes the behavior so that if we don't try servers from > > ipa.conf and DNS. My reasoning is that this is more "expected" > > behavior. > > Ack. > pushed to master From mnagy at redhat.com Wed Sep 17 21:13:42 2008 From: mnagy at redhat.com (Martin Nagy) Date: Wed, 17 Sep 2008 23:13:42 +0200 Subject: [Freeipa-devel] [PATCH] Restart httpd and dirsrv services after yum upgrade In-Reply-To: <1221669152.12851.149.camel@localhost.localdomain> References: <20080917153249.4013d0cf@wolverine.englab.brq.redhat.com> <1221658494.12851.80.camel@localhost.localdomain> <20080917153800.3ead22c4@wolverine.englab.brq.redhat.com> <1221662552.12851.96.camel@localhost.localdomain> <20080917181035.362c3996@notas> <1221669152.12851.149.camel@localhost.localdomain> Message-ID: <20080917231342.5d6956c3@notas> Simo Sorce wrote: > On Wed, 2008-09-17 at 18:10 +0200, Martin Nagy wrote: > > > > Oops, meant to send that mail to the list.. > > Anyway, here's a patch with piled up changes. 
> > ack > pushed to master From mnagy at redhat.com Thu Sep 18 11:24:37 2008 From: mnagy at redhat.com (Martin Nagy) Date: Thu, 18 Sep 2008 13:24:37 +0200 Subject: [Freeipa-devel] [PATCH] detect when updates are available In-Reply-To: <48D16F89.7030108@redhat.com> References: <48D16F89.7030108@redhat.com> Message-ID: <20080918132437.53079310@notas> Rob Crittenden wrote: > This patch will cause the test mode to return 2 when updates are > available and 0 when they are not. > > So when an admin installs a new package they can run > /usr/sbin/ipa-ldaper-update -t to determine whether there are updates > to apply. > > rob Few things I noticed: > add:attributeTypes: X-ORIGIN 'RFC2307bis' ) > add:attributeTypes: > ( 1.3.6.1.4.1.1.1.1.12 NAME 'nisDomain' > - DESC 'NIS domain' SUP name > + DESC 'NIS domain' > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 > X-ORIGIN 'RFC2307bis' ) > add:attributeTypes: Hmm, why are you reverting the previous patch you sent? > + import pprint > + f = open('s', 'w') > + pprint.pprint(s, f) > + f.close() > + f = open('n', 'w') > + pprint.pprint(n, f) > + f.close() > + > + if s == n: > + return False > + else: > + return True Why are you writing out to those files? They don't seem to be read later on. Martin From rcritten at redhat.com Thu Sep 18 12:54:42 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 18 Sep 2008 08:54:42 -0400 Subject: [Freeipa-devel] [PATCH] detect when updates are available In-Reply-To: <20080918132437.53079310@notas> References: <48D16F89.7030108@redhat.com> <20080918132437.53079310@notas> Message-ID: <48D24F92.9050001@redhat.com> Martin Nagy wrote: > Rob Crittenden wrote: >> This patch will cause the test mode to return 2 when updates are >> available and 0 when they are not. >> >> So when an admin installs a new package they can run >> /usr/sbin/ipa-ldaper-update -t to determine whether there are updates >> to apply. 
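Review bot: with `SUP name` removed from the nisDomain hunk (`- DESC 'NIS domain' SUP name` / `+ DESC 'NIS domain'`), the definition no longer inherits any matching rules and the remaining lines declare only `SYNTAX 1.3.6.1.4.1.1466.115.121.1.26` with no EQUALITY or SUBSTR, so equality filters on nisDomain fall back to whatever the server's per-syntax default is. If the goal is to match the copy of this schema FDS ships, add an explicit `EQUALITY caseIgnoreIA5Match` (the rule RFC 2307bis gives nisDomain) rather than leaving the matching rule implicit.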
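Review bot: the `pprint.pprint(s, f)` / `pprint.pprint(n, f)` block writes both schema dictionaries to the relative paths `'s'` and `'n'`, that is into whatever directory the updater happens to be run from, silently overwriting files of those names and leaving a dump of the server schema behind, and nothing reads them back. Drop those six lines (or gate them behind a debug option that writes to a temporary file), and the trailing `if s == n: return False` / `else: return True` reduces to `return s != n`.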
>> >> rob > > Few things I noticed: > >> add:attributeTypes: X-ORIGIN 'RFC2307bis' ) >> add:attributeTypes: >> ( 1.3.6.1.4.1.1.1.1.12 NAME 'nisDomain' >> - DESC 'NIS domain' SUP name >> + DESC 'NIS domain' >> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 >> X-ORIGIN 'RFC2307bis' ) >> add:attributeTypes: > > Hmm, why are you reverting the previous patch you sent? FDS has this this schema as well and they don't do a SUP name so I removed it altogether instead of moving it around. > >> + import pprint >> + f = open('s', 'w') >> + pprint.pprint(s, f) >> + f.close() >> + f = open('n', 'w') >> + pprint.pprint(n, f) >> + f.close() >> + >> + if s == n: >> + return False >> + else: >> + return True > > Why are you writing out to those files? They don't seem to be read > later on. Oh, heh, left in some debugging! When working on the schema these dictionaries are HUGE so I had to output them to files to see where the differences were. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Thu Sep 18 20:09:19 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 18 Sep 2008 16:09:19 -0400 Subject: [Freeipa-devel] [PATCH] detect when updates are available In-Reply-To: <20080918132437.53079310@notas> References: <48D16F89.7030108@redhat.com> <20080918132437.53079310@notas> Message-ID: <48D2B56F.5080209@redhat.com> Martin Nagy wrote: > Rob Crittenden wrote: >> This patch will cause the test mode to return 2 when updates are >> available and 0 when they are not. >> >> So when an admin installs a new package they can run >> /usr/sbin/ipa-ldaper-update -t to determine whether there are updates >> to apply. 
>> >> rob > > Few things I noticed: > >> add:attributeTypes: X-ORIGIN 'RFC2307bis' ) >> add:attributeTypes: >> ( 1.3.6.1.4.1.1.1.1.12 NAME 'nisDomain' >> - DESC 'NIS domain' SUP name >> + DESC 'NIS domain' >> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 >> X-ORIGIN 'RFC2307bis' ) >> add:attributeTypes: > > Hmm, why are you reverting the previous patch you sent? > >> + import pprint >> + f = open('s', 'w') >> + pprint.pprint(s, f) >> + f.close() >> + f = open('n', 'w') >> + pprint.pprint(n, f) >> + f.close() >> + >> + if s == n: >> + return False >> + else: >> + return True > > Why are you writing out to those files? They don't seem to be read > later on. > > Martin Updated patch attached rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-90-update2.patch Type: text/x-patch Size: 5863 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From mnagy at redhat.com Thu Sep 18 21:15:40 2008 From: mnagy at redhat.com (Martin Nagy) Date: Thu, 18 Sep 2008 23:15:40 +0200 Subject: [Freeipa-devel] [PATCH] detect when updates are available In-Reply-To: <48D2B56F.5080209@redhat.com> References: <48D16F89.7030108@redhat.com> <20080918132437.53079310@notas> <48D2B56F.5080209@redhat.com> Message-ID: <20080918231540.4fcdfc1b@notas> Rob Crittenden wrote: > Martin Nagy wrote: > > Rob Crittenden wrote: > >> This patch will cause the test mode to return 2 when updates are > >> available and 0 when they are not. > >> > >> So when an admin installs a new package they can run > >> /usr/sbin/ipa-ldaper-update -t to determine whether there are > >> updates to apply. 
> >> > >> rob > > > > Few things I noticed: > > > >> add:attributeTypes: X-ORIGIN 'RFC2307bis' ) > >> add:attributeTypes: > >> ( 1.3.6.1.4.1.1.1.1.12 NAME 'nisDomain' > >> - DESC 'NIS domain' SUP name > >> + DESC 'NIS domain' > >> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 > >> X-ORIGIN 'RFC2307bis' ) > >> add:attributeTypes: > > > > Hmm, why are you reverting the previous patch you sent? > > > >> + import pprint > >> + f = open('s', 'w') > >> + pprint.pprint(s, f) > >> + f.close() > >> + f = open('n', 'w') > >> + pprint.pprint(n, f) > >> + f.close() > >> + > >> + if s == n: > >> + return False > >> + else: > >> + return True > > > > Why are you writing out to those files? They don't seem to be read > > later on. > > > > Martin > > Updated patch attached > > rob ack From mnagy at redhat.com Thu Sep 18 21:22:58 2008 From: mnagy at redhat.com (Martin Nagy) Date: Thu, 18 Sep 2008 23:22:58 +0200 Subject: [Freeipa-devel] [PATCH] Fix architecture detection in ldapupdate Message-ID: <20080918232258.709cb0bc@notas> I noticed the architecture detection won't work, since platform.platform() will return something like 'Linux-2.6.25.14-108.fc9.i686-i686-with-fedora-9-Sulphur'. After the patch the detection should be better and we explicitly ask about the bits, not just the arch. I also did a tiny change in a while loop. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-architecture-detection-in-ldapupdate.patch Type: text/x-patch Size: 1526 bytes Desc: not available URL: From ssorce at redhat.com Thu Sep 18 21:33:51 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 18 Sep 2008 17:33:51 -0400 Subject: [Freeipa-devel] [PATCH] update an update In-Reply-To: <48D16652.4010901@redhat.com> References: <48D16652.4010901@redhat.com> Message-ID: <1221773631.1796.0.camel@localhost.localdomain> On Wed, 2008-09-17 at 16:19 -0400, Rob Crittenden wrote: > Change order of SUP. In FDS if it comes before NAME it gets dropped. 
ack -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Sep 18 21:34:27 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 18 Sep 2008 17:34:27 -0400 Subject: [Freeipa-devel] [PATCH] Remove unlikely service from the interface In-Reply-To: <20080917184132.19ba3519@notas> References: <1221664402.12851.112.camel@localhost.localdomain> <20080917184132.19ba3519@notas> Message-ID: <1221773667.1796.2.camel@localhost.localdomain> On Wed, 2008-09-17 at 18:41 +0200, Martin Nagy wrote: > Simo Sorce wrote: > > They are just confusing and not useful by default. > ack pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Sep 18 21:34:59 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 18 Sep 2008 17:34:59 -0400 Subject: [Freeipa-devel] [PATCH] Fix install with EXAMPLE.COM realm In-Reply-To: <48D11C3D.20207@redhat.com> References: <1221659337.12851.84.camel@localhost.localdomain> <48D11C3D.20207@redhat.com> Message-ID: <1221773699.1796.4.camel@localhost.localdomain> On Wed, 2008-09-17 at 11:03 -0400, Stephen Gallagher wrote: > ack pushed -- Simo Sorce * Red Hat, Inc * New York From tscherf at redhat.com Fri Sep 19 09:37:56 2008 From: tscherf at redhat.com (Thorsten Scherf) Date: Fri, 19 Sep 2008 11:37:56 +0200 Subject: [Freeipa-devel] Question: krb5 machine credentials Message-ID: <20080919093756.GG3764@tscherf.redhat.com> Where is IPA krb5 storing machine credential information? There is no file any more available in /tmp with such kind of information. I do find files there for user credentials, but not for machine credentials. Did we move them up to a kernel store? Happy Day. Thorsten -- "Eternity is a very long time, especially towards the end." - Stephen Hawking -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: From sgallagh at redhat.com Fri Sep 19 11:42:39 2008 From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 19 Sep 2008 07:42:39 -0400 Subject: [Freeipa-devel] [PATCH] Fix architecture detection in ldapupdate In-Reply-To: <20080918232258.709cb0bc@notas> References: <20080918232258.709cb0bc@notas> Message-ID: <48D3902F.7020602@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Martin Nagy wrote: > I noticed the architecture detection won't work, since > platform.platform() will return something like > 'Linux-2.6.25.14-108.fc9.i686-i686-with-fedora-9-Sulphur'. After the > patch the detection should be better and we explicitly ask about the > bits, not just the arch. > > I also did a tiny change in a while loop. > > Martin > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Since I don't know where this return value goes, I want to ask a question. Is it only the 64-bit nature that matters, or is the x86_64 architecture directly relevant? In other words, the previous code was checking for x86_64 processors only, but now you've expanded it to potentially include IA64, Sparc64, etc. 
- -- - -------------------- Stephen Gallagher RHCE 804006346421761 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkjTkCoACgkQc7MaxVic+2pDngCeNuWCSrWIkx6/ItEQpwNf2LYj xA8An0sVJh+Wyld6snqSqTvGBYOkMumZ =Pc5U -----END PGP SIGNATURE----- From mnagy at redhat.com Fri Sep 19 11:59:09 2008 From: mnagy at redhat.com (Martin Nagy) Date: Fri, 19 Sep 2008 13:59:09 +0200 Subject: [Freeipa-devel] [PATCH] Fix architecture detection in ldapupdate In-Reply-To: <48D3902F.7020602@redhat.com> References: <20080918232258.709cb0bc@notas> <48D3902F.7020602@redhat.com> Message-ID: <20080919135909.2eb1ec40@wolverine.englab.brq.redhat.com> On Fri, 19 Sep 2008 07:42:39 -0400, Stephen Gallagher wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Martin Nagy wrote: > > I noticed the architecture detection won't work, since > > platform.platform() will return something like > > 'Linux-2.6.25.14-108.fc9.i686-i686-with-fedora-9-Sulphur'. After the > > patch the detection should be better and we explicitly ask about the > > bits, not just the arch. > > > > I also did a tiny change in a while loop. > > > > Martin > > > > > > ------------------------------------------------------------------------ > > > > _______________________________________________ > > Freeipa-devel mailing list > > Freeipa-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > Since I don't know where this return value goes, I want to ask a > question. Is it only the 64-bit nature that matters, or is the x86_64 > architecture directly relevant? > > In other words, the previous code was checking for x86_64 processors > only, but now you've expanded it to potentially include IA64, > Sparc64, etc. Quickly doing git grep LIBARCH, the code seems to be using this in "/usr/lib$LIBARCH/dirsrv/plugins/schemacompat-plugin.so", which means we really need the bits. 
I think Rob only checked for x86_64 because FreeIPA doesn't work with other 64 bit architectures (am I right about this?). Martin From rcritten at redhat.com Fri Sep 19 12:07:00 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 19 Sep 2008 08:07:00 -0400 Subject: [Freeipa-devel] [PATCH] Fix architecture detection in ldapupdate In-Reply-To: <20080918232258.709cb0bc@notas> References: <20080918232258.709cb0bc@notas> Message-ID: <48D395E4.7000700@redhat.com> Martin Nagy wrote: > I noticed the architecture detection won't work, since > platform.platform() will return something like > 'Linux-2.6.25.14-108.fc9.i686-i686-with-fedora-9-Sulphur'. After the > patch the detection should be better and we explicitly ask about the > bits, not just the arch. > > I also did a tiny change in a while loop. > Arg, I must've pasted the wrong code in. This was supposed to be platform.machine() (which returns x86_64 on AMD and Intel 64-bit machines). Not sure which is the better method. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Fri Sep 19 12:08:25 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 19 Sep 2008 08:08:25 -0400 Subject: [Freeipa-devel] [PATCH] Fix architecture detection in ldapupdate In-Reply-To: <48D3902F.7020602@redhat.com> References: <20080918232258.709cb0bc@notas> <48D3902F.7020602@redhat.com> Message-ID: <48D39639.2030705@redhat.com> Stephen Gallagher wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Martin Nagy wrote: >> I noticed the architecture detection won't work, since >> platform.platform() will return something like >> 'Linux-2.6.25.14-108.fc9.i686-i686-with-fedora-9-Sulphur'. After the >> patch the detection should be better and we explicitly ask about the >> bits, not just the arch. >> >> I also did a tiny change in a while loop. 
>> >> Martin >> >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > Since I don't know where this return value goes, I want to ask a > question. Is it only the 64-bit nature that matters, or is the x86_64 > architecture directly relevant? > > In other words, the previous code was checking for x86_64 processors > only, but now you've expanded it to potentially include IA64, Sparc64, etc. > I wasn't being that clever (excluding other arches). The target arch for the server right now is intel-only. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Fri Sep 19 12:23:25 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 19 Sep 2008 08:23:25 -0400 Subject: [Freeipa-devel] Question: krb5 machine credentials In-Reply-To: <20080919093756.GG3764@tscherf.redhat.com> References: <20080919093756.GG3764@tscherf.redhat.com> Message-ID: <48D399BD.7080107@redhat.com> Thorsten Scherf wrote: > Where is IPA krb5 storing machine credential information? There is no > file any more available in /tmp with such kind of information. I do find > files there for user credentials, but not for machine credentials. do we > moved them up to kernel store? > > Happy Day. > Thorsten > Machine credentials are stored in a keytab. On an IPA server we have them in /etc/krb5.keytab (host/FQDN), /etc/httpd/conf/ipa.keytab (Apache) and /etc/dirsrv/ds.keytab (FDS). rob -------------- next part -------------- A non-text attachment was scrubbed... 
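An added Python example (not the patch under review) for the architecture-detection thread above: why a substring match on platform.platform() misfires on the Fedora 9 string Martin quotes, how asking for the bits (platform.architecture()) gives the LIBARCH that the /usr/lib$LIBARCH/dirsrv/plugins path needs, and a check that the resulting .so actually exists. The function names and the supported-machine list (Intel only, per Rob's reply) are this example's own assumptions.

```python
"""Derive the LIBARCH suffix an update file substitutes into
/usr/lib$LIBARCH/dirsrv/plugins/schemacompat-plugin.so: "64" on a 64-bit
build, "" otherwise.

Added example, not the patch under review: it contrasts substring-matching
platform.platform() with asking for the bits or the machine, and checks
the resulting path exists. Function names and the supported-machine list
are this example's own assumptions.
"""
import os
import platform

PLUGIN = "/usr/lib%s/dirsrv/plugins/schemacompat-plugin.so"
# Server targets named in the thread: Intel 32- and 64-bit only (assumption).
SUPPORTED_MACHINES = ("i386", "i486", "i586", "i686", "x86_64")


def libarch_from_platform_string(desc):
    """Pre-patch approach: look for 'x86_64' in platform.platform().

    'Linux-2.6.25.14-108.fc9.i686-i686-with-fedora-9-Sulphur' is 32-bit
    and yields '' only because the kernel string happens to say i686; the
    string comes from uname, so a 32-bit userland under a 64-bit kernel
    would wrongly yield '64'."""
    return "64" if "x86_64" in desc else ""


def libarch_from_bits(bits=None):
    """Post-patch approach: ask for the word size of the running build.

    `bits` defaults to platform.architecture()[0], '32bit' or '64bit';
    it is a parameter so the decision can be tested on any host."""
    if bits is None:
        bits = platform.architecture()[0]
    if bits not in ("32bit", "64bit"):
        raise ValueError("unexpected architecture string %r" % bits)
    return "64" if bits == "64bit" else ""


def supported_machine(machine=None):
    """True for the machines the server is built for (platform.machine())."""
    if machine is None:
        machine = platform.machine()
    return machine in SUPPORTED_MACHINES


def plugin_path(libarch):
    """The substituted plugin path for a given LIBARCH value."""
    return PLUGIN % libarch


def resolve_plugin(bits=None, machine=None, exists=os.path.exists):
    """Plugin path for this host, or an error: an unsupported machine or a
    wrong LIBARCH shows up as a path that does not exist, which is better
    caught here than when dirsrv tries to load the plugin."""
    if not supported_machine(machine):
        raise RuntimeError("unsupported machine %r" % (machine or platform.machine()))
    path = plugin_path(libarch_from_bits(bits))
    if not exists(path):
        raise RuntimeError("no dirsrv plugin at %s; check LIBARCH" % path)
    return path


if __name__ == "__main__":
    print("platform():", platform.platform())
    print("machine():", platform.machine(), "bits:", platform.architecture()[0])
    print("LIBARCH =", repr(libarch_from_bits()))
```

platform.architecture() reports the word size of the Python build, which on a normal distribution install matches the dirsrv package; the existence check in resolve_plugin() is what catches the multilib cases where it does not.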
From rcritten at redhat.com Fri Sep 19 15:15:54 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Sep 2008 11:15:54 -0400
Subject: [Freeipa-devel] [PATCH] Fix architecture detection in ldapupdate
In-Reply-To: <20080918232258.709cb0bc@notas>
References: <20080918232258.709cb0bc@notas>
Message-ID: <48D3C22A.8060508@redhat.com>

Martin Nagy wrote:
> I noticed the architecture detection won't work, since
> platform.platform() will return something like
> 'Linux-2.6.25.14-108.fc9.i686-i686-with-fedora-9-Sulphur'. After the
> patch the detection should be better and we explicitly ask about the
> bits, not just the arch.
>
> I also did a tiny change in a while loop.
>
> Martin
>

ack

From rcritten at redhat.com Fri Sep 19 15:22:45 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Sep 2008 11:22:45 -0400
Subject: [Freeipa-devel] [PATCH] detect when updates are available
In-Reply-To: <20080918231540.4fcdfc1b@notas>
References: <48D16F89.7030108@redhat.com> <20080918132437.53079310@notas> <48D2B56F.5080209@redhat.com> <20080918231540.4fcdfc1b@notas>
Message-ID: <48D3C3C5.6010501@redhat.com>

Martin Nagy wrote:
> Rob Crittenden wrote:
>> Martin Nagy wrote:
>>> Rob Crittenden wrote:
>>>> This patch will cause the test mode to return 2 when updates are
>>>> available and 0 when they are not.
>>>>
>>>> So when an admin installs a new package they can run
>>>> /usr/sbin/ipa-ldaper-update -t to determine whether there are
>>>> updates to apply.
>>>>
>>>> rob
>>> Few things I noticed:
>>>
>>>> add:attributeTypes: X-ORIGIN 'RFC2307bis' )
>>>> add:attributeTypes:
>>>> ( 1.3.6.1.4.1.1.1.1.12 NAME 'nisDomain'
>>>> - DESC 'NIS domain' SUP name
>>>> + DESC 'NIS domain'
>>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>>>> X-ORIGIN 'RFC2307bis' )
>>>> add:attributeTypes:
>>> Hmm, why are you reverting the previous patch you sent?
>>>
>>>> + import pprint
>>>> + f = open('s', 'w')
>>>> + pprint.pprint(s, f)
>>>> + f.close()
>>>> + f = open('n', 'w')
>>>> + pprint.pprint(n, f)
>>>> + f.close()
>>>> +
>>>> + if s == n:
>>>> + return False
>>>> + else:
>>>> + return True
>>> Why are you writing out to those files? They don't seem to be read
>>> later on.
>>>
>>> Martin
>> Updated patch attached
>>
>> rob
> ack

pushed to master

From mnagy at redhat.com Fri Sep 19 15:25:37 2008
From: mnagy at redhat.com (Martin Nagy)
Date: Fri, 19 Sep 2008 17:25:37 +0200
Subject: [Freeipa-devel] [PATCH] Fix architecture detection in ldapupdate
In-Reply-To: <48D3C22A.8060508@redhat.com>
References: <20080918232258.709cb0bc@notas> <48D3C22A.8060508@redhat.com>
Message-ID: <20080919172537.0e47ef3b@wolverine.englab.brq.redhat.com>

On Fri, 19 Sep 2008 11:15:54 -0400, Rob Crittenden wrote:
> Martin Nagy wrote:
> > I noticed the architecture detection won't work, since
> > platform.platform() will return something like
> > 'Linux-2.6.25.14-108.fc9.i686-i686-with-fedora-9-Sulphur'. After the
> > patch the detection should be better and we explicitly ask about the
> > bits, not just the arch.
> >
> > I also did a tiny change in a while loop.
> >
> > Martin
> >
>
> ack

pushed

From rcritten at redhat.com Fri Sep 19 19:48:48 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 19 Sep 2008 15:48:48 -0400
Subject: [Freeipa-devel] [PATCH] change class syntax to work on python 2.4
Message-ID: <48D40220.3030903@redhat.com>

Needed to remove () from a class declaration that doesn't subclass to work with python 2.4. I've pushed this one-liner to master.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-91-syntax.patch
Type: text/x-patch
Size: 839 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Sep 24 12:45:04 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Sep 2008 08:45:04 -0400
Subject: [Freeipa-devel] [PATCH] fix segfault in ipa-getkeytab
Message-ID: <48DA3650.903@redhat.com>

See if the enctypes_string has been set before checking if it has a colon in it to fix a segfault.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-92-keytab.patch
Type: text/x-patch
Size: 803 bytes
Desc: not available
URL:

From mnagy at redhat.com Wed Sep 24 12:54:53 2008
From: mnagy at redhat.com (Martin Nagy)
Date: Wed, 24 Sep 2008 14:54:53 +0200
Subject: [Freeipa-devel] [PATCH] fix segfault in ipa-getkeytab
In-Reply-To: <48DA3650.903@redhat.com>
References: <48DA3650.903@redhat.com>
Message-ID: <20080924145453.05c5a458@wolverine.englab.brq.redhat.com>

On Wed, 24 Sep 2008 08:45:04 -0400, Rob Crittenden wrote:
> See if the enctypes_string has been set before checking if it has a
> colon in it to fix a segfault.
>
> rob

ack

From rcritten at redhat.com Wed Sep 24 12:57:22 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Sep 2008 08:57:22 -0400
Subject: [Freeipa-devel] [PATCH] fix segfault in ipa-getkeytab
In-Reply-To: <20080924145453.05c5a458@wolverine.englab.brq.redhat.com>
References: <48DA3650.903@redhat.com> <20080924145453.05c5a458@wolverine.englab.brq.redhat.com>
Message-ID: <48DA3932.2080405@redhat.com>

Martin Nagy wrote:
> On Wed, 24 Sep 2008 08:45:04 -0400, Rob Crittenden
> wrote:
>
>> See if the enctypes_string has been set before checking if it has a
>> colon in it to fix a segfault.
>>
>> rob
> ack

pushed to master

From mnagy at redhat.com Wed Sep 24 17:53:11 2008
From: mnagy at redhat.com (Martin Nagy)
Date: Wed, 24 Sep 2008 19:53:11 +0200
Subject: [Freeipa-devel] [PATCH] ipa-change-master-key: Really exit when not run as root
Message-ID: <20080924195311.56030e72@notas>

We print an error message when the ipa-change-master-key isn't running as root but we don't exit.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ipa-change-master-key-Really-exit-when-not-run-as-r.patch
Type: text/x-patch
Size: 1507 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Sep 24 18:05:45 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Sep 2008 14:05:45 -0400
Subject: [Freeipa-devel] [PATCH] ipa-change-master-key: Really exit when not run as root
In-Reply-To: <20080924195311.56030e72@notas>
References: <20080924195311.56030e72@notas>
Message-ID: <48DA8179.5000205@redhat.com>

Martin Nagy wrote:
> We print an error message when the ipa-change-master-key isn't running
> as root but we don't exit.

ack
From mnagy at redhat.com Wed Sep 24 18:09:58 2008
From: mnagy at redhat.com (Martin Nagy)
Date: Wed, 24 Sep 2008 20:09:58 +0200
Subject: [Freeipa-devel] [PATCH] ipa-change-master-key: Really exit when not run as root
In-Reply-To: <48DA8179.5000205@redhat.com>
References: <20080924195311.56030e72@notas> <48DA8179.5000205@redhat.com>
Message-ID: <20080924200958.5c53242e@notas>

Rob Crittenden wrote:
> Martin Nagy wrote:
> > We print an error message when the ipa-change-master-key isn't
> > running as root but we don't exit.
>
> ack

pushed to master

From gdk at redhat.com Thu Sep 25 14:49:34 2008
From: gdk at redhat.com (Greg Dekoenigsberg)
Date: Thu, 25 Sep 2008 10:49:34 -0400 (EDT)
Subject: [Freeipa-devel] [Ambassadors] EVENT REPORT: SFD and Atlanta Linux Fest (fwd)
Message-ID:

Thought you guys might find this report to be of interest.

--g

---------- Forwarded message ----------
Date: Thu, 25 Sep 2008 09:49:24 -0400
From: David Nalley
Reply-To: fedora-ambassadors-list at redhat.com
To: fedora-ambassadors-list at redhat.com
Subject: [Ambassadors] EVENT REPORT: SFD and Atlanta Linux Fest

I attended the Atlanta Linux Fest on Saturday. The event was organized mainly by Ubuntu's Georgia LoCo, but had assistance from several of the other LUGs in the area. Dave Yates, podcaster extraordinaire, claims attendance at 144. For a first-year event that's a great turnout. I was invited to talk about what's coming in Fedora 10 and also talked about some interesting things like Cobbler, FreeIPA, and OLPC. I have had a number of people come up and tell me that they've never heard of FreeIPA and an equal number that want to get involved with OLPC. It's nice to meet some new faces and put some faces with old names. Jas Eckard had his OLPC XO and that of course drew lots of attention. This event has completely wiped me out with regards to swag.
We came away with a number of ideas - including the thought of creating a Southeast Open Source blog aggregator - i.e. Open Source Southeast Planet. We are trying this out with our local LUG right now - Planet UCLUG lives, though it needs a ton of work from someone who can make things pretty. Hopefully we will have something Southeast-wide shortly.

I had a number of people come up to me at the event after I mentioned FreeIPA as another cool thing being worked on in Fedora. They were absolutely awestruck - and virtually no one had heard of the project. Another Fedora project that made waves was First Aid Kit, which I mentioned almost right after someone talked about what to do if grub became hosed in Ubuntu.

--
Fedora-ambassadors-list mailing list
Fedora-ambassadors-list at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-ambassadors-list

From rmeggins at redhat.com Fri Sep 26 16:31:09 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 26 Sep 2008 10:31:09 -0600
Subject: [Freeipa-devel] Please review: Bug 459729 - Windows sync support in IPA - account disable and force sync
Message-ID: <48DD0E4D.2020506@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=459729
Resolves: bug 459729
Bug Description: Windows sync support in IPA - account disable and force sync
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: Add support for account disable sync and force sync

* Account disable sync - AD uses the userAccountControl attribute ACCOUNTDISABLE value http://support.microsoft.com/kb/305144
We have to sync that with the nsAccountLock attribute used by DS. In IPA, nsAccountLock is a virtual attribute generated by the membership of the user or group in the cn=inactivated group (or enabled if in the cn=activated group or not in any group - the account is enabled if nsAccountLock is not present).
The sync can be done in 1 of 4 ways, with the config attribute ipaWinSyncAcctDisable:
* none - no account disable sync occurs
* to_ad - account disable is only synced from IPA to AD, not from AD to IPA
* to_ds - account disable is only synced from AD to IPA, not from IPA to AD
* both - account disable is synced in both directions
I added some code to let the plugin find the cn=inactivated and cn=activated groups dynamically

* Force Sync - by default, the DS will only sync existing IPA users if they have the ntUser objectclass, and the ntUserDomainID set to the Windows user ID (e.g. the samAccountName). With the config attribute ipaWinSyncForceSync set to "true", any IPA user that has a matching account in Windows will be forced to be in sync - the IPA user will have the ntUser objectclass added automatically, and the ntUserDomainID set to the matching account samAccountName value. The existing winsync code already handles adding ntUserDomainID, so the ipa winsync plugin just has to add ntUser.

Platforms tested: Fedora 9
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=317807&action=diff

From rcritten at redhat.com Tue Sep 30 17:59:58 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Sep 2008 13:59:58 -0400
Subject: [Freeipa-devel] Please review: Bug 459729 - Windows sync support in IPA - account disable and force sync
In-Reply-To: <48DD0E4D.2020506@redhat.com>
References: <48DD0E4D.2020506@redhat.com>
Message-ID: <48E2691E.3060603@redhat.com>

Rich Megginson wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=459729
> Resolves: bug 459729
> Bug Description: Windows sync support in IPA - account disable and force
> sync
> Reviewed by: ???
> Files: see diff
> Branch: HEAD
> Fix Description: Add support for account disable sync and force sync
> * Account disable sync - AD uses the userAccountControl attribute
> ACCOUNTDISABLE value http://support.microsoft.com/kb/305144
> We have to sync that with the nsAccountLock attribute used by DS. In
> IPA, nsAccountLock is a virtual attribute generated by the membership of
> the user or group in the cn=inactivated group (or enabled if in the
> cn=activated group or not in any group - the account is enabled if
> nsAccountLock is not present). The sync can be done in 1 of 4 ways,
> with the config attribute ipaWinSyncAcctDisable:
> * none - no account disable sync occurs
> * to_ad - account disable is only synced from IPA to AD, not from AD
> to IPA
> * to_ds - account disable is only synced from AD to IPA, not from IPA
> to AD
> * both - account disable is synced in both directions
> I added some code to let the plugin find the cn=inactivated and
> cn=activated groups dynamically
> * Force Sync - by default, the DS will only sync existing IPA users if
> they have the ntUser objectclass, and the ntUserDomainID set to the
> Windows user ID (e.g. the samAccountName). With the config attribute
> ipaWinSyncForceSync set to "true", any IPA user that has a matching
> account in Windows will be forced to be in sync - the IPA user will have
> the ntUser objectclass added automatically, and the ntUserDomainID set
> to the matching account samAccountName value. The existing winsync code
> already handles adding ntUserDomainID, so the ipa winsync plugin just
> has to add ntUser.
> Platforms tested: Fedora 9
> Flag Day: no
> Doc impact: no
> https://bugzilla.redhat.com/attachment.cgi?id=317807&action=diff

Assuming I'm reading this properly, you don't need to add users to the activated group in order to activate them. This group is for override purposes (has a lower cosPriority).
We have it so that if a group is inactivated but you want one or more members to be active you can add them to the activated group. This will override the group membership in an inactivated group. By putting unlocked users into activated you will be preventing them from being inactivated.

Is parse_acct_disable() called for each request or only during initialization? It is a little hard to tell in the context of this patch. I mention it because you end up doing 4 string compares every time it runs though.

rob
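The four ipaWinSyncAcctDisable modes described in the review request, together with the two points raised in the review (the activated group is an override with a lower cosPriority, so enabling a user means removing them from cn=inactivated rather than adding them to cn=activated; and the mode string should be parsed once rather than compared on every request), as an added Python model. This is not the winsync plugin's code, which is written in C against the Directory Server plugin API. The ACCOUNTDISABLE (0x0002) and NORMAL_ACCOUNT (0x0200) bit values are the ones documented in the Microsoft KB article the request links to; the two group DNs are placeholders, since the real plugin locates the groups dynamically.

```python
"""Model of winsync account-disable synchronisation directions.
Added example, not FreeIPA or 389-ds plugin code."""

# userAccountControl bits from the KB article referenced in the thread.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200

# Placeholder DNs for this example; the plugin looks the real groups up.
INACTIVATED_DN = "cn=inactivated,cn=accounts,dc=example,dc=com"
ACTIVATED_DN = "cn=activated,cn=accounts,dc=example,dc=com"

# Each mode maps to a (sync AD->DS, sync DS->AD) flag pair, so the string
# is compared once at configuration time rather than on every request.
_MODES = {
    "none": (False, False),
    "to_ad": (False, True),
    "to_ds": (True, False),
    "both": (True, True),
}


def parse_acct_disable(value):
    """Parse the ipaWinSyncAcctDisable config value into a flag pair."""
    try:
        return _MODES[value.strip().lower()]
    except KeyError:
        raise ValueError("invalid ipaWinSyncAcctDisable value: %r" % value)


def ad_disabled(user_account_control):
    """AD side: the account is disabled when the ACCOUNTDISABLE bit is set."""
    return bool(user_account_control & ACCOUNTDISABLE)


def ds_disabled(member_of):
    """DS side: nsAccountLock is virtual. The entry is locked when it is in
    the inactivated group, unless membership in the activated group
    overrides that (lower cosPriority), as the review explains."""
    return INACTIVATED_DN in member_of and ACTIVATED_DN not in member_of


def sync_ad_to_ds(mode, user_account_control, member_of):
    """Return the DS group membership after applying the AD state, or None
    when the configured mode does not sync in this direction."""
    ad_to_ds, _ = mode
    if not ad_to_ds:
        return None
    groups = set(member_of)
    if ad_disabled(user_account_control):
        groups.add(INACTIVATED_DN)
        # Assumption for this model: clear an activated override so the
        # lock actually takes effect.
        groups.discard(ACTIVATED_DN)
    else:
        # Enable by removing the lock; adding to cn=activated would instead
        # pin the user as un-inactivatable (the review's point).
        groups.discard(INACTIVATED_DN)
    return groups


def sync_ds_to_ad(mode, member_of, user_account_control):
    """Return the new userAccountControl after applying the DS state, or
    None when the configured mode does not sync in this direction."""
    _, ds_to_ad = mode
    if not ds_to_ad:
        return None
    if ds_disabled(member_of):
        return user_account_control | ACCOUNTDISABLE
    return user_account_control & ~ACCOUNTDISABLE


if __name__ == "__main__":
    both = parse_acct_disable("both")
    print(sync_ad_to_ds(both, NORMAL_ACCOUNT | ACCOUNTDISABLE, set()))
    print(hex(sync_ds_to_ad(both, {INACTIVATED_DN}, NORMAL_ACCOUNT)))
```

The direction flags make the asymmetric modes explicit: with to_ad, a user disabled in AD stays enabled in IPA, and with to_ds the reverse, which is the behaviour an operator should expect to see in audit logs after choosing either one-way setting.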