From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 01 Apr 2009 09:39:34 -0400
Subject: [Freeipa-devel] [PATCH] Avoid segfaults in backends
Message-ID: <1238593174.4858.45.camel@localhost.localdomain>

Some modules do not implement all functions.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Do-not-file-a-sure-segfault.patch
Type: text/x-patch
Size: 759 bytes


From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 01 Apr 2009 10:28:11 -0400
Subject: [Freeipa-devel] [PATCH] Fixes for nsssrv service
Message-ID: <1238596091.4858.47.camel@localhost.localdomain>

This patch contains fixes needed to make LOCAL be backed by
proxy/libnsss_files (ie local /etc/passwd,/etc/group accounts)

It also fixes various minor issues found while testing it.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 01 Apr 2009 10:30:58 -0400
Subject: [Freeipa-devel] [PATCH] Avoid segfaults in backends
In-Reply-To: <1238593174.4858.45.camel@localhost.localdomain>
References: <1238593174.4858.45.camel@localhost.localdomain>
Message-ID: <49D37AA2.90101@redhat.com>

Simo Sorce wrote:
> Some modules do not implement all functions.
>
> Simo.
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Ack

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 01 Apr 2009 10:31:35 -0400
Subject: [Freeipa-devel] [PATCH] Fixes for nsssrv service
In-Reply-To: <1238596091.4858.47.camel@localhost.localdomain>
References: <1238596091.4858.47.camel@localhost.localdomain>
Message-ID: <49D37AC7.9050807@redhat.com>

Simo Sorce wrote:
> This patch contains fixes needed to make LOCAL be backed by
> proxy/libnsss_files (ie local /etc/passwd,/etc/group accounts)
>
> It also fixes various minor issues found while testing it.
>
> Simo.

No patch attached.

--
Stephen Gallagher
RHCE 804006346421761

From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 01 Apr 2009 10:33:53 -0400
Subject: [Freeipa-devel] [PATCH] Fixes for nsssrv service
In-Reply-To: <49D37AC7.9050807@redhat.com>
References: <1238596091.4858.47.camel@localhost.localdomain> <49D37AC7.9050807@redhat.com>
Message-ID: <1238596433.4858.49.camel@localhost.localdomain>

On Wed, 2009-04-01 at 10:31 -0400, Stephen Gallagher wrote:
> Simo Sorce wrote:
> > This patch contains fixes needed to make LOCAL be backed by
> > proxy/libnsss_files (ie local /etc/passwd,/etc/group accounts)
> >
> > It also fixes various minor issues found while testing it.
> >
> > Simo.
>
> No patch attached.

I am Dumb, du-dumb, du-dumb, da-da ...

here it is.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-way-to-use-files-as-a-proxy-backend-fro-LOCAL.patch
Type: text/x-patch
Size: 22711 bytes

From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 01 Apr 2009 10:33:54 -0400
Subject: [Freeipa-devel] [PATCH] add more delegation rules
In-Reply-To: <1238184542.20998.33.camel@localhost.localdomain>
References: <49CA4AEF.7070506@redhat.com> <1238184542.20998.33.camel@localhost.localdomain>
Message-ID: <49D37B52.2060605@redhat.com>

Simo Sorce wrote:
> On Wed, 2009-03-25 at 11:17 -0400, Rob Crittenden wrote:
>> Fill in the ACIs and taskgroups for most of the plugins.
>>
>> This adds:
>> group administration
>> host administration
>> host group administration
>> delegation administration
>> service administration
>> automount administration
>> netgroup administration
>>
>> So far I've focused on granting write/add/del permissions. At some
>> point I may add in read/search ACIs as well.
>>
>> This still isn't going to, by default, allow one to grant write access
>> to different containers as we still have a flat tree. The way that can
>> be handled is by setting some attribute (say ou) to a value and then
>> adding that to the ACI. How one would do this without manually updating
>> the ACI by hand is still up in the air. It may be that we still won't
>> support it directly but doing so will be a lot more possible in v2.
>
> ack
>
> although I wonder if just allowing 'add'/'delete' is always sufficient
> and you don't need 'write' ?
>
> Simo.

pushed to master

From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 01 Apr 2009 10:35:09 -0400
Subject: [Freeipa-devel] [PATCH] jderose 001 plugin module name cleanup
In-Reply-To: <1238514251.8656.10.camel@jgd-dsk>
References: <1238514251.8656.10.camel@jgd-dsk>
Message-ID: <49D37B9D.40107@redhat.com>

Jason Gerard DeRose wrote:
> This patch renames the remaining plugin modules still using the bad f_*
> b_* naming convention that I started.
>
> The renames are as follows:
>
> ipalib/plugins/f_application.py -> ipalib/plugins/application.py
> ipalib/plugins/f_automount.py -> ipalib/plugins/automount.py
> ipalib/plugins/f_defaultoptions.py -> ipalib/plugins/defaultoptions.py
> ipalib/plugins/f_delegation.py -> ipalib/plugins/delegation.py
> ipalib/plugins/f_host.py -> ipalib/plugins/host.py
> ipalib/plugins/b_kerberos.py -> ipalib/plugins/kerberos.py
> ipalib/plugins/f_passwd.py -> ipalib/plugins/passwd.py
> ipalib/plugins/f_pwpolicy.py -> ipalib/plugins/pwpolicy.py
> ipalib/plugins/f_service.py -> ipalib/plugins/service.py
> ipalib/plugins/f_user.py -> ipalib/plugins/user.py
> ipaserver/plugins/b_ldap.py -> ipaserver/plugins/ldap.py

ack

pushed to master

rob

From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 01 Apr 2009 10:58:19 -0400
Subject: [Freeipa-devel] [PATCH] add more delegation rules
In-Reply-To: <49D0D4CB.2090605@redhat.com>
References: <49CA4AEF.7070506@redhat.com> <1238184542.20998.33.camel@localhost.localdomain> <49D0D4CB.2090605@redhat.com>
Message-ID: <1238597899.4858.50.camel@localhost.localdomain>

On Mon, 2009-03-30 at 10:18 -0400, Rob Crittenden wrote:
> > although I wonder if just allowing 'add'/'delete' is always sufficient
> > and you don't need 'write' ?
> >
> > Simo.
>
> add lets you write any attribute during entry creation. Likewise delete
> permission lets you delete an entire entry, even if you lack write
> permission on one or more of the attributes.

Ok, that's what I thought, thanks for confirming.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 01 Apr 2009 11:04:22 -0400
Subject: [Freeipa-devel] [PATCH] allow compilation with older version of dbus
In-Reply-To: <1238511172.4858.14.camel@localhost.localdomain>
References: <49D21FB5.6080306@redhat.com> <1238508434.4858.5.camel@localhost.localdomain> <49D22BFD.70809@redhat.com> <1238511172.4858.14.camel@localhost.localdomain>
Message-ID: <1238598262.4858.51.camel@localhost.localdomain>

On Tue, 2009-03-31 at 10:52 -0400, Simo Sorce wrote:
> On Tue, 2009-03-31 at 16:43 +0200, Sumit Bose wrote:
> > Simo Sorce wrote:
> > > On Tue, 2009-03-31 at 15:50 +0200, Sumit Bose wrote:
> > >> there was an API change in dbus around version 1.1.1. This patch checks
> > >> for the new API call dbus_watch_get_unix_fd and sets a definition in
> > >> config.h if found. I found AC_CHECK_FUNC and AC_DEFINE reasonable to
> > >> handle this but I'm open to change it if we prefer a different way.
> > >
> > > Should we just fail if we do not have dbus >= 1.1.1 ?
> > >
> > Many, still widespread, distributions like SLES10 and RHEL versions
> > before 5.3 are using dbus versions lower than 1.1.1. It would be nice if
> > we can support them.
>
> ok then it's an ack.

and pushed, case closed! :)

--
Simo Sorce * Red Hat, Inc * New York


From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 01 Apr 2009 11:05:15 -0400
Subject: [Freeipa-devel] [PATCH] Avoid segfaults in backends
In-Reply-To: <49D37AA2.90101@redhat.com>
References: <1238593174.4858.45.camel@localhost.localdomain> <49D37AA2.90101@redhat.com>
Message-ID: <1238598315.4858.52.camel@localhost.localdomain>

On Wed, 2009-04-01 at 10:30 -0400, Stephen Gallagher wrote:
> Simo Sorce wrote:
> > Some modules do not implement all functions.
>
> Ack

pushed

--
Simo Sorce * Red Hat, Inc * New York

From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 01 Apr 2009 12:08:22 -0400
Subject: [Freeipa-devel] [PATCH] tentative reworking of parse name and filters
In-Reply-To: <1238508667.4858.9.camel@localhost.localdomain>
References: <1238508667.4858.9.camel@localhost.localdomain>
Message-ID: <49D39176.9020008@redhat.com>

Simo Sorce wrote:
> While working on making it possible to have multiple domains that do not
> require to use fully qualified names I found myself changing how we
> parse names and how we could filter names.
>
> This patch works here, although I am not 100% satisfied yet.
> I will probably build more on top of it unless someone vehemently
> disagrees with something in this patch.
>
> Please look at how nss_parse_name works, and how permanent filtering
> works right now.
>
> If there are no strongly negative comments then we can push it and
> eventually work on improving things, if necessary, later.
>
> Simo.

I think this is reasonable.

Ack

--
Stephen Gallagher
RHCE 804006346421761

From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 01 Apr 2009 12:36:34 -0400
Subject: [Freeipa-devel] [PATCH] Fixes for nsssrv service
In-Reply-To: <1238596433.4858.49.camel@localhost.localdomain>
References: <1238596091.4858.47.camel@localhost.localdomain> <49D37AC7.9050807@redhat.com> <1238596433.4858.49.camel@localhost.localdomain>
Message-ID: <49D39812.1030709@redhat.com>

Simo Sorce wrote:
> On Wed, 2009-04-01 at 10:31 -0400, Stephen Gallagher wrote:
>> Simo Sorce wrote:
>>> This patch contains fixes needed to make LOCAL be backed by
>>> proxy/libnsss_files (ie local /etc/passwd,/etc/group accounts)
>>>
>>> It also fixes various minor issues found while testing it.
>>>
>>> Simo.
>>>
>> No patch attached.
>
> I am Dumb, du-dumb, du-dumb, da-da ...
>
> here it is.
>
> Simo.

Nack

Copy-paste error in sysdb.h

-#define SYSDB_GRPW_ATTRS {SYSDB_NAME, SYSDB_LAST_UPDATE, \
+#define SYSDB_GRPW_ATTRS {SYSDB_NAME, SYSDB_UIDNUM, \
+                          SYSDB_LAST_UPDATE, \
                           "objectClass", \
                           NULL}

Should be SYSDB_GIDNUM, shouldn't it?

Also, if we're testing for invalid UID/GID, wouldn't '<= 0' be more
accurate than '== 0'?

Nitpick:
+        DEBUG(1, ("The '%s' library does not provides the "
+                  "_nss_XXX_initgroups_dyn function!\n"
+                  "initgroups will be slow as it will require "
+                  "full groups enumeration!\n", libname));

Should read:
The '%s' library does not provide the _nss_XXX_initgroups_dyn function!
initgroups will be slow as it will require full group enumeration.

Nitpick:
Testing for
if ((info->id_min && (gid < info->id_min))
is redundant. We only need to test
if(gid < info->id_min)

--
Stephen Gallagher
RHCE 804006346421761


From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 01 Apr 2009 18:27:31 +0000
Subject: [Freeipa-devel] [PATCH] Fixes for nsssrv service
In-Reply-To: <49D39812.1030709@redhat.com>
References: <1238596091.4858.47.camel@localhost.localdomain> <49D37AC7.9050807@redhat.com> <1238596433.4858.49.camel@localhost.localdomain> <49D39812.1030709@redhat.com>
Message-ID: <1238610451.4858.62.camel@localhost.localdomain>

On Wed, 2009-04-01 at 12:36 -0400, Stephen Gallagher wrote:
> Nack
>
> Copy-paste error in sysdb.h
> -#define SYSDB_GRPW_ATTRS {SYSDB_NAME, SYSDB_LAST_UPDATE, \
> +#define SYSDB_GRPW_ATTRS {SYSDB_NAME, SYSDB_UIDNUM, \
> +                          SYSDB_LAST_UPDATE, \
>                            "objectClass", \
>                            NULL}
>
> Should be SYSDB_GIDNUM, shouldn't it?

No, this is the list of attributes when we search for group members (ie
users).

> Also, if we're testing for invalid UID/GID, wouldn't '<= 0' be more
> accurate than '== 0'?

No, the variables used are all unsigned.

> Nitpick:
> +        DEBUG(1, ("The '%s' library does not provides the "
> +                  "_nss_XXX_initgroups_dyn function!\n"
> +                  "initgroups will be slow as it will require "
> +                  "full groups enumeration!\n", libname));
>
> Should read:
> The '%s' library does not provide the _nss_XXX_initgroups_dyn function!
> initgroups will be slow as it will require full group enumeration.
>
>
> Nitpick:
> Testing for
> if ((info->id_min && (gid < info->id_min))
> is redundant. We only need to test
> if(gid < info->id_min)

right but it is harmless, and conveys the point that it is an "optional"
test :)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

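The two review points settled in the exchange above (that `<= 0` gains nothing over `== 0` for an unsigned id, and that the `id_min &&` guard is redundant for a lower bound whose "unset" value is 0) can be checked mechanically. The following is an added illustration, not code from the nsssrv patch or the SSSD tree: the `struct id_range`, the function names and the sample ids are invented here; only the field name `id_min` and the 0-means-unbounded convention come from the thread, and the `id_max` bound is added for contrast.

```c
/*
 * Added illustration of the two review points above; not the code from
 * the nsssrv patch. The struct and function names are made up.
 *
 * 1. uid_t and gid_t are unsigned, so "id <= 0" selects exactly the same
 *    values as "id == 0": there is no negative id to catch.
 * 2. With id_min == 0 meaning "no lower bound", the guard in
 *    "info->id_min && (gid < info->id_min)" is redundant, because an
 *    unsigned id can never be smaller than 0. An upper bound is the
 *    asymmetric case: there the 0-means-unbounded guard is required.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

struct id_range {
    gid_t id_min;   /* 0 = no lower bound (convention from the thread) */
    gid_t id_max;   /* 0 = no upper bound (added here for contrast) */
};

/* Returns true if gid is a usable id inside the configured range. */
bool gid_allowed(gid_t gid, const struct id_range *r)
{
    if (gid == 0) {                 /* equivalent to "gid <= 0" for gid_t */
        return false;
    }
    if (gid < r->id_min) {          /* never true when id_min == 0 */
        return false;
    }
    if (r->id_max != 0 && gid > r->id_max) {   /* guard is needed here */
        return false;
    }
    return true;
}

/* The same filter written the "defensive" way discussed in the review. */
bool gid_allowed_verbose(gid_t gid, const struct id_range *r)
{
    if (gid <= 0) {
        return false;
    }
    if (r->id_min && (gid < r->id_min)) {
        return false;
    }
    if (r->id_max != 0 && gid > r->id_max) {
        return false;
    }
    return true;
}

/*
 * Counts the constructed sample ids on which the terse and the verbose
 * filter disagree. For unsigned ids the two are the same function, so
 * this returns 0 for every range.
 */
int filter_disagreements(const struct id_range *r)
{
    const gid_t samples[] = { 0, 1, 99, 100, 999, 1000, 60000, 60001, (gid_t)-1 };
    int n = 0;

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (gid_allowed(samples[i], r) != gid_allowed_verbose(samples[i], r)) {
            n++;
        }
    }
    return n;
}

int main(void)
{
    struct id_range unbounded  = { 0, 0 };
    struct id_range floor_only = { 1000, 0 };
    struct id_range both       = { 1000, 60000 };

    printf("disagreements: %d %d %d\n",
           filter_disagreements(&unbounded),
           filter_disagreements(&floor_only),
           filter_disagreements(&both));
    return 0;
}
```

The point for a reviewer is the asymmetry: dropping the guard is safe only for the lower bound, because the unsigned type already rules out values below 0; the same simplification applied to the upper bound would turn "0 = unbounded" into "nothing allowed".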
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 01 Apr 2009 14:30:41 -0400
Subject: [Freeipa-devel] [PATCH] Fixes for nsssrv service
In-Reply-To: <1238610451.4858.62.camel@localhost.localdomain>
References: <1238596091.4858.47.camel@localhost.localdomain> <49D37AC7.9050807@redhat.com> <1238596433.4858.49.camel@localhost.localdomain> <49D39812.1030709@redhat.com> <1238610451.4858.62.camel@localhost.localdomain>
Message-ID: <49D3B2D1.8000300@redhat.com>

Simo Sorce wrote:
> On Wed, 2009-04-01 at 12:36 -0400, Stephen Gallagher wrote:
>
>> Nack
>>
>> Copy-paste error in sysdb.h
>> -#define SYSDB_GRPW_ATTRS {SYSDB_NAME, SYSDB_LAST_UPDATE, \
>> +#define SYSDB_GRPW_ATTRS {SYSDB_NAME, SYSDB_UIDNUM, \
>> +                          SYSDB_LAST_UPDATE, \
>>                            "objectClass", \
>>                            NULL}
>>
>> Should be SYSDB_GIDNUM, shouldn't it?
>
> No, this is the list of attributes when we search for group members (ie
> users).
>
>> Also, if we're testing for invalid UID/GID, wouldn't '<= 0' be more
>> accurate than '== 0'?
>
> No, the variables used are all unsigned.
>
>> Nitpick:
>> +        DEBUG(1, ("The '%s' library does not provides the "
>> +                  "_nss_XXX_initgroups_dyn function!\n"
>> +                  "initgroups will be slow as it will require "
>> +                  "full groups enumeration!\n", libname));
>>
>> Should read:
>> The '%s' library does not provide the _nss_XXX_initgroups_dyn function!
>> initgroups will be slow as it will require full group enumeration.
>>
>>
>> Nitpick:
>> Testing for
>> if ((info->id_min && (gid < info->id_min))
>> is redundant. We only need to test
>> if(gid < info->id_min)
>
> right but it is harmless, and conveys the point that it is an "optional"
> test :)
>
> Simo.

Ack

--
Stephen Gallagher
RHCE 804006346421761


From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 01 Apr 2009 15:03:35 -0400
Subject: [Freeipa-devel] [PATCH] tentative reworking of parse name and filters
In-Reply-To: <49D39176.9020008@redhat.com>
References: <1238508667.4858.9.camel@localhost.localdomain> <49D39176.9020008@redhat.com>
Message-ID: <1238612615.4858.63.camel@localhost.localdomain>

On Wed, 2009-04-01 at 12:08 -0400, Stephen Gallagher wrote:
> Simo Sorce wrote:
> > While working on making it possible to have multiple domains that do not
> > require to use fully qualified names I found myself changing how we
> > parse names and how we could filter names.
> >
> > This patch works here, although I am not 100% satisfied yet.
> > I will probably build more on top of it unless someone vehemently
> > disagrees with something in this patch.
> >
> > Please look at how nss_parse_name works, and how permanent filtering
> > works right now.
> >
> > If there are no strongly negative comments then we can push it and
> > eventually work on improving things, if necessary, later.
>
> I think this is reasonable.
>
> Ack

pushed

--
Simo Sorce * Red Hat, Inc * New York

From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 01 Apr 2009 15:03:51 -0400
Subject: [Freeipa-devel] [PATCH] Fixes for nsssrv service
In-Reply-To: <49D3B2D1.8000300@redhat.com>
References: <1238596091.4858.47.camel@localhost.localdomain> <49D37AC7.9050807@redhat.com> <1238596433.4858.49.camel@localhost.localdomain> <49D39812.1030709@redhat.com> <1238610451.4858.62.camel@localhost.localdomain> <49D3B2D1.8000300@redhat.com>
Message-ID: <1238612631.4858.64.camel@localhost.localdomain>

On Wed, 2009-04-01 at 14:30 -0400, Stephen Gallagher wrote:
> Simo Sorce wrote:
> > On Wed, 2009-04-01 at 12:36 -0400, Stephen Gallagher wrote:
> >
> >> Nack
> >>
> >> Copy-paste error in sysdb.h
> >> -#define SYSDB_GRPW_ATTRS {SYSDB_NAME, SYSDB_LAST_UPDATE, \
> >> +#define SYSDB_GRPW_ATTRS {SYSDB_NAME, SYSDB_UIDNUM, \
> >> +                          SYSDB_LAST_UPDATE, \
> >>                            "objectClass", \
> >>                            NULL}
> >>
> >> Should be SYSDB_GIDNUM, shouldn't it?
> >
> > No, this is the list of attributes when we search for group members (ie
> > users).
> >
> >> Also, if we're testing for invalid UID/GID, wouldn't '<= 0' be more
> >> accurate than '== 0'?
> >
> > No, the variables used are all unsigned.
> >
> >> Nitpick:
> >> +        DEBUG(1, ("The '%s' library does not provides the "
> >> +                  "_nss_XXX_initgroups_dyn function!\n"
> >> +                  "initgroups will be slow as it will require "
> >> +                  "full groups enumeration!\n", libname));
> >>
> >> Should read:
> >> The '%s' library does not provide the _nss_XXX_initgroups_dyn function!
> >> initgroups will be slow as it will require full group enumeration.
> >>
> >>
> >> Nitpick:
> >> Testing for
> >> if ((info->id_min && (gid < info->id_min))
> >> is redundant. We only need to test
> >> if(gid < info->id_min)
> >
> > right but it is harmless, and conveys the point that it is an "optional"
> > test :)
> >
> > Simo.
>
> Ack

pushed

--
Simo Sorce * Red Hat, Inc * New York

From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 01 Apr 2009 23:22:43 -0400
Subject: [Freeipa-devel] [PATCH] First pass at CA installer
Message-ID: <49D42F83.8070309@redhat.com>

Implement an installer for the Dogtag certificate system.

The CA is currently not automatically installed. You have to pass in the
--ca flag to install it.

What works:
- installation
- uninstallation
- cert/ra plugins can issue and retrieve server certs

What doesn't work:
- self-signed CA is still created and issues Apache and DS certs
- dogtag and python-nss not in rpm requires
- requires that CS be in the "pre" install state from pkicreate

So basically after doing this you have 2 CAs. The old self-signed CA
from IPA v1 and a new dogtag-based CA. This new CA is used by the
cert/ra plugins. My next step is to replace the self-signed CA.

I'm also doing all my testing of dogtag using the SVN tip. A number of
important bug fixes are there.

This also adds a python-nss based httplib library. Also on my list of
things to do is to drop the fork calls to sslget. They aren't very
efficient and they make SELinux cry.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-170-ca.patch
Type: application/mbox
Size: 43211 bytes


From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 02 Apr 2009 17:06:56 +0200
Subject: [Freeipa-devel] [PATCH] Import missing 'errors' module.
Message-ID: <49D4D490.4060506@redhat.com>

Pavel

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Import-missing-errors-module.patch

From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 02 Apr 2009 11:08:09 -0400
Subject: [Freeipa-devel] [PATCH] Import missing 'errors' module.
In-Reply-To: <49D4D490.4060506@redhat.com>
References: <49D4D490.4060506@redhat.com>
Message-ID: <49D4D4D9.5070503@redhat.com>

Pavel Zuna wrote:
> Pavel

This change is included in my pending CA patch.

rob


From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 02 Apr 2009 11:17:48 -0400
Subject: [Freeipa-devel] [PATCH] sssd: change from reserved ldap_ to sdap_ in ldap provider
Message-ID: <1238685468.32059.1.camel@localhost.localdomain>

Better not to use the ldap_ name space at all for our internal function
names. Let it be reserved for ldap libraries.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Do-not-use-the-ldap-libraries-ldap_-prefix.patch
Type: text/x-patch
Size: 13597 bytes

From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 02 Apr 2009 11:26:19 -0400
Subject: [Freeipa-devel] [PATCH] sssd: change from reserved ldap_ to sdap_ in ldap provider
In-Reply-To: <1238685468.32059.1.camel@localhost.localdomain>
References: <1238685468.32059.1.camel@localhost.localdomain>
Message-ID: <49D4D91B.5020302@redhat.com>

Simo Sorce wrote:
> Better not to use the ldap_ name space at all for our internal function
> names. Let it be reserved for ldap libraries.
>
> Simo.

Nack:

Line 218: This needs to be left alone as ldap_start_tls(), it's an
actual LDAP call. Please also revert the DEBUG statements related to it.

--
Stephen Gallagher
RHCE 804006346421761

From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 02 Apr 2009 11:46:17 -0400
Subject: [Freeipa-devel] [PATCH] sssd: change from reserved ldap_ to sdap_ in ldap provider
In-Reply-To: <49D4D91B.5020302@redhat.com>
References: <1238685468.32059.1.camel@localhost.localdomain> <49D4D91B.5020302@redhat.com>
Message-ID: <1238687177.32059.6.camel@localhost.localdomain>

On Thu, 2009-04-02 at 11:26 -0400, Stephen Gallagher wrote:
> Simo Sorce wrote:
> > Better not to use the ldap_ name space at all for our internal function
> > names. Let it be reserved for ldap libraries.
> >
> > Simo.
>
> Nack:
>
> Line 218: This needs to be left alone as ldap_start_tls(), it's an
> actual LDAP call. Please also revert the DEBUG statements related to it.

the funny thing is that it actually compiled ...

new patch attached

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Do-not-use-the-ldap-libraries-ldap_-prefix.patch
Type: text/x-patch
Size: 12536 bytes

From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 02 Apr 2009 11:48:00 -0400
Subject: [Freeipa-devel] [PATCH] sssd: change from reserved ldap_ to sdap_ in ldap provider
In-Reply-To: <1238687177.32059.6.camel@localhost.localdomain>
References: <1238685468.32059.1.camel@localhost.localdomain> <49D4D91B.5020302@redhat.com> <1238687177.32059.6.camel@localhost.localdomain>
Message-ID: <49D4DE30.7070208@redhat.com>

Simo Sorce wrote:
> On Thu, 2009-04-02 at 11:26 -0400, Stephen Gallagher wrote:
>> Simo Sorce wrote:
>>> Better not to use the ldap_ name space at all for our internal function
>>> names. Let it be reserved for ldap libraries.
>>>
>>> Simo.
>>
>> Nack:
>>
>> Line 218: This needs to be left alone as ldap_start_tls(), it's an
>> actual LDAP call. Please also revert the DEBUG statements related to it.
>
> the funny thing is that it actually compiled ...
>
> new patch attached
>
> Simo.

Yeah, I just happened to try running it, and I saw the error there.

Ack.

--
Stephen Gallagher
RHCE 804006346421761

From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 02 Apr 2009 12:04:08 -0400
Subject: [Freeipa-devel] [PATCH] sssd: change from reserved ldap_ to sdap_ in ldap provider
In-Reply-To: <49D4DE30.7070208@redhat.com>
References: <1238685468.32059.1.camel@localhost.localdomain> <49D4D91B.5020302@redhat.com> <1238687177.32059.6.camel@localhost.localdomain> <49D4DE30.7070208@redhat.com>
Message-ID: <1238688248.32059.8.camel@localhost.localdomain>

On Thu, 2009-04-02 at 11:48 -0400, Stephen Gallagher wrote:
> >> Nack:
> >>
> >> Line 218: This needs to be left alone as ldap_start_tls(), it's an
> >> actual LDAP call. Please also revert the DEBUG statements related to it.
> >
> > the funny thing is that it actually compiled ...
> >
> > new patch attached
>
> Yeah, I just happened to try running it, and I saw the error there.
>
> Ack.

Sorry, I just realized I forgot to convert the enum value names as well,
attached a new patch.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Do-not-use-the-ldap-libraries-ldap_-prefix.patch
Type: text/x-patch
Size: 14528 bytes

From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 02 Apr 2009 12:07:36 -0400
Subject: [Freeipa-devel] [PATCH] sssd: change from reserved ldap_ to sdap_ in ldap provider
In-Reply-To: <1238688248.32059.8.camel@localhost.localdomain>
References: <1238685468.32059.1.camel@localhost.localdomain> <49D4D91B.5020302@redhat.com> <1238687177.32059.6.camel@localhost.localdomain> <49D4DE30.7070208@redhat.com> <1238688248.32059.8.camel@localhost.localdomain>
Message-ID: <49D4E2C8.5050207@redhat.com>

Simo Sorce wrote:
> On Thu, 2009-04-02 at 11:48 -0400, Stephen Gallagher wrote:
>>>> Nack:
>>>>
>>>> Line 218: This needs to be left alone as ldap_start_tls(), it's an
>>>> actual LDAP call. Please also revert the DEBUG statements related to it.
>>> the funny thing is that it actually compiled ...
>>>
>>> new patch attached
>
>> Yeah, I just happened to try running it, and I saw the error there.
>>
>> Ack.
>
> Sorry, I just realized I forgot to convert the enum value names as well,
> attached a new patch.
>
> Simo.

Ack

--
Stephen Gallagher
RHCE 804006346421761

From: jderose at redhat.com (Jason Gerard DeRose)
Date: Thu, 02 Apr 2009 16:53:09 -0600
Subject: [Freeipa-devel] [PATCH] Import missing 'errors' module.
In-Reply-To: <49D4D490.4060506@redhat.com>
References: <49D4D490.4060506@redhat.com>
Message-ID: <1238712789.6905.3.camel@jgd-dsk>

On Thu, 2009-04-02 at 17:06 +0200, Pavel Zuna wrote:
> Pavel

nack. The errors module is deprecated, uses the old non-i18n friendly
errors classes. If cli.py is referencing exceptions in errors.py, they
should be changed to an equivalent exception in errors2.py (which we
will create if needed).

I'll try to clean the errors/errors2 mess up today. It's been on my
todo list for a while, but I've been busy with UI work.

From: jderose at redhat.com (Jason Gerard DeRose)
Date: Fri, 03 Apr 2009 01:52:42 -0600
Subject: [Freeipa-devel] [PATCH] First pass at CA installer
In-Reply-To: <49D42F83.8070309@redhat.com>
References: <49D42F83.8070309@redhat.com>
Message-ID: <1238745162.17593.3.camel@jgd-dsk>

On Wed, 2009-04-01 at 23:22 -0400, Rob Crittenden wrote:
> Implement an installer for the Dogtag certificate system.
>
> The CA is currently not automatically installed. You have to pass in the
> --ca flag to install it.
>
> What works:
> - installation
> - uninstallation
> - cert/ra plugins can issue and retrieve server certs
>
> What doesn't work:
> - self-signed CA is still created and issues Apache and DS certs
> - dogtag and python-nss not in rpm requires
> - requires that CS be in the "pre" install state from pkicreate
>
> So basically after doing this you have 2 CAs. The old self-signed CA
> from IPA v1 and a new dogtag-based CA. This new CA is used by the
> cert/ra plugins. My next step is to replace the self-signed CA.
>
> I'm also doing all my testing of dogtag using the SVN tip. A number of
> important bug fixes are there.
>
> This also adds a python-nss based httplib library. Also on my list of
> things to do is to drop the fork calls to sslget. They aren't very
> efficient and they make SELinux cry.
>
> rob

ack. I don't understand all of the installer details, but everything
looks reasonable to me, doesn't seem to break anything.

Thanks for fixing the ra.sec_dir path when running in the server.

From: jderose at redhat.com (Jason Gerard DeRose)
Date: Fri, 03 Apr 2009 02:04:01 -0600
Subject: [Freeipa-devel] [PATCH] Add 'container_hbac' env variable
In-Reply-To: <49D25F17.6040102@redhat.com>
References: <49D25F17.6040102@redhat.com>
Message-ID: <1238745841.17593.4.camel@jgd-dsk>

On Tue, 2009-03-31 at 20:21 +0200, Pavel Zuna wrote:
> Env variable used by HBAC management plugin. Submitting this now, so it
> doesn't get in my way anymore. Plugin should follow in a couple of days.
>
> Pavel

ack.

From jderose at redhat.com Fri Apr 3 08:12:22 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Fri, 03 Apr 2009 02:12:22 -0600
Subject: [Freeipa-devel] [PATCH] Add new LDAP backend plugin
In-Reply-To: <49D25F7A.30404@redhat.com>
References: <49D25F7A.30404@redhat.com>
Message-ID: <1238746342.17593.12.camel@jgd-dsk>

On Tue, 2009-03-31 at 20:22 +0200, Pavel Zuna wrote:
> ldap2 I posted last week, this time as a patch.
>
> Pavel

ack. There's no reason not to have this in. Obviously we will need to
be more conservative when it comes to porting commands to use this new
backend, but in the meantime let's get it in the tree and get more eyes
on it.

Nice work, Pavel. I'll try to spend some time beating up on your new
plugin soon, give you more detailed feedback.

From rcritten at redhat.com Fri Apr 3 13:24:23 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 03 Apr 2009 09:24:23 -0400
Subject: [Freeipa-devel] [PATCH] Import missing 'errors' module.
In-Reply-To: <1238712789.6905.3.camel@jgd-dsk>
References: <49D4D490.4060506@redhat.com> <1238712789.6905.3.camel@jgd-dsk>
Message-ID: <49D60E07.9020408@redhat.com>

Jason Gerard DeRose wrote:
> On Thu, 2009-04-02 at 17:06 +0200, Pavel Zuna wrote:
>> Pavel
>
> nack. The errors module is deprecated; it uses the old non-i18n friendly
> errors classes. If cli.py is referencing exceptions in errors.py, they
> should be changed to an equivalent exception in errors2.py (which we
> will create if needed).
>
> I'll try to clean the errors/errors2 mess up today. It's been on my
> todo list for a while, but I've been busy with UI work.

I took a short-term view on this too. Adding an errors import doesn't
fix the underlying problem but it does make the code stop throwing an
exception.

rob

From rcritten at redhat.com Fri Apr 3 18:08:36 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 03 Apr 2009 14:08:36 -0400
Subject: [Freeipa-devel] [PATCH] First pass at CA installer
In-Reply-To: <1238745162.17593.3.camel@jgd-dsk>
References: <49D42F83.8070309@redhat.com> <1238745162.17593.3.camel@jgd-dsk>
Message-ID: <49D650A4.9080709@redhat.com>

Jason Gerard DeRose wrote:
> On Wed, 2009-04-01 at 23:22 -0400, Rob Crittenden wrote:
>> Implement an installer for the Dogtag certificate system.
>>
>> The CA is currently not automatically installed. You have to pass in the
>> --ca flag to install it.
>>
>> What works:
>> - installation
>> - uninstallation
>> - cert/ra plugins can issue and retrieve server certs
>>
>> What doesn't work:
>> - self-signed CA is still created and issues Apache and DS certs
>> - dogtag and python-nss not in rpm requires
>> - requires that CS be in the "pre" install state from pkicreate
>>
>> So basically after doing this you have 2 CAs. The old self-signed CA
>> from IPA v1 and a new dogtag-based CA. This new CA is used by the
>> cert/ra plugins. My next step is to replace the self-signed CA.
>>
>> I'm also doing all my testing of dogtag using the SVN tip. A number of
>> important bug fixes are there.
>>
>> This also adds a python-nss based httplib library. Also on my list of
>> things to do is to drop the fork calls to sslget. They aren't very
>> efficient and they make SELinux cry.
>>
>> rob
>
> ack. I don't understand all of the installer details, but everything
> looks reasonable to me, doesn't seem to break anything.
>
> Thanks for fixing the ra.sec_dir path when running in the server.
>

pushed to master

From rcritten at redhat.com Fri Apr 3 18:08:45 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 03 Apr 2009 14:08:45 -0400
Subject: [Freeipa-devel] [PATCH] Add 'container_hbac' env variable
In-Reply-To: <1238745841.17593.4.camel@jgd-dsk>
References: <49D25F17.6040102@redhat.com> <1238745841.17593.4.camel@jgd-dsk>
Message-ID: <49D650AD.7060907@redhat.com>

Jason Gerard DeRose wrote:
> On Tue, 2009-03-31 at 20:21 +0200, Pavel Zuna wrote:
>> Env variable used by HBAC management plugin. Submitting this now, so it
>> doesn't get in my way anymore. Plugin should follow in a couple of days.
>>
>> Pavel
>
> ack.

pushed to master

From rcritten at redhat.com Fri Apr 3 18:08:55 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 03 Apr 2009 14:08:55 -0400
Subject: [Freeipa-devel] [PATCH] Add new LDAP backend plugin
In-Reply-To: <1238746342.17593.12.camel@jgd-dsk>
References: <49D25F7A.30404@redhat.com> <1238746342.17593.12.camel@jgd-dsk>
Message-ID: <49D650B7.1050907@redhat.com>

Jason Gerard DeRose wrote:
> On Tue, 2009-03-31 at 20:22 +0200, Pavel Zuna wrote:
>> ldap2 I posted last week, this time as a patch.
>>
>> Pavel
>
> ack. There's no reason not to have this in. Obviously we will need to
> be more conservative when it comes to porting commands to use this new
> backend, but in the meantime let's get it in the tree and get more eyes
> on it.
>
> Nice work, Pavel. I'll try to spend some time beating up on your new
> plugin soon, give you more detailed feedback.

pushed to master

From rcritten at redhat.com Fri Apr 3 18:13:02 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 03 Apr 2009 14:13:02 -0400
Subject: [Freeipa-devel] [PATCH] catch GSS errors in the cli
Message-ID: <49D651AE.7040905@redhat.com>

Catch and display GSS errors on the command-line.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-171-cligss.patch
Type: application/mbox
Size: 1105 bytes
Desc: not available
URL: 

From rcritten at redhat.com Fri Apr 3 18:13:45 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 03 Apr 2009 14:13:45 -0400
Subject: [Freeipa-devel] [PATCH] default values in host plugin
Message-ID: <49D651D9.6070600@redhat.com>

Fill in OS and platform in the host plugin when creating new entries.

We can get a fair bit of information from Python about the underlying
OS/platform so why not use it.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-172-host.patch
Type: application/mbox
Size: 1939 bytes
Desc: not available
URL: 

From ssorce at redhat.com Fri Apr 3 18:33:13 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 03 Apr 2009 14:33:13 -0400
Subject: [Freeipa-devel] [PATCH] sssd: change from reserved ldap_ to sdap_ in ldap provider
In-Reply-To: <49D4E2C8.5050207@redhat.com>
References: <1238685468.32059.1.camel@localhost.localdomain> <49D4D91B.5020302@redhat.com> <1238687177.32059.6.camel@localhost.localdomain> <49D4DE30.7070208@redhat.com> <1238688248.32059.8.camel@localhost.localdomain> <49D4E2C8.5050207@redhat.com>
Message-ID: <1238783593.32059.44.camel@localhost.localdomain>

On Thu, 2009-04-02 at 12:07 -0400, Stephen Gallagher wrote:
> Simo Sorce wrote:
> > On Thu, 2009-04-02 at 11:48 -0400, Stephen Gallagher wrote:
> >>>> Nack:
> >>>>
> >>>> Line 218: This needs to be left alone as ldap_start_tls(), it's an
> >>>> actual LDAP call. Please also revert the DEBUG statements related to it.
> >>> the funny thing is that it actually compiled ...
> >>>
> >>> new patch attached
> >
> >
> >> Yeah, I just happened to try running it, and I saw the error there.
> >>
> >> Ack.
> >
> > Sorry, I just realized I missed converting enum value names as well,
> > attached a new patch.
> >
> > Simo.
> >
> >
> Ack

Pushed, and pushed also a patch to remove an old file that was basically
empty and unused.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri Apr 3 20:19:47 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 03 Apr 2009 16:19:47 -0400
Subject: [Freeipa-devel] [PATCH] Use proper error for Kerberos and Network in cli
Message-ID: <49D66F63.7030708@redhat.com>

This enhances the last patch adding an except for GSSAPI errors and also
adds one for XML-RPC protocol errors.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-173-errors.patch
Type: application/mbox
Size: 2297 bytes
Desc: not available
URL: 

From rcritten at redhat.com Fri Apr 3 20:20:25 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 03 Apr 2009 16:20:25 -0400
Subject: [Freeipa-devel] [PATCH] configure right file in ipa-client
Message-ID: <49D66F89.6000106@redhat.com>

The new ipa tool uses a different configuration file than the old ipa-*
tools so create that file in ipa-client-install.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-174-client.patch
Type: application/mbox
Size: 1853 bytes
Desc: not available
URL: 

From dpal at redhat.com Sat Apr 4 00:54:40 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 03 Apr 2009 20:54:40 -0400
Subject: [Freeipa-devel] Collection API first commit
Message-ID: <49D6AFD0.2010606@redhat.com>

This is the first official patch with collection API.
All the details about API are in the collection.h

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-First-commit-of-basic-collection-API.patch
Type: text/x-patch
Size: 220183 bytes
Desc: not available
URL: 

From sbose at redhat.com Sat Apr 4 21:30:56 2009
From: sbose at redhat.com (Sumit Bose)
Date: Sat, 04 Apr 2009 23:30:56 +0200
Subject: [Freeipa-devel] [PATCH] sssd: kerberos backend
Message-ID: <49D7D190.3040703@redhat.com>

Hi,

the following series of patches introduces a kerberos backend to sssd.

0001: a small locator plugin to find the realm name and the kdc. This is
useful for testing, because you do not have to modify your krb5.conf
and later on we can hook this plugin to the utility which will do the
DNS queries and cache the results for future use. So far it checks the
environment variables SSSD_REALM and SSSD_KDC. So please set them
appropriately before starting sssd. (SSSD_KDC should be an IP address and
not a hostname).

0002: the kerberos backend. Due to the lack of an asynchronous kerberos
implementation this backend forks to make the blocking kerberos calls.
The rest is hopefully asynchronous.

0003: to be able to create the user's credential cache with the right
access permission, we need to know the uid of the user. This patch adds
a uid field to the main pam_data structure (I know that the primary uid
is needed too, but it was not clear to me how to handle this in the case
where we have MPGs. Simo, maybe you can add the right gid handling?)

0004: the glibc getpwnam call will not work so I added a sysdb_getpwnam
call to get the uid from the cached data (or the LOCAL backend). There
is a hack that if the domain is called KRB (domain which the kerberos
backend) the user is searched in the LOCAL backend, because kerberos is
not an identity provider.

0005: this patch allows the pam client pam_sss to send messages back to
the user via pam conversation which originated from the responder or the
backends.

0006: the kerberos backend cannot implement get_account_info. So far the
data provider backend code does not check if a call is implemented or
not. I have seen some delays and segmentation faults with nss calls when
using the kerberos backend, so I implemented a small check to avoid
calling a NULL pointer. This may not be necessary anymore if we split
the nss get_account_info call (identity provider) and the pam call
(authentication provider). I think I have seen a recent patch by Simo
which will do a similar thing so maybe this one can just be dropped.

0007: the patches so far only touch code. This one contains all changes
to the autotools files like configure.ac and Makefile.in to find the
kerberos libraries, the kerberos plugin path and to compile the new
files.

Have a nice weekend.

bye,
Sumit

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-kerberos-locator-plugin-to-find-realm-and-kdc.patch
Type: text/x-patch
Size: 3881 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-kerberos-backend.patch
Type: text/x-patch
Size: 14137 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-add-pw_uid-to-struct-pam_data.patch
Type: text/x-patch
Size: 2097 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-added-sysdb_getpwnam-to-pam-responder-to-get-pw_uid.patch
Type: text/x-patch
Size: 3634 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-added-show_message-to-display-pam-info-messages-to-t.patch
Type: text/x-patch
Size: 2723 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-check-if-the-backend-implements-get_account_info.patch
Type: text/x-patch
Size: 967 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0007-updates-to-autotool-files-to-build-kerberos-backend.patch
Type: text/x-patch
Size: 8642 bytes
Desc: not available
URL: 

From ssorce at redhat.com Sun Apr 5 22:31:04 2009
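An added illustration of the two points Sumit raises under 0004 and 0006 (not code from the sssd patches themselves): a backend operation table in which a slot may be left unset, a dispatcher that refuses such a request instead of calling a NULL pointer, and the routing rule that sends KRB identity lookups to LOCAL. All type and function names, and the two-entry local user table, are hypothetical and constructed for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request type; the real sssd pam_data/be_req differ. */
struct be_req {
    const char *domain;    /* domain the request is addressed to */
    const char *user;
    unsigned int uid;      /* filled in by get_account_info */
    int authenticated;     /* set by pam_handler */
};

typedef int (*be_op_fn)(struct be_req *req);

/* Operation table of a data provider backend. A slot is NULL when the
 * backend does not offer that service: the kerberos backend in the thread
 * only authenticates, the LOCAL backend only answers identity lookups. */
struct be_ops {
    const char *name;
    be_op_fn get_account_info;   /* identity provider, may be NULL */
    be_op_fn pam_handler;        /* authentication provider, may be NULL */
};

enum be_op { BE_OP_GET_ACCOUNT_INFO, BE_OP_PAM_HANDLER };

/* Constructed stand-in for the cached sysdb/LOCAL accounts. */
static const struct { const char *name; unsigned int uid; } local_users[] = {
    { "alice", 1000 }, { "bob", 1001 },
};

static int local_get_account_info(struct be_req *req)
{
    size_t i;
    for (i = 0; i < sizeof(local_users) / sizeof(local_users[0]); i++) {
        if (strcmp(local_users[i].name, req->user) == 0) {
            req->uid = local_users[i].uid;
            return 0;
        }
    }
    return ENOENT;
}

/* Stand-in for the forked blocking kerberos exchange: just records success. */
static int krb_pam_handler(struct be_req *req)
{
    req->authenticated = 1;
    return 0;
}

static const struct be_ops krb_backend   = { "KRB",   NULL, krb_pam_handler };
static const struct be_ops local_backend = { "LOCAL", local_get_account_info, NULL };

/* The check described under 0006: look the slot up first and fail the
 * request with ENOSYS rather than jumping through a NULL pointer. */
int be_dispatch(const struct be_ops *be, enum be_op op, struct be_req *req)
{
    be_op_fn fn;

    if (be == NULL || req == NULL)
        return EINVAL;
    switch (op) {
    case BE_OP_GET_ACCOUNT_INFO: fn = be->get_account_info; break;
    case BE_OP_PAM_HANDLER:      fn = be->pam_handler;      break;
    default:                     return EINVAL;
    }
    if (fn == NULL) {
        fprintf(stderr, "backend %s does not implement op %d\n", be->name, (int)op);
        return ENOSYS;
    }
    return fn(req);
}

/* The routing hack described under 0004: identity lookups for the KRB
 * domain are served by LOCAL because kerberos is not an identity provider. */
const struct be_ops *be_for_request(const char *domain, enum be_op op)
{
    if (domain == NULL)
        return NULL;
    if (strcmp(domain, "KRB") == 0)
        return op == BE_OP_GET_ACCOUNT_INFO ? &local_backend : &krb_backend;
    if (strcmp(domain, "LOCAL") == 0)
        return &local_backend;
    return NULL;
}

int main(void)
{
    struct be_req req = { "KRB", "alice", 0, 0 };
    int ret;

    /* Unrouted call on the kerberos backend: refused, not a segfault. */
    ret = be_dispatch(&krb_backend, BE_OP_GET_ACCOUNT_INFO, &req);
    printf("krb get_account_info: %s\n", strerror(ret));
    /* Routed calls: uid comes from LOCAL, authentication from KRB. */
    ret = be_dispatch(be_for_request(req.domain, BE_OP_GET_ACCOUNT_INFO),
                      BE_OP_GET_ACCOUNT_INFO, &req);
    printf("routed get_account_info: %s, uid %u\n", strerror(ret), req.uid);
    ret = be_dispatch(be_for_request(req.domain, BE_OP_PAM_HANDLER),
                      BE_OP_PAM_HANDLER, &req);
    printf("routed pam_handler: %s, authenticated %d\n", strerror(ret),
           req.authenticated);
    return 0;
}
```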
From: ssorce at redhat.com (Simo Sorce)
Date: Sun, 05 Apr 2009 18:31:04 -0400
Subject: [Freeipa-devel] [PATCH] sssd: kerberos backend
In-Reply-To: <49D7D190.3040703@redhat.com>
References: <49D7D190.3040703@redhat.com>
Message-ID: <1238970664.32059.98.camel@localhost.localdomain>

On Sat, 2009-04-04 at 23:30 +0200, Sumit Bose wrote:
> Hi,
>
> the following series of patches introduces a kerberos backend to sssd.
>
> 0001: a small locator plugin to find the realm name and the kdc. This is
> useful for testing, because you do not have to modify your krb5.conf
> and later on we can hook this plugin to the utility which will do the
> DNS queries and cache the results for future use. So far it checks the
> environment variables SSSD_REALM and SSSD_KDC. So please set them
> appropriately before starting sssd. (SSSD_KDC should be an IP address and
> not a hostname).

This is very useful, thanks.
We should probably use a (mmaped ?) file or some other mechanism so that
we can pump configuration changes in live without having to restart
processes if something changes (join/unjoin/location changes/...) but it's
a good start.

> 0002: the kerberos backend. Due to the lack of an asynchronous kerberos
> implementation this backend forks to make the blocking kerberos calls.
> The rest is hopefully asynchronous.

Ok there may be a problem with just forking and not executing a new
process, in that dbus may then close the parent channels when you exit.
I am also changing the way auth modules interface, I will take on
working with this module to adapt it to the new interfaces before
committing it.

> 0003: to be able to create the user's credential cache with the right
> access permission, we need to know the uid of the user. This patch adds
> a uid field to the main pam_data structure (I know that the primary uid
> is needed too, but it was not clear to me how to handle this in the case
> where we have MPGs. Simo, maybe you can add the right gid handling?)

I think we need to let the sysdb handle this for you, like we do for the
nss case. We also need to make the pam responder find out more info
about the user. I will take a closer look later on.

> 0004: the glibc getpwnam call will not work so I added a sysdb_getpwnam
> call to get the uid from the cached data (or the LOCAL backend). There
> is a hack that if the domain is called KRB (domain which the kerberos
> backend) the user is searched in the LOCAL backend, because kerberos is
> not an identity provider.

I have already a patch that separates identity and auth modules, I will
adapt the code before pushing, once my patch is in.

> 0005: this patch allows the pam client pam_sss to send messages back to
> the user via pam conversation which originated from the responder or the
> backends.

ack, I will push this one this coming week

> 0006: the kerberos backend cannot implement get_account_info. So far the
> data provider backend code does not check if a call is implemented or
> not. I have seen some delays and segmentation faults with nss calls when
> using the kerberos backend, so I implemented a small check to avoid
> calling a NULL pointer. This may not be necessary anymore if we split
> the nss get_account_info call (identity provider) and the pam call
> (authentication provider). I think I have seen a recent patch by Simo
> which will do a similar thing so maybe this one can just be dropped.

Yes I have committed a more generic patch, which is not ideal either, my
upcoming code that separates identity and auth modules will address the
problem in a better way.

> 0007: the patches so far only touch code. This one contains all changes
> to the autotools files like configure.ac and Makefile.in to find the
> kerberos libraries, the kerberos plugin path and to compile the new
> files.
>
> Have a nice weekend.

Thanks Sumit,
I will work this week to integrate these patches and adapt them to the
work I am doing on the interfaces. I hope we will be able to soon have
an ldap-backed identity provider perform kerberos pam authentication.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Mon Apr 6 02:52:58 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Sun, 05 Apr 2009 22:52:58 -0400
Subject: [Freeipa-devel] ini interface as promised
Message-ID: <49D96E8A.2020209@redhat.com>

Please find attached the first pass at the INI interface.

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-First-attempt-to-produce-INI-interface.patch
Type: text/x-patch
Size: 81000 bytes
Desc: not available
URL: 

From sgallagh at redhat.com Mon Apr 6 11:56:27 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 06 Apr 2009 07:56:27 -0400
Subject: [Freeipa-devel] [PATCH] sssd: kerberos backend
In-Reply-To: <1238970664.32059.98.camel@localhost.localdomain>
References: <49D7D190.3040703@redhat.com> <1238970664.32059.98.camel@localhost.localdomain>
Message-ID: <49D9EDEB.3010707@redhat.com>

Simo Sorce wrote:
> On Sat, 2009-04-04 at 23:30 +0200, Sumit Bose wrote:
>> Hi,
>>
>> the following series of patches introduces a kerberos backend to sssd.
>>
>> 0001: a small locator plugin to find the realm name and the kdc. This is
>> useful for testing, because you do not have to modify your krb5.conf
>> and later on we can hook this plugin to the utility which will do the
>> DNS queries and cache the results for future use. So far it checks the
>> environment variables SSSD_REALM and SSSD_KDC. So please set them
>> appropriately before starting sssd. (SSSD_KDC should be an IP address and
>> not a hostname).
>
> This is very useful, thanks.
> We should probably use a (mmaped ?) file or some other mechanism so that
> we can pump configuration changes in live without having to restart
> processes if something changes (join/unjoin/location changes/...) but it's
> a good start.
>
>> 0002: the kerberos backend. Due to the lack of an asynchronous kerberos
>> implementation this backend forks to make the blocking kerberos calls.
>> The rest is hopefully asynchronous.
>
> Ok there may be a problem with just forking and not executing a new
> process, in that dbus may then close the parent channels when you exit.
> I am also changing the way auth modules interface, I will take on
> working with this module to adapt it to the new interfaces before
> committing it.
>

Simo is right. There's a bug in D-BUS (which upstream refuses to fix on
the grounds that "forking without exec() is broken"). So when you call
exit in the forked process, it will close and remove the internal pipe
files for the SBUS connection, wreaking havoc on the rest of the system.
(And yes, that was a pun on the name of the D-BUS creator)

>> 0003: to be able to create the user's credential cache with the right
>> access permission, we need to know the uid of the user. This patch adds
>> a uid field to the main pam_data structure (I know that the primary uid
>> is needed too, but it was not clear to me how to handle this in the case
>> where we have MPGs. Simo, maybe you can add the right gid handling?)
>
> I think we need to let the sysdb handle this for you, like we do for the
> nss case. We also need to make the pam responder find out more info
> about the user. I will take a closer look later on.
>
>> 0004: the glibc getpwnam call will not work so I added a sysdb_getpwnam
>> call to get the uid from the cached data (or the LOCAL backend). There
>> is a hack that if the domain is called KRB (domain which the kerberos
>> backend) the user is searched in the LOCAL backend, because kerberos is
>> not an identity provider.
>
> I have already a patch that separates identity and auth modules, I will
> adapt the code before pushing, once my patch is in.
>
>> 0005: this patch allows the pam client pam_sss to send messages back to
>> the user via pam conversation which originated from the responder or the
>> backends.
>
> ack, I will push this one this coming week
>
>> 0006: the kerberos backend cannot implement get_account_info. So far the
>> data provider backend code does not check if a call is implemented or
>> not. I have seen some delays and segmentation faults with nss calls when
>> using the kerberos backend, so I implemented a small check to avoid
>> calling a NULL pointer. This may not be necessary anymore if we split
>> the nss get_account_info call (identity provider) and the pam call
>> (authentication provider). I think I have seen a recent patch by Simo
>> which will do a similar thing so maybe this one can just be dropped.
>
> Yes I have committed a more generic patch, which is not ideal either, my
> upcoming code that separates identity and auth modules will address the
> problem in a better way.
>
>> 0007: the patches so far only touch code. This one contains all changes
>> to the autotools files like configure.ac and Makefile.in to find the
>> kerberos libraries, the kerberos plugin path and to compile the new
>> files.
>>
>> Have a nice weekend.
>
> Thanks Sumit,
> I will work this week to integrate these patches and adapt them to the
> work I am doing on the interfaces. I hope we will be able to soon have
> an ldap-backed identity provider perform kerberos pam authentication.
>
> Simo.
>

-- 
Stephen Gallagher
RHCE 804006346421761

From pzuna at redhat.com Mon Apr 6 14:17:53 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Mon, 06 Apr 2009 16:17:53 +0200
Subject: [Freeipa-devel] [PATCH] Use full OID for LDAP SYNTAX identification.
Message-ID: <49DA0F11.9070908@redhat.com>

LDAP Backend 2 tweaks.

Pavel

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Use-full-OID-for-LDAP-SYNTAX-identification.patch
URL: 

From rcritten at redhat.com Mon Apr 6 15:03:44 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 06 Apr 2009 11:03:44 -0400
Subject: [Freeipa-devel] Documentation update
Message-ID: <49DA19D0.3020209@redhat.com>

Updated documentation for IPA v1.2.1 is finally available. It has also
been converted to static HTML files.

We were having problems keeping the documentation in sync with what we
also wanted to deliver as pdf and html files resulting in frequent and
long delays in updating the wiki. The solution we came up with is to
publish the documentation in a public GIT repo and build the html files
that appear on the wiki from there.

The repository is here:
http://git.fedorahosted.org/git/ipadocs.git?p=ipadocs.git;a=summary

These static html files are built with a Red Hat internally-developed
documentation tool, Publican. We're encouraging the Fedora people (and
others) to use it, and they're providing lots of feedback and helping
to improve it.

Publican takes docbook xml as input, validates it according to the
"brand" being used (Fedora, Red Hat, JBoss, etc., specified in the
Makefile), and can produce html, pdf, and rpm output. It also includes
options to create localization kits. We use publican to create the
POT/PO files for translation and to create localized versions of books.

For those interested in getting involved in publican:
publican-list at redhat.com
https://www.redhat.com/mailman/listinfo/publican-list
Wiki: https://fedorahosted.org/publican

There are still a few pointers to wiki-based documentation. We'll be
dealing with these in the near future.

The old wiki docs are still hosted currently. I'm going to completely
remove them in the very near future so they aren't accidentally found
by the search system. I'm also looking for a way to index these files
for searching within the wiki.

rob

From rcritten at redhat.com Mon Apr 6 15:23:54 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 06 Apr 2009 11:23:54 -0400
Subject: [Freeipa-devel] [PATCH] Use full OID for LDAP SYNTAX identification.
In-Reply-To: <49DA0F11.9070908@redhat.com>
References: <49DA0F11.9070908@redhat.com>
Message-ID: <49DA1E8A.80508@redhat.com>

Pavel Zuna wrote:
> LDAP Backend 2 tweaks.
>
> Pavel
>

ack and pushed to master

rob

From pzuna at redhat.com Mon Apr 6 17:08:14 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Mon, 06 Apr 2009 19:08:14 +0200
Subject: [Freeipa-devel] [PATCH] Add more sophisticated help interface. Split commands into 'topics'.
Message-ID: <49DA36FE.2020109@redhat.com>

This is more of a suggestion than a real patch. I thought it might be
easier to actually show what I had in mind than explaining it.
Sometimes code is more than words. :)

Pavel

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Add-more-sophisticated-help-interface.-Split-command.patch
URL: 

From sgallagh at redhat.com Mon Apr 6 19:42:38 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 06 Apr 2009 15:42:38 -0400 Subject: [Freeipa-devel] [PATCHES] Some fixes for the Collection and INI parser Message-ID: <49DA5B2E.6090103@redhat.com> 0001, 0002: Fixed whitespace issues with Dmitri's original patch. No other changes. 0003: INI parser wasn't being build (missing from the configure.ac), README needed work. Add -Wall to the compile flags. 0004: Fix a lot of warnings. BEFORE 0004: In file included from collection.c:32: collection.h:116:1: warning: "/*" within comment collection.h:148:1: warning: "/*" within comment collection.c: In function ?update_current_item?: collection.c:737: warning: unused variable ?error? collection.c: In function ?get_reference_from_item?: collection.c:1471: warning: unused variable ?error? collection.c: In function ?modify_item?: collection.c:1881: warning: unused variable ?error? collection.c: In function ?grow_stack?: collection.c:2057: warning: unused variable ?error? collection.c: In function ?walk_items?: collection.c:565: warning: ?parent? may be used uninitialized in this function collection.c: In function ?add_property?: collection.c:306: warning: ?item? may be used uninitialized in this function In file included from collection_tools.c:28: collection.h:116:1: warning: "/*" within comment collection.h:148:1: warning: "/*" within comment collection_tools.c: In function ?put_marker?: collection_tools.c:308: warning: implicit declaration of function ?memcpy? collection_tools.c:308: warning: incompatible implicit declaration of built-in function ?memcpy? In file included from collection_ut.c:28: collection.h:116:1: warning: "/*" within comment collection.h:148:1: warning: "/*" within comment collection_ut.c: In function ?ref_collection_test?: collection_ut.c:37: warning: unused variable ?found? collection_ut.c: In function ?add_collection_test?: collection_ut.c:172: warning: unused variable ?found? 
collection_ut.c: In function ?mixed_collection_test?: collection_ut.c:440: warning: implicit declaration of function ?print_collection2? collection_ut.c:526: warning: pointer targets in passing argument 2 of ?get_collection_class? differ in signedness collection_ut.c:230: warning: unused variable ?packet? In file included from ini_config.c:35: ../collection/collection.h:116:1: warning: "/*" within comment ../collection/collection.h:148:1: warning: "/*" within comment In file included from ../collection/collection_tools.h:27, from ini_config.c:36: ../collection/collection.h:116:1: warning: "/*" within comment ../collection/collection.h:148:1: warning: "/*" within comment In file included from ini_config.c:38: ini_config.h:110:1: warning: "/*" within comment ini_config.c: In function ?ini_to_collection?: ini_config.c:169: warning: implicit declaration of function ?read_line? ini_config.c:140: warning: unused variable ?type? ini_config.c: In function ?config_for_app?: ini_config.c:352: warning: unused variable ?error_file_set? ini_config.c: In function ?read_line?: ini_config.c:491: warning: unused variable ?status? ini_config.c: In function ?print_file_parsing_errors?: ini_config.c:684: warning: pointer targets in passing argument 2 of ?get_collection_count? differ in signedness ini_config.c:642: warning: unused variable ?header? ini_config.c: In function ?get_config_item?: ini_config.c:799: warning: statement with no effect ini_config.c: In function ?get_string_config_array?: ini_config.c:1123: warning: implicit declaration of function ?strnlen? ini_config.c:1100: warning: unused variable ?total? 
In file included from ini_config.h:27, from ini_config_ut.c:25: ../collection/collection.h:116:1: warning: "/*" within comment ../collection/collection.h:148:1: warning: "/*" within comment In file included from ini_config_ut.c:25: ini_config.h:110:1: warning: "/*" within comment In file included from ../collection/collection_tools.h:27, from ini_config_ut.c:27: ../collection/collection.h:116:1: warning: "/*" within comment ../collection/collection.h:148:1: warning: "/*" within comment ini_config_ut.c: In function ?negative_test?: ini_config_ut.c:120: warning: pointer targets in passing argument 2 of ?get_collection_count? differ in signedness ini_config_ut.c:89: warning: unused variable ?error_set? ini_config_ut.c: In function ?get_test?: ini_config_ut.c:337: warning: implicit declaration of function ?free? ini_config_ut.c:337: warning: incompatible implicit declaration of built-in function ?free? ini_config_ut.c:452: warning: format ?%d? expects type ?int?, but argument 2 has type ?long int? ini_config_ut.c:492: warning: format ?%d? expects type ?int?, but argument 2 has type ?long unsigned int? ini_config_ut.c:512: warning: format ?%d? expects type ?int?, but argument 2 has type ?double? ini_config_ut.c:678: warning: format ?%d? expects type ?int?, but argument 2 has type ?long int? ini_config_ut.c:214: warning: unused variable ?type? ini_config_ut.c:212: warning: unused variable ?iterator? AFTER 0004: collection.c: In function ?walk_items?: collection.c:565: warning: ?parent? may be used uninitialized in this function The remaining warning is a real bug which Dmitri will fix soon. It's a rare case that will cause a segfault if a program is trying to walk through a complete collection, performing deletes and the first entry (which has no parent) needs to be deleted. I am going to ack the first two patches (with the whitespace corrections), but I'm not going to push them until someone (preferably Dmitri) reviews my two follow-on patches. 
-- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-First-commit-of-basic-collection-API.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0002-First-attempt-to-produce-INI-interface.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0003-Fix-build-system-for-Collection-and-INI-parser.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0004-Clean-up-a-lot-of-warnings-in-Collection-and-INI-par.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From dpal at redhat.com Mon Apr 6 19:57:01 2009 
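The walk-and-delete case Stephen describes above (deleting the first entry, which has no parent, while walking a collection) in a self-contained form. This is an added example written for this page, not the project's collection.c: the item and collection structs, the walk_action codes and the function names are assumptions standing in for the real collection API. It shows the shape of the fix that the -Wall warning is pointing at: parent starts as NULL, and a NULL parent is handled as "cur is the head" instead of being dereferenced.

```c
#include <stdio.h>
#include <stdlib.h>

/* Assumed stand-ins for the collection types; not the project's collection.h. */
struct item {
    int value;
    struct item *next;
};

struct collection {
    struct item *head;
    size_t count;
};

/* What a walk callback may ask for (assumed names). */
enum walk_action { WALK_KEEP, WALK_DELETE, WALK_STOP };
typedef enum walk_action (*walk_cb)(const struct item *it, void *ctx);

/* Prepend an item; the most recently added item becomes the head. */
int collection_add(struct collection *col, int value)
{
    struct item *it = calloc(1, sizeof(*it));
    if (it == NULL) return -1;
    it->value = value;
    it->next = col->head;
    col->head = it;
    col->count++;
    return 0;
}

/* Walk every item, deleting those the callback rejects; returns the
 * number deleted.  The hazard from the thread: declare `parent` with no
 * initialiser and write `parent->next = next` on every delete, and
 * deleting the head dereferences stack garbage.  Starting parent at
 * NULL and treating NULL as "cur is the head" is the fix. */
size_t collection_walk(struct collection *col, walk_cb cb, void *ctx)
{
    struct item *parent = NULL;             /* NULL: cur is the head */
    struct item *cur = col->head;
    size_t deleted = 0;

    while (cur != NULL) {
        struct item *next = cur->next;      /* saved before cur may be freed */
        enum walk_action act = cb(cur, ctx);

        if (act == WALK_DELETE) {
            if (parent == NULL)
                col->head = next;           /* unlink the head */
            else
                parent->next = next;        /* unlink an inner item */
            free(cur);
            col->count--;
            deleted++;
            /* parent is unchanged: next now follows it */
        } else {
            parent = cur;
            if (act == WALK_STOP)
                break;
        }
        cur = next;
    }
    return deleted;
}

void collection_free(struct collection *col)
{
    while (col->head != NULL) {
        struct item *next = col->head->next;
        free(col->head);
        col->head = next;
    }
    col->count = 0;
}

/* Callback: drop every item whose value is negative. */
static enum walk_action drop_negative(const struct item *it, void *ctx)
{
    (void)ctx;
    return it->value < 0 ? WALK_DELETE : WALK_KEEP;
}

/* Collection is -3 -> 2 -> 1: the head has no parent and must go.
 * Returns how many items remain (expected: 2). */
size_t demo_delete_head(void)
{
    struct collection col = { NULL, 0 };
    collection_add(&col, 1);
    collection_add(&col, 2);
    collection_add(&col, -3);               /* becomes the head */
    collection_walk(&col, drop_negative, NULL);
    size_t remaining = col.count;
    collection_free(&col);
    return remaining;
}

/* Every item is deleted, so the head case is hit three times in a row.
 * Returns how many items were deleted (expected: 3). */
size_t demo_delete_all(void)
{
    struct collection col = { NULL, 0 };
    collection_add(&col, -1);
    collection_add(&col, -2);
    collection_add(&col, -3);
    size_t deleted = collection_walk(&col, drop_negative, NULL);
    collection_free(&col);                  /* already empty; harmless */
    return deleted;
}
```

Compile it with -Wall: the variant in which `parent` is declared without an initialiser and the delete branch writes through it unconditionally produces exactly the "may be used uninitialized" warning quoted in the thread, and that warning is a crash waiting for the first caller that deletes the head, not noise to be silenced.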
From: dpal at redhat.com (Dmitri Pal) Date: Mon, 06 Apr 2009 15:57:01 -0400 Subject: [Freeipa-devel] [PATCHES] Some fixes for the Collection and INI parser In-Reply-To: <49DA5B2E.6090103@redhat.com> References: <49DA5B2E.6090103@redhat.com> Message-ID: <49DA5E8D.4040000@redhat.com>

ack.

Stephen Gallagher wrote:
> 0001, 0002: Fixed whitespace issues with Dmitri's original patch. No
> other changes.
>
> 0003: INI parser wasn't being built (missing from the configure.ac),
> README needed work. Add -Wall to the compile flags.
>
> 0004: Fix a lot of warnings.
>
> BEFORE 0004:
> In file included from collection.c:32:
> collection.h:116:1: warning: "/*" within comment
> collection.h:148:1: warning: "/*" within comment
> collection.c: In function ‘update_current_item’:
> collection.c:737: warning: unused variable ‘error’
> collection.c: In function ‘get_reference_from_item’:
> collection.c:1471: warning: unused variable ‘error’
> collection.c: In function ‘modify_item’:
> collection.c:1881: warning: unused variable ‘error’
> collection.c: In function ‘grow_stack’:
> collection.c:2057: warning: unused variable ‘error’
> collection.c: In function ‘walk_items’:
> collection.c:565: warning: ‘parent’ may be used uninitialized in this
> function
> collection.c: In function ‘add_property’:
> collection.c:306: warning: ‘item’ may be used uninitialized in this function
> In file included from collection_tools.c:28:
> collection.h:116:1: warning: "/*" within comment
> collection.h:148:1: warning: "/*" within comment
> collection_tools.c: In function ‘put_marker’:
> collection_tools.c:308: warning: implicit declaration of function ‘memcpy’
> collection_tools.c:308: warning: incompatible implicit declaration of
> built-in function ‘memcpy’
> In file included from collection_ut.c:28:
> collection.h:116:1: warning: "/*" within comment
> collection.h:148:1: warning: "/*" within comment
> collection_ut.c: In function ‘ref_collection_test’:
> collection_ut.c:37: warning: unused variable ‘found’
> collection_ut.c: In function ‘add_collection_test’:
> collection_ut.c:172: warning: unused variable ‘found’
> collection_ut.c: In function ‘mixed_collection_test’:
> collection_ut.c:440: warning: implicit declaration of function
> ‘print_collection2’
> collection_ut.c:526: warning: pointer targets in passing argument 2 of
> ‘get_collection_class’ differ in signedness
> collection_ut.c:230: warning: unused variable ‘packet’
> In file included from ini_config.c:35:
> ../collection/collection.h:116:1: warning: "/*" within comment
> ../collection/collection.h:148:1: warning: "/*" within comment
> In file included from ../collection/collection_tools.h:27,
> from ini_config.c:36:
> ../collection/collection.h:116:1: warning: "/*" within comment
> ../collection/collection.h:148:1: warning: "/*" within comment
> In file included from ini_config.c:38:
> ini_config.h:110:1: warning: "/*" within comment
> ini_config.c: In function ‘ini_to_collection’:
> ini_config.c:169: warning: implicit declaration of function ‘read_line’
> ini_config.c:140: warning: unused variable ‘type’
> ini_config.c: In function ‘config_for_app’:
> ini_config.c:352: warning: unused variable ‘error_file_set’
> ini_config.c: In function ‘read_line’:
> ini_config.c:491: warning: unused variable ‘status’
> ini_config.c: In function ‘print_file_parsing_errors’:
> ini_config.c:684: warning: pointer targets in passing argument 2 of
> ‘get_collection_count’ differ in signedness
> ini_config.c:642: warning: unused variable ‘header’
> ini_config.c: In function ‘get_config_item’:
> ini_config.c:799: warning: statement with no effect
> ini_config.c: In function ‘get_string_config_array’:
> ini_config.c:1123: warning: implicit declaration of function ‘strnlen’
> ini_config.c:1100: warning: unused variable ‘total’
> In file included from ini_config.h:27,
> from ini_config_ut.c:25:
> ../collection/collection.h:116:1: warning: "/*" within comment
> ../collection/collection.h:148:1: warning: "/*" within comment
> In file included from ini_config_ut.c:25:
> ini_config.h:110:1: warning: "/*" within comment
> In file included from ../collection/collection_tools.h:27,
> from ini_config_ut.c:27:
> ../collection/collection.h:116:1: warning: "/*" within comment
> ../collection/collection.h:148:1: warning: "/*" within comment
> ini_config_ut.c: In function ‘negative_test’:
> ini_config_ut.c:120: warning: pointer targets in passing argument 2 of
> ‘get_collection_count’ differ in signedness
> ini_config_ut.c:89: warning: unused variable ‘error_set’
> ini_config_ut.c: In function ‘get_test’:
> ini_config_ut.c:337: warning: implicit declaration of function ‘free’
> ini_config_ut.c:337: warning: incompatible implicit declaration of
> built-in function ‘free’
> ini_config_ut.c:452: warning: format ‘%d’ expects type ‘int’, but
> argument 2 has type ‘long int’
> ini_config_ut.c:492: warning: format ‘%d’ expects type ‘int’, but
> argument 2 has type ‘long unsigned int’
> ini_config_ut.c:512: warning: format ‘%d’ expects type ‘int’, but
> argument 2 has type ‘double’
> ini_config_ut.c:678: warning: format ‘%d’ expects type ‘int’, but
> argument 2 has type ‘long int’
> ini_config_ut.c:214: warning: unused variable ‘type’
> ini_config_ut.c:212: warning: unused variable ‘iterator’
>
> AFTER 0004:
> collection.c: In function ‘walk_items’:
> collection.c:565: warning: ‘parent’ may be used uninitialized in this
> function
>
> The remaining warning is a real bug which Dmitri will fix soon. It's a
> rare case that will cause a segfault if a program is trying to walk
> through a complete collection, performing deletes and the first entry
> (which has no parent) needs to be deleted.
> > > I am going to ack the first two patches (with the whitespace > corrections), but I'm not going to push them until someone (preferably > Dmitri) reviews my two follow-on patches. > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Mon Apr 6 20:02:42 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 06 Apr 2009 16:02:42 -0400 Subject: [Freeipa-devel] Collection API first commit In-Reply-To: <49D6AFD0.2010606@redhat.com> References: <49D6AFD0.2010606@redhat.com> Message-ID: <49DA5FE2.2030609@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dmitri Pal wrote: > This is the first official patch with collection API. > All the details about API are in the collection.h > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Ack and pushed to master (with whitespace cleanup) - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAknaX9wACgkQeiVVYja6o6P2PACcD0Q/sdhfppy9Qaq0RwahuQXd gr8Aniqf0JspHKQQSwaH6jVJNzKF4o+V =I2HK -----END PGP SIGNATURE----- From sgallagh at redhat.com Mon Apr 6 20:02:56 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 06 Apr 2009 16:02:56 -0400 Subject: [Freeipa-devel] ini interface as promised In-Reply-To: <49D96E8A.2020209@redhat.com> References: <49D96E8A.2020209@redhat.com> Message-ID: <49DA5FF0.8030005@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dmitri Pal wrote: > Please find attached the first pass at the INI interface. > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Ack and pushed to master (with whitespace cleanup) - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAknaX/AACgkQeiVVYja6o6PblwCgkYZ1objzqm5uGA3e7nnaIHAu cQMAniOtvq9UBpU4kXUs/N6cBBVnPSNf =FvJR -----END PGP SIGNATURE----- From sgallagh at redhat.com Mon Apr 6 20:03:39 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 06 Apr 2009 16:03:39 -0400 Subject: [Freeipa-devel] [PATCHES] Some fixes for the Collection and INI parser In-Reply-To: <49DA5E8D.4040000@redhat.com> References: <49DA5B2E.6090103@redhat.com> <49DA5E8D.4040000@redhat.com> Message-ID: <49DA601B.6080509@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Dmitri Pal wrote:
> ack.
>
> Stephen Gallagher wrote:
>> 0001, 0002: Fixed whitespace issues with Dmitri's original patch. No
>> other changes.
>>
>> 0003: INI parser wasn't being built (missing from the configure.ac),
>> README needed work. Add -Wall to the compile flags.
>>
>> 0004: Fix a lot of warnings.
>>
>> BEFORE 0004:
>> In file included from collection.c:32:
>> collection.h:116:1: warning: "/*" within comment
>> collection.h:148:1: warning: "/*" within comment
>> collection.c: In function ‘update_current_item’:
>> collection.c:737: warning: unused variable ‘error’
>> collection.c: In function ‘get_reference_from_item’:
>> collection.c:1471: warning: unused variable ‘error’
>> collection.c: In function ‘modify_item’:
>> collection.c:1881: warning: unused variable ‘error’
>> collection.c: In function ‘grow_stack’:
>> collection.c:2057: warning: unused variable ‘error’
>> collection.c: In function ‘walk_items’:
>> collection.c:565: warning: ‘parent’ may be used uninitialized in this
>> function
>> collection.c: In function ‘add_property’:
>> collection.c:306: warning: ‘item’ may be used uninitialized in this
>> function
>> In file included from collection_tools.c:28:
>> collection.h:116:1: warning: "/*" within comment
>> collection.h:148:1: warning: "/*" within comment
>> collection_tools.c: In function ‘put_marker’:
>> collection_tools.c:308: warning: implicit declaration of function
>> ‘memcpy’
>> collection_tools.c:308: warning: incompatible implicit declaration of
>> built-in function ‘memcpy’
>> In file included from collection_ut.c:28:
>> collection.h:116:1: warning: "/*" within comment
>> collection.h:148:1: warning: "/*" within comment
>> collection_ut.c: In function ‘ref_collection_test’:
>> collection_ut.c:37: warning: unused variable ‘found’
>> collection_ut.c: In function ‘add_collection_test’:
>> collection_ut.c:172: warning: unused variable ‘found’
>> collection_ut.c: In function ‘mixed_collection_test’:
>> collection_ut.c:440: warning: implicit declaration of function
>> ‘print_collection2’
>> collection_ut.c:526: warning: pointer targets in passing argument 2 of
>> ‘get_collection_class’ differ in signedness
>> collection_ut.c:230: warning: unused variable ‘packet’
>> In file included from ini_config.c:35:
>> ../collection/collection.h:116:1: warning: "/*" within comment
>> ../collection/collection.h:148:1: warning: "/*" within comment
>> In file included from ../collection/collection_tools.h:27,
>> from ini_config.c:36:
>> ../collection/collection.h:116:1: warning: "/*" within comment
>> ../collection/collection.h:148:1: warning: "/*" within comment
>> In file included from ini_config.c:38:
>> ini_config.h:110:1: warning: "/*" within comment
>> ini_config.c: In function ‘ini_to_collection’:
>> ini_config.c:169: warning: implicit declaration of function ‘read_line’
>> ini_config.c:140: warning: unused variable ‘type’
>> ini_config.c: In function ‘config_for_app’:
>> ini_config.c:352: warning: unused variable ‘error_file_set’
>> ini_config.c: In function ‘read_line’:
>> ini_config.c:491: warning: unused variable ‘status’
>> ini_config.c: In function ‘print_file_parsing_errors’:
>> ini_config.c:684: warning: pointer targets in passing argument 2 of
>> ‘get_collection_count’ differ in signedness
>> ini_config.c:642: warning: unused variable ‘header’
>> ini_config.c: In function ‘get_config_item’:
>> ini_config.c:799: warning: statement with no effect
>> ini_config.c: In function ‘get_string_config_array’:
>> ini_config.c:1123: warning: implicit declaration of function ‘strnlen’
>> ini_config.c:1100: warning: unused variable ‘total’
>> In file included from ini_config.h:27,
>> from ini_config_ut.c:25:
>> ../collection/collection.h:116:1: warning: "/*" within comment
>> ../collection/collection.h:148:1: warning: "/*" within comment
>> In file included from ini_config_ut.c:25:
>> ini_config.h:110:1: warning: "/*" within comment
>> In file included from ../collection/collection_tools.h:27,
>> from ini_config_ut.c:27:
>> ../collection/collection.h:116:1: warning: "/*" within comment
>> ../collection/collection.h:148:1: warning: "/*" within comment
>> ini_config_ut.c: In function ‘negative_test’:
>> ini_config_ut.c:120: warning: pointer targets in passing argument 2 of
>> ‘get_collection_count’ differ in signedness
>> ini_config_ut.c:89: warning: unused variable ‘error_set’
>> ini_config_ut.c: In function ‘get_test’:
>> ini_config_ut.c:337: warning: implicit declaration of function ‘free’
>> ini_config_ut.c:337: warning: incompatible implicit declaration of
>> built-in function ‘free’
>> ini_config_ut.c:452: warning: format ‘%d’ expects type ‘int’, but
>> argument 2 has type ‘long int’
>> ini_config_ut.c:492: warning: format ‘%d’ expects type ‘int’, but
>> argument 2 has type ‘long unsigned int’
>> ini_config_ut.c:512: warning: format ‘%d’ expects type ‘int’, but
>> argument 2 has type ‘double’
>> ini_config_ut.c:678: warning: format ‘%d’ expects type ‘int’, but
>> argument 2 has type ‘long int’
>> ini_config_ut.c:214: warning: unused variable ‘type’
>> ini_config_ut.c:212: warning: unused variable ‘iterator’
>>
>> AFTER 0004:
>> collection.c: In function ‘walk_items’:
>> collection.c:565: warning: ‘parent’ may be used uninitialized in this
>> function
>>
>> The remaining warning is a real bug which Dmitri will fix soon. It's a
>> rare case that will cause a segfault if a program is trying to walk
>> through a complete collection, performing deletes and the first entry
>> (which has no parent) needs to be deleted.
>>
>> I am going to ack the first two patches (with the whitespace
>> corrections), but I'm not going to push them until someone (preferably
>> Dmitri) reviews my two follow-on patches.
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>

Pushed to master.

- -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAknaYBoACgkQeiVVYja6o6PgaQCdET87klHoOl7IhJuj3bX7MatC KkcAn1XeYD95Mf1CIlOaJCH+Q3SDJNeT =Scpn -----END PGP SIGNATURE----- From ssorce at redhat.com Mon Apr 6 20:14:18 2009
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 06 Apr 2009 16:14:18 -0400 Subject: [Freeipa-devel] [PATCHES] reorg of code continued Message-ID: <1239048858.32059.131.camel@localhost.localdomain>

Three patches to improve our internal interfaces.

Create a second authenticator module interface, so that identity and authenticator modules are 2 different things.

Load the authenticator module per domain based on configuration in the domain config entry.

Initial changes to the pam responder to cope with the changes.

Move the name parsing routines into the common responder code, and move pcre initialization into sss_process_init() with data hanging on the responder context; also add a config/names section where to configure name parsing rules.

All is tested and seems to work as it should. I've also added more configuration samples for the pam proxy stuff (tested with sudo, and that one works so far, i.e. pam->pam_sss->sssd_pam->proxy->pam_unix/pam_ldap).

Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Split-modules-types-in-Identity-and-Authenticator.patch Type: text/x-patch Size: 22137 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-Use-info-in-the-domain-entry-to-determine-action.patch Type: text/x-patch Size: 1393 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0003-Unify-name-parsing-and-reposnder-headers.patch Type: text/x-patch Size: 38503 bytes Desc: not available URL: From dmalcolm at redhat.com Mon Apr 6 20:35:28 2009
From: dmalcolm at redhat.com (David Malcolm) Date: Mon, 06 Apr 2009 16:35:28 -0400 Subject: [Freeipa-devel] Naming suggestion: InfoTank Message-ID: <1239050128.5951.88.camel@radiator.bos.redhat.com>

I'm just a lurker here, but "sssd" seems a rather unwieldy name for a component. "InfoTank" occurred to me as a name. AIUI it's the thing that the "InfoPipe" is plugged in to, but "tank" also has nice connotations about security (using the military interpretation of the word). Not sure it's better than "sssd" though.

Hope this is helpful

Dave

From ssorce at redhat.com Tue Apr 7 02:20:50 2009 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 06 Apr 2009 22:20:50 -0400 Subject: [Freeipa-devel] [PATCH] sssd: style and const fixes for common/ Message-ID: <1239070850.15257.6.camel@localhost.localdomain>

The recently pushed common/ code does not conform to sssd style guidelines.

The first patch addresses the style issue. Note: I gave authorship to Dmitri as these are just style fixes, and I don't want to snatch authorship of the code (man git-annotate if you don't know what I am talking about :)

The second patch fixes const warnings; it makes strings that the functions should not touch const. I strongly recommend this second patch as it is important from a public API to give guarantees to applications about what it is going to touch, and it keeps us honest too, avoiding touching strings that come from user applications by mistake.

Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Style-fixes-for-common.patch Type: text/x-patch Size: 256933 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-Fix-const-warnings.patch Type: text/x-patch Size: 47792 bytes Desc: not available URL: From sgallagh at redhat.com Tue Apr 7 12:31:41 2009
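The point Simo makes about const strings in a public API, as an added example that is not code from either patch: a field counter with a non-const signature that tokenises the caller's buffer in place, next to a const version that the compiler forces to work on a private copy. The function names and the sample config line are constructed for this illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Non-const signature: nothing stops the implementation from writing
 * into the caller's buffer, and strtok() does exactly that (it
 * overwrites each separator with a NUL). */
int count_fields_inplace(char *line, const char *sep)
{
    int n = 0;
    for (char *tok = strtok(line, sep); tok != NULL; tok = strtok(NULL, sep))
        n++;
    return n;
}

/* Const signature: passing `line` to strtok() no longer compiles, so
 * the implementation has to tokenise a copy and the caller's buffer is
 * guaranteed untouched.  Returns -1 on allocation failure. */
int count_fields_const(const char *line, const char *sep)
{
    size_t len = strlen(line) + 1;
    char *copy = malloc(len);
    if (copy == NULL)
        return -1;
    memcpy(copy, line, len);
    int n = 0;
    for (char *tok = strtok(copy, sep); tok != NULL; tok = strtok(NULL, sep))
        n++;
    free(copy);
    return n;
}

/* Constructed caller buffer, the kind of line an application might
 * hand to a config library. */
#define SAMPLE_LINE "user=alice,uid=1000,shell=/bin/sh"

/* Length the caller sees after the non-const call: strtok has written a
 * NUL over the first comma, so the buffer now reads "user=alice". */
size_t caller_len_after_inplace(void)
{
    char buf[] = SAMPLE_LINE;
    count_fields_inplace(buf, ",");
    return strlen(buf);
}

/* Length the caller sees after the const call: the whole line. */
size_t caller_len_after_const(void)
{
    char buf[] = SAMPLE_LINE;
    count_fields_const(buf, ",");
    return strlen(buf);
}
```

Both functions report three fields, which is why the in-place bug survives testing that only checks return values; the difference is in what the caller's buffer contains afterwards, and the const signature is what turns that silent corruption into a compile error.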
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 07 Apr 2009 08:31:41 -0400 Subject: [Freeipa-devel] [PATCH] sssd: style and const fixes for common/ In-Reply-To: <1239070850.15257.6.camel@localhost.localdomain> References: <1239070850.15257.6.camel@localhost.localdomain> Message-ID: <49DB47AD.3000408@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Simo Sorce wrote:
> The recently pushed common/ code does not conform to sssd style
> guidelines.
>
> The first patch addresses the style issue.
> Note: I gave authorship to Dmitri as these are just style fixes, and I
> don't want to snatch authorship of the code (man git-annotate if you
> don't know what I am talking about :)
>
> The second patch fixes const warnings, it makes strings that the
> functions should not touch const.
> I strongly recommend this second patch as it is important from a public
> API to give guarantees to applications about what it is going to touch
> and keeps us honest too, avoiding touching strings that come from user
> applications by mistake.
>
> Simo.
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Ack to both, but please fix the whitespace when you commit it.

- -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAknbR6oACgkQeiVVYja6o6MuuQCfc3VxL/BqiRaSBlHHE2063Hoc LVIAn3lAkXzw59PSUEHK0wlMi2VLjx+K =/s5C -----END PGP SIGNATURE----- From sgallagh at redhat.com Tue Apr 7 15:45:28 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 07 Apr 2009 11:45:28 -0400 Subject: [Freeipa-devel] [PATCHES] reorg of code continued In-Reply-To: <1239048858.32059.131.camel@localhost.localdomain> References: <1239048858.32059.131.camel@localhost.localdomain> Message-ID: <49DB7518.10407@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Simo Sorce wrote:
> Three patches to improve our internal interfaces.
>
> Create a second authenticator module interface, so that identity and
> authenticator modules are 2 different things.
>
> Load the authenticator module per domain based on configuration in the
> domain config entry.
>
> Initial changes to the pam responder to cope with the changes.
>
> Move the name parsing routines into the common responder code, and move
> pcre initialization into sss_process_init() with data hanging on the
> responder context; also add a config/names section where to configure
> name parsing rules.
>
> All is tested and seems to work as it should. I've also added more
> configuration samples for the pam proxy stuff (tested with sudo, and that
> one works so far, i.e. pam->pam_sss->sssd_pam->proxy->pam_unix/pam_ldap).
>
> Simo.
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

0001: Ack
0002: Ack
0003: Ack

- -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAknbdRIACgkQeiVVYja6o6NOQQCcC2oLzBltDCBEENpqt+gTRxOo s7sAoLAqq69cTqrXBvBWzwU9Cn3Q5J/7 =UsQ7 -----END PGP SIGNATURE----- From sgallagh at redhat.com Tue Apr 7 16:17:11 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 07 Apr 2009 12:17:11 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Clean up some compiler warnings Message-ID: <49DB7C87.5050300@redhat.com> Update configure to halt if pcre isn't available. Eliminate compiler warnings about unused variables and signed/unsigned mismatches. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Clean-up-warnings-in-SSSD.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From ssorce at redhat.com Tue Apr 7 18:30:21 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 07 Apr 2009 14:30:21 -0400 Subject: [Freeipa-devel] [PATCH] sssd: style and const fixes for common/ In-Reply-To: <49DB47AD.3000408@redhat.com> References: <1239070850.15257.6.camel@localhost.localdomain> <49DB47AD.3000408@redhat.com> Message-ID: <1239129021.26768.2.camel@localhost.localdomain>

On Tue, 2009-04-07 at 08:31 -0400, Stephen Gallagher wrote:
> Simo Sorce wrote:
> > The recently pushed common/ code does not conform to sssd style
> > guidelines.
> >
> > The first patch addresses the style issue.
> > Note: I gave authorship to Dmitri as these are just style fixes, and I
> > don't want to snatch authorship of the code (man git-annotate if you
> > don't know what I am talking about :)
> >
> > The second patch fixes const warnings, it makes strings that the
> > functions should not touch const.
> > I strongly recommend this second patch as it is important from a public
> > API to give guarantees to applications about what it is going to touch
> > and keeps us honest too, avoiding touching strings that come from user
> > applications by mistake.
>
> Ack to both, but please fix the whitespace when you commit it.

Pushed with one minor change in the first patch discussed on the phone.

Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Apr 7 18:30:58 2009
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 07 Apr 2009 14:30:58 -0400 Subject: [Freeipa-devel] [PATCHES] reorg of code continued In-Reply-To: <49DB7518.10407@redhat.com> References: <1239048858.32059.131.camel@localhost.localdomain> <49DB7518.10407@redhat.com> Message-ID: <1239129058.26768.3.camel@localhost.localdomain>

On Tue, 2009-04-07 at 11:45 -0400, Stephen Gallagher wrote:
> Simo Sorce wrote:
> > Three patches to improve our internal interfaces.
> >
> > Create a second authenticator module interface, so that identity and
> > authenticator modules are 2 different things.
> >
> > Load the authenticator module per domain based on configuration in the
> > domain config entry.
> >
> > Initial changes to the pam responder to cope with the changes.
> >
> > Move the name parsing routines into the common responder code, and move
> > pcre initialization into sss_process_init() with data hanging on the
> > responder context; also add a config/names section where to configure
> > name parsing rules.
> >
> > All is tested and seems to work as it should. I've also added more
> > configuration samples for the pam proxy stuff (tested with sudo, and that
> > one works so far, i.e. pam->pam_sss->sssd_pam->proxy->pam_unix/pam_ldap).
>
> 0001: Ack
>
> 0002: Ack
>
> 0003: Ack

pushed

Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Apr 7 18:41:15 2009 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 07 Apr 2009 14:41:15 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Clean up some compiler warnings In-Reply-To: <49DB7C87.5050300@redhat.com> References: <49DB7C87.5050300@redhat.com> Message-ID: <1239129675.26768.4.camel@localhost.localdomain>

On Tue, 2009-04-07 at 12:17 -0400, Stephen Gallagher wrote:
> Update configure to halt if pcre isn't available. Eliminate compiler
> warnings about unused variables and signed/unsigned mismatches.

Ack and pushed.

Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Wed Apr 8 00:59:14 2009
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 07 Apr 2009 20:59:14 -0400 Subject: [Freeipa-devel] [PATCH] use ordered lists of domains Message-ID: <1239152355.26768.5.camel@localhost.localdomain> See patch commit comment. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Change-the-way-we-retrieve-domains.patch Type: text/x-patch Size: 59584 bytes Desc: not available URL: From jderose at redhat.com Wed Apr 8 04:39:20 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Tue, 07 Apr 2009 22:39:20 -0600 Subject: [Freeipa-devel] [PATCH] catch GSS errors in the cli In-Reply-To: <49D651AE.7040905@redhat.com> References: <49D651AE.7040905@redhat.com> Message-ID: <1239165560.17459.2.camel@jgd-dsk>

On Fri, 2009-04-03 at 14:13 -0400, Rob Crittenden wrote:
> Catch and display GSS errors on the command-line.
>
> rob

nack. We should make a PublicError for this. The PublicError base class is translatable and can be gracefully returned in an RPC response.

Where is this GSSError being raised?

From jderose at redhat.com Wed Apr 8 04:48:57 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Tue, 07 Apr 2009 22:48:57 -0600 Subject: [Freeipa-devel] [PATCH] default values in host plugin In-Reply-To: <49D651D9.6070600@redhat.com> References: <49D651D9.6070600@redhat.com> Message-ID: <1239166137.17459.9.camel@jgd-dsk>

ack.

One Python style nitpick: you shouldn't import multiple packages/modules on the same line unless they're all from the same package (meaning you're using the "from" keyword). So:

    import sys
    import os
    import platform

Instead of:

    import sys, os, platform

But this would be okay:

    from platform import architecture, system, uname

From jderose at redhat.com Wed Apr 8 05:38:20 2009
From: jderose at redhat.com (Jason Gerard DeRose) Date: Tue, 07 Apr 2009 23:38:20 -0600 Subject: [Freeipa-devel] [PATCH] Use proper error for Kerberos and Network in cli In-Reply-To: <49D66F63.7030708@redhat.com> References: <49D66F63.7030708@redhat.com> Message-ID: <1239169100.17459.50.camel@jgd-dsk>

On Fri, 2009-04-03 at 16:19 -0400, Rob Crittenden wrote:
> This enhances the last patch adding an except for GSSAPI errors and also
> adds one for XML-RPC protocol errors.

nack. We should catch the ProtocolError at its source. Put this at the bottom of xmlclient.forward() (ipalib/rpc.py).

There are a lot of reasons to wrap exceptions in a PublicError, but one that I probably haven't documented is that it consolidates code and makes it simpler to write applications atop ipalib. If we add these exception handlers in cli.py, we also have to add the same to any other client built on ipalib. This especially doesn't work well with pluggability. We want applications built atop ipalib to only need to know about PublicError.

So for the record, I'm not just being a pain. ;)

From jderose at redhat.com Wed Apr 8 05:39:08 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Tue, 07 Apr 2009 23:39:08 -0600 Subject: [Freeipa-devel] [PATCH] configure right file in ipa-client In-Reply-To: <49D66F89.6000106@redhat.com> References: <49D66F89.6000106@redhat.com> Message-ID: <1239169148.17459.51.camel@jgd-dsk>

On Fri, 2009-04-03 at 16:20 -0400, Rob Crittenden wrote:
> The new ipa tool uses a different configuration file than the old ipa-*
> tools so create that file in ipa-client-install.

ack.

From sgallagh at redhat.com Wed Apr 8 11:57:59 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 08 Apr 2009 07:57:59 -0400 Subject: [Freeipa-devel] [PATCH] use ordered lists of domains In-Reply-To: <1239152355.26768.5.camel@localhost.localdomain> References: <1239152355.26768.5.camel@localhost.localdomain> Message-ID: <49DC9147.5050609@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Simo Sorce wrote: > See patch commit comment. > > Simo. > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Ack - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAknckUMACgkQeiVVYja6o6N+GQCgls/Bx3Y4S/qeISSXtT1iIVeW ZnIAn0WmoClV3qtL1aubTxuHHmzlqYDf =NXs+ -----END PGP SIGNATURE----- From sgallagh at redhat.com Wed Apr 8 12:13:04 2009 
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 08 Apr 2009 08:13:04 -0400
Subject: [Freeipa-devel] [PATCH] use ordered lists of domains
In-Reply-To: <1239152355.26768.5.camel@localhost.localdomain>
References: <1239152355.26768.5.camel@localhost.localdomain>
Message-ID: <49DC94D0.3050808@redhat.com>

Simo Sorce wrote:
> See patch commit comment.
>
> Simo.

I take back my "ack".

Please update config.ldif with examples.

--
Stephen Gallagher

From rcritten at redhat.com Wed Apr 8 13:09:08 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 08 Apr 2009 09:09:08 -0400
Subject: [Freeipa-devel] [PATCH] catch GSS errors in the cli
In-Reply-To: <1239165560.17459.2.camel@jgd-dsk>
References: <49D651AE.7040905@redhat.com> <1239165560.17459.2.camel@jgd-dsk>
Message-ID: <49DCA1F4.1030200@redhat.com>

Jason Gerard DeRose wrote:
> On Fri, 2009-04-03 at 14:13 -0400, Rob Crittenden wrote:
>> Catch and display GSS errors on the command-line.
>>
>> rob
>
> nack. We should make a PublicError for this. The PublicError base
> class is translatable and can be gracefully returned in an RPC response.
>
> Where is this GSSError being raised?

The traceback looks like this, so perhaps catching it in forward like the xmlrpclib errors is the place to go.

% ipa user-show admin
ipa: ERROR: GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Decrypt integrity check failed', -1765328353))
Traceback (most recent call last):
  File "/usr/lib/python2.5/site-packages/ipalib/cli.py", line 660, in run
    api.Backend.cli.run(argv)
  File "/usr/lib/python2.5/site-packages/ipalib/cli.py", line 547, in run
    result = self.execute(name, **kw)
  File "/usr/lib/python2.5/site-packages/ipalib/backend.py", line 110, in execute
    result = self.Command[_name](*args, **options)
  File "/usr/lib/python2.5/site-packages/ipalib/plugable.py", line 408, in __call__
    return self['__call__'](*args, **kw)
  File "/usr/lib/python2.5/site-packages/ipalib/frontend.py", line 109, in __call__
    result = self.run(*args, **options)
  File "/usr/lib/python2.5/site-packages/ipalib/frontend.py", line 309, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.5/site-packages/ipalib/frontend.py", line 330, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.5/site-packages/ipalib/rpc.py", line 376, in forward
    response = command(*xml_wrap(params))
  File "/usr/lib/python2.5/xmlrpclib.py", line 1150, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib/python2.5/xmlrpclib.py", line 1440, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.5/xmlrpclib.py", line 1179, in request
    h = self.make_connection(host)
  File "/usr/lib/python2.5/site-packages/ipalib/rpc.py", line 185, in make_connection
    host, extra_headers, x509 = self.get_host_info(host)
  File "/usr/lib/python2.5/site-packages/ipalib/rpc.py", line 328, in get_host_info
    raise e
GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Decrypt integrity check failed', -1765328353))
ipa: ERROR: an internal error has occured

From ssorce at redhat.com Wed Apr 8 14:58:38 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 08 Apr 2009 10:58:38 -0400
Subject: [Freeipa-devel] [PATCH] use ordered lists of domains
In-Reply-To: <49DC94D0.3050808@redhat.com>
References: <1239152355.26768.5.camel@localhost.localdomain> <49DC94D0.3050808@redhat.com>
Message-ID: <1239202718.26768.17.camel@localhost.localdomain>

On Wed, 2009-04-08 at 08:13 -0400, Stephen Gallagher wrote:
> Simo Sorce wrote:
> > See patch commit comment.
> I take back my "ack".
>
> Please update config.ldif with examples.

Ok, fixed the example configuration and pushed.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Wed Apr 8 16:46:02 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 08 Apr 2009 12:46:02 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Fix SBUS handling of unknown messages
Message-ID: <49DCD4CA.4010704@redhat.com>

This was missed when we moved away from using the message_handler for sending replies (in order to support async processing).

In order to properly notify the client on the other end of the connection that a method is not known, we need to actually send the reply.

(This is a trivial change, but it's more than one line, so sending it for review)

--
Stephen Gallagher

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Fix-SBUS-handling-of-unknown-messages.patch

From ssorce at redhat.com Wed Apr 8 17:39:14 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 08 Apr 2009 13:39:14 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Fix SBUS handling of unknown messages
In-Reply-To: <49DCD4CA.4010704@redhat.com>
References: <49DCD4CA.4010704@redhat.com>
Message-ID: <1239212354.26768.18.camel@localhost.localdomain>

On Wed, 2009-04-08 at 12:46 -0400, Stephen Gallagher wrote:
> This was missed when we moved away from using the message_handler
> for sending replies (in order to support async processing).
>
> In order to properly notify the client on the other end of the
> connection that a method is not known, we need to actually send the
> reply.
>
> (This is a trivial change, but it's more than one line, so sending it
> for review)

Looks fine,
ack!

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Wed Apr 8 18:58:16 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 08 Apr 2009 14:58:16 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Fix SBUS handling of unknown messages
In-Reply-To: <1239212354.26768.18.camel@localhost.localdomain>
References: <49DCD4CA.4010704@redhat.com> <1239212354.26768.18.camel@localhost.localdomain>
Message-ID: <49DCF3C8.2010000@redhat.com>

Simo Sorce wrote:
> On Wed, 2009-04-08 at 12:46 -0400, Stephen Gallagher wrote:
>> This was missed when we moved away from using the message_handler
>> for sending replies (in order to support async processing).
>>
>> In order to properly notify the client on the other end of the
>> connection that a method is not known, we need to actually send the
>> reply.
>>
>> (This is a trivial change, but it's more than one line, so sending it
>> for review)
>
> Looks fine,
> ack!
>
> Simo.

Pushed to master.

--
Stephen Gallagher

From sgallagh at redhat.com Wed Apr 8 19:05:59 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 08 Apr 2009 15:05:59 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Fix missing entry from first-start config
Message-ID: <49DCF597.9040001@redhat.com>

Since we switched to allowing domains to be configured but inactive, we need to include the default set (just LOCAL) into the first-start config.

Pushed under one-liner rule.

--
Stephen Gallagher

From sgallagh at redhat.com Wed Apr 8 19:06:37 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 08 Apr 2009 15:06:37 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Fix missing entry from first-start config
In-Reply-To: <49DCF597.9040001@redhat.com>
References: <49DCF597.9040001@redhat.com>
Message-ID: <49DCF5BD.5090504@redhat.com>

Stephen Gallagher wrote:
> Since we switched to allowing domains to be configured but
> inactive, we need to include the default set (just LOCAL) into
> the first-start config.
>
> Pushed under one-liner rule.

Forgot to attach the patch...

--
Stephen Gallagher

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Fix-missing-entry-from-first-start-config.patch

From sgallagh at redhat.com Wed Apr 8 21:17:08 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 08 Apr 2009 17:17:08 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Monitor configuration changes
Message-ID: <49DD1454.2080304@redhat.com>

First set of changes to the monitor to support live configuration reloads.

Patch 0001: Change the build system so that the monitor's service pipe is fixed at compile-time.

Patch 0002: Enable the monitor to handle SIGHUP to start, stop and update running children without always restarting them. Note, configuration changes where the binary path or provider type has changed will still necessitate a child process restart.

The monitor will signal the children through the SBUS to shut down gracefully, but if they do not yet implement it or are unable to do so within the specified timeout, the monitor will kill them with a POSIX signal. Whenever the monitor's configuration changes, it will send a message to all registered children to reread their configuration as well. At the moment it doesn't care whether they succeed at this or not (TODO)

--
Stephen Gallagher

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Make-the-monitor-address-a-compile-time-option.patch
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0002-Redesign-the-the-monitor-s-configuration-to-enable-l.patch

From dpal at redhat.com Wed Apr 8 21:35:58 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 08 Apr 2009 17:35:58 -0400
Subject: [Freeipa-devel] fixes to regressions in INI code and some improvements based on review
Message-ID: <49DD18BE.5040902@redhat.com>

a) Removed ifdef code that was supposed to be used by conditional build and left only one option
b) Created two different functions for returning string from config
c) Fixed warning in collection.c
d) Added some const definitions where it makes sense.
e) Added function to parse array of doubles from the INI file.
f) Re-ran the tests, found problems and addressed them

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-INI-component.-Fixed-couple-issues-introduced-by-cle.patch
Type: text/x-patch
Size: 19578 bytes

From ssorce at redhat.com Thu Apr 9 00:06:10 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 08 Apr 2009 20:06:10 -0400
Subject: [Freeipa-devel] fixes to regressions in INI code and some improvements based on review
In-Reply-To: <49DD18BE.5040902@redhat.com>
References: <49DD18BE.5040902@redhat.com>
Message-ID: <1239235570.26768.25.camel@localhost.localdomain>

On Wed, 2009-04-08 at 17:35 -0400, Dmitri Pal wrote:
> + /* Advance to the next valid number */
> + for (str = endptr; *str; str++) {
> + if (isdigit(*str) || (*str == '-') || (*str == '+') ||
> + /* It is ok to do this since the string is null
> terminated */
> + ((*str == '.') && isdigit(str[1]))) break;

NACK, if you use strtod() then you are assuming the values in the configuration files are locale-dependent (whether this is a good idea is another matter).

In this case you can't simply check for '.' as that is not the separator in all locales, and would lead to different (wrong) behaviors in locales where it isn't.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Thu Apr 9 00:48:42 2009
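Review bot: the sign branches of the quoted advance loop accept a '-' or '+' even when nothing numeric follows it, while the '.' branch does check str[1]; on a value such as "1, - 2" the loop stops at the lone '-', the following strtod() consumes nothing and yields 0 with endptr == str, so the caller either records a spurious 0 or, if it restarts the scan from endptr, never advances. Suggest mirroring the '.' test, e.g. `((*str == '-' || *str == '+') && (isdigit(str[1]) || str[1] == '.'))`, and treating endptr == str after strtod() as "no number here". Style point on the same lines: `isdigit(*str)` on a plain char is undefined for negative values, so cast to `(unsigned char)` first.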
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 08 Apr 2009 20:48:42 -0400
Subject: [Freeipa-devel] [PATCH] fixes and corrections for locale
Message-ID: <49DD45EA.20101@redhat.com>

I am resubmitting the patch with an additional patch that corrects Simo's concerns.
a) do-while
b) checking for decimal point symbol.

I did not quite figure out how to create one patch instead of the original one and a correction to it. A hint will be appreciated. But I will not be available tomorrow so I did not want to block you.

I also checked the code for the type casting of "const char *" to "char *" in my recent patch and did not see a place that Simo was concerned about, so I do not know what to change if anything.

--
Thank you,
Dmitri Pal

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-INI-component.-Fixed-couple-issues-introduced-by-cle.patch
Type: text/x-patch
Size: 19578 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-INI.-Fixed-the-floating-point-conversion.-Changed-lo.patch
Type: text/x-patch
Size: 3084 bytes

From sgallagh at redhat.com Thu Apr 9 12:35:22 2009
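An added example, not code from the INI patches on this thread, of the locale-aware scan Simo's review asks for and this resubmission says it adopts: the decimal separator comes from localeconv() instead of a hard-coded '.', a sign only counts as the start of a number when a digit (or the separator) follows it, and the loop stops instead of re-scanning the same byte when strtod() consumes nothing. The function name ini_parse_doubles and the sample value string are assumptions of the example.

```c
#include <ctype.h>
#include <errno.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>

/* Separator the current LC_NUMERIC locale uses for the decimal point:
 * "." in the C locale, "," in e.g. de_DE.  strtod() honours this, so the
 * scanner below must look for the same character rather than a literal '.'. */
static char ini_decimal_point(void)
{
    const char *dp = localeconv()->decimal_point;
    return (dp != NULL && dp[0] != '\0') ? dp[0] : '.';
}

/* Does a token that strtod() can actually consume begin at s?
 * A sign is only a number start when a digit or "<sep><digit>" follows it. */
static int starts_number(const char *s, char dp)
{
    if (isdigit((unsigned char)s[0]))
        return 1;
    if (s[0] == dp && isdigit((unsigned char)s[1]))
        return 1;
    if ((s[0] == '-' || s[0] == '+') &&
        (isdigit((unsigned char)s[1]) ||
         (s[1] == dp && isdigit((unsigned char)s[2]))))
        return 1;
    return 0;
}

/* Parse every number in an INI value string into out (at most max entries).
 * Returns 0 and sets *count on success, -1 on out-of-range value or overflow
 * of the output array.  Any non-numeric bytes between numbers are skipped. */
int ini_parse_doubles(const char *value, double *out, size_t max, size_t *count)
{
    const char dp = ini_decimal_point();
    const char *str = value;
    size_t n = 0;

    *count = 0;
    while (*str) {
        /* advance to the next byte that can begin a number */
        while (*str && !starts_number(str, dp))
            str++;
        if (!*str)
            break;

        char *endptr;
        errno = 0;
        double d = strtod(str, &endptr);
        if (endptr == str) {
            /* starts_number() should prevent this, but never loop in place */
            str++;
            continue;
        }
        if (errno == ERANGE)
            return -1;
        if (n == max)
            return -1;
        out[n++] = d;
        str = endptr;
    }
    *count = n;
    return 0;
}

int main(void)
{
    /* constructed sample value, not taken from any real sssd config */
    const char *sample = "1.5, -2.25 ; +3 x 4e2";
    double vals[8];
    size_t n;

    if (ini_parse_doubles(sample, vals, 8, &n) != 0)
        return 1;
    for (size_t i = 0; i < n; i++)
        printf("%g\n", vals[i]);      /* prints 1.5 -2.25 3 400 in the C locale */
    return 0;
}
```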
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 09 Apr 2009 08:35:22 -0400
Subject: [Freeipa-devel] Re: Staging area
In-Reply-To: <49DD363E.9030203@redhat.com>
References: <49DD2946.7020806@redhat.com> <1239231497.26768.20.camel@localhost.localdomain> <49DD363E.9030203@redhat.com>
Message-ID: <49DDEB8A.2050002@redhat.com>

Dmitri Pal wrote:
> Simo Sorce wrote:
>> On Wed, 2009-04-08 at 18:46 -0400, Dmitri Pal wrote:
>>
>>> I put together this script.
>>> We were talking about putting the results of the libs and includes
>>> from common area to some staging area.
>>> I picked ./common/lib and ./common/include.
>>> Is it Ok?
>>
>> Not sure what we should use this script for?
>> If it is part of a build process then no, we don't want to use custom
>> scripts but the proper autotools magic methinks.
>>
>> Simo.
>
> I do not know what the proper autotool magic is and frankly speaking
> I do not want to figure it out. At least now.
> The idea was to extract header files and libs into some common place as
> a result of the build of the common components.
> I suggest that we settle on the common/lib and common/include. We need
> to agree on this because Steve needs to use these paths in the make
> files that take advantage of the INI and I need to use
> these paths in the ELAPI that I am starting to move into the code tree.
> This script is a temp solution at least for me to populate the common
> areas so that they can be referenced.
> What is the right way of doing the same thing using autotools I do not know.

See my attached patch. To get output identical to your script, run:

autoreconf
./configure --enable-static --disable-shared --prefix=`pwd`
make all install

Also, I switched you back to using libtool (Simo, don't cringe) because you can switch between static and shared library builds simply by changing the configure arguments (I'm sure you can figure it out from the above command) or build both at the same time.

--
Stephen Gallagher

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Build-system-improvements-for-the-common-tools.patch

From ssorce at redhat.com Thu Apr 9 13:16:55 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 09 Apr 2009 09:16:55 -0400
Subject: [Freeipa-devel] [PATCH] Serialize access to domains/backends
Message-ID: <1239283015.26768.27.camel@localhost.localdomain>

Necessary for accessing domains in an ordered fashion so that precedence rules for name conflicts apply properly.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Serialize-requests-vs-backends.patch
Type: text/x-patch
Size: 62854 bytes

From sgallagh at redhat.com Thu Apr 9 18:26:15 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 09 Apr 2009 14:26:15 -0400
Subject: [Freeipa-devel] [PATCH] Serialize access to domains/backends
In-Reply-To: <1239283015.26768.27.camel@localhost.localdomain>
References: <1239283015.26768.27.camel@localhost.localdomain>
Message-ID: <49DE3DC7.3060906@redhat.com>

Simo Sorce wrote:
> Necessary for accessing domains in an ordered fashion so that precedence
> rules for name conflicts apply properly.
>
> Simo.

Ack

--
Stephen Gallagher

From ssorce at redhat.com Thu Apr 9 19:28:13 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 09 Apr 2009 15:28:13 -0400
Subject: [Freeipa-devel] [PATCH] fixes and corrections for locale
In-Reply-To: <49DD45EA.20101@redhat.com>
References: <49DD45EA.20101@redhat.com>
Message-ID: <1239305293.26768.37.camel@localhost.localdomain>

On Wed, 2009-04-08 at 20:48 -0400, Dmitri Pal wrote:
> I am resubmitting the patch with additional patch that corrects Simo
> concerns.
> a) do-while
> b) checking for decimal point symbol.
> I did not quite figure out how to create one patch instead of original
> one and a correction to it. Hint will be appreciated.

There are a couple of ways.

If the patch you want to change is the last one committed, you can add the --amend switch to git commit. This will add the changes you are committing to the last existing commit instead of creating a new one.

Another way is of course to git reset --soft HEAD^, so that you uncommit the previous commit, then make a new commit including all changes.

Another way is to 'squash' the second patch into the first doing a git rebase -i

> But I will not be available tomorrow so I did not want to block you.

Ok I'll merge these into a single patch and push them.

> I also checked code for the type casting of "const char *" to "char *"
> in my recent patch and did not see a place that Simo was concerned about
> so I do not know what to change if anything.

I'll check and fix them in the new merge patch and will push the fix together with the rest.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Apr 9 19:47:20 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 09 Apr 2009 15:47:20 -0400
Subject: [Freeipa-devel] [PATCH] fixes and corrections for locale
In-Reply-To: <49DD45EA.20101@redhat.com>
References: <49DD45EA.20101@redhat.com>
Message-ID: <1239306440.26768.39.camel@localhost.localdomain>

On Wed, 2009-04-08 at 20:48 -0400, Dmitri Pal wrote:
> I also checked code for the type casting of "const char *" to "char
> *"
> in my recent patch and did not see a place that Simo was concerned
> about
> so I do not know what to change if anything.

get_item_data() is declared as returning const void *

The attached patch (that I'd like to merge in the patches sent on this thread before pushing) turns all castings of get_item_data() from (char *) to (const char *)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Keep-const-values-as-const.patch
Type: text/x-patch
Size: 4845 bytes

From sgallagh at redhat.com Thu Apr 9 19:50:22 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 09 Apr 2009 15:50:22 -0400
Subject: [Freeipa-devel] [PATCH] fixes and corrections for locale
In-Reply-To: <1239306440.26768.39.camel@localhost.localdomain>
References: <49DD45EA.20101@redhat.com> <1239306440.26768.39.camel@localhost.localdomain>
Message-ID: <49DE517E.1080209@redhat.com>

Simo Sorce wrote:
> On Wed, 2009-04-08 at 20:48 -0400, Dmitri Pal wrote:
>> I also checked code for the type casting of "const char *" to "char
>> *"
>> in my recent patch and did not see a place that Simo was concerned
>> about
>> so I do not know what to change if anything.
>
> get_item_data() is declared as returning const void *
>
> The attached patch (that I'd like to merge in the patches sent on this
> thread before pushing) turns all castings of get_item_data() from (char
> *) to (const char *)
>
> Simo.

Ack

--
Stephen Gallagher

From ssorce at redhat.com Thu Apr 9 19:56:15 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 09 Apr 2009 15:56:15 -0400
Subject: [Freeipa-devel] [PATCH] fixes and corrections for locale
In-Reply-To: <49DE517E.1080209@redhat.com>
References: <49DD45EA.20101@redhat.com> <1239306440.26768.39.camel@localhost.localdomain> <49DE517E.1080209@redhat.com>
Message-ID: <1239306975.26768.40.camel@localhost.localdomain>

On Thu, 2009-04-09 at 15:50 -0400, Stephen Gallagher wrote:
>
> Ack

ok pushed all the patches in this thread as a single combined patch.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Thu Apr 9 19:56:27 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 09 Apr 2009 15:56:27 -0400
Subject: [Freeipa-devel] [PATCH] fixes and corrections for locale
In-Reply-To: <49DE517E.1080209@redhat.com>
References: <49DD45EA.20101@redhat.com> <1239306440.26768.39.camel@localhost.localdomain> <49DE517E.1080209@redhat.com>
Message-ID: <49DE52EB.7010502@redhat.com>

Stephen Gallagher wrote:
> Simo Sorce wrote:
>
>> On Wed, 2009-04-08 at 20:48 -0400, Dmitri Pal wrote:
>>
>>> I also checked code for the type casting of "const char *" to "char
>>> *"
>>> in my recent patch and did not see a place that Simo was concerned
>>> about
>>> so I do not know what to change if anything.
>>>
>> get_item_data() is declared as returning const void *
>>
>> The attached patch (that I'd like to merge in the patches sent on this
>> thread before pushing) turns all castings of get_item_data() from (char
>> *) to (const char *)
>>
>> Simo.
>
> Ack

nack - this data is void *, it is not always char *; it should be const void * but can't be const char *.

--
Thank you,
Dmitri Pal

From ssorce at redhat.com Thu Apr 9 19:56:34 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 09 Apr 2009 15:56:34 -0400
Subject: [Freeipa-devel] [PATCH] Serialize access to domains/backends
In-Reply-To: <49DE3DC7.3060906@redhat.com>
References: <1239283015.26768.27.camel@localhost.localdomain> <49DE3DC7.3060906@redhat.com>
Message-ID: <1239306994.26768.41.camel@localhost.localdomain>

On Thu, 2009-04-09 at 14:26 -0400, Stephen Gallagher wrote:
> Ack

Pushed

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Apr 9 20:43:02 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 09 Apr 2009 20:43:02 +0000
Subject: [Freeipa-devel] [PATCH][SSSD] Monitor configuration changes
In-Reply-To: <49DD1454.2080304@redhat.com>
References: <49DD1454.2080304@redhat.com>
Message-ID: <1239309782.26768.45.camel@localhost.localdomain>

On Wed, 2009-04-08 at 17:17 -0400, Stephen Gallagher wrote:
> First set of changes to the monitor to support live configuration
> reloads.
>
> Patch 0001: Change the build system so that the monitor's service pipe
> is fixed at compile-time.

ack and pushed

> Patch 0002: Enable the monitor to handle SIGHUP to start, stop and
> update running children without always restarting them. Note,
> configuration changes where the binary path or provider type has
> changed
> will still necessitate a child process restart.

nack, do not kill and free services in service_signal_reload()

The rest is fine (see minor nitpicking comments on IRC)

> The monitor will signal the children through the SBUS to shut down
> gracefully, but if they do not yet implement it or are unable to do so
> within the specified timeout, the monitor will kill them with a POSIX
> signal. Whenever the monitor's configuration changes, it will send a
> message to all registered children to reread their configuration as
> well. At the moment it doesn't care whether they succeed at this or
> not
> (TODO)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Fri Apr 10 15:19:41 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 10 Apr 2009 11:19:41 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Monitor configuration changes
In-Reply-To: <1239309782.26768.45.camel@localhost.localdomain>
References: <49DD1454.2080304@redhat.com> <1239309782.26768.45.camel@localhost.localdomain>
Message-ID: <49DF638D.6070107@redhat.com>

Simo Sorce wrote:
> On Wed, 2009-04-08 at 17:17 -0400, Stephen Gallagher wrote:
>> First set of changes to the monitor to support live configuration
>> reloads.
>>
>> Patch 0001: Change the build system so that the monitor's service pipe
>> is fixed at compile-time.
>
> ack and pushed
>
>> Patch 0002: Enable the monitor to handle SIGHUP to start, stop and
>> update running children without always restarting them. Note,
>> configuration changes where the binary path or provider type has
>> changed
>> will still necessitate a child process restart.
>
> nack, do not kill and free services in service_signal_reload()
>
> The rest is fine (see minor nitpicking comments on IRC)
>
>> The monitor will signal the children through the SBUS to shut down
>> gracefully, but if they do not yet implement it or are unable to do so
>> within the specified timeout, the monitor will kill them with a POSIX
>> signal. Whenever the monitor's configuration changes, it will send a
>> message to all registered children to reread their configuration as
>> well. At the moment it doesn't care whether they succeed at this or
>> not
>> (TODO)
>
> Simo.

Attaching two versions of this patch. Since the original was so large, I'm also attaching a diff of just the changes since code review. The smaller patch is not intended to go into the repo. It has been merged into the larger patch.

--
Stephen Gallagher

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Fixes-requested-during-code-review.patch
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Redesign-the-the-monitor-s-configuration-to-enable-l.patch

From sgallagh at redhat.com Fri Apr 10 15:30:37 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 10 Apr 2009 11:30:37 -0400
Subject: [Freeipa-devel] [Fwd: Final Development Freeze Coming!!]
Message-ID: <49DF661D.5030405@redhat.com>

Just a reminder, this will affect the SSSD significantly. The build for our Test Day will have to be coming from whatever's in Rawhide at midnight EDT. I'm working this weekend to try and finish up the INI file configuration. I will need somebody to do a review on Sunday so I can make any final corrections on Monday so we can get a Koji build run in time.

--
Stephen Gallagher

-------------- next part --------------
An embedded message was scrubbed...
From: Jesse Keating
Subject: Final Development Freeze Coming!!
Date: Fri, 10 Apr 2009 08:26:57 -0700
Size: 5388

From dpal at redhat.com Fri Apr 10 15:32:38 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 10 Apr 2009 11:32:38 -0400
Subject: [Freeipa-devel] [PATCH] Added functions to return sections and attributes as lists of str.
Message-ID: <49DF6696.3030804@redhat.com>

Addressed https://fedorahosted.org/sssd/ticket/18

--
Thank you,
Dmitri Pal

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Added-functions-to-create-list-of-sections-and-attri.patch
Type: text/x-patch
Size: 14769 bytes

From dpal at redhat.com Fri Apr 10 15:42:18 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 10 Apr 2009 11:42:18 -0400
Subject: [Freeipa-devel] [PATCH] Added functions to return sections and attributes as lists of str.
In-Reply-To: <49DF6696.3030804@redhat.com>
References: <49DF6696.3030804@redhat.com>
Message-ID: <49DF68DA.3030800@redhat.com>

Dmitri Pal wrote:
> Addressed https://fedorahosted.org/sssd/ticket/18

Found a typo in comment - resending.

--
Thank you,
Dmitri Pal

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Added-functions-to-create-list-of-sections-and-attri.patch
Type: text/x-patch
Size: 14770 bytes

From dpal at redhat.com Fri Apr 10 16:09:11 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 10 Apr 2009 12:09:11 -0400
Subject: [Freeipa-devel] [Fwd: Final Development Freeze Coming!!]
In-Reply-To: <49DF661D.5030405@redhat.com>
References: <49DF661D.5030405@redhat.com>
Message-ID: <49DF6F27.1000502@redhat.com>

Stephen Gallagher wrote:
> Just a reminder, this will affect the SSSD significantly. The build for
> our Test Day will have to be coming from whatever's in Rawhide at
> midnight EDT. I'm working this weekend to try and finish up the INI file
> configuration. I will need somebody to do a review on Sunday so I can
> make any final corrections on Monday so we can get a Koji build run in time.

I can give it a try. Just call me when you are ready.

> Subject: Final Development Freeze Coming!!
> From: Jesse Keating
> Date: Fri, 10 Apr 2009 08:26:57 -0700
> To: fedora-devel-announce at redhat.com
>
> The final devel freeze for Fedora 11 is this coming Tuesday. After that
> point, any changes will have to be explicitly approved as per
> the Final Freeze policy[1].
>
> Now would be a very very good time to check the Fedora 11 Blocker[2] and
> Tracker[3] bugs for things that involve your packages.
>
> There is only this week's snapshot, then the preview release before our
> final release. Let's work hard and together to make Fedora 11 awesome!
>
> It should be obvious, but /please/ avoid any risky change in your
> packages at this point, or any change that will affect large swaths of
> packages.
>
> [1]: https://fedoraproject.org/wiki/ReleaseEngineering/FinalFreezePolicy
> [2]: https://bugzilla.redhat.com/showdependencytree.cgi?id=F11Blocker&hide_resolved=1
> [3]: https://bugzilla.redhat.com/showdependencytree.cgi?id=F11Target&hide_resolved=1
>
> _______________________________________________
> Fedora-devel-announce mailing list
> Fedora-devel-announce at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-devel-announce

-- 
Thank you,
Dmitri Pal
Engineering Manager IPA project, Red Hat Inc.
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 10 Apr 2009 12:58:58 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Monitor configuration changes
In-Reply-To: <49DF638D.6070107@redhat.com>
References: <49DD1454.2080304@redhat.com> <1239309782.26768.45.camel@localhost.localdomain> <49DF638D.6070107@redhat.com>
Message-ID: <49DF7AD2.5040601@redhat.com>

Stephen Gallagher wrote:
> Simo Sorce wrote:
>> On Wed, 2009-04-08 at 17:17 -0400, Stephen Gallagher wrote:
>>> First set of changes to the monitor to support live configuration
>>> reloads.
>>>
>>> Patch 0001: Change the build system so that the monitor's service pipe
>>> is fixed at compile-time.
>> ack and pushed
>>
>>> Patch 0002: Enable the monitor to handle SIGHUP to start, stop and
>>> update running children without always restarting them. Note,
>>> configuration changes where the binary path or provider type has
>>> changed will still necessitate a child process restart.
>> nack, do not kill and free services in service_signal_reload()
>>
>> The rest is fine (see minor nitpicking comments on IRC)
>>
>>> The monitor will signal the children through the SBUS to shut down
>>> gracefully, but if they do not yet implement it or are unable to do so
>>> within the specified timeout, the monitor will kill them with a POSIX
>>> signal. Whenever the monitor's configuration changes, it will send a
>>> message to all registered children to reread their configuration as
>>> well. At the moment it doesn't care whether they succeed at this or
>>> not (TODO)
>>
>> Simo.
>
> Attaching two versions of this patch. Since the original was so large,
> I'm also attaching a diff of just the changes since code review. The
> smaller patch is not intended to go into the repo. It has been merged
> into the larger patch.

Two additional changes spotted during code review:

1) shutdown_reply() will now call monitor_kill_service if the impossible situation happens where the reply handler is called without a valid reply object.

2) The addition of the service destructor was fundamentally flawed. It has been fixed so that it will now DLIST_REMOVE() from svc->mt_ctx->svc_list instead of adding a new "first" attribute.

-- 
Stephen Gallagher
RHCE 804006346421761

Attachment: 0001-Redesign-the-the-monitor-s-configuration-to-enable-l.patch
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 10 Apr 2009 13:25:47 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Monitor configuration changes
In-Reply-To: <49DF7AD2.5040601@redhat.com>
References: <49DD1454.2080304@redhat.com> <1239309782.26768.45.camel@localhost.localdomain> <49DF638D.6070107@redhat.com> <49DF7AD2.5040601@redhat.com>
Message-ID: <49DF811B.7030202@redhat.com>

Stephen Gallagher wrote:
> Stephen Gallagher wrote:
>> Simo Sorce wrote:
>>> On Wed, 2009-04-08 at 17:17 -0400, Stephen Gallagher wrote:
>>>> First set of changes to the monitor to support live configuration
>>>> reloads.
>>>>
>>>> Patch 0001: Change the build system so that the monitor's service pipe
>>>> is fixed at compile-time.
>>> ack and pushed
>>>
>>>> Patch 0002: Enable the monitor to handle SIGHUP to start, stop and
>>>> update running children without always restarting them. Note,
>>>> configuration changes where the binary path or provider type has
>>>> changed will still necessitate a child process restart.
>>> nack, do not kill and free services in service_signal_reload()
>>>
>>> The rest is fine (see minor nitpicking comments on IRC)
>>>
>>>> The monitor will signal the children through the SBUS to shut down
>>>> gracefully, but if they do not yet implement it or are unable to do so
>>>> within the specified timeout, the monitor will kill them with a POSIX
>>>> signal. Whenever the monitor's configuration changes, it will send a
>>>> message to all registered children to reread their configuration as
>>>> well. At the moment it doesn't care whether they succeed at this or
>>>> not (TODO)
>>> Simo.
>>>
>> Attaching two versions of this patch. Since the original was so large,
>> I'm also attaching a diff of just the changes since code review. The
>> smaller patch is not intended to go into the repo. It has been merged
>> into the larger patch.
>
> Two additional changes spotted during code review:
> 1) shutdown_reply() will now call monitor_kill_service if the impossible
> situation happens where the reply handler is called without a valid
> reply object.
>
> 2) The addition of the service destructor was fundamentally flawed. It
> has been fixed so that it will now DLIST_REMOVE() from
> svc->mt_ctx->svc_list instead of adding a new "first" attribute.

Missed one other small fix. Changed return of delist_service to return 0 rather than EOK (for clarity).

-- 
Stephen Gallagher
RHCE 804006346421761

Attachment: 0001-Redesign-the-the-monitor-s-configuration-to-enable-l.patch
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 10 Apr 2009 13:44:11 -0400
Subject: [Freeipa-devel] [PATCH] Addressing issue with return error code
Message-ID: <49DF856B.5080501@redhat.com>

Addressed issue https://fedorahosted.org/sssd/ticket/17

The low level function now returns ENOENT if the file does not exist.
The high level convenience "best effort" function suppresses this error.

-- 
Thank you,
Dmitri Pal
Engineering Manager IPA project, Red Hat Inc.

Attachment: 0001-The-lower-level-function-now-returns-NOENT-if-file-i.patch (text/x-patch, 2691 bytes)

From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 10 Apr 2009 15:33:21 -0400
Subject: [Freeipa-devel] [PATCH] Added functions to return sections and attributes as lists of str.
In-Reply-To: <49DF68DA.3030800@redhat.com>
References: <49DF6696.3030804@redhat.com> <49DF68DA.3030800@redhat.com>
Message-ID: <1239392001.26768.55.camel@localhost.localdomain>

On Fri, 2009-04-10 at 11:42 -0400, Dmitri Pal wrote:
>> Addressed https://fedorahosted.org/sssd/ticket/18
> Found a typo in a comment - resending.

Nack,
in the patch there are reverts of stuff we committed yesterday (see ini_config.c)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 10 Apr 2009 15:37:42 -0400
Subject: [Freeipa-devel] [PATCH] Addressing issue with return error code
In-Reply-To: <49DF856B.5080501@redhat.com>
References: <49DF856B.5080501@redhat.com>
Message-ID: <1239392262.26768.56.camel@localhost.localdomain>

On Fri, 2009-04-10 at 13:44 -0400, Dmitri Pal wrote:
> Addressed issue https://fedorahosted.org/sssd/ticket/17
>
> The low level function now returns ENOENT if the file does not exist.
> The high level convenience "best effort" function suppresses this
> error.

Ack.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 10 Apr 2009 16:17:19 -0400
Subject: [Freeipa-devel] [PATCH] Added functions to return sections and attributes as lists of str.
In-Reply-To: <1239392001.26768.55.camel@localhost.localdomain>
References: <49DF6696.3030804@redhat.com> <49DF68DA.3030800@redhat.com> <1239392001.26768.55.camel@localhost.localdomain>
Message-ID: <49DFA94F.4040703@redhat.com>

Simo Sorce wrote:
> On Fri, 2009-04-10 at 11:42 -0400, Dmitri Pal wrote:
>>> Addressed https://fedorahosted.org/sssd/ticket/18
>> Found a typo in a comment - resending.
>
> Nack,
> in the patch there are reverts of stuff we committed yesterday (see
> ini_config.c)
>
> Simo.

Updated and re-submitting.

-- 
Thank you,
Dmitri Pal
Engineering Manager IPA project, Red Hat Inc.

Attachment: 0001-Added-functions-to-create-list-of-sections-and-attri.patch (text/x-patch, 10406 bytes)
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 10 Apr 2009 16:27:35 -0400
Subject: [Freeipa-devel] The proposed description of the INI file format
Message-ID: <49DFABB7.1070107@redhat.com>

Hi,

I was thinking about the INI file processing. In many cases there is a need to validate that the INI file is syntactically and structurally correct. Such checking would be very helpful when an admin changed the file manually or when the policy tries to merge/apply something.

The attached file is an attempt to create an example of the template file that will contain the rules (grammar) about the INI file. I think such kind of validation will be extremely helpful. On the other hand I was not planning to implement everything I propose in the first pass. This might be too much, but at least structural and type checking might be a very good start.

The file has a lot of comments and is written in INI format. This seems like re-inventing XML in a human readable and editable form. :-)

-- 
Thank you,
Dmitri Pal
Engineering Manager IPA project, Red Hat Inc.

Attachment: sssdcfg.tpl
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 10 Apr 2009 17:06:59 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Monitor configuration changes
In-Reply-To: <49DF811B.7030202@redhat.com>
References: <49DD1454.2080304@redhat.com> <1239309782.26768.45.camel@localhost.localdomain> <49DF638D.6070107@redhat.com> <49DF7AD2.5040601@redhat.com> <49DF811B.7030202@redhat.com>
Message-ID: <1239397619.26768.58.camel@localhost.localdomain>

On Fri, 2009-04-10 at 13:25 -0400, Stephen Gallagher wrote:
>> Two additional changes spotted during code review:
>> 1) shutdown_reply() will now call monitor_kill_service if the impossible
>> situation happens where the reply handler is called without a valid
>> reply object.
>>
>> 2) The addition of the service destructor was fundamentally flawed. It
>> has been fixed so that it will now DLIST_REMOVE() from
>> svc->mt_ctx->svc_list instead of adding a new "first" attribute.
>
> Missed one other small fix. Changed return of delist_service to return 0
> rather than EOK (for clarity).

ack and pushed.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 10 Apr 2009 17:07:22 -0400
Subject: [Freeipa-devel] [PATCH] Addressing issue with return error code
In-Reply-To: <1239392262.26768.56.camel@localhost.localdomain>
References: <49DF856B.5080501@redhat.com> <1239392262.26768.56.camel@localhost.localdomain>
Message-ID: <1239397642.26768.59.camel@localhost.localdomain>

On Fri, 2009-04-10 at 15:37 -0400, Simo Sorce wrote:
> On Fri, 2009-04-10 at 13:44 -0400, Dmitri Pal wrote:
>> Addressed issue https://fedorahosted.org/sssd/ticket/17
>>
>> The low level function now returns ENOENT if the file does not exist.
>> The high level convenience "best effort" function suppresses this
>> error.
>
> Ack.

pushed,
Simo

-- 
Simo Sorce * Red Hat, Inc * New York
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 10 Apr 2009 17:07:46 -0400
Subject: [Freeipa-devel] [PATCH] Added functions to return sections and attributes as lists of str.
In-Reply-To: <49DFA94F.4040703@redhat.com>
References: <49DF6696.3030804@redhat.com> <49DF68DA.3030800@redhat.com> <1239392001.26768.55.camel@localhost.localdomain> <49DFA94F.4040703@redhat.com>
Message-ID: <1239397666.26768.60.camel@localhost.localdomain>

On Fri, 2009-04-10 at 16:17 -0400, Dmitri Pal wrote:
> Simo Sorce wrote:
>> On Fri, 2009-04-10 at 11:42 -0400, Dmitri Pal wrote:
>>>> Addressed https://fedorahosted.org/sssd/ticket/18
>>> Found a typo in a comment - resending.
>>
>> Nack,
>> in the patch there are reverts of stuff we committed yesterday (see
>> ini_config.c)
>>
>> Simo.
>
> Updated and re-submitting.

ack and pushed

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 10 Apr 2009 17:15:41 -0400
Subject: [Freeipa-devel] The proposed description of the INI file format
In-Reply-To: <49DFABB7.1070107@redhat.com>
References: <49DFABB7.1070107@redhat.com>
Message-ID: <1239398141.26768.61.camel@localhost.localdomain>

On Fri, 2009-04-10 at 16:27 -0400, Dmitri Pal wrote:
> Hi,
>
> I was thinking about the INI file processing.
> In many cases there is a need to validate that the INI file is
> syntactically and structurally correct.
> Such checking would be very helpful when an admin changed the file
> manually or when the policy tries to merge/apply something.
> The attached file is an attempt to create an example of the template
> file that will contain the rules (grammar) about the INI file.
> I think such kind of validation will be extremely helpful.
> On the other hand I was not planning to implement everything I
> propose in the first pass.
> This might be too much but at least structural and type checking
> might be a very good start.
>
> The file has a lot of comments and is written in INI format.
> This seems like re-inventing XML in a human readable and editable
> form. :-)

Indeed :)
Looks reasonable to me.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From: ssorce at redhat.com (Simo Sorce)
Date: Sat, 11 Apr 2009 00:38:40 -0400
Subject: [Freeipa-devel] [PATCH] always pass as much info as possible
Message-ID: <1239424721.26768.64.camel@localhost.localdomain>

In some sysdb functions we were passing the domain name instead of the domain info structure. Fix all functions to use the full domain info.

Add a helper function to retrieve just one domain info structure given the domain name.

Add an option to not store passwords even if the remote backend offers them (enabled by default).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

Attachment: 0001-Always-pass-full-domain-info.patch (text/x-patch, 27088 bytes)
From: ssorce at redhat.com (Simo Sorce)
Date: Sat, 11 Apr 2009 04:43:15 +0000
Subject: [Freeipa-devel] [PATCH] Cache credentials as hashes
Message-ID: <1239424995.26768.69.camel@localhost.localdomain>

Add code in the pam responder to cache credentials on successful authentication and use the stored credentials if the backend returns that it can't fetch information (offline).

Tested with the proxy auth module and pam_ldap.

Seems to work. One issue is that it seems that pam_ldap doesn't take well the fact that the server may disappear. If one successful connection to the ldap server has been performed, it seems like pam_ldap will keep trying to use the same connection, eventually returning a PAM system error. If sssd is restarted when the ldap server is not available, pam_ldap will immediately give up any attempt to connect and cached credentials are used instead.

This makes using pam_ldap less than ideal in real deployments, but it is ok for testing of offline cached credentials capabilities.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

Attachment: 0002-Implement-credentials-caching-in-pam-responder.patch (text/x-patch, 40742 bytes)
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Sat, 11 Apr 2009 10:26:18 -0400
Subject: [Freeipa-devel] [PATCHES][SSSD] Convert to using INI configuration file for the SSSD
Message-ID: <49E0A88A.3020403@redhat.com>

See patch commit comments.

Please note, review of these patches is a high priority, as successful completion of this task must be achieved no later than 11:00 EDT on Monday in order to be included in the F11 Release Candidate and the SSSD Test Day.

-- 
Stephen Gallagher
RHCE 804006346421761

Attachment: 0001-Build-system-improvements-for-common-tools.patch
Attachment: 0002-Allow-configuration-of-the-SSSD-through-etc-sssd-ss.patch
Attachment: 0003-Update-RPM-build-for-configuration-changes.patch
From: mpcolino at gmail.com (Miguel P.C.)
Date: Sun, 12 Apr 2009 11:44:24 +0200
Subject: [Freeipa-devel] Let me introduce myself ... (working with sssd)
Message-ID: <1239529464.6415.9.camel@crow>

Hello everyone.
Hi Stephen, hi Simo.

My name is Miguel Pérez Colino and I'm currently working on my Master's Final Project, which is focused on FreeIPA and Ubuntu.

My background in systems administration is pretty good, but I can't say the same about my programming and packaging skills. (Although I packaged updated versions of NUT for RH9 some years ago.)

Right now, I'd like to start making an SSSD package for Ubuntu and I'm looking for the needed documentation to read (especially about the compilation/building part). Any advice will be really welcome.

Please, if I'm writing to the wrong list or asking for already written information, let me know. I really do not want to be impolite :-)

Thanks in advance.

M*
From: ssorce at redhat.com (Simo Sorce)
Date: Sun, 12 Apr 2009 13:11:02 +0000
Subject: [Freeipa-devel] [PATCHES][SSSD] Convert to using INI configuration file for the SSSD
In-Reply-To: <49E0A88A.3020403@redhat.com>
References: <49E0A88A.3020403@redhat.com>
Message-ID: <1239541863.1449.39.camel@localhost.localdomain>

On Sat, 2009-04-11 at 10:26 -0400, Stephen Gallagher wrote:
> See patch commit comments.
>
> Please note, review of these patches is a high priority, as
> successful completion of this task must be achieved no later than
> 11:00 EDT on Monday in order to be included in the F11 Release
> Candidate and the SSSD Test Day.

1st patch seems ok.

3rd patch is not ok: all configuration should be performed in the setup step, and building only in the build step. Running autoreconf and configure in the build step is not correct.

On the 2nd I have a few comments.

inotify:

1) we cannot simply do an if/or with inotify just because we found it in configure. Support for inotify depends on the filesystem used. So even if the kernel exposes the syscall we still don't know if inotify is going to be really available or not. If we fail to set up an inotify watch we should fall back to polling.

Please use a function like try_inotify(...) and ifdef it to contain real inotify code if we have the headers, or to immediately return if not, like:

    #ifdef HAVE_INOTIFY
    int try_inotify(...) {
        ...
    }
    #else
    int try_inotify(...) {
        return EINVAL;
    }
    #endif

and in the core code always call try_inotify() first and if EINVAL is returned fall back to polling.

2) inotify can return multiple events at the same time, so you should have a loop to read them.

3) you use read() without retrying in case you read less than the requested bytes. While a read() is unlikely to fail in this case, you never know if an interrupt will interrupt the call. So you should really check if you need to reread.

4) You should use ioctl() to make the inotify descriptor O_NONBLOCK, otherwise there is a risk of blocking on the call.

5) Are we sure we want to put the file monitoring functions in confdb? It seems to me the monitor's own code is the right place.

files:

1) *never* install sssd.conf, it would overwrite existing legit ones; let the rpm do it. (this is definitely a blocking issue for the patch)

2) please put the example sssd.conf under examples and at the same time remove the ldif examples we have there, as they are not necessary anymore. (besides, the example config file, as is, is not ok: you can't use /lib64 on a 32 bit machine, and we don't want to use the LOCAL compat mode by default upstream, it's only a migration mode)

server_setup():

I think we should confine the config file manipulation within monitor, so I would prefer not to pass the conf file to the general server_setup.

Let server_setup create the basic empty ldb if no ldb is found, but also let the monitor do all the file reading and initialization. We do not want to expose to all processes functions that can and should be performed only by monitor.

So move confdb_init_db() out of confdb_init() and call it from monitor as the first thing.

(This should also reduce the number of files touched by the patch)

If this is too much work for now, we can move it later, although it would be better to have it correct now.

This is more or less all I can see that would need fixing.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
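An added example (not SSSD code and not part of this thread) of the shape the inotify points above ask for: try_inotify() guarded by HAVE_INOTIFY with a stub that returns EINVAL, a nonblocking descriptor, a read loop that handles several events per read(), EINTR and a partially delivered record, and a polling fallback for when inotify is refused. It assumes Linux headers; all names other than try_inotify are my own, and inotify_init1(IN_NONBLOCK) stands in for the ioctl mentioned in the review.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#ifdef __linux__
#define HAVE_INOTIFY 1
#include <sys/inotify.h>
#endif

/* Called once per event; name is "" for events on the watched path itself. */
typedef void (*event_cb)(uint32_t mask, const char *name, void *pvt);
/* Small event tally, handy as a callback target (used by the tests). */
struct tally { int count; char last_name[256]; };

void tally_cb(uint32_t mask, const char *name, void *pvt)
{
    struct tally *t = pvt;
    (void)mask;
    t->count++;
    snprintf(t->last_name, sizeof(t->last_name), "%s", name);
}

#ifdef HAVE_INOTIFY
/* Walk packed struct inotify_event records: one read() can return several.
 * Returns the number of complete events dispatched; *consumed is the bytes
 * they occupied, so a partial trailing record is left for the next read(). */
size_t parse_inotify_events(const char *buf, size_t len, size_t *consumed,
                            event_cb cb, void *pvt)
{
    size_t off = 0, n = 0;
    struct inotify_event ev;
    while (len - off >= sizeof(ev)) {
        memcpy(&ev, buf + off, sizeof(ev));          /* may be unaligned */
        if (len - off < sizeof(ev) + ev.len) break;  /* name not all here */
        cb(ev.mask, ev.len ? buf + off + sizeof(ev) : "", pvt);
        off += sizeof(ev) + ev.len;
        n++;
    }
    *consumed = off;
    return n;
}

/* Nonblocking watch on path (IN_NONBLOCK instead of a separate fcntl/ioctl).
 * Returns 0 with the fd in *fd_out, or EINVAL when inotify is unusable on
 * this kernel or filesystem, so the core code falls back to polling. */
int try_inotify(const char *path, int *fd_out)
{
    int fd = inotify_init1(IN_NONBLOCK);
    if (fd < 0) return EINVAL;
    if (inotify_add_watch(fd, path, IN_MODIFY | IN_CREATE | IN_MOVED_TO) < 0) {
        close(fd);
        return EINVAL;
    }
    *fd_out = fd;
    return 0;
}

/* Drain everything queued: retry on EINTR, stop on EAGAIN (queue empty),
 * carry an incomplete record over.  Returns events dispatched, or -1. */
int drain_inotify(int fd, event_cb cb, void *pvt)
{
    char buf[4096];
    size_t have = 0, used;
    int total = 0;
    for (;;) {
        ssize_t r = read(fd, buf + have, sizeof(buf) - have);
        if (r < 0) {
            if (errno == EINTR) continue;
            if (errno == EAGAIN) break;
            return -1;
        }
        if (r == 0) break;
        have += (size_t)r;
        total += (int)parse_inotify_events(buf, have, &used, cb, pvt);
        memmove(buf, buf + used, have - used);
        have -= used;
    }
    return total;
}
#else
/* No inotify headers: the stub refuses, so the core code always polls. */
int try_inotify(const char *path, int *fd_out) { (void)path; (void)fd_out; return EINVAL; }
int drain_inotify(int fd, event_cb cb, void *pvt) { (void)fd; (void)cb; (void)pvt; return -1; }
#endif

/* Polling fallback for when try_inotify() returned EINVAL: 1 if the file's
 * mtime or size changed since *last (which is updated), 0 if not, -1 on error. */
int poll_file_changed(const char *path, struct stat *last)
{
    struct stat st;
    int changed;
    if (stat(path, &st) < 0) return -1;
    changed = st.st_mtime != last->st_mtime || st.st_size != last->st_size;
    *last = st;
    return changed;
}
```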
From: dpal at redhat.com (Dmitri Pal)
Date: Sun, 12 Apr 2009 17:43:52 -0400
Subject: [Freeipa-devel] [PATCHES][SSSD] Convert to using INI configuration file for the SSSD
In-Reply-To: <1239541863.1449.39.camel@localhost.localdomain>
References: <49E0A88A.3020403@redhat.com> <1239541863.1449.39.camel@localhost.localdomain>
Message-ID: <49E26098.80003@redhat.com>

Simo Sorce wrote:
> On Sat, 2009-04-11 at 10:26 -0400, Stephen Gallagher wrote:
>> See patch commit comments.
>>
>> Please note, review of these patches is a high priority, as
>> successful completion of this task must be achieved no later than
>> 11:00 EDT on Monday in order to be included in the F11 Release
>> Candidate and the SSSD Test Day.
>
> 1st patch seems ok.
>
> 3rd patch is not ok: all configuration should be performed in the setup
> step, and building only in the build step. Running autoreconf and
> configure in the build step is not correct.
>
> On the 2nd I have a few comments.
>
> inotify:
> 1) we cannot simply do an if/or with inotify just because we found it in
> configure. Support for inotify depends on the filesystem used. So even
> if the kernel exposes the syscall we still don't know if inotify is
> going to be really available or not. If we fail to set up an inotify
> watch we should fall back to polling.
>
> Please use a function like try_inotify(...) and ifdef it to contain real
> inotify code if we have the headers, or to immediately return if not, like:
>
>     #ifdef HAVE_INOTIFY
>     int try_inotify(...) {
>         ..
>     }
>     #else
>     int try_inotify(...) {
>         return EINVAL;
>     }
>     #endif
>
> and in the core code always call try_inotify() first and if EINVAL is
> returned fall back to polling.
>
> 2) inotify can return multiple events at the same time, so you should
> have a loop to read them.
>
> 3) you use read() without retrying in case you read less than the
> requested bytes. While a read() is unlikely to fail in this case, you
> never know if an interrupt will interrupt the call. So you should
> really check if you need to reread.
>
> 4) You should use ioctl() to make the inotify descriptor O_NONBLOCK,
> otherwise there is a risk of blocking on the call.
>
> 5) Are we sure we want to put the file monitoring functions in confdb?
> It seems to me the monitor's own code is the right place.
>
> files:
> 1) *never* install sssd.conf, it would overwrite existing legit ones;
> let the rpm do it. (this is definitely a blocking issue for the patch)
>
> 2) please put the example sssd.conf under examples and at the same time
> remove the ldif examples we have there, as they are not necessary
> anymore. (besides, the example config file, as is, is not ok: you can't
> use /lib64 on a 32 bit machine, and we don't want to use the LOCAL
> compat mode by default upstream, it's only a migration mode)
>
> server_setup():
> I think we should confine the config file manipulation within monitor,
> so I would prefer not to pass the conf file to the general server_setup.
>
> Let server_setup create the basic empty ldb if no ldb is found, but also
> let the monitor do all the file reading and initialization. We do not
> want to expose to all processes functions that can and should be performed
> only by monitor.
>
> So move confdb_init_db() out of confdb_init() and call it from monitor
> as the first thing.
>
> (This should also reduce the number of files touched by the patch)
>
> If this is too much work for now, we can move it later, although it
> would be better to have it correct now.
>
> This is more or less all I can see that would need fixing.
> Simo.

In follow-up to Simo's comments.

Patch 2)

Function confdb_create_ldif: you should free the list of sections and attributes in case of error. You currently do not do this.

Function confdb_init_db: you should destroy the error_list of parse errors after you printed the errors, using the destroy_collection() function.

Function confdb_init_db: you should destroy the sssd_config collection after you used it. I do not see it being destroyed anywhere.

I know that there is a lack of time, but better commenting and tracing/debugging capabilities in the code would really be helpful to understand what the code is doing.

Also an observation. John invested several weeks into this kind of complex inotify file monitoring. Moving forward we should create a library out of it and put it into common so that you can use his work in the other parts of the sssd. I also think that the config reload code should probably be its own separate API based on John's code, so that it can be easily used for all daemons written in the scope of the project, whether they are a part of the sssd, audit or policy client.

-- 
Thank you,
Dmitri Pal
Engineering Manager IPA project, Red Hat Inc.
From: sbose at redhat.com (Sumit Bose)
Date: Sun, 12 Apr 2009 23:49:10 +0200
Subject: [Freeipa-devel] [PATCH] Cache credentials as hashes
In-Reply-To: <1239424995.26768.69.camel@localhost.localdomain>
References: <1239424995.26768.69.camel@localhost.localdomain>
Message-ID: <49E261D6.9050908@redhat.com>

Hi Simo,

after reading the patch I would generally ACK it, but I think pamsrv_cache.c is missing in the patch. Also the new definitions of dp_pack_pam_request and friends (deleted from pamsrv.h and pamsrv_util.h, new prototypes in data_provider.h, but no code) are missing.

bye,
Sumit

Simo Sorce wrote:
> Add code in the pam responder to cache credentials on successful
> authentication and use the stored credentials if the backend returns
> that it can't fetch information (offline).
>
> Tested with the proxy auth module and pam_ldap.
>
> Seems to work. One issue is that it seems that pam_ldap doesn't take
> well the fact that the server may disappear. If one successful
> connection to the ldap server has been performed, it seems like pam_ldap
> will keep trying to use the same connection, eventually returning a PAM
> system error. If sssd is restarted when the ldap server is not available,
> pam_ldap will immediately give up any attempt to connect and cached
> credentials are used instead.
> This makes using pam_ldap less than ideal in real deployments, but it is
> ok for testing of offline cached credentials capabilities.
>
> Simo.
From: dpal at redhat.com (Dmitri Pal)
Date: Sun, 12 Apr 2009 17:56:26 -0400
Subject: [Freeipa-devel] Let me introduce myself ... (working with sssd)
In-Reply-To: <1239529464.6415.9.camel@crow>
References: <1239529464.6415.9.camel@crow>
Message-ID: <49E2638A.9000001@redhat.com>

Miguel P.C. wrote:
> Hello everyone.
> Hi Stephen, hi Simo.
>

Welcome Miguel! There are a couple of channels on irc.freenode.net, #freeipa and #freeipa-devel, that you might want to join then.

> My name is Miguel Pérez Colino and I'm currently working on my Master's
> Final Project which is focused on FreeIPA and Ubuntu.
>
> My background in systems administration is pretty good, but I can't say
> the same about my programming and packaging skills. (Although I packaged
> updated versions of NUT for RH9 some years ago).
>
> Right now, I'd like to start making an SSSD package for Ubuntu and I'm
> looking for the needed documentation to read (especially about the
> compilation/building part). Any advice will be really welcome.
>

Some information about the design of the sssd can be found on www.freeipa.org.
The best way to become familiar with the project is to look at the git repository for it.
https://fedorahosted.org/sssd/
https://fedorahosted.org/sssd/browser
We had a round of significant changes recently but now hopefully the tree is stable.

> Please, if I'm writing to the wrong list or asking for already written
> information, let me know. I really do not want to be impolite :-)
>

This is the right place and the right team.
Do not hesitate to ask.
We will try to help you as much as we can.
We are under a bit of pressure before the middle of the week but after that we might be able to help you more.
I am also a novice to the project's code and trying to learn and contribute.
If you can send me the specific questions you want answers to I will be glad to try to answer them.

> Thanks in advance.
>
> M*
>

-- 
Thank you,
Dmitri Pal
Engineering Manager IPA project, Red Hat Inc.

From dpal at redhat.com Sun Apr 12 22:02:12 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Sun, 12 Apr 2009 18:02:12 -0400
Subject: [Freeipa-devel] [PATCHES][SSSD] Convert to using INI configuration file for the SSSD
In-Reply-To: <49E26098.80003@redhat.com>
References: <49E0A88A.3020403@redhat.com> <1239541863.1449.39.camel@localhost.localdomain> <49E26098.80003@redhat.com>
Message-ID: <49E264E4.9090801@redhat.com>

Dmitri Pal wrote:
> Simo Sorce wrote:
>> On Sat, 2009-04-11 at 10:26 -0400, Stephen Gallagher wrote:
>>
>>> See patch commit comments.
>>>
>>> Please note, review of these patches is a high priority, as
>>> successful completion of this task must be achieved no later than
>>> 11:00 EDT on Monday in order to be included in the F11 Release
>>> Candidate and the SSSD Test Day.
>>>
>>
>> 1st patch seems ok.
>>
>> 3rd patch is not ok, all configuration should be performed in the setup
>> step, and building only in the build step;
>> running autoreconf and configure in the build step is not correct.
>>
>>
>> On the 2nd I have a few comments.
>>
>> inotify:
>> 1) we cannot simply do an if/or with inotify just because we found it in
>> configure.
>> Support for inotify depends on the filesystem used. So even if the
>> kernel exposes the syscall we still don't know if inotify is going to be
>> really available or not.
>> If we fail to set up an inotify watch we should fall back to polling.
>>
>> Please use a function like try_inotify(...) and ifdef it to contain real
>> inotify code if we have the headers, or to immediately return if not, like:
>>
>> #ifdef HAVE_INOTIFY
>> int try_inotify(...) {
>>     ..
>> }
>> #else
>> int try_inotify(...) {
>>     return EINVAL;
>> }
>> #endif
>>
>> and in the core code always call try_inotify() first and if EINVAL is
>> returned fall back to polling.
>>
>> 2) inotify can return multiple events at the same time so you should
>> have a loop to read them.
>>
>> 3) you use read() without retrying in case you read less than the
>> requested bytes. While a read() is unlikely to fail in this case, you
>> never know if an interrupt will interrupt the call. So you should
>> really check if you need to reread.
>>
>> 4) You should use ioctl() to make the inotify descriptor O_NONBLOCK,
>> otherwise there is a risk of blocking on the call.
>>
>> 5) Are we sure we want to put the file monitoring functions in confdb?
>> It seems to me monitor's own code is the right place.
>>
>>
>> files:
>> 1) *never* install sssd.conf, it would overwrite existing legit ones,
>> let the rpm do it. (this is definitely a blocking issue for the patch)
>>
>> 2) please put the example sssd.conf under examples and at the same time
>> remove the ldif examples we have there as they are not necessary
>> anymore. (besides, the example config file, as is, is not ok, you can't
>> use /lib64 on a 32 bit machine, and we don't want to use the LOCAL
>> compat mode by default upstream, it's only a migration mode)
>>
>>
>> server_setup():
>> I think we should confine the config file manipulation within monitor,
>> so I would prefer not to pass the conf file to the general server_setup.
>>
>> Let server_setup create the basic empty ldb if no ldb is found, but also
>> let the monitor do all the file reading and initialization. We do not
>> want to expose to all processes functions that can and should be performed
>> only by monitor.
>>
>> So move confdb_init_db() out of confdb_init() and call it from monitor
>> as the first thing.
>>
>> (This should also reduce the number of files touched by the patch)
>>
>> If this is too much work for now, we can move it later, although it
>> would be better to have it correct now.
>>
>>
>>
>> This is more or less all I can see that would need fixing.
>> Simo.
>>
>>
> In follow up to Simo's comment.
> Patch 2)
> Function confdb_create_ldif: you should free the list of sections and
> attributes in case of error. You currently do not do this.
> Function confdb_init_db: you should destroy error_list of parse errors
> after you printed errors using the destroy_collection() function.
> Function confdb_init_db: you should destroy the sssd_config collection
> after you used it. I do not see it being destroyed anywhere.
>
> I know that there is a lack of time but better commenting and
> tracing/debugging capabilities in the code would really be helpful to
> understand what the code is doing.
> Also an observation. John invested several weeks into inotify kind of
> complex file monitoring.
> Moving forward we should create a library out of it and put it into
> common so that you can use his work in the other parts of the sssd.
> I also think that the config reload code should probably be its
> separate API based on John's code so that it can be easily used for
> all daemons written in the scope of the project whether they are a
> part of the sssd, audit or policy client.
>

And one other thing I forgot to mention. The collection is not intended to store large sets of data as you said in the package description. The collection is more oriented to hierarchical complex sets of data that are not big in size (dozens of items, maybe a hundred, but not thousands). It is good for collecting and iterating (serializing) but not optimal for search.
With thousands of items the hash table implementation might be a preferable approach.
In the future, however, the collection can be improved to take advantage of a hash table internally, but currently that is not the case.

-- 
Thank you,
Dmitri Pal
Engineering Manager IPA project, Red Hat Inc.

From sgallagh at redhat.com Sun Apr 12 22:13:33 2009
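The inotify handling Simo asks for in the review quoted above (a try_inotify() that lets the caller fall back to polling, a loop over the batch of events one read() returns, a retry when the call is interrupted, and a non-blocking descriptor), written out as an added example; this is not SSSD code nor any poster's. The temp file path and the config contents it writes are constructed, and WATCH_MASK, drain_inotify(), poll_changed() and detect_rewrite_demo() are names assumed for the example.

```c
/* Added example (not SSSD code): watch a config file with inotify,
 * falling back to stat() polling, following the review points above. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#define HAVE_INOTIFY 1
#include <sys/inotify.h>
#endif

#ifdef HAVE_INOTIFY
/* Events meaning "the config file may have new content" (assumed mask). */
#define WATCH_MASK (IN_MODIFY | IN_CLOSE_WRITE | IN_MOVE_SELF | IN_DELETE_SELF)

/* Point 1: returns 0 and an inotify fd on success, or an errno value when
 * the watch cannot be set (e.g. unsupported filesystem); the caller then
 * falls back to polling instead of assuming inotify works. */
int try_inotify(const char *path, int *fd_out)
{
    int fd = inotify_init();
    if (fd < 0) return errno;
    /* Point 4: non-blocking, so the event loop never stalls in read()
     * (fcntl here; ioctl(FIONBIO) does the same job). */
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags < 0 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0 ||
        inotify_add_watch(fd, path, WATCH_MASK) < 0) {
        int err = errno;
        close(fd);
        return err;
    }
    *fd_out = fd;
    return 0;
}

/* Points 2 and 3: one read() returns a batch of packed events and may be
 * interrupted; loop until the non-blocking fd reports EAGAIN. Returns the
 * number of interesting events, or -1 on a hard error. */
int drain_inotify(int fd)
{
    char buf[4096] __attribute__((aligned(8)));
    int count = 0;
    for (;;) {
        ssize_t len = read(fd, buf, sizeof(buf));
        if (len < 0) {
            if (errno == EINTR) continue;   /* interrupted: reread */
            if (errno == EAGAIN) break;      /* queue drained */
            return -1;
        }
        if (len == 0) break;
        for (ssize_t off = 0; off < len; ) {
            const struct inotify_event *ev = (const struct inotify_event *)(buf + off);
            if (ev->mask & WATCH_MASK) count++;
            off += sizeof(*ev) + ev->len;   /* events are variable-length */
        }
    }
    return count;
}
#else
/* Without inotify headers: report EINVAL so the core code polls instead. */
int try_inotify(const char *path, int *fd_out) { (void)path; (void)fd_out; return EINVAL; }
int drain_inotify(int fd) { (void)fd; return -1; }
#endif

/* Polling fallback: compare mtime and size with the last observation.
 * Returns 1 if the file changed, 0 if not, -1 if it cannot be stat()ed. */
struct poll_state { time_t mtime; off_t size; };
int poll_changed(const char *path, struct poll_state *st)
{
    struct stat sb;
    if (stat(path, &sb) < 0) return -1;
    int changed = (sb.st_mtime != st->mtime || sb.st_size != st->size);
    st->mtime = sb.st_mtime;
    st->size = sb.st_size;
    return changed;
}

/* Constructed end-to-end check: create a temp file, watch it, rewrite it,
 * and report how the change was seen: 1 = inotify, 2 = polling, -1 = error. */
int detect_rewrite_demo(void)
{
    char path[] = "/tmp/sssd-conf-watch-XXXXXX";   /* constructed sample file */
    int tfd = mkstemp(path);
    if (tfd < 0) return -1;
    if (write(tfd, "[sssd]\n", 7) != 7) { close(tfd); unlink(path); return -1; }
    close(tfd);
    struct poll_state st = {0, 0};
    poll_changed(path, &st);                      /* record the baseline */
    int ifd = -1, rc = try_inotify(path, &ifd);
    FILE *f = fopen(path, "w");                   /* rewrite with a different size */
    if (f == NULL) { if (rc == 0) close(ifd); unlink(path); return -1; }
    fputs("[sssd]\ndebug_level = 9\n", f);        /* constructed contents */
    fclose(f);
    int how = (rc == 0) ? (drain_inotify(ifd) > 0 ? 1 : -1)
                        : (poll_changed(path, &st) == 1 ? 2 : -1);
    if (rc == 0) close(ifd);
    unlink(path);
    return how;
}
```

Because the descriptor is non-blocking, drain_inotify() returns 0 rather than hanging when nothing has happened yet, which is what lets the monitor keep serving its main loop.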
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Sun, 12 Apr 2009 18:13:33 -0400
Subject: [Freeipa-devel] Let me introduce myself ... (working with sssd)
In-Reply-To: <1239529464.6415.9.camel@crow>
References: <1239529464.6415.9.camel@crow>
Message-ID: <49E2678D.6060008@redhat.com>

Miguel P.C. wrote:
> Hello everyone.
> Hi Stephen, hi Simo.
>
> My name is Miguel Pérez Colino and I'm currently working on my Master's
> Final Project which is focused on FreeIPA and Ubuntu.
>
> My background in systems administration is pretty good, but I can't say
> the same about my programming and packaging skills. (Although I packaged
> updated versions of NUT for RH9 some years ago).
>
> Right now, I'd like to start making an SSSD package for Ubuntu and I'm
> looking for the needed documentation to read (especially about the
> compilation/building part). Any advice will be really welcome.
>
> Please, if I'm writing to the wrong list or asking for already written
> information, let me know. I really do not want to be impolite :-)
>
> Thanks in advance.
>
> M*
>

Hello, Miguel. We would absolutely like to work with you to get SSSD running on Ubuntu. Right now, the build system is in a little bit of flux (I'm working on a patch that should be available in the source tree sometime tomorrow). Once that's done, you can find a good resource on building in the BUILD.txt in the root of the source checkout. Please note that right now the BUILD.txt is a bit out of date, so I'll let you know when it's updated.

Beyond the BUILD.txt, another good reference is in the sssd.spec located in the root of the source checkout. It's moderately Fedora-specific, but it would give you a pretty good idea of exactly the configure flags that we're using.

Welcome to the SSSD project!

-- 
Stephen Gallagher
RHCE 804006346421761

From sgallagh at redhat.com Sun Apr 12 23:51:58 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Sun, 12 Apr 2009 19:51:58 -0400
Subject: [Freeipa-devel] [PATCHES][SSSD] Convert to using INI configuration file for the SSSD
In-Reply-To: <49E264E4.9090801@redhat.com>
References: <49E0A88A.3020403@redhat.com> <1239541863.1449.39.camel@localhost.localdomain> <49E26098.80003@redhat.com> <49E264E4.9090801@redhat.com>
Message-ID: <49E27E9E.20600@redhat.com>

Dmitri Pal wrote:
> Dmitri Pal wrote:
>> Simo Sorce wrote:
>>> On Sat, 2009-04-11 at 10:26 -0400, Stephen Gallagher wrote:
[... snip ...]
> And one other thing I forgot to mention. The collection is not intended
> to store large sets of data as you said in the package description. The
> collection is more oriented to hierarchical complex sets of data that are
> not big in size (dozens of items, maybe a hundred, but not thousands).
> It is good for collecting and iterating (serializing) but not optimal
> for search.
> With thousands of items the hash table implementation might be a
> preferable approach.
> In the future, however, the collection can be improved to take advantage
> of a hash table internally, but currently that is not the case.
>

I have made all of the changes recommended by Simo and Dmitri. Please re-review when you can. The new patches are attached.

-- 
Stephen Gallagher
RHCE 804006346421761

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Build-system-improvements-for-common-tools.patch
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0002-Allow-configuration-of-the-SSSD-through-etc-sssd-ss.patch
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0003-Update-RPM-build-for-configuration-changes.patch
URL:

From sgallagh at redhat.com Sun Apr 12 23:53:41 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Sun, 12 Apr 2009 19:53:41 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Remove InfoPipe from RPM build
Message-ID: <49E27F05.6090803@redhat.com>

Currently, the InfoPipe is undergoing a complete overhaul. We won't be including the current variant in the Fedora Test Day, and I think it's probably unwise to ship it (and have to support it) in its current state.

The attached patch will remove the InfoPipe from the RPM build. We can re-add it later once the API is more nailed down.

-- 
Stephen Gallagher
RHCE 804006346421761

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0004-Remove-InfoPipe-from-the-RPM-build.patch
URL:

From sgallagh at redhat.com Mon Apr 13 00:06:29 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Sun, 12 Apr 2009 20:06:29 -0400
Subject: [Freeipa-devel] [PATCH] always pass as much info as possible
In-Reply-To: <1239424721.26768.64.camel@localhost.localdomain>
References: <1239424721.26768.64.camel@localhost.localdomain>
Message-ID: <49E28205.2070108@redhat.com>

Simo Sorce wrote:
> In some sysdb functions we were passing the domain name instead of the
> domain info structure.
> Fix all functions to use the full domain info.
>
> Add helper function to retrieve just one domain info structure given the
> domain name.
>
> Add option to not store passwords even if the remote backend offers them
> (enabled by default)
>
> Simo.
>

Ack.

-- 
Stephen Gallagher
RHCE 804006346421761

From ssorce at redhat.com Mon Apr 13 01:26:46 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Sun, 12 Apr 2009 21:26:46 -0400
Subject: [Freeipa-devel] [PATCH] Cahce credentials as hashes
In-Reply-To: <49E261D6.9050908@redhat.com>
References: <1239424995.26768.69.camel@localhost.localdomain> <49E261D6.9050908@redhat.com>
Message-ID: <1239586006.1449.48.camel@localhost.localdomain>

On Sun, 2009-04-12 at 23:49 +0200, Sumit Bose wrote:
> Hi Simo,
>
> after reading the patch I would generally ACK it, but I think
> pamsrv_cache.c is missing in the patch. Also the new definitions of
> dp_pack_pam_request and friends (deleted from pamsrv.h and
> pamsrv_util.h, new prototypes in data_provider.h, but no code) are missing.

Argghh.

Right, added the new files and attached new revision of the patch.

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Implement-credentials-caching-in-pam-responder.patch
Type: text/x-patch
Size: 56666 bytes
Desc: not available
URL:

From mpcolino at gmail.com Mon Apr 13 08:36:36 2009
From: mpcolino at gmail.com (Miguel P.C.)
Date: Mon, 13 Apr 2009 10:36:36 +0200
Subject: [Freeipa-devel] Let me introduce myself ... (working with sssd)
In-Reply-To: <49E2638A.9000001@redhat.com>
References: <1239529464.6415.9.camel@crow> <49E2638A.9000001@redhat.com>
Message-ID: <1239611796.4787.4.camel@crow>

[... snip ...]
> Welcome Miguel!

Thanks!

> There are a couple of channels on irc.freenode.net, #freeipa and
> #freeipa-devel, that you might want to join then.

I'm not an IRC fan but I'll surely try them.

By now I'm trying to be ready to ask proper/good questions, so I think it's better for me to start reading what's available.

Thanks a lot Dmitri!

[... snip ...]

From mpcolino at gmail.com Mon Apr 13 08:49:09 2009
From: mpcolino at gmail.com (Miguel P.C.)
Date: Mon, 13 Apr 2009 10:49:09 +0200
Subject: [Freeipa-devel] Let me introduce myself ... (working with sssd)
In-Reply-To: <49E2678D.6060008@redhat.com>
References: <1239529464.6415.9.camel@crow> <49E2678D.6060008@redhat.com>
Message-ID: <1239612549.4787.16.camel@crow>

> Hello, Miguel.

Hi!

> We would absolutely like to work with you to get SSSD
> running on Ubuntu. Right now, the build system is in a little bit of
> flux (I'm working on a patch that should be available in the source tree
> sometime tomorrow).

It seems that a deadline is getting close. Good luck!

> Once that's done, you can find a good resource on
> building in the BUILD.txt in the root of the source checkout. Please
> note that right now the BUILD.txt is a bit out of date, so I'll let you
> know when it's updated.

I was reading it right now. I'll take another look at it once it's updated.

> Beyond the BUILD.txt, another good reference is in the sssd.spec located
> in the root of the source checkout. It's moderately Fedora-specific, but
> it would give you a pretty good idea of exactly the configure flags that
> we're using.

Let me see ... Oh, great. Almost all the dependencies and build steps in only one file. This will be really helpful. Thanks!

> Welcome to the SSSD project!

Thanks again!

M*

P.S.: Thank you all also for providing such a quick response.

From mpcolino at gmail.com Mon Apr 13 09:05:45 2009
From: mpcolino at gmail.com (Miguel P.C.)
Date: Mon, 13 Apr 2009 11:05:45 +0200
Subject: [Freeipa-devel] Let me introduce myself ... (working with sssd) (take 2
In-Reply-To: <49E2638A.9000001@redhat.com>
References: <1239529464.6415.9.camel@crow> <49E2638A.9000001@redhat.com>
Message-ID: <1239613545.4787.26.camel@crow>

Hi again ... I did not read the full message at once.

[... snip ...]
> Some information about the design of the sssd can be found on
> www.freeipa.org.

OK. This one looks really good:
http://www.freeipa.org/page/IPA_Client_Design_Overview

> The best way to become familiar with the project is to look at the git
> repository for it.
> https://fedorahosted.org/sssd/
> https://fedorahosted.org/sssd/browser
> We had a round of significant changes recently but now hopefully the
> tree is stable.

I already downloaded it; anyway, the URLs will be useful for documentation. Thanks!

>> Please, if I'm writing to the wrong list or asking for already written
>> information, let me know. I really do not want to be impolite :-)
>>
>>
> This is the right place and the right team.
> Do not hesitate to ask.
> We will try to help you as much as we can.

Great. Thanks again.

> We are under a bit of pressure before the middle of the week but after
> that we might be able to help you more.

As I said before, good luck!

> I am also a novice to the project's code and trying to learn and contribute.
> If you can send me the specific questions you want answers to I
> will be glad to try to answer them.

I surely accept your offer. Thanks once more.

M*

From sgallagh at redhat.com Mon Apr 13 12:55:58 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 13 Apr 2009 08:55:58 -0400
Subject: [Freeipa-devel] [PATCHES][SSSD] Convert to using INI configuration file for the SSSD
In-Reply-To: <49E27E9E.20600@redhat.com>
References: <49E0A88A.3020403@redhat.com> <1239541863.1449.39.camel@localhost.localdomain> <49E26098.80003@redhat.com> <49E264E4.9090801@redhat.com> <49E27E9E.20600@redhat.com>
Message-ID: <49E3365E.5010106@redhat.com>

Stephen Gallagher wrote:
> Dmitri Pal wrote:
>> Dmitri Pal wrote:
>>> Simo Sorce wrote:
>>>> On Sat, 2009-04-11 at 10:26 -0400, Stephen Gallagher wrote:
[... snip ...]
>
> I have made all of the changes recommended by Simo and Dmitri. Please
> re-review when you can. The new patches are attached.
>

One more set of patches based on IRC discussion. Only patch 0002 has changed from the previous mailing.

-- 
Stephen Gallagher
RHCE 804006346421761

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Build-system-improvements-for-common-tools.patch
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0002-Allow-configuration-of-the-SSSD-through-etc-sssd-ss.patch
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0003-Update-RPM-build-for-configuration-changes.patch
URL:

From sgallagh at redhat.com Mon Apr 13 13:05:05 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 13 Apr 2009 09:05:05 -0400
Subject: [Freeipa-devel] [PATCH] Cahce credentials as hashes
In-Reply-To: <1239586006.1449.48.camel@localhost.localdomain>
References: <1239424995.26768.69.camel@localhost.localdomain> <49E261D6.9050908@redhat.com> <1239586006.1449.48.camel@localhost.localdomain>
Message-ID: <49E33881.9030105@redhat.com>

Simo Sorce wrote:
> On Sun, 2009-04-12 at 23:49 +0200, Sumit Bose wrote:
>> Hi Simo,
>>
>> after reading the patch I would generally ACK it, but I think
>> pamsrv_cache.c is missing in the patch. Also the new definitions of
>> dp_pack_pam_request and friends (deleted from pamsrv.h and
>> pamsrv_util.h, new prototypes in data_provider.h, but no code) are
>> missing.
>
> Argghh.
>
> Right, added the new files and attached new revision of the patch.

Ack.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Mon Apr 13 13:08:54 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 13 Apr 2009 09:08:54 -0400
Subject: [Freeipa-devel] [PATCHES][SSSD] Convert to using INI configuration file for the SSSD
In-Reply-To: <49E3365E.5010106@redhat.com>
References: <49E0A88A.3020403@redhat.com> <1239541863.1449.39.camel@localhost.localdomain> <49E26098.80003@redhat.com> <49E264E4.9090801@redhat.com> <49E27E9E.20600@redhat.com> <49E3365E.5010106@redhat.com>
Message-ID: <1239628134.1449.52.camel@localhost.localdomain>

On Mon, 2009-04-13 at 08:55 -0400, Stephen Gallagher wrote:
>
> One more set of patches based on IRC discussion. Only patch 0002 has
> changed from the previous mailing.

ack, and pushed.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Mon Apr 13 13:09:10 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 13 Apr 2009 09:09:10 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Remove InfoPipe from RPM build
In-Reply-To: <49E27F05.6090803@redhat.com>
References: <49E27F05.6090803@redhat.com>
Message-ID: <1239628150.1449.53.camel@localhost.localdomain>

On Sun, 2009-04-12 at 19:53 -0400, Stephen Gallagher wrote:
>
> Currently, the InfoPipe is undergoing a complete overhaul. We won't be
> including the current variant in the Fedora Test Day, and I think it's
> probably unwise to ship it (and have to support it) in its current
> state.
>
> The attached patch will remove the InfoPipe from the RPM build. We can
> re-add it later once the API is more nailed down.

Ack and pushed

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Mon Apr 13 13:09:35 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 13 Apr 2009 09:09:35 -0400
Subject: [Freeipa-devel] [PATCH] always pass as much info as possible
In-Reply-To: <49E28205.2070108@redhat.com>
References: <1239424721.26768.64.camel@localhost.localdomain> <49E28205.2070108@redhat.com>
Message-ID: <1239628175.1449.54.camel@localhost.localdomain>

On Sun, 2009-04-12 at 20:06 -0400, Stephen Gallagher wrote:
> Simo Sorce wrote:
> > In some sysdb functions we were passing the domain name instead of the
> > domain info structure.
> > Fix all functions to use the full domain info.
> >
> > Add helper function to retrieve just one domain info structure given
> > the domain name.
> >
> > Add option to not store passwords even if the remote backend offers
> > them (enabled by default)
> Ack.

pushed,
Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Mon Apr 13 13:10:07 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 13 Apr 2009 09:10:07 -0400
Subject: [Freeipa-devel] [PATCH] Cahce credentials as hashes
In-Reply-To: <49E33881.9030105@redhat.com>
References: <1239424995.26768.69.camel@localhost.localdomain> <49E261D6.9050908@redhat.com> <1239586006.1449.48.camel@localhost.localdomain> <49E33881.9030105@redhat.com>
Message-ID: <1239628207.1449.55.camel@localhost.localdomain>

On Mon, 2009-04-13 at 09:05 -0400, Stephen Gallagher wrote:
>
> Ack.

pushed,
Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Mon Apr 13 13:26:11 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 13 Apr 2009 09:26:11 -0400
Subject: [Freeipa-devel] Let me introduce myself ... (working with sssd)
In-Reply-To: <1239612549.4787.16.camel@crow>
References: <1239529464.6415.9.camel@crow> <49E2678D.6060008@redhat.com> <1239612549.4787.16.camel@crow>
Message-ID: <49E33D73.3000903@redhat.com>

Miguel P.C. wrote:
>> Hello, Miguel.
>
> Hi!
>
>> We would absolutely like to work with you to get SSSD
>> running on Ubuntu. Right now, the build system is in a little bit of
>> flux (I'm working on a patch that should be available in the source tree
>> sometime tomorrow).
>
> It seems that a deadline is getting close. Good luck!
>
>> Once that's done, you can find a good resource on
>> building in the BUILD.txt in the root of the source checkout. Please
>> note that right now the BUILD.txt is a bit out of date, so I'll let you
>> know when it's updated.
>
> I was reading it right now. I'll take another look at it once it's
> updated.
>
>> Beyond the BUILD.txt, another good reference is in the sssd.spec located
>> in the root of the source checkout. It's moderately Fedora-specific, but
>> it would give you a pretty good idea of exactly the configure flags that
>> we're using.
>
> Let me see ...
> Oh, great! Almost all the dependencies and build steps in only one
> file. This will be really helpful. Thanks!
>
>> Welcome to the SSSD project!
>
> Thanks again!
>
> M*
>
> P.S.: Thank you all also for providing such a quick response.

Miguel, as promised, the source code has been updated this morning. We've
revved the sssd to 0.3.0 and updated the BUILD.txt and sssd.spec
accordingly.
Please see those two files for details, and feel free to direct any questions you may have to this mailing list. If you need information at a faster turnaround, feel free to join us on freenode IRC in #freeipa-devel. - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAknjPXAACgkQeiVVYja6o6OlgwCggIxy0P7vRQagy18Rqm3kvAq9 8vUAn3dwtL0o9bMXGawRy/9fsk7+a9ni =V6sD -----END PGP SIGNATURE----- From ssorce at redhat.com Mon Apr 13 14:21:50 2009 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 13 Apr 2009 10:21:50 -0400 Subject: [Freeipa-devel] FYI pushed patch was:[Fwd: server/responder] Message-ID: <1239632510.1449.57.camel@localhost.localdomain> I pushed this patch to be able to release 0.3.0 today. It's tested and fixes clear segfaults. Simo. -------- Forwarded Message -------- From: Simo Sorce To: gitsssd-members at fedoraproject.org Subject: server/responder Date: Mon, 13 Apr 2009 14:18:58 +0000 (UTC) server/responder/nss/nsssrv_cmd.c | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) New commits: commit d497830d687951be2d49df1a9fa3cce57268670f Author: Simo Sorce Date: Mon Apr 13 10:15:50 2009 -0400 Fix segfaults when passing an unknown domain Also setting dctx->domain to NULL is a recipe for segfaults :-) Assign dctx->domain only when dom actually holds a domain pointer. diff --git a/server/responder/nss/nsssrv_cmd.c b/server/responder/nss/nsssrv_cmd.c index 3531421..f5555ed 100644 --- a/server/responder/nss/nsssrv_cmd.c +++ b/server/responder/nss/nsssrv_cmd.c @@ -88,6 +88,8 @@ static struct sss_domain_info *nss_get_dom(struct sss_domain_info *doms, for (dom = doms; dom; dom = dom->next) { if (strcasecmp(dom->name, domain) == 0) break; } + if (!dom) DEBUG(2, ("Unknown domain [%s]!\n", domain)); + return dom; } 
@@ -340,8 +342,6 @@ static void nss_cmd_getpwnam_callback(void *ptr, int status, /* reset neghit if we still have a domain to check */ if (dom) neghit = false; - dctx->domain = dom; - if (neghit) { DEBUG(2, ("User [%s] does not exist! (negative cache)\n", cmdctx->name)); @@ -354,6 +354,7 @@ static void nss_cmd_getpwnam_callback(void *ptr, int status, } if (ret == EOK) { + dctx->domain = dom; dctx->check_provider = (dctx->domain->provider != NULL); if (dctx->res) talloc_free(res); dctx->res = NULL; @@ -519,6 +520,10 @@ static int nss_cmd_getpwnam(struct cli_ctx *cctx) if (domname) { dctx->domain = nss_get_dom(cctx->rctx->domains, domname); + if (!dctx->domain) { + ret = ENOENT; + goto done; + } /* verify this user has not yet been negatively cached, * or has been permanently filtered */ @@ -1713,9 +1718,7 @@ static void nss_cmd_getgrnam_callback(void *ptr, int status, /* reset neghit if we still have a domain to check */ if (dom) neghit = false; - dctx->domain = dom; - - if (neghit) { + if (neghit) { DEBUG(2, ("Group [%s] does not exist! (negative cache)\n", cmdctx->name)); ret = ENOENT; @@ -1727,6 +1730,7 @@ static void nss_cmd_getgrnam_callback(void *ptr, int status, } if (ret == EOK) { + dctx->domain = dom; dctx->check_provider = (dctx->domain->provider != NULL); if (dctx->res) talloc_free(res); dctx->res = NULL; @@ -1887,6 +1891,10 @@ static int nss_cmd_getgrnam(struct cli_ctx *cctx) if (domname) { dctx->domain = nss_get_dom(cctx->rctx->domains, domname); + if (!dctx->domain) { + ret = ENOENT; + goto done; + } /* verify this user has not yet been negatively cached, * or has been permanently filtered */ 
@@ -2880,20 +2888,19 @@ static void nss_cmd_getinit_callback(void *ptr, int status, /* reset neghit if we still have a domain to check */ if (dom) neghit = false; - dctx->domain = dom; - - if (neghit) { + if (neghit) { DEBUG(2, ("User [%s] does not exist! (negative cache)\n", cmdctx->name)); ret = ENOENT; } - if (dctx->domain == NULL) { + if (dom == NULL) { DEBUG(2, ("No matching domain found for [%s], fail!\n", cmdctx->name)); ret = ENOENT; } if (ret == EOK) { + dctx->domain = dom; dctx->check_provider = (dctx->domain->provider != NULL); if (dctx->res) talloc_free(res); dctx->res = NULL; @@ -3020,6 +3027,10 @@ static int nss_cmd_initgroups(struct cli_ctx *cctx) if (domname) { dctx->domain = nss_get_dom(cctx->rctx->domains, domname); + if (!dctx->domain) { + ret = ENOENT; + goto done; + } /* verify this user has not yet been negatively cached, * or has been permanently filtered */ -- Simo Sorce * Red Hat, Inc * New York From sgallagh at redhat.com Mon Apr 13 14:31:06 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 13 Apr 2009 10:31:06 -0400 Subject: [Freeipa-devel] FYI pushed patch was:[Fwd: server/responder] In-Reply-To: <1239632510.1449.57.camel@localhost.localdomain> References: <1239632510.1449.57.camel@localhost.localdomain> Message-ID: <49E34CAA.3020305@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Simo Sorce wrote: > I pushed this patch to be able to release 0.3.0 today. > It's tested and fixes clear segfaults. > > Simo. > > -------- Forwarded Message -------- 
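Review bot: nss_get_dom still returns NULL for an unknown domain; the added `if (!dom) DEBUG(2, ("Unknown domain [%s]!\n", domain));` in the -88 hunk only records the miss, so the fix depends on every caller testing the result. The three nss_cmd_* hunks in this patch add that test, but any caller of nss_get_dom outside these hunks still uses an unchecked pointer and needs the same `if (!dctx->domain)` guard. The brace-less one-line `if` matches the file's existing style (`if (dom) neghit = false;`), so no style concern there.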
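Review bot: with `dctx->domain = dom;` moved into the `ret == EOK` branch at -354, the very next line dereferences `dctx->domain->provider`, so nss_cmd_getpwnam_callback now relies on ret being ENOENT whenever dom is NULL. The getinit_callback hunk at -2880 makes that hold by rewriting `if (dctx->domain == NULL)` to `if (dom == NULL)`, but the -340 and -354 hunks show no equivalent change; if the same NULL check sits in the unshown lines between them, it now tests the stale dctx->domain left from the previous domain iteration rather than dom, and should be switched to `if (dom == NULL)` as well.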
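Review bot: the new `if (!dctx->domain) { ret = ENOENT; goto done; }` in the -519 hunk correctly bails out before the negative-cache check, but the `done:` label is outside the hunk; confirm that path sends the ENOENT reply to the client and releases cmdctx, since every request naming an unknown domain will now take it. The identical blocks added to nss_cmd_getgrnam (-1887) and nss_cmd_initgroups (-3020) carry the same dependency on their respective `done:` paths.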
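Review bot: the `- if (neghit) {` / `+ if (neghit) {` pair in the -1713 hunk (repeated at -2880) changes only whitespace and inflates the diff; drop it or move it to a separate cleanup commit. Otherwise the concern raised for nss_cmd_getpwnam_callback applies here too: the assignment moves to -1730 inside `ret == EOK`, immediately followed by `dctx->domain->provider`, so any `dctx->domain == NULL` test in nss_cmd_getgrnam_callback must now test `dom` instead, as the -2880 hunk does for getinit.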
> From: Simo Sorce > To: gitsssd-members at fedoraproject.org > Subject: server/responder > Date: Mon, 13 Apr 2009 14:18:58 +0000 (UTC) > > server/responder/nss/nsssrv_cmd.c | 29 ++++++++++++++++++++--------- > 1 file changed, 20 insertions(+), 9 deletions(-) > > New commits: > commit d497830d687951be2d49df1a9fa3cce57268670f > Author: Simo Sorce > Date: Mon Apr 13 10:15:50 2009 -0400 > > Fix segfaults when passing an unknown domain > > Also setting dctx->domain to NULL is a recipe for segfaults :-) > Assign dctx->domain only when dom actually holds a domain pointer. > > diff --git a/server/responder/nss/nsssrv_cmd.c b/server/responder/nss/nsssrv_cmd.c > index 3531421..f5555ed 100644 > --- a/server/responder/nss/nsssrv_cmd.c > +++ b/server/responder/nss/nsssrv_cmd.c > @@ -88,6 +88,8 @@ static struct sss_domain_info *nss_get_dom(struct sss_domain_info *doms, > for (dom = doms; dom; dom = dom->next) { > if (strcasecmp(dom->name, domain) == 0) break; > } > + if (!dom) DEBUG(2, ("Unknown domain [%s]!\n", domain)); > + > return dom; > } > > @@ -340,8 +342,6 @@ static void nss_cmd_getpwnam_callback(void *ptr, int status, > /* reset neghit if we still have a domain to check */ > if (dom) neghit = false; > > - dctx->domain = dom; > - > if (neghit) { > DEBUG(2, ("User [%s] does not exist! (negative cache)\n", > cmdctx->name)); > @@ -354,6 +354,7 @@ static void nss_cmd_getpwnam_callback(void *ptr, int status, > } > > if (ret == EOK) { > + dctx->domain = dom; > dctx->check_provider = (dctx->domain->provider != NULL); > if (dctx->res) talloc_free(res); > dctx->res = NULL; > @@ -519,6 +520,10 @@ static int nss_cmd_getpwnam(struct cli_ctx *cctx) > > if (domname) { > dctx->domain = nss_get_dom(cctx->rctx->domains, domname); > + if (!dctx->domain) { > + ret = ENOENT; > + goto done; > + } > > /* verify this user has not yet been negatively cached, > * or has been permanently filtered */ 
> @@ -1713,9 +1718,7 @@ static void nss_cmd_getgrnam_callback(void *ptr, int status, > /* reset neghit if we still have a domain to check */ > if (dom) neghit = false; > > - dctx->domain = dom; > - > - if (neghit) { > + if (neghit) { > DEBUG(2, ("Group [%s] does not exist! (negative cache)\n", > cmdctx->name)); > ret = ENOENT; > @@ -1727,6 +1730,7 @@ static void nss_cmd_getgrnam_callback(void *ptr, int status, > } > > if (ret == EOK) { > + dctx->domain = dom; > dctx->check_provider = (dctx->domain->provider != NULL); > if (dctx->res) talloc_free(res); > dctx->res = NULL; > @@ -1887,6 +1891,10 @@ static int nss_cmd_getgrnam(struct cli_ctx *cctx) > > if (domname) { > dctx->domain = nss_get_dom(cctx->rctx->domains, domname); > + if (!dctx->domain) { > + ret = ENOENT; > + goto done; > + } > > /* verify this user has not yet been negatively cached, > * or has been permanently filtered */ > @@ -2880,20 +2888,19 @@ static void nss_cmd_getinit_callback(void *ptr, int status, > /* reset neghit if we still have a domain to check */ > if (dom) neghit = false; > > - dctx->domain = dom; > - > - if (neghit) { > + if (neghit) { > DEBUG(2, ("User [%s] does not exist! (negative cache)\n", > cmdctx->name)); > ret = ENOENT; > } > - if (dctx->domain == NULL) { > + if (dom == NULL) { > DEBUG(2, ("No matching domain found for [%s], fail!\n", > cmdctx->name)); > ret = ENOENT; > } > > if (ret == EOK) { > + dctx->domain = dom; > dctx->check_provider = (dctx->domain->provider != NULL); > if (dctx->res) talloc_free(res); > dctx->res = NULL; 
> @@ -3020,6 +3027,10 @@ static int nss_cmd_initgroups(struct cli_ctx *cctx) > > if (domname) { > dctx->domain = nss_get_dom(cctx->rctx->domains, domname); > + if (!dctx->domain) { > + ret = ENOENT; > + goto done; > + } > > /* verify this user has not yet been negatively cached, > * or has been permanently filtered */ > > Ack (after the fact) - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAknjTKYACgkQeiVVYja6o6OQswCeOAe78yyMkb1uq9ps/jBqhMV7 jYAAn2SfXqkJe5ebAbK6kN5/VcN0ZqE/ =pZ4D -----END PGP SIGNATURE----- From jhrozek at redhat.com Mon Apr 13 16:46:08 2009 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 13 Apr 2009 18:46:08 +0200 Subject: [Freeipa-devel] [PATCH] InfoPipe tests Message-ID: <1239641168.24119.14.camel@hendrix> I wrote these before I knew that the current InfoPipe incarnation was going down the drain...but maybe at least parts will be useful anyway. These tests test the Infopipe methods that require the caller to be root as per the infp_get_permissions() check, so they reside in a separate test binary called tests/infopipe-privileged-tests. The second patch fixes some typos in the Introspection XML file. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0003-Add-some-more-InfoPipe-tests.patch Type: application/mbox Size: 23271 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-Fix-typos-in-the-Introspection-XML-file.patch Type: application/mbox Size: 2278 bytes Desc: not available URL: From jhrozek at redhat.com Mon Apr 13 16:46:11 2009 
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 13 Apr 2009 18:46:11 +0200
Subject: [Freeipa-devel] [PATCH] Add a LSB header to the initscript
Message-ID: <1239641171.24119.15.camel@hendrix>

This was brought up by Sumit some time ago as part of the SUSE packaging,
but I think it is useful for a broader audience because Fedora and Debian
are also moving towards LSB headers in initscripts.

Jakub

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-a-LSB-header-to-the-initscript.patch
Type: application/mbox
Size: 1231 bytes
Desc: not available
URL:

From sgallagh at redhat.com Mon Apr 13 16:57:03 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 13 Apr 2009 12:57:03 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Build fixes for RPM packaging of SSSD
Message-ID: <49E36EDF.3020205@redhat.com>

We were missing several BuildRequires for the autotools. Also, we were
linking against two external libraries in the common code that we do not
actually use.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Build-fixes-for-RPM-packaging-of-SSSD.patch
URL:

From sgallagh at redhat.com Mon Apr 13 17:02:20 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 13 Apr 2009 13:02:20 -0400
Subject: [Freeipa-devel] [PATCH] Add a LSB header to the initscript
In-Reply-To: <1239641171.24119.15.camel@hendrix>
References: <1239641171.24119.15.camel@hendrix>
Message-ID: <49E3701C.7030308@redhat.com>

Jakub Hrozek wrote:
> This was brought up by Sumit some time ago as part of the SUSE
> packaging, but I think it is useful for a broader audience because Fedora
> and Debian are also moving towards LSB headers in initscripts.
>
> Jakub

Ack and pushed.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Mon Apr 13 17:44:55 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 13 Apr 2009 13:44:55 -0400
Subject: [Freeipa-devel] [PATCH] more CA installer work
Message-ID: <49E37A17.3020300@redhat.com>

This patch lets us issue DS and Apache server certs during CA
installation.

It also:
- will create a CA instance (pki-ca) if it doesn't exist
- maintains support for a self-signed CA
- a signing cert is still not created, so Firefox autoconfig still won't
  work

Once I get an object signing profile for dogtag we can generate a signing
cert and do the jar signing for Firefox.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-175-cainstall.patch
Type: application/mbox
Size: 35313 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Apr 13 17:51:50 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 13 Apr 2009 13:51:50 -0400
Subject: [Freeipa-devel] [PATCH] make RA plugin use nsslib
Message-ID: <49E37BB6.3020100@redhat.com>

Convert the RA plugin from using sslget to using nsslib instead. This
makes SELinux happier too.

I'm also removing the bootstrap code from the plugin. All of this is
handled by the installer.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-176-ra.patch
Type: application/mbox
Size: 12164 bytes
Desc: not available
URL:

From ssorce at redhat.com Mon Apr 13 18:02:29 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 13 Apr 2009 14:02:29 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Build fixes for RPM packaging of SSSD
In-Reply-To: <49E36EDF.3020205@redhat.com>
References: <49E36EDF.3020205@redhat.com>
Message-ID: <1239645749.1449.58.camel@localhost.localdomain>

On Mon, 2009-04-13 at 12:57 -0400, Stephen Gallagher wrote:
>
> We were missing several BuildRequires for the autotools. Also, we
> were linking against two external libraries in the common code
> that we do not actually use.

Ack, and pushed.
Also pushed a patch to change the version to 0.3.0 in configure.ac that I
forgot to push earlier.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Mon Apr 13 18:23:55 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 13 Apr 2009 14:23:55 -0400
Subject: [Freeipa-devel] Some thoughts about renaming SSSD
Message-ID: <49E3833B.5010100@redhat.com>

Hi,

For the last week I was thinking a lot about an alternative name for the
SSSD.
It came to me that the SSSD is actually a Client Side Identity Services
Framework.
Well, sounds like CSI: SF to me :-)
We can drop SF, leaving just CSI.

Another idea was ISF - Identity Services Framework.
Another idea was ISI - Identity Services Infrastructure.
We can also go with ISP - Identity Services Platform
Or actually APIS - Agent Platform Identity Services.
And a slogan:
"APIS is a piece of functionality that brings you a peace of mind!"

Just some thoughts...

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Mon Apr 13 18:53:10 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 13 Apr 2009 14:53:10 -0400
Subject: [Freeipa-devel] [PATCH] configure right file in ipa-client
In-Reply-To: <1239169148.17459.51.camel@jgd-dsk>
References: <49D66F89.6000106@redhat.com> <1239169148.17459.51.camel@jgd-dsk>
Message-ID: <49E38A16.1070208@redhat.com>

Jason Gerard DeRose wrote:
> On Fri, 2009-04-03 at 16:20 -0400, Rob Crittenden wrote:
>> The new ipa tool uses a different configuration file than the old ipa-*
>> tools so create that file in ipa-client-install.
>
> ack.

pushed to master

From rcritten at redhat.com Mon Apr 13 18:54:13 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 13 Apr 2009 14:54:13 -0400
Subject: [Freeipa-devel] [PATCH] default values in host plugin
In-Reply-To: <1239166137.17459.9.camel@jgd-dsk>
References: <49D651D9.6070600@redhat.com> <1239166137.17459.9.camel@jgd-dsk>
Message-ID: <49E38A55.2080304@redhat.com>

Jason Gerard DeRose wrote:
> ack.
>
> One Python style nitpick: you shouldn't import multiple packages/modules
> on the same line unless they're all from the same package (meaning
> you're using the "from" keyword).
>
> So:
>
>     import sys
>     import os
>     import platform
>
> Instead of:
>
>     import sys, os, platform
>
> But this would be okay:
>
>     from platform import architecture, system, uname

pushed to master

From jderose at redhat.com Mon Apr 13 18:58:54 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 13 Apr 2009 12:58:54 -0600
Subject: [Freeipa-devel] [PATCH] make parentmap an autofill var, add more tests
In-Reply-To: <4999CF5F.80007@redhat.com>
References: <4999CF5F.80007@redhat.com>
Message-ID: <1239649134.7527.1.camel@jgd-dsk>

On Mon, 2009-02-16 at 15:41 -0500, Rob Crittenden wrote:
> The helper function automount-addindirectmap does a lot of work in the
> backend. It is supposed to assume that the new map is being attached to
> auto.master but the variable wasn't set with the newish autofill option.
> Set this option and add some tests where parentmap isn't specified.
>
> rob

ack.

f_automount.py has been renamed to automount.py, so I don't know if some
manual tweaking will be required to commit it.

From rcritten at redhat.com Mon Apr 13 19:22:56 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 13 Apr 2009 15:22:56 -0400
Subject: [Freeipa-devel] [PATCH] make parentmap an autofill var, add more tests
In-Reply-To: <1239649134.7527.1.camel@jgd-dsk>
References: <4999CF5F.80007@redhat.com> <1239649134.7527.1.camel@jgd-dsk>
Message-ID: <49E39110.2030701@redhat.com>

Jason Gerard DeRose wrote:
> On Mon, 2009-02-16 at 15:41 -0500, Rob Crittenden wrote:
>> The helper function automount-addindirectmap does a lot of work in the
>> backend. It is supposed to assume that the new map is being attached to
>> auto.master but the variable wasn't set with the newish autofill option.
>> Set this option and add some tests where parentmap isn't specified.
>>
>> rob
>
> ack.
>
> f_automount.py has been renamed to automount.py, so I don't know if some
> manual tweaking will be required to commit it.

Fortunately it wasn't a big problem.

pushed to master

rob

From ssorce at redhat.com Mon Apr 13 21:25:04 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 13 Apr 2009 17:25:04 -0400
Subject: [Freeipa-devel] [PATCH] last minute fixups
Message-ID: <1239657904.1449.61.camel@localhost.localdomain>

I think this patch fixes all the problems I could find in 0.3.0 after
some tests.
If there is nothing else coming up I'd like to push a 0.3.1 release.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-a-couple-of-segfaults-and-timeout-checks.patch
Type: text/x-patch
Size: 4645 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Apr 13 22:03:38 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 13 Apr 2009 18:03:38 -0400
Subject: [Freeipa-devel] [PATCH] GSSAPI error handling
Message-ID: <49E3B6BA.80201@redhat.com>

Handle GSSAPI errors in a more graceful way (try #2).

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-177-errors.patch
Type: application/mbox
Size: 6097 bytes
Desc: not available
URL:

From ssorce at redhat.com Mon Apr 13 22:23:07 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 13 Apr 2009 18:23:07 -0400
Subject: [Freeipa-devel] [PATCH] last minute fixups
In-Reply-To: <1239657904.1449.61.camel@localhost.localdomain>
References: <1239657904.1449.61.camel@localhost.localdomain>
Message-ID: <1239661387.1449.62.camel@localhost.localdomain>

On Mon, 2009-04-13 at 17:25 -0400, Simo Sorce wrote:
> I think this patch fixes all the problems I could find in 0.3.0 after
> some tests.
> If there is nothing else coming up I'd like to push a 0.3.1 release.

Ok, revving up the patch: a previous patch to nsssrv_cmd.c didn't
completely stamp out a problem with dctx->domain being set to NULL by
error.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-a-couple-of-segfaults-and-timeout-checks.patch
Type: text/x-patch
Size: 8522 bytes
Desc: not available
URL:

From sgallagh at redhat.com Mon Apr 13 22:25:09 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 13 Apr 2009 18:25:09 -0400
Subject: [Freeipa-devel] [PATCH] last minute fixups
In-Reply-To: <1239661387.1449.62.camel@localhost.localdomain>
References: <1239657904.1449.61.camel@localhost.localdomain> <1239661387.1449.62.camel@localhost.localdomain>
Message-ID: <49E3BBC5.2060902@redhat.com>

Simo Sorce wrote:
> On Mon, 2009-04-13 at 17:25 -0400, Simo Sorce wrote:
>> I think this patch fixes all the problems I could find in 0.3.0 after
>> some tests.
>> If there is nothing else coming up I'd like to push a 0.3.1 release.
>
> Ok, revving up the patch: a previous patch to nsssrv_cmd.c didn't
> completely stamp out a problem with dctx->domain being set to NULL by
> error.
>
> Simo.

Ack

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Mon Apr 13 22:28:35 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 13 Apr 2009 18:28:35 -0400
Subject: [Freeipa-devel] [PATCH] last minute fixups
In-Reply-To: <49E3BBC5.2060902@redhat.com>
References: <1239657904.1449.61.camel@localhost.localdomain> <1239661387.1449.62.camel@localhost.localdomain> <49E3BBC5.2060902@redhat.com>
Message-ID: <1239661715.1449.63.camel@localhost.localdomain>

On Mon, 2009-04-13 at 18:25 -0400, Stephen Gallagher wrote:
>
> > Ok, revving up the patch: a previous patch to nsssrv_cmd.c didn't
> > completely stamp out a problem with dctx->domain being set to NULL by
> > error.
> Ack

ok, pushed together with a version bump to 0.3.1

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jderose at redhat.com Mon Apr 13 23:52:10 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 13 Apr 2009 17:52:10 -0600
Subject: [Freeipa-devel] Let me introduce myself ... (working with sssd)
In-Reply-To: <1239529464.6415.9.camel@crow>
References: <1239529464.6415.9.camel@crow>
Message-ID: <1239666730.7527.64.camel@jgd-dsk>

On Sun, 2009-04-12 at 11:44 +0200, Miguel P.C. wrote:
> Hello everyone.
> Hi Stephen, hi Simo.
>
> My name is Miguel Pérez Colino and I'm currently working on my Master's
> Final Project, which is focused on FreeIPA and Ubuntu.
>
> My background in systems administration is pretty good, but I can't say
> the same about my programming and packaging skills. (Although I packaged
> updated versions of NUT for RH9 some years ago).
>
> Right now, I'd like to start making an SSSD package for Ubuntu and I'm
> looking for the documentation that I need to read (especially about the
> compilation/building part). Any advice will be really welcome.

I have some experience packaging for Debian and Ubuntu, and I bet you
could talk Simo into dusting off his Debian packaging skills in order to
answer a question or two. I'm no packaging guru, but here are some things
to get you started:

1. Start by learning how to build binary Debian packages from the source
package of something already in Debian/Ubuntu. I highly recommend you
jump right into building your packages using pbuilder: it will build your
package in a clean chroot that is similar to the environment on a Debian
or Ubuntu build server. You can install and set up pbuilder like this:

    sudo apt-get install pbuilder lintian
    sudo pbuilder create --debootstrapopts --variant=buildd

Then say you want to build the `hello` package. You can get the source
package like this:

    cd /tmp
    apt-get source hello

And you then build it with pbuilder like this:

    sudo pbuilder --build hello_2.2-2.dsc

(Or whatever .dsc file you end up with.) The built packages will be
placed in /var/cache/pbuilder/result/

2. Read the "Debian New Maintainers' Guide", but you can kinda skim it as
the examples may not apply well to what you are packaging. Just get the
big picture:

    http://debian.org/doc/manuals/maint-guide/index.en.html

3. The "Debian Policy Manual" and "Debian Developer's Reference" are what
you'll keep under your pillow to answer specific questions:

    http://debian.org/doc/debian-policy/
    http://debian.org/doc/manuals/developers-reference/index.en.html

4. Definitely use CDBS (Common Debian Build System). CDBS is a bunch of
macros that you can use in your debian/rules file. This file used to be
where 75% of the packaging work was, but CDBS has made things much
easier:

    http://build-common.alioth.debian.org/cdbs-doc.html

5. Just look at how similar packages have been packaged. That's the best
way to learn.

Most of my Debian/Ubuntu packaging experience has been with pure-Python
packages (which are silly easy with CDBS), so I probably don't have the
knowledge to answer many specific questions on packaging SSSD. But if you
get stuck, feel free to ping me... or Simo. ;)

Are you thinking of packaging the freeIPA server also?

Good luck and thanks for your interest in freeIPA!

-Jason

> Please, if I'm writing to the wrong list or asking for already written
> information, let me know. I really do not want to be impolite :-)
>
> Thanks in advance.
>
> M*

From davido at redhat.com Tue Apr 14 14:02:02 2009
From: davido at redhat.com (David O'Brien)
Date: Wed, 15 Apr 2009 00:02:02 +1000
Subject: [Freeipa-devel] Some thoughts about renaming SSSD
In-Reply-To: <49E3833B.5010100@redhat.com>
References: <49E3833B.5010100@redhat.com>
Message-ID: <49E4975A.3030606@redhat.com>

Dmitri Pal wrote:
> Hi,
>
> For the last week I was thinking a lot about the alternative name of
> the SSSD.
> It came to me that the SSSD is actually a Client Side Identity
> Services Framework.
> Well, sounds like CSI: SF to me :-)
> We can drop SF. Leaving just CSI.
>
> Other idea was ISF - Identity Services Framework.
> Other idea was ISI - Identity Services Infrastructure.
> We can also go with ISP - Identity Services Platform
> Or actually APIS - Agent Platform Identity Services.
> And a slogan:
> "APIS is a piece of functionality that brings you a peace of mind!"
>
> Just some thoughts...

Suggestions:

1. Something that rolls off the tongue easily (ISF does for me, not so much ISI)
2. Avoid something that's already used (ISP)
3. Easily-pronounceable acronyms are usually well-received, but I have to admit I don't grok APIS's expansion :(

If you drop the SF and go with CSI, you get Client Side Identity, which doesn't really add up.

It's too late for me to come up with any alternatives (midnight), so I guess this is only 1c worth...

/dob

--
David O'Brien
IPA Content Author
Red Hat Asia Pacific

"We couldn't care less about comfort. We make you feel good."
Federico Minoli, CEO, Ducati Motor S.p.A.
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 14 Apr 2009 10:42:57 -0400
Subject: [Freeipa-devel] [PATCHES][SSSD] Updates to reconnection logic
Message-ID: <49E4A0F1.9090700@redhat.com>

Patch 0001:
Add reconnection code between the NSS responder and the Data provider

Patch 0002:
Replace the example sssd.conf file with the one used in Fedora
Also remove the [services/infopipe] section, since we're not shipping InfoPipe yet, and that would be confusing.

Simo, when updating the Fedora source, please remove the InfoPipe section from the sssd.conf.

Patch 0003:
Make reconnection to the Data Provider a global setting
Previously, every DP client was allowed to set its own "retries" option. This option was ambiguous, and useless. All DP clients will now use a global option set in the DP config called "reconnection_retries"

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

[Attachments: 0001-Add-reconnection-code-between-the-NSS-responder-and.patch, 0002-Replace-the-example-sssd.conf-file-with-the-one-used.patch, 0003-Make-reconnection-to-the-Data-Provider-a-global-sett.patch]
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 14 Apr 2009 11:28:08 -0400
Subject: [Freeipa-devel] [PATCHES][SSSD] Updates to reconnection logic
In-Reply-To: <49E4A0F1.9090700@redhat.com>
References: <49E4A0F1.9090700@redhat.com>
Message-ID: <1239722888.1449.71.camel@localhost.localdomain>

On Tue, 2009-04-14 at 10:42 -0400, Stephen Gallagher wrote:
> Patch 0001:
> Add reconnection code between the NSS responder and the Data provider

ack

> Patch 0002:
> Replace the example sssd.conf file with the one used in Fedora
> Also remove the [services/infopipe] section, since we're not
> shipping InfoPipe yet, and that would be confusing.

ack

> Simo, when updating the Fedora source, please remove the InfoPipe
> section from the sssd.conf.

ok

> Patch 0003:
> Make reconnection to the Data Provider a global setting
> Previously, every DP client was allowed to set its own "retries"
> option. This option was ambiguous, and useless. All DP clients
> will now use a global option set in the DP config called
> "reconnection_retries"

the setting should be set in [services], otherwise ack.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 14 Apr 2009 11:29:09 -0400
Subject: [Freeipa-devel] [PATCH] common fn. to read config strings as lists
Message-ID: <1239722949.1449.72.camel@localhost.localdomain>

This also fixes the [service/nss] filters so that you can specify a list of users/groups

Simo.

--
Simo Sorce * Red Hat, Inc * New York

[Attachment: 0001-Add-common-function-to-retrieve-comma-sep.-lists.patch (text/x-patch, 12415 bytes)]
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 14 Apr 2009 12:18:00 -0400
Subject: [Freeipa-devel] [PATCHES][SSSD] Updates to reconnection logic
In-Reply-To: <1239722888.1449.71.camel@localhost.localdomain>
References: <49E4A0F1.9090700@redhat.com> <1239722888.1449.71.camel@localhost.localdomain>
Message-ID: <49E4B738.6070105@redhat.com>

Simo Sorce wrote:
> On Tue, 2009-04-14 at 10:42 -0400, Stephen Gallagher wrote:
>> Patch 0001:
>> Add reconnection code between the NSS responder and the Data provider
>
> ack
>
>> Patch 0002:
>> Replace the example sssd.conf file with the one used in Fedora
>> Also remove the [services/infopipe] section, since we're not
>> shipping InfoPipe yet, and that would be confusing.
>
> ack
>
>> Simo, when updating the Fedora source, please remove the InfoPipe
>> section from the sssd.conf.
>
> ok
>
>> Patch 0003:
>> Make reconnection to the Data Provider a global setting
>> Previously, every DP client was allowed to set its own "retries"
>> option. This option was ambiguous, and useless. All DP clients
>> will now use a global option set in the DP config called
>> "reconnection_retries"
>
> the setting should be set in [services], otherwise ack.
>
> Simo.

Changes made. Please see attached patches.

--
Stephen Gallagher
RHCE 804006346421761

[Attachments: 0001-Add-reconnection-code-between-the-NSS-responder-and.patch, 0002-Replace-the-example-sssd.conf-file-with-the-one-used.patch, 0003-Make-reconnection-to-the-Data-Provider-a-global-sett.patch]

From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 14 Apr 2009 13:52:12 -0400
Subject: [Freeipa-devel] [PATCHES][SSSD] Updates to reconnection logic
In-Reply-To: <49E4B738.6070105@redhat.com>
References: <49E4A0F1.9090700@redhat.com> <1239722888.1449.71.camel@localhost.localdomain> <49E4B738.6070105@redhat.com>
Message-ID: <1239731533.1449.77.camel@localhost.localdomain>

On Tue, 2009-04-14 at 12:18 -0400, Stephen Gallagher wrote:
> Simo Sorce wrote:
> > On Tue, 2009-04-14 at 10:42 -0400, Stephen Gallagher wrote:
> >> Patch 0001:
> >> Add reconnection code between the NSS responder and the Data provider
> >
> > ack
> >
> >> Patch 0002:
> >> Replace the example sssd.conf file with the one used in Fedora
> >> Also remove the [services/infopipe] section, since we're not
> >> shipping InfoPipe yet, and that would be confusing.
> >
> > ack
> >
> >> Simo, when updating the Fedora source, please remove the InfoPipe
> >> section from the sssd.conf.
> >
> > ok
> >
> >> Patch 0003:
> >> Make reconnection to the Data Provider a global setting
> >> Previously, every DP client was allowed to set its own "retries"
> >> option. This option was ambiguous, and useless. All DP clients
> >> will now use a global option set in the DP config called
> >> "reconnection_retries"
> >
> > the setting should be set in [services], otherwise ack.
> >
> > Simo.
>
> Changes made. Please see attached patches.

ack, and pushed

Simo.

--
Simo Sorce * Red Hat, Inc * New York
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 14 Apr 2009 14:02:24 -0400
Subject: [Freeipa-devel] [PATCH] common fn. to read config strings as lists
In-Reply-To: <1239722949.1449.72.camel@localhost.localdomain>
References: <1239722949.1449.72.camel@localhost.localdomain>
Message-ID: <1239732144.1449.79.camel@localhost.localdomain>

On Tue, 2009-04-14 at 11:29 -0400, Simo Sorce wrote:
> This also fixes the [service/nss] filters so that you can specify a
> list of users/groups

New patch, to resolve merge issue with the patch for Steve that got just pushed.
Also fix a copy&paste error in nss_get_config()

Simo.

--
Simo Sorce * Red Hat, Inc * New York

[Attachment: 0001-Add-common-function-to-retrieve-comma-sep.-lists.patch (text/x-patch, 12860 bytes)]

From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 14 Apr 2009 14:12:56 -0400
Subject: [Freeipa-devel] [PATCH] common fn. to read config strings as lists
In-Reply-To: <1239732144.1449.79.camel@localhost.localdomain>
References: <1239722949.1449.72.camel@localhost.localdomain> <1239732144.1449.79.camel@localhost.localdomain>
Message-ID: <49E4D228.2040405@redhat.com>

Simo Sorce wrote:
> On Tue, 2009-04-14 at 11:29 -0400, Simo Sorce wrote:
>> This also fixes the [service/nss] filters so that you can specify a
>> list of users/groups
>
> New patch, to resolve merge issue with the patch for Steve that got just
> pushed.
> Also fix a copy&paste error in nss_get_config()
>
> Simo.
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Nack, you should be using SERVICE_CONF_ENTRY here:

@@ -557,61 +552,20 @@ int get_monitor_config(struct mt_ctx *ctx) return ret; } - - ret = confdb_get_string(ctx->cdb, ctx, - - SERVICE_CONF_ENTRY, "activeServices", - - NULL, &svcs); - - - - if (ret != EOK || svcs == NULL) { + ret = confdb_get_string_as_list(ctx->cdb, ctx, "config/services", + "activeServices", &ctx->services); + if (ret != EOK) { DEBUG(0, ("No services configured!\n")); return EINVAL; }

Fix that one-liner and it's an Ack.

--
Stephen Gallagher
RHCE 804006346421761

From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 14 Apr 2009 14:20:59 -0400
Subject: [Freeipa-devel] [PATCH] common fn. to read config strings as lists
In-Reply-To: <49E4D228.2040405@redhat.com>
References: <1239722949.1449.72.camel@localhost.localdomain> <1239732144.1449.79.camel@localhost.localdomain> <49E4D228.2040405@redhat.com>
Message-ID: <1239733259.1449.85.camel@localhost.localdomain>

On Tue, 2009-04-14 at 14:12 -0400, Stephen Gallagher wrote:
>
> Fix that one-liner and it's an Ack.

Oh, my bad, I intended to keep the macro and forgot, fixed one liner, and pushed.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
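Review bot: the rewritten condition in the get_monitor_config() hunk drops the `svcs == NULL` half of the old test (`if (ret != EOK || svcs == NULL)` became `if (ret != EOK)`), so the "No services configured!" path now fires only on a non-EOK return; confirm that confdb_get_string_as_list() never returns EOK while leaving ctx->services NULL for an empty or missing value, or add an explicit `ctx->services == NULL` check. Separately, as Stephen notes, the literal "config/services" replaces the SERVICE_CONF_ENTRY macro that the removed lines used; keeping the macro stops this lookup from drifting away from the other monitor config reads if the path ever changes.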
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 14 Apr 2009 15:01:22 -0400
Subject: [Freeipa-devel] Memory issue in INI
Message-ID: <49E4DD82.6060505@redhat.com>

Patch to address the memory issue in INI.
read_line() was using an internal buffer allocated on the stack and returned pointers into that buffer - bad!!!
Now the buffer is passed in by the calling function.

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

[Attachment: 0001-Fixing-memory-issue-in-the-INI-lib.patch (text/x-patch, 2632 bytes)]
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 14 Apr 2009 15:07:09 -0400
Subject: [Freeipa-devel] Memory issue in INI
In-Reply-To: <49E4DD82.6060505@redhat.com>
References: <49E4DD82.6060505@redhat.com>
Message-ID: <49E4DEDD.5050805@redhat.com>

Dmitri Pal wrote:
> Patch to address the memory issue in INI.
> read_line() was using an internal buffer allocated on the stack and returned
> pointers into that buffer - bad!!!
> Now the buffer is passed in by the calling function.

Nack

You need to memset to BUFFER_SIZE+1, or a line that is exactly BUFFER_SIZE long will result in an overrun.

Or, better, omit the memset altogether and use buf[length] = '\0'; immediately following the status=read_line(...)

This is much faster than writing zeroes across the whole buffer every time you read a line.

--
Stephen Gallagher
RHCE 804006346421761
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 14 Apr 2009 16:51:59 -0400
Subject: [Freeipa-devel] A new patch on top of the previous one
Message-ID: <49E4F76F.8020106@redhat.com>

Used valgrind to check INI, found a couple of issues and addressed them.
a) Some cleanup was missing in case of error in unit tests
b) The INI was getting section references (internally) and never freeing them.

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

[Attachment: 0001-Valgrind-showed-issues-addressed.patch (text/x-patch, 5494 bytes)]

From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 14 Apr 2009 17:15:59 -0400
Subject: [Freeipa-devel] A new patch on top of the previous one
In-Reply-To: <49E4F76F.8020106@redhat.com>
References: <49E4F76F.8020106@redhat.com>
Message-ID: <1239743759.1449.86.camel@localhost.localdomain>

On Tue, 2009-04-14 at 16:51 -0400, Dmitri Pal wrote:
> Used valgrind to check INI, found a couple of issues and addressed them.
> a) Some cleanup was missing in case of error in unit tests
> b) The INI was getting section references (internally) and never freeing
> them.

Ok I combined the 2 patches in one and moved the buffer termination inside read_line() where it belongs.

Auto-acking and pushing.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
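The two read_line() points made in this thread, Stephen's (a buffer of exactly BUFFER_SIZE bytes overruns when the line is exactly BUFFER_SIZE long, so the caller's buffer needs the +1) and Simo's (the terminator belongs inside read_line()), shown as an added, self-contained example that is not the INI library's code. The `struct input` byte source, `scan_lines()` and the tiny BUFFER_SIZE are this example's own; `EOK` is the 0 success code the SSSD sources use.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define EOK 0
#define BUFFER_SIZE 8   /* deliberately tiny so the edge case is easy to hit */

/* In-memory byte source standing in for the INI file. A real parser
 * would wrap a FILE * here; the buffer handling in read_line() is the
 * same either way. */
struct input {
    const char *data;
    size_t len;
    size_t pos;
};

static int input_getc(struct input *in)
{
    if (in->pos >= in->len) {
        return EOF;
    }
    return (unsigned char)in->data[in->pos++];
}

/*
 * Read one line into the caller's buffer, which must hold
 * BUFFER_SIZE + 1 bytes: a line of exactly BUFFER_SIZE bytes needs index
 * BUFFER_SIZE for the terminator. Writing the terminator here, inside
 * read_line(), means every EOK return is a valid C string and no caller
 * has to remember a memset or a trailing buf[length] = '\0'.
 *
 * Returns EOK and sets *length; ENODATA when the input is exhausted;
 * E2BIG for a line longer than BUFFER_SIZE (the rest of that line is
 * consumed so the caller can continue with the next one).
 */
int read_line(struct input *in, char *buf, size_t *length)
{
    size_t len = 0;
    int c;

    while ((c = input_getc(in)) != EOF && c != '\n') {
        if (len == BUFFER_SIZE) {
            /* Too long: drain to end of line, hand back an empty string. */
            while ((c = input_getc(in)) != EOF && c != '\n') {
            }
            buf[0] = '\0';
            return E2BIG;
        }
        buf[len++] = (char)c;
    }

    if (c == EOF && len == 0) {
        return ENODATA;
    }

    buf[len] = '\0';   /* len may equal BUFFER_SIZE: this is why the +1 */
    *length = len;
    return EOK;
}

struct line_stats {
    int lines;          /* lines returned with EOK */
    int too_long;       /* lines rejected with E2BIG */
    size_t longest;     /* longest accepted line */
    int bad_terminator; /* EOK returns where strlen(buf) != length */
};

/* Drive read_line() over constructed text the way an INI parser would
 * over a file, checking on every line that the buffer is terminated. */
struct line_stats scan_lines(const char *text)
{
    struct line_stats st = {0, 0, 0, 0};
    struct input in = { text, strlen(text), 0 };
    char buf[BUFFER_SIZE + 1];   /* +1 for the terminator */
    size_t len = 0;
    int ret;

    while ((ret = read_line(&in, buf, &len)) != ENODATA) {
        if (ret == E2BIG) {
            st.too_long++;
            continue;
        }
        st.lines++;
        if (len > st.longest) {
            st.longest = len;
        }
        if (strlen(buf) != len) {
            st.bad_terminator++;
        }
    }
    return st;
}

int main(void)
{
    /* Constructed sample: line 3 is exactly BUFFER_SIZE bytes, line 4 is
     * one byte too long, and the last line has no trailing newline. */
    struct line_stats st = scan_lines("[nss]\nfoo=bar\n12345678\n123456789\nlast");
    printf("lines=%d too_long=%d longest=%zu bad_terminator=%d\n",
           st.lines, st.too_long, st.longest, st.bad_terminator);
    return 0;
}
```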
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 14 Apr 2009 17:16:54 -0400
Subject: [Freeipa-devel] A new patch on top of the previous one
In-Reply-To: <1239743759.1449.86.camel@localhost.localdomain>
References: <49E4F76F.8020106@redhat.com> <1239743759.1449.86.camel@localhost.localdomain>
Message-ID: <1239743814.1449.87.camel@localhost.localdomain>

On Tue, 2009-04-14 at 17:15 -0400, Simo Sorce wrote:
> On Tue, 2009-04-14 at 16:51 -0400, Dmitri Pal wrote:
> > Used valgrind to check INI, found a couple of issues and addressed them.
> > a) Some cleanup was missing in case of error in unit tests
> > b) The INI was getting section references (internally) and never freeing
> > them.
>
> Ok I combined the 2 patches in one and moved the buffer termination
> inside read_line() where it belongs.
>
> Auto-acking and pushing.

Forgot to attach the patch.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

[Attachment: 0001-Fixing-memory-issues-in-ini-and-collection.patch (text/x-patch, 7331 bytes)]
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 14 Apr 2009 19:02:38 -0400
Subject: [Freeipa-devel] A new patch on top of the previous one
In-Reply-To: <1239743814.1449.87.camel@localhost.localdomain>
References: <49E4F76F.8020106@redhat.com> <1239743759.1449.86.camel@localhost.localdomain> <1239743814.1449.87.camel@localhost.localdomain>
Message-ID: <49E5160E.1030207@redhat.com>

Simo Sorce wrote:
> On Tue, 2009-04-14 at 17:15 -0400, Simo Sorce wrote:
>> On Tue, 2009-04-14 at 16:51 -0400, Dmitri Pal wrote:
>>> Used valgrind to check INI, found a couple of issues and addressed them.
>>> a) Some cleanup was missing in case of error in unit tests
>>> b) The INI was getting section references (internally) and never freeing
>>> them.
>> Ok I combined the 2 patches in one and moved the buffer termination
>> inside read_line() where it belongs.
>>
>> Auto-acking and pushing.
>
> Forgot to attach the patch.
>
> Simo.

After the fACKt

--
Stephen Gallagher
RHCE 804006346421761
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 15 Apr 2009 10:35:51 -0400
Subject: [Freeipa-devel] [PATCH] Finish work replacing errors.py with errors2.py
Message-ID: <49E5F0C7.202@redhat.com>

Finish up the work replacing errors.py with errors2.py.

I went ahead and updated both the old and the new ldap modules so we could get this done.

The next step will be to rename errors2 to errors. I didn't do that here in order to simplify the review process. That patch will be done once this one is committed (it will be a super-trivial but very long patch).

rob

[Attachment: freeipa-178-errors.patch (application/mbox, 61593 bytes)]

From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 15 Apr 2009 12:02:56 -0400
Subject: [Freeipa-devel] Improved error handling
Message-ID: <49E60530.8050804@redhat.com>

Hi,

Tried to use the INI interface for the INI file validation and realized that there might be cases when the interface function returns an error and the error list is destroyed but not NULL.
The follow-up printing function in this case would probably crash.
The probability of such an error is low though. Most likely it is an ENOMEM condition, when other things will start to fall apart too.

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

[Attachment: 0001-Better-error-handling-if-something-bad-happens.patch (text/x-patch, 3644 bytes)]
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 15 Apr 2009 12:29:37 -0400
Subject: [Freeipa-devel] Improved error handling
In-Reply-To: <49E60530.8050804@redhat.com>
References: <49E60530.8050804@redhat.com>
Message-ID: <49E60B71.7060301@redhat.com>

Dmitri Pal wrote:
> Hi,
>
> Tried to use the INI interface for the INI file validation and
> realized that there might be cases when the interface function returns
> an error and the error list is destroyed but not NULL.
> The follow-up printing function in this case would probably crash.
> The probability of such an error is low though. Most likely it is an ENOMEM
> condition, when other things will start to fall apart too.

Changed the comment in the commit.

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

[Attachment: 0001-INI-parser.-Better-error-handling-if-something-bad-h.patch (text/x-patch, 3656 bytes)]
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 15 Apr 2009 12:35:16 -0400
Subject: [Freeipa-devel] Improved error handling
In-Reply-To: <49E60B71.7060301@redhat.com>
References: <49E60530.8050804@redhat.com> <49E60B71.7060301@redhat.com>
Message-ID: <49E60CC4.8030206@redhat.com>

Dmitri Pal wrote:
> Dmitri Pal wrote:
>> Hi,
>>
>> Tried to use the INI interface for the INI file validation and
>> realized that there might be cases when the interface function returns
>> an error and the error list is destroyed but not NULL.
>> The follow-up printing function in this case would probably crash.
>> The probability of such an error is low though. Most likely it is an ENOMEM
>> condition, when other things will start to fall apart too.
>
> Changed the comment in the commit.

Ack and pushed to master.

--
Stephen Gallagher
RHCE 804006346421761
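The failure mode Dmitri describes in this thread (an error list destroyed on an internal failure while the caller's pointer still refers to it, so the follow-up printing routine dereferences freed memory), shown as an added example with one way to close it: the out-parameter is reset to NULL on the same path that destroys the list, and the printer tolerates NULL. This is not the INI library's code; `struct ini_error`, `ini_validate()`, the toy validation rule and the allocation fault injection are all this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EOK 0

/* One validation error; the linked list plays the role of the error list
 * the INI interface hands back to its caller. */
struct ini_error {
    int line;
    char message[64];
    struct ini_error *next;
};

/* Fault injection so the ENOMEM path can be exercised deterministically:
 * when g_fail_alloc_at >= 0, that allocation (0-based) and all later ones fail. */
static int g_fail_alloc_at = -1;
static int g_alloc_count = 0;

static void *checked_malloc(size_t n)
{
    int idx = g_alloc_count++;
    if (g_fail_alloc_at >= 0 && idx >= g_fail_alloc_at) {
        return NULL;
    }
    return malloc(n);
}

void ini_errors_destroy(struct ini_error *list)
{
    while (list != NULL) {
        struct ini_error *next = list->next;
        free(list);
        list = next;
    }
}

static int ini_errors_append(struct ini_error **head, int line, const char *msg)
{
    struct ini_error **tail = head;
    struct ini_error *e = checked_malloc(sizeof(*e));
    if (e == NULL) {
        return ENOMEM;
    }
    e->line = line;
    snprintf(e->message, sizeof(e->message), "%s", msg);
    e->next = NULL;
    while (*tail != NULL) {
        tail = &(*tail)->next;
    }
    *tail = e;
    return EOK;
}

/* Toy validation: every non-empty line must be a "[section]" header or
 * contain '='. One error record is collected per bad line.
 *
 * On an internal failure the partial list is destroyed AND *errors is
 * reset to NULL. Doing only the first half is the bug from the thread:
 * the caller keeps a pointer into freed memory and the printer that
 * runs next dereferences it. */
int ini_validate(const char *const *lines, int count, struct ini_error **errors)
{
    *errors = NULL;
    for (int i = 0; i < count; i++) {
        const char *l = lines[i];
        if (l[0] == '\0' || l[0] == '[' || strchr(l, '=') != NULL) {
            continue;
        }
        int ret = ini_errors_append(errors, i + 1, "expected key=value or [section]");
        if (ret != EOK) {
            ini_errors_destroy(*errors);
            *errors = NULL;   /* the reset the original code was missing */
            return ret;
        }
    }
    return EOK;
}

/* Safe to call after ini_validate() whatever it returned; returns the
 * number of errors printed. */
int ini_errors_print(const struct ini_error *errors, FILE *out)
{
    int n = 0;
    if (errors == NULL) {
        fprintf(out, "no error details available\n");
        return 0;
    }
    for (; errors != NULL; errors = errors->next, n++) {
        fprintf(out, "line %d: %s\n", errors->line, errors->message);
    }
    return n;
}

int main(void)
{
    /* Constructed sample: lines 3 and 5 are malformed. */
    const char *const sample[] = { "[nss]", "filter_users = root", "oops", "", "also bad" };
    struct ini_error *errors = NULL;

    int ret = ini_validate(sample, 5, &errors);
    printf("ret=%d\n", ret);
    ini_errors_print(errors, stdout);
    ini_errors_destroy(errors);

    /* Same input, but the second allocation fails: ENOMEM comes back,
     * errors is NULL, and printing is still safe. */
    g_fail_alloc_at = 1;
    g_alloc_count = 0;
    ret = ini_validate(sample, 5, &errors);
    printf("ret=%d (ENOMEM=%d) errors=%p\n", ret, ENOMEM, (void *)errors);
    ini_errors_print(errors, stdout);
    return 0;
}
```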
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 15 Apr 2009 13:00:08 -0400
Subject: [Freeipa-devel] [PATCH] Add more sophisticated help interface. Split commands into 'topics'.
In-Reply-To: <49DA36FE.2020109@redhat.com>
References: <49DA36FE.2020109@redhat.com>
Message-ID: <49E61298.8020307@redhat.com>

Pavel Zuna wrote:
> This is more of a suggestion than a real patch. I thought it might be
> easier to actually show what I had in mind than explaining it. Sometimes
> code is more than words. :)
>
> Pavel

I think this is a good start. The output looks like:

    $ ipa
    Usage: ipa [global-options] COMMAND ...

    Use `ipa help TOPIC` for command listings.

    Topics:
      general      General IPA management.
      aci          ACI object.
      application  Application object
      automount    Automount object.
      delegation   Delegation object.
      group        group object.
      host         Host object.
      hostgroup    hostgroup object.
      netgroup     netgroup object.
      rolegroup    rolegroup object.
      service      Service object.
      taskgroup    taskgroup object.
      user         User object.

    Try `ipa --help` for a list of global options.

It looks like you dumped things that aren't related to a top-level class into general (things like passwd, the cert commands, and a few others). I guess they have to go somewhere, just not sure I'd know to look in general if I was a new user.

Should we mandate an Object for every plugin? Or include the list of these general commands in the main topics list? That might be confusing too because that would mean that 'env' is on the same level as 'user'.

Any suggestions?

The patch is good and we could easily just apply this but I don't want to forget about these issues. In any case we'll want to go into each plugin and set the Object documentation to be more descriptive.

rob
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 15 Apr 2009 16:05:01 -0400
Subject: [Freeipa-devel] Patch for the INI parser. Cleanup. Prep for INI validation.
Message-ID: <49E63DED.5040704@redhat.com>

Hi,

INI parser. Cleanup. Prep for INI validation.
This patch addresses several issues:
a) Cleaning unit test to match coding standard
b) Replace tabs with spaces - I do not know where they came from but there were some.
c) Allowing to read a file and keep aside a collection of K-V pairs where the key is the key in the INI file and the value is the line number on which the key appears.
d) There will be different kinds of errors so the error printing function was abstracted.
g) Placeholders for other printing functions have been introduced.

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

[Attachment: 0001-INI-parser.-Cleanup.-Prep-for-INI-validation.patch (text/x-patch, 50952 bytes)]

From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 16 Apr 2009 10:04:00 -0400
Subject: [Freeipa-devel] [PATCH] fix id enumeration
Message-ID: <1239890640.3696.0.camel@localhost.localdomain>

This patch should solve ticket 21 but I have not tested it yet.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

[Attachment: 0001-Fix-by_id-enumeration-with-multiple-domains.patch (text/x-patch, 1837 bytes)]
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 16 Apr 2009 10:55:23 -0400
Subject: [Freeipa-devel] [PATCH] fix id enumeration
In-Reply-To: <1239890640.3696.0.camel@localhost.localdomain>
References: <1239890640.3696.0.camel@localhost.localdomain>
Message-ID: <49E746DB.6080704@redhat.com>

Simo Sorce wrote:
> This patch should solve ticket 21 but I have not tested it yet.
>
> Simo.

Ack

--
Stephen Gallagher
RHCE 804006346421761
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 16 Apr 2009 17:00:22 +0200
Subject: [Freeipa-devel] [PATCH] Add more sophisticated help interface. Split commands into 'topics'.
In-Reply-To: <49E61298.8020307@redhat.com>
References: <49DA36FE.2020109@redhat.com> <49E61298.8020307@redhat.com>
Message-ID: <49E74806.5090209@redhat.com>

Rob Crittenden wrote:
> Pavel Zuna wrote:
>> This is more of a suggestion than a real patch. I thought it might be
>> easier to actually show what I had in mind than explaining it.
>> Sometimes code is more than words. :)
>>
>> Pavel
>
> I think this is a good start. The output looks like:
>
> $ ipa
> Usage: ipa [global-options] COMMAND ...
>
> Use `ipa help TOPIC` for command listings.
>
> Topics:
>   general      General IPA management.
>   aci          ACI object.
>   application  Application object
>   automount    Automount object.
>   delegation   Delegation object.
>   group        group object.
>   host         Host object.
>   hostgroup    hostgroup object.
>   netgroup     netgroup object.
>   rolegroup    rolegroup object.
>   service      Service object.
>   taskgroup    taskgroup object.
>   user         User object.
>
> Try `ipa --help` for a list of global options.
>
> It looks like you dumped things that aren't related to a top-level class
> into general (things like passwd, the cert commands, and a few others).
> I guess they have to go somewhere, just not sure I'd know to look in
> general if I was a new user.
>
> Should we mandate an Object for every plugin? Or include the list of
> these general commands in the main topics list? That might be confusing
> too because that would mean that 'env' is on the same level as 'user'.
>
> Any suggestions?
>
> The patch is good and we could easily just apply this but I don't want
> to forget about these issues. In any case we'll want to go into each
> plugin and set the Object documentation to be more descriptive.
>
> rob

I wrote another version of the help interface today taking into consideration the issues you mentioned.
It's based on plugins this time instead of objects. The output looks like this:

    $ ipa
    Usage: ipa [global-options] COMMAND ...

    Built-in commands:
      console  Start the IPA interactive Python console.
      help     Display help for a command or topic.

    Help topics:
      aci             Frontend plugins for managing DS ACIs
      application     Frontend plugins for application policy containers.
      automount       Frontend plugins for automount.
      defaultoptions  Frontend plugin for default options in IPA.
      delegation      Frontend plugins for delegations.
      dns             Frontend plugin for DNS management.
      group           Frontend plugins for groups.
      hbac            Frontend plugin for HBAC management.
      host            Frontend plugins for host/machine Identity.
      hostgroup       Frontend plugins for hostgroups.
      join            Machine join
      misc            Misc frontend plugins.
      netgroup        Frontend plugins for netgroups.
      passwd          Frontend plugins for password changes.
      pwpolicy        Frontend plugins for password policy.
      rolegroup       Frontend plugins for rolegroups.
      service         Frontend plugins for service (Identity).
      taskgroup       Frontend plugins for taskgroups.
      user            Frontend plugins for user (Identity).

    Try `ipa --help` for a list of global options.

Commands not originating from plugins are listed as built-ins. The short description for topics is taken from the first line of the module's docstring.

The code itself is a bit hacky, because I just couldn't find any better way to get every plugin module, its docstring and a list of commands it implements. I'll rewrite it if necessary.

Pavel

[Attachment: 0001-Change-help-interface-to-display-builtin-commands-an.patch]
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 16 Apr 2009 12:09:44 -0400 Subject: [Freeipa-devel] Patch for the INI parser. Ceanup. Prep for INI validation. In-Reply-To: <49E63DED.5040704@redhat.com> References: <49E63DED.5040704@redhat.com> Message-ID: <49E75848.5010502@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dmitri Pal wrote: > Hi, > > INI parser. Cleanup. Prep for INI validation. > This patch addresses several issues: > a) Cleaning unit test to match coding standard > b) Replace tabs with spaces - I do not know where they came > but there were some. > c) Allowing to read file and keep aside a collection > of K-V pairs where key is the key in the INI file and value is the > line number on which line the key appears. > d) There will be different kinds of errors so > error printing function was abstracted. > g) Placeholders for other printing functions have been introduced. > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Nack Do not include so many different changes in a single patch. Of note, never include formatting changes alongside functional changes. This needs to be broken up into at least two patches, one for the formatting and the other for the functional changes. There is no need to internationalize the empty string. It's a waste of gettext macros. I am morally opposed to the use of inline in a public API, but I can live with it. - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAknnWEUACgkQeiVVYja6o6MIRACgmWDiwkiY218KSSB5sJQERaEO crgAn1PsZlL5QrTgvAQV42QKq+86e+u3 =JB5u -----END PGP SIGNATURE----- From ssorce at redhat.com Thu Apr 16 16:13:21 2009 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 16 Apr 2009 12:13:21 -0400 Subject: [Freeipa-devel] [PATCH] avoid reloads of config.ldb when not necessary Message-ID: <1239898401.3696.3.camel@localhost.localdomain> $subject Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Avoid-unnecessary-reloads-of-config.ldb.patch Type: text/x-patch Size: 2791 bytes Desc: not available URL: From sgallagh at redhat.com Thu Apr 16 16:16:10 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 16 Apr 2009 12:16:10 -0400 Subject: [Freeipa-devel] [PATCH] avoid reloads of config.ldb when not necessary In-Reply-To: <1239898401.3696.3.camel@localhost.localdomain> References: <1239898401.3696.3.camel@localhost.localdomain> Message-ID: <49E759CA.7040005@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Simo Sorce wrote: > $subject > > Simo. > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Ack - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAknnWcYACgkQeiVVYja6o6NIcgCfVzcGlO9J5r8VOu4HHNSPwLAq DqAAoJk+Ed8vA8MJAF3GdLzOMcxcI7kp =kW2F -----END PGP SIGNATURE----- From ssorce at redhat.com Thu Apr 16 16:20:13 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 16 Apr 2009 12:20:13 -0400 Subject: [Freeipa-devel] [PATCH] avoid reloads of config.ldb when not necessary In-Reply-To: <49E759CA.7040005@redhat.com> References: <1239898401.3696.3.camel@localhost.localdomain> <49E759CA.7040005@redhat.com> Message-ID: <1239898813.3696.4.camel@localhost.localdomain> On Thu, 2009-04-16 at 12:16 -0400, Stephen Gallagher wrote: > Simo Sorce wrote: > > $subject > Ack pushed, Simo. -- Simo Sorce * Red Hat, Inc * New York From sgallagh at redhat.com Thu Apr 16 20:50:56 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 16 Apr 2009 16:50:56 -0400 Subject: [Freeipa-devel] Patch for the INI parser. Ceanup. Prep for INI validation. In-Reply-To: <49E75848.5010502@redhat.com> References: <49E63DED.5040704@redhat.com> <49E75848.5010502@redhat.com> Message-ID: <49E79A30.6000104@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Stephen Gallagher wrote: > Dmitri Pal wrote: >> Hi, > >> INI parser. Cleanup. Prep for INI validation. >> This patch addresses several issues: >> a) Cleaning unit test to match coding standard >> b) Replace tabs with spaces - I do not know where they came >> but there were some. >> c) Allowing to read file and keep aside a collection >> of K-V pairs where key is the key in the INI file and value is the >> line number on which line the key appears. >> d) There will be different kinds of errors so >> error printing function was abstracted. >> g) Placeholders for other printing functions have been introduced. > > > >> ------------------------------------------------------------------------ > >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > Nack > > Do not include so many different changes in a single patch. Of note, > never include formatting changes alongside functional changes. This > needs to be broken up into at least two patches, one for the formatting > and the other for the functional changes. > > There is no need to internationalize the empty string. It's a waste of > gettext macros. > > I am morally opposed to the use of inline in a public API, but I can > live with it. > > > After several off-list discussions, I'm going to push this patch, and Dmitri will follow up with some additional fixes. Highlights: his copy of git is broken, so breaking the patch in two is non-trivial. The strings are placeholders, so it's fine to internationalize them. 
Inline may be removed in a subsequent patch. Ack and pushed. _______________________________________________ Freeipa-devel mailing list Freeipa-devel at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAknnmi0ACgkQeiVVYja6o6NbqQCePr9CGtc/C3y+yF5kkAw/Ua5+ nqkAoJuYl5E3WIJFgt2s6+tI/il1zcY3 =vtdC -----END PGP SIGNATURE----- From ssorce at redhat.com Thu Apr 16 21:46:03 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 16 Apr 2009 17:46:03 -0400 Subject: [Freeipa-devel] Patch for the INI parser. Ceanup. Prep for INI validation. In-Reply-To: <49E79A30.6000104@redhat.com> References: <49E63DED.5040704@redhat.com> <49E75848.5010502@redhat.com> <49E79A30.6000104@redhat.com> Message-ID: <1239918363.3696.8.camel@localhost.localdomain> On Thu, 2009-04-16 at 16:50 -0400, Stephen Gallagher wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Stephen Gallagher wrote: > > Dmitri Pal wrote: > >> Hi, > > > >> INI parser. Cleanup. Prep for INI validation. > >> This patch addresses several issues: > >> a) Cleaning unit test to match coding standard > >> b) Replace tabs with spaces - I do not know where they came > >> but there were some. > >> c) Allowing to read file and keep aside a collection > >> of K-V pairs where key is the key in the INI file and value is the > >> line number on which line the key appears. > >> d) There will be different kinds of errors so > >> error printing function was abstracted. > >> g) Placeholders for other printing functions have been introduced. > > > > > > > >> ------------------------------------------------------------------------ > > > >> _______________________________________________ > >> Freeipa-devel mailing list > >> Freeipa-devel at redhat.com > >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > > > Nack > > > > Do not include so many different changes in a single patch. Of note, > > never include formatting changes alongside functional changes. This > > needs to be broken up into at least two patches, one for the formatting > > and the other for the functional changes. > > > > There is no need to internationalize the empty string. It's a waste of > > gettext macros. > > > > I am morally opposed to the use of inline in a public API, but I can > > live with it. 
> > > > > > > > After several off-list discussions, I'm going to push this patch, and > Dmitri will follow up with some additional fixes. > > Highlights: his copy of git is broken, so breaking the patch in two is > non-trivial. The strings are placeholders, so it's fine to > internationalize them. Inline may be removed in a subsequent patch. > > Ack and pushed. Please next time make these discussions public. There is no pressing need to push this patch immediately, if Dmitri has problems with his git tree, he better get it fixed before going forward. It's not an excuse to get poor patches in. Simo. -- Simo Sorce * Red Hat, Inc * New York From jdennis at redhat.com Thu Apr 16 22:14:34 2009 From: jdennis at redhat.com (John Dennis) Date: Thu, 16 Apr 2009 18:14:34 -0400 Subject: [Freeipa-devel] [PATCH] add dynamic hash table data structure implementation Message-ID: <49E7ADCA.607@redhat.com> This adds a dynamic hash table data structure to our common code area. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-add-dynamic-hash-table-data-structure-implementation.patch Type: application/mbox Size: 55632 bytes Desc: not available URL: From ssorce at redhat.com Thu Apr 16 22:44:42 2009 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 16 Apr 2009 18:44:42 -0400 Subject: [Freeipa-devel] [PATCH] sssd_pam: Find the right domain to auth against Message-ID: <1239921882.3696.10.camel@localhost.localdomain> This should fix ticket #22 Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Force-user-check-and-discover-user-s-domain.patch Type: text/x-patch Size: 33033 bytes Desc: not available URL: From ssorce at redhat.com Thu Apr 16 22:58:17 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 16 Apr 2009 18:58:17 -0400 Subject: [Freeipa-devel] [PATCH] add dynamic hash table data structure implementation In-Reply-To: <49E7ADCA.607@redhat.com> References: <49E7ADCA.607@redhat.com> Message-ID: <1239922697.3696.12.camel@localhost.localdomain> On Thu, 2009-04-16 at 18:14 -0400, John Dennis wrote: > This adds a dynamic hash table data structure to our common code area. Still reading the patch, but one thing jumped out immediately. Why are you defining TRUE and FALSE and declaring functions as int ? Why don't you use bool, true and false ? Simo. -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Thu Apr 16 23:35:50 2009 
From: dpal at redhat.com (Dmitri Pal) Date: Thu, 16 Apr 2009 19:35:50 -0400 Subject: [Freeipa-devel] Patch for the INI parser. Ceanup. Prep for INI validation. In-Reply-To: <1239918363.3696.8.camel@localhost.localdomain> References: <49E63DED.5040704@redhat.com> <49E75848.5010502@redhat.com> <49E79A30.6000104@redhat.com> <1239918363.3696.8.camel@localhost.localdomain> Message-ID: <49E7C0D6.1000509@redhat.com> Simo Sorce wrote: > On Thu, 2009-04-16 at 16:50 -0400, Stephen Gallagher wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Stephen Gallagher wrote: >> >>> Dmitri Pal wrote: >>> >>>> Hi, >>>> >>>> INI parser. Cleanup. Prep for INI validation. >>>> This patch addresses several issues: >>>> a) Cleaning unit test to match coding standard >>>> b) Replace tabs with spaces - I do not know where they came >>>> but there were some. >>>> c) Allowing to read file and keep aside a collection >>>> of K-V pairs where key is the key in the INI file and value is the >>>> line number on which line the key appears. >>>> d) There will be different kinds of errors so >>>> error printing function was abstracted. >>>> g) Placeholders for other printing functions have been introduced. >>>> >>> >>> >>>> ------------------------------------------------------------------------ >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>> >>> Nack >>> >>> Do not include so many different changes in a single patch. Of note, >>> never include formatting changes alongside functional changes. This >>> needs to be broken up into at least two patches, one for the formatting >>> and the other for the functional changes. >>> >>> There is no need to internationalize the empty string. It's a waste of >>> gettext macros. >>> >>> I am morally opposed to the use of inline in a public API, but I can >>> live with it. 
>>>
>>>
>>>
>>>
>> After several off-list discussions, I'm going to push this patch, and
>> Dmitri will follow up with some additional fixes.
>>
>> Highlights: his copy of git is broken, so breaking the patch in two is
>> non-trivial. The strings are placeholders, so it's fine to
>> internationalize them. Inline may be removed in a subsequent patch.
>>
>> Ack and pushed.
>>
>
> Please next time make these discussions public.
> There is no pressing need to push this patch immediately, if Dmitri has
> problems with his git tree, he better get it fixed before going forward.
> It's not an excuse to get poor patches in.
>
> Simo.
>
>
Simo, the point is that:

a) There is no clear guidance about the "inline" thing. So it is not a bug and not an issue. But I am willing to correct it anyway with the follow-up patch.

b) The strings are placeholders and will be replaced by the full functionality, and I am working on it. The functions that are committed that have these "strings" are not yet used by any code. Plus the code makes sure that these lines are never returned (the valid range is empty). It just seemed inefficient to clear this code.

c) The only real issue is that formatting changes and real fixes are in the same patch. I will do my best to submit them as different patches in the future. It seems really inefficient to force me to redo it now, especially when I have issues with git merge.

Simo, I agree that I should probably find a solution to the git problem, but I currently do not see a way to do it without wasting a lot of time. I am already behind on other things, and with all this volume of tasks I can't afford redoing things twice. All the notes, comments and suggestions you and Stephen give are factored in, and I do not repeat the mistakes twice. So there is a bit of difference between a "poor" patch and a "sufficient under current circumstances" patch.

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.
------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From davido at redhat.com Fri Apr 17 00:46:15 2009 
From: davido at redhat.com (David O'Brien) Date: Fri, 17 Apr 2009 10:46:15 +1000 Subject: [Freeipa-devel] [PATCH] Add more sophisticated help interface. Split commands into 'topics'. In-Reply-To: <49E74806.5090209@redhat.com> References: <49DA36FE.2020109@redhat.com> <49E61298.8020307@redhat.com> <49E74806.5090209@redhat.com> Message-ID: <49E7D157.3010808@redhat.com> Pavel Zuna wrote: > Rob Crittenden wrote: >> Pavel Zuna wrote: >>> This is more of a suggestion than a real patch. I thought it might >>> be easier to actually show what I had in mind than explaining it. >>> Sometimes code is more than words. :) >>> >>> Pavel >> >> I think this is a good start. The output looks like: >> >> $ ipa >> Usage: ipa [global-options] COMMAND ... >> >> Use `ipa help TOPIC` for command listings. >> >> Topics: >> general General IPA management. >> aci ACI object. >> application Application object >> automount Automount object. >> delegation Delegation object. >> group group object. >> host Host object. >> hostgroup hostgroup object. >> netgroup netgroup object. >> rolegroup rolegroup object. >> service Service object. >> taskgroup taskgroup object. >> user User object. >> >> Try `ipa --help` for a list of global options. >> >> It looks like you dumped things that aren't related to a top-level >> class into general (things like passwd, the cert commands, and a few >> others). I guess they have to go somewhere, just not sure I'd know to >> look in general if I was a new user. >> >> Should we mandate an Object for every plugin? Or include the list of >> these general commands in the main topics list? That might be >> confusing too because that would mean that 'env' is on the same level >> as 'user'. >> >> Any suggestions? >> >> The patch is good and we could easily just apply this but I don't >> want to forget about these issues. In any case we'll want to go into >> each plugin and set the Object documentation to be more descriptive. 
>> >> rob > I wrote another version of the help interface today taking into > consideration the issues you mentioned. It's based on plugins this > time instead of objects. > > The output looks like this: > > $ ipa > Usage: ipa [global-options] COMMAND ... > > Built-in commands: > console Start the IPA interactive Python console. > help Display help for a command or topic. > > Help topics: > aci Frontend plugins for managing DS ACIs > application Frontend plugins for application policy containers. > automount Frontend plugins for automount. > defaultoptions Frontend plugin for default options in IPA. > delegation Frontend plugins for delegations. > dns Frontend plugin for DNS management. > group Frontend plugins for groups. > hbac Frontend plugin for HBAC management. > host Frontend plugins for host/machine Identity. > hostgroup Frontend plugins for hostgroups. > join Machine join > misc Misc frontend plugins. > netgroup Frontend plugins for netgroups. > passwd Frontend plugins for password changes. > pwpolicy Frontend plugins for password policy. > rolegroup Frontend plugins for rolegroups. > service Frontend plugins for service (Identity). > taskgroup Frontend plugins for taskgroups. > user Frontend plugins for user (Identity). > > Try `ipa --help` for a list of global options. > > Commands not originating from plugins are listed as built-ins. The > short description for topics is taken from the first line of the > module's docstring. > > The code itself is a bit hacky, because I just couldn't find any > better way to get every plugin module, it's docstring a list of > commands it implements. I'll rewrite it if necessary. > > Pavel > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel How much work is involved in editing the first line of a module's docstring? 
Is it developer-only territory or straight-forward enough that I could do it? I ask because I'm interested in keeping everything related to doc, help, etc., on an even keel and consistent, which in this case means: s/plugin/plug-in s/backend/back-end s/frontend/front-end I would also review the use of terms like "host/machine", because in IPA 2.0 "host" refers to the host object specifically created to represent the host *machine*, and which exists as a new object in DS. "Machine", on the other hand, refers to the computer itself. (This gets trickier when we start talking about the "host" where a virtual machine is running.) Hopefully my understanding of host objects and machines is correct here. So, in the case of "host : Frontend plugins for host/machine Identity." I'd suggest a change to "host : Front-end plug-ins for machine identity." 1. front-end (as per style guide) 2. plug-ins (as per style guide) 3. machine (we're identifying the machine, and using the host object to do it) 4. identity (lower case) regards, -- David O'Brien IPA Content Author Red Hat Asia Pacific +61 7 3514 8189 "The most valuable of all talents is that of never using two words when one will do." Thomas Jefferson From dpal at redhat.com Fri Apr 17 02:43:17 2009 
From: dpal at redhat.com (Dmitri Pal) Date: Thu, 16 Apr 2009 22:43:17 -0400 Subject: [Freeipa-devel] [PATCH] Three small INI parser patches Message-ID: <49E7ECC5.9010202@redhat.com> Hi, Patch 1: Removed inlines. Patch 2: Couple comments to avoid confusion. Patch 3: Actual code change to make the section line numbers negative so that one can differentiate sections and attributes. All three patches are small and simple. -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- A non-text attachment was scrubbed... Name: 0003-INI-parser.-Fix-for-line-numbers.patch Type: text/x-patch Size: 1235 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-INI-parser.-Adding-comments-to-avoid-confusion.patch Type: text/x-patch Size: 1313 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-INI-parser.-Removing-inlines.patch Type: text/x-patch Size: 5015 bytes Desc: not available URL: From jdennis at redhat.com Fri Apr 17 03:17:18 2009 
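The patches themselves were scrubbed from the archive, so here is an added example (written for this page, not Dmitri's code) of the convention his messages describe: a flat collection mapping each INI name to the line it appears on, with section headers stored as negated line numbers so that a later validator can tell sections from attributes by the sign alone. The ini_* names, the fixed-size map and the sample configuration text are all constructed for the example; the real parser in the sssd common code is not on this page.

```c
/* Added example of the convention Dmitri describes, not his patch: a flat
 * name -> line number collection for an INI file in which attribute names
 * map to the (positive) line they appear on and section names to the
 * negated line number, so the sign alone separates sections from
 * attributes. The ini_* names and fixed-size map are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define INI_MAX_ENTRIES 64
#define INI_MAX_NAME    64

struct ini_entry { char name[INI_MAX_NAME]; int line; };
struct ini_line_map { struct ini_entry entries[INI_MAX_ENTRIES]; size_t count; };

static bool is_blank(char c)
{
    return c == ' ' || c == '\t' || c == '\r';
}

/* Store src[0..n) with surrounding blanks trimmed, keyed to 'line'. */
static int map_add(struct ini_line_map *m, const char *src, size_t n, int line)
{
    struct ini_entry *e;
    while (n > 0 && is_blank(src[0])) { src++; n--; }
    while (n > 0 && is_blank(src[n - 1])) { n--; }
    if (n == 0 || n >= INI_MAX_NAME || m->count >= INI_MAX_ENTRIES) {
        return EINVAL;                  /* empty name, too long, or map full */
    }
    e = &m->entries[m->count++];
    memcpy(e->name, src, n);
    e->name[n] = '\0';
    e->line = line;
    return 0;
}

/* One pass over the text; returns 0, or EINVAL at the first malformed line. */
int ini_collect_lines(const char *text, struct ini_line_map *m)
{
    const char *p = text;
    int line;

    if (text == NULL || m == NULL) {
        return EINVAL;                  /* never assert() on the caller's pointers */
    }
    m->count = 0;
    for (line = 1; *p != '\0'; line++) {
        const char *start = p, *end = strchr(p, '\n'), *mark;
        int rc;

        if (end == NULL) {
            end = p + strlen(p);        /* last line lacks a newline */
        }
        p = (*end == '\n') ? end + 1 : end;
        while (start < end && is_blank(*start)) { start++; }
        if (start == end || *start == '#' || *start == ';') {
            continue;                   /* blank or comment line */
        }
        if (*start == '[') {            /* section header: store -line */
            mark = memchr(start, ']', (size_t)(end - start));
            rc = (mark == NULL) ? EINVAL
                 : map_add(m, start + 1, (size_t)(mark - start - 1), -line);
        } else {                        /* attribute: store +line */
            mark = memchr(start, '=', (size_t)(end - start));
            rc = (mark == NULL) ? EINVAL
                 : map_add(m, start, (size_t)(mark - start), line);
        }
        if (rc != 0) {
            return rc;
        }
    }
    return 0;
}

/* Line of the first entry named 'name': negative for a section header,
 * positive for an attribute, 0 when absent (line numbers start at 1). */
int ini_line_of(const struct ini_line_map *m, const char *name)
{
    size_t i;
    if (m == NULL || name == NULL) return 0;
    for (i = 0; i < m->count; i++) {
        if (strcmp(m->entries[i].name, name) == 0) return m->entries[i].line;
    }
    return 0;
}

/* Constructed sample input for the example; not a real sssd.conf. */
const char ini_sample[] =
    "# constructed sample\n"
    "[sssd]\n"
    "services = nss, pam\n"
    "domains = LOCAL\n"
    "\n"
    "[domain/LOCAL]\n"
    "provider = local\n";
```

With the constructed sample, ini_line_of() returns -2 for the [sssd] header and 3 for the services key, and a line that is neither a section header nor key = value makes ini_collect_lines() stop with EINVAL at that line; that error path, plus the recorded line numbers, is what the planned INI validation would report to the user.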
From: jdennis at redhat.com (John Dennis) Date: Thu, 16 Apr 2009 23:17:18 -0400 Subject: [Freeipa-devel] [PATCH] add dynamic hash table data structure implementation In-Reply-To: <1239922697.3696.12.camel@localhost.localdomain> References: <49E7ADCA.607@redhat.com> <1239922697.3696.12.camel@localhost.localdomain> Message-ID: <49E7F4BE.9030302@redhat.com> Simo Sorce wrote: > On Thu, 2009-04-16 at 18:14 -0400, John Dennis wrote: > >> This adds a dynamic hash table data structure to our common code area. >> > > Still reading the patch, but one thing jumped out immediately. > Why are you defining TRUE and FALSE and declaring functions as int ? > Most of the functions are declared as returning int because they return integer error codes, not booleans. There is only one public function returning a boolean. However there are several internal functions returning a logical boolean value as an int. Each of these could be modified to return a bool instead. > Why don't you use bool, true and false ? > Good catch, I should use bool. I guess that's what happens when you've already been programming in a language for years before a feature is added, I still think in terms of zero and non-zero when programming in C :-) -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From ssorce at redhat.com Fri Apr 17 03:39:15 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 17 Apr 2009 03:39:15 +0000 Subject: [Freeipa-devel] [PATCH] add dynamic hash table data structure implementation In-Reply-To: <49E7F4BE.9030302@redhat.com> References: <49E7ADCA.607@redhat.com> <1239922697.3696.12.camel@localhost.localdomain> <49E7F4BE.9030302@redhat.com> Message-ID: <1239939555.3696.30.camel@localhost.localdomain>
On Thu, 2009-04-16 at 23:17 -0400, John Dennis wrote:
> Simo Sorce wrote:
> > On Thu, 2009-04-16 at 18:14 -0400, John Dennis wrote:
> >
> > > This adds a dynamic hash table data structure to our common code area.
> > >
> >
> > Still reading the patch, but one thing jumped out immediately.
> > Why are you defining TRUE and FALSE and declaring functions as int ?
> >
> Most of the functions are declared as returning int because they
> return integer error codes, not booleans. There is only one public
> function returning a boolean. However there are several internal
> functions returning a logical boolean value as an int. Each of these
> could be modified to return a bool instead.

Yes, I was thinking about these internal functions.
Also, please use 'return true;', not 'return(TRUE);'. I am not sure we have anything about 'return' in the style guide, but nowhere else do we use return().

> > Why don't you use bool, true and false ?
> >
> Good catch, I should use bool. I guess that's what happens when you've
> already been programming in a language for years before a feature is
> added, I still think in terms of zero and non-zero when programming in
> C :-)

Eh, bool is standard since C99 :-)

Btw, even though I haven't finished reviewing the patch, I have another nitpick: in lookup() you assert() if table is NULL. I really don't like to see assert() used in libraries. Given that in all paths I could spot the table pointer comes from the calling app, I would rather check for its validity in the public functions and return EINVAL instead.
Let the app decide if it wants to abort() in that case or handle the issue differently. Simo. -- Simo Sorce * Red Hat, Inc * New York From pzuna at redhat.com Fri Apr 17 08:24:06 2009 
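As an added illustration of the two review points Simo makes above (C99 bool for internal predicates, and EINVAL from the public entry points instead of an assert() that aborts the calling application), here is a small string-keyed hash table written for this page. It is not John's patch, whose contents are not in the archive: the ht_* names, the fixed bucket count and the lack of resizing are assumptions of the example, not properties of the real dynamic table.

```c
/* Added example for the review points above, not John's patch: a small
 * string-keyed hash table (fixed buckets, no resizing) whose public API
 * checks caller pointers and returns errno values instead of assert()ing,
 * and whose internal predicates return C99 bool, not an int TRUE/FALSE.
 * All ht_* names are assumptions for the example. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define HT_BUCKETS 64

struct ht_entry { char *key; void *value; struct ht_entry *next; };
struct ht_table { struct ht_entry *buckets[HT_BUCKETS]; };

/* FNV-1a reduced to a bucket index; internal, key already validated. */
static size_t ht_index(const char *key)
{
    unsigned long h = 2166136261UL;
    for (; *key != '\0'; key++) {
        h ^= (unsigned char)*key;
        h *= 16777619UL;
    }
    return (size_t)(h % HT_BUCKETS);
}

/* Internal predicate: a real bool, written 'return ...;' without parens. */
static bool ht_key_matches(const struct ht_entry *e, const char *key)
{
    return strcmp(e->key, key) == 0;
}

static struct ht_entry *ht_find(const struct ht_table *t, const char *key)
{
    struct ht_entry *e;
    for (e = t->buckets[ht_index(key)]; e != NULL; e = e->next) {
        if (ht_key_matches(e, key)) return e;
    }
    return NULL;
}

/* Public API: validate what the calling application hands us and return
 * EINVAL; whether to abort() on a bad table pointer is the app's choice. */
int ht_create(struct ht_table **out)
{
    if (out == NULL) return EINVAL;
    *out = calloc(1, sizeof(**out));
    return (*out == NULL) ? ENOMEM : 0;
}

int ht_insert(struct ht_table *t, const char *key, void *value)
{
    struct ht_entry *e;
    size_t idx, len;
    if (t == NULL || key == NULL) return EINVAL;
    e = ht_find(t, key);
    if (e != NULL) {                /* existing key: replace the value */
        e->value = value;
        return 0;
    }
    len = strlen(key) + 1;
    e = malloc(sizeof(*e));
    if (e == NULL) return ENOMEM;
    e->key = malloc(len);           /* own copy; strdup() is POSIX, not C99 */
    if (e->key == NULL) {
        free(e);
        return ENOMEM;
    }
    memcpy(e->key, key, len);
    e->value = value;
    idx = ht_index(key);
    e->next = t->buckets[idx];
    t->buckets[idx] = e;
    return 0;
}

int ht_lookup(const struct ht_table *t, const char *key, void **value)
{
    const struct ht_entry *e;
    if (t == NULL || key == NULL || value == NULL) return EINVAL;
    e = ht_find(t, key);
    if (e == NULL) return ENOENT;
    *value = e->value;
    return 0;
}

void ht_destroy(struct ht_table *t)
{
    size_t i;
    if (t == NULL) return;
    for (i = 0; i < HT_BUCKETS; i++) {
        struct ht_entry *e = t->buckets[i];
        while (e != NULL) {
            struct ht_entry *next = e->next;
            free(e->key);
            free(e);
            e = next;
        }
    }
    free(t);
}
```

A caller passing a NULL table to ht_lookup() gets EINVAL back and can log it, fail the request or abort() itself, rather than having a library assert() take down a long-running daemon such as sssd; the assert() in lookup() that Simo points at is exactly the check that moves into the public functions.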
From: pzuna at redhat.com (Pavel Zuna) Date: Fri, 17 Apr 2009 10:24:06 +0200 Subject: [Freeipa-devel] [PATCH] Add more sophisticated help interface. Split commands into 'topics'. In-Reply-To: <49E7D157.3010808@redhat.com> References: <49DA36FE.2020109@redhat.com> <49E61298.8020307@redhat.com> <49E74806.5090209@redhat.com> <49E7D157.3010808@redhat.com> Message-ID: <49E83CA6.8040403@redhat.com> David O'Brien wrote: > Pavel Zuna wrote: >> Rob Crittenden wrote: >>> Pavel Zuna wrote: >>>> This is more of a suggestion than a real patch. I thought it might >>>> be easier to actually show what I had in mind than explaining it. >>>> Sometimes code is more than words. :) >>>> >>>> Pavel >>> >>> I think this is a good start. The output looks like: >>> >>> $ ipa >>> Usage: ipa [global-options] COMMAND ... >>> >>> Use `ipa help TOPIC` for command listings. >>> >>> Topics: >>> general General IPA management. >>> aci ACI object. >>> application Application object >>> automount Automount object. >>> delegation Delegation object. >>> group group object. >>> host Host object. >>> hostgroup hostgroup object. >>> netgroup netgroup object. >>> rolegroup rolegroup object. >>> service Service object. >>> taskgroup taskgroup object. >>> user User object. >>> >>> Try `ipa --help` for a list of global options. >>> >>> It looks like you dumped things that aren't related to a top-level >>> class into general (things like passwd, the cert commands, and a few >>> others). I guess they have to go somewhere, just not sure I'd know to >>> look in general if I was a new user. >>> >>> Should we mandate an Object for every plugin? Or include the list of >>> these general commands in the main topics list? That might be >>> confusing too because that would mean that 'env' is on the same level >>> as 'user'. >>> >>> Any suggestions? >>> >>> The patch is good and we could easily just apply this but I don't >>> want to forget about these issues. 
In any case we'll want to go into >>> each plugin and set the Object documentation to be more descriptive. >>> >>> rob >> I wrote another version of the help interface today taking into >> consideration the issues you mentioned. It's based on plugins this >> time instead of objects. >> >> The output looks like this: >> >> $ ipa >> Usage: ipa [global-options] COMMAND ... >> >> Built-in commands: >> console Start the IPA interactive Python console. >> help Display help for a command or topic. >> >> Help topics: >> aci Frontend plugins for managing DS ACIs >> application Frontend plugins for application policy containers. >> automount Frontend plugins for automount. >> defaultoptions Frontend plugin for default options in IPA. >> delegation Frontend plugins for delegations. >> dns Frontend plugin for DNS management. >> group Frontend plugins for groups. >> hbac Frontend plugin for HBAC management. >> host Frontend plugins for host/machine Identity. >> hostgroup Frontend plugins for hostgroups. >> join Machine join >> misc Misc frontend plugins. >> netgroup Frontend plugins for netgroups. >> passwd Frontend plugins for password changes. >> pwpolicy Frontend plugins for password policy. >> rolegroup Frontend plugins for rolegroups. >> service Frontend plugins for service (Identity). >> taskgroup Frontend plugins for taskgroups. >> user Frontend plugins for user (Identity). >> >> Try `ipa --help` for a list of global options. >> >> Commands not originating from plugins are listed as built-ins. The >> short description for topics is taken from the first line of the >> module's docstring. >> >> The code itself is a bit hacky, because I just couldn't find any >> better way to get every plugin module, it's docstring a list of >> commands it implements. I'll rewrite it if necessary. 
>> >> Pavel >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > How much work is involved in editing the first line of a module's > docstring? Is it developer-only territory or straight-forward enough > that I could do it? > > I ask because I'm interested in keeping everything related to doc, help, > etc., on an even keel and consistent, which in this case means: > s/plugin/plug-in > s/backend/back-end > s/frontend/front-end > > I would also review the use of terms like "host/machine", because in IPA > 2.0 "host" refers to the host object specifically created to represent > the host *machine*, and which exists as a new object in DS. "Machine", > on the other hand, refers to the computer itself. (This gets trickier > when we start talking about the "host" where a virtual machine is > running.) Hopefully my understanding of host objects and machines is > correct here. > > So, in the case of "host : Frontend plugins for host/machine Identity." > I'd suggest a change to "host : Front-end plug-ins for machine identity." > > 1. front-end (as per style guide) > 2. plug-ins (as per style guide) > 3. machine (we're identifying the machine, and using the host object to > do it) > 4. identity (lower case) > > regards, > Docstrings are a feature of python for associating documentation with objects like modules, classes, function, etc. in the code. They are meant for developers, but are easy to spot and edit. They are always surrounded with 3 double quotes on both sides, like this: """docstring - this is the first line containing text, short help""" """ docstring - this is the first line containing text, short help blablabla """ Module docstrings are always located at the top of the file before any code, usually just after the authors/license comments (staring with #). 
Command docstrings can be found at the beginning of its class definition. For example, if we have a command named Foo in plugin module Bar:

(contents of ipalib/plugins/Bar.py)
...
class Foo(Command):
    """
    docstring - first line, short description of what the command does

    more information displayed on `ipa help Foo`
    """
...

The current text in the modules' docstrings was not meant to be displayed as help for topics. If we're going to use this help scheme, they'll have to be rewritten. For topics, I think the first line should say what the topic is, so the output looks something like this:

Topics:
  aci     Directory Server Access Control Instructions
  hbac    Host-Based Access Control
  ...

Additional lines should offer more in-depth information, possibly with links to online docs.

Pavel
From rcritten at redhat.com Fri Apr 17 15:36:51 2009
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 17 Apr 2009 11:36:51 -0400 Subject: [Freeipa-devel] [PATCH] add signing cert profile to installer Message-ID: <49E8A213.2010502@redhat.com>
This patch adds a signing cert profile to dogtag that we use to generate an object signing cert that will work with signtool. We use this to create the signed jar file in order to do autoconfiguration in Firefox.

This patch also does some file permission cleanup and fixes a few leaking fds.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-179-signcert.patch
Type: application/mbox
Size: 6169 bytes
Desc: not available
URL:
From rcritten at redhat.com Fri Apr 17 15:47:21 2009
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 17 Apr 2009 11:47:21 -0400 Subject: [Freeipa-devel] [PATCH] Add more sophisticated help interface. Split commands into 'topics'. In-Reply-To: <49E83CA6.8040403@redhat.com> References: <49DA36FE.2020109@redhat.com> <49E61298.8020307@redhat.com> <49E74806.5090209@redhat.com> <49E7D157.3010808@redhat.com> <49E83CA6.8040403@redhat.com> Message-ID: <49E8A489.4090005@redhat.com> Pavel Zuna wrote: > David O'Brien wrote: >> Pavel Zuna wrote: >>> Rob Crittenden wrote: >>>> Pavel Zuna wrote: >>>>> This is more of a suggestion than a real patch. I thought it might >>>>> be easier to actually show what I had in mind than explaining it. >>>>> Sometimes code is more than words. :) >>>>> >>>>> Pavel >>>> >>>> I think this is a good start. The output looks like: >>>> >>>> $ ipa >>>> Usage: ipa [global-options] COMMAND ... >>>> >>>> Use `ipa help TOPIC` for command listings. >>>> >>>> Topics: >>>> general General IPA management. >>>> aci ACI object. >>>> application Application object >>>> automount Automount object. >>>> delegation Delegation object. >>>> group group object. >>>> host Host object. >>>> hostgroup hostgroup object. >>>> netgroup netgroup object. >>>> rolegroup rolegroup object. >>>> service Service object. >>>> taskgroup taskgroup object. >>>> user User object. >>>> >>>> Try `ipa --help` for a list of global options. >>>> >>>> It looks like you dumped things that aren't related to a top-level >>>> class into general (things like passwd, the cert commands, and a few >>>> others). I guess they have to go somewhere, just not sure I'd know >>>> to look in general if I was a new user. >>>> >>>> Should we mandate an Object for every plugin? Or include the list of >>>> these general commands in the main topics list? That might be >>>> confusing too because that would mean that 'env' is on the same >>>> level as 'user'. >>>> >>>> Any suggestions? 
>>>> >>>> The patch is good and we could easily just apply this but I don't >>>> want to forget about these issues. In any case we'll want to go into >>>> each plugin and set the Object documentation to be more descriptive. >>>> >>>> rob >>> I wrote another version of the help interface today taking into >>> consideration the issues you mentioned. It's based on plugins this >>> time instead of objects. >>> >>> The output looks like this: >>> >>> $ ipa >>> Usage: ipa [global-options] COMMAND ... >>> >>> Built-in commands: >>> console Start the IPA interactive Python console. >>> help Display help for a command or topic. >>> >>> Help topics: >>> aci Frontend plugins for managing DS ACIs >>> application Frontend plugins for application policy containers. >>> automount Frontend plugins for automount. >>> defaultoptions Frontend plugin for default options in IPA. >>> delegation Frontend plugins for delegations. >>> dns Frontend plugin for DNS management. >>> group Frontend plugins for groups. >>> hbac Frontend plugin for HBAC management. >>> host Frontend plugins for host/machine Identity. >>> hostgroup Frontend plugins for hostgroups. >>> join Machine join >>> misc Misc frontend plugins. >>> netgroup Frontend plugins for netgroups. >>> passwd Frontend plugins for password changes. >>> pwpolicy Frontend plugins for password policy. >>> rolegroup Frontend plugins for rolegroups. >>> service Frontend plugins for service (Identity). >>> taskgroup Frontend plugins for taskgroups. >>> user Frontend plugins for user (Identity). >>> >>> Try `ipa --help` for a list of global options. >>> >>> Commands not originating from plugins are listed as built-ins. The >>> short description for topics is taken from the first line of the >>> module's docstring. >>> >>> The code itself is a bit hacky, because I just couldn't find any >>> better way to get every plugin module, it's docstring a list of >>> commands it implements. I'll rewrite it if necessary. 
>>> >>> Pavel >>> ------------------------------------------------------------------------ >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> How much work is involved in editing the first line of a module's >> docstring? Is it developer-only territory or straight-forward enough >> that I could do it? >> >> I ask because I'm interested in keeping everything related to doc, >> help, etc., on an even keel and consistent, which in this case means: >> s/plugin/plug-in >> s/backend/back-end >> s/frontend/front-end >> >> I would also review the use of terms like "host/machine", because in >> IPA 2.0 "host" refers to the host object specifically created to >> represent the host *machine*, and which exists as a new object in DS. >> "Machine", on the other hand, refers to the computer itself. (This >> gets trickier when we start talking about the "host" where a virtual >> machine is running.) Hopefully my understanding of host objects and >> machines is correct here. >> >> So, in the case of "host : Frontend plugins for host/machine >> Identity." I'd suggest a change to "host : Front-end plug-ins for >> machine identity." >> >> 1. front-end (as per style guide) >> 2. plug-ins (as per style guide) >> 3. machine (we're identifying the machine, and using the host object >> to do it) >> 4. identity (lower case) >> >> regards, >> > Docstrings are a feature of python for associating documentation with > objects like modules, classes, function, etc. in the code. They are > meant for developers, but are easy to spot and edit. 
> They are always surrounded with 3 double quotes on both sides, like this:
>
> """docstring - this is the first line containing text, short help"""
>
> """
> docstring - this is the first line containing text, short help
>
> blablabla
> """
>
> Module docstrings are always located at the top of the file before any
> code, usually just after the authors/license comments (starting with #).
>
> Command docstrings can be found at the beginning of its class
> definition. For example, if we have a command named Foo in plugin module
> Bar:
>
> (contents of ipalib/plugins/Bar.py)
> ...
>
> class Foo(Command):
>     """
>     docstring - first line, short description of what the command does
>
>     more information displayed on `ipa help Foo`
>     """
>
> ...
>
> The current text in the modules' docstrings was not meant to be displayed
> as help for topics. If we're going to use this help scheme, they'll have
> to be rewritten.
>
> For topics, I think the first line should say what the topic is, so the
> output looks something like this:
>
> Topics:
>   aci   Directory Server Access Control Instructions
>   hbac  Host-Based Access Control
>   ...
>
> Additional lines should offer more in depth information, possibly with
> links to online docs.
>
> Pavel

Pavel, can you update the topic descriptions along with this patch? Then
I'll ack both. I think we're going to have to get this in place and use
it a while to see what fine-tuning it needs. I think this is the right
approach though.

rob

From jhrozek at redhat.com Fri Apr 17 18:43:52 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 17 Apr 2009 20:43:52 +0200
Subject: [Freeipa-devel] [PATCH] sssd_pam: Find the right domain to auth against
In-Reply-To: <1239921882.3696.10.camel@localhost.localdomain>
References: <1239921882.3696.10.camel@localhost.localdomain>
Message-ID: <1239993832.20915.2.camel@zeppelin.englab.brq.redhat.com>

On Thu, 2009-04-16 at 18:44 -0400, Simo Sorce wrote:
> This should fix ticket #22
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

Ack based on debug session done with Simo on packages with this patch.

Jakub

From ssorce at redhat.com Fri Apr 17 19:05:06 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 17 Apr 2009 15:05:06 -0400
Subject: [Freeipa-devel] [PATCH] sssd_pam: Find the right domain to auth against
In-Reply-To: <1239993832.20915.2.camel@zeppelin.englab.brq.redhat.com>
References: <1239921882.3696.10.camel@localhost.localdomain>
	<1239993832.20915.2.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <1239995106.3696.43.camel@localhost.localdomain>

On Fri, 2009-04-17 at 20:43 +0200, Jakub Hrozek wrote:
> > This should fix ticket #22
> Ack based on debug session done with Simo on packages with this patch.

pushed.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Apr 17 19:59:36 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 17 Apr 2009 15:59:36 -0400
Subject: [Freeipa-devel] [PATCH] Three small INI parser patches
In-Reply-To: <49E7ECC5.9010202@redhat.com>
References: <49E7ECC5.9010202@redhat.com>
Message-ID: <1239998376.3696.45.camel@localhost.localdomain>

On Thu, 2009-04-16 at 22:43 -0400, Dmitri Pal wrote:
>
> Patch 1: Removed inlines.

ack.

> Patch 2: Couple comments to avoid confusion.

ack, although it seems really useless to add a patch just to comment on
temporary code.

> Patch 3: Actual code change to make the section line numbers negative
> so that one can differentiate sections and attributes.

ack

all patches have been pushed.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri Apr 17 21:18:57 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 17 Apr 2009 17:18:57 -0400
Subject: [Freeipa-devel] [PATCH] add signing cert profile to installer
In-Reply-To: <49E8A213.2010502@redhat.com>
References: <49E8A213.2010502@redhat.com>
Message-ID: <49E8F241.3030302@redhat.com>

Rob Crittenden wrote:
> This patch adds a signing cert profile to dogtag that we use to generate
> an object signing cert that will work with signtool. We use this to
> create the signed jar file in order to do autoconfiguration in Firefox.
>
> This patch also does some file permission cleanup and fixes a few
> leaking fds.
>

I goofed on the commit. It only contained the new file. Here is a
revised patch.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-179-signcert.patch
Type: application/mbox
Size: 24675 bytes
Desc: not available
URL:
From ssorce at redhat.com Fri Apr 17 21:31:22 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 17 Apr 2009 17:31:22 -0400
Subject: [Freeipa-devel] [PATCH] GSSAPI error handling
In-Reply-To: <49E3B6BA.80201@redhat.com>
References: <49E3B6BA.80201@redhat.com>
Message-ID: <1240003882.3696.46.camel@localhost.localdomain>

On Mon, 2009-04-13 at 18:03 -0400, Rob Crittenden wrote:
> Handle GSSAPI errors in a more graceful way (try #2).

Looks good to me, ack

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Apr 17 21:38:22 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 17 Apr 2009 17:38:22 -0400
Subject: [Freeipa-devel] [PATCH] Finish work replacing errors.py with errors2.py
In-Reply-To: <49E5F0C7.202@redhat.com>
References: <49E5F0C7.202@redhat.com>
Message-ID: <1240004302.3696.47.camel@localhost.localdomain>

On Wed, 2009-04-15 at 10:35 -0400, Rob Crittenden wrote:
> Finish up the work replacing errors.py with errors2.py.
>
> I went ahead and updated both the old and the new ldap modules so we
> could get this done.
>
> The next step will be to rename errors2 to errors. I didn't do that
> here in order to simplify the review process. That patch will be done
> once this one is committed (it will be a super-trivial but very long
> patch).

looks good (although I'd split reformatting fixes in a separate patch)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Apr 17 21:47:40 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 17 Apr 2009 17:47:40 -0400
Subject: [Freeipa-devel] [PATCH] more CA installer work
In-Reply-To: <49E37A17.3020300@redhat.com>
References: <49E37A17.3020300@redhat.com>
Message-ID: <1240004860.3696.56.camel@localhost.localdomain>

On Mon, 2009-04-13 at 13:44 -0400, Rob Crittenden wrote:
> This patch lets us issue DS and Apache server certs during CA
> installation.
>
> It also:
> - will create a CA instance (pki-ca) if it doesn't exist
> - maintains support for a self-signed CA
> - A signing cert is still not created so Firefox autoconfig still
>   won't work
>
> Once I get an object signing profile for dogtag we can generate a
> signing cert and do the jar signing for Firefox.

ack

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Apr 17 21:49:58 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 17 Apr 2009 17:49:58 -0400
Subject: [Freeipa-devel] [PATCH] make RA plugin use nsslib
In-Reply-To: <49E37BB6.3020100@redhat.com>
References: <49E37BB6.3020100@redhat.com>
Message-ID: <1240004998.3696.59.camel@localhost.localdomain>

On Mon, 2009-04-13 at 13:51 -0400, Rob Crittenden wrote:
> Convert the RA plugin from using sslget to use nsslib instead. This
> makes SELinux happier too.
>
> I'm also removing the bootstrap code from the plugin. All of this is
> handled by the installer.

ack

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Apr 17 21:50:04 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 17 Apr 2009 17:50:04 -0400
Subject: [Freeipa-devel] [PATCH] add signing cert profile to installer
In-Reply-To: <49E8F241.3030302@redhat.com>
References: <49E8A213.2010502@redhat.com> <49E8F241.3030302@redhat.com>
Message-ID: <1240005004.3696.60.camel@localhost.localdomain>

On Fri, 2009-04-17 at 17:18 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > This patch adds a signing cert profile to dogtag that we use to generate
> > an object signing cert that will work with signtool. We use this to
> > create the signed jar file in order to do autoconfiguration in Firefox.
> >
> > This patch also does some file permission cleanup and fixes a few
> > leaking fds.
> >
>
> I goofed on the commit. It only contained the new file. Here is a
> revised patch.

I see we allow using MD5withRSA and MD2withRSA signatures, should we
restrict by default to SHA only?

otherwise ack

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From mpcolino at gmail.com Sat Apr 18 11:18:47 2009
From: mpcolino at gmail.com (Miguel P.C.)
Date: Sat, 18 Apr 2009 13:18:47 +0200
Subject: [Freeipa-devel] Need Advice on "DEB" packaging.
Message-ID: <1240053527.5138.1.camel@crow>

Hello everyone!

I've finally done my first package for ubuntu. I'd like to thank you for
the help and support received.

Now I'm trying to package SSSD (BTW I like this name) and it would be
really good to have the chance to compile all the pieces with a simple
"make all" in the root directory. I'd like to work this way but, to do
so, I need to have a script to configure all the pieces and set all the
Makefiles before.

So, what do you recommend to perform such a task?
May I simply create a shell script that prepares the code or may I use a
tool to do so (i.e. autoconf ...)?

Thanks in advance

M*
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:
From mpcolino at gmail.com Sat Apr 18 16:49:20 2009
From: mpcolino at gmail.com (Miguel P.C.)
Date: Sat, 18 Apr 2009 18:49:20 +0200
Subject: [Freeipa-devel] Re: Need Advice on "DEB" packaging.
In-Reply-To: <1240053527.5138.1.camel@crow>
References: <1240053527.5138.1.camel@crow>
Message-ID:

> Hello everyone!
>
> I've finally done my first package for ubuntu. I'd like to thank you for
> the help and support received.
>
> Now I'm trying to package SSSD (BTW I like this name) and it would be
> really good to have the chance to compile all the pieces with a simple
> "make all" in the root directory. I'd like to work this way but, to do
> so, I need to have a script to configure all the pieces and set all the
> Makefiles before.
>
> So, what do you recommend to perform such a task?
> May I simply create a shell script that prepares the code or may I use a
> tool to do so (i.e. autoconf ...)?

By now I've made a couple of dirty hacks in order to be able to build
all from root.
I send a diff file for "Makefile" and the script I call "preconf".

> Thanks in advance
>
> M*
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Makefile-diff-build-all-from-root.diff
Type: text/x-patch
Size: 71 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-preconf-script-to-config-all-from-root.sh
Type: application/x-sh
Size: 253 bytes
Desc: not available
URL:
From jdennis at redhat.com Sun Apr 19 17:45:56 2009
From: jdennis at redhat.com (John Dennis)
Date: Sun, 19 Apr 2009 13:45:56 -0400
Subject: [Freeipa-devel] [PATCH] add dynamic hash table data structure implementation (with review modifications)
Message-ID: <49EB6354.8050406@redhat.com>

* add dynamic hash table data structure implementation

Apply suggested fixes by Simo after code review
* return statements no longer use () unless it's an expression
* remove all use of assert() in library
* use bool,true,false instead of int,TRUE,FALSE
* add check for NULL hash table in public entry points
* example code in header file now a separate file

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-add-dynamic-hash-table-data-structure-implementation.patch
Type: application/mbox
Size: 60437 bytes
Desc: not available
URL:
From mnagy at redhat.com Mon Apr 20 09:49:42 2009
From: mnagy at redhat.com (Martin Nagy)
Date: Mon, 20 Apr 2009 11:49:42 +0200
Subject: [Freeipa-devel] [PATCH] add dynamic hash table data structure implementation (with review modifications)
In-Reply-To: <49EB6354.8050406@redhat.com>
References: <49EB6354.8050406@redhat.com>
Message-ID: <20090420114942.6b3d7823@notas>

Hi,
I didn't really review the code, but I took a quick peek out of
curiosity and noticed a few bits.

John Dennis wrote:
> From 5788dcd44bafd76d5d8a843d30c2178ce34397ce Mon Sep 17 00:00:00 2001
> From: John Dennis > Date: Thu, 16 Apr 2009 17:48:13 -0400 > Subject: [PATCH] add dynamic hash table data structure implementation > > Apply suggested fixes by Simo after code review > * return statements no longer use () unless it's an expression You actually don't need () even if it's a more complicated expression. BTW, you don't need to include comments of what changes you did since your last patch in the commit message itself. > +#define SEGMENT_SIZE 32 > +#define SEGMENT_SIZE_SHIFT 5 /* log2(SEGMENT_SIZE) */ > +#define DIRECTORY_SIZE 32 > +#define DIRECTORY_SIZE_SHIFT 5 /* log2(DIRECTORY_SIZE) */ > +#define PRIME_1 37 > +#define PRIME_2 1048583 > +#define DEFAULT_MAX_LOAD_FACTOR 5 > + > + /* > + * Fast arithmetic, relying on powers of 2, and on pre-processor > + * concatenation property > + */ > + > +#define MUL(x,y) ((x) << (y##_SHIFT)) > +#define DIV(x,y) ((x) >> (y##_SHIFT)) > +#define MOD(x,y) ((x) & ((y)-1)) No need for these, please leave this on the compiler. GCC will turn it into shifts even if you don't optimize. Also, you have to be careful with signed integers. Shifting a signed integer to the right is not the same as dividing it. > +struct hash_table_str { > + long p; /* Next bucket to be split */ > + long maxp; /* upper bound on p during expansion */ > + long entry_count; /* current # entries */ > + long bucket_count; /* current # buckets */ > + long segment_count; /* current # segments */ > + long min_load_factor; > + long max_load_factor; > + hash_delete_callback delete_callback; > + segment_t *directory[DIRECTORY_SIZE]; > +#ifdef HASH_STATISTICS > + long hash_accesses, hash_collisions, table_expansions, table_contractions; > +#endif > + > +}; Would it be possible to make some of these members unsigned (see my previous comment)? Also, you're using tabs here (also on couple of other places). Martin From pzuna at redhat.com Mon Apr 20 12:15:52 2009 
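Review bot: the `MUL`/`DIV`/`MOD` macros in the first quoted hunk depend on `SEGMENT_SIZE` and `DIRECTORY_SIZE` being exact powers of two that match their hand-maintained `_SHIFT` constants (`SEGMENT_SIZE 32` / `SEGMENT_SIZE_SHIFT 5`, `DIRECTORY_SIZE 32` / `DIRECTORY_SIZE_SHIFT 5`), but nothing enforces that relationship and `MOD(x,y) ((x) & ((y)-1))` is only correct for power-of-two `y`. If the macros are kept, add a preprocessor check such as `#if SEGMENT_SIZE != (1 << SEGMENT_SIZE_SHIFT)` / `#error` for each pair so the two constants cannot drift apart, and state the power-of-two requirement in the comment above them.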
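Review bot: in the `struct hash_table_str` hunk, `segment_t *directory[DIRECTORY_SIZE]` together with `DIRECTORY_SIZE 32` and `SEGMENT_SIZE 32` caps the table at 1024 buckets, so the expansion path must stop splitting once `bucket_count` reaches `DIRECTORY_SIZE * SEGMENT_SIZE` rather than allocate another segment and index past the end of `directory`. That hard cap, and the fact that the load factor will then exceed `DEFAULT_MAX_LOAD_FACTOR` (5) once the table holds more than about 5120 entries, should be documented in the struct comment so callers know the bound.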
From: pzuna at redhat.com (Pavel Zuna) Date: Mon, 20 Apr 2009 14:15:52 +0200 Subject: [Freeipa-devel] [PATCH] Change help interface to display builtin commands and a list of topics based on plugins. In-Reply-To: <49E8A489.4090005@redhat.com> References: <49DA36FE.2020109@redhat.com> <49E61298.8020307@redhat.com> <49E74806.5090209@redhat.com> <49E7D157.3010808@redhat.com> <49E83CA6.8040403@redhat.com> <49E8A489.4090005@redhat.com> Message-ID: <49EC6778.3070000@redhat.com> Rob Crittenden wrote: > Pavel Zuna wrote: >> David O'Brien wrote: >>> Pavel Zuna wrote: >>>> Rob Crittenden wrote: >>>>> Pavel Zuna wrote: >>>>>> This is more of a suggestion than a real patch. I thought it might >>>>>> be easier to actually show what I had in mind than explaining it. >>>>>> Sometimes code is more than words. :) >>>>>> >>>>>> Pavel >>>>> >>>>> I think this is a good start. The output looks like: >>>>> >>>>> $ ipa >>>>> Usage: ipa [global-options] COMMAND ... >>>>> >>>>> Use `ipa help TOPIC` for command listings. >>>>> >>>>> Topics: >>>>> general General IPA management. >>>>> aci ACI object. >>>>> application Application object >>>>> automount Automount object. >>>>> delegation Delegation object. >>>>> group group object. >>>>> host Host object. >>>>> hostgroup hostgroup object. >>>>> netgroup netgroup object. >>>>> rolegroup rolegroup object. >>>>> service Service object. >>>>> taskgroup taskgroup object. >>>>> user User object. >>>>> >>>>> Try `ipa --help` for a list of global options. >>>>> >>>>> It looks like you dumped things that aren't related to a top-level >>>>> class into general (things like passwd, the cert commands, and a >>>>> few others). I guess they have to go somewhere, just not sure I'd >>>>> know to look in general if I was a new user. >>>>> >>>>> Should we mandate an Object for every plugin? Or include the list >>>>> of these general commands in the main topics list? 
That might be >>>>> confusing too because that would mean that 'env' is on the same >>>>> level as 'user'. >>>>> >>>>> Any suggestions? >>>>> >>>>> The patch is good and we could easily just apply this but I don't >>>>> want to forget about these issues. In any case we'll want to go >>>>> into each plugin and set the Object documentation to be more >>>>> descriptive. >>>>> >>>>> rob >>>> I wrote another version of the help interface today taking into >>>> consideration the issues you mentioned. It's based on plugins this >>>> time instead of objects. >>>> >>>> The output looks like this: >>>> >>>> $ ipa >>>> Usage: ipa [global-options] COMMAND ... >>>> >>>> Built-in commands: >>>> console Start the IPA interactive Python console. >>>> help Display help for a command or topic. >>>> >>>> Help topics: >>>> aci Frontend plugins for managing DS ACIs >>>> application Frontend plugins for application policy containers. >>>> automount Frontend plugins for automount. >>>> defaultoptions Frontend plugin for default options in IPA. >>>> delegation Frontend plugins for delegations. >>>> dns Frontend plugin for DNS management. >>>> group Frontend plugins for groups. >>>> hbac Frontend plugin for HBAC management. >>>> host Frontend plugins for host/machine Identity. >>>> hostgroup Frontend plugins for hostgroups. >>>> join Machine join >>>> misc Misc frontend plugins. >>>> netgroup Frontend plugins for netgroups. >>>> passwd Frontend plugins for password changes. >>>> pwpolicy Frontend plugins for password policy. >>>> rolegroup Frontend plugins for rolegroups. >>>> service Frontend plugins for service (Identity). >>>> taskgroup Frontend plugins for taskgroups. >>>> user Frontend plugins for user (Identity). >>>> >>>> Try `ipa --help` for a list of global options. >>>> >>>> Commands not originating from plugins are listed as built-ins. The >>>> short description for topics is taken from the first line of the >>>> module's docstring. 
>>>> >>>> The code itself is a bit hacky, because I just couldn't find any >>>> better way to get every plugin module, it's docstring a list of >>>> commands it implements. I'll rewrite it if necessary. >>>> >>>> Pavel >>>> ------------------------------------------------------------------------ >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> How much work is involved in editing the first line of a module's >>> docstring? Is it developer-only territory or straight-forward enough >>> that I could do it? >>> >>> I ask because I'm interested in keeping everything related to doc, >>> help, etc., on an even keel and consistent, which in this case means: >>> s/plugin/plug-in >>> s/backend/back-end >>> s/frontend/front-end >>> >>> I would also review the use of terms like "host/machine", because in >>> IPA 2.0 "host" refers to the host object specifically created to >>> represent the host *machine*, and which exists as a new object in DS. >>> "Machine", on the other hand, refers to the computer itself. (This >>> gets trickier when we start talking about the "host" where a virtual >>> machine is running.) Hopefully my understanding of host objects and >>> machines is correct here. >>> >>> So, in the case of "host : Frontend plugins for host/machine >>> Identity." I'd suggest a change to "host : Front-end plug-ins for >>> machine identity." >>> >>> 1. front-end (as per style guide) >>> 2. plug-ins (as per style guide) >>> 3. machine (we're identifying the machine, and using the host object >>> to do it) >>> 4. identity (lower case) >>> >>> regards, >>> >> Docstrings are a feature of python for associating documentation with >> objects like modules, classes, function, etc. in the code. They are >> meant for developers, but are easy to spot and edit. 
>> They are always surrounded with 3 double quotes on both sides, like this:
>>
>> """docstring - this is the first line containing text, short help"""
>>
>> """
>> docstring - this is the first line containing text, short help
>>
>> blablabla
>> """
>>
>> Module docstrings are always located at the top of the file before any
>> code, usually just after the authors/license comments (starting with #).
>>
>> Command docstrings can be found at the beginning of its class
>> definition. For example, if we have a command named Foo in plugin
>> module Bar:
>>
>> (contents of ipalib/plugins/Bar.py)
>> ...
>>
>> class Foo(Command):
>>     """
>>     docstring - first line, short description of what the command does
>>
>>     more information displayed on `ipa help Foo`
>>     """
>>
>> ...
>>
>> The current text in the modules' docstrings was not meant to be displayed
>> as help for topics. If we're going to use this help scheme, they'll
>> have to be rewritten.
>>
>> For topics, I think the first line should say what the topic is, so
>> the output looks something like this:
>>
>> Topics:
>>   aci   Directory Server Access Control Instructions
>>   hbac  Host-Based Access Control
>>   ...
>>
>> Additional lines should offer more in depth information, possibly with
>> links to online docs.
>>
>> Pavel
>
> Pavel, can you update the topic descriptions along with this patch? Then
> I'll ack both. I think we're going to have to get this in place and use
> it a while to see what fine-tuning it needs. I think this is the right
> approach though.
>
> rob

There, I also made some small changes to the code and added a few
comments to make it a little more readable.

Pavel
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Change-help-interface-to-display-builtin-commands-an.patch
URL:
From sgallagh at redhat.com Mon Apr 20 12:28:46 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 20 Apr 2009 08:28:46 -0400
Subject: [Freeipa-devel] Re: Need Advice on "DEB" packaging.
In-Reply-To:
References: <1240053527.5138.1.camel@crow>
Message-ID: <49EC6A7E.6030009@redhat.com>

Miguel P.C. wrote:
>> Hello everyone!
>>
>> I've finally done my first package for ubuntu. I'd like to thank you for
>> the help and support received.
>>
>> Now I'm trying to package SSSD (BTW I like this name) and it would be
>> really good to have the chance to compile all the pieces with a simple
>> "make all" in the root directory. I'd like to work this way but, to do
>> so, I need to have a script to configure all the pieces and set all the
>> Makefiles before.
>>
>> So, what do you recommend to perform such a task?
>> May I simply create a shell script that prepares the code or may I use a
>> tool to do so (i.e. autoconf ...)?
>
> By now I've made a couple of dirty hacks in order to be able to
> build all from root.
> I send a diff file for "Makefile" and the script I call "preconf".
>
>> Thanks in advance
>>
>> M*
>>

Miguel, these patches are appreciated, but ultimately they will be
unnecessary. Please see https://fedorahosted.org/sssd/ticket/16

We will be converting the complete build system to full autotools,
within a month, rather than our current home-grown Makefile system.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jhrozek at redhat.com Mon Apr 20 17:40:48 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 20 Apr 2009 19:40:48 +0200
Subject: [Freeipa-devel] [PATCH] sssd 0.3.2
Message-ID: <1240249248.3445.7.camel@zeppelin.englab.brq.redhat.com>

As agreed on IRC with Stephen, we'll try to break the Fedora freeze and
release a bugfix 0.3.2 version of sssd that contains the PAM fixes Simo
did last week. The attached patch bumps the appropriate version strings.

I don't have write access to git, so I can't tag the release in there as
Simo does, someone else has to do it.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-sssd-0.3.2.patch
Type: text/x-patch
Size: 1880 bytes
Desc: not available
URL:
From jderose at redhat.com Mon Apr 20 17:47:45 2009
From: jderose at redhat.com (Jason Gerard DeRose) Date: Mon, 20 Apr 2009 11:47:45 -0600 Subject: [Freeipa-devel] [PATCH] Add more sophisticated help interface. Split commands into 'topics'. In-Reply-To: <49E7D157.3010808@redhat.com> References: <49DA36FE.2020109@redhat.com> <49E61298.8020307@redhat.com> <49E74806.5090209@redhat.com> <49E7D157.3010808@redhat.com> Message-ID: <1240249665.6921.59.camel@jgd-dsk> On Fri, 2009-04-17 at 10:46 +1000, David O'Brien wrote: > Pavel Zuna wrote: > > Rob Crittenden wrote: > >> Pavel Zuna wrote: > >>> This is more of a suggestion than a real patch. I thought it might > >>> be easier to actually show what I had in mind than explaining it. > >>> Sometimes code is more than words. :) > >>> > >>> Pavel > >> > >> I think this is a good start. The output looks like: > >> > >> $ ipa > >> Usage: ipa [global-options] COMMAND ... > >> > >> Use `ipa help TOPIC` for command listings. > >> > >> Topics: > >> general General IPA management. > >> aci ACI object. > >> application Application object > >> automount Automount object. > >> delegation Delegation object. > >> group group object. > >> host Host object. > >> hostgroup hostgroup object. > >> netgroup netgroup object. > >> rolegroup rolegroup object. > >> service Service object. > >> taskgroup taskgroup object. > >> user User object. > >> > >> Try `ipa --help` for a list of global options. > >> > >> It looks like you dumped things that aren't related to a top-level > >> class into general (things like passwd, the cert commands, and a few > >> others). I guess they have to go somewhere, just not sure I'd know to > >> look in general if I was a new user. > >> > >> Should we mandate an Object for every plugin? Or include the list of > >> these general commands in the main topics list? That might be > >> confusing too because that would mean that 'env' is on the same level > >> as 'user'. > >> > >> Any suggestions? 
> >> > >> The patch is good and we could easily just apply this but I don't > >> want to forget about these issues. In any case we'll want to go into > >> each plugin and set the Object documentation to be more descriptive. > >> > >> rob > > I wrote another version of the help interface today taking into > > consideration the issues you mentioned. It's based on plugins this > > time instead of objects. > > > > The output looks like this: > > > > $ ipa > > Usage: ipa [global-options] COMMAND ... > > > > Built-in commands: > > console Start the IPA interactive Python console. > > help Display help for a command or topic. > > > > Help topics: > > aci Frontend plugins for managing DS ACIs > > application Frontend plugins for application policy containers. > > automount Frontend plugins for automount. > > defaultoptions Frontend plugin for default options in IPA. > > delegation Frontend plugins for delegations. > > dns Frontend plugin for DNS management. > > group Frontend plugins for groups. > > hbac Frontend plugin for HBAC management. > > host Frontend plugins for host/machine Identity. > > hostgroup Frontend plugins for hostgroups. > > join Machine join > > misc Misc frontend plugins. > > netgroup Frontend plugins for netgroups. > > passwd Frontend plugins for password changes. > > pwpolicy Frontend plugins for password policy. > > rolegroup Frontend plugins for rolegroups. > > service Frontend plugins for service (Identity). > > taskgroup Frontend plugins for taskgroups. > > user Frontend plugins for user (Identity). > > > > Try `ipa --help` for a list of global options. I think these docstrings should not include the phrase "frontend plugins". I think changing them to read something like this would be better: aci Commands to manage access control ACIs. application Commands to manage application policy containers. automount Commands to manage automount maps. Or something like that, perhaps even more concise.
> > Commands not originating from plugins are listed as built-ins. The > > short description for topics is taken from the first line of the > > module's docstring. > > > > The code itself is a bit hacky, because I just couldn't find any > > better way to get every plugin module, its docstring and a list of > > commands it implements. I'll rewrite it if necessary. > > > > Pavel > > ------------------------------------------------------------------------ > > > > _______________________________________________ > > Freeipa-devel mailing list > > Freeipa-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-devel > How much work is involved in editing the first line of a module's > docstring? Is it developer-only territory or straight-forward enough > that I could do it? It's straightforward. > I ask because I'm interested in keeping everything related to doc, help, > etc., on an even keel and consistent, which in this case means: > s/plugin/plug-in > s/backend/back-end > s/frontend/front-end As mentioned, in this case we should use more concise docstrings instead. I think it's a great idea to have the CLI help and the documentation be consistent where possible, but the help docstrings are very space constrained because ideally they should be short enough so as to not wrap on an 80 character wide terminal. > I would also review the use of terms like "host/machine", because in IPA > 2.0 "host" refers to the host object specifically created to represent > the host *machine*, and which exists as a new object in DS. "Machine", > on the other hand, refers to the computer itself. (This gets trickier > when we start talking about the "host" where a virtual machine is > running.) Hopefully my understanding of host objects and machines is > correct here. > > So, in the case of "host : Frontend plugins for host/machine Identity." > I'd suggest a change to "host : Front-end plug-ins for machine identity." > > 1. front-end (as per style guide) > 2.
plug-ins (as per style guide) > 3. machine (we're identifying the machine, and using the host object to > do it) > 4. identity (lower case) > > regards, >

From sgallagh at redhat.com Mon Apr 20 18:00:30 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 20 Apr 2009 14:00:30 -0400 Subject: [Freeipa-devel] [PATCH] sssd 0.3.2 In-Reply-To: <1240249248.3445.7.camel@zeppelin.englab.brq.redhat.com> References: <1240249248.3445.7.camel@zeppelin.englab.brq.redhat.com> Message-ID: <49ECB83E.1060808@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jakub Hrozek wrote: > As agreed on IRC with Stephen, we'll try to break the Fedora freeze and > release a bugfix 0.3.2 version of sssd that contains the PAM fixes Simo > did last week. > > The attached patch bumps the appropriate version strings. I don't have > write access to git, so I can't tag the release in there as Simo does, > someone else has to do it. > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Ack, pushed and tagged. - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAknsuDkACgkQeiVVYja6o6NRngCcCbTuFtaoBH+DgTIc8X1Bz9lP q9sAoIlmoZw2rPLaiYs4ZXdjFVpJuFqA =7CHu -----END PGP SIGNATURE-----

From rcritten at redhat.com Mon Apr 20 18:01:32 2009
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Apr 2009 14:01:32 -0400 Subject: [Freeipa-devel] [PATCH] GSSAPI error handling In-Reply-To: <1240003882.3696.46.camel@localhost.localdomain> References: <49E3B6BA.80201@redhat.com> <1240003882.3696.46.camel@localhost.localdomain> Message-ID: <49ECB87C.9030800@redhat.com> Simo Sorce wrote: > On Mon, 2009-04-13 at 18:03 -0400, Rob Crittenden wrote: >> Handle GSSAPI errors in a more graceful way (try #2). > > Looks good to me, > ack > > Simo. > pushed to master From rcritten at redhat.com Mon Apr 20 18:02:08 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Apr 2009 14:02:08 -0400 Subject: [Freeipa-devel] [PATCH] Finish work replacing errors.py with errors2.py In-Reply-To: <1240004302.3696.47.camel@localhost.localdomain> References: <49E5F0C7.202@redhat.com> <1240004302.3696.47.camel@localhost.localdomain> Message-ID: <49ECB8A0.20308@redhat.com> Simo Sorce wrote: > On Wed, 2009-04-15 at 10:35 -0400, Rob Crittenden wrote: >> Finish up the work replacing errors.py with errors2.py. >> >> I went ahead and updated both the old and the new ldap modules so we >> could get this done. >> >> The next step will be to rename errors2 to errors. I didn't do that >> here >> in order to simplify the review process. That patch will be done once >> this one is committed (it will be a super-trivial but very long >> patch). > > looks good > (although I'd split reformatting fixes in a separate patch) > > Simo. > I split the whitespace changes into a separate commit. My editor automatically did that whitespace removal :-) pushed to master rob From rcritten at redhat.com Mon Apr 20 18:02:15 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Apr 2009 14:02:15 -0400 Subject: [Freeipa-devel] [PATCH] more CA installer work In-Reply-To: <1240004860.3696.56.camel@localhost.localdomain> References: <49E37A17.3020300@redhat.com> <1240004860.3696.56.camel@localhost.localdomain> Message-ID: <49ECB8A7.8090103@redhat.com> Simo Sorce wrote: > On Mon, 2009-04-13 at 13:44 -0400, Rob Crittenden wrote: >> This patch lets us issue DS and Apache server certs during CA >> installation. >> >> It also: >> - will create a CA instance (pki-ca) if it doesn't exist >> - maintains support for a self-signed CA >> - A signing cert is still not created so Firefox autoconfig still >> won't work >> >> Once I get an object signing profile for dogtag we can generate a >> signing cert and do the jar signing for Firefox. > > ack > pushed to master From rcritten at redhat.com Mon Apr 20 18:02:22 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Apr 2009 14:02:22 -0400 Subject: [Freeipa-devel] [PATCH] make RA plugin use nsslib In-Reply-To: <1240004998.3696.59.camel@localhost.localdomain> References: <49E37BB6.3020100@redhat.com> <1240004998.3696.59.camel@localhost.localdomain> Message-ID: <49ECB8AE.70607@redhat.com> Simo Sorce wrote: > On Mon, 2009-04-13 at 13:51 -0400, Rob Crittenden wrote: >> Convert the RA plugin from using sslget to use nsslib instead. This >> makes SELinux happier too. >> >> I'm also removing the bootstrap code from the plugin. All of this is >> handled by the installer. > > ack > pushed to master From rcritten at redhat.com Mon Apr 20 18:02:41 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Apr 2009 14:02:41 -0400 Subject: [Freeipa-devel] [PATCH] add signing cert profile to installer In-Reply-To: <1240005004.3696.60.camel@localhost.localdomain> References: <49E8A213.2010502@redhat.com> <49E8F241.3030302@redhat.com> <1240005004.3696.60.camel@localhost.localdomain> Message-ID: <49ECB8C1.7020604@redhat.com> Simo Sorce wrote: > On Fri, 2009-04-17 at 17:18 -0400, Rob Crittenden wrote: >> Rob Crittenden wrote: >>> This patch adds a signing cert profile to dogtag that we use to >> generate >>> an object signing cert that will work with signtool. We use this to >>> create the signed jar file in order to do autoconfiguration in >> Firefox. >>> This patch also does some file permission cleanup and fixes a few >>> leaking fds. >>> >> I goofed on the commit. It only contained the new file. Here is a >> revised patch. > > > I see we allow using MD5withRSA and MD2withRSA signatures, should we > restrict by default to SHA only ? > > otherwise ack > > Simo. > Hmm, good point. Andrew, any reason not to remove these? rob From jderose at redhat.com Mon Apr 20 18:54:25 2009 
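Added example for Simo's review point above (editor-supplied illustration, not FreeIPA code and not the patch under review): a small audit of a dogtag-style profile text that flags every signing-algorithm setting still admitting MD2 or MD5 and writes out a hardened copy. The profile lines are constructed; the key names `signingAlgsAllowed` and `signingAlg` follow the dogtag profile convention as I remember it and are an assumption here. SHA1withRSA survives the default hardening only because the thread asks for "SHA only"; the `weak` parameter shows how a current deployment would drop it as well.

```python
import re

# Hash algorithms that have no business in a CA signing profile: MD2 and MD5
# are broken (MD5 collisions are practical), and an allowed-list that still
# contains them lets a requester pick the weakest hash on offer.
WEAK_HASHES = ('MD2', 'MD5')

# Profile keys as used in dogtag profile files (assumed from memory, not taken
# from the patch): the constraint lists the algorithms a request may ask for,
# the default is the one used when the request names none.
ALLOWED_RE = re.compile(r'^(?P<key>.*\.signingAlgsAllowed)=(?P<val>.*)$')
DEFAULT_RE = re.compile(r'^(?P<key>.*\.signingAlg)=(?P<val>.*)$')

# Constructed profile fragment for the demo; a real signing profile is longer
# and lives inside the dogtag instance.
SAMPLE_PROFILE = """\
policyset.signingCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.signingCertSet.8.constraint.name=No Constraint
policyset.signingCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA
policyset.signingCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.signingCertSet.8.default.name=Signing Alg
policyset.signingCertSet.8.default.params.signingAlg=MD5withRSA
"""


def is_weak(alg, weak=WEAK_HASHES):
    """True for e.g. 'MD5withRSA'; '-' (use the CA's own algorithm) is not weak."""
    return alg.strip().upper().startswith(weak)


def split_algs(value):
    return [a.strip() for a in value.split(',') if a.strip()]


def audit_profile(text, weak=WEAK_HASHES):
    """Map each offending profile key to the weak algorithms it admits."""
    findings = {}
    for line in text.splitlines():
        m = ALLOWED_RE.match(line) or DEFAULT_RE.match(line)
        if not m:
            continue
        bad = [a for a in split_algs(m.group('val')) if is_weak(a, weak)]
        if bad:
            findings[m.group('key')] = bad
    return findings


def harden_profile(text, weak=WEAK_HASHES, replacement='SHA256withRSA'):
    """Return the profile with weak entries dropped from the allowed list and a
    weak default replaced; every other line passes through unchanged."""
    out = []
    for line in text.splitlines():
        m = ALLOWED_RE.match(line)
        if m:
            kept = [a for a in split_algs(m.group('val')) if not is_weak(a, weak)]
            out.append('%s=%s' % (m.group('key'), ','.join(kept or [replacement])))
            continue
        m = DEFAULT_RE.match(line)
        if m and is_weak(m.group('val'), weak):
            out.append('%s=%s' % (m.group('key'), replacement))
            continue
        out.append(line)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for key, algs in sorted(audit_profile(SAMPLE_PROFILE).items()):
        print('weak: %s -> %s' % (key, ', '.join(algs)))
    print(harden_profile(SAMPLE_PROFILE))
```

Running the audit again on the hardened text is the check that matters: the allowed list is what the CA enforces, so removing the default alone would still let a CSR request MD5.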
From: jderose at redhat.com (Jason Gerard DeRose) Date: Mon, 20 Apr 2009 12:54:25 -0600 Subject: [Freeipa-devel] [PATCH] Finish work replacing errors.py with errors2.py In-Reply-To: <49ECB8A0.20308@redhat.com> References: <49E5F0C7.202@redhat.com> <1240004302.3696.47.camel@localhost.localdomain> <49ECB8A0.20308@redhat.com> Message-ID: <1240253665.6921.68.camel@jgd-dsk> On Mon, 2009-04-20 at 14:02 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > On Wed, 2009-04-15 at 10:35 -0400, Rob Crittenden wrote: > >> Finish up the work replacing errors.py with errors2.py. > >> > >> I went ahead and updated both the old and the new ldap modules so we > >> could get this done. > >> > >> The next step will be to rename errors2 to errors. I didn't do that > >> here > >> in order to simplify the review process. That patch will be done once > >> this one is committed (it will be a super-trivial but very long > >> patch). > > > > looks good > > (although I'd split reformatting fixes in a separate patch) > > > > Simo. > > > > I split the whitespace changes into a separate commit. My editor > automatically did that whitespace removal :-) > > pushed to master > > rob Thanks, Rob. We should really all have our editors configured to strip trailing whitespace... it helps keep the diffs meaningful and readable. From ssorce at redhat.com Mon Apr 20 20:23:24 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 20 Apr 2009 16:23:24 -0400 Subject: [Freeipa-devel] [PATCH] Finish work replacing errors.py with errors2.py In-Reply-To: <1240253665.6921.68.camel@jgd-dsk> References: <49E5F0C7.202@redhat.com> <1240004302.3696.47.camel@localhost.localdomain> <49ECB8A0.20308@redhat.com> <1240253665.6921.68.camel@jgd-dsk> Message-ID: <1240259004.32546.4.camel@hopeson> On Mon, 2009-04-20 at 12:54 -0600, Jason Gerard DeRose wrote: > On Mon, 2009-04-20 at 14:02 -0400, Rob Crittenden wrote: > > Simo Sorce wrote: > > > On Wed, 2009-04-15 at 10:35 -0400, Rob Crittenden wrote: > > >> Finish up the work replacing errors.py with errors2.py. > > >> > > >> I went ahead and updated both the old and the new ldap modules so we > > >> could get this done. > > >> > > >> The next step will be to rename errors2 to errors. I didn't do that > > >> here > > >> in order to simplify the review process. That patch will be done once > > >> this one is committed (it will be a super-trivial but very long > > >> patch). > > > > > > looks good > > > (although I'd split reformatting fixes in a separate patch) > > > > > > Simo. > > > > > > > I split the whitespace changes into a separate commit. My editor > > automatically did that whitespace removal :-) > > > > pushed to master > > > > rob > > Thanks, Rob. > > We should really all have our editors configured to strip trailing > whitespace... it helps keep the diffs meaningful and readable. Or change our git config to always use --whitespace=fix :-) Simo.

From ssorce at redhat.com Mon Apr 20 21:10:12 2009
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 20 Apr 2009 17:10:12 -0400 Subject: [Freeipa-devel] [PATCH] Add release script Message-ID: <1240261812.32546.9.camel@hopeson> Attached a very simple release script to be run in the git root: ./script/release.sh It generates a tarball using the version in server/configure.ac and signs it with your gpg key. Simo. -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Add-a-release-script-to-help-building-tarballs.patch Type: application/mbox Size: 834 bytes Desc: not available URL: From rcritten at redhat.com Mon Apr 20 21:12:02 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Apr 2009 17:12:02 -0400 Subject: [Freeipa-devel] [PATCH] Rename errors2.py to errors.py Message-ID: <49ECE522.2080406@redhat.com> The renaming will be completed with this patch. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-181-errors.patch Type: application/mbox Size: 140607 bytes Desc: not available URL: From rcritten at redhat.com Mon Apr 20 21:14:19 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Apr 2009 17:14:19 -0400 Subject: [Freeipa-devel] [PATCH] Add release script In-Reply-To: <1240261812.32546.9.camel@hopeson> References: <1240261812.32546.9.camel@hopeson> Message-ID: <49ECE5AB.3090001@redhat.com> Simo Sorce wrote: > Attached a very simple release script to be run in the git root: > ./script/release.sh > > It generates a tarball using the version in server/configure.ac and > signs it with your gpg key. > > > Simo. ack. One suggestion would be to add a test for gpg and either not try to sign the tarball or not create it at all. Perhaps run gpg --list-keys to see if a key exists. rob From ssorce at redhat.com Mon Apr 20 21:15:47 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 20 Apr 2009 17:15:47 -0400 Subject: [Freeipa-devel] [PATCH] Add release script In-Reply-To: <49ECE5AB.3090001@redhat.com> References: <1240261812.32546.9.camel@hopeson> <49ECE5AB.3090001@redhat.com> Message-ID: <1240262147.32546.12.camel@hopeson> On Mon, 2009-04-20 at 17:14 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > Attached a very simple release script to be run in the git root: > > ./script/release.sh > > > > It generates a tarball using the version in server/configure.ac and > > signs it with your gpg key. > > > > > > Simo. > > ack. > > One suggestion would be to add a test for gpg and either not try to sign > the tarball or not create it at all. Perhaps run gpg --list-keys to see > if a key exists. Well, worst case it will error out, given the script is just for release managers I guess that's ok. Once we have a release key, maybe we will make sure that we are actually using the right key. But for now I think it is ok to just throw gpg errors :) Simo. From ssorce at redhat.com Mon Apr 20 21:16:25 2009 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 20 Apr 2009 17:16:25 -0400 Subject: [Freeipa-devel] [PATCH] Add release script In-Reply-To: <49ECE5AB.3090001@redhat.com> References: <1240261812.32546.9.camel@hopeson> <49ECE5AB.3090001@redhat.com> Message-ID: <1240262185.32546.14.camel@hopeson> On Mon, 2009-04-20 at 17:14 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > Attached a very simple release script to be run in the git root: > > ./script/release.sh > > > > It generates a tarball using the version in server/configure.ac and > > signs it with your gpg key. > > > > > > Simo. > > ack. > > One suggestion would be to add a test for gpg and either not try to sign > the tarball or not create it at all. Perhaps run gpg --list-keys to see > if a key exists. pushed Simo. From mnagy at redhat.com Mon Apr 20 21:30:48 2009 
From: mnagy at redhat.com (Martin Nagy) Date: Mon, 20 Apr 2009 23:30:48 +0200 Subject: [Freeipa-devel] [PATCH] Rename errors2.py to errors.py In-Reply-To: <49ECE522.2080406@redhat.com> References: <49ECE522.2080406@redhat.com> Message-ID: <20090420233048.59dccb18@notas> Rob Crittenden wrote: > The renaming will be completed with this patch. > > rob Tip for today: use -M when generating patches with renames to avoid big patches :) [1] [1] http://lkml.org/lkml/2009/4/9/367 Martin From davido at redhat.com Mon Apr 20 22:21:40 2009 
From: davido at redhat.com (David O'Brien) Date: Tue, 21 Apr 2009 08:21:40 +1000 Subject: [Freeipa-devel] [PATCH] Add more sophisticated help interface. Split commands into 'topics'. In-Reply-To: <1240249665.6921.59.camel@jgd-dsk> References: <49DA36FE.2020109@redhat.com> <49E61298.8020307@redhat.com> <49E74806.5090209@redhat.com> <49E7D157.3010808@redhat.com> <1240249665.6921.59.camel@jgd-dsk> Message-ID: <49ECF574.3040508@redhat.com> Jason Gerard DeRose wrote: > On Fri, 2009-04-17 at 10:46 +1000, David O'Brien wrote: > >> Pavel Zuna wrote: >> >>> Rob Crittenden wrote: >>> >>>> Pavel Zuna wrote: >>>> >>>>> This is more of a suggestion than a real patch. I thought it might >>>>> be easier to actually show what I had in mind than explaining it. >>>>> Sometimes code is more than words. :) >>>>> >>>>> Pavel >>>>> >>>> I think this is a good start. The output looks like: >>>> >>>> $ ipa >>>> Usage: ipa [global-options] COMMAND ... >>>> >>>> Use `ipa help TOPIC` for command listings. >>>> >>>> Topics: >>>> general General IPA management. >>>> aci ACI object. >>>> application Application object >>>> automount Automount object. >>>> delegation Delegation object. >>>> group group object. >>>> host Host object. >>>> hostgroup hostgroup object. >>>> netgroup netgroup object. >>>> rolegroup rolegroup object. >>>> service Service object. >>>> taskgroup taskgroup object. >>>> user User object. >>>> >>>> Try `ipa --help` for a list of global options. >>>> >>>> It looks like you dumped things that aren't related to a top-level >>>> class into general (things like passwd, the cert commands, and a few >>>> others). I guess they have to go somewhere, just not sure I'd know to >>>> look in general if I was a new user. >>>> >>>> Should we mandate an Object for every plugin? Or include the list of >>>> these general commands in the main topics list? That might be >>>> confusing too because that would mean that 'env' is on the same level >>>> as 'user'. >>>> >>>> Any suggestions? 
>>>> >>>> The patch is good and we could easily just apply this but I don't >>>> want to forget about these issues. In any case we'll want to go into >>>> each plugin and set the Object documentation to be more descriptive. >>>> >>>> rob >>>> >>> I wrote another version of the help interface today taking into >>> consideration the issues you mentioned. It's based on plugins this >>> time instead of objects. >>> >>> The output looks like this: >>> >>> $ ipa >>> Usage: ipa [global-options] COMMAND ... >>> >>> Built-in commands: >>> console Start the IPA interactive Python console. >>> help Display help for a command or topic. >>> >>> Help topics: >>> aci Frontend plugins for managing DS ACIs >>> application Frontend plugins for application policy containers. >>> automount Frontend plugins for automount. >>> defaultoptions Frontend plugin for default options in IPA. >>> delegation Frontend plugins for delegations. >>> dns Frontend plugin for DNS management. >>> group Frontend plugins for groups. >>> hbac Frontend plugin for HBAC management. >>> host Frontend plugins for host/machine Identity. >>> hostgroup Frontend plugins for hostgroups. >>> join Machine join >>> misc Misc frontend plugins. >>> netgroup Frontend plugins for netgroups. >>> passwd Frontend plugins for password changes. >>> pwpolicy Frontend plugins for password policy. >>> rolegroup Frontend plugins for rolegroups. >>> service Frontend plugins for service (Identity). >>> taskgroup Frontend plugins for taskgroups. >>> user Frontend plugins for user (Identity). >>> >>> Try `ipa --help` for a list of global options. >>> > > I think these docstrings should not include the phrase "frontend > plugins". I think changing them to read something like this would be > better: > > aci Commands to manage access control ACIs. > application Commands to manage application policy containers. > automount Commands to manage automount maps. > > Or something like that, perhaps even more concise.
> > >>> Commands not originating from plugins are listed as built-ins. The >>> short description for topics is taken from the first line of the >>> module's docstring. >>> >>> The code itself is a bit hacky, because I just couldn't find any >>> better way to get every plugin module, its docstring and a list of >>> commands it implements. I'll rewrite it if necessary. >>> >>> Pavel >>> ------------------------------------------------------------------------ >>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> >> How much work is involved in editing the first line of a module's >> docstring? Is it developer-only territory or straight-forward enough >> that I could do it? >> > > It's straightforward. > > >> I ask because I'm interested in keeping everything related to doc, help, >> etc., on an even keel and consistent, which in this case means: >> s/plugin/plug-in >> s/backend/back-end >> s/frontend/front-end >> > > As mentioned, in this case we should use more concise docstrings > instead. I think it's a great idea to have the CLI help and the > documentation be consistent where possible, but the help docstrings are > very space constrained because ideally they should be short enough so as to > not wrap on an 80 character wide terminal. > > OK, I'm happy to go either way, providing suggestions like I am here, or being more actively involved, editing directly and providing patches. What's the process? >> I would also review the use of terms like "host/machine", because in IPA >> 2.0 "host" refers to the host object specifically created to represent >> the host *machine*, and which exists as a new object in DS. "Machine", >> on the other hand, refers to the computer itself. (This gets trickier >> when we start talking about the "host" where a virtual machine is >> running.) Hopefully my understanding of host objects and machines is >> correct here.
>> >> So, in the case of "host : Frontend plugins for host/machine Identity." >> I'd suggest a change to "host : Front-end plug-ins for machine identity." >> >> 1. front-end (as per style guide) >> 2. plug-ins (as per style guide) >> 3. machine (we're identifying the machine, and using the host object to >> do it) >> 4. identity (lower case) >> >> regards, >> >> > > -- David O'Brien IPA Content Author Red Hat Asia Pacific +61 7 3514 8189 "The most valuable of all talents is that of never using two words when one will do." Thomas Jefferson From rcritten at redhat.com Tue Apr 21 12:05:02 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 21 Apr 2009 08:05:02 -0400 Subject: [Freeipa-devel] [PATCH] Add more sophisticated help interface. Split commands into 'topics'. In-Reply-To: <49ECF574.3040508@redhat.com> References: <49DA36FE.2020109@redhat.com> <49E61298.8020307@redhat.com> <49E74806.5090209@redhat.com> <49E7D157.3010808@redhat.com> <1240249665.6921.59.camel@jgd-dsk> <49ECF574.3040508@redhat.com> Message-ID: <49EDB66E.4040003@redhat.com> David O'Brien wrote: > Jason Gerard DeRose wrote: >> As mentioned, in this case I we should use more concise docstrings >> instead. I think it's a great idea to have the CLI help and the >> documentation be consistent where possible, but the help docstrings have >> very space constrained because ideally the should be short enough as to >> not wrap on a 80 character wide terminal. >> >> > OK, I'm happy to go either way, providing suggestions like I am here, or > being more actively involved, editing directly and providing patches. > What's the process? Pull the source to our git tree: git clone git://git.fedorahosted.org/git/freeipa.git Modify the docstrings in the plugins (ipalib/plugins/*.py) In this case the docstring to look at is the first one after the copyright. It will look something like the one in user.py: """ Frontend plugins for user (Identity). """ Make your change, commit it and send a patch to this list: $ ipalib/plugins/ [ repeat as needed ] $ git commit -a $ git format-patch -1 $ [send the output file to this list as an attachment] Note that the -1 for the git format-patch pulls only the *last* change you did. I'd recommend this way for starting out so you can clearly see what changes have been made and sent for review. rob From pzuna at redhat.com Tue Apr 21 13:36:00 2009 
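For anyone following Rob's instructions above, here is an added example (editor-supplied, not ipalib's help code) of the mechanism Pavel described earlier in the thread: the topic summary is the first line of each plugin module's docstring, collected with pkgutil, and every rendered line is checked against Jason's 80-column limit so an over-long docstring is caught before it ships. The package and its modules are constructed in a temporary directory so the example runs stand-alone; `ipalib.plugins` itself is not imported and the module names are made up.

```python
import importlib
import pkgutil
import sys
import tempfile
from pathlib import Path

MAX_WIDTH = 80   # a topic line must not wrap on an 80-column terminal


def topic_summary(module):
    """First line of the module docstring, which is what the help shows per topic."""
    doc = (module.__doc__ or '').strip()
    return doc.splitlines()[0].strip() if doc else '(no description)'


def collect_topics(package):
    """(name, summary) for every module in the package, sorted by name."""
    topics = []
    for info in pkgutil.iter_modules(package.__path__):
        mod = importlib.import_module('%s.%s' % (package.__name__, info.name))
        topics.append((info.name, topic_summary(mod)))
    return sorted(topics)


def render_topics(topics, width=MAX_WIDTH):
    """Lay the topics out in two columns and report the names whose line
    exceeds `width`, so the docstring can be shortened."""
    col = max(len(name) for name, _ in topics) + 2
    lines, too_long = [], []
    for name, summary in topics:
        line = '  %s%s' % (name.ljust(col), summary)
        lines.append(line)
        if len(line) > width:
            too_long.append(name)
    return lines, too_long


def build_demo_package():
    """Write a throwaway package with constructed plugin modules to a temp dir.
    It stands in for ipalib/plugins/*.py; the contents are invented here."""
    root = Path(tempfile.mkdtemp())
    pkg = root / 'demo_plugins'
    pkg.mkdir()
    (pkg / '__init__.py').write_text('')
    (pkg / 'user.py').write_text('"""\nCommands to manage users.\n"""\n')
    (pkg / 'aci.py').write_text('"""\nCommands to manage access control ACIs.\n"""\n')
    (pkg / 'misc.py').write_text('# a module that forgot its docstring\n')
    (pkg / 'longdoc.py').write_text('"""\nCommands to manage %s\n"""\n' % ('x' * 70))
    sys.path.insert(0, str(root))
    importlib.invalidate_caches()
    return importlib.import_module('demo_plugins')


if __name__ == '__main__':
    lines, too_long = render_topics(collect_topics(build_demo_package()))
    print('Help topics:')
    print('\n'.join(lines))
    for name in too_long:
        print('warning: docstring for %r wraps at %d columns' % (name, MAX_WIDTH))
```

The `too_long` list is the cheap enforcement of the width constraint; wiring it into the test suite keeps a later docstring edit from silently breaking the layout.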
From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 21 Apr 2009 15:36:00 +0200 Subject: [Freeipa-devel] [PATCH] Add new env variables. 'container_dns' for DNS plugin, 'use_ldap2' for new LDAP backend debugging. Message-ID: <49EDCBC0.1040005@redhat.com> container_dns is required by the DNS plugin (currently being reviewed). use_ldap2 is for testing purposes: just temporary and should be deleted after we switch completely to the new LDAP backend. Pavel -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Add-new-env-variables.-container_dns-for-DNS-plugi.patch URL:

From pzuna at redhat.com Tue Apr 21 13:41:05 2009 From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 21 Apr 2009 15:41:05 +0200 Subject: [Freeipa-devel] [PATCH] Add conditional (env.use_ldap2 is True) modifications required by new LDAP backend. Message-ID: <49EDCCF1.2090503@redhat.com> Changes to backend.py: - in Executioner.create_context, if use_ldap2 is True, connect to LDAP using Backend.ldap2 instead of Backend.ldap. Changes to frontend.py: - in Command.__attributes_2_entry, if use_ldap2 is True, don't convert attribute values to strings. Converting to strings was in place for the old LDAP backend to work. It is buggy with unicode strings. The new LDAP backend makes its own safe conversions. Pavel -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Add-conditional-env.use_ldap2-is-True-modification.patch URL:

From pzuna at redhat.com Tue Apr 21 13:46:49 2009
From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 21 Apr 2009 15:46:49 +0200 Subject: [Freeipa-devel] [PATCH] Make LDAP entry output slightly nicer, don't print u's in front of unicode strings etc. Message-ID: <49EDCE49.60907@redhat.com> Minor change to the way textui.print_entry works. The old version was printing the python representation of values, which looks weird for users not familiar with python, especially with unicode strings having the letter 'u' prepended to them. I think it's a bit nicer this way and no value is lost. Pavel -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Make-LDAP-entry-output-slightly-nicer-don-t-print-u.patch URL: From pzuna at redhat.com Tue Apr 21 13:51:47 2009 From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 21 Apr 2009 15:51:47 +0200 Subject: [Freeipa-devel] [PATCH] Fix filter generator in ldapapi. Shouldn't produce invalid filters anymore. Message-ID: <49EDCF73.9090001@redhat.com> ldap search method was generating invalid filters when the list of search keywords was empty making it impossible to search by objectClass or base alone. Pavel -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Fix-filter-generator-in-ldapapi.-Shouldn-t-produce-i.patch URL: From pzuna at redhat.com Tue Apr 21 13:55:58 2009 From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 21 Apr 2009 15:55:58 +0200 Subject: [Freeipa-devel] [PATCH] Add missing _sasl_auth variable and fix some minor bugs, all in ldap2. Message-ID: <49EDD06E.80704@redhat.com> ldap2 currently isn't functional without this patch. Pavel -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Add-missing-_sasl_auth-variable-and-fix-some-minor-b.patch URL: From pzuna at redhat.com Tue Apr 21 13:58:35 2009 
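Pavel's filter-generator fix above covers the empty-keyword case, and the same builder is also where LDAP filter injection is prevented or not, since values spliced into a filter as plain strings (as the old backend's string conversion did) can carry `)(`, `*` and `\`. Added example (editor-supplied, not ipalib's ldap or ldap2 code): a filter builder that escapes assertion values per RFC 4515, validates attribute names so the attribute side cannot carry filter syntax either, and never emits an empty `()` term when no keywords are given. The default attribute list and the search shapes are assumptions for illustration.

```python
import re

# RFC 4515 section 3: these characters must be escaped as \XX inside a value.
_ESCAPE = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}

# Attribute descriptions: a name (letters, digits, hyphen) or a numeric OID,
# optionally with ;options. Anything else is rejected so a caller cannot
# smuggle filter syntax in through the attribute name.
_ATTR_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*|[0-9]+(\.[0-9]+)*)(;[A-Za-z0-9-]+)*$')


def escape_filter_value(value):
    """Escape one assertion value so it cannot change the filter's structure."""
    if isinstance(value, bytes):
        value = value.decode('utf-8')
    return ''.join(_ESCAPE.get(ch, ch) for ch in value)


def check_attr(attr):
    if not _ATTR_RE.match(attr):
        raise ValueError('invalid attribute description: %r' % attr)
    return attr


def make_filter(objectclass=None, keywords=(), attrs=('uid', 'cn', 'mail'), exact=None):
    """Build a search filter from optional parts.

    objectclass: restrict to entries of this class.
    keywords:    substrings matched (OR) against every attribute in `attrs`.
    exact:       mapping attr -> value that must match exactly (AND).
    With nothing given, return the match-everything filter rather than '()'.
    """
    terms = []
    if objectclass:
        terms.append('(objectClass=%s)' % escape_filter_value(objectclass))
    for attr, val in sorted((exact or {}).items()):
        terms.append('(%s=%s)' % (check_attr(attr), escape_filter_value(val)))
    kw_terms = []
    for kw in keywords:
        if not kw:            # skip empty keywords instead of emitting a pointless wildcard
            continue
        esc = escape_filter_value(kw)
        kw_terms.extend('(%s=*%s*)' % (check_attr(a), esc) for a in attrs)
    if len(kw_terms) == 1:
        terms.append(kw_terms[0])
    elif kw_terms:
        terms.append('(|%s)' % ''.join(kw_terms))
    if not terms:
        return '(objectClass=*)'
    if len(terms) == 1:
        return terms[0]       # no (&...) wrapper around a single term
    return '(&%s)' % ''.join(terms)


if __name__ == '__main__':
    print(make_filter('posixAccount'))
    print(make_filter('posixAccount', keywords=['bob'], attrs=('uid', 'cn')))
    print(make_filter(exact={'uid': 'a)(uid=*'}))   # injected syntax is neutralised
```

The last call is the one to keep in a regression test: without escaping, a value like `a)(uid=*` turns an exact match into a wildcard search over every entry.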
From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 21 Apr 2009 15:58:35 +0200 Subject: [Freeipa-devel] [PATCH] Add user plugin port with some bugs fixed to the new LDAP backend. Message-ID: <49EDD10B.3090805@redhat.com> user plugin port, only works with use_ldap2=True and the last ldap2 patch I posted a few minutes ago. Pavel -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Add-user-plugin-port-with-some-bugs-fixed-to-the-new.patch URL: From rcritten at redhat.com Tue Apr 21 14:01:23 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 21 Apr 2009 10:01:23 -0400 Subject: [Freeipa-devel] [PATCH] Add missing _sasl_auth variable and fix some minor bugs, all in ldap2. In-Reply-To: <49EDD06E.80704@redhat.com> References: <49EDD06E.80704@redhat.com> Message-ID: <49EDD1B3.3090902@redhat.com> Pavel Zuna wrote: > ldap2 currently isn't functional without this patch. > > Pavel This patch does a lot more than just add the _sasl_auth variable. What is the purpose of the other changes? IIRC Jason has said it is good practice to include () when raising an exception. rob From rcritten at redhat.com Tue Apr 21 14:02:07 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 21 Apr 2009 10:02:07 -0400 Subject: [Freeipa-devel] [PATCH] Add new env variables. 'container_dns' for DNS plugin, 'use_ldap2' for new LDAP backend debugging. In-Reply-To: <49EDCBC0.1040005@redhat.com> References: <49EDCBC0.1040005@redhat.com> Message-ID: <49EDD1DF.2020808@redhat.com> Pavel Zuna wrote: > container_dns is required by the DNS plugin (currently being reviewed). > > use_ldap2 is for testing purposes: just a temporary and should be > deleted after we switch completely to the new LDAP backend. > > Pavel > What will be stored in cn=dns? I haven't seen the plugin. rob From mnagy at redhat.com Tue Apr 21 14:09:43 2009 
From: mnagy at redhat.com (Martin Nagy) Date: Tue, 21 Apr 2009 16:09:43 +0200 Subject: [Freeipa-devel] [PATCH] Add new env variables. 'container_dns' for DNS plugin, 'use_ldap2' for new LDAP backend debugging. In-Reply-To: <49EDD1DF.2020808@redhat.com> References: <49EDCBC0.1040005@redhat.com> <49EDD1DF.2020808@redhat.com> Message-ID: <20090421160943.5606cc82@wolverine.englab.brq.redhat.com> On Tue, 21 Apr 2009 10:02:07 -0400, Rob Crittenden wrote: > Pavel Zuna wrote: > > container_dns is required by the DNS plugin (currently being > > reviewed). > > > > use_ldap2 is for testing purposes: just a temporary and should be > > deleted after we switch completely to the new LDAP backend. > > > > Pavel > > > > What will be stored in cn=dns? I haven't seen the plugin. DNS records for the bind LDAP plug-in. Martin From rcritten at redhat.com Tue Apr 21 14:21:17 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 21 Apr 2009 10:21:17 -0400 Subject: [Freeipa-devel] [PATCH] Add new env variables. 'container_dns' for DNS plugin, 'use_ldap2' for new LDAP backend debugging. In-Reply-To: <20090421160943.5606cc82@wolverine.englab.brq.redhat.com> References: <49EDCBC0.1040005@redhat.com> <49EDD1DF.2020808@redhat.com> <20090421160943.5606cc82@wolverine.englab.brq.redhat.com> Message-ID: <49EDD65D.8060304@redhat.com> Martin Nagy wrote: > On Tue, 21 Apr 2009 10:02:07 -0400, Rob Crittenden > wrote: > >> Pavel Zuna wrote: >>> container_dns is required by the DNS plugin (currently being >>> reviewed). >>> >>> use_ldap2 is for testing purposes: just a temporary and should be >>> deleted after we switch completely to the new LDAP backend. >>> >>> Pavel >>> >> What will be stored in cn=dns? I haven't seen the plugin. > > DNS records for the bind LDAP plug-in. > Ok, maybe this has been discussed before and I've forgotten, but is there going to be any linkage between DNS host entries and cn=hosts? Should any referential integrity be done? It is quite a rat hole if we start down that path. rob From rcritten at redhat.com Tue Apr 21 14:24:21 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 21 Apr 2009 10:24:21 -0400 Subject: [Freeipa-devel] [PATCH] add requires_root option to Command Message-ID: <49EDD715.2050700@redhat.com> Some commands will require that the local user have root permissions. I'm not 100% sure this is the right place to put it but it at least starts the conversation. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-182-root.patch Type: application/mbox Size: 1316 bytes Desc: not available URL: From mnagy at redhat.com Tue Apr 21 14:27:05 2009 
From: mnagy at redhat.com (Martin Nagy) Date: Tue, 21 Apr 2009 16:27:05 +0200 Subject: [Freeipa-devel] [PATCH] Add new env variables. 'container_dns' for DNS plugin, 'use_ldap2' for new LDAP backend debugging. In-Reply-To: <49EDD65D.8060304@redhat.com> References: <49EDCBC0.1040005@redhat.com> <49EDD1DF.2020808@redhat.com> <20090421160943.5606cc82@wolverine.englab.brq.redhat.com> <49EDD65D.8060304@redhat.com> Message-ID: <20090421162705.02bad510@wolverine.englab.brq.redhat.com> On Tue, 21 Apr 2009 10:21:17 -0400, Rob Crittenden wrote: > Martin Nagy wrote: > > On Tue, 21 Apr 2009 10:02:07 -0400, Rob Crittenden > > wrote: > > > >> Pavel Zuna wrote: > >>> container_dns is required by the DNS plugin (currently being > >>> reviewed). > >>> > >>> use_ldap2 is for testing purposes: just a temporary and should be > >>> deleted after we switch completely to the new LDAP backend. > >>> > >>> Pavel > >>> > >> What will be stored in cn=dns? I haven't seen the plugin. > > > > DNS records for the bind LDAP plug-in. > > > > Ok, maybe this has been discussed before and I've forgotten, but is > there going to be any linkage between DNS host entries and cn=hosts? > Should any referential integrity be done? It is quite a rat hole if > we start down that path. IIRC we (me, Simo and Dmitri) agreed that there won't be any linkage. At best, we could provide a link from one to the other in the Web UI, but that's not necessary at all. Everything under cn=dns will be used by the DNS server, so there might actually be records that IPA has no idea about. It's basically just a replacement for flat zone files. Martin From rcritten at redhat.com Tue Apr 21 14:35:54 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 21 Apr 2009 10:35:54 -0400 Subject: [Freeipa-devel] [PATCH] Add new env variables. 'container_dns' for DNS plugin, 'use_ldap2' for new LDAP backend debugging. In-Reply-To: <20090421162705.02bad510@wolverine.englab.brq.redhat.com> References: <49EDCBC0.1040005@redhat.com> <49EDD1DF.2020808@redhat.com> <20090421160943.5606cc82@wolverine.englab.brq.redhat.com> <49EDD65D.8060304@redhat.com> <20090421162705.02bad510@wolverine.englab.brq.redhat.com> Message-ID: <49EDD9CA.5020500@redhat.com> Martin Nagy wrote: > On Tue, 21 Apr 2009 10:21:17 -0400, Rob Crittenden > wrote: > >> Martin Nagy wrote: >>> On Tue, 21 Apr 2009 10:02:07 -0400, Rob Crittenden >>> wrote: >>> >>>> Pavel Zuna wrote: >>>>> container_dns is required by the DNS plugin (currently being >>>>> reviewed). >>>>> >>>>> use_ldap2 is for testing purposes: just a temporary and should be >>>>> deleted after we switch completely to the new LDAP backend. >>>>> >>>>> Pavel >>>>> >>>> What will be stored in cn=dns? I haven't seen the plugin. >>> DNS records for the bind LDAP plug-in. >>> >> Ok, maybe this has been discussed before and I've forgotten, but is >> there going to be any linkage between DNS host entries and cn=hosts? >> Should any referential integrity be done? It is quite a rat hole if >> we start down that path. > > IIRC we (me, Simo and Dmitri) agreed that there won't be any linkage. At > best, we could provide a link from one to the other in the Web UI, but > that's not necessary at all. Everything under cn=dns will be used by > the DNS server, so there might actually be records that IPA has no idea > about. It's basically just a replacement for flat zone files. > > Martin Ok, we can always add that in the future too. So in v1 when creating principals we would do a DNS lookup to ensure that the host existed. Is it safe to say that this can be replaced with an internal lookup for the host or should we stick with DNS? 
rob From pzuna at redhat.com Tue Apr 21 14:40:17 2009 From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 21 Apr 2009 16:40:17 +0200 Subject: [Freeipa-devel] [PATCH] Add missing _sasl_auth variable and fix some minor bugs, all in ldap2. In-Reply-To: <49EDD1B3.3090902@redhat.com> References: <49EDD06E.80704@redhat.com> <49EDD1B3.3090902@redhat.com> Message-ID: <49EDDAD1.9090103@redhat.com> Rob Crittenden wrote: > Pavel Zuna wrote: >> ldap2 currently isn't functional without this patch. >> >> Pavel > > This patch does a lot more than just add the _sasl_auth variable. What > is the purpose of the other changes? Sorry, my bad, I made more changes and forgot about it when making the patch. I'll make separate patches for the other changes, namely: - added a new keyword argument to ldap2.make_filter and ldap2.make_filter_from_attr, the boolean 'exact'. If it's True, the filter is built as (attribute=value), else (attribute=*value*). - moved ldap2.__handle_errors to _handle_errors outside of the ldap2 class. It can't be in the class itself, because it is used in the _load_schema function. I didn't notice this at first. OT: I don't like using private ('__' prefix) when not absolutely necessary. I think it's a little bit unpythonic. If a name starts with _, everyone knows it's not intended to be used outside the scope/class it was defined in, but they still have the freedom to do as they please at their own risk. - when raising exceptions with no arguments, use 'raise ExceptionClass' instead of 'raise ExceptionClass()' Well, that's just a matter of preference I guess and I only changed it to make it more consistent with the way I usually write it. I'll change it back, since the second form seems to be in favor in freeIPA code. > IIRC Jason has said it is good practice to include () when raising an > exception. > > rob Pavel From mnagy at redhat.com Tue Apr 21 14:57:52 2009 
From: mnagy at redhat.com (Martin Nagy) Date: Tue, 21 Apr 2009 16:57:52 +0200 Subject: [Freeipa-devel] [PATCH] Add new env variables. 'container_dns' for DNS plugin, 'use_ldap2' for new LDAP backend debugging. In-Reply-To: <49EDD9CA.5020500@redhat.com> References: <49EDCBC0.1040005@redhat.com> <49EDD1DF.2020808@redhat.com> <20090421160943.5606cc82@wolverine.englab.brq.redhat.com> <49EDD65D.8060304@redhat.com> <20090421162705.02bad510@wolverine.englab.brq.redhat.com> <49EDD9CA.5020500@redhat.com> Message-ID: <20090421165752.3174e5ab@wolverine.englab.brq.redhat.com> On Tue, 21 Apr 2009 10:35:54 -0400, Rob Crittenden wrote: > Martin Nagy wrote: > > On Tue, 21 Apr 2009 10:21:17 -0400, Rob Crittenden > > wrote: > > > >> Martin Nagy wrote: > >>> On Tue, 21 Apr 2009 10:02:07 -0400, Rob Crittenden > >>> wrote: > >>> > >>>> Pavel Zuna wrote: > >>>>> container_dns is required by the DNS plugin (currently being > >>>>> reviewed). > >>>>> > >>>>> use_ldap2 is for testing purposes: just a temporary and should > >>>>> be deleted after we switch completely to the new LDAP backend. > >>>>> > >>>>> Pavel > >>>>> > >>>> What will be stored in cn=dns? I haven't seen the plugin. > >>> DNS records for the bind LDAP plug-in. > >>> > >> Ok, maybe this has been discussed before and I've forgotten, but > >> is there going to be any linkage between DNS host entries and > >> cn=hosts? Should any referential integrity be done? It is quite a > >> rat hole if we start down that path. > > > > IIRC we (me, Simo and Dmitri) agreed that there won't be any > > linkage. At best, we could provide a link from one to the other in > > the Web UI, but that's not necessary at all. Everything under > > cn=dns will be used by the DNS server, so there might actually be > > records that IPA has no idea about. It's basically just a > > replacement for flat zone files. > > > > Martin > > Ok, we can always add that in the future too. 
> > So in v1 when creating principals we would do a DNS lookup to ensure > that the host existed. Is it safe to say that this can be replaced > with an internal lookup for the host or should we stick with DNS? Let's stick with DNS. We want to be able to support external DNS servers. Martin From rcritten at redhat.com Tue Apr 21 14:59:06 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 21 Apr 2009 10:59:06 -0400 Subject: [Freeipa-devel] [PATCH] Add new env variables. 'container_dns' for DNS plugin, 'use_ldap2' for new LDAP backend debugging. In-Reply-To: <20090421165752.3174e5ab@wolverine.englab.brq.redhat.com> References: <49EDCBC0.1040005@redhat.com> <49EDD1DF.2020808@redhat.com> <20090421160943.5606cc82@wolverine.englab.brq.redhat.com> <49EDD65D.8060304@redhat.com> <20090421162705.02bad510@wolverine.englab.brq.redhat.com> <49EDD9CA.5020500@redhat.com> <20090421165752.3174e5ab@wolverine.englab.brq.redhat.com> Message-ID: <49EDDF3A.9040109@redhat.com> Martin Nagy wrote: > On Tue, 21 Apr 2009 10:35:54 -0400, Rob Crittenden > wrote: > >> Martin Nagy wrote: >>> On Tue, 21 Apr 2009 10:21:17 -0400, Rob Crittenden >>> wrote: >>> >>>> Martin Nagy wrote: >>>>> On Tue, 21 Apr 2009 10:02:07 -0400, Rob Crittenden >>>>> wrote: >>>>> >>>>>> Pavel Zuna wrote: >>>>>>> container_dns is required by the DNS plugin (currently being >>>>>>> reviewed). >>>>>>> >>>>>>> use_ldap2 is for testing purposes: just a temporary and should >>>>>>> be deleted after we switch completely to the new LDAP backend. >>>>>>> >>>>>>> Pavel >>>>>>> >>>>>> What will be stored in cn=dns? I haven't seen the plugin. >>>>> DNS records for the bind LDAP plug-in. >>>>> >>>> Ok, maybe this has been discussed before and I've forgotten, but >>>> is there going to be any linkage between DNS host entries and >>>> cn=hosts? Should any referential integrity be done? It is quite a >>>> rat hole if we start down that path. >>> IIRC we (me, Simo and Dmitri) agreed that there won't be any >>> linkage. At best, we could provide a link from one to the other in >>> the Web UI, but that's not necessary at all. Everything under >>> cn=dns will be used by the DNS server, so there might actually be >>> records that IPA has no idea about. It's basically just a >>> replacement for flat zone files. 
>>> >>> Martin >> Ok, we can always add that in the future too. >> >> So in v1 when creating principals we would do a DNS lookup to ensure >> that the host existed. Is it safe to say that this can be replaced >> with an internal lookup for the host or should we stick with DNS? > > Let's stick with DNS. We want to be able to support external DNS > servers. > > Martin Alright then. ack for the patch. rob From ssorce at redhat.com Tue Apr 21 21:10:46 2009 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 21 Apr 2009 17:10:46 -0400 Subject: [Freeipa-devel] [PATCH] add requires_root option to Command In-Reply-To: <49EDD715.2050700@redhat.com> References: <49EDD715.2050700@redhat.com> Message-ID: <1240348246.15125.17.camel@hopeson> On Tue, 2009-04-21 at 10:24 -0400, Rob Crittenden wrote: > Some commands will require that the local user have root permissions. > I'm not 100% sure this is the right place to put it but it at least > starts the conversation. Speaking just in general terms I don't like doing things like: if uid == 0 fail; I think that we should gracefully catch whatever exception is thrown up (access denied or whatever) and then return an error. Sometimes this is not possible, and I haven't looked at what's around that patch, so this may be the right way in this case. Simo. From rcritten at redhat.com Tue Apr 21 21:16:02 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 21 Apr 2009 17:16:02 -0400 Subject: [Freeipa-devel] [PATCH] add requires_root option to Command In-Reply-To: <1240348246.15125.17.camel@hopeson> References: <49EDD715.2050700@redhat.com> <1240348246.15125.17.camel@hopeson> Message-ID: <49EE3792.80704@redhat.com> Simo Sorce wrote: > On Tue, 2009-04-21 at 10:24 -0400, Rob Crittenden wrote: >> Some commands will require that the local user have root permissions. >> I'm not 100% sure this is the right place to put it but it at least >> starts the conversation. > > Speaking just in general terms I don't like doing things like: > if uid == 0 fail; > > I think that we should gracefully catch whatever exception is thrown up > (access denied or whatever) and then return an error. > > Sometimes this is not possible, and I haven't looked at what's around > that patch, so this may be the right way in this case. > > Simo. > That is exactly what this does. It raises an exception that Root is required and the client catches this and displays it: $ ipa join foo.example.com ipa: ERROR: This command requires root access Otherwise we're going to get file permission errors and nasty things like that which won't provide a useful error message to the client. If we catch this up front then we can prevent doing unnecessary things. Note that this is only for client-side stuff. In this case, when joining a machine to the IPA domain I want root access so the keytab we retrieve will be protected (and since I'll ultimately update /etc/krb5.keytab root will be mandatory). rob From jdennis at redhat.com Tue Apr 21 22:41:42 2009 
From: jdennis at redhat.com (John Dennis) Date: Tue, 21 Apr 2009 18:41:42 -0400 Subject: [Freeipa-devel] [PATCH] add dynamic hash table data structure implementation (with review modifications) In-Reply-To: <20090420114942.6b3d7823@notas> References: <49EB6354.8050406@redhat.com> <20090420114942.6b3d7823@notas> Message-ID: <49EE4BA6.9010400@redhat.com> I have updated the patch folding in all the suggestions received so far. Simo, you will be pleased to note there is now a create_hash_ex() function which accepts tuning parameters as well as alloc()/free() function pointers to support customized allocation methods. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-add-dynamic-hash-table-data-structure-implementation.patch Type: application/mbox Size: 68125 bytes Desc: not available URL: From ssorce at redhat.com Wed Apr 22 08:45:04 2009 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 22 Apr 2009 04:45:04 -0400 Subject: [Freeipa-devel] [PATCH] add dynamic hash table data structure implementation (with review modifications) In-Reply-To: <49EE4BA6.9010400@redhat.com> References: <49EB6354.8050406@redhat.com> <20090420114942.6b3d7823@notas> <49EE4BA6.9010400@redhat.com> Message-ID: <1240389904.3479.16.camel@hopeson> On Tue, 2009-04-21 at 18:41 -0400, John Dennis wrote: > I have updated the patch folding in all the suggestions received so > far. > > Simo, you will be pleased to note there is now a create_hash_ex() > function which accepts tuning parameters as well as alloc()/free() > function pointers to support customized allocation methods. Oh, no, I am not merely pleased, I am truly delighted. Full ack and pushed! Simo. From ssorce at redhat.com Wed Apr 22 08:46:46 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 22 Apr 2009 04:46:46 -0400 Subject: [Freeipa-devel] [PATCH] add requires_root option to Command In-Reply-To: <49EE3792.80704@redhat.com> References: <49EDD715.2050700@redhat.com> <1240348246.15125.17.camel@hopeson> <49EE3792.80704@redhat.com> Message-ID: <1240390006.3479.18.camel@hopeson> On Tue, 2009-04-21 at 17:16 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > On Tue, 2009-04-21 at 10:24 -0400, Rob Crittenden wrote: > >> Some commands will require that the local user have root permissions. > >> I'm not 100% sure this is the right place to put it but it at least > >> starts the conversation. > > > > Speaking just in general terms I don't like doing things like: > > if uid == 0 fail; > > > > I think that we should gracefully catch whatever exception is thrown up > > (access denied or whatever) and then return an error. > > > > Sometimes this is not possible, and I haven't looked at what's around > > that patch, so this may be the right way in this case. > > > > Simo. > > > > That is exactly what this does. It raises an exception that Root is > required and the client catches this and displays it: > > $ ipa join foo.example.com > ipa: ERROR: This command requires root access > > Otherwise we're going to get file permission errors and nasty things > like that which won't provide a useful error message to the client. If > we catch this up front then we can prevent doing unnecessary things. > > Note that this is only for client-side stuff. In this case, when joining > a machine to the IPA domain I want root access so the keytab we retrieve > will be protected (and since I'll ultimately update /etc/krb5.keytab > root will be mandatory). Yet, but I would rather check if we can write to /etc/krb5.keytab with the current user (even just using access(2)), not just check if geteuid == 0 Simo. From pzuna at redhat.com Wed Apr 22 09:34:32 2009 
From: pzuna at redhat.com (Pavel Zuna) Date: Wed, 22 Apr 2009 11:34:32 +0200 Subject: [Freeipa-devel] [PATCHES] Make it possible to construct partial match filters using make_filter* methods. Add missing _sasl_auth variable. + Change ldap2.__handle_errors into the global _handle_errors function. Message-ID: <49EEE4A8.3070109@redhat.com> Patch 0001: Make it possible to construct partial match filters using make_filter* methods. Add missing _sasl_auth variable. The _sasl_auth variable required to make a connection to the LDAP server has gone missing. make_filter* methods now take an additional boolean argument 'exact'. When True it builds exact match filters (attribute=value), when False (attribute=*value*). Patch 0002: Change ldap2.__handle_errors into the global _handle_errors function. __handle_errors was used outside the class and it's universal enough to earn the place of a global function. Pavel -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Make-it-possible-to-construct-partial-match-filters.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0002-Change-ldap2.__handle_errors-into-the-global-_handle.patch URL: From pzuna at redhat.com Wed Apr 22 09:38:39 2009 
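The 'exact' switch described in Pavel's earlier reply and in patch 0001 above, as an added example. This is not the ldap2 code from the patches (which are scrubbed from the archive); the function names mirror the description, but the dict-of-attributes input shape, the helper names and the escaping table are assumptions of this example. The security point it adds is the one a filter builder has to get right: the value must be escaped per RFC 4515 before it is interpolated, otherwise a caller-supplied '*' or ')' changes the structure of the filter. It also keeps the empty and single-term cases valid, the condition behind the ldapapi filter-generator fix discussed later in this archive.

```python
"""Added example (not FreeIPA's ldap2): LDAP filter construction with an
'exact' switch and RFC 4515 value escaping. Names are illustrative."""

# RFC 4515: these characters inside an assertion value must be written as
# a backslash followed by two hex digits.
_ESCAPES = {
    '\\': r'\5c',
    '*': r'\2a',
    '(': r'\28',
    ')': r'\29',
    '\x00': r'\00',
}


def escape_filter_value(value):
    """Escape a value so it can only ever be matched, never parsed."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in str(value))


def make_filter_from_attr(attr, value, exact=True):
    """(attr=value) when exact, (attr=*value*) for a substring match.
    The value is escaped first, so the caller cannot inject a second
    assertion or close the filter early."""
    v = escape_filter_value(value)
    return '(%s=%s)' % (attr, v) if exact else '(%s=*%s*)' % (attr, v)


def make_filter_from_attr_naive(attr, value, exact=True):
    """The same thing without escaping, kept only for contrast."""
    return '(%s=%s)' % (attr, value) if exact else '(%s=*%s*)' % (attr, value)


def make_filter(entry_attrs, rules='&', exact=True):
    """Combine one term per attribute/value pair with & or |.
    A list value contributes one term per element. No terms gives '',
    a single term is returned unwrapped, and two or more are wrapped in
    (&...) or (|...), so the result is always a valid filter."""
    if rules not in ('&', '|'):
        raise ValueError("rules must be '&' or '|'")
    terms = []
    for attr, value in entry_attrs.items():
        values = value if isinstance(value, (list, tuple)) else [value]
        for v in values:
            terms.append(make_filter_from_attr(attr, v, exact))
    if not terms:
        return ''
    if len(terms) == 1:
        return terms[0]
    return '(%s%s)' % (rules, ''.join(terms))


def make_search_filter(objectclass, keywords, exact=False):
    """Filter for a *-find command: always restrict to the objectClass and
    OR the keyword terms in only when there are any, so an empty keyword
    list still searches by objectClass alone instead of producing a
    malformed filter."""
    oc = make_filter_from_attr('objectClass', objectclass)
    kw = make_filter(keywords, rules='|', exact=exact)
    return oc if not kw else '(&%s%s)' % (oc, kw)


def injection_contrast(user_input='*)(uid=*'):
    """Constructed input: the unescaped builder turns a lookup of one uid
    into a filter that matches every posixAccount; the escaped builder
    looks for a uid literally named '*)(uid=*'."""
    oc = make_filter_from_attr('objectClass', 'posixAccount')
    unsafe = '(&%s%s)' % (oc, make_filter_from_attr_naive('uid', user_input))
    safe = '(&%s%s)' % (oc, make_filter_from_attr('uid', user_input))
    return unsafe, safe


if __name__ == '__main__':
    print(make_search_filter('posixAccount', {'uid': 'bob', 'cn': 'bob'}))
    for f in injection_contrast():
        print(f)
```

The substring form (attribute=*value*) is the expensive one for the directory server (it cannot use an equality index), so a *-find command should default to exact=True where the attribute is a key and fall back to the substring form only for free-text keywords.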
From: pzuna at redhat.com (Pavel Zuna) Date: Wed, 22 Apr 2009 11:38:39 +0200 Subject: [Freeipa-devel] [PATCHES] Introduce AlreadyGroupMember exception, raised when a member is attempted to be re-added to a group. + Throw AlreadyGroupMember instead of EmptyModlist when trying to re-add member to a group. Message-ID: <49EEE59F.603@redhat.com> Patch 0001: Introduce AlreadyGroupMember exception, raised when a member is attempted to be re-added to a group. The EmptyModlist exception is currently used when this error occurs. Patch 0002: Throw AlreadyGroupMember instead of EmptyModlist when trying to re-add member to a group. Make use of the new exception. Pavel -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Introduce-AlreadyGroupMember-exception-raised-when.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0002-Throw-AlreadyGroupMember-instead-of-EmptyModlist-whe.patch URL: From rcritten at redhat.com Wed Apr 22 13:40:44 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 22 Apr 2009 09:40:44 -0400 Subject: [Freeipa-devel] [PATCH] add requires_root option to Command In-Reply-To: <1240390006.3479.18.camel@hopeson> References: <49EDD715.2050700@redhat.com> <1240348246.15125.17.camel@hopeson> <49EE3792.80704@redhat.com> <1240390006.3479.18.camel@hopeson> Message-ID: <49EF1E5C.20303@redhat.com> Simo Sorce wrote: > On Tue, 2009-04-21 at 17:16 -0400, Rob Crittenden wrote: >> Simo Sorce wrote: >>> On Tue, 2009-04-21 at 10:24 -0400, Rob Crittenden wrote: >>>> Some commands will require that the local user have root permissions. >>>> I'm not 100% sure this is the right place to put it but it at least >>>> starts the conversation. >>> Speaking just in general terms I don't like doing things like: >>> if uid == 0 fail; >>> >>> I think that we should gracefully catch whatever exception is thrown up >>> (access denied or whatever) and then return an error. >>> >>> Sometimes this is not possible, and I haven't looked at what's around >>> that patch, so this may be the right way in this case. >>> >>> Simo. >>> >> That is exactly what this does. It raises an exception that Root is >> required and the client catches this and displays it: >> >> $ ipa join foo.example.com >> ipa: ERROR: This command requires root access >> >> Otherwise we're going to get file permission errors and nasty things >> like that which won't provide a useful error message to the client. If >> we catch this up front then we can prevent doing unnecessary things. >> >> Note that this is only for client-side stuff. In this case, when joining >> a machine to the IPA domain I want root access so the keytab we retrieve >> will be protected (and since I'll ultimately update /etc/krb5.keytab >> root will be mandatory). 
> > Yet, but I would rather check if we can write to /etc/krb5.keytab with > the current user (even just using access(2)), not just check if geteuid > == 0 From access(2): Warning: Using access() to check if a user is authorized to, for example, open a file before actually doing so using open(2) creates a security hole, because the user might exploit the short time interval between checking and opening the file to manipulate it. For this reason, the use of this system call should be avoided. But I see what you are saying. I can probably do this but it is going to take considerably more work and in all likelihood end up with the user needing to be root anyway. This affects way more than just /etc/krb5.keytab. rob From ssorce at redhat.com Wed Apr 22 14:19:10 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 22 Apr 2009 10:19:10 -0400 Subject: [Freeipa-devel] [PATCH] add requires_root option to Command In-Reply-To: <49EF1E5C.20303@redhat.com> References: <49EDD715.2050700@redhat.com> <1240348246.15125.17.camel@hopeson> <49EE3792.80704@redhat.com> <1240390006.3479.18.camel@hopeson> <49EF1E5C.20303@redhat.com> Message-ID: <1240409950.3479.23.camel@hopeson> On Wed, 2009-04-22 at 09:40 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > On Tue, 2009-04-21 at 17:16 -0400, Rob Crittenden wrote: > >> Simo Sorce wrote: > >>> On Tue, 2009-04-21 at 10:24 -0400, Rob Crittenden wrote: > >>>> Some commands will require that the local user have root permissions. > >>>> I'm not 100% sure this is the right place to put it but it at least > >>>> starts the conversation. > >>> Speaking just in general terms I don't like doing things like: > >>> if uid == 0 fail; > >>> > >>> I think that we should gracefully catch whatever exception is thrown up > >>> (access denied or whatever) and then return an error. > >>> > >>> Sometimes this is not possible, and I haven't looked at what's around > >>> that patch, so this may be the right way in this case. > >>> > >>> Simo. > >>> > >> That is exactly what this does. It raises an exception that Root is > >> required and the client catches this and displays it: > >> > >> $ ipa join foo.example.com > >> ipa: ERROR: This command requires root access > >> > >> Otherwise we're going to get file permission errors and nasty things > >> like that which won't provide a useful error message to the client. If > >> we catch this up front then we can prevent doing unnecessary things. > >> > >> Note that this is only for client-side stuff. In this case, when joining > >> a machine to the IPA domain I want root access so the keytab we retrieve > >> will be protected (and since I'll ultimately update /etc/krb5.keytab > >> root will be mandatory). 
> > > > Yet, but I would rather check if we can write to /etc/krb5.keytab with > > the current user (even just using access(2)), not just check if geteuid > > == 0 > > From access(2): > > Warning: Using access() to check if a user is authorized to, for > example, open a file before actually doing so using open(2) creates a > security hole, because the user might exploit the short time > interval between checking and opening the file to manipulate it. For > this reason, the use of this system call should be avoided. access should be avoided to take security decisions, but we are not taking a security decision here, we are just trying to make a more graceful exit if the user does not have privileges. > But I see what you are saying. I can probably do this but it is going to > take considerably more work and in all likelihood end up with the user > needing to be root anyway. This affects way more than just /etc/krb5.keytab. Ok, then let's get on with the getuid check for now, but add a FIXME comment that states what we should really do. Simo. From jdennis at redhat.com Wed Apr 22 14:46:00 2009 
From: jdennis at redhat.com (John Dennis) Date: Wed, 22 Apr 2009 10:46:00 -0400 Subject: [Freeipa-devel] [PATCH] add requires_root option to Command In-Reply-To: <1240409950.3479.23.camel@hopeson> References: <49EDD715.2050700@redhat.com> <1240348246.15125.17.camel@hopeson> <49EE3792.80704@redhat.com> <1240390006.3479.18.camel@hopeson> <49EF1E5C.20303@redhat.com> <1240409950.3479.23.camel@hopeson> Message-ID: <49EF2DA8.3020205@redhat.com> >> Warning: Using access() to check if a user is authorized to, for >> example, open a file before actually doing so using open(2) creates a >> security hole, because the user might exploit the short time >> interval between checking and opening the file to manipulate it. For >> this reason, the use of this system call should be avoided. >> Out of curiosity and for my own edification what is the exploit and why use access() at all? If access() returns denied the file won't attempt to be opened, how is this different than calling open() and getting an EPERM? If access() returns success then you attempt to open the file which either succeeds or fails, presumably based on the same permission check access() just performed. Trying to exploit the interval of time between the two system calls seems extraordinarily difficult. If the user has permission to change the protection on the file then why is the interval of time between access() and open() meaningful, they have the capacity to manipulate the file. Finally, why use access() at all, why not just try open() and check for EPERM? -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From sgallagh at redhat.com Wed Apr 22 15:01:07 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 22 Apr 2009 11:01:07 -0400 Subject: [Freeipa-devel] [PATCH] add requires_root option to Command In-Reply-To: <49EF2DA8.3020205@redhat.com> References: <49EDD715.2050700@redhat.com> <1240348246.15125.17.camel@hopeson> <49EE3792.80704@redhat.com> <1240390006.3479.18.camel@hopeson> <49EF1E5C.20303@redhat.com> <1240409950.3479.23.camel@hopeson> <49EF2DA8.3020205@redhat.com> Message-ID: <49EF3133.20205@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 John Dennis wrote: > >>> Warning: Using access() to check if a user is authorized to, for >>> example, open a file before actually doing so using open(2) creates a >>> security hole, because the user might exploit the short time >>> interval between checking and opening the file to manipulate it. For >>> this reason, the use of this system call should be avoided. >>> > > Out of curiosity and for my own edification what is the exploit and why > use access() at all? If access() returns denied the file won't attempt > to be opened, how is this different than calling open() and getting an > EPERM? If access() returns success then you attempt to open the file > which either succeeds or fails, presumably based on the same permission > check access() just performed. Trying to exploit the interval of time > between the two system calls seems extraordinarily difficult. If the > user has permission to change the protection on the file then why is the > interval of time between access() and open() meaningful, they have the > capacity to manipulate the file. Finally, why use access() at all, why > not just try open() and check for EPERM? > > -- > John Dennis > > Looking to carve out IT costs? 
> www.redhat.com/carveoutcosts/ > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Exploiting the interval of time isn't that difficult. All a hacker would need to do is have an inotify listener on the file. If the action they perform on receipt of that notification is faster than the other program's ability to call open(), then there you have it. The reason to do this might be to replace the file with a symlink to fake data you want read in that might contain instructions to run in a buffer overflow, or even just falsified data for a database. - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAknvMSwACgkQeiVVYja6o6N0FACfXRfrqwjPQarM8/+SkqMJca5U cEwAnRavYJY9OJwhrLM2R0T+yiYkVv4n =GJhV -----END PGP SIGNATURE----- From sbose at redhat.com Wed Apr 22 15:04:41 2009 From: sbose at redhat.com (Sumit Bose) Date: Wed, 22 Apr 2009 17:04:41 +0200 Subject: [Freeipa-devel] [PATCH] fix for a seq fault when pam_reply_delay is called Message-ID: <49EF3209.90204@redhat.com> Hi, this one should fix https://fedorahosted.org/sssd/ticket/25 . Jakub, can you check? bye, Sumit -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-fix-for-a-seq-fault-when-pam_reply_delay-is-called.patch Type: text/x-patch Size: 1051 bytes Desc: not available URL: From jhrozek at redhat.com Wed Apr 22 15:50:06 2009 
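Returning to the requires_root thread above: the race Stephen describes (a watcher swaps the path for a symlink between the caller's access() and its open()) and Simo's point that the goal is a graceful error rather than a security decision, as an added example. This is not code from Rob's patch or from FreeIPA; the function names are illustrative, and it assumes a POSIX platform where open(2) honours O_NOFOLLOW and a writable temporary directory for the constructed fixture. It contrasts the check-then-open sequence the access(2) man page warns about with opening the file directly, letting EACCES from open() be the graceful exit, refusing symlinks, and validating the descriptor rather than the path.

```python
"""Added example (not FreeIPA code): access()-then-open() versus a direct,
validated open. Illustrative names; constructed fixture in demo()."""
import errno
import os
import stat
import tempfile


def open_check_then_use(path):
    """Racy pattern: the permission check and the open are two separate
    system calls, so the object behind 'path' can change in between."""
    if not os.access(path, os.W_OK):
        raise PermissionError(errno.EACCES, 'no write access', path)
    return os.open(path, os.O_WRONLY)   # follows whatever symlink is there now


def open_privileged_file(path, expected_owner):
    """Open directly: a permission problem surfaces as EACCES from open(),
    which is the graceful error path without a separate check. O_NOFOLLOW
    refuses a symlink at the final component (ELOOP), and fstat() on the
    descriptor checks what was actually opened, not what the path named."""
    fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(errno.EPERM, 'not a regular file', path)
        if st.st_uid != expected_owner:
            raise PermissionError(errno.EPERM, 'unexpected owner', path)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(errno.EPERM, 'group/world writable', path)
    except BaseException:
        os.close(fd)
        raise
    return fd


def explain(err):
    """Map the errno to the message a CLI should print instead of a raw
    file-permission traceback."""
    return {
        errno.EACCES: 'This command requires root access',
        errno.ELOOP: 'refusing to follow a symbolic link',
        errno.EPERM: 'file is not the regular, protected file expected',
    }.get(err, os.strerror(err))


def demo():
    """Constructed fixture: a mode-0600 regular file and a symlink to it in
    a temporary directory, standing in for the planted link of the race.
    Returns booleans describing how the two approaches treat the link."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, 'krb5.keytab')
        link = os.path.join(d, 'krb5.keytab.planted')
        with open(target, 'wb'):
            pass
        os.chmod(target, 0o600)
        os.symlink(target, link)

        out = {}
        fd = open_check_then_use(link)      # access() and open() both follow it
        out['racy_follows_symlink'] = fd >= 0
        os.close(fd)

        try:
            open_privileged_file(link, os.getuid())
            out['direct_refuses_symlink'] = False
            out['message'] = None
        except OSError as e:
            out['direct_refuses_symlink'] = e.errno == errno.ELOOP
            out['message'] = explain(e.errno)

        fd = open_privileged_file(target, os.getuid())
        out['direct_opens_regular_file'] = fd >= 0
        os.close(fd)
        return out


if __name__ == '__main__':
    for k, v in demo().items():
        print(k, v)
```

With this shape the geteuid() == 0 check Rob's patch performs up front is still a reasonable first gate for commands that will end up writing /etc/krb5.keytab, but the file operation itself no longer depends on a separate permission probe, so there is no window for the inotify-driven swap to exploit.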
From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 22 Apr 2009 17:50:06 +0200 Subject: [Freeipa-devel] [PATCH] fix for a seq fault when pam_reply_delay is called In-Reply-To: <49EF3209.90204@redhat.com> References: <49EF3209.90204@redhat.com> Message-ID: <1240415406.9206.27.camel@zeppelin.englab.brq.redhat.com> On Wed, 2009-04-22 at 17:04 +0200, Sumit Bose wrote: > Hi, > > this one should fix https://fedorahosted.org/sssd/ticket/25 . Jakub, > can > you check? > > bye, > Sumit > The segfault is gone, code looks sane, ack. Thanks! Jakub From sgallagh at redhat.com Wed Apr 22 18:32:20 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 22 Apr 2009 14:32:20 -0400 Subject: [Freeipa-devel] [PATCH] fix for a seq fault when pam_reply_delay is called In-Reply-To: <1240415406.9206.27.camel@zeppelin.englab.brq.redhat.com> References: <49EF3209.90204@redhat.com> <1240415406.9206.27.camel@zeppelin.englab.brq.redhat.com> Message-ID: <49EF62B4.20207@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jakub Hrozek wrote: > On Wed, 2009-04-22 at 17:04 +0200, Sumit Bose wrote: >> Hi, >> >> this one should fix https://fedorahosted.org/sssd/ticket/25 . Jakub, >> can >> you check? >> >> bye, >> Sumit >> > > The segfault is gone, code looks sane, ack. > > Thanks! > Jakub > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Ack and pushed to master. - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAknvYrAACgkQeiVVYja6o6MivwCeI5pfaV798jeZ7VodCbBz1UCI SqAAoJnr7VghA4wzIKNDwcNWH2BcSRXS =qfRe -----END PGP SIGNATURE----- From rcritten at redhat.com Wed Apr 22 19:08:29 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 22 Apr 2009 15:08:29 -0400 Subject: [Freeipa-devel] [PATCH] Make LDAP entry output slightly nicer, don't print u's in front of unicode strings etc. In-Reply-To: <49EDCE49.60907@redhat.com> References: <49EDCE49.60907@redhat.com> Message-ID: <49EF6B2D.1060908@redhat.com> Pavel Zuna wrote: > Minor change to the way textui.print_entry works. The old version was > printing the python representation of values, which looks weird for > users not familiar with python, especially with unicode strings having > the letter 'u' prepended to them. I think it's a bit nicer this way and > no value is lost. > > Pavel > Partial ack. This is a good addition but at least the env plugin should continue using repr. We really need both capabilities. How about adding either a second function (or perhaps a flag) to do the repr() version and change the env plugin to use that. Can you resubmit with these changes? rob From rcritten at redhat.com Wed Apr 22 19:12:49 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 22 Apr 2009 15:12:49 -0400 Subject: [Freeipa-devel] [PATCH] Add new env variables. 'container_dns' for DNS plugin, 'use_ldap2' for new LDAP backend debugging. In-Reply-To: <49EDCBC0.1040005@redhat.com> References: <49EDCBC0.1040005@redhat.com> Message-ID: <49EF6C31.3060401@redhat.com> Pavel Zuna wrote: > container_dns is required by the DNS plugin (currently being reviewed). > > use_ldap2 is for testing purposes: just a temporary and should be > deleted after we switch completely to the new LDAP backend. > > Pavel Ack and pushed to master From rcritten at redhat.com Wed Apr 22 19:14:14 2009 
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Apr 2009 15:14:14 -0400
Subject: [Freeipa-devel] [PATCH] Add conditional (env.use_ldap2 is True) modifications required by new LDAP backend.
In-Reply-To: <49EDCCF1.2090503@redhat.com>
References: <49EDCCF1.2090503@redhat.com>
Message-ID: <49EF6C86.80807@redhat.com>

Pavel Zuna wrote:
> Changes to backend.py:
> - in Executioner.create_context, if use_ldap2 is True, connect to LDAP
> using Backend.ldap2 instead of Backend.ldap.
>
> Changes to frontend.py:
> - in Command.__attributes_2_entry, if use_ldap2 is True, don't convert
> attribute values to strings. Converting to strings was in place for the
> old LDAP backend to work. It is buggy with unicode strings. The new LDAP
> backend makes its own safe conversions.
>
> Pavel

Ack. Pushed to master.

rob

From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Apr 2009 15:16:02 -0400
Subject: [Freeipa-devel] [PATCH] Fix filter generator in ldapapi. Shouldn't produce invalid filters anymore.
In-Reply-To: <49EDCF73.9090001@redhat.com>
References: <49EDCF73.9090001@redhat.com>
Message-ID: <49EF6CF2.6070703@redhat.com>

Pavel Zuna wrote:
> ldap search method was generating invalid filters when the list of
> search keywords was empty making it impossible to search by objectClass
> or base alone.
>
> Pavel

Before I ack, under what conditions are there no search keywords?

rob
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Apr 2009 15:16:40 -0400
Subject: [Freeipa-devel] [PATCH] Add user plugin port with some bugs fixed to the new LDAP backend.
In-Reply-To: <49EDD10B.3090805@redhat.com>
References: <49EDD10B.3090805@redhat.com>
Message-ID: <49EF6D18.3060904@redhat.com>

Pavel Zuna wrote:
> user plugin port, only works with use_ldap2=True and the last ldap2
> patch I posted a few minutes ago.
>
> Pavel

Ack. Pushed to master.

rob

From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Apr 2009 15:17:28 -0400
Subject: [Freeipa-devel] [PATCHES] Make it possible to construct partial match filters using make_filter* methods. Add missing _sasl_auth variable. + Change ldap2.__handle_errors into the global _handle_errors function.
In-Reply-To: <49EEE4A8.3070109@redhat.com>
References: <49EEE4A8.3070109@redhat.com>
Message-ID: <49EF6D48.3080207@redhat.com>

Pavel Zuna wrote:
> Patch 0001: Make it possible to construct partial match filters using
> make_filter* methods. Add missing _sasl_auth variable.
>
> _sasl_auth variable required to make a connection to the LDAP server has
> gone missing.
>
> make_filter* methods now take an additional boolean argument 'exact'.
> When True it builds exact match filters (attribute=value), when False
> (attribute=*value*).
>
>
> Patch 0002: Change ldap2.__handle_errors into the global _handle_errors
> function.
>
> __handle_errors was used outside the class and it's universal enough to
> earn the place of a global function.

ack and pushed to master

rob
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Apr 2009 15:18:47 -0400
Subject: [Freeipa-devel] [PATCHES] Introduce AlreadyGroupMember exception, raised when a member is attempted to be re-added to a group. + Throw AlreadyGroupMember instead of EmptyModlist when trying to re-add member to a group.
In-Reply-To: <49EEE59F.603@redhat.com>
References: <49EEE59F.603@redhat.com>
Message-ID: <49EF6D97.9070001@redhat.com>

Pavel Zuna wrote:
> Patch 0001: Introduce AlreadyGroupMember exception, raised when a member
> is attempted to be re-added to a group.
>
> The EmptyModlist exception is currently used when this error occurs.
>
>
> Patch 0002: Throw AlreadyGroupMember instead of EmptyModlist when trying
> to re-add member to a group.
>
> Make use of the new exception.
>
>
> Pavel

Ack x2 and pushed to master

From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Apr 2009 15:26:22 -0400
Subject: [Freeipa-devel] [PATCH] 183 Fix some python style issues in host plugin
Message-ID: <49EF6F5E.1060706@redhat.com>

Fix some python style issues in the host plugin.

rob

[Attachment: freeipa-183-style.patch, application/mbox, 1169 bytes]

From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Apr 2009 15:27:32 -0400
Subject: [Freeipa-devel] [PATCH] 184 change dogtag port
Message-ID: <49EF6FA4.7090601@redhat.com>

Dogtag keeps telling me that I should use port 9444 and not 9443 so I'm going to listen.

rob

[Attachment: freeipa-184-port.patch, application/mbox, 713 bytes]
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Apr 2009 15:30:10 -0400
Subject: [Freeipa-devel] [PATCH] 185 fix small issue with RequiresRoot
Message-ID: <49EF7042.9090404@redhat.com>

Fix small import error on RequiresRoot and make a note to do more fine-grained access control in the future.

I think ultimately this will become something like LacksPermission(reason). As Simo pointed out, doing this will require a thorough understanding of what we're reading/writing and why rather than the cover-all-bases approach of requiring root for everything. We just need to be careful that this doesn't encourage people to screw up their FS permissions just so they can write things.

rob

[Attachment: freeipa-185-root.patch, application/mbox, 1320 bytes]

From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Apr 2009 15:31:45 -0400
Subject: [Freeipa-devel] [PATCH] 186 Use XML routines in ra plugin
Message-ID: <49EF70A1.4030101@redhat.com>

Some of the data coming back from dogtag is a horrific javascript jumble, some of it is valid XML. In the case of XML let's use xml parsing functions instead.

Also strip any CR/LF off stored passwords. Leaving them in will cause NSS certdb authentication issues.

rob

[Attachment: freeipa-186-ra.patch, application/mbox, 2870 bytes]
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Apr 2009 15:32:33 -0400
Subject: [Freeipa-devel] [PATCH] 187 Add dogtag library
Message-ID: <49EF70D1.1010003@redhat.com>

Add a new python library for dogtag related functions. Right now it only handles fetching the CA cert chain but I suspect it will grow with time.

rob

[Attachment: freeipa-187-dogtag.patch, application/mbox, 1959 bytes]

From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Apr 2009 15:49:03 -0400
Subject: [Freeipa-devel] [PATCH] 188 Add temporary certdb library
Message-ID: <49EF74AF.9090702@redhat.com>

Add a new class for handling temporary NSS certificate database. The only current consumer is the join plugin.

This patch also contains the start of issuing server certs in the join plugin.

rob

[Attachment: freeipa-188-certdb.patch, application/mbox, 7777 bytes]

From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Apr 2009 15:50:05 -0400
Subject: [Freeipa-devel] [PATCH] 189 finish up join issuing SSL certs
Message-ID: <49EF74ED.2080700@redhat.com>

Finish up the join plugin to issue SSL server certs.

rob

[Attachment: freeipa-189-join.patch, application/mbox, 3734 bytes]
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Apr 2009 15:50:39 -0400
Subject: [Freeipa-devel] [PATCH] 190 Use dogtag functions
Message-ID: <49EF750F.6090307@redhat.com>

Use the CA cert fetch function in the CA installer.

rob

[Attachment: freeipa-190-chain.patch, application/mbox, 1553 bytes]

From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Apr 2009 17:14:48 -0400
Subject: [Freeipa-devel] [PATCH] Add python-nss as a dependency
Message-ID: <49EF88C8.6010609@redhat.com>

Add the python-nss package as a dependency.

rob

[Attachment: freeipa-191-nss.patch, application/mbox, 916 bytes]
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Wed, 22 Apr 2009 16:52:31 -0600
Subject: [Freeipa-devel] [PATCH] Add missing _sasl_auth variable and fix some minor bugs, all in ldap2.
In-Reply-To: <49EDDAD1.9090103@redhat.com>
References: <49EDD06E.80704@redhat.com> <49EDD1B3.3090902@redhat.com> <49EDDAD1.9090103@redhat.com>
Message-ID: <1240440751.7344.36.camel@jgd-dsk>

On Tue, 2009-04-21 at 16:40 +0200, Pavel Zuna wrote:
> Rob Crittenden wrote:
> > Pavel Zuna wrote:
> >> ldap2 currently isn't functional without this patch.
> >>
> >> Pavel
> >
> > This patch does a lot more than just add the _sasl_auth variable. What
> > is the purpose of the other changes?
> Sorry my bad, I made more changes and forgot about it when making the patch.
> I'll make separate patches for the other changes, namely:
>
> - added a new keyword argument to ldap2.make_filter and
> ldap2.make_filter_from_attr, the boolean 'exact'.
>
> If it's True, filter is built as (attribute=value), else (attribute=*value*).
>
> - moved ldap2.__handle_errors to _handle_errors outside of the ldap2 class
>
> It can't be in the class itself, because it is used in the _load_schema
> function. I didn't notice this at first.
>
> OT: I don't like using private ('__' prefix) when not absolutely necessary. I
> think it's a little bit unpythonic. If a name starts with _, everyone knows
> it's not intended to be used outside the scope/class it was defined in, but they
> still have the freedom to do as they please at their own risk.
>
> - when raising exceptions with no arguments, use 'raise ExceptionClass' instead
> of 'raise ExceptionClass()'

I need to clarify the documentation on PublicError and its subclasses, their intended use, because there seems to be a lot of confusion around them.

PublicError is not just a custom exception, but also a way to relay *translated* error messages to the user. The translation must happen at the time the exception is raised because each request can be in a different locale. Among other things, PublicError.__init__() does the gettext translation of the error message using a thread-local gettext.Translation instance initialized with the correct locale. Not code still needs implemented, but we should really get in the habit of raising instances instead of classes, if your custom exception doesn't take any arguments. I'll try to clarify the docstrings on this this week.

> Well, that's just a matter of preference I guess and I only changed it to make
> it more consistent with the way I usually write it. I'll change it back, since
> the second form seems to be in favor in freeIPA code.
>
> > IIRC Jason has said it is good practice to include () when raising an
> > exception.
> >
> > rob
>
> Pavel

From: jderose at redhat.com (Jason Gerard DeRose)
Date: Wed, 22 Apr 2009 21:28:37 -0600
Subject: [Freeipa-devel] [PATCH] 183 Fix some python style issues in host plugin
In-Reply-To: <49EF6F5E.1060706@redhat.com>
References: <49EF6F5E.1060706@redhat.com>
Message-ID: <1240457317.7344.79.camel@jgd-dsk>

On Wed, 2009-04-22 at 15:26 -0400, Rob Crittenden wrote:
> Fix some python style issues in the host plugin.
>
> rob

ack.

From: sbose at redhat.com (Sumit Bose)
Date: Thu, 23 Apr 2009 12:03:17 +0200
Subject: [Freeipa-devel] [PATCH] fixes for user and group creation in LOCAL domain
Message-ID: <49F03CE5.8000206@redhat.com>

Hi,

this patch will fix two issues I found when running the proposed test for the Fedora test day.

bye,
Sumit

[Attachment: 0001-fixes-for-user-and-group-creation-in-LOCAL-domain.patch, text/x-patch, 2240 bytes]
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 23 Apr 2009 13:14:52 +0200
Subject: [Freeipa-devel] [PATCH] Make LDAP entry output slightly nicer, don't print u's in front of unicode strings etc.
In-Reply-To: <49EF6B2D.1060908@redhat.com>
References: <49EDCE49.60907@redhat.com> <49EF6B2D.1060908@redhat.com>
Message-ID: <49F04DAC.8040602@redhat.com>

Rob Crittenden wrote:
> Pavel Zuna wrote:
>> Minor change to the way textui.print_entry works. The old version was
>> printing the python representation of values, which looks weird for
>> users not familiar with python, especially with unicode strings having
>> the letter 'u' prepended to them. I think it's a bit nicer this way
>> and no value is lost.
>>
>> Pavel
>
> Partial ack.
>
> This is a good addition but at least the env plugin should continue
> using repr.
>
> We really need both capabilities. How about adding either a second
> function (or perhaps a flag) to do the repr() version and change the env
> plugin to use that.
>
> Can you resubmit with these changes?
>
> rob

The env plugin uses textui.print_keyval that uses repr(), although not explicitly.

    print '%s = %r' % (key, value)  # same as: print '%s = %s' % (key, repr(value))

Pavel
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 23 Apr 2009 13:33:34 +0200
Subject: [Freeipa-devel] [PATCH] Fix filter generator in ldapapi. Shouldn't produce invalid filters anymore.
In-Reply-To: <49EF6CF2.6070703@redhat.com>
References: <49EDCF73.9090001@redhat.com> <49EF6CF2.6070703@redhat.com>
Message-ID: <49F0520E.8030202@redhat.com>

Rob Crittenden wrote:
> Pavel Zuna wrote:
>> ldap search method was generating invalid filters when the list of
>> search keywords was empty making it impossible to search by
>> objectClass or base alone.
>>
>> Pavel
>
> Before I ack, under what conditions are there no search keywords?
>
> rob

Some cases I can think of now:

1) We want to specify our own filter using the sfilter keyword argument without any additional filters generated by the ldapapi.

2) Searching by objectclass only like this:

    search_kw['objectclass'] = 'posixUser'  # generates invalid filter

(There was a workaround for this though: search_kw['objectClass'] = 'posixUser')

3) Searching by base/scope only, for example searching for all direct subentries of DN:

    search_kw['base'] = DN
    search_kw['scope'] = 'one'

Pavel

From: sbose at redhat.com (Sumit Bose)
Date: Thu, 23 Apr 2009 13:45:31 +0200
Subject: [Freeipa-devel] [PATCH] removed length of unused element from packet size calculation
Message-ID: <49F054DB.1040304@redhat.com>

Hi,

this patch will fix a seg fault when sssd_pam is called with an unknown user.

bye,
Sumit

[Attachment: 0001-removed-length-of-unused-element-from-packet-size-ca.patch, text/x-patch, 1155 bytes]
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 23 Apr 2009 13:48:05 +0200
Subject: [Freeipa-devel] [PATCH] allow to forward the authtok to other pam modules
Message-ID: <49F05575.4000903@redhat.com>

Hi,

this patch makes pam_sss.so play nicely with other pam modules which want to use try_first_pass or use_first_pass.

bye,
Sumit

[Attachment: 0001-allow-to-forward-the-authtok-to-other-pam-modules.patch, text/x-patch, 1868 bytes]

From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 23 Apr 2009 07:48:41 -0400
Subject: [Freeipa-devel] [PATCH] fixes for user and group creation in LOCAL domain
In-Reply-To: <49F03CE5.8000206@redhat.com>
References: <49F03CE5.8000206@redhat.com>
Message-ID: <1240487321.5696.9.camel@hopeson>

On Thu, 2009-04-23 at 12:03 +0200, Sumit Bose wrote:
>
> Hi,
>
> this patch will fix two issues I found when running the proposed test
> for the Fedora test day.

Ack

From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 23 Apr 2009 07:49:26 -0400
Subject: [Freeipa-devel] [PATCH] removed length of unused element from packet size calculation
In-Reply-To: <49F054DB.1040304@redhat.com>
References: <49F054DB.1040304@redhat.com>
Message-ID: <1240487366.5696.11.camel@hopeson>

On Thu, 2009-04-23 at 13:45 +0200, Sumit Bose wrote:
>
> this patch will fix a seg fault when sssd_pam is called with an
> unknown user.

Ack

Simo.
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 23 Apr 2009 07:52:56 -0400
Subject: [Freeipa-devel] [PATCH] allow to forward the authtok to other pam modules
In-Reply-To: <49F05575.4000903@redhat.com>
References: <49F05575.4000903@redhat.com>
Message-ID: <1240487576.5696.13.camel@hopeson>

On Thu, 2009-04-23 at 13:48 +0200, Sumit Bose wrote:
>
> this patch makes pam_sss.so play nicely with other pam modules which
> want to use try_first_pass or use_first_pass.

Ack.

Simo.

From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 23 Apr 2009 14:59:04 +0200
Subject: [Freeipa-devel] [PATCH] Rename errors2.py to errors.py
In-Reply-To: <20090420233048.59dccb18@notas>
References: <49ECE522.2080406@redhat.com> <20090420233048.59dccb18@notas>
Message-ID: <49F06618.4070803@redhat.com>

Martin Nagy wrote:
> Rob Crittenden wrote:
>> The renaming will be completed with this patch.
>>
>> rob
>
> Tip for today: use -M when generating patches with renames to avoid big
> patches :) [1]
>
> [1] http://lkml.org/lkml/2009/4/9/367
>
> Martin

I wanted to ack the patch, but there were some more patches since this was posted and it won't apply anymore. So, I took the liberty of making a new patch based on yours (with -M to make Martin happy ;-)). I hope you don't mind.

Pavel

[Attachment: 0001-Rename-errors2.py-to-errors.py.-Modify-all-affected.patch, application/mbox, 86368 bytes]
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 23 Apr 2009 09:07:09 -0400
Subject: [Freeipa-devel] [PATCH] fixes for user and group creation in LOCAL domain
In-Reply-To: <1240487321.5696.9.camel@hopeson>
References: <49F03CE5.8000206@redhat.com> <1240487321.5696.9.camel@hopeson>
Message-ID: <49F067FD.7030007@redhat.com>

Simo Sorce wrote:
> On Thu, 2009-04-23 at 12:03 +0200, Sumit Bose wrote:
>> Hi,
>>
>> this patch will fix two issues I found when running the proposed test
>> for the Fedora test day.
>
> Ack

Pushed to master.

--
Stephen Gallagher
RHCE 804006346421761
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 23 Apr 2009 09:07:18 -0400
Subject: [Freeipa-devel] [PATCH] removed length of unused element from packet size calculation
In-Reply-To: <1240487366.5696.11.camel@hopeson>
References: <49F054DB.1040304@redhat.com> <1240487366.5696.11.camel@hopeson>
Message-ID: <49F06806.6030003@redhat.com>

Simo Sorce wrote:
> On Thu, 2009-04-23 at 13:45 +0200, Sumit Bose wrote:
>> this patch will fix a seg fault when sssd_pam is called with an
>> unknown user.
>
> Ack
>
> Simo.

Pushed to master.

--
Stephen Gallagher
RHCE 804006346421761
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 23 Apr 2009 09:07:28 -0400
Subject: [Freeipa-devel] [PATCH] allow to forward the authtok to other pam modules
In-Reply-To: <1240487576.5696.13.camel@hopeson>
References: <49F05575.4000903@redhat.com> <1240487576.5696.13.camel@hopeson>
Message-ID: <49F06810.1070005@redhat.com>

Simo Sorce wrote:
> On Thu, 2009-04-23 at 13:48 +0200, Sumit Bose wrote:
>>
>> this patch makes pam_sss.so play nicely with other pam modules which
>> want to use try_first_pass or use_first_pass.
>
> Ack.
>
> Simo.

Pushed to master.

--
Stephen Gallagher
RHCE 804006346421761
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 23 Apr 2009 10:23:26 -0400
Subject: [Freeipa-devel] [PATCH] Fix filter generator in ldapapi. Shouldn't produce invalid filters anymore.
In-Reply-To: <49F0520E.8030202@redhat.com>
References: <49EDCF73.9090001@redhat.com> <49EF6CF2.6070703@redhat.com> <49F0520E.8030202@redhat.com>
Message-ID: <49F079DE.7070704@redhat.com>

Pavel Zuna wrote:
> Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> ldap search method was generating invalid filters when the list of
>>> search keywords was empty making it impossible to search by
>>> objectClass or base alone.
>>>
>>> Pavel
>>
>> Before I ack, under what conditions are there no search keywords?
>>
>> rob
> Some cases I can think of now:
>
> 1) We want to specify our own filter using the sfilter keyword argument
> without any additional filters generated by the ldapapi.
>
> 2) Searching by objectclass only like this:
>
>     search_kw['objectclass'] = 'posixUser'  # generates invalid filter
>
> (There was a workaround for this though: search_kw['objectClass'] =
> 'posixUser')
>
> 3) Searching by base/scope only, for example searching for all direct
> subentries of DN:
>
>     search_kw['base'] = DN
>     search_kw['scope'] = 'one'
>
> Pavel

Ok, works for me. Ack and pushed to master

rob
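An added example, not FreeIPA's ldapapi or ldap2 code, that builds search filters the way the thread describes: the three no-keyword cases Pavel lists above produce a valid filter instead of an empty one, and the 'exact' flag from the make_filter* patch acked earlier switches between (attribute=value) and (attribute=*value*). The parameter names other than 'exact' and 'sfilter' are assumptions; assertion values are escaped per RFC 4515 so a user-supplied search term cannot restructure the filter.

```python
# Added example (not FreeIPA's ldapapi/ldap2): a filter builder that never
# emits an invalid filter. With no search keywords at all it returns a
# presence filter so base/scope-only searches work; 'exact' selects
# equality vs. substring matching; values are RFC 4515 escaped so input
# such as "a*)(uid=*" stays a literal value rather than new filter syntax.
# Parameter names other than 'exact' and 'sfilter' are assumptions.


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    out = []
    for ch in str(value):
        if ch in '*()\\\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def make_filter_from_attr(attr, value, exact=True):
    """One assertion: (attr=value) when exact, else substring (attr=*value*).

    An empty substring value would yield the invalid (attr=**), so that
    case degrades to the presence filter (attr=*)."""
    escaped = escape_filter_value(value)
    if exact:
        return '(%s=%s)' % (attr, escaped)
    if not escaped:
        return '(%s=*)' % attr
    return '(%s=*%s*)' % (attr, escaped)


def make_filter(search_kw, exact=True, sfilter=None):
    """AND together one assertion per search keyword plus an optional
    caller-supplied filter string (case 1 above). With nothing to match
    on (cases 2 and 3 once objectclass/base/scope are handled elsewhere)
    return (objectClass=*), which matches every entry under the base."""
    parts = [make_filter_from_attr(attr, value, exact)
             for attr, value in sorted(search_kw.items())]
    if sfilter is not None:
        # sfilter is filter text written by the caller, not user input,
        # but it still has to be one complete parenthesised filter.
        if not (sfilter.startswith('(') and sfilter.endswith(')')):
            raise ValueError('sfilter must be a complete (...) filter')
        parts.append(sfilter)
    if not parts:
        return '(objectClass=*)'
    if len(parts) == 1:
        return parts[0]
    return '(&%s)' % ''.join(parts)
```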
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 23 Apr 2009 10:25:50 -0400
Subject: [Freeipa-devel] [PATCH] Make LDAP entry output slightly nicer, don't print u's in front of unicode strings etc.
In-Reply-To: <49F04DAC.8040602@redhat.com>
References: <49EDCE49.60907@redhat.com> <49EF6B2D.1060908@redhat.com> <49F04DAC.8040602@redhat.com>
Message-ID: <49F07A6E.1030902@redhat.com>

Pavel Zuna wrote:
> Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> Minor change to the way textui.print_entry works. The old version was
>>> printing the python representation of values, which looks weird for
>>> users not familiar with python, especially with unicode strings
>>> having the letter 'u' prepended to them. I think it's a bit nicer
>>> this way and no value is lost.
>>>
>>> Pavel
>>>
>>
>> Partial ack.
>>
>> This is a good addition but at least the env plugin should continue
>> using repr.
>>
>> We really need both capabilities. How about adding either a second
>> function (or perhaps a flag) to do the repr() version and change the
>> env plugin to use that.
>>
>> Can you resubmit with these changes?
>>
>> rob
> The env plugin uses textui.print_keyval that uses repr(), although not
> explicitly.
>
>     print '%s = %r' % (key, value)  # same as: print '%s = %s' % (key, repr(value))
>
> Pavel

Ah, right you are. Ack and pushed to master.

rob
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 23 Apr 2009 10:29:07 -0400
Subject: [Freeipa-devel] [PATCH] Rename errors2.py to errors.py
In-Reply-To: <49F06618.4070803@redhat.com>
References: <49ECE522.2080406@redhat.com> <20090420233048.59dccb18@notas> <49F06618.4070803@redhat.com>
Message-ID: <49F07B33.6090509@redhat.com>

Pavel Zuna wrote:
> Martin Nagy wrote:
>> Rob Crittenden wrote:
>>> The renaming will be completed with this patch.
>>>
>>> rob
>>
>> Tip for today: use -M when generating patches with renames to avoid big
>> patches :) [1]
>>
>> [1] http://lkml.org/lkml/2009/4/9/367
>>
>> Martin
>
> I wanted to ack the patch, but there were some more patches since this
> was posted and it won't apply anymore. So, I took the liberty of making
> a new patch based on yours (with -M to make Martin happy ;-)). I hope
> you don't mind.
>
> Pavel

That's fine. Ack and pushed to master

rob

From: sbose at redhat.com (Sumit Bose)
Date: Thu, 23 Apr 2009 16:46:03 +0200
Subject: [Freeipa-devel] [PATCH] fix for pam proxy chauthtok
Message-ID: <49F07F2B.3030806@redhat.com>

Hi,

users coming via proxy backend (LEGACYLOCAL) can reset their passwords without providing a valid old password. This patch should fix this.

bye,
Sumit

[Attachment: 0001-fix-for-pam-proxy-chauthtok.patch, text/x-patch, 5482 bytes]
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 23 Apr 2009 17:39:29 +0200
Subject: [Freeipa-devel] [PATCH] 186 Use XML routines in ra plugin
In-Reply-To: <49EF70A1.4030101@redhat.com>
References: <49EF70A1.4030101@redhat.com>
Message-ID: <49F08BB1.2020304@redhat.com>

Rob Crittenden wrote:
> Some of the data coming back from dogtag is a horrific javascript
> jumble, some of it is valid XML. In the case of XML let's use xml parsing
> functions instead.
>
> Also strip any CR/LF off stored passwords. Leaving them in will cause
> NSS certdb authentication issues.
>
> rob

I don't know much about dogtag, but after playing a bit with xml.dom.minidom, I think some of the checks in this patch need to be changed.

    doc = xml.dom.minidom.parseString(stdout)
    item_node = doc.getElementByTagName('Status')
    # if there's no Status tag, item_node is empty, item_node[0] raises IndexError
    # if the value is empty ('') item_node[0].childNodes is empty, item_node[0].childNodes[0] raises IndexError
    status = item_node[0].childNodes[0].data
    # I think that status will never be None at this point
    if status is not None:
        #...

Something like this would probably make more sense:

    item_node = doc.getElementsByTagName('Status')
    try:
        status = item_node[0].childNodes[0].data
    except (IndexError, AttributeError):
        pass
    else:
        response['status'] = status

Other than that, it looks fine. As I said I know almost nothing about dogtag, so maybe I'm wrong. I'm just commenting on what I can read from the code alone.

Pavel
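As an added illustration of the two failure cases Pavel raises (not the ra plugin's code), the helper below extracts simple elements from a dogtag-style XML reply with xml.dom.minidom and treats a missing <Status> element and an empty one the same way, without raising. The sample documents and the element names other than Status are constructed for the example.

```python
# Added example, not the ra plugin's code. xml.dom.minidom is the module the
# review discusses; note the stdlib XML parsers are not hardened against
# maliciously constructed documents, so an untrusted reply would want
# defusedxml in front of this. Sample documents below are constructed.
import xml.dom.minidom


def get_text_node(doc, tag):
    """Text of the first <tag> element, or None when the element is absent
    (IndexError on nodes[0]), is empty (IndexError on childNodes[0]), or
    holds a child element rather than text (no .data -> AttributeError)."""
    nodes = doc.getElementsByTagName(tag)
    try:
        return nodes[0].childNodes[0].data
    except (IndexError, AttributeError):
        return None


def parse_response(xml_text):
    """Build a response dict; a key is set only when the element carried
    text, so a caller can tell 'not reported' from 'reported as empty'."""
    doc = xml.dom.minidom.parseString(xml_text)
    response = {}
    for tag in ('Status', 'RequestId', 'Error'):  # RequestId/Error assumed
        value = get_text_node(doc, tag)
        if value is not None:
            # dogtag-style output may carry surrounding whitespace/CRLF;
            # strip it as the patch does for stored passwords.
            response[tag.lower()] = value.strip()
    return response


# Constructed sample replies covering the normal, empty and missing cases.
FULL = '<xml><Status>0</Status><RequestId>  17\r\n</RequestId></xml>'
EMPTY = '<xml><Status></Status></xml>'
MISSING = '<xml><Error>bad request</Error></xml>'
NESTED = '<xml><Status><code>0</code></Status></xml>'
```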
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 23 Apr 2009 17:40:30 +0200
Subject: [Freeipa-devel] [PATCH] 187 Add dogtag library
In-Reply-To: <49EF70D1.1010003@redhat.com>
References: <49EF70D1.1010003@redhat.com>
Message-ID: <49F08BEE.7020703@redhat.com>

Rob Crittenden wrote:
> Add a new python library for dogtag related functions. Right now it only
> handles fetching the CA cert chain but I suspect it will grow with time.
>
> rob

ack.

Pavel

From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 23 Apr 2009 17:47:52 +0200
Subject: [Freeipa-devel] [PATCH] Add python-nss as a dependency
In-Reply-To: <49EF88C8.6010609@redhat.com>
References: <49EF88C8.6010609@redhat.com>
Message-ID: <49F08DA8.7020201@redhat.com>

Rob Crittenden wrote:
> Add the python-nss package as a dependency.
>
> rob

ack.

Pavel

From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 23 Apr 2009 18:22:51 +0200
Subject: [Freeipa-devel] [PATCH] 190 Use dogtag functions
In-Reply-To: <49EF750F.6090307@redhat.com>
References: <49EF750F.6090307@redhat.com>
Message-ID: <49F095DB.6080605@redhat.com>

Rob Crittenden wrote:
> Use the CA cert fetch function in the CA installer.
>
> rob

ack.

Pavel

From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 23 Apr 2009 12:25:48 -0400
Subject: [Freeipa-devel] [PATCH] fix for pam proxy chauthtok
In-Reply-To: <49F07F2B.3030806@redhat.com>
References: <49F07F2B.3030806@redhat.com>
Message-ID: <1240503948.25715.0.camel@hopeson>

On Thu, 2009-04-23 at 16:46 +0200, Sumit Bose wrote:
>
> users coming via proxy backend (LEGACYLOCAL) can reset their passwords
> without providing a valid old password. This patch should fix this.

Ack!

Simo.
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 24 Apr 2009 11:21:23 +0200
Subject: [Freeipa-devel] [PATCH] handle pam acct_mgmt, setcred and open/close_session before user bind in ldap backend
Message-ID: <49F18493.7040306@redhat.com>

Hi,

this patch moves the response to pam_acct_mgmt, pam_setcred, pam_open_session and pam_close_session before the bind request with user dn. For the requests mentioned above we do not send any credentials to the backend and will fail because the user bind fails. I'm wondering why I first see this when testing with rawhide1.fedoraproject.org, because it seemed to work with my local openLDAP server.

This patch is needed to make the PAM_LDAP_Native test work.

bye,
Sumit

[Attachment: 0001-handle-pam-acct_mgmt-setcred-and-open-close_session.patch, text/x-patch, 1478 bytes]

From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 24 Apr 2009 05:50:21 -0400
Subject: [Freeipa-devel] [PATCH] handle pam acct_mgmt, setcred and open/close_session before user bind in ldap backend
In-Reply-To: <49F18493.7040306@redhat.com>
References: <49F18493.7040306@redhat.com>
Message-ID: <1240566621.25715.8.camel@hopeson>

On Fri, 2009-04-24 at 11:21 +0200, Sumit Bose wrote:
>
> this patch moves the response to pam_acct_mgmt, pam_setcred,
> pam_open_session and pam_close_session before the bind request with
> user dn. For the requests mentioned above we do not send any credentials to
> the backend and will fail because the user bind fails. I'm wondering
> why I first see this when testing with rawhide1.fedoraproject.org, because
> it seemed to work with my local openLDAP server.
>
> This patch is needed to make the PAM_LDAP_Native test work.

ack

Simo.
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 24 Apr 2009 12:13:43 +0200
Subject: [Freeipa-devel] [PATCH] lower fixed timeout values
Message-ID: <49F190D7.6030907@redhat.com>

Hi,

this patch lowers some hardcoded timeout values. 'getent groups' with rawhide1.fedoraproject.org needs some time on my notebook and while the client is waiting for 300s for a response the proxy backend got killed by the monitor and the sysdb call ran into a timeout, too.

bye,
Sumit

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-lower-fixed-timeout-values.patch
Type: text/x-patch
Size: 2812 bytes
Desc: not available
URL: 

From sbose at redhat.com Fri Apr 24 14:20:35 2009
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 24 Apr 2009 16:20:35 +0200
Subject: [Freeipa-devel] [PATCH] enable uid/gid generation again
Message-ID: <49F1CAB3.9080700@redhat.com>

Hi,

sorry but my range check patch was a bit flawed and disabled the uid/gid generation. This patch should fix it.

bye,
Sumit

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-enable-uid-gid-generation-again.patch
Type: text/x-patch
Size: 1697 bytes
Desc: not available
URL: 

From jhrozek at redhat.com Fri Apr 24 14:38:02 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 24 Apr 2009 16:38:02 +0200
Subject: [Freeipa-devel] [PATCH] enable uid/gid generation again
In-Reply-To: <49F1CAB3.9080700@redhat.com>
References: <49F1CAB3.9080700@redhat.com>
Message-ID: <1240583882.24700.20.camel@zeppelin.englab.brq.redhat.com>

On Fri, 2009-04-24 at 16:20 +0200, Sumit Bose wrote:
> Hi,
>
> sorry but my range check patch was bit flawed and disabled the uid/gid
> generation. This patch should fix it.
>
> bye,
> Sumit
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Ack.

From jhrozek at redhat.com Fri Apr 24 15:49:30 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 24 Apr 2009 17:49:30 +0200
Subject: [Freeipa-devel] [PATCH] fix manual UID assigment in sss_useradd
Message-ID: <1240588170.24700.31.camel@zeppelin.englab.brq.redhat.com>

att.

Jakub

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Fix-manual-setting-of-UID.patch
Type: text/x-patch
Size: 791 bytes
Desc: not available
URL: 

From jhrozek at redhat.com Fri Apr 24 15:49:47 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 24 Apr 2009 17:49:47 +0200
Subject: [Freeipa-devel] [PATCH] Invoke shadow-utils from sss_tools for legacy domains
Message-ID: <1240588187.24700.32.camel@zeppelin.englab.brq.redhat.com>

The attached patch addresses ticket #23. A few comments:

* when adding, the legacy tools are used when the user selects an ID from a legacy domain or outside any domain
* changing IDs is allowed only inside the same domain
* whether a domain is legacy proxying to files is determined by looking directly at confdb: if provider is set to "proxy" and libName to "files"

Jakub

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-invoke-shadow-utils-in-sss_-tools.patch
Type: text/x-patch
Size: 26431 bytes
Desc: not available
URL: 

From jhrozek at redhat.com Fri Apr 24 17:20:55 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 24 Apr 2009 19:20:55 +0200
Subject: [Freeipa-devel] [PATCH] stress test
Message-ID: <1240593655.24700.41.camel@zeppelin.englab.brq.redhat.com>

I wrote this some time ago, but forgot to post it.. sorry.

Attached is a simple stress test for sssd that reads or generates a list of usernames or groupnames, forks a process for every name and asks for a single name via getpwnam/getgrnam.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Stress-test.patch
Type: text/x-patch
Size: 11133 bytes
Desc: not available
URL: 

From rcritten at redhat.com Fri Apr 24 19:37:21 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 24 Apr 2009 15:37:21 -0400
Subject: [Freeipa-devel] [PATCH] 192 Add task and ACI so ipa-getkeytab can be delegated
Message-ID: <49F214F1.3040501@redhat.com>

Add an ACI so we can delegate writing the krbPrincipalKey of host entries, to be used for granting the ability to create keytabs for a service principal.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-192-aci.patch
Type: application/mbox
Size: 1464 bytes
Desc: not available
URL: 

From rcritten at redhat.com Fri Apr 24 19:56:21 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 24 Apr 2009 15:56:21 -0400
Subject: [Freeipa-devel] [PATCH] 186 Use XML routines in ra plugin
In-Reply-To: <49F08BB1.2020304@redhat.com>
References: <49EF70A1.4030101@redhat.com> <49F08BB1.2020304@redhat.com>
Message-ID: <49F21965.6030509@redhat.com>

Pavel Zuna wrote:
> Rob Crittenden wrote:
>> Some of the data coming back from dogtag is a horrific javascript
>> jumble, some of it is valid XML. In the case of XML let's use xml
>> parsing functions instead.
>>
>> Also strip any CR/LF off stored passwords. Leaving them in will cause
>> NSS certdb authentication issues.
>>
>> rob
> I don't know much about dogtag, but after playing a bit with
> xml.dom.minidom, I think some of the checks in this patch need to be
> changed.
>
> doc = xml.dom.minidom.parseString(stdout)
>
> item_node = doc.getElementByTagName('Status')
> # if there's no Status tag, item_node is empty, item_node[0] raises
> IndexError
> # if the value is empty ('') item_node[0].childNodes is
> empty, item_node.childNodes[0] raises IndexError
> status = item_node[0].childNodes[0].data
> # I think that status will never be None at this point
> if status is not None:
>     #...
>
> Something like this would probably make more sense:
>
> item_node = doc.getElementsByTagName('Status')
> try:
>     status = item_node[0].childNodes[0].data
> except (IndexError, AttributeError):
>     pass
> else:
>     response['status'] = status
>
> Other than that, it looks fine.
>
> As I said I know almost nothing about dogtag, so maybe I'm wrong. I'm
> just commenting on what I can read from the code alone.
>
> Pavel

Bah, thanks for catching that. I've attached a revised patch.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-186-2-ra.patch
Type: application/mbox
Size: 2758 bytes
Desc: not available
URL: 

From rcritten at redhat.com Fri Apr 24 20:23:13 2009
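Pavel's review boils down to two failure modes of `getElementsByTagName(...)[0].childNodes[0].data`: the tag may be absent (first `IndexError`) and the tag may be present but empty (second `IndexError`), plus a third, an element child instead of a text node (`AttributeError`). The function below is an added example, not the ra plugin's code: it wraps that lookup the way the review suggests, keeps the "only set the key when a value was found" shape, and additionally catches `ExpatError` so that a non-XML response (Rob's "javascript jumble") is reported instead of raised. The response documents are constructed samples; `Status` is the only element name taken from the thread, the root element and the `Error` tag are hypothetical.

```python
import xml.dom.minidom
import xml.parsers.expat


def text_of_first(doc, tag):
    """Text content of the first <tag> element, or None.

    None covers both cases from the review: the tag is missing
    (IndexError on the element list) and the tag is empty, e.g.
    <Status/> or <Status></Status> (IndexError on childNodes).  A
    child that is an element rather than text raises AttributeError
    on .data and is treated the same way.
    """
    nodes = doc.getElementsByTagName(tag)
    try:
        return nodes[0].childNodes[0].data
    except (IndexError, AttributeError):
        return None


def parse_response(body, fields=(('status', 'Status'),)):
    """Collect selected element texts from an XML reply into a dict.

    fields maps result keys to element names.  A key is present only
    when the element carried a non-empty value, mirroring the
    'else: response[...] = ...' branch in the review.  Non-XML input
    is reported under 'error' rather than propagating ExpatError.
    """
    response = {}
    try:
        doc = xml.dom.minidom.parseString(body)
    except xml.parsers.expat.ExpatError as e:
        response['error'] = 'malformed XML: %s' % e
        return response
    for key, tag in fields:
        value = text_of_first(doc, tag)
        if value is not None:
            response[key] = value.strip()
    return response


# Constructed sample replies; <Response> and <Error> are hypothetical.
SAMPLE_OK = '<?xml version="1.0"?><Response><Status>0</Status></Response>'
SAMPLE_EMPTY = '<Response><Status></Status></Response>'
SAMPLE_MISSING = '<Response><Error>no such request</Error></Response>'
SAMPLE_BROKEN = 'var status = 0;'   # the non-XML "javascript jumble" case


if __name__ == '__main__':
    for name, body in (('ok', SAMPLE_OK), ('empty', SAMPLE_EMPTY),
                       ('missing', SAMPLE_MISSING), ('broken', SAMPLE_BROKEN)):
        print(name, parse_response(body, (('status', 'Status'),
                                          ('error', 'Error'))))
```

The value is stripped for the same reason Rob strips CR/LF off stored passwords: whitespace around an element's text is part of `.data` and would otherwise leak into comparisons.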
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 24 Apr 2009 16:23:13 -0400
Subject: [Freeipa-devel] [PATCH] 187 Add dogtag library
In-Reply-To: <49F08BEE.7020703@redhat.com>
References: <49EF70D1.1010003@redhat.com> <49F08BEE.7020703@redhat.com>
Message-ID: <49F21FB1.60202@redhat.com>

Pavel Zuna wrote:
> Rob Crittenden wrote:
>> Add a new python library for dogtag related functions. Right now it
>> only handles fetching the CA cert chain but I suspect it will grow
>> with time.
>>
>> rob
>
> ack.
>
> Pavel

pushed to master

From rcritten at redhat.com Fri Apr 24 20:23:38 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 24 Apr 2009 16:23:38 -0400
Subject: [Freeipa-devel] [PATCH] 185 fix small issue with RequiresRoot
In-Reply-To: <49EF7042.9090404@redhat.com>
References: <49EF7042.9090404@redhat.com>
Message-ID: <49F21FCA.1020203@redhat.com>

Rob Crittenden wrote:
> Fix small import error on RequiresRoot and make a note to do more
> fine-grained access control in the future.
>
> I think ultimately this will become something like LacksPermission(reason).
>
> As Simo pointed out, doing this will require a thorough understanding of
> what we're reading/writing and why rather than the cover-all-bases
> approach of requiring root for everything. We just need to be careful
> that this doesn't encourage people to screw up their FS permissions
> just so they can write things.
>
> rob

This was breaking the tree, pushed under the 1-liner rule.

rob

From sbose at redhat.com Mon Apr 27 07:22:37 2009
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 27 Apr 2009 09:22:37 +0200
Subject: [Freeipa-devel] [PATCH] fix manual UID assigment in sss_useradd
In-Reply-To: <1240588170.24700.31.camel@zeppelin.englab.brq.redhat.com>
References: <1240588170.24700.31.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <49F55D3D.4040202@redhat.com>

Jakub Hrozek schrieb:
> att.
>
> Jakub
>

ACK, although I'm wondering if this should be moved to sysdb_add_user together with a check if uid==gid in an MPG domain.

bye,
Sumit

From sgallagh at redhat.com Mon Apr 27 11:06:58 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 27 Apr 2009 07:06:58 -0400
Subject: [Freeipa-devel] [PATCH] lower fixed timeout values
In-Reply-To: <49F190D7.6030907@redhat.com>
References: <49F190D7.6030907@redhat.com>
Message-ID: <49F591D2.8080408@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sumit Bose wrote:
> Hi,
>
> this patch lowers some hardcoded timeout values. 'getent groups' with
> rawhide1.fedoraproject.org needs some time on my notebook and while the
> client is waiting for 300s for a response the proxy backend got killed
> by the monitor and the sysdb call run into a timeout, too.
>
> bye,
> Sumit
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Nack.

If we're going to lower those timeouts for these reasons, I'd rather see their value being tied to the timeouts they interfere with. For example, if the socket timeout is causing the monitor to kill the service, then we need to have a check in the configuration that the monitor check time must be greater than the socket timeout.

- --
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkn1kc8ACgkQeiVVYja6o6P4eACgi/HYfKw+zhmQ/Wchnq9s2aTv
v6gAoJXdD87I1oH4/uTgZpzk4Xnpg6PY
=gpdy
-----END PGP SIGNATURE-----

From sgallagh at redhat.com Mon Apr 27 11:24:05 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 27 Apr 2009 07:24:05 -0400
Subject: [Freeipa-devel] [PATCH] Invoke shadow-utils from sss_tools for legacy domains
In-Reply-To: <1240588187.24700.32.camel@zeppelin.englab.brq.redhat.com>
References: <1240588187.24700.32.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <49F595D5.2050308@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jakub Hrozek wrote:
> The attached patch addresses ticket #23. A few comments:
>
> * when adding, the legacy tools are used when user selects ID from
> legacy domain or outside any domain
> * changing IDs is allowed only inside the same domain
> * whether a domain is legacy proxying to files is determined by looking
> directly to confdb if provider is set to "proxy" and libName to "files"
>
> Jakub
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Nack.

The shadow-utils path needs to be a configure option, since it may not be in sbindir on all platforms.

In is_domain_local_legacy(), you check twice for strcasecmp(dom->provider, "proxy"). The second one (ANDed with the check for "files") is completely redundant, because it's sitting within the block from the previous check, and dom has not changed.

- --
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkn1lc8ACgkQeiVVYja6o6MLdgCePBkhNO0q7gWQJs+VzoyoZY6t
uP4An1aU+v3Dm+XT9luZHfS/w3ir8ezR
=IF2g
-----END PGP SIGNATURE-----

From sbose at redhat.com Mon Apr 27 11:35:06 2009
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 27 Apr 2009 13:35:06 +0200
Subject: [Freeipa-devel] [PATCH] lower fixed timeout values
In-Reply-To: <49F591D2.8080408@redhat.com>
References: <49F190D7.6030907@redhat.com> <49F591D2.8080408@redhat.com>
Message-ID: <49F5986A.4060807@redhat.com>

Stephen Gallagher schrieb:
> Sumit Bose wrote:
>> Hi,
>
>> this patch lowers some hardcoded timeout values. 'getent groups' with
>> rawhide1.fedoraproject.org needs some time on my notebook and while the
>> client is waiting for 300s for a response the proxy backend got killed
>> by the monitor and the sysdb call run into a timeout, too.
>
>> bye,
>> Sumit
>
>
>> ------------------------------------------------------------------------
>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> Nack.
>
> If we're going to lower those timeouts for these reasons, I'd rather see
> their value being tied to the timeouts they interfere with. For example,
> if the socket timeout is causing the monitor to kill the service, then
> we need to have a check in the configuration that the monitor check time
> must be greater than the socket timeout.
>

I agree, I think it would make sense to define a very small number of, or maybe only one, base timeout value and derive all others from it.

Do we want 'getent passwd' to return after a fixed time or only when all information is read and shown to the user?

bye,
Sumit

From sgallagh at redhat.com Mon Apr 27 11:37:44 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 27 Apr 2009 07:37:44 -0400
Subject: [Freeipa-devel] [PATCH] fix manual UID assigment in sss_useradd
In-Reply-To: <1240588170.24700.31.camel@zeppelin.englab.brq.redhat.com>
References: <1240588170.24700.31.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <49F59908.2000405@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jakub Hrozek wrote:
> att.
>
> Jakub
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Nack.

Unless this is an MPG domain, we cannot guarantee that gid==uid is available.

I think what we need to do here is this: If it's an MPG domain, set them equal. If it's a non-MPG domain, get the next available GID and use that.

- --
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkn1mQEACgkQeiVVYja6o6NBOwCggUMB3m+1MWB8szILd9th4Aed
x0AAn2AGj6HCoeP2VC58IYUIvpPZFc46
=+aGm
-----END PGP SIGNATURE-----

From sgallagh at redhat.com Mon Apr 27 11:39:18 2009
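Stephen's rule (MPG domain: gid must equal uid; otherwise: take the next free GID) together with Sumit's range check and his suggestion of a uid==gid check in sysdb_add_user amount to one small allocation routine. The following is an added example, not sss_useradd or sysdb code: the domain is a plain dict and the used-ID sets are constructed in place of a sysdb lookup. The point it makes beyond the thread is why the MPG case needs a check even for an automatically generated ID: in an MPG domain a UID is only usable if the same number is also free as a GID, so the search has to run over the union of both sets.

```python
# Added illustration of uid/gid allocation under the rules discussed in
# the thread.  Not SSSD code; 'domain' is a plain dict and the used-ID
# sets stand in for a sysdb query.


def next_free(used, lo, hi):
    """Lowest ID in [lo, hi] that is not in 'used', else RuntimeError."""
    for candidate in range(lo, hi + 1):
        if candidate not in used:
            return candidate
    raise RuntimeError('ID range %d-%d exhausted' % (lo, hi))


def allocate_ids(domain, used_uids, used_gids, requested_uid=None):
    """Return (uid, gid) for a new user in 'domain'.

    domain: {'mpg': bool, 'min_id': int, 'max_id': int}
    used_uids / used_gids: sets of IDs already taken in the domain
    requested_uid: a manually chosen UID, or None to generate one

    MPG domain: gid == uid, so the UID must be free in both sets.
    Non-MPG domain: gid is the next free GID, independent of the UID.
    """
    lo, hi = domain['min_id'], domain['max_id']
    mpg = domain['mpg']

    if requested_uid is None:
        # Generated UID: in an MPG domain the number doubles as the
        # GID, so search the union of both namespaces.
        pool = used_uids | used_gids if mpg else used_uids
        uid = next_free(pool, lo, hi)
    else:
        # Manual UID: enforce the range check before anything else.
        if not lo <= requested_uid <= hi:
            raise ValueError('uid %d outside domain range %d-%d'
                             % (requested_uid, lo, hi))
        if requested_uid in used_uids:
            raise ValueError('uid %d already in use' % requested_uid)
        uid = requested_uid

    if mpg:
        if uid in used_gids:
            raise ValueError('MPG domain needs gid == uid, but gid %d '
                             'is already in use' % uid)
        gid = uid
    else:
        gid = next_free(used_gids, lo, hi)
    return uid, gid


if __name__ == '__main__':
    mpg_domain = {'mpg': True, 'min_id': 1000, 'max_id': 1999}
    flat_domain = {'mpg': False, 'min_id': 1000, 'max_id': 1999}
    print(allocate_ids(mpg_domain, {1000}, {1001}))
    print(allocate_ids(flat_domain, {1000}, {1000, 1001}))
```

With the constructed sets above the MPG domain skips 1000 (used as a UID) and 1001 (used as a GID) and returns (1002, 1002); the non-MPG domain hands out uid 1001 and gid 1002 independently, and a manual uid of 1001 in the MPG domain is refused because its private group number is taken.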
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 27 Apr 2009 07:39:18 -0400 Subject: [Freeipa-devel] [PATCH] fix for pam proxy chauthtok In-Reply-To: <1240503948.25715.0.camel@hopeson> References: <49F07F2B.3030806@redhat.com> <1240503948.25715.0.camel@hopeson> Message-ID: <49F59966.5010300@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Simo Sorce wrote: > On Thu, 2009-04-23 at 16:46 +0200, Sumit Bose wrote: >> users coming via proxy backend (LEGACYLOCAL) can reset their passwords >> without providing a valid old password. This patch should fix this. > > Ack! > > Simo. > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Ack and pushed to master. - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEUEARECAAYFAkn1mWYACgkQeiVVYja6o6OjNwCYtT+zLVdTNHx8Dp4h7Ndxk2GR wQCeL/I9F8DnUTvgijgJpE1fhQL7fKQ= =+6BJ -----END PGP SIGNATURE----- From sgallagh at redhat.com Mon Apr 27 11:39:32 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 27 Apr 2009 07:39:32 -0400 Subject: [Freeipa-devel] [PATCH] handle pam acct_mgmt, setcred and open/close_session before user bind in ldap backend In-Reply-To: <1240566621.25715.8.camel@hopeson> References: <49F18493.7040306@redhat.com> <1240566621.25715.8.camel@hopeson> Message-ID: <49F59974.9030804@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Simo Sorce wrote: > On Fri, 2009-04-24 at 11:21 +0200, Sumit Bose wrote: >> this patch moves the response to pam_acct_mgmt, pam_setcred, >> pam_open_session and pam_close_session before the bind request with >> user >> dn. For the request mentioned above we do not send any credentials to >> the backend and will fail because the user bind fails. I'm wondering >> why >> I first see this when testing with rawhide1.fedoraproject.org, because >> it seemed to work with my local openLDAP server. >> >> This patch is needed to make the PAM_LDAP_Native test work. > > ack > > Simo. > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Ack and pushed to master. - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkn1mXQACgkQeiVVYja6o6NP2QCgsFH3gpCKb19MMua4qXvg91HY 9EAAniNXBzBviMejYEJO1X8WPOKqKiF/ =RBpj -----END PGP SIGNATURE----- From sgallagh at redhat.com Mon Apr 27 11:40:23 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 27 Apr 2009 07:40:23 -0400 Subject: [Freeipa-devel] [PATCH] enable uid/gid generation again In-Reply-To: <1240583882.24700.20.camel@zeppelin.englab.brq.redhat.com> References: <49F1CAB3.9080700@redhat.com> <1240583882.24700.20.camel@zeppelin.englab.brq.redhat.com> Message-ID: <49F599A7.10703@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jakub Hrozek wrote: > On Fri, 2009-04-24 at 16:20 +0200, Sumit Bose wrote: >> Hi, >> >> sorry but my range check patch was bit flawed and disabled the uid/gid >> generation. This patch should fix it. >> >> bye, >> Sumit >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > Ack. > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Ack and pushed to master. - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkn1macACgkQeiVVYja6o6NIRgCePxAH6JXkgHMrlJ//oAJJ3Fm4 WdsAoJHvc1fmGiHZ/SOA/wpoi52iPRct =1Aap -----END PGP SIGNATURE----- From sgallagh at redhat.com Mon Apr 27 11:47:00 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 27 Apr 2009 07:47:00 -0400 Subject: [Freeipa-devel] [PATCH] stress test In-Reply-To: <1240593655.24700.41.camel@zeppelin.englab.brq.redhat.com> References: <1240593655.24700.41.camel@zeppelin.englab.brq.redhat.com> Message-ID: <49F59B34.4000303@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jakub Hrozek wrote: > I wrote this some time ago, but forgot to post it..sorry. > > Attached is a simple stress test for sssd that reads or generates a list > of usernames or groupnames, forks a process for every name and asks for > a single name via getpwnam/getgrnam. > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Jakub, this does not apply cleanly against the current master. Please rebase it. - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkn1mzAACgkQeiVVYja6o6N4UQCcC8MbgHDwuU7baucpbYr67UIE 260AniSLEbBTCF5k+3+dkeAGTFj7k50n =eyRO -----END PGP SIGNATURE----- From sgallagh at redhat.com Mon Apr 27 12:24:52 2009 
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 27 Apr 2009 08:24:52 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Eliminate startup segfault in NSS and PAM
Message-ID: <49F5A414.1070207@redhat.com>

This is not a long-term fix, but it eliminates the segmentation fault for now. A better fix would be to rewrite the monitor such that none of the other services are launched until the Data Provider is alive, but that is much larger in scale. This will be done eventually, but I'm trying to get this patch out in time for the Fedora Test Day.

This patch will simply have sss_process_init() check whether the dp_ctx returned from sss_dp_init() is NULL, and return EIO if it is. This in turn will cause the service to exit gracefully and allow the monitor to restart it. The time it takes to do so should be ample for the Data Provider to finish loading.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Eliminate-segfault-on-NSS-and-PAM-responder-startup.patch
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
URL: 

From jhrozek at redhat.com Mon Apr 27 12:28:23 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 27 Apr 2009 14:28:23 +0200
Subject: [Freeipa-devel] [PATCH] stress test
In-Reply-To: <49F59B34.4000303@redhat.com>
References: <1240593655.24700.41.camel@zeppelin.englab.brq.redhat.com> <49F59B34.4000303@redhat.com>
Message-ID: <1240835303.31750.21.camel@zeppelin.englab.brq.redhat.com>

> Jakub, this does not apply cleanly against the current master. Please
> rebase it.
>

Sorry, attached once again.

Jakub

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Stress-test.patch
Type: text/x-patch
Size: 10994 bytes
Desc: not available
URL: 

From jhrozek at redhat.com Mon Apr 27 12:50:20 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 27 Apr 2009 14:50:20 +0200
Subject: [Freeipa-devel] [PATCH] Invoke shadow-utils from sss_tools for legacy domains
In-Reply-To: <49F595D5.2050308@redhat.com>
References: <1240588187.24700.32.camel@zeppelin.englab.brq.redhat.com> <49F595D5.2050308@redhat.com>
Message-ID: <1240836620.31750.30.camel@zeppelin.englab.brq.redhat.com>

On Mon, 2009-04-27 at 07:24 -0400, Stephen Gallagher wrote:
> Nack.
>
> Shadow utils path needs to be a configure option, since it may not be
> in
> sbindir on all platforms.
>
> In is_domain_local_legacy(), you check twice for
> strcasecmp(dom->provider, "proxy"). The second one (ANDed with the
> check
> for "files") is completely redundant, because it's sitting within the
> block from the previous check, and dom has not changed.

Thank you, new patch attached.

Jakub

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Invoke-shadow-utils-in-sss_-tools.patch
Type: text/x-patch
Size: 27499 bytes
Desc: not available
URL: 

From ssorce at redhat.com Mon Apr 27 13:20:54 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 27 Apr 2009 09:20:54 -0400
Subject: [Freeipa-devel] [PATCH] lower fixed timeout values
In-Reply-To: <49F5986A.4060807@redhat.com>
References: <49F190D7.6030907@redhat.com> <49F591D2.8080408@redhat.com> <49F5986A.4060807@redhat.com>
Message-ID: <1240838454.3591.13.camel@localhost.localdomain>

On Mon, 2009-04-27 at 13:35 +0200, Sumit Bose wrote:
> Stephen Gallagher schrieb:
> > Sumit Bose wrote:
> >> Hi,
> >
> >> this patch lowers some hardcoded timeout values. 'getent groups' with
> >> rawhide1.fedoraproject.org needs some time on my notebook and while the
> >> client is waiting for 300s for a response the proxy backend got killed
> >> by the monitor and the sysdb call run into a timeout, too.
> >
> >> bye,
> >> Sumit
> >
> >
> >> ------------------------------------------------------------------------
> >
> >> _______________________________________________
> >> Freeipa-devel mailing list
> >> Freeipa-devel at redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-devel
> >
> > Nack.
> >
> > If we're going to lower those timeouts for these reasons, I'd rather see
> > their value being tied to the timeouts they interfere with. For example,
> > if the socket timeout is causing the monitor to kill the service, then
> > we need to have a check in the configuration that the monitor check time
> > must be greater than the socket timeout.
> >
>
> I agree, I think it would make sense to define a very small number, or
> maybe only one, base timeout values and derive all other from them.
>
> Do we want 'getent passwd' to return after a fixed time or only when all
> information is read and shown to the user?

getent by definition is synchronous so it should wait. We have timeouts right now because we may still have bugs in the implementation and spots where we can't correctly catch if the operation will ever successfully finish.

But the timeout is only a last resort measure and anything below 5 minutes is going to be more harm than help.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From pzuna at redhat.com Mon Apr 27 14:41:08 2009
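The thread settles on three constraints rather than on particular numbers: the monitor's check interval must exceed the socket timeout (Stephen), all timeouts should be derived from one base value so they cannot drift apart (Sumit), and the client's last-resort timeout should not go below five minutes (Simo). The code below is an added example, not SSSD's configuration code: `derive_timeouts`, `validate_timeouts` and the multipliers are hypothetical, and the hard-coded set mirrors the situation Sumit reports (a 300 s client wait with a monitor that kills the backend sooner). It shows the weak configuration failing validation beside a derived one that passes.

```python
# Added example of tying timeouts together instead of hard-coding each.
# Not SSSD code; the names and multipliers are hypothetical.

MIN_LAST_RESORT = 300   # Simo: last-resort timeouts below 5 minutes do harm


def derive_timeouts(base):
    """Derive every timeout from one base value (seconds).

    The multipliers encode the ordering the thread asks for: the
    monitor check interval is longer than the socket timeout, and the
    client's last-resort wait is the longest of all.
    """
    return {
        'socket': base,               # responder waits this long for a backend reply
        'sysdb': base * 2,            # cache lookups get more than the socket
        'monitor_check': base * 3,    # monitor must outlast a slow backend
        'client_last_resort': base * 30,
    }


def validate_timeouts(t):
    """Return a list of human-readable problems; empty means consistent."""
    problems = []
    if t['monitor_check'] <= t['socket']:
        problems.append(
            'monitor_check (%ds) must be greater than socket (%ds): the '
            'monitor would kill a backend that is still answering'
            % (t['monitor_check'], t['socket']))
    if t['sysdb'] < t['socket']:
        problems.append(
            'sysdb (%ds) should not be shorter than socket (%ds): the '
            'cache call would time out before the backend does'
            % (t['sysdb'], t['socket']))
    if t['client_last_resort'] < MIN_LAST_RESORT:
        problems.append(
            'client_last_resort (%ds) is below the %ds minimum for a '
            'last-resort timeout' % (t['client_last_resort'], MIN_LAST_RESORT))
    return problems


# Constructed: independent hard-coded values, the shape the thread objects to.
HARDCODED = {
    'socket': 300,
    'sysdb': 120,
    'monitor_check': 60,
    'client_last_resort': 300,
}


if __name__ == '__main__':
    for label, cfg in (('hardcoded', HARDCODED),
                       ('derived(10)', derive_timeouts(10)),
                       ('derived(5)', derive_timeouts(5))):
        print(label, validate_timeouts(cfg) or 'ok')
```

Deriving from a base does not make validation redundant: `derive_timeouts(5)` satisfies the ordering constraints but still fails the five-minute floor, which is exactly the case a configuration check has to catch when an administrator lowers the base.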
From: pzuna at redhat.com (Pavel Zuna)
Date: Mon, 27 Apr 2009 16:41:08 +0200
Subject: [Freeipa-devel] [PATCH] 186 Use XML routines in ra plugin
In-Reply-To: <49F21965.6030509@redhat.com>
References: <49EF70A1.4030101@redhat.com> <49F08BB1.2020304@redhat.com> <49F21965.6030509@redhat.com>
Message-ID: <49F5C404.3090009@redhat.com>

Rob Crittenden wrote:
> Pavel Zuna wrote:
>> Rob Crittenden wrote:
>>> Some of the data coming back from dogtag is a horrific javascript
>>> jumble, some of it is valid XML. In the case of XML lets use xml
>>> parsing functions instead.
>>>
>>> Also strip any CR/LF off stored passwords. Leaving them in will cause
>>> NSS certdb authentication issues.
>>>
>>> rob
>> I don't know much about dogtag, but after playing a bit with
>> xml.dom.minidom, I think some of the checks in this patch need to be
>> changed.
>>
>> doc = xml.dom.minidom.parseString(stdout)
>>
>> item_node = doc.getElementByTagName('Status')
>> # if there's no Status tag, item_node is empty, item_node[0] raises
>> IndexError
>> # if the value is empty ('') item_node[0].childNodes
>> is empty, item_node.childNodes[0] raises IndexError
>> status = item_node[0].childNodes[0].data
>> # I think that status will never be None at this point
>> if status is not None:
>>     #...
>>
>> Something like this would probably make more sense:
>>
>> item_node = doc.getElementsByTagName('Status')
>> try:
>>     status = item_node[0].childNodes[0].data
>> except (IndexError, AttributeError):
>>     pass
>> else:
>>     response['status'] = status
>>
>> Other than that, it looks fine.
>>
>> As I said I know almost nothing about dogtag, so maybe I'm wrong. I'm
>> just commenting on what I can read from the code alone.
>>
>> Pavel
>
> Bah, thanks for catching that. I've attached a revised patch.
>
> rob

ack.

Pavel

From pzuna at redhat.com Mon Apr 27 14:56:06 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Mon, 27 Apr 2009 16:56:06 +0200
Subject: [Freeipa-devel] [PATCH] Change help interface to display builtin commands and a list of topics based on plugin modules.
Message-ID: <49F5C786.2070606@redhat.com>

Structured help interface. The same as before, but this time with even less ugly code and it applies to the current master branch.

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Change-help-interface-to-display-builtin-commands-an.patch
Type: application/mbox
Size: 4523 bytes
Desc: not available
URL: 

From pzuna at redhat.com Mon Apr 27 19:26:52 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Mon, 27 Apr 2009 21:26:52 +0200
Subject: [Freeipa-devel] [PATCHES] Make search filter generation a bit safer. Minor bug fixes/code improvements. + Add DNS management plugin port to the new ldap backend.
Message-ID: <49F606FC.2090209@redhat.com>

Patch 0001: Make search filter generation a bit safer. Minor bug fixes/code improvements.

- Make filter generation safer, for example if someone tries to generate a filter from an empty dict, the resulting filter will be '' instead of an exception thrown in the user's face.
- In find_entries the filter now defaults to '(objectClass=*)' when an empty string or None is passed to it, the same way ldapsearch does it.
- Corrects minor defects from previous patches.

Patch 0002: Add DNS management plugin port to the new ldap backend.

I know the word 'port' might seem a bit out of place, because most people on freeipa-devel haven't seen the original version for the old LDAP backend. I made the first version a long time ago and since it was my first plugin, it wasn't very good.

Anyway, this plugin is a bit special, because of the underlying LDAP schema. I tried to make its commands as powerful and easy to use as possible. Examples of use are in the module's docstring.

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Make-search-filter-generation-a-bit-safer.-Minor-bug.patch
Type: application/mbox
Size: 3359 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Add-DNS-management-plugin-port-to-the-new-ldap-backe.patch
Type: application/mbox
Size: 24348 bytes
Desc: not available
URL: 

From rcritten at redhat.com Mon Apr 27 19:45:30 2009
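Pavel's two behaviours, an empty attribute dict producing `''` rather than an exception and `find_entries` treating `''`/`None` as `(objectClass=*)`, are shown below in an added example that is not the ldap2 backend's code. `make_filter_from_attrs`, `normalize_search_filter` and `escape_filter_value` are hypothetical names. The example goes one step beyond the patch description: it escapes attribute values as RFC 4515 requires (`\`, `*`, `(`, `)` and NUL become `\XX`), since a filter assembled from caller-supplied values is otherwise a filter-injection point; the thread only talks about the empty-input cases.

```python
# Added example of defensive LDAP search-filter generation.  Not
# FreeIPA's ldap2 code; function names are hypothetical.


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 section 3.

    Backslash, '*', '(', ')' and NUL are replaced by backslash plus
    two hex digits, so a value can never change the filter's structure.
    """
    out = []
    for ch in value:
        if ch in '\\*()\0':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def make_filter_from_attrs(attrs, match_all=True):
    """Build a search filter from {attribute: value}.

    An empty dict yields '' (no exception), a single attribute yields
    a bare '(attr=value)', and several are joined with '&' (or '|'
    when match_all is False).  Keys are sorted so output is stable.
    """
    parts = ['(%s=%s)' % (name, escape_filter_value(str(value)))
             for name, value in sorted(attrs.items())]
    if not parts:
        return ''
    if len(parts) == 1:
        return parts[0]
    return '(%s%s)' % ('&' if match_all else '|', ''.join(parts))


def normalize_search_filter(filter_string):
    """What find_entries does with its filter argument: '' or None
    become '(objectClass=*)', the way ldapsearch treats a missing
    filter; anything else is passed through unchanged."""
    return filter_string if filter_string else '(objectClass=*)'


if __name__ == '__main__':
    print(repr(make_filter_from_attrs({})))
    print(make_filter_from_attrs({'uid': 'admin'}))
    # Constructed hostile value: without escaping the '*' and ')' would
    # turn a lookup for one user into a wildcard match.
    print(make_filter_from_attrs({'uid': '*)(uid=*', 'cn': 'x'}))
    print(normalize_search_filter(make_filter_from_attrs({})))
```

Note how the two halves fit together: the empty-dict case returns `''`, and `normalize_search_filter` then turns that into the match-everything filter, which is the explicit, visible behaviour the patch wants instead of an exception.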
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 27 Apr 2009 15:45:30 -0400
Subject: [Freeipa-devel] [PATCH] fix --setup-bind
Message-ID: <49F60B5A.2080804@redhat.com>

Fix the --setup-bind option. This creates the zone file used for auto-discovery. I guess I never tested this since changing the installer code.

Pushed to master under the 1-liner rule. This was causing the installer to bail out.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-193-bindsetup.patch
Type: application/mbox
Size: 875 bytes
Desc: not available
URL: 

From ssorce at redhat.com Mon Apr 27 20:12:59 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 27 Apr 2009 16:12:59 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Eliminate startup segfault in NSS and PAM
In-Reply-To: <49F5A414.1070207@redhat.com>
References: <49F5A414.1070207@redhat.com>
Message-ID: <1240863179.3591.91.camel@localhost.localdomain>

On Mon, 2009-04-27 at 08:24 -0400, Stephen Gallagher wrote:
> This is not a long-term fix, but it eliminates the segmentation fault
> for now. A better fix would be to rewrite the monitor such that none
> of
> the other services are launched until the Data Provider is alive, but
> that is much larger in scale. This will be done eventually, but I'm
> trying to get this patch out in time for the Fedora Test Day.
>
> This patch will simply have sss_process_init() check whether the
> dp_ctx
> returned from sss_dp_init() is NULL, and return EIO if it is. This in
> turn will cause the service to exit gracefully and allow the monitor
> to
> restart it. The time it takes to do so should be ample for the Data
> Provider to finish loading.

ack

--
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Mon Apr 27 20:30:46 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 27 Apr 2009 16:30:46 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Eliminate startup segfault in NSS and PAM In-Reply-To: <1240863179.3591.91.camel@localhost.localdomain> References: <49F5A414.1070207@redhat.com> <1240863179.3591.91.camel@localhost.localdomain> Message-ID: <49F615F6.9020808@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Simo Sorce wrote: > On Mon, 2009-04-27 at 08:24 -0400, Stephen Gallagher wrote: >> This is not a long-term fix, but it eliminates the segmentation fault >> for now. A better fix would be to rewrite the monitor such that none >> of >> the other services are launched until the Data Provider is alive, but >> that is much larger in scale. This will be done eventually, but I'm >> trying to get this patch out in time for the Fedora Test Day. >> >> This patch will simply have sss_process_init() check whether the >> dp_ctx >> returned from sss_dp_init() is NULL, and return EIO if it is. This in >> turn will cause the service to exit gracefully and allow the monitor >> to >> restart it. The time it takes to do so should be ample for the Data >> Provider to finish loading. > > ack > Pushed to master. - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkn2FfMACgkQeiVVYja6o6OSiACdH9jPuwMYoDV4AHhwv4QVkYSw al8AnRn1pufj6vWYip7FSX2gspPFyuXU =wGVw -----END PGP SIGNATURE----- From sgallagh at redhat.com Mon Apr 27 20:36:13 2009 
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 27 Apr 2009 16:36:13 -0400
Subject: [Freeipa-devel] [PATCH] stress test
In-Reply-To: <1240835303.31750.21.camel@zeppelin.englab.brq.redhat.com>
References: <1240593655.24700.41.camel@zeppelin.englab.brq.redhat.com> <49F59B34.4000303@redhat.com> <1240835303.31750.21.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <49F6173D.9080600@redhat.com>

Jakub Hrozek wrote:
>> Jakub, this does not apply cleanly against the current master. Please
>> rebase it.
>>
>
> Sorry, attached once again.
>
> Jakub
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Ack and pushed to master.

--
Stephen Gallagher

From ssorce at redhat.com Mon Apr 27 22:26:08 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 27 Apr 2009 18:26:08 -0400
Subject: [Freeipa-devel] [PATCH] Fix password cache
Message-ID: <1240871168.3591.95.camel@localhost.localdomain>

We were deleting the cached password by mistake.
Use a different attribute for cached passwords so that we don't get in trouble when using legacy backends.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Use-different-attribute-for-cached-passwords.patch
Type: text/x-patch
Size: 2312 bytes
Desc: not available
URL:

From davido at redhat.com Tue Apr 28 07:52:21 2009
From: davido at redhat.com (David O'Brien)
Date: Tue, 28 Apr 2009 17:52:21 +1000
Subject: [Freeipa-devel] [PATCH] trivial update to standardize terms in docstring
Message-ID: <49F6B5B5.9010302@redhat.com>

Super-trivial update to aci.py to make sure I get the process right and don't break anything.

--
David O'Brien
IPA Content Author
Red Hat Asia Pacific
+61 7 3514 8189

"The most valuable of all talents is that of never using two words when one will do."
Thomas Jefferson
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-trivial-update-to-standardize-terms-in-docstring.patch
Type: text/x-patch
Size: 691 bytes
Desc: not available
URL:

From sbose at redhat.com Tue Apr 28 09:21:17 2009
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 28 Apr 2009 11:21:17 +0200
Subject: [Freeipa-devel] [PATCH] Fix password cache
In-Reply-To: <1240871168.3591.95.camel@localhost.localdomain>
References: <1240871168.3591.95.camel@localhost.localdomain>
Message-ID: <49F6CA8D.1090300@redhat.com>

Simo Sorce wrote:
> We were deleting the cached password by mistake.
> Use a different attribute for cached passwords so that we don't get in
> trouble when using legacy backends.
>
> Simo.
>

ACK, works great. I think after this change the attached patch makes sense, too.

bye,
Sumit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Use-different-attribute-for-cached-passwords-change.patch
Type: text/x-patch
Size: 1440 bytes
Desc: not available
URL:

From sbose at redhat.com Tue Apr 28 09:24:34 2009
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 28 Apr 2009 11:24:34 +0200
Subject: [Freeipa-devel] [PATCH] change PAM timeout the match NSS time
Message-ID: <49F6CB52.9080904@redhat.com>

Hi,

this patch removes a hardcoded timeout and introduces the same scheme used by NSS. As a result the timeout is much higher which I found necessary during offline tests, because otherwise the bind_timeout has to be set to a very low value.

bye,
Sumit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-change-PAM-timeout-the-match-NSS-time.patch
Type: text/x-patch
Size: 1254 bytes
Desc: not available
URL:

From sbose at redhat.com Tue Apr 28 09:29:01 2009
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 28 Apr 2009 11:29:01 +0200
Subject: [Freeipa-devel] [PATCH] handle other pam calls when offline
Message-ID: <49F6CC5D.9040902@redhat.com>

Hi,

so far only pam_authenticate is handled in the offline case. This patch sends PAM_SUCCESS for the other pam calls except pam_chauthtok in the offline case. After introducing pam session cookies this can be handled much nicer and earlier.

bye,
Sumit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-handle-other-pam-calls-when-offline.patch
Type: text/x-patch
Size: 1163 bytes
Desc: not available
URL:

From sbose at redhat.com Tue Apr 28 11:39:26 2009
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 28 Apr 2009 13:39:26 +0200
Subject: [Freeipa-devel] [PATCH] enable offline handling for native LDAP backend
Message-ID: <49F6EAEE.9070302@redhat.com>

Hi,

this patch enables basic offline capabilities in the native LDAP backend.

bye,
Sumit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-enable-offline-handling-for-native-LDAP-backend.patch
Type: text/x-patch
Size: 4249 bytes
Desc: not available
URL:

From jhrozek at redhat.com Tue Apr 28 12:27:27 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 28 Apr 2009 14:27:27 +0200
Subject: [Freeipa-devel] [PATCH] Invoke shadow-utils from sss_tools for legacy domains
In-Reply-To: <1240836620.31750.30.camel@zeppelin.englab.brq.redhat.com>
References: <1240588187.24700.32.camel@zeppelin.englab.brq.redhat.com> <49F595D5.2050308@redhat.com> <1240836620.31750.30.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <1240921647.9816.10.camel@zeppelin.englab.brq.redhat.com>

On Mon, 2009-04-27 at 14:50 +0200, Jakub Hrozek wrote:
> Thank you, new patch attached.
>
> Jakub

Another patch attached, has changes w.r.t. handling of different parameters (has been discussed on IRC).

A thought related to supporting different domains with the sss_ tools - would a parameter "--domain" be useful, to allow creation of a user with system-selected UID in a specific domain?

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Invoke-shadow-utils-in-sss_-tools.patch
Type: text/x-patch
Size: 28329 bytes
Desc: not available
URL:

From jhrozek at redhat.com Tue Apr 28 12:43:25 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 28 Apr 2009 14:43:25 +0200
Subject: [Freeipa-devel] [PATCH] Add debug param to the tools, fix lock/unlock in sss_usermod
Message-ID: <1240922605.9816.14.camel@zeppelin.englab.brq.redhat.com>

There's quite a lot of debug info in sysdb user/group operations that may be useful for..well..debugging, but the tools have debug_level set to 0 by default. This patch adds a hidden(*) parameter --debug that allows the debug level to be set when invoking the tool.

Also fixes a bug in usermod's --lock/--unlock parameters that were declared as POPT_ARG_INT, they should have been POPT_ARG_NONE.

Jakub

(*) hidden because I recall some discussion in which it was considered bad manners to have this parameter for user tools
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Add-debug-param-to-the-tools-fix-lock-unlock-in-sss.patch
Type: text/x-patch
Size: 7438 bytes
Desc: not available
URL:

From sgallagh at redhat.com Tue Apr 28 12:46:58 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 28 Apr 2009 08:46:58 -0400
Subject: [Freeipa-devel] [PATCH] Add debug param to the tools, fix lock/unlock in sss_usermod
In-Reply-To: <1240922605.9816.14.camel@zeppelin.englab.brq.redhat.com>
References: <1240922605.9816.14.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <49F6FAC2.5000002@redhat.com>

Jakub Hrozek wrote:
> There's quite a lot of debug info in sysdb user/group operations that
> may be useful for..well..debugging, but the tools have debug_level set
> to 0 by default. This patch adds a hidden(*) parameter --debug that
> allows the debug level to be set when invoking the tool.
>
> Also fixes a bug in usermod's --lock/--unlock parameters that were
> declared as POPT_ARG_INT, they should have been POPT_ARG_NONE.
>
> Jakub
>
> (*) hidden because I recall some discussion in which it was considered
> bad manners to have this parameter for user tools
>

Ack.

--
Stephen Gallagher

From ssorce at redhat.com Tue Apr 28 17:07:55 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 28 Apr 2009 13:07:55 -0400
Subject: [Freeipa-devel] [PATCH] Fix password cache
In-Reply-To: <49F6CA8D.1090300@redhat.com>
References: <1240871168.3591.95.camel@localhost.localdomain> <49F6CA8D.1090300@redhat.com>
Message-ID: <1240938475.3591.98.camel@localhost.localdomain>

On Tue, 2009-04-28 at 11:21 +0200, Sumit Bose wrote:
> ACK, works great. I think after this change the attached patch makes
> sense, too.

acked and pushed both

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Apr 28 17:08:18 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 28 Apr 2009 13:08:18 -0400
Subject: [Freeipa-devel] [PATCH] change PAM timeout the match NSS time
In-Reply-To: <49F6CB52.9080904@redhat.com>
References: <49F6CB52.9080904@redhat.com>
Message-ID: <1240938498.3591.99.camel@localhost.localdomain>

On Tue, 2009-04-28 at 11:24 +0200, Sumit Bose wrote:
> Hi,
>
> this patch removes a hardcoded timeout and introduces the same scheme
> used by NSS. As a result the timeout is much higher which I found
> necessary during offline tests, because otherwise the bind_timeout has
> to be set to a very low value.

Ack and pushed

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Apr 28 17:08:33 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 28 Apr 2009 13:08:33 -0400
Subject: [Freeipa-devel] [PATCH] handle other pam calls when offline
In-Reply-To: <49F6CC5D.9040902@redhat.com>
References: <49F6CC5D.9040902@redhat.com>
Message-ID: <1240938513.3591.100.camel@localhost.localdomain>

On Tue, 2009-04-28 at 11:29 +0200, Sumit Bose wrote:
> Hi,
>
> so far only pam_authenticate is handled in the offline case. This patch
> sends PAM_SUCCESS for the other pam calls except pam_chauthtok in the
> offline case. After introducing pam session cookies this can be handled
> much nicer and earlier.

Ack and pushed

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Apr 28 17:08:51 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 28 Apr 2009 13:08:51 -0400
Subject: [Freeipa-devel] [PATCH] enable offline handling for native LDAP backend
In-Reply-To: <49F6EAEE.9070302@redhat.com>
References: <49F6EAEE.9070302@redhat.com>
Message-ID: <1240938531.3591.101.camel@localhost.localdomain>

On Tue, 2009-04-28 at 13:39 +0200, Sumit Bose wrote:
>
> this patch enables basic offline capabilities in the native LDAP
> backend.

Ack and pushed.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Apr 28 17:09:07 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 28 Apr 2009 13:09:07 -0400
Subject: [Freeipa-devel] [PATCH] Invoke shadow-utils from sss_tools for legacy domains
In-Reply-To: <1240921647.9816.10.camel@zeppelin.englab.brq.redhat.com>
References: <1240588187.24700.32.camel@zeppelin.englab.brq.redhat.com> <49F595D5.2050308@redhat.com> <1240836620.31750.30.camel@zeppelin.englab.brq.redhat.com> <1240921647.9816.10.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <1240938547.3591.102.camel@localhost.localdomain>

On Tue, 2009-04-28 at 14:27 +0200, Jakub Hrozek wrote:
> Another patch attached, has changes w.r.t. handling of different
> parameters (has been discussed on IRC).
>
> A thought related to supporting different domains with the sss_ tools -
> would a parameter "--domain" be useful, to allow creation of a user with
> system-selected UID in a specific domain?

Ack and pushed.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Apr 28 17:09:34 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 28 Apr 2009 13:09:34 -0400
Subject: [Freeipa-devel] [PATCH] Add debug param to the tools, fix lock/unlock in sss_usermod
In-Reply-To: <49F6FAC2.5000002@redhat.com>
References: <1240922605.9816.14.camel@zeppelin.englab.brq.redhat.com> <49F6FAC2.5000002@redhat.com>
Message-ID: <1240938574.3591.103.camel@localhost.localdomain>

On Tue, 2009-04-28 at 08:46 -0400, Stephen Gallagher wrote:
>
> Jakub Hrozek wrote:
>> There's quite a lot of debug info in sysdb user/group operations that
>> may be useful for..well..debugging, but the tools have debug_level set
>> to 0 by default. This patch adds a hidden(*) parameter --debug that
>> allows the debug level to be set when invoking the tool.
>>
>> Also fixes a bug in usermod's --lock/--unlock parameters that were
>> declared as POPT_ARG_INT, they should have been POPT_ARG_NONE.
>>
>> Jakub
>>
>> (*) hidden because I recall some discussion in which it was considered
>> bad manners to have this parameter for user tools
>
> Ack.

pushed.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Tue Apr 28 17:31:52 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 28 Apr 2009 13:31:52 -0400
Subject: [Freeipa-devel] [PATCH] trivial update to standardize terms in docstring
In-Reply-To: <49F6B5B5.9010302@redhat.com>
References: <49F6B5B5.9010302@redhat.com>
Message-ID: <49F73D88.1090404@redhat.com>

David O'Brien wrote:
> Super-trivial update to aci.py to make sure I get the process right and
> don't break anything.

ack and pushed to master.

rob

From rcritten at redhat.com Tue Apr 28 21:06:40 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 28 Apr 2009 17:06:40 -0400
Subject: [Freeipa-devel] [PATCH] fix replication installation
Message-ID: <49F76FE0.2060605@redhat.com>

This patch fixes replication creation and installation. This is only for the certutil-based self-signed CA. It will not work with dogtag.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-194-replication.patch
Type: application/mbox
Size: 8441 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Apr 28 21:21:56 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 28 Apr 2009 17:21:56 -0400
Subject: [Freeipa-devel] [PATCH] 180 Don't hardcode requestId
Message-ID: <49F77374.6040506@redhat.com>

During dogtag installation we request and issue the RA user certificate. Don't hardcode the requestId as it is available in the output when we issue the request to the CA.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-180-requestid.patch
Type: application/mbox
Size: 5718 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Apr 28 21:22:33 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 28 Apr 2009 17:22:33 -0400
Subject: [Freeipa-devel] [PATCH] 186 Use XML routines in ra plugin
In-Reply-To: <49F5C404.3090009@redhat.com>
References: <49EF70A1.4030101@redhat.com> <49F08BB1.2020304@redhat.com> <49F21965.6030509@redhat.com> <49F5C404.3090009@redhat.com>
Message-ID: <49F77399.9090209@redhat.com>

Pavel Zuna wrote:
> Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> Rob Crittenden wrote:
>>>> Some of the data coming back from dogtag is a horrific javascript
>>>> jumble, some of it is valid XML. In the case of XML let's use xml
>>>> parsing functions instead.
>>>>
>>>> Also strip any CR/LF off stored passwords. Leaving them in will
>>>> cause NSS certdb authentication issues.
>>>>
>>>> rob
>>> I don't know much about dogtag, but after playing a bit with
>>> xml.dom.minidom, I think some of the checks in this patch need to be
>>> changed.
>>>
>>> doc = xml.dom.minidom.parseString(stdout)
>>>
>>> item_node = doc.getElementsByTagName('Status')
>>> # if there's no Status tag, item_node is empty, item_node[0] raises
>>> # IndexError
>>> # if the value is empty ('') item_node[0].childNodes is empty,
>>> # item_node[0].childNodes[0] raises IndexError
>>> status = item_node[0].childNodes[0].data
>>> # I think that status will never be None at this point
>>> if status is not None:
>>>     #...
>>>
>>> Something like this would probably make more sense:
>>>
>>> item_node = doc.getElementsByTagName('Status')
>>> try:
>>>     status = item_node[0].childNodes[0].data
>>> except (IndexError, AttributeError):
>>>     pass
>>> else:
>>>     response['status'] = status
>>>
>>> Other than that, it looks fine.
>>>
>>> As I said I know almost nothing about dogtag, so maybe I'm wrong. I'm
>>> just commenting on what I can read from the code alone.
>>>
>>> Pavel
>>
>> Bah, thanks for catching that. I've attached a revised patch.
>>
>> rob
>
> ack.
>
> Pavel

pushed to master

From jderose at redhat.com Tue Apr 28 22:04:54 2009
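The review above turns on two failure modes of the minidom lookup (the element is absent, or it is present but empty) plus the CR/LF stripping Rob mentions for stored values. The block below is an added example written for this archive, not the ra plugin's code from the patch: it generalizes Pavel's try/except pattern to a small response parser over constructed sample documents (the element names and sample strings are assumptions, not real dogtag output).

```python
import xml.dom.minidom
from xml.parsers.expat import ExpatError

# Constructed sample responses for the demo; they are NOT real dogtag output.
SAMPLE_COMPLETE = (
    '<?xml version="1.0"?><XMLResponse>'
    '<Status>0</Status><RequestId>  42\r\n</RequestId>'
    '</XMLResponse>'
)
SAMPLE_EMPTY_STATUS = '<XMLResponse><Status></Status></XMLResponse>'
SAMPLE_NO_STATUS = '<XMLResponse><Error>request rejected</Error></XMLResponse>'
SAMPLE_NOT_XML = 'var status = 0; // javascript jumble, not XML'


def element_text(doc, tag):
    """Text of the first <tag> element with CR/LF and surrounding whitespace
    removed; None when the element is absent or carries no text.

    nodes[0] raises IndexError when the tag is missing, childNodes[0] raises
    IndexError when the element is empty, and .data raises AttributeError
    when the first child is not a text node.
    """
    nodes = doc.getElementsByTagName(tag)
    try:
        value = nodes[0].childNodes[0].data
    except (IndexError, AttributeError):
        return None
    value = value.strip()          # a trailing CR/LF would otherwise be stored
    return value if value else None


def parse_response(text, fields=("Status", "RequestId", "Error")):
    """Return a dict of only those fields that are present and non-empty.

    Non-XML input is reported explicitly instead of raising, so a caller
    can fall back to other handling for the non-XML responses.
    """
    try:
        doc = xml.dom.minidom.parseString(text)
    except ExpatError:
        return {"parse_error": True}
    response = {}
    for tag in fields:
        value = element_text(doc, tag)
        if value is not None:
            response[tag.lower()] = value
    return response


if __name__ == "__main__":
    for sample in (SAMPLE_COMPLETE, SAMPLE_EMPTY_STATUS,
                   SAMPLE_NO_STATUS, SAMPLE_NOT_XML):
        print(parse_response(sample))
```

Returning None for both the missing and the empty element keeps the caller's check to a single `is not None`, which is the case Pavel points out never triggers in the original version.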
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Tue, 28 Apr 2009 16:04:54 -0600
Subject: [Freeipa-devel] [PATCH] jderose 002 - Fix #498088
Message-ID: <1240956294.7293.15.camel@jgd-dsk>

This patch fixes #498088:

https://bugzilla.redhat.com/show_bug.cgi?id=498088

Under Python2.4 SystemExit subclasses from Exception (rather than from BaseException like in Python2.5), so cli.run() was catching a SystemExit raised by optparse.

This patch changes cli.run() so it catches all StandardError instead of all Exception. I've been pretty good about doing this correctly, but I guess I missed this one.

To reiterate the correct use: all custom exceptions should subclass from StandardError instead of Exception, and if doing a catch-all try/except, you should almost always do an `except StandardError` instead of `except Exception`.

See the exception class hierarchy at the bottom of each of these pages:

http://www.python.org/doc/2.4.4/lib/module-exceptions.html

http://www.python.org/doc/2.5.4/lib/module-exceptions.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jderose-002-fix-cli.run-under-python24.patch
Type: text/x-patch
Size: 750 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Apr 29 02:29:25 2009
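The defect Jason describes, a catch-all handler that also swallows the SystemExit raised by the option parser, is easy to reproduce. The block below is an added example for this archive, not the cli.run() code from the patch. StandardError no longer exists on Python 3, so it uses `except BaseException` to make the Python 2.4 behaviour of `except Exception` visible, and a hypothetical CLIError base class where the patch uses StandardError; the command names and messages are constructed for the demo.

```python
import argparse


class CLIError(Exception):
    """Base class for the tool's own errors (hypothetical name for the demo).

    Where the patch says StandardError, this is the Python 3 equivalent:
    narrow enough that SystemExit and KeyboardInterrupt are not below it.
    """


class CommandFailed(CLIError):
    pass


def build_parser():
    parser = argparse.ArgumentParser(prog="demo-cli")
    parser.add_argument("command", choices=["ok", "fail"])
    return parser


def execute(args):
    """Body of the command; raises the tool's own error type on failure."""
    if args.command == "fail":
        raise CommandFailed("backend refused the request")
    return 0


def run_swallowing(argv):
    """Reproduces the defect: the catch-all also catches SystemExit.

    Under Python 2.4 `except Exception` behaved like this because SystemExit
    subclassed Exception; `except BaseException` makes the same mistake
    observable on a modern interpreter. `--help` is printed and then the
    process carries on instead of exiting.
    """
    try:
        return execute(build_parser().parse_args(argv))
    except BaseException as exc:
        return "swallowed %s" % type(exc).__name__


def run_correct(argv):
    """Catches only the tool's own hierarchy, so SystemExit from argparse
    (--help, bad arguments) propagates and the process really exits."""
    try:
        return execute(build_parser().parse_args(argv))
    except CLIError as exc:
        return "error: %s" % exc


def exits_process(runner, argv):
    """True when running `runner` on argv lets SystemExit reach the caller."""
    try:
        runner(argv)
    except SystemExit:
        return True
    return False


if __name__ == "__main__":
    print(run_swallowing(["--help"]))            # help text, then 'swallowed SystemExit'
    print(exits_process(run_correct, ["--help"]))  # True
    print(run_correct(["fail"]))                 # error: backend refused the request
```

The same narrowing also keeps KeyboardInterrupt working, which is the other BaseException subclass a catch-all in a long-running command would otherwise hide.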
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 28 Apr 2009 22:29:25 -0400
Subject: [Freeipa-devel] [PATCH] jderose 002 - Fix #498088
In-Reply-To: <1240956294.7293.15.camel@jgd-dsk>
References: <1240956294.7293.15.camel@jgd-dsk>
Message-ID: <49F7BB85.6030304@redhat.com>

Jason Gerard DeRose wrote:
> This patch fixes #498088:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=498088
>
> Under Python2.4 SystemExit subclasses from Exception (rather than from
> BaseException like in Python2.5), so cli.run() was catching a SystemExit
> raised by optparse.
>
> This patch changes cli.run() so it catches all StandardError instead of
> all Exception. I've been pretty good about doing this correctly, but I
> guess I missed this one.
>
> To reiterate the correct use: all custom exceptions should subclass from
> StandardError instead of Exception, and if doing a catch-all try/except,
> you should almost always do an `except StandardError` instead of `except
> Exception`.
>
> See the exception class hierarchy at the bottom of each of these pages:
>
> http://www.python.org/doc/2.4.4/lib/module-exceptions.html
>
> http://www.python.org/doc/2.5.4/lib/module-exceptions.html

Ack and pushed to master

rob

From ssorce at redhat.com Wed Apr 29 14:09:07 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 29 Apr 2009 10:09:07 -0400
Subject: [Freeipa-devel] [PATCH] Fix for ticket #30
Message-ID: <1241014147.3591.167.camel@localhost.localdomain>

These are real errors, we were returning random errors back in case of failure. Luckily these code paths normally should not be exercised as they deal with pathological errors.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-use-of-uninitialized-return-variable.patch
Type: text/x-patch
Size: 2267 bytes
Desc: not available
URL:

From sgallagh at redhat.com Wed Apr 29 14:18:35 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 29 Apr 2009 10:18:35 -0400
Subject: [Freeipa-devel] [PATCH] Fix for ticket #30
In-Reply-To: <1241014147.3591.167.camel@localhost.localdomain>
References: <1241014147.3591.167.camel@localhost.localdomain>
Message-ID: <49F861BB.7010001@redhat.com>

Simo Sorce wrote:
> These are real errors, we were returning random errors back in case of
> failure. Luckily these code paths normally should not be exercised as
> they deal with pathological errors.
>
> Simo.
>

Ack.

--
Stephen Gallagher

From ssorce at redhat.com Wed Apr 29 14:24:29 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 29 Apr 2009 10:24:29 -0400
Subject: [Freeipa-devel] [PATCH] Fix for ticket #30
In-Reply-To: <49F861BB.7010001@redhat.com>
References: <1241014147.3591.167.camel@localhost.localdomain> <49F861BB.7010001@redhat.com>
Message-ID: <1241015069.3591.170.camel@localhost.localdomain>

On Wed, 2009-04-29 at 10:18 -0400, Stephen Gallagher wrote:
> Simo Sorce wrote:
>> These are real errors, we were returning random errors back in case of
>> failure. Luckily these code paths normally should not be exercised as
>> they deal with pathological errors.
>
> Ack.

pushed.

--
Simo Sorce * Red Hat, Inc * New York

From stephen at gallagherhome.com Wed Apr 29 15:21:44 2009
From: stephen at gallagherhome.com (Stephen Gallagher)
Date: Wed, 29 Apr 2009 11:21:44 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Fix startup configuration corruption
Message-ID: <49F87088.7070905@gallagherhome.com>

This should resolve https://fedorahosted.org/sssd/ticket/29
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Fix-configuration-corruption-issue.patch
URL:

From rcritten at redhat.com Wed Apr 29 17:52:26 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 29 Apr 2009 13:52:26 -0400
Subject: [Freeipa-devel] [PATCH] correct e-mail attribute
Message-ID: <49F893DA.4020206@redhat.com>

We had the e-mail attribute wrong in the user plugin.

Pushed to master under 1-liner rule.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-195-email.patch
Type: text/x-patch
Size: 786 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Apr 29 18:36:27 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 29 Apr 2009 14:36:27 -0400
Subject: [Freeipa-devel] [PATCH] 196 add missing attribute
Message-ID: <49F89E2B.6000608@redhat.com>

I somehow missed one of the most important attributes for netgroup: the NIS domain. Add this in as a required attribute.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-196-netgroup.patch
Type: text/x-patch
Size: 1073 bytes
Desc: not available
URL:

From sbose at redhat.com Wed Apr 29 19:13:26 2009
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 29 Apr 2009 21:13:26 +0200
Subject: [Freeipa-devel] [PATCH] reuse authtok which is already in the pam stack
Message-ID: <49F8A6D6.1020302@redhat.com>

Hi,

this is a quick and dirty patch for the use_first_pass issue, please test.

bye,
Sumit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-reuse-authtok-which-is-already-in-the-pam-stack.patch
Type: text/x-patch
Size: 1418 bytes
Desc: not available
URL:

From sbose at redhat.com Wed Apr 29 19:44:46 2009
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 29 Apr 2009 21:44:46 +0200
Subject: [Freeipa-devel] [PATCH] reuse authtok which is already in the pam stack
In-Reply-To: <49F8A6D6.1020302@redhat.com>
References: <49F8A6D6.1020302@redhat.com>
Message-ID: <49F8AE2E.1090808@redhat.com>

Sumit Bose wrote:
> Hi,
>
> this is a quick and dirty patch for the use_first_pass issue, please test.
>
> bye,
> Sumit
>

Hi,

this new version adds the 'use_first_pass' option.

bye,
Sumit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-reuse-authtok-which-is-already-in-the-pam-stack.patch
Type: text/x-patch
Size: 2954 bytes
Desc: not available
URL:

From sbose at redhat.com Wed Apr 29 21:23:58 2009
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 29 Apr 2009 23:23:58 +0200
Subject: [Freeipa-devel] [PATCH] reuse authtok which is already in the pam stack
In-Reply-To: <49F8AE2E.1090808@redhat.com>
References: <49F8A6D6.1020302@redhat.com> <49F8AE2E.1090808@redhat.com>
Message-ID: <49F8C56E.8020602@redhat.com>

Sumit Bose wrote:
> Sumit Bose wrote:
>> Hi,
>>
>> this is a quick and dirty patch for the use_first_pass issue, please test.
>>
>> bye,
>> Sumit
>>
> Hi,
>
> this new version adds the 'use_first_pass' option.
>

this new version fixes a problem when compiling with -DDEBUG

bye,
Sumit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-reuse-authtok-which-is-already-in-the-pam-stack.patch
Type: text/x-patch
Size: 3053 bytes
Desc: not available
URL:

From ssorce at redhat.com Wed Apr 29 22:09:16 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 29 Apr 2009 18:09:16 -0400
Subject: [Freeipa-devel] [PATCH] reuse authtok which is already in the pam stack
In-Reply-To: <49F8C56E.8020602@redhat.com>
References: <49F8A6D6.1020302@redhat.com> <49F8AE2E.1090808@redhat.com> <49F8C56E.8020602@redhat.com>
Message-ID: <1241042956.29148.5.camel@localhost.localdomain>

On Wed, 2009-04-29 at 23:23 +0200, Sumit Bose wrote:
> Sumit Bose wrote:
>> Sumit Bose wrote:
>>> Hi,
>>>
>>> this is a quick and dirty patch for the use_first_pass issue, please test.
>>>
>>> bye,
>>> Sumit
>>>
>> Hi,
>>
>> this new version adds the 'use_first_pass' option.
>>
> this new version fixes a problem when compiling with -DDEBUG

ack and pushed.

I also pushed a patch that fixes indentation, it doesn't change any code so I didn't put it on for review.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Apr 29 22:15:18 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 29 Apr 2009 18:15:18 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Fix startup configuration corruption
In-Reply-To: <49F87088.7070905@gallagherhome.com>
References: <49F87088.7070905@gallagherhome.com>
Message-ID: <1241043318.29148.6.camel@localhost.localdomain>

On Wed, 2009-04-29 at 11:21 -0400, Stephen Gallagher wrote:
>
>
> This should resolve https://fedorahosted.org/sssd/ticket/29

Ack and pushed but I had to fix tabs in it before pushing.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jderose at redhat.com Wed Apr 29 23:57:32 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Wed, 29 Apr 2009 17:57:32 -0600
Subject: [Freeipa-devel] [PATCH] 196 add missing attribute
In-Reply-To: <49F89E2B.6000608@redhat.com>
References: <49F89E2B.6000608@redhat.com>
Message-ID: <1241049452.7910.1.camel@jgd-dsk>

On Wed, 2009-04-29 at 14:36 -0400, Rob Crittenden wrote:
> I somehow missed one of the most important attributes for netgroup: the
> NIS domain. Add this in as a required attribute.
>
> rob

ack.

From rcritten at redhat.com Thu Apr 30 02:26:33 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 29 Apr 2009 22:26:33 -0400
Subject: [Freeipa-devel] [PATCH] 197 add posixGroup to objectclass if gidnumber is set
Message-ID: <49F90C59.3070208@redhat.com>

We added posixGroup to the objectclass list if --posix was passed in but not if one wanted to set an explicit gidnumber. This caused an objectclass violation. Add this objectclass if --gid is passed in.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-197-group.patch
Type: application/mbox
Size: 2285 bytes
Desc: not available
URL:

From sbose at redhat.com Thu Apr 30 09:23:08 2009
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 30 Apr 2009 11:23:08 +0200
Subject: [Freeipa-devel] [PATCH] reuse authtok which is already in the pam stack
In-Reply-To: <1241042956.29148.5.camel@localhost.localdomain>
References: <49F8A6D6.1020302@redhat.com> <49F8AE2E.1090808@redhat.com> <49F8C56E.8020602@redhat.com> <1241042956.29148.5.camel@localhost.localdomain>
Message-ID: <49F96DFC.5020403@redhat.com>

Simo Sorce wrote:
> On Wed, 2009-04-29 at 23:23 +0200, Sumit Bose wrote:
>> Sumit Bose wrote:
>>> Sumit Bose wrote:
>>>> Hi,
>>>>
>>>> this is a quick and dirty patch for the use_first_pass issue, please test.
>>>>
>>>> bye,
>>>> Sumit
>>>>
>>> Hi,
>>>
>>> this new version adds the 'use_first_pass' option.
>>>
>> this new version fixes a problem when compiling with -DDEBUG
>
> ack and pushed.
>
> I also pushed a patch that fixes indentation, it doesn't change any code
> so I didn't put it on for review.
>

sorry, I just found out that pam_sss didn't play nice with pam_cracklib.so, because pam_cracklib.so only provides a new password and not the old one.

If you want to change the password for a user from the LOCAL domain a workaround is either to disable pam_cracklib.so in system-auth, or to ignore the first three requests to enter a new password and then enter old and new password.

bye,
Sumit

From ssorce at redhat.com Thu Apr 30 12:52:50 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 30 Apr 2009 08:52:50 -0400
Subject: [Freeipa-devel] [PATCH] reuse authtok which is already in the pam stack
In-Reply-To: <49F96DFC.5020403@redhat.com>
References: <49F8A6D6.1020302@redhat.com> <49F8AE2E.1090808@redhat.com> <49F8C56E.8020602@redhat.com> <1241042956.29148.5.camel@localhost.localdomain> <49F96DFC.5020403@redhat.com>
Message-ID: <1241095970.29148.24.camel@localhost.localdomain>

On Thu, 2009-04-30 at 11:23 +0200, Sumit Bose wrote:
> Simo Sorce wrote:
>> On Wed, 2009-04-29 at 23:23 +0200, Sumit Bose wrote:
>>> Sumit Bose wrote:
>>>> Sumit Bose wrote:
>>>>> Hi,
>>>>>
>>>>> this is a quick and dirty patch for the use_first_pass issue, please test.
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>>
>>>> Hi,
>>>>
>>>> this new version adds the 'use_first_pass' option.
>>>>
>>> this new version fixes a problem when compiling with -DDEBUG
>>
>> ack and pushed.
>>
>> I also pushed a patch that fixes indentation, it doesn't change any code
>> so I didn't put it on for review.
>>
> sorry, I just found out that pam_sss didn't play nice with
> pam_cracklib.so, because pam_cracklib.so only provides a new password
> and not the old one.
>
> If you want to change the password for a user from the LOCAL domain a
> workaround is either to disable pam_cracklib.so in system-auth, or to
> ignore the first three requests to enter a new password and then enter
> old and new password.

Ok, not a big deal really, let's just remove cracklib for now.

I think we should integrate cracklib functionality within pam_sss anyway and use the machine policy to determine its parameters.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From pzuna at redhat.com Thu Apr 30 14:05:24 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 30 Apr 2009 16:05:24 +0200
Subject: [Freeipa-devel] [PATCH] Add method to generate DN from attribute directly, without making RDN first.
Message-ID: <49F9B024.7010000@redhat.com>

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-method-to-generate-DN-from-attribute-directly-w.patch
Type: application/mbox
Size: 1133 bytes
Desc: not available
URL:

From pzuna at redhat.com Thu Apr 30 14:06:58 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 30 Apr 2009 16:06:58 +0200
Subject: [Freeipa-devel] [PATCH] User right attribute name for e-mail in user2 plugin.
Message-ID: <49F9B082.4050608@redhat.com>

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Use-right-attribute-name-for-e-mail-in-user2-plugin.patch
Type: application/mbox
Size: 835 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Apr 30 14:05:55 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 30 Apr 2009 10:05:55 -0400
Subject: [Freeipa-devel] [PATCH] Add method to generate DN from attribute directly, without making RDN first.
In-Reply-To: <49F9B024.7010000@redhat.com>
References: <49F9B024.7010000@redhat.com>
Message-ID: <49F9B043.7060603@redhat.com>

Pavel Zuna wrote:
> Pavel
>

Ack. There is a typo in the docstring that I'll fix when I push it.

rob

From pzuna at redhat.com Thu Apr 30 14:11:15 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 30 Apr 2009 16:11:15 +0200
Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend.
Message-ID: <49F9B183.5090902@redhat.com>

By the way, there's a little bug I discovered while testing this plugin. It affects the old group plugin as well. When trying to modify a group into a posixGroup, gidNumber doesn't get generated automatically resulting in an object violation LDAP error. Solution is to generate it ourselves, but I didn't know how it works, so I commented that part out for now. (/FIXME in vim)

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-group-plugin-port-to-new-LDAP-backend.patch
Type: application/mbox
Size: 23196 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Apr 30 14:09:18 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 30 Apr 2009 10:09:18 -0400
Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend.
In-Reply-To: <49F9B183.5090902@redhat.com>
References: <49F9B183.5090902@redhat.com>
Message-ID: <49F9B10E.4060209@redhat.com>

Pavel Zuna wrote:
> By the way, there's a little bug I discovered while testing this plugin.
> It affects the old group plugin as well. When trying to modify a group
> into a posixGroup, gidNumber doesn't get generated automatically
> resulting in an object violation LDAP error. Solution is to generate it
> ourselves, but I didn't know how it works, so I commented that part out
> for now. (/FIXME in vim)
>

This should be fixed in FDS 1.2. Can you update and give it a try?

rob

From pzuna at redhat.com Thu Apr 30 14:42:48 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Thu, 30 Apr 2009 16:42:48 +0200
Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend.
In-Reply-To: <49F9B10E.4060209@redhat.com>
References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com>
Message-ID: <49F9B8E8.1010403@redhat.com>

Rob Crittenden wrote:
> Pavel Zuna wrote:
>> By the way, there's a little bug I discovered while testing this
>> plugin. It affects the old group plugin as well. When trying to modify
>> a group into a posixGroup, gidNumber doesn't get generated
>> automatically resulting in an object violation LDAP error. Solution is
>> to generate it ourselves, but I didn't know how it works, so I
>> commented that part out for now. (/FIXME in vim)
>>
>
> This should be fixed in FDS 1.2. Can you update and give it a try?
>
> rob

Sure, just updated and you're right, it works. :)
Updated patch attached.

Pavel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-group-plugin-port-to-new-LDAP-backend.patch
Type: application/mbox
Size: 23029 bytes
Desc: not available
URL:

From jhrozek at redhat.com Thu Apr 30 15:49:52 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 30 Apr 2009 17:49:52 +0200
Subject: [Freeipa-devel] [PATCHES] start/stop related fixes
Message-ID: <1241106592.29393.40.camel@zeppelin.englab.brq.redhat.com>

Hi,
attached are four small fixes (separately b/c they fix different issues) that deal with start and stop sequence of sssd.

The first one reads the config file before calling server_setup() which daemonizes, so errors in config file are caught before becoming a daemon. Would it make sense to do as many configuration steps (from monitor_process_init() - like actually initializing confdb etc.) as possible before the daemonization?

Fix initscript return codes is pretty straightforward - just return correct values in initscript functions. These two patches should address ticket #28.

The third one redirects stderr when starting sssd to a temporary logfile and only prints it when something fails during the startup. This should address ticket #27.

The last one removes the pid file on quitting sssd, right now the pid file is left in /var/run after sssd finished which doesn't seem right. Related to this - should sssd be a single-instance daemon? If so, there's another bug in pidfile() - a second instance of sssd that's run overwrites the pid file.

Jakub

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Read-the-config-before-startup.patch
Type: text/x-patch
Size: 2015 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Fix-initscript-return-codes.patch
Type: text/x-patch
Size: 1136 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-redirect-stderr-to-logfile-in-initscript.patch
Type: text/x-patch
Size: 906 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Remove-pidfile-on-SIGTERM-and-SIGINT.patch
Type: text/x-patch
Size: 1962 bytes
Desc: not available
URL:

From sgallagh at redhat.com Thu Apr 30 16:02:50 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 30 Apr 2009 12:02:50 -0400
Subject: [Freeipa-devel] [PATCHES] start/stop related fixes
In-Reply-To: <1241106592.29393.40.camel@zeppelin.englab.brq.redhat.com>
References: <1241106592.29393.40.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <49F9CBAA.3020401@redhat.com>

Jakub Hrozek wrote:
> Hi,
> attached are four small fixes (separately b/c they fix different issues)
> that deal with start and stop sequence of sssd.
>
> The first one reads the config file before calling server_setup() which
> daemonizes, so errors in config file are caught before becoming a
> daemon. Would it make sense to do as many configuration steps (from
> monitor_process_init() - like actually initializing confdb etc.) as
> possible before the daemonization?

Due to a bug in D-BUS, we cannot set up any portion of the SBUS functionality until after the daemonization, or it will be torn down when we fork and kill the original.

>
> Fix initscript return codes is pretty straightforward - just return
> correct values in initscript functions. These two patches should address
> ticket #28.
>
> The third one redirects stderr when starting sssd to a temporary logfile
> and only prints it when something fails during the startup. This should
> address ticket #27.

Why are you doing rm -f $LOGFILE at the end of start()? Won't you erase any startup error messages?

> The last one removes the pid file on quitting sssd, right now the pid
> file is left in /var/run after sssd finished which doesn't seem right.
> Related to this - should sssd be a single-instance daemon? If so,
> there's another bug in pidfile() - a second instance of sssd that's run
> overwrites the pid file.
>

Yes, SSSD MUST be single-instance. Please fix that and roll it into this patch.
> Jakub
>

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From mpcolino at gmail.com Thu Apr 30 16:07:42 2009
From: mpcolino at gmail.com (Miguel P.C.)
Date: Thu, 30 Apr 2009 18:07:42 +0200
Subject: [Freeipa-devel] Re: Need Advice on "DEB" packaging.
In-Reply-To: <49EC6A7E.6030009@redhat.com>
References: <1240053527.5138.1.camel@crow> <49EC6A7E.6030009@redhat.com>
Message-ID:

Hi Stephen, hello everyone!

As you probably know I'm trying to package sssd for ubuntu. I've been reading further and getting some experience in packaging. I suggested I needed a ./configure and a Makefile to build everything from root. It took me quite long to discover it was not necessary. I read this from Stephen:

> Miguel, these patches are appreciated, but ultimately they will be
> unnecessary. Please see https://fedorahosted.org/sssd/ticket/16
>
> We will be converting the complete build system to full autotools,
> within a month, rather than our current home-grown Makefile system.

I'm now working on version 0.3.3

I've built some of the files needed but I've found a couple of problems you may consider suggesting me how to go ahead.

First: "./configure" for server does not find tevent properly:

[migpc at crow:~/Code/sssd/sssd-0.3.3/server]$ ./configure --without-tests \
> --without-policykit \
> --without-infopipe
[snip]
checking tevent.h usability... no
checking tevent.h presence... no
checking for tevent.h... no
checking for TEVENT... configure: error: Package requirements (tevent) were not met:
No package 'tevent' found
[snip]

I attach the full output. There are more included files in /usr/include/samba-4.0/ When I create a couple of symlinks it works. Just doing that:

[root at crow:~]# ln -s /usr/include/samba-4.0/tevent* /usr/include/

Any suggestion on how to handle "pkg-config" to find the right files.

BTW, Do libs have to be from samba4?
Second: With tevent libs "linked" the way I said before, I try to build everything but, when building server, I find this:

[snip]
In file included from providers/data_provider.h:30,
                 from providers/dp_auth_util.c:22:
/usr/include/samba-4.0/ldb.h:789: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'ldb_request_is_done'
/usr/include/samba-4.0/ldb.h:849: error: expected declaration specifiers or '...' before '*' token
/usr/include/samba-4.0/ldb.h:849: error: 'bool' declared as function returning a function
[snip]

... and many "function returning a function" errors. Any suggestion on what I'm doing wrong? I also attach the full output.

Thanks in advance.

M*

P.S.: If you can suggest me on how to report better the problems I find, I'll be really happy.

-------------- next part --------------
[migpc at crow:~/Code/sssd/sssd-0.3.3]$ cd server/
[migpc at crow:~/Code/sssd/sssd-0.3.3/server]$ ./autogen.sh
Now run ./configure and then make.
[migpc at crow:~/Code/sssd/sssd-0.3.3/server]$ ./configure --without-tests \
> --without-policykit \
> --without-infopipe \
>
configure: error: Package requirements (tevent) were not met:

No package 'tevent' found

Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.

Alternatively, you may set the environment variables TEVENT_CFLAGS
and TEVENT_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-sssd-0.3.3-debian_files_mig.tar.gz
Type: application/x-gzip
Size: 15150 bytes
Desc: not available
URL:
-------------- next part --------------
# server
cd server;\
/usr/bin/make
make[1]: Entering directory `/home/migpc/Code/sssd/sssd-0.3.3/server'
server will be compiled with flags:
CFLAGS = -I./include -Iinclude -I. -I./.. -I/usr/include/samba-4.0 -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -I ../common/collection -I../common/trace -I ../common/ini -DLIBDIR=\"/home/migpc/Code/sssd/sssd-0.3.3/server/debian/tmp/lib\" -DVARDIR=\"/home/migpc/Code/sssd/sssd-0.3.3/server/debian/tmp/var\" -DSHLIBEXT=\"so\" -DSSSD_LIBEXEC_PATH=\"/home/migpc/Code/sssd/sssd-0.3.3/server/debian/tmp/libexec/sssd\" -DSSSD_INTROSPECT_PATH=\"/home/migpc/Code/sssd/sssd-0.3.3/server/debian/tmp/share/sssd/introspect\" -DSSSD_CONF_DIR=\"/home/migpc/Code/sssd/sssd-0.3.3/server/debian/tmp/etc/sssd\" -DUSE_MMAP=1 -g -O2
LIBS = -ltalloc -ltdb -lpopt -lldb -ltalloc -L//lib -ldbus-1 -lpcre -L ../common/ini/.libs/ -lini_config -L ../common/collection/.libs/ -lcollection
Compiling monitor/monitor.c
Compiling util/debug.c
util/debug.c: In function 'debug_fn':
util/debug.c:19: warning: format not a string literal and no format arguments
util/debug.c:15: warning: ignoring return value of 'vasprintf', declared with attribute warn_unused_result
Compiling util/signal.c
Compiling util/server.c
util/server.c: In function 'pidfile':
util/server.c:98: warning: ignoring return value of 'asprintf', declared with attribute warn_unused_result
Compiling util/memory.c
Compiling util/btreemap.c
Compiling util/usertools.c
Compiling monitor/monitor_sbus.c
Compiling providers/dp_sbus.c
Compiling providers/dp_auth_util.c
In file included from providers/data_provider.h:30,
                 from providers/dp_auth_util.c:22:
/usr/include/samba-4.0/ldb.h:789: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'ldb_request_is_done'
/usr/include/samba-4.0/ldb.h:849: error: expected declaration specifiers or '...' before '*' token
/usr/include/samba-4.0/ldb.h:849: error: 'bool' declared as function returning a function
/usr/include/samba-4.0/ldb.h:850: error: expected declaration specifiers or '...' before 'ldb_async_callback_fn'
/usr/include/samba-4.0/ldb.h:1471: error: 'ldb_dn_has_extended' declared as function returning a function
/usr/include/samba-4.0/ldb.h:1514: error: 'ldb_dn_validate' declared as function returning a function
/usr/include/samba-4.0/ldb.h:1523: error: 'ldb_dn_add_base' declared as function returning a function
/usr/include/samba-4.0/ldb.h:1524: error: 'ldb_dn_add_base_fmt' declared as function returning a function
/usr/include/samba-4.0/ldb.h:1525: error: 'ldb_dn_add_child' declared as function returning a function
/usr/include/samba-4.0/ldb.h:1526: error: 'ldb_dn_add_child_fmt' declared as function returning a function
/usr/include/samba-4.0/ldb.h:1527: error: 'ldb_dn_remove_base_components' declared as function returning a function
/usr/include/samba-4.0/ldb.h:1528: error: 'ldb_dn_remove_child_components' declared as function returning a function
/usr/include/samba-4.0/ldb.h:1541: error: 'ldb_dn_is_valid' declared as function returning a function
/usr/include/samba-4.0/ldb.h:1542: error: 'ldb_dn_is_special' declared as function returning a function
/usr/include/samba-4.0/ldb.h:1543: error: 'ldb_dn_check_special' declared as function returning a function
/usr/include/samba-4.0/ldb.h:1544: error: 'ldb_dn_is_null' declared as function returning a function
make[1]: *** [providers/dp_auth_util.o] Error 1
make[1]: Leaving directory `/home/migpc/Code/sssd/sssd-0.3.3/server'
make: *** [build-arch-stamp] Error 2
dpkg-buildpackage: failure: debian/rules build gave error exit status 2
debuild: fatal error at line 1329:
dpkg-buildpackage -rfakeroot -D -us -uc failed

From jhrozek at redhat.com Thu Apr 30 16:45:26 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 30 Apr 2009 18:45:26 +0200
Subject: [Freeipa-devel] [PATCHES] start/stop related fixes
In-Reply-To: <49F9CBAA.3020401@redhat.com>
References: <1241106592.29393.40.camel@zeppelin.englab.brq.redhat.com> <49F9CBAA.3020401@redhat.com>
Message-ID: <1241109926.29393.48.camel@zeppelin.englab.brq.redhat.com>

On Thu, 2009-04-30 at 12:02 -0400, Stephen Gallagher wrote:
> > Fix initscript return codes is pretty straightforward - just return
> > correct values in initscript functions. These two patches should
> > address ticket #28.
> >
> > The third one redirects stderr when starting sssd to a temporary
> > logfile and only prints it when something fails during the startup.
> > This should address ticket #27.
>
> Why are you doing rm -f $LOGFILE at the end of start()? Won't you
> erase any startup error messages?
>

Yes, but after printing them to stderr if needed. The logfile is temporary for the startup.

The intent was to save stderr to a temporary logfile, check if sssd started correctly, if so, don't show the stderr output (as it contains the "Unable to register control with rootdse!" messages), if it failed to start, print the error messages.

> > The last one removes the pid file on quitting sssd, right now the
> > pid file is left in /var/run after sssd finished which doesn't seem
> > right. Related to this - should sssd be a single-instance daemon? If so,
> > there's another bug in pidfile() - a second instance of sssd that's
> > run overwrites the pid file.
> >
>
> Yes, SSSD MUST be single-instance. Please fix that and roll it into
> this patch.
>

OK. I also noticed that it's trying to remove the pid file for all processes, which is wrong, should be done only for sssd, I need to fix that, too.

From sgallagh at redhat.com Thu Apr 30 17:11:51 2009
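The two pidfile() problems raised above (a second instance silently overwriting the pid file, and removal that should only ever touch sssd's own file) are illustrated by the following added example; it is not sssd's util/server.c code. The path EXAMPLE_PIDFILE and the helper dead_pid_for_test() are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed path for the example; a daemon would use its configured /var/run location. */
#define EXAMPLE_PIDFILE "/tmp/sssd_pidfile_example.pid"

/* Pid recorded in the file, or 0 if it is missing, unreadable or malformed.
 * Anything that does not parse is treated as stale, never as a live owner. */
pid_t pidfile_read(const char *path)
{
    char buf[32], *end;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof(buf) - 1);
    close(fd);
    if (n <= 0) return 0;
    buf[n] = '\0';
    long pid = strtol(buf, &end, 10);
    if (end == buf || pid <= 0) return 0;
    while (*end == '\n' || *end == ' ') end++;    /* only trailing whitespace may follow */
    return *end == '\0' ? (pid_t)pid : 0;
}

/* Signal 0 probes for existence; EPERM means the process exists but belongs
 * to another user, which still counts as a live instance. */
static int process_alive(pid_t pid)
{
    return kill(pid, 0) == 0 || errno == EPERM;
}

/* Create the file with O_EXCL so the kernel, not a racy "does it exist" check,
 * decides who wins. Returns 0 or an errno value (EEXIST if the file is there). */
int pidfile_write_exclusive(const char *path, pid_t pid)
{
    char buf[32]; int rc = 0;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return errno;
    int len = snprintf(buf, sizeof(buf), "%ld\n", (long)pid);
    if (write(fd, buf, (size_t)len) != len) rc = errno ? errno : EIO;
    close(fd);
    if (rc) unlink(path);
    return rc;
}

/* Claim the pid file: 0 on success, EEXIST if another live instance owns it,
 * another errno on I/O failure. A stale file (dead or unparsable pid) is reclaimed. */
int pidfile_create(const char *path)
{
    for (int attempt = 0; attempt < 2; attempt++) {
        int rc = pidfile_write_exclusive(path, getpid());
        if (rc != EEXIST) return rc;
        pid_t other = pidfile_read(path);
        if (other > 0 && process_alive(other)) return EEXIST;
        /* Stale: drop it and retry the exclusive create exactly once, so two
         * reclaimers racing here still leave only one winner. */
        if (unlink(path) < 0 && errno != ENOENT) return errno;
    }
    return EEXIST;
}

/* Remove the file only if it still records our own pid: a process that lost
 * the race, or a helper process, must never delete the running daemon's file. */
int pidfile_remove(const char *path)
{
    pid_t recorded = pidfile_read(path);
    if (recorded == 0 && access(path, F_OK) != 0) return ENOENT;
    if (recorded != getpid()) return EPERM;
    return unlink(path) == 0 ? 0 : errno;
}

/* Test helper (assumed for the example): fork a child that exits at once and
 * reap it, which yields a pid no live process holds. */
pid_t dead_pid_for_test(void)
{
    pid_t child = fork();
    if (child == 0) _exit(0);
    if (child > 0) waitpid(child, NULL, 0);
    return child;
}

int main(void)
{
    int rc = pidfile_create(EXAMPLE_PIDFILE);
    if (rc != 0) {
        fprintf(stderr, "not starting: %s\n", strerror(rc));  /* EEXIST: already running */
        return 1;
    }
    printf("pid %ld owns %s\n", (long)getpid(), EXAMPLE_PIDFILE);
    return pidfile_remove(EXAMPLE_PIDFILE) == 0 ? 0 : 1;
}
```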
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 30 Apr 2009 13:11:51 -0400
Subject: [Freeipa-devel] [PATCHES] start/stop related fixes
In-Reply-To: <1241109926.29393.48.camel@zeppelin.englab.brq.redhat.com>
References: <1241106592.29393.40.camel@zeppelin.englab.brq.redhat.com> <49F9CBAA.3020401@redhat.com> <1241109926.29393.48.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <49F9DBD7.20704@redhat.com>

Jakub Hrozek wrote:
> On Thu, 2009-04-30 at 12:02 -0400, Stephen Gallagher wrote:
>>> Fix initscript return codes is pretty straightforward - just return
>>> correct values in initscript functions. These two patches should
>>> address ticket #28.
>>>
>>> The third one redirects stderr when starting sssd to a temporary
>>> logfile and only prints it when something fails during the startup.
>>> This should address ticket #27.
>> Why are you doing rm -f $LOGFILE at the end of start()? Won't you
>> erase any startup error messages?
>>
>
> Yes, but after printing them to stderr if needed. The logfile is
> temporary for the startup.
>
> The intent was to save stderr to a temporary logfile, check if sssd
> started correctly, if so, don't show the stderr output (as it contains
> the "Unable to register control with rootdse!" messages), if it failed
> to start, print the error messages.
>

Ok, I think I misread it. In that case, it's fine.

>>> The last one removes the pid file on quitting sssd, right now the
>>> pid file is left in /var/run after sssd finished which doesn't seem
>>> right. Related to this - should sssd be a single-instance daemon? If so,
>>> there's another bug in pidfile() - a second instance of sssd that's
>>> run overwrites the pid file.
>>>
>> Yes, SSSD MUST be single-instance. Please fix that and roll it into
>> this patch.
>>
>
> OK.
I also noticed that it's trying to remove the pid file for all > processes, which is wrong, should be done only for sssd, I need to fix > that, too. > - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkn529QACgkQeiVVYja6o6N4wQCfXhuvd1/aBQh5nAMNAJDwH6dV Ly0AnRmHA/LKxqCuR1E6FEDPkot5NxWc =jRvw -----END PGP SIGNATURE----- From rcritten at redhat.com Thu Apr 30 17:27:37 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 30 Apr 2009 13:27:37 -0400 Subject: [Freeipa-devel] [PATCH] 196 add missing attribute In-Reply-To: <1241049452.7910.1.camel@jgd-dsk> References: <49F89E2B.6000608@redhat.com> <1241049452.7910.1.camel@jgd-dsk> Message-ID: <49F9DF89.2050707@redhat.com> Jason Gerard DeRose wrote: > On Wed, 2009-04-29 at 14:36 -0400, Rob Crittenden wrote: >> I somehow missed one of the most important attributes for netgroup: the >> NIS domain. Add this in as a required attribute. >> >> rob > > ack. > pushed to master From rcritten at redhat.com Thu Apr 30 17:49:48 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 30 Apr 2009 13:49:48 -0400 Subject: [Freeipa-devel] [PATCH] User right attribute name for e-mail in user2 plugin. In-Reply-To: <49F9B082.4050608@redhat.com> References: <49F9B082.4050608@redhat.com> Message-ID: <49F9E4BC.8030204@redhat.com> Pavel Zuna wrote: > Pavel > > I probably should have fixed this in my earlier patch, thanks for adding it. Pushed to master rob From rcritten at redhat.com Thu Apr 30 17:51:32 2009 
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 30 Apr 2009 13:51:32 -0400
Subject: [Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend.
In-Reply-To: <49F9B8E8.1010403@redhat.com>
References: <49F9B183.5090902@redhat.com> <49F9B10E.4060209@redhat.com> <49F9B8E8.1010403@redhat.com>
Message-ID: <49F9E524.7040804@redhat.com>

Pavel Zuna wrote:
> Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> By the way, there's a little bug I discovered while testing this plugin. It affects the old group plugin as well. When trying to modify a group into a posixGroup, gidNumber doesn't get generated automatically resulting in an object violation LDAP error. Solution is to generate it ourselves, but I didn't know how it works, so I commented that part out for now. (/FIXME in vim)
>>>
>>
>> This should be fixed in FDS 1.2. Can you update and give it a try?
>>
>> rob
> Sure, just updated and you're right, it works. :)
> Updated patch attached.
>
> Pavel

nack. This won't handle someone using group-mod to set a specific gidnumber. The posixGroup objectclass won't be added.

rob

From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 30 Apr 2009 14:08:13 -0400
Subject: [Freeipa-devel] [PATCH] Add method to generate DN from attribute directly, without making RDN first.
In-Reply-To: <49F9B043.7060603@redhat.com>
References: <49F9B024.7010000@redhat.com> <49F9B043.7060603@redhat.com>
Message-ID: <49F9E90D.5060509@redhat.com>

Rob Crittenden wrote:
> Pavel Zuna wrote:
>> Pavel
>>
>
> Ack. There is a typo in the docstring that I'll fix when I push it.
>

pushed to master

From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 30 Apr 2009 20:25:41 +0200
Subject: [Freeipa-devel] [PATCHES] start/stop related fixes
In-Reply-To: <49F9CBAA.3020401@redhat.com>
References: <1241106592.29393.40.camel@zeppelin.englab.brq.redhat.com> <49F9CBAA.3020401@redhat.com>
Message-ID: <1241115941.29393.57.camel@zeppelin.englab.brq.redhat.com>

On Thu, 2009-04-30 at 12:02 -0400, Stephen Gallagher wrote:
> > The last one removes the pid file on quitting sssd, right now the pid file is left in /var/run after sssd finished which doesn't seem right.
> > Related to this - should sssd be a single-instance daemon? If so, there's another bug in pidfile() - a second instance of sssd that's run overwrites the pid file.
> >
>
> Yes, SSSD MUST be single-instance. Please fix that and roll it into this patch.

Thanks, patch attached. I changed the conditionals in pidfile() so that we error out if we succeed in signaling the PID from pidfile.

Jakub

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Remove-old-pidfile-make-sssd-single-instance.patch
Type: text/x-patch
Size: 2920 bytes
Desc: not available
URL: 

From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 30 Apr 2009 15:08:01 -0400
Subject: [Freeipa-devel] [PATCH] allow password to be sent in via pipe
Message-ID: <49F9F711.9030300@redhat.com>

When reading a password, if there is no tty, read from stdin instead. This will allow one to pipe a password in:

echo -e "secret123\nsecret123\n" | ipa password someuser

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-198-password.patch
Type: application/mbox
Size: 1540 bytes
Desc: not available
URL: 

From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 30 Apr 2009 15:55:00 -0400
Subject: [Freeipa-devel] [PATCH] Change help interface to display builtin commands and a list of topics based on plugin modules.
In-Reply-To: <49F5C786.2070606@redhat.com>
References: <49F5C786.2070606@redhat.com>
Message-ID: <49FA0214.2010600@redhat.com>

Pavel Zuna wrote:
> Structured help interface. The same as before, but this time with even less ugly code and it applies to the current master branch.
>
> Pavel
>

Ack and pushed to master.

Pavel, can you add some sort of 'all' option to print every command?

rob

From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 30 Apr 2009 16:08:33 -0400
Subject: [Freeipa-devel] [PATCHES] start/stop related fixes
In-Reply-To: <49F9DBD7.20704@redhat.com>
References: <1241106592.29393.40.camel@zeppelin.englab.brq.redhat.com> <49F9CBAA.3020401@redhat.com> <1241109926.29393.48.camel@zeppelin.englab.brq.redhat.com> <49F9DBD7.20704@redhat.com>
Message-ID: <1241122113.29148.42.camel@localhost.localdomain>

On Thu, 2009-04-30 at 13:11 -0400, Stephen Gallagher wrote:
> >> Why are you doing rm -f $LOGFILE at the end of start()? Won't you erase any startup error messages?
> >>
> >
> > Yes, but after printing them to stderr if needed. The logfile is temporary for the startup.
> >
> > The intent was to save stderr to a temporary logfile, check if sssd started correctly, if so, don't show the stderr output (as it contains the "Unable to register control with rootdse!" messages), if it failed to start, print the error messages.
> >
>
> Ok, I think I misread it.
> In that case, it's fine.

No, not really, rm will only remove the file from the directory, but the file will exist until it is closed. If sssd starts spitting a consistent amount of data to stderr it will go into that file and the admin will not see it growing and eating disk space.

I think we should really just redirect to /dev/null, if someone is interested in debug output then he can just run it manually or change the init file.

IMO.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 30 Apr 2009 16:13:36 -0400
Subject: [Freeipa-devel] [PATCHES] start/stop related fixes
In-Reply-To: <1241115941.29393.57.camel@zeppelin.englab.brq.redhat.com>
References: <1241106592.29393.40.camel@zeppelin.englab.brq.redhat.com> <49F9CBAA.3020401@redhat.com> <1241115941.29393.57.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <1241122416.29148.43.camel@localhost.localdomain>

On Thu, 2009-04-30 at 20:25 +0200, Jakub Hrozek wrote:
> Thanks, patch attached. I changed the conditionals in pidfile() so that we error out if we succeed in signaling the PID from pidfile.

NACK, you cannot allocate memory in a signal handler. Please use tevent signal handlers in monitor's main.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 30 Apr 2009 16:16:58 -0400
Subject: [Freeipa-devel] [PATCHES] Make search filter generation a bit safer. Minor bug fixes/code improvements. + Add DNS management plugin port to the new ldap backend.
In-Reply-To: <49F606FC.2090209@redhat.com>
References: <49F606FC.2090209@redhat.com>
Message-ID: <49FA073A.9060802@redhat.com>

Pavel Zuna wrote:
> Patch 0001: Make search filter generation a bit safer. Minor bug fixes/code improvements.
>
> - Make filter generation safer, for example if someone tries to generate a filter from an empty dict, the resulting filter will be '' instead of an exception thrown in the user's face.
> - In find_entries filter now defaults to '(objectClass=*)' when an empty string or None is passed to it, the same way ldapsearch does it.
> - Corrects minor defects from previous patches.
>
>
> Patch 0002: Add DNS management plugin port to the new ldap backend.
>
> I know the word 'port' might seem a bit out of place, because most people on freeipa-devel haven't seen the original version for the old LDAP backend. I made the first version a long time ago and since it was my first plugin, it wasn't very good.
>
> Anyway, this plugin is a bit special, because of the underlying LDAP schema. I tried to make its commands as powerful and easy to use as possible. Examples of use are in the module's docstring.

Ack both and pushed to master

rob

From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 30 Apr 2009 22:45:47 +0200
Subject: [Freeipa-devel] [PATCHES] start/stop related fixes
In-Reply-To: <1241122113.29148.42.camel@localhost.localdomain>
References: <1241106592.29393.40.camel@zeppelin.englab.brq.redhat.com> <49F9CBAA.3020401@redhat.com> <1241109926.29393.48.camel@zeppelin.englab.brq.redhat.com> <49F9DBD7.20704@redhat.com> <1241122113.29148.42.camel@localhost.localdomain>
Message-ID: <1241124347.16180.2.camel@hendrix>

On Thu, 2009-04-30 at 16:08 -0400, Simo Sorce wrote:
> > Ok, I think I misread it.
> > In that case, it's fine.
>
> No, not really, rm will only remove the file from the directory, but the file will exist until it is closed. If sssd starts spitting a consistent amount of data to stderr it will go into that file and the admin will not see it growing and eating disk space.
>
> I think we should really just redirect to /dev/null, if someone is interested in debug output then he can just run it manually or change the init file.
>
> IMO.
>

OK, that makes it a one-liner. att.

Jakub

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-redirect-stderr-to-dev-null-in-initscript.patch
Type: application/mbox
Size: 715 bytes
Desc: not available
URL: 

From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 30 Apr 2009 17:12:30 -0400
Subject: [Freeipa-devel] [PATCH] Some more return value fixes (ticket #30)
Message-ID: <1241125950.29148.44.camel@localhost.localdomain>

see subj

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-some-more-return-paths-using-uninitalized-ret.patch
Type: text/x-patch
Size: 1570 bytes
Desc: not available
URL: 

From: sbose at redhat.com (Sumit Bose)
Date: Fri, 01 May 2009 00:13:30 +0200
Subject: [Freeipa-devel] [PATCH] Some more return value fixes (ticket #30)
In-Reply-To: <1241125950.29148.44.camel@localhost.localdomain>
References: <1241125950.29148.44.camel@localhost.localdomain>
Message-ID: <49FA228A.3000502@redhat.com>

Simo Sorce wrote:
> see subj
>

ACK

bye,
Sumit