From deepsa at fedoraproject.org Sun Feb 1 05:13:56 2009
From: deepsa at fedoraproject.org (Deependra Singh Shekhawat)
Date: Sat, 31 Jan 2009 21:13:56 -0800
Subject: [Freeipa-devel] FreeIPA presentation slides request
Message-ID: <57127b5f0901312113o7412ba2fq936e5c375de536b4@mail.gmail.com>

Good morning all,

I am planning to give a presentation on IPA at my college technical fest
scheduled for the next week. I am working on the presentation but I would
like to use some of the existing presentations on the subject as
reference.

Basically I would like to know what all topics besides the basic
functionality of IPA one can use to present in a seminar.

Any help in this regard is greatly appreciated.

Thanks in advance

Kind Regards
Deependra Singh Shekhawat

--
Type bits /keyID Date User ID
pub 1024D/483B234C 2007/06/29 Deependra Singh Shekhawat (Fedora Project) <jeevanullas at gmail.com>
Key fingerprint = ED45 62EA A4D7 53FB 44C7 774A D55B F3F0 483B 234C

From chorn at fluxcoil.net Sun Feb 1 18:04:02 2009
From: chorn at fluxcoil.net (Christian Horn)
Date: Sun, 1 Feb 2009 19:04:02 +0100
Subject: [Freeipa-devel] FreeIPA presentation slides request
In-Reply-To: <57127b5f0901312113o7412ba2fq936e5c375de536b4@mail.gmail.com>
References: <57127b5f0901312113o7412ba2fq936e5c375de536b4@mail.gmail.com>
Message-ID: <20090201180402.GA26518@fluxcoil.net>

Mornings,

On Sat, Jan 31, 2009 at 09:13:56PM -0800, Deependra Singh Shekhawat wrote:
>
> Basically I would like to know what all topics besides the basic
> functionality of IPA one can use to present in a seminar.
>
> Any help in this regard is greatly appreciated.

I am working on a presentation for sysadmins, will probably call it
'A sysadmins guide to authentication and authorization' or
'Elegant logons in environments with mixed operating systems'.

Already there is overview over important authentication/authorization
systems from the past and directories, so
files/nis/radius/ldap/kerberos, will finally present crossrealm-trust
and what ipa does.
Maybe such a history part would also fit into your presentation.

Christian

From rcritten at redhat.com Mon Feb 2 19:25:20 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 02 Feb 2009 14:25:20 -0500
Subject: [Freeipa-devel] WARNING: patches coming
Message-ID: <498748A0.7050109@redhat.com>

I've completed a first pass at merging the new management framework and
the v1 tree. It is now in a semi-installable state: it works for me, it
may not for you.

I haven't tested all the make targets yet and some are likely to go
away. The target I tested most was rpms. This builds a set of rpms from
a unified spec file. No more individual spec files to update. The
downside is that it will be less easy to build rpms of individual
components.

I was able to take the rpms produced and install on a clean system and
get the basic command-line programs working. I didn't test replication
at all.

So here come 41 patches. 3 of them are my cleanup patches and 38 are
patches from Jason. I compressed the mass removal and mass reorg patches
because they are so big.

rob

From rcritten at redhat.com Mon Feb 2 19:26:28 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 02 Feb 2009 14:26:28 -0500
Subject: [Freeipa-devel] [PATCH] Mass reorg
Message-ID: <498748E4.2030200@redhat.com>

I gave up on my initial attempt at moving most things under ipaserver.
Instead I'm going to leave ipaserver as a pure python directory. I did
move the installer libraries there.

I created a new top-level directory install into which all the html,
configuration files, etc went. This is also where the tools used during
installation and for now, replication, went.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Mass-tree-reorganization-for-IPAv2.patch.bz2
Type: application/x-bzip2
Size: 236851 bytes
Desc: not available

From rcritten at redhat.com Mon Feb 2 19:27:05 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 02 Feb 2009 14:27:05 -0500
Subject: [Freeipa-devel] [PATCH] Mass file removal
Message-ID: <49874909.7090902@redhat.com>

Remove the old UI, admin library and command-line tools.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Mass-file-removal-for-IPAv2.patch.bz2
Type: application/x-bzip2
Size: 260921 bytes
Desc: not available

From rcritten at redhat.com Mon Feb 2 19:28:44 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 02 Feb 2009 14:28:44 -0500
Subject: [Freeipa-devel] [PATCHES] Bring master up to Jason's tree
Message-ID: <4987496C.9060605@redhat.com>

Once we get things settled in master I'll leave it up to Jason to keep
it up to date :-)

For now, this refreshes from his tree. It is 38 patches. I've already
done a cursory review. I'm going to respond to my own e-mail with some
issues.

I think it would be easiest if we commit all these patches and then
address any issues found. It will make moving forward easier.

rob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0003-Command.takes_options-and-Command.takes_args-class-a.patch
Name: 0004-Started-roughing-out-new-crud-base-classes.patch
Name: 0005-Added-Command.args_options_2_params-method-and-its.patch
Name: 0006-Removed-depreciated-Command.args_to_kw-method-upd.patch
Name: 0007-Renamed-f_misc.py-plugin-module-to-misc.py.patch
Name: 0008-Added-Object.params_minus-method-various-small-tw.patch
Name: 0009-Added-ca_host-ca_port-and-ca_ssl_port-Env-variable.patch
Name: 0010-Removed-bogus-CLI.set_defaults-method-that-was-cau.patch
Name: 0011-Sundry-work-getting-ready-to-switch-to-new-XML-RPC-c.patch
Name: 0012-Further-migration-toward-new-xmlrcp-code-fixed-prob.patch
Name: 0013-More-xmlrpc-tweaks-xmlserver.execute-now-logs-non.patch
Name: 0014-More-work-on-xmlrpc-stuff-started-migrated-more-cod.patch
Name: 0015-Removed-lite-xmlrpc.py.patch
Name: 0016-Renamed-lite-xmlrpc2.py-to-lite-xmlrpc.py.patch
Name: 0017-Switched-back-to-generic-shabang-in-lite-xmlrpc.py.patch
Name: 0018-Fixed-a-few-problems-in-the-CLI-interactive-promptin.patch
Name: 0019-Fixed-another-small-CLI-decoding-problem-multivalue.patch
Name: 0020-CLI-now-logs-trace-if-it-catches-a-non-public-error.patch
Name: 0021-Added-some-missing-parameter-unit-tests-added-docst.patch
Name: 0022-Added-ServiceError-KerberosError-and-make-rpc.Kerb.patch
Name: 0023-Removed-depreciated-import-of-errors-in-frontend.py.patch
Name: 0024-Added-stuff-for-managing-connections-and-new-Executi.patch
Name: 0025-Removed-the-depreciated-Context-and-LazyContext-clas.patch
Name: 0026-Ported-xmlserver-to-subclass-from-Executioner.patch
Name: 0027-Ported-xmlclient-to-subclass-from-Connectible.patch
Name: 0028-Added-docstring-to-Connectible-class.patch
Name: 0029-Started-reworking-CLI-class-into-cli-plugin.patch
Name: 0030-Finished-reworked-cli.CLI-class-into-cli.cli-plugin.patch
Name: 0031-Got-new-ldap-connection-working-using-Connectible.co.patch
Name: 0032-Removed-depreciated-ipaserver-context.py-module-now.patch
Name: 0033-Fixed-bug-I-introduced-in-KerbTransport-started-wor.patch
Name: 0034-Mostly-got-the-test_xmlrpc-tests-working-again.patch
Name: 0035-Applied-Rob-s-errors-patch.patch
Name: 0036-Fixed-some-of-the-test_xmlrpc-unit-tests.patch
Name: 0037-Some-tweaks-in-user-plugins-ported-to-new-crud-base.patch
Name: 0038-Added-doodle-for-version-vars-in-ipalib.__init__.patch
Name: 0039-Started-work-on-a-much-simplified-mod_python-server.patch
Name: 0040-Finished-small-tweaks-to-get-new-ipaserver.xmlrpc.patch

From rcritten at redhat.com Mon Feb 2 19:29:19 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 02 Feb 2009 14:29:19 -0500
Subject: [Freeipa-devel] [PATCH] Bring it all together
Message-ID: <4987498F.6030306@redhat.com>

This final patch makes the tree buildable and installable.

rob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0041-Get-merged-tree-into-an-installalble-state.patch

From rcritten at redhat.com Mon Feb 2 19:35:18 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 02 Feb 2009 14:35:18 -0500
Subject: [Freeipa-devel] [PATCHES] Bring master up to Jason's tree
In-Reply-To: <4987496C.9060605@redhat.com>
References: <4987496C.9060605@redhat.com>
Message-ID: <49874AF6.50009@redhat.com>

Rob Crittenden wrote:
> Once we get things settled in master I'll leave it up to Jason to keep
> it up to date :-)
>
> For now, this refreshes from his tree. It is 38 patches. I've already
> done a cursory review. I'm going to respond to my own e-mail with some
> issues.
>
> I think it would be easiest if we commit all these patches and then
> address any issues found. It will make moving forward easier.

Ok, here are the things I've found

- Some of the tests where hosts are involved were switched from a
hardcoded ipaexample.$DOMAIN to the current host. I purposely used this
hostname so we could avoid collisions with real services. The tests
actually delete data. Even though this shouldn't be run against a
production server...

- In KerbTransport() I originally was setting extra_headers directly. It
was changed at some point to +=. I think this is probably better since
extra_headers is passed in as an argument. We don't want to overwrite
things passed in.

- The # of plugins in misc/plugins.py is misleading. It is really the #
of functions in the API, not the number of plugins.

- The registrations of the ra plugin are currently all commented out

- In some of the tests I use things like res.get('somevalue','') instead
of res['somevalue'] so we don't crash on KeyError. Either way the test
will fail, not sure which is easier to understand.

rob

From jderose at redhat.com Tue Feb 3 05:05:41 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 02 Feb 2009 22:05:41 -0700
Subject: [Freeipa-devel] [PATCH] Mass reorg
In-Reply-To: <498748E4.2030200@redhat.com>
References: <498748E4.2030200@redhat.com>
Message-ID: <1233637541.11230.4.camel@jgd-dsk>

On Mon, 2009-02-02 at 14:26 -0500, Rob Crittenden wrote:
> I gave up on my initial attempt at moving most things under ipaserver.
> Instead I'm going to leave ipaserver as a pure python directory. I did
> move the installer libraries there.

Thanks Rob! ;)

> I created a new top-level directory install into which all the html,
> configuration files, etc went. This is also where the tools used during
> installation and for now, replication, went.
>
> rob
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

From jderose at redhat.com Tue Feb 3 05:31:10 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 02 Feb 2009 22:31:10 -0700
Subject: [Freeipa-devel] [PATCHES] Bring master up to Jason's tree
In-Reply-To: <4987496C.9060605@redhat.com>
References: <4987496C.9060605@redhat.com>
Message-ID: <1233639070.11230.54.camel@jgd-dsk>

On Mon, 2009-02-02 at 14:28 -0500, Rob Crittenden wrote:
> Once we get things settled in master I'll leave it up to Jason to keep
> it up to date :-)

Rob, let me know when you think things are ready for me to merge your
changes into my branch, and then I'll start emailing patches to
freeipa-devel. I hope all the coding I was doing in the meantime didn't
cause you too much headache. Thanks for merging my patches and thanks
for all your work!

Also, a little FYI for everyone: I'll continue to sync my day-to-day
development to my fedorapeople.org git repo. So if anyone needs to
follow my bleeding edge development, you can still pull it here:

    git clone git://fedorapeople.org/~jderose/freeipa2.git

Whenever I get to a point where I have a stable and logically complete
patch set, I'll email it to freeipa-devel where it can be reviewed and
merged into master. However, while I'm still doing such far-reaching
development, I probably won't email a patch set more than once or twice
per week. I just don't think it's productive for anyone if I'm emailing
dozens of patches every day, but if anyone disagrees, I'm open to other
suggestions.

> For now, this refreshes from his tree. It is 38 patches. I've already
> done a cursory review. I'm going to respond to my own e-mail with some
> issues.
>
> I think it would be easiest if we commit all these patches and then
> address any issues found. It will make moving forward easier.

I agree.

> rob

From jderose at redhat.com Tue Feb 3 06:37:21 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 02 Feb 2009 23:37:21 -0700
Subject: [Freeipa-devel] [PATCHES] Bring master up to Jason's tree
In-Reply-To: <49874AF6.50009@redhat.com>
References: <4987496C.9060605@redhat.com> <49874AF6.50009@redhat.com>
Message-ID: <1233643041.11230.185.camel@jgd-dsk>

On Mon, 2009-02-02 at 14:35 -0500, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Once we get things settled in master I'll leave it up to Jason to keep
> > it up to date :-)
> >
> > For now, this refreshes from his tree. It is 38 patches. I've already
> > done a cursory review. I'm going to respond to my own e-mail with some
> > issues.
> >
> > I think it would be easiest if we commit all these patches and then
> > address any issues found. It will make moving forward easier.
>
> Ok, here are the things I've found
>
> - Some of the tests where hosts are involved were switched from a
> hardcoded ipaexample.$DOMAIN to the current host. I purposely used this
> hostname so we could avoid collisions with real services. The tests
> actually delete data. Even though this shouldn't be run against a
> production server...
>
> - In KerbTransport() I originally was setting extra_headers directly. It
> was changed at some point to +=. I think this is probably better since
> extra_headers is passed in as an argument. We don't want to overwrite
> things passed in.

One thing I encountered here, Rob: I set it to += not realizing that
extra_headers can be None. So we should check for this and do something
like:

    added = []
    if extra_headers is None:
        extra_headers = added
    else:
        extra_headers += added

I don't know if the base class will return headers we actually need, but
this is good future-proofing either way.

> - The # of plugins in misc/plugins.py is misleading. It is really the #
> of functions in the API, not the number of plugins.

But each function (Command) is in fact a plugin, just usually a rather
minimal one. And `./ipa plugins` shows the plugins loaded in all
namespaces (api.Backend, api.Object, etc.), not just those in
api.Command.

You can also see what plugins are loaded on the server using the
--server option, like this:

    ./ipa plugins --server

The above requires the server (XML-RPC) to be running and reachable.
From the source tree you can also run the CLI script with
in_server=True, which will cause the script to load the available server
plugins and do the execute internally rather than forwarding it. This is
very helpful in debugging because the command will do the same thing but
without the complexity of the XML-RPC call. Here is an example:

    ./ipa -e in_server=True plugins  # Same list as above

Or:

    ./ipa -e in_server=True user-add jderose

It will probably be most productive to develop your plugins this way.
You can make this the default by adding it in your ~/.ipa/cli.conf file,
like this:

    # Put this in ~/.ipa/cli.conf
    # (but without the leading spaces in this email)
    [global]
    in_server = True

But you should also test your plugins over XML-RPC. Even with
in_server=True in your cli.conf, you can still override it on the
command line, like this:

    ./ipa -e in_server=False user-add jderose  # Will forward to server

Those are my random tips for the day.

> - The registrations of the ra plugin are currently all commented out
>
> - In some of the tests I use things like res.get('somevalue','') instead
> of res['somevalue'] so we don't crash on KeyError. Either way the test
> will fail, not sure which is easier to understand.

Since the test fails either way, I recommend res['somevalue'] as
res.get() makes it seem like there might be more than one condition
under which the test can pass. If the 'somevalue' key is missing, the
KeyError raised makes the trace easy to understand.

For cases when the key is present but the value is incorrect, it's
helpful to include the incorrect value in the assert message, like this:

    >>> assert res['somevalue'] == 'The value', repr(res['somevalue'])
    Traceback (most recent call last):
      ...
    AssertionError: 'Not the value'

Otherwise the trace won't show the offending value. I'll try to be
better about doing this in the unit tests for the core library.

> rob
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

From jderose at redhat.com Tue Feb 3 19:29:23 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Tue, 03 Feb 2009 12:29:23 -0700
Subject: [Freeipa-devel] [PATCH] Mass reorg
In-Reply-To: <498748E4.2030200@redhat.com>
References: <498748E4.2030200@redhat.com>
Message-ID: <1233689363.6916.43.camel@jgd-dsk>

ack.

These are all an ack from me as these patches don't change anything in
the Python code from my branch. But I don't know enough about the v1
tree to comment on the rest, so maybe Simo or someone else should
comment.

On Mon, 2009-02-02 at 14:26 -0500, Rob Crittenden wrote:
> I gave up on my initial attempt at moving most things under ipaserver.
> Instead I'm going to leave ipaserver as a pure python directory. I did
> move the installer libraries there.
>
> I created a new top-level directory install into which all the html,
> configuration files, etc went. This is also where the tools used during
> installation and for now, replication, went.
>
> rob
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

From jderose at redhat.com Tue Feb 3 19:30:21 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Tue, 03 Feb 2009 12:30:21 -0700
Subject: [Freeipa-devel] [PATCH] Mass file removal
In-Reply-To: <49874909.7090902@redhat.com>
References: <49874909.7090902@redhat.com>
Message-ID: <1233689421.6916.44.camel@jgd-dsk>

ack.

On Mon, 2009-02-02 at 14:27 -0500, Rob Crittenden wrote:
> Remove the old UI, admin library and command-line tools.
>
> rob
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

From jderose at redhat.com Tue Feb 3 19:31:19 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Tue, 03 Feb 2009 12:31:19 -0700
Subject: [Freeipa-devel] [PATCHES] Bring master up to Jason's tree
In-Reply-To: <4987496C.9060605@redhat.com>
References: <4987496C.9060605@redhat.com>
Message-ID: <1233689479.6916.45.camel@jgd-dsk>

ack.

But of course, I wrote these. ;)

On Mon, 2009-02-02 at 14:28 -0500, Rob Crittenden wrote:
> Once we get things settled in master I'll leave it up to Jason to keep
> it up to date :-)
>
> For now, this refreshes from his tree. It is 38 patches. I've already
> done a cursory review. I'm going to respond to my own e-mail with some
> issues.
>
> I think it would be easiest if we commit all these patches and then
> address any issues found. It will make moving forward easier.
>
> rob

From jderose at redhat.com Tue Feb 3 19:33:14 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Tue, 03 Feb 2009 12:33:14 -0700
Subject: [Freeipa-devel] [PATCH] Bring it all together
In-Reply-To: <4987498F.6030306@redhat.com>
References: <4987498F.6030306@redhat.com>
Message-ID: <1233689594.6916.47.camel@jgd-dsk>

ack.

I think you got us to a good starting point, Rob. We can get things
buildable and then continue to reorganize as needed. Thanks!

On Mon, 2009-02-02 at 14:29 -0500, Rob Crittenden wrote:
> This final patch makes the tree buildable and installable.
>
> rob

From ssorce at redhat.com Tue Feb 3 20:05:55 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 03 Feb 2009 15:05:55 -0500
Subject: [Freeipa-devel] [PATCH] Mass reorg
In-Reply-To: <498748E4.2030200@redhat.com>
References: <498748E4.2030200@redhat.com>
Message-ID: <1233691555.3655.43.camel@localhost.localdomain>

On Mon, 2009-02-02 at 14:26 -0500, Rob Crittenden wrote:
> I gave up on my initial attempt at moving most things under ipaserver.
> Instead I'm going to leave ipaserver as a pure python directory. I did
> move the installer libraries there.
>
> I created a new top-level directory install into which all the html,
> configuration files, etc went. This is also where the tools used during
> installation and for now, replication, went.

I can't claim I have read all patches thoroughly, but it seems to me the
direction is good so ACK for all the patches in this batch, and let's
deal with any nitpick later.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Tue Feb 3 20:28:40 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Feb 2009 15:28:40 -0500
Subject: [Freeipa-devel] [PATCH] Mass reorg
In-Reply-To: <1233689363.6916.43.camel@jgd-dsk>
References: <498748E4.2030200@redhat.com> <1233689363.6916.43.camel@jgd-dsk>
Message-ID: <4988A8F8.2020300@redhat.com>

Jason Gerard DeRose wrote:
> ack.
>
> These are all an ack from me as these patches don't change anything in
> the Python code from my branch. But I don't know enough about the v1
> tree to comment on the rest, so maybe Simo or someone else should
> comment.
>
> On Mon, 2009-02-02 at 14:26 -0500, Rob Crittenden wrote:
>> I gave up on my initial attempt at moving most things under ipaserver.
>> Instead I'm going to leave ipaserver as a pure python directory. I did
>> move the installer libraries there.
>>
>> I created a new top-level directory install into which all the html,
>> configuration files, etc went. This is also where the tools used during
>> installation and for now, replication, went.

pushed

From rcritten at redhat.com Tue Feb 3 20:28:48 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Feb 2009 15:28:48 -0500
Subject: [Freeipa-devel] [PATCH] Mass file removal
In-Reply-To: <1233689421.6916.44.camel@jgd-dsk>
References: <49874909.7090902@redhat.com> <1233689421.6916.44.camel@jgd-dsk>
Message-ID: <4988A900.1070807@redhat.com>

Jason Gerard DeRose wrote:
> ack.
>
> On Mon, 2009-02-02 at 14:27 -0500, Rob Crittenden wrote:
>> Remove the old UI, admin library and command-line tools.
>>

pushed

From rcritten at redhat.com Tue Feb 3 20:28:57 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Feb 2009 15:28:57 -0500
Subject: [Freeipa-devel] [PATCHES] Bring master up to Jason's tree
In-Reply-To: <1233689479.6916.45.camel@jgd-dsk>
References: <4987496C.9060605@redhat.com> <1233689479.6916.45.camel@jgd-dsk>
Message-ID: <4988A909.3060904@redhat.com>

Jason Gerard DeRose wrote:
> ack.
>
> But of course, I wrote these. ;)
>
> On Mon, 2009-02-02 at 14:28 -0500, Rob Crittenden wrote:
>> Once we get things settled in master I'll leave it up to Jason to keep
>> it up to date :-)
>>
>> For now, this refreshes from his tree. It is 38 patches. I've already
>> done a cursory review. I'm going to respond to my own e-mail with some
>> issues.
>>
>> I think it would be easiest if we commit all these patches and then
>> address any issues found. It will make moving forward easier.
>>
>> rob
>

pushed

From rcritten at redhat.com Tue Feb 3 20:29:06 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Feb 2009 15:29:06 -0500
Subject: [Freeipa-devel] [PATCH] Bring it all together
In-Reply-To: <1233689594.6916.47.camel@jgd-dsk>
References: <4987498F.6030306@redhat.com> <1233689594.6916.47.camel@jgd-dsk>
Message-ID: <4988A912.8030502@redhat.com>

Jason Gerard DeRose wrote:
> ack.
>
> I think you got us to a good starting point, Rob. We can get things
> buildable and then continue to reorganize as needed. Thanks!
>
> On Mon, 2009-02-02 at 14:29 -0500, Rob Crittenden wrote:
>> This final patch makes the tree buildable and installable.
>>
>> rob
>

pushed

From rcritten at redhat.com Tue Feb 3 20:31:14 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Feb 2009 15:31:14 -0500
Subject: [Freeipa-devel] [PATCH] Fix XML-RPC tests
Message-ID: <4988A992.40702@redhat.com>

This should fix up the remaining UTF-8 issues and some other minor
things in the XML-RPC tests.

Note that this will generally work against a v1-created server but some
additional schema is needed for some tests to pass. The fixes for that
will be forthcoming.

rob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-110-tests.patch

From rcritten at redhat.com Tue Feb 3 21:03:02 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Feb 2009 16:03:02 -0500
Subject: [Freeipa-devel] [PATCH] some more make fixes
Message-ID: <4988B106.6010003@redhat.com>

Consolidate down to a single autogen.sh that assumes that the current
directory contains the source. This way we can run it from anywhere.

Also tweak it a little so it touches ChangeLog, README, etc. so we don't
have to carry empty files in git.

And I removed the autogen make target. It was used in only one place and
wasn't any different from bootstrap-autogen.

rob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-111-make.patch

From rcritten at redhat.com Tue Feb 3 21:56:51 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Feb 2009 16:56:51 -0500
Subject: [Freeipa-devel] [PATCH] some more make fixes
In-Reply-To: <4988B106.6010003@redhat.com>
References: <4988B106.6010003@redhat.com>
Message-ID: <4988BDA3.80002@redhat.com>

Rob Crittenden wrote:
> Consolidate down to a single autogen.sh that assumes that the current
> directory contains the source. This way we can run it from anywhere.
>
> Also tweak it a little so it touches ChangeLog, README, etc. so we don't
> have to carry empty files in git.
>
> And I removed the autogen make target. It was used in only one place and
> wasn't any different from bootstrap-autogen.
>
> rob
>

Er, here is the patch plus another that completes the work.

rob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-111-make.patch
Name: freeipa-112-make.patch

From ssorce at redhat.com Tue Feb 3 22:13:19 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 03 Feb 2009 17:13:19 -0500
Subject: [Freeipa-devel] [PATCH] some more make fixes
In-Reply-To: <4988BDA3.80002@redhat.com>
References: <4988B106.6010003@redhat.com> <4988BDA3.80002@redhat.com>
Message-ID: <1233699199.3655.47.camel@localhost.localdomain>

On Tue, 2009-02-03 at 16:56 -0500, Rob Crittenden wrote:
>
> Er, here is the patch plus another that completes the work.

ack

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Feb 3 22:13:40 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 03 Feb 2009 17:13:40 -0500
Subject: [Freeipa-devel] [PATCH] Fix XML-RPC tests
In-Reply-To: <4988A992.40702@redhat.com>
References: <4988A992.40702@redhat.com>
Message-ID: <1233699220.3655.48.camel@localhost.localdomain>

On Tue, 2009-02-03 at 15:31 -0500, Rob Crittenden wrote:
> This should fix up the remaining UTF-8 issues and some other minor
> things in the XML-RPC tests.
>
> Note that this will generally work against a v1-created server but some
> additional schema is needed for some tests to pass. The fixes for that
> will be forthcoming.

ack

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Feb 4 14:03:53 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 04 Feb 2009 09:03:53 -0500
Subject: [Freeipa-devel] [PATCH] some more make fixes
In-Reply-To: <1233699199.3655.47.camel@localhost.localdomain>
References: <4988B106.6010003@redhat.com> <4988BDA3.80002@redhat.com> <1233699199.3655.47.camel@localhost.localdomain>
Message-ID: <4989A049.6010601@redhat.com>

Simo Sorce wrote:
> On Tue, 2009-02-03 at 16:56 -0500, Rob Crittenden wrote:
>>
>> Er, here is the patch plus another that completes the work.
>
> ack
>

pushed

From rcritten at redhat.com Wed Feb 4 14:04:01 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 04 Feb 2009 09:04:01 -0500
Subject: [Freeipa-devel] [PATCH] Fix XML-RPC tests
In-Reply-To: <1233699220.3655.48.camel@localhost.localdomain>
References: <4988A992.40702@redhat.com> <1233699220.3655.48.camel@localhost.localdomain>
Message-ID: <4989A051.5060005@redhat.com>

Simo Sorce wrote:
> On Tue, 2009-02-03 at 15:31 -0500, Rob Crittenden wrote:
>> This should fix up the remaining UTF-8 issues and some other minor
>> things in the XML-RPC tests.
>>
>> Note that this will generally work against a v1-created server but some
>> additional schema is needed for some tests to pass. The fixes for that
>> will be forthcoming.
>
>
> ack
>

pushed to master

From rcritten at redhat.com Wed Feb 4 15:57:07 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 04 Feb 2009 10:57:07 -0500
Subject: [Freeipa-devel] [PATCH] Remove requires on TurboGears
Message-ID: <4989BAD3.8060802@redhat.com>

We aren't using TurboGears for the webUI now, remove the requirement from the spec file.

rob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-113-noturbogears.patch
URL:

From rcritten at redhat.com Wed Feb 4 15:57:55 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 04 Feb 2009 10:57:55 -0500
Subject: [Freeipa-devel] [PATCH] clean up rpmbuild dir
Message-ID: <4989BB03.8060201@redhat.com>

Remove the temporary directory we create when building rpms, rpmbuild, once the build is successfully completed.

rob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-114-rpmbuild.patch
URL:

From rcritten at redhat.com Wed Feb 4 15:59:15 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 04 Feb 2009 10:59:15 -0500
Subject: [Freeipa-devel] [PATCH] small configure.ac cleanup
Message-ID: <4989BB53.5000905@redhat.com>

No need for AC_CONFIG_SRCDIR in daemons. We *could* keep something like this if anyone wanted but its purpose is just to make sure you are sitting in the right directory when running configure.

No need for libtool in ipa-client

rob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-115-configure.patch
URL:

From rcritten at redhat.com Wed Feb 4 15:59:57 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 04 Feb 2009 10:59:57 -0500
Subject: [Freeipa-devel] [PATCH] don't start/stop webui in ipactl
Message-ID: <4989BB7D.8060807@redhat.com>

Remove webui start/stop from ipactl script.

rob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-116-webui.patch
URL:

From rcritten at redhat.com Wed Feb 4 16:03:28 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 04 Feb 2009 11:03:28 -0500
Subject: [Freeipa-devel] [PATCH] library cleanup
Message-ID: <4989BC50.7080105@redhat.com>

Some files have moved from ipa-python and ipaserver into ipalib. Remove these duplicated and in some cases unnecessary files. This also fixes the imports of those files.

Note that ipaerror will be going away soon too. I fixed a few references here to make things work but didn't fix all occurrences. The reason being to keep patches at a more manageable level.

This also creates a new configuration file, /etc/ipa/default.conf, which is used to configure the ipa command-line tool and the XML-RPC server.

Right now this file contains the basedn to search against. Do we want this hardcoded in the configuration file or determined based on the REALM as we did in v1?

rob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-117-cleanup.patch
URL:

From sgallagh at redhat.com Wed Feb 4 16:05:29 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 04 Feb 2009 11:05:29 -0500
Subject: [Freeipa-devel] [PATCH] clean up rpmbuild dir
In-Reply-To: <4989BB03.8060201@redhat.com>
References: <4989BB03.8060201@redhat.com>
Message-ID: <4989BCC9.6010801@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rob Crittenden wrote:
> Remove the temporary directory we create when building rpms, rpmbuild,
> once the build is successfully completed.
>
> rob
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Ack

- --
- --------------------
Stephen Gallagher
RHCE 804006346421761
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmJvMkACgkQeiVVYja6o6NAzQCdG1faC6HbV78c5hKhjEetJ+D3
bdUAn0U4AP5yfYtOslfIk+CDxvXrhfre
=CnDR
-----END PGP SIGNATURE-----

From sgallagh at redhat.com Wed Feb 4 16:06:07 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 04 Feb 2009 11:06:07 -0500
Subject: [Freeipa-devel] [PATCH] small configure.ac cleanup
In-Reply-To: <4989BB53.5000905@redhat.com>
References: <4989BB53.5000905@redhat.com>
Message-ID: <4989BCEF.30307@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rob Crittenden wrote:
> No need for AC_CONFIG_SRCDIR in daemons. We *could* keep something like
> this if anyone wanted but its purpose is just to make sure you are
> sitting in the right directory when running configure.
>
> No need for libtool in ipa-client
>
> rob
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Ack

- --
- --------------------
Stephen Gallagher
RHCE 804006346421761
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmJvO8ACgkQeiVVYja6o6ObugCgoWlkpTQJB/tZ7tjzaChfZFHL
RMEAn0WjOXmKsjD9p3yDU5iWuU2pWKCe
=OhPz
-----END PGP SIGNATURE-----

From sgallagh at redhat.com Wed Feb 4 16:07:51 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 04 Feb 2009 11:07:51 -0500
Subject: [Freeipa-devel] [PATCH] don't start/stop webui in ipactl
In-Reply-To: <4989BB7D.8060807@redhat.com>
References: <4989BB7D.8060807@redhat.com>
Message-ID: <4989BD57.5040102@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rob Crittenden wrote:
> Remove webui start/stop from ipactl script.
>
> rob
>
>
> ------------------------------------------------------------------------

Why exactly do we not want the webui restarted when performing an ipactl restart? I'd think we'd want to clean up all of our services.

- --
- --------------------
Stephen Gallagher
RHCE 804006346421761
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmJvVcACgkQeiVVYja6o6N/KACgg67lLw7x4U1BcuvLjm8G43d+
IZAAn1HtupZG7iE9FYhHhYRbxg/WEOs+
=Pgmr
-----END PGP SIGNATURE-----

From dpal at redhat.com Wed Feb 4 18:53:33 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 04 Feb 2009 13:53:33 -0500
Subject: [Freeipa-devel] Usability Testing
Message-ID: <4989E42D.2010209@redhat.com>

Hello,

Last week the freeIPA development team conducted a series of usability testing sessions. The goal was to see how the user interface proposed for IPA v2 resonates with the administrators. We got a lot of interesting feedback and we will be changing the screens. However we also wanted to hear your opinion about the proposed UI.

All the materials we used and feedback we got are now posted on the freeIPA site at:
http://www.freeipa.org/page/IPAv2_development_status#User_Interface_Design

Thank you for your interest in freeIPA. Any comments or suggestions are welcome!

Dmitri

From eric at vcardprocessor.com Thu Feb 5 11:37:45 2009
From: eric at vcardprocessor.com (Eric)
Date: Thu, 5 Feb 2009 03:37:45 -0800
Subject: [Freeipa-devel] Usability Testing
In-Reply-To: <4989E42D.2010209@redhat.com>
Message-ID: <20092533745.012193@C840>

An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Thu Feb 5 14:32:23 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 05 Feb 2009 09:32:23 -0500
Subject: [Freeipa-devel] [PATCH] clean up rpmbuild dir
In-Reply-To: <4989BCC9.6010801@redhat.com>
References: <4989BB03.8060201@redhat.com> <4989BCC9.6010801@redhat.com>
Message-ID: <498AF877.4080806@redhat.com>

Stephen Gallagher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rob Crittenden wrote:
>> Remove the temporary directory we create when building rpms, rpmbuild,
>> once the build is successfully completed.
>>
>> rob
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Ack
>

pushed to master

From rcritten at redhat.com Thu Feb 5 14:32:33 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 05 Feb 2009 09:32:33 -0500
Subject: [Freeipa-devel] [PATCH] small configure.ac cleanup
In-Reply-To: <4989BCEF.30307@redhat.com>
References: <4989BB53.5000905@redhat.com> <4989BCEF.30307@redhat.com>
Message-ID: <498AF881.7070802@redhat.com>

Stephen Gallagher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rob Crittenden wrote:
>> No need for AC_CONFIG_SRCDIR in daemons. We *could* keep something like
>> this if anyone wanted but its purpose is just to make sure you are
>> sitting in the right directory when running configure.
>>
>> No need for libtool in ipa-client
>>
>> rob
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> Ack

pushed to master

From rcritten at redhat.com Thu Feb 5 14:32:58 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 05 Feb 2009 09:32:58 -0500
Subject: [Freeipa-devel] [PATCH] don't start/stop webui in ipactl
In-Reply-To: <4989BD57.5040102@redhat.com>
References: <4989BB7D.8060807@redhat.com> <4989BD57.5040102@redhat.com>
Message-ID: <498AF89A.9030503@redhat.com>

Stephen Gallagher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rob Crittenden wrote:
>> Remove webui start/stop from ipactl script.
>>
>> rob
>>
>>
>> ------------------------------------------------------------------------
>
> Why exactly do we not want the webui restarted when performing an ipactl
> restart? I'd think we'd want to clean up all of our services.
>

Because this is the old webui that we've deprecated.

rob

From sgallagh at redhat.com Thu Feb 5 14:37:02 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 05 Feb 2009 09:37:02 -0500
Subject: [Freeipa-devel] [PATCH] don't start/stop webui in ipactl
In-Reply-To: <498AF89A.9030503@redhat.com>
References: <4989BB7D.8060807@redhat.com> <4989BD57.5040102@redhat.com> <498AF89A.9030503@redhat.com>
Message-ID: <498AF98E.2020605@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rob Crittenden wrote:
> Stephen Gallagher wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Rob Crittenden wrote:
>>> Remove webui start/stop from ipactl script.
>>>
>>> rob
>>>
>>>
>>> ------------------------------------------------------------------------
>>
>> Why exactly do we not want the webui restarted when performing an ipactl
>> restart? I'd think we'd want to clean up all of our services.
>>
>
> Because this is the old webui that we've deprecated.
>
> rob

Ack

- --
- --------------------
Stephen Gallagher
RHCE 804006346421761
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmK+Y0ACgkQeiVVYja6o6MhrgCgsFGE8/6d4XPNAMvXOrkjf+ae
ZTQAoKlaobXppYj3QiaVsBms5/LUQ31b
=BcvL
-----END PGP SIGNATURE-----

From rcritten at redhat.com Thu Feb 5 14:42:29 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 05 Feb 2009 09:42:29 -0500
Subject: [Freeipa-devel] [PATCH] don't start/stop webui in ipactl
In-Reply-To: <498AF98E.2020605@redhat.com>
References: <4989BB7D.8060807@redhat.com> <4989BD57.5040102@redhat.com> <498AF89A.9030503@redhat.com> <498AF98E.2020605@redhat.com>
Message-ID: <498AFAD5.6040808@redhat.com>

Stephen Gallagher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rob Crittenden wrote:
>> Stephen Gallagher wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Rob Crittenden wrote:
>>>> Remove webui start/stop from ipactl script.
>>>>
>>>> rob
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>> Why exactly do we not want the webui restarted when performing an ipactl
>>> restart? I'd think we'd want to clean up all of our services.
>>>
>> Because this is the old webui that we've deprecated.
>>
>> rob
>
> Ack
>

pushed to master

From dpal at redhat.com Thu Feb 5 16:45:37 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 05 Feb 2009 11:45:37 -0500
Subject: [Freeipa-devel] Usability Testing
In-Reply-To: <20092533745.012193@C840>
References: <20092533745.012193@C840>
Message-ID: <498B17B1.30408@redhat.com>

Hi Eric,

Thank you for your feedback. It is interesting that we asked about collapsing or not collapsing sections on the page and also about making it two columns. Everybody we asked said:
a) I want to see everything at once - less clicking the better
b) I do not mind scrolling - two columns will make the page too overloaded

But this is their opinion. Yours is the opposite. It would be interesting to learn more about your "clicking habits" and UI preferences.

The other comments make sense to me:
a) Password reset link
b) Buttons per section

Maybe "edit protected fields flag" should be in the section too rather than one per page?

Thanks
Dmitri

Eric wrote:
> Update User:
>
> My overall opinion is that the page is too long, and several fields
> should be collapsed by default. It feels unnatural to see the action
> buttons 'Delete User', 'Cancel', 'Update User' at the top right of the
> page content. I believe they should appear at the bottom right of each
> sub-section. I also think a 2-column display would be more appropriate.
>
> Identity Details Account Status:
> First Name: Username:
> Last Name: (Collapsed) Password, UID, GID, Home directory, Login
> shell, Gecos
> Title:
> Work number:
> Cell number:
> Email:
>
> Additional: (Collapsed) Fax, Pager, Full name, Display Name, Initials.
>
> Mailing: (Collapsed)
>
> Employee Info: (Collapsed)
>
> Misc info: (collapsed)
>
>
> Password: I would only display a link: 'Reset password', then the 2
> boxes would appear
> Add links: I would not repeat the field name, and I would also put the
> delete link next to it: 'Add Delete'
>
>
> Eric Desgranges
> eric at vcardprocessor.com

From jderose at redhat.com Thu Feb 5 19:45:10 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Thu, 05 Feb 2009 12:45:10 -0700
Subject: [Freeipa-devel] [PATCH] Remove depreciated mod_python_xmlrpc.py and test_client files from ipaserver/
Message-ID: <1233863110.15595.44.camel@jgd-dsk>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Remove-depreciated-mod_python_xmlrpc.py-and-test_cli.patch
Type: text/x-patch
Size: 12533 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part
URL:

From rcritten at redhat.com Thu Feb 5 20:07:43 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 05 Feb 2009 15:07:43 -0500
Subject: [Freeipa-devel] [PATCH] Remove depreciated mod_python_xmlrpc.py and test_client files from ipaserver/
In-Reply-To: <1233863110.15595.44.camel@jgd-dsk>
References: <1233863110.15595.44.camel@jgd-dsk>
Message-ID: <498B470F.1050000@redhat.com>

Jason Gerard DeRose wrote:
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ack

From rcritten at redhat.com Thu Feb 5 20:08:34 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 05 Feb 2009 15:08:34 -0500
Subject: [Freeipa-devel] [PATCH] Consolidate update files
Message-ID: <498B4742.9030908@redhat.com>

Update files are used to load schema or set up or change entries in the DIT over LDAP. There were some in Jason's tree and in the old v1 tree. This patch consolidates them into one location.

rob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-118-update.patch
URL:

From rcritten at redhat.com Thu Feb 5 20:09:30 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 05 Feb 2009 15:09:30 -0500
Subject: [Freeipa-devel] [PATCH] Remove unused files
Message-ID: <498B477A.9030606@redhat.com>

Remove some more unused/deprecated files from ipa-python. This eliminates the old error class handler (ipaerror).

rob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-119-unused.patch
URL:

From rcritten at redhat.com Thu Feb 5 20:10:57 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 05 Feb 2009 15:10:57 -0500
Subject: [Freeipa-devel] [PATCH] Rename ipa-python to ipapython
Message-ID: <498B47D1.3090402@redhat.com>

Rename ipa-python into a name python can understand, ipapython. This is so in-tree development will work nicely.

I've also renamed the installation directory from ipa to ipapython for consistency.

rob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-120-ipapython.patch
URL:

From jderose at redhat.com Thu Feb 5 22:16:52 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Thu, 05 Feb 2009 15:16:52 -0700
Subject: [Freeipa-devel] [PATCH] Rename ipa-python to ipapython
In-Reply-To: <498B47D1.3090402@redhat.com>
References: <498B47D1.3090402@redhat.com>
Message-ID: <1233872212.15595.45.camel@jgd-dsk>

On Thu, 2009-02-05 at 15:10 -0500, Rob Crittenden wrote:
> Rename ipa-python into a name python can understand, ipapython. This is
> so in-tree development will work nicely.
>
> I've also renamed the installation directory from ipa to ipapython for
> consistency.
>
> rob

ack
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part
URL:

From rcritten at redhat.com Fri Feb 6 15:13:59 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 06 Feb 2009 10:13:59 -0500
Subject: [Freeipa-devel] [PATCH] Remove depreciated mod_python_xmlrpc.py and test_client files from ipaserver/
In-Reply-To: <498B470F.1050000@redhat.com>
References: <1233863110.15595.44.camel@jgd-dsk> <498B470F.1050000@redhat.com>
Message-ID: <498C53B7.8040900@redhat.com>

Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> ack

I pushed this to master

From jhrozek at redhat.com Fri Feb 6 16:41:22 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 06 Feb 2009 17:41:22 +0100
Subject: [Freeipa-devel] [PATCH] library cleanup
In-Reply-To: <4989BC50.7080105@redhat.com>
References: <4989BC50.7080105@redhat.com>
Message-ID: <1233938482.25448.4.camel@jarilo.englab.brq.redhat.com>

On Wed, 2009-02-04 at 11:03 -0500, Rob Crittenden wrote:
> Right now this file contains the basedn to search against. Do we want
> this hardcoded in the configuration file or determined based on the
> REALM as we did in v1?
>
> rob

reviewed & tested => Ack

(I guess we can answer the question on basedn later and change it to be determined if needed)

Jakub

From jhrozek at redhat.com Fri Feb 6 17:03:18 2009
From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 06 Feb 2009 18:03:18 +0100 Subject: [Freeipa-devel] [PATCH] Allow specifying search scope in {ldap, servercore}.search Message-ID: <1233939798.25448.22.camel@jarilo.englab.brq.redhat.com> This patch allows specifying the search scope for ipaserver.plugins.b_ldap.search(). The previously hardcoded ldap.SCOPE_SUBTREE is still the default, so no existing code should break. My rationale for this was searching on application containers - where the toplevel container and the application containers beneath them are the same objectclass, so search with SCOPE_SUBTREE could hit the toplevel container..but I guess that there can be more applications of this. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Allow-specifying-search-scope-in-ldap-servercore-.s.patch Type: text/x-patch Size: 3457 bytes Desc: not available URL: From jderose at redhat.com Fri Feb 6 19:55:08 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Fri, 06 Feb 2009 12:55:08 -0700 Subject: [Freeipa-devel] [PATCH] Remove requires on TurboGears In-Reply-To: <4989BAD3.8060802@redhat.com> References: <4989BAD3.8060802@redhat.com> Message-ID: <1233950108.11736.24.camel@jgd-dsk> On Wed, 2009-02-04 at 10:57 -0500, Rob Crittenden wrote: > We aren't using TurboGears for the webUI now, remove the requirement > from the spec file. > rob ack. > plain text document attachment (freeipa-113-noturbogears.patch) > >From ebf14cd6a97b134c48c214fe5c039ee268f7c47b Mon Sep 17 00:00:00 2001 > From: Rob Crittenden > Date: Wed, 4 Feb 2009 10:50:52 -0500 > Subject: [PATCH] Replace TurboGears requirement with python-cherrypy > Remove some commented-out files > Move /usr/bin/ipa to admintools package > > --- > ipa.spec.in | 51 ++++++--------------------------------------------- > 1 files changed, 6 insertions(+), 45 deletions(-) > > diff --git a/ipa.spec.in b/ipa.spec.in > index f3f21a6..e3c217e 100644 > --- a/ipa.spec.in 
> +++ b/ipa.spec.in > @@ -33,7 +33,7 @@ BuildRequires: popt-devel > BuildRequires: /usr/share/selinux/devel/Makefile > BuildRequires: m4 > BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER} > -BuildRequires: TurboGears > +BuildRequires: python-cherrypy > > %description > IPA is an integrated solution to provide centrally managed Identity (machine, > @@ -70,8 +70,7 @@ Requires: mod_nss > %endif > Requires: python-ldap > Requires: python-krbV > -Requires: TurboGears > -Requires: python-tgexpandingformwidget > +Requires: python-cherrypy > Requires: acl > Requires: python-pyasn1 > Requires: libcap > @@ -323,7 +322,6 @@ fi > %{_sbindir}/ipactl > %{_sbindir}/ipa-upgradeconfig > %attr(755,root,root) %{_initrddir}/ipa_kpasswd > -%{_bindir}/ipa > %{python_sitelib}/ipalib/* > %{python_sitelib}/ipaserver/* > %{python_sitelib}/ipawebui/* 
> @@ -386,50 +384,10 @@ fi > %files admintools > %doc LICENSE README > %defattr(-,root,root,-) > -#%{_sbindir}/ipa-adddelegation > -#%{_sbindir}/ipa-addgroup > -#%{_sbindir}/ipa-addservice > -#%{_sbindir}/ipa-adduser > -#%{_sbindir}/ipa-defaultoptions > -#%{_sbindir}/ipa-deldelegation > -#%{_sbindir}/ipa-delgroup > -#%{_sbindir}/ipa-delservice > -#%{_sbindir}/ipa-deluser > -#%{_sbindir}/ipa-findgroup > -#%{_sbindir}/ipa-findservice > -#%{_sbindir}/ipa-finduser > -#%{_sbindir}/ipa-listdelegation > -#%{_sbindir}/ipa-lockuser > -#%{_sbindir}/ipa-modgroup > -#%{_sbindir}/ipa-moddelegation > -#%{_sbindir}/ipa-passwd > -#%{_sbindir}/ipa-moduser > -#%{_sbindir}/ipa-pwpolicy > -#%{_sbindir}/ipa-change-master-key > +%{_bindir}/ipa > %{_sbindir}/ipa-fix-CVE-2008-3274 > %{_sbindir}/ipa-ldap-updater > %{_sbindir}/ipa-compat-manage > -#%{_mandir}/man1/ipa-adddelegation.1.gz > -#%{_mandir}/man1/ipa-addgroup.1.gz > -#%{_mandir}/man1/ipa-addservice.1.gz > -#%{_mandir}/man1/ipa-adduser.1.gz > -#%{_mandir}/man1/ipa-defaultoptions.1.gz > -#%{_mandir}/man1/ipa-deldelegation.1.gz > -#%{_mandir}/man1/ipa-delgroup.1.gz > -#%{_mandir}/man1/ipa-delservice.1.gz > -#%{_mandir}/man1/ipa-deluser.1.gz > -#%{_mandir}/man1/ipa-findgroup.1.gz > -#%{_mandir}/man1/ipa-findservice.1.gz > -#%{_mandir}/man1/ipa-finduser.1.gz > -#%{_mandir}/man1/ipa-modgroup.1.gz > -#%{_mandir}/man1/ipa-listdelegation.1.gz > -#%{_mandir}/man1/ipa-lockuser.1.gz > -#%{_mandir}/man1/ipa-moddelegation.1.gz > -#%{_mandir}/man1/ipa-passwd.1.gz > -#%{_mandir}/man1/ipa-moduser.1.gz > -#%{_mandir}/man1/ipa-pwpolicy.1.gz > -#%{_mandir}/man1/ipa-ldap-updater.1.gz > -#%{_mandir}/man1/ipa-compat-manage.1.gz > > %files python > %doc LICENSE README 
> @@ -460,6 +418,9 @@ fi > %{_sbindir}/ipa-modradiusprofile > > %changelog > +* Tue Feb 3 2009 Rob Crittenden - 1.99-1 > +- Replace TurboGears requirement with python-cherrypy > + > * Sat Jan 17 2009 Tomas Mraz - 1.2.1-3 > - rebuild with new openssl > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part URL: From jderose at redhat.com Fri Feb 6 20:00:27 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Fri, 06 Feb 2009 13:00:27 -0700 Subject: [Freeipa-devel] [PATCH] library cleanup In-Reply-To: <4989BC50.7080105@redhat.com> References: <4989BC50.7080105@redhat.com> Message-ID: <1233950427.11736.25.camel@jgd-dsk> On Wed, 2009-02-04 at 11:03 -0500, Rob Crittenden wrote: > Some files have moved from ipa-python and ipaserver into ipalib. Remove > these duplicated and in some cases unnecessary files. This also fixes > the imports of those files. > > Note that ipaerror will be going away soon too. I fixed a few references > here to make things work but didn't fix all occurances. The reason being > to keep patches at a more manageable level. > > This also creates a new configuration file, /etc/ipa/default.conf, which > is used to configure the ipa command-line tool and the XML-RPC server. > > Right now this file contains the basedn to search against. Do we want > this hardcoded in the configuration file or determined based on the > REALM as we did in v1? > > rob ack. > plain text document attachment (freeipa-117-cleanup.patch) > >From ca42277114a342b0c4bea1088dadeb1d73c969ec Mon Sep 17 00:00:00 2001 
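Review bot: in the ipa.spec.in patch (freeipa-113-noturbogears.patch), the `%files admintools` hunk adds `%{_bindir}/ipa`, but the file list it was removed from (the one with `%{_sbindir}/ipactl`) keeps `%{python_sitelib}/ipalib/*`, and none of the visible hunks adds a Requires from admintools on whatever package ships ipalib. If /usr/bin/ipa imports ipalib, a machine with only admintools installed gets a command that fails at start-up; add the dependency in the same patch or move the library alongside the binary. The first hunk also swaps `BuildRequires: TurboGears` for `BuildRequires: python-cherrypy`: if nothing imports cherrypy during the build, drop the build-time line and keep only the runtime `Requires: python-cherrypy`.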
> From: Rob Crittenden > Date: Wed, 4 Feb 2009 10:53:34 -0500 > Subject: [PATCH] Remove some duplicated code that was moved to ipaserver and use it > Remove some unused files > > --- > install/tools/ipa-ldap-updater | 4 +- > install/tools/ipa-replica-install | 9 +- > install/tools/ipa-replica-prepare | 3 +- > install/tools/ipa-server-install | 11 + > ipa-python/aci.py | 166 ------- > ipa-python/group.py | 24 - > ipa-python/krbtransport.py | 54 --- > ipa-python/rpcclient.py | 906 ------------------------------------- > ipa-python/user.py | 24 - > ipalib/util.py | 5 + > ipaserver/install/dsinstance.py | 13 +- > ipaserver/install/ipaldap.py | 701 ---------------------------- > ipaserver/install/krbinstance.py | 5 +- > ipaserver/install/ldapupdate.py | 44 +- > ipaserver/install/replication.py | 7 +- > 15 files changed, 59 insertions(+), 1917 deletions(-) > mode change 100644 => 100755 install/tools/ipa-replica-install > mode change 100644 => 100755 install/tools/ipa-replica-prepare > delete mode 100644 ipa-python/aci.py > delete mode 100644 ipa-python/group.py > delete mode 100644 ipa-python/krbtransport.py > delete mode 100644 ipa-python/rpcclient.py > delete mode 100644 ipa-python/user.py > delete mode 100644 ipaserver/install/ipaldap.py > > diff --git a/install/tools/ipa-ldap-updater b/install/tools/ipa-ldap-updater > index 28fb1a1..a704d8f 100755 > --- a/install/tools/ipa-ldap-updater > +++ b/install/tools/ipa-ldap-updater > @@ -28,8 +28,8 @@ try: > from optparse import OptionParser > from ipaserver import ipaldap > from ipa import entity, ipaerror, ipautil, config > - from ipaserver import installutils > - from ipaserver.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR > + from ipaserver.install import installutils > + from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR > import ldap > import logging > import re 
> diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install > old mode 100644 > new mode 100755 > index c2704be..c34d3f6 > --- a/install/tools/ipa-replica-install > +++ b/install/tools/ipa-replica-install > @@ -26,8 +26,9 @@ import ldap > > from ipa import ipautil > > -from ipaserver import dsinstance, replication, installutils, krbinstance, service > -from ipaserver import httpinstance, ntpinstance, certs, ipaldap > +from ipaserver.install import dsinstance, replication, installutils, krbinstance, service > +from ipaserver.install import httpinstance, ntpinstance, certs > +from ipaserver import ipaldap > from ipa import version > > CACERT="/usr/share/ipa/html/ca.crt" > @@ -266,10 +267,6 @@ def main(): > fd.write("domain=" + config.domain_name + "\n") > fd.close() > > - # Create a Web Gui instance > - webgui = httpinstance.WebGuiInstance() > - webgui.create_instance() > - > # Apply any LDAP updates. Needs to be done after the replica is synced-up > service.print_msg("Applying LDAP updates") > ds.apply_updates() > diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare > old mode 100644 > new mode 100755 > index eb962b4..3374133 > --- a/install/tools/ipa-replica-prepare > +++ b/install/tools/ipa-replica-prepare > @@ -28,7 +28,8 @@ from optparse import OptionParser > > import ipa.config > from ipa import ipautil > -from ipaserver import dsinstance, installutils, certs, ipaldap > +from ipaserver.install import dsinstance, installutils, certs > +from ipaserver import ipaldap > from ipa import version > import ldap > > diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install > index 70e74ac..2c5e987 100755 > --- a/install/tools/ipa-server-install > +++ b/install/tools/ipa-server-install > @@ -49,6 +49,7 @@ from ipaserver.install.installutils import * > > from ipa import sysrestore > from ipa.ipautil import * > +from ipalib import util > > pw_name = None 
> > @@ -531,6 +532,16 @@ def main(): > fd.write("domain=" + domain_name + "\n") > fd.close() > > + # Create the management framework config file > + fstore.backup_file("/etc/ipa/default.conf") > + fd = open("/etc/ipa/default.conf", "w") > + fd.write("[global]\n") > + fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n") > + fd.write("realm=" + realm_name + "\n") > + fd.write("domain=" + domain_name + "\n") > + fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % host_name) > + fd.close() > + > bind = bindinstance.BindInstance(fstore) > bind.setup(host_name, ip_address, realm_name, domain_name) > if options.setup_bind: > diff --git a/ipa-python/aci.py b/ipa-python/aci.py > deleted file mode 100644 > index 58a3b1d..0000000 > --- a/ipa-python/aci.py > +++ /dev/null 
> @@ -1,166 +0,0 @@ > -# Copyright (C) 2007 Red Hat > -# see file 'COPYING' for use and warranty information > -# > -# This program is free software; you can redistribute it and/or > -# modify it under the terms of the GNU General Public License as > -# published by the Free Software Foundation; version 2 only > -# > -# This program is distributed in the hope that it will be useful, > -# but WITHOUT ANY WARRANTY; without even the implied warranty of > -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > -# GNU General Public License for more details. > -# > -# You should have received a copy of the GNU General Public License > -# along with this program; if not, write to the Free Software > -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA > -# > - > -import re > -import urllib > -import ldap > - > -import ipa.ipautil > - > -class ACI: > - """ > - Holds the basic data for an ACI entry, as stored in the cn=accounts > - entry in LDAP. Has methods to parse an ACI string and export to an > - ACI String. > - """ > - > - def __init__(self,acistr=None): > - self.name = '' > - self.source_group = '' > - self.dest_group = '' > - self.attrs = [] > - self.orig_acistr = acistr > - if acistr is not None: > - self.parse_acistr(acistr) > - > - def __getitem__(self,key): > - """Fake getting attributes by key for sorting""" > - if key == 0: > - return self.name > - if key == 1: > - return self.source_group > - if key == 2: > - return self.dest_group > - raise TypeError("Unknown key value %s" % key) > - > - def export_to_string(self): > - """Converts the ACI to a string suitable for an LDAP aci attribute.""" > - attrs_str = ' || '.join(self.attrs) > - > - # dest_group and source_group are assumed to be pre-escaped. 
> - # dn's aren't typed in, but searched for, and the search results > - # will return escaped dns > - > - acistr = ('(targetattr="%s")' + > - '(targetfilter="(memberOf=%s)")' + > - '(version 3.0;' + > - 'acl "%s";' + > - 'allow (write) ' + > - 'groupdn="ldap:///%s";)') % (attrs_str, > - self.dest_group, > - self.name, > - urllib.quote(self.source_group, "/=, ")) > - return acistr > - > - def to_dict(self): > - result = ipa.ipautil.CIDict() > - result['name'] = self.name > - result['source_group'] = self.source_group > - result['dest_group'] = self.dest_group > - result['attrs'] = self.attrs > - result['orig_acistr'] = self.orig_acistr > - > - return result > - > - def _match(self, prefix, inputstr): > - """Returns inputstr with prefix removed, or else raises a > - SyntaxError.""" > - if inputstr.startswith(prefix): > - return inputstr[len(prefix):] > - else: > - raise SyntaxError, "'%s' not found at '%s'" % (prefix, inputstr) > - > - def _match_str(self, inputstr): > - """Tries to extract a " delimited string from the front of inputstr. > - Returns (string, inputstr) where: > - - string is the extracted string (minus the enclosing " chars) > - - inputstr is the parameter with the string removed. > - Raises SyntaxError is a string is not found.""" > - if not inputstr.startswith('"'): > - raise SyntaxError, "string not found at '%s'" % inputstr > - > - found = False > - start_index = 1 > - final_index = 1 > - while not found and (final_index < len(inputstr)): > - if inputstr[final_index] == '\\': > - final_index += 2 > - elif inputstr[final_index] == '"': > - found = True > - else: > - final_index += 1 > - if not found: > - raise SyntaxError, "string not found at '%s'" % inputstr > - > - match = inputstr[start_index:final_index] > - inputstr = inputstr[final_index + 1:] > - > - return(match, inputstr) > - > - def parse_acistr(self, acistr): > - """Parses the acistr. 
If the string isn't recognized, a SyntaxError > - is raised.""" > - self.orig_acistr = acistr > - > - acistr = self._match('(targetattr=', acistr) > - (attrstr, acistr) = self._match_str(acistr) > - self.attrs = attrstr.split(' || ') > - > - acistr = self._match(')(targetfilter=', acistr) > - (target_dn_str, acistr) = self._match_str(acistr) > - target_dn_str = self._match('(memberOf=', target_dn_str) > - if target_dn_str.endswith(')'): > - self.dest_group = target_dn_str[:-1] > - else: > - raise SyntaxError, "illegal dest_group at '%s'" % target_dn_str > - > - acistr = self._match(')(version 3.0;acl ', acistr) > - (name_str, acistr) = self._match_str(acistr) > - self.name = name_str > - > - acistr = self._match(';allow (write) groupdn=', acistr) > - (src_dn_str, acistr) = self._match_str(acistr) > - src_dn_str = self._match('ldap:///', src_dn_str) > - self.source_group = urllib.unquote(src_dn_str) > - > - acistr = self._match(';)', acistr) > - if len(acistr) > 0: > - raise SyntaxError, "unexpected aci suffix at '%s'" % acistr > - > -def extract_group_cns(aci_list, client): > - """Extracts all the cn's from a list of aci's and returns them as a hash > - from group_dn to group_cn. > - > - It first tries to cheat by looking at the first rdn for the > - group dn. If that's not cn for some reason, it looks up the group.""" > - group_dn_to_cn = {} > - for aci in aci_list: > - for dn in (aci.source_group, aci.dest_group): > - if not group_dn_to_cn.has_key(dn): > - rdn_list = ldap.explode_dn(dn, 0) > - first_rdn = rdn_list[0] > - (type,value) = first_rdn.split('=') > - if type == "cn": > - group_dn_to_cn[dn] = value > - else: > - try: > - group = client.get_entry_by_dn(dn, ['cn']) > - group_dn_to_cn[dn] = group.getValue('cn') > - except ipaerror.IPAError, e: > - group_dn_to_cn[dn] = 'unknown' > - > - return group_dn_to_cn > diff --git a/ipa-python/group.py b/ipa-python/group.py > deleted file mode 100644 > index 342a905..0000000 > --- a/ipa-python/group.py > +++ /dev/null 
> @@ -1,24 +0,0 @@ > -# Copyright (C) 2007 Red Hat > -# see file 'COPYING' for use and warranty information > -# > -# This program is free software; you can redistribute it and/or > -# modify it under the terms of the GNU General Public License as > -# published by the Free Software Foundation; version 2 only > -# > -# This program is distributed in the hope that it will be useful, > -# but WITHOUT ANY WARRANTY; without even the implied warranty of > -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > -# GNU General Public License for more details. > -# > -# You should have received a copy of the GNU General Public License > -# along with this program; if not, write to the Free Software > -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA > -# > - > -from ipa.entity import Entity > - > -class Group(Entity): > - > - def __init2__(self): > - pass > - > diff --git a/ipa-python/krbtransport.py b/ipa-python/krbtransport.py > deleted file mode 100644 > index b700afe..0000000 > --- a/ipa-python/krbtransport.py > +++ /dev/null 
> @@ -1,54 +0,0 @@ > -# Authors: Rob Crittenden > -# > -# Copyright (C) 2007 Red Hat > -# see file 'COPYING' for use and warranty information > -# > -# This program is free software; you can redistribute it and/or > -# modify it under the terms of the GNU General Public License as > -# published by the Free Software Foundation; version 2 only > -# > -# This program is distributed in the hope that it will be useful, > -# but WITHOUT ANY WARRANTY; without even the implied warranty of > -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > -# GNU General Public License for more details. > -# > -# You should have received a copy of the GNU General Public License > -# along with this program; if not, write to the Free Software > -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA > -# > - > -import httplib > -import xmlrpclib > -import kerberos > - > -class KerbTransport(xmlrpclib.SafeTransport): > - """Handles Kerberos Negotiation authentication to an XML-RPC server.""" > - > - def get_host_info(self, host): > - > - host, extra_headers, x509 = xmlrpclib.Transport.get_host_info(self, host) > - > - # Set the remote host principal > - h = host > - hostinfo = h.split(':') > - service = "HTTP@" + hostinfo[0] > - > - try: > - rc, vc = kerberos.authGSSClientInit(service, > - kerberos.GSS_C_DELEG_FLAG | > - kerberos.GSS_C_MUTUAL_FLAG | > - kerberos.GSS_C_SEQUENCE_FLAG) > - except kerberos.GSSError, e: > - raise kerberos.GSSError(e) > - > - try: > - kerberos.authGSSClientStep(vc, ""); > - except kerberos.GSSError, e: > - raise kerberos.GSSError(e) > - > - extra_headers = [ > - ("Authorization", "negotiate %s" % kerberos.authGSSClientResponse(vc) ) > - ] > - > - return host, extra_headers, x509 > - > diff --git a/ipa-python/rpcclient.py b/ipa-python/rpcclient.py > deleted file mode 100644 > index a800176..0000000 > --- a/ipa-python/rpcclient.py > +++ /dev/null 
> @@ -1,906 +0,0 @@ > -# Authors: Rob Crittenden > -# > -# Copyright (C) 2007 Red Hat > -# see file 'COPYING' for use and warranty information > -# > -# This program is free software; you can redistribute it and/or > -# modify it under the terms of the GNU General Public License as > -# published by the Free Software Foundation; version 2 only > -# > -# This program is distributed in the hope that it will be useful, > -# but WITHOUT ANY WARRANTY; without even the implied warranty of > -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > -# GNU General Public License for more details. > -# > -# You should have received a copy of the GNU General Public License > -# along with this program; if not, write to the Free Software > -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA > -# > - > -import xmlrpclib > -import socket > -import config > -import errno > -from krbtransport import KerbTransport > -from kerberos import GSSError > -from ipa import ipaerror, ipautil > -from ipa import config > - > -# Some errors to catch > -# http://cvs.fedora.redhat.com/viewcvs/ldapserver/ldap/servers/plugins/pam_passthru/README?root=dirsec&rev=1.6&view=auto > - > -class RPCClient: > - > - def __init__(self, verbose=False): > - self.server = None > - self.verbose = verbose > - config.init_config() > - > - def server_url(self, server): > - """Build the XML-RPC server URL from our configuration""" > - url = "https://" + server + "/ipa/xml" > - if self.verbose: > - print "Connecting to IPA server: %s" % url > - return url > - > - def setup_server(self): > - """Create our XML-RPC server connection using kerberos > - authentication""" > - if not self.server: > - serverlist = config.config.get_server() > - > - # Try each server until we succeed or run out of servers to try > - # Guaranteed by ipa.config to have at least 1 in the list > - for s in serverlist: > - try: > - self.server = s > - remote = xmlrpclib.ServerProxy(self.server_url(s), 
KerbTransport()) > - result = remote.ping() > - break > - except socket.error, e: > - if (e[0] == errno.ECONNREFUSED) or (e[0] == errno.ECONNREFUSED) or (e[0] == errno.EHOSTDOWN) or (e[0] == errno.EHOSTUNREACH): > - continue > - else: > - raise e > - except GSSError: > - continue > - > - return xmlrpclib.ServerProxy(self.server_url(self.server), KerbTransport(), verbose=self.verbose) > - > -# Higher-level API > - > - def get_aci_entry(self, sattrs=None): > - """Returns the entry containing access control ACIs.""" > - server = self.setup_server() > - if sattrs is None: > - sattrs = "__NONE__" > - try: > - result = server.get_aci_entry(sattrs) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - > -# General searches > - > - def get_entry_by_dn(self,dn,sattrs=None): > - """Get a specific entry. If sattrs is not None then only those > - attributes will be returned, otherwise all available > - attributes are returned. The result is a dict.""" > - server = self.setup_server() > - if sattrs is None: > - sattrs = "__NONE__" > - try: > - result = server.get_entry_by_dn(dn, sattrs) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def get_entry_by_cn(self,cn,sattrs=None): > - """Get a specific entry by cn. If sattrs is not None then only those > - attributes will be returned, otherwise all available > - attributes are returned. 
The result is a dict.""" > - server = self.setup_server() > - if sattrs is None: > - sattrs = "__NONE__" > - try: > - result = server.get_entry_by_cn(cn, sattrs) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def update_entry(self,oldentry,newentry): > - """Update an existing entry. oldentry and newentry are dicts of attributes""" > - server = self.setup_server() > - > - try: > - result = server.update_entry(ipautil.wrap_binary_data(oldentry), > - ipautil.wrap_binary_data(newentry)) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - > -# User support > - > - def get_user_by_uid(self,uid,sattrs=None): > - """Get a specific user. If sattrs is not None then only those > - attributes will be returned, otherwise all available > - attributes are returned. The result is a dict.""" > - server = self.setup_server() > - if sattrs is None: > - sattrs = "__NONE__" > - try: > - result = server.get_user_by_uid(uid, sattrs) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def get_user_by_principal(self,principal,sattrs=None): > - """Get a specific user. If sattrs is not None then only those > - attributes will be returned, otherwise all available > - attributes are returned. 
The result is a dict.""" > - server = self.setup_server() > - if sattrs is None: > - sattrs = "__NONE__" > - try: > - result = server.get_user_by_principal(principal, sattrs) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def get_user_by_email(self,email,sattrs=None): > - """Get a specific user's entry. Return as a dict of values. > - Multi-valued fields are represented as lists. The result is a > - dict. > - """ > - server = self.setup_server() > - if sattrs is None: > - sattrs = "__NONE__" > - try: > - result = server.get_user_by_email(email, sattrs) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def get_users_by_manager(self,manager_dn,sattrs=None): > - """Gets the users that report to a manager. > - If sattrs is not None then only those > - attributes will be returned, otherwise all available > - attributes are returned. The result is a list of dicts.""" > - server = self.setup_server() > - if sattrs is None: > - sattrs = "__NONE__" > - try: > - result = server.get_users_by_manager(manager_dn, sattrs) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def add_user(self,user,user_container=None): > - """Add a new user. 
Takes as input a dict where the key is the > - attribute name and the value is either a string or in the case > - of a multi-valued field a list of values""" > - server = self.setup_server() > - > - if user_container is None: > - user_container = "__NONE__" > - > - try: > - result = server.add_user(ipautil.wrap_binary_data(user), > - user_container) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def get_custom_fields(self): > - """Get custom user fields.""" > - server = self.setup_server() > - > - try: > - result = server.get_custom_fields() > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def set_custom_fields(self, schema): > - """Set custom user fields.""" > - server = self.setup_server() > - > - try: > - result = server.set_custom_fields(schema) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def get_all_users (self): > - """Return a list containing a dict for each existing user.""" > - > - server = self.setup_server() > - try: > - result = server.get_all_users() > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def find_users (self, criteria, sattrs=None, sizelimit=-1, timelimit=-1): > - """Return a list: counter followed by a dict for each user that > - matches the criteria. 
If the results are truncated, counter will > - be set to -1""" > - > - server = self.setup_server() > - try: > - # None values are not allowed in XML-RPC > - if sattrs is None: > - sattrs = "__NONE__" > - result = server.find_users(criteria, sattrs, sizelimit, timelimit) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def update_user(self,olduser,newuser): > - """Update an existing user. olduser and newuser are dicts of attributes""" > - server = self.setup_server() > - > - try: > - result = server.update_user(ipautil.wrap_binary_data(olduser), > - ipautil.wrap_binary_data(newuser)) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def delete_user(self,uid): > - """Delete a user. 
uid is the uid of the user to delete.""" > - server = self.setup_server() > - > - try: > - result = server.delete_user(uid) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return result > - > - def modifyPassword(self,principal,oldpass,newpass): > - """Modify a user's password""" > - server = self.setup_server() > - > - if oldpass is None: > - oldpass = "__NONE__" > - > - try: > - result = server.modifyPassword(principal,oldpass,newpass) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return result > - > - def mark_user_active(self,uid): > - """Mark a user as active""" > - server = self.setup_server() > - > - try: > - result = server.mark_user_active(uid) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def mark_user_inactive(self,uid): > - """Mark a user as inactive""" > - server = self.setup_server() > - > - try: > - result = server.mark_user_inactive(uid) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - > -# Group support > - > - def get_groups_by_member(self,member_dn,sattrs=None): > - """Gets the groups that member_dn belongs to. > - If sattrs is not None then only those > - attributes will be returned, otherwise all available > - attributes are returned. 
The result is a list of dicts.""" > - server = self.setup_server() > - if sattrs is None: > - sattrs = "__NONE__" > - try: > - result = server.get_groups_by_member(member_dn, sattrs) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def add_group(self,group,group_container=None): > - """Add a new group. Takes as input a dict where the key is the > - attribute name and the value is either a string or in the case > - of a multi-valued field a list of values""" > - server = self.setup_server() > - > - if group_container is None: > - group_container = "__NONE__" > - > - try: > - result = server.add_group(ipautil.wrap_binary_data(group), > - group_container) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def find_groups (self, criteria, sattrs=None, sizelimit=-1, timelimit=-1): > - """Return a list containing a Group object for each group that matches > - the criteria.""" > - > - server = self.setup_server() > - try: > - # None values are not allowed in XML-RPC > - if sattrs is None: > - sattrs = "__NONE__" > - result = server.find_groups(criteria, sattrs, sizelimit, timelimit) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def add_member_to_group(self, member_dn, group_dn): > - """Add a new member to an existing group. 
> - """ > - server = self.setup_server() > - try: > - result = server.add_member_to_group(member_dn, group_dn) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def add_members_to_group(self, member_dns, group_dn): > - """Add several members to an existing group. > - member_dns is a list of the dns to add > - > - Returns a list of the dns that were not added. > - """ > - server = self.setup_server() > - try: > - result = server.add_members_to_group(member_dns, group_dn) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def remove_member_from_group(self, member_dn, group_dn): > - """Remove a member from an existing group. > - """ > - server = self.setup_server() > - try: > - result = server.remove_member_from_group(member_dn, group_dn) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def remove_members_from_group(self, member_dns, group_dn): > - """Remove several members from an existing group. > - > - Returns a list of the dns that were not removed. > - """ > - server = self.setup_server() > - try: > - result = server.remove_members_from_group(member_dns, group_dn) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def add_user_to_group(self, user_uid, group_dn): > - """Add a user to an existing group. 
> - """ > - server = self.setup_server() > - try: > - result = server.add_user_to_group(user_uid, group_dn) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def add_users_to_group(self, user_uids, group_dn): > - """Add several users to an existing group. > - user_uids is a list of the uids of the users to add > - > - Returns a list of the user uids that were not added. > - """ > - server = self.setup_server() > - try: > - result = server.add_users_to_group(user_uids, group_dn) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def remove_user_from_group(self, user_uid, group_dn): > - """Remove a user from an existing group. > - """ > - server = self.setup_server() > - try: > - result = server.remove_user_from_group(user_uid, group_dn) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def remove_users_from_group(self, user_uids, group_dn): > - """Remove several users from an existing group. > - user_uids is a list of the uids of the users to remove > - > - Returns a list of the user uids that were not removed. 
> - """ > - server = self.setup_server() > - try: > - result = server.remove_users_from_group(user_uids, group_dn) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def add_groups_to_user(self, group_dns, user_dn): > - """Given a list of group dn's add them to the user. > - > - Returns a list of the group dns that were not added. > - """ > - server = self.setup_server() > - try: > - result = server.add_groups_to_user(group_dns, user_dn) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def remove_groups_from_user(self, group_dns, user_dn): > - """Given a list of group dn's remove them from the user. > - > - Returns a list of the group dns that were not removed. > - """ > - server = self.setup_server() > - try: > - result = server.remove_groups_from_user(group_dns, user_dn) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def update_group(self,oldgroup,newgroup): > - """Update an existing group. oldgroup and newgroup are dicts of attributes""" > - server = self.setup_server() > - > - try: > - result = server.update_group(ipautil.wrap_binary_data(oldgroup), > - ipautil.wrap_binary_data(newgroup)) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def delete_group(self,group_dn): > - """Delete a group. 
group_dn is the dn of the group to be deleted.""" > - server = self.setup_server() > - > - try: > - result = server.delete_group(group_dn) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def add_group_to_group(self, group_cn, tgroup_cn): > - """Add a group to an existing group. > - group_cn is a cn of the group to add > - tgroup_cn is the cn of the group to be added to > - """ > - server = self.setup_server() > - try: > - result = server.add_group_to_group(group_cn, tgroup_cn) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def attrs_to_labels(self,attrs): > - """Convert a list of LDAP attributes into a more readable form.""" > - > - server = self.setup_server() > - try: > - result = server.attrs_to_labels(attrs) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def get_all_attrs(self): > - """We have a list of hardcoded attributes -> readable labels. Return > - that complete list if someone wants it. 
> - """ > - > - server = self.setup_server() > - try: > - result = server.get_all_attrs() > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def group_members(self, groupdn, attr_list=None, memberstype=0): > - """Do a memberOf search of groupdn and return the attributes in > - attr_list (an empty list returns everything).""" > - > - if attr_list is None: > - attr_list = "__NONE__" > - > - server = self.setup_server() > - try: > - result = server.group_members(groupdn, attr_list, memberstype) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def mark_group_active(self,cn): > - """Mark a group as active""" > - server = self.setup_server() > - > - try: > - result = server.mark_group_active(cn) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def mark_group_inactive(self,cn): > - """Mark a group as inactive""" > - server = self.setup_server() > - > - try: > - result = server.mark_group_inactive(cn) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > -# Configuration support > - > - def get_ipa_config(self): > - """Get the IPA configuration""" > - server = self.setup_server() > - try: > - result = server.get_ipa_config() > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - 
except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def update_ipa_config(self, oldconfig, newconfig): > - """Update the IPA configuration""" > - server = self.setup_server() > - try: > - result = server.update_ipa_config(ipautil.wrap_binary_data(oldconfig), ipautil.wrap_binary_data(newconfig)) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def get_password_policy(self): > - """Get the IPA password policy""" > - server = self.setup_server() > - try: > - result = server.get_password_policy() > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def update_password_policy(self, oldpolicy, newpolicy): > - """Update the IPA password policy""" > - server = self.setup_server() > - try: > - result = server.update_password_policy(ipautil.wrap_binary_data(oldpolicy), ipautil.wrap_binary_data(newpolicy)) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def add_service_principal(self, princ_name, force): > - server = self.setup_server() > - > - try: > - result = server.add_service_principal(princ_name, force) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def delete_service_principal(self, principal_dn): > - server = self.setup_server() > - > - try: > - 
result = server.delete_service_principal(principal_dn) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def find_service_principal (self, criteria, sattrs=None, sizelimit=-1, timelimit=-1): > - """Return a list: counter followed by a Entity object for each host that > - matches the criteria. If the results are truncated, counter will > - be set to -1""" > - > - server = self.setup_server() > - try: > - # None values are not allowed in XML-RPC > - if sattrs is None: > - sattrs = "__NONE__" > - result = server.find_service_principal(criteria, sattrs, sizelimit, timelimit) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def get_keytab(self, princ_name): > - server = self.setup_server() > - > - try: > - result = server.get_keytab(princ_name) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > -# radius support > - > - def get_radius_client_by_ip_addr(self, ip_addr, container, sattrs=None): > - server = self.setup_server() > - if container is None: container = "__NONE__" > - if sattrs is None: sattrs = "__NONE__" > - try: > - result = server.get_radius_client_by_ip_addr(ip_addr, container, sattrs) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def add_radius_client(self, client, container=None): > - server = 
self.setup_server() > - > - if container is None: container = "__NONE__" > - > - try: > - result = server.add_radius_client(ipautil.wrap_binary_data(client), container) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def update_radius_client(self, oldclient, newclient): > - server = self.setup_server() > - > - try: > - result = server.update_radius_client(ipautil.wrap_binary_data(oldclient), > - ipautil.wrap_binary_data(newclient)) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - > - def delete_radius_client(self, ip_addr, container=None): > - server = self.setup_server() > - if container is None: container = "__NONE__" > - > - try: > - result = server.delete_radius_client(ip_addr, container) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def find_radius_clients(self, criteria, container=None, sattrs=None, sizelimit=-1, timelimit=-1): > - server = self.setup_server() > - if container is None: container = "__NONE__" > - try: > - # None values are not allowed in XML-RPC > - if sattrs is None: > - sattrs = "__NONE__" > - result = server.find_radius_clients(criteria, container, sattrs, sizelimit, timelimit) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def get_radius_profile_by_uid(self, ip_addr, user_profile, 
sattrs=None): > - server = self.setup_server() > - if user_profile is None: user_profile = "__NONE__" > - if sattrs is None: sattrs = "__NONE__" > - try: > - result = server.get_radius_profile_by_uid(ip_addr, user_profile, sattrs) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def add_radius_profile(self, profile, user_profile=None): > - server = self.setup_server() > - > - if user_profile is None: user_profile = "__NONE__" > - > - try: > - result = server.add_radius_profile(ipautil.wrap_binary_data(profile), user_profile) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def update_radius_profile(self, oldprofile, newprofile): > - server = self.setup_server() > - > - try: > - result = server.update_radius_profile(ipautil.wrap_binary_data(oldprofile), > - ipautil.wrap_binary_data(newprofile)) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - > - def delete_radius_profile(self, ip_addr, user_profile=None): > - server = self.setup_server() > - if user_profile is None: user_profile = "__NONE__" > - > - try: > - result = server.delete_radius_profile(ip_addr, user_profile) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > - def find_radius_profiles(self, criteria, user_profile=None, sattrs=None, sizelimit=-1, timelimit=-1): > - 
server = self.setup_server() > - if user_profile is None: user_profile = "__NONE__" > - try: > - # None values are not allowed in XML-RPC > - if sattrs is None: > - sattrs = "__NONE__" > - result = server.find_radius_profiles(criteria, user_profile, sattrs, sizelimit, timelimit) > - except xmlrpclib.Fault, fault: > - raise ipaerror.gen_exception(fault.faultCode, fault.faultString) > - except socket.error, (value, msg): > - raise xmlrpclib.Fault(value, msg) > - > - return ipautil.unwrap_binary_data(result) > - > diff --git a/ipa-python/user.py b/ipa-python/user.py > deleted file mode 100644 > index d638cc4..0000000 > --- a/ipa-python/user.py > +++ /dev/null > @@ -1,24 +0,0 @@ > -# Copyright (C) 2007 Red Hat > -# see file 'COPYING' for use and warranty information > -# > -# This program is free software; you can redistribute it and/or > -# modify it under the terms of the GNU General Public License as > -# published by the Free Software Foundation; version 2 only > -# > -# This program is distributed in the hope that it will be useful, > -# but WITHOUT ANY WARRANTY; without even the implied warranty of > -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > -# GNU General Public License for more details. > -# > -# You should have received a copy of the GNU General Public License > -# along with this program; if not, write to the Free Software > -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA > -# > - > -from ipa.entity import Entity > - > -class User(Entity): > - > - def __init2__(self): > - pass > - > diff --git a/ipalib/util.py b/ipalib/util.py > index d922160..9c99582 100644 > --- a/ipalib/util.py > +++ b/ipalib/util.py 
> @@ -150,3 +150,8 @@ def make_repr(name, *args, **kw): > args = [repr(a) for a in args] > kw = ['%s=%r' % (k, kw[k]) for k in sorted(kw)] > return '%s(%s)' % (name, ', '.join(args + kw)) > + > +def realm_to_suffix(realm_name): > + s = realm_name.split(".") > + terms = ["dc=" + x.lower() for x in s] > + return ",".join(terms) > diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py > index 7ddcbc4..bc6393f 100644 > --- a/ipaserver/install/dsinstance.py > +++ b/ipaserver/install/dsinstance.py > @@ -34,17 +34,14 @@ from ipa import ipautil > import service > import installutils > import certs > -import ipaldap, ldap > +import ldap > +from ipaserver import ipaldap > from ipaserver.install import ldapupdate > +from ipalib import util > > SERVER_ROOT_64 = "/usr/lib64/dirsrv" > SERVER_ROOT_32 = "/usr/lib/dirsrv" > > -def realm_to_suffix(realm_name): > - s = realm_name.split(".") > - terms = ["dc=" + x.lower() for x in s] > - return ",".join(terms) > - > def find_server_root(): > if ipautil.dir_exists(SERVER_ROOT_64): > return SERVER_ROOT_64 > @@ -152,7 +149,7 @@ class DsInstance(service.Service): > self.pkcs12_info = None > self.ds_user = None > if realm_name: > - self.suffix = realm_to_suffix(self.realm_name) > + self.suffix = util.realm_to_suffix(self.realm_name) > self.__setup_sub_dict() > else: > self.suffix = None > @@ -161,7 +158,7 @@ class DsInstance(service.Service): > self.ds_user = ds_user > self.realm_name = realm_name.upper() > self.serverid = realm_to_serverid(self.realm_name) > - self.suffix = realm_to_suffix(self.realm_name) > + self.suffix = util.realm_to_suffix(self.realm_name) > self.host_name = host_name > self.dm_password = dm_password > self.domain = domain_name > diff --git a/ipaserver/install/ipaldap.py b/ipaserver/install/ipaldap.py > deleted file mode 100644 > index c2dbe4e..0000000 > --- a/ipaserver/install/ipaldap.py > +++ /dev/null 
> @@ -1,701 +0,0 @@ > -# Authors: Rich Megginson > -# Rob Crittenden -# > -# Copyright (C) 2007 Red Hat > -# see file 'COPYING' for use and warranty information > -# > -# This program is free software; you can redistribute it and/or > -# modify it under the terms of the GNU General Public License as > -# published by the Free Software Foundation; version 2 only > -# > -# This program is distributed in the hope that it will be useful, > -# but WITHOUT ANY WARRANTY; without even the implied warranty of > -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > -# GNU General Public License for more details. > -# > -# You should have received a copy of the GNU General Public License > -# along with this program; if not, write to the Free Software > -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA > -# > - > -import sys > -import os > -import os.path > -import popen2 > -import base64 > -import urllib > -import urllib2 > -import socket > -import ldif > -import re > -import string > -import ldap > -import cStringIO > -import time > -import operator > -import struct > -import ldap.sasl > -from ldap.controls import LDAPControl,DecodeControlTuples,EncodeControlTuples > -from ldap.ldapobject import SimpleLDAPObject > -from ipa import ipaerror, ipautil > - > -# Global variable to define SASL auth > -sasl_auth = ldap.sasl.sasl({},'GSSAPI') > - > -class Entry: > - """This class represents an LDAP Entry object. An LDAP entry consists of a DN > - and a list of attributes. Each attribute consists of a name and a list of > - values. In python-ldap, entries are returned as a list of 2-tuples. > - Instance variables: > - dn - string - the string DN of the entry > - data - CIDict - case insensitive dict of the attributes and values""" > - > - def __init__(self,entrydata): > - """data is the raw data returned from the python-ldap result method, which is > - a search result entry or a reference or None. 
> - If creating a new empty entry, data is the string DN.""" > - if entrydata: > - if isinstance(entrydata,tuple): > - self.dn = entrydata[0] > - self.data = ipautil.CIDict(entrydata[1]) > - elif isinstance(entrydata,str) or isinstance(entrydata,unicode): > - self.dn = entrydata > - self.data = ipautil.CIDict() > - else: > - self.dn = '' > - self.data = ipautil.CIDict() > - > - def __nonzero__(self): > - """This allows us to do tests like if entry: returns false if there is no data, > - true otherwise""" > - return self.data != None and len(self.data) > 0 > - > - def hasAttr(self,name): > - """Return True if this entry has an attribute named name, False otherwise""" > - return self.data and self.data.has_key(name) > - > - def __getattr__(self,name): > - """If name is the name of an LDAP attribute, return the first value for that > - attribute - equivalent to getValue - this allows the use of > - entry.cn > - instead of > - entry.getValue('cn') > - This also allows us to return None if an attribute is not found rather than > - throwing an exception""" > - return self.getValue(name) > - > - def getValues(self,name): > - """Get the list (array) of values for the attribute named name""" > - return self.data.get(name) > - > - def getValue(self,name): > - """Get the first value for the attribute named name""" > - return self.data.get(name,[None])[0] > - > - def setValue(self,name,*value): > - """Value passed in may be a single value, several values, or a single sequence. 
> - For example: > - ent.setValue('name', 'value') > - ent.setValue('name', 'value1', 'value2', ..., 'valueN') > - ent.setValue('name', ['value1', 'value2', ..., 'valueN']) > - ent.setValue('name', ('value1', 'value2', ..., 'valueN')) > - Since *value is a tuple, we may have to extract a list or tuple from that > - tuple as in the last two examples above""" > - if isinstance(value[0],list) or isinstance(value[0],tuple): > - self.data[name] = value[0] > - else: > - self.data[name] = value > - > - setValues = setValue > - > - def toTupleList(self): > - """Convert the attrs and values to a list of 2-tuples. The first element > - of the tuple is the attribute name. The second element is either a > - single value or a list of values.""" > - return self.data.items() > - > - def __str__(self): > - """Convert the Entry to its LDIF representation""" > - return self.__repr__() > - > - # the ldif class base64 encodes some attrs which I would rather see in raw form - to > - # encode specific attrs as base64, add them to the list below > - ldif.safe_string_re = re.compile('^$') > - base64_attrs = ['nsstate', 'krbprincipalkey', 'krbExtraData'] > - > - def __repr__(self): > - """Convert the Entry to its LDIF representation""" > - sio = cStringIO.StringIO() > - # what's all this then? the unparse method will currently only accept > - # a list or a dict, not a class derived from them. self.data is a > - # cidict, so unparse barfs on it. I've filed a bug against python-ldap, > - # but in the meantime, we have to convert to a plain old dict for printing > - # I also don't want to see wrapping, so set the line width really high (1000) > - newdata = {} > - newdata.update(self.data) > - ldif.LDIFWriter(sio,Entry.base64_attrs,1000).unparse(self.dn,newdata) > - return sio.getvalue() > - > -def wrapper(f,name): > - """This is the method that wraps all of the methods of the superclass. This seems > - to need to be an unbound method, that's why it's outside of IPAdmin. 
Perhaps there > - is some way to do this with the new classmethod or staticmethod of 2.4. > - Basically, we replace every call to a method in SimpleLDAPObject (the superclass > - of IPAdmin) with a call to inner. The f argument to wrapper is the bound method > - of IPAdmin (which is inherited from the superclass). Bound means that it will implicitly > - be called with the self argument, it is not in the args list. name is the name of > - the method to call. If name is a method that returns entry objects (e.g. result), > - we wrap the data returned by an Entry class. If name is a method that takes an entry > - argument, we extract the raw data from the entry object to pass in.""" > - def inner(*args, **kargs): > - if name == 'result': > - type, data = f(*args, **kargs) > - # data is either a 2-tuple or a list of 2-tuples > - # print data > - if data: > - if isinstance(data,tuple): > - return type, Entry(data) > - elif isinstance(data,list): > - return type, [Entry(x) for x in data] > - else: > - raise TypeError, "unknown data type %s returned by result" % type(data) > - else: > - return type, data > - elif name.startswith('add'): > - # the first arg is self > - # the second and third arg are the dn and the data to send > - # We need to convert the Entry into the format used by > - # python-ldap > - ent = args[0] > - if isinstance(ent,Entry): > - return f(ent.dn, ent.toTupleList(), *args[2:]) > - else: > - return f(*args, **kargs) > - else: > - return f(*args, **kargs) > - return inner > - > -class LDIFConn(ldif.LDIFParser): > - def __init__( > - self, > - input_file, > - ignored_attr_types=None,max_entries=0,process_url_schemes=None > - ): > - """ > - See LDIFParser.__init__() > - > - Additional Parameters: > - all_records > - List instance for storing parsed records > - """ > - self.dndict = {} # maps dn to Entry > - self.dnlist = [] # contains entries in order read > - myfile = input_file > - if isinstance(input_file,str) or isinstance(input_file,unicode): > - 
myfile = open(input_file, "r") > - ldif.LDIFParser.__init__(self,myfile,ignored_attr_types,max_entries,process_url_schemes) > - self.parse() > - if isinstance(input_file,str) or isinstance(input_file,unicode): > - myfile.close() > - > - def handle(self,dn,entry): > - """ > - Append single record to dictionary of all records. > - """ > - if not dn: > - dn = '' > - newentry = Entry((dn, entry)) > - self.dndict[IPAdmin.normalizeDN(dn)] = newentry > - self.dnlist.append(newentry) > - > - def get(self,dn): > - ndn = IPAdmin.normalizeDN(dn) > - return self.dndict.get(ndn, Entry(None)) > - > -class IPAdmin(SimpleLDAPObject): > - CFGSUFFIX = "o=NetscapeRoot" > - DEFAULT_USER_ID = "nobody" > - > - def getDseAttr(self,attrname): > - conffile = self.confdir + '/dse.ldif' > - dseldif = LDIFConn(conffile) > - cnconfig = dseldif.get("cn=config") > - if cnconfig: > - return cnconfig.getValue(attrname) > - return None > - > - def __initPart2(self): > - if self.binddn and len(self.binddn) and not hasattr(self,'sroot'): > - try: > - ent = self.getEntry('cn=config', ldap.SCOPE_BASE, '(objectclass=*)', > - [ 'nsslapd-instancedir', 'nsslapd-errorlog', > - 'nsslapd-certdir', 'nsslapd-schemadir' ]) > - self.errlog = ent.getValue('nsslapd-errorlog') > - self.confdir = ent.getValue('nsslapd-certdir') > - if not self.confdir: > - self.confdir = ent.getValue('nsslapd-schemadir') > - if self.confdir: > - self.confdir = os.path.dirname(self.confdir) > - instdir = ent.getValue('nsslapd-instancedir') > - ent = self.getEntry('cn=config,cn=ldbm database,cn=plugins,cn=config', > - ldap.SCOPE_BASE, '(objectclass=*)', > - [ 'nsslapd-directory' ]) > - self.dbdir = os.path.dirname(ent.getValue('nsslapd-directory')) > - except (ldap.INSUFFICIENT_ACCESS, ldap.CONNECT_ERROR): > - pass # usually means > - except ldap.OPERATIONS_ERROR, e: > - pass # usually means this is Active Directory > - except ldap.LDAPError, e: > - print "caught exception ", e > - raise > - > - def __localinit__(self): > - """If a CA 
certificate is provided then it is assumed that we are > - doing SSL client authentication with proxy auth. > - > - If a CA certificate is not present then it is assumed that we are > - using a forwarded kerberos ticket for SASL auth. SASL provides > - its own encryption. > - """ > - if self.cacert is not None: > - SimpleLDAPObject.__init__(self,'ldaps://%s:%d' % (self.host,self.port)) > - else: > - SimpleLDAPObject.__init__(self,'ldap://%s:%d' % (self.host,self.port)) > - > - def __init__(self,host,port=389,cacert=None,bindcert=None,bindkey=None,proxydn=None,debug=None): > - """We just set our instance variables and wrap the methods - the real > - work is done in __localinit__ and __initPart2 - these are separated > - out this way so that we can call them from places other than > - instance creation e.g. when we just need to reconnect, not create a > - new instance""" > - if debug and debug.lower() == "on": > - ldap.set_option(ldap.OPT_DEBUG_LEVEL,255) > - if cacert is not None: > - ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,cacert) > - if bindcert is not None: > - ldap.set_option(ldap.OPT_X_TLS_CERTFILE,bindcert) > - if bindkey is not None: > - ldap.set_option(ldap.OPT_X_TLS_KEYFILE,bindkey) > - > - self.__wrapmethods() > - self.port = port > - self.host = host > - self.cacert = cacert > - self.bindcert = bindcert > - self.bindkey = bindkey > - self.proxydn = proxydn > - self.suffixes = {} > - self.__localinit__() > - > - def __str__(self): > - return self.host + ":" + str(self.port) > - > - def __get_server_controls__(self): > - """Create the proxy user server control. 
The control has the form > - 0x04 = Octet String > - 4|0x80 sets the length of the string length field at 4 bytes > - the struct() gets us the length in bytes of string self.proxydn > - self.proxydn is the proxy dn to send""" > - > - import sys > - > - if self.proxydn is not None: > - proxydn = chr(0x04) + chr(4|0x80) + struct.pack('l', socket.htonl(len(self.proxydn))) + self.proxydn; > - > - # Create the proxy control > - sctrl=[] > - sctrl.append(LDAPControl('2.16.840.1.113730.3.4.18',True,proxydn)) > - else: > - sctrl=None > - > - return sctrl > - > - def toLDAPURL(self): > - return "ldap://%s:%d/" % (self.host,self.port) > - > - def set_proxydn(self, proxydn): > - self.proxydn = proxydn > - > - def set_krbccache(self, krbccache, principal): > - if krbccache is not None: > - os.environ["KRB5CCNAME"] = krbccache > - self.sasl_interactive_bind_s("", sasl_auth) > - self.principal = principal > - self.proxydn = None > - > - def do_simple_bind(self, binddn="cn=directory manager", bindpw=""): > - self.binddn = binddn > - self.bindpwd = bindpw > - self.simple_bind_s(binddn, bindpw) > - self.__initPart2() > - > - def getEntry(self,*args): > - """This wraps the search function. 
It is common to just get one entry""" > - > - sctrl = self.__get_server_controls__() > - > - if sctrl is not None: > - self.set_option(ldap.OPT_SERVER_CONTROLS, sctrl) > - > - try: > - res = self.search(*args) > - type, obj = self.result(res) > - except ldap.NO_SUCH_OBJECT: > - raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND, > - notfound(args)) > - except ldap.LDAPError, e: > - raise ipaerror.gen_exception(ipaerror.LDAP_DATABASE_ERROR, None, e) > - > - if not obj: > - raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND, > - notfound(args)) > - elif isinstance(obj,Entry): > - return obj > - else: # assume list/tuple > - return obj[0] > - > - def getList(self,*args): > - """This wraps the search function to find all users.""" > - > - sctrl = self.__get_server_controls__() > - if sctrl is not None: > - self.set_option(ldap.OPT_SERVER_CONTROLS, sctrl) > - > - try: > - res = self.search(*args) > - type, obj = self.result(res) > - except (ldap.ADMINLIMIT_EXCEEDED, ldap.SIZELIMIT_EXCEEDED), e: > - raise ipaerror.gen_exception(ipaerror.LDAP_DATABASE_ERROR, > - "Too many results returned by search", e) > - except ldap.LDAPError, e: > - raise ipaerror.gen_exception(ipaerror.LDAP_DATABASE_ERROR, None, e) > - > - if not obj: > - raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND, > - notfound(args)) > - > - all_users = [] > - for s in obj: > - all_users.append(s) > - > - return all_users > - > - def getListAsync(self,*args): > - """This version performs an asynchronous search, to allow > - results even if we hit a limit. > - > - It returns a list: counter followed by the results. > - If the results are truncated, counter will be set to -1. 
> - """ > - > - sctrl = self.__get_server_controls__() > - if sctrl is not None: > - self.set_option(ldap.OPT_SERVER_CONTROLS, sctrl) > - > - entries = [] > - partial = 0 > - > - try: > - msgid = self.search_ext(*args) > - type, result_list = self.result(msgid, 0) > - while result_list: > - for result in result_list: > - entries.append(result) > - type, result_list = self.result(msgid, 0) > - except (ldap.ADMINLIMIT_EXCEEDED, ldap.SIZELIMIT_EXCEEDED, > - ldap.TIMELIMIT_EXCEEDED), e: > - partial = 1 > - except ldap.LDAPError, e: > - raise ipaerror.gen_exception(ipaerror.LDAP_DATABASE_ERROR, None, e) > - > - if not entries: > - raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND, > - notfound(args)) > - > - if partial == 1: > - counter = -1 > - else: > - counter = len(entries) > - > - return [counter] + entries > - > - def addEntry(self,*args): > - """This wraps the add function. It assumes that the entry is already > - populated with all of the desired objectclasses and attributes""" > - > - sctrl = self.__get_server_controls__() > - > - try: > - if sctrl is not None: > - self.set_option(ldap.OPT_SERVER_CONTROLS, sctrl) > - self.add_s(*args) > - except ldap.ALREADY_EXISTS: > - raise ipaerror.gen_exception(ipaerror.LDAP_DUPLICATE) > - except ldap.LDAPError, e: > - raise ipaerror.gen_exception(ipaerror.LDAP_DATABASE_ERROR, None, e) > - return "Success" > - > - def updateRDN(self, dn, newrdn): > - """Wrap the modrdn function.""" > - > - sctrl = self.__get_server_controls__() > - > - if dn == newrdn: > - # no need to report an error > - return "Success" > - > - try: > - if sctrl is not None: > - self.set_option(ldap.OPT_SERVER_CONTROLS, sctrl) > - self.modrdn_s(dn, newrdn, delold=1) > - except ldap.LDAPError, e: > - raise ipaerror.gen_exception(ipaerror.LDAP_DATABASE_ERROR, None, e) > - return "Success" > - > - def updateEntry(self,dn,olduser,newuser): > - """This wraps the mod function. 
It assumes that the entry is already > - populated with all of the desired objectclasses and attributes""" > - > - sctrl = self.__get_server_controls__() > - > - modlist = self.generateModList(olduser, newuser) > - > - if len(modlist) == 0: > - raise ipaerror.gen_exception(ipaerror.LDAP_EMPTY_MODLIST) > - > - try: > - if sctrl is not None: > - self.set_option(ldap.OPT_SERVER_CONTROLS, sctrl) > - self.modify_s(dn, modlist) > - # this is raised when a 'delete' attribute isn't found. > - # it indicates the previous attribute was removed by another > - # update, making the olduser stale. > - except ldap.NO_SUCH_ATTRIBUTE: > - raise ipaerror.gen_exception(ipaerror.LDAP_MIDAIR_COLLISION) > - except ldap.LDAPError, e: > - raise ipaerror.gen_exception(ipaerror.LDAP_DATABASE_ERROR, None, e) > - return "Success" > - > - def generateModList(self, old_entry, new_entry): > - """A mod list generator that computes more precise modification lists > - than the python-ldap version. This version purposely generates no > - REPLACE operations, to deal with multi-user updates more properly.""" > - modlist = [] > - > - old_entry = ipautil.CIDict(old_entry) > - new_entry = ipautil.CIDict(new_entry) > - > - keys = set(map(string.lower, old_entry.keys())) > - keys.update(map(string.lower, new_entry.keys())) > - > - for key in keys: > - new_values = new_entry.get(key, []) > - if not(isinstance(new_values,list) or isinstance(new_values,tuple)): > - new_values = [new_values] > - new_values = filter(lambda value:value!=None, new_values) > - new_values = set(new_values) > - > - old_values = old_entry.get(key, []) > - if not(isinstance(old_values,list) or isinstance(old_values,tuple)): > - old_values = [old_values] > - old_values = filter(lambda value:value!=None, old_values) > - old_values = set(old_values) > - > - adds = list(new_values.difference(old_values)) > - removes = list(old_values.difference(new_values)) > - > - if len(removes) > 0: > - modlist.append((ldap.MOD_DELETE, key, removes)) > 
- if len(adds) > 0: > - modlist.append((ldap.MOD_ADD, key, adds)) > - > - return modlist > - > - def inactivateEntry(self,dn,has_key): > - """Rather than deleting entries we mark them as inactive. > - has_key defines whether the entry already has nsAccountlock > - set so we can determine which type of mod operation to run.""" > - > - sctrl = self.__get_server_controls__() > - modlist=[] > - > - if has_key == True: > - operation = ldap.MOD_REPLACE > - else: > - operation = ldap.MOD_ADD > - > - modlist.append((operation, "nsAccountlock", "true")) > - > - try: > - if sctrl is not None: > - self.set_option(ldap.OPT_SERVER_CONTROLS, sctrl) > - self.modify_s(dn, modlist) > - except ldap.LDAPError, e: > - raise ipaerror.gen_exception(ipaerror.LDAP_DATABASE_ERROR, None, e) > - return "Success" > - > - def deleteEntry(self,*args): > - """This wraps the delete function. Use with caution.""" > - > - sctrl = self.__get_server_controls__() > - > - try: > - if sctrl is not None: > - self.set_option(ldap.OPT_SERVER_CONTROLS, sctrl) > - self.delete_s(*args) > - except ldap.LDAPError, e: > - raise ipaerror.gen_exception(ipaerror.LDAP_DATABASE_ERROR, None, e) > - return "Success" > - > - def modifyPassword(self,dn,oldpass,newpass): > - """Set the user password using RFC 3062, LDAP Password Modify Extended > - Operation. This ends up calling the IPA password slapi plugin > - handler so the Kerberos password gets set properly. > - > - oldpass is not mandatory > - """ > - > - sctrl = self.__get_server_controls__() > - > - try: > - if sctrl is not None: > - self.set_option(ldap.OPT_SERVER_CONTROLS, sctrl) > - self.passwd_s(dn, oldpass, newpass) > - except ldap.LDAPError, e: > - raise ipaerror.gen_exception(ipaerror.LDAP_DATABASE_ERROR, None, e) > - return "Success" > - > - def __wrapmethods(self): > - """This wraps all methods of SimpleLDAPObject, so that we can intercept > - the methods that deal with entries. 
Instead of using a raw list of tuples > - of lists of hashes of arrays as the entry object, we want to wrap entries > - in an Entry class that provides some useful methods""" > - for name in dir(self.__class__.__bases__[0]): > - attr = getattr(self, name) > - if callable(attr): > - setattr(self, name, wrapper(attr, name)) > - > - def exportLDIF(self, file, suffix, forrepl=False, verbose=False): > - cn = "export" + str(int(time.time())) > - dn = "cn=%s, cn=export, cn=tasks, cn=config" % cn > - entry = Entry(dn) > - entry.setValues('objectclass', 'top', 'extensibleObject') > - entry.setValues('cn', cn) > - entry.setValues('nsFilename', file) > - entry.setValues('nsIncludeSuffix', suffix) > - if forrepl: > - entry.setValues('nsExportReplica', 'true') > - > - rc = self.startTaskAndWait(entry, verbose) > - > - if rc: > - if verbose: > - print "Error: export task %s for file %s exited with %d" % (cn,file,rc) > - else: > - if verbose: > - print "Export task %s for file %s completed successfully" % (cn,file) > - return rc > - > - def waitForEntry(self, dn, timeout=7200, attr='', quiet=True): > - scope = ldap.SCOPE_BASE > - filter = "(objectclass=*)" > - attrlist = [] > - if attr: > - filter = "(%s=*)" % attr > - attrlist.append(attr) > - timeout += int(time.time()) > - > - if isinstance(dn,Entry): > - dn = dn.dn > - > - # wait for entry and/or attr to show up > - if not quiet: > - sys.stdout.write("Waiting for %s %s:%s " % (self,dn,attr)) > - sys.stdout.flush() > - entry = None > - while not entry and int(time.time()) < timeout: > - try: > - entry = self.getEntry(dn, scope, filter, attrlist) > - except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): > - pass # found entry, but no attr > - except ldap.NO_SUCH_OBJECT: > - pass # no entry yet > - except ldap.LDAPError, e: # badness > - print "\nError reading entry", dn, e > - break > - if not entry: > - if not quiet: > - sys.stdout.write(".") > - sys.stdout.flush() > - time.sleep(1) > - > - if not entry and int(time.time()) 
> timeout: > - print "\nwaitForEntry timeout for %s for %s" % (self,dn) > - elif entry and not quiet: > - print "\nThe waited for entry is:", entry > - elif not entry: > - print "\nError: could not read entry %s from %s" % (dn,self) > - > - return entry > - > - def addSchema(self, attr, val): > - dn = "cn=schema" > - self.modify_s(dn, [(ldap.MOD_ADD, attr, val)]) > - > - def addAttr(self, *args): > - return self.addSchema('attributeTypes', args) > - > - def addObjClass(self, *args): > - return self.addSchema('objectClasses', args) > - > - ########################### > - # Static methods start here > - ########################### > - def normalizeDN(dn): > - # not great, but will do until we use a newer version of python-ldap > - # that has DN utilities > - ary = ldap.explode_dn(dn.lower()) > - return ",".join(ary) > - normalizeDN = staticmethod(normalizeDN) > - > - def getfqdn(name=''): > - return socket.getfqdn(name) > - getfqdn = staticmethod(getfqdn) > - > - def getdomainname(name=''): > - fqdn = IPAdmin.getfqdn(name) > - index = fqdn.find('.') > - if index >= 0: > - return fqdn[index+1:] > - else: > - return fqdn > - getdomainname = staticmethod(getdomainname) > - > - def getdefaultsuffix(name=''): > - dm = IPAdmin.getdomainname(name) > - if dm: > - return "dc=" + dm.replace('.', ', dc=') > - else: > - return 'dc=localdomain' > - getdefaultsuffix = staticmethod(getdefaultsuffix) > - > - def is_a_dn(dn): > - """Returns True if the given string is a DN, False otherwise.""" > - return (dn.find("=") > 0) > - is_a_dn = staticmethod(is_a_dn) > - > - > -def notfound(args): > - """Return a string suitable for displaying as an error when a > - search returns no results. > - > - This just returns whatever is after the equals sign""" > - if len(args) > 2: > - filter = args[2] > - try: > - target = re.match(r'\(.*=(.*)\)', filter).group(1) > - except: > - target = filter > - return "%s not found" % str(target) > - else: > - return args[0] 
> diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py > index 2528443..fb99604 100644 > --- a/ipaserver/install/krbinstance.py > +++ b/ipaserver/install/krbinstance.py > @@ -35,8 +35,9 @@ import installutils > from ipa import sysrestore > from ipa import ipautil > from ipa import ipaerror > +from ipalib import util > > -import ipaldap > +from ipaserver import ipaldap > > import ldap > from ldap import LDAPError > @@ -104,7 +105,7 @@ class KrbInstance(service.Service): > self.host = host_name.split(".")[0] > self.ip = socket.gethostbyname(host_name) > self.domain = domain_name > - self.suffix = ipautil.realm_to_suffix(self.realm) > + self.suffix = util.realm_to_suffix(self.realm) > self.kdc_password = ipautil.ipa_generate_password() > self.admin_password = admin_password > > diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py > index f6d2fb4..b9efe84 100644 > --- a/ipaserver/install/ldapupdate.py > +++ b/ipaserver/install/ldapupdate.py > @@ -25,8 +25,10 @@ > UPDATES_DIR="/usr/share/ipa/updates/" > > import sys > -from ipaserver.install import ipaldap, installutils > +from ipaserver.install import installutils > +from ipaserver import ipaldap > from ipa import entity, ipaerror, ipautil > +from ipalib import util > import ldap > import logging > import krbV > @@ -56,14 +58,14 @@ class LDAPUpdate: > self.modified = False > > krbctx = krbV.default_context() > - > + > fqdn = installutils.get_fqdn() > if fqdn is None: > raise RuntimeError("Unable to determine hostname") > - > + > domain = ipautil.get_domain_name() > libarch = self.__identify_arch() > - suffix = ipautil.realm_to_suffix(krbctx.default_realm) > + suffix = util.realm_to_suffix(krbctx.default_realm) > > if not self.sub_dict.get("REALM"): > self.sub_dict["REALM"] = krbctx.default_realm 
> @@ -324,7 +326,7 @@ class LDAPUpdate: > while True: > try: > entry = self.conn.getEntry(dn, ldap.SCOPE_BASE, "(objectclass=*)", attrlist) > - except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): > + except ldap.NO_SUCH_OBJECT: > logging.error("Task not found: %s", dn) > return > except ipaerror.exception_for(ipaerror.LDAP_DATABASE_ERROR), e: > @@ -434,11 +436,11 @@ class LDAPUpdate: > only[k] = True > entry.setValues(k, e) > logging.debug('only: updated value %s', e) > - > + > self.print_entity(entry) > - > + > return entry > - > + > def print_entity(self, e, message=None): > """The entity object currently lacks a str() method""" > logging.debug("---------------------------------------------") > @@ -479,13 +481,13 @@ class LDAPUpdate: > return False > else: > return True > - > + > def __update_record(self, update): > found = False > - > + > new_entry = self.__create_default_entry(update.get('dn'), > update.get('default')) > - > + > try: > e = self.__get_entry(new_entry.dn) > if len(e) > 1: > @@ -494,7 +496,7 @@ class LDAPUpdate: > entry = self.__entry_to_entity(e[0]) > found = True > logging.info("Updating existing entry: %s", entry.dn) > - except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): > + except ldap.NO_SUCH_OBJECT: > # Doesn't exist, start with the default entry > entry = new_entry > logging.info("New entry: %s", entry.dn) > @@ -502,14 +504,14 @@ class LDAPUpdate: > # Doesn't exist, start with the default entry > entry = new_entry > logging.info("New entry, using default value: %s", entry.dn) > - > + > self.print_entity(entry) > - > + > # Bring this entry up to date > entry = self.__apply_updates(update.get('updates'), entry) > - > + > self.print_entity(entry, "Final value") > - > + > if not found: > # New entries get their orig_data set to the entry itself. We want to > # empty that so that everything appears new when generating the 
> @@ -540,7 +542,7 @@ class LDAPUpdate: > except ipaerror.exception_for(ipaerror.LDAP_DATABASE_ERROR), e: > logging.error("Update failed: %s: %s", e, self.__detail_error(e.detail)) > updated = False > - > + > if ("cn=index" in entry.dn and > "cn=userRoot" in entry.dn): > taskid = self.create_index_task(entry.cn) > @@ -566,7 +568,7 @@ class LDAPUpdate: > > returns True if anything was changed, otherwise False > """ > - > + > try: > self.conn = ipaldap.IPAdmin(self.sub_dict['FQDN']) > self.conn.do_simple_bind(bindpw=self.dm_password) > @@ -579,9 +581,9 @@ class LDAPUpdate: > except Exception, e: > print e > sys.exit(1) > - > + > (all_updates, dn_list) = self.parse_update_file(data, all_updates, dn_list) > - > + > sortedkeys = dn_list.keys() > sortedkeys.sort() > for k in sortedkeys: > @@ -589,5 +591,5 @@ class LDAPUpdate: > self.__update_record(all_updates[dn]) > finally: > if self.conn: self.conn.unbind() > - > + > return self.modified > diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py > index 8477bd1..33ed9c8 100644 > --- a/ipaserver/install/replication.py > +++ b/ipaserver/install/replication.py > @@ -19,9 +19,12 @@ > > import time, logging > > -import ipaldap, ldap, dsinstance > +import ldap > +from ipaserver.install import dsinstance > +from ipaserver import ipaldap > from ldap import modlist > from ipa import ipaerror > +from ipalib import util > > DIRMAN_CN = "cn=directory manager" > CACERT="/usr/share/ipa/html/ca.crt" 
> @@ -469,7 +472,7 @@ class ReplicationManager: > else: > raise e > > - self.suffix = ipaldap.IPAdmin.normalizeDN(dsinstance.realm_to_suffix(realm_name)) > + self.suffix = ipaldap.IPAdmin.normalizeDN(util.realm_to_suffix(realm_name)) > > if not iswinsync: > local_id = self._get_replica_id(self.conn, other_conn)

From rcritten at redhat.com Fri Feb 6 20:15:48 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 06 Feb 2009 15:15:48 -0500
Subject: [Freeipa-devel] [PATCH] Remove requires on TurboGears
In-Reply-To: <1233950108.11736.24.camel@jgd-dsk>
References: <4989BAD3.8060802@redhat.com> <1233950108.11736.24.camel@jgd-dsk>
Message-ID: <498C9A74.2000900@redhat.com>

Jason Gerard DeRose wrote:
> On Wed, 2009-02-04 at 10:57 -0500, Rob Crittenden wrote:
>> We aren't using TurboGears for the webUI now, remove the requirement
>> from the spec file.
>> rob
>
> ack.
>

pushed to master

From rcritten at redhat.com Fri Feb 6 20:16:08 2009
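
Review bot: In the ipaserver/install/ldapupdate.py hunks at @@ -324,7 +326,7 @@ and @@ -494,7 +496,7 @@ of the patch quoted above, only the not-found handler moves to ldap.NO_SUCH_OBJECT; the handler right after it in the first of these, and the one in the context of @@ -540,7 +542,7 @@, still catch ipaerror.exception_for(ipaerror.LDAP_DATABASE_ERROR), so the same connection object is now expected to raise both raw python-ldap exceptions and ipaerror wrappers. If the relocated ipaserver.ipaldap stops wrapping errors, those LDAP_DATABASE_ERROR branches can never match, and the logging call that reads e.detail goes with them, leaving a failed update to surface as an unhandled ldap.LDAPError. Suggest converting these handlers in the same patch, or adding a comment that marks them as pending the ipaerror removal.
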
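
Review bot: Several ldapupdate.py hunks in the patch quoted above (@@ -434,11 +436,11 @@, @@ -479,13 +481,13 @@, @@ -502,14 +504,14 @@ and the last three hunks of that file) only replace one empty-looking line with another, apparently a trailing-whitespace cleanup, which hides the import and exception changes among lines that do nothing. Suggest splitting the whitespace cleanup into its own commit so the functional edits can be reviewed and reverted separately.
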
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 06 Feb 2009 15:16:08 -0500
Subject: [Freeipa-devel] [PATCH] library cleanup
In-Reply-To: <1233950427.11736.25.camel@jgd-dsk>
References: <4989BC50.7080105@redhat.com> <1233950427.11736.25.camel@jgd-dsk>
Message-ID: <498C9A88.5080201@redhat.com>

Jason Gerard DeRose wrote:
> On Wed, 2009-02-04 at 11:03 -0500, Rob Crittenden wrote:
>> Some files have moved from ipa-python and ipaserver into ipalib. Remove
>> these duplicated and in some cases unnecessary files. This also fixes
>> the imports of those files.
>>
>> Note that ipaerror will be going away soon too. I fixed a few references
>> here to make things work but didn't fix all occurrences. The reason being
>> to keep patches at a more manageable level.
>>
>> This also creates a new configuration file, /etc/ipa/default.conf, which
>> is used to configure the ipa command-line tool and the XML-RPC server.
>>
>> Right now this file contains the basedn to search against. Do we want
>> this hardcoded in the configuration file or determined based on the
>> REALM as we did in v1?
>>
>> rob
>
> ack.
>

pushed to master

From jderose at redhat.com Fri Feb 6 20:20:03 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Fri, 06 Feb 2009 13:20:03 -0700
Subject: [Freeipa-devel] [PATCH] Consolidate update files
In-Reply-To: <498B4742.9030908@redhat.com>
References: <498B4742.9030908@redhat.com>
Message-ID: <1233951603.11736.26.camel@jgd-dsk>

On Thu, 2009-02-05 at 15:08 -0500, Rob Crittenden wrote:
> Update files are used to load schema or set up or change entries in the
> DIT over LDAP. There were some in Jason's tree and in the old v1 tree.
> This patch consolidates them into one location.
>
> rob

ack.

> plain text document attachment (freeipa-118-update.patch)
> >From fe656f2720847170af00c71ecc925c0d32045621 Mon Sep 17 00:00:00 2001
> From: Rob Crittenden > Date: Thu, 5 Feb 2009 09:39:17 -0500 > Subject: [PATCH] Consolidate all update files into one location > > --- > install/updates/Makefile.am | 11 ++++-- > install/updates/automount.update | 54 +++++++++++++++++++++++++++++++++ > install/updates/groupofhosts.update | 5 +++ > install/updates/host.update | 25 +++++++++++++++ > ipaserver/updates/automount.update | 54 --------------------------------- > ipaserver/updates/groupofhosts.update | 5 --- > ipaserver/updates/host.update | 25 --------------- > 7 files changed, 91 insertions(+), 88 deletions(-) > create mode 100644 install/updates/automount.update > create mode 100644 install/updates/groupofhosts.update > create mode 100644 install/updates/host.update > delete mode 100644 ipaserver/updates/automount.update > delete mode 100644 ipaserver/updates/groupofhosts.update > delete mode 100644 ipaserver/updates/host.update > > diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am > index 11d20dd..002a83b 100644 > --- a/install/updates/Makefile.am > +++ b/install/updates/Makefile.am > @@ -2,12 +2,15 @@ NULL = > > appdir = $(IPA_DATA_DIR)/updates > app_DATA = \ > - RFC4876.update \ > - RFC2307bis.update \ > + automount.update \ > + groupofhosts.update \ > + host.update \ > + indices.update \ > nss_ldap.update \ > - winsync_index.update \ > replication.update \ > - indices.update \ > + RFC2307bis.update \ > + RFC4876.update \ > + winsync_index.update \ > $(NULL) > > EXTRA_DIST = \ > diff --git a/install/updates/automount.update b/install/updates/automount.update > new file mode 100644 > index 0000000..13d9a6d > --- /dev/null > +++ b/install/updates/automount.update 
> @@ -0,0 +1,54 @@ > +# > +# An automount schema based on RFC 2307-bis. > +# > +# This schema defines new automount and automountMap objectclasses to represent > +# the automount maps and their entries. > +# > +dn: cn=schema > +add:attributeTypes: > + ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' > + DESC 'automount Map Name' > + EQUALITY caseExactIA5Match > + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE > + X-ORIGIN 'RFC 2307bis' ) > +add:attributeTypes: > + ( 1.3.6.1.1.1.1.32 NAME 'automountKey' > + DESC 'Automount Key value' > + EQUALITY caseExactIA5Match > + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE > + X-ORIGIN 'RFC 2307bis' ) > +add:attributeTypes: > + ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' > + DESC 'Automount information' > + EQUALITY caseExactIA5Match > + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE > + X-ORIGIN 'RFC 2307bis' ) > +add:objectClasses: > + ( 1.3.6.1.1.1.2.16 NAME 'automountMap' > + DESC 'Automount Map information' SUP top > + STRUCTURAL MUST automountMapName MAY description > + X-ORIGIN 'RFC 2307bis' ) > +add:objectClasses: > + ( 1.3.6.1.1.1.2.17 NAME 'automount' > + DESC 'Automount information' SUP top STRUCTURAL > + MUST ( automountKey $ automountInformation ) MAY description > + X-ORIGIN 'RFC 2307bis' ) > + > +# Add the default automount entries > + > +dn: cn=automount,$SUFFIX > +add:objectClass: nsContainer > +add:cn: automount > + > +dn: automountmapname=auto.master,cn=automount,$SUFFIX > +add:objectClass: automountMap > +add:automountMapName: auto.master > + > +dn: automountkey=/-,automountmapname=auto.master,cn=automount,$SUFFIX > +add:objectClass: automount > +add:automountKey: '/-' > +add:automountInformation: auto.direct > + > +dn: automountmapname=auto.direct,cn=automount,$SUFFIX > +add:objectClass: automountMap > +add:automountMapName: auto.direct > diff --git a/install/updates/groupofhosts.update b/install/updates/groupofhosts.update > new file mode 100644 > index 0000000..fb39c5e > --- /dev/null 
> +++ b/install/updates/groupofhosts.update > @@ -0,0 +1,5 @@ > +dn: cn=hostgroups,cn=accounts,$SUFFIX > +add:objectClass: top > +add:objectClass: nsContainer > +add:cn: hostgroups > + > diff --git a/install/updates/host.update b/install/updates/host.update > new file mode 100644 > index 0000000..f5ecda5 > --- /dev/null > +++ b/install/updates/host.update > @@ -0,0 +1,25 @@ > +# > +# Schema for IPA Hosts > +# > +dn: cn=schema > +add: attributeTypes: > + ( 2.16.840.1.113730.3.8.3.10 NAME 'ipaClientVersion' > + DESC 'Text string describing client version of the IPA software installed' > + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 > + X-ORIGIN 'IPA v2' ) > + > +add: attributeTypes: > + ( 2.16.840.1.113730.3.8.3.11 NAME 'enrolledBy' > + DESC 'DN of administrator who performed manual enrollment of the host' > + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 > + X-ORIGIN 'IPA v2' ) > +add: objectClasses: > + ( 2.16.840.1.113730.3.8.4.2 NAME 'ipaHost' > + AUXILIARY > + MAY ( userPassword $ ipaClientVersion $ enrolledBy) > + X-ORIGIN 'IPA v2' ) > +add: objectClasses: > + ( 2.5.6.21 NAME 'pkiUser' > + SUP top AUXILIARY > + MAY ( userCertificate ) > + X-ORIGIN 'RFC 2587' ) > diff --git a/ipaserver/updates/automount.update b/ipaserver/updates/automount.update > deleted file mode 100644 > index 13d9a6d..0000000 > --- a/ipaserver/updates/automount.update > +++ /dev/null 
> @@ -1,54 +0,0 @@ > -# > -# An automount schema based on RFC 2307-bis. > -# > -# This schema defines new automount and automountMap objectclasses to represent > -# the automount maps and their entries. > -# > -dn: cn=schema > -add:attributeTypes: > - ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' > - DESC 'automount Map Name' > - EQUALITY caseExactIA5Match > - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE > - X-ORIGIN 'RFC 2307bis' ) > -add:attributeTypes: > - ( 1.3.6.1.1.1.1.32 NAME 'automountKey' > - DESC 'Automount Key value' > - EQUALITY caseExactIA5Match > - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE > - X-ORIGIN 'RFC 2307bis' ) > -add:attributeTypes: > - ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' > - DESC 'Automount information' > - EQUALITY caseExactIA5Match > - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE > - X-ORIGIN 'RFC 2307bis' ) > -add:objectClasses: > - ( 1.3.6.1.1.1.2.16 NAME 'automountMap' > - DESC 'Automount Map information' SUP top > - STRUCTURAL MUST automountMapName MAY description > - X-ORIGIN 'RFC 2307bis' ) > -add:objectClasses: > - ( 1.3.6.1.1.1.2.17 NAME 'automount' > - DESC 'Automount information' SUP top STRUCTURAL > - MUST ( automountKey $ automountInformation ) MAY description > - X-ORIGIN 'RFC 2307bis' ) > - > -# Add the default automount entries > - > -dn: cn=automount,$SUFFIX > -add:objectClass: nsContainer > -add:cn: automount > - > -dn: automountmapname=auto.master,cn=automount,$SUFFIX > -add:objectClass: automountMap > -add:automountMapName: auto.master > - > -dn: automountkey=/-,automountmapname=auto.master,cn=automount,$SUFFIX > -add:objectClass: automount > -add:automountKey: '/-' > -add:automountInformation: auto.direct > - > -dn: automountmapname=auto.direct,cn=automount,$SUFFIX > -add:objectClass: automountMap > -add:automountMapName: auto.direct > diff --git a/ipaserver/updates/groupofhosts.update b/ipaserver/updates/groupofhosts.update > deleted file mode 100644 > index fb39c5e..0000000 
> --- a/ipaserver/updates/groupofhosts.update > +++ /dev/null > @@ -1,5 +0,0 @@ > -dn: cn=hostgroups,cn=accounts,$SUFFIX > -add:objectClass: top > -add:objectClass: nsContainer > -add:cn: hostgroups > - > diff --git a/ipaserver/updates/host.update b/ipaserver/updates/host.update > deleted file mode 100644 > index f5ecda5..0000000 > --- a/ipaserver/updates/host.update > +++ /dev/null > @@ -1,25 +0,0 @@ > -# > -# Schema for IPA Hosts > -# > -dn: cn=schema > -add: attributeTypes: > - ( 2.16.840.1.113730.3.8.3.10 NAME 'ipaClientVersion' > - DESC 'Text string describing client version of the IPA software installed' > - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 > - X-ORIGIN 'IPA v2' ) > - > -add: attributeTypes: > - ( 2.16.840.1.113730.3.8.3.11 NAME 'enrolledBy' > - DESC 'DN of administrator who performed manual enrollment of the host' > - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 > - X-ORIGIN 'IPA v2' ) > -add: objectClasses: > - ( 2.16.840.1.113730.3.8.4.2 NAME 'ipaHost' > - AUXILIARY > - MAY ( userPassword $ ipaClientVersion $ enrolledBy) > - X-ORIGIN 'IPA v2' ) > -add: objectClasses: > - ( 2.5.6.21 NAME 'pkiUser' > - SUP top AUXILIARY > - MAY ( userCertificate ) > - X-ORIGIN 'RFC 2587' )

From jderose at redhat.com Fri Feb 6 20:20:51 2009
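
Review bot: In install/updates/automount.update of the patch quoted above, the direct-map entry is named dn: automountkey=/-,automountmapname=auto.master,cn=automount,$SUFFIX but its attribute is set with add:automountKey: '/-', so the RDN value and the attribute value differ by the single quotes unless the update parser strips them. Worth confirming what ldapupdate does with a quoted value; if it is stored literally, drop the quotes so the attribute matches the DN.
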
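
Review bot: The three files created under install/updates/ carry the same blob ids (13d9a6d, fb39c5e, f5ecda5) as the three deleted under ipaserver/updates/, so the patch quoted above is a pure move presented as 84 added and 84 removed lines. Generating it with rename detection (git format-patch -M) would reduce it to three renames plus the Makefile.am hunk and make it evident that no file content changed.
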
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Fri, 06 Feb 2009 13:20:51 -0700
Subject: [Freeipa-devel] [PATCH] Remove unused files
In-Reply-To: <498B477A.9030606@redhat.com>
References: <498B477A.9030606@redhat.com>
Message-ID: <1233951651.11736.27.camel@jgd-dsk>

On Thu, 2009-02-05 at 15:09 -0500, Rob Crittenden wrote:
> Remove some more unused/deprecated files from ipa-python. This
> eliminates the old error class handler (ipaerror).
>
> rob

ack.

From rcritten at redhat.com Fri Feb 6 20:25:36 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 06 Feb 2009 15:25:36 -0500
Subject: [Freeipa-devel] [PATCH] Consolidate update files
In-Reply-To: <1233951603.11736.26.camel@jgd-dsk>
References: <498B4742.9030908@redhat.com> <1233951603.11736.26.camel@jgd-dsk>
Message-ID: <498C9CC0.101@redhat.com>

Jason Gerard DeRose wrote:
> On Thu, 2009-02-05 at 15:08 -0500, Rob Crittenden wrote:
>> Update files are used to load schema or set up or change entries in the
>> DIT over LDAP. There were some in Jason's tree and in the old v1 tree.
>> This patch consolidates them into one location.
>>
>> rob
>
> ack.

pushed to master

From rcritten at redhat.com Fri Feb 6 20:25:59 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 06 Feb 2009 15:25:59 -0500
Subject: [Freeipa-devel] [PATCH] Remove unused files
In-Reply-To: <1233951651.11736.27.camel@jgd-dsk>
References: <498B477A.9030606@redhat.com> <1233951651.11736.27.camel@jgd-dsk>
Message-ID: <498C9CD7.1090401@redhat.com>

Jason Gerard DeRose wrote:
> On Thu, 2009-02-05 at 15:09 -0500, Rob Crittenden wrote:
>> Remove some more unused/deprecated files from ipa-python. This
>> eliminates the old error class handler (ipaerror).
>>
>> rob
>
> ack.

pushed to master

From jderose at redhat.com Fri Feb 6 20:29:31 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Fri, 06 Feb 2009 13:29:31 -0700
Subject: [Freeipa-devel] [PATCHES] jderose 0001-0007
Message-ID: <1233952171.11736.30.camel@jgd-dsk>

* Various cleanup in RA frontend and backend plugins.
* Add pattern matching support to Str and Bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Renamed-f_ra.py-plugin-to-cert.py.patch
Type: text/x-patch
Size: 9166 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Some-cleanup-in-cert-plugins-module-changed-to-shor.patch
Type: text/x-patch
Size: 4225 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Renamed-b_ra.py-plugin-module-to-ra.py.patch
Type: text/x-patch
Size: 39239 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Started-cleanup-work-on-ra-plugin-fixed-problem-in.patch
Type: text/x-patch
Size: 19059 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-Removed-depreciated-ipalib-plugins-b_xmlrpc.py-modul.patch
Type: text/x-patch
Size: 4265 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-Removed-depreciated-xmlrpc_marshal-and-xmlrpc_unma.patch
Type: text/x-patch
Size: 2521 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0007-Add-pattern-matching-to-Str-and-Bytes.patch
Type: text/x-patch
Size: 6646 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Feb 6 21:28:58 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 06 Feb 2009 16:28:58 -0500
Subject: [Freeipa-devel] [PATCHES] jderose 0001-0007
In-Reply-To: <1233952171.11736.30.camel@jgd-dsk>
References: <1233952171.11736.30.camel@jgd-dsk>
Message-ID: <498CAB9A.9070008@redhat.com>

Jason Gerard DeRose wrote:
> * Various cleanup in RA frontend and backend plugins.
> * Add pattern matching support to Str and Bytes
>
>
> ------------------------------------------------------------------------
>

Patch 1: ack

Patch 2: There is no help on the arguments or options

Patch 3: ack

Patch 4: Should the plugin enforce a set of values for request_type? Will
CS return a usable error msg to IPA if it is invalid?

Patch 5: ack

Patch 6: ack

Patch 7: I think there should be another option for patterns, the error
message if the pattern is not matched. Some of these could be quite
complex and is going to completely confuse a user if they get it back.

rob

From eric at vcardprocessor.com Sat Feb 7 03:21:20 2009
From: eric at vcardprocessor.com (Eric)
Date: Fri, 6 Feb 2009 19:21:20 -0800
Subject: [Freeipa-devel] Usability Testing
In-Reply-To: <498B17B1.30408@redhat.com>
Message-ID: <200926192120.512727@C840>

An HTML attachment was scrubbed...
URL:

From eric at vcardprocessor.com Sat Feb 7 04:11:37 2009
From: eric at vcardprocessor.com (Eric)
Date: Fri, 6 Feb 2009 20:11:37 -0800
Subject: [Freeipa-devel] Usability Testing
In-Reply-To: <498CFF73.6030803@redhat.com>
Message-ID: <200926201137.098755@C840>

An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Mon Feb 9 18:12:39 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 09 Feb 2009 13:12:39 -0500
Subject: [Freeipa-devel] [PATCH] Allow specifying search scope in {ldap, servercore}.search
In-Reply-To: <1233939798.25448.22.camel@jarilo.englab.brq.redhat.com>
References: <1233939798.25448.22.camel@jarilo.englab.brq.redhat.com>
Message-ID: <49907217.4030404@redhat.com>

Jakub Hrozek wrote:
> This patch allows specifying the search scope for
> ipaserver.plugins.b_ldap.search(). The previously hardcoded
> ldap.SCOPE_SUBTREE is still the default, so no existing code should
> break.
>
> My rationale for this was searching on application containers - where
> the toplevel container and the application containers beneath them are
> the same objectclass, so search with SCOPE_SUBTREE could hit the
> toplevel container..but I guess that there can be more applications of
> this.
>
> Jakub

ack

pushed to master

rob

From rcritten at redhat.com Mon Feb 9 19:34:38 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 09 Feb 2009 14:34:38 -0500
Subject: [Freeipa-devel] [PATCH] Rename ipa-python to ipapython
In-Reply-To: <1233872212.15595.45.camel@jgd-dsk>
References: <498B47D1.3090402@redhat.com> <1233872212.15595.45.camel@jgd-dsk>
Message-ID: <4990854E.7090304@redhat.com>

Jason Gerard DeRose wrote:
> On Thu, 2009-02-05 at 15:10 -0500, Rob Crittenden wrote:
>> Rename ipa-python into a name python can understand, ipapython. This is
>> so in-tree development will work nicely.
>>
>> I've also renamed the installation directory from ipa to ipapython for
>> consistency.
>>
>> rob
>
> ack

pushed

From ssorce at redhat.com Mon Feb 9 19:46:43 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 09 Feb 2009 14:46:43 -0500
Subject: [Freeipa-devel] FreeIPA presentation slides request
In-Reply-To: <57127b5f0901312113o7412ba2fq936e5c375de536b4@mail.gmail.com>
References: <57127b5f0901312113o7412ba2fq936e5c375de536b4@mail.gmail.com>
Message-ID: <1234208803.3787.4.camel@localhost.localdomain>

On Sat, 2009-01-31 at 21:13 -0800, Deependra Singh Shekhawat wrote:
> Good morning all,
>
> I am planning to give a presentation on IPA at my college technical
> fest scheduled for the next week. I am working on the presentation but
> I would like to use some of the existing presentations on the subject
> as reference.
>
> Basically I would like to know what all topics besides the basic
> functionality of IPA one can use to present in a seminar.
>
> Any help in this regard is greatly appreciated.
>
> Thanks in advance

Hi,
I will post the slides I've used at FOSDEM asap, I think they might help
you presenting it although they are not very verbose.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jderose at redhat.com Mon Feb 9 20:25:32 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 09 Feb 2009 13:25:32 -0700
Subject: [Freeipa-devel] [PATCH] jderose 0008 Fixed problems in ipapython/test/
Message-ID: <1234211132.15930.11.camel@jgd-dsk>

This patch brings the unit tests (when run with ./make-test) into
working order again.

- ipapython/test/test_aci.py is now deprecated.
- test_ipautil.py: fixed broken "import ipautil"
- test_ipavalidate.py: fixed broken "import ipavalidate"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0008-Fixed-problems-in-ipapython-test.patch
Type: text/x-patch
Size: 6057 bytes
Desc: not available
URL:

From rcritten at redhat.com Mon Feb 9 20:49:30 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 09 Feb 2009 15:49:30 -0500
Subject: [Freeipa-devel] [PATCH] fix group deletion in UI
Message-ID: <499096DA.9040102@redhat.com>

This patch is against the ipa-1-2 branch.

We drop fields that aren't used in the UI. dn is such a field but we do
need this in order to do a delete so I added it as a hidden field.

This fixes group deletes in the UI.

rob

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa12-1.patch
URL:

From rcritten at redhat.com Mon Feb 9 21:36:25 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 09 Feb 2009 16:36:25 -0500
Subject: [Freeipa-devel] [PATCH] jderose 0008 Fixed problems in ipapython/test/
In-Reply-To: <1234211132.15930.11.camel@jgd-dsk>
References: <1234211132.15930.11.camel@jgd-dsk>
Message-ID: <4990A1D9.40900@redhat.com>

Jason Gerard DeRose wrote:
> This patch brings the unit tests (when run with ./make-test) into
> working order again.
>
> - ipapython/test/test_aci.py is now deprecated.
> - test_ipautil.py: fixed broken "import ipautil"
> - test_ipavalidate.py: fixed broken "import ipavalidate"

ack

pushed to master

rob

From ssorce at redhat.com Mon Feb 9 22:03:34 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 09 Feb 2009 17:03:34 -0500
Subject: [Freeipa-devel] [PATCH] fix group deletion in UI
In-Reply-To: <499096DA.9040102@redhat.com>
References: <499096DA.9040102@redhat.com>
Message-ID: <1234217014.3787.7.camel@localhost.localdomain>

On Mon, 2009-02-09 at 15:49 -0500, Rob Crittenden wrote:
> This patch is against the ipa-1-2 branch.
>
> We drop fields that aren't used in the UI. dn is such a field but we
> do
> need this in order to do a delete so I added it as a hidden field.
>
> This fixes group deletes in the UI.

ack

--
Simo Sorce * Red Hat, Inc * New York

From jhrozek at redhat.com Tue Feb 10 10:12:57 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 10 Feb 2009 11:12:57 +0100
Subject: [Freeipa-devel] [PATCH] Fix the default search scope
Message-ID: <1234260777.9438.8.camel@jarilo.englab.brq.redhat.com>

This actually fixes a bug that I introduced with my own search scope
patch..the default value when no scope is specified in ldap.search is
now SCOPE_SUBTREE.

I'm sorry about the inconvenience, I should have tested the original
patch better.

Jakub

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-the-default-search-scope.patch
Type: text/x-patch
Size: 937 bytes
Desc: not available
URL:

From jhrozek at redhat.com Tue Feb 10 10:13:18 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 10 Feb 2009 11:13:18 +0100
Subject: [Freeipa-devel] [PATCH] Add make_xxx_dn routines for policy
Message-ID: <1234260798.9438.9.camel@jarilo.englab.brq.redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Add-make_xxx_dn-routines-for-policy.patch
Type: text/x-patch
Size: 3165 bytes
Desc: not available
URL:

From jhrozek at redhat.com Tue Feb 10 10:13:34 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 10 Feb 2009 11:13:34 +0100
Subject: [Freeipa-devel] [PATCH] Add policy-related container constants
Message-ID: <1234260814.9438.10.camel@jarilo.englab.brq.redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-policy-related-container-constants.patch
Type: text/x-patch
Size: 1082 bytes
Desc: not available
URL:

From jhrozek at redhat.com Tue Feb 10 10:14:09 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 10 Feb 2009 11:14:09 +0100
Subject: [Freeipa-devel] [PATCH] Add application frontend plugin + unittests
Message-ID: <1234260849.9438.11.camel@jarilo.englab.brq.redhat.com>

Adds a plugin for handling policy applications + its accompanying
xmlrpc unit test.

One problem I was thinking about is how to correctly handle special
cases, like the "Shell Application". In this patch, I special cased it
in the code (I think I saw something similar w.r.t. the 'admin' user in
user plugin), but I was thinking that maybe protecting these on ACI
level might be a cleaner solution...any thoughts are appreciated :-)

Jakub

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-application-frontend-plugin.patch
Type: text/x-patch
Size: 8646 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-tests-for-the-application-frontend-plugin.patch
Type: text/x-patch
Size: 6021 bytes
Desc: not available
URL:

From mnagy at redhat.com Tue Feb 10 10:30:01 2009
From: mnagy at redhat.com (Martin Nagy)
Date: Tue, 10 Feb 2009 11:30:01 +0100
Subject: [Freeipa-devel] [PATCH] Fix the default search scope
In-Reply-To: <1234260777.9438.8.camel@jarilo.englab.brq.redhat.com>
References: <1234260777.9438.8.camel@jarilo.englab.brq.redhat.com>
Message-ID: <20090210113001.7a73fa10@wolverine.englab.brq.redhat.com>

On Tue, 10 Feb 2009 11:12:57 +0100, Jakub Hrozek wrote:
> This actually fixes a bug that I introduced with my own search scope
> patch..the default value when no scope is specified in ldap.search is
> now SCOPE_SUBTREE.
>
> I'm sorry about the inconvenience, I should have tested the original
> patch better.
>
> Jakub

ack

From rcritten at redhat.com Tue Feb 10 14:23:35 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 10 Feb 2009 09:23:35 -0500
Subject: [Freeipa-devel] [PATCH] fix group deletion in UI
In-Reply-To: <1234217014.3787.7.camel@localhost.localdomain>
References: <499096DA.9040102@redhat.com> <1234217014.3787.7.camel@localhost.localdomain>
Message-ID: <49918DE7.9010108@redhat.com>

Simo Sorce wrote:
> On Mon, 2009-02-09 at 15:49 -0500, Rob Crittenden wrote:
>> This patch is against the ipa-1-2 branch.
>>
>> We drop fields that aren't used in the UI. dn is such a field but we
>> do
>> need this in order to do a delete so I added it as a hidden field.
>>
>> This fixes group deletes in the UI.
>
> ack
>

pushed to ipa-1-2 branch

From rcritten at redhat.com Tue Feb 10 19:07:18 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 10 Feb 2009 14:07:18 -0500
Subject: [Freeipa-devel] [PATCH] Add make_xxx_dn routines for policy
In-Reply-To: <1234260798.9438.9.camel@jarilo.englab.brq.redhat.com>
References: <1234260798.9438.9.camel@jarilo.englab.brq.redhat.com>
Message-ID: <4991D066.50308@redhat.com>

Jakub Hrozek wrote:
>

I'm going to ack this but I suspect we'll rework it later. This isn't a
criticism of the implementation but 3rd party plugin authors aren't going
to have a way to integrate the make_xxx_dn into the ldap backend. There
must be a more generic way to do this than to write a slew of 2-line
functions like we have now. But since you were just following the
convention that Jason and I started let's get this in.

ack and pushed to master

rob

From rcritten at redhat.com Tue Feb 10 19:08:02 2009
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 10 Feb 2009 14:08:02 -0500 Subject: [Freeipa-devel] [PATCH] Add policy-related container constants In-Reply-To: <1234260814.9438.10.camel@jarilo.englab.brq.redhat.com> References: <1234260814.9438.10.camel@jarilo.englab.brq.redhat.com> Message-ID: <4991D092.7080907@redhat.com> Jakub Hrozek wrote: > > > ack and pushed to master From rcritten at redhat.com Tue Feb 10 19:08:20 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 10 Feb 2009 14:08:20 -0500 Subject: [Freeipa-devel] [PATCH] Add application frontend plugin + unittests In-Reply-To: <1234260849.9438.11.camel@jarilo.englab.brq.redhat.com> References: <1234260849.9438.11.camel@jarilo.englab.brq.redhat.com> Message-ID: <4991D0A4.4070605@redhat.com> Jakub Hrozek wrote: > Adds a plugin for handling policy applications + its accompanying > xmlrpc unit test. > > One problem I was thinking about is how to correctly handle special > cases, like the "Shell Application". In this patch, I special cased it > in the code (I think I saw something similar w.r.t. the 'admin' user in > user plugin), but I was thinking that maybe protecting these on ACI > level might be a cleaner solution...any thoughts are appreciated :-) > > Jakub > ack and pushed to master rob From rcritten at redhat.com Tue Feb 10 19:10:36 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 10 Feb 2009 14:10:36 -0500 Subject: [Freeipa-devel] [PATCH] Fix the default search scope In-Reply-To: <20090210113001.7a73fa10@wolverine.englab.brq.redhat.com> References: <1234260777.9438.8.camel@jarilo.englab.brq.redhat.com> <20090210113001.7a73fa10@wolverine.englab.brq.redhat.com> Message-ID: <4991D12C.8090803@redhat.com> Martin Nagy wrote: > On Tue, 10 Feb 2009 11:12:57 +0100, Jakub Hrozek > wrote: > >> This actually fixes a bug that I introduced with my own search scope >> patch..the default value when no scope is specified in ldap.search is >> now SCOPE_SUBTREE. >> >> I'm sorry about the inconvenience, I should have tested the original >> patch better. >> >> Jakub > ack pushed to master From rcritten at redhat.com Tue Feb 10 19:15:31 2009 
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 10 Feb 2009 14:15:31 -0500
Subject: [Freeipa-devel] [PATCH] Add application frontend plugin + unittests
In-Reply-To: <1234260849.9438.11.camel@jarilo.englab.brq.redhat.com>
References: <1234260849.9438.11.camel@jarilo.englab.brq.redhat.com>
Message-ID: <4991D253.4090005@redhat.com>

Jakub Hrozek wrote:
> Adds a plugin for handling policy applications + its accompanying
> xmlrpc unit test.
>
> One problem I was thinking about is how to correctly handle special
> cases, like the "Shell Application". In this patch, I special cased it
> in the code (I think I saw something similar w.r.t. the 'admin' user in
> user plugin), but I was thinking that maybe protecting these on ACI
> level might be a cleaner solution...any thoughts are appreciated :-)
>

Sorry, forgot to comment on the ACI question.

We will be adding a more configurable delegation system in the next
couple of weeks. This is a multi-step process whereby you create a
certain right, assign that to a group and assign that group to a role.
Then you can assign users/groups to that role to allow fine-grained
administration of parts of the tree.

If this can *never* be removed we can create a custom ACI to protect it
that is loaded when the schema for applications is added. If it can be
removed by a certain subset of users then we can protect it via the
delegation system I've proposed.

And it may be beneficial to catch this special case so you can report
good error messages back to users.

rob

From rcritten at redhat.com Tue Feb 10 21:05:03 2009
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 10 Feb 2009 16:05:03 -0500 Subject: [Freeipa-devel] [PATCH] 121 - Add new schema for v2 Message-ID: <4991EBFF.2010302@redhat.com> Incorporate new schema for IPAv2 Loading this via LDIF is a temporary measure until we can load it online. This requires removing the dNSRecord declarations from 05rfc2247.ldif so a replacement copy is included for now. Also add the netgroups container. rob -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-121-schema.patch URL: From rcritten at redhat.com Tue Feb 10 21:05:44 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 10 Feb 2009 16:05:44 -0500 Subject: [Freeipa-devel] [PATCH] 122 - Remove detail message Message-ID: <4991EC28.9070503@redhat.com> Remove references to detail from exceptions in ipa-ldap-updater. This was used by the v1 exception system. rob -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-122-detail.patch URL: From ssorce at redhat.com Tue Feb 10 21:24:01 2009 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 10 Feb 2009 16:24:01 -0500 Subject: [Freeipa-devel] [PATCH] 121 - Add new schema for v2 In-Reply-To: <4991EBFF.2010302@redhat.com> References: <4991EBFF.2010302@redhat.com> Message-ID: <1234301041.3787.67.camel@localhost.localdomain> On Tue, 2009-02-10 at 16:05 -0500, Rob Crittenden wrote: > Incorporate new schema for IPAv2 > > Loading this via LDIF is a temporary measure until we can load it > online. This requires removing the dNSRecord declarations from > 05rfc2247.ldif so a replacement copy is included for now. > > Also add the netgroups container. ack. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Feb 10 21:24:47 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 10 Feb 2009 16:24:47 -0500 Subject: [Freeipa-devel] [PATCH] 122 - Remove detail message In-Reply-To: <4991EC28.9070503@redhat.com> References: <4991EC28.9070503@redhat.com> Message-ID: <1234301087.3787.68.camel@localhost.localdomain> On Tue, 2009-02-10 at 16:05 -0500, Rob Crittenden wrote: > Remove references to detail from exceptions in ipa-ldap-updater. > This > was used by the v1 exception system. ack -- Simo Sorce * Red Hat, Inc * New York From jderose at redhat.com Wed Feb 11 18:49:09 2009 
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Wed, 11 Feb 2009 11:49:09 -0700
Subject: [Freeipa-devel] [PATCH] Add make_xxx_dn routines for policy
In-Reply-To: <4991D066.50308@redhat.com>
References: <1234260798.9438.9.camel@jarilo.englab.brq.redhat.com> <4991D066.50308@redhat.com>
Message-ID: <1234378149.6516.13.camel@jgd-dsk>

On Tue, 2009-02-10 at 14:07 -0500, Rob Crittenden wrote:
> Jakub Hrozek wrote:
> >
>
> I'm going to ack this but I suspect we'll rework it later. This isn't a
> criticism of the implementation but 3rd party plugin authors aren't
> going to have a way to integrate the make_xxx_dn into the ldap backend.
>
> There must be a more generic way to do this than to write a slew of
> 2-line functions like we have now. But since you were just following the
> convention that Jason and I started let's get this in.

I think I was the one who started this bad convention, but I was just
starting to understand what we needed to do LDAP-wise.

How about something like this:

    def get_container(self, name):
        if name in self.etc:  # Need to implement this etc property
            return self.etc[name]
        return self.env['container_%s' % name]

    def make_dn(self, cn, container):
        return 'cn=%s,%s,%s' % (
            self.dn.escape_dn_chars(cn),
            self.get_container(container),
            self.api.env.basedn,
        )

I'm still planning on implementing a ldap.etc property that will
retrieve the cn=etc entry from ldap the first time it is accessed during
a given request, so that the entry is only pulled at most once per
request.

Anyway, if the container is found in the etc entry, that value is used.
Otherwise the static config/env value is used.

Does this sound reasonable? How are the container attributes named in
the etc entry?

> ack and pushed to master
>
> rob

From rcritten at redhat.com Wed Feb 11 18:55:58 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 11 Feb 2009 13:55:58 -0500
Subject: [Freeipa-devel] [PATCH] Add make_xxx_dn routines for policy
In-Reply-To: <1234378149.6516.13.camel@jgd-dsk>
References: <1234260798.9438.9.camel@jarilo.englab.brq.redhat.com> <4991D066.50308@redhat.com> <1234378149.6516.13.camel@jgd-dsk>
Message-ID: <49931F3E.6070101@redhat.com>

Jason Gerard DeRose wrote:
> On Tue, 2009-02-10 at 14:07 -0500, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>>
>> I'm going to ack this but I suspect we'll rework it later. This isn't a
>> criticism of the implementation but 3rd party plugin authors aren't
>> going to have a way to integrate the make_xxx_dn into the ldap backend.
>>
>> There must be a more generic way to do this than to write a slew of
>> 2-line functions like we have now. But since you were just following the
>> convention that Jason and I started let's get this in.
>
> I think I was the one who started this bad convention, but I was just
> starting to understand what we needed to do LDAP-wise.

No worries, I'm not passing any blame. When I added a 10th one I realized
a pattern had formed and that is always a time for optimization :-)

> How about something like this:
>
>     def get_container(self, name):
>         if name in self.etc:  # Need to implement this etc property
>             return self.etc[name]
>         return self.env['container_%s' % name]
>
>     def make_dn(self, cn, container):
>         return 'cn=%s,%s,%s' % (
>             self.dn.escape_dn_chars(cn),
>             self.get_container(container),
>             self.api.env.basedn,
>         )
>
> I'm still planning on implementing a ldap.etc property that will
> retrieve the cn=etc entry from ldap the first time it is accessed during
> a given request, so that the entry is only pulled at most once per
> request.

We aren't actually storing this stuff in LDAP yet nor am I sure how/if
we will. It does add a bit of flexibility but are these things ever
going to change (and on-the-fly)?

I'm not 100% sure all DNs are going to be this formulaic though we can
probably handle those as 1-offs and do the majority this way. Perhaps a
bit more generically like:

    def make_dn(self, attr, value, container):
        return '%s=%s,%s,%s' % (
            attr,
            self.dn.escape_dn_chars(value),
            self.get_container(container),
            self.api.env.basedn,
        )

> Anyway, if the container is found in the etc entry, that value is used.
> Otherwise the static config/env value is used.
>
> Does this sound reasonable? How are the container attributes named in
> the etc entry?

That's the tricky bit I guess. We would probably end up moving the
hardcoding from one place to another (in the form of LDAP attributes).

rob

From jderose at redhat.com Wed Feb 11 19:28:19 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Wed, 11 Feb 2009 12:28:19 -0700
Subject: [Freeipa-devel] [PATCH] Add make_xxx_dn routines for policy
In-Reply-To: <49931F3E.6070101@redhat.com>
References: <1234260798.9438.9.camel@jarilo.englab.brq.redhat.com> <4991D066.50308@redhat.com> <1234378149.6516.13.camel@jgd-dsk> <49931F3E.6070101@redhat.com>
Message-ID: <1234380499.6516.17.camel@jgd-dsk>

On Wed, 2009-02-11 at 13:55 -0500, Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
> > On Tue, 2009-02-10 at 14:07 -0500, Rob Crittenden wrote:
> >> Jakub Hrozek wrote:
> >>>
> >> I'm going to ack this but I suspect we'll rework it later. This isn't a
> >> criticism of the implementation but 3rd party plugin authors aren't
> >> going to have a way to integrate the make_xxx_dn into the ldap backend.
> >>
> >> There must be a more generic way to do this than to write a slew of
> >> 2-line functions like we have now. But since you were just following the
> >> convention that Jason and I started let's get this in.
> >
> > I think I was the one who started this bad convention, but I was just
> > starting to understand what we needed to do LDAP-wise.
>
> No worries, I'm not passing any blame. When I added a 10th one I realized
> a pattern had formed and that is always a time for optimization :-)
>
> > How about something like this:
> >
> >     def get_container(self, name):
> >         if name in self.etc:  # Need to implement this etc property
> >             return self.etc[name]
> >         return self.env['container_%s' % name]
> >
> >     def make_dn(self, cn, container):
> >         return 'cn=%s,%s,%s' % (
> >             self.dn.escape_dn_chars(cn),
> >             self.get_container(container),
> >             self.api.env.basedn,
> >         )
> >
> > I'm still planning on implementing a ldap.etc property that will
> > retrieve the cn=etc entry from ldap the first time it is accessed during
> > a given request, so that the entry is only pulled at most once per
> > request.
>
> We aren't actually storing this stuff in LDAP yet nor am I sure how/if
> we will. It does add a bit of flexibility but are these things ever
> going to change (and on-the-fly)?

Well, that makes this even easier. ;)

> I'm not 100% sure all DNs are going to be this formulaic though we can
> probably handle those as 1-offs and do the majority this way. Perhaps a
> bit more generically like:
>
>     def make_dn(self, attr, value, container):
>         return '%s=%s,%s,%s' % (
>             attr,
>             self.dn.escape_dn_chars(value),
>             self.get_container(container),
>             self.api.env.basedn,
>         )

Rob, are we currently doing anything that can't be captured by your
generalized method above? Regardless, capturing most of them is still a
big win.

> > Anyway, if the container is found in the etc entry, that value is used.
> > Otherwise the static config/env value is used.
> >
> > Does this sound reasonable? How are the container attributes named in
> > the etc entry?
>
> That's the tricky bit I guess. We would probably end up moving the
> hardcoding from one place to another (in the form of LDAP attributes).
>
> rob

From rcritten at redhat.com Wed Feb 11 22:14:05 2009
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 11 Feb 2009 17:14:05 -0500 Subject: [Freeipa-devel] [PATCH] 121 - Add new schema for v2 In-Reply-To: <1234301041.3787.67.camel@localhost.localdomain> References: <4991EBFF.2010302@redhat.com> <1234301041.3787.67.camel@localhost.localdomain> Message-ID: <49934DAD.1080906@redhat.com> Simo Sorce wrote: > On Tue, 2009-02-10 at 16:05 -0500, Rob Crittenden wrote: >> Incorporate new schema for IPAv2 >> >> Loading this via LDIF is a temporary measure until we can load it >> online. This requires removing the dNSRecord declarations from >> 05rfc2247.ldif so a replacement copy is included for now. >> >> Also add the netgroups container. > > ack. > pushed to master I did some testing today with the FDS tip and the problem I was having loading SUP entries online has been fixed. Once that has been released we can ditch this and load the schema online. I'll have some patches coming that makes this possible. I found a few problems while testing the new FDS code. rob From rcritten at redhat.com Wed Feb 11 22:14:14 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 11 Feb 2009 17:14:14 -0500 Subject: [Freeipa-devel] [PATCH] 122 - Remove detail message In-Reply-To: <1234301087.3787.68.camel@localhost.localdomain> References: <4991EC28.9070503@redhat.com> <1234301087.3787.68.camel@localhost.localdomain> Message-ID: <49934DB6.5040700@redhat.com> Simo Sorce wrote: > On Tue, 2009-02-10 at 16:05 -0500, Rob Crittenden wrote: >> Remove references to detail from exceptions in ipa-ldap-updater. >> This >> was used by the v1 exception system. > > ack > pushed to master From jhrozek at redhat.com Thu Feb 12 13:19:32 2009 
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 12 Feb 2009 14:19:32 +0100
Subject: [Freeipa-devel] [PATCH] Add make_xxx_dn routines for policy
In-Reply-To: <49931F3E.6070101@redhat.com>
References: <1234260798.9438.9.camel@jarilo.englab.brq.redhat.com> <4991D066.50308@redhat.com> <1234378149.6516.13.camel@jgd-dsk> <49931F3E.6070101@redhat.com>
Message-ID: <1234444772.8320.6.camel@jarilo.englab.brq.redhat.com>

On Wed, 2009-02-11 at 13:55 -0500, Rob Crittenden wrote:
> I'm not 100% sure all DNs are going to be this formulaic though we
> can
> probably handle those as 1-offs and do the majority this way. Perhaps
> a
> bit more generically like:
>
>     def make_dn(self, attr, value, container):
>         return '%s=%s,%s,%s' % (
>             attr,
>             self.dn.escape_dn_chars(value),
>             self.get_container(container),
>             self.api.env.basedn,
>         )

This looks good to me and would cover most of the cases. It's important
to have the 'attr' attribute generic as not all dn's start with cn=
(most policy related ones actually start with ipaUniqueID=).

Jakub

From sgallagh at redhat.com Thu Feb 12 13:39:51 2009
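The generic make_dn sketched in the thread above, as an added stand-alone example (not code from the thread or from FreeIPA). It shows why the value must be escaped and why the now caller-supplied attribute name needs validating, since it is interpolated unescaped. The class name DNBuilder, the container values and the base DN are constructed for illustration, and escape_dn_value is a local RFC 4514 escaper standing in for the self.dn.escape_dn_chars call used in the thread.

```python
import re

# RFC 4512 attribute descriptor: a letter followed by letters, digits, hyphens.
ATTR_DESCR = re.compile(r'[A-Za-z][A-Za-z0-9-]*')

# Characters that must be backslash-escaped anywhere in a DN value
# (RFC 4514); '=' is escaped too, which is permitted and unambiguous.
SPECIAL = '\\,+"<>;='


def escape_dn_value(value):
    """Escape one attribute value for embedding in a DN string."""
    out = []
    for ch in value:
        if ch == '\x00':
            out.append('\\00')        # NUL is written as a hex pair
        elif ch in SPECIAL:
            out.append('\\' + ch)
        else:
            out.append(ch)
    # A leading space or '#' and a trailing space are significant in a DN.
    if out and value[0] in ' #':
        out[0] = '\\' + value[0]
    if len(value) > 1 and value[-1] == ' ':
        out[-1] = '\\ '
    return ''.join(out)


class DNBuilder:
    """Hypothetical holder for the two lookups discussed in the thread."""

    def __init__(self, basedn, env, etc=None):
        self.basedn = basedn          # stands in for api.env.basedn
        self.env = env                # static config: 'container_<name>' keys
        self.etc = etc or {}          # per-request overrides (the cn=etc idea)

    def get_container(self, name):
        # An override from the etc entry wins; otherwise use static config.
        if name in self.etc:
            return self.etc[name]
        return self.env['container_%s' % name]

    def make_dn(self, attr, value, container):
        # attr is not escaped, so it must be a plain attribute descriptor;
        # otherwise a caller-supplied attr could add or reorder RDNs.
        if not ATTR_DESCR.fullmatch(attr):
            raise ValueError('invalid attribute name: %r' % attr)
        return '%s=%s,%s,%s' % (
            attr,
            escape_dn_value(value),
            self.get_container(container),
            self.basedn,
        )


if __name__ == '__main__':
    # Constructed sample configuration, not FreeIPA's real containers.
    builder = DNBuilder(
        'dc=example,dc=com',
        {'container_user': 'cn=users,cn=accounts',
         'container_policy': 'cn=policies'},
        etc={'policy': 'cn=policies,cn=etc'},
    )
    print(builder.make_dn('uid', 'jdoe', 'user'))
    # A value carrying DN metacharacters stays a single RDN value.
    print(builder.make_dn('cn', 'x,cn=admins', 'user'))
    print(builder.make_dn('ipaUniqueID', 'abc-123', 'policy'))
```
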
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 12 Feb 2009 08:39:51 -0500 Subject: [Freeipa-devel] [PATCHES] Support for RPM generation in SSSD Message-ID: <499426A7.8090708@redhat.com> These three patches provide beginning support for generating RPMs from the SSSD source tree. They are based on the Samba/LDB spec files. I also had to make a few modifications to our build tree to allow this. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Fixing-TDB-autoconf-macros-to-require-version-1.1.3.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0002-Build-system-modifications-to-simplify-RPM-generatio.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0003-Adding-support-for-generating-RPMS-for-sssd.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From sgallagh at redhat.com Thu Feb 12 13:40:40 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 12 Feb 2009 08:40:40 -0500 Subject: [Freeipa-devel] [PATCHES] Support for POSIX group creation and manipulation in the SSSD Message-ID: <499426D8.3090001@redhat.com> Adds support for POSIX groups to the SSSD, as well as the beginnings of a unit test framework to verify the functionality. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0004-Adding-sysdb_store_group_posix-with-unit-test.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0005-Adding-sysdb_add_acct_to_posix_group-and-associated.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0006-Add-sysdb_add_group_to_posix_group-refactored.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0007-Add-support-for-removing-members-from-groups.-Update.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0008-Added-sysdb_remove_group_posix-and-sysdb_remove_grou.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From rcritten at redhat.com Thu Feb 12 14:24:11 2009 
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 12 Feb 2009 09:24:11 -0500
Subject: [Freeipa-devel] [PATCHES] Support for RPM generation in SSSD
In-Reply-To: <499426A7.8090708@redhat.com>
References: <499426A7.8090708@redhat.com>
Message-ID: <4994310B.4050300@redhat.com>

Stephen Gallagher wrote:
> These three patches provide beginning support for generating RPMs from
> the SSSD source tree. They are based on the Samba/LDB spec files. I also
> had to make a few modifications to our build tree to allow this.
>

With my rpm-reviewer hat on:

- Just a nit, but you have a variable named 'tarball_name' that doesn't
  contain the .tar extension :-) Does it really provide clarity to have
  these separate variables?
- You probably don't need explicit library Requires: libtalloc,
  libtevent, etc. rpm should add those.
- I don't think you need/want separate Version/Release for subpackages.
- For the infopipe package do you need the -n 'sssd-' part?
- In %setup it looks like tarball_name just mirrors other variables. I
  suspect that plain setup -q would work.
- For all the %post/%postun I think it is recommended to have that on a
  single line like: % post -p /sbin/ldconfig
- You should add: Requires(post): /sbin/ldconfig
- For the configure call I'd replace /etc with %{_sysconfdir} and /usr
  with %{_usr}
- There is no changelog

For the other patches, should there be a distclean target at the top-level?

Otherwise the code looks ok to me but I'm not that familiar with SSSD.

rob

From ssorce at redhat.com Thu Feb 12 14:52:47 2009
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 12 Feb 2009 09:52:47 -0500 Subject: [Freeipa-devel] [PATCHES] Support for RPM generation in SSSD In-Reply-To: <4994310B.4050300@redhat.com> References: <499426A7.8090708@redhat.com> <4994310B.4050300@redhat.com> Message-ID: <1234450367.2488.34.camel@localhost.localdomain> Adding to rob comments. On Thu, 2009-02-12 at 09:24 -0500, Rob Crittenden wrote: > Stephen Gallagher wrote: > > These three patches provide beginning support for generating RPMs from > > the SSSD source tree. They are based on the Samba/LDB spec files. I also > > had to make a few modifications to our build tree to allow this. > > > > With my rpm-reviewer hat on: > > - Just a nit, but you have a variable named 'tarball_name' that doesn't > contain the .tar extension :-) Does it really provide clarity to have > these separate variables? Why do we have the pre_release thing at all, given we are using 0.9x we probably do not need that. > - You probably don't need explicit library Requires: libtalloc, > libtevent, etc. rpm should add those. At the same time why are libtevent-devel and libldb-devel commented ? > - I don't think you need/want separate Version/Release for subpackages. I am not sure why we have subpackages at all, what do we gain from shipping infopipe and polkit in separate packages? > - For the infopipe package do you need the -n 'sssd-' part? > - In %setup it looks like tarball_name just mirrors other variables. I > suspect that plaint setup -q would work. I think so too. > - For all the %post/%postun I think it is recommended to have that on a > single like like: % post -p /sbin/ldconfig > - You should add: Requires(post): /sbin/ldconfig > - For the configure call I'd replace /etc with %{_sysconfdir} and /usr > with %{_usr} > - There is no changelog Agree on the rest, I am also unclear about the complex path created in 'Buildroot:' > For the other patches, should there be a distclean target at the top-level? 
It wouldn't be bad, but we can add this in another patchset. > Otherwise the code looks ok to me but I'm not that familiar with SSSD. Looking at the code now. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Thu Feb 12 15:03:30 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 12 Feb 2009 10:03:30 -0500 Subject: [Freeipa-devel] [PATCHES] Support for RPM generation in SSSD In-Reply-To: <1234450367.2488.34.camel@localhost.localdomain> References: <499426A7.8090708@redhat.com> <4994310B.4050300@redhat.com> <1234450367.2488.34.camel@localhost.localdomain> Message-ID: <49943A42.6000902@redhat.com> Simo Sorce wrote: > Adding to rob comments. > > On Thu, 2009-02-12 at 09:24 -0500, Rob Crittenden wrote: >> Stephen Gallagher wrote: >>> These three patches provide beginning support for generating RPMs from >>> the SSSD source tree. They are based on the Samba/LDB spec files. I also >>> had to make a few modifications to our build tree to allow this. >>> >> With my rpm-reviewer hat on: >> >> - Just a nit, but you have a variable named 'tarball_name' that doesn't >> contain the .tar extension :-) Does it really provide clarity to have >> these separate variables? > > Why do we have the pre_release thing at all, given we are using 0.9x we > probably do not need that. > >> - You probably don't need explicit library Requires: libtalloc, >> libtevent, etc. rpm should add those. > > At the same time why are libtevent-devel and libldb-devel commented ? > >> - I don't think you need/want separate Version/Release for subpackages. > > I am not sure why we have subpackages at all, what do we gain from > shipping infopipe and polkit in separate packages? > >> - For the infopipe package do you need the -n 'sssd-' part? >> - In %setup it looks like tarball_name just mirrors other variables. I >> suspect that plaint setup -q would work. > > I think so too. 
> >> - For all the %post/%postun I think it is recommended to have that on a >> single like like: % post -p /sbin/ldconfig >> - You should add: Requires(post): /sbin/ldconfig >> - For the configure call I'd replace /etc with %{_sysconfdir} and /usr >> with %{_usr} >> - There is no changelog > > Agree on the rest, I am also unclear about the complex path created in > 'Buildroot:' The default one from rpmdev-newspec is probably preferred: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) rob From ssorce at redhat.com Thu Feb 12 15:32:55 2009 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 12 Feb 2009 10:32:55 -0500 Subject: [Freeipa-devel] [PATCHES] Support for POSIX group creation and manipulation in the SSSD In-Reply-To: <499426D8.3090001@redhat.com> References: <499426D8.3090001@redhat.com> Message-ID: <1234452775.2488.35.camel@localhost.localdomain> On Thu, 2009-02-12 at 08:40 -0500, Stephen Gallagher wrote: > Adds support for POSIX groups to the SSSD, as well as the beginnings > of > a unit test framework to verify the functionality. I'll push this one. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Thu Feb 12 18:16:23 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 12 Feb 2009 13:16:23 -0500 Subject: [Freeipa-devel] [PATCH] remove unnecessary schema updates Message-ID: <49946777.8010607@redhat.com> This removes hosts.update and the schema part from automount.update. The schema is now handled via the LDIF we are copying. rob -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: freeipa-123-schema.patch URL: From ssorce at redhat.com Thu Feb 12 20:50:48 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 12 Feb 2009 15:50:48 -0500 Subject: [Freeipa-devel] [PATCH] remove unnecessary schema updates In-Reply-To: <49946777.8010607@redhat.com> References: <49946777.8010607@redhat.com> Message-ID: <1234471848.2488.58.camel@localhost.localdomain> On Thu, 2009-02-12 at 13:16 -0500, Rob Crittenden wrote: > This removes hosts.update and the schema part from automount.update. > The > schema is now handled via the LDIF we are copying. ack -- Simo Sorce * Red Hat, Inc * New York From sgallagh at redhat.com Thu Feb 12 20:59:48 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 12 Feb 2009 15:59:48 -0500 Subject: [Freeipa-devel] [PATCHES] Support for RPM generation in SSSD In-Reply-To: <49943A42.6000902@redhat.com> References: <499426A7.8090708@redhat.com> <4994310B.4050300@redhat.com> <1234450367.2488.34.camel@localhost.localdomain> <49943A42.6000902@redhat.com> Message-ID: <49948DC4.3090402@redhat.com> Rob Crittenden wrote: > Simo Sorce wrote: >> Adding to rob comments. >> >> On Thu, 2009-02-12 at 09:24 -0500, Rob Crittenden wrote: >>> Stephen Gallagher wrote: >>>> These three patches provide beginning support for generating RPMs from >>>> the SSSD source tree. They are based on the Samba/LDB spec files. I >>>> also >>>> had to make a few modifications to our build tree to allow this. >>>> >>> With my rpm-reviewer hat on: >>> >>> - Just a nit, but you have a variable named 'tarball_name' that >>> doesn't contain the .tar extension :-) Does it really provide clarity >>> to have these separate variables? >> >> Why do we have the pre_release thing at all, given we are using 0.9x we >> probably do not need that. >> >>> - You probably don't need explicit library Requires: libtalloc, >>> libtevent, etc. rpm should add those. >> >> At the same time why are libtevent-devel and libldb-devel commented ? >> >>> - I don't think you need/want separate Version/Release for subpackages. >> >> I am not sure why we have subpackages at all, what do we gain from >> shipping infopipe and polkit in separate packages? >> >>> - For the infopipe package do you need the -n 'sssd-' part? >>> - In %setup it looks like tarball_name just mirrors other variables. >>> I suspect that plaint setup -q would work. >> >> I think so too. 
>> >>> - For all the %post/%postun I think it is recommended to have that on >>> a single like like: % post -p /sbin/ldconfig >>> - You should add: Requires(post): /sbin/ldconfig >>> - For the configure call I'd replace /etc with %{_sysconfdir} and >>> /usr with %{_usr} >>> - There is no changelog >> >> Agree on the rest, I am also unclear about the complex path created in >> 'Buildroot:' > > The default one from rpmdev-newspec is probably preferred: > > %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) > > rob New patch attached with recommended changes. Please re-review. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Adding-support-for-generating-RPMS-for-sssd.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From rcritten at redhat.com Thu Feb 12 21:06:38 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 12 Feb 2009 16:06:38 -0500 Subject: [Freeipa-devel] [PATCH] remove unnecessary schema updates In-Reply-To: <1234471848.2488.58.camel@localhost.localdomain> References: <49946777.8010607@redhat.com> <1234471848.2488.58.camel@localhost.localdomain> Message-ID: <49948F5E.2020306@redhat.com> Simo Sorce wrote: > On Thu, 2009-02-12 at 13:16 -0500, Rob Crittenden wrote: >> This removes hosts.update and the schema part from automount.update. >> The >> schema is now handled via the LDIF we are copying. > > ack > pushed to master From jhrozek at redhat.com Fri Feb 13 13:49:53 2009 
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 13 Feb 2009 14:49:53 +0100
Subject: [Freeipa-devel] [PATCH] Install policy schema
Message-ID: <1234532993.1153.289.camel@jarilo.englab.brq.redhat.com>

Incorporate policy schema for IPAv2.

This adds all the objectclasses and attributetypes that are needed for
policy. Also bootstraps the DIT for policy objects.

As a side effect, makes the application plugin that was added earlier
this week actually work out of the box :-)

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Install-policy-schema.patch
Type: text/x-patch
Size: 9417 bytes
Desc: not available
URL:

From pzuna at redhat.com Fri Feb 13 16:04:47 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Fri, 13 Feb 2009 17:04:47 +0100
Subject: [Freeipa-devel] [PATCH] fix two minor bugs in LDAP backend plugin
Message-ID: <49959A1F.9070207@redhat.com>

This should fix two minor bugs I found in the LDAP backend plugin.

retrieve method should now correctly return None when no entry is found
as documented at:
http://freeipa.org/developer-docs/ipaserver.plugins.b_ldap.ldap-class.html#retrieve

search method seemed to generate invalid filters when no entry
attributes were specified, making it impossible to, for example, search
for all entries of a certain type or all entries with a common parent.

Pavel
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Fix-two-minor-bugs-in-the-LDAP-backend-plugin.patch
URL:

From jhrozek at redhat.com Fri Feb 13 16:41:16 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 13 Feb 2009 17:41:16 +0100
Subject: [Freeipa-devel] [PATCH] Catch errors.EmptyModlist in b_ldap
Message-ID: <1234543276.1153.349.camel@jarilo.englab.brq.redhat.com>

I think we shouldn't let an EmptyModlist exception propagate all the way
up to ldap.update(). The method is usually used in frontend plugins, like
classes that derive from crud.Mod, where modifying a record to the same
attributes can be done pretty easily, so all the crud.Mod plugins would
have to catch that exception anyway.

The attached patch modifies ldap.update to return None if no
modification was done.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Return-None-instead-of-EmptyModlist-in-ldap.update.patch
Type: text/x-patch
Size: 1091 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Feb 13 18:04:00 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 13 Feb 2009 13:04:00 -0500
Subject: [Freeipa-devel] [PATCH] Install policy schema
In-Reply-To: <1234532993.1153.289.camel@jarilo.englab.brq.redhat.com>
References: <1234532993.1153.289.camel@jarilo.englab.brq.redhat.com>
Message-ID: <4995B610.6070908@redhat.com>

Jakub Hrozek wrote:
> Incorporate policy schema for IPAv2.
>
> This adds all the objectclasses and attributetypes that are needed for
> policy. Also bootstraps the DIT for policy objects.
>
> As a side effect, makes the application plugin that was added earlier
> this week actually work out of the box :-)
>
> Jakub

ack and pushed to master

rob

From rcritten at redhat.com Fri Feb 13 18:11:17 2009
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 13 Feb 2009 13:11:17 -0500 Subject: [Freeipa-devel] [PATCH] Catch errors.EmptyModlist in b_ldap In-Reply-To: <1234543276.1153.349.camel@jarilo.englab.brq.redhat.com> References: <1234543276.1153.349.camel@jarilo.englab.brq.redhat.com> Message-ID: <4995B7C5.8070808@redhat.com> Jakub Hrozek wrote: > I think we shouldn't let an EmptyModlist exception propagate all the way > up to ldap.update(). The method is usually used in fronted plugins, like > classes that derive from crud.Mod, where modifying an record to the same > attributes can be done pretty easily, so all the crud.Mod plugins would > have to catch that exception anyway. > > The attached patch modifies ldap.update to return None if no > modification was done. I think this is ok but I want to ponder it a little. How do you plan to alert the user that nothing changed? In other words, if you have to do a test against None to see if an error was returned, why not just catch the exception? Or should we use a different exception, one that hides more of the details? rob From jderose at redhat.com Fri Feb 13 21:34:19 2009 
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Fri, 13 Feb 2009 14:34:19 -0700
Subject: [Freeipa-devel] [PATCHES] jderose 0009-0019
Message-ID: <1234560859.9000.35.camel@jgd-dsk>

These patches finish my (initial) cleanup and testing of Andrew's
request authority plugins. These have been tested against a CA server
Andrew has running (only accessible inside Red Hat firewall). The tests
I ran aren't exhaustive by any means, but it's a start.

A few other noteworthy changes:

1) I added a mechanism for an entire plugin module to be conditionally
loaded. Previously individual plugins (classes) could be conditionally
registered, but there wasn't a way to conditionally skip the entire
module. Now you can raise errors2.SkipPluginModule.

For example, if your plugin is included in the built-in freeIPA plugins
but is only optionally enabled, you can use SkipPluginModule so that
nothing in your module after the point where you raise SkipPluginModule
gets processed:

    from ipalib import api, SkipPluginModule
    if api.env.enable_ra is not True:
        # In this case, abort loading this plugin module...
        raise SkipPluginModule(reason='env.enable_ra is not True')

    # The remaining is only processed when env.enable_ra is True...

    # So we don't get an import error here!
    import not_installed_python_package

2) I added a place-holder directory for integration tests: checks/
Inside is my still rather hacky check-ra.py script I was using to test
the ra backend plugin. I'll send another email shortly with some
thoughts about integration testing.


P.S.: I put the patches in a tarball because it seems that Evolution is
Windows-ifying the line endings in my attachments.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jderose.0009-0019.tar.gz
Type: application/x-compressed-tar
Size: 13715 bytes
Desc: not available
URL:

From jhrozek at redhat.com Mon Feb 16 10:02:47 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 16 Feb 2009 11:02:47 +0100
Subject: [Freeipa-devel] [PATCH] Catch errors.EmptyModlist in b_ldap
In-Reply-To: <4995B7C5.8070808@redhat.com>
References: <1234543276.1153.349.camel@jarilo.englab.brq.redhat.com> <4995B7C5.8070808@redhat.com>
Message-ID: <1234778567.11390.49.camel@jarilo.englab.brq.redhat.com>

On Fri, 2009-02-13 at 13:11 -0500, Rob Crittenden wrote:
> Jakub Hrozek wrote:
> > I think we shouldn't let an EmptyModlist exception propagate all the way
> > up to ldap.update(). The method is usually used in frontend plugins, like
> > classes that derive from crud.Mod, where modifying a record to the same
> > attributes can be done pretty easily, so all the crud.Mod plugins would
> > have to catch that exception anyway.
> >
> > The attached patch modifies ldap.update to return None if no
> > modification was done.
>
> I think this is ok but I want to ponder it a little. How do you plan to
> alert the user that nothing changed? In other words, if you have to do a
> test against None to see if an error was returned, why not just catch
> the exception?

I was using the code like this:

class object_mod(crud.Mod):
    def execute():
        # do stuff
        return ldap.update(dn, **modkw)

    def output_for_cli(self, textui, result, key, **options):
        if result:
            textui.print_entry(result)
        else:
            textui.print_plain("No modification")

Before, I caught the exception, set the return value to None and used
the same output_for_cli()..so I figured that if I'm putting this
try..except around pretty much every ldap.update() I might as well move
it into the method..while retaining the "nothing changed" information by
using the return value.

On the other hand, the documentation[1] says that ldap.update() should
return None when no such entry exists..so maybe raising the exception is
the right thing to do. I just think that the exception should never get
all the way to the user as it's trivially invoked (call two
modifications with the same parameters)

> Or should we use a different exception, one that hides more of the details?
>
> rob

OK, what about a PublicError-derived exception..that would be caught in
the marshalled_dispatch() in a similar way NotFound or DuplicateEntry
are handled? (Hope this is not a dumb proposal..I must say the
difference between errors and errors2 isn't all that clear to me..)

Jakub

From sgallagh at redhat.com Mon Feb 16 16:12:04 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 16 Feb 2009 11:12:04 -0500
Subject: [Freeipa-devel] [PATCH] [SSSD] Modify sbus_message_handler to return DBUS_ERROR_UNKNOWN_METHOD when appropriate
Message-ID: <49999054.4070506@redhat.com>

Modifying sbus_message_handler to return DBUS_ERROR_UNKNOWN_METHOD when
the requested method is not registered with the message handler.
Previously, we returned DBUS_HANDLER_RESULT_HANDLED with no indication
that nothing had happened.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Modifying-sbus_message_handler-to-return-DBUS_ERROR_.patch
URL:

From rcritten at redhat.com Mon Feb 16 20:41:03 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 16 Feb 2009 15:41:03 -0500
Subject: [Freeipa-devel] [PATCH] make parentmap an autofill var, add more tests
Message-ID: <4999CF5F.80007@redhat.com>

The helper function automount-addindirectmap does a lot of work in the
backend. It is supposed to assume that the new map is being attached to
auto.master but the variable wasn't set with the newish autofill option.
Set this option and add some tests where parentmap isn't specified.

rob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-124-automount.patch
URL:

From rcritten at redhat.com Mon Feb 16 20:44:23 2009
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 16 Feb 2009 15:44:23 -0500 Subject: [Freeipa-devel] [PATCH] Catch errors.EmptyModlist in b_ldap In-Reply-To: <1234778567.11390.49.camel@jarilo.englab.brq.redhat.com> References: <1234543276.1153.349.camel@jarilo.englab.brq.redhat.com> <4995B7C5.8070808@redhat.com> <1234778567.11390.49.camel@jarilo.englab.brq.redhat.com> Message-ID: <4999D027.5090608@redhat.com> Jakub Hrozek wrote: > On Fri, 2009-02-13 at 13:11 -0500, Rob Crittenden wrote: >> Jakub Hrozek wrote: >>> I think we shouldn't let an EmptyModlist exception propagate all the way >>> up to ldap.update(). The method is usually used in fronted plugins, like >>> classes that derive from crud.Mod, where modifying an record to the same >>> attributes can be done pretty easily, so all the crud.Mod plugins would >>> have to catch that exception anyway. >>> >>> The attached patch modifies ldap.update to return None if no >>> modification was done. >> I think this is ok but I want to ponder it a little. How do you plan to >> alert the user that nothing changed? In other words, if you have to do a >> test against None to see if an error was returned, why not just catch >> the exception? > > I was using the code like this: > > class object_mod(crud.Mod): > def execute(): > # do stuff > return ldap.update(dn, **modkw) > > def output_for_cli(self, textui, result, key, **options): > if result: > textui.print_entry(result) > else: > textui.print_plain("No modification") > > Before, I caught the exception, set the return value to None and used > the same output_for_cli()..so I figured that if I'm putting this > try..except around pretty much every ldap.update() I might as well move > it into the method..while retaining the "nothing changed" information by > using the return value. > > On the other hand, the documentation[1] says that ldap.update() should > return None when no such entry exists..so maybe raising the exception is > the right thing to do. 
I just think that the exception should never get > all the way to the user as it's trivially invoked (call two > modifications with the same parameters) > >> Or should we use a different exception, one that hides more of the details? >> >> rob > > OK, what about a PublicError-derived exception..that would be caught in > the marshalled_dispatch() in a similar way NotFound or DuplicateEntry > are handled? (Hope this is not a dumb proposal..I must say the > difference between errors and errors2 isn't all that clear to me..) > This sounds ok. I think Jason has plans to unify these again. IIRC the original separation was due to Public/Private errors. rob From rcritten at redhat.com Mon Feb 16 20:50:31 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 16 Feb 2009 15:50:31 -0500 Subject: [Freeipa-devel] [PATCHES] jderose 0009-0019 In-Reply-To: <1234560859.9000.35.camel@jgd-dsk> References: <1234560859.9000.35.camel@jgd-dsk> Message-ID: <4999D197.7090200@redhat.com> Jason Gerard DeRose wrote: > These patches finish my (initial) cleanup and testing of Andrew's > request authority plugins. These have been tested against a CA server > Andrew has running (only accessible inside Red Hat firewall). The tests > I ran aren't exhaustive by any means, but it's a start. > > A few other noteworthy changes: > > 1) I added a mechanism for an entire plugin module to be conditionally > loaded. Previously individual plugins (classes) could be conditionally > registered, but there wasn't a way to conditionally skip the entire > module. Now you can raise errors2.SkipPluginModule. > > For example, if your plugin is included in the built-in freeIPA plugins > but is only optionally enabled, you can use SkipPluginModule so that > nothing in your module after the point where you raise SkipPluginModule > gets processed: > > from ipalib import api, SkipPluginModule > if api.env.enable_ra is not True: > # In this case, abort loading this plugin module... > raise SkipPluginModule(reason='env.enable_ra is not True') > > # The remaining is only processed when env.enable_ra is True... > > # So we don't get an import error here! > import not_installed_python_package > > 2) I added a place-holder directory for integration tests: checks/ > Inside is my still rather hacky check-ra.py script I was using to test > the ra backend plugin. I'll send another email shortly with some > thoughts about integration testing. > > > P.S.: I put the patches in a tarball because it seems that Evolution is > Windows-ifying the line endings in my attachments. I'm having a really hard time reviewing these since the patches aren't cumulative but build upon each other. 
Since patches 0001-0007 haven't been applied yet it isn't possible to cleanly apply these either. I'll see if I can slurp them all in together and make a single, unified patch so I can see what is going on. In the meantime we need to get the 1-7 patches imported. I had just a couple of comments. rob From sgallagh at redhat.com Mon Feb 16 20:54:27 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 16 Feb 2009 15:54:27 -0500 Subject: [Freeipa-devel] [PATCH] [SSSD] Enhancements and bugfixes to util/btreemap.c Message-ID: <4999D283.5060206@redhat.com> 1) Remove useless and unused btreemap_new() 2) Fix potentially serious memory allocation error. btreemap now requires a TALLOC_CTX to be passed in for assignment to the top node of the tree. Previously it was creating a new root TALLOC_CTX 3) Add new function btreemap_get_keys that will return a sorted array (newly allocated using talloc_realloc()) of keys (const void *) 4) Change the btreemap to use (const void *) keys instead of (void *) -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Enhancements-and-bugfixes-to-util-btreemap.c.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From rcritten at redhat.com Mon Feb 16 21:05:28 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 16 Feb 2009 16:05:28 -0500 Subject: [Freeipa-devel] [PATCHES] jderose 0009-0019 In-Reply-To: <4999D197.7090200@redhat.com> References: <1234560859.9000.35.camel@jgd-dsk> <4999D197.7090200@redhat.com> Message-ID: <4999D518.3010302@redhat.com> Rob Crittenden wrote: > Jason Gerard DeRose wrote: >> These patches finish my (initial) cleanup and testing of Andrew's >> request authority plugins. These have been tested against a CA server >> Andrew has running (only accessible inside Red Hat firewall). The tests >> I ran aren't exhaustive by any means, but it's a start. >> >> A few other noteworthy changes: >> >> 1) I added a mechanism for an entire plugin module to be conditionally >> loaded. Previously individual plugins (classes) could be conditionally >> registered, but there wasn't a way to conditionally skip the entire >> module. Now you can raise errors2.SkipPluginModule. >> >> For example, if your plugin is included in the built-in freeIPA plugins >> but is only optionally enabled, you can use SkipPluginModule so that >> nothing in your module after the point where you raise SkipPluginModule >> gets processed: >> >> from ipalib import api, SkipPluginModule >> if api.env.enable_ra is not True: >> # In this case, abort loading this plugin module... >> raise SkipPluginModule(reason='env.enable_ra is not True') >> # The remaining is only processed when env.enable_ra >> is True... >> # So we don't get an import error here! >> import not_installed_python_package >> >> 2) I added a place-holder directory for integration tests: checks/ >> Inside is my still rather hacky check-ra.py script I was using to test >> the ra backend plugin. I'll send another email shortly with some >> thoughts about integration testing. >> >> >> P.S.: I put the patches in a tarball because it seems that Evolution is >> Windows-ifying the line endings in my attachments. 
>
> I'm having a really hard time reviewing these since the patches aren't
> cumulative but build upon each other. Since patches 0001-0007 haven't
> been applied yet it isn't possible to cleanly apply these either.
>
> I'll see if I can slurp them all in together and make a single, unified
> patch so I can see what is going on.
>
> In the meantime we need to get the 1-7 patches imported. I had just a
> couple of comments.
>
> rob

Ok, that actually worked out fairly well but I'll have to address things
indirectly.

I think that all command-arguments should have a help option to describe
what it does. This affects all the functions in cert.py.

ipaserver/plugins/ra.py:_request() doesn't close the connection on an
exception

ipaserver/plugins/ra.py:__create_* should probably verify that
permissions are appropriate (probably 600).

I think that a lot of things in ra.py will be pulled out at some point
as they are run-once type functions that will be executed at install
time.

rob

From ssorce at redhat.com Tue Feb 17 01:35:10 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 16 Feb 2009 20:35:10 -0500
Subject: [Freeipa-devel] [PATCH] [SSSD] Enhancements and bugfixes to util/btreemap.c
In-Reply-To: <4999D283.5060206@redhat.com>
References: <4999D283.5060206@redhat.com>
Message-ID: <1234834511.4449.13.camel@localhost.localdomain>

On Mon, 2009-02-16 at 15:54 -0500, Stephen Gallagher wrote:
> 1) Remove useless and unused btreemap_new()
>
> 2) Fix potentially serious memory allocation error. btreemap now
> requires a TALLOC_CTX to be passed in for assignment to the top node of
> the tree. Previously it was creating a new root TALLOC_CTX
>
> 3) Add new function btreemap_get_keys that will return a sorted array
> (newly allocated using talloc_realloc()) of keys (const void *)
>
> 4) Change the btreemap to use (const void *) keys instead of (void *)

ack and pushed

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Feb 17 01:35:21 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 16 Feb 2009 20:35:21 -0500
Subject: [Freeipa-devel] [PATCH] [SSSD] Modify sbus_message_handler to return DBUS_ERROR_UNKNOWN_METHOD when appropriate
In-Reply-To: <49999054.4070506@redhat.com>
References: <49999054.4070506@redhat.com>
Message-ID: <1234834521.4449.14.camel@localhost.localdomain>

On Mon, 2009-02-16 at 11:12 -0500, Stephen Gallagher wrote:
> Modifying sbus_message_handler to return DBUS_ERROR_UNKNOWN_METHOD when
> the requested method is not registered with the message handler.
> Previously, we returned DBUS_HANDLER_RESULT_HANDLED with no indication
> that nothing had happened.

ack and pushed

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Feb 17 07:49:53 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 17 Feb 2009 07:49:53 +0000
Subject: [Freeipa-devel] [PATCH] Add optional support for enumeration and group retrieval in sssd_nss
Message-ID: <1234856993.4449.16.camel@localhost.localdomain>

It's certainly not perfect, but should be good enough and a jump start
for other work needed in the dp and the backends

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-support-for-fetching-groups-in-nss.patch
Type: text/x-patch
Size: 35292 bytes
Desc: not available
URL:

From jderose at redhat.com Tue Feb 17 19:08:48 2009
From: jderose at redhat.com (Jason Gerard DeRose) Date: Tue, 17 Feb 2009 12:08:48 -0700 Subject: [Freeipa-devel] [PATCHES] jderose 0009-0019 In-Reply-To: <4999D197.7090200@redhat.com> References: <1234560859.9000.35.camel@jgd-dsk> <4999D197.7090200@redhat.com> Message-ID: <1234897728.7973.12.camel@jgd-lap> On Mon, 2009-02-16 at 15:50 -0500, Rob Crittenden wrote: > Jason Gerard DeRose wrote: > > These patches finish my (initial) cleanup and testing of Andrew's > > request authority plugins. These have been tested against a CA server > > Andrew has running (only accessible inside Red Hat firewall). The tests > > I ran aren't exhaustive by any means, but it's a start. > > > > A few other noteworthy changes: > > > > 1) I added a mechanism for an entire plugin module to be conditionally > > loaded. Previously individual plugins (classes) could be conditionally > > registered, but there wasn't a way to conditionally skip the entire > > module. Now you can raise errors2.SkipPluginModule. > > > > For example, if your plugin is included in the built-in freeIPA plugins > > but is only optionally enabled, you can use SkipPluginModule so that > > nothing in your module after the point where you raise SkipPluginModule > > gets processed: > > > > from ipalib import api, SkipPluginModule > > if api.env.enable_ra is not True: > > # In this case, abort loading this plugin module... > > raise SkipPluginModule(reason='env.enable_ra is not True') > > > > # The remaining is only processed when env.enable_ra is True... > > > > # So we don't get an import error here! > > import not_installed_python_package > > > > 2) I added a place-holder directory for integration tests: checks/ > > Inside is my still rather hacky check-ra.py script I was using to test > > the ra backend plugin. I'll send another email shortly with some > > thoughts about integration testing. 
> > > > > > P.S.: I put the patches in a tarball because it seems that Evolution is > > Windows-ifying the line endings in my attachments. > > I'm having a really hard time reviewing these since the patches aren't > cumulative but build upon each other. Since patches 0001-0007 haven't > been applied yet it isn't possible to cleanly apply these either. > > I'll see if I can slurp them all in together and make a single, unified > patch so I can see what is going on. Am I not submitting them correctly? What should I do differently? > In the meantime we need to get the 1-7 patches imported. I had just a > couple of comments. > > rob -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part URL: From rcritten at redhat.com Tue Feb 17 19:23:25 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 17 Feb 2009 14:23:25 -0500 Subject: [Freeipa-devel] [PATCHES] jderose 0009-0019 In-Reply-To: <1234897728.7973.12.camel@jgd-lap> References: <1234560859.9000.35.camel@jgd-dsk> <4999D197.7090200@redhat.com> <1234897728.7973.12.camel@jgd-lap> Message-ID: <499B0EAD.2060006@redhat.com> Jason Gerard DeRose wrote: > On Mon, 2009-02-16 at 15:50 -0500, Rob Crittenden wrote: >> Jason Gerard DeRose wrote: >>> These patches finish my (initial) cleanup and testing of Andrew's >>> request authority plugins. These have been tested against a CA server >>> Andrew has running (only accessible inside Red Hat firewall). The tests >>> I ran aren't exhaustive by any means, but it's a start. >>> >>> A few other noteworthy changes: >>> >>> 1) I added a mechanism for an entire plugin module to be conditionally >>> loaded. Previously individual plugins (classes) could be conditionally >>> registered, but there wasn't a way to conditionally skip the entire >>> module. Now you can raise errors2.SkipPluginModule. >>> >>> For example, if your plugin is included in the built-in freeIPA plugins >>> but is only optionally enabled, you can use SkipPluginModule so that >>> nothing in your module after the point where you raise SkipPluginModule >>> gets processed: >>> >>> from ipalib import api, SkipPluginModule >>> if api.env.enable_ra is not True: >>> # In this case, abort loading this plugin module... >>> raise SkipPluginModule(reason='env.enable_ra is not True') >>> >>> # The remaining is only processed when env.enable_ra is True... >>> >>> # So we don't get an import error here! >>> import not_installed_python_package >>> >>> 2) I added a place-holder directory for integration tests: checks/ >>> Inside is my still rather hacky check-ra.py script I was using to test >>> the ra backend plugin. I'll send another email shortly with some >>> thoughts about integration testing. 
>>> >>> >>> P.S.: I put the patches in a tarball because it seems that Evolution is >>> Windows-ifying the line endings in my attachments. >> I'm having a really hard time reviewing these since the patches aren't >> cumulative but build upon each other. Since patches 0001-0007 haven't >> been applied yet it isn't possible to cleanly apply these either. >> >> I'll see if I can slurp them all in together and make a single, unified >> patch so I can see what is going on. > > Am I not submitting them correctly? What should I do differently? Well, for upstream it's easier to review the final patch rather than all the small patches it is made up of. You can still do incremental patching and then group it all together with git rebase -i The man page on it is so-so, this page describes it a little: http://blog.madism.org/index.php/2007/09/09/138-git-awsome-ness-git-rebase-interactive Basically you just squash all your small commits into one big one. You can still save all the commit messages. Note that this forces you to rebase your tree from the tip which isn't necessarily a bad thing as it ensures that the patch(es) will apply cleanly. rob From rcritten at redhat.com Tue Feb 17 19:57:00 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 17 Feb 2009 14:57:00 -0500 Subject: [Freeipa-devel] [PATCHES] jderose 0009-0019 In-Reply-To: <1234897728.7973.12.camel@jgd-lap> References: <1234560859.9000.35.camel@jgd-dsk> <4999D197.7090200@redhat.com> <1234897728.7973.12.camel@jgd-lap> Message-ID: <499B168C.9080909@redhat.com> Jason Gerard DeRose wrote: > On Mon, 2009-02-16 at 15:50 -0500, Rob Crittenden wrote: >> Jason Gerard DeRose wrote: >>> These patches finish my (initial) cleanup and testing of Andrew's >>> request authority plugins. These have been tested against a CA server >>> Andrew has running (only accessible inside Red Hat firewall). The tests >>> I ran aren't exhaustive by any means, but it's a start. >>> >>> A few other noteworthy changes: >>> >>> 1) I added a mechanism for an entire plugin module to be conditionally >>> loaded. Previously individual plugins (classes) could be conditionally >>> registered, but there wasn't a way to conditionally skip the entire >>> module. Now you can raise errors2.SkipPluginModule. >>> >>> For example, if your plugin is included in the built-in freeIPA plugins >>> but is only optionally enabled, you can use SkipPluginModule so that >>> nothing in your module after the point where you raise SkipPluginModule >>> gets processed: >>> >>> from ipalib import api, SkipPluginModule >>> if api.env.enable_ra is not True: >>> # In this case, abort loading this plugin module... >>> raise SkipPluginModule(reason='env.enable_ra is not True') >>> >>> # The remaining is only processed when env.enable_ra is True... >>> >>> # So we don't get an import error here! >>> import not_installed_python_package >>> >>> 2) I added a place-holder directory for integration tests: checks/ >>> Inside is my still rather hacky check-ra.py script I was using to test >>> the ra backend plugin. I'll send another email shortly with some >>> thoughts about integration testing. 
>>> >>> >>> P.S.: I put the patches in a tarball because it seems that Evolution is >>> Windows-ifying the line endings in my attachments. >> I'm having a really hard time reviewing these since the patches aren't >> cumulative but build upon each other. Since patches 0001-0007 haven't >> been applied yet it isn't possible to cleanly apply these either. >> >> I'll see if I can slurp them all in together and make a single, unified >> patch so I can see what is going on. > > Am I not submitting them correctly? What should I do differently? > >> In the meantime we need to get the 1-7 patches imported. I had just a >> couple of comments. >> >> rob Jason, to make it easier since there aren't any real show-stoppers in patches 1-19 (minus 8 which is already pushed) I'll go ahead and push them upstream and have you address the issues that I raised. rob From rcritten at redhat.com Tue Feb 17 21:06:34 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 17 Feb 2009 16:06:34 -0500 Subject: [Freeipa-devel] [PATCHES] jderose 0001-0007 In-Reply-To: <1233952171.11736.30.camel@jgd-dsk> References: <1233952171.11736.30.camel@jgd-dsk> Message-ID: <499B26DA.3060503@redhat.com> Jason Gerard DeRose wrote: > * Various cleanup in RA frontend and backend plugins. > * Add pattern matching support to Str and Bytes > Pushed to master From rcritten at redhat.com Tue Feb 17 21:06:38 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 17 Feb 2009 16:06:38 -0500 Subject: [Freeipa-devel] [PATCHES] jderose 0009-0019 In-Reply-To: <499B168C.9080909@redhat.com> References: <1234560859.9000.35.camel@jgd-dsk> <4999D197.7090200@redhat.com> <1234897728.7973.12.camel@jgd-lap> <499B168C.9080909@redhat.com> Message-ID: <499B26DE.4000009@redhat.com> Rob Crittenden wrote: > Jason Gerard DeRose wrote: >> On Mon, 2009-02-16 at 15:50 -0500, Rob Crittenden wrote: >>> Jason Gerard DeRose wrote: >>>> These patches finish my (initial) cleanup and testing of Andrew's >>>> request authority plugins. These have been tested against a CA server >>>> Andrew has running (only accessible inside Red Hat firewall). The >>>> tests >>>> I ran aren't exhaustive by any means, but it's a start. >>>> >>>> A few other noteworthy changes: >>>> >>>> 1) I added a mechanism for an entire plugin module to be conditionally >>>> loaded. Previously individual plugins (classes) could be conditionally >>>> registered, but there wasn't a way to conditionally skip the entire >>>> module. Now you can raise errors2.SkipPluginModule. >>>> >>>> For example, if your plugin is included in the built-in freeIPA plugins >>>> but is only optionally enabled, you can use SkipPluginModule so that >>>> nothing in your module after the point where you raise SkipPluginModule >>>> gets processed: >>>> >>>> from ipalib import api, SkipPluginModule >>>> if api.env.enable_ra is not True: >>>> # In this case, abort loading this plugin module... >>>> raise SkipPluginModule(reason='env.enable_ra is not True') >>>> # The remaining is only processed when env.enable_ra >>>> is True... >>>> # So we don't get an import error here! >>>> import not_installed_python_package >>>> >>>> 2) I added a place-holder directory for integration tests: checks/ >>>> Inside is my still rather hacky check-ra.py script I was using to test >>>> the ra backend plugin. 
I'll send another email shortly with some >>>> thoughts about integration testing. >>>> >>>> >>>> P.S.: I put the patches in a tarball because it seems that Evolution is >>>> Windows-ifying the line endings in my attachments. >>> I'm having a really hard time reviewing these since the patches >>> aren't cumulative but build upon each other. Since patches 0001-0007 >>> haven't been applied yet it isn't possible to cleanly apply these >>> either. >>> >>> I'll see if I can slurp them all in together and make a single, >>> unified patch so I can see what is going on. >> >> Am I not submitting them correctly? What should I do differently? >> >>> In the meantime we need to get the 1-7 patches imported. I had just a >>> couple of comments. >>> >>> rob > > Jason, to make it easier since there aren't any real show-stoppers in > patches 1-19 (minus 8 which is already pushed) I'll go ahead and push > them upstream and have you address the issues that I raised. > pushed to master From jderose at redhat.com Wed Feb 18 07:59:27 2009 
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Wed, 18 Feb 2009 00:59:27 -0700
Subject: [Freeipa-devel] [PATCH] fix two minor bugs in LDAP backend plugin
In-Reply-To: <49959A1F.9070207@redhat.com>
References: <49959A1F.9070207@redhat.com>
Message-ID: <1234943967.18899.46.camel@jgd-dsk>

On Fri, 2009-02-13 at 17:04 +0100, Pavel Zuna wrote:
> This should fix two minor bugs I found in the LDAP backend plugin.
>
> retrieve method should now correctly return None when no entry is found
> as documented at:
> http://freeipa.org/developer-docs/ipaserver.plugins.b_ldap.ldap-class.html#retrieve
>
> search method seemed to generate invalid filters when no entry
> attributes were specified, making it impossible to, for example, search
> for all entries of a certain type or all entries with a common parent.
>
> Pavel

The patch looks fine, but this does raise the question as to where we want exceptions like NotFound to be raised (which wasn't really decided when Rob or I wrote the above documentation). It also *raises* the question as to whether we want some_command.execute() to return None or to raise an exception when an entry isn't found, when a search returns no entries, etc.

I personally want some_command.execute() to raise an exception in the no-result case. For one, it means each output_for_cli() method doesn't need logic for the no-result case:

    def output_for_cli(self, textui, result, *args, **options):
        if result is None:
            print 'No entry found'
        else:
            print_the_result(result)  # Whatever goes here

Instead, output_for_cli() never gets called in the no-result case because an exception gets caught. So you just need:

    def output_for_cli(self, textui, result, *args, **options):
        # result won't be None...
        print_the_result(result)  # Whatever goes here

For another, it makes it easier to incorporate the CLI into shell scripts because the no-result case exits with a non-zero status, like:

    #!/bin/bash
    if ! ipa user-show "$1"
    then
        echo "No user $1"
        exit 1
    fi
    # ... do something with IPA user $1

I want the exception messages to contain information about the values causing the exception... this will make it easier for all the consumers, whether CLI, XML-RPC, or whatever. Instead of just "Entry not found" I want something like "Entry 'cn=foo,cn=bar' not found" or "No such user 'jderose'". Because some of these details might only be known by the some_command.execute() methods, it makes sense that they should raise the exception.

Maybe the crud methods on the LDAP backend plugin should return None in the no-result case. Or maybe they should raise a generic exception and the some_command.execute() methods can catch this and raise something more specific if required.

Anyone have any thoughts on the matter?

Pavel, I think we should hold off on this patch till we brainstorm a bit more.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part
URL:

From pzuna at redhat.com Wed Feb 18 15:46:51 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Wed, 18 Feb 2009 16:46:51 +0100
Subject: [Freeipa-devel] [PATCH] fix two minor bugs in LDAP backend plugin
In-Reply-To: <1234943967.18899.46.camel@jgd-dsk>
References: <49959A1F.9070207@redhat.com> <1234943967.18899.46.camel@jgd-dsk>
Message-ID: <499C2D6B.1060506@redhat.com>

Jason Gerard DeRose wrote:
> The patch looks fine, but this does raise the question as to where we
> want exceptions like NotFound to be raised (which wasn't really decided
> when Rob or I wrote the above documentation). It also *raises* the
> question as to whether we want some_command.execute() to return None or
> to raise an exception when an entry isn't found, when a search returns
> no entries, etc.

Sorry, I didn't think this patch through. I'm used to taking documentation as somewhat binding, but obviously (and it didn't occur to me at the time) it doesn't apply to work in progress such as this. It actually makes more sense to raise an exception in most cases.

> Pavel, I think we should hold off on this patch till we brainstorm a bit
> more.

Sure. What about the search method by the way? Should I make a separate patch?

From jderose at redhat.com Wed Feb 18 19:30:12 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Wed, 18 Feb 2009 12:30:12 -0700
Subject: [Freeipa-devel] [PATCH] Catch errors.EmptyModlist in b_ldap
In-Reply-To: <1234778567.11390.49.camel@jarilo.englab.brq.redhat.com>
References: <1234543276.1153.349.camel@jarilo.englab.brq.redhat.com> <4995B7C5.8070808@redhat.com> <1234778567.11390.49.camel@jarilo.englab.brq.redhat.com>
Message-ID: <1234985412.6676.2.camel@jgd-dsk>

On Mon, 2009-02-16 at 11:02 +0100, Jakub Hrozek wrote:
> On Fri, 2009-02-13 at 13:11 -0500, Rob Crittenden wrote:
> > Jakub Hrozek wrote:
> > > I think we shouldn't let an EmptyModlist exception propagate all the way
> > > up to ldap.update(). The method is usually used in frontend plugins, like
> > > classes that derive from crud.Mod, where modifying a record to the same
> > > attributes can be done pretty easily, so all the crud.Mod plugins would
> > > have to catch that exception anyway.
> > >
> > > The attached patch modifies ldap.update to return None if no
> > > modification was done.
> >
> > I think this is ok but I want to ponder it a little. How do you plan to
> > alert the user that nothing changed? In other words, if you have to do a
> > test against None to see if an error was returned, why not just catch
> > the exception?
>
> I was using the code like this:
>
> class object_mod(crud.Mod):
>     def execute():
>         # do stuff
>         return ldap.update(dn, **modkw)
>
>     def output_for_cli(self, textui, result, key, **options):
>         if result:
>             textui.print_entry(result)
>         else:
>             textui.print_plain("No modification")
>
> Before, I caught the exception, set the return value to None and used
> the same output_for_cli()..so I figured that if I'm putting this
> try..except around pretty much every ldap.update() I might as well move
> it into the method..while retaining the "nothing changed" information by
> using the return value.
>
> On the other hand, the documentation[1] says that ldap.update() should
> return None when no such entry exists..so maybe raising the exception is
> the right thing to do. I just think that the exception should never get
> all the way to the user as it's trivially invoked (call two
> modifications with the same parameters)
>
> > Or should we use a different exception, one that hides more of the details?
> >
> > rob
>
> OK, what about a PublicError-derived exception..that would be caught in
> the marshalled_dispatch() in a similar way NotFound or DuplicateEntry
> are handled? (Hope this is not a dumb proposal..I must say the
> difference between errors and errors2 isn't all that clear to me..)

`errors` is deprecated and we are migrating to `errors2`. After this is completed, we'll remove `errors` and rename `errors2` => `errors`. I probably shouldn't have created a new module, but I was trying to migrate things piece-wise without breaking anything people were working on in the meantime.

> Jakub

From jderose at redhat.com Wed Feb 18 19:58:46 2009
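The design the two threads above converge on, as an added Python 3 example that is not code from these messages or from FreeIPA: the backend returns None when no entry exists, execute() raises a PublicError-derived exception that names the offending value, and one dispatcher turns it into a message and a non-zero exit status. DictBackend, user_dn, run_cli and the exit_status numbers are hypothetical; only the exception and method names are borrowed from the thread.

```python
import sys


class PublicError(Exception):
    """Stand-in base class: errors whose message is safe to show any consumer."""
    exit_status = 1  # assumed numbering, chosen for this example only


class NotFound(PublicError):
    exit_status = 2


class EmptyModlist(PublicError):
    exit_status = 3


class DictBackend:
    """Hypothetical in-memory stand-in for the LDAP backend plugin."""

    def __init__(self, entries):
        self._entries = {dn: dict(attrs) for dn, attrs in entries.items()}

    def retrieve(self, dn):
        # Backend policy from the thread: None in the no-result case.
        entry = self._entries.get(dn)
        return None if entry is None else dict(entry)

    def update(self, dn, **kw):
        entry = self._entries.get(dn)
        if entry is None:
            return None  # documented meaning of None: no such entry
        changed = {k: v for k, v in kw.items() if entry.get(k) != v}
        if not changed:
            # Returning None here too would be indistinguishable from
            # "no such entry", so the no-op case gets its own exception.
            raise EmptyModlist("No modifications to be made to %r" % dn)
        entry.update(changed)
        return dict(entry)


def user_dn(uid):
    return "uid=%s,cn=users,dc=example,dc=com" % uid  # constructed suffix


class user_show:
    def __init__(self, backend):
        self.backend = backend

    def execute(self, uid):
        entry = self.backend.retrieve(user_dn(uid))
        if entry is None:
            # Only the command knows the caller asked for a user by uid.
            raise NotFound("No such user %r" % uid)
        return entry

    def output_for_cli(self, out, result):
        # No None branch: execute() raised before control got here.
        for key in sorted(result):
            out.write("%s: %s\n" % (key, result[key]))


class user_mod(user_show):
    def execute(self, uid, **kw):
        entry = self.backend.update(user_dn(uid), **kw)
        if entry is None:
            raise NotFound("No such user %r" % uid)
        return entry


def run_cli(command, out, err, *args, **kw):
    """Dispatcher: the one place that maps PublicError to message + status."""
    try:
        result = command.execute(*args, **kw)
    except PublicError as e:
        err.write("%s\n" % e)
        return e.exit_status
    command.output_for_cli(out, result)
    return 0


if __name__ == "__main__":
    backend = DictBackend({user_dn("jderose"): {"uid": "jderose", "sn": "DeRose"}})
    calls = [(user_show, ("jderose",), {}), (user_show, ("nobody",), {}),
             (user_mod, ("jderose",), {"sn": "DeRose"})]
    for cls, args, kw in calls:
        status = run_cli(cls(backend), sys.stdout, sys.stderr, *args, **kw)
        print("exit status:", status)
```
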
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Wed, 18 Feb 2009 12:58:46 -0700
Subject: [Freeipa-devel] Breaking changes at end of interation cycle
Message-ID: <1234987126.6676.25.camel@jgd-dsk>

There are some breaking changes that need to be made, and I think it makes sense to make them at the end of the current iteration cycle, right before we make our first V2 milestone/alpha release (or whatever we're going to call it). This way we don't interrupt anyone's work.

So I propose that at the end of the cycle, we do a 1-2 day freeze during which I can quickly make some tree changes, deprecate a few features that need to be. Then everyone can help fix any problems that it might introduce (for stuff that has unit tests, I'll fix it as I go) and we'll do a release.

My list of breaking changes is currently just 3 things:

1. Finish errors/errors2 cleanup: migrate any remaining needed exceptions from `errors` to the new `errors2` module, then remove `errors`, rename `errors2` to `errors`, and rename any references.

2. Finish migrating away from my bad f_* b_* naming convention for plugin modules. Seemed like a good idea at the time, but it's bad for the signal-to-noise ratio in the tree and in the epydoc pages. Also goes against Python module naming conventions. Easy change, but I don't want to interrupt anyone's work.

3. self.log.debug() etc. is deprecated and should be changed to self.debug() etc. After this has been fixed in the plugins, I'll remove the Plugin.log instance attribute.

Thoughts?

Cheers,
Jason

From rcritten at redhat.com Wed Feb 18 20:04:05 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 18 Feb 2009 15:04:05 -0500
Subject: [Freeipa-devel] Breaking changes at end of interation cycle
In-Reply-To: <1234987126.6676.25.camel@jgd-dsk>
References: <1234987126.6676.25.camel@jgd-dsk>
Message-ID: <499C69B5.4030609@redhat.com>

Jason Gerard DeRose wrote:
> There are some breaking changes that need to be made, and I think it
> makes sense to make them at the end of the current iteration cycle,
> right before we make our first V2 milestone/alpha release (or whatever
> we're going to call it). This way we don't interrupt anyone's work.
>
> So I propose that at the end of the cycle, we do a 1-2 day freeze during
> which I can quickly make some tree changes, deprecate a few features
> that need to be. Then everyone can help fix any problems that it might
> introduce (for stuff that has unit tests, I'll fix it as I go) and we'll
> do a release.
>
> My list of breaking changes is currently just 3 things:
>
> 1. Finish errors/errors2 cleanup: migrate any remaining needed
> exceptions from `errors` to the new `errors2` module, then remove
> `errors`, rename `errors2` to `errors`, and rename any references.
>
> 2. Finish migrating away from my bad f_* b_* naming convention for
> plugin modules. Seemed like a good idea at the time, but it's bad for
> the signal-to-noise ratio in the tree and in the epydoc pages. Also
> goes against Python module naming conventions. Easy change, but I don't
> want to interrupt anyone's work.
>
> 3. self.log.debug() etc. is deprecated and should be changed to
> self.debug() etc. After this has been fixed in the plugins, I'll remove
> the Plugin.log instance attribute.
>
> Thoughts?

Sounds like a great plan to me.

rob

From jhrozek at redhat.com Wed Feb 18 21:31:50 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 18 Feb 2009 22:31:50 +0100
Subject: [Freeipa-devel] [PATCHES] Support for RPM generation in SSSD
In-Reply-To: <49948DC4.3090402@redhat.com>
References: <499426A7.8090708@redhat.com> <4994310B.4050300@redhat.com> <1234450367.2488.34.camel@localhost.localdomain> <49943A42.6000902@redhat.com> <49948DC4.3090402@redhat.com>
Message-ID: <1234992710.12447.6.camel@hendrix>

On Thu, 2009-02-12 at 15:59 -0500, Stephen Gallagher wrote:
> New patch attached with recommended changes. Please re-review.

I did some minor tweaks to the specfile and Makefile, patch attached. Also, whether PolicyKit and InfoPipe support are built is now configurable. This patch is applicable on current master, if an iterative patch against Stephen's is more comfortable for you, I have that in my repo[1]

rpmlint now outputs this:
---
sssd.i386: W: no-documentation
sssd.i386: W: non-conffile-in-etc /etc/dbus-1/system.d/org.freeipa.sssd.infopipe.conf
sssd.i386: W: no-soname /usr/lib/libsss_proxy.so
sssd.i386: W: no-soname /usr/lib/memberof.so
sssd.i386: W: no-soname /usr/lib/libsysdb.so
1 packages and 0 specfiles checked; 0 errors, 5 warnings.
---

I think that's OK, there really is no documentation so far, dbus conf files are typically not marked as %config and no-soname is not a packaging issue, I think.

Jakub

[1] http://fedorapeople.org/gitweb?p=jhrozek/public_git/sssd.git;a=summary
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Adding-support-for-generating-RPMS-for-sssd.patch
Type: application/mbox
Size: 11212 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Feb 18 21:49:32 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 18 Feb 2009 16:49:32 -0500
Subject: [Freeipa-devel] [PATCH] fix some ACI tests
Message-ID: <499C826C.1070104@redhat.com>

The old ACI system had some minimum unit tests. They are being picked up by nosetest as broken. This fixes some of them. The tests that fail have an embedded quote in the name which I don't think is legal but haven't confirmed. Leaving them failing for now.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-125-acitests.patch
Type: application/mbox
Size: 2571 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Feb 18 21:50:43 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 18 Feb 2009 16:50:43 -0500
Subject: [Freeipa-devel] [PATCH] add --all option to more commands
Message-ID: <499C82B3.4090009@redhat.com>

Add the --all option to show/find in group, host and service. Normally we want to limit the attributes returned to the things that are interesting. --all returns the whole entry, warts and all.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-126-all.patch
Type: application/mbox
Size: 5133 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Feb 18 21:51:58 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 18 Feb 2009 16:51:58 -0500
Subject: [Freeipa-devel] [PATCH] add new users as member of default group
Message-ID: <499C82FE.6040805@redhat.com>

Add new users as a member of the default group. Prior to this we were just setting the GID to be the default group.

This way they will show up as a member of the group instead of implicitly being a member (by gid)

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-127-member.patch
Type: application/mbox
Size: 2518 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Feb 18 21:52:47 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 18 Feb 2009 16:52:47 -0500
Subject: [Freeipa-devel] [PATCH] display multi-valued results on separate lines
Message-ID: <499C832F.5070809@redhat.com>

Iterate over multi-valued return results and print each on a separate line instead of combining them into a comma-separated field.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-128-display.patch
Type: application/mbox
Size: 1079 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Feb 18 21:54:55 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 18 Feb 2009 16:54:55 -0500
Subject: [Freeipa-devel] [PATCH] initial crack at machine join
Message-ID: <499C83AF.90005@redhat.com>

A minimal start at machine join. All this does currently is verify that the host doesn't already exist (not joined) and if not, creates the host and pulls down the service principal.

This has a few new things to it:

- It runs some things locally, some remotely
- A new exception is added, RootRequired. At some point we'll want to write to /etc/krb5.keytab
- executing commands on a client machine

I'm writing the keytab to a file in /tmp for now and have the root requirement disabled in order for easier testing.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-129-join.patch
Type: application/mbox
Size: 4183 bytes
Desc: not available
URL:

From jderose at redhat.com Wed Feb 18 21:55:54 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Wed, 18 Feb 2009 14:55:54 -0700
Subject: [Freeipa-devel] [PATCH] fix some ACI tests
In-Reply-To: <499C826C.1070104@redhat.com>
References: <499C826C.1070104@redhat.com>
Message-ID: <1234994154.6676.110.camel@jgd-dsk>

On Wed, 2009-02-18 at 16:49 -0500, Rob Crittenden wrote:
> The old ACI system had some minimum unit tests. They are being picked up
> by nosetest as broken. This fixes some of them. The tests that fail have
> an embedded quote in the name which I don't think is legal but haven't
> confirmed. Leaving them failing for now.
>
> rob

ack.

From rcritten at redhat.com Wed Feb 18 22:13:03 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 18 Feb 2009 17:13:03 -0500
Subject: [Freeipa-devel] [PATCH] add missing changes
Message-ID: <499C87EF.7010403@redhat.com>

I missed 2 files with the join patch. This adds the new exception and a helper function for determining the local fqdn.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-130-exception.patch
Type: application/mbox
Size: 1105 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-131-hostname.patch
Type: application/mbox
Size: 983 bytes
Desc: not available
URL:

From jderose at redhat.com Wed Feb 18 22:25:45 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Wed, 18 Feb 2009 15:25:45 -0700
Subject: [Freeipa-devel] [PATCH] add --all option to more commands
In-Reply-To: <499C82B3.4090009@redhat.com>
References: <499C82B3.4090009@redhat.com>
Message-ID: <1234995945.6676.143.camel@jgd-dsk>

On Wed, 2009-02-18 at 16:50 -0500, Rob Crittenden wrote:
> Add the --all option to show/find in group, host and service. Normally
> we want to limit the attributes returned to the things that are
> interesting. --all returns the whole entry, warts and all.
>
> rob

ack. I was thinking of adding the --all option into the new crud Retrieve and Search base classes. What do you think about that?

From jderose at redhat.com Wed Feb 18 22:30:49 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Wed, 18 Feb 2009 15:30:49 -0700
Subject: [Freeipa-devel] [PATCH] add new users as member of default group
In-Reply-To: <499C82FE.6040805@redhat.com>
References: <499C82FE.6040805@redhat.com>
Message-ID: <1234996249.6676.153.camel@jgd-dsk>

On Wed, 2009-02-18 at 16:51 -0500, Rob Crittenden wrote:
> Add new users as a member of the default group. Prior to this we were
> just setting the GID to be the default group.
>
> This way they will show up as a member of the group instead of
> implicitly being a member (by gid)
>
> rob

ack, but we should clean this up later after the errors/errors2 cleanup. Also, Python exceptions are classes and you should raise instances:

    Yes: raise NotFound(my_msg)
    No:  raise NotFound, my_msg

From jderose at redhat.com Wed Feb 18 22:31:10 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Wed, 18 Feb 2009 15:31:10 -0700
Subject: [Freeipa-devel] [PATCH] display multi-valued results on separate lines
In-Reply-To: <499C832F.5070809@redhat.com>
References: <499C832F.5070809@redhat.com>
Message-ID: <1234996270.6676.155.camel@jgd-dsk>

On Wed, 2009-02-18 at 16:52 -0500, Rob Crittenden wrote:
> Iterate over multi-valued return results and print each on a separate
> line instead of combining them into a comma-separated field.
>
> rob

ack.

From jderose at redhat.com Wed Feb 18 22:32:11 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Wed, 18 Feb 2009 15:32:11 -0700
Subject: [Freeipa-devel] [PATCH] initial crack at machine join
In-Reply-To: <499C83AF.90005@redhat.com>
References: <499C83AF.90005@redhat.com>
Message-ID: <1234996331.6676.158.camel@jgd-dsk>

On Wed, 2009-02-18 at 16:54 -0500, Rob Crittenden wrote:
> A minimal start at machine join. All this does currently is verify that
> the host doesn't already exist (not joined) and if not, creates the host
> and pulls down the service principal.
>
> This has a few new things to it:
>
> - It runs some things locally, some remotely
> - A new exception is added, RootRequired. At some point we'll want to
> write to /etc/krb5.keytab
> - executing commands on a client machine
>
> I'm writing the keytab to a file in /tmp for now and have the root
> requirement disabled in order for easier testing.
>
> rob

ack. Looks like a good start.

From jderose at redhat.com Wed Feb 18 22:32:37 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Wed, 18 Feb 2009 15:32:37 -0700
Subject: [Freeipa-devel] [PATCH] add missing changes
In-Reply-To: <499C87EF.7010403@redhat.com>
References: <499C87EF.7010403@redhat.com>
Message-ID: <1234996357.6676.159.camel@jgd-dsk>

On Wed, 2009-02-18 at 17:13 -0500, Rob Crittenden wrote:
> I missed 2 files with the join patch. This adds the new exception and a
> helper function for determining the local fqdn.
>
> rob

ack.

From sgallagh at redhat.com Thu Feb 19 00:03:14 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 18 Feb 2009 19:03:14 -0500
Subject: [Freeipa-devel] [PATCHES] Support for RPM generation in SSSD
In-Reply-To: <1234992710.12447.6.camel@hendrix>
References: <499426A7.8090708@redhat.com> <4994310B.4050300@redhat.com> <1234450367.2488.34.camel@localhost.localdomain> <49943A42.6000902@redhat.com> <49948DC4.3090402@redhat.com> <1234992710.12447.6.camel@hendrix>
Message-ID: <499CA1C2.60707@redhat.com>

Jakub Hrozek wrote:
> On Thu, 2009-02-12 at 15:59 -0500, Stephen Gallagher wrote:
>> New patch attached with recommended changes. Please re-review.
>
> I did some minor tweaks to the specfile and Makefile, patch attached.
> Also, whether PolicyKit and InfoPipe support are built is now
> configurable. This patch is applicable on current master, if an
> iterative patch against Stephen's is more comfortable for you, I have
> that in my repo[1]

Patches should definitely be from the master, as my patch was a work-in-progress that you've taken over. So this is fine.

> rpmlint now outputs this:
> ---
> sssd.i386: W: no-documentation
> sssd.i386: W: non-conffile-in-etc /etc/dbus-1/system.d/org.freeipa.sssd.infopipe.conf
> sssd.i386: W: no-soname /usr/lib/libsss_proxy.so
> sssd.i386: W: no-soname /usr/lib/memberof.so
> sssd.i386: W: no-soname /usr/lib/libsysdb.so
> 1 packages and 0 specfiles checked; 0 errors, 5 warnings.
> ---
>
> I think that's OK, there really is no documentation so far, dbus conf
> files are typically not marked as %config and no-soname is not a
> packaging issue, I think.

We should probably be building the shared objects with '-Wl -soname,'

> Jakub
>
> [1]
> http://fedorapeople.org/gitweb?p=jhrozek/public_git/sssd.git;a=summary
>
>

I'd prefer if you used HAVE_INFOPIPE and HAVE_POLICYKIT as the macros.

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Thu Feb 19 00:40:56 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 18 Feb 2009 19:40:56 -0500
Subject: [Freeipa-devel] [PATCHES] Support for RPM generation in SSSD
In-Reply-To: <1234992710.12447.6.camel@hendrix>
References: <499426A7.8090708@redhat.com> <4994310B.4050300@redhat.com> <1234450367.2488.34.camel@localhost.localdomain> <49943A42.6000902@redhat.com> <49948DC4.3090402@redhat.com> <1234992710.12447.6.camel@hendrix>
Message-ID: <1235004056.4449.50.camel@localhost.localdomain>

On Wed, 2009-02-18 at 22:31 +0100, Jakub Hrozek wrote:
> On Thu, 2009-02-12 at 15:59 -0500, Stephen Gallagher wrote:
> > New patch attached with recommended changes. Please re-review.
>
> I did some minor tweaks to the specfile and Makefile, patch attached.
> Also, whether PolicyKit and InfoPipe support are built is now
> configurable. This patch is applicable on current master, if an
> iterative patch against Stephen's is more comfortable for you, I have
> that in my repo[1]
>
> rpmlint now outputs this:
> ---
> sssd.i386: W: no-documentation
> sssd.i386: W: non-conffile-in-etc /etc/dbus-1/system.d/org.freeipa.sssd.infopipe.conf

how does dbus mark these files?

> sssd.i386: W: no-soname /usr/lib/libsss_proxy.so
> sssd.i386: W: no-soname /usr/lib/memberof.so
> sssd.i386: W: no-soname /usr/lib/libsysdb.so

these libraries are in the wrong place for a start, they should be under a package private library path as they are never meant to be used by any other application, I tentatively put them under /usr/lib/sssd/ on my machine.

> 1 packages and 0 specfiles checked; 0 errors, 5 warnings.
> ---
>
> I think that's OK, there really is no documentation so far, dbus conf
> files are typically not marked as %config and no-soname is not a
> packaging issue, I think.

See above, we should probably build these libraries versioned (.so.0.0.1), and then just make the .so a symlink anyway.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From jderose at redhat.com Thu Feb 19 03:48:34 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Wed, 18 Feb 2009 20:48:34 -0700
Subject: [Freeipa-devel] Thoughts on tests (unit, integration, self-test)
Message-ID: <1235015314.9124.4.camel@jgd-dsk>

This is a brain dump on all things related to the freeIPA tests included in its source tree...

One of my big goals with the Python code I've written for v2 is to make freeIPA easier to test (especially easier to quickly test as you code, while running everything in-tree). This is a challenging problem because running full blown freeIPA requires some fairly invasive configuration changes... you don't want to make these changes to your workstation unless you're actually part of an IPA realm, and if you're part of an IPA realm, you don't want to run these tests against (and possibly break) a production realm.

To get around this problem, everyone on the Red Hat team uses virtual machines extensively to test freeIPA. The problem is, we each do this somewhat by hand, with slightly differing setups and procedures. It will help everyone be more productive if these "invasive" sorts of tests are fully automated and repeatable. I also personally feel it's very important that the community be able to test their work the same way we do at Red Hat. So part of what I want to work on next is formalizing the setup for these invasive tests into the freeIPA code.

Of course, many (if not most) of our tests will be of the non-invasive variety. Probably 90% of our current unit tests are non-invasive. Whenever possible, we should write non-invasive tests because they're fast to run and give the programmers immediate feedback. Unit tests can drastically improve productivity, but only if you run them very frequently. You want the time between when you break a test and when you find out you broke a test to be as small as possible... ideally not more than 5 or 10 minutes. That way you have fresh in your head what you changed, what likely caused the breakage. If a breakage is left for a few weeks, it can take you or another programmer hours to figure out what is wrong.

In some cases we need to find ways to test stuff in a non-invasive way that we currently can only test in an invasive way. In particular, we need a non-invasive way to test the code in the command plugins, even if it doesn't test the full code path of a production server.

Also, the non-invasive tests should be run automatically when the package is built (whereas the invasive tests will have to be manually started).

So I'm proposing dividing the in-tree tests into three categories: unit tests; integration tests; and self-tests. The terminology doesn't exactly fit, but I haven't thought of anything better yet (suggestions welcome).

1. Unit tests (non-invasive)
----------------------------

I'm giving "unit test" some special meaning in this context: unit tests are completely non-invasive... they can be run without Kerberos or LDAP configured, can be run as a normal user, will not open network connections nor contact external services, etc. They will typically test a fairly isolated layer of code, but might also test a broader swath of the code path (as long as they're still non-invasive).

We're doing our Python unit tests using nose. The core library has extensive unit tests, all located in the tests/ directory.

Additionally, Rob has written some tests for individual command plugins (forwarded over XML-RPC, talking to live LDAP). Currently these tests get executed by nose automatically if the lite-xmlrpc.py script seems to be running when you run the tests. However, as they're what I'm calling "invasive" tests, I believe these should be moved into the integration tests below. They can also be supplemented with the self-tests, my 3rd category.

So in summary, unit tests can be run without any unexpected side effects and without having any external services configured.
Unit tests are excellent for testing the core library, but not as useful for testing individual plugins (especially backend plugins that talk to an external service like LDAP).

2. Integration tests (invasive)
-------------------------------

I'm also giving "integration test" some special meaning in this context: integration tests are invasive simply because of what they test... they test the interaction with live LDAP, Kerberos, etc. These are tests you will only want to run in a virtual machine or on a dedicated test machine. They will often require you to run them as root or at least kinit to get Kerberos credentials. Even if a test is testing a fairly isolated component, I'm still calling it an integration test if it's invasive.

Like I said, I'd like Rob's xmlrpc tests to be moved into the integration tests. And all the integration tests should include the full setup procedure so they're fully automatic and repeatable.

In my opinion, the first integration tests we write should be for backend plugins like Backend.ldap. In the case of the LDAP backend plugin, the rest of the code is not supposed to use the python-ldap binding directly, but instead just use the API provided by api.Backend.ldap. So obviously this API needs to be well tested in an isolated fashion. The integration test would:

1. Configure Kerberos and DS, put DS into a known initial state.

2. Run tests against api.Backend.ldap like this:

    >>> from ipalib import api
    >>> api.bootstrap(in_server=True)
    >>> api.finalize()
    >>> ldap = api.Backend.ldap
    >>> # And now test the ldap plugin...

Rob's tests for individual command plugins can take a similar setup approach (if not just reuse the same). However, there's another cool way we can test individual command plugins that I think will give us a big productivity boost...

3. Self-tests (non-invasive, installed with plugins)
----------------------------------------------------

I don't recall if I ever made it clear why I was so insistent that for things like LDAP, plugins should interact strictly with api.Backend.ldap and never with the python-ldap bindings directly. The reason is it allows us to register dummy backend plugins and do very useful non-invasive tests where we otherwise couldn't. We can't test the full code path this way, but we can test that the command plugins do their part of the processing correctly and that they correctly call whatever backend plugins do the heavy lifting for them.

This allows us to test via a transitive relationship: if A uses B correctly and B uses C correctly, then A uses C correctly. For example, we know Command.user_add calls Backend.ldap correctly, and we know Backend.ldap talks to FDS correctly, so we're pretty darn sure Command.user_add talks to FDS correctly.

Obviously we will also want to test Command.user_add in the integration tests, where we test the full code path against a live LDAP server. But the point of the self-tests is to move more testing into the non-invasive realm so we can immediately get feedback while coding. Make a small change to Command.user_add, run the self-tests, and if they pass, you're 95% sure the live version will also work correctly.

The self-tests also make it easier for plugin authors (even 3rd-party) to add tests because the self-tests are defined in the same module defining the plugins. As a consequence, the self-tests will ship in the distribution packages (.rpm, .deb, .whatever), whereas the unit and integration tests are only in the source tarball. This allows end users to run a lot of diagnostics easily.

The self-tests for commands will be totally declarative. They're defined in the same module as the corresponding command plugins, although the exact mechanism is yet to be decided. But they'll look something like this (still using user_add as the example):
But they'll look something like this (still using user_add as the
example):

    SelfTest(
        # Calling this command with these args and options:
        'user_add', tuple(), dict(givenname=u'Jason', sn=u'DeRose'),

        # Will return this value:
        dict(uid=u'jderose', givenname=u'Jason', sn=u'DeRose'),

        # And result in these calls to Backend.ldap:
        [
            # 1st call is to ldap.make_user_dn() with these args, kw:
            'ldap.make_user_dn', (u'jderose',), {},

            # And will return this value:
            u'uid=jderose,cn=users,cn=accounts,dc=example,dc=com'
        ],
        [
            # 2nd call is to ldap.create() with these args, kw:
            'ldap.create', tuple(), dict(
                dn=u'uid=jderose,cn=users,cn=accounts,dc=example,dc=com',
                uid=u'jderose',
                givenname=u'Jason',
                sn=u'DeRose',
            ),

            # And will return this value:
            dict(uid=u'jderose', givenname=u'Jason', sn=u'DeRose'),
        ],
    )

So both the calls that the command plugin should make to various backend
plugin methods and the values those calls will return are provided in
the self-test. This illustrative self-test above would (if completed)
test whether user_add processes its args and options correctly, whether
user_add makes the correct sequence of calls to Backend.ldap, whether it
does the right thing with the return values from Backend.ldap, and
whether it ultimately returns the correct result. The exact API is yet
to be decided, but that's the idea of it anyway.

Obviously I got some ideas (and the "self-test" term) from my favorite
embeddable DVCS, Bazaar. But as far as I know, Bazaar doesn't use its
self-tests to make otherwise invasive tests into non-invasive ones (all
its tests can easily be non-invasive, but it's also a different beast
altogether).


So there's my ramblings. Thoughts?

Cheers,
Jason

From dpal at redhat.com Thu Feb 19 15:00:14 2009
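The self-test proposed in Jason Gerard DeRose's message above, worked through as an added example (not FreeIPA code and not part of the thread): a scripted dummy backend checks each call the command makes and replays canned results, and the same mechanism is extended here to a canned exception for a negative case. `ScriptedBackend`, `DuplicateEntry`, `user_add_regressed` and the `run()` method are hypothetical names, and `user_add` is a stand-in for the real plugin.

```python
# Added illustration; every name below is hypothetical, not FreeIPA's API.


class DuplicateEntry(Exception):
    """Stand-in backend error, used for the negative self-test."""


class ScriptedBackend:
    """Dummy backend: checks each call against a script, replays results."""

    def __init__(self, name, script):
        self._name = name
        self._script = list(script)  # one [name, args, kw, result] per call
        self._pos = 0

    def __getattr__(self, method):
        if method.startswith('_'):
            raise AttributeError(method)

        def call(*args, **kw):
            got = ('%s.%s' % (self._name, method), args, kw)
            if self._pos == len(self._script):
                raise AssertionError('unexpected call %r' % (got,))
            name, want_args, want_kw, result = self._script[self._pos]
            if got != (name, tuple(want_args), dict(want_kw)):
                raise AssertionError('call %d: expected %r, got %r' % (
                    self._pos + 1, (name, want_args, want_kw), got))
            self._pos += 1
            if isinstance(result, Exception):
                raise result  # scripted failure, for negative tests
            return result
        return call

    def remaining(self):
        return len(self._script) - self._pos


class SelfTest:
    """Declarative test in the shape sketched in the message above."""

    def __init__(self, command, args, options, expected, *calls):
        self.command, self.args, self.options = command, args, options
        self.expected, self.calls = expected, calls

    def run(self, commands):
        """Return None on success, else a string describing the failure."""
        backend = ScriptedBackend('ldap', self.calls)
        wants_error = (isinstance(self.expected, type)
                       and issubclass(self.expected, Exception))
        try:
            result = commands[self.command](
                backend, *self.args, **self.options)
        except AssertionError as e:  # the command mis-used the backend
            return str(e)
        except Exception as e:
            if not (wants_error and isinstance(e, self.expected)):
                return 'unexpected %s' % type(e).__name__
            result = self.expected
        if result != self.expected:
            return 'returned %r, expected %r' % (result, self.expected)
        if backend.remaining():
            return '%d scripted call(s) never made' % backend.remaining()
        return None


def user_add(ldap, givenname, sn):
    """Stand-in command plugin: all LDAP work goes through the backend."""
    uid = (givenname[0] + sn).lower()
    dn = ldap.make_user_dn(uid)
    return ldap.create(dn=dn, uid=uid, givenname=givenname, sn=sn)


def user_add_regressed(ldap, givenname, sn):
    """The same command after a bad edit: it builds the DN itself."""
    uid = (givenname[0] + sn).lower()
    dn = 'uid=%s,cn=users,dc=example,dc=com' % uid
    return ldap.create(dn=dn, uid=uid, givenname=givenname, sn=sn)


# Constructed sample data, taken from the example in the message.
DN = 'uid=jderose,cn=users,cn=accounts,dc=example,dc=com'
ENTRY = dict(uid='jderose', givenname='Jason', sn='DeRose')

ADD_OK = SelfTest(
    'user_add', tuple(), dict(givenname='Jason', sn='DeRose'),
    ENTRY,
    ['ldap.make_user_dn', ('jderose',), {}, DN],
    ['ldap.create', tuple(), dict(ENTRY, dn=DN), ENTRY],
)

# Negative case: the backend raises, the command must let it propagate.
ADD_DUPLICATE = SelfTest(
    'user_add', tuple(), dict(givenname='Jason', sn='DeRose'),
    DuplicateEntry,
    ['ldap.make_user_dn', ('jderose',), {}, DN],
    ['ldap.create', tuple(), dict(ENTRY, dn=DN), DuplicateEntry(DN)],
)

if __name__ == '__main__':
    for label, impl in (('current', user_add),
                        ('regressed', user_add_regressed)):
        for test in (ADD_OK, ADD_DUPLICATE):
            print(label, test.run({'user_add': impl}) or 'ok')
```

The regressed variant fails at call 1 with no LDAP server involved; what this cannot show is whether the scripted return values match what a live directory server would return.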
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 19 Feb 2009 10:00:14 -0500
Subject: [Freeipa-devel] Thoughts on tests (unit, integration, self-test)
In-Reply-To: <1235015314.9124.4.camel@jgd-dsk>
References: <1235015314.9124.4.camel@jgd-dsk>
Message-ID: <499D73FE.2000402@redhat.com>

Jason Gerard DeRose wrote:
> This is a brain dump on all things related to the freeIPA tests included
> in its source tree...
>
> One of my big goals with the Python code I've written for v2 is to make
> freeIPA easier to test (especially easier to quickly test as you code,
> while running everything in-tree). This is a challenging problem
> because running full blown freeIPA requires some fairly invasive
> configuration changes... you don't want to make these changes to your
> workstation unless you're actually part of an IPA realm, and if you're
> part of an IPA realm, you don't want to run these tests against (and
> possibly break) a production realm.
>
> To get around this problem, everyone on the Red Hat team uses virtual
> machines extensively to test freeIPA. The problem is, we each do this
> somewhat by hand, with slightly differing setups and procedures. It
> will help everyone be more productive if these "invasive" sorts of tests
> are fully automated and repeatable. I also personally feel it's very
> important that the community be able to test their work the same way we
> do at Red Hat. So part of what I want to work on next is formalizing
> the setup for these invasive tests into the freeIPA code.
>
> Of course, many (if not most) of our tests will be of the non-invasive
> variety. Probably 90% of our current unit tests are non-invasive.
> Whenever possible, we should write non-invasive tests because they're
> fast to run and give the programmers immediate feedback. Unit tests can
> drastically improve productivity, but only if you run them very
> frequently. You want the time between when you break a test and when
> you find out you broke a test to be as small as possible... ideally not
> more than 5 or 10 minutes. That way you have fresh in your head what
> you changed, what likely caused the breakage. If a breakage is left for
> a few weeks, it can take you or another programmer hours to figure out
> what is wrong.
>
> In some cases we need to find ways to test stuff in a non-invasive way
> that we currently can only test in an invasive way. In particular, we
> need a non-invasive way to test the code in the command plugins, even if
> it doesn't test the full code path of a production server. Also, the
> non-invasive tests should be run automatically when the package is built
> (whereas the invasive tests will have to be manually started).
>
> So I'm proposing dividing the in-tree tests into three categories: unit
> tests; integration tests; and self-tests. The terminology doesn't
> exactly fit, but I haven't thought of anything better yet (suggestions
> welcome).
>
>
> 1. Unit tests (non-invasive)
> ----------------------------
>
> I'm giving "unit test" some special meaning in this context: unit tests
> are completely non-invasive... they can be run without Kerberos or LDAP
> configured, can be run as a normal user, will not open network
> connections nor contact external services, etc. They will typically
> test a fairly isolated layer of code, but might also test a broader
> swath of the code path (as long as they're still non-invasive).
>
> We're doing our Python unit tests using nose. The core library has
> extensive unit tests, all located in the tests/ directory.
>
> Additionally, Rob has written some tests for individual command plugins
> (forwarded over XML-RPC, talking to live LDAP). Currently these tests
> get executed by nose automatically if the lite-xmlrpc.py script seems to
> be running when you run the tests.
> However, as they're what I'm calling
> "invasive" tests, I believe these should be moved into the integration
> tests below. They can also be supplemented with the self-tests, my 3rd
> category.
>
> So in summary, unit tests can be run without any unexpected side effects
> and without having any external services configured. Unit tests are
> excellent for testing the core library, but not as useful for testing
> individual plugins (especially backend plugins that talk to an external
> service like LDAP).
>
>
> 2. Integration tests (invasive)
> -------------------------------
>
> I'm also giving "integration test" some special meaning in this context:
> integration tests are invasive simply because of what they test... they
> test the interaction with live LDAP, Kerberos, etc. These are tests you
> will only want to run in a virtual machine or on a dedicated test
> machine. They will often require you to run them as root or at least
> kinit to get Kerberos credentials. Even if a test is testing a fairly
> isolated component, I'm still calling it an integration test if it's
> invasive.
>
> Like I said, I'd like Rob's xmlrpc tests to be moved into the
> integration tests. And all the integration tests should include the
> full setup procedure so they're fully automatic and repeatable.
>
> In my opinion, the first integration tests we write should be for
> backend plugins like Backend.ldap. In the case of the LDAP backend
> plugin, the rest of the code is not supposed to use the python-ldap
> binding directly, but instead just use the API provided by
> api.Backend.ldap. So obviously this API needs to be well tested in an
> isolated fashion. The integration test would:
>
>   1. Configure Kerberos and DS, put DS into a known initial state.
>
>   2. Run tests against api.Backend.ldap like this:
>
>     >>> from ipalib import api
>     >>> api.bootstrap(in_server=True)
>     >>> api.finalize()
>     >>> ldap = api.Backend.ldap
>     >>> # And now test the ldap plugin...
>
> Rob's tests for individual command plugins can take a similar setup
> approach (if not just reuse the same). However, there's another cool
> way we can test individual command plugins that I think will give us a
> big productivity boost...
>
>
> 3. Self-tests (non-invasive, installed with plugins)
> ----------------------------------------------------
>
> I don't recall if I ever made it clear why I was so insistent that for
> things like LDAP, plugins should interact strictly with api.Backend.ldap
> and never with the python-ldap bindings directly. The reason is it
> allows us to register dummy backend plugins and do very useful
> non-invasive tests where we otherwise couldn't. We can't test the full
> code path this way, but we can test that the command plugins do their
> part of the processing correctly and that they correctly call whatever
> backend plugins do the heavy lifting for them.
>
> This allows us to test via a transitive relationship: if A uses B
> correctly and B uses C correctly, then A uses C correctly. For example,
> we know Command.user_add calls Backend.ldap correctly, and we know
> Backend.ldap talks to FDS correctly, so we're pretty darn sure
> Command.user_add talks to FDS correctly.
>
> Obviously we will also want to test Command.user_add in the integration
> tests, where we test the full code path against a live LDAP server. But
> the point of the self-tests is to move more testing into the
> non-invasive realm so we can immediately get feedback while coding.
> Make a small change to Command.user_add, run the self-tests, and if they
> pass, you're 95% sure the live version will also work correctly.
>
> The self-tests also make it easier for plugin authors (even 3rd-party)
> to add tests because the self-tests are defined in the same module
> defining the plugins. As a consequence, the self-tests will ship in the
> distribution packages (.rpm, .deb, .whatever), whereas the unit and
> integration tests are only in the source tarball. This allows end users
> to run a lot of diagnostics easily.
>
> The self-tests for commands will be totally declarative. They're
> defined in the same module as the corresponding command plugins,
> although the exact mechanism is yet to be decided. But they'll look
> something like this (still using user_add as the example):
>
>     SelfTest(
>         # Calling this command with these args and options:
>         'user_add', tuple(), dict(givenname=u'Jason', sn=u'DeRose'),
>
>         # Will return this value:
>         dict(uid=u'jderose', givenname=u'Jason', sn=u'DeRose'),
>
>         # And result in these calls to Backend.ldap:
>         [
>             # 1st call is to ldap.make_user_dn() with these args, kw:
>             'ldap.make_user_dn', (u'jderose',), {},
>
>             # And will return this value:
>             u'uid=jderose,cn=users,cn=accounts,dc=example,dc=com'
>         ],
>         [
>             # 2nd call is to ldap.create() with these args, kw:
>             'ldap.create', tuple(), dict(
>                 dn=u'uid=jderose,cn=users,cn=accounts,dc=example,dc=com',
>                 uid=u'jderose',
>                 givenname=u'Jason',
>                 sn=u'DeRose',
>             ),
>
>             # And will return this value:
>             dict(uid=u'jderose', givenname=u'Jason', sn=u'DeRose'),
>         ],
>     )
>
> So both the calls that the command plugin should make to various backend
> plugin methods and the values those calls will return are provided in
> the self-test. This illustrative self-test above would (if completed)
> test whether user_add processes its args and options correctly, whether
> user_add makes the correct sequence of calls to Backend.ldap, whether it
> does the right thing with the return values from Backend.ldap, and
> whether it ultimately returns the correct result. The exact API is yet
> to be decided, but that's the idea of it anyway.
>
> Obviously I got some ideas (and the "self-test" term) from my favorite
> embeddable DVCS, Bazaar. But as far as I know, Bazaar doesn't use its
> self-tests to make otherwise invasive tests into non-invasive ones (all
> its tests can easily be non-invasive, but it's also a different beast
> altogether).
>
>
> So there's my ramblings. Thoughts?
>
> Cheers,
> Jason
>

I will defer to experts but this seems like a good idea to me.
I do not know what are the conventions and best practices about the
inclusion of the tests into the final deliverables.
If we do not violate any convention with such approach I do not see a
reason why we should not follow it.
Rob, John and comments?

Thanks
Dmitri

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

From rcritten at redhat.com Thu Feb 19 15:06:20 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 19 Feb 2009 10:06:20 -0500
Subject: [Freeipa-devel] [PATCH] add --all option to more commands
In-Reply-To: <1234995945.6676.143.camel@jgd-dsk>
References: <499C82B3.4090009@redhat.com> <1234995945.6676.143.camel@jgd-dsk>
Message-ID: <499D756C.3070700@redhat.com>

Jason Gerard DeRose wrote:
> On Wed, 2009-02-18 at 16:50 -0500, Rob Crittenden wrote:
>> Add the --all option to show/find in group, host and service. Normally
>> we want to limit the attributes returned to the things that are
>> interesting. --all returns the whole entry, warts and all.
>>
>> rob
>
> ack.
>
> I was thinking of adding the --all option into the new crud Retrieve and
> Search base classes. What do you think about that?

Sounds good. How will that affect a plugin writer providing additional
options?

rob

From rcritten at redhat.com Thu Feb 19 15:06:50 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 19 Feb 2009 10:06:50 -0500
Subject: [Freeipa-devel] [PATCH] add --all option to more commands
In-Reply-To: <1234995945.6676.143.camel@jgd-dsk>
References: <499C82B3.4090009@redhat.com> <1234995945.6676.143.camel@jgd-dsk>
Message-ID: <499D758A.30606@redhat.com>

Jason Gerard DeRose wrote:
> On Wed, 2009-02-18 at 16:50 -0500, Rob Crittenden wrote:
>> Add the --all option to show/find in group, host and service. Normally
>> we want to limit the attributes returned to the things that are
>> interesting. --all returns the whole entry, warts and all.
>>
>> rob
>
> ack.
>
> I was thinking of adding the --all option into the new crud Retrieve and
> Search base classes. What do you think about that?

pushed to master

From rcritten at redhat.com Thu Feb 19 15:07:41 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 19 Feb 2009 10:07:41 -0500
Subject: [Freeipa-devel] [PATCH] add new users as member of default group
In-Reply-To: <1234996249.6676.153.camel@jgd-dsk>
References: <499C82FE.6040805@redhat.com> <1234996249.6676.153.camel@jgd-dsk>
Message-ID: <499D75BD.3050001@redhat.com>

Jason Gerard DeRose wrote:
> On Wed, 2009-02-18 at 16:51 -0500, Rob Crittenden wrote:
>> Add new users as a member of the default group. Prior to this we were
>> just setting the GID to be the default group.
>>
>> This way they will show up as a member of the group instead of
>> implicitly being a member (by gid)
>>
>> rob
>
> ack, but we should clean this up later after the errors/errors2 cleanup.
>
> Also, Python exceptions are classes and you should raise instances:
>
> Yes:
>     raise NotFound(my_msg)
>
> No:
>     raise NotFound, my_msg
>
>

Ok, noted. I'll submit another patch later this morning

Pushed to master.

From rcritten at redhat.com Thu Feb 19 15:07:57 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 19 Feb 2009 10:07:57 -0500
Subject: [Freeipa-devel] [PATCH] display multi-valued results on separate lines
In-Reply-To: <1234996270.6676.155.camel@jgd-dsk>
References: <499C832F.5070809@redhat.com> <1234996270.6676.155.camel@jgd-dsk>
Message-ID: <499D75CD.6040301@redhat.com>

Jason Gerard DeRose wrote:
> On Wed, 2009-02-18 at 16:52 -0500, Rob Crittenden wrote:
>> Iterate over multi-valued return results and print each on a separate
>> line instead of combining them into a comma-separated field.
>>
>> rob
>
> ack.

pushed to master

From rcritten at redhat.com Thu Feb 19 15:08:11 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 19 Feb 2009 10:08:11 -0500
Subject: [Freeipa-devel] [PATCH] initial crack at machine join
In-Reply-To: <1234996331.6676.158.camel@jgd-dsk>
References: <499C83AF.90005@redhat.com> <1234996331.6676.158.camel@jgd-dsk>
Message-ID: <499D75DB.3060707@redhat.com>

Jason Gerard DeRose wrote:
> On Wed, 2009-02-18 at 16:54 -0500, Rob Crittenden wrote:
>> A minimal start at machine join. All this does currently is verify that
>> the host doesn't already exist (not joined) and if not, creates the host
>> and pulls down the service principal.
>>
>> This has a few new things to it:
>>
>> - It runs some things locally, some remotely
>> - A new exception is added, RootRequired. At some point we'll want to
>>   write to /etc/krb5.keytab
>> - executing commands on a client machine
>>
>> I'm writing the keytab to a file in /tmp for now and have the root
>> requirement disabled in order for easier testing.
>>
>> rob
>
> ack. Looks like a good start.

pushed to master

From rcritten at redhat.com Thu Feb 19 15:08:37 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 19 Feb 2009 10:08:37 -0500
Subject: [Freeipa-devel] [PATCH] add missing changes
In-Reply-To: <1234996357.6676.159.camel@jgd-dsk>
References: <499C87EF.7010403@redhat.com> <1234996357.6676.159.camel@jgd-dsk>
Message-ID: <499D75F5.5050208@redhat.com>

Jason Gerard DeRose wrote:
> On Wed, 2009-02-18 at 17:13 -0500, Rob Crittenden wrote:
>> I missed 2 files with the join patch. This adds the new exception and a
>> helper function for determining the local fqdn.
>>
>> rob
>
> ack.

pushed to master

From jderose at redhat.com Thu Feb 19 16:26:45 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Thu, 19 Feb 2009 09:26:45 -0700
Subject: [Freeipa-devel] [PATCH] add --all option to more commands
In-Reply-To: <499D756C.3070700@redhat.com>
References: <499C82B3.4090009@redhat.com> <1234995945.6676.143.camel@jgd-dsk> <499D756C.3070700@redhat.com>
Message-ID: <1235060805.7621.5.camel@jgd-dsk>

On Thu, 2009-02-19 at 10:06 -0500, Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
> > On Wed, 2009-02-18 at 16:50 -0500, Rob Crittenden wrote:
> >> Add the --all option to show/find in group, host and service. Normally
> >> we want to limit the attributes returned to the things that are
> >> interesting. --all returns the whole entry, warts and all.
> >>
> >> rob
> >
> > ack.
> >
> > I was thinking of adding the --all option into the new crud Retrieve and
> > Search base classes. What do you think about that?
>
> Sounds good. How will that affect a plugin writer providing additional
> options?

The new crud base classes all merge in the params from takes_args and
takes_options, so stuff should work as they would expect (see
Update.get_options() for example). This is also an easy way for us to
enforce consistent options and behavior for user-show, user-find, and
friends.

> rob

From rcritten at redhat.com Thu Feb 19 16:47:16 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 19 Feb 2009 11:47:16 -0500
Subject: [Freeipa-devel] Thoughts on tests (unit, integration, self-test)
In-Reply-To: <1235015314.9124.4.camel@jgd-dsk>
References: <1235015314.9124.4.camel@jgd-dsk>
Message-ID: <499D8D14.8070708@redhat.com>

Jason Gerard DeRose wrote:
> This is a brain dump on all things related to the freeIPA tests included
> in its source tree...
>
> One of my big goals with the Python code I've written for v2 is to make
> freeIPA easier to test (especially easier to quickly test as you code,
> while running everything in-tree). This is a challenging problem
> because running full blown freeIPA requires some fairly invasive
> configuration changes... you don't want to make these changes to your
> workstation unless you're actually part of an IPA realm, and if you're
> part of an IPA realm, you don't want to run these tests against (and
> possibly break) a production realm.

[ snip ]

I generally agree with this approach, particularly when it comes to
separating the integration tests from the unit tests. I like the idea
of selftests but I haven't yet wrapped my mind around it. I keep
thinking of Jurassic park where you are only testing what you are
expecting and therefore all tests pass (even though there are raptors
about to bite you).

I think we should have 2 types of integration testing too: lite and
full. Lite testing would utilize the python-litexml.py script and a
full test would test against Apache running the XML-RPC module. In
theory they should work the same way, this will confirm the theory. It
should be as simple as changing a config option on the client so
running one vs the other should be straightforward. It might be nice
to be able to run this with a remote IPA server as well as a local one
too.

So I think you are on the right track here, we just need to flesh out
what the SelfTest might look like. Would it essentially be one test
per-method or would we be able to fake negative testing too (to test
throwing exceptions)?

I gather you envision this as separate make-test scripts (or make
targets)?

I'm a little less jaded when it comes to setting up an environment. I
drop and re-create my IPA server on an almost daily basis it seems
testing one thing or another. Running in a VM is a good idea though
simply because IPA is so invasive in overwriting config files.

Great start.

rob

From rmeggins at redhat.com Thu Feb 19 17:02:36 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 19 Feb 2009 10:02:36 -0700
Subject: [Freeipa-devel] Thoughts on tests (unit, integration, self-test)
In-Reply-To: <499D8D14.8070708@redhat.com>
References: <1235015314.9124.4.camel@jgd-dsk> <499D8D14.8070708@redhat.com>
Message-ID: <499D90AC.8040104@redhat.com>

Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
>> This is a brain dump on all things related to the freeIPA tests included
>> in its source tree...
>>
>> One of my big goals with the Python code I've written for v2 is to make
>> freeIPA easier to test (especially easier to quickly test as you code,
>> while running everything in-tree). This is a challenging problem
>> because running full blown freeIPA requires some fairly invasive
>> configuration changes... you don't want to make these changes to your
>> workstation unless you're actually part of an IPA realm, and if you're
>> part of an IPA realm, you don't want to run these tests against (and
>> possibly break) a production realm.
>
> [ snip ]
>
> I generally agree with this approach, particularly when it comes to
> separating the integration tests from the unit tests. I like the idea
> of selftests but I haven't yet wrapped my mind around it. I keep
> thinking of Jurassic park where you are only testing what you are
> expecting and therefore all tests pass (even though there are raptors
> about to bite you).
>
> I think we should have 2 types of integration testing too: lite and
> full. Lite testing would utilize the python-litexml.py script and a
> full test would test against Apache running the XML-RPC module. In
> theory they should work the same way, this will confirm the theory. It
> should be as simple as changing a config option on the client so
> running one vs the other should be straightforward. It might be nice
> to be able to run this with a remote IPA server as well as a local one
> too.
>
> So I think you are on the right track here, we just need to flesh out
> what the SelfTest might look like. Would it essentially be one test
> per-method or would we be able to fake negative testing too (to test
> throwing exceptions)?
>
> I gather you envision this as separate make-test scripts (or make
> targets)?
>
> I'm a little less jaded when it comes to setting up an environment. I
> drop and re-create my IPA server on an almost daily basis it seems
> testing one thing or another. Running in a VM is a good idea though
> simply because IPA is so invasive in overwriting config files.

Another sort of half-way option - using mock to run tests. mock is
great if you need a full-blown OS file system with your packages
installed and you also need root access. mock can run any rhel or
fedora operating system (even 32-bit and 64-bit on a 64-bit machine).
mock is much more lightweight than running a VM. The only problem is
network connections e.g. you cannot have two directory servers running
at the same time both listening to port 389 - there are probably other
gotchas as well with hostnames (but some sort of /etc/hosts hack in the
chroot might be possible).

I have run the directory server acceptance test suite inside mock,
including such tests as 4 way MMR. It's pretty nifty to be able to use
mock to build and test packages in F-8, F-9, F-10, and even rhel
platforms, from a single machine with no VM.

>
> Great start.
>
> rob

From jhrozek at redhat.com Thu Feb 19 17:22:06 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 19 Feb 2009 18:22:06 +0100
Subject: [Freeipa-devel] [PATCHES] Support for RPM generation in SSSD
In-Reply-To: <1235004056.4449.50.camel@localhost.localdomain>
References: <499426A7.8090708@redhat.com> <4994310B.4050300@redhat.com> <1234450367.2488.34.camel@localhost.localdomain> <49943A42.6000902@redhat.com> <49948DC4.3090402@redhat.com> <1234992710.12447.6.camel@hendrix> <1235004056.4449.50.camel@localhost.localdomain>
Message-ID: <1235064126.24395.60.camel@dhcp-lab-121.englab.brq.redhat.com>

On Wed, 2009-02-18 at 19:40 -0500, Simo Sorce wrote:
> > rpmlint now outputs this:
> > ---
> > sssd.i386: W: no-documentation
> > sssd.i386: W: non-conffile-in-etc /etc/dbus-1/system.d/org.freeipa.sssd.infopipe.conf
>
> how does dbus mark these files ?

I don't think I follow you on this. Dbus doesn't own any of these files,
they are owned by different packages. Some of them mark them as %config,
some of them don't.. I tend not to think about it as typical
configuration file that should be edited by admin, so I didn't mark it
as %config, but I can be wrong.

> > sssd.i386: W: no-soname /usr/lib/libsss_proxy.so
> > sssd.i386: W: no-soname /usr/lib/memberof.so
> > sssd.i386: W: no-soname /usr/lib/libsysdb.so
>
> these libraries are in the wrong place for a start, they should be under
> a package private library path as they are never meant to be used by any
> other application, I tentatively put them under /ust/lib/sssd/ on my
> machine.
>
> > 1 packages and 0 specfiles checked; 0 errors, 5 warnings.
> > ---
> >
> > I think that's OK, there really is no documentation so far, dbus conf
> > files are typically not marked as %config and no-soname is not a
> > packaging issue, I think.
>
> See above, we should probably build these libraries versioned
> (.so.0.0.1), and then just make the .so a symlink anyway.
>

Done in the attached revision. There's a versioned library symlinked
from soname-named file (.so.0) and versionless (.so).

Also the macros are now called HAVE_INFOPIPE and HAVE_POLICYKIT as
Stephen suggested in the other mail.

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Adding-support-for-generating-RPMS-for-sssd.patch
Type: text/x-patch
Size: 15647 bytes
Desc: not available
URL:

From sgallagh at redhat.com Thu Feb 19 17:24:38 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 19 Feb 2009 12:24:38 -0500
Subject: [Freeipa-devel] [PATCHES] Support for RPM generation in SSSD
In-Reply-To: <1235064126.24395.60.camel@dhcp-lab-121.englab.brq.redhat.com>
References: <499426A7.8090708@redhat.com> <4994310B.4050300@redhat.com> <1234450367.2488.34.camel@localhost.localdomain> <49943A42.6000902@redhat.com> <49948DC4.3090402@redhat.com> <1234992710.12447.6.camel@hendrix> <1235004056.4449.50.camel@localhost.localdomain> <1235064126.24395.60.camel@dhcp-lab-121.englab.brq.redhat.com>
Message-ID: <499D95D6.8000803@redhat.com>

Jakub Hrozek wrote:
> On Wed, 2009-02-18 at 19:40 -0500, Simo Sorce wrote:
>>> rpmlint now outputs this:
>>> ---
>>> sssd.i386: W: no-documentation
>>> sssd.i386: W: non-conffile-in-etc /etc/dbus-1/system.d/org.freeipa.sssd.infopipe.conf
>>
>> how does dbus mark these files ?
>
> I don't think I follow you on this. Dbus doesn't own any of these files,
> they are owned by different packages. Some of them mark them as %config,
> some of them don't.. I tend not to think about it as typical
> configuration file that should be edited by admin, so I didn't mark it
> as %config, but I can be wrong.
>

I think you should consider this as a config file. The purpose of them
is to set the access control on the API. I'm going to be providing a set
of defaults that should be appropriate for most deployments, but it's
possible that an admin will want to edit it.

-- 
Stephen Gallagher
RHCE 804006346421761

From jdennis at redhat.com Thu Feb 19 17:58:12 2009
From: jdennis at redhat.com (John Dennis)
Date: Thu, 19 Feb 2009 12:58:12 -0500
Subject: [Freeipa-devel] Thoughts on tests (unit, integration, self-test)
In-Reply-To: <1235015314.9124.4.camel@jgd-dsk>
References: <1235015314.9124.4.camel@jgd-dsk>
Message-ID: <499D9DB4.1070103@redhat.com>

Jason Gerard DeRose wrote:
> So there's my ramblings. Thoughts?
>

Jason, this sounds great. I think it's a good approach and I'm
appreciative of your attention to testing and robustness throughout the
code lifecycle.

-- 
John Dennis

From rcritten at redhat.com Thu Feb 19 18:06:49 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 19 Feb 2009 13:06:49 -0500
Subject: [Freeipa-devel] Thoughts on tests (unit, integration, self-test)
In-Reply-To: <499D90AC.8040104@redhat.com>
References: <1235015314.9124.4.camel@jgd-dsk> <499D8D14.8070708@redhat.com> <499D90AC.8040104@redhat.com>
Message-ID: <499D9FB9.1080106@redhat.com>

Rich Megginson wrote:
> Rob Crittenden wrote:
>> Jason Gerard DeRose wrote:
>>> This is a brain dump on all things related to the freeIPA tests included
>>> in its source tree...
>>>
>>> One of my big goals with the Python code I've written for v2 is to make
>>> freeIPA easier to test (especially easier to quickly test as you code,
>>> while running everything in-tree). This is a challenging problem
>>> because running full blown freeIPA requires some fairly invasive
>>> configuration changes... you don't want to make these changes to your
>>> workstation unless you're actually part of an IPA realm, and if you're
>>> part of an IPA realm, you don't want to run these tests against (and
>>> possibly break) a production realm.
>>
>> [ snip ]
>>
>> I generally agree with this approach, particularly when it comes to
>> separating the integration tests from the unit tests. I like the idea
>> of selftests but I haven't yet wrapped my mind around it. I keep
>> thinking of Jurassic park where you are only testing what you are
>> expecting and therefore all tests pass (even though there are raptors
>> about to bite you).
>>
>> I think we should have 2 types of integration testing too: lite and
>> full. Lite testing would utilize the python-litexml.py script and a
>> full test would test against Apache running the XML-RPC module. In
>> theory they should work the same way, this will confirm the theory. It
>> should be as simple as changing a config option on the client so
>> running one vs the other should be straightforward. It might be nice
>> to be able to run this with a remote IPA server as well as a local one
>> too.
>>
>> So I think you are on the right track here, we just need to flesh out
>> what the SelfTest might look like. Would it essentially be one test
>> per-method or would we be able to fake negative testing too (to test
>> throwing exceptions)?
>>
>> I gather you envision this as separate make-test scripts (or make
>> targets)?
>>
>> I'm a little less jaded when it comes to setting up an environment. I
>> drop and re-create my IPA server on an almost daily basis it seems
>> testing one thing or another. Running in a VM is a good idea though
>> simply because IPA is so invasive in overwriting config files.
> Another sort of half-way option - using mock to run tests. mock is
> great if you need a full-blown OS file system with your packages
> installed and you also need root access. mock can run any rhel or
> fedora operating system (even 32-bit and 64-bit on a 64-bit machine).
> mock is much more lightweight than running a VM. The only problem is
> network connections e.g. you cannot have two directory servers running
> at the same time both listening to port 389 - there are probably other
> gotchas as well with hostnames (but some sort of /etc/hosts hack in the
> chroot might be possible).
>
> I have run the directory server acceptance test suite inside mock,
> including such tests as 4 way MMR. It's pretty nifty to be able to use
> mock to build and test packages in F-8, F-9, F-10, and even rhel
> platforms, from a single machine with no VM.
>

I actually thought about that but figured it would be too much of a pain to set up. Can you provide any details/tips?

thanks

rob

From rmeggins at redhat.com Thu Feb 19 18:19:18 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 19 Feb 2009 11:19:18 -0700
Subject: [Freeipa-devel] Thoughts on tests (unit, integration, self-test)
In-Reply-To: <499D9FB9.1080106@redhat.com>
References: <1235015314.9124.4.camel@jgd-dsk> <499D8D14.8070708@redhat.com> <499D90AC.8040104@redhat.com> <499D9FB9.1080106@redhat.com>
Message-ID: <499DA2A6.8010809@redhat.com>

Rob Crittenden wrote:
> Rich Megginson wrote:
>> Rob Crittenden wrote:
>>> Jason Gerard DeRose wrote:
>>>> This is a brain dump on all things related to the freeIPA tests
>>>> included
>>>> in its source tree...
>>>>
>>>> One of my big goals with the Python code I've written for v2 is to
>>>> make
>>>> freeIPA easier to test (especially easier to quickly test as you code,
>>>> while running everything in-tree). This is a challenging problem
>>>> because running full blown freeIPA requires some fairly invasive
>>>> configuration changes... you don't want to make these changes to your
>>>> workstation unless you're actually part of an IPA realm, and if you're
>>>> part of an IPA realm, you don't want to run these tests against (and
>>>> possibly break) a production realm.
>>>
>>> [ snip ]
>>>
>>> I generally agree with this approach, particularly when it comes to
>>> separating the integration tests from the unit tests. I like the
>>> idea of selftests but I haven't yet wrapped my mind around it. I
>>> keep thinking of Jurassic park where you are only testing what you
>>> are expecting and therefore all tests pass (even though there are
>>> raptors about to bite you).
>>>
>>> I think we should have 2 types of integration testing too: lite and
>>> full. Lite testing would utilize the python-litexml.py script and a
>>> full test would test against Apache running the XML-RPC module. In
>>> theory they should work the same way, this will confirm the theory.
>>> It should be as simple as changing a config option on the client so
>>> running one vs the other should be straightforward. It might be nice
>>> to be able to run this with a remote IPA server as well as a local
>>> one too.
>>>
>>> So I think you are on the right track here, we just need to flesh
>>> out what the SelfTest might look like. Would it essentially be one
>>> test per-method or would we be able to fake negative testing too (to
>>> test throwing exceptions)?
>>>
>>> I gather you envision this as separate make-test scripts (or make
>>> targets)?
>>>
>>> I'm a little less jaded when it comes to setting up an environment.
>>> I drop and re-create my IPA server on an almost daily basis it seems
>>> testing one thing or another. Running in a VM is a good idea though
>>> simply because IPA is so invasive in overwriting config files.
>> Another sort of half-way option - using mock to run tests. mock is
>> great if you need a full-blown OS file system with your packages
>> installed and you also need root access. mock can run any rhel or
>> fedora operating system (even 32-bit and 64-bit on a 64-bit
>> machine). mock is much more lightweight than running a VM. The only
>> problem is network connections e.g. you cannot have two directory
>> servers running at the same time both listening to port 389 - there
>> are probably other gotchas as well with hostnames (but some sort of
>> /etc/hosts hack in the chroot might be possible).
>>
>> I have run the directory server acceptance test suite inside mock,
>> including such tests as 4 way MMR. It's pretty nifty to be able to
>> use mock to build and test packages in F-8, F-9, F-10, and even rhel
>> platforms, from a single machine with no VM.
>>
>
> I actually thought about that but figured it would be too much of a
> pain to set up. Can you provide any details/tips?

https://fedoraproject.org/wiki/Projects/Mock - basic info and links to more detailed info

You'd basically do something like this:
edit the mock config (/etc/mock/*.cfg) to add a local yum repo e.g. file:///my/local/repo - copy the rpms you want to install and test into this repo and do a createrepo
mock -r platform --install packages you want to test
mock -r platform --shell -- sh -c /path/inside/chroot/testScript

>
> thanks
>
> rob

From jderose at redhat.com Thu Feb 19 19:09:03 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Thu, 19 Feb 2009 12:09:03 -0700
Subject: [Freeipa-devel] Thoughts on tests (unit, integration, self-test)
In-Reply-To: <499D8D14.8070708@redhat.com>
References: <1235015314.9124.4.camel@jgd-dsk> <499D8D14.8070708@redhat.com>
Message-ID: <1235070543.7621.47.camel@jgd-dsk>

On Thu, 2009-02-19 at 11:47 -0500, Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
> > This is a brain dump on all things related to the freeIPA tests included
> > in its source tree...
> >
> > One of my big goals with the Python code I've written for v2 is to make
> > freeIPA easier to test (especially easier to quickly test as you code,
> > while running everything in-tree). This is a challenging problem
> > because running full blown freeIPA requires some fairly invasive
> > configuration changes... you don't want to make these changes to your
> > workstation unless you're actually part of an IPA realm, and if you're
> > part of an IPA realm, you don't want to run these tests against (and
> > possibly break) a production realm.
>
> [ snip ]
>
> I generally agree with this approach, particularly when it comes to
> separating the integration tests from the unit tests. I like the idea of
> selftests but I haven't yet wrapped my mind around it. I keep thinking
> of Jurassic park where you are only testing what you are expecting and
> therefore all tests pass (even though there are raptors about to bite you).

Well, I'm trying to wrap my mind around how this made you think of Jurassic Park. ;)

The self-tests just fake the behavior of the backend plugins... the command plugins still do all the param normalization, conversion, and validation, and all the logic in Command.execute() is still getting checked. So it gives the code in the command plugin itself a full workout.

> I think we should have 2 types of integration testing too: lite and
> full. Lite testing would utilize the python-litexml.py script and a full
> test would test against Apache running the XML-RPC module. In theory
> they should work the same way, this will confirm the theory. It should
> be as simple as changing a config option on the client so running one vs
> the other should be straightforward. It might be nice to be able to run
> this with a remote IPA server as well as a local one too.

Agreed. It will be very good to know that lite-xmlrpc.py and Apache truly are behaving the same.

> So I think you are on the right track here, we just need to flesh out
> what the SelfTest might look like. Would it essentially be one test
> per-method or would we be able to fake negative testing too (to test
> throwing exceptions)?

A given command will have as many self-tests as it needs. So we would have a self-test for, say, user_show when the user doesn't exist and make sure user_show raises a NotFound exception.

If you look at the DummyMethod and DummyClass classes in tests/util.py... these implement a test-harness similar to what we need for the self-tests (at least for emulating the backend plugins). DummyClass.__process() checks that the calls are made in the right order to the right methods, with the right args and options. If the return value is an Exception instance, the exception is raised. Otherwise the return value is returned.

> I gather you envision this as separate make-test scripts (or make targets)?

Maybe we have "unittest" and "selftest" targets, and the "test" target will run both.

> I'm a little less jaded when it comes to setting up an environment. I
> drop and re-create my IPA server on an almost daily basis it seems
> testing one thing or another. Running in a VM is a good idea though
> simply because IPA is so invasive in overwriting config files.

Well, maybe I should be bolder about testing on my host system, but so far I just stick to the VM. Mostly I want the setup procedure to be codified so that the tests are easily repeatable by others.

> Great start.
>
> rob

From sgallagh at redhat.com Thu Feb 19 19:54:39 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 19 Feb 2009 14:54:39 -0500
Subject: [Freeipa-devel] [PATCHES] Support for RPM generation in SSSD
In-Reply-To: <1235004056.4449.50.camel@localhost.localdomain>
References: <499426A7.8090708@redhat.com> <4994310B.4050300@redhat.com> <1234450367.2488.34.camel@localhost.localdomain> <49943A42.6000902@redhat.com> <49948DC4.3090402@redhat.com> <1234992710.12447.6.camel@hendrix> <1235004056.4449.50.camel@localhost.localdomain>
Message-ID: <499DB8FF.4010309@redhat.com>

Simo Sorce wrote:
> how does dbus mark these files ?
>
>> sssd.i386: W: no-soname /usr/lib/libsss_proxy.so
>> sssd.i386: W: no-soname /usr/lib/memberof.so
>> sssd.i386: W: no-soname /usr/lib/libsysdb.so
>
> these libraries are in the wrong place for a start, they should be under
> a package private library path as they are never meant to be used by any
> other application, I tentatively put them under /ust/lib/sssd/ on my
> machine.
>

Simo and I discussed this off-list a little bit. Having libsysdb.so as a shared object doesn't make sense. We should have it as a static library instead.

--
Stephen Gallagher
RHCE 804006346421761

From sgallagh at redhat.com Thu Feb 19 20:13:50 2009
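The self-test approach Jason Gerard DeRose describes earlier in this thread (a fake backend that checks calls arrive in order with the right arguments, raises a scripted Exception instance and otherwise returns the scripted value), as an added example that is not FreeIPA code and not part of any message. ScriptedBackend, UserShow, BuggyUserShow and the backend method names find_dn/get_entry are hypothetical stand-ins for the real plugins.

```python
# Added illustration; ScriptedBackend, UserShow and the backend method names
# find_dn/get_entry are hypothetical stand-ins, not ipalib classes or calls.


class NotFound(Exception):
    """Backend error: the requested entry does not exist."""


class ValidationError(Exception):
    """Command error: a parameter failed validation."""


class ScriptedBackend:
    """Fake backend replaying (method, args, kwargs, result) steps in order."""

    def __init__(self, script):
        self._script = list(script)
        self._pos = 0

    def __getattr__(self, name):
        # Reached only for unknown attributes, i.e. backend method lookups.
        if name.startswith("_"):
            raise AttributeError(name)
        return lambda *args, **kwargs: self._process(name, args, kwargs)

    def _process(self, name, args, kwargs):
        if self._pos >= len(self._script):
            raise AssertionError("unscripted call: %s%r" % (name, args))
        expected = self._script[self._pos][:3]
        if (name, args, kwargs) != expected:
            raise AssertionError("step %d: expected %r, got %r"
                                 % (self._pos, expected, (name, args, kwargs)))
        result = self._script[self._pos][3]
        self._pos += 1
        if isinstance(result, Exception):
            raise result  # scripted failure, e.g. NotFound
        return result

    def assert_done(self):
        """Fail if the command skipped calls the script expected."""
        if self._pos != len(self._script):
            raise AssertionError("%d scripted call(s) never made"
                                 % (len(self._script) - self._pos))


class UserShow:
    """Toy command: normalization and validation are real, the backend is not."""

    def __init__(self, backend):
        self.backend = backend

    def execute(self, uid):
        uid = uid.strip().lower()      # normalization
        if not uid.isalnum():          # validation, before any backend call
            raise ValidationError("uid must be alphanumeric: %r" % uid)
        dn = self.backend.find_dn(uid)
        return self.backend.get_entry(dn)


class BuggyUserShow(UserShow):
    """Regression the harness must catch: normalization was dropped."""

    def execute(self, uid):
        return self.backend.get_entry(self.backend.find_dn(uid))


DN = "uid=jdoe,cn=users,dc=example,dc=com"  # constructed sample value
FOUND_SCRIPT = [
    ("find_dn", ("jdoe",), {}, DN),
    ("get_entry", (DN,), {}, {"uid": "jdoe", "cn": "John Doe"}),
]


def selftest_found(command_cls=UserShow):
    backend = ScriptedBackend(FOUND_SCRIPT)
    entry = command_cls(backend).execute("  JDoe ")
    backend.assert_done()
    return entry


def selftest_not_found():
    backend = ScriptedBackend([("find_dn", ("ghost",), {}, NotFound("ghost"))])
    try:
        UserShow(backend).execute("ghost")
    except NotFound:
        backend.assert_done()
        return True
    return False


def selftest_bad_uid_never_reaches_backend():
    backend = ScriptedBackend([])  # any backend call is a failure
    try:
        UserShow(backend).execute("bad uid!")
    except ValidationError:
        backend.assert_done()
        return True
    return False


if __name__ == "__main__":
    print(selftest_found())
    print(selftest_not_found(), selftest_bad_uid_never_reaches_backend())
```

Because every call is matched against the script, a command that stops normalizing its input fails the self-test instead of passing quietly, which speaks to the "only testing what you expect" concern raised in the thread.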
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 19 Feb 2009 15:13:50 -0500
Subject: [Freeipa-devel] [PATCH] [SSSD] Initial InfoPipe framework
Message-ID: <499DBD7E.1080807@redhat.com>

The attached patch lays out the basic structure of the code for the InfoPipe, specifies the function prototypes for the public D-BUS methods, sets up the connection to the system bus and updates the D-BUS service config file.

The next steps will be to implement the individual methods.

--
Stephen Gallagher
RHCE 804006346421761

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Adding-initial-framework-for-the-InfoPipe.patch
URL:

From rcritten at redhat.com Thu Feb 19 22:22:35 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 19 Feb 2009 17:22:35 -0500
Subject: [Freeipa-devel] [PATCH] fix up some exception calls
Message-ID: <499DDBAB.6030704@redhat.com>

Fix up the way a couple of exceptions are raised to be done the right way (TM).

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-132-exception.patch
Type: application/mbox
Size: 1675 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Feb 19 22:27:43 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 19 Feb 2009 17:27:43 -0500
Subject: [Freeipa-devel] [PATCH] Use OpenSSL
Message-ID: <499DDCDF.4000204@redhat.com>

Use OpenSSL as the SSL provider instead of the built-in python version so we can validate the CA.

We can probably switch to python-nss when F9 is EOL'd

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-133-openssl.patch
Type: application/mbox
Size: 7023 bytes
Desc: not available
URL:

From jderose at redhat.com Fri Feb 20 02:14:44 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Thu, 19 Feb 2009 19:14:44 -0700
Subject: [Freeipa-devel] [PATCH] fix up some exception calls
In-Reply-To: <499DDBAB.6030704@redhat.com>
References: <499DDBAB.6030704@redhat.com>
Message-ID: <1235096084.9872.0.camel@jgd-dsk>

On Thu, 2009-02-19 at 17:22 -0500, Rob Crittenden wrote:
> Fix up the way a couple of exceptions are raised to be done the right
> way (TM).
>
> rob

ack.

From jderose at redhat.com Fri Feb 20 07:53:38 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Fri, 20 Feb 2009 00:53:38 -0700
Subject: [Freeipa-devel] [PATCH] Use OpenSSL
In-Reply-To: <499DDCDF.4000204@redhat.com>
References: <499DDCDF.4000204@redhat.com>
Message-ID: <1235116418.7572.4.camel@jgd-dsk>

On Thu, 2009-02-19 at 17:27 -0500, Rob Crittenden wrote:
> Use OpenSSL as the SSL provider instead of the built-in python
> version
> so we can validate the CA.
>
> We can probably switch to python-nss when F9 is EOL'd
>
> rob

ack, but I didn't test it under Apache yet.

Rob, we should change the lite-xmlrpc.py script to use SSL so it's easy to test this part of the code path in-tree. I'll ping you tomorrow and we can try to get it working.

From pzuna at redhat.com Fri Feb 20 13:07:12 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Fri, 20 Feb 2009 14:07:12 +0100
Subject: [Freeipa-devel] [PATCH] Add ipalib.frontend.Command method to build an entry from params with attribute=True.
Message-ID: <499EAB00.5050004@redhat.com>

Add ipalib.frontend.Command method to build an entry from params with attribute=True
Modify crud Method base classes to yield params cloned with attribute=True.

Often plugins need to build entries from params. This should make things a bit easier.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Add-ipalib.frontend.Command-method-to-build-an-entry.patch
URL:

From rcritten at redhat.com Fri Feb 20 15:40:08 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 Feb 2009 10:40:08 -0500
Subject: [Freeipa-devel] [PATCH] fix up some exception calls
In-Reply-To: <1235096084.9872.0.camel@jgd-dsk>
References: <499DDBAB.6030704@redhat.com> <1235096084.9872.0.camel@jgd-dsk>
Message-ID: <499ECED8.7020509@redhat.com>

Jason Gerard DeRose wrote:
> On Thu, 2009-02-19 at 17:22 -0500, Rob Crittenden wrote:
>> Fix up the way a couple of exceptions are raised to be done the right
>> way (TM).
>>
>> rob
>
> ack.

pushed to master

From rcritten at redhat.com Fri Feb 20 15:40:53 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 Feb 2009 10:40:53 -0500
Subject: [Freeipa-devel] [PATCH] Use OpenSSL
In-Reply-To: <1235116418.7572.4.camel@jgd-dsk>
References: <499DDCDF.4000204@redhat.com> <1235116418.7572.4.camel@jgd-dsk>
Message-ID: <499ECF05.9040407@redhat.com>

Jason Gerard DeRose wrote:
> On Thu, 2009-02-19 at 17:27 -0500, Rob Crittenden wrote:
>> Use OpenSSL as the SSL provider instead of the built-in python
>> version
>> so we can validate the CA.
>>
>> We can probably switch to python-nss when F9 is EOL'd
>>
>> rob
>
> ack, but I didn't test it under Apache yet.
>
> Rob, we should change the lite-xmlrpc.py script to use SSL so it's easy
> to test this part of the code path in-tree. I'll ping you tomorrow and
> we can try to get it working.

Ok.

pushed to master

From sgallagh at redhat.com Fri Feb 20 16:00:58 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 20 Feb 2009 11:00:58 -0500
Subject: [Freeipa-devel] [PATCH] [SSSD] Initial InfoPipe framework
In-Reply-To: <499DBD7E.1080807@redhat.com>
References: <499DBD7E.1080807@redhat.com>
Message-ID: <499ED3BA.1010403@redhat.com>

Stephen Gallagher wrote:
> The attached patch lays out the basic structure of the code for the
> InfoPipe, specifies the function prototypes for the public D-BUS methods
> sets up the connection to the system bus and updates the D-BUS service
> config file.
>
> The next steps will be to implement the individual methods.
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Attaching a new version of the patch. I made some changes to the sbus_message_handler to allow for the special case of D-BUS introspection (useful for sysbus.c). I also updated the Introspection XML to include reference to a CheckPermissions method.

--
Stephen Gallagher
RHCE 804006346421761

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Adding-initial-framework-for-the-InfoPipe.patch
URL:

From rcritten at redhat.com Fri Feb 20 16:25:28 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 Feb 2009 11:25:28 -0500
Subject: [Freeipa-devel] [PATCH] Add ipalib.frontend.Command method to build an entry from params with attribute=True.
In-Reply-To: <499EAB00.5050004@redhat.com>
References: <499EAB00.5050004@redhat.com>
Message-ID: <499ED978.9070801@redhat.com>

Pavel Zuna wrote:
> Add ipalib.frontend.Command method to build an entry from params with
> attribute=True
> Modify crud Method base classes to yield params cloned with attribute=True.
>
> Often plugins need to build entries from params. This should make things
> a bit easier.

How will this be used? Will a plugin author call it directly?

rob

From jhrozek at redhat.com Fri Feb 20 16:34:42 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 20 Feb 2009 17:34:42 +0100
Subject: [Freeipa-devel] [PATCHES] Support for RPM generation in SSSD
In-Reply-To: <499DB8FF.4010309@redhat.com>
References: <499426A7.8090708@redhat.com> <4994310B.4050300@redhat.com> <1234450367.2488.34.camel@localhost.localdomain> <49943A42.6000902@redhat.com> <49948DC4.3090402@redhat.com> <1234992710.12447.6.camel@hendrix> <1235004056.4449.50.camel@localhost.localdomain> <499DB8FF.4010309@redhat.com>
Message-ID: <1235147682.5059.2.camel@hendrix>

On Thu, 2009-02-19 at 14:54 -0500, Stephen Gallagher wrote:
> Simo and I discussed this off-list a little bit. Having libsysdb.so as
> a
> shared object doesn't make sense. We should have it as a static
> library
> instead.
>

OK, another revision, hopefully I got everything straightened out:
* the dbus config file is now marked as %config
* libsysdb is now a static library

Jakub

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Adding-support-for-generating-RPMS-for-sssd.patch
Type: application/mbox
Size: 16097 bytes
Desc:
URL:

From sgallagh at redhat.com Fri Feb 20 16:55:15 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 20 Feb 2009 11:55:15 -0500
Subject: [Freeipa-devel] [PATCHES] Support for RPM generation in SSSD
In-Reply-To: <1235147682.5059.2.camel@hendrix>
References: <499426A7.8090708@redhat.com> <4994310B.4050300@redhat.com> <1234450367.2488.34.camel@localhost.localdomain> <49943A42.6000902@redhat.com> <49948DC4.3090402@redhat.com> <1234992710.12447.6.camel@hendrix> <1235004056.4449.50.camel@localhost.localdomain> <499DB8FF.4010309@redhat.com> <1235147682.5059.2.camel@hendrix>
Message-ID: <499EE073.6010203@redhat.com>

Jakub Hrozek wrote:
> On Thu, 2009-02-19 at 14:54 -0500, Stephen Gallagher wrote:
>> Simo and I discussed this off-list a little bit. Having libsysdb.so as
>> a
>> shared object doesn't make sense. We should have it as a static
>> library
>> instead.
>>
>
> OK, another revision, hopefully I got everything straightened out:
> * the dbus config file is now marked as %config
> * libsysdb is now a static library
>
> Jakub

Only one last suggestion: remove my name from the Changelog, since you're the one doing the packaging.

Other than that, this looks good to me.

--
Stephen Gallagher
RHCE 804006346421761

From jderose at redhat.com Fri Feb 20 17:33:46 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Fri, 20 Feb 2009 10:33:46 -0700
Subject: [Freeipa-devel] [PATCH] Add ipalib.frontend.Command method to build an entry from params with attribute=True.
In-Reply-To: <499EAB00.5050004@redhat.com>
References: <499EAB00.5050004@redhat.com>
Message-ID: <1235151226.7560.0.camel@jgd-dsk>

On Fri, 2009-02-20 at 14:07 +0100, Pavel Zuna wrote:
> Add ipalib.frontend.Command method to build an entry from params with
> attribute=True
> Modify crud Method base classes to yield params cloned with attribute=True.
>
> Often plugins need to build entries from params. This should make things
> a bit easier.

ack.

From jderose at redhat.com Fri Feb 20 17:41:21 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Fri, 20 Feb 2009 10:41:21 -0700
Subject: [Freeipa-devel] [PATCH] Add ipalib.frontend.Command method to build an entry from params with attribute=True.
In-Reply-To: <499ED978.9070801@redhat.com>
References: <499EAB00.5050004@redhat.com> <499ED978.9070801@redhat.com>
Message-ID: <1235151681.7560.7.camel@jgd-dsk>

On Fri, 2009-02-20 at 11:25 -0500, Rob Crittenden wrote:
> Pavel Zuna wrote:
> > Add ipalib.frontend.Command method to build an entry from params with
> > attribute=True
> > Modify crud Method base classes to yield params cloned with attribute=True.
> >
> > Often plugins need to build entries from params. This should make things
> > a bit easier.
>
> How will this be used? Will a plugin author call it directly?
>
> rob

Yes, instead of the manual work being done in a plugin's execute() method to assemble the entry, the plugin author makes a call to args_options_2_entry(). This also makes things more pluggable... if the plugin was making the entry by popping known flags (or other non-attributes) out of a dict, new flags/non-attributes can be added (like in a base class) without requiring every execute() method to be updated. Same thing if new attributes are added.

From rcritten at redhat.com Fri Feb 20 18:07:34 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 Feb 2009 13:07:34 -0500
Subject: [Freeipa-devel] [PATCH] Add ipalib.frontend.Command method to build an entry from params with attribute=True.
In-Reply-To: <1235151681.7560.7.camel@jgd-dsk>
References: <499EAB00.5050004@redhat.com> <499ED978.9070801@redhat.com> <1235151681.7560.7.camel@jgd-dsk>
Message-ID: <499EF166.7020103@redhat.com>

Jason Gerard DeRose wrote:
> On Fri, 2009-02-20 at 11:25 -0500, Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> Add ipalib.frontend.Command method to build an entry from params with
>>> attribute=True
>>> Modify crud Method base classes to yield params cloned with attribute=True.
>>>
>>> Often plugins need to build entries from params. This should make things
>>> a bit easier.
>> How will this be used? Will a plugin author call it directly?
>>
>> rob
>
> Yes, instead of the manual work being done in a plugin's execute()
> method to assemble the entry, the plugin author makes a call to
> args_options_2_entry(). This also makes things more plugable... if the
> plugin was making the entry by popping known flags (or other
> non-attributes) out of a dict, new flags/non-attributes can be added
> (like in a base class) without requiring every execute() method to be
> updated. Same thing if new attributes are added.

Ok, the code doesn't seem to work for me. I took the user plugin and added this at the top of user_add():

    def execute(self, uid, **kw):
        assert 'uid' not in kw
        assert 'dn' not in kw
        ldap = self.api.Backend.ldap

        entry = self.args_options_2_entry(uid, **kw)

And it fails with this truncated back trace:

  File "/home/rcrit/redhat/merge/freeipa/ipalib/frontend.py", line 188, in __attributes_2_entry
    if p.attribute and p.name in kw:
AttributeError: 'str' object has no attribute 'attribute'

At this point we don't have params anymore, they have already been converted, validated, etc. Unless I'm misusing this call.

rob

From sgallagh at redhat.com Fri Feb 20 18:18:16 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 20 Feb 2009 13:18:16 -0500
Subject: [Freeipa-devel] [PATCH] [SSSD] Initial InfoPipe framework
In-Reply-To: <499ED3BA.1010403@redhat.com>
References: <499DBD7E.1080807@redhat.com> <499ED3BA.1010403@redhat.com>
Message-ID: <499EF3E8.9080706@redhat.com>

Stephen Gallagher wrote:
> Stephen Gallagher wrote:
>> The attached patch lays out the basic structure of the code for the
>> InfoPipe, specifies the function prototypes for the public D-BUS methods
>> sets up the connection to the system bus and updates the D-BUS service
>> config file.
>>
>> The next steps will be to implement the individual methods.
>
> Attaching a new version of the patch. I made some changes to the
> sbus_message_handler to allow for the special case of D-BUS
> introspection (useful for sysbus.c). I also updated the Introspection
> XML to include reference to a CheckPermissions method.

Sorry, just one more version of this patch. I forgot to include the D-BUS interface versioning as outlined here:
http://0pointer.de/blog/projects/versioning-dbus.html

This was recommended by the desktop team. The only change from the previous patch is that all of the methods have the version number appended to their name.

--
Stephen Gallagher
RHCE 804006346421761

From sgallagh at redhat.com Fri Feb 20 18:47:52 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 20 Feb 2009 13:47:52 -0500
Subject: [Freeipa-devel] [PATCH] [SSSD] Initial InfoPipe framework
In-Reply-To: <499EF3E8.9080706@redhat.com>
References: <499DBD7E.1080807@redhat.com> <499ED3BA.1010403@redhat.com> <499EF3E8.9080706@redhat.com>
Message-ID: <499EFAD8.3000401@redhat.com>

Stephen Gallagher wrote:
> Stephen Gallagher wrote:
>> Stephen Gallagher wrote:
>>> The attached patch lays out the basic structure of the code for the
>>> InfoPipe, specifies the function prototypes for the public D-BUS methods
>>> sets up the connection to the system bus and updates the D-BUS service
>>> config file.
>>>
>>> The next steps will be to implement the individual methods.
>>
>> Attaching a new version of the patch. I made some changes to the
>> sbus_message_handler to allow for the special case of D-BUS
>> introspection (useful for sysbus.c). I also updated the Introspection
>> XML to include reference to a CheckPermissions method.
>
> Sorry, just one more version of this patch. I forgot to include the
> D-BUS interface versioning as outlined here:
> http://0pointer.de/blog/projects/versioning-dbus.html
>
> This was recommended by the desktop team. The only changes from the
> previous patch is that all of the methods have the version number
> appended to their name.
>

I lied. One more version. I forgot to update the D-BUS .service file to match the new versioning names.

Full patch attached... again.

--
Stephen Gallagher
RHCE 804006346421761

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Adding-initial-framework-for-the-InfoPipe.patch
URL:

From sgallagh at redhat.com Fri Feb 20 20:38:38 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 20 Feb 2009 15:38:38 -0500
Subject: [Freeipa-devel] [PATCH] [SSSD] Initial InfoPipe framework
In-Reply-To: <499EFAD8.3000401@redhat.com>
References: <499DBD7E.1080807@redhat.com> <499ED3BA.1010403@redhat.com> <499EF3E8.9080706@redhat.com> <499EFAD8.3000401@redhat.com>
Message-ID: <499F14CE.1030809@redhat.com>

In an off-list review, Simo requested that I not move the sysbus code into util, since at present it's only being used for the InfoPipe.

New patch.

--
Stephen Gallagher
RHCE 804006346421761

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Adding-initial-framework-for-the-InfoPipe.patch
URL:

From ssorce at redhat.com Fri Feb 20 23:37:29 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 20 Feb 2009 18:37:29 -0500
Subject: [Freeipa-devel] [PATCH] Add optional support for enumeration and group retrieval in sssd_nss
In-Reply-To: <1234856993.4449.16.camel@localhost.localdomain>
References: <1234856993.4449.16.camel@localhost.localdomain>
Message-ID: <1235173049.28055.8.camel@localhost.localdomain>

I retired this patch and pushed another set of more complex patches.
I am going to integrate the other patches from Jakub and Steven next,
before jumping at some other code.

On Tue, 2009-02-17 at 07:49 +0000, Simo Sorce wrote:
> It's certainly not perfect, but should be good enough and a jump start
> for other work needed in the dp and the backends
>
> Simo.

--
Simo Sorce * Red Hat, Inc * New York

From pzuna at redhat.com Mon Feb 23 11:12:12 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Mon, 23 Feb 2009 12:12:12 +0100
Subject: [Freeipa-devel] [PATCH] Add ipalib.frontend.Command method to build an entry from params with attribute=True.
Message-ID: <49A2848C.1010308@redhat.com>

Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
>> On Fri, 2009-02-20 at 11:25 -0500, Rob Crittenden wrote:
>>> Pavel Zuna wrote:
>>>> Add ipalib.frontend.Command method to build an entry from params with
>>>> attribute=True
>>>> Modify crud Method base classes to yield params cloned with attribute=True.
>>>>
>>>> Often plugins need to build entries from params. This should make things
>>>> a bit easier.
>>> How will this be used? Will a plugin author call it directly?
>>>
>>> rob
>>
>> Yes, instead of the manual work being done in a plugin's execute()
>> method to assemble the entry, the plugin author makes a call to
>> args_options_2_entry(). This also makes things more pluggable... if the
>> plugin was making the entry by popping known flags (or other
>> non-attributes) out of a dict, new flags/non-attributes can be added
>> (like in a base class) without requiring every execute() method to be
>> updated. Same thing if new attributes are added.
>
> Ok, the code doesn't seem to work for me. I took the user plugin and
> added this at the top of user_add():
>
>     def execute(self, uid, **kw):
>         assert 'uid' not in kw
>         assert 'dn' not in kw
>         ldap = self.api.Backend.ldap
>         entry = self.args_options_2_entry(uid, **kw)
>
> And it fails with this truncated back trace:
>
>   File "/home/rcrit/redhat/merge/freeipa/ipalib/frontend.py", line 188, in __attributes_2_entry
>     if p.attribute and p.name in kw:
> AttributeError: 'str' object has no attribute 'attribute'
>
> At this point we don't have params anymore, they have already been
> converted, validated, etc. Unless I'm misusing this call.
>
> rob

My mistake, I admit I didn't test it properly. I'll try not to rush things next time.
I've attached a working patch to this e-mail. Sorry for the inconvenience.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-ipalib.frontend.Command-method-to-build-an-entry.patch
Type: application/octet-stream
Size: 1173 bytes
Desc: not available
URL:

From sgallagh at redhat.com Mon Feb 23 14:33:16 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 23 Feb 2009 09:33:16 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Combined InfoPipe patch
Message-ID: <49A2B3AC.3040500@redhat.com>

Merged two patches I had for the InfoPipe beginnings, one was for
setting up the InfoPipe on the D-BUS system bus and the other was the
earlier patch to this list.

Additionally, I updated the sysdb-tests.c to use the refactored sysdb
methods.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Attach-the-InfoPipe-to-the-D-BUS-system-bus.patch
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
URL:

From ssorce at redhat.com Mon Feb 23 15:10:36 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 23 Feb 2009 10:10:36 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Combined InfoPipe patch
In-Reply-To: <49A2B3AC.3040500@redhat.com>
References: <49A2B3AC.3040500@redhat.com>
Message-ID: <1235401836.3749.2.camel@localhost.localdomain>

On Mon, 2009-02-23 at 09:33 -0500, Stephen Gallagher wrote:
> Merged two patches I had for the InfoPipe beginnings, one was for
> setting up the InfoPipe on the D-BUS system bus and the other was the
> earlier patch to this list.
>
> Additionally, I updated the sysdb-tests.c to use the refactored sysdb
> methods.

ack and pushed.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jhrozek at redhat.com Mon Feb 23 16:02:32 2009
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 23 Feb 2009 17:02:32 +0100 Subject: [Freeipa-devel] [PATCHES] Support for RPM generation in SSSD In-Reply-To: <1235147682.5059.2.camel@hendrix> References: <499426A7.8090708@redhat.com> <4994310B.4050300@redhat.com> <1234450367.2488.34.camel@localhost.localdomain> <49943A42.6000902@redhat.com> <49948DC4.3090402@redhat.com> <1234992710.12447.6.camel@hendrix> <1235004056.4449.50.camel@localhost.localdomain> <499DB8FF.4010309@redhat.com> <1235147682.5059.2.camel@hendrix> Message-ID: <1235404952.31771.32.camel@zeppelin.englab.brq.redhat.com> On Fri, 2009-02-20 at 17:34 +0100, Jakub Hrozek wrote: > OK, another revision, hopefully I got everything straightened out: Patch rebased against master, resolved conflicts with Simo's latest changes w.r.t libsysdb packaging. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Adding-support-for-generating-RPMS-for-sssd.patch Type: text/x-patch Size: 14185 bytes Desc: not available URL: From rcritten at redhat.com Mon Feb 23 16:45:19 2009 
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 23 Feb 2009 11:45:19 -0500
Subject: [Freeipa-devel] [PATCH] Add ipalib.frontend.Command method to build an entry from params with attribute=True.
In-Reply-To: <49A2848C.1010308@redhat.com>
References: <49A2848C.1010308@redhat.com>
Message-ID: <49A2D29F.2080604@redhat.com>

Pavel Zuna wrote:
> Rob Crittenden wrote:
>> Jason Gerard DeRose wrote:
>>> On Fri, 2009-02-20 at 11:25 -0500, Rob Crittenden wrote:
>>>> Pavel Zuna wrote:
>>>>> Add ipalib.frontend.Command method to build an entry from params
>>>>> with attribute=True
>>>>> Modify crud Method base classes to yield params cloned with
>>>>> attribute=True.
>>>>>
>>>>> Often plugins need to build entries from params. This should make
>>>>> things a bit easier.
>>>> How will this be used? Will a plugin author call it directly?
>>>>
>>>> rob
>>>
>>> Yes, instead of the manual work being done in a plugin's execute()
>>> method to assemble the entry, the plugin author makes a call to
>>> args_options_2_entry(). This also makes things more pluggable... if the
>>> plugin was making the entry by popping known flags (or other
>>> non-attributes) out of a dict, new flags/non-attributes can be added
>>> (like in a base class) without requiring every execute() method to be
>>> updated. Same thing if new attributes are added.
>>
>> Ok, the code doesn't seem to work for me. I took the user plugin and
>> added this at the top of user_add():
>>
>>     def execute(self, uid, **kw):
>>         assert 'uid' not in kw
>>         assert 'dn' not in kw
>>         ldap = self.api.Backend.ldap
>>         entry = self.args_options_2_entry(uid, **kw)
>>
>> And it fails with this truncated back trace:
>>
>>   File "/home/rcrit/redhat/merge/freeipa/ipalib/frontend.py", line 188, in __attributes_2_entry
>>     if p.attribute and p.name in kw:
>> AttributeError: 'str' object has no attribute 'attribute'
>>
>> At this point we don't have params anymore, they have already been
>> converted, validated, etc. Unless I'm misusing this call.
>>
>> rob
>
> My mistake, I admit I didn't test it properly. I'll try not to rush
> things next time.
> I've attached a working patch to this e-mail. Sorry for the inconvenience.

This works but lacks setting param.attribute=True by default. I thought
that was a good idea as I think the majority of things we query for will
be attributes. Can you add that part back in?

rob

From jhrozek at redhat.com Mon Feb 23 17:52:54 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 23 Feb 2009 18:52:54 +0100
Subject: [Freeipa-devel] [PATCH] Add missing buildrequires for freeipa
Message-ID: <1235411574.31771.50.camel@zeppelin.englab.brq.redhat.com>

Noticed this when I installed a new workstation with a fresh package
list.

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-missing-buildrequires.patch
Type: text/x-patch
Size: 728 bytes
Desc: not available
URL:

From pzuna at redhat.com Mon Feb 23 18:22:06 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Mon, 23 Feb 2009 19:22:06 +0100
Subject: [Freeipa-devel] [PATCH] Add ipalib.frontend.Command method to build an entry from params with attribute=True.
In-Reply-To: <49A2D29F.2080604@redhat.com>
References: <49A2848C.1010308@redhat.com> <49A2D29F.2080604@redhat.com>
Message-ID: <49A2E94E.5010608@redhat.com>

Rob Crittenden wrote:
> Pavel Zuna wrote:
>> Rob Crittenden wrote:
>>> Jason Gerard DeRose wrote:
>>>> On Fri, 2009-02-20 at 11:25 -0500, Rob Crittenden wrote:
>>>>> Pavel Zuna wrote:
>>>>>> Add ipalib.frontend.Command method to build an entry from params
>>>>>> with attribute=True
>>>>>> Modify crud Method base classes to yield params cloned with
>>>>>> attribute=True.
>>>>>>
>>>>>> Often plugins need to build entries from params. This should make
>>>>>> things a bit easier.
>>>>> How will this be used? Will a plugin author call it directly?
>>>>>
>>>>> rob
>>>>
>>>> Yes, instead of the manual work being done in a plugin's execute()
>>>> method to assemble the entry, the plugin author makes a call to
>>>> args_options_2_entry(). This also makes things more pluggable... if the
>>>> plugin was making the entry by popping known flags (or other
>>>> non-attributes) out of a dict, new flags/non-attributes can be added
>>>> (like in a base class) without requiring every execute() method to be
>>>> updated. Same thing if new attributes are added.
>>>
>>> Ok, the code doesn't seem to work for me. I took the user plugin and
>>> added this at the top of user_add():
>>>
>>>     def execute(self, uid, **kw):
>>>         assert 'uid' not in kw
>>>         assert 'dn' not in kw
>>>         ldap = self.api.Backend.ldap
>>>         entry = self.args_options_2_entry(uid, **kw)
>>>
>>> And it fails with this truncated back trace:
>>>
>>>   File "/home/rcrit/redhat/merge/freeipa/ipalib/frontend.py", line 188, in __attributes_2_entry
>>>     if p.attribute and p.name in kw:
>>> AttributeError: 'str' object has no attribute 'attribute'
>>>
>>> At this point we don't have params anymore, they have already been
>>> converted, validated, etc. Unless I'm misusing this call.
>>>
>>> rob
>>
>> My mistake, I admit I didn't test it properly. I'll try not to rush
>> things next time.
>> I've attached a working patch to this e-mail. Sorry for the
>> inconvenience.
>
> This works but lacks setting param.attribute=True by default. I thought
> that was a good idea as I think the majority of things we query for will
> be attributes. Can you add that part back in?
>
> rob

Oh, I forgot about that. It should also work for multivalue params now.
Talking of which, there was a small bug. Multivalue params required default
values to be of the same type as the param itself instead of tuple. I fixed
it in a separate patch.

Also, I had this idea. We could introduce a new kwarg into Param. Let's call
it 'auto' (or 'hidden') for now. It would be a combination of 'required',
'autofill' and 'default', but the user wouldn't be able to see/set it. The
point is to automatically generate static or predictable attributes like
objectClass or dn. For example:

takes_options=(
    #...
    Str('objectclass',
        multivalue=True,
        attribute=True,
        auto=(u'top', u'ipaUser'),
    ),
    #...
)

What do you think?

Pavel
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Add-ipalib.frontend.Command-method-to-build-an-entry.patch
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Fix-multivalue-params-requiring-default-to-be-of-typ.patch
URL:

From rcritten at redhat.com Mon Feb 23 18:48:41 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 23 Feb 2009 13:48:41 -0500
Subject: [Freeipa-devel] [PATCH] Add ipalib.frontend.Command method to build an entry from params with attribute=True.
In-Reply-To: <49A2E94E.5010608@redhat.com>
References: <49A2848C.1010308@redhat.com> <49A2D29F.2080604@redhat.com> <49A2E94E.5010608@redhat.com>
Message-ID: <49A2EF89.6020500@redhat.com>

Pavel Zuna wrote:
> Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> Rob Crittenden wrote:
>>>> Jason Gerard DeRose wrote:
>>>>> On Fri, 2009-02-20 at 11:25 -0500, Rob Crittenden wrote:
>>>>>> Pavel Zuna wrote:
>>>>>>> Add ipalib.frontend.Command method to build an entry from params
>>>>>>> with attribute=True
>>>>>>> Modify crud Method base classes to yield params cloned with
>>>>>>> attribute=True.
>>>>>>>
>>>>>>> Often plugins need to build entries from params. This should make
>>>>>>> things a bit easier.
>>>>>> How will this be used? Will a plugin author call it directly?
>>>>>>
>>>>>> rob
>>>>>
>>>>> Yes, instead of the manual work being done in a plugin's execute()
>>>>> method to assemble the entry, the plugin author makes a call to
>>>>> args_options_2_entry(). This also makes things more pluggable... if
>>>>> the
>>>>> plugin was making the entry by popping known flags (or other
>>>>> non-attributes) out of a dict, new flags/non-attributes can be added
>>>>> (like in a base class) without requiring every execute() method to be
>>>>> updated. Same thing if new attributes are added.
>>>>
>>>> Ok, the code doesn't seem to work for me. I took the user plugin and
>>>> added this at the top of user_add():
>>>>
>>>>     def execute(self, uid, **kw):
>>>>         assert 'uid' not in kw
>>>>         assert 'dn' not in kw
>>>>         ldap = self.api.Backend.ldap
>>>>         entry = self.args_options_2_entry(uid, **kw)
>>>>
>>>> And it fails with this truncated back trace:
>>>>
>>>>   File "/home/rcrit/redhat/merge/freeipa/ipalib/frontend.py", line 188, in __attributes_2_entry
>>>>     if p.attribute and p.name in kw:
>>>> AttributeError: 'str' object has no attribute 'attribute'
>>>>
>>>> At this point we don't have params anymore, they have already been
>>>> converted, validated, etc. Unless I'm misusing this call.
>>>>
>>>> rob
>>>
>>> My mistake, I admit I didn't test it properly. I'll try not to rush
>>> things next time.
>>> I've attached a working patch to this e-mail. Sorry for the
>>> inconvenience.
>>
>> This works but lacks setting param.attribute=True by default. I
>> thought that was a good idea as I think the majority of things we
>> query for will be attributes. Can you add that part back in?
>>
>> rob
>
> Oh, I forgot about that. It should also work for multivalue params now.
> Talking of which, there was a small bug. Multivalue params required
> default values to be of the same type as the param itself instead of
> tuple. I fixed it in a separate patch.
>
> Also, I had this idea. We could introduce a new kwarg into Param. Let's
> call it 'auto' (or 'hidden') for now. It would be a combination of
> 'required', 'autofill' and 'default', but the user wouldn't be able to
> see/set it. The point is to automatically generate static or predictable
> attributes like objectClass or dn. For example:
>
> takes_options=(
>     #...
>     Str('objectclass',
>         multivalue=True,
>         attribute=True,
>         auto=(u'top', u'ipaUser'),
>     ),
>     #...
> )
>
> What do you think?
>
> Pavel
>

Interesting idea. We'd need a way to supply a function that will fill in
this value, and I think I'd want the function executed on the server side.

For some object types (user, group) we pull the list of attributes out of
LDAP. This is likely to expand in the future. This way the list of
objectclasses is more easily configurable.

I definitely think this is something to investigate. It will help reduce
the amount of code in the CRUD objects to almost nothing.

ack to both patches. Pushed to master.

rob

From rcritten at redhat.com Mon Feb 23 20:40:36 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 23 Feb 2009 15:40:36 -0500
Subject: [Freeipa-devel] [PATCH] Add missing buildrequires for freeipa
In-Reply-To: <1235411574.31771.50.camel@zeppelin.englab.brq.redhat.com>
References: <1235411574.31771.50.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <49A309C4.3000708@redhat.com>

Jakub Hrozek wrote:
> Noticed this when I installed a new workstation with a fresh package
> list.
>
> Jakub
>

ack. I have some other, similar changes I need to finish up and get
reviewed as well.

pushed to master

From sgallagh at redhat.com Mon Feb 23 20:50:03 2009
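The failure Rob reports in the args_options_2_entry thread above and the allow-list behaviour Jason describes, as an added Python sketch that is not ipalib code and not part of any message in the archive. `Param`, `Command`, the sample `user_add` options, the loop in the broken helper and the sample call are assumptions made for illustration.

```python
# Added illustration; Param, Command and user_add are simplified stand-ins,
# not the ipalib classes.


class Param:
    """A declared parameter; attribute=True marks it as a directory attribute."""

    def __init__(self, name, attribute=False, multivalue=False, default=None):
        self.name = name
        self.attribute = attribute
        self.multivalue = multivalue
        self.default = default


class Command:
    takes_args = ()
    takes_options = ()

    def params(self):
        """All declared Param objects, positional arguments first."""
        return tuple(self.takes_args) + tuple(self.takes_options)

    def args_options_2_params(self, *args, **kw):
        """Merge positional arguments and options into one name -> value dict."""
        merged = dict(kw)
        for param, value in zip(self.takes_args, args):
            merged[param.name] = value
        return merged

    def args_options_2_entry_broken(self, *args, **kw):
        """Assumed shape of the failure: iterating a dict yields key strings."""
        values = self.args_options_2_params(*args, **kw)
        entry = {}
        for p in values:  # p is a str here, not a Param
            if p.attribute and p.name in kw:
                entry[p.name] = kw[p.name]
        return entry

    def args_options_2_entry(self, *args, **kw):
        """Build the entry from declared params only, acting as an allow-list."""
        values = self.args_options_2_params(*args, **kw)
        entry = {}
        for p in self.params():
            if not p.attribute:
                continue  # flags such as 'all' never reach the entry
            if p.name in values:
                value = values[p.name]
            elif p.default is not None:
                value = p.default
            else:
                continue
            if p.multivalue and not isinstance(value, (tuple, list)):
                value = (value,)  # a single value becomes a one-element tuple
            entry[p.name] = tuple(value) if p.multivalue else value
        return entry


class user_add(Command):
    takes_args = (Param('uid', attribute=True),)
    takes_options = (
        Param('givenname', attribute=True),
        Param('mail', attribute=True, multivalue=True),
        Param('objectclass', attribute=True, multivalue=True,
              default=('top', 'ipaUser')),
        Param('all'),  # display flag, not an attribute
    )


def demo():
    """Run both helpers on one constructed call and return their outcomes."""
    cmd = user_add()
    # Constructed sample input: 'all' is a flag, 'userpassword' is undeclared.
    call = dict(givenname='John', mail='jdoe@example.test', all=True,
                userpassword='not-declared')
    try:
        cmd.args_options_2_entry_broken('jdoe', **call)
        broken = 'no error'
    except AttributeError as exc:
        broken = str(exc)
    return broken, cmd.args_options_2_entry('jdoe', **call)


if __name__ == '__main__':
    error, entry = demo()
    print('broken helper:', error)
    print('entry:', entry)
```

Because the working helper walks the declared params rather than the caller's dict, a key the command never declared is dropped instead of being written into the entry.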
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 23 Feb 2009 15:50:03 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Fix serious memory allocation bug Message-ID: <49A30BFB.7090106@redhat.com> Fixing serious memory allocation bug in sbus_message_handler. dbus_message_append_args() adds a reference to memory that is not copied to the outgoing message until dbus_connection_send() is called. Since we compile our reply messages in functions and then return the reply, we need a mechanism for deleting allocated memory after invoking dbus_connection_send. I have changed the arguments to sbus_msg_handler_fn so that it takes a talloc ctx containing the sbus_message_handler_ctx and a pointer to a reply object. We can now allocate memory as a child of the reply context and free it after calling dbus_connection_send. SSSD developers take note of the parameter change for sbus_method handlers. I have migrated all of the existing functions. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Fixing-serious-memory-allocation-bug-in-sbus_message.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From ssorce at redhat.com Mon Feb 23 21:20:45 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 23 Feb 2009 16:20:45 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Fix serious memory allocation bug In-Reply-To: <49A30BFB.7090106@redhat.com> References: <49A30BFB.7090106@redhat.com> Message-ID: <1235424045.3749.6.camel@localhost.localdomain> On Mon, 2009-02-23 at 15:50 -0500, Stephen Gallagher wrote: > > > Fixing serious memory allocation bug in sbus_message_handler. > dbus_message_append_args() adds a reference to memory that is not > copied > to the outgoing message until dbus_connection_send() is called. Since > we > compile our reply messages in functions and then return the reply, we > need a mechanism for deleting allocated memory after invoking > dbus_connection_send. I have changed the arguments to > sbus_msg_handler_fn so that it takes a talloc ctx containing the > sbus_message_handler_ctx and a pointer to a reply object. We can now > allocate memory as a child of the reply context and free it after > calling dbus_connection_send. > > SSSD developers take note of the parameter change for sbus_method > handlers. I have migrated all of the existing functions. ack and pushing -- Simo Sorce * Red Hat, Inc * New York From sgallagh at redhat.com Mon Feb 23 21:58:11 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 23 Feb 2009 16:58:11 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Add D-BUS introspection to InfoPipe Message-ID: <49A31BF3.6040104@redhat.com> This function is necessary to play nice with D-BUS clients built in multiple languages. It will read in the XML file on the first request and store the returned XML as a component of the sbus_message_handler_ctx for the connection. All subsequent requests during the process' lifetime will be returned from the stored memory. This is perfectly safe, as the available methods cannot change during the process lifetime. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Add-D-BUS-introspection-to-InfoPipe.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From pzuna at redhat.com Tue Feb 24 15:49:20 2009 From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 24 Feb 2009 16:49:20 +0100 Subject: [Freeipa-devel] [PATCH] Add unit test for ipalib.frontend.Command.args_options_2_entry Message-ID: <49A41700.4060403@redhat.com> Pavel -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Add-unit-test-for-ipalib.frontend.Command.args_optio.patch URL: From ssorce at redhat.com Tue Feb 24 16:30:23 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 24 Feb 2009 11:30:23 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Add D-BUS introspection to InfoPipe In-Reply-To: <49A31BF3.6040104@redhat.com> References: <49A31BF3.6040104@redhat.com> Message-ID: <1235493023.2768.21.camel@localhost.localdomain> On Mon, 2009-02-23 at 16:58 -0500, Stephen Gallagher wrote: > This function is necessary to play nice with D-BUS clients built in > multiple languages. It will read in the XML file on the first request > and store the returned XML as a component of the > sbus_message_handler_ctx for the connection. All subsequent requests > during the process' lifetime will be returned from the stored memory. > This is perfectly safe, as the available methods cannot change during > the process lifetime. ack and pushed. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Feb 24 16:31:06 2009 
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 24 Feb 2009 11:31:06 -0500
Subject: [Freeipa-devel] [PATCHES] Support for RPM generation in SSSD
In-Reply-To: <1235404952.31771.32.camel@zeppelin.englab.brq.redhat.com>
References: <499426A7.8090708@redhat.com> <4994310B.4050300@redhat.com> <1234450367.2488.34.camel@localhost.localdomain> <49943A42.6000902@redhat.com> <49948DC4.3090402@redhat.com> <1234992710.12447.6.camel@hendrix> <1235004056.4449.50.camel@localhost.localdomain> <499DB8FF.4010309@redhat.com> <1235147682.5059.2.camel@hendrix> <1235404952.31771.32.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <1235493066.2768.22.camel@localhost.localdomain>

On Mon, 2009-02-23 at 17:02 +0100, Jakub Hrozek wrote:
> On Fri, 2009-02-20 at 17:34 +0100, Jakub Hrozek wrote:
> > OK, another revision, hopefully I got everything straightened out:
>
> Patch rebased against master, resolved conflicts with Simo's latest
> changes w.r.t libsysdb packaging.

It seems like this patch does not apply cleanly on current master, I will
fix it and push a fixed one.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Tue Feb 24 16:38:15 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 24 Feb 2009 11:38:15 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Adding support for CheckPermissions to the InfoPipe Message-ID: <49A42277.2000406@redhat.com> CheckPermissions will currently return unrestricted access to the root user, and no access to any other user. Once we decide on an ACL mechanism, this will be easy to change. I have also added very basic tests for the Introspect and CheckPermissions methods. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Adding-support-for-CheckPermissions-to-the-InfoPipe.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From ssorce at redhat.com Tue Feb 24 16:44:55 2009 
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 24 Feb 2009 11:44:55 -0500
Subject: [Freeipa-devel] [PATCHES] Support for RPM generation in SSSD
In-Reply-To: <1235493066.2768.22.camel@localhost.localdomain>
References: <499426A7.8090708@redhat.com> <4994310B.4050300@redhat.com> <1234450367.2488.34.camel@localhost.localdomain> <49943A42.6000902@redhat.com> <49948DC4.3090402@redhat.com> <1234992710.12447.6.camel@hendrix> <1235004056.4449.50.camel@localhost.localdomain> <499DB8FF.4010309@redhat.com> <1235147682.5059.2.camel@hendrix> <1235404952.31771.32.camel@zeppelin.englab.brq.redhat.com> <1235493066.2768.22.camel@localhost.localdomain>
Message-ID: <1235493895.2768.23.camel@localhost.localdomain>

On Tue, 2009-02-24 at 11:31 -0500, Simo Sorce wrote:
> On Mon, 2009-02-23 at 17:02 +0100, Jakub Hrozek wrote:
> > On Fri, 2009-02-20 at 17:34 +0100, Jakub Hrozek wrote:
> > > OK, another revision, hopefully I got everything straightened out:
> >
> > Patch rebased against master, resolved conflicts with Simo's latest
> > changes w.r.t libsysdb packaging.
>
> It seem like this patch does not apply cleanly on current master, I will
> fix it and push a fixed one.

pushed to master with fixes to Makefile.in (there were conflicts with the
other patch from Steve, not your fault).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Feb 24 16:45:54 2009
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 24 Feb 2009 11:45:54 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Adding support for CheckPermissions to the InfoPipe In-Reply-To: <49A42277.2000406@redhat.com> References: <49A42277.2000406@redhat.com> Message-ID: <1235493954.2768.24.camel@localhost.localdomain> On Tue, 2009-02-24 at 11:38 -0500, Stephen Gallagher wrote: > CheckPermissions will currently return unrestricted access to the > root user, and no access to any other user. Once we decide on an > ACL mechanism, this will be easy to change. > I have also added very basic tests for the Introspect and > CheckPermissions methods. This will not apply cleanly on current master Makefile.in, please rebase. Simo. -- Simo Sorce * Red Hat, Inc * New York From sgallagh at redhat.com Tue Feb 24 17:04:47 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 24 Feb 2009 12:04:47 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Adding support for CheckPermissions to the InfoPipe In-Reply-To: <1235493954.2768.24.camel@localhost.localdomain> References: <49A42277.2000406@redhat.com> <1235493954.2768.24.camel@localhost.localdomain> Message-ID: <49A428AF.2060504@redhat.com> Simo Sorce wrote: > On Tue, 2009-02-24 at 11:38 -0500, Stephen Gallagher wrote: >> CheckPermissions will currently return unrestricted access to the >> root user, and no access to any other user. Once we decide on an >> ACL mechanism, this will be easy to change. >> I have also added very basic tests for the Introspect and >> CheckPermissions methods. > > This will not apply cleanly on current master Makefile.in, please > rebase. > > Simo. > > Rebased onto current master. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Adding-support-for-CheckPermissions-to-the-InfoPipe.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From sgallagh at redhat.com Tue Feb 24 17:09:47 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 24 Feb 2009 12:09:47 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Adding support for CheckPermissions to the InfoPipe In-Reply-To: <49A428AF.2060504@redhat.com> References: <49A42277.2000406@redhat.com> <1235493954.2768.24.camel@localhost.localdomain> <49A428AF.2060504@redhat.com> Message-ID: <49A429DB.4080106@redhat.com> Stephen Gallagher wrote: > Simo Sorce wrote: >> On Tue, 2009-02-24 at 11:38 -0500, Stephen Gallagher wrote: >>> CheckPermissions will currently return unrestricted access to the >>> root user, and no access to any other user. Once we decide on an >>> ACL mechanism, this will be easy to change. >>> I have also added very basic tests for the Introspect and >>> CheckPermissions methods. >> This will not apply cleanly on current master Makefile.in, please >> rebase. >> >> Simo. >> >> > > Rebased onto current master. > > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel I noticed a small mistake in 'make testclean'. Corrected. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Adding-support-for-CheckPermissions-to-the-InfoPipe.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From ssorce at redhat.com Tue Feb 24 18:51:12 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 24 Feb 2009 13:51:12 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Adding support for CheckPermissions to the InfoPipe In-Reply-To: <49A429DB.4080106@redhat.com> References: <49A42277.2000406@redhat.com> <1235493954.2768.24.camel@localhost.localdomain> <49A428AF.2060504@redhat.com> <49A429DB.4080106@redhat.com> Message-ID: <1235501472.2768.29.camel@localhost.localdomain> On Tue, 2009-02-24 at 12:09 -0500, Stephen Gallagher wrote: > Stephen Gallagher wrote: > > Simo Sorce wrote: > >> On Tue, 2009-02-24 at 11:38 -0500, Stephen Gallagher wrote: > >>> CheckPermissions will currently return unrestricted access to the > >>> root user, and no access to any other user. Once we decide on an > >>> ACL mechanism, this will be easy to change. > >>> I have also added very basic tests for the Introspect and > >>> CheckPermissions methods. > >> This will not apply cleanly on current master Makefile.in, please > >> rebase. > >> > > Rebased onto current master. > > > I noticed a small mistake in 'make testclean'. Corrected. Pushed -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Tue Feb 24 19:37:52 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 24 Feb 2009 14:37:52 -0500 Subject: [Freeipa-devel] [PATCH] Some automount changes Message-ID: <49A44C90.9080903@redhat.com> I added a bit of documentation to the automount plugin. I also added a new command, tofiles, which will print out what the maps would look like if in flat files. I've only tested some basic maps. If anyone has any complex maps to try out I'm more than happy to try (I've requested some through other channels as well). rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-134-automount.patch Type: application/mbox Size: 7450 bytes Desc: not available URL: From rcritten at redhat.com Tue Feb 24 19:40:00 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 24 Feb 2009 14:40:00 -0500 Subject: [Freeipa-devel] [PATCH] Add unit test for ipalib.frontend.Command.args_options_2_entry In-Reply-To: <49A41700.4060403@redhat.com> References: <49A41700.4060403@redhat.com> Message-ID: <49A44D10.1000300@redhat.com> Pavel Zuna wrote: > Pavel > > ack pushed to master rob From jderose at redhat.com Tue Feb 24 19:59:50 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Tue, 24 Feb 2009 12:59:50 -0700 Subject: [Freeipa-devel] [PATCH] Some automount changes In-Reply-To: <49A44C90.9080903@redhat.com> References: <49A44C90.9080903@redhat.com> Message-ID: <1235505590.8129.0.camel@jgd-dsk> On Tue, 2009-02-24 at 14:37 -0500, Rob Crittenden wrote: > I added a bit of documentation to the automount plugin. > > I also added a new command, tofiles, which will print out what the maps > would look like if in flat files. I've only tested some basic maps. If > anyone has any complex maps to try out I'm more than happy to try (I've > requested some through other channels as well). > > rob ack. From ssorce at redhat.com Tue Feb 24 21:54:41 2009
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 24 Feb 2009 16:54:41 -0500 Subject: [Freeipa-devel] [PATCH] revert and further fixes for memory handling issue Message-ID: <1235512481.2768.31.camel@localhost.localdomain> This patchset reverts a previous commit and uses an alternate method for fixing the memory handling issues that avoids making async calls more problematic than before. Now message handler functions are responsible for sending replies themselves. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Revert-Fixing-serious-memory-allocation-bug-in-sbus.patch Type: text/x-patch Size: 43361 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-Proper-fix-for-memory-handling-problem.patch Type: text/x-patch Size: 48382 bytes Desc: not available URL: From rcritten at redhat.com Tue Feb 24 21:57:32 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 24 Feb 2009 16:57:32 -0500 Subject: [Freeipa-devel] [PATCH] Some automount changes In-Reply-To: <1235505590.8129.0.camel@jgd-dsk> References: <49A44C90.9080903@redhat.com> <1235505590.8129.0.camel@jgd-dsk> Message-ID: <49A46D4C.9090209@redhat.com> Jason Gerard DeRose wrote: > On Tue, 2009-02-24 at 14:37 -0500, Rob Crittenden wrote: >> I added a bit of documentation to the automount plugin. >> >> I also added a new command, tofiles, which will print out what the maps >> would look like if in flat files. I've only tested some basic maps. If >> anyone has any complex maps to try out I'm more than happy to try (I've >> requested some through other channels as well). >> >> rob > > ack. pushed to master From sgallagh at redhat.com Tue Feb 24 22:15:22 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 24 Feb 2009 17:15:22 -0500 Subject: [Freeipa-devel] [PATCH] revert and further fixes for memory handling issue In-Reply-To: <1235512481.2768.31.camel@localhost.localdomain> References: <1235512481.2768.31.camel@localhost.localdomain> Message-ID: <49A4717A.2000606@redhat.com> Simo Sorce wrote: > This patchset reverts a previous commit and uses an alternate method for > fixing the memory handling issues that avoids making async calls more > problematic than before. > > Now message handler functions are responsible for sending replies > themselves. > > Simo. I'm going to ack this patch, because these changes need to be in so we can all keep working. For some reason we're now getting a segfault around talloc_realloc() in infp_check_permissions(), though. It's reproducible when running the infopipe-tests, so it should be easy to track down and fix in a subsequent patch. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sbose at redhat.com Tue Feb 24 22:15:49 2009
From: sbose at redhat.com (Sumit Bose) Date: Tue, 24 Feb 2009 23:15:49 +0100 Subject: [Freeipa-devel] [PATCH] add pam support for sssd Message-ID: <49A47195.2040203@redhat.com> Hi, this patch will add pam support with an LDAP backend to sssd. It is quite huge and moves a couple of files to new directories. There are some rough edges but I think it might be easier to push now and smooth them later. bye, Sumit -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-add-pam-support.patch.gz Type: application/x-gzip Size: 118380 bytes Desc: not available URL: From sgallagh at redhat.com Tue Feb 24 22:23:49 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 24 Feb 2009 17:23:49 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Fix SEGFAULT in CheckPermissions Message-ID: <49A47375.6070906@redhat.com> Forgot to initialize a pointer to NULL before looping on talloc_realloc(). Must have been just a coincidence that it didn't show up before the massive sbus_message_handler patch. This patch applies cleanly atop the sbus_message_handler_patch Simo sent out (and I acked) a few minutes ago. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Fix-SEGFAULT-in-CheckPermissions.patch URL: From ssorce at redhat.com Tue Feb 24 22:25:25 2009
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 24 Feb 2009 17:25:25 -0500 Subject: [Freeipa-devel] [PATCH] revert and further fixes for memory handling issue In-Reply-To: <49A4717A.2000606@redhat.com> References: <1235512481.2768.31.camel@localhost.localdomain> <49A4717A.2000606@redhat.com> Message-ID: <1235514325.2768.32.camel@localhost.localdomain> On Tue, 2009-02-24 at 17:15 -0500, Stephen Gallagher wrote: > I'm going to ack this patch, because these changes need to be in so we > can all keep working. For some reason we're now getting a segfault > around talloc_realloc() in infp_check_permissions(), though. It's > reproducible when running the infopipe-tests, so it should be easy to > track down and fix in a subsequent patch. Thanks, pushed. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Feb 24 23:15:12 2009 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 24 Feb 2009 18:15:12 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Fix SEGFAULT in CheckPermissions In-Reply-To: <49A47375.6070906@redhat.com> References: <49A47375.6070906@redhat.com> Message-ID: <1235517312.2768.33.camel@localhost.localdomain> On Tue, 2009-02-24 at 17:23 -0500, Stephen Gallagher wrote: > > > Forgot to initialize a pointer to NULL before looping on > talloc_realloc(). Must have been just a coincidence that it didn't > show > up before the massive sbus_message_handler patch. > > This patch applies cleanly atop the sbus_message_handler_patch Simo > sent > out (and I acked) a few minutes ago. ack, and pushed. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Wed Feb 25 02:14:14 2009
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 24 Feb 2009 21:14:14 -0500 Subject: [Freeipa-devel] [PATCH 0/1] add pam support for sssd In-Reply-To: <49A47195.2040203@redhat.com> References: <49A47195.2040203@redhat.com> Message-ID: <1235528054.2768.45.camel@localhost.localdomain> On Tue, 2009-02-24 at 23:15 +0100, Sumit Bose wrote: > Hi, > > this patch will add pam support with an LDAP backend to sssd. It is > quite huge and moves a couple of files to new directories. There are > some rough edges but I think it might be easier to push now and smooth > them later. Sumit, I've adapted the patch to the current code in master and split it into 2 parts, the client and the server code. I also fixed some minor issues in the server code wrt allocation, although you still have to add code to free arrays returned by dbus_message_get_args as arrays are allocated. I also fixed a bug in the pam protocol where you were using "int" as the size of a field. I changed it to int32_t, because int can have different sizes while we must keep the same protocol working even on machines that support multiple arch libs running at the same time like x86/x86_64 ppc32/ppc64 etc... (int in this case should not change size IIRC, but it is better to always make sure to use a specific sized type). Patches build and the client server pipe protocol works, but I had no time to test the ldap backend properly as I didn't have an ldap server handy at the moment. Attached the client patch, server patch will follow in the next email. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-Add-PAM-client.patch Type: text/x-patch Size: 290858 bytes Desc: not available URL: From ssorce at redhat.com Wed Feb 25 02:15:14 2009
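The fixed-size field point from Simo's message above, as an added example (not code from the SSSD patches): a length-prefixed item packed and parsed with `int32_t` header fields, including the checks a responder needs on a signed length read from a client. The item layout, the function names and the `long`-based counter-example are assumptions for illustration; `long` is used there because, as the message notes, `int` itself stays 32 bits on the architectures named.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical item layout for illustration (not the SSSD wire format):
 *   int32_t type | int32_t len | len bytes of payload
 * Host byte order is used because both ends run on the same machine. */
#define ITEM_HDR_SIZE (2 * sizeof(int32_t))

/* A header built from ABI-dependent types changes size between a 32-bit and
 * a 64-bit build of the same client library (8 vs 16 bytes on Linux). */
struct abi_dependent_hdr { long type; long len; };
/* Fixed-width fields give the same 8-byte header on every build. */
struct fixed_hdr { int32_t type; int32_t len; };

size_t abi_dependent_hdr_size(void) { return sizeof(struct abi_dependent_hdr); }
size_t fixed_hdr_size(void) { return sizeof(struct fixed_hdr); }

/* Append one item to buf. Returns 0 and sets *written, or -1 if the payload
 * does not fit the buffer or cannot be represented in the int32_t field. */
int pack_item(uint8_t *buf, size_t cap, int32_t type,
              const void *data, size_t len, size_t *written)
{
    int32_t wire_len;

    if (len > (size_t)INT32_MAX) return -1;
    if (cap < ITEM_HDR_SIZE || cap - ITEM_HDR_SIZE < len) return -1;
    wire_len = (int32_t)len;
    memcpy(buf, &type, sizeof(type));
    memcpy(buf + sizeof(type), &wire_len, sizeof(wire_len));
    if (len > 0) memcpy(buf + ITEM_HDR_SIZE, data, len);
    *written = ITEM_HDR_SIZE + len;
    return 0;
}

/* Parse one item from untrusted input of `avail` bytes. The length field is
 * signed, so a negative value must be rejected before it is converted to
 * size_t, and it must never exceed what is actually left in the buffer. */
int unpack_item(const uint8_t *buf, size_t avail, int32_t *type,
                const uint8_t **data, size_t *len, size_t *consumed)
{
    int32_t wire_len;

    if (avail < ITEM_HDR_SIZE) return -1;
    memcpy(type, buf, sizeof(*type));
    memcpy(&wire_len, buf + sizeof(*type), sizeof(wire_len));
    if (wire_len < 0) return -1;
    if ((size_t)wire_len > avail - ITEM_HDR_SIZE) return -1;
    *data = buf + ITEM_HDR_SIZE;
    *len = (size_t)wire_len;
    *consumed = ITEM_HDR_SIZE + *len;
    return 0;
}

int main(void)
{
    uint8_t buf[64];                 /* constructed sample buffer */
    const uint8_t *payload;
    size_t written, consumed, len;
    int32_t type;

    printf("long-based header: %zu bytes, int32_t header: %zu bytes\n",
           abi_dependent_hdr_size(), fixed_hdr_size());
    if (pack_item(buf, sizeof(buf), 1, "alice", 5, &written) != 0) return 1;
    if (unpack_item(buf, written, &type, &payload, &len, &consumed) != 0)
        return 1;
    printf("type=%d len=%zu payload=%.*s\n",
           (int)type, len, (int)len, (const char *)payload);
    return 0;
}
```
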
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 24 Feb 2009 21:15:14 -0500 Subject: [Freeipa-devel] [PATCH 2/2] add pam support for sssd In-Reply-To: <49A47195.2040203@redhat.com> References: <49A47195.2040203@redhat.com> Message-ID: <1235528114.2768.46.camel@localhost.localdomain> Second patch, with the pam responder bits. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Add-PAM-responder.patch Type: text/x-patch Size: 317971 bytes Desc: not available URL: From sbose at redhat.com Wed Feb 25 08:51:34 2009 
From: sbose at redhat.com (Sumit Bose) Date: Wed, 25 Feb 2009 09:51:34 +0100 Subject: [Freeipa-devel] Re: [PATCH 0/1] add pam support for sssd In-Reply-To: <1235528054.2768.45.camel@localhost.localdomain> References: <49A47195.2040203@redhat.com> <1235528054.2768.45.camel@localhost.localdomain> Message-ID: <49A50696.7050903@redhat.com> Simo Sorce wrote: > On Tue, 2009-02-24 at 23:15 +0100, Sumit Bose wrote: >> Hi, >> >> this patch will add pam support with an LDAP backend to sssd. It is >> quite huge and moves a couple of files to new directories. There are >> some rough edges but I think it might be easier to push now and smooth >> them later. > > Sumit, > I've adapted the patch to the current code in master and split it into 2 > parts, the client and the server code. > Thanks. > I also fixed some minor issues in the server code wrt allocation, > although you still have to add code to free arrays returned by > dbus_message_get_args as arrays are allocated. > ok > I also fixed a bug in the pam protocol where you were using "int" as the > size of a field. I changed it to int32_t, because int can have different > sizes while we must keep the same protocol working even on machines that > support multiple arch libs running at the same time like x86/x86_64 > ppc32/ppc64 etc... > > (int in this case should not change size IIRC, but it is better to > always make sure to use a specific sized type). > > Patches build and the client server pipe protocol works, but I had no > time to test the ldap backend properly as I didn't have an ldap server > handy at the moment. > I have applied the patches to the current master (4c6c0f77a505b6b0790cfa8eedd3133abebd4edb) and they work as expected against an LDAP server. From my point of view they can be pushed. bye, Sumit From sgallagh at redhat.com Wed Feb 25 14:17:34 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 25 Feb 2009 09:17:34 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Store the InfoPipe introspection XML for subsequent requests. Message-ID: <49A552FE.3080902@redhat.com> -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Store-the-InfoPipe-introspection-XML-for-subsequent.patch URL: From sgallagh at redhat.com Wed Feb 25 15:06:53 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 25 Feb 2009 10:06:53 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Store the InfoPipe introspection XML for subsequent requests. In-Reply-To: <49A552FE.3080902@redhat.com> References: <49A552FE.3080902@redhat.com> Message-ID: <49A55E8D.7060508@redhat.com> Stephen Gallagher wrote: > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel New patch. Instead of allocating the introspect_xml on the tmp_ctx and then stealing it, it is allocated directly on the infp_ctx. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Store-the-InfoPipe-introspection-XML-for-subsequent.patch URL: From jhrozek at redhat.com Wed Feb 25 15:21:13 2009
From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 25 Feb 2009 16:21:13 +0100 Subject: [Freeipa-devel] [PATCH] top-level Makefile, create libdir/name in server/Makefile.in Message-ID: <1235575273.14900.6.camel@zeppelin.englab.brq.redhat.com> This patch creates the top level Makefile, adds a directory to installdirs target of server/Makefile.in and adjusts the specfile to own the infopipe introspection XML file. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-top-level-Makefile-create-libdir-name-in-server-Mak.patch Type: text/x-patch Size: 2764 bytes Desc: not available URL: From ssorce at redhat.com Wed Feb 25 16:03:32 2009 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 25 Feb 2009 16:03:32 +0000 Subject: [Freeipa-devel] Re: [PATCH 0/1] add pam support for sssd In-Reply-To: <49A50696.7050903@redhat.com> References: <49A47195.2040203@redhat.com> <1235528054.2768.45.camel@localhost.localdomain> <49A50696.7050903@redhat.com> Message-ID: <1235577812.2768.50.camel@localhost.localdomain> On Wed, 2009-02-25 at 09:51 +0100, Sumit Bose wrote: > > I have applied the patches to the current master > (4c6c0f77a505b6b0790cfa8eedd3133abebd4edb) and they work as expected > against a LDAP server. From my point of view they can be pushed. ok pushed please address the memory issues as well. (Ah also please check the coding style guide, from freeipa, sometimes I found some style issues :-) ie: don't:
if ( foo == NULL ) {
but:
if (foo == NULL) {
or:
if (!foo) {
also when you create a function make sure the opening { is on a new line. ie: don't:
void foo(bar) {
but:
void foo(bar)
{
Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Wed Feb 25 16:03:47 2009
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 25 Feb 2009 11:03:47 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Store the InfoPipe introspection XML for subsequent requests. In-Reply-To: <49A55E8D.7060508@redhat.com> References: <49A552FE.3080902@redhat.com> <49A55E8D.7060508@redhat.com> Message-ID: <1235577827.2768.51.camel@localhost.localdomain> On Wed, 2009-02-25 at 10:06 -0500, Stephen Gallagher wrote: > New patch. Instead of allocating the introspect_xml on the tmp_ctx and > then stealing it, it is allocated directly on the infp_ctx. ack and pushed. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Wed Feb 25 16:04:03 2009 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 25 Feb 2009 11:04:03 -0500 Subject: [Freeipa-devel] [PATCH] top-level Makefile, create libdir/name in server/Makefile.in In-Reply-To: <1235575273.14900.6.camel@zeppelin.englab.brq.redhat.com> References: <1235575273.14900.6.camel@zeppelin.englab.brq.redhat.com> Message-ID: <1235577843.2768.52.camel@localhost.localdomain> On Wed, 2009-02-25 at 16:21 +0100, Jakub Hrozek wrote: > This patch creates the top level Makefile, adds a directory to > installdirs target of server/Makefile.in and adjusts the specfile to > own > the infopipe introspection XML file. ack and pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Wed Feb 25 16:41:38 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 25 Feb 2009 11:41:38 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Store the InfoPipe introspection XML for subsequent requests. In-Reply-To: <1235577827.2768.51.camel@localhost.localdomain> References: <49A552FE.3080902@redhat.com> <49A55E8D.7060508@redhat.com> <1235577827.2768.51.camel@localhost.localdomain> Message-ID: <1235580098.2768.53.camel@willson> On Wed, 2009-02-25 at 11:03 -0500, Simo Sorce wrote: > On Wed, 2009-02-25 at 10:06 -0500, Stephen Gallagher wrote: > > New patch. Instead of allocating the introspect_xml on the tmp_ctx and > > then stealing it, it is allocated directly on the infp_ctx. > > ack and pushed. I actually looked back again at the function and think it can be simplified: Patch attached. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Simplify-the-code-to-retrieve-the-introspection-file.patch Type: text/x-patch Size: 4564 bytes Desc: not available URL: From sgallagh at redhat.com Wed Feb 25 16:47:44 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 25 Feb 2009 11:47:44 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Store the InfoPipe introspection XML for subsequent requests. In-Reply-To: <1235580098.2768.53.camel@willson> References: <49A552FE.3080902@redhat.com> <49A55E8D.7060508@redhat.com> <1235577827.2768.51.camel@localhost.localdomain> <1235580098.2768.53.camel@willson> Message-ID: <49A57630.4080307@redhat.com> Simo Sorce wrote: > On Wed, 2009-02-25 at 11:03 -0500, Simo Sorce wrote: >> On Wed, 2009-02-25 at 10:06 -0500, Stephen Gallagher wrote: >>> New patch. Instead of allocating the introspect_xml on the tmp_ctx and >>> then stealing it, it is allocated directly on the infp_ctx. >> ack and pushed. > > I actually looked back again at the function and think it can be > simplified: > > Patch attached. > > Simo. > > ack -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Wed Feb 25 17:50:49 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 25 Feb 2009 12:50:49 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Adding InfoPipe entry to config.ldif example Message-ID: <49A584F9.4060903@redhat.com> $SUBJECT says it all. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Adding-InfoPipe-entry-to-config.ldif-example.patch URL: From ssorce at redhat.com Wed Feb 25 18:02:28 2009 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 25 Feb 2009 13:02:28 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Adding InfoPipe entry to config.ldif example In-Reply-To: <49A584F9.4060903@redhat.com> References: <49A584F9.4060903@redhat.com> Message-ID: <1235584948.6097.1.camel@localhost.localdomain> On Wed, 2009-02-25 at 12:50 -0500, Stephen Gallagher wrote: > $SUBJECT says it all. Why is the daemon called sssd_info and the entry infp ? I'd expect 'info' there as well ? Simo. -- Simo Sorce * Red Hat, Inc * New York From sgallagh at redhat.com Wed Feb 25 18:21:57 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 25 Feb 2009 13:21:57 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Adding InfoPipe entry to config.ldif example In-Reply-To: <1235584948.6097.1.camel@localhost.localdomain> References: <49A584F9.4060903@redhat.com> <1235584948.6097.1.camel@localhost.localdomain> Message-ID: <49A58C45.8000804@redhat.com> Simo Sorce wrote: > On Wed, 2009-02-25 at 12:50 -0500, Stephen Gallagher wrote: >> $SUBJECT says it all. > > Why is the daemon called sssd_info and the entry infp ? > I'd expect 'info' there as well ? > > Simo. > I don't remember the original reasoning, so I've changed it. See new patch. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Adding-InfoPipe-entry-to-config.ldif-example.patch URL: From rcritten at redhat.com Wed Feb 25 18:53:06 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 25 Feb 2009 13:53:06 -0500 Subject: [Freeipa-devel] [PATCH] some work on netgroups Message-ID: <49A59392.9090704@redhat.com> The dn of a netgroup contains an ipaUniqueId value. This guarantees that every netgroup entry will be unique but it doesn't enforce that the cn of that group is unique. Add in a uniqueness plugin configuration to guarantee that. Add an option to allow netgroups to be members of netgroups When adding an entry, convert a constraint violation of "already exists" into a DuplicateEntry exception so the user gets a useful response. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-135-netgroup.patch Type: application/mbox Size: 6996 bytes Desc: not available URL: From sbose at redhat.com Wed Feb 25 19:07:32 2009
From: sbose at redhat.com (Sumit Bose) Date: Wed, 25 Feb 2009 20:07:32 +0100 Subject: [Freeipa-devel] [PATCH] added more ldap backend options and an example configuration Message-ID: <49A596F4.4060504@redhat.com> Hi, here is my config.ldif patch plus some addition to the LDAP backend. bye, Sumit -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-added-more-ldap-backend-options-and-an-example-confi.patch URL: From ssorce at redhat.com Wed Feb 25 21:13:29 2009 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 25 Feb 2009 16:13:29 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Adding InfoPipe entry to config.ldif example In-Reply-To: <49A58C45.8000804@redhat.com> References: <49A584F9.4060903@redhat.com> <1235584948.6097.1.camel@localhost.localdomain> <49A58C45.8000804@redhat.com> Message-ID: <1235596409.6097.3.camel@localhost.localdomain> On Wed, 2009-02-25 at 13:21 -0500, Stephen Gallagher wrote: > Simo Sorce wrote: > > On Wed, 2009-02-25 at 12:50 -0500, Stephen Gallagher wrote: > >> $SUBJECT says it all. > > > > Why is the daemon called sssd_info and the entry infp ? > > I'd expect 'info' there as well ? > > > > Simo. > > > > I don't remember the original reasoning, so I've changed it. See new > patch. > pushed but removed distinguishedname as that is an attribute autogenerated by ldb -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Wed Feb 25 22:34:59 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 25 Feb 2009 17:34:59 -0500 Subject: [Freeipa-devel] [PATCH] REmove private copies of samba libraries Message-ID: <1235601299.6097.14.camel@localhost.localdomain> Initially we decided to copy samba libraries as they were not released and we need to make small changes before they were committed upstream. Now these libraries are being submitted as packages in Debian and Fedora, so we do not need anymore to carry them over. For Fedora people I also created a trimmed temporary package set that should be installable on Fedora 9 and later: http://simo.fedorapeople.org/samba-base/ (there is a conflict between the ldb-tools package and samba-common on F9 and F10 but a --force is enough to install it :-P) The first patch attached here deals with the rename that happened upstream events->tevent and updates the code to deal with it. It also adjusts some headers that were relying on replace.h The second patch (not attached because it is 2MB in size) just removes /tevent, /talloc, /tdb, /ldb It still does not remove /replace because we use a lot of autoconf macros from there, but the code is not used otherwise. This patch touches a lot of code so you will probably have to rebase any other patch on top of it once committed. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Rebase-the-code-to-use-talloc-tdb-tevent-ldb-as-e.patch Type: text/x-patch Size: 65931 bytes Desc: not available URL: From sgallagh at redhat.com Thu Feb 26 11:58:56 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 26 Feb 2009 06:58:56 -0500 Subject: [Freeipa-devel] [PATCH] REmove private copies of samba libraries In-Reply-To: <1235601299.6097.14.camel@localhost.localdomain> References: <1235601299.6097.14.camel@localhost.localdomain> Message-ID: <49A68400.10309@redhat.com> Simo Sorce wrote: > Initially we decided to copy samba libraries as they were not released > and we need to make small changes before they were committed upstream. > > Now these libraries are being submitted as packages in Debian and > Fedora, so we do not need anymore to carry them over. > > For Fedora people I also created a trimmed temporary package set that > should be installable on Fedora 9 and later: > http://simo.fedorapeople.org/samba-base/ > > (there is a conflict between the ldb-tools package and samba-common on > F9 and F10 but a --force is enough to install it :-P) > > The first patch attached here deals with the rename that happened upstream > events->tevent and updates the code to deal with it. > It also adjusts some headers that were relying on replace.h > > The second patch (not attached because it is 2MB in size) just > removes /tevent, /talloc, /tdb, /ldb > It still does not remove /replace because we use a lot of autoconf > macros from there, but the code is not used otherwise. > > This patch touches a lot of code so you will probably have to rebase any > other patch on top of it once committed. > > Simo. ack -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sbose at redhat.com Thu Feb 26 12:04:21 2009 From: sbose at redhat.com (Sumit Bose) Date: Thu, 26 Feb 2009 13:04:21 +0100 Subject: [Freeipa-devel] [PATCH] make ldb modules dir configurable Message-ID: <49A68545.4070708@redhat.com> Hi, I have found this patch useful, at least for testing and debugging. So far ldb searches for modules only in one directory. Would it make sense to extend this to a searchpath? If yes, I can write a patch. Simo? bye, Sumit -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-make-ldb-modules-dir-configurable.patch URL: From ssorce at redhat.com Thu Feb 26 13:33:01 2009 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 26 Feb 2009 08:33:01 -0500 Subject: [Freeipa-devel] [PATCH] make ldb modules dir configurable In-Reply-To: <49A68545.4070708@redhat.com> References: <49A68545.4070708@redhat.com> Message-ID: <1235655181.6097.21.camel@localhost.localdomain> On Thu, 2009-02-26 at 13:04 +0100, Sumit Bose wrote: > Hi, > > I have found this patch useful, at least for testing and debugging. > > So far ldb searches for modules only in one directory. Would it make > sense to extend this to a searchpath? If yes, I can write a patch. > Simo? I need to check if that *Adds* a search path or changes it. If it adds, then we could pass in an sssd specific path so that memberof.so can be stored in /usr/lib/sssd Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Feb 26 14:18:14 2009
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 26 Feb 2009 09:18:14 -0500 Subject: [Freeipa-devel] [PATCH] REmove private copies of samba libraries In-Reply-To: <49A68400.10309@redhat.com> References: <1235601299.6097.14.camel@localhost.localdomain> <49A68400.10309@redhat.com> Message-ID: <1235657894.6097.22.camel@localhost.localdomain> On Thu, 2009-02-26 at 06:58 -0500, Stephen Gallagher wrote: > > ack > pushed -- Simo Sorce * Red Hat, Inc * New York From jderose at redhat.com Thu Feb 26 19:49:07 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Thu, 26 Feb 2009 12:49:07 -0700 Subject: [Freeipa-devel] [PATCH] Add ipalib.frontend.Command method to build an entry from params with attribute=True. In-Reply-To: <499EAB00.5050004@redhat.com> References: <499EAB00.5050004@redhat.com> Message-ID: <1235677747.9048.0.camel@jgd-dsk> Pavel, I get this patch to apply against master. Can you rebase your tree and send a single patch? On Fri, 2009-02-20 at 14:07 +0100, Pavel Zuna wrote: > Add ipalib.frontend.Command method to build an entry from params with > attribute=True > Modify crud Method base classes to yield params cloned with attribute=True. > > Often plugins need to build entries from params. This should make things > a bit easier. From jderose at redhat.com Thu Feb 26 19:56:18 2009
From: jderose at redhat.com (Jason Gerard DeRose) Date: Thu, 26 Feb 2009 12:56:18 -0700 Subject: [Freeipa-devel] [PATCH] Add ipalib.frontend.Command method to build an entry from params with attribute=True. In-Reply-To: <1235677747.9048.0.camel@jgd-dsk> References: <499EAB00.5050004@redhat.com> <1235677747.9048.0.camel@jgd-dsk> Message-ID: <1235678178.9048.1.camel@jgd-dsk> Oops, that was supposed to be, "I *can't* get this patch to apply against master". On Thu, 2009-02-26 at 12:49 -0700, Jason Gerard DeRose wrote: > Pavel, I get this patch to apply against master. Can you rebase your > tree and send a single patch? > > On Fri, 2009-02-20 at 14:07 +0100, Pavel Zuna wrote: > > Add ipalib.frontend.Command method to build an entry from params with > > attribute=True > > Modify crud Method base classes to yield params cloned with attribute=True. > > > > Often plugins need to build entries from params. This should make things > > a bit easier. From jderose at redhat.com Thu Feb 26 20:13:36 2009
From: jderose at redhat.com (Jason Gerard DeRose) Date: Thu, 26 Feb 2009 13:13:36 -0700 Subject: [Freeipa-devel] [PATCH] some work on netgroups In-Reply-To: <49A59392.9090704@redhat.com> References: <49A59392.9090704@redhat.com> Message-ID: <1235679216.9048.2.camel@jgd-dsk> On Wed, 2009-02-25 at 13:53 -0500, Rob Crittenden wrote: > The dn of a netgroup contains an ipaUniqueId value. This guarantees that > every netgroup entry will be unique but it doesn't enforce that the cn > of that group is unique. Add in a uniqueness plugin configuration to > guarantee that. > > Add an option to allow netgroups to be members of netgroups > > When adding an entry, convert a constraint violation of "already exists" > into a DuplicateEntry exception so the user gets a useful response. > > rob ack. From jderose at redhat.com Thu Feb 26 22:49:04 2009 
From: jderose at redhat.com (Jason Gerard DeRose) Date: Thu, 26 Feb 2009 15:49:04 -0700 Subject: [Freeipa-devel] [PATCH] Fixed broken autfill logic in cli.prompt_interactively() Message-ID: <1235688544.9048.13.camel@jgd-dsk> Rob found a bug in cli.prompt_interactively(): although the autofill values got filled-in in Command.__call__(), meaning everyone was happy in Command.execute(), the autofill values were not present in the args and options passed to Command.output_for_cli(). This patch fixes this. -------------- next part -------------- A non-text attachment was scrubbed... Name: Fixed-broken-autfill-logic-in-cli.prompt_interactive.patch Type: text/x-patch Size: 2808 bytes Desc: not available URL: From ssorce at redhat.com Fri Feb 27 00:18:24 2009 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 26 Feb 2009 19:18:24 -0500 Subject: [Freeipa-devel] [PATCH] Serialize access to sysdb Message-ID: <1235693905-16958-1-git-send-email-ssorce@redhat.com> This patch avoids problems with transactions by serializing access to the db. Note that it is necessary to serialize only within the same process, multiple processes do not interfere with each other. From ssorce at redhat.com Fri Feb 27 00:18:25 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 26 Feb 2009 19:18:25 -0500 Subject: [Freeipa-devel] [PATCH] Serialize access to sysdb and also exposes ldb transactions. In-Reply-To: <1235693905-16958-1-git-send-email-ssorce@redhat.com> References: <1235693905-16958-1-git-send-email-ssorce@redhat.com> Message-ID: <1235693905-16958-2-git-send-email-ssorce@redhat.com> --- server/db/sysdb.c | 745 +------------------------------------ server/db/sysdb.h | 14 +- server/db/sysdb_internal.h | 70 ---- server/db/sysdb_private.h | 95 +++++ server/db/sysdb_req.c | 241 ++++++++++++ server/db/sysdb_search.c | 731 ++++++++++++++++++++++++++++++++++++ server/db/sysdb_sync.c | 2 +- server/responder/nss/nsssrv.c | 10 +- server/responder/nss/nsssrv_cmd.c | 73 +++-- server/server.mk | 2 + 10 files changed, 1133 insertions(+), 850 deletions(-) delete mode 100644 server/db/sysdb_internal.h create mode 100644 server/db/sysdb_private.h create mode 100644 server/db/sysdb_req.c create mode 100644 server/db/sysdb_search.c diff --git a/server/db/sysdb.c b/server/db/sysdb.c index ddd7fbe..1c91f12 100644 --- a/server/db/sysdb.c +++ b/server/db/sysdb.c 
@@ -20,743 +20,13 @@ */ #include "util/util.h" -#include "db/sysdb.h" -#include "db/sysdb_internal.h" +#include "db/sysdb_private.h" #include "confdb/confdb.h" #include -struct sysdb_search_ctx { - struct sysdb_ctx *dbctx; - const char *domain; - bool legacy; - sysdb_callback_t callback; - void *ptr; - struct ldb_result *res; -}; - -static int sysdb_error_to_errno(int lerr) -{ - /* fake it up for now, requires a mapping table */ - return EIO; -} - -static void request_error(struct sysdb_search_ctx *sctx, int ldb_error) -{ - sctx->callback(sctx->ptr, sysdb_error_to_errno(ldb_error), sctx->res); -} - -static void request_done(struct sysdb_search_ctx *sctx) -{ - sctx->callback(sctx->ptr, EOK, sctx->res); -} - -static int get_gen_callback(struct ldb_request *req, - struct ldb_reply *ares) -{ - struct sysdb_search_ctx *sctx; - struct ldb_result *res; - int n; - - sctx = talloc_get_type(req->context, struct sysdb_search_ctx); - res = sctx->res; - - if (!ares) { - request_error(sctx, LDB_ERR_OPERATIONS_ERROR); - return LDB_ERR_OPERATIONS_ERROR; - } - if (ares->error != LDB_SUCCESS) { - request_error(sctx, ares->error); - return ares->error; - } - - switch (ares->type) { - case LDB_REPLY_ENTRY: - res->msgs = talloc_realloc(res, res->msgs, - struct ldb_message *, - res->count + 2); - if (!res->msgs) { - request_error(sctx, LDB_ERR_OPERATIONS_ERROR); - return LDB_ERR_OPERATIONS_ERROR; - } - - res->msgs[res->count + 1] = NULL; - - res->msgs[res->count] = talloc_steal(res->msgs, ares->message); - res->count++; - break; - - case LDB_REPLY_REFERRAL: - if (res->refs) { - for (n = 0; res->refs[n]; n++) /*noop*/ ; - } else { - n = 0; - } - - res->refs = talloc_realloc(res, res->refs, char *, n + 2); - if (! 
res->refs) { - request_error(sctx, LDB_ERR_OPERATIONS_ERROR); - return LDB_ERR_OPERATIONS_ERROR; - } - - res->refs[n] = talloc_steal(res->refs, ares->referral); - res->refs[n + 1] = NULL; - break; - - case LDB_REPLY_DONE: - res->controls = talloc_steal(res, ares->controls); - - /* this is the last message, and means the request is done */ - request_done(sctx); - return LDB_SUCCESS; - } - - talloc_free(ares); - return LDB_SUCCESS; -} - -static struct sysdb_search_ctx *init_src_ctx(TALLOC_CTX *mem_ctx, - const char *domain, - bool legacy, - struct sysdb_ctx *ctx, - sysdb_callback_t fn, - void *ptr) -{ - struct sysdb_search_ctx *sctx; - - sctx = talloc(mem_ctx, struct sysdb_search_ctx); - if (!sctx) { - return NULL; - } - sctx->dbctx = ctx; - sctx->callback = fn; - sctx->ptr = ptr; - sctx->res = talloc_zero(sctx, struct ldb_result); - if (!sctx->res) { - talloc_free(sctx); - return NULL; - } - sctx->domain = talloc_strdup(sctx, domain); - if (!sctx->domain) { - talloc_free(sctx); - return NULL; - } - sctx->legacy = legacy; - - return sctx; -} - -/* users */ - -static int pwd_search(struct sysdb_search_ctx *sctx, - struct sysdb_ctx *ctx, - const char *expression) -{ - static const char *attrs[] = SYSDB_PW_ATTRS; - struct ldb_request *req; - struct ldb_dn *base_dn; - int ret; - - base_dn = ldb_dn_new_fmt(sctx, ctx->ldb, - SYSDB_TMPL_USER_BASE, sctx->domain); - if (!base_dn) { - return ENOMEM; - } - - ret = ldb_build_search_req(&req, ctx->ldb, sctx, - base_dn, LDB_SCOPE_SUBTREE, - expression, attrs, NULL, - sctx, get_gen_callback, - NULL); - if (ret != LDB_SUCCESS) { - return sysdb_error_to_errno(ret); - } - - ret = ldb_request(ctx->ldb, req); - if (ret != LDB_SUCCESS) { - return sysdb_error_to_errno(ret); - } - - return EOK; -} - -int sysdb_getpwnam(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct sysdb_ctx *ctx, - const char *domain, - const char *name, - bool legacy, - sysdb_callback_t fn, void *ptr) -{ - struct sysdb_search_ctx *sctx; - char *expression; - 
- if (!domain) { - return EINVAL; - } - - sctx = init_src_ctx(mem_ctx, domain, legacy, ctx, fn, ptr); - if (!sctx) { - return ENOMEM; - } - - expression = talloc_asprintf(sctx, SYSDB_PWNAM_FILTER, name); - if (!expression) { - talloc_free(sctx); - return ENOMEM; - } - - return pwd_search(sctx, ctx, expression); -} - -int sysdb_getpwuid(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct sysdb_ctx *ctx, - const char *domain, - uid_t uid, - bool legacy, - sysdb_callback_t fn, void *ptr) -{ - struct sysdb_search_ctx *sctx; - unsigned long int filter_uid = uid; - char *expression; - - if (!domain) { - return EINVAL; - } - - sctx = init_src_ctx(mem_ctx, domain, legacy, ctx, fn, ptr); - if (!sctx) { - return ENOMEM; - } - - expression = talloc_asprintf(sctx, SYSDB_PWUID_FILTER, filter_uid); - if (!expression) { - talloc_free(sctx); - return ENOMEM; - } - - return pwd_search(sctx, ctx, expression); -} - -int sysdb_enumpwent(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct sysdb_ctx *ctx, - const char *domain, - bool legacy, - sysdb_callback_t fn, void *ptr) -{ - struct sysdb_search_ctx *sctx; - - if (!domain) { - return EINVAL; - } - - sctx = init_src_ctx(mem_ctx, domain, legacy, ctx, fn, ptr); - if (!sctx) { - return ENOMEM; - } - - return pwd_search(sctx, ctx, SYSDB_PWENT_FILTER); -} - -/* groups */ - -struct get_mem_ctx { - struct sysdb_search_ctx *ret_sctx; - struct ldb_message **grps; - int num_grps; -}; - -static void get_members(void *ptr, int status, struct ldb_result *res) -{ - struct sysdb_ctx *ctx; - struct sysdb_search_ctx *sctx; - struct get_mem_ctx *gmctx; - struct sysdb_search_ctx *mem_sctx; - struct ldb_request *req; - struct ldb_message *msg; - struct ldb_result *ret_res; - struct ldb_dn *dn; - static const char *attrs[] = SYSDB_GRPW_ATTRS; - const char *expression; - int ret, i; - - sctx = talloc_get_type(ptr, struct sysdb_search_ctx); - gmctx = talloc_get_type(sctx->ptr, struct get_mem_ctx); - ctx = sctx->dbctx; - - if (status != 
LDB_SUCCESS) { - return request_error(gmctx->ret_sctx, status); - } - - ret_res = gmctx->ret_sctx->res; - - /* append previous search results to final (if any) */ - if (res && res->count != 0) { - ret_res->msgs = talloc_realloc(ret_res, ret_res->msgs, - struct ldb_message *, - ret_res->count + res->count + 1); - for(i = 0; i < res->count; i++) { - ret_res->msgs[ret_res->count] = talloc_steal(ret_res, res->msgs[i]); - ret_res->count++; - } - ret_res->msgs[ret_res->count] = NULL; - } - - if (gmctx->grps[0] == NULL) { - return request_done(gmctx->ret_sctx); - } - - mem_sctx = init_src_ctx(gmctx, sctx->domain, sctx->legacy, - ctx, get_members, sctx); - if (!mem_sctx) { - return request_error(gmctx->ret_sctx, LDB_ERR_OPERATIONS_ERROR); - } - - /* fetch next group to search for members */ - gmctx->num_grps--; - msg = gmctx->grps[gmctx->num_grps]; - gmctx->grps[gmctx->num_grps] = NULL; - - /* queue the group entry on the final result structure */ - ret_res->msgs = talloc_realloc(ret_res, ret_res->msgs, - struct ldb_message *, - ret_res->count + 2); - if (!ret_res->msgs) { - return request_error(gmctx->ret_sctx, LDB_ERR_OPERATIONS_ERROR); - } - ret_res->msgs[ret_res->count + 1] = NULL; - ret_res->msgs[ret_res->count] = talloc_steal(ret_res->msgs, msg); - ret_res->count++; - - /* search for this group members */ - expression = talloc_asprintf(mem_sctx, SYSDB_GRNA2_FILTER, - ldb_dn_get_linearized(msg->dn)); - if (!expression) { - return request_error(gmctx->ret_sctx, LDB_ERR_OPERATIONS_ERROR); - } - - dn = ldb_dn_new_fmt(mem_sctx, ctx->ldb, - SYSDB_TMPL_USER_BASE, sctx->domain); - if (!dn) { - return request_error(gmctx->ret_sctx, LDB_ERR_OPERATIONS_ERROR); - } - - ret = ldb_build_search_req(&req, ctx->ldb, mem_sctx, - dn, LDB_SCOPE_SUBTREE, - expression, attrs, NULL, - mem_sctx, get_gen_callback, - NULL); - if (ret != LDB_SUCCESS) { - return request_error(gmctx->ret_sctx, ret); - } - - ret = ldb_request(ctx->ldb, req); - if (ret != LDB_SUCCESS) { - return 
request_error(gmctx->ret_sctx, ret); - } -} - -static int get_grp_callback(struct ldb_request *req, - struct ldb_reply *ares) -{ - struct sysdb_search_ctx *sctx; - struct sysdb_ctx *ctx; - struct ldb_result *res; - int n; - - sctx = talloc_get_type(req->context, struct sysdb_search_ctx); - ctx = sctx->dbctx; - res = sctx->res; - - if (!ares) { - request_error(sctx, LDB_ERR_OPERATIONS_ERROR); - return LDB_ERR_OPERATIONS_ERROR; - } - if (ares->error != LDB_SUCCESS) { - request_error(sctx, ares->error); - return ares->error; - } - - switch (ares->type) { - case LDB_REPLY_ENTRY: - res->msgs = talloc_realloc(res, res->msgs, - struct ldb_message *, - res->count + 2); - if (!res->msgs) { - request_error(sctx, LDB_ERR_OPERATIONS_ERROR); - return LDB_ERR_OPERATIONS_ERROR; - } - - res->msgs[res->count + 1] = NULL; - - res->msgs[res->count] = talloc_steal(res->msgs, ares->message); - res->count++; - break; - - case LDB_REPLY_REFERRAL: - if (res->refs) { - for (n = 0; res->refs[n]; n++) /*noop*/ ; - } else { - n = 0; - } - - res->refs = talloc_realloc(res, res->refs, char *, n + 2); - if (! 
res->refs) { - request_error(sctx, LDB_ERR_OPERATIONS_ERROR); - return LDB_ERR_OPERATIONS_ERROR; - } - - res->refs[n] = talloc_steal(res->refs, ares->referral); - res->refs[n + 1] = NULL; - break; - - case LDB_REPLY_DONE: - res->controls = talloc_steal(res, ares->controls); - - /* no results, return */ - if (res->count == 0) { - request_done(sctx); - return LDB_SUCCESS; - } - if (res->count > 0) { - struct get_mem_ctx *gmctx; - - gmctx = talloc_zero(req, struct get_mem_ctx); - if (!gmctx) { - request_error(sctx, LDB_ERR_OPERATIONS_ERROR); - return LDB_ERR_OPERATIONS_ERROR; - } - gmctx->ret_sctx = sctx; - gmctx->grps = talloc_steal(gmctx, res->msgs); - gmctx->num_grps = res->count; - res->msgs = NULL; - res->count = 0; - - /* re-use sctx to create a fake handler for the first call to - * get_members() */ - sctx = init_src_ctx(gmctx, - sctx->domain, sctx->legacy, - ctx, get_members, gmctx); - - get_members(sctx, LDB_SUCCESS, NULL); - return LDB_SUCCESS; - } - - /* anything else is an error */ - request_error(sctx, LDB_ERR_OPERATIONS_ERROR); - return LDB_ERR_OPERATIONS_ERROR; - } - - talloc_free(ares); - return LDB_SUCCESS; -} - -static int grp_search(struct sysdb_search_ctx *sctx, - struct sysdb_ctx *ctx, - const char *expression) -{ - ldb_request_callback_t callback; - static const char *attrs[] = SYSDB_GRNAM_ATTRS; - struct ldb_request *req; - struct ldb_dn *base_dn; - int ret; - - if (sctx->legacy) { - callback = get_gen_callback; - } else { - callback = get_grp_callback; - } - - base_dn = ldb_dn_new_fmt(sctx, ctx->ldb, - SYSDB_TMPL_GROUP_BASE, sctx->domain); - if (!base_dn) { - return ENOMEM; - } - - ret = ldb_build_search_req(&req, ctx->ldb, sctx, - base_dn, LDB_SCOPE_SUBTREE, - expression, attrs, NULL, - sctx, callback, - NULL); - if (ret != LDB_SUCCESS) { - return sysdb_error_to_errno(ret); - } - - ret = ldb_request(ctx->ldb, req); - if (ret != LDB_SUCCESS) { - return sysdb_error_to_errno(ret); - } - - return EOK; -} - -int sysdb_getgrnam(TALLOC_CTX *mem_ctx, 
- struct tevent_context *ev, - struct sysdb_ctx *ctx, - const char *domain, - const char *name, - bool legacy, - sysdb_callback_t fn, void *ptr) -{ - struct sysdb_search_ctx *sctx; - char *expression; - - if (!domain) { - return EINVAL; - } - - sctx = init_src_ctx(mem_ctx, domain, legacy, ctx, fn, ptr); - if (!sctx) { - return ENOMEM; - } - - expression = talloc_asprintf(sctx, SYSDB_GRNAM_FILTER, name); - if (!expression) { - talloc_free(sctx); - return ENOMEM; - } - - return grp_search(sctx, ctx, expression); -} - -int sysdb_getgrgid(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct sysdb_ctx *ctx, - const char *domain, - gid_t gid, - bool legacy, - sysdb_callback_t fn, void *ptr) -{ - struct sysdb_search_ctx *sctx; - unsigned long int filter_gid = gid; - char *expression; - - if (!domain) { - return EINVAL; - } - - sctx = init_src_ctx(mem_ctx, domain, legacy, ctx, fn, ptr); - if (!sctx) { - return ENOMEM; - } - - expression = talloc_asprintf(sctx, SYSDB_GRGID_FILTER, filter_gid); - if (!expression) { - talloc_free(sctx); - return ENOMEM; - } - - return grp_search(sctx, ctx, expression); -} - -int sysdb_enumgrent(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct sysdb_ctx *ctx, - const char *domain, - bool legacy, - sysdb_callback_t fn, void *ptr) -{ - struct sysdb_search_ctx *sctx; - - if (!domain) { - return EINVAL; - } - - sctx = init_src_ctx(mem_ctx, domain, legacy, ctx, fn, ptr); - if (!sctx) { - return ENOMEM; - } - - return grp_search(sctx, ctx, SYSDB_GRENT_FILTER); -} - -static void sysdb_initgr_legacy(void *ptr, int status, - struct ldb_result *res) -{ - struct sysdb_ctx *ctx; - struct sysdb_search_ctx *sctx; - char *expression; - struct ldb_request *req; - struct ldb_dn *base_dn; - static const char *attrs[] = SYSDB_INITGR_ATTRS; - const char *userid; - int ret; - - sctx = talloc_get_type(ptr, struct sysdb_search_ctx); - ctx = sctx->dbctx; - - if (res->count == 0) { - return request_done(sctx); - } - if (res->count > 1) { - return 
request_error(sctx, LDB_ERR_OPERATIONS_ERROR); - } - - userid = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_PW_NAME, NULL); - if (!userid) { - return request_error(sctx, LDB_ERR_OPERATIONS_ERROR); - } - - expression = talloc_asprintf(sctx, SYSDB_INITGR_LEGACY_FILTER, userid); - if (!expression) { - return request_error(sctx, LDB_ERR_OPERATIONS_ERROR); - } - - base_dn = ldb_dn_new_fmt(sctx, ctx->ldb, - SYSDB_TMPL_GROUP_BASE, sctx->domain); - if (!base_dn) { - return request_error(sctx, LDB_ERR_OPERATIONS_ERROR); - } - - ret = ldb_build_search_req(&req, ctx->ldb, sctx, - base_dn, LDB_SCOPE_SUBTREE, - expression, attrs, NULL, - sctx, get_gen_callback, - NULL); - if (ret != LDB_SUCCESS) { - return request_error(sctx, ret); - } - - ret = ldb_request(ctx->ldb, req); - if (ret != LDB_SUCCESS) { - return request_error(sctx, ret); - } -} - -static void sysdb_initgr_search(void *ptr, int status, - struct ldb_result *res) -{ - struct sysdb_ctx *ctx; - struct sysdb_search_ctx *sctx; - char *expression; - struct ldb_request *req; - struct ldb_control **ctrl; - struct ldb_asq_control *control; - static const char *attrs[] = SYSDB_INITGR_ATTRS; - int ret; - - sctx = talloc_get_type(ptr, struct sysdb_search_ctx); - ctx = sctx->dbctx; - - if (res->count == 0) { - return request_done(sctx); - } - if (res->count > 1) { - return request_error(sctx, LDB_ERR_OPERATIONS_ERROR); - } - - expression = talloc_asprintf(sctx, SYSDB_INITGR_FILTER); - if (!expression) { - return request_error(sctx, LDB_ERR_OPERATIONS_ERROR); - } - - ctrl = talloc_array(sctx, struct ldb_control *, 2); - if (!ctrl) { - return request_error(sctx, LDB_ERR_OPERATIONS_ERROR); - } - ctrl[1] = NULL; - ctrl[0] = talloc(ctrl, struct ldb_control); - if (!ctrl[0]) { - return request_error(sctx, LDB_ERR_OPERATIONS_ERROR); - } - ctrl[0]->oid = LDB_CONTROL_ASQ_OID; - ctrl[0]->critical = 1; - control = talloc(ctrl[0], struct ldb_asq_control); - if (!control) { - return request_error(sctx, LDB_ERR_OPERATIONS_ERROR); - } - 
control->request = 1; - control->source_attribute = talloc_strdup(control, SYSDB_INITGR_ATTR); - if (!control->source_attribute) { - return request_error(sctx, LDB_ERR_OPERATIONS_ERROR); - } - control->src_attr_len = strlen(control->source_attribute); - ctrl[0]->data = control; - - ret = ldb_build_search_req(&req, ctx->ldb, sctx, - res->msgs[0]->dn, - LDB_SCOPE_BASE, - expression, attrs, ctrl, - sctx, get_gen_callback, - NULL); - if (ret != LDB_SUCCESS) { - return request_error(sctx, ret); - } - - ret = ldb_request(ctx->ldb, req); - if (ret != LDB_SUCCESS) { - return request_error(sctx, ret); - } -} - -int sysdb_initgroups(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct sysdb_ctx *ctx, - const char *domain, - const char *name, - bool legacy, - sysdb_callback_t fn, void *ptr) -{ - sysdb_callback_t second_callback; - static const char *attrs[] = SYSDB_PW_ATTRS; - struct sysdb_search_ctx *ret_sctx; - struct sysdb_search_ctx *sctx; - char *expression; - struct ldb_request *req; - struct ldb_dn *base_dn; - int ret; - - if (!domain) { - return EINVAL; - } - - ret_sctx = init_src_ctx(mem_ctx, domain, legacy, ctx, fn, ptr); - if (!ret_sctx) { - return ENOMEM; - } - - if (legacy) { - second_callback = sysdb_initgr_legacy; - } else { - second_callback = sysdb_initgr_search; - } - - sctx = init_src_ctx(ret_sctx, domain, legacy, - ctx, second_callback, ret_sctx); - if (!sctx) { - talloc_free(ret_sctx); - return ENOMEM; - } - - expression = talloc_asprintf(sctx, SYSDB_PWNAM_FILTER, name); - if (!expression) { - talloc_free(ret_sctx); - return ENOMEM; - } - - base_dn = ldb_dn_new_fmt(sctx, ctx->ldb, SYSDB_TMPL_USER_BASE, domain); - if (!base_dn) { - talloc_free(ret_sctx); - return ENOMEM; - } - - ret = ldb_build_search_req(&req, ctx->ldb, sctx, - base_dn, LDB_SCOPE_SUBTREE, - expression, attrs, NULL, - sctx, get_gen_callback, - NULL); - if (ret != LDB_SUCCESS) { - return sysdb_error_to_errno(ret); - } - - ret = ldb_request(ctx->ldb, req); - if (ret != LDB_SUCCESS) { - 
return sysdb_error_to_errno(ret); - } - - return LDB_SUCCESS; -} +/************************************************ + * Initialiazation stuff + */ static int sysdb_read_var(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb, @@ -896,15 +166,18 @@ int sysdb_init(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct confdb_ctx *cdb, const char *alt_db_path, - struct sysdb_ctx **dbctx) + struct sysdb_ctx **_ctx) { struct sysdb_ctx *ctx; int ret; + if (!ev) return EINVAL; + ctx = talloc_zero(mem_ctx, struct sysdb_ctx); if (!ctx) { return ENOMEM; } + ctx->ev = ev; if (!alt_db_path) { ret = sysdb_get_db_path(ctx, cdb, &ctx->ldb_file); @@ -938,7 +211,7 @@ int sysdb_init(TALLOC_CTX *mem_ctx, return ret; } - *dbctx = ctx; + *_ctx = ctx; return EOK; } diff --git a/server/db/sysdb.h b/server/db/sysdb.h index c6cc4de..c0ef361 100644 --- a/server/db/sysdb.h +++ b/server/db/sysdb.h @@ -23,7 +23,6 @@ #define __SYS_DB_H__ #include "ldb.h" -#include "ldb_errors.h" #define SYSDB_CONF_SECTION "config/sysdb" #define SYSDB_FILE "sssd.ldb" @@ -77,12 +76,8 @@ #define SYSDB_INITGR_ATTRS {SYSDB_GR_GIDNUM, SYSDB_LAST_UPDATE, \ NULL} -struct sysdb_ctx { - struct ldb_context *ldb; - char *ldb_file; -}; - struct confdb_ctx; +struct sysdb_ctx; typedef void (*sysdb_callback_t)(void *, int, struct ldb_result *); @@ -93,7 +88,6 @@ int sysdb_init(TALLOC_CTX *mem_ctx, struct sysdb_ctx **dbctx); int sysdb_getpwnam(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, struct sysdb_ctx *ctx, const char *domain, const char *name, @@ -101,7 +95,6 @@ int sysdb_getpwnam(TALLOC_CTX *mem_ctx, sysdb_callback_t fn, void *ptr); int sysdb_getpwuid(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, struct sysdb_ctx *ctx, const char *domain, uid_t uid, 
@@ -109,14 +102,12 @@ int sysdb_getpwuid(TALLOC_CTX *mem_ctx, sysdb_callback_t fn, void *ptr); int sysdb_enumpwent(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, struct sysdb_ctx *ctx, const char *domain, bool legacy, sysdb_callback_t fn, void *ptr); int sysdb_getgrnam(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, struct sysdb_ctx *ctx, const char *domain, const char *name, @@ -124,7 +115,6 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx, sysdb_callback_t fn, void *ptr); int sysdb_getgrgid(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, struct sysdb_ctx *ctx, const char *domain, gid_t gid, @@ -132,14 +122,12 @@ int sysdb_getgrgid(TALLOC_CTX *mem_ctx, sysdb_callback_t fn, void *ptr); int sysdb_enumgrent(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, struct sysdb_ctx *ctx, const char *domain, bool legacy, sysdb_callback_t fn, void *ptr); int sysdb_initgroups(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, struct sysdb_ctx *ctx, const char *domain, const char *name, diff --git a/server/db/sysdb_internal.h b/server/db/sysdb_internal.h deleted file mode 100644 index 719f660..0000000 --- a/server/db/sysdb_internal.h +++ /dev/null 
@@ -1,70 +0,0 @@ - -/* - SSSD - - Private System Database Header - - Copyright (C) Simo Sorce 2008 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ - -#ifndef __INT_SYS_DB_H__ -#define __INT_SYS_DB_H__ - -#define SYSDB_VERSION "0.1" - -#define SYSDB_BASE_LDIF \ - "dn: @ATTRIBUTES\n" \ - "userPrincipalName: CASE_INSENSITIVE\n" \ - "cn: CASE_INSENSITIVE\n" \ - "dc: CASE_INSENSITIVE\n" \ - "dn: CASE_INSENSITIVE\n" \ - "name: CASE_INSENSITIVE\n" \ - "objectclass: CASE_INSENSITIVE\n" \ - "\n" \ - "dn: @INDEXLIST\n" \ - "@IDXATTR: cn\n" \ - "@IDXATTR: objectclass\n" \ - "@IDXATTR: member\n" \ - "@IDXATTR: memberof\n" \ - "@IDXATTR: memberuid\n" \ - "@IDXATTR: uid\n" \ - "@IDXATTR: gid\n" \ - "@IDXATTR: uidNumber\n" \ - "@IDXATTR: gidNumber\n" \ - "@IDXATTR: lastUpdate\n" \ - "\n" \ - "dn: @MODULES\n" \ - "@LIST: asq,memberof\n" \ - "\n" \ - "dn: cn=sysdb\n" \ - "cn: sysdb\n" \ - "version: 0.1\n" \ - "description: base object\n" \ - "\n" \ - "dn: cn=LOCAL,cn=sysdb\n" \ - "cn: local\n" \ - "description: Local system data\n" \ - "\n" \ - "dn: cn=Users,cn=LOCAL,cn=sysdb\n" \ - "cn: users\n" \ - "description: Local POSIX users\n" \ - "\n" \ - "dn: cn=Groups,cn=LOCAL,cn=sysdb\n" \ - "cn: groups\n" \ - "description: Local POSIX groups\n" \ - "\n" - -#endif /* __INT_SYS_DB_H__ */ diff --git a/server/db/sysdb_private.h b/server/db/sysdb_private.h new file mode 100644 index 0000000..c649af4 --- /dev/null 
+++ b/server/db/sysdb_private.h 
@@ -0,0 +1,95 @@ + +/* + SSSD + + Private System Database Header + + Copyright (C) Simo Sorce 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __INT_SYS_DB_H__ +#define __INT_SYS_DB_H__ + +#define SYSDB_VERSION "0.1" + +#define SYSDB_BASE_LDIF \ + "dn: @ATTRIBUTES\n" \ + "userPrincipalName: CASE_INSENSITIVE\n" \ + "cn: CASE_INSENSITIVE\n" \ + "dc: CASE_INSENSITIVE\n" \ + "dn: CASE_INSENSITIVE\n" \ + "name: CASE_INSENSITIVE\n" \ + "objectclass: CASE_INSENSITIVE\n" \ + "\n" \ + "dn: @INDEXLIST\n" \ + "@IDXATTR: cn\n" \ + "@IDXATTR: objectclass\n" \ + "@IDXATTR: member\n" \ + "@IDXATTR: memberof\n" \ + "@IDXATTR: memberuid\n" \ + "@IDXATTR: uid\n" \ + "@IDXATTR: gid\n" \ + "@IDXATTR: uidNumber\n" \ + "@IDXATTR: gidNumber\n" \ + "@IDXATTR: lastUpdate\n" \ + "\n" \ + "dn: @MODULES\n" \ + "@LIST: asq,memberof\n" \ + "\n" \ + "dn: cn=sysdb\n" \ + "cn: sysdb\n" \ + "version: 0.1\n" \ + "description: base object\n" \ + "\n" \ + "dn: cn=LOCAL,cn=sysdb\n" \ + "cn: local\n" \ + "description: Local system data\n" \ + "\n" \ + "dn: cn=Users,cn=LOCAL,cn=sysdb\n" \ + "cn: users\n" \ + "description: Local POSIX users\n" \ + "\n" \ + "dn: cn=Groups,cn=LOCAL,cn=sysdb\n" \ + "cn: groups\n" \ + "description: Local POSIX groups\n" \ + "\n" + +#include "db/sysdb.h" + +struct sysdb_req; + +struct sysdb_ctx { + struct tevent_context *ev; + struct ldb_context *ldb; + char *ldb_file; + struct sysdb_req *queue; +}; + +typedef 
void (*sysdb_req_fn_t)(struct sysdb_req *, void *pvt); + +int sysdb_error_to_errno(int ldberr); + +int sysdb_transaction(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *ctx, + sysdb_req_fn_t fn, void *pvt); +void sysdb_transaction_done(struct sysdb_req *req, int status); + +int sysdb_operation(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *ctx, + sysdb_req_fn_t fn, void *pvt); +void sysdb_operation_done(struct sysdb_req *req); + +#endif /* __INT_SYS_DB_H__ */ diff --git a/server/db/sysdb_req.c b/server/db/sysdb_req.c new file mode 100644 index 0000000..fcbd17b --- /dev/null +++ b/server/db/sysdb_req.c 
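Review bot: the prototypes added at the end of server/db/sysdb_private.h (sysdb_transaction(), sysdb_transaction_done(), sysdb_operation(), sysdb_operation_done()) have no comment describing the calling contract, and the contract is strict. In sysdb_req.c the next queued request is only scheduled from the two *_done functions or from the request destructor, so a sysdb_req_fn_t callback that returns without ever reaching its *_done call (or freeing the request) blocks every later request on that sysdb_ctx. Please document on these prototypes that each callback must finish with exactly one matching *_done call, and that sysdb_transaction_done() commits only when status is EOK and cancels otherwise.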
@@ -0,0 +1,241 @@ +/* + SSSD + + System Database + + Copyright (C) Simo Sorce 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include "util/util.h" +#include "util/dlinklist.h" +#include "db/sysdb_private.h" +#include "ldb.h" + +struct sysdb_req { + struct sysdb_req *next, *prev; + struct sysdb_ctx *ctx; + sysdb_req_fn_t fn; + void *pvt; + int status; + bool transaction_active; +}; + +static void sysdb_req_run(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval tv, void *ptr) +{ + struct sysdb_req *req = talloc_get_type(ptr, struct sysdb_req); + + if (req != req->ctx->queue) abort(); + + req->fn(req, req->pvt); +} + +static int sysdb_req_schedule(struct sysdb_req *req) +{ + struct tevent_timer *te = NULL; + struct timeval tv; + + /* call it asap */ + tv.tv_sec = 0; + tv.tv_usec = 0; + + te = tevent_add_timer(req->ctx->ev, req, tv, sysdb_req_run, req); + if (te == NULL) { + return EIO; + } + + return EOK; +} + +static int sysdb_req_enqueue(struct sysdb_req *req) +{ + int ret = EOK; + + DLIST_ADD_END(req->ctx->queue, req, struct sysdb_req *); + + if (req->ctx->queue == req) { + ret = sysdb_req_schedule(req); + } + + return ret; +} + +static void sysdb_transaction_end(struct sysdb_req *req); + +static int sysdb_req_destructor(void *ptr) +{ + struct sysdb_req *req; + int ret; + + req = talloc_get_type(ptr, struct sysdb_req); + + if (req->ctx->queue != req) { + 
DLIST_REMOVE(req->ctx->queue, req); + return 0; + } + + /* req is the currently running operation or + * scheduled to run operation */ + + if (req->transaction_active) { + /* freeing before the transaction is complete */ + req->status = ETIMEDOUT; + sysdb_transaction_end(req); + } + + DLIST_REMOVE(req->ctx->queue, req); + + /* make sure we schedule the next in line if any */ + if (req->ctx->queue) { + ret = sysdb_req_schedule(req->ctx->queue); + if (ret != EOK) abort(); + } + + return 0; +} + +static struct sysdb_req *sysdb_new_req(TALLOC_CTX *memctx, + struct sysdb_ctx *ctx, + sysdb_req_fn_t fn, void *pvt) +{ + struct sysdb_req *req; + + req = talloc_zero(memctx, struct sysdb_req); + if (!req) return NULL; + + req->ctx = ctx; + req->fn = fn; + req->pvt = pvt; + + talloc_set_destructor((TALLOC_CTX *)req, sysdb_req_destructor); + + return req; +} + +static void sysdb_transaction_int(struct sysdb_req *intreq, void *pvt) +{ + struct sysdb_req *req = talloc_get_type(pvt, struct sysdb_req); + int ret; + + /* first of all swap this internal request with the real one on the queue + * otherwise request_done() will later abort */ + DLIST_REMOVE(req->ctx->queue, intreq); + DLIST_ADD(req->ctx->queue, req); + + if (intreq->status != EOK) { + req->status = intreq->status; + req->fn(req, req->pvt); + return; + } + + ret = ldb_transaction_start(req->ctx->ldb); + if (ret != LDB_SUCCESS) { + DEBUG(1, ("Failed to start ldb transaction! (%d)\n", ret)); + req->status = sysdb_error_to_errno(ret); + } + req->transaction_active = true; + + req->fn(req, req->pvt); +} + +static void sysdb_transaction_end(struct sysdb_req *req) +{ + int ret; + + if (req->status == EOK) { + ret = ldb_transaction_commit(req->ctx->ldb); + if (ret != LDB_SUCCESS) { + DEBUG(1, ("Failed to commit ldb transaction! 
(%d)\n", ret)); + } + } else { + DEBUG(4, ("Canceling transaction (%d[%s)\n", + req->status, strerror(req->status))); + ret = ldb_transaction_cancel(req->ctx->ldb); + if (ret != LDB_SUCCESS) { + DEBUG(1, ("Failed to cancel ldb transaction! (%d)\n", ret)); + /* FIXME: abort() ? */ + } + } + req->transaction_active = false; +} + +int sysdb_transaction(TALLOC_CTX *memctx, struct sysdb_ctx *ctx, + sysdb_req_fn_t fn, void *pvt) +{ + struct sysdb_req *req, *intreq; + + req = sysdb_new_req(memctx, ctx, fn, pvt); + if (!req) return ENOMEM; + + intreq = sysdb_new_req(req, ctx, sysdb_transaction_int, req); + if (!intreq) { + talloc_free(intreq); + return ENOMEM; + } + + return sysdb_req_enqueue(intreq); +} + +void sysdb_transaction_done(struct sysdb_req *req, int status) +{ + int ret; + + if (req->ctx->queue != req) abort(); + if (!req->transaction_active) abort(); + + req->status = status; + + sysdb_transaction_end(req); + + DLIST_REMOVE(req->ctx->queue, req); + + if (req->ctx->queue) { + ret = sysdb_req_schedule(req->ctx->queue); + if (ret != EOK) abort(); + } + + talloc_free(req); +} + +int sysdb_operation(TALLOC_CTX *memctx, struct sysdb_ctx *ctx, + sysdb_req_fn_t fn, void *pvt) +{ + struct sysdb_req *req; + + req = sysdb_new_req(memctx, ctx, fn, pvt); + if (!req) return ENOMEM; + + return sysdb_req_enqueue(req); +} + +void sysdb_operation_done(struct sysdb_req *req) +{ + int ret; + + if (req->ctx->queue != req) abort(); + + DLIST_REMOVE(req->ctx->queue, req); + + if (req->ctx->queue) { + ret = sysdb_req_schedule(req->ctx->queue); + if (ret != EOK) abort(); + } + + talloc_free(req); +} + diff --git a/server/db/sysdb_search.c b/server/db/sysdb_search.c new file mode 100644 index 0000000..5a355a0 --- /dev/null +++ b/server/db/sysdb_search.c 
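Review bot: two error paths in server/db/sysdb_req.c need fixing. In sysdb_transaction(), the failure branch after the second sysdb_new_req() call reads "if (!intreq) { talloc_free(intreq); return ENOMEM; }", which frees a NULL pointer and leaves req (with its destructor installed) hanging off memctx; it should be talloc_free(req). In sysdb_transaction_int(), when ldb_transaction_start() fails the code records the error in req->status but still falls through to "req->transaction_active = true;", so sysdb_transaction_end() will later call ldb_transaction_cancel() for a transaction that was never started. Set the flag only when the start returned LDB_SUCCESS, and make sure the "if (!req->transaction_active) abort();" check in sysdb_transaction_done() does not then turn a failed start into a process abort. The intreq->status != EOK branch of sysdb_transaction_int() has the same problem: it calls req->fn() with transaction_active still false, so a callback that reports the failure through sysdb_transaction_done() hits that abort().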
@@ -0,0 +1,731 @@ +/* + SSSD + + System Database + + Copyright (C) Simo Sorce 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "db/sysdb_private.h" +#include "confdb/confdb.h" +#include + +struct sysdb_search_ctx; + +typedef void (*gen_callback)(struct sysdb_search_ctx *); + +struct sysdb_search_ctx { + struct sysdb_ctx *ctx; + struct sysdb_req *req; + + const char *expression; + const char *domain; + bool legacy; + + sysdb_callback_t callback; + void *ptr; + + gen_callback gen_aux_fn; + + struct get_mem_ctx *gmctx; + + struct ldb_result *res; +}; + +static struct sysdb_search_ctx *init_src_ctx(TALLOC_CTX *mem_ctx, + const char *domain, + bool legacy, + struct sysdb_ctx *ctx, + sysdb_callback_t fn, + void *ptr) +{ + struct sysdb_search_ctx *sctx; + + sctx = talloc_zero(mem_ctx, struct sysdb_search_ctx); + if (!sctx) { + return NULL; + } + sctx->ctx = ctx; + sctx->callback = fn; + sctx->ptr = ptr; + sctx->res = talloc_zero(sctx, struct ldb_result); + if (!sctx->res) { + talloc_free(sctx); + return NULL; + } + sctx->domain = talloc_strdup(sctx, domain); + if (!sctx->domain) { + talloc_free(sctx); + return NULL; + } + sctx->legacy = legacy; + + return sctx; +} + +int sysdb_error_to_errno(int ldberr) +{ + /* fake it up for now, requires a mapping table */ + return EIO; +} + +static void request_ldberror(struct sysdb_search_ctx *sctx, int error) +{ + 
sysdb_operation_done(sctx->req); + sctx->callback(sctx->ptr, sysdb_error_to_errno(error), NULL); +} + +static void request_error(struct sysdb_search_ctx *sctx, int error) +{ + sysdb_operation_done(sctx->req); + sctx->callback(sctx->ptr, error, NULL); +} + +static void request_done(struct sysdb_search_ctx *sctx) +{ + sysdb_operation_done(sctx->req); + sctx->callback(sctx->ptr, EOK, sctx->res); +} + +static int get_gen_callback(struct ldb_request *req, + struct ldb_reply *ares) +{ + struct sysdb_search_ctx *sctx; + struct ldb_result *res; + int n; + + sctx = talloc_get_type(req->context, struct sysdb_search_ctx); + res = sctx->res; + + if (!ares) { + request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); + return LDB_ERR_OPERATIONS_ERROR; + } + if (ares->error != LDB_SUCCESS) { + request_ldberror(sctx, ares->error); + return ares->error; + } + + switch (ares->type) { + case LDB_REPLY_ENTRY: + res->msgs = talloc_realloc(res, res->msgs, + struct ldb_message *, + res->count + 2); + if (!res->msgs) { + request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); + return LDB_ERR_OPERATIONS_ERROR; + } + + res->msgs[res->count + 1] = NULL; + + res->msgs[res->count] = talloc_steal(res->msgs, ares->message); + res->count++; + break; + + case LDB_REPLY_REFERRAL: + if (res->refs) { + for (n = 0; res->refs[n]; n++) /*noop*/ ; + } else { + n = 0; + } + + res->refs = talloc_realloc(res, res->refs, char *, n + 2); + if (! 
res->refs) { + request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); + return LDB_ERR_OPERATIONS_ERROR; + } + + res->refs[n] = talloc_steal(res->refs, ares->referral); + res->refs[n + 1] = NULL; + break; + + case LDB_REPLY_DONE: + res->controls = talloc_steal(res, ares->controls); + + /* check if we need to call any aux function */ + if (sctx->gen_aux_fn) { + sctx->gen_aux_fn(sctx); + } else { + /* no aux functions, this means the request is done */ + request_done(sctx); + } + return LDB_SUCCESS; + } + + talloc_free(ares); + return LDB_SUCCESS; +} + +/* users */ + +static void pwd_search(struct sysdb_req *sysreq, void *ptr) +{ + struct sysdb_search_ctx *sctx; + static const char *attrs[] = SYSDB_PW_ATTRS; + struct ldb_request *req; + struct ldb_dn *base_dn; + int ret; + + sctx = talloc_get_type(ptr, struct sysdb_search_ctx); + sctx->req = sysreq; + + base_dn = ldb_dn_new_fmt(sctx, sctx->ctx->ldb, + SYSDB_TMPL_USER_BASE, sctx->domain); + if (!base_dn) { + return request_error(sctx, ENOMEM); + } + + ret = ldb_build_search_req(&req, sctx->ctx->ldb, sctx, + base_dn, LDB_SCOPE_SUBTREE, + sctx->expression, attrs, NULL, + sctx, get_gen_callback, + NULL); + if (ret != LDB_SUCCESS) { + return request_ldberror(sctx, ret); + } + + ret = ldb_request(sctx->ctx->ldb, req); + if (ret != LDB_SUCCESS) { + return request_ldberror(sctx, ret); + } +} + +int sysdb_getpwnam(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *ctx, + const char *domain, + const char *name, + bool legacy, + sysdb_callback_t fn, void *ptr) +{ + struct sysdb_search_ctx *sctx; + + if (!domain) { + return EINVAL; + } + + sctx = init_src_ctx(mem_ctx, domain, legacy, ctx, fn, ptr); + if (!sctx) { + return ENOMEM; + } + + sctx->expression = talloc_asprintf(sctx, SYSDB_PWNAM_FILTER, name); + if (!sctx->expression) { + talloc_free(sctx); + return ENOMEM; + } + + return sysdb_operation(mem_ctx, ctx, pwd_search, sctx); +} + +int sysdb_getpwuid(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *ctx, + const char *domain, + uid_t uid, + bool 
legacy, + sysdb_callback_t fn, void *ptr) +{ + struct sysdb_search_ctx *sctx; + unsigned long int filter_uid = uid; + + if (!domain) { + return EINVAL; + } + + sctx = init_src_ctx(mem_ctx, domain, legacy, ctx, fn, ptr); + if (!sctx) { + return ENOMEM; + } + + sctx->expression = talloc_asprintf(sctx, SYSDB_PWUID_FILTER, filter_uid); + if (!sctx->expression) { + talloc_free(sctx); + return ENOMEM; + } + + return sysdb_operation(mem_ctx, ctx, pwd_search, sctx); +} + +int sysdb_enumpwent(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *ctx, + const char *domain, + bool legacy, + sysdb_callback_t fn, void *ptr) +{ + struct sysdb_search_ctx *sctx; + + if (!domain) { + return EINVAL; + } + + sctx = init_src_ctx(mem_ctx, domain, legacy, ctx, fn, ptr); + if (!sctx) { + return ENOMEM; + } + + sctx->expression = SYSDB_PWENT_FILTER; + + return sysdb_operation(mem_ctx, ctx, pwd_search, sctx); +} + +/* groups */ + +struct get_mem_ctx { + struct sysdb_search_ctx *ret_sctx; + struct ldb_message **grps; + int num_grps; +}; + +static void get_members(struct sysdb_search_ctx *sctx) +{ + struct get_mem_ctx *gmctx; + struct ldb_request *req; + struct ldb_message *msg; + struct ldb_dn *dn; + static const char *attrs[] = SYSDB_GRPW_ATTRS; + int ret; + + gmctx = sctx->gmctx; + + if (gmctx->grps[0] == NULL) { + return request_done(sctx); + } + + /* fetch next group to search for members */ + gmctx->num_grps--; + msg = gmctx->grps[gmctx->num_grps]; + gmctx->grps[gmctx->num_grps] = NULL; + + /* queue the group entry on the final result structure */ + sctx->res->msgs = talloc_realloc(sctx->res, sctx->res->msgs, + struct ldb_message *, + sctx->res->count + 2); + if (!sctx->res->msgs) { + return request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); + } + sctx->res->msgs[sctx->res->count + 1] = NULL; + sctx->res->msgs[sctx->res->count] = talloc_steal(sctx->res->msgs, msg); + sctx->res->count++; + + /* search for this group members */ + sctx->expression = talloc_asprintf(sctx, SYSDB_GRNA2_FILTER, + 
ldb_dn_get_linearized(msg->dn)); + if (!sctx->expression) { + return request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); + } + + dn = ldb_dn_new_fmt(sctx, sctx->ctx->ldb, + SYSDB_TMPL_USER_BASE, sctx->domain); + if (!dn) { + return request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); + } + + sctx->gen_aux_fn = get_members; + + ret = ldb_build_search_req(&req, sctx->ctx->ldb, sctx, + dn, LDB_SCOPE_SUBTREE, + sctx->expression, attrs, NULL, + sctx, get_gen_callback, + NULL); + if (ret != LDB_SUCCESS) { + return request_ldberror(sctx, ret); + } + + ret = ldb_request(sctx->ctx->ldb, req); + if (ret != LDB_SUCCESS) { + return request_ldberror(sctx, ret); + } +} + +static int get_grp_callback(struct ldb_request *req, + struct ldb_reply *ares) +{ + struct sysdb_search_ctx *sctx; + struct sysdb_ctx *ctx; + struct ldb_result *res; + int n; + + sctx = talloc_get_type(req->context, struct sysdb_search_ctx); + ctx = sctx->ctx; + res = sctx->res; + + if (!ares) { + request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); + return LDB_ERR_OPERATIONS_ERROR; + } + if (ares->error != LDB_SUCCESS) { + request_ldberror(sctx, ares->error); + return ares->error; + } + + switch (ares->type) { + case LDB_REPLY_ENTRY: + res->msgs = talloc_realloc(res, res->msgs, + struct ldb_message *, + res->count + 2); + if (!res->msgs) { + request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); + return LDB_ERR_OPERATIONS_ERROR; + } + + res->msgs[res->count + 1] = NULL; + + res->msgs[res->count] = talloc_steal(res->msgs, ares->message); + res->count++; + break; + + case LDB_REPLY_REFERRAL: + if (res->refs) { + for (n = 0; res->refs[n]; n++) /*noop*/ ; + } else { + n = 0; + } + + res->refs = talloc_realloc(res, res->refs, char *, n + 2); + if (! 
res->refs) { + request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); + return LDB_ERR_OPERATIONS_ERROR; + } + + res->refs[n] = talloc_steal(res->refs, ares->referral); + res->refs[n + 1] = NULL; + break; + + case LDB_REPLY_DONE: + res->controls = talloc_steal(res, ares->controls); + + /* no results, return */ + if (res->count == 0) { + request_done(sctx); + return LDB_SUCCESS; + } + if (res->count > 0) { + + sctx->gmctx = talloc_zero(req, struct get_mem_ctx); + if (!sctx->gmctx) { + request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); + return LDB_ERR_OPERATIONS_ERROR; + } + sctx->gmctx->grps = res->msgs; + sctx->gmctx->num_grps = res->count; + res->msgs = NULL; + res->count = 0; + + /* now get members */ + get_members(sctx); + return LDB_SUCCESS; + } + + /* anything else is an error */ + request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); + return LDB_ERR_OPERATIONS_ERROR; + } + + talloc_free(ares); + return LDB_SUCCESS; +} + +static void grp_search(struct sysdb_req *sysreq, void *ptr) +{ + struct sysdb_search_ctx *sctx; + ldb_request_callback_t callback; + static const char *attrs[] = SYSDB_GRNAM_ATTRS; + struct ldb_request *req; + struct ldb_dn *base_dn; + int ret; + + sctx = talloc_get_type(ptr, struct sysdb_search_ctx); + sctx->req = sysreq; + + if (sctx->legacy) { + callback = get_gen_callback; + } else { + callback = get_grp_callback; + } + + base_dn = ldb_dn_new_fmt(sctx, sctx->ctx->ldb, + SYSDB_TMPL_GROUP_BASE, sctx->domain); + if (!base_dn) { + return request_error(sctx, ENOMEM); + } + + ret = ldb_build_search_req(&req, sctx->ctx->ldb, sctx, + base_dn, LDB_SCOPE_SUBTREE, + sctx->expression, attrs, NULL, + sctx, callback, + NULL); + if (ret != LDB_SUCCESS) { + return request_ldberror(sctx, ret); + } + + ret = ldb_request(sctx->ctx->ldb, req); + if (ret != LDB_SUCCESS) { + return request_ldberror(sctx, ret); + } +} + +int sysdb_getgrnam(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *ctx, + const char *domain, + const char *name, + bool legacy, + sysdb_callback_t fn, void 
*ptr) +{ + struct sysdb_search_ctx *sctx; + + if (!domain) { + return EINVAL; + } + + sctx = init_src_ctx(mem_ctx, domain, legacy, ctx, fn, ptr); + if (!sctx) { + return ENOMEM; + } + + sctx->expression = talloc_asprintf(sctx, SYSDB_GRNAM_FILTER, name); + if (!sctx->expression) { + talloc_free(sctx); + return ENOMEM; + } + + return sysdb_operation(mem_ctx, ctx, grp_search, sctx); +} + +int sysdb_getgrgid(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *ctx, + const char *domain, + gid_t gid, + bool legacy, + sysdb_callback_t fn, void *ptr) +{ + struct sysdb_search_ctx *sctx; + unsigned long int filter_gid = gid; + + if (!domain) { + return EINVAL; + } + + sctx = init_src_ctx(mem_ctx, domain, legacy, ctx, fn, ptr); + if (!sctx) { + return ENOMEM; + } + + sctx->expression = talloc_asprintf(sctx, SYSDB_GRGID_FILTER, filter_gid); + if (!sctx->expression) { + talloc_free(sctx); + return ENOMEM; + } + + return sysdb_operation(mem_ctx, ctx, grp_search, sctx); +} + +int sysdb_enumgrent(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *ctx, + const char *domain, + bool legacy, + sysdb_callback_t fn, void *ptr) +{ + struct sysdb_search_ctx *sctx; + + if (!domain) { + return EINVAL; + } + + sctx = init_src_ctx(mem_ctx, domain, legacy, ctx, fn, ptr); + if (!sctx) { + return ENOMEM; + } + + sctx->expression = SYSDB_GRENT_FILTER; + + return sysdb_operation(mem_ctx, ctx, grp_search, sctx); +} + +static void initgr_mem_legacy(struct sysdb_search_ctx *sctx) +{ + struct sysdb_ctx *ctx = sctx->ctx; + struct ldb_result *res = sctx->res; + struct ldb_request *req; + struct ldb_dn *base_dn; + static const char *attrs[] = SYSDB_INITGR_ATTRS; + const char *userid; + int ret; + + if (res->count == 0) { + return request_done(sctx); + } + if (res->count > 1) { + return request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); + } + + userid = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_PW_NAME, NULL); + if (!userid) { + return request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); + } + + sctx->expression = 
talloc_asprintf(sctx, + SYSDB_INITGR_LEGACY_FILTER, userid); + if (!sctx->expression) { + return request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); + } + + base_dn = ldb_dn_new_fmt(sctx, ctx->ldb, + SYSDB_TMPL_GROUP_BASE, sctx->domain); + if (!base_dn) { + return request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); + } + + ret = ldb_build_search_req(&req, ctx->ldb, sctx, + base_dn, LDB_SCOPE_SUBTREE, + sctx->expression, attrs, NULL, + sctx, get_gen_callback, + NULL); + if (ret != LDB_SUCCESS) { + return request_ldberror(sctx, ret); + } + + ret = ldb_request(ctx->ldb, req); + if (ret != LDB_SUCCESS) { + return request_ldberror(sctx, ret); + } +} + +static void initgr_mem_search(struct sysdb_search_ctx *sctx) +{ + struct sysdb_ctx *ctx = sctx->ctx; + struct ldb_result *res = sctx->res; + struct ldb_request *req; + struct ldb_control **ctrl; + struct ldb_asq_control *control; + static const char *attrs[] = SYSDB_INITGR_ATTRS; + int ret; + + if (res->count == 0) { + return request_done(sctx); + } + if (res->count > 1) { + return request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); + } + + sctx->expression = talloc_asprintf(sctx, SYSDB_INITGR_FILTER); + if (!sctx->expression) { + return request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); + } + + ctrl = talloc_array(sctx, struct ldb_control *, 2); + if (!ctrl) { + return request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); + } + ctrl[1] = NULL; + ctrl[0] = talloc(ctrl, struct ldb_control); + if (!ctrl[0]) { + return request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); + } + ctrl[0]->oid = LDB_CONTROL_ASQ_OID; + ctrl[0]->critical = 1; + control = talloc(ctrl[0], struct ldb_asq_control); + if (!control) { + return request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); + } + control->request = 1; + control->source_attribute = talloc_strdup(control, SYSDB_INITGR_ATTR); + if (!control->source_attribute) { + return request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); + } + control->src_attr_len = strlen(control->source_attribute); + ctrl[0]->data = 
control; + + ret = ldb_build_search_req(&req, ctx->ldb, sctx, + res->msgs[0]->dn, + LDB_SCOPE_BASE, + sctx->expression, attrs, ctrl, + sctx, get_gen_callback, + NULL); + if (ret != LDB_SUCCESS) { + return request_ldberror(sctx, ret); + } + + ret = ldb_request(ctx->ldb, req); + if (ret != LDB_SUCCESS) { + return request_ldberror(sctx, ret); + } +} + +static void initgr_search(struct sysdb_req *sysreq, void *ptr) +{ + struct sysdb_search_ctx *sctx; + static const char *attrs[] = SYSDB_PW_ATTRS; + struct ldb_request *req; + struct ldb_dn *base_dn; + int ret; + + sctx = talloc_get_type(ptr, struct sysdb_search_ctx); + sctx->req = sysreq; + + if (sctx->legacy) { + sctx->gen_aux_fn = initgr_mem_legacy; + } else { + sctx->gen_aux_fn = initgr_mem_search; + } + + base_dn = ldb_dn_new_fmt(sctx, sctx->ctx->ldb, + SYSDB_TMPL_USER_BASE, sctx->domain); + if (!base_dn) { + return request_error(sctx, ENOMEM); + } + + ret = ldb_build_search_req(&req, sctx->ctx->ldb, sctx, + base_dn, LDB_SCOPE_SUBTREE, + sctx->expression, attrs, NULL, + sctx, get_gen_callback, + NULL); + if (ret != LDB_SUCCESS) { + return request_ldberror(sctx, ret); + } + + ret = ldb_request(sctx->ctx->ldb, req); + if (ret != LDB_SUCCESS) { + return request_ldberror(sctx, ret); + } +} + +int sysdb_initgroups(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *ctx, + const char *domain, + const char *name, + bool legacy, + sysdb_callback_t fn, void *ptr) +{ + struct sysdb_search_ctx *sctx; + + if (!domain) { + return EINVAL; + } + + sctx = init_src_ctx(mem_ctx, domain, legacy, ctx, fn, ptr); + if (!sctx) { + return ENOMEM; + } + + sctx->expression = talloc_asprintf(sctx, SYSDB_PWNAM_FILTER, name); + if (!sctx->expression) { + talloc_free(sctx); + return ENOMEM; + } + + return sysdb_operation(mem_ctx, ctx, initgr_search, sctx); +} + diff --git a/server/db/sysdb_sync.c b/server/db/sysdb_sync.c index f2c992f..1910e9f 100644 --- a/server/db/sysdb_sync.c +++ b/server/db/sysdb_sync.c 
@@ -20,7 +20,7 @@ */ #include "util/util.h" -#include "db/sysdb.h" +#include "db/sysdb_private.h" #include /* the following are all SYNCHRONOUS calls diff --git a/server/responder/nss/nsssrv.c b/server/responder/nss/nsssrv.c index 0c5fd4c..2fbe397 100644 --- a/server/responder/nss/nsssrv.c +++ b/server/responder/nss/nsssrv.c @@ -397,7 +397,15 @@ failed: * only ASCII names for now */ static int _domain_comparator(const void *key1, const void *key2) { - return strcasecmp((const char *)key1, (const char *)key2); + int ret; + + ret = strcasecmp((const char *)key1, (const char *)key2); + if (ret) { + /* special case LOCAL to be always the first domain */ + if (strcmp(key1, "LOCAL") == 0) return 1; + if (strcmp(key2, "LOCAL") == 0) return -1; + } + return ret; } static int nss_init_domains(struct nss_ctx *nctx) diff --git a/server/responder/nss/nsssrv_cmd.c b/server/responder/nss/nsssrv_cmd.c index c61eb4f..1614658 100644 --- a/server/responder/nss/nsssrv_cmd.c +++ b/server/responder/nss/nsssrv_cmd.c @@ -97,6 +97,9 @@ static int nss_parse_name(struct nss_dom_ctx *dctx, const char *fullname) char *delim; char *domain; + /* TODO: add list of names to filter to configuration */ + if (strcmp(fullname, "root") == 0) return ECANCELED; + domain_map = nctx->domain_map; if ((delim = strchr(fullname, NSS_DOMAIN_DELIM)) != NULL) { @@ -367,7 +370,7 @@ static void nss_cmd_getpwnam_dp_callback(uint16_t err_maj, uint32_t err_min, (unsigned int)err_maj, (unsigned int)err_min, err_msg)); } - ret = sysdb_getpwnam(cmdctx, cctx->ev, cctx->nctx->sysdb, + ret = sysdb_getpwnam(cmdctx, cctx->nctx->sysdb, dctx->domain, cmdctx->name, dctx->legacy, nss_cmd_getpwnam_callback, dctx); @@ -386,6 +389,7 @@ static int nss_cmd_getpwnam(struct cli_ctx *cctx) { struct nss_cmd_ctx *cmdctx; struct nss_dom_ctx *dctx; + const char *rawname; uint8_t *body; size_t blen; int ret; 
@@ -407,23 +411,27 @@ static int nss_cmd_getpwnam(struct cli_ctx *cctx) talloc_free(cmdctx); return EINVAL; } + rawname = (const char *)body; - ret = nss_parse_name(dctx, (const char *)body); + ret = nss_parse_name(dctx, rawname); if (ret != EOK) { - DEBUG(1, ("Invalid name received\n")); - talloc_free(cmdctx); - return ret; + DEBUG(2, ("Invalid name received [%s]\n", rawname)); + goto done; } DEBUG(4, ("Requesting info for [%s] from [%s]\n", cmdctx->name, dctx->domain)); - ret = sysdb_getpwnam(cmdctx, cctx->ev, cctx->nctx->sysdb, + ret = sysdb_getpwnam(cmdctx, cctx->nctx->sysdb, dctx->domain, cmdctx->name, dctx->legacy, nss_cmd_getpwnam_callback, dctx); + if (ret != EOK) { DEBUG(1, ("Failed to make request to our cache!\n")); + } +done: + if (ret != EOK) { ret = nss_cmd_send_error(cmdctx, ret); if (ret == EOK) { nss_cmd_done(cmdctx); @@ -586,7 +594,7 @@ static void nss_cmd_getpwuid_dp_callback(uint16_t err_maj, uint32_t err_min, (unsigned int)err_maj, (unsigned int)err_min, err_msg)); } - ret = sysdb_getpwuid(cmdctx, cctx->ev, cctx->nctx->sysdb, + ret = sysdb_getpwuid(cmdctx, cctx->nctx->sysdb, dctx->domain, cmdctx->id, dctx->legacy, nss_cmd_getpwuid_callback, dctx); @@ -656,7 +664,7 @@ static int nss_cmd_getpwuid(struct cli_ctx *cctx) DEBUG(4, ("Requesting info for [%lu@%s]\n", cmdctx->id, dctx->domain)); - ret = sysdb_getpwuid(cmdctx, cctx->ev, cctx->nctx->sysdb, + ret = sysdb_getpwuid(cmdctx, cctx->nctx->sysdb, dctx->domain, cmdctx->id, dctx->legacy, nss_cmd_getpwuid_callback, dctx); @@ -773,7 +781,7 @@ static void nss_cmd_setpw_dp_callback(uint16_t err_maj, uint32_t err_min, (unsigned int)err_maj, (unsigned int)err_min, err_msg)); } - ret = sysdb_enumpwent(cmdctx, cctx->ev, cctx->nctx->sysdb, + ret = sysdb_enumpwent(cmdctx, cctx->nctx->sysdb, dctx->domain, dctx->legacy, nss_cmd_setpwent_callback, cmdctx); if (ret != EOK) { 
@@ -854,7 +862,7 @@ static int nss_cmd_setpwent_ext(struct cli_ctx *cctx, bool immediate) timeout, domains[i], NSS_DP_USER, NULL, 0); } else { - ret = sysdb_enumpwent(dctx, cctx->ev, cctx->nctx->sysdb, + ret = sysdb_enumpwent(dctx, cctx->nctx->sysdb, dctx->domain, dctx->legacy, nss_cmd_setpwent_callback, cmdctx); } @@ -1280,7 +1288,7 @@ static void nss_cmd_getgrnam_dp_callback(uint16_t err_maj, uint32_t err_min, (unsigned int)err_maj, (unsigned int)err_min, err_msg)); } - ret = sysdb_getgrnam(cmdctx, cctx->ev, cctx->nctx->sysdb, + ret = sysdb_getgrnam(cmdctx, cctx->nctx->sysdb, dctx->domain, cmdctx->name, dctx->legacy, nss_cmd_getgrnam_callback, dctx); @@ -1299,6 +1307,7 @@ static int nss_cmd_getgrnam(struct cli_ctx *cctx) { struct nss_cmd_ctx *cmdctx; struct nss_dom_ctx *dctx; + const char *rawname; uint8_t *body; size_t blen; int ret; @@ -1320,23 +1329,26 @@ static int nss_cmd_getgrnam(struct cli_ctx *cctx) talloc_free(cmdctx); return EINVAL; } + rawname = (const char *)body; - ret = nss_parse_name(dctx, (const char *)body); + ret = nss_parse_name(dctx, rawname); if (ret != EOK) { - DEBUG(1, ("Invalid name received\n")); - talloc_free(cmdctx); - return ret; + DEBUG(2, ("Invalid name received [%s]\n", rawname)); + goto done; } DEBUG(4, ("Requesting info for [%s] from [%s]\n", cmdctx->name, dctx->domain)); - ret = sysdb_getgrnam(cmdctx, cctx->ev, cctx->nctx->sysdb, + ret = sysdb_getgrnam(cmdctx, cctx->nctx->sysdb, dctx->domain, cmdctx->name, dctx->legacy, nss_cmd_getgrnam_callback, dctx); if (ret != EOK) { DEBUG(1, ("Failed to make request to our cache!\n")); + } +done: + if (ret != EOK) { ret = nss_cmd_send_error(cmdctx, ret); if (ret == EOK) { nss_cmd_done(cmdctx); 
@@ -1484,7 +1496,7 @@ static void nss_cmd_getgrgid_dp_callback(uint16_t err_maj, uint32_t err_min, (unsigned int)err_maj, (unsigned int)err_min, err_msg)); } - ret = sysdb_getgrgid(cmdctx, cctx->ev, cctx->nctx->sysdb, + ret = sysdb_getgrgid(cmdctx, cctx->nctx->sysdb, dctx->domain, cmdctx->id, dctx->legacy, nss_cmd_getgrgid_callback, dctx); @@ -1549,7 +1561,7 @@ static int nss_cmd_getgrgid(struct cli_ctx *cctx) DEBUG(4, ("Requesting info for [%lu@%s]\n", cmdctx->id, dctx->domain)); - ret = sysdb_getgrgid(cmdctx, cctx->ev, cctx->nctx->sysdb, + ret = sysdb_getgrgid(cmdctx, cctx->nctx->sysdb, dctx->domain, cmdctx->id, dctx->legacy, nss_cmd_getgrgid_callback, dctx); @@ -1665,7 +1677,7 @@ static void nss_cmd_setgr_dp_callback(uint16_t err_maj, uint32_t err_min, (unsigned int)err_maj, (unsigned int)err_min, err_msg)); } - ret = sysdb_enumgrent(dctx, cctx->ev, cctx->nctx->sysdb, + ret = sysdb_enumgrent(dctx, cctx->nctx->sysdb, dctx->domain, dctx->legacy, nss_cmd_setgrent_callback, cmdctx); if (ret != EOK) { @@ -1746,7 +1758,7 @@ static int nss_cmd_setgrent_ext(struct cli_ctx *cctx, bool immediate) timeout, domains[i], NSS_DP_GROUP, NULL, 0); } else { - ret = sysdb_enumgrent(dctx, cctx->ev, cctx->nctx->sysdb, + ret = sysdb_enumgrent(dctx, cctx->nctx->sysdb, dctx->domain, dctx->legacy, nss_cmd_setgrent_callback, cmdctx); } @@ -1994,7 +2006,7 @@ static void nss_cmd_getinitgr_callback(uint16_t err_maj, uint32_t err_min, (unsigned int)err_maj, (unsigned int)err_min, err_msg)); } - ret = sysdb_initgroups(cmdctx, cctx->ev, cctx->nctx->sysdb, + ret = sysdb_initgroups(cmdctx, cctx->nctx->sysdb, dctx->domain, cmdctx->name, dctx->legacy, nss_cmd_initgr_callback, cmdctx); 
@@ -2027,7 +2039,7 @@ static void nss_cmd_getinitnam_callback(uint16_t err_maj, uint32_t err_min, (unsigned int)err_maj, (unsigned int)err_min, err_msg)); } - ret = sysdb_getpwnam(cmdctx, cctx->ev, cctx->nctx->sysdb, + ret = sysdb_getpwnam(cmdctx, cctx->nctx->sysdb, dctx->domain, cmdctx->name, dctx->legacy, nss_cmd_getinit_callback, dctx); @@ -2155,6 +2167,7 @@ static int nss_cmd_initgroups(struct cli_ctx *cctx) { struct nss_cmd_ctx *cmdctx; struct nss_dom_ctx *dctx; + const char *rawname; uint8_t *body; size_t blen; int ret; @@ -2171,28 +2184,30 @@ static int nss_cmd_initgroups(struct cli_ctx *cctx) /* get user name to query */ sss_packet_get_body(cctx->creq->in, &body, &blen); - cmdctx->name = (const char *)body; /* if not terminated fail */ - if (cmdctx->name[blen -1] != '\0') { + if (body[blen -1] != '\0') { return EINVAL; } + rawname = (const char *)body; - ret = nss_parse_name(dctx, (const char *)body); + ret = nss_parse_name(dctx, rawname); if (ret != EOK) { - DEBUG(1, ("Invalid name received\n")); - talloc_free(cmdctx); - return ret; + DEBUG(2, ("Invalid name received [%s]\n", rawname)); + goto done; } DEBUG(4, ("Requesting info for [%s] from [%s]\n", cmdctx->name, dctx->domain)); - ret = sysdb_getpwnam(cmdctx, cctx->ev, cctx->nctx->sysdb, + ret = sysdb_getpwnam(cmdctx, cctx->nctx->sysdb, dctx->domain, cmdctx->name, dctx->legacy, nss_cmd_getinit_callback, dctx); if (ret != EOK) { DEBUG(1, ("Failed to make request to our cache!\n")); + } +done: + if (ret != EOK) { ret = nss_cmd_send_error(cmdctx, ret); if (ret == EOK) { nss_cmd_done(cmdctx); diff --git a/server/server.mk b/server/server.mk index 386f56f..e029d4a 100644 --- a/server/server.mk +++ b/server/server.mk @@ -13,6 +13,8 @@ UTIL_OBJ = \ sbus/sbus_client.o \ confdb/confdb.o \ db/sysdb.o \ + db/sysdb_req.o \ + db/sysdb_search.o \ db/sysdb_sync.o RESPONDER_UTIL_OBJ = \ -- 1.5.6.6 From ssorce at redhat.com Fri Feb 27 00:51:38 2009 
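Review bot: in sysdb_transaction_int() (server/db/sysdb_req.c), a failed ldb_transaction_start() only sets req->status; the code still falls through to req->transaction_active = true and calls req->fn(). When the request is later finished or freed, sysdb_transaction_end() sees a non-EOK status and calls ldb_transaction_cancel() for a transaction that was never opened. Set transaction_active only on LDB_SUCCESS and return after reporting the error, as the intreq->status != EOK branch above already does. In sysdb_transaction(), the failure branch calls talloc_free(intreq) on a pointer that was just tested to be NULL; it should free req. The format string "Canceling transaction (%d[%s)\n" also has an unbalanced bracket.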
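Review bot: in server/db/sysdb_search.c, sysdb_getpwnam(), sysdb_getgrnam() and sysdb_initgroups() build the search expression with talloc_asprintf(sctx, SYSDB_..._FILTER, name) and no escaping of filter metacharacters, and in the nss responder that name originates in the client packet body. Unless nss_parse_name() already rejects such characters, which these hunks do not show, a name containing parentheses, '*' or a backslash changes the shape of the filter. Pass the value through ldb_binary_encode_string() before formatting it, and do the same for userid in initgr_mem_legacy(). Separately, the early error returns in get_gen_callback() and get_grp_callback() skip the talloc_free(ares) that the normal path performs.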
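Review bot: in _domain_comparator() (server/responder/nss/nsssrv.c) the LOCAL special case uses strcmp() while the general ordering uses strcasecmp(), so "local" or "Local" compares equal to "LOCAL" in the first call but does not get the special ordering against other domains. Use strcasecmp() in both places. The sign is also worth confirming: returning 1 when key1 is "LOCAL" orders key1 after key2 under the usual comparator convention, which reads as the opposite of the comment "to be always the first domain" unless the consumer walks the map in reverse.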
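Review bot: the root filter added at the top of nss_parse_name() (server/responder/nss/nsssrv_cmd.c) compares the whole fullname before the NSS_DOMAIN_DELIM split, so only the bare string "root" is rejected; a fully qualified name whose user part is root still goes through to the lookup. Apply the comparison to the name component after the split. The callers then log the ECANCELED case as "Invalid name received [%s]" with the raw client string, so a filtered name is indistinguishable from a malformed one in the logs and the client-controlled bytes are written unescaped.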
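Review bot: in nss_cmd_initgroups() the termination check body[blen -1] != '\0' follows sss_packet_get_body() directly with no visible check that blen is non-zero, so an empty body reads one byte before the buffer. The return EINVAL on that path also leaves cmdctx allocated, whereas the matching path in nss_cmd_getpwnam() and nss_cmd_getgrnam() calls talloc_free(cmdctx) first. Add a blen == 0 check and free cmdctx (or route through the new done: label) before returning.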
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 26 Feb 2009 19:51:38 -0500
Subject: [Freeipa-devel] [PATCH] Serialize access to sysdb
Message-ID: <1235695898.954.10.camel@localhost.localdomain>

Resending.
My experimenting with git-send-email didn't work as expected (mail got
split).

This patch avoids problems with transactions by serializing access to
the db. Note that it is necessary to serialize only within the same
process, multiple processes do not interfere with each other.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Serialize-access-to-sysdb-and-also-exposes-ldb-trans.patch
Type: text/x-patch
Size: 70640 bytes
Desc: not available
URL:

From jderose at redhat.com Fri Feb 27 08:20:08 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Fri, 27 Feb 2009 01:20:08 -0700
Subject: [Freeipa-devel] Thoughts on the new LDAP backend plugin
Message-ID: <1235722808.6890.166.camel@jgd-dsk>

Pavel is going to work on writing a new LDAP backend plugin, so now is
the time for everyone to voice their two cents. Pavel's new backend
plugin will coexist with the current one till it's mature enough to
replace it.

Here are some of my thoughts on the new ldap plugin. I think we should:

1. Keep the command plugins completely isolated from the python-ldap
bindings: for command plugins, Backend.ldap is their black box into the
LDAP world. They should never need to import anything from python-ldap
(even constants) and we should be able to use something besides the
python-ldap bindings under the hood without the other plugins knowing
the difference. This makes testing easy because we can plug in a dummy
Backend.ldap plugin. Plus it just leads to a more manageable,
well-layered architecture.

2. Keep it simple: Backend.ldap needs to be easy to use and high level.
Its methods should take as arguments simple scalar and compound values,
and should return the same. We should put the smarts and the heavy
lifting in Backend.ldap so we make the lives of our 69 (just counted)
command plugins easier.

3. Keep it generalized: we want Backend.ldap to serve the needs of
arbitrary 3rd-party plugins, so the API can't be in terms of adding
users, adding groups, etc. We need to think in terms of adding
*entries*. I know that I'm guilty of starting the infamous
make_foo_dn() series of methods, but we've all seen their shortcomings,
so now is our chance to fix it.

4. Design for testability... aka, write tests as we go. Everyone knows
I love to beat this dead horse, but disciplined test-driven development
is the fastest way to develop. Now people may say, "but it takes time
to write unit tests, so obviously it slows development". But people
don't realize how much time they spend on their ephemeral tests. You
know, add a bunch of print statements, try some different inputs, and
then once it seems like it's working, delete all these print
statements. In that time, you could write formal unit tests which will
live on in the code and keep everyone more productive. Okay, stepping
down from my dead horse, I mean soapbox...

5. Design for Unicode/UTF-8 correctness: Backend.ldap is one of those
entry/exit points where we need explicitly to decode text on the way
in, and explicitly to encode text on the way out. Because text in DS
(LDAP) will always be UTF-8 encoded (AFAIK), it's tempting only to
decode the text when we first need to do text-stuff with it. But by
that point, we have no idea that the text (stored in the `str` type)
originated in DS... we have a multi-input, multi-output pluggable
framework. That `str` might be Unicode in some encoding other than
UTF-8 or it might just as well be true binary data.

Pavel missed out on the big internal Python-Unicode email discussion
John and I had, but here is a diagram from one of my emails:

  ===> Entry from network, file, broken C extension, etc.:
  ===>   * What is the source encoding?
  ===>   * internal_unicode = input_str.decode(source_encoding)

  ###########################################
    Internal processing in pure Python:
      * character data is always `unicode`
      * `str` is only used for true binary data
  ###########################################

  <=== Exit to network, file, broken C extension, etc.:
  <===   * What encoding does the destination expect?
  <===   * output_str = internal_unicode.encode(destination_encoding)

In freeIPA v2, we're taking a very Python-3.0-like approach to Unicode.
Internally we use the Python `unicode` type for all text and only use
`str` for true binary data, and we do explicit decoding and encoding.
In Python 3.0, the `str` type has been renamed to `bytes`, the
`unicode` type has been renamed to `str`, and the implicit
decoding/encoding features have been removed. Or that's the gist of it.
See:

  http://docs.python.org/3.0/whatsnew/3.0.html

That's all for now!

Cheers,
Jason

From sgallagh at redhat.com Fri Feb 27 13:35:17 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 27 Feb 2009 08:35:17 -0500
Subject: [Freeipa-devel] [PATCH] Serialize access to sysdb
In-Reply-To: <1235695898.954.10.camel@localhost.localdomain>
References: <1235695898.954.10.camel@localhost.localdomain>
Message-ID: <49A7EC15.8010003@redhat.com>

Simo Sorce wrote:
> Resending.
> My experimenting with git-send-email didn't work as expected (mail got
> split).
>
> This patch avoids problems with transactions by serializing access to
> the db. Note that it is necessary to serialize only within the same
> process, multiple processes do not interfere with each other.

ack

--
Stephen Gallagher
RHCE 804006346421761
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Fri Feb 27 13:44:32 2009
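The decode-on-entry, encode-on-exit rule from Jason DeRose's message above, as an added example that is not FreeIPA code. It uses Python 3 naming (`str` is text, `bytes` is binary data); the entry shape, the helper names and the list of binary attributes are assumptions made for the illustration.

```python
# Added example, not FreeIPA code. Python 3 naming: `str` is text,
# `bytes` is binary data (the rename described in the message above).

LDAP_ENCODING = "utf-8"

# Assumption: attributes that hold true binary data and are never decoded.
BINARY_ATTRS = frozenset({"jpegphoto", "usercertificate"})


class BoundaryError(ValueError):
    """Data crossing the LDAP boundary had the wrong type or encoding."""


def decode_entry(raw_entry):
    """Entry point: {attr: [bytes, ...]} from the wire -> internal form.

    Text attributes become `str`, binary attributes stay `bytes`.
    Invalid UTF-8 is rejected here, while the origin of the data is known.
    """
    entry = {}
    for attr, values in raw_entry.items():
        key = attr.lower()
        out = []
        for value in values:
            if not isinstance(value, bytes):
                raise BoundaryError("%s: expected bytes from the wire" % attr)
            if key in BINARY_ATTRS:
                out.append(value)  # stays bytes
                continue
            try:
                out.append(value.decode(LDAP_ENCODING, "strict"))
            except UnicodeDecodeError as exc:
                raise BoundaryError("%s: value is not valid UTF-8" % attr) from exc
        entry[key] = out
    return entry


def encode_entry(entry):
    """Exit point: internal form -> {attr: [bytes, ...]} for the wire.

    Refuses values of the wrong type instead of converting them
    implicitly, so a stray `bytes` in a text attribute fails loudly.
    """
    raw = {}
    for attr, values in entry.items():
        key = attr.lower()
        out = []
        for value in values:
            if key in BINARY_ATTRS:
                if not isinstance(value, bytes):
                    raise BoundaryError("%s: binary attribute needs bytes" % attr)
                out.append(value)
            else:
                if not isinstance(value, str):
                    raise BoundaryError("%s: text attribute needs str" % attr)
                out.append(value.encode(LDAP_ENCODING))
        raw[key] = out
    return raw


def rejects(func, data):
    """Return True if func(data) is refused at the boundary."""
    try:
        func(data)
    except BoundaryError:
        return True
    return False


# Constructed sample entry, shaped like a directory search result.
SAMPLE_RAW = {
    "cn": [b"Jos\xc3\xa9 Garc\xc3\xada"],   # UTF-8 text
    "uid": [b"jgarcia"],
    "jpegPhoto": [b"\xff\xd8\xff\xe0"],      # binary, must not be decoded
}
# Constructed: the same name encoded as Latin-1, which is not valid UTF-8.
SAMPLE_BAD = {"cn": [b"Jos\xe9 Garc\xeda"]}

if __name__ == "__main__":
    internal = decode_entry(SAMPLE_RAW)
    print(internal["cn"][0], len(internal["cn"][0]), len(SAMPLE_RAW["cn"][0]))
    print("Latin-1 input rejected:", rejects(decode_entry, SAMPLE_BAD))
```

The length difference between the decoded name and its wire form is the kind of error that appears when text is handled as undecoded bytes past the boundary.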
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 27 Feb 2009 08:44:32 -0500 Subject: [Freeipa-devel] [PATCH] Serialize access to sysdb In-Reply-To: <49A7EC15.8010003@redhat.com> References: <1235695898.954.10.camel@localhost.localdomain> <49A7EC15.8010003@redhat.com> Message-ID: <1235742272.954.20.camel@localhost.localdomain> On Fri, 2009-02-27 at 08:35 -0500, Stephen Gallagher wrote: > Simo Sorce wrote: > > Resending. > > My experimenting with git-send-email didn't work as expected (mail got > > split). > > > > This patch avoids problems with transactions by serializing access to > > the db. Note that it is necessary to serialize only within the same > > process, multiple processes do not interfere with each other. > ack Pushed -- Simo Sorce * Red Hat, Inc * New York From jdennis at redhat.com Fri Feb 27 15:00:25 2009 
From: jdennis at redhat.com (John Dennis) Date: Fri, 27 Feb 2009 10:00:25 -0500 Subject: [Freeipa-devel] SSSD persistent storage Message-ID: <49A80009.9040503@redhat.com> I'm at the point now where I need to add persistent storage capability for the log file monitoring code. I need to be able to store and retrieve small pieces of structured information efficiently (i.e. timestamps and offsets of monitored files). My recollection is that SSSD has implemented persistent storage via a lightweight local LDAP (e.g. LDB). The LDAP paradigm is not well suited for the type of data I need to manage and as such I'd like to use some other persistent storage mechanism aside from LDAP for this purpose, a SQL database is a pretty good match however. FWIW the audit code on the server side will also need to use SQL to track the data it collects from the client so being able to share SQL code logic in both the client and server sides of the audit code would be a win. I'm considering using SQLite (at least on the client side because it's small, lightweight, efficient, portable, and uses a single simple flat file, server side might well use Postgresql or MySQL, but that's yet to be decided and tangential to the question being asked here). So before I go too far down the road of adding SQLite support in the client code I want to check if the SSSD code has some other persistent storage scheme other than an LDAP-like interface and if so what it is. I also want to get any comments back as to whether adding SQLite to the set of software we install with the client code might raise any issues which should be taken into consideration up front. It would be good to share as many software components on the client as is possible and minimize what we install. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From dpal at redhat.com Fri Feb 27 16:29:20 2009 
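Added example, not from the thread or from SSSD: one way the per-file timestamps and offsets described in John's message above could be kept in a single SQLite file, keyed by file name. The table layout, the inode check for rotation, the owner-only file mode and all names are assumptions of this sketch.

```python
import os
import sqlite3
import time

SCHEMA = """CREATE TABLE IF NOT EXISTS checkpoint (
    path    TEXT PRIMARY KEY,   -- monitored log file (the single lookup key)
    inode   INTEGER NOT NULL,   -- assumption: used to notice log rotation
    offset  INTEGER NOT NULL,   -- bytes already consumed
    updated REAL NOT NULL       -- timestamp of the last checkpoint
)"""


class CheckpointStore:
    """Hypothetical helper: per-file read position kept in one SQLite file."""

    def __init__(self, db_path):
        # Create the state file owner-only before SQLite opens it: whoever can
        # edit the offsets decides which log records the monitor never sees.
        os.close(os.open(db_path, os.O_CREAT | os.O_RDWR, 0o600))
        self.db = sqlite3.connect(db_path)
        with self.db:
            self.db.execute(SCHEMA)

    def load(self, path):
        return self.db.execute(
            "SELECT inode, offset, updated FROM checkpoint WHERE path = ?",
            (path,),
        ).fetchone()

    def save(self, path, inode, offset):
        with self.db:  # one transaction per checkpoint
            self.db.execute(
                "INSERT OR REPLACE INTO checkpoint VALUES (?, ?, ?, ?)",
                (path, inode, offset, time.time()),
            )


def read_new_lines(store, path):
    """Return the complete lines appended since the last checkpoint."""
    with open(path, "rb") as fh:
        st = os.fstat(fh.fileno())   # stat the opened file, not the name
        saved = store.load(path)
        offset = 0
        # Resume only if this is the same file and it has not shrunk;
        # otherwise it was rotated or truncated and is read from the start.
        if saved and saved[0] == st.st_ino and saved[1] <= st.st_size:
            offset = saved[1]
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\n") + 1      # leave a partial last line for next time
    store.save(path, st.st_ino, offset + end)
    return data[:end].splitlines()
```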
From: dpal at redhat.com (Dmitri Pal) Date: Fri, 27 Feb 2009 11:29:20 -0500 Subject: [Freeipa-devel] SSSD persistent storage In-Reply-To: <49A80009.9040503@redhat.com> References: <49A80009.9040503@redhat.com> Message-ID: <49A814E0.6010504@redhat.com> John Dennis wrote: > I'm at the point now where I need to add persistent storage capability > for the log file monitoring code. I need to be able to store and > retrieve small pieces of structured information efficiently (i.e. > timestamps and offsets of monitored files). > > My recollection is that SSSD has implemented persistent storage via a > lightweight local LDAP (e.g. LDB). The LDAP paradigm is not well > suited for the type of data I need to manage and as such I'd like to > use some other persistent storage mechanism aside from LDAP for this > purpose, a SQL database is a pretty good match however. FWIW the audit > code on the server side will also need to use SQL to track the data it > collects from the client so being able to share SQL code logic in both > the client and server sides of the audit code would be a win. I'm > considering using SQLite (at least on the client side because it's > small, lightweight, efficient, portable, and uses a single simple flat > file, server side might well use Postgresql or MySQL, but that's yet > to be decided and tangential to the question being asked here). > > So before I go too far down the road of adding SQLite support in the > client code I want to check if the SSSD code has some other persistent > storage scheme other than an LDAP-like interface and if so what it is. > I also want to get any comments back as to whether adding SQLite to > the set of software we install with the client code might raise any > issues which should be taken into consideration up front. It would be > good to share as many software components on the client as is possible > and minimize what we install. 
> I am not particularly against SQLite or other DB but it seems that the data is pretty small and simple. If there is no need to search by different fields but rather by one key, file name (log stream name) for example, the LDB might be sufficient and I would not dismiss it right away unless Simo thinks that this data should not belong in LDB for security or other reasons. John, can you please send out the proposed structure of the information you need to store and how it should be searched and retrieved? Based on this we would be able to select the right approach. -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ssorce at redhat.com Fri Feb 27 17:25:37 2009
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 27 Feb 2009 12:25:37 -0500 Subject: [Freeipa-devel] SSSD persistent storage In-Reply-To: <49A80009.9040503@redhat.com> References: <49A80009.9040503@redhat.com> Message-ID: <1235755537.1022.1.camel@localhost.localdomain> On Fri, 2009-02-27 at 10:00 -0500, John Dennis wrote: > I'm at the point now where I need to add persistent storage capability > for the log file monitoring code. I need to be able to store and > retrieve small pieces of structured information efficiently (i.e. > timestamps and offsets of monitored files). > > My recollection is that SSSD has implemented persistent storage via a > lightweight local LDAP (e.g. LDB). The LDAP paradigm is not well suited > for the type of data I need to manage and as such I'd like to use some > other persistent storage mechanism aside from LDAP for this purpose, a > SQL database is a pretty good match however. FWIW the audit code on the > server side will also need to use SQL to track the data it collects from > the client so being able to share SQL code logic in both the client and > server sides of the audit code would be a win. I'm considering using > SQLite (at least on the client side because it's small, lightweight, > efficient, portable, and uses a single simple flat file, server side > might well use Postgresql or MySQL, but that's yet to be decided and > tangential to the question being asked here). > > So before I go too far down the road of adding SQLite support in the > client code I want to check if the SSSD code has some other persistent > storage scheme other than an LDAP-like interface and if so what it is. I > also want to get any comments back as to whether adding SQLite to the > set of software we install with the client code might raise any issues > which should be taken into consideration up front. It would be good to > share as many software components on the client as is possible and > minimize what we install. 
If you just need key/value pairs, you could use tdb (the underlying db used by ldb), so that we do not add a new dependency. If you need relational capabilities I don't see a problem with using sqlite. I even have an experimental (and broken) backend for ldb that uses sqlite instead of tdb :-P Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri Feb 27 17:57:42 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 27 Feb 2009 12:57:42 -0500 Subject: [Freeipa-devel] [PATCH] some work on netgroups In-Reply-To: <1235679216.9048.2.camel@jgd-dsk> References: <49A59392.9090704@redhat.com> <1235679216.9048.2.camel@jgd-dsk> Message-ID: <49A82996.2070502@redhat.com> Jason Gerard DeRose wrote: > On Wed, 2009-02-25 at 13:53 -0500, Rob Crittenden wrote: >> The dn of a netgroup contains an ipaUniqueId value. This guarantees that >> every netgroup entry will be unique but it doesn't enforce that the cn >> of that group is unique. Add in a uniqueness plugin configuration to >> guarantee that. >> >> Add an option to allow netgroups to be members of netgroups >> >> When adding an entry, convert a constraint violation of "already exists" >> into a DuplicateEntry exception so the user gets a useful response. >> >> rob > > ack. pushed to master From rcritten at redhat.com Fri Feb 27 17:58:47 2009
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 27 Feb 2009 12:58:47 -0500 Subject: [Freeipa-devel] [PATCH] Fixed broken autfill logic in cli.prompt_interactively() In-Reply-To: <1235688544.9048.13.camel@jgd-dsk> References: <1235688544.9048.13.camel@jgd-dsk> Message-ID: <49A829D7.1030206@redhat.com> Jason Gerard DeRose wrote: > Rob found a bug in cli.prompt_interactively(): although the autofill > values got filled-in in Command.__call__(), meaning everyone was happy > in Command.execute(), the autofill values were not present in the args > and options passed to Command.output_for_cli(). > > This patch fixes this. > ack and pushed rob From sgallagh at redhat.com Fri Feb 27 18:41:25 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 27 Feb 2009 13:41:25 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Refactor creation of domain_map into confdb Message-ID: <49A833D5.5020707@redhat.com> The NSS provider, the Data Provider backends and the InfoPipe all need access to the domain map provided by the confdb. Instead of reimplementing it in multiple places, it is now provided in a pair of helper functions from the confdb. confdb_get_domains() returns a domain map by reference. Always returns the most up-to-date set of domains from the confdb. confdb_get_domains_list() returns an array of strings of all the domain names. Always returns the most up-to-date set of domains from the confdb. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Refactor-creation-of-domain_map-into-confdb.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From sgallagh at redhat.com Fri Feb 27 18:44:11 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 27 Feb 2009 13:44:11 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Refactor creation of domain_map into confdb In-Reply-To: <49A833D5.5020707@redhat.com> References: <49A833D5.5020707@redhat.com> Message-ID: <49A8347B.7040506@redhat.com> Stephen Gallagher wrote: > The NSS provider, the Data Provider backends and the InfoPipe all > need access to the domain map provided by the confdb. Instead of > reimplementing it in multiple places, it is now provided in a pair > of helper functions from the confdb. > > confdb_get_domains() returns a domain map by reference. Always > returns the most up-to-date set of domains from the confdb. > > confdb_get_domains_list() returns an array of strings of all the > domain names. Always returns the most up-to-date set of domains > from the confdb. > > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Sorry, original patch was missing a line of the commit message (reproduced here) that I meant to include: This patch also modifies the btreemap_get_keys() function to better handle memory and report allocation failures. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Refactor-creation-of-domain_map-into-confdb.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From sgallagh at redhat.com Fri Feb 27 18:45:32 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 27 Feb 2009 13:45:32 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Refactor creation of domain_map into confdb In-Reply-To: <49A8347B.7040506@redhat.com> References: <49A833D5.5020707@redhat.com> <49A8347B.7040506@redhat.com> Message-ID: <49A834CC.5030105@redhat.com> I need more sleep. Attaching the correct patch this time. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Refactor-creation-of-domain_map-into-confdb.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From rcritten at redhat.com Fri Feb 27 20:06:41 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 27 Feb 2009 15:06:41 -0500 Subject: [Freeipa-devel] [PATCH] 136 - Update group objectclasses Message-ID: <49A847D1.9020701@redhat.com> Update objectclasses for groups, by default not posix groups. This change depends on DS bugs 487574 and 487725. Groups cannot be promoted properly without these fixed. It will fail with an Object Class violation because gidNumber isn't set. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-136-groups.patch Type: application/mbox Size: 7157 bytes Desc: not available URL: From ssorce at redhat.com Fri Feb 27 22:14:19 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 27 Feb 2009 17:14:19 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Refactor creation of domain_map into confdb In-Reply-To: <49A834CC.5030105@redhat.com> References: <49A833D5.5020707@redhat.com> <49A8347B.7040506@redhat.com> <49A834CC.5030105@redhat.com> Message-ID: <1235772859.1022.10.camel@localhost.localdomain> On Fri, 2009-02-27 at 13:45 -0500, Stephen Gallagher wrote: > I need more sleep. Attaching the correct patch this time. acked and pushed. Simo. -- Simo Sorce * Red Hat, Inc * New York From jderose at redhat.com Fri Feb 27 22:40:06 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Fri, 27 Feb 2009 15:40:06 -0700 Subject: [Freeipa-devel] [PATCH] 136 - Update group objectclasses In-Reply-To: <49A847D1.9020701@redhat.com> References: <49A847D1.9020701@redhat.com> Message-ID: <1235774406.6741.11.camel@jgd-dsk> On Fri, 2009-02-27 at 15:06 -0500, Rob Crittenden wrote: > Update objectclasses for groups, by default not posix groups. > > This change depends on DS bugs 487574 and 487725. Groups cannot be > promoted properly without these fixed. It will fail with an > Object Class violation because gidNumber isn't set. > > rob ack. As discussed on #freeipa-devel, there are some issues in this patch, but as we're approaching our milestone, I say we commit this and commit a fix shortly. From rcritten at redhat.com Sat Feb 28 04:19:45 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 27 Feb 2009 23:19:45 -0500 Subject: [Freeipa-devel] [PATCH] 136 - Update group objectclasses In-Reply-To: <1235774406.6741.11.camel@jgd-dsk> References: <49A847D1.9020701@redhat.com> <1235774406.6741.11.camel@jgd-dsk> Message-ID: <49A8BB61.7010608@redhat.com> Jason Gerard DeRose wrote: > On Fri, 2009-02-27 at 15:06 -0500, Rob Crittenden wrote: >> Update objectclasses for groups, by default not posix groups. >> >> This change depends on DS bugs 487574 and 487725. Groups cannot be >> promoted properly without these fixed. It will fail with an >> Object Class violation because gidNumber isn't set. >> >> rob > > ack. > > As discussed on #freeipa-devel, there are some issues in this patch, but > as we're approaching our milestone, I say we commit this and commit a > fix shortly. > Pushed to master. I also pushed the attached patch to fix netgroups. Just 3 lines of change. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-137-netgroup.patch Type: application/mbox Size: 2130 bytes Desc: not available URL: From ssorce at redhat.com Sat Feb 28 08:05:37 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Sat, 28 Feb 2009 03:05:37 -0500 Subject: [Freeipa-devel] Patch to repo and bad merge Message-ID: <1235808337.9343.3.camel@localhost.localdomain> Hi, I just pushed a patch to fix problems introduced with the patch that moved domain_map stuff to confdb. Unfortunately I messed up and didn't realize I already pushed it, so I pushed again after a merge (bah at this time I should have just shut off and waited for tomorrow). Nothing bad happened to the tree but it is ugly. Unfortunately I cannot fix it right now because the fedorahosted repo does not allow non-fastforward changes and I don't know how to temporarily change that configuration. Long story short, I will try to make a non-fastforward push tomorrow to "fix" the situation, so please do not pull if you do not want to have to mess with your copy of master later on. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Sat Feb 28 08:43:02 2009 From: ssorce at redhat.com (Simo Sorce) Date: Sat, 28 Feb 2009 03:43:02 -0500 Subject: [Freeipa-devel] [PATCH] convert sysdb_sync to async calls Message-ID: <1235810582.9343.6.camel@localhost.localdomain> Convert sysdb_sync into sysdb_ops and make all calls use asynchronous sysdb transaction in the process. Remove currently not needed functions. I have not yet converted the tests, will do tomorrow, before pushing this patch. The proxy provider has been converted and seems to work properly. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Convert-sync-calls-in-sysdb-to-async-transaction-de.patch Type: text/x-patch Size: 107065 bytes Desc: not available URL: From ssorce at redhat.com Sat Feb 28 21:33:23 2009
From: ssorce at redhat.com (Simo Sorce) Date: Sat, 28 Feb 2009 16:33:23 -0500 Subject: [Freeipa-devel] Patch to repo and bad merge In-Reply-To: <1235808337.9343.3.camel@localhost.localdomain> References: <1235808337.9343.3.camel@localhost.localdomain> Message-ID: <1235856803.9343.12.camel@localhost.localdomain> On Sat, 2009-02-28 at 03:05 -0500, Simo Sorce wrote: > Hi, I just pushed a patch to fix problems introduced with the patch that > moved domain_map stuff to confdb. > > Unfortunately I messed up and didn't realize I already pushed it, so I > pushed again after a merge (bah at this time I should have just shut off > and waited for tomorrow). > > Nothing bad happened to the tree but it is ugly. Unfortunately I cannot > fix it right now because the fedorahosted repo does not allow > non-fastforward changes and I don't know how to temporarily change that > configuration. > > Long story short, I will try to make a non-fastforward push tomorrow to > "fix" the situation, so please do not pull if you do not want to have to > mess with your copy of master later on. Apparently changing the fedorahosted config for the tree requires sending tickets and making infrastructure people work on it. I don't think the issue is important enough to warrant disturbing so many people. So we'll keep around the stupid merge I've done. The code is the same, it's just the history that I don't like as it shows a fork and an immediate merge where the 2 branches are the same commit with just the commit message slightly different between the 2 versions. Simo. -- Simo Sorce * Red Hat, Inc * New York