From ssorce at redhat.com Sun Mar 1 16:27:05 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Sun, 01 Mar 2009 11:27:05 -0500
Subject: [Freeipa-devel] [PATCH] Fix tests
Message-ID: <1235924825.9343.15.camel@localhost.localdomain>

These 2 patches fix the async sysdb interface by exposing a few more
functions and make the tests use them.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Expose-some-more-functions-needed-by-the-tests.patch
Type: text/x-patch
Size: 5577 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Adapt-test-to-changes-to-the-interface.patch
Type: text/x-patch
Size: 27343 bytes

From sgallagh at redhat.com Sun Mar 1 16:48:50 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Sun, 01 Mar 2009 11:48:50 -0500
Subject: [Freeipa-devel] [PATCH] Fix tests
In-Reply-To: <1235924825.9343.15.camel@localhost.localdomain>
References: <1235924825.9343.15.camel@localhost.localdomain>
Message-ID: <49AABC72.20307@redhat.com>

Simo Sorce wrote:
> These 2 patches fix the async sysdb interface by exposing a few more
> functions and make the tests use them.
>
> Simo.

ack

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Sun Mar 1 16:59:13 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Sun, 01 Mar 2009 11:59:13 -0500
Subject: [Freeipa-devel] [PATCH] convert sysdb_sync to async calls
In-Reply-To: <1235810582.9343.6.camel@localhost.localdomain>
References: <1235810582.9343.6.camel@localhost.localdomain>
Message-ID: <49AABEE1.9010100@redhat.com>

Simo Sorce wrote:
> Convert sysdb_sync into sysdb_ops and make all calls use asynchronous
> sysdb transaction in the process.
> Remove currently not needed functions.
>
> I have not yet converted the tests, will do tomorrow, before pushing
> this patch.
>
> The proxy provider has been converted and seems to work properly.
>
> Simo.

ack

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jhrozek at redhat.com Sun Mar 1 17:13:17 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Sun, 01 Mar 2009 18:13:17 +0100
Subject: [Freeipa-devel] [PATCH][SSSD] Packaging fixes
Message-ID: <1235927597.3616.3.camel@hendrix>

Attached are two small packaging fixes. The first one creates
the /var/lib/sss directory structure during make install and owns it in
the specfile. The second one makes building the check-based tests
configurable and disables them in the specfile so we can drop BR:
check{,-devel}.

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Create-and-own-var-lib-sss-structure.patch
Type: application/mbox
Size: 2274 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Make-tests-configurable.patch
Type: application/mbox
Size: 3059 bytes

From sgallagh at redhat.com Sun Mar 1 17:19:41 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Sun, 01 Mar 2009 12:19:41 -0500
Subject: [Freeipa-devel] Ack on the first patch, nack on the second., , The line, PKG_CHECK_MODULES([CHECK], [check]), should also be excluded from configure.ac if we are building,--without-tests.
In-Reply-To: <1235927597.3616.3.camel@hendrix>
References: <1235927597.3616.3.camel@hendrix>
Message-ID: <49AAC3AD.6050302@redhat.com>

Jakub Hrozek wrote:
> Attached are two small packaging fixes. The first one creates
> the /var/lib/sss directory structure during make install and owns it in
> the specfile. The second one makes building the check-based tests
> configurable and disables them in the specfile so we can drop BR:
> check{,-devel}.
>
> Jakub

Ack on the first patch, nack on the second.

The line
PKG_CHECK_MODULES([CHECK],[check])
should also be excluded from configure.ac if we are building
--without-tests.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Sun Mar 1 20:19:42 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Sun, 01 Mar 2009 15:19:42 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Implement GetUserAttributes in the InfoPipe
Message-ID: <49AAEDDE.3030604@redhat.com>

This patch adds support for requesting user data in the sysdb via the
InfoPipe. It currently has support for reading defined entries of
integral, floating-point or string types.

Tasks remaining:
1) Implement call to the provider when cache is out of date
2) Support byte arrays for userpic and similar

I modified init_src_context in sysdb_search.c to accept an array of
attributes to pass into the LDB search.

I also made one additional related fix: the btreemap now sorts in the
correct order. Previously I had accidentally transposed the two values
for sorting, so the map would always have been in exact reverse order.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Implement-GetUserAttributes-in-the-InfoPipe.patch

From ssorce at redhat.com Mon Mar 2 00:32:42 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Sun, 01 Mar 2009 19:32:42 -0500
Subject: [Freeipa-devel] [PATCH] convert sysdb_sync to async calls
In-Reply-To: <49AABEE1.9010100@redhat.com>
References: <1235810582.9343.6.camel@localhost.localdomain> <49AABEE1.9010100@redhat.com>
Message-ID: <1235953962.9343.31.camel@localhost.localdomain>

On Sun, 2009-03-01 at 11:59 -0500, Stephen Gallagher wrote:
> Simo Sorce wrote:
> > Convert sysdb_sync into sysdb_ops and make all calls use asynchronous
> > sysdb transaction in the process.
> > Remove currently not needed functions.
> >
> > I have not yet converted the tests, will do tomorrow, before pushing
> > this patch.
> >
> > The proxy provider has been converted and seems to work properly.
> ack

Pushed.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Mon Mar 2 00:33:05 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Sun, 01 Mar 2009 19:33:05 -0500
Subject: [Freeipa-devel] [PATCH] Fix tests
In-Reply-To: <49AABC72.20307@redhat.com>
References: <1235924825.9343.15.camel@localhost.localdomain> <49AABC72.20307@redhat.com>
Message-ID: <1235953985.9343.32.camel@localhost.localdomain>

On Sun, 2009-03-01 at 11:48 -0500, Stephen Gallagher wrote:
> Simo Sorce wrote:
> > These 2 patches fix the async sysdb interface by exposing a few more
> > functions and make the tests use them.
> >
> > Simo.
> ack
>

Pushed

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Mon Mar 2 00:33:57 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Sun, 01 Mar 2009 19:33:57 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Packaging fixes
In-Reply-To: <1235927597.3616.3.camel@hendrix>
References: <1235927597.3616.3.camel@hendrix>
Message-ID: <1235954037.9343.33.camel@localhost.localdomain>

On Sun, 2009-03-01 at 18:13 +0100, Jakub Hrozek wrote:
> Attached are two small packaging fixes. The first one creates
> the /var/lib/sss directory structure during make install and owns it in
> the specfile. The second one makes building the check-based tests
> configurable and disables them in the specfile so we can drop BR:
> check{,-devel}.

I see you use %{localstatedir}/lib, is there any chance rpm has a
specific macro for /var/lib ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Mon Mar 2 03:50:15 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Sun, 01 Mar 2009 22:50:15 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Implement GetUserAttributes in the InfoPipe
In-Reply-To: <49AAEDDE.3030604@redhat.com>
References: <49AAEDDE.3030604@redhat.com>
Message-ID: <1235965815.9343.229.camel@localhost.localdomain>

Stephen,
I think there is some work to do on the patch, as it is it will not work
as, for example, the latest patches removed check_provider.
(It's always true except for LOCAL, so I removed it in favor of checking
explicitly for the domain name != LOCAL)

See some minor comments inline, but the general approach looks ok.

On Sun, 2009-03-01 at 15:19 -0500, Stephen Gallagher wrote:
> This patch adds support for requesting user data in the sysdb via the
> InfoPipe. It currently has support for reading defined entries of
> integral, floating-point or string types.

Some comments:

- When you use btreemap_get_value() like in infp_get_domain_obj() you
should probably use talloc_get_type() instead of doing a cast yourself,
so that if something wrong comes out of it you get a null pointer and do
not act on random data.

- why in create_getattr_result_map() do you fetch uint64_t data but
variant->data is cast to int ?

- In infp_get_all_attributes() why do you copy all these static strings?
As far as I can see they are not manipulated in any way, but just used
as is.

- I see that you added confdb/confbd.h to sysdb.h, but you also keep
including them both explicitly in infopipe, any reason for this ?

> Tasks remaining:
> 1) Implement call to the provider when cache is out of date
> 2) Support byte arrays for userpic and similar
>
> I modified init_src_context in sysdb_search.c to accept an array of
> attributes to pass into the LDB search.

I would rather not make attrs a parameter of init_src_context() but just
assign it when necessary like we do for expression, given most of the
time we would pass in NULL otherwise.
> I also made one additional related fix: the btreemap now sorts in the
> correct order. Previously I had accidentally transposed the two values
> for sorting, so the map would always have been in exact reverse order.

Thanks for this.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Mon Mar 2 11:56:00 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 02 Mar 2009 06:56:00 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Implement GetUserAttributes in the InfoPipe
In-Reply-To: <1235965815.9343.229.camel@localhost.localdomain>
References: <49AAEDDE.3030604@redhat.com> <1235965815.9343.229.camel@localhost.localdomain>
Message-ID: <49ABC950.20107@redhat.com>

Replies inline.

Simo Sorce wrote:
> Stephen,
> I think there is some work to do on the patch, as it is it will not work
> as, for example, the latest patches removed check_provider.
> (It's always true except for LOCAL, so I removed it in favor of checking
> explicitly for the domain name != LOCAL)

I like it the way I have it for now. When the infp_getattr_req is
created, I do the strcasecmp("LOCAL") and assign that to
infp_getattr_req, then I can just check the boolean value wherever I
need to. Much faster than doing another string compare. (And since
GetAttributes may call into the sysdb any number of times, depending on
how many users they are requesting, this is a definite optimization).

Also, for what it's worth, you are doing the same in nsssrv.c.

>
> See some minor comments inline, but the general approach looks ok.
>
> On Sun, 2009-03-01 at 15:19 -0500, Stephen Gallagher wrote:
>> This patch adds support for requesting user data in the sysdb via the
>> InfoPipe. It currently has support for reading defined entries of
>> integral, floating-point or string types.
>
> Some comments:
>
> - When you use btreemap_get_value() like in infp_get_domain_obj() you
> should probably use talloc_get_type() instead of doing a cast yourself,
> so that if something wrong comes out of it you get a null pointer and do
> not act on random data.

Fixed. I'm not sure why I did that. I usually use talloc_get_type().

>
> - why in create_getattr_result_map() do you fetch uint64_t data but
> variant->data is cast to int ?

That was a mistake.
I was tinkering with smaller integral types to
ensure that casting to other (and signed) types was working as expected.
I thought I had switched everything back to uint64_t. Fixed.

>
> - In infp_get_all_attributes() why do you copy all these static strings?
> As far as I can see they are not manipulated in any way, but just used
> as is.

Only talloc pointers can be added to btreemaps because they steal the
reference (to make sure the data they hold doesn't disappear during the
tree's life). Passing a static string == a segfault (this was an
annoying bug to track down).

>
> - I see that you added confdb/confbd.h to sysdb.h, but you also keep
> including them both explicitly in infopipe, any reason for this ?
>
>> Tasks remaining:
>> 1) Implement call to the provider when cache is out of date
>> 2) Support byte arrays for userpic and similar
>>
>> I modified init_src_context in sysdb_search.c to accept an array of
>> attributes to pass into the LDB search.
>
> I would rather not make attrs a parameter of init_src_context() but just
> assign it when necessary like we do for expression, given most of the
> time we would pass in NULL otherwise.

You're right, that makes more sense. Fixed.

>
>> I also made one additional related fix: the btreemap now sorts in the
>> correct order. Previously I had accidentally transposed the two values
>> for sorting, so the map would always have been in exact reverse order.
>
> Thanks for this.
>
>
> Simo.
>

Please see new attached patch.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Implement-GetUserAttributes-in-the-InfoPipe.patch

From sbose at redhat.com Mon Mar 2 12:14:38 2009
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 02 Mar 2009 13:14:38 +0100
Subject: [Freeipa-devel] [PATCH] first version of LOCAL pam backend
Message-ID: <49ABCDAE.3060507@redhat.com>

Hi,

please find enclosed a first version of the pam backend for the LOCAL
domain.

- currently authenticate, chauthtok and acct_mgmt work
- so far only glibc compatible sha512 passwords are used
- NSS is used for sha512 and random number generation
- currently I use direct libldb calls to be able to test things, I will
  change this when Simo's work on sysdb is done

bye,
Sumit
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-first-version-of-LOCAL-pam-backend.patch

From ssorce at redhat.com Mon Mar 2 13:32:03 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 02 Mar 2009 08:32:03 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Implement GetUserAttributes in the InfoPipe
In-Reply-To: <49ABC950.20107@redhat.com>
References: <49AAEDDE.3030604@redhat.com> <1235965815.9343.229.camel@localhost.localdomain> <49ABC950.20107@redhat.com>
Message-ID: <1236000723.21030.6.camel@localhost.localdomain>

On Mon, 2009-03-02 at 06:56 -0500, Stephen Gallagher wrote:
> Replies inline.
>
> Simo Sorce wrote:
> > Stephen,
> > I think there is some work to do on the patch, as it is it will not work
> > as, for example, the latest patches removed check_provider.
> > (It's always true except for LOCAL, so I removed it in favor of checking
> > explicitly for the domain name != LOCAL)
>
> I like it the way I have it for now. When the infp_getattr_req is
> created, I do the strcasecmp("LOCAL") and assign that to
> infp_getattr_req, then I can just check the boolean value wherever I
> need to. Much faster than doing another string compare. (And since
> GetAttributes may call into the sysdb any number of times, depending on
> how many users they are requesting, this is a definite optimization).
>
> Also, for what it's worth, you are doing the same in nsssrv.c.

That's what happens when you review late at night, I read check_provider
and thought about has_provider, of course the use you make is fine
here ...

> > See some minor comments inline, but the general approach looks ok.
> >
> > On Sun, 2009-03-01 at 15:19 -0500, Stephen Gallagher wrote:
> >> This patch adds support for requesting user data in the sysdb via the
> >> InfoPipe. It currently has support for reading defined entries of
> >> integral, floating-point or string types.
> >
> > Some comments:
> >
> > - When you use btreemap_get_value() like in infp_get_domain_obj() you
> > should probably use talloc_get_type() instead of doing a cast yourself,
> > so that if something wrong comes out of it you get a null pointer and do
> > not act on random data.
>
> Fixed. I'm not sure why I did that. I usually use talloc_get_type().
>
> >
> > - why in create_getattr_result_map() do you fetch uint64_t data but
> > variant->data is cast to int ?
>
> That was a mistake. I was tinkering with smaller integral types to
> ensure that casting to other (and signed) types was working as expected.
> I thought I had switched everything back to uint64_t. Fixed.
>
> >
> > - In infp_get_all_attributes() why do you copy all these static strings?
> > As far as I can see they are not manipulated in any way, but just used
> > as is.
>
> Only talloc pointers can be added to btreemaps because they steal the
> reference (to make sure the data they hold doesn't disappear during the
> tree's life). Passing a static string == a segfault (this was an
> annoying bug to track down).

I thought you were passing the "attributes" array. However if this is
the case, I would prefer btreemap to strdup the key instead of getting a
reference, I really want to avoid talloc_reference() for now as it has
subtle implications. I will commit a patch to btreemap to do that.

> > - I see that you added confdb/confbd.h to sysdb.h, but you also keep
> > including them both explicitly in infopipe, any reason for this ?
> >
> >> Tasks remaining:
> >> 1) Implement call to the provider when cache is out of date
> >> 2) Support byte arrays for userpic and similar
> >>
> >> I modified init_src_context in sysdb_search.c to accept an array of
> >> attributes to pass into the LDB search.
> >
> > I would rather not make attrs a parameter of init_src_context() but just
> > assign it when necessary like we do for expression, given most of the
> > time we would pass in NULL otherwise.
>
> You're right, that makes more sense. Fixed.
>
> >
> >> I also made one additional related fix: the btreemap now sorts in the
> >> correct order. Previously I had accidentally transposed the two values
> >> for sorting, so the map would always have been in exact reverse order.
> >
> > Thanks for this.
> >
> >
> > Simo.
> >
>
> Please see new attached patch.

ack, I will push it as is and then fix btreemap.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Mon Mar 2 13:54:23 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 02 Mar 2009 08:54:23 -0500
Subject: [Freeipa-devel] [PATCH] first version of LOCAL pam backend
In-Reply-To: <49ABCDAE.3060507@redhat.com>
References: <49ABCDAE.3060507@redhat.com>
Message-ID: <1236002063.21030.10.camel@localhost.localdomain>

On Mon, 2009-03-02 at 13:14 +0100, Sumit Bose wrote:
>
> please find enclosed a first version of the pam backend for the LOCAL
> domain.
>
> - currently authenticate, chauthtok and acct_mgmt work
> - so far only glibc compatible sha512 passwords are used
> - NSS is used for sha512 and random number generation
> - currently I use direct libldb calls to be able to test things, I will
>   change this when Simo's work on sysdb is done

Ack, although my work on sysdb infrastructure is done, we just need to
add the calls you need.

I will push this but we really need to move to sysdb asap, as using
ldb_search() directly is forbidden (and it is a synchronous call that
calls internally tevent_loop_once() which is creepy).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Mon Mar 2 13:56:03 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 02 Mar 2009 08:56:03 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Implement GetUserAttributes in the InfoPipe
In-Reply-To: <1236000723.21030.6.camel@localhost.localdomain>
References: <49AAEDDE.3030604@redhat.com> <1235965815.9343.229.camel@localhost.localdomain> <49ABC950.20107@redhat.com> <1236000723.21030.6.camel@localhost.localdomain>
Message-ID: <49ABE573.7070704@redhat.com>

Simo Sorce wrote:
> On Mon, 2009-03-02 at 06:56 -0500, Stephen Gallagher wrote:
>> Replies inline.
>>
>> Simo Sorce wrote:
>>> Stephen,
>>> I think there is some work to do on the patch, as it is it will not work
>>> as, for example, the latest patches removed check_provider.
>>> (It's always true except for LOCAL, so I removed it in favor of checking
>>> explicitly for the domain name != LOCAL)
>> I like it the way I have it for now. When the infp_getattr_req is
>> created, I do the strcasecmp("LOCAL") and assign that to
>> infp_getattr_req, then I can just check the boolean value wherever I
>> need to. Much faster than doing another string compare. (And since
>> GetAttributes may call into the sysdb any number of times, depending on
>> how many users they are requesting, this is a definite optimization).
>>
>> Also, for what it's worth, you are doing the same in nsssrv.c.
>
> That's what happens when you review late at night, I read check_provider
> and thought about has_provider, of course the use you make is fine
> here ...
>
>>> See some minor comments inline, but the general approach looks ok.
>>>
>>> On Sun, 2009-03-01 at 15:19 -0500, Stephen Gallagher wrote:
>>>> This patch adds support for requesting user data in the sysdb via the
>>>> InfoPipe. It currently has support for reading defined entries of
>>>> integral, floating-point or string types.
>>> Some comments:
>>>
>>> - When you use btreemap_get_value() like in infp_get_domain_obj() you
>>> should probably use talloc_get_type() instead of doing a cast yourself,
>>> so that if something wrong comes out of it you get a null pointer and do
>>> not act on random data.
>> Fixed. I'm not sure why I did that. I usually use talloc_get_type().
>>
>>> - why in create_getattr_result_map() do you fetch uint64_t data but
>>> variant->data is cast to int ?
>> That was a mistake. I was tinkering with smaller integral types to
>> ensure that casting to other (and signed) types was working as expected.
>> I thought I had switched everything back to uint64_t. Fixed.
>>
>>> - In infp_get_all_attributes() why do you copy all these static strings?
>>> As far as I can see they are not manipulated in any way, but just used
>>> as is.
>> Only talloc pointers can be added to btreemaps because they steal the
>> reference (to make sure the data they hold doesn't disappear during the
>> tree's life). Passing a static string == a segfault (this was an
>> annoying bug to track down).
>
> I thought you were passing the "attributes" array. However if this is
> the case, I would prefer btreemap to strdup the key instead of getting a
> reference, I really want to avoid talloc_reference() for now as it has
> subtle implications. I will commit a patch to btreemap to do that.
>

You can't use strdup, because btreemap takes a void *. This is necessary
so it can hold arbitrary data (see its use in create_getattr_result_map).

Also, I wasn't using talloc_reference, it's talloc_steal. Yes, I know
that's not ideal either. I'm open to suggestions.

>>> - I see that you added confdb/confbd.h to sysdb.h, but you also keep
>>> including them both explicitly in infopipe, any reason for this ?
>>>
>>>> Tasks remaining:
>>>> 1) Implement call to the provider when cache is out of date
>>>> 2) Support byte arrays for userpic and similar
>>>>
>>>> I modified init_src_context in sysdb_search.c to accept an array of
>>>> attributes to pass into the LDB search.
>>> I would rather not make attrs a parameter of init_src_context() but just
>>> assign it when necessary like we do for expression, given most of the
>>> time we would pass in NULL otherwise.
>> You're right, that makes more sense. Fixed.
>>
>>>> I also made one additional related fix: the btreemap now sorts in the
>>>> correct order. Previously I had accidentally transposed the two values
>>>> for sorting, so the map would always have been in exact reverse order.
>>> Thanks for this.
>>>
>>>
>>> Simo.
>>>
>> Please see new attached patch.
>
> ack, I will push it as is and then fix btreemap.
>
> Simo.
>

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Mon Mar 2 14:08:07 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 02 Mar 2009 09:08:07 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Implement GetUserAttributes in the InfoPipe
In-Reply-To: <49ABE573.7070704@redhat.com>
References: <49AAEDDE.3030604@redhat.com> <1235965815.9343.229.camel@localhost.localdomain> <49ABC950.20107@redhat.com> <1236000723.21030.6.camel@localhost.localdomain> <49ABE573.7070704@redhat.com>
Message-ID: <1236002887.21030.13.camel@localhost.localdomain>

On Mon, 2009-03-02 at 08:56 -0500, Stephen Gallagher wrote:
> You can't use strdup, because btreemap takes a void *. This is necessary
> so it can hold arbitrary data (see its use in
> create_getattr_result_map).

If the keys are void we can turn them into a char *, are we ever going to
use keys that are not strings?

> Also, I wasn't using talloc_reference, it's talloc_steal. Yes, I know
> that's not ideal either. I'm open to suggestions.

talloc_steal() is much worse in this case.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Mon Mar 2 14:08:34 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 02 Mar 2009 09:08:34 -0500
Subject: [Freeipa-devel] [PATCH] first version of LOCAL pam backend
In-Reply-To: <1236002063.21030.10.camel@localhost.localdomain>
References: <49ABCDAE.3060507@redhat.com> <1236002063.21030.10.camel@localhost.localdomain>
Message-ID: <1236002914.21030.14.camel@localhost.localdomain>

On Mon, 2009-03-02 at 08:54 -0500, Simo Sorce wrote:
> On Mon, 2009-03-02 at 13:14 +0100, Sumit Bose wrote:
> >
> > please find enclosed a first version of the pam backend for the LOCAL
> > domain.
> >
> > - currently authenticate, chauthtok and acct_mgmt work
> > - so far only glibc compatible sha512 passwords are used
> > - NSS is used for sha512 and random number generation
> > - currently I use direct libldb calls to be able to test things, I will
> >   change this when Simo's work on sysdb is done
>
> Ack, although my work on sysdb infrastructure is done, we just need to
> add the calls you need.
>
> I will push this but we really need to move to sysdb asap, as using
> ldb_search() directly is forbidden (and it is a synchronous call that
> calls internally tevent_loop_once() which is creepy).

Pushed,
Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Mon Mar 2 14:16:48 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 02 Mar 2009 09:16:48 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Implement GetUserAttributes in the InfoPipe
In-Reply-To: <1236002887.21030.13.camel@localhost.localdomain>
References: <49AAEDDE.3030604@redhat.com> <1235965815.9343.229.camel@localhost.localdomain> <49ABC950.20107@redhat.com> <1236000723.21030.6.camel@localhost.localdomain> <49ABE573.7070704@redhat.com> <1236002887.21030.13.camel@localhost.localdomain>
Message-ID: <49ABEA50.7040100@redhat.com>

Simo Sorce wrote:
> On Mon, 2009-03-02 at 08:56 -0500, Stephen Gallagher wrote:
>> You can't use strdup, because btreemap takes a void *. This is necessary
>> so it can hold arbitrary data (see its use in
>> create_getattr_result_map).
>
> If the keys are void we can turn them into a char *, are we ever going to
> use keys that are not strings?

Probably not, but I wanted to leave it expandable in case we discovered
such a case.

>
>> Also, I wasn't using talloc_reference, it's talloc_steal. Yes, I know
>> that's not ideal either. I'm open to suggestions.
>
> talloc_steal() is much worse in this case.
>

Can you explain to me what, exactly, is dangerous about
talloc_reference? It seems to me that calling
talloc_reference(btreemap_node, btreemap_value) would solve this handily.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jhrozek at redhat.com Mon Mar 2 14:30:40 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 02 Mar 2009 15:30:40 +0100
Subject: [Freeipa-devel] [PATCH][SSSD] Packaging fixes
In-Reply-To: <1235954037.9343.33.camel@localhost.localdomain>
References: <1235927597.3616.3.camel@hendrix> <1235954037.9343.33.camel@localhost.localdomain>
Message-ID: <1236004240.1571.27.camel@zeppelin.englab.brq.redhat.com>

On Sun, 2009-03-01 at 19:33 -0500, Simo Sorce wrote:
> I see you use %{localstatedir}/lib, is there any chance rpm has a
> specific macro for /var/lib ?

New patch attached. As discussed off-list, I used %{_sharedstatedir}
instead of %{_localstatedir} as it expands to /var/lib/ on Fedora.
Another change is that memberof.so is now packaged in /usr/lib/ldb as
this is where ldb expects it.

Jakub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Create-and-own-var-lib-sss-memberof.so-packaging.patch
Type: text/x-patch
Size: 4130 bytes

From jhrozek at redhat.com Mon Mar 2 14:31:56 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 02 Mar 2009 15:31:56 +0100
Subject: [Freeipa-devel] Ack on the first patch, nack on the second., , The line, PKG_CHECK_MODULES([CHECK], [check]), should also be excluded from configure.ac if we are building,--without-tests.
In-Reply-To: <49AAC3AD.6050302@redhat.com>
References: <1235927597.3616.3.camel@hendrix> <49AAC3AD.6050302@redhat.com>
Message-ID: <1236004316.1571.30.camel@zeppelin.englab.brq.redhat.com>

On Sun, 2009-03-01 at 12:19 -0500, Stephen Gallagher wrote:
> The line
> PKG_CHECK_MODULES([CHECK],[check])
> should also be excluded from configure.ac if we are building
> --without-tests.
>

As discussed off-list, this is handled by a condition in configure.ac

Jakub

From rcritten at redhat.com Mon Mar 2 14:35:56 2009
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 02 Mar 2009 09:35:56 -0500 Subject: [Freeipa-devel] [PATCH] first version of LOCAL pam backend In-Reply-To: <49ABCDAE.3060507@redhat.com> References: <49ABCDAE.3060507@redhat.com> Message-ID: <49ABEECC.1080507@redhat.com> Sumit Bose wrote: > Hi, > > please find enclosed a first version of the pam backend for the LOCAL > domain. > > - currently authenticate, chauthtok and acct_mgmt work > - so far only glibc compatible sha512 passwords are used > - NSS is used for sha512 and random number generation > - currently I use direct libldb calls to be able to test things, I will > change this when Simo's work on sysdb is done > > bye, > Sumit Just a really minor review... - Could the be used in a multi-threaded env? Do you need locking around nspr_nss_init()? - in gen_salt() it looks like buflen is unused - looks like you used TAB at least once rob From sgallagh at redhat.com Mon Mar 2 14:37:01 2009 
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 02 Mar 2009 09:37:01 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Implement GetUserAttributes in the InfoPipe
In-Reply-To: <49ABEA50.7040100@redhat.com>
References: <49AAEDDE.3030604@redhat.com> <1235965815.9343.229.camel@localhost.localdomain> <49ABC950.20107@redhat.com> <1236000723.21030.6.camel@localhost.localdomain> <49ABE573.7070704@redhat.com> <1236002887.21030.13.camel@localhost.localdomain> <49ABEA50.7040100@redhat.com>
Message-ID: <49ABEF0D.8030900@redhat.com>

Stephen Gallagher wrote:
> Simo Sorce wrote:
>> On Mon, 2009-03-02 at 08:56 -0500, Stephen Gallagher wrote:
>>> You can't use strdup, because btreemap takes a void *. This is
>>> necessary
>>> so it can hold arbitrary data (see its use in
>>> create_getattr_result_map).
>> If the keys are void we can turn them into a char *, are we ever going to
>> use keys that are not strings?
>
> Probably not, but I wanted to leave it expandable in case we discovered
> such a case.
>
>>> Also, I wasn't using talloc_reference, it's talloc_steal. Yes, I know
>>> that's not ideal either. I'm open to suggestions.
>> talloc_steal() is much worse in this case.
>
>
> Can you explain to me what, exactly, is dangerous about
> talloc_reference? It seems to me that calling
> talloc_reference(btreemap_node, btreemap_value) would solve this handily.
>
>

Rebased patch atop current master. No other changes.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Implement-GetUserAttributes-in-the-InfoPipe.patch
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From ssorce at redhat.com Mon Mar 2 14:39:32 2009 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 02 Mar 2009 09:39:32 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Packaging fixes In-Reply-To: <1236004240.1571.27.camel@zeppelin.englab.brq.redhat.com> References: <1235927597.3616.3.camel@hendrix> <1235954037.9343.33.camel@localhost.localdomain> <1236004240.1571.27.camel@zeppelin.englab.brq.redhat.com> Message-ID: <1236004772.21030.20.camel@localhost.localdomain> On Mon, 2009-03-02 at 15:30 +0100, Jakub Hrozek wrote: > > New patch attached. > > As discussed off-list, I used %{_sharedstatedir} instead of > %{_localstatedir} as it expands to /var/lib/ on Fedora. > > Another change is that memberof.so is now packaged in /usr/lib/ldb as > this is where ldb expects it. ack -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Mar 2 14:40:59 2009 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 02 Mar 2009 09:40:59 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Packaging fixes In-Reply-To: <1236004772.21030.20.camel@localhost.localdomain> References: <1235927597.3616.3.camel@hendrix> <1235954037.9343.33.camel@localhost.localdomain> <1236004240.1571.27.camel@zeppelin.englab.brq.redhat.com> <1236004772.21030.20.camel@localhost.localdomain> Message-ID: <1236004859.21030.21.camel@localhost.localdomain> On Mon, 2009-03-02 at 09:39 -0500, Simo Sorce wrote: > On Mon, 2009-03-02 at 15:30 +0100, Jakub Hrozek wrote: > > > > New patch attached. > > > > As discussed off-list, I used %{_sharedstatedir} instead of > > %{_localstatedir} as it expands to /var/lib/ on Fedora. > > > > Another change is that memberof.so is now packaged in /usr/lib/ldb as > > this is where ldb expects it. > > ack pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Mar 2 14:45:05 2009 
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 02 Mar 2009 09:45:05 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Implement GetUserAttributes in the InfoPipe
In-Reply-To: <49ABEA50.7040100@redhat.com>
References: <49AAEDDE.3030604@redhat.com> <1235965815.9343.229.camel@localhost.localdomain> <49ABC950.20107@redhat.com> <1236000723.21030.6.camel@localhost.localdomain> <49ABE573.7070704@redhat.com> <1236002887.21030.13.camel@localhost.localdomain> <49ABEA50.7040100@redhat.com>
Message-ID: <1236005105.21030.23.camel@localhost.localdomain>

On Mon, 2009-03-02 at 09:16 -0500, Stephen Gallagher wrote:
> Simo Sorce wrote:
> > On Mon, 2009-03-02 at 08:56 -0500, Stephen Gallagher wrote:
> >> You can't use strdup, because btreemap takes a void *. This is
> >> necessary
> >> so it can hold arbitrary data (see its use in
> >> create_getattr_result_map).
> >
> > If the keys are void we can turn them into a char *, are we ever going to
> > use keys that are not strings?
>
> Probably not, but I wanted to leave it expandable in case we discovered
> such a case.
>
> >
> >> Also, I wasn't using talloc_reference, it's talloc_steal. Yes, I know
> >> that's not ideal either. I'm open to suggestions.
> >
> > talloc_steal() is much worse in this case.
> >
>
> Can you explain to me what, exactly, is dangerous about
> talloc_reference? It seems to me that calling
> talloc_reference(btreemap_node, btreemap_value) would solve this handily.

The problem is the change in ownership when you free the original owner.
It makes it very simple to lose track of who owns what, causing
potential unintended consequences.
The semantics are still not very clear imo, and they may change upstream
at some point, so I prefer to simply not use it for now.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Mon Mar 2 14:46:31 2009
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 02 Mar 2009 09:46:31 -0500 Subject: [Freeipa-devel] [PATCH] first version of LOCAL pam backend In-Reply-To: <49ABEECC.1080507@redhat.com> References: <49ABCDAE.3060507@redhat.com> <49ABEECC.1080507@redhat.com> Message-ID: <1236005191.21030.24.camel@localhost.localdomain> On Mon, 2009-03-02 at 09:35 -0500, Rob Crittenden wrote: > Sumit Bose wrote: > > Hi, > > > > please find enclosed a first version of the pam backend for the LOCAL > > domain. > > > > - currently authenticate, chauthtok and acct_mgmt work > > - so far only glibc compatible sha512 passwords are used > > - NSS is used for sha512 and random number generation > > - currently I use direct libldb calls to be able to test things, I will > > change this when Simo's work on sysdb is done > > > > bye, > > Sumit > > Just a really minor review... > > - Could the be used in a multi-threaded env? Do you need locking around > nspr_nss_init()? Nothing is thread safe in sssd, so no. > - in gen_salt() it looks like buflen is unused > - looks like you used TAB at least once Sumit, please check these 2 and post a patch if needed. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Mar 2 14:50:13 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 02 Mar 2009 09:50:13 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Implement GetUserAttributes in the InfoPipe In-Reply-To: <49ABEF0D.8030900@redhat.com> References: <49AAEDDE.3030604@redhat.com> <1235965815.9343.229.camel@localhost.localdomain> <49ABC950.20107@redhat.com> <1236000723.21030.6.camel@localhost.localdomain> <49ABE573.7070704@redhat.com> <1236002887.21030.13.camel@localhost.localdomain> <49ABEA50.7040100@redhat.com> <49ABEF0D.8030900@redhat.com> Message-ID: <1236005413.21030.25.camel@localhost.localdomain> On Mon, 2009-03-02 at 09:37 -0500, Stephen Gallagher wrote: > > > Rebased patch atop current master. No other changes. > ack, and pushed. Simo. -- Simo Sorce * Red Hat, Inc * New York From sbose at redhat.com Mon Mar 2 14:55:42 2009 
From: sbose at redhat.com (Sumit Bose) Date: Mon, 02 Mar 2009 15:55:42 +0100 Subject: [Freeipa-devel] [PATCH] first version of LOCAL pam backend In-Reply-To: <1236005191.21030.24.camel@localhost.localdomain> References: <49ABCDAE.3060507@redhat.com> <49ABEECC.1080507@redhat.com> <1236005191.21030.24.camel@localhost.localdomain> Message-ID: <49ABF36E.1020702@redhat.com> Simo Sorce schrieb: > On Mon, 2009-03-02 at 09:35 -0500, Rob Crittenden wrote: >> Sumit Bose wrote: >>> Hi, >>> >>> please find enclosed a first version of the pam backend for the LOCAL >>> domain. >>> >>> - currently authenticate, chauthtok and acct_mgmt work >>> - so far only glibc compatible sha512 passwords are used >>> - NSS is used for sha512 and random number generation >>> - currently I use direct libldb calls to be able to test things, I will >>> change this when Simo's work on sysdb is done >>> >>> bye, >>> Sumit >> Just a really minor review... >> >> - Could the be used in a multi-threaded env? Do you need locking around >> nspr_nss_init()? > > Nothing is thread safe in sssd, so no. > >> - in gen_salt() it looks like buflen is unused it is used in the b64_from_24bit macro >> - looks like you used TAB at least once I will fix the indentation > > Sumit, > please check these 2 and post a patch if needed. > > Simo. > From jhrozek at redhat.com Mon Mar 2 15:00:30 2009 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 02 Mar 2009 16:00:30 +0100 Subject: [Freeipa-devel] Ack on the first patch, nack on the second., , The line, PKG_CHECK_MODULES([CHECK], [check]), should also be excluded from configure.ac if we are building,--without-tests. In-Reply-To: <1236004316.1571.30.camel@zeppelin.englab.brq.redhat.com> References: <1235927597.3616.3.camel@hendrix> <49AAC3AD.6050302@redhat.com> <1236004316.1571.30.camel@zeppelin.englab.brq.redhat.com> Message-ID: <1236006030.1571.47.camel@zeppelin.englab.brq.redhat.com> On Mon, 2009-03-02 at 15:31 +0100, Jakub Hrozek wrote: > On Sun, 2009-03-01 at 12:19 -0500, Stephen Gallagher wrote: > > The line > > PKG_CHECK_MODULES([CHECK],[check]) > > should also be excluded from configure.ac if we are building > > --without-tests. > > > > As discussed off-list, this is handled by a condition in configure.ac > > Jakub > The original patch did not apply cleanly on HEAD anymore, here goes a rebased version.. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Make-tests-configurable.patch Type: text/x-patch Size: 2857 bytes Desc: not available URL: From mnagy at redhat.com Mon Mar 2 15:22:25 2009 
From: mnagy at redhat.com (Martin Nagy)
Date: Mon, 2 Mar 2009 16:22:25 +0100
Subject: [Freeipa-devel] [PATCH] first version of LOCAL pam backend
In-Reply-To: <49ABCDAE.3060507@redhat.com>
References: <49ABCDAE.3060507@redhat.com>
Message-ID: <20090302162225.3eaaa498@wolverine.englab.brq.redhat.com>

On Mon, 02 Mar 2009 13:14:38 +0100, Sumit Bose wrote:

> Hi,
>
> please find enclosed a first version of the pam backend for the LOCAL
> domain.
>
> - currently authenticate, chauthtok and acct_mgmt work
> - so far only glibc compatible sha512 passwords are used
> - NSS is used for sha512 and random number generation
> - currently I use direct libldb calls to be able to test things, I
>   will change this when Simo's work on sysdb is done
>
> bye,
> Sumit

Hi, I didn't review the patch, but I have one tip:
I'd personally change NEQ_CHECK_OR_JUMP macro to something like this:
#define CHECK(expr, msg) do { \
    if ((expr)) { \
        DEBUG(1, (msg)); \
        pam_status = PAM_SYSTEM_ERR; \
        goto done; \
    } \
} while (0)

Same for NULL_CHECK_OR_JUMP:
#define CHECK_NULL(var, msg) CHECK((var) == NULL, (msg))

It's less flexible, but also much less verbose, you just need to stick
to one convention, which you already are doing. Names are of course
just my opinion, but I wouldn't make them too long. If it's a commonly
used macro, people reading the code will remember what it does.

Martin.

From sbose at redhat.com Mon Mar 2 15:33:23 2009
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 02 Mar 2009 16:33:23 +0100
Subject: [Freeipa-devel] [PATCH] first version of LOCAL pam backend
In-Reply-To: <20090302162225.3eaaa498@wolverine.englab.brq.redhat.com>
References: <49ABCDAE.3060507@redhat.com> <20090302162225.3eaaa498@wolverine.englab.brq.redhat.com>
Message-ID: <49ABFC43.90406@redhat.com>

Martin Nagy wrote:
> On Mon, 02 Mar 2009 13:14:38 +0100, Sumit Bose wrote:
>
>> Hi,
>>
>> please find enclosed a first version of the pam backend for the LOCAL
>> domain.
>>
>> - currently authenticate, chauthtok and acct_mgmt work
>> - so far only glibc compatible sha512 passwords are used
>> - NSS is used for sha512 and random number generation
>> - currently I use direct libldb calls to be able to test things, I
>>   will change this when Simo's work on sysdb is done
>>
>> bye,
>> Sumit
>
> Hi, I didn't review the patch, but I have one tip:
> I'd personally change NEQ_CHECK_OR_JUMP macro to something like this:
> #define CHECK(expr, msg) do { \
>     if ((expr)) { \
>         DEBUG(1, (msg)); \
>         pam_status = PAM_SYSTEM_ERR; \
>         goto done; \
>     } \
> } while (0)
>
> Same for NULL_CHECK_OR_JUMP:
> #define CHECK_NULL(var, msg) CHECK((var) == NULL, (msg))
>
> It's less flexible, but also much less verbose, you just need to stick
> to one convention, which you already are doing. Names are of course
> just my opinion, but I wouldn't make them too long. If it's a commonly
> used macro, people reading the code will remember what it does.
>

I basically took CONFDB_ZERO_CHECK_OR_JUMP from confdb.c and added a
debug message. After I have applied the sysdb changes I will try to
simplify the macros as you suggested. Thanks.

bye,
Sumit

From sgallagh at redhat.com Mon Mar 2 16:43:49 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 02 Mar 2009 11:43:49 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Implement GetUserAttributes in the InfoPipe
In-Reply-To: <1236005105.21030.23.camel@localhost.localdomain>
References: <49AAEDDE.3030604@redhat.com> <1235965815.9343.229.camel@localhost.localdomain> <49ABC950.20107@redhat.com> <1236000723.21030.6.camel@localhost.localdomain> <49ABE573.7070704@redhat.com> <1236002887.21030.13.camel@localhost.localdomain> <49ABEA50.7040100@redhat.com> <1236005105.21030.23.camel@localhost.localdomain>
Message-ID: <49AC0CC5.5090404@redhat.com>

Simo Sorce wrote:
> On Mon, 2009-03-02 at 09:16 -0500, Stephen Gallagher wrote:
>> Simo Sorce wrote:
>>> On Mon, 2009-03-02 at 08:56 -0500, Stephen Gallagher wrote:
>>>> You can't use strdup, because btreemap takes a void *. This is
>>>> necessary
>>>> so it can hold arbitrary data (see its use in
>>>> create_getattr_result_map).
>>> If the keys are void we can turn them into a char *, are we ever going to
>>> use keys that are not strings?
>> Probably not, but I wanted to leave it expandable in case we discovered
>> such a case.
>>
>>>> Also, I wasn't using talloc_reference, it's talloc_steal. Yes, I know
>>>> that's not ideal either. I'm open to suggestions.
>>> talloc_steal() is much worse in this case.
>>>
>> Can you explain to me what, exactly, is dangerous about
>> talloc_reference? It seems to me that calling
>> talloc_reference(btreemap_node, btreemap_value) would solve this handily.
>
> The problem is the change in ownership when you free the original
> owner. It makes it very simple to lose track of who owns what, causing
> potential unintended consequences. The semantics are still not very
> clear imo, and they may change upstream at some point, so I prefer to
> simply not use it for now.
>
> Simo.
>

Well, in this particular case, my whole argument is that we want to make
sure that the btreemap is always valid, even if the original owner has
gone away. I think if we just added a few verbose comments to the
btreemap.h to state that the map acquires ownership of anything passed
into it, it might be acceptable.

Otherwise, we have to be worried about the original context disappearing.

I understand the wariness to lose track of ownership, but I think this
would be a very carefully controlled usage.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Mon Mar 2 16:49:02 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 02 Mar 2009 11:49:02 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Implement GetUserAttributes in the InfoPipe
In-Reply-To: <49AC0CC5.5090404@redhat.com>
References: <49AAEDDE.3030604@redhat.com> <1235965815.9343.229.camel@localhost.localdomain> <49ABC950.20107@redhat.com> <1236000723.21030.6.camel@localhost.localdomain> <49ABE573.7070704@redhat.com> <1236002887.21030.13.camel@localhost.localdomain> <49ABEA50.7040100@redhat.com> <1236005105.21030.23.camel@localhost.localdomain> <49AC0CC5.5090404@redhat.com>
Message-ID: <1236012542.21030.28.camel@localhost.localdomain>

On Mon, 2009-03-02 at 11:43 -0500, Stephen Gallagher wrote:
> Simo Sorce wrote:
> > On Mon, 2009-03-02 at 09:16 -0500, Stephen Gallagher wrote:
> >> Simo Sorce wrote:
> >>> On Mon, 2009-03-02 at 08:56 -0500, Stephen Gallagher wrote:
> >>>> You can't use strdup, because btreemap takes a void *. This is
> >>>> necessary
> >>>> so it can hold arbitrary data (see its use in
> >>>> create_getattr_result_map).
> >>> If the keys are void we can turn them into a char *, are we ever going to
> >>> use keys that are not strings?
> >> Probably not, but I wanted to leave it expandable in case we discovered
> >> such a case.
> >>
> >>>> Also, I wasn't using talloc_reference, it's talloc_steal. Yes, I know
> >>>> that's not ideal either. I'm open to suggestions.
> >>> talloc_steal() is much worse in this case.
> >>>
> >> Can you explain to me what, exactly, is dangerous about
> >> talloc_reference? It seems to me that calling
> >> talloc_reference(btreemap_node, btreemap_value) would solve this handily.
> >
> > The problem is the change in ownership when you free the original
> > owner. It makes it very simple to lose track of who owns what, causing
> > potential unintended consequences. The semantics are still not very
> > clear imo, and they may change upstream at some point, so I prefer to
> > simply not use it for now.
> >
> > Simo.
> >
>
> Well, in this particular case, my whole argument is that we want to make
> sure that the btreemap is always valid, even if the original owner has
> gone away. I think if we just added a few verbose comments to the
> btreemap.h to state that the map acquires ownership of anything passed
> into it, it might be acceptable.

I prefer to make it very clear that the owner of the map must own the
contents as well.
The map is useful only for its owner after all, I don't see a case where
it would be useful for a map to survive its owner.

> Otherwise, we have to be worried about the original context disappearing.

Given the btreemap should be allocated by the owner, if it disappears it
does not matter as the btreemap will be freed as well in cascade.

> I understand the wariness to lose track of ownership, but I think this
> would be a very carefully controlled usage.

patch coming :)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Mon Mar 2 18:58:21 2009
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 02 Mar 2009 13:58:21 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Implement GetUserAttributes in the InfoPipe In-Reply-To: <1236012542.21030.28.camel@localhost.localdomain> References: <49AAEDDE.3030604@redhat.com> <1235965815.9343.229.camel@localhost.localdomain> <49ABC950.20107@redhat.com> <1236000723.21030.6.camel@localhost.localdomain> <49ABE573.7070704@redhat.com> <1236002887.21030.13.camel@localhost.localdomain> <49ABEA50.7040100@redhat.com> <1236005105.21030.23.camel@localhost.localdomain> <49AC0CC5.5090404@redhat.com> <1236012542.21030.28.camel@localhost.localdomain> Message-ID: <1236020301.21030.30.camel@localhost.localdomain> On Mon, 2009-03-02 at 11:49 -0500, Simo Sorce wrote: > I prefer to make it very clear that the owner of the map must own the > contents as well. > The map is useful only for its owner after all, I don't see a case where > it would be useful for a map to survive its owner. Patch attached, I did not convert keys to be char *, but I removed any stealing, we must just make sure the memory for keys or values is either static or allocated on the same mem context that holds the btreemap. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Do-not-steal-memory-in-btreemaps.patch Type: text/x-patch Size: 4010 bytes Desc: not available URL: From sgallagh at redhat.com Mon Mar 2 19:58:43 2009 
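The ownership rule this thread settles on (no stealing; keys and values either static or allocated on the context that holds the btreemap), as an added example that is not SSSD or talloc code. `chunk_new`, `chunk_steal` and `chunk_free` are a toy hierarchical allocator assumed here to stand in for talloc's parent/child contexts, and the single `slot` pointer stands in for a btreemap entry.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy hierarchical allocator (assumption: a stand-in for talloc, not its API). */
typedef struct chunk {
    struct chunk *parent, *children, *next;
    int *freed;          /* caller-supplied flag, set to 1 when released */
    const void *slot;    /* a "map" chunk remembers one value pointer here */
} chunk;

static chunk *chunk_new(chunk *parent, int *freed)
{
    chunk *c = calloc(1, sizeof(*c));
    if (c == NULL) abort();
    c->freed = freed;
    if (freed) *freed = 0;
    c->parent = parent;
    if (parent) { c->next = parent->children; parent->children = c; }
    return c;
}

/* Detach c from its parent's child list. */
static void chunk_unlink(chunk *c)
{
    chunk **pp;
    if (c->parent == NULL) return;
    for (pp = &c->parent->children; *pp; pp = &(*pp)->next) {
        if (*pp == c) { *pp = c->next; break; }
    }
    c->parent = NULL;
    c->next = NULL;
}

/* Reparent c under new_parent: the "stealing" discussed in the thread. */
static void chunk_steal(chunk *new_parent, chunk *c)
{
    chunk_unlink(c);
    c->parent = new_parent;
    c->next = new_parent->children;
    new_parent->children = c;
}

/* Release c and, in cascade, everything allocated under it. */
static void chunk_free(chunk *c)
{
    chunk_unlink(c);
    while (c->children) chunk_free(c->children);
    if (c->freed) *c->freed = 1;
    free(c);
}

/* The map steals the value: freeing the map releases memory that the
 * still-living caller context allocated and still points at. Returns 1
 * when the value was released while the caller was alive. */
static int steal_leaves_caller_dangling(void)
{
    int value_freed, dangling;
    chunk *caller = chunk_new(NULL, NULL);
    chunk *map = chunk_new(NULL, NULL);          /* map on its own context */
    chunk *value = chunk_new(caller, &value_freed);

    map->slot = value;
    chunk_steal(map, value);                     /* ownership moves to the map */
    chunk_free(map);
    dangling = value_freed;                      /* caller not freed yet */
    chunk_free(caller);
    return dangling;
}

/* No stealing, map and value share one owner: dropping the map alone
 * leaves the value intact. Returns 1 when the value survived. */
static int value_survives_map_free(void)
{
    int value_freed, survived;
    chunk *owner = chunk_new(NULL, NULL);
    chunk *map = chunk_new(owner, NULL);
    chunk *value = chunk_new(owner, &value_freed);

    map->slot = value;                           /* plain pointer, no reparenting */
    chunk_free(map);
    survived = !value_freed;
    chunk_free(owner);
    return survived;
}

/* Same layout: freeing the owner releases map and value together, so the
 * map can never outlive the memory it points at. Returns 1 on cascade. */
static int owner_free_cascades(void)
{
    int map_freed, value_freed;
    chunk *owner = chunk_new(NULL, NULL);
    chunk *map = chunk_new(owner, &map_freed);
    chunk *value = chunk_new(owner, &value_freed);

    map->slot = value;
    chunk_free(owner);
    return map_freed && value_freed;
}

int main(void)
{
    printf("steal: value freed under live caller = %d\n",
           steal_leaves_caller_dangling());
    printf("shared owner: value survives map free = %d\n",
           value_survives_map_free());
    printf("shared owner: owner free cascades = %d\n",
           owner_free_cascades());
    return 0;
}
```

The model covers stealing and the shared-owner rule only; it does not model talloc_reference.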
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 02 Mar 2009 14:58:43 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Support byte arrays in InfoPipe GetUserAttributes Message-ID: <49AC3A73.50904@redhat.com> We now have support for reading binary blobs such as userpic from the sysdb and returning it to an InfoPipe consumer as a byte array. I also cleaned up some code in create_getattr_result_map to make it easier to read. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Support-byte-arrays-in-InfoPipe-GetUserAttributes.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From ssorce at redhat.com Mon Mar 2 20:05:17 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 02 Mar 2009 15:05:17 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Implement GetUserAttributes in the InfoPipe In-Reply-To: <1236020301.21030.30.camel@localhost.localdomain> References: <49AAEDDE.3030604@redhat.com> <1235965815.9343.229.camel@localhost.localdomain> <49ABC950.20107@redhat.com> <1236000723.21030.6.camel@localhost.localdomain> <49ABE573.7070704@redhat.com> <1236002887.21030.13.camel@localhost.localdomain> <49ABEA50.7040100@redhat.com> <1236005105.21030.23.camel@localhost.localdomain> <49AC0CC5.5090404@redhat.com> <1236012542.21030.28.camel@localhost.localdomain> <1236020301.21030.30.camel@localhost.localdomain> Message-ID: <1236024317.21030.31.camel@localhost.localdomain> On Mon, 2009-03-02 at 13:58 -0500, Simo Sorce wrote: > On Mon, 2009-03-02 at 11:49 -0500, Simo Sorce wrote: > > I prefer to make it very clear that the owner of the map must own the > > contents as well. > > The map is useful only for its owner after all, I don't see a case where > > it would be useful for a map to survive its owner. > > Patch attached, I did not convert keys to be char *, but I removed any > stealing, we must just make sure the memory for keys or values is either > static or allocated on the same mem context that holds the btreemap. Small update to remove dead code and some const warnings. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Do-not-steal-memory-in-btreemaps.patch Type: text/x-patch Size: 5398 bytes Desc: not available URL: From sgallagh at redhat.com Mon Mar 2 20:28:34 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 02 Mar 2009 15:28:34 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Implement GetUserAttributes in the InfoPipe In-Reply-To: <1236024317.21030.31.camel@localhost.localdomain> References: <49AAEDDE.3030604@redhat.com> <1235965815.9343.229.camel@localhost.localdomain> <49ABC950.20107@redhat.com> <1236000723.21030.6.camel@localhost.localdomain> <49ABE573.7070704@redhat.com> <1236002887.21030.13.camel@localhost.localdomain> <49ABEA50.7040100@redhat.com> <1236005105.21030.23.camel@localhost.localdomain> <49AC0CC5.5090404@redhat.com> <1236012542.21030.28.camel@localhost.localdomain> <1236020301.21030.30.camel@localhost.localdomain> <1236024317.21030.31.camel@localhost.localdomain> Message-ID: <49AC4172.5030908@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Simo Sorce wrote: > On Mon, 2009-03-02 at 13:58 -0500, Simo Sorce wrote: >> On Mon, 2009-03-02 at 11:49 -0500, Simo Sorce wrote: >>> I prefer to make it very clear that the owner of the map must own the >>> contents as well. >>> The map is useful only for its owner after all, I don't see a case where >>> it would be useful for a map to survive its owner. >> Patch attached, I did not convert keys to be char *, but I removed any >> stealing, we must just make sure the memory for keys or values is either >> static or allocated on the same mem context that holds the btreemap. > > Small update to remove dead code and some const warnings. > > Simo. > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Ack Looks fine to me. Just need to make sure we don't drop the memory that the btreemap is looking at. - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkmsQXIACgkQeiVVYja6o6ND+gCffGyvRZ6v4BcoeYMGUjQtcIoj aKYAni8ulwsKWXv73hzR93nI4eNjAhxl =dF4p -----END PGP SIGNATURE----- From ssorce at redhat.com Mon Mar 2 21:03:26 2009 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 02 Mar 2009 16:03:26 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Support byte arrays in InfoPipe GetUserAttributes In-Reply-To: <49AC3A73.50904@redhat.com> References: <49AC3A73.50904@redhat.com> Message-ID: <1236027806.21030.33.camel@localhost.localdomain> On Mon, 2009-03-02 at 14:58 -0500, Stephen Gallagher wrote: > We now have support for reading binary blobs such as userpic from > the sysdb and returning it to an InfoPipe consumer as a byte array. > I also cleaned up some code in create_getattr_result_map to make > it easier to read. ack and pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Mar 2 21:05:17 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 02 Mar 2009 16:05:17 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Implement GetUserAttributes in the InfoPipe In-Reply-To: <49AC4172.5030908@redhat.com> References: <49AAEDDE.3030604@redhat.com> <1235965815.9343.229.camel@localhost.localdomain> <49ABC950.20107@redhat.com> <1236000723.21030.6.camel@localhost.localdomain> <49ABE573.7070704@redhat.com> <1236002887.21030.13.camel@localhost.localdomain> <49ABEA50.7040100@redhat.com> <1236005105.21030.23.camel@localhost.localdomain> <49AC0CC5.5090404@redhat.com> <1236012542.21030.28.camel@localhost.localdomain> <1236020301.21030.30.camel@localhost.localdomain> <1236024317.21030.31.camel@localhost.localdomain> <49AC4172.5030908@redhat.com> Message-ID: <1236027917.21030.34.camel@localhost.localdomain> On Mon, 2009-03-02 at 15:28 -0500, Stephen Gallagher wrote: > > Ack > > Looks fine to me. Just need to make sure we don't drop the memory that > the btreemap is looking at. pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Mar 2 23:57:54 2009 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 02 Mar 2009 18:57:54 -0500 Subject: [Freeipa-devel] [PATHC] provide sysdb_set_user_attr Message-ID: <1236038274.21030.35.camel@localhost.localdomain> See patch. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Provide-sysdb_set_user_attr-functions.patch Type: text/x-patch Size: 8561 bytes Desc: not available URL: From jderose at redhat.com Tue Mar 3 06:22:56 2009 
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Mon, 02 Mar 2009 23:22:56 -0700
Subject: [Freeipa-devel] LDAP connections and the new ldap backend plugin
Message-ID: <1236061376.6616.675.camel@jgd-dsk>

As I already mentioned, Pavel is working on a new ldap backend plugin
which will live at Backend.ldap2 till it supersedes the current ldap
plugin.

Each time a request is received by the server, a connection is made to
LDAP on behalf of the requesting user, using the user's forwarded
Kerberos credentials. Currently this connection is an instance of the
ipaserver.ipaldap.IPAdmin class, a subclass of SimpleLDAPObject.

However, after giving it a lot of thought, I don't think we should take
this approach with the new ldap plugin. The reason is if someone wants
to glue some existing code written against the python-ldap bindings into
an IPA plugin, they likely need access to a raw SimpleLDAPObject
instance. Our custom SimpleLDAPObject subclass will no doubt break
their code.

Plus, any 3rd-party LDAP code *must* use the connection we create
because we don't expose the Kerberos credentials in request.context
(just the connection we create). So although 3rd-party LDAP code could
create their own connection to LDAP, they don't have access to the
credentials needed to authenticate to LDAP on behalf of the requesting
user.

So we need the LDAP connection to be a least-common-denominator, a raw
SimpleLDAPObject instance. The new ldap backend plugin will still be
the preferred way to talk to LDAP, and all our built-in plugins will do
so, but this way the framework is more flexible and easy to integrate
with. Many potential users will have important home-grown code they need
to continue to use, so if they can easily integrate it with IPA, IPA
becomes a more viable solution for them.

So something like this:

SimpleLDAPObject <=> Backend.ldap2 <=> typical IPA plugins
                \
                 \<=> can also glue-in existing code written against python-ldap

Until we transition to the new ldap plugin, we can simply create two
LDAP connections (one SimpleLDAPObject, one IPAdmin) so none of the
current code is broken in the meantime.

What does everyone think? Does this seem like a good approach?

Cheers,
Jason
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part
URL:

From sbose at redhat.com Tue Mar 3 09:23:21 2009
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 03 Mar 2009 10:23:21 +0100
Subject: [Freeipa-devel] [PATHC] provide sysdb_set_user_attr
In-Reply-To: <1236038274.21030.35.camel@localhost.localdomain>
References: <1236038274.21030.35.camel@localhost.localdomain>
Message-ID: <49ACF709.5050606@redhat.com>

Simo Sorce wrote:
> See patch.
>

ack, with the applied patch :)

works great, thanks
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-copy-number-of-attributes-too.patch
URL:

From sbose at redhat.com Tue Mar 3 11:50:59 2009
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 03 Mar 2009 12:50:59 +0100
Subject: [Freeipa-devel] [PATHC] provide sysdb_set_user_attr
In-Reply-To: <49ACF709.5050606@redhat.com>
References: <1236038274.21030.35.camel@localhost.localdomain> <49ACF709.5050606@redhat.com>
Message-ID: <49AD19A3.5000508@redhat.com>

Sumit Bose wrote:
> Simo Sorce wrote:
>> See patch.
>
> ack, with the applied patch :)
>
> works great, thanks

please apply the following patch, too.

bye,
Sumit
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-return-the-right-attribute-pointer.patch
URL:

From sbose at redhat.com Tue Mar 3 14:33:23 2009
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 03 Mar 2009 15:33:23 +0100
Subject: [Freeipa-devel] [PATCH] replaced pure ldb calls with sysdb calls
Message-ID: <49AD3FB3.7040905@redhat.com>

Hi,

please find enclosed a patch that will remove the synchronous ldb calls
and replace them with asynchronous sysdb calls.

bye,
Sumit
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-replaced-pure-ldb-calls-with-sysdb-calls.patch
URL:

From rmeggins at redhat.com Tue Mar 3 15:49:33 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 03 Mar 2009 08:49:33 -0700
Subject: [Freeipa-devel] LDAP connections and the new ldap backend plugin
In-Reply-To: <1236061376.6616.675.camel@jgd-dsk>
References: <1236061376.6616.675.camel@jgd-dsk>
Message-ID: <49AD518D.9010303@redhat.com>

Jason Gerard DeRose wrote:
> As I already mentioned, Pavel is working on a new ldap backend plugin
> which will live at Backend.ldap2 till it supersedes the current ldap
> plugin.
>
> Each time a request is received by the server, a connection is made to
> LDAP on behalf of the requesting user, using the user's forwarded
> Kerberos credentials. Currently this connection is an instance of the
> ipaserver.ipaldap.IPAdmin class, a subclass of SimpleLDAPObject.
>
> However, after giving it a lot of thought, I don't think we should take
> this approach with the new ldap plugin. The reason is if someone wants
> to glue some existing code written against the python-ldap bindings into
> an IPA plugin, they likely need access to a raw SimpleLDAPObject
> instance. Our custom SimpleLDAPObject subclass will no doubt break
> their code.
>
> Plus, any 3rd-party LDAP code *must* use the connection we create
> because we don't expose the Kerberos credentials in request.context
> (just the connection we create). So although 3rd-party LDAP code could
> create their own connection to LDAP, they don't have access to the
> credentials needed to authenticate to LDAP on behalf of the requesting
> user.
>
> So we need the LDAP connection to be a least-common-denominator, a raw
> SimpleLDAPObject instance. The new ldap backend plugin will still be
> the preferred way to talk to LDAP, and all our built-in plugins will do
> so, but this way the framework is more flexible and easy to integrate
> with. Many potential users will have important home-grown code they need
> to continue to use, so if they can easily integrate it with IPA, IPA
> becomes a more viable solution for them.
> So something like this:
>
>
> SimpleLDAPObject <=> Backend.ldap2 <=> typical IPA plugins
>                  \
>                   \<=> can also glue-in existing code written against python-ldap
>
>
> Until we transition to the new ldap plugin, we can simply create two
> LDAP connections (one SimpleLDAPObject, one IPAdmin) so none of the
> current code is broken in the meantime.
>
> What does everyone think? Does this seem like a good approach?
>
I'm not sure I understand. If the connection object is
ipaserver.ipaldap.IPAdmin which is a subclass of SimpleLDAPObject, can't
the connection object be "cast" and used directly as a
SimpleLDAPObject? Or does the IPA code change/overload the methods such
that it is not usable any more as a SimpleLDAPObject?
>
> Cheers,
> Jason

From ssorce at redhat.com Tue Mar 3 16:00:19 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 03 Mar 2009 11:00:19 -0500
Subject: [Freeipa-devel] [PATCH] replaced pure ldb calls with sysdb calls
In-Reply-To: <49AD3FB3.7040905@redhat.com>
References: <49AD3FB3.7040905@redhat.com>
Message-ID: <1236096020.15038.1.camel@localhost.localdomain>

On Tue, 2009-03-03 at 15:33 +0100, Sumit Bose wrote:
> + talloc_free(lreq); > + > + if (lreq->callback_delay > 0) {

I don't think this is wise :-)

I also don't get why you free the sysdb_ctx above.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jderose at redhat.com Tue Mar 3 16:02:23 2009
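Review bot: in the hunk quoted in Simo Sorce's 11:00 reply on "[PATCH] replaced pure ldb calls with sysdb calls", lreq->callback_delay is read on the line right after talloc_free(lreq), which is a use-after-free of lreq. Copy callback_delay into a local variable before the free, or move the talloc_free(lreq) call below the last use of lreq in this function.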
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Tue, 03 Mar 2009 09:02:23 -0700
Subject: [Freeipa-devel] LDAP connections and the new ldap backend plugin
In-Reply-To: <49AD518D.9010303@redhat.com>
References: <1236061376.6616.675.camel@jgd-dsk> <49AD518D.9010303@redhat.com>
Message-ID: <1236096143.6598.1.camel@jgd-dsk>

On Tue, 2009-03-03 at 08:49 -0700, Rich Megginson wrote:
> I'm not sure I understand. If the connection object is
> ipaserver.ipaldap.IPAdmin which is a subclass of SimpleLDAPObject, can't
> the connection object be "cast" and used directly as a
> SimpleLDAPObject? Or does the IPA code change/overload the methods such
> that it is not usable any more as a SimpleLDAPObject?

The subclass overrides methods, so code written against SimpleLDAPObject
would probably break.

From ssorce at redhat.com Tue Mar 3 20:07:06 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 03 Mar 2009 15:07:06 -0500
Subject: [Freeipa-devel] [PATHC] provide sysdb_set_user_attr
In-Reply-To: <49AD19A3.5000508@redhat.com>
References: <1236038274.21030.35.camel@localhost.localdomain> <49ACF709.5050606@redhat.com> <49AD19A3.5000508@redhat.com>
Message-ID: <1236110826.15038.2.camel@localhost.localdomain>

On Tue, 2009-03-03 at 12:50 +0100, Sumit Bose wrote:
> Sumit Bose wrote:
> > Simo Sorce wrote:
> >> See patch.
> >>
> > ack, with the applied patch :)
> >
> > works great, thanks
> >
> please apply the following patch, too.

ok pushed with your fixes.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Mar 3 20:58:33 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 03 Mar 2009 15:58:33 -0500
Subject: [Freeipa-devel] [PATCH] replaced pure ldb calls with sysdb calls
In-Reply-To: <49AD3FB3.7040905@redhat.com>
References: <49AD3FB3.7040905@redhat.com>
Message-ID: <1236113913.15038.21.camel@localhost.localdomain>

On Tue, 2009-03-03 at 15:33 +0100, Sumit Bose wrote:
> Hi,
>
> please find enclosed a patch that will remove the synchronous ldb calls
> and replace them with asynchronous sysdb calls.

Some more comments:

- in set_user_attr_req() you must call sysdb_transaction_done() with the
error so that the transaction is canceled in case of failure.
Otherwise all your transactions will be stuck as they are serialized and
you didn't close this one. Probably you didn't see this because you
closed sysdb at each request (another reason not to do that).

- FWIW, while the macros allow you to reduce the lines of code, IMO
they make the check less comprehensible, at least to me (I had to look
it up a few times to get what they did). It also prevents you from
controlling the debug level for each message and sometimes I think it
means just too many debug messages too.
But this may be just personal preference.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Tue Mar 3 21:14:16 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Mar 2009 16:14:16 -0500
Subject: [Freeipa-devel] [PATCH] 138 - Add maxvalue and minvalue kwargs and rules to Int and Float
Message-ID: <49AD9DA8.7020505@redhat.com>

Add maxvalue and minvalue kwargs and rules to Int and Float data types.

This will let us do things like:

takes_options = (
    Int('krbmaxpwdlife?',
        cli_name='maxlife',
        doc='Max. Password Lifetime (days)',
        minvalue=0,
    ),
)

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-138-values.patch
Type: application/mbox
Size: 9024 bytes
Desc: not available
URL:

From jderose at redhat.com Tue Mar 3 21:38:37 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Tue, 03 Mar 2009 14:38:37 -0700
Subject: [Freeipa-devel] [PATCH] 138 - Add maxvalue and minvalue kwargs and rules to Int and Float
In-Reply-To: <49AD9DA8.7020505@redhat.com>
References: <49AD9DA8.7020505@redhat.com>
Message-ID: <1236116317.7086.1.camel@jgd-dsk>

On Tue, 2009-03-03 at 16:14 -0500, Rob Crittenden wrote:
> Add maxvalue and minvalue kwargs and rules to Int and Float data types.
>
> This will let us do things like:
>
> takes_options = (
>     Int('krbmaxpwdlife?',
>         cli_name='maxlife',
>         doc='Max. Password Lifetime (days)',
>         minvalue=0,
>     ),
> )
>
> rob

ack. looks good.

From sbose at redhat.com Tue Mar 3 22:06:35 2009
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 03 Mar 2009 23:06:35 +0100
Subject: [Freeipa-devel] [PATCH] replaced pure ldb calls with sysdb calls
In-Reply-To: <1236113913.15038.21.camel@localhost.localdomain>
References: <49AD3FB3.7040905@redhat.com> <1236113913.15038.21.camel@localhost.localdomain>
Message-ID: <49ADA9EB.6080909@redhat.com>

Simo Sorce wrote:
> On Tue, 2009-03-03 at 15:33 +0100, Sumit Bose wrote:
>> Hi,
>>
>> please find enclosed a patch that will remove the synchronous ldb calls
>> and replace them with asynchronous sysdb calls.
>
> Some more comments:
>
> - in set_user_attr_req() you must call sysdb_transaction_done() with the
> error so that the transaction is canceled in case of failure.
> Otherwise all your transactions will be stuck as they are serialized and
> you didn't close this one. Probably you didn't see this because you
> closed sysdb at each request (another reason not to do that).
>
> - FWIW, while the macros allow you to reduce the lines of code, IMO
> they make the check less comprehensible, at least to me (I had to look
> it up a few times to get what they did). It also prevents you from
> controlling the debug level for each message and sometimes I think it
> means just too many debug messages too.
> But this may be just personal preference.
>
> Simo.
>

I think the following patch addresses all discussed issues, except the
DEBUG macros.

bye,
Sumit
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-replaced-pure-ldb-calls-with-sysdb-calls.patch
URL:

From ssorce at redhat.com Tue Mar 3 22:47:40 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 03 Mar 2009 17:47:40 -0500
Subject: [Freeipa-devel] [PATCH] replaced pure ldb calls with sysdb calls
In-Reply-To: <49ADA9EB.6080909@redhat.com>
References: <49AD3FB3.7040905@redhat.com> <1236113913.15038.21.camel@localhost.localdomain> <49ADA9EB.6080909@redhat.com>
Message-ID: <1236120460.15038.26.camel@localhost.localdomain>

On Tue, 2009-03-03 at 23:06 +0100, Sumit Bose wrote:
> Simo Sorce wrote:
> > On Tue, 2009-03-03 at 15:33 +0100, Sumit Bose wrote:
> >> Hi,
> >>
> >> please find enclosed a patch that will remove the synchronous ldb calls
> >> and replace them with asynchronous sysdb calls.
> >
> > Some more comments:
> >
> > - in set_user_attr_req() you must call sysdb_transaction_done() with the
> > error so that the transaction is canceled in case of failure.
> > Otherwise all your transactions will be stuck as they are serialized and
> > you didn't close this one. Probably you didn't see this because you
> > closed sysdb at each request (another reason not to do that).
> >
> > - FWIW, while the macros allow you to reduce the lines of code, IMO
> > they make the check less comprehensible, at least to me (I had to look
> > it up a few times to get what they did). It also prevents you from
> > controlling the debug level for each message and sometimes I think it
> > means just too many debug messages too.
> > But this may be just personal preference.
> >
> > Simo.
> >
> I think the following patch addresses all discussed issues, except the
> DEBUG macros.

ack and pushed

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Tue Mar 3 22:49:31 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Mar 2009 17:49:31 -0500
Subject: [Freeipa-devel] [PATCH] 138 - Add maxvalue and minvalue kwargs and rules to Int and Float
In-Reply-To: <1236116317.7086.1.camel@jgd-dsk>
References: <49AD9DA8.7020505@redhat.com> <1236116317.7086.1.camel@jgd-dsk>
Message-ID: <49ADB3FB.9090306@redhat.com>

Jason Gerard DeRose wrote:
> On Tue, 2009-03-03 at 16:14 -0500, Rob Crittenden wrote:
>> Add maxvalue and minvalue kwargs and rules to Int and Float data types.
>>
>> This will let us do things like:
>>
>> takes_options = (
>>     Int('krbmaxpwdlife?',
>>         cli_name='maxlife',
>>         doc='Max. Password Lifetime (days)',
>>         minvalue=0,
>>     ),
>> )
>>
>> rob
>
> ack. looks good.

pushed to master

From sgallagh at redhat.com Wed Mar 4 02:21:20 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 03 Mar 2009 21:21:20 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Fixing memory leak in GetUserAttributes
Message-ID: <49ADE5A0.2040702@redhat.com>

Trivial fix. I forgot to unref the reply message after sending it (or
if construction of the message failed).

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Fixing-memory-leak-in-GetUserAttributes.patch
URL:

From rcritten at redhat.com Wed Mar 4 03:28:30 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Mar 2009 22:28:30 -0500
Subject: [Freeipa-devel] [PATCH 139 - password policy min values
Message-ID: <49ADF55E.3020900@redhat.com>

Use the new minvalue Int param option to set a floor for some password
policy values.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-139-pwpolicy.patch
Type: application/mbox
Size: 2048 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Mar 4 03:29:23 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Mar 2009 22:29:23 -0500
Subject: [Freeipa-devel] [PATCH] 140 - IPA default options patch
Message-ID: <49ADF593.7080004@redhat.com>

Port the v1 options configuration tool. This lets us set things like the
maximum loginname length, what attributes to search on, etc.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-140-options.patch
Type: application/mbox
Size: 5698 bytes
Desc: not available
URL:

From jderose at redhat.com Wed Mar 4 06:33:54 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Tue, 03 Mar 2009 23:33:54 -0700
Subject: [Freeipa-devel] [PATCH 139 - password policy min values
In-Reply-To: <49ADF55E.3020900@redhat.com>
References: <49ADF55E.3020900@redhat.com>
Message-ID: <1236148434.6841.0.camel@jgd-dsk>

On Tue, 2009-03-03 at 22:28 -0500, Rob Crittenden wrote:
> Use the new minvalue Int param option to set a floor for some password
> policy values.
>
> rob

ack.

From jderose at redhat.com Wed Mar 4 06:42:07 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Tue, 03 Mar 2009 23:42:07 -0700
Subject: [Freeipa-devel] [PATCH] 140 - IPA default options patch
In-Reply-To: <49ADF593.7080004@redhat.com>
References: <49ADF593.7080004@redhat.com>
Message-ID: <1236148927.6841.1.camel@jgd-dsk>

On Tue, 2009-03-03 at 22:29 -0500, Rob Crittenden wrote:
> Port the v1 options configuration tool. This lets us set things like the
> maximum loginname length, what attributes to search on, etc.
>
> rob

ack.

From mnagy at redhat.com Wed Mar 4 07:43:28 2009
From: mnagy at redhat.com (Martin Nagy)
Date: Wed, 4 Mar 2009 08:43:28 +0100
Subject: [Freeipa-devel] [PATCH][SSSD] Fixing memory leak in GetUserAttributes
In-Reply-To: <49ADE5A0.2040702@redhat.com>
References: <49ADE5A0.2040702@redhat.com>
Message-ID: <20090304084328.3f3325f6@notas>

Stephen Gallagher wrote:
> Trivial fix. I forgot to unref the reply message after sending it (or
> if construction of the message failed).

Hm, this seems to be a bit dangerous.. I think a better idea would be
to initialize reply to NULL and then do a test after the done label:

if (reply)
    dbus_message_unref(reply);

Martin

From sgallagh at redhat.com Wed Mar 4 11:54:24 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 04 Mar 2009 06:54:24 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Fixing memory leak in GetUserAttributes
In-Reply-To: <20090304084328.3f3325f6@notas>
References: <49ADE5A0.2040702@redhat.com> <20090304084328.3f3325f6@notas>
Message-ID: <49AE6BF0.1020005@redhat.com>

Martin Nagy wrote:
> Stephen Gallagher wrote:
>> Trivial fix. I forgot to unref the reply message after sending it (or
>> if construction of the message failed).
>
> Hm, this seems to be a bit dangerous.. I think a better idea would be
> to initialize reply to NULL and then do a test after the done label:
>
> if (reply)
>     dbus_message_unref(reply);
>
> Martin

New patch attached incorporating Martin's suggestion.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Fixing-memory-leak-in-GetUserAttributes.patch
URL:

From ssorce at redhat.com Wed Mar 4 14:01:06 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 04 Mar 2009 09:01:06 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Fixing memory leak in GetUserAttributes
In-Reply-To: <49AE6BF0.1020005@redhat.com>
References: <49ADE5A0.2040702@redhat.com> <20090304084328.3f3325f6@notas> <49AE6BF0.1020005@redhat.com>
Message-ID: <1236175266.19057.0.camel@localhost.localdomain>

On Wed, 2009-03-04 at 06:54 -0500, Stephen Gallagher wrote:
> Martin Nagy wrote:
> > Stephen Gallagher wrote:
> >> Trivial fix. I forgot to unref the reply message after sending it (or
> >> if construction of the message failed).
> >
> > Hm, this seems to be a bit dangerous.. I think a better idea would be
> > to initialize reply to NULL and then do a test after the done label:
> >
> > if (reply)
> >     dbus_message_unref(reply);
> >
> > Martin
>
> New patch attached incorporating Martin's suggestion.

ack and pushed

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Mar 4 14:56:29 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 04 Mar 2009 09:56:29 -0500
Subject: [Freeipa-devel] [PATCH 139 - password policy min values
In-Reply-To: <1236148434.6841.0.camel@jgd-dsk>
References: <49ADF55E.3020900@redhat.com> <1236148434.6841.0.camel@jgd-dsk>
Message-ID: <49AE969D.9040101@redhat.com>

Jason Gerard DeRose wrote:
> On Tue, 2009-03-03 at 22:28 -0500, Rob Crittenden wrote:
>> Use the new minvalue Int param option to set a floor for some password
>> policy values.
>>
>> rob
>
> ack.

pushed to master

From rcritten at redhat.com Wed Mar 4 14:56:36 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 04 Mar 2009 09:56:36 -0500
Subject: [Freeipa-devel] [PATCH] 140 - IPA default options patch
In-Reply-To: <1236148927.6841.1.camel@jgd-dsk>
References: <49ADF593.7080004@redhat.com> <1236148927.6841.1.camel@jgd-dsk>
Message-ID: <49AE96A4.80900@redhat.com>

Jason Gerard DeRose wrote:
> On Tue, 2009-03-03 at 22:29 -0500, Rob Crittenden wrote:
>> Port the v1 options configuration tool. This lets us set things like the
>> maximum loginname length, what attributes to search on, etc.
>>
>> rob
>
> ack.

pushed to master

From ssorce at redhat.com Wed Mar 4 15:50:29 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 04 Mar 2009 10:50:29 -0500
Subject: [Freeipa-devel] [PATCH x2] Two patches to improve sysdb and simplify LOCAL pam
Message-ID: <1236181829.19057.5.camel@localhost.localdomain>

I think the first one is a no brainer.

I did the second as part of a second review while testing the code.
In the pam responder I changed 2 things for the better (imo).

1. use only one context for everything and just free it when all is
done. The callback context was really unnecessary and added just more
code. Also by keeping one context we do not have to remember when to
free what if later on we change the code. As we know everything will be
freed when the operation is completed and at the same time everything is
available until the operation is completed.

There are other modifications I'd like to make but I want to discuss them
first on IRC.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Improve-sysdb.patch
Type: text/x-patch
Size: 7364 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Simplify-some-aspects-of-pam_LOCAL_domain.patch
Type: text/x-patch
Size: 19329 bytes
Desc: not available
URL:

From sbose at redhat.com Wed Mar 4 16:17:06 2009
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 04 Mar 2009 17:17:06 +0100
Subject: [Freeipa-devel] [PATCH x2] Two patches to improve sysdb and simplify LOCAL pam
In-Reply-To: <1236181829.19057.5.camel@localhost.localdomain>
References: <1236181829.19057.5.camel@localhost.localdomain>
Message-ID: <49AEA982.705@redhat.com>

Simo Sorce wrote:
> I think the first one is a no brainer.
>
> I did the second as part of a second review while testing the code.
> In the pam responder I changed 2 things for the better (imo).
>
> 1. use only one context for everything and just free it when all is
> done. The callback context was really unnecessary and added just more
> code. Also by keeping one context we do not have to remember when to
> free what if later on we change the code. As we know everything will be
> freed when the operation is completed and at the same time everything is
> available until the operation is completed.
>
> There are other modifications I'd like to make but I want to discuss them
> first on IRC.
>
> Simo.

ack

bye,
Sumit

From ssorce at redhat.com Wed Mar 4 16:24:42 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 04 Mar 2009 11:24:42 -0500
Subject: [Freeipa-devel] [PATCH x2] Two patches to improve sysdb and simplify LOCAL pam
In-Reply-To: <49AEA982.705@redhat.com>
References: <1236181829.19057.5.camel@localhost.localdomain> <49AEA982.705@redhat.com>
Message-ID: <1236183882.19057.7.camel@localhost.localdomain>

On Wed, 2009-03-04 at 17:17 +0100, Sumit Bose wrote:
> Simo Sorce wrote:
> > I think the first one is a no brainer.
> >
> > I did the second as part of a second review while testing the code.
> > In the pam responder I changed 2 things for the better (imo).
> >
> > 1. use only one context for everything and just free it when all is
> > done. The callback context was really unnecessary and added just more
> > code. Also by keeping one context we do not have to remember when to
> > free what if later on we change the code. As we know everything will be
> > freed when the operation is completed and at the same time everything is
> > available until the operation is completed.
> >
> > There are other modifications I'd like to make but I want to discuss them
> > first on IRC.
> ack

pushed
(and pushed also a COPYING file with the license in the root directory)

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Mar 4 16:54:46 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 04 Mar 2009 11:54:46 -0500
Subject: [Freeipa-devel] LDAP connections and the new ldap backend plugin
In-Reply-To: <1236096143.6598.1.camel@jgd-dsk>
References: <1236061376.6616.675.camel@jgd-dsk> <49AD518D.9010303@redhat.com> <1236096143.6598.1.camel@jgd-dsk>
Message-ID: <49AEB256.3000009@redhat.com>

Jason Gerard DeRose wrote:
> On Tue, 2009-03-03 at 08:49 -0700, Rich Megginson wrote:
>> I'm not sure I understand. If the connection object is
>> ipaserver.ipaldap.IPAdmin which is a subclass of SimpleLDAPObject, can't
>> the connection object be "cast" and used directly as a
>> SimpleLDAPObject? Or does the IPA code change/overload the methods such
>> that it is not usable any more as a SimpleLDAPObject?
>
> The subclass overrides methods, so code written against SimpleLDAPObject
> would probably break.

My concern is that we use this object in more places than just the
XML-RPC server. What is this going to mean for those? I suppose just
more complicated setup code though I guess we could write a few methods
to handle that.

How do you propose handling the other methods in IPAdmin such as
getEntry, deleteEntry, etc?

rob

From sbose at redhat.com Wed Mar 4 18:50:20 2009
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 04 Mar 2009 19:50:20 +0100
Subject: [Freeipa-devel] [PATCH] added scm_credentials exchange
Message-ID: <49AECD6C.7040404@redhat.com>

Hi,

with this patch client and responder can identify the other side. So far
uid, gid and pid are only exchanged and stored. As a next step I would
include this information to the pam data to, e.g., allow password reset
by root.

bye,
Sumit
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-added-scm_credentials-exchange.patch
URL:

From rcritten at redhat.com Wed Mar 4 19:13:57 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 04 Mar 2009 14:13:57 -0500
Subject: [Freeipa-devel] [PATCH] 141 - Don't build radius
Message-ID: <49AED2F5.3070907@redhat.com>

I kept the v1 radius code that hasn't been well-exercised so it could be
ported to a v2 plugin. We don't need to build a separate RPM for
radius nor install it by default.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-141-noradius.patch
Type: application/mbox
Size: 5803 bytes
Desc: not available
URL:

From ssorce at redhat.com Wed Mar 4 19:38:21 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 04 Mar 2009 14:38:21 -0500
Subject: [Freeipa-devel] [PATCH] 141 - Don't build radius
In-Reply-To: <49AED2F5.3070907@redhat.com>
References: <49AED2F5.3070907@redhat.com>
Message-ID: <1236195501.19057.8.camel@localhost.localdomain>

On Wed, 2009-03-04 at 14:13 -0500, Rob Crittenden wrote:
> I kept the v1 radius code that hasn't been well-exercised so it could be
> ported to a v2 plugin. We don't need to build a separate RPM for
> radius nor install it by default.

ack

--
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Wed Mar 4 19:50:56 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 04 Mar 2009 14:50:56 -0500
Subject: [Freeipa-devel] Implement SetUserAttributes in the InfoPipe
Message-ID: <49AEDBA0.7060309@redhat.com>

SetUserAttributes is now available for use in the Infopipe.
I also reorganized a few of the internal InfoPipe objects to
reduce code duplication.

One very simple test is included in this checkin to validate that
the parser is working.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Implement-SetUserAttributes-in-the-InfoPipe.patch
URL:

From rcritten at redhat.com Wed Mar 4 20:40:18 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 04 Mar 2009 15:40:18 -0500
Subject: [Freeipa-devel] [PATCH] 141 - Don't build radius
In-Reply-To: <1236195501.19057.8.camel@localhost.localdomain>
References: <49AED2F5.3070907@redhat.com> <1236195501.19057.8.camel@localhost.localdomain>
Message-ID: <49AEE732.5040703@redhat.com>

Simo Sorce wrote:
> On Wed, 2009-03-04 at 14:13 -0500, Rob Crittenden wrote:
>> I kept the v1 radius code that hasn't been well-exercised so it could be
>> ported to a v2 plugin. We don't need to build a separate RPM for
>> radius nor install it by default.
>
> ack
>

pushed to master

From ssorce at redhat.com Wed Mar 4 23:27:41 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 04 Mar 2009 18:27:41 -0500
Subject: [Freeipa-devel] Implement SetUserAttributes in the InfoPipe
In-Reply-To: <49AEDBA0.7060309@redhat.com>
References: <49AEDBA0.7060309@redhat.com>
Message-ID: <1236209261.19057.11.camel@localhost.localdomain>

On Wed, 2009-03-04 at 14:50 -0500, Stephen Gallagher wrote:
> SetUserAttributes is now available for use in the Infopipe.
> I also reorganized a few of the internal InfoPipe objects to
> reduce code duplication.
>
> One very simple test is included in this checkin to validate that
> the parser is working.
>

ack and pushed

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Mar 4 23:29:32 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 04 Mar 2009 18:29:32 -0500
Subject: [Freeipa-devel] [PATCH] enum blackout period
Message-ID: <1236209372.19057.13.camel@localhost.localdomain>

I pushed the attached patch to have a blackout period on enum requests.
By default enumerations of remote backends should not be enabled anyway,
but in case it is needed this blackout period will greatly improve
performance if multiple enumerations are requested within the blackout
period (currently hardcoded to 2 mins.)

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-enumeration-backout-period.patch
Type: text/x-patch
Size: 5206 bytes
Desc: not available
URL:

From sgallagh at redhat.com Thu Mar 5 00:58:52 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 04 Mar 2009 19:58:52 -0500
Subject: [Freeipa-devel] [PATCH] enum blackout period
In-Reply-To: <1236209372.19057.13.camel@localhost.localdomain>
References: <1236209372.19057.13.camel@localhost.localdomain>
Message-ID: <49AF23CC.4030805@redhat.com>

Simo Sorce wrote:
> I pushed the attached patch to have a blackout period on enum requests.
> By default enumerations of remote backends should not be enabled anyway,
> but in case it is needed this blackout period will greatly improve
> performance if multiple enumerations are requested within the blackout
> period (currently hardcoded to 2 mins.)
>
> Simo.

ack

From ssorce at redhat.com Thu Mar 5 05:12:33 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 05 Mar 2009 00:12:33 -0500
Subject: [Freeipa-devel] Initial patch for next id calls
Message-ID: <1236229953.19057.25.camel@localhost.localdomain>

This patch should work but is currently untested, I am going to grab
Jakub's initial implementation of sysdb_store_user() tomorrow and make it
use sysdb_get_next_available_id() to get new ids.

I just wanted to share it here so that people know what is the direction
I think we should take.
Especially with the next id thing. On IRC yesterday we discussed to just
scan the DB and always pick the highest free ID, but when I started to
implement the function 2 things came up:
1. searching the whole db could be expensive
2. if you delete the last added user you will reuse its ID for the next
new user, which may lead to access to files you should not have access
to.

So given these 2 considerations I actually decided to store an attribute
called nextID on the domain object. And use that as the source of IDs,
incrementing it each time a new ID is requested (of course the code also
checks for duplicates in case admins set arbitrary IDs in the DB).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-internal-min-max-next-id-management-fucntions.patch
Type: text/x-patch
Size: 15436 bytes
Desc: not available
URL:

From sbose at redhat.com Thu Mar 5 11:05:25 2009
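The two allocation strategies compared in the message above, as an added example that is not part of the original post or the sysdb code: the scan for the highest used ID plus one, and a persisted nextID counter with a duplicate check. The `struct domain` layout and all function names are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ENTRIES 32

/* Toy in-memory stand-in for a domain and its entries (hypothetical
 * layout for this example, not the sysdb schema). */
struct domain {
    uint32_t min_id;
    uint32_t max_id;            /* 0 means no upper bound */
    uint32_t next_id;           /* models the nextID attribute */
    uint32_t ids[MAX_ENTRIES];  /* IDs currently assigned */
    size_t count;
};

typedef int (*alloc_fn)(struct domain *, uint32_t *);

static bool id_in_use(const struct domain *d, uint32_t id)
{
    for (size_t i = 0; i < d->count; i++)
        if (d->ids[i] == id) return true;
    return false;
}

/* Store an entry with an explicit ID, as an admin editing the DB could. */
int add_entry(struct domain *d, uint32_t id)
{
    if (id_in_use(d, id)) return EEXIST;
    if (d->count == MAX_ENTRIES) return ENOSPC;
    d->ids[d->count++] = id;
    return 0;
}

int del_entry(struct domain *d, uint32_t id)
{
    for (size_t i = 0; i < d->count; i++) {
        if (d->ids[i] == id) {
            d->ids[i] = d->ids[--d->count];
            return 0;
        }
    }
    return ENOENT;
}

/* Scan approach: visit every entry, hand out highest used ID + 1. */
int alloc_scan_highest(struct domain *d, uint32_t *out)
{
    uint32_t id = d->min_id;
    int rc;

    for (size_t i = 0; i < d->count; i++) {
        if (d->ids[i] == UINT32_MAX) return ERANGE;
        if (d->ids[i] >= id) id = d->ids[i] + 1;
    }
    if (d->max_id != 0 && id > d->max_id) return ERANGE;
    rc = add_entry(d, id);
    if (rc == 0) *out = id;
    return rc;
}

/* Counter approach: start at nextID, skip IDs that already exist
 * (admin-set values), then move the counter past the ID handed out. */
int alloc_next_id(struct domain *d, uint32_t *out)
{
    uint32_t id = d->next_id < d->min_id ? d->min_id : d->next_id;
    int rc;

    for (;;) {
        /* UINT32_MAX is never handed out, so the counter cannot wrap. */
        if (id == UINT32_MAX) return ERANGE;
        if (d->max_id != 0 && id > d->max_id) return ERANGE;
        if (!id_in_use(d, id)) break;
        id++;
    }
    rc = add_entry(d, id);
    if (rc != 0) return rc;
    d->next_id = id + 1;  /* deleting 'id' later does not free it again */
    *out = id;
    return 0;
}

/* Add two users, delete the second, add a third. Returns 1 if the third
 * got the deleted user's ID, 0 if it got a fresh one, -1 on error. */
int reused_after_delete(alloc_fn alloc)
{
    struct domain d = { .min_id = 1000, .next_id = 1000 };
    uint32_t first, second, third;

    if (alloc(&d, &first) || alloc(&d, &second)) return -1;
    if (del_entry(&d, second)) return -1;
    if (alloc(&d, &third)) return -1;
    return third == second;
}

int main(void)
{
    printf("scan for highest+1: reuse=%d\n", reused_after_delete(alloc_scan_highest));
    printf("nextID counter:     reuse=%d\n", reused_after_delete(alloc_next_id));
    return 0;
}
```

The counter only moves forward, so files still owned by a deleted user's numeric ID are not inherited by the next account created.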
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 05 Mar 2009 12:05:25 +0100
Subject: [Freeipa-devel] [PATCH] added a privileged pipe
Message-ID: <49AFB1F5.90400@redhat.com>

Hi,

in some off-list discussion the scm_credentials solution was found not
to be portable enough. This patch creates a second, privileged, pipe
which only root can access. A flag in the client connection context
indicates whether the connection was made via the privileged pipe or
not. This information can be forwarded to the backend which can decide
if they want to allow privileged operation or not.

bye,
Sumit

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-added-a-privileged-pipe.patch
URL:

From sbose at redhat.com Thu Mar 5 14:52:57 2009
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 05 Mar 2009 15:52:57 +0100
Subject: [Freeipa-devel] [PATCH] added a privileged pipe
In-Reply-To: <49AFB1F5.90400@redhat.com>
References: <49AFB1F5.90400@redhat.com>
Message-ID: <49AFE749.3030906@redhat.com>

Sumit Bose wrote:
> Hi,
>
> in some off-list discussion the scm_credentials solution was found not
> to be portable enough. This patch creates a second, privileged, pipe
> which only root can access. A flag in the client connection context
> indicates whether the connection was made via the privileged pipe or
> not. This information can be forwarded to the backend which can decide
> if they want to allow privileged operation or not.
>

new version with privileged pipe in private/.

bye,
Sumit

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-added-a-privileged-pipe.patch
URL:

From ssorce at redhat.com Thu Mar 5 15:01:03 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 05 Mar 2009 10:01:03 -0500
Subject: [Freeipa-devel] [PATCH] added a privileged pipe
In-Reply-To: <49AFE749.3030906@redhat.com>
References: <49AFB1F5.90400@redhat.com> <49AFE749.3030906@redhat.com>
Message-ID: <1236265263.6848.2.camel@localhost.localdomain>

On Thu, 2009-03-05 at 15:52 +0100, Sumit Bose wrote:
> Sumit Bose wrote:
> > Hi,
> >
> > in some off-list discussion the scm_credentials solution was found not
> > to be portable enough. This patch creates a second, privileged, pipe
> > which only root can access. A flag in the client connection context
> > indicates whether the connection was made via the privileged pipe or
> > not. This information can be forwarded to the backend which can decide
> > if they want to allow privileged operation or not.
> >
>
> new version with privileged pipe in private/.

Pushed but renamed private/pam.priv to just private/pam, I think that's
private enough :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Mar 5 15:01:40 2009
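The privileged-pipe design from this thread, as an added sketch that is not the patch itself: a public socket, a second socket inside a 0700 `private/` directory, and a per-connection flag set from the listener that accepted the client. The base directory, the public socket name `pam`, and all struct and function names are assumptions; `private/pam` is the path named in the reply above.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

#define PATH_LEN sizeof(((struct sockaddr_un *)0)->sun_path)

/* Names and paths are assumptions made for this example. */
struct pipes {
    int pub_fd, priv_fd;
    char pub_path[PATH_LEN], priv_dir[PATH_LEN], priv_path[PATH_LEN];
};

/* 'priv' is set by the server from the listener that accepted the
 * client, never from anything the client sends. */
struct cli_ctx { int fd; int priv; };

/* UNIX stream socket on 'path': a listener whose file gets 'mode' when
 * srv is non-zero, otherwise a connected client socket. */
static int unix_sock(const char *path, int srv, mode_t mode)
{
    struct sockaddr_un a;
    int fd, rc;

    if (strlen(path) >= sizeof(a.sun_path)) { errno = ENAMETOOLONG; return -1; }
    memset(&a, 0, sizeof(a));
    a.sun_family = AF_UNIX;
    strcpy(a.sun_path, path);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) return -1;
    if (srv) {
        unlink(path);  /* stale socket from an earlier run */
        rc = bind(fd, (struct sockaddr *)&a, sizeof(a));
        if (rc == 0) rc = chmod(path, mode);
        if (rc == 0) rc = listen(fd, 5);
    } else {
        rc = connect(fd, (struct sockaddr *)&a, sizeof(a));
    }
    if (rc == -1) { close(fd); return -1; }
    return fd;
}

int connect_unix(const char *path) { return unix_sock(path, 0, 0); }

/* <base>/pam is open to everyone; <base>/private/pam sits in a 0700
 * directory, so only the directory owner (root in production) reaches it. */
int setup_pipes(const char *base, struct pipes *p)
{
    p->pub_fd = p->priv_fd = -1;
    if (strlen(base) + sizeof("/private/pam") > PATH_LEN) { errno = ENAMETOOLONG; return -1; }
    snprintf(p->pub_path, PATH_LEN, "%s/pam", base);
    snprintf(p->priv_dir, PATH_LEN, "%s/private", base);
    snprintf(p->priv_path, PATH_LEN, "%s/private/pam", base);

    /* Lock the directory down before the socket exists inside it. */
    if (mkdir(p->priv_dir, 0700) == -1 && errno != EEXIST) return -1;
    if (chmod(p->priv_dir, 0700) == -1) return -1;

    p->pub_fd = unix_sock(p->pub_path, 1, 0666);
    p->priv_fd = unix_sock(p->priv_path, 1, 0600);
    return (p->pub_fd == -1 || p->priv_fd == -1) ? -1 : 0;
}

/* Wait up to one second for a client on either pipe and tag its context. */
int accept_any(const struct pipes *p, struct cli_ctx *c)
{
    struct pollfd pfd[2] = {
        { .fd = p->pub_fd, .events = POLLIN },
        { .fd = p->priv_fd, .events = POLLIN },
    };
    int from_priv;

    if (poll(pfd, 2, 1000) <= 0) return -1;
    from_priv = (pfd[1].revents & POLLIN) != 0;
    c->fd = accept(from_priv ? p->priv_fd : p->pub_fd, NULL, NULL);
    if (c->fd == -1) return -1;
    c->priv = from_priv;
    return 0;
}

/* Backend policy (hypothetical): privileged operations only for clients
 * that came in through the privileged pipe. */
int priv_op_allowed(const struct cli_ctx *c) { return c->priv == 1; }

int main(void)
{
    char base[64];
    struct pipes p;
    struct cli_ctx c;

    snprintf(base, sizeof(base), "/tmp/pipes-demo.%ld", (long)getpid());
    if (mkdir(base, 0755) == -1 || setup_pipes(base, &p) == -1) return 1;
    if (connect_unix(p.priv_path) == -1 || accept_any(&p, &c) == -1) return 1;
    printf("priv=%d allowed=%d\n", c.priv, priv_op_allowed(&c));
    return 0;
}
```

The access decision rests on filesystem permissions of the `private/` directory, so its ownership and mode are the things to check on a deployed system.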
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 05 Mar 2009 10:01:40 -0500
Subject: [Freeipa-devel] Initial patch for next id calls
In-Reply-To: <1236229953.19057.25.camel@localhost.localdomain>
References: <1236229953.19057.25.camel@localhost.localdomain>
Message-ID: <1236265300.6848.3.camel@localhost.localdomain>

On Thu, 2009-03-05 at 00:12 -0500, Simo Sorce wrote:
>
> This patch should work but is currently untested, I am going to grab
> Jakub's initial implementation of sysdb_store_user() tomorrow and make it
> use sysdb_get_next_available_id() to get new ids.
>
> I just wanted to share it here so that people know what is the direction
> I think we should take.
> Especially with the next id thing. On IRC yesterday we discussed to just
> scan the DB and always pick the highest free ID, but when I started to
> implement the function 2 things came up:
> 1. searching the whole db could be expensive
> 2. if you delete the last added user you will reuse its ID for the next
> new user, which may lead to access to files you should not have access
> to.
>
> So given these 2 considerations I actually decided to store an attribute
> called nextID on the domain object. And use that as the source of IDs,
> incrementing it each time a new ID is requested (of course the code also
> checks for duplicates in case admins set arbitrary IDs in the DB).

Steve acked on IRC as he's having trouble with the mailing list.

Pushed.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Mar 5 15:03:52 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 05 Mar 2009 10:03:52 -0500
Subject: [Freeipa-devel] LDAP connections and the new ldap backend plugin
In-Reply-To: <49AEB256.3000009@redhat.com>
References: <1236061376.6616.675.camel@jgd-dsk> <49AD518D.9010303@redhat.com> <1236096143.6598.1.camel@jgd-dsk> <49AEB256.3000009@redhat.com>
Message-ID: <1236265432.6848.5.camel@localhost.localdomain>

On Wed, 2009-03-04 at 11:54 -0500, Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
> > On Tue, 2009-03-03 at 08:49 -0700, Rich Megginson wrote:
> >> I'm not sure I understand. If the connection object is
> >> ipaserver.ipaldap.IPAdmin which is a subclass of SimpleLDAPObject, can't
> >> the connection object be "cast" and used directly as a
> >> SimpleLDAPObject? Or does the IPA code change/overload the methods such
> >> that it is not usable any more as a SimpleLDAPObject?
> >
> > The subclass overrides methods, so code written against SimpleLDAPObject
> > would probably break.
>
> My concern is that we use this object in more places than just the
> XML-RPC server. What is this going to mean for those? I suppose just
> more complicated setup code though I guess we could write a few methods
> to handle that.
>
> How do you propose handling the other methods in IPAdmin such as
> getEntry, deleteEntry, etc?

I am wondering if we should really worry that plugins can't use our ldap
object. Existing code would probably have to be adapted to our
tree/conventions, otherwise it will probably do something stupid with
the tree anyway. I am wondering if actually forcing adaptation of the
code is actually a good idea so that people don't throw garbage in?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From jhrozek at redhat.com Thu Mar 5 15:05:29 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 05 Mar 2009 16:05:29 +0100
Subject: [Freeipa-devel] [PATCH] nonlegacy store_group and store_user
Message-ID: <1236265529.11215.26.camel@zeppelin.englab.brq.redhat.com>

I might send another version as I still have to write tests, but we can
still do a review I guess

Jakub

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-nonlegacy-store_group-and-store_user.patch
Type: text/x-patch
Size: 18687 bytes
Desc: not available
URL:

From sbose at redhat.com Thu Mar 5 15:32:03 2009
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 05 Mar 2009 16:32:03 +0100
Subject: [Freeipa-devel] [PATCH] added password reset by root
Message-ID: <49AFF073.6040800@redhat.com>

Hi,

this patch adds logic to allow a user using the privileged pipe,
hopefully this is only root, to reset a password without authentication.
pam_sss now asks for a confirmation of the new password.

bye,
Sumit

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-added-password-reset-by-root.patch
URL:

From ssorce at redhat.com Thu Mar 5 15:44:07 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 05 Mar 2009 10:44:07 -0500
Subject: [Freeipa-devel] [PATCH] Fix ss_client make install traget
Message-ID: <1236267847.6848.6.camel@localhost.localdomain>

As per $subject

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-sss_client-install-target.patch
Type: text/x-patch
Size: 1691 bytes
Desc: not available
URL:

From ssorce at redhat.com Thu Mar 5 15:44:43 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 05 Mar 2009 10:44:43 -0500
Subject: [Freeipa-devel] [PATCH] added password reset by root
In-Reply-To: <49AFF073.6040800@redhat.com>
References: <49AFF073.6040800@redhat.com>
Message-ID: <1236267883.6848.7.camel@localhost.localdomain>

On Thu, 2009-03-05 at 16:32 +0100, Sumit Bose wrote:
> Hi,
>
> this patch adds logic to allow a user using the privileged pipe,
> hopefully this is only root, to reset a password without
> authentication.
> pam_sss now asks for a confirmation of the new password.

ack

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Mar 5 15:45:45 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 05 Mar 2009 10:45:45 -0500
Subject: [Freeipa-devel] [PATCH] nonlegacy store_group and store_user
In-Reply-To: <1236265529.11215.26.camel@zeppelin.englab.brq.redhat.com>
References: <1236265529.11215.26.camel@zeppelin.englab.brq.redhat.com>
Message-ID: <1236267945.6848.8.camel@localhost.localdomain>

On Thu, 2009-03-05 at 16:05 +0100, Jakub Hrozek wrote:
> I might send another version as I still have to write tests, but we can
> still do a review I guess

Sorry have to nack this, sysdb_get_next_available_id is used improperly,
can't work.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Thu Mar 5 15:51:04 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 05 Mar 2009 10:51:04 -0500
Subject: [Freeipa-devel] [PATCH] Fix ss_client make install traget
In-Reply-To: <1236267847.6848.6.camel@localhost.localdomain>
References: <1236267847.6848.6.camel@localhost.localdomain>
Message-ID: <49AFF4E8.4030601@redhat.com>

Simo Sorce wrote:
> As per $subject

ack

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Thu Mar 5 16:16:50 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 05 Mar 2009 11:16:50 -0500
Subject: [Freeipa-devel] [PATCH] Fix ss_client make install traget
In-Reply-To: <49AFF4E8.4030601@redhat.com>
References: <1236267847.6848.6.camel@localhost.localdomain> <49AFF4E8.4030601@redhat.com>
Message-ID: <49AFFAF2.8080608@redhat.com>

Stephen Gallagher wrote:
> Simo Sorce wrote:
>> As per $subject
>
> ack
>

pushed

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Thu Mar 5 16:17:59 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 05 Mar 2009 11:17:59 -0500
Subject: [Freeipa-devel] [PATCH] added password reset by root
In-Reply-To: <1236267883.6848.7.camel@localhost.localdomain>
References: <49AFF073.6040800@redhat.com> <1236267883.6848.7.camel@localhost.localdomain>
Message-ID: <49AFFB37.8030405@redhat.com>

Simo Sorce wrote:
> On Thu, 2009-03-05 at 16:32 +0100, Sumit Bose wrote:
>> Hi,
>>
>> this patch adds logic to allow a user using the privileged pipe,
>> hopefully this is only root, to reset a password without
>> authentication.
>> pam_sss now asks for a confirmation of the new password.
>
> ack
>

pushed

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sbose at redhat.com Thu Mar 5 16:19:32 2009
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 05 Mar 2009 17:19:32 +0100
Subject: [Freeipa-devel] [PATCH] Fix ss_client make install traget
In-Reply-To: <1236267847.6848.6.camel@localhost.localdomain>
References: <1236267847.6848.6.camel@localhost.localdomain>
Message-ID: <49AFFB94.1060004@redhat.com>

Simo Sorce wrote:
> As per $subject

Maybe it is less error prone to change the default prefix with
AC_PREFIX_DEFAULT in configure.ac.

bye,
Sumit

From sgallagh at redhat.com Thu Mar 5 17:43:04 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 05 Mar 2009 12:43:04 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Adding support for SetUserUID to the InfoPipe
Message-ID: <49B00F28.2000705@redhat.com>

The InfoPipe interface
Set_YouReallyDoNotWantToUseThisFunction_UserUID1
is now available.

I also fixed a memory leak in SetUserAttributes and modified the
prototype for infp_get_permissions to make it more clear that the first
argument is the caller's username, not the username being checked for
permission.

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Adding-support-for-SetUserUID-to-the-InfoPipe.patch
URL:

From ssorce at redhat.com Thu Mar 5 18:51:07 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 05 Mar 2009 13:51:07 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Adding support for SetUserUID to the InfoPipe
In-Reply-To: <49B00F28.2000705@redhat.com>
References: <49B00F28.2000705@redhat.com>
Message-ID: <1236279067.6848.19.camel@localhost.localdomain>

On Thu, 2009-03-05 at 12:43 -0500, Stephen Gallagher wrote:
> The InfoPipe interface
> Set_YouReallyDoNotWantToUseThisFunction_UserUID1
> is now available.
>
> I also fixed a memory leak in SetUserAttributes and modified the
> prototype for infp_get_permissions to make it more clear that the first
> argument is the caller's username, not the username being checked for
> permission.

ack

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Thu Mar 5 18:52:36 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 05 Mar 2009 13:52:36 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Adding support for SetUserUID to the InfoPipe
In-Reply-To: <1236279067.6848.19.camel@localhost.localdomain>
References: <49B00F28.2000705@redhat.com> <1236279067.6848.19.camel@localhost.localdomain>
Message-ID: <49B01F74.2050109@redhat.com>

Simo Sorce wrote:
> On Thu, 2009-03-05 at 12:43 -0500, Stephen Gallagher wrote:
>> The InfoPipe interface
>> Set_YouReallyDoNotWantToUseThisFunction_UserUID1
>> is now available.
>>
>> I also fixed a memory leak in SetUserAttributes and modified the
>> prototype for infp_get_permissions to make it more clear that the first
>> argument is the caller's username, not the username being checked for
>> permission.
>
> ack
>
> Simo.
>

pushed

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Thu Mar 5 20:44:43 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 05 Mar 2009 15:44:43 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Implement GetCachedUsers in the InfoPipe
Message-ID: <49B039BB.30400@redhat.com>

This function allows a caller to retrieve a list of users who have
logged in on the system, specifying an optional minimum last login time
to trim the list.

I modified sysdb_enumpwent to accept an optional search argument.
GetCachedUsers takes advantage of this argument to limit the search by
the last login time.

I also found and fixed a few additional low-memory conditions around
D-BUS message replies.

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Implement-GetCachedUsers-in-the-InfoPipe.patch
URL:

From ssorce at redhat.com Thu Mar 5 20:46:28 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 05 Mar 2009 15:46:28 -0500
Subject: [Freeipa-devel] [PATCH] sysdb user/group add functions
Message-ID: <1236285988.6848.23.camel@localhost.localdomain>

see patch comments

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-functions-to-add-regular-users-and-groups.patch
Type: text/x-patch
Size: 21047 bytes
Desc: not available
URL:

From sgallagh at redhat.com Thu Mar 5 21:05:50 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 05 Mar 2009 16:05:50 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Implement GetCachedUsers in the InfoPipe
In-Reply-To: <49B039BB.30400@redhat.com>
References: <49B039BB.30400@redhat.com>
Message-ID: <49B03EAE.3010008@redhat.com>

Stephen Gallagher wrote:
> This function allows a caller to retrieve a list of users who have
> logged in on the system, specifying an optional minimum last login
> time to trim the list.
>
> I modified sysdb_enumpwent to accept an optional search argument.
> GetCachedUsers takes advantage of this argument to limit the search
> by the last login time.
>
> I also found and fixed a few additional low-memory conditions
> around D-BUS message replies.

Modified patch to better conform to coding style guidelines.

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Implement-GetCachedUsers-in-the-InfoPipe.patch
URL:

From sgallagh at redhat.com Thu Mar 5 21:35:53 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 05 Mar 2009 16:35:53 -0500
Subject: [Freeipa-devel] [PATCH] sysdb user/group add functions
In-Reply-To: <1236285988.6848.23.camel@localhost.localdomain>
References: <1236285988.6848.23.camel@localhost.localdomain>
Message-ID: <49B045B9.9000309@redhat.com>

Simo Sorce wrote:
> see patch comments

Ack

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Thu Mar 5 21:51:30 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 05 Mar 2009 16:51:30 -0500
Subject: [Freeipa-devel] [PATCH] sysdb user/group add functions
In-Reply-To: <49B045B9.9000309@redhat.com>
References: <1236285988.6848.23.camel@localhost.localdomain> <49B045B9.9000309@redhat.com>
Message-ID: <49B04962.4050503@redhat.com>

Stephen Gallagher wrote:
> Simo Sorce wrote:
>> see patch comments
>
> Ack
>

Pushed

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sbose at redhat.com Thu Mar 5 22:24:12 2009
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 05 Mar 2009 23:24:12 +0100
Subject: [Freeipa-devel] [PATCH] added sss_client to spec file
Message-ID: <49B0510C.5010700@redhat.com>

Hi,

I added sss_client to the spec file and made some minor fixes to
Makefile.in. Maybe it would make sense to put the NSS and PAM client in
a separate sssd-clients package?

bye,
Sumit

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-added-sss_client-to-spec-file.patch
URL:

From sgallagh at redhat.com Thu Mar 5 22:29:03 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 05 Mar 2009 17:29:03 -0500
Subject: [Freeipa-devel] [PATCH] added sss_client to spec file
In-Reply-To: <49B0510C.5010700@redhat.com>
References: <49B0510C.5010700@redhat.com>
Message-ID: <49B0522F.1050403@redhat.com>

Sumit Bose wrote:
> Hi,
>
> I added sss_client to the spec file and made some minor fixes to
> Makefile.in. Maybe it would make sense to put the NSS and PAM client in
> a separate sssd-clients package?
>
> bye,
> Sumit

- -# infopipe files - -%{_libexecdir}/sssd/sssd_info %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.sssd.infopipe.conf %{_datadir}/%{name}/introspect/infopipe/org.freeipa.sssd.infopipe.Introspect.xml

Why are you removing the sssd_info executable. That's for InfoPipe.

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sbose at redhat.com Thu Mar 5 22:31:34 2009
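Review bot: the `# infopipe files` comment is deleted together with the `%{_libexecdir}/sssd/sssd_info` entry, but the two entries that follow it (the D-Bus policy file `org.freeipa.sssd.infopipe.conf` and the introspection XML) are still InfoPipe files and are left without their section label, so keep the comment above them. Dropping the explicit `sssd_info` line also means the binary is packaged only if some broader %files entry covers it, and no such entry is visible in this hunk; name that entry in the commit message, or keep the explicit line and spell it with `%{name}` like the introspect path instead of a literal `sssd`.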
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 05 Mar 2009 23:31:34 +0100
Subject: [Freeipa-devel] [PATCH] added sss_client to spec file
In-Reply-To: <49B0522F.1050403@redhat.com>
References: <49B0510C.5010700@redhat.com> <49B0522F.1050403@redhat.com>
Message-ID: <49B052C6.7070109@redhat.com>

Stephen Gallagher wrote:
> Sumit Bose wrote:
>> Hi,
>>
>> I added sss_client to the spec file and made some minor fixes to
>> Makefile.in. Maybe it would make sense to put the NSS and PAM client in
>> a separate sssd-clients package?
>>
>> bye,
>> Sumit
>
> -# infopipe files > -%{_libexecdir}/sssd/sssd_info > %config(noreplace) > %{_sysconfdir}/dbus-1/system.d/org.freeipa.sssd.infopipe.conf > %{_datadir}/%{name}/introspect/infopipe/org.freeipa.sssd.infopipe.Introspect.xml
>
> Why are you removing the sssd_info executable. That's for InfoPipe.
>

it is included by %{_libexecdir}/%{name}/

bye,
Sumit

From ssorce at redhat.com Thu Mar 5 22:48:15 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 05 Mar 2009 17:48:15 -0500
Subject: [Freeipa-devel] [PATCH][SSSD] Implement GetCachedUsers in the InfoPipe
In-Reply-To: <49B03EAE.3010008@redhat.com>
References: <49B039BB.30400@redhat.com> <49B03EAE.3010008@redhat.com>
Message-ID: <1236293295.6848.24.camel@localhost.localdomain>

On Thu, 2009-03-05 at 16:05 -0500, Stephen Gallagher wrote:
>
> Modified patch to better conform to coding style guidelines.

Pushed

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Mar 5 22:51:16 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 05 Mar 2009 17:51:16 -0500
Subject: [Freeipa-devel] [PATCH] added sss_client to spec file
In-Reply-To: <49B0510C.5010700@redhat.com>
References: <49B0510C.5010700@redhat.com>
Message-ID: <1236293476.6848.25.camel@localhost.localdomain>

On Thu, 2009-03-05 at 23:24 +0100, Sumit Bose wrote:
>
> I added sss_client to the spec file and made some minor fixes to
> Makefile.in. Maybe it would make sense to put the NSS and PAM client in
> a separate sssd-clients package?

yes I would even split it into pam_sss and nss_sss, ack for the rest

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Mar 5 22:55:16 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 05 Mar 2009 17:55:16 -0500
Subject: [Freeipa-devel] [PATCH] restructure a bit sysdb.h
Message-ID: <1236293716.6848.26.camel@localhost.localdomain>

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Remove-_PW_-and-_GR_-from-SYSDB_-defines.patch
Type: text/x-patch
Size: 24538 bytes
Desc: not available
URL:

From sgallagh at redhat.com Thu Mar 5 22:59:46 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 05 Mar 2009 17:59:46 -0500
Subject: [Freeipa-devel] [PATCH] restructure a bit sysdb.h
In-Reply-To: <1236293716.6848.26.camel@localhost.localdomain>
References: <1236293716.6848.26.camel@localhost.localdomain>
Message-ID: <49B05962.4060106@redhat.com>

Simo Sorce wrote:
>

Ack

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Thu Mar 5 23:05:37 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 05 Mar 2009 18:05:37 -0500
Subject: [Freeipa-devel] [PATCH] restructure a bit sysdb.h
In-Reply-To: <49B05962.4060106@redhat.com>
References: <1236293716.6848.26.camel@localhost.localdomain> <49B05962.4060106@redhat.com>
Message-ID: <1236294337.6848.27.camel@localhost.localdomain>

On Thu, 2009-03-05 at 17:59 -0500, Stephen Gallagher wrote:
> Ack

pushed

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Mar 6 03:42:24 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 05 Mar 2009 22:42:24 -0500
Subject: [Freeipa-devel] [PATCH] Fix returning users from non-default domains
Message-ID: <1236310944.21500.0.camel@localhost.localdomain>

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-reporting-non-default-users.patch
Type: text/x-patch
Size: 44148 bytes
Desc: not available
URL:

From ssorce at redhat.com Fri Mar 6 08:18:36 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 06 Mar 2009 03:18:36 -0500
Subject: [Freeipa-devel] [PATCH] sss_useradd
Message-ID: <1236327516.21500.4.camel@localhost.localdomain>

I've taken up the skeleton made by Jakub and implemented a functioning
(tested) sss_useradd

The name is temporary, suggestions to make it friendlier and shorter are
very welcome.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-userspace-tools-to-manipulate-accounts.patch
Type: text/x-patch
Size: 19298 bytes
Desc: not available
URL:

From sbose at redhat.com Fri Mar 6 09:21:51 2009
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 06 Mar 2009 10:21:51 +0100
Subject: [Freeipa-devel] [PATCH] minor fixes for the build process
Message-ID: <49B0EB2F.9030809@redhat.com>

Hi,

this patch will fix some issues Martin found in bz487296. I have
disabled the use of the mozilla ldap libraries so far, because ldb is
compiled with openldap libraries and it looks like the binaries will use
the openldap calls.

--without-tests currently just gives some error messages so I dropped it.

To make sssd more user friendly, I have added two %doc files :).

With this patch the current version builds with koji/mock.

bye,
Sumit

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-minor-fixes-for-the-build-process.patch
URL:

From jhrozek at redhat.com Fri Mar 6 09:58:58 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 06 Mar 2009 10:58:58 +0100
Subject: [Freeipa-devel] [PATCH] minor fixes for the build process
In-Reply-To: <49B0EB2F.9030809@redhat.com>
References: <49B0EB2F.9030809@redhat.com>
Message-ID: <1236333538.24549.7.camel@hendrix>

On Fri, 2009-03-06 at 10:21 +0100, Sumit Bose wrote:
> Hi,
>
> this patch will fix some issues Martin found in bz487296. I have
> disabled the use of the mozilla ldap libraries so far, because ldb is
> compiled with openldap libraries and it looks like the binaries will use
> the openldap calls.
>
> --without-tests currently just gives some error messages so I dropped it.
>
> To make sssd more user friendly, I have added two %doc files :).
>
> With this patch the current version builds with koji/mock.
>
> bye,
> Sumit

I've fixed the check for check.

Ack on the rest.

Jakub

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-minor-fixes-for-the-build-process.patch
Type: application/mbox
Size: 3231 bytes
Desc: not available
URL:

From sbose at redhat.com Fri Mar 6 10:24:33 2009
From: sbose at redhat.com (Sumit Bose) Date: Fri, 06 Mar 2009 11:24:33 +0100 Subject: [Freeipa-devel] [PATCH] minor fixes for the build process In-Reply-To: <1236333538.24549.7.camel@hendrix> References: <49B0EB2F.9030809@redhat.com> <1236333538.24549.7.camel@hendrix> Message-ID: <49B0F9E1.6050705@redhat.com> Jakub Hrozek wrote: > On Fri, 2009-03-06 at 10:21 +0100, Sumit Bose wrote: >> Hi, >> >> this patch will fix some issues Martin found in bz487296. I have >> disabled the use of the mozilla ldap libraries so far, because ldb is >> compiled with openldap libraries and it looks like the binaries will use >> the openldap calls. >> >> --without-tests currently just gives some error messages so I dropped it. >> >> To make sssd more user friendly, I have added two %doc files :). >> >> With this patch the current version builds with koji/mock. >> >> bye, >> Sumit > > I've fixed the check for check. > > Ack on the rest. > removed BUILD.txt from %doc, because packaging guidelines say build instructions shouldn't be included bye, Sumit -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-minor-fixes-for-the-build-process.patch URL: From sgallagh at redhat.com Fri Mar 6 11:13:24 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 06:13:24 -0500 Subject: [Freeipa-devel] [PATCH] Fix returning users from non-default domains In-Reply-To: <1236310944.21500.0.camel@localhost.localdomain> References: <1236310944.21500.0.camel@localhost.localdomain> Message-ID: <49B10554.4010303@redhat.com> Simo Sorce wrote: > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ack -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Fri Mar 6 11:33:13 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 06:33:13 -0500 Subject: [Freeipa-devel] [PATCH] minor fixes for the build process In-Reply-To: <49B0F9E1.6050705@redhat.com> References: <49B0EB2F.9030809@redhat.com> <1236333538.24549.7.camel@hendrix> <49B0F9E1.6050705@redhat.com> Message-ID: <49B109F9.3080208@redhat.com> Sumit Bose wrote: > Jakub Hrozek wrote: >> On Fri, 2009-03-06 at 10:21 +0100, Sumit Bose wrote: >>> Hi, >>> >>> this patch will fix some issues Martin found in bz487296. I have >>> disabled the use of the mozilla ldap libraries so far, because ldb is >>> compiled with openldap libraries and it looks like the binaries will use >>> the openldap calls. >>> >>> --without-tests currently just gives some error messages so I dropped it. >>> >>> To make sssd more user friendly, I have added two %doc files :). >>> >>> With this patch the current version builds with koji/mock. >>> >>> bye, >>> Sumit >> I've fixed the check for check. >> >> Ack on the rest. >> > > removed BUILD.txt from %doc, because packaging guidelines say build > instructions shouldn't be included > > bye, > Sumit > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Ack and pushed. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Fri Mar 6 12:34:19 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 07:34:19 -0500 Subject: [Freeipa-devel] [PATCH] Fix returning users from non-default domains In-Reply-To: <49B10554.4010303@redhat.com> References: <1236310944.21500.0.camel@localhost.localdomain> <49B10554.4010303@redhat.com> Message-ID: <49B1184B.8020701@redhat.com> Stephen Gallagher wrote: > Simo Sorce wrote: >> ------------------------------------------------------------------------ > >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > ack > Pushed -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sbose at redhat.com Fri Mar 6 12:36:28 2009 From: sbose at redhat.com (Sumit Bose) Date: Fri, 06 Mar 2009 13:36:28 +0100 Subject: [Freeipa-devel] [PATCH] added PAM default configuration to confdb_init_db Message-ID: <49B118CC.4060109@redhat.com> see $subject. bye, Sumit -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-added-PAM-default-configuration-to-confdb_init_db.patch URL: From sgallagh at redhat.com Fri Mar 6 12:41:59 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 07:41:59 -0500 Subject: [Freeipa-devel] [PATCH] added PAM default configuration to confdb_init_db In-Reply-To: <49B118CC.4060109@redhat.com> References: <49B118CC.4060109@redhat.com> Message-ID: <49B11A17.3050203@redhat.com> Sumit Bose wrote: > see $subject. > > bye, > Sumit > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel I overlooked this when I wrote that function in the first place, but could you do a NULL check on all of the val[0] assignments that call talloc_asprintf()? We should be handling out-of-memory properly. Passing a NULL value of val[0] *will* cause a segfault in confdb_add_param(). -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Fri Mar 6 12:44:31 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 07:44:31 -0500 Subject: [Freeipa-devel] [PATCH] added PAM default configuration to confdb_init_db In-Reply-To: <49B11A17.3050203@redhat.com> References: <49B118CC.4060109@redhat.com> <49B11A17.3050203@redhat.com> Message-ID: <49B11AAF.1080804@redhat.com> Stephen Gallagher wrote: > Sumit Bose wrote: >> see $subject. > >> bye, >> Sumit > > >> ------------------------------------------------------------------------ > >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > I overlooked this when I wrote that function in the first place, but > could you do a NULL check on all of the val[0] assignments that call > talloc_asprintf()? We should be handling out-of-memory properly. Passing > a NULL value of val[0] *will* cause a segfault in confdb_add_param(). > I take that back, it won't cause a segfault, but it still would cause unexpected behavior (falsely reporting success, since NULL is the loop terminator for the values). -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Fri Mar 6 13:13:40 2009
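The failure mode discussed in the two messages above (an unchecked allocation result stored as val[0] of a NULL-terminated value list), as an added example that is not part of the thread or of the SSSD sources. Assumptions: fmt_alloc() stands in for talloc_asprintf(), and add_param(), struct param_store and the "timeout" parameter are hypothetical, since the signature of confdb_add_param() does not appear in this thread.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_VALUES 8

/* Hypothetical store holding one parameter and its values. */
struct param_store {
    char name[64];
    char values[MAX_VALUES][64];
    int count;
};

/* Test hook: make the next fmt_alloc() call fail like an out-of-memory. */
static int fail_next_alloc = 0;

/* Stand-in for talloc_asprintf(): formatted string, or NULL on failure. */
static char *fmt_alloc(const char *fmt, ...)
{
    va_list ap;
    char *buf;
    int len;

    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    va_start(ap, fmt);
    len = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (len < 0)
        return NULL;
    buf = malloc((size_t)len + 1);
    if (buf == NULL)
        return NULL;
    va_start(ap, fmt);
    vsnprintf(buf, (size_t)len + 1, fmt, ap);
    va_end(ap);
    return buf;
}

/* Hypothetical "add parameter" call: walks values[] until the NULL
 * terminator and returns 0 on success. A NULL in slot 0 is
 * indistinguishable from an empty list, so nothing is stored and
 * the call still reports success. */
static int add_param(struct param_store *st, const char *name,
                     const char **values)
{
    int i;

    snprintf(st->name, sizeof(st->name), "%s", name);
    st->count = 0;
    for (i = 0; values[i] != NULL; i++) {
        if (i >= MAX_VALUES)
            return E2BIG;
        snprintf(st->values[i], sizeof(st->values[i]), "%s", values[i]);
        st->count++;
    }
    return 0;
}

/* Unchecked caller: an allocation failure silently becomes "no values". */
int init_unchecked(struct param_store *st, int timeout)
{
    const char *val[2];
    int ret;

    val[0] = fmt_alloc("%d", timeout);   /* may be NULL */
    val[1] = NULL;
    ret = add_param(st, "timeout", val);
    free((void *)val[0]);
    return ret;
}

/* Checked caller: the allocation failure is reported as ENOMEM. */
int init_checked(struct param_store *st, int timeout)
{
    const char *val[2];
    char *v = fmt_alloc("%d", timeout);
    int ret;

    if (v == NULL)
        return ENOMEM;
    val[0] = v;
    val[1] = NULL;
    ret = add_param(st, "timeout", val);
    free(v);
    return ret;
}

int main(void)
{
    struct param_store st;
    int ret;

    memset(&st, 0, sizeof(st));
    fail_next_alloc = 1;
    ret = init_unchecked(&st, 30);
    printf("unchecked: ret=%d stored=%d\n", ret, st.count);

    fail_next_alloc = 1;
    ret = init_checked(&st, 30);
    printf("checked:   ret=%d (ENOMEM=%d)\n", ret, ENOMEM);
    return 0;
}
```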
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 08:13:40 -0500 Subject: [Freeipa-devel] [PATCH] added PAM default configuration to confdb_init_db In-Reply-To: <49B11AAF.1080804@redhat.com> References: <49B118CC.4060109@redhat.com> <49B11A17.3050203@redhat.com> <49B11AAF.1080804@redhat.com> Message-ID: <49B12184.4010508@redhat.com> Stephen Gallagher wrote: > Stephen Gallagher wrote: >> Sumit Bose wrote: >>> see $subject. >>> bye, >>> Sumit > >>> ------------------------------------------------------------------------ >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> I overlooked this when I wrote that function in the first place, but >> could you do a NULL check on all of the val[0] assignments that call >> talloc_asprintf()? We should be handling out-of-memory properly. Passing >> a NULL value of val[0] *will* cause a segfault in confdb_add_param(). > > > I take that back, it won't cause a segfault, but it still would cause > unexpected behavior (falsely reporting success, since NULL is the loop > terminator for the values). > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > Also, I have one more change for you to add into the confdb_init_db() function: Please change the InfoPipe configuration to use "config/services/info" instead of "config/services/infp", as Simo and I decided on this earlier. There was a patch to fix this at some point, but I think it never got pushed. Also, there's a typo in the confdb.ldif, the cn=infp line should also be cn=info. Would you mind correcting these and rolling it into this patch?
-- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sbose at redhat.com Fri Mar 6 13:23:06 2009
From: sbose at redhat.com (Sumit Bose) Date: Fri, 06 Mar 2009 14:23:06 +0100 Subject: [Freeipa-devel] [PATCH] added PAM default configuration to confdb_init_db In-Reply-To: <49B12184.4010508@redhat.com> References: <49B118CC.4060109@redhat.com> <49B11A17.3050203@redhat.com> <49B11AAF.1080804@redhat.com> <49B12184.4010508@redhat.com> Message-ID: <49B123BA.8000306@redhat.com> Stephen Gallagher wrote: > Stephen Gallagher wrote: >> Stephen Gallagher wrote: >>> Sumit Bose wrote: >>>> see $subject. >>>> bye, >>>> Sumit >>>> ------------------------------------------------------------------------ >>>> _______________________________________________ >>>> Freeipa-devel mailing list >>>> Freeipa-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> I overlooked this when I wrote that function in the first place, but >>> could you do a NULL check on all of the val[0] assignments that call >>> talloc_asprintf()? We should be handling out-of-memory properly. Passing >>> a NULL value of val[0] *will* cause a segfault in confdb_add_param(). > >> I take that back, it won't cause a segfault, but it still would cause >> unexpected behavior (falsely reporting success, since NULL is the loop >> terminator for the values). > >> _______________________________________________ >> Freeipa-devel mailing list >> Freeipa-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-devel > > > > Also, I have one more change for you to add into the confdb_init_db() > function: > Please change the InfoPipe configuration to use "config/services/info" > instead of "config/services/infp", as Simo and I decided on this > earlier. There was a patch to fix this at some point, but I think it > never got pushed. > > Also, there's a typo in the confdb.ldif, the cn=infp line should also be > cn=info. > > Would you mind correcting these and rolling it into this patch? > patch with changes attached.
bye, Sumit -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-added-PAM-default-configuration-to-confdb_init_db.patch URL: From sgallagh at redhat.com Fri Mar 6 13:27:33 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 08:27:33 -0500 Subject: [Freeipa-devel] [PATCH] added PAM default configuration to confdb_init_db In-Reply-To: <49B123BA.8000306@redhat.com> References: <49B118CC.4060109@redhat.com> <49B11A17.3050203@redhat.com> <49B11AAF.1080804@redhat.com> <49B12184.4010508@redhat.com> <49B123BA.8000306@redhat.com> Message-ID: <49B124C5.2090000@redhat.com> Sumit Bose wrote: > Stephen Gallagher wrote: >> Stephen Gallagher wrote: >>> Stephen Gallagher wrote: >>>> Sumit Bose wrote: >>>>> see $subject. >>>>> bye, >>>>> Sumit >>>>> ------------------------------------------------------------------------ >>>>> _______________________________________________ >>>>> Freeipa-devel mailing list >>>>> Freeipa-devel at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>> I overlooked this when I wrote that function in the first place, but >>>> could you do a NULL check on all of the val[0] assignments that call >>>> talloc_asprintf()? We should be handling out-of-memory properly. Passing >>>> a NULL value of val[0] *will* cause a segfault in confdb_add_param(). >>> I take that back, it won't cause a segfault, but it still would cause >>> unexpected behavior (falsely reporting success, since NULL is the loop >>> terminator for the values). >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> >> >> Also, I have one more change for you to add into the confdb_init_db() >> function: >> Please change the InfoPipe configuration to use "config/services/info" >> instead of "config/services/infp", as Simo and I decided on this >> earlier. There was a patch to fix this at some point, but I think it >> never got pushed. >> >> Also, there's a typo in the confdb.ldif, the cn=infp line should also be >> cn=info.
>> >> Would you mind correcting these and rolling it into this patch? >> > > patch with changes attached. > > bye, > Sumit > ack and pushed. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Fri Mar 6 13:50:32 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 08:50:32 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Implement CreateUser in InfoPipe Message-ID: <49B12A28.7060202@redhat.com> Changed the order of the arguments to CreateUser in the Introspection XML to match the other functions (domain belongs second on the list). A few other minor fixes as well: Fixed a typo in SYSDB_GETCACHED_FILTER and sysdb_transaction_end(). Added missing error handling in infp_do_user_set_uid(). -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Implement-CreateUser-in-InfoPipe.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From sgallagh at redhat.com Fri Mar 6 14:42:57 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 09:42:57 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Add infp_req_init() function to simplify method setup Message-ID: <49B13671.8090801@redhat.com> Move some duplicated code into a common function to reduce the risk of copy-paste errors. (Note: this patch only applies cleanly atop my previous "Implement CreateUser in Infopipe" patch, which is not yet in the master) -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Add-infp_req_init-function-to-simplify-method-setu.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From sgallagh at redhat.com Fri Mar 6 15:14:16 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 10:14:16 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Add sbus_reply_internal_error() feature to sbus_message_handler() Message-ID: <49B13DC8.5080603@redhat.com> If an SBUS function returns an error code, we'll immediately return an error reply to the client stating "Internal Error" instead of ignoring the request and forcing the client to wait for a timeout. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Add-sbus_reply_internal_error-feature-to-sbus_mess.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From rcritten at redhat.com Fri Mar 6 15:32:28 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 06 Mar 2009 10:32:28 -0500 Subject: [Freeipa-devel] [PATCH] 142 Remove local DNA plugin Message-ID: <49B1420C.4060707@redhat.com> Remove the IPA dna plugin and use the DS one instead. The DS dna plugin does some configuration checking so we are dropping the cn=Posix subtree. All dna configuration will be stored in the same part of the tree. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-142-dna.patch Type: application/mbox Size: 50245 bytes Desc: not available URL: From jhrozek at redhat.com Fri Mar 6 16:04:23 2009 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 06 Mar 2009 17:04:23 +0100 Subject: [Freeipa-devel] [PATCH] sss_useradd In-Reply-To: <1236327516.21500.4.camel@localhost.localdomain> References: <1236327516.21500.4.camel@localhost.localdomain> Message-ID: <1236355463.13140.0.camel@hendrix> On Fri, 2009-03-06 at 03:18 -0500, Simo Sorce wrote: > I've taken up the skeleton made by Jakub and implemented a functioning > (tested) sss_useradd > > The name is temporary, suggestions to make it friendlier and shorter > are > very welcome. > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York Ack From sgallagh at redhat.com Fri Mar 6 16:13:36 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 11:13:36 -0500 Subject: [Freeipa-devel] [PATCH] sss_useradd In-Reply-To: <1236355463.13140.0.camel@hendrix> References: <1236327516.21500.4.camel@localhost.localdomain> <1236355463.13140.0.camel@hendrix> Message-ID: <49B14BB0.7010007@redhat.com> Jakub Hrozek wrote: > On Fri, 2009-03-06 at 03:18 -0500, Simo Sorce wrote: >> I've taken up the skeleton made by Jakub and implemented a functioning >> (tested) sss_useradd >> >> The name is temporary, suggestions to make it friendlier and shorter >> are >> very welcome. >> >> Simo. >> >> -- >> Simo Sorce * Red Hat, Inc * New York > > Ack > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Pushed to master -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Fri Mar 6 16:26:31 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 11:26:31 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Implement DeleteUser in the InfoPipe Message-ID: <49B14EB7.8040503@redhat.com> $SUBJECT says it all -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Implement-DeleteUser-in-the-InfoPipe.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From jhrozek at redhat.com Fri Mar 6 16:28:33 2009 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 06 Mar 2009 17:28:33 +0100 Subject: [Freeipa-devel] [PATCH][SSSD] Implement CreateUser in InfoPipe In-Reply-To: <49B12A28.7060202@redhat.com> References: <49B12A28.7060202@redhat.com> Message-ID: <1236356913.13140.2.camel@hendrix> On Fri, 2009-03-06 at 08:50 -0500, Stephen Gallagher wrote: > Changed the order of the arguments to CreateUser in the Introspection > XML to match the other functions (domain belongs second on the list). > > A few other minor fixes as well: > Fixed a typo in SYSDB_GETCACHED_FILTER and sysdb_transaction_end(). > > Added missing error handling in infp_do_user_set_uid(). Ack From jhrozek at redhat.com Fri Mar 6 16:28:57 2009 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 06 Mar 2009 17:28:57 +0100 Subject: [Freeipa-devel] [PATCH][SSSD] Add sbus_reply_internal_error() feature to sbus_message_handler() In-Reply-To: <49B13DC8.5080603@redhat.com> References: <49B13DC8.5080603@redhat.com> Message-ID: <1236356937.13140.4.camel@hendrix> On Fri, 2009-03-06 at 10:14 -0500, Stephen Gallagher wrote: > If an SBUS function returns an error code, we'll immediately > return an error reply to the client stating "Internal Error" > instead of ignoring the request and forcing the client to wait > for a timeout. Ack From ssorce at redhat.com Fri Mar 6 17:27:09 2009 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 06 Mar 2009 12:27:09 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Add infp_req_init() function to simplify method setup In-Reply-To: <49B13671.8090801@redhat.com> References: <49B13671.8090801@redhat.com> Message-ID: <1236360429.21500.11.camel@localhost.localdomain> On Fri, 2009-03-06 at 09:42 -0500, Stephen Gallagher wrote: > Move some duplicated code into a common function to reduce the risk of > copy-paste errors. > > (Note: this patch only applies cleanly atop my previous "Implement > CreateUser in Infopipe" patch, which is not yet in the master) ack -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Mar 6 17:28:35 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 06 Mar 2009 12:28:35 -0500 Subject: [Freeipa-devel] [PATCH] 142 Remove local DNA plugin In-Reply-To: <49B1420C.4060707@redhat.com> References: <49B1420C.4060707@redhat.com> Message-ID: <1236360515.21500.12.camel@localhost.localdomain> On Fri, 2009-03-06 at 10:32 -0500, Rob Crittenden wrote: > Remove the IPA dna plugin and use the DS one instead. The DS dna > plugin > does some configuration checking so we are dropping the cn=Posix > subtree. All dna configuration will be stored in the same part of the > tree. ack -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Mar 6 17:32:29 2009 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 06 Mar 2009 12:32:29 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Implement DeleteUser in the InfoPipe In-Reply-To: <49B14EB7.8040503@redhat.com> References: <49B14EB7.8040503@redhat.com> Message-ID: <1236360749.21500.13.camel@localhost.localdomain> On Fri, 2009-03-06 at 11:26 -0500, Stephen Gallagher wrote: > $SUBJECT says it all ack -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Mar 6 17:40:00 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 06 Mar 2009 12:40:00 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Implement CreateUser in InfoPipe In-Reply-To: <1236356913.13140.2.camel@hendrix> References: <49B12A28.7060202@redhat.com> <1236356913.13140.2.camel@hendrix> Message-ID: <1236361200.21500.14.camel@localhost.localdomain> On Fri, 2009-03-06 at 17:28 +0100, Jakub Hrozek wrote: > On Fri, 2009-03-06 at 08:50 -0500, Stephen Gallagher wrote: > > Changed the order of the arguments to CreateUser in the > Introspection > > XML to match the other functions (domain belongs second on the > list). > > > > A few other minor fixes as well: > > Fixed a typo in SYSDB_GETCACHED_FILTER and sysdb_transaction_end(). > > > > Added missing error handling in infp_do_user_set_uid(). > > Ack pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Mar 6 17:40:20 2009 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 06 Mar 2009 12:40:20 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Add infp_req_init() function to simplify method setup In-Reply-To: <1236360429.21500.11.camel@localhost.localdomain> References: <49B13671.8090801@redhat.com> <1236360429.21500.11.camel@localhost.localdomain> Message-ID: <1236361220.21500.15.camel@localhost.localdomain> On Fri, 2009-03-06 at 12:27 -0500, Simo Sorce wrote: > On Fri, 2009-03-06 at 09:42 -0500, Stephen Gallagher wrote: > > Move some duplicated code into a common function to reduce the risk > of > > copy-paste errors. > > > > (Note: this patch only applies cleanly atop my previous "Implement > > CreateUser in Infopipe" patch, which is not yet in the master) > > ack pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Mar 6 17:40:30 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 06 Mar 2009 12:40:30 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Add sbus_reply_internal_error() feature to sbus_message_handler() In-Reply-To: <1236356937.13140.4.camel@hendrix> References: <49B13DC8.5080603@redhat.com> <1236356937.13140.4.camel@hendrix> Message-ID: <1236361230.21500.16.camel@localhost.localdomain> On Fri, 2009-03-06 at 17:28 +0100, Jakub Hrozek wrote: > On Fri, 2009-03-06 at 10:14 -0500, Stephen Gallagher wrote: > > If an SBUS function returns an error code, we'll immediately > > return an error reply to the client stating "Internal Error" > > instead of ignoring the request and forcing the client to wait > > for a timeout. > > Ack pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Mar 6 17:40:41 2009 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 06 Mar 2009 12:40:41 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Implement DeleteUser in the InfoPipe In-Reply-To: <1236360749.21500.13.camel@localhost.localdomain> References: <49B14EB7.8040503@redhat.com> <1236360749.21500.13.camel@localhost.localdomain> Message-ID: <1236361241.21500.17.camel@localhost.localdomain> On Fri, 2009-03-06 at 12:32 -0500, Simo Sorce wrote: > > On Fri, 2009-03-06 at 11:26 -0500, Stephen Gallagher wrote: > > $SUBJECT says it all > > ack pushed -- Simo Sorce * Red Hat, Inc * New York From jhrozek at redhat.com Fri Mar 6 17:45:34 2009 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 06 Mar 2009 18:45:34 +0100 Subject: [Freeipa-devel] [PATCH] Specfile changes related to package review, package initscript Message-ID: <1236361534.13140.12.camel@hendrix> The attached patch addresses some of the concerns Martin had during the interview and adds an initscript as well. The ldap-module related build failures were already addressed by Sumit. I actually hit a problem with the initscript and wanted to discuss it - the script stops the sssd service by sending a TERM signal. However, this only stops the main sssd daemon, not the libexec children like sssd_dp although they have the same process group ID. I stumbled upon code in util/server.c where all the children in the process group are sent SIGTERM, so I'm not sure where the problem might be. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Specfile-changes-related-to-package-review-package.patch Type: application/mbox Size: 6556 bytes Desc: not available URL: From sgallagh at redhat.com Fri Mar 6 19:37:30 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 14:37:30 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Implement CreateGroup in InfoPipe Message-ID: <49B17B7A.2060909@redhat.com> $SUBJECT Also fixed two trivial bugs in CreateUser. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Implement-CreateGroup-in-InfoPipe.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From jhrozek at redhat.com Fri Mar 6 20:26:06 2009
From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 06 Mar 2009 21:26:06 +0100 Subject: [Freeipa-devel] [PATCH] sss_userdel Message-ID: <1236371166.13140.17.camel@hendrix> Here finally goes sss_userdel. Since we now have two complementary tools, also install them in sbin and own them in the specfile. I've tested deleting both existing and non-existing users, if there are any other tests that should be done, please shout (I'm actually thinking about writing a simple testsuite for the tools). Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-sss_userdel.patch Type: application/mbox Size: 8192 bytes Desc: not available URL: From sgallagh at redhat.com Fri Mar 6 20:46:06 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 15:46:06 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Implement DeleteGroup in InfoPipe Message-ID: <49B18B8E.9060101@redhat.com> $SUBJECT -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Implement-DeleteGroup-in-InfoPipe.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From jhrozek at redhat.com Fri Mar 6 20:58:16 2009
From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 06 Mar 2009 21:58:16 +0100 Subject: [Freeipa-devel] [PATCH] Specfile changes related to package review, package initscript In-Reply-To: <1236361534.13140.12.camel@hendrix> References: <1236361534.13140.12.camel@hendrix> Message-ID: <1236373096.13140.22.camel@hendrix> On Fri, 2009-03-06 at 18:45 +0100, Jakub Hrozek wrote: > The attached patch addresses some of the concerns Martin had during > the > interview and adds an initscript as well. The ldap-module related > build > failures were already addressed by Sumit. Stephen suggested off-list that instead of %{_initrddir}/%{name} we should use %{_initrddir}/%{servicename}. I added this change, I also added a ldconfig call in %post and %postun, because we now ship libraries in %{_lib}, so Fedora packaging guidelines now require us to do so. -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Specfile-changes-related-to-package-review-package.patch Type: application/mbox Size: 6774 bytes Desc: not available URL: From sgallagh at redhat.com Fri Mar 6 21:07:40 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 16:07:40 -0500 Subject: [Freeipa-devel] [PATCH] sss_userdel In-Reply-To: <1236371166.13140.17.camel@hendrix> References: <1236371166.13140.17.camel@hendrix> Message-ID: <49B1909C.6060501@redhat.com> Jakub Hrozek wrote: > Here finally goes sss_userdel. Since we now have two complementary > tools, also install them in sbin and own them in the specfile. > > I've tested deleting both existing and non-existing user, if there are > any other tests that should be done, please shout (I'm actually thinking > about writing a simple testsuite for the tools). > > Jakub Ack and pushed to master. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Fri Mar 6 21:33:34 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 16:33:34 -0500 Subject: [Freeipa-devel] A In-Reply-To: <1236373096.13140.22.camel@hendrix> References: <1236361534.13140.12.camel@hendrix> <1236373096.13140.22.camel@hendrix> Message-ID: <49B196AE.1040402@redhat.com> Jakub Hrozek wrote: > On Fri, 2009-03-06 at 18:45 +0100, Jakub Hrozek wrote: >> The attached patch addresses some of the concerns Martin had during >> the >> interview and adds an initscript as well. The ldap-module related >> build >> failures were already addressed by Sumit. > > Stephen suggested off-list that instead of %{_initrddir}/%{name} we > should use %{_initrddir}/%{servicename}. I added this change, I also > added a ldconfig call in %post and %postun, because we now ship > libraries in %{_lib}, so Fedora packaging guidelines now require us to > do so. Ack and pushed to master. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Fri Mar 6 21:35:02 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 16:35:02 -0500 Subject: [Freeipa-devel] [PATCH] Specfile changes related to package review, package initscript (Was: Re: [Freeipa-devel] A) In-Reply-To: <49B196AE.1040402@redhat.com> References: <1236361534.13140.12.camel@hendrix> <1236373096.13140.22.camel@hendrix> <49B196AE.1040402@redhat.com> Message-ID: <49B19706.9080405@redhat.com> Stephen Gallagher wrote: > Jakub Hrozek wrote: >> On Fri, 2009-03-06 at 18:45 +0100, Jakub Hrozek wrote: >>> The attached patch addresses some of the concerns Martin had during >>> the >>> interview and adds an initscript as well. The ldap-module related >>> build >>> failures were already addressed by Sumit. >> Stephen suggested off-list that instead of %{_initrddir}/%{name} we >> should use %{_initrddir}/%{servicename}. I added this change, I also >> added a ldconfig call in %post and %postun, because we now ship >> libraries in %{_lib}, so Fedora packaging guidelines now require us to >> do so. > > Ack and pushed to master. > Accidentally changed the subject line. Resending to make sure the context is clear. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From jhrozek at redhat.com Fri Mar 6 21:52:47 2009 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 06 Mar 2009 22:52:47 +0100 Subject: [Freeipa-devel] [PATCH][SSSD] Implement CreateGroup in InfoPipe In-Reply-To: <49B17B7A.2060909@redhat.com> References: <49B17B7A.2060909@redhat.com> Message-ID: <1236376367.13140.24.camel@hendrix> On Fri, 2009-03-06 at 14:37 -0500, Stephen Gallagher wrote: > $SUBJECT > > Also fixed two trivial bugs in CreateUser. Ack. From jhrozek at redhat.com Fri Mar 6 21:53:03 2009 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 06 Mar 2009 22:53:03 +0100 Subject: [Freeipa-devel] [PATCH][SSSD] Implement DeleteGroup in InfoPipe In-Reply-To: <49B18B8E.9060101@redhat.com> References: <49B18B8E.9060101@redhat.com> Message-ID: <1236376383.13140.26.camel@hendrix> On Fri, 2009-03-06 at 15:46 -0500, Stephen Gallagher wrote: > $SUBJECT > Ack. From jderose at redhat.com Fri Mar 6 22:16:54 2009 
From: jderose at redhat.com (Jason Gerard DeRose) Date: Fri, 06 Mar 2009 15:16:54 -0700 Subject: [Freeipa-devel] LDAP connections and the new ldap backend plugin In-Reply-To: <1236265432.6848.5.camel@localhost.localdomain> References: <1236061376.6616.675.camel@jgd-dsk> <49AD518D.9010303@redhat.com> <1236096143.6598.1.camel@jgd-dsk> <49AEB256.3000009@redhat.com> <1236265432.6848.5.camel@localhost.localdomain> Message-ID: <1236377814.10475.56.camel@jgd-dsk> On Thu, 2009-03-05 at 10:03 -0500, Simo Sorce wrote: > On Wed, 2009-03-04 at 11:54 -0500, Rob Crittenden wrote: > > Jason Gerard DeRose wrote: > > > On Tue, 2009-03-03 at 08:49 -0700, Rich Megginson wrote: > > >> I'm not sure I understand. If the connection object is > > >> ipaserver.ipaldap.IPAdmin which is a subclass of SimpleLDAPObject, can't > > >> the connection object be "cast" and used directly as a > > >> SimpleLDAPObject? Or does the IPA code change/overload the methods such > > >> that it is not usable any more as a SimpleLDAPObject? > > > > > > The subclass overrides methods, so code written against SimpleLDAPObject > > > would probably break. > > > > My concern is that we use this object in more places than just the > > XML-RPC server. What is this going to mean for those? I suppose just > > more complicated setup code though I guess we could write a few methods > > to handle that. > > > > How do you propose handling the other methods in IPAdmin such as > > getEntry, deleteEntry, etc? > > I am wondering if we should really worry that plugins can't use our ldap > object. > > Existing code would probably have to be adapted to our tree/conventions, > otherwise it will probably do something stupid with the tree anyway. > I am wondering if actually forcing adaptation of the code is actually a > good idea so that people don't throw garbage in ? I'm talking about gluing existing code into IPA via a site-specific or 3rd-party plugin... 
the plugin need not be in our source tree and can import code from Python modules maintained in still other trees. Because the python-ldap bindings are the standard Python interface to LDAP, I think people will appreciate that we allow them to use that interface directly. I think lots of sysadmins have small scripts and libraries they would like to be able to integrate with IPA without a major rewrite. Keeping this layer separated will also make my favorite thing easier: unit testing. ;) > Simo. > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part URL: From jderose at redhat.com Fri Mar 6 22:26:58 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Fri, 06 Mar 2009 15:26:58 -0700 Subject: [Freeipa-devel] [PATCH] 142 Remove local DNA plugin In-Reply-To: <49B1420C.4060707@redhat.com> References: <49B1420C.4060707@redhat.com> Message-ID: <1236378418.10475.59.camel@jgd-dsk> On Fri, 2009-03-06 at 10:32 -0500, Rob Crittenden wrote: > Remove the IPA dna plugin and use the DS one instead. The DS dna plugin > does some configuration checking so we are dropping the cn=Posix > subtree. All dna configuration will be stored in the same part of the tree. > > rob ack. Rob did it, it must be right. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part URL: From rcritten at redhat.com Fri Mar 6 22:37:58 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 06 Mar 2009 17:37:58 -0500 Subject: [Freeipa-devel] [PATCH] 142 Remove local DNA plugin In-Reply-To: <1236378418.10475.59.camel@jgd-dsk> References: <49B1420C.4060707@redhat.com> <1236378418.10475.59.camel@jgd-dsk> Message-ID: <49B1A5C6.5000805@redhat.com> Jason Gerard DeRose wrote: > On Fri, 2009-03-06 at 10:32 -0500, Rob Crittenden wrote: >> Remove the IPA dna plugin and use the DS one instead. The DS dna plugin >> does some configuration checking so we are dropping the cn=Posix >> subtree. All dna configuration will be stored in the same part of the tree. >> >> rob > > ack. > > Rob did it, it must be right. What a show of confidence! pushed to master From jderose at redhat.com Fri Mar 6 22:43:07 2009 
From: jderose at redhat.com (Jason Gerard DeRose) Date: Fri, 06 Mar 2009 15:43:07 -0700 Subject: [Freeipa-devel] LDAP connections and the new ldap backend plugin In-Reply-To: <49AEB256.3000009@redhat.com> References: <1236061376.6616.675.camel@jgd-dsk> <49AD518D.9010303@redhat.com> <1236096143.6598.1.camel@jgd-dsk> <49AEB256.3000009@redhat.com> Message-ID: <1236379387.10475.65.camel@jgd-dsk> On Wed, 2009-03-04 at 11:54 -0500, Rob Crittenden wrote: > Jason Gerard DeRose wrote: > > On Tue, 2009-03-03 at 08:49 -0700, Rich Megginson wrote: > >> I'm not sure I understand. If the connection object is > >> ipaserver.ipaldap.IPAdmin which is a subclass of SimpleLDAPObject, can't > >> the connection object be "cast" and used directly as a > >> SimpleLDAPObject? Or does the IPA code change/overload the methods such > >> that it is not usable any more as a SimpleLDAPObject? > > > > The subclass overrides methods, so code written against SimpleLDAPObject > > would probably break. > > My concern is that we use this object in more places than just the > XML-RPC server. What is this going to mean for those? I suppose just > more complicated setup code though I guess we could write a few methods > to handle that. So do you mean the installer? We can preserve the current IPAdmin class till when/if we integrate the installer more closely with the plugin architecture. > How do you propose handling the other methods in IPAdmin such as > getEntry, deleteEntry, etc? The equivalent to all these methods will be implemented on the ldap2 backend plugin... they will be very similar, just won't be implemented in a subclass as done currently. > rob -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part URL: From sgallagh at redhat.com Fri Mar 6 22:52:46 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 17:52:46 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Implement CreateGroup in InfoPipe In-Reply-To: <1236376367.13140.24.camel@hendrix> References: <49B17B7A.2060909@redhat.com> <1236376367.13140.24.camel@hendrix> Message-ID: <49B1A93E.8050900@redhat.com> Jakub Hrozek wrote: > On Fri, 2009-03-06 at 14:37 -0500, Stephen Gallagher wrote: >> $SUBJECT >> >> Also fixed two trivial bugs in CreateUser. > > Ack. > Pushed to master. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Fri Mar 6 22:52:59 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 17:52:59 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Implement DeleteGroup in InfoPipe In-Reply-To: <1236376383.13140.26.camel@hendrix> References: <49B18B8E.9060101@redhat.com> <1236376383.13140.26.camel@hendrix> Message-ID: <49B1A94B.6030808@redhat.com> Jakub Hrozek wrote: > On Fri, 2009-03-06 at 15:46 -0500, Stephen Gallagher wrote: >> $SUBJECT >> > > Ack. > Pushed to master. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From jhrozek at redhat.com Fri Mar 6 23:37:35 2009 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Sat, 07 Mar 2009 00:37:35 +0100 Subject: [Freeipa-devel] [PATCH] sss_groupadd Message-ID: <1236382655.13140.38.camel@hendrix> att. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-sss_groupadd.patch Type: application/mbox Size: 6485 bytes Desc: not available URL: From jhrozek at redhat.com Fri Mar 6 23:38:07 2009 From: jhrozek at redhat.com (Jakub Hrozek) Date: Sat, 07 Mar 2009 00:38:07 +0100 Subject: [Freeipa-devel] [PATCH] sss_groupdel Message-ID: <1236382687.13140.40.camel@hendrix> att. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-sss_groupdel.patch Type: application/mbox Size: 7832 bytes Desc: not available URL: From sgallagh at redhat.com Sat Mar 7 00:31:00 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 19:31:00 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Fix race condition with initial sysdb creation Message-ID: <49B1C044.40305@redhat.com> When the sysdb LDB file does not exist on the system, the first attempt to connect to it will invoke a creation routine. However, both the NSS and the InfoPipe are started in parallel by the monitor, resulting in a race condition as they both try to initialize the sysdb. The easiest fix for this is to simply have the monitor create the sysdb before it launches NSS and InfoPipe. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Fix-race-condition-with-initial-sysdb-creation.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From sgallagh at redhat.com Sat Mar 7 00:37:45 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 19:37:45 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Implement AddGroupMembers in the InfoPipe Message-ID: <49B1C1D9.9070704@redhat.com> $SUBJECT -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Implement-AddGroupMembers-in-the-InfoPipe.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From sgallagh at redhat.com Sat Mar 7 00:50:52 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 19:50:52 -0500 Subject: [Freeipa-devel] [PATCH] sss_groupdel In-Reply-To: <1236382687.13140.40.camel@hendrix> References: <1236382687.13140.40.camel@hendrix> Message-ID: <49B1C4EC.9050306@redhat.com> Jakub Hrozek wrote: > att. > > Jakub Nack. Don't use sysdb_delete_group_by_gid(), it's a wrapper function around sysdb_delete_entry() that just does a lookup for the gid and converts it back into a name. I missed this in your sss_userdel patch as well, but that's already pushed. So please fix both in the corrections to this patch. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Sat Mar 7 00:51:40 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 19:51:40 -0500 Subject: [Freeipa-devel] [PATCH] sss_groupadd In-Reply-To: <1236382655.13140.38.camel@hendrix> References: <1236382655.13140.38.camel@hendrix> Message-ID: <49B1C51C.6000109@redhat.com> Jakub Hrozek wrote: > att. > > Jakub Ack and pushed. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Sat Mar 7 01:24:12 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 20:24:12 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Implement AddGroupMembers in the InfoPipe In-Reply-To: <49B1C1D9.9070704@redhat.com> References: <49B1C1D9.9070704@redhat.com> Message-ID: <49B1CCBC.1040406@redhat.com> Stephen Gallagher wrote: > $SUBJECT I am rescinding the original version of this patch and replacing it with a new version that includes both AddGroupMembers and RemoveGroupMembers. Since the code necessary to handle them differed only by the name of a single function call, I made them both wrappers around a common procedure. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Implement-AddGroupMembers-and-RemoveGroupMembers-in.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From sgallagh at redhat.com Sat Mar 7 01:27:25 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 06 Mar 2009 20:27:25 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Implement AddGroupMembers in the InfoPipe In-Reply-To: <49B1CCBC.1040406@redhat.com> References: <49B1C1D9.9070704@redhat.com> <49B1CCBC.1040406@redhat.com> Message-ID: <49B1CD7D.9080408@redhat.com> Stephen Gallagher wrote: > Stephen Gallagher wrote: >> $SUBJECT > > I am rescinding the original version of this patch and replacing it with > a new version that includes both AddGroupMembers and RemoveGroupMembers. > Since the code necessary to handle them differed only by the name of a > single function call, I made them both wrappers around a common procedure. One more version. Forgot to update the permission check to reflect the correct modification type. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Implement-AddGroupMembers-and-RemoveGroupMembers-in.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From ssorce at redhat.com Sat Mar 7 06:27:00 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Sat, 7 Mar 2009 01:27:00 -0500 (EST) Subject: [Freeipa-devel] [PATCH] sss_groupdel In-Reply-To: <1236382687.13140.40.camel@hendrix> Message-ID: <972790273.1152881236407220913.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> "Jakub Hrozek" wrote: > > att. > q: why do you perform a getgrnam and then a delete by gid instead of directly calling sysdb_delete_entry() ? Simo. From ssorce at redhat.com Sat Mar 7 06:29:44 2009 From: ssorce at redhat.com (Simo Sorce) Date: Sat, 7 Mar 2009 01:29:44 -0500 (EST) Subject: [Freeipa-devel] [PATCH][SSSD] Fix race condition with initial sysdb creation In-Reply-To: <49B1C044.40305@redhat.com> Message-ID: <1730456497.1152911236407384897.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> "Stephen Gallagher" wrote: > When the sysdb LDB file does not exist on the system, the first > attempt to connect to it will invoke a creation routine. However, > both the NSS and the InfoPipe are started in parallel by the > monitor, resulting in a race condition as they both try to > initialize the sysdb. The easiest fix for this is to simply have > the monitor create the sysdb before it launches NSS and InfoPipe. ack Simo. From jhrozek at redhat.com Sat Mar 7 13:04:58 2009 
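Added example, not part of any message in this thread and not SSSD code: a deterministic C model of the check-then-create race described in the "Fix race condition with initial sysdb creation" patch, and of the fix of letting the monitor create the database before the services start. The file format, the function names and the duplicate-record outcome are assumptions chosen to make a double initialization visible; the real sysdb is an LDB file with its own creation routine.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed model: the "sysdb" is a text file, one line per base record. */
#define REC_PREFIX "base-record "

struct service {
    const char *name;  /* who is connecting ("nss", "infopipe") */
    int saw_missing;   /* what the existence check returned */
};

static int db_exists(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

/* Creation routine: appends the base record, creating the file (0600) if needed. */
static int db_create(const char *path, const char *creator)
{
    char rec[128];
    int len = snprintf(rec, sizeof rec, REC_PREFIX "created-by=%s\n", creator);
    int fd;
    ssize_t n;

    if (len < 0 || (size_t)len >= sizeof rec)
        return -1;
    fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0)
        return -1;
    n = write(fd, rec, (size_t)len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Step 1 of a connect: look for the database. */
static void svc_check(struct service *s, const char *path)
{
    s->saw_missing = !db_exists(path);
}

/* Step 2 of a connect: act on what step 1 saw, even if that is stale by now. */
static int svc_connect(struct service *s, const char *path)
{
    if (s->saw_missing)
        return db_create(path, s->name);
    return db_exists(path) ? 0 : -1;
}

static int count_base_records(const char *path)
{
    char line[256];
    int n = 0;
    FILE *f = fopen(path, "r");

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, REC_PREFIX, sizeof REC_PREFIX - 1) == 0)
            n++;
    fclose(f);
    return n;
}

/*
 * Starts two services whose connect steps interleave the way parallel
 * processes can: both check before either creates. Returns the number of
 * base records left in the file (1 is correct), or -1 on error.
 * `path` is a scratch file owned by the caller; it is removed afterwards.
 */
int start_services(const char *path, int monitor_creates_first)
{
    struct service nss = { "nss", 0 }, ifp = { "infopipe", 0 };
    int records = -1;

    unlink(path);
    if (monitor_creates_first && db_create(path, "monitor") != 0)
        goto done;

    svc_check(&nss, path);
    svc_check(&ifp, path);          /* still sees "missing" in the racy case */
    if (svc_connect(&nss, path) != 0 || svc_connect(&ifp, path) != 0)
        goto done;
    records = count_base_records(path);
done:
    unlink(path);
    return records;
}

int main(void)
{
    printf("parallel start, no pre-creation: %d base records\n",
           start_services("sysdb-demo.ldb", 0));
    printf("monitor creates first:           %d base records\n",
           start_services("sysdb-demo.ldb", 1));
    return 0;
}
```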
From: jhrozek at redhat.com (Jakub Hrozek) Date: Sat, 07 Mar 2009 14:04:58 +0100 Subject: [Freeipa-devel] [PATCH] sss_groupdel In-Reply-To: <49B1C4EC.9050306@redhat.com> References: <1236382687.13140.40.camel@hendrix> <49B1C4EC.9050306@redhat.com> Message-ID: <1236431098.5575.1.camel@hendrix> On Fri, 2009-03-06 at 19:50 -0500, Stephen Gallagher wrote: > Nack. Don't use sysdb_delete_group_by_gid(), it's a wrapper function > around sysdb_delete_entry() that just does a lookup for the gid and > converts it back into a name. I missed this in your sss_userdel patch > as > well, but that's already pushed. So please fix both in the corrections > to this patch. attached -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-sss_groupdel-delete-by-DN-in-sss_userdel.patch Type: application/mbox Size: 10286 bytes Desc: not available URL: From sgallagh at redhat.com Sat Mar 7 14:09:23 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Sat, 07 Mar 2009 09:09:23 -0500 Subject: [Freeipa-devel] [PATCH] sss_groupdel In-Reply-To: <1236431098.5575.1.camel@hendrix> References: <1236382687.13140.40.camel@hendrix> <49B1C4EC.9050306@redhat.com> <1236431098.5575.1.camel@hendrix> Message-ID: <49B28013.3030405@redhat.com> Jakub Hrozek wrote: > On Fri, 2009-03-06 at 19:50 -0500, Stephen Gallagher wrote: >> Nack. Don't use sysdb_delete_group_by_gid(), it's a wrapper function >> around sysdb_delete_entry() that just does a lookup for the gid and >> converts it back into a name. I missed this in your sss_userdel patch >> as >> well, but that's already pushed. So please fix both in the corrections >> to this patch. > > attached Ack and pushed to master. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Sat Mar 7 14:09:41 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Sat, 07 Mar 2009 09:09:41 -0500 Subject: [Freeipa-devel] [PATCH][SSSD] Fix race condition with initial sysdb creation In-Reply-To: <1730456497.1152911236407384897.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <1730456497.1152911236407384897.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <49B28025.5040100@redhat.com> Simo Sorce wrote: > "Stephen Gallagher" wrote: > >> When the sysdb LDB file does not exist on the system, the first >> attempt to connect to it will invoke a creation routine. However, >> both the NSS and the InfoPipe are started in parallel by the >> monitor, resulting in a race condition as they both try to >> initialize the sysdb. The easiest fix for this is to simply have >> the monitor create the sysdb before it launches NSS and InfoPipe. > > ack > > Simo. Pushed to master -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sbose at redhat.com Sat Mar 7 22:33:44 2009 From: sbose at redhat.com (Sumit Bose) Date: Sat, 07 Mar 2009 23:33:44 +0100 Subject: [Freeipa-devel] setting default domain Message-ID: <49B2F648.40304@redhat.com> Hi, while playing around with sssd I recognized that the default domain for NSS is empty in the default configuration. It is not set in confdb_init_db and the supplied value in nss_init_domains is NULL. I think it should be set in one place or the other, because e.g. ssh will not work without it. bye, Sumit From jhrozek at redhat.com Sun Mar 8 13:36:40 2009 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Sun, 08 Mar 2009 14:36:40 +0100 Subject: [Freeipa-devel] [PATCH] Clients subpackage Message-ID: <1236519400.8321.12.camel@hendrix> This patch splits the sssd rpm into sssd and sssd-client as discussed on IRC and in the review request. The -client package now contains the userspace tools as well as the NSS and PAM libraries (i.e. stuff built from sssd/sss_client subdirectory) Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-Clients-subpackage.patch Type: application/mbox Size: 2357 bytes Desc: not available URL: From jhrozek at redhat.com Sun Mar 8 13:37:22 2009 From: jhrozek at redhat.com (Jakub Hrozek) Date: Sun, 08 Mar 2009 14:37:22 +0100 Subject: [Freeipa-devel] [PATCH] Fix initialization problems in tools Message-ID: <1236519442.8321.13.camel@hendrix> This patch initializes variables on defining them. If the tools failed at some point and went to fini, they attempted to free the variables which had undefined values, resulting in segfault (Sumit actually discovered this - quick reproducer is running i.e. useradd or groupadd tool as non-root) Also, allocation of group_ctx and tools_ctx in groupadd was reversed. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-initialization-problems-in-useradd-and-groupadd.patch Type: application/mbox Size: 2996 bytes Desc: not available URL: From jhrozek at redhat.com Sun Mar 8 13:44:30 2009 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Sun, 08 Mar 2009 14:44:30 +0100 Subject: [Freeipa-devel] [PATCH] Clients subpackage In-Reply-To: <1236519400.8321.12.camel@hendrix> References: <1236519400.8321.12.camel@hendrix> Message-ID: <1236519870.8321.15.camel@hendrix> On Sun, 2009-03-08 at 14:36 +0100, Jakub Hrozek wrote: > This patch splits the sssd rpm into sssd and sssd-client as discussed on > IRC and in the review request. > > The -client package now contains the userspace tools as well as the NSS > and PAM libraries (i.e. stuff built from sssd/sss_client subdirectory) > > Jakub This incarnation of the patch also moves the ldconfig calls in %post and %postun into %post client and %postun client Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-Clients-subpackage.patch Type: application/mbox Size: 2608 bytes Desc: not available URL: From sgallagh at redhat.com Sun Mar 8 14:09:01 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Sun, 08 Mar 2009 10:09:01 -0400 Subject: [Freeipa-devel] setting default domain In-Reply-To: <49B2F648.40304@redhat.com> References: <49B2F648.40304@redhat.com> Message-ID: <49B3D17D.3040603@redhat.com> Sumit Bose wrote: > Hi, > > while playing around with sssd I recognized that the default domain for > NSS is empty in the default configuration. It is not set in > confdb_init_db and the supplied value in nss_init_domains is NULL. I > think it should be set in one place or the other, because e.g. ssh will > not work without it. > > bye, > Sumit See attached patch. It belongs in confdb_init_db, because there may be non-NSS features of the SSSD that will require this information. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Use-LOCAL-for-the-default-domain-in-confdb_init_db.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From sgallagh at redhat.com Sun Mar 8 14:13:41 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Sun, 08 Mar 2009 10:13:41 -0400 Subject: [Freeipa-devel] [PATCH] Clients subpackage In-Reply-To: <1236519870.8321.15.camel@hendrix> References: <1236519400.8321.12.camel@hendrix> <1236519870.8321.15.camel@hendrix> Message-ID: <49B3D295.1010808@redhat.com> Jakub Hrozek wrote: > On Sun, 2009-03-08 at 14:36 +0100, Jakub Hrozek wrote: >> This patch splits the sssd rpm into sssd and sssd-client as discussed on >> IRC and in the review request. >> >> The -client package now contains the userspace tools as well as the NSS >> and PAM libraries (i.e. stuff built from sssd/sss_client subdirectory) >> >> Jakub > > This incarnation of the patch also moves the ldconfig calls in %post and > %postun into %post client and %postun client > > Jakub Ack and pushed to master. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Sun Mar 8 14:15:10 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Sun, 08 Mar 2009 10:15:10 -0400 Subject: [Freeipa-devel] [PATCH] Fix initialization problems in tools In-Reply-To: <1236519442.8321.13.camel@hendrix> References: <1236519442.8321.13.camel@hendrix> Message-ID: <49B3D2EE.9010207@redhat.com> Jakub Hrozek wrote: > This patch initializes variables on defining them. If the tools failed > at some point and went to fini, they attempted to free the variables > which had undefined values, resulting in segfault (Sumit actually > discovered this - quick reproducer is running i.e. useradd or groupadd > tool as non-root) > > Also, allocation of group_ctx and tools_ctx in groupadd was reversed. > > Jakub Ack and pushed to master. -- Stephen Gallagher RHCE 804006346421761 From sgallagh at redhat.com Sun Mar 8 15:21:06 2009
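The failure mode described in the "Fix initialization problems in tools" thread above, as an added example that is not taken from the patch or from the SSSD sources: every pointer released at the fini label starts out NULL, so an early exit (for instance a non-root run) frees nothing it never allocated. The structure layouts, groupadd_like(), the fail_at switch and the allocation order are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the contexts a tool like groupadd sets up. */
struct tools_ctx { int verbose; };
struct group_ctx { struct tools_ctx *tools; char *groupname; };

/* Points at which this constructed run is made to fail. */
enum fail_at { FAIL_NONE, FAIL_PRIVILEGE, FAIL_TOOLS_CTX, FAIL_GROUP_CTX, FAIL_NAME };

static int live_frees;   /* number of non-NULL pointers released at fini */

static void release(void *p)
{
    if (p != NULL) {
        live_frees++;
    }
    free(p);             /* free(NULL) is a defined no-op */
}

int live_frees_in_last_run(void)
{
    return live_frees;
}

int groupadd_like(const char *name, enum fail_at fail)
{
    /* Declared without "= NULL", these would hold indeterminate values on
     * an early "goto fini", and passing them to free() is undefined
     * behaviour (in practice the segfault the thread reports). */
    struct tools_ctx *tctx = NULL;
    struct group_ctx *gctx = NULL;
    int ret;

    live_frees = 0;

    if (fail == FAIL_PRIVILEGE) {        /* e.g. the tool was run as non-root */
        ret = EPERM;
        goto fini;
    }

    tctx = (fail == FAIL_TOOLS_CTX) ? NULL : calloc(1, sizeof(*tctx));
    if (tctx == NULL) {
        ret = ENOMEM;
        goto fini;
    }

    /* calloc zeroes gctx->groupname, so fini can release it unconditionally */
    gctx = (fail == FAIL_GROUP_CTX) ? NULL : calloc(1, sizeof(*gctx));
    if (gctx == NULL) {
        ret = ENOMEM;
        goto fini;
    }
    gctx->tools = tctx;

    gctx->groupname = (fail == FAIL_NAME) ? NULL : malloc(strlen(name) + 1);
    if (gctx->groupname == NULL) {
        ret = ENOMEM;
        goto fini;
    }
    strcpy(gctx->groupname, name);

    ret = 0;

fini:
    /* Single exit path: safe at every failure point because nothing here
     * is ever read before it has been given a defined value. */
    if (gctx != NULL) {
        release(gctx->groupname);
    }
    release(gctx);
    release(tctx);
    return ret;
}

int main(void)
{
    int ret = groupadd_like("staff", FAIL_PRIVILEGE);
    printf("early failure: ret=%d, live frees=%d\n", ret, live_frees_in_last_run());
    ret = groupadd_like("staff", FAIL_NONE);
    printf("success:       ret=%d, live frees=%d\n", ret, live_frees_in_last_run());
    return 0;
}
```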
From: sgallagh at redhat.com (Stephen Gallagher) Date: Sun, 08 Mar 2009 11:21:06 -0400 Subject: [Freeipa-devel] setting default domain In-Reply-To: <49B3E1AF.70305@redhat.com> References: <49B2F648.40304@redhat.com> <49B3D17D.3040603@redhat.com> <49B3E1AF.70305@redhat.com> Message-ID: <49B3E262.8070002@redhat.com> Sumit Bose wrote: > Stephen Gallagher wrote: >> Sumit Bose wrote: >>> Hi, >>> >>> while playing around with sssd I recognized that the default domain for >>> NSS is empty in the default configuration. It is not set in >>> confdb_init_db and the supplied value in nss_init_domains is NULL. I >>> think it should be set in one place or the other, because e.g. ssh will >>> not work without it. >>> >>> bye, >>> Sumit >> See attached patch. It belongs in confdb_init_db, because there may be >> non-NSS features of the SSSD that will require this information. > > ack, but an additional "if (ret != EOK) goto done;" would look nice, too. > > bye, > Sumit Fixed and pushed to master (trivial enough change not to resubmit for code review) -- Stephen Gallagher RHCE 804006346421761 From jhrozek at redhat.com Sun Mar 8 20:47:09 2009
From: jhrozek at redhat.com (Jakub Hrozek) Date: Sun, 08 Mar 2009 21:47:09 +0100 Subject: [Freeipa-devel] [PATCH] defattr Message-ID: <1236545229.13030.2.camel@hendrix> While splitting the RPM into sssd and sssd-client, I forgot to add defattr definition to the %files client section. This one-line patch fixes that. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-defattr.patch Type: application/mbox Size: 603 bytes Desc: not available URL: From sgallagh at redhat.com Sun Mar 8 21:02:02 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Sun, 08 Mar 2009 17:02:02 -0400 Subject: [Freeipa-devel] [PATCH] defattr In-Reply-To: <1236545229.13030.2.camel@hendrix> References: <1236545229.13030.2.camel@hendrix> Message-ID: <49B4324A.9070909@redhat.com> Jakub Hrozek wrote: > While splitting the RPM into sssd and sssd-client, I forgot to add > defattr definition to the %files client section. This one-line patch > fixes that. > > Jakub Ack and pushed to master. -- Stephen Gallagher RHCE 804006346421761 From sgallagh at redhat.com Sun Mar 8 22:10:59 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Sun, 08 Mar 2009 18:10:59 -0400 Subject: [Freeipa-devel] [PATCHES][SSSD] Implement SetGroupGID and improve error handling in the InfoPipe Message-ID: <49B44273.2040503@redhat.com> First patch completes the InfoPipe API by implementing the last function, SetGroupGID. The second patch updates the user and group functions to attempt to notify the clients of the InfoPipe immediately if an internal error has occurred, instead of leaving them to wait for a timeout (which may be very long, depending on the client application). Once these patches are in, the InfoPipe is complete for the Fedora 11 beta freeze. -- Stephen Gallagher RHCE 804006346421761 -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Implement-SetGroupGID-in-the-InfoPipe.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0002-Improve-error-handling-and-replies-in-the-InfoPipe.patch URL: From jhrozek at redhat.com Mon Mar 9 00:19:52 2009 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 09 Mar 2009 01:19:52 +0100 Subject: [Freeipa-devel] [PATCH] Fix parameter parsing and adding to groups in useradd Message-ID: <1236557992.13030.5.camel@hendrix> This patch fixes several small problems in sss_useradd code that prevented adding to supplementary groups from working correctly. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-parameter-parsing-and-adding-to-groups-in-userad.patch Type: application/mbox Size: 2090 bytes Desc: not available URL: From ssorce at redhat.com Mon Mar 9 04:04:41 2009
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Mar 2009 00:04:41 -0400 Subject: [Freeipa-devel] [PATCH] Clients subpackage In-Reply-To: <49B3D295.1010808@redhat.com> References: <1236519400.8321.12.camel@hendrix> <1236519870.8321.15.camel@hendrix> <49B3D295.1010808@redhat.com> Message-ID: <1236571481.21500.20.camel@localhost.localdomain> On Sun, 2009-03-08 at 10:13 -0400, Stephen Gallagher wrote: > Jakub Hrozek wrote: > > On Sun, 2009-03-08 at 14:36 +0100, Jakub Hrozek wrote: > >> This patch splits the sssd rpm into sssd and sssd-client as discussed on > >> IRC and in the review request. > >> > >> The -client package now contains the userspace tools as well as the NSS > >> and PAM libraries (i.e. stuff built from sssd/sss_client subdirectory) > >> > > This incarnation of the patch also moves the ldconfig calls in %post and > > %postun into %post client and %postun client > > > Ack and pushed to master. Sorry but I really do not understand why the packages have been actually split. The clients can't work without the daemon and the daemon is unmanageable without the client. So what for ? Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Mar 9 04:58:42 2009 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Mar 2009 00:58:42 -0400 Subject: [Freeipa-devel] [PATCH] Fix parameter parsing and adding to groups in useradd In-Reply-To: <1236557992.13030.5.camel@hendrix> References: <1236557992.13030.5.camel@hendrix> Message-ID: <1236574722.21500.21.camel@localhost.localdomain> On Mon, 2009-03-09 at 01:19 +0100, Jakub Hrozek wrote: > This patch fixes several small problems in sss_useradd code that > prevented adding to supplementary groups from working correctly. ack -- Simo Sorce * Red Hat, Inc * New York From sbose at redhat.com Mon Mar 9 10:44:28 2009
From: sbose at redhat.com (Sumit Bose) Date: Mon, 09 Mar 2009 11:44:28 +0100 Subject: [Freeipa-devel] [PATCH] use fixed paths to responders pipes Message-ID: <49B4F30C.1070206@redhat.com> Hi, it makes little sense to have the responder socket names configurable via confdb, because the pam and nss clients need to know them and will not have access to confdb by design. This patch will move these paths together with other protocol information to a common header file. bye, Sumit -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-use-fixed-paths-to-responders-pipes.patch URL: From sgallagh at redhat.com Mon Mar 9 10:56:28 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 09 Mar 2009 06:56:28 -0400 Subject: [Freeipa-devel] [PATCH] Clients subpackage In-Reply-To: <1236571481.21500.20.camel@localhost.localdomain> References: <1236519400.8321.12.camel@hendrix> <1236519870.8321.15.camel@hendrix> <49B3D295.1010808@redhat.com> <1236571481.21500.20.camel@localhost.localdomain> Message-ID: <49B4F5DC.3000400@redhat.com> Simo Sorce wrote: > On Sun, 2009-03-08 at 10:13 -0400, Stephen Gallagher wrote: >> Jakub Hrozek wrote: >>> On Sun, 2009-03-08 at 14:36 +0100, Jakub Hrozek wrote: >>>> This patch splits the sssd rpm into sssd and sssd-client as discussed on >>>> IRC and in the review request. >>>> >>>> The -client package now contains the userspace tools as well as the NSS >>>> and PAM libraries (i.e. stuff built from sssd/sss_client subdirectory) >>>> >>> This incarnation of the patch also moves the ldconfig calls in %post and >>> %postun into %post client and %postun client >>> >> Ack and pushed to master. > > Sorry but I really do not understand why the packages have been actually > split. > > The clients can't work without the daemon and the daemon is unmanageable > without the client. > > So what for ? > > Simo. > The package reviewer demanded it, and since we're on a really tight schedule for getting this package out, we acquiesced. We can have a protracted argument about the merits of one vs. two packages after we meet our deadline. Right now, the reviewer gets whatever he wants. My 2 cents, anyway. -- Stephen Gallagher RHCE 804006346421761 From sgallagh at redhat.com Mon Mar 9 11:00:52 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 09 Mar 2009 07:00:52 -0400 Subject: [Freeipa-devel] [PATCH] Fix parameter parsing and adding to groups in useradd In-Reply-To: <1236574722.21500.21.camel@localhost.localdomain> References: <1236557992.13030.5.camel@hendrix> <1236574722.21500.21.camel@localhost.localdomain> Message-ID: <49B4F6E4.4080803@redhat.com> Simo Sorce wrote: > On Mon, 2009-03-09 at 01:19 +0100, Jakub Hrozek wrote: >> This patch fixes several small problems in sss_useradd code that >> prevented adding to supplementary groups from working correctly. > > ack > Ack and pushed to master -- Stephen Gallagher RHCE 804006346421761 From jhrozek at redhat.com Mon Mar 9 11:29:06 2009 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 09 Mar 2009 12:29:06 +0100 Subject: [Freeipa-devel] [PATCH] sss_usermod Message-ID: <1236598146.4423.23.camel@zeppelin.englab.brq.redhat.com> This patch adds the sss_usermod tool and moves the parse_groups() function from sss_useradd.c to tools_utils.c as it's used in sss_usermod, too. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-sss_usermod.patch Type: text/x-patch Size: 16111 bytes Desc: not available URL: From sgallagh at redhat.com Mon Mar 9 11:42:35 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 09 Mar 2009 07:42:35 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Fix SIGSEGV in InfoPipe startup Message-ID: <49B500AB.5020301@redhat.com> If the user that starts InfoPipe is not permitted by the system bus to request the InfoPipe name, the sssd_info process would segfault, since the destructor for the connection object was called before it was completely created. I have moved the initialization of the destructor to later in the setup routine. -- Stephen Gallagher RHCE 804006346421761 -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Fix-SIGSEGV-in-InfoPipe-startup.patch URL: From sbose at redhat.com Mon Mar 9 11:44:38 2009 From: sbose at redhat.com (Sumit Bose) Date: Mon, 09 Mar 2009 12:44:38 +0100 Subject: [Freeipa-devel] [PATCH][SSSD] Fix SIGSEGV in InfoPipe startup In-Reply-To: <49B500AB.5020301@redhat.com> References: <49B500AB.5020301@redhat.com> Message-ID: <49B50126.502@redhat.com> Stephen Gallagher wrote: > If the user that starts InfoPipe is not permitted by the system bus to > request the InfoPipe name, the sssd_info process would segfault, since > the destructor for the connection object was called before it was > completely created. I have moved the initialization of the destructor to > later in the setup routine. > ack From sgallagh at redhat.com Mon Mar 9 11:46:33 2009
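The ordering problem described in the "Fix SIGSEGV in InfoPipe startup" thread above, as an added example that is not the InfoPipe code or the attached patch: a destructor hook installed at the start of setup runs against a half-built object when the bus refuses the name request, while a hook installed at the end only ever sees a complete one. The conn and bus_handle structures, conn_setup() and the register_early switch are assumptions for the illustration, and the destructor counts the incomplete case where real code would dereference the missing state.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct bus_handle { int fd; };

/* Hypothetical connection object with a destructor hook. */
struct conn {
    void (*destructor)(struct conn *);
    struct bus_handle *bus;
    bool name_owned;          /* true once the bus granted the name */
};

struct dtor_stats { int ran_complete; int ran_incomplete; };
static struct dtor_stats stats;

/* Written on the assumption that the object is fully set up. */
static void conn_destructor(struct conn *c)
{
    if (c->bus == NULL || !c->name_owned) {
        /* Real teardown code would use the missing state here and crash. */
        stats.ran_incomplete++;
        return;
    }
    stats.ran_complete++;
    c->name_owned = false;    /* give the name back, then drop the handle */
    free(c->bus);
    c->bus = NULL;
}

void conn_free(struct conn *c)
{
    if (c == NULL) {
        return;
    }
    if (c->destructor != NULL) {
        c->destructor(c);
    }
    free(c->bus);             /* NULL if the destructor already released it */
    free(c);
}

/* register_early=true reproduces the ordering before the fix. */
int conn_setup(bool name_request_allowed, bool register_early, struct conn **out)
{
    struct conn *c = calloc(1, sizeof(*c));
    if (c == NULL) {
        return ENOMEM;
    }
    if (register_early) {
        c->destructor = conn_destructor;
    }

    c->bus = calloc(1, sizeof(*c->bus));
    if (c->bus == NULL) {
        conn_free(c);
        return ENOMEM;
    }
    if (!name_request_allowed) {      /* bus policy refuses the name */
        conn_free(c);                 /* fires the hook if set early */
        return EACCES;
    }
    c->name_owned = true;

    /* The fix: install the hook only once every field it relies on is set. */
    c->destructor = conn_destructor;
    *out = c;
    return 0;
}

/* Runs one setup/teardown cycle and reports what the destructor saw. */
struct dtor_stats run_case(bool name_request_allowed, bool register_early, int *ret)
{
    struct conn *c = NULL;

    stats.ran_complete = 0;
    stats.ran_incomplete = 0;
    *ret = conn_setup(name_request_allowed, register_early, &c);
    conn_free(c);
    return stats;
}

int main(void)
{
    int ret;
    struct dtor_stats s = run_case(false, true, &ret);
    printf("early hook, name denied: ret=%d incomplete=%d\n", ret, s.ran_incomplete);
    s = run_case(false, false, &ret);
    printf("late hook,  name denied: ret=%d incomplete=%d\n", ret, s.ran_incomplete);
    return 0;
}
```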
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 09 Mar 2009 07:46:33 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Fix SIGSEGV in InfoPipe startup In-Reply-To: <49B50126.502@redhat.com> References: <49B500AB.5020301@redhat.com> <49B50126.502@redhat.com> Message-ID: <49B50199.6050508@redhat.com> Sumit Bose wrote: > Stephen Gallagher wrote: >> If the user that starts InfoPipe is not permitted by the system bus to >> request the InfoPipe name, the sssd_info process would segfault, since >> the destructor for the connection object was called before it was >> completely created. I have moved the initialization of the destructor to >> later in the setup routine. >> > ack Pushed to master -- Stephen Gallagher RHCE 804006346421761 From rcritten at redhat.com Mon Mar 9 12:12:08 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 09 Mar 2009 08:12:08 -0400 Subject: [Freeipa-devel] [PATCH] fix broken build Message-ID: <49B50798.2050002@redhat.com> Remove reference to a file we removed that was causing the build to break. Pushed under 1-liner rule. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-143-build.patch Type: application/mbox Size: 686 bytes Desc: not available URL: From mnagy at redhat.com Mon Mar 9 12:18:18 2009
From: mnagy at redhat.com (Martin Nagy) Date: Mon, 9 Mar 2009 13:18:18 +0100 Subject: [Freeipa-devel] [PATCH] Clients subpackage In-Reply-To: <49B4F5DC.3000400@redhat.com> References: <1236519400.8321.12.camel@hendrix> <1236519870.8321.15.camel@hendrix> <49B3D295.1010808@redhat.com> <1236571481.21500.20.camel@localhost.localdomain> <49B4F5DC.3000400@redhat.com> Message-ID: <20090309131818.6800428b@notas> Stephen Gallagher wrote: > Simo Sorce wrote: > > On Sun, 2009-03-08 at 10:13 -0400, Stephen Gallagher wrote: > >> Jakub Hrozek wrote: > >>> On Sun, 2009-03-08 at 14:36 +0100, Jakub Hrozek wrote: > >>>> This patch splits the sssd rpm into sssd and sssd-client as > >>>> discussed on IRC and in the review request. > >>>> > >>>> The -client package now contains the userspace tools as well as > >>>> the NSS and PAM libraries (i.e. stuff built from sssd/sss_client > >>>> subdirectory) > >>>> > >>> This incarnation of the patch also moves the ldconfig calls in > >>> %post and %postun into %post client and %postun client > >>> > >> Ack and pushed to master. > > > > Sorry but I really do not understand why the packages have been > > actually split. > > > > The clients can't work without the daemon and the daemon is > > unmanageable without the client. > > > > So what for ? > > > > Simo. > > > > The package reviewer demanded it, and since we're on a really tight > schedule for getting this package out, we acquiesced. We can have a > protracted argument about the merits of one vs. two packages after we > meet our deadline. Right now, the reviewer gets whatever he wants. > > My 2 cents, anyway. Sorry, this is a misunderstanding. In the review, I should have made it clear that it was only a suggestion. I saw 'client' and 'server' and immediately thought they should be separate. Instead I should have just asked if this wouldn't be a good idea. If the situation is as Simo says then by all means, let's not split the package.
Or let's split it in a way that makes sense. So, sorry for the confusion. Martin From jhrozek at redhat.com Mon Mar 9 12:31:10 2009 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 09 Mar 2009 13:31:10 +0100 Subject: [Freeipa-devel] [PATCH] Clients subpackage In-Reply-To: <1236571481.21500.20.camel@localhost.localdomain> References: <1236519400.8321.12.camel@hendrix> <1236519870.8321.15.camel@hendrix> <49B3D295.1010808@redhat.com> <1236571481.21500.20.camel@localhost.localdomain> Message-ID: <1236601870.4423.32.camel@zeppelin.englab.brq.redhat.com> On Mon, 2009-03-09 at 00:04 -0400, Simo Sorce wrote: > > Sorry but I really do not understand why the packages have been > actually > split. > My reasoning was that tools can be substituted by InfoPipe (which is ultimately going to have its own package). sss_client is in a separate directory with its own autotools-chain upstream, so this led me to splitting it on RPM level, too. After some more discussion off-list (on #freeipa-devel) maybe we could have sssd, sssd-tools and eventually sssd-infopipe? Or, for the time being, just revert this patch (and related defattr patch) and have a monolithic sssd package. Whatever works for a timely review. Jakub From sgallagh at redhat.com Mon Mar 9 12:34:25 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 09 Mar 2009 08:34:25 -0400 Subject: [Freeipa-devel] [PATCH] Clients subpackage In-Reply-To: <1236601870.4423.32.camel@zeppelin.englab.brq.redhat.com> References: <1236519400.8321.12.camel@hendrix> <1236519870.8321.15.camel@hendrix> <49B3D295.1010808@redhat.com> <1236571481.21500.20.camel@localhost.localdomain> <1236601870.4423.32.camel@zeppelin.englab.brq.redhat.com> Message-ID: <49B50CD1.2000805@redhat.com> Jakub Hrozek wrote: > On Mon, 2009-03-09 at 00:04 -0400, Simo Sorce wrote: >> Sorry but I really do not understand why the packages have been >> actually >> split. >> > > My reasoning was that tools can be substituted by InfoPipe (which is > ultimately going to have its own package). sss_client is in a separate > directory with its own autotools-chain upstream, so this led me to > splitting it on RPM level, too. > > After some more discussion off-list (on #freeipa-devel) maybe we could > have sssd, sssd-tools and eventually sssd-infopipe? > > Or, for the time being, just revert this patch (and related defattr > patch) and have a monolithic sssd package. Whatever works for a timely > review. > > Jakub > Short-term, I vote we stick with a monolithic patch. We can break it down later if we decide to, but I just want to see this in and installable in the easiest way possible right now. -- Stephen Gallagher RHCE 804006346421761 From ssorce at redhat.com Mon Mar 9 12:59:36 2009
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 9 Mar 2009 08:59:36 -0400 (EDT) Subject: [Freeipa-devel] [PATCH] Clients subpackage In-Reply-To: <49B50CD1.2000805@redhat.com> Message-ID: <1810899495.1257981236603576153.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> ----- "Stephen Gallagher" wrote: > Short-term, I vote we stick with a monolithic patch. We can break it > down later if we decide to, but I just want to see this in and > installable in the easiest way possible right now. I reverted the patches. Simo. From ssorce at redhat.com Mon Mar 9 13:02:52 2009 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 9 Mar 2009 09:02:52 -0400 (EDT) Subject: [Freeipa-devel] [PATCH] sss_usermod In-Reply-To: <1236598146.4423.23.camel@zeppelin.englab.brq.redhat.com> Message-ID: <740126057.1258561236603772336.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> "Jakub Hrozek" wrote: > This patch adds the sss_usermod tool and moves the parse_groups() > function from sss_useradd.c to tools_utils.c as it's used in > sss_usermod, too. ack From sgallagh at redhat.com Mon Mar 9 13:17:55 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 09 Mar 2009 09:17:55 -0400 Subject: [Freeipa-devel] [PATCH] sss_usermod In-Reply-To: <740126057.1258561236603772336.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <740126057.1258561236603772336.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <49B51703.8010009@redhat.com> Simo Sorce wrote: > "Jakub Hrozek" wrote: >> This patch adds the sss_usermod tool and moves the parse_groups() >> function from sss_useradd.c to tools_utils.c as it's used in >> sss_usermod, too. > > ack Nack. Please fix the following patch errors and resubmit. Applying: sss_usermod /home/sgallagh/workspace/sssd.upstream/.git/rebase-apply/patch:149: trailing whitespace. } while(0) /home/sgallagh/workspace/sssd.upstream/.git/rebase-apply/patch:387: trailing whitespace. ret = sysdb_attrs_add_string(user_ctx->attrs, /home/sgallagh/workspace/sssd.upstream/.git/rebase-apply/patch:394: trailing whitespace. ret = sysdb_attrs_add_string(user_ctx->attrs, /home/sgallagh/workspace/sssd.upstream/.git/rebase-apply/patch:401: trailing whitespace. ret = sysdb_attrs_add_string(user_ctx->attrs, /home/sgallagh/workspace/sssd.upstream/.git/rebase-apply/patch:408: trailing whitespace. ret = sysdb_attrs_add_long(user_ctx->attrs, warning: squelched 3 whitespace errors warning: 8 lines add whitespace errors. -- Stephen Gallagher RHCE 804006346421761 From sbose at redhat.com Mon Mar 9 13:56:24 2009
From: sbose at redhat.com (Sumit Bose) Date: Mon, 09 Mar 2009 14:56:24 +0100 Subject: [Freeipa-devel] [PATCH] use fixed paths to responders pipes In-Reply-To: <49B4F30C.1070206@redhat.com> References: <49B4F30C.1070206@redhat.com> Message-ID: <49B52008.1090709@redhat.com> Sumit Bose wrote: > Hi, > > it makes little sense to have the responder socket names configurable > via confdb, because the pam and nss clients need to know them and will > not have access to confdb by design. This patch will move these paths > together with other protocol information to a common header file. > > bye, > Sumit > accidentally I disabled pam in the default configuration. The new patch fixes this. bye, Sumit -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-use-fixed-paths-to-responders-pipes.patch URL: From jhrozek at redhat.com Mon Mar 9 14:09:54 2009
From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 09 Mar 2009 15:09:54 +0100 Subject: [Freeipa-devel] [PATCH] sss_usermod In-Reply-To: <49B51703.8010009@redhat.com> References: <740126057.1258561236603772336.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <49B51703.8010009@redhat.com> Message-ID: <1236607794.4423.33.camel@zeppelin.englab.brq.redhat.com> On Mon, 2009-03-09 at 09:17 -0400, Stephen Gallagher wrote: > Simo Sorce wrote: > > "Jakub Hrozek" wrote: > >> This patch adds the sss_usermod tool and moves the parse_groups() > >> function from sss_useradd.c to tools_utils.c as it's used in > >> sss_usermod, too. > > > > ack > > Nack. Please fix the following patch errors and resubmit. > Sorry, new patch attached. I've verified that it applies cleanly against current HEAD. -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-sss_usermod.patch Type: text/x-patch Size: 16096 bytes Desc: not available URL: From ssorce at redhat.com Mon Mar 9 14:26:48 2009
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Mar 2009 10:26:48 -0400 Subject: [Freeipa-devel] [PATCH] use fixed paths to responders pipes In-Reply-To: <49B52008.1090709@redhat.com> References: <49B4F30C.1070206@redhat.com> <49B52008.1090709@redhat.com> Message-ID: <1236608808.3975.1.camel@localhost.localdomain> On Mon, 2009-03-09 at 14:56 +0100, Sumit Bose wrote: > > > Sumit Bose schrieb: > > Hi, > > > > it makes little sense to have the responder socket names > configurable > > via confdb, because the pam and nss clients need to know them and > will > > not have access to confdb by design. This patch will move these > paths > > together with other protocol information to a common header file. > accidentally I disabled pam in the default configuration. The new > patch > fixes this. I think that the "/var/lib/sss" should be determined in config.h and passed as an argument within make. The default would probably be something like /usr/local/sss/lib I think we can ack this for now, because for all practical uses /var/lib/sss is the right place for Fedora, but we should fix it asap. Simo. -- Simo Sorce * Red Hat, Inc * New York From sgallagh at redhat.com Mon Mar 9 14:29:20 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 09 Mar 2009 10:29:20 -0400 Subject: [Freeipa-devel] [PATCH] sss_usermod In-Reply-To: <1236607794.4423.33.camel@zeppelin.englab.brq.redhat.com> References: <740126057.1258561236603772336.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <49B51703.8010009@redhat.com> <1236607794.4423.33.camel@zeppelin.englab.brq.redhat.com> Message-ID: <49B527C0.8020202@redhat.com> Jakub Hrozek wrote: > On Mon, 2009-03-09 at 09:17 -0400, Stephen Gallagher wrote: >> Simo Sorce wrote: >>> "Jakub Hrozek" wrote: >>>> This patch adds the sss_usermod tool and moves the parse_groups() >>>> function from sss_useradd.c to tools_utils.c as it's used in >>>> sss_usermod, too. >>> ack >> Nack. Please fix the following patch errors and resubmit. >> > > Sorry, new patch attached. I've verified that it applies cleanly against > current HEAD. > Pushed to master -- Stephen Gallagher RHCE 804006346421761 From sbose at redhat.com Mon Mar 9 14:32:56 2009
From: sbose at redhat.com (Sumit Bose) Date: Mon, 09 Mar 2009 15:32:56 +0100 Subject: [Freeipa-devel] [PATCH] use fixed paths to responders pipes In-Reply-To: <1236608808.3975.1.camel@localhost.localdomain> References: <49B4F30C.1070206@redhat.com> <49B52008.1090709@redhat.com> <1236608808.3975.1.camel@localhost.localdomain> Message-ID: <49B52898.806@redhat.com> Simo Sorce wrote: > On Mon, 2009-03-09 at 14:56 +0100, Sumit Bose wrote: >> >> Sumit Bose wrote: >>> Hi, >>> >>> it makes little sense to have the responder socket names >> configurable >>> via confdb, because the pam and nss clients need to know them and >> will >>> not have access to confdb by design. This patch will move these >> paths >>> together with other protocol information to a common header file. > >> accidentally I disabled pam in the default configuration. The new >> patch >> fixes this. > > I think that the "/var/lib/sss" should be determined in config.h and > passed as an argument within make. > The default would probably be something like /usr/local/sss/lib I thought about this, too. But if we do this, we should not take it from config.h, but create a responder.h.in and let configure replace it. Because in the current setup the clients have their own config.h. > > I think we can ack this for now, because for all practical > uses /var/lib/sss is the right place for Fedora, but we should fix it > asap. > > Simo. > From sgallagh at redhat.com Mon Mar 9 14:50:08 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 09 Mar 2009 10:50:08 -0400 Subject: [Freeipa-devel] [PATCHES][SSSD] Implement SetGroupGID and improve error handling in the InfoPipe In-Reply-To: <49B44273.2040503@redhat.com> References: <49B44273.2040503@redhat.com> Message-ID: <49B52CA0.40807@redhat.com> Stephen Gallagher wrote: > First patch completes the InfoPipe API by implementing the last > function, SetGroupGID. > > The second patch updates the user and group functions to attempt to > notify the clients of the InfoPipe immediately if an internal error has > occurred, instead of leaving them to wait for a timeout (which may be > very long, depending on the client application). > > Once these patches are in, the InfoPipe is complete for the Fedora 11 > beta freeze. Per Simo's off-list review, I have changed the patch to use ERANGE instead of EDOM for GID out of range errors. Reattaching both patches for convenience. -- Stephen Gallagher RHCE 804006346421761 -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Implement-SetGroupGID-in-the-InfoPipe.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0002-Improve-error-handling-and-replies-in-the-InfoPipe.patch URL: From ssorce at redhat.com Mon Mar 9 14:51:01 2009
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Mar 2009 10:51:01 -0400 Subject: [Freeipa-devel] [PATCH] add conf option for MPG Message-ID: <1236610261.3975.2.camel@localhost.localdomain> as per subject -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Make-MPG-a-configurable-option-for-the-domain.patch Type: text/x-patch Size: 1991 bytes Desc: not available URL: From sbose at redhat.com Mon Mar 9 14:51:45 2009 From: sbose at redhat.com (Sumit Bose) Date: Mon, 09 Mar 2009 15:51:45 +0100 Subject: [Freeipa-devel] [PATCH] added generic PAM return messages and a false login delay Message-ID: <49B52D01.60308@redhat.com> Hi, this patch integrates the data sent back to the client into the main pam_data struct making it more flexible. It also moves the delay after a wrong password from the LOCAL backend into the responder to allow other backends to use it. bye, Sumit -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-added-generic-PAM-return-messages-and-a-false-login.patch URL: From ssorce at redhat.com Mon Mar 9 14:51:50 2009 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Mar 2009 10:51:50 -0400 Subject: [Freeipa-devel] [PATCH] no version for libnsss .so files Message-ID: <1236610310.3975.3.camel@localhost.localdomain> all libnss_*_.so files are not versioned in current distributions as far as I can see. Do the same here. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-NSS-libs-do-not-use-versioned-shared-objects.patch Type: text/x-patch Size: 834 bytes Desc: not available URL: From ssorce at redhat.com Mon Mar 9 14:53:35 2009
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Mar 2009 10:53:35 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Implement AddGroupMembers in the InfoPipe In-Reply-To: <49B1CD7D.9080408@redhat.com> References: <49B1C1D9.9070704@redhat.com> <49B1CCBC.1040406@redhat.com> <49B1CD7D.9080408@redhat.com> Message-ID: <1236610415.3975.4.camel@localhost.localdomain> On Fri, 2009-03-06 at 20:27 -0500, Stephen Gallagher wrote: > Stephen Gallagher wrote: > > Stephen Gallagher wrote: > >> $SUBJECT > >> > > I am rescinding the original version of this patch and replacing it > with > > a new version that includes both AddGroupMembers and > RemoveGroupMembers. > > Since the code necessary to handle them differed only by the name of > a > > single function call, I made them both wrappers around a common > procedure. > > > > > One more version. Forgot to update the permission check to reflect the > correct modification type. Ack and pushed -- Simo Sorce * Red Hat, Inc * New York From sbose at redhat.com Mon Mar 9 14:53:55 2009 From: sbose at redhat.com (Sumit Bose) Date: Mon, 09 Mar 2009 15:53:55 +0100 Subject: [Freeipa-devel] [PATCH] add conf option for MPG In-Reply-To: <1236610261.3975.2.camel@localhost.localdomain> References: <1236610261.3975.2.camel@localhost.localdomain> Message-ID: <49B52D83.6090404@redhat.com> Simo Sorce wrote: > as per subject please file the 'et enumeration of LOCAL domain to 1' comment :) From ssorce at redhat.com Mon Mar 9 14:58:57 2009
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Mar 2009 10:58:57 -0400 Subject: [Freeipa-devel] [PATCHES][SSSD] Implement SetGroupGID and improve error handling in the InfoPipe In-Reply-To: <49B52CA0.40807@redhat.com> References: <49B44273.2040503@redhat.com> <49B52CA0.40807@redhat.com> Message-ID: <1236610737.3975.5.camel@localhost.localdomain> On Mon, 2009-03-09 at 10:50 -0400, Stephen Gallagher wrote: > Stephen Gallagher wrote: > > First patch completes the InfoPipe API by implementing the last > > function, SetGroupGID. > > > > The second patch updates the user and group functions to attempt to > > notify the clients of the InfoPipe immediately if an internal error > has > > occurred, instead of leaving them to wait for a timeout (which may > be > > very long, depending on the client application). > > > > Once these patches are in, the InfoPipe is complete for the Fedora > 11 > > beta freeze. > Per Simo's off-list review, I have changed the patch to use ERANGE > instead of EDOM for GID out of range errors. > > Reattaching both patches for convenience. ack and pushed -- Simo Sorce * Red Hat, Inc * New York From sgallagh at redhat.com Mon Mar 9 15:00:59 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 09 Mar 2009 11:00:59 -0400 Subject: [Freeipa-devel] [PATCH] no version for libnsss .so files In-Reply-To: <1236610310.3975.3.camel@localhost.localdomain> References: <1236610310.3975.3.camel@localhost.localdomain> Message-ID: <49B52F2B.7080801@redhat.com> Simo Sorce wrote: > all libnss_*_.so files are not versioned in current distributions as far > as I can see. > Do the same here. Ack -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ssorce at redhat.com Mon Mar 9 15:07:39 2009
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Mar 2009 11:07:39 -0400 Subject: [Freeipa-devel] [PATCH] use fixed paths to responders pipes In-Reply-To: <1236608808.3975.1.camel@localhost.localdomain> References: <49B4F30C.1070206@redhat.com> <49B52008.1090709@redhat.com> <1236608808.3975.1.camel@localhost.localdomain> Message-ID: <1236611259.3975.7.camel@localhost.localdomain> On Mon, 2009-03-09 at 10:26 -0400, Simo Sorce wrote: > On Mon, 2009-03-09 at 14:56 +0100, Sumit Bose wrote: > > > > > > Sumit Bose wrote: > > > Hi, > > > > > > it makes little sense to have the responder socket names > > configurable > > > via confdb, because the pam and nss clients need to know them and > > will > > > not have access to confdb by design. This patch will move these > > paths > > > together with other protocol information to a common header file. > > > accidentally I disabled pam in the default configuration. The new > > patch > > fixes this. > > I think that the "/var/lib/sss" should be determined in config.h and > passed as an argument within make. > The default would probably be something like /usr/local/sss/lib > > I think we can ack this for now, because for all practical > uses /var/lib/sss is the right place for Fedora, but we should fix it > asap. Looking at it more closely I think I am for a NACK. This is the SSS protocol, both the macro names and the place (under /server/responder) seem quite wrong. If we need to move this stuff into a separate file at all, please do not change macros, and let's move it into /include/protocol.h Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Mar 9 15:09:50 2009
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Mar 2009 11:09:50 -0400 Subject: [Freeipa-devel] [PATCH] no version for libnsss .so files In-Reply-To: <49B52F2B.7080801@redhat.com> References: <1236610310.3975.3.camel@localhost.localdomain> <49B52F2B.7080801@redhat.com> Message-ID: <1236611390.3975.8.camel@localhost.localdomain> On Mon, 2009-03-09 at 11:00 -0400, Stephen Gallagher wrote: > Simo Sorce wrote: > > all libnss_*_.so files are not versioned in current distributions as > far > > as I can see. > > Do the same here. > > Ack Pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Mar 9 15:10:59 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Mar 2009 11:10:59 -0400 Subject: [Freeipa-devel] [PATCH] use fixed paths to responders pipes In-Reply-To: <49B52898.806@redhat.com> References: <49B4F30C.1070206@redhat.com> <49B52008.1090709@redhat.com> <1236608808.3975.1.camel@localhost.localdomain> <49B52898.806@redhat.com> Message-ID: <1236611459.3975.9.camel@localhost.localdomain> On Mon, 2009-03-09 at 15:32 +0100, Sumit Bose wrote: > Simo Sorce wrote: > > On Mon, 2009-03-09 at 14:56 +0100, Sumit Bose wrote: > >> > >> Sumit Bose wrote: > >>> Hi, > >>> > >>> it makes little sense to have the responder socket names > >> configurable > >>> via confdb, because the pam and nss clients need to know them and > >> will > >>> not have access to confdb by design. This patch will move these > >> paths > >>> together with other protocol information to a common header file. > > > >> accidentally I disabled pam in the default configuration. The new > >> patch > >> fixes this. > > > > I think that the "/var/lib/sss" should be determined in config.h and > > passed as an argument within make. > > The default would probably be something like /usr/local/sss/lib > > I thought about this, too. But if we do this, we should not take it from > config.h, but create a responder.h.in and let configure replace it. > Because in the current setup the clients have their own config.h. That's fine, they will both define the same variable in their respective configures. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Mar 9 15:23:13 2009
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Mar 2009 11:23:13 -0400 Subject: [Freeipa-devel] [PATCH] add conf option for MPG In-Reply-To: <49B52D83.6090404@redhat.com> References: <1236610261.3975.2.camel@localhost.localdomain> <49B52D83.6090404@redhat.com> Message-ID: <1236612193.3975.10.camel@localhost.localdomain> On Mon, 2009-03-09 at 15:53 +0100, Sumit Bose wrote: > Simo Sorce wrote: > > as per subject > > please file the 'et enumeration of LOCAL domain to 1' comment :) ok I'll take this as an ack :-) fixed the comment and pushed Simo. -- Simo Sorce * Red Hat, Inc * New York From jhrozek at redhat.com Mon Mar 9 15:49:13 2009 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 09 Mar 2009 16:49:13 +0100 Subject: [Freeipa-devel] [PATCH] sss_groupmod Message-ID: <1236613753.4423.41.camel@zeppelin.englab.brq.redhat.com> This patch adds the last userspace admin tool - sss_groupmod. It allows nesting of groups (i.e. adding a group as a member of another group) and modifying its GID. GID (and related UID) modification by the tools is something I wanted to bring up for discussion on the list. The sysdb API provides ways to do that, the InfoPipe methods use a name that makes it clear that it's discouraged. So what about the userspace tools? Stephen suggested on IRC that we could leave the functionality there, but not expose the option by providing a custom usage() instead of the popt-autogenerated. I like his idea..opinions? Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-sss_groupmod.patch Type: text/x-patch Size: 9949 bytes Desc: not available URL: From sbose at redhat.com Mon Mar 9 16:28:18 2009
From: sbose at redhat.com (Sumit Bose) Date: Mon, 09 Mar 2009 17:28:18 +0100 Subject: [Freeipa-devel] [PATCH] use fixed paths to sockets to make sure clients and server are (2nd try) In-Reply-To: <1236611259.3975.7.camel@localhost.localdomain> References: <49B4F30C.1070206@redhat.com> <49B52008.1090709@redhat.com> <1236608808.3975.1.camel@localhost.localdomain> <1236611259.3975.7.camel@localhost.localdomain> Message-ID: <49B543A2.1070606@redhat.com> Simo Sorce wrote: > On Mon, 2009-03-09 at 10:26 -0400, Simo Sorce wrote: >> On Mon, 2009-03-09 at 14:56 +0100, Sumit Bose wrote: >>> >>> Sumit Bose wrote: >>>> Hi, >>>> >>>> it makes little sense to have the responder socket names >>> configurable >>>> via confdb, because the pam and nss clients need to know them and >>> will >>>> not have access to confdb by design. This patch will move these >>> paths >>>> together with other protocol information to a common header file. >>> accidentally I disabled pam in the default configuration. The new >>> patch >>> fixes this. >> I think that the "/var/lib/sss" should be determined in config.h and >> passed as an argument within make. >> The default would probably be something like /usr/local/sss/lib >> >> I think we can ack this for now, because for all practical >> uses /var/lib/sss is the right place for Fedora, but we should fix it >> asap. > > Looking at it more closely I think I am for a NACK. > This is the SSS protocol, both the macro names and the place > (under /server/responder) seem quite wrong. > > If we need to move this stuff into a separate file at all, please do not > change macros, and let's move it into /include/protocol.h > Ok, find the new patch attached. bye, Sumit -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-use-fixed-paths-to-sockets-to-make-sure-clients-and.patch URL: From sbose at redhat.com Mon Mar 9 16:31:46 2009
From: sbose at redhat.com (Sumit Bose) Date: Mon, 09 Mar 2009 17:31:46 +0100 Subject: [Freeipa-devel] [PATCH] typo, changed initrd to init Message-ID: <49B54472.1040502@redhat.com> Hi, just a typo or copy-and-paste. bye, Sumit -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-typo-changed-initrd-to-init.patch URL: From jhrozek at redhat.com Mon Mar 9 16:47:15 2009 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 09 Mar 2009 17:47:15 +0100 Subject: [Freeipa-devel] [PATCH] typo, changed initrd to init In-Reply-To: <49B54472.1040502@redhat.com> References: <49B54472.1040502@redhat.com> Message-ID: <1236617235.4423.45.camel@zeppelin.englab.brq.redhat.com> On Mon, 2009-03-09 at 17:31 +0100, Sumit Bose wrote: > Hi, > > just a typo or copy-and-paste. > > bye, > Sumit It was on purpose - rpm has macro _initrddir defined as %{_sysconfdir}/rc.d/init.d so I was trying to model that after the RPM macro. But you are right, that for anyone not familiar with RPM macros, this is confusing. So +1 to this change, we just also need to adjust specfile and Makefile.in (patch attached). Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-typo-changed-initrd-to-init.patch Type: text/x-patch Size: 3252 bytes Desc: not available URL: From sbose at redhat.com Mon Mar 9 17:01:39 2009 
From: sbose at redhat.com (Sumit Bose) Date: Mon, 09 Mar 2009 18:01:39 +0100 Subject: [Freeipa-devel] [PATCH] make openldap the only used LDAP library Message-ID: <49B54B73.5020804@redhat.com> Hi, this patch disables the search for mozldap libraries in configure, but still allows the option '--with-openldap', because I do not know if we want to change the spec file again. If it is ok to change the spec file, please remove the "AC_ARG_WITH(openldap, [ --with-openldap Use OpenLDAP])" line, too bye, Sumit -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-make-openldap-the-only-used-LDAP-library.patch URL: From kwade at redhat.com Mon Mar 9 17:56:33 2009 From: kwade at redhat.com (Karsten Wade) Date: Mon, 9 Mar 2009 10:56:33 -0700 Subject: [Freeipa-devel] [PATCH] Clients subpackage In-Reply-To: <49B4F5DC.3000400@redhat.com> References: <1236519400.8321.12.camel@hendrix> <1236519870.8321.15.camel@hendrix> <49B3D295.1010808@redhat.com> <1236571481.21500.20.camel@localhost.localdomain> <49B4F5DC.3000400@redhat.com> Message-ID: <20090309175633.GQ5313@calliope.phig.org> On Mon, Mar 09, 2009 at 06:56:28AM -0400, Stephen Gallagher wrote: > > The package reviewer demanded it, and since we're on a really tight > schedule for getting this package out, we acquiesced. We can have a > protracted argument about the merits of one vs. two packages after we > meet our deadline. Right now, the reviewer gets whatever he wants. Can someone point me at the review bug number(s)? Is this posted on freeipa.org's wiki? Thx - Karsten -- Karsten 'quaid' Wade, Community Gardener http://quaid.fedorapeople.org AD0E0C41 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From ssorce at redhat.com Mon Mar 9 18:42:37 2009
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Mar 2009 14:42:37 -0400 Subject: [Freeipa-devel] [PATCH] sss_groupmod In-Reply-To: <1236613753.4423.41.camel@zeppelin.englab.brq.redhat.com> References: <1236613753.4423.41.camel@zeppelin.englab.brq.redhat.com> Message-ID: <1236624157.3975.17.camel@localhost.localdomain> On Mon, 2009-03-09 at 16:49 +0100, Jakub Hrozek wrote: > This patch adds the last userspace admin tool - sss_groupmod. It allows > nesting of groups (i.e. adding a group as a member of another group) and > modifying its GID. > > GID (and related UID) modification by the tools is something I wanted to > bring up for discussion on the list. The sysdb API provides ways to do > that, the InfoPipe methods use a name that makes it clear that it's > discouraged. So what about the userspace tools? Stephen suggested on IRC > that we could leave the functionality there, but not expose the option > by providing a custom usage() instead of the popt-autogenerated. I like > his idea..opinions? Yes, I would like to conceal the options to modify/set the uid/gid. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Mar 9 18:48:09 2009
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Mar 2009 14:48:09 -0400 Subject: [Freeipa-devel] [PATCH] Clients subpackage In-Reply-To: <20090309175633.GQ5313@calliope.phig.org> References: <1236519400.8321.12.camel@hendrix> <1236519870.8321.15.camel@hendrix> <49B3D295.1010808@redhat.com> <1236571481.21500.20.camel@localhost.localdomain> <49B4F5DC.3000400@redhat.com> <20090309175633.GQ5313@calliope.phig.org> Message-ID: <1236624489.3975.20.camel@localhost.localdomain> On Mon, 2009-03-09 at 10:56 -0700, Karsten Wade wrote: > On Mon, Mar 09, 2009 at 06:56:28AM -0400, Stephen Gallagher wrote: > > > > The package reviewer demanded it, and since we're on a really tight > > schedule for getting this package out, we acquiesced. We can have a > > protracted argument about the merits of one vs. two packages after we > > meet our deadline. Right now, the reviewer gets whatever he wants. > > Can someone point me at the review bug number(s)? Is this posted on > freeipa.org's wiki? This is the bug: https://bugzilla.redhat.com/show_bug.cgi?id=487296 No we haven't yet updated freeipa.org, we were a bit too busy. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Mar 9 19:13:58 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Mar 2009 15:13:58 -0400 Subject: [Freeipa-devel] [PATCH] make openldap the only used LDAP library In-Reply-To: <49B54B73.5020804@redhat.com> References: <49B54B73.5020804@redhat.com> Message-ID: <1236626038.3975.28.camel@localhost.localdomain> On Mon, 2009-03-09 at 18:01 +0100, Sumit Bose wrote: > > Hi, > > this patch disables the search for mozldap libraries in configure, but > still allows the option '--with-openldap', because I do not know if we > want to change the spec file again. If it is ok to change the spec > file, > please remove the "AC_ARG_WITH(openldap, [ --with-openldap Use > OpenLDAP])" line, too ack and pushed with the following changes: - removed ac line for --with-openldap - fixed Makefile.in to remove references to unresolved MOZLDAP variables - removed --with-openldap from spec file Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Mar 9 19:14:15 2009 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Mar 2009 15:14:15 -0400 Subject: [Freeipa-devel] [PATCH] sss_groupmod In-Reply-To: <1236613753.4423.41.camel@zeppelin.englab.brq.redhat.com> References: <1236613753.4423.41.camel@zeppelin.englab.brq.redhat.com> Message-ID: <1236626055.3975.29.camel@localhost.localdomain> On Mon, 2009-03-09 at 16:49 +0100, Jakub Hrozek wrote: > > This patch adds the last userspace admin tool - sss_groupmod. It > allows > nesting of groups (i.e. adding a group as a member of another group) > and > modifying its GID. ack and pushed Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Mar 9 19:14:35 2009
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Mar 2009 15:14:35 -0400 Subject: [Freeipa-devel] [PATCH] typo, changed initrd to init In-Reply-To: <1236617235.4423.45.camel@zeppelin.englab.brq.redhat.com> References: <49B54472.1040502@redhat.com> <1236617235.4423.45.camel@zeppelin.englab.brq.redhat.com> Message-ID: <1236626075.3975.30.camel@localhost.localdomain> On Mon, 2009-03-09 at 17:47 +0100, Jakub Hrozek wrote: > It was on purpose - rpm has macro _initrddir defined as > %{_sysconfdir}/rc.d/init.d so I was trying to model that after the RPM > macro. > > But you are right, that for anyone not familiar with RPM macros, this > is > confusing. So +1 to this change, we just also need to adjust specfile > and Makefile.in (patch attached). ack and pushed Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Mar 9 19:15:24 2009 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Mar 2009 15:15:24 -0400 Subject: [Freeipa-devel] [PATCH] added generic PAM return messages and a false login delay In-Reply-To: <49B52D01.60308@redhat.com> References: <49B52D01.60308@redhat.com> Message-ID: <1236626124.3975.31.camel@localhost.localdomain> On Mon, 2009-03-09 at 15:51 +0100, Sumit Bose wrote: > Hi, > > this patch integrates the data sent back to the client into the main > pam_data struct making it more flexible. It also moves the delay after > a > wrong password from the LOCAL backend into the responder to allow > other > backends to use it. I guess you need to respin this one. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Mar 9 19:15:49 2009
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Mar 2009 15:15:49 -0400 Subject: [Freeipa-devel] [PATCH] use fixed paths to sockets to make sure clients and server are (2nd try) In-Reply-To: <49B543A2.1070606@redhat.com> References: <49B4F30C.1070206@redhat.com> <49B52008.1090709@redhat.com> <1236608808.3975.1.camel@localhost.localdomain> <1236611259.3975.7.camel@localhost.localdomain> <49B543A2.1070606@redhat.com> Message-ID: <1236626149.3975.32.camel@localhost.localdomain> On Mon, 2009-03-09 at 17:28 +0100, Sumit Bose wrote: > > Ok, find the new patch attached. ack and pushed Simo. -- Simo Sorce * Red Hat, Inc * New York From sbose at redhat.com Mon Mar 9 21:34:38 2009 From: sbose at redhat.com (Sumit Bose) Date: Mon, 09 Mar 2009 22:34:38 +0100 Subject: [Freeipa-devel] [PATCH] added generic PAM return messages and a false login delay In-Reply-To: <1236626124.3975.31.camel@localhost.localdomain> References: <49B52D01.60308@redhat.com> <1236626124.3975.31.camel@localhost.localdomain> Message-ID: <49B58B6E.8070100@redhat.com> Simo Sorce wrote: > On Mon, 2009-03-09 at 15:51 +0100, Sumit Bose wrote: >> Hi, >> >> this patch integrates the data sent back to the client into the main >> pam_data struct making it more flexible. It also moves the delay after >> a >> wrong password from the LOCAL backend into the responder to allow >> other >> backends to use it. > > I guess you need to respin this one. > > Simo. > find it here. bye, Sumit -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-added-generic-PAM-return-messages-and-a-false-login.patch URL: From ssorce at redhat.com Tue Mar 10 03:05:41 2009
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Mar 2009 23:05:41 -0400 Subject: [Freeipa-devel] [PATCH] Clean-up patches Message-ID: <1236654341.3731.18.camel@localhost.localdomain> 1. avoid duplication of attribute names definitions 2. move MPG logic within sysdb (for 2. next step will be returning users as groups if the domain is mpg enabled) Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Do-not-duplicate-attribute-names-macros.patch Type: text/x-patch Size: 6317 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-Move-MPG-checks-within-sysdb.patch Type: text/x-patch Size: 14876 bytes Desc: not available URL: From ssorce at redhat.com Tue Mar 10 06:11:57 2009 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 10 Mar 2009 02:11:57 -0400 Subject: [Freeipa-devel] [PATCH] Always pass ss_domain_info to sysdb functions Message-ID: <1236665517.3731.19.camel@localhost.localdomain> Prerequisite for next MPG patch Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Always-pass-sss_domain_info-to-sysdb-functions.patch Type: text/x-patch Size: 23644 bytes Desc: not available URL: From ssorce at redhat.com Tue Mar 10 06:12:35 2009 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 10 Mar 2009 02:12:35 -0400 Subject: [Freeipa-devel] [PATCH] Fix bugs found while testing MPG groups Message-ID: <1236665555.3731.20.camel@localhost.localdomain> see $subject -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-Fix-bugs-in-functions-dealing-with-groups.patch Type: text/x-patch Size: 1911 bytes Desc: not available URL: From ssorce at redhat.com Tue Mar 10 06:13:45 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 10 Mar 2009 02:13:45 -0400 Subject: [Freeipa-devel] [PATCH] Implement returning users as MPGs Message-ID: <1236665625.3731.22.camel@localhost.localdomain> With this patch a domain set as MPG will return user entries as private groups as well when returning getpwnam/getgrgid/getgrent calls. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0003-If-a-domain-is-MPG-enabled-return-users-a-groups.patch Type: text/x-patch Size: 6944 bytes Desc: not available URL: From ssorce at redhat.com Tue Mar 10 06:15:43 2009 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 10 Mar 2009 02:15:43 -0400 Subject: [Freeipa-devel] [PATCH] FIx nss protocol to return proper size for ids Message-ID: <1236665743.3731.24.camel@localhost.localdomain> Initially, for some reason I decided to use 64 bit numbers to hold uid and gid values. But no platform supports 64 bit ids, only 32bit ones (and some platforms have support for some sort of UUIDs which are 128bit and are not returned by the nss interface). Change the protocol to not waste bits needlessly and use 32 bit IDs Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0004-Treat-uids-and-gids-as-32-bit-numbers-not-64.patch Type: text/x-patch Size: 10777 bytes Desc: not available URL: From ssorce at redhat.com Tue Mar 10 06:27:27 2009
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 10 Mar 2009 02:27:27 -0400 Subject: [Freeipa-devel] [PATCH] Implement returning users as MPGs In-Reply-To: <1236665625.3731.22.camel@localhost.localdomain> References: <1236665625.3731.22.camel@localhost.localdomain> Message-ID: <1236666447.7708.3.camel@localhost.localdomain> On Tue, 2009-03-10 at 02:13 -0400, Simo Sorce wrote: > With this patch a domain set as MPG will return user entries as private > groups as well when returning getpwnam/getgrgid/getgrent calls. While working on this patch I found an ldb bug that may lead to segfaults in some cases as access to already freed memory was performed. Amazing how it never happened before. I fixed the bug upstream and also applied the patch to the samba4 package and rebuilt it. So if you want to test without seeing segfaults, make sure to upgrade to the very latest samba4 rawhide package (or rebuild it yourself if you use < F11). I can provide a mock build for F10 i386 if necessary, and a custom make local build for F10 x86_64 if you really want it :) Simo. -- Simo Sorce * Red Hat, Inc * New York From jhrozek at redhat.com Tue Mar 10 09:04:11 2009 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 10 Mar 2009 10:04:11 +0100 Subject: [Freeipa-devel] [PATCH] Correct use of chkconfig in initscript and specfile Message-ID: <1236675851.25487.6.camel@hendrix> This patch contains the final comments Martin had during the interview (incorrect use of chkconfig, don't need to explicitly set --prefix), owns groupmod and the new filename of libnss. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Correct-use-of-chkconfig-in-initscript-and-specfile.patch Type: application/mbox Size: 1898 bytes Desc: not available URL: From jhrozek at redhat.com Tue Mar 10 09:23:11 2009
From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 10 Mar 2009 10:23:11 +0100 Subject: [Freeipa-devel] [PATCH] sss_groupmod In-Reply-To: <1236624157.3975.17.camel@localhost.localdomain> References: <1236613753.4423.41.camel@zeppelin.englab.brq.redhat.com> <1236624157.3975.17.camel@localhost.localdomain> Message-ID: <1236676991.25487.8.camel@hendrix> On Mon, 2009-03-09 at 14:42 -0400, Simo Sorce wrote: > Yes, I would like to conceal the options to modify/set the uid/gid. > > Simo. Patch attached. Jakub -------------- next part -------------- A non-text attachment was scrubbed... Name: 0003-Hide-uid-and-gid-options-in-usermod-and-groupmod.patch Type: application/mbox Size: 2017 bytes Desc: not available URL: From sgallagh at redhat.com Tue Mar 10 11:45:46 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 10 Mar 2009 07:45:46 -0400 Subject: [Freeipa-devel] [PATCH] Clean-up patches In-Reply-To: <1236654341.3731.18.camel@localhost.localdomain> References: <1236654341.3731.18.camel@localhost.localdomain> Message-ID: <49B652EA.7010809@redhat.com> Simo Sorce wrote: > 1. avoid duplication of attribute names definitions > 2. move MPG logic within sysdb > > (for 2. next step will be returning users as groups if the domain is mpg > enabled) > > Simo. Ack to both patches, but I would like to recommend that we make sure to include the MPG constraints in any documentation we might write for SSSD. Notably, we should probably have some manpages for the commandline tools that spell this out explicitly. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Tue Mar 10 11:53:54 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 10 Mar 2009 07:53:54 -0400 Subject: [Freeipa-devel] [PATCH] Always pass ss_domain_info to sysdb functions In-Reply-To: <1236665517.3731.19.camel@localhost.localdomain> References: <1236665517.3731.19.camel@localhost.localdomain> Message-ID: <49B654D2.7070305@redhat.com> Simo Sorce wrote: > Prerequisite for next MPG patch > > Simo. Ack -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Tue Mar 10 11:55:06 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 10 Mar 2009 07:55:06 -0400 Subject: [Freeipa-devel] [PATCH] Fix bugs found while testing MPG groups In-Reply-To: <1236665555.3731.20.camel@localhost.localdomain> References: <1236665555.3731.20.camel@localhost.localdomain> Message-ID: <49B6551A.1070809@redhat.com> Simo Sorce wrote: > see $subject Ack -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Tue Mar 10 11:59:04 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 10 Mar 2009 07:59:04 -0400 Subject: [Freeipa-devel] [PATCH] FIx nss protocol to return proper size for ids In-Reply-To: <1236665743.3731.24.camel@localhost.localdomain> References: <1236665743.3731.24.camel@localhost.localdomain> Message-ID: <49B65608.1070202@redhat.com> Simo Sorce wrote: > Initially, for some reason I decided to use 64 bit numbers to hold uid > and gid values. But no platform supports 64 bit ids, only 32bit ones (and > some platforms have support for some sort of UUIDs which are 128bit and > are not returned by the nss interface). > > Change the protocol to not waste bits needlessly and use 32 bit IDs > > Simo. Ack -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Tue Mar 10 12:08:52 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 10 Mar 2009 08:08:52 -0400 Subject: [Freeipa-devel] [PATCH] Implement returning users as MPGs In-Reply-To: <1236665625.3731.22.camel@localhost.localdomain> References: <1236665625.3731.22.camel@localhost.localdomain> Message-ID: <49B65854.60503@redhat.com> Simo Sorce wrote: > With this patch a domain set as MPG will return user entries as private > groups as well when returning getpwnam/getgrgid/getgrent calls. > > Simo. Ack -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Tue Mar 10 12:18:55 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 10 Mar 2009 08:18:55 -0400 Subject: [Freeipa-devel] [PATCH] Correct use of chkconfig in initscript and specfile In-Reply-To: <1236675851.25487.6.camel@hendrix> References: <1236675851.25487.6.camel@hendrix> Message-ID: <49B65AAF.7000705@redhat.com> Jakub Hrozek wrote: > This patch contains the final comments Martin had during the interview > (incorrect use of chkconfig, don't need to explicitly set --prefix), > owns groupmod and the new filename of libnss. > > Jakub Ack -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Tue Mar 10 12:19:43 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 10 Mar 2009 08:19:43 -0400 Subject: [Freeipa-devel] [PATCH] sss_groupmod In-Reply-To: <1236676991.25487.8.camel@hendrix> References: <1236613753.4423.41.camel@zeppelin.englab.brq.redhat.com> <1236624157.3975.17.camel@localhost.localdomain> <1236676991.25487.8.camel@hendrix> Message-ID: <49B65ADF.3010205@redhat.com> Jakub Hrozek wrote: > On Mon, 2009-03-09 at 14:42 -0400, Simo Sorce wrote: >> Yes, I would like to conceal the options to modify/set the uid/gid. >> >> Simo. > > Patch attached. > > Jakub I like this approach. Ack -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ssorce at redhat.com Tue Mar 10 13:45:00 2009
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 10 Mar 2009 09:45:00 -0400 Subject: [Freeipa-devel] [PATCH] added generic PAM return messages and a false login delay In-Reply-To: <49B58B6E.8070100@redhat.com> References: <49B52D01.60308@redhat.com> <1236626124.3975.31.camel@localhost.localdomain> <49B58B6E.8070100@redhat.com> Message-ID: <1236692700.7708.5.camel@localhost.localdomain> On Mon, 2009-03-09 at 22:34 +0100, Sumit Bose wrote: > Simo Sorce wrote: > > On Mon, 2009-03-09 at 15:51 +0100, Sumit Bose wrote: > >> Hi, > >> > >> this patch integrates the data sent back to the client into the > main > >> pam_data struct making it more flexible. It also moves the delay > after > >> a > >> wrong password from the LOCAL backend into the responder to allow > >> other > >> backends to use it. > > > > I guess you need to respin this one. > > > > Simo. > > > > find it here. ack and pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Mar 10 13:45:49 2009
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 10 Mar 2009 09:45:49 -0400 Subject: [Freeipa-devel] [PATCH] Clean-up patches In-Reply-To: <49B652EA.7010809@redhat.com> References: <1236654341.3731.18.camel@localhost.localdomain> <49B652EA.7010809@redhat.com> Message-ID: <1236692749.7708.6.camel@localhost.localdomain> On Tue, 2009-03-10 at 07:45 -0400, Stephen Gallagher wrote: > Simo Sorce wrote: > > 1. avoid duplication of attribute names definitions > > 2. move MPG logic within sysdb > > > > (for 2. next step will be returning users as groups if the domain is > mpg > > enabled) > > Ack to both patches, but I would like to recommend that we make sure > to > include the MPG constraints in any documentation we might write for > SSSD. Notably, we should probably have some manpages for the > commandline > tools that spell this out explicitly. pushed and yes we need to prominently doc it, who wants to volunteer to write manpages ? Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Mar 10 13:46:17 2009 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 10 Mar 2009 09:46:17 -0400 Subject: [Freeipa-devel] [PATCH] Always pass ss_domain_info to sysdb functions In-Reply-To: <49B654D2.7070305@redhat.com> References: <1236665517.3731.19.camel@localhost.localdomain> <49B654D2.7070305@redhat.com> Message-ID: <1236692777.7708.7.camel@localhost.localdomain> On Tue, 2009-03-10 at 07:53 -0400, Stephen Gallagher wrote: > Simo Sorce wrote: > > Prerequisite for next MPG patch > > Ack pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Mar 10 13:46:42 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 10 Mar 2009 09:46:42 -0400 Subject: [Freeipa-devel] [PATCH] Fix bugs found while testing MPG groups In-Reply-To: <49B6551A.1070809@redhat.com> References: <1236665555.3731.20.camel@localhost.localdomain> <49B6551A.1070809@redhat.com> Message-ID: <1236692802.7708.8.camel@localhost.localdomain> On Tue, 2009-03-10 at 07:55 -0400, Stephen Gallagher wrote: > Simo Sorce wrote: > > see $subject > > Ack pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Mar 10 13:46:58 2009 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 10 Mar 2009 09:46:58 -0400 Subject: [Freeipa-devel] [PATCH] FIx nss protocol to return proper size for ids In-Reply-To: <49B65608.1070202@redhat.com> References: <1236665743.3731.24.camel@localhost.localdomain> <49B65608.1070202@redhat.com> Message-ID: <1236692818.7708.9.camel@localhost.localdomain> On Tue, 2009-03-10 at 07:59 -0400, Stephen Gallagher wrote: > Simo Sorce wrote: > > Initially, for some reason I decided to use 64 bit numbers to hold > uid > > and gid values. But no platform supports 64 bit ids, only 32bit ones > (and > > some platforms have support for some sort of UUIDs which are 128bit > and > > are not returned by the nss interface). > > > > Change the protocol to not waste bits needlessly and use 32 bit IDs > > Ack pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Mar 10 13:47:15 2009
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 10 Mar 2009 09:47:15 -0400 Subject: [Freeipa-devel] [PATCH] Implement returning users as MPGs In-Reply-To: <49B65854.60503@redhat.com> References: <1236665625.3731.22.camel@localhost.localdomain> <49B65854.60503@redhat.com> Message-ID: <1236692835.7708.10.camel@localhost.localdomain> On Tue, 2009-03-10 at 08:08 -0400, Stephen Gallagher wrote: > Simo Sorce wrote: > > With this patch a domain set as MPG will return user entries as > private > > groups as well when returning getpwnam/getgrgid/getgrent calls. > > Ack pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Mar 10 13:47:29 2009 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 10 Mar 2009 09:47:29 -0400 Subject: [Freeipa-devel] [PATCH] Correct use of chkconfig in initscript and specfile In-Reply-To: <1236675851.25487.6.camel@hendrix> References: <1236675851.25487.6.camel@hendrix> Message-ID: <1236692849.7708.11.camel@localhost.localdomain> On Tue, 2009-03-10 at 10:04 +0100, Jakub Hrozek wrote: > > This patch contains the final comments Martin had during the interview > (incorrect use of chkconfig, don't need to explicitly set --prefix), > owns groupmod and the new filename of libnss. ack and pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Mar 10 13:47:48 2009
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 10 Mar 2009 09:47:48 -0400 Subject: [Freeipa-devel] [PATCH] sss_groupmod In-Reply-To: <1236676991.25487.8.camel@hendrix> References: <1236613753.4423.41.camel@zeppelin.englab.brq.redhat.com> <1236624157.3975.17.camel@localhost.localdomain> <1236676991.25487.8.camel@hendrix> Message-ID: <1236692868.7708.12.camel@localhost.localdomain> On Tue, 2009-03-10 at 10:23 +0100, Jakub Hrozek wrote: > On Mon, 2009-03-09 at 14:42 -0400, Simo Sorce wrote: > > Yes, I would like to conceal the options to modify/set the uid/gid. > > Patch attached. ack and pushed -- Simo Sorce * Red Hat, Inc * New York From jhrozek at redhat.com Tue Mar 10 14:09:21 2009 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 10 Mar 2009 15:09:21 +0100 Subject: [Freeipa-devel] [PATCH] Clean-up patches In-Reply-To: <1236692749.7708.6.camel@localhost.localdomain> References: <1236654341.3731.18.camel@localhost.localdomain> <49B652EA.7010809@redhat.com> <1236692749.7708.6.camel@localhost.localdomain> Message-ID: <1236694161.3552.5.camel@zeppelin.englab.brq.redhat.com> On Tue, 2009-03-10 at 09:45 -0400, Simo Sorce wrote: > > Ack to both patches, but I would like to recommend that we make sure > > to > > include the MPG constraints in any documentation we might write for > > SSSD. Notably, we should probably have some manpages for the > > commandline > > tools that spell this out explicitly. > > pushed > > and yes we need to prominently doc it, who wants to volunteer to write > manpages ? I will certainly write manpages for the cmdline tools. I might as well write manpages for other parts of sssd, if needed. But the question is - what format? Pure troff? XML/Docbook? I'm in favor of XML as it gives us much more flexibility when it comes to output to various formats, etc. Jakub From sgallagh at redhat.com Tue Mar 10 14:31:45 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 10 Mar 2009 10:31:45 -0400 Subject: [Freeipa-devel] [PATCH] Fix copy-paste error in InfoPipe CreateUser Message-ID: <49B679D1.2090504@redhat.com> $SUBJECT plus add missing loginShell parameter. I'm not sure how this managed to get by both myself and code-review. Too much code, not enough time, I guess. Additionally, I found a problematic disconnect between the sysdb functions and the NSS provider. The sysdb allows setting users with no loginShell, fullName, etc. parameters, but any users missing any of the POSIX fields are not returned by getpw* functions because they are incomplete. Either we need to modify the sysdb user_add_call() to at least store an empty string, or we need to have the NSS provider handle nonexistent fields as an empty string. I'm more in favor of the latter, as it will catch further mistakes if they are made. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Fix-copy-paste-error-in-InfoPipe-CreateUser.patch URL: From ssorce at redhat.com Tue Mar 10 14:58:00 2009
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 10 Mar 2009 10:58:00 -0400 Subject: [Freeipa-devel] [PATCH] Clean-up patches In-Reply-To: <1236694161.3552.5.camel@zeppelin.englab.brq.redhat.com> References: <1236654341.3731.18.camel@localhost.localdomain> <49B652EA.7010809@redhat.com> <1236692749.7708.6.camel@localhost.localdomain> <1236694161.3552.5.camel@zeppelin.englab.brq.redhat.com> Message-ID: <1236697080.7708.15.camel@localhost.localdomain> On Tue, 2009-03-10 at 15:09 +0100, Jakub Hrozek wrote: > On Tue, 2009-03-10 at 09:45 -0400, Simo Sorce wrote: > > > Ack to both patches, but I would like to recommend that we make sure > > > to > > > include the MPG constraints in any documentation we might write for > > > SSSD. Notably, we should probably have some manpages for the > > > commandline > > > tools that spell this out explicitly. > > > > pushed > > > > and yes we need to prominently doc it, who wants to volunteer to write > > manpages ? > > I will certainly write manpages for the cmdline tools. I might as well > write manpages for other parts of sssd, if needed. > > But the question is - what format? Pure troff? XML/Docbook? I'm in favor > of XML as it gives us much more flexibility when it comes to output to > various formats, etc. I tend to favor XML but it had also been a pain in the past within the samba project at times. If we do that I would also vote to pre-build the man pages in the official tarballs, so that people don't have to get crazy just to build them. Simo. -- Simo Sorce * Red Hat, Inc * New York From sbose at redhat.com Tue Mar 10 14:59:17 2009
From: sbose at redhat.com (Sumit Bose) Date: Tue, 10 Mar 2009 15:59:17 +0100 Subject: [Freeipa-devel] [PATCH] Clean-up patches In-Reply-To: <1236697080.7708.15.camel@localhost.localdomain> References: <1236654341.3731.18.camel@localhost.localdomain> <49B652EA.7010809@redhat.com> <1236692749.7708.6.camel@localhost.localdomain> <1236694161.3552.5.camel@zeppelin.englab.brq.redhat.com> <1236697080.7708.15.camel@localhost.localdomain> Message-ID: <49B68045.2020006@redhat.com> Simo Sorce wrote: > On Tue, 2009-03-10 at 15:09 +0100, Jakub Hrozek wrote: >> On Tue, 2009-03-10 at 09:45 -0400, Simo Sorce wrote: >>>> Ack to both patches, but I would like to recommend that we make sure >>>> to >>>> include the MPG constraints in any documentation we might write for >>>> SSSD. Notably, we should probably have some manpages for the >>>> commandline >>>> tools that spell this out explicitly. >>> pushed >>> >>> and yes we need to prominently doc it, who wants to volunteer to write >>> manpages ? >> I will certainly write manpages for the cmdline tools. I might as well >> write manpages for other parts of sssd, if needed. >> >> But the question is - what format? Pure troff? XML/Docbook? I'm in favor >> of XML as it gives us much more flexibility when it comes to output to >> various formats, etc. > > I tend to favor XML but it had also been a pain in the past within the > samba project at times. If we do that I would also vote to pre-build the > man pages in the official tarballs, so that people don't have to get > crazy just to build them. > > Simo. > +1 bye, Sumit From ssorce at redhat.com Tue Mar 10 15:00:52 2009
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 10 Mar 2009 11:00:52 -0400 Subject: [Freeipa-devel] [PATCH] Make NSS responded less picky about missing attributes Message-ID: <1236697252.7708.16.camel@localhost.localdomain> This should solve the disconnect Steve found with sysdb interfaces and NSS Responder expectations. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-returning-user-with-missing-optional-attributes.patch Type: text/x-patch Size: 4750 bytes Desc: not available URL: From sgallagh at redhat.com Tue Mar 10 16:51:49 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 10 Mar 2009 12:51:49 -0400 Subject: [Freeipa-devel] Policy and multiple back-end domains Message-ID: <49B69AA5.1030206@redhat.com> Dmitri and I just had a very interesting discussion on policies in the SSSD. Since we support multiple domain back-ends, we need to consider the implications of multiple policy providers. We don't want a client machine that is connected to (for example) an IPA provider and a Samba provider to be attempting to apply conflicting policies. My suggestion is that we separate policy into two primary types: user and machine. User policy could be provided by any number of domains, as it would only apply to those users the domain served. This would be policy such as host-based access control, password complexity, etc. Machine policy should be restricted to only one domain (the domain that the SSSD client is enrolled with for machine identity) and would provide policy for global machine configuration. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Tue Mar 10 16:54:00 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 10 Mar 2009 12:54:00 -0400 Subject: [Freeipa-devel] [PATCH] Make NSS responded less picky about missing attributes In-Reply-To: <1236697252.7708.16.camel@localhost.localdomain> References: <1236697252.7708.16.camel@localhost.localdomain> Message-ID: <49B69B28.3040508@redhat.com> Simo Sorce wrote: > This should solve the disconnect Steve found with sysdb interfaces and > NSS Responder expectations. > > Simo. One issue. I thought our plan was that on initial user creation we were going to populate both GECOS and FULLNAME with the fullname, and then clients of the InfoPipe or commandline tools could change the values individually. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ssorce at redhat.com Tue Mar 10 18:33:01 2009
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 10 Mar 2009 14:33:01 -0400 Subject: [Freeipa-devel] [PATCH] Make NSS responded less picky about missing attributes In-Reply-To: <49B69B28.3040508@redhat.com> References: <1236697252.7708.16.camel@localhost.localdomain> <49B69B28.3040508@redhat.com> Message-ID: <1236709981.7708.25.camel@localhost.localdomain> On Tue, 2009-03-10 at 12:54 -0400, Stephen Gallagher wrote: > Simo Sorce wrote: > > This should solve the disconnect Steve found with sysdb interfaces and > > NSS Responder expectations. > > > One issue. I thought our plan was that on initial user creation we were > going to populate both GECOS and FULLNAME with the fullname, and then > clients of the InfoPipe or commandline tools could change the values > individually. Yes but I think we should do this in the Infopipe. For pure CLI clients the fullname is not a visible field so I don't think it makes sense to fill it. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Mar 10 18:40:46 2009
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 10 Mar 2009 14:40:46 -0400 Subject: [Freeipa-devel] Policy and multiple back-end domains In-Reply-To: <49B69AA5.1030206@redhat.com> References: <49B69AA5.1030206@redhat.com> Message-ID: <1236710446.7708.32.camel@localhost.localdomain> On Tue, 2009-03-10 at 12:51 -0400, Stephen Gallagher wrote: > Dmitri and I just had a very interesting discussion on policies in the > SSSD. Since we support multiple domain back-ends, we need to consider > the implications of multiple policy providers. We don't want a client > machine that is connected to (for example) an IPA provider and a Samba > provider to be attempting to apply conflicting policies. > > My suggestion is that we separate policy into two primary types: user > and machine. > > User policy could be provided by any number of domains, as it would only > apply to those users the domain served. This would be policy such as > host-based access control, password complexity, etc. > > Machine policy should be restricted to only one domain (the domain that > the SSSD client is enrolled with for machine identity) and would provide > policy for global machine configuration. We discussed this problem with Sumit at the time. We already decided that policies are only downloaded from the domain we are enrolled with and we have credentials in as you suggest. Identity related policies are indeed domain-bound, but password complexity is not something that is pushed down to the client for example, it is enforced in the server. As for host based access control that's not a clear cut user vs machine policy as it ties both. That one should be still tied to the joined domain IMO, otherwise it would be problematic if conflicting policies exist in different domains. What we might want to think about is how to represent foreign users in HBAC rules in case that is needed.
(For example allow foo at LOCAL access on machines using IPA HBAC policies) Simo. Simo. -- Simo Sorce * Red Hat, Inc * New York From sgallagh at redhat.com Tue Mar 10 18:43:45 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 10 Mar 2009 14:43:45 -0400 Subject: [Freeipa-devel] [PATCH] Make NSS responded less picky about missing attributes In-Reply-To: <1236709981.7708.25.camel@localhost.localdomain> References: <1236697252.7708.16.camel@localhost.localdomain> <49B69B28.3040508@redhat.com> <1236709981.7708.25.camel@localhost.localdomain> Message-ID: <49B6B4E1.6040800@redhat.com> Simo Sorce wrote: > On Tue, 2009-03-10 at 12:54 -0400, Stephen Gallagher wrote: >> Simo Sorce wrote: >>> This should solve the disconnect Steve found with sysdb interfaces and >>> NSS Responder expectations. >>> > >> One issue. I thought our plan was that on initial user creation we were >> going to populate both GECOS and FULLNAME with the fullname, and then >> clients of the InfoPipe or commandline tools could change the values >> individually. > > Yes but I think we should do this in the Infopipe. > For pure CLI clients the fullname is not a visible field so I don't > think it makes sense to fill it. > > Simo. > My primary concern here then is to make sure that both of those fields are exposed by add_user_call() -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ssorce at redhat.com Tue Mar 10 18:48:02 2009
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 10 Mar 2009 14:48:02 -0400 Subject: [Freeipa-devel] [PATCH] Make NSS responded less picky about missing attributes In-Reply-To: <49B6B4E1.6040800@redhat.com> References: <1236697252.7708.16.camel@localhost.localdomain> <49B69B28.3040508@redhat.com> <1236709981.7708.25.camel@localhost.localdomain> <49B6B4E1.6040800@redhat.com> Message-ID: <1236710882.7708.33.camel@localhost.localdomain> On Tue, 2009-03-10 at 14:43 -0400, Stephen Gallagher wrote: > Simo Sorce wrote: > > On Tue, 2009-03-10 at 12:54 -0400, Stephen Gallagher wrote: > >> Simo Sorce wrote: > >>> This should solve the disconnect Steve found with sysdb interfaces and > >>> NSS Responder expectations. > >>> > > > >> One issue. I thought our plan was that on initial user creation we were > >> going to populate both GECOS and FULLNAME with the fullname, and then > >> clients of the InfoPipe or commandline tools could change the values > >> individually. > > > > Yes but I think we should do this in the Infopipe. > > For pure CLI clients the fullname is not a visible field so I don't > > think it makes sense to fill it. > > > > Simo. > > > > My primary concern here then is to make sure that both of those fields > are exposed by add_user_call() aah I see, uhmmmmm ok I will change add_user to set both and push the patch, ok? Simo. -- Simo Sorce * Red Hat, Inc * New York From sgallagh at redhat.com Tue Mar 10 18:54:03 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 10 Mar 2009 14:54:03 -0400 Subject: [Freeipa-devel] [PATCH] Make NSS responded less picky about missing attributes In-Reply-To: <1236710882.7708.33.camel@localhost.localdomain> References: <1236697252.7708.16.camel@localhost.localdomain> <49B69B28.3040508@redhat.com> <1236709981.7708.25.camel@localhost.localdomain> <49B6B4E1.6040800@redhat.com> <1236710882.7708.33.camel@localhost.localdomain> Message-ID: <49B6B74B.8090604@redhat.com> Simo Sorce wrote: > On Tue, 2009-03-10 at 14:43 -0400, Stephen Gallagher wrote: >> Simo Sorce wrote: >>> On Tue, 2009-03-10 at 12:54 -0400, Stephen Gallagher wrote: >>>> Simo Sorce wrote: >>>>> This should solve the disconnect Steve found with sysdb interfaces and >>>>> NSS Responder expectations. >>>>> >>>> One issue. I thought our plan was that on initial user creation we were >>>> going to populate both GECOS and FULLNAME with the fullname, and then >>>> clients of the InfoPipe or commandline tools could change the values >>>> individually. >>> Yes but I think we should do this in the Infopipe. >>> For pure CLI clients the fullname is not a visible field so I don't >>> think it makes sense to fill it. >>> >>> Simo. >>> >> My primary concern here then is to make sure that both of those fields >> are exposed by add_user_call() > > aah I see, uhmmmmm ok I will change add_user to set both and push the > patch, ok? > > Simo. > Ack -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ssorce at redhat.com Tue Mar 10 19:09:25 2009
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 10 Mar 2009 15:09:25 -0400 Subject: [Freeipa-devel] [PATCH] Make NSS responded less picky about missing attributes In-Reply-To: <49B6B74B.8090604@redhat.com> References: <1236697252.7708.16.camel@localhost.localdomain> <49B69B28.3040508@redhat.com> <1236709981.7708.25.camel@localhost.localdomain> <49B6B4E1.6040800@redhat.com> <1236710882.7708.33.camel@localhost.localdomain> <49B6B74B.8090604@redhat.com> Message-ID: <1236712165.7708.34.camel@localhost.localdomain> On Tue, 2009-03-10 at 14:54 -0400, Stephen Gallagher wrote: > Simo Sorce wrote: > > On Tue, 2009-03-10 at 14:43 -0400, Stephen Gallagher wrote: > >> Simo Sorce wrote: > >>> On Tue, 2009-03-10 at 12:54 -0400, Stephen Gallagher wrote: > >>>> Simo Sorce wrote: > >>>>> This should solve the disconnect Steve found with sysdb interfaces and > >>>>> NSS Responder expectations. > >>>>> > >>>> One issue. I thought our plan was that on initial user creation we were > >>>> going to populate both GECOS and FULLNAME with the fullname, and then > >>>> clients of the InfoPipe or commandline tools could change the values > >>>> individually. > >>> Yes but I think we should do this in the Infopipe. > >>> For pure CLI clients the fullname is not a visible field so I don't > >>> think it makes sense to fill it. > >>> > >>> Simo. > >>> > >> My primary concern here then is to make sure that both of those fields > >> are exposed by add_user_call() > > > > aah I see, uhmmmmm ok I will change add_user to set both and push the > > patch, ok? > > > > Simo. > > > > Ack pushed -- Simo Sorce * Red Hat, Inc * New York From sbose at redhat.com Wed Mar 11 08:49:21 2009
From: sbose at redhat.com (Sumit Bose) Date: Wed, 11 Mar 2009 09:49:21 +0100 Subject: [Freeipa-devel] Policy and multiple back-end domains In-Reply-To: <1236710446.7708.32.camel@localhost.localdomain> References: <49B69AA5.1030206@redhat.com> <1236710446.7708.32.camel@localhost.localdomain> Message-ID: <49B77B11.5000506@redhat.com> Simo Sorce wrote: > On Tue, 2009-03-10 at 12:51 -0400, Stephen Gallagher wrote: >> Dmitri and I just had a very interesting discussion on policies in the >> SSSD. Since we support multiple domain back-ends, we need to consider >> the implications of multiple policy providers. We don't want a client >> machine that is connected to (for example) an IPA provider and a Samba >> provider to be attempting to apply conflicting policies. >> >> My suggestion is that we separate policy into two primary types: user >> and machine. >> >> User policy could be provided by any number of domains, as it would only >> apply to those users the domain served. This would be policy such as >> host-based access control, password complexity, etc. >> >> Machine policy should be restricted to only one domain (the domain that >> the SSSD client is enrolled with for machine identity) and would provide >> policy for global machine configuration. > > We discussed this problem with Sumit at the time. > We already decided that policies are only downloaded from the domain we > are enrolled with and we have credentials in as you suggest. > > Identity related policies are indeed domain-bound, but password > complexity is not something that is pushed down to the client for > example, it is enforced in the server. > > As for host based access control that's not a clear cut user vs machine > policy as it ties both. > That one should be still tied to the joined domain IMO, otherwise it > would be problematic if conflicting policies exist in different domains.
> > What we might want to think about is how to represent foreign users in > HBAC rules in case that is needed. (For example allow foo at LOCAL access > on machines using IPA HBAC policies) > I would prefer to download the policies from the domain where the client is registered. If there are cases in the future where it makes sense to pull policies from other domains, we can implement a server side approach. The IPA server can request the relevant policies from the other domain, maybe filter them, and send to the client. With this we can control which policy from the other domain shall be valid in our domain with respect to the user and the client. bye, Sumit From sbose at redhat.com Wed Mar 11 13:22:38 2009 From: sbose at redhat.com (Sumit Bose) Date: Wed, 11 Mar 2009 14:22:38 +0100 Subject: [Freeipa-devel] [PATCH] remove DEBUG option from pam_sss Message-ID: <49B7BB1E.5070802@redhat.com> Hi, I'm very sorry, but I forgot to remove the -DDEBUG from the pam_sss CFLAGS. As a result the user may see some unneeded debug messages. bye, Sumit -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-added-generic-PAM-return-messages-and-a-false-login.patch URL: From sbose at redhat.com Wed Mar 11 13:24:16 2009
From: sbose at redhat.com (Sumit Bose) Date: Wed, 11 Mar 2009 14:24:16 +0100 Subject: [Freeipa-devel] [PATCH] remove DEBUG option from pam_sss In-Reply-To: <49B7BB1E.5070802@redhat.com> References: <49B7BB1E.5070802@redhat.com> Message-ID: <49B7BB80.9020305@redhat.com> bah, wrong patch, too. sorry again Sumit Bose schrieb: > Hi, > > I'm very sorry, but I forgot to remove the -DDEBUG from the pam_sss > CFLAGS. As a result the user may see some unneeded debug messages. > > bye, > Sumit -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-remove-DEBUG-option-from-pam_sss.patch URL: From ssorce at redhat.com Wed Mar 11 15:38:53 2009 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 11 Mar 2009 11:38:53 -0400 Subject: [Freeipa-devel] [PATCH] remove DEBUG option from pam_sss In-Reply-To: <49B7BB80.9020305@redhat.com> References: <49B7BB1E.5070802@redhat.com> <49B7BB80.9020305@redhat.com> Message-ID: <1236785933.14197.14.camel@localhost.localdomain> On Wed, 2009-03-11 at 14:24 +0100, Sumit Bose wrote: > > bah, wrong patch, too. sorry again > > Sumit Bose schrieb: > > Hi, > > > > I'm very sorry, but I forgot to remove the -DDEBUG from the pam_sss > > CFLAGS. As a result the user may see some unneeded debug messages. Sumit, I was thinking that maybe we want to fix Makefiles to be able to run: CFLAGS="-g -DDEBUG" make So that we can just rebuild with debug at will. Currently the makefile wipes out CFLAGS so this does not work. Can you spare some time to address this problem and resend a patch ? Simo. -- Simo Sorce * Red Hat, Inc * New York From sbose at redhat.com Wed Mar 11 18:42:45 2009
From: sbose at redhat.com (Sumit Bose) Date: Wed, 11 Mar 2009 19:42:45 +0100 Subject: [Freeipa-devel] [PATCH] remove DEBUG option from pam_sss In-Reply-To: <1236785933.14197.14.camel@localhost.localdomain> References: <49B7BB1E.5070802@redhat.com> <49B7BB80.9020305@redhat.com> <1236785933.14197.14.camel@localhost.localdomain> Message-ID: <49B80625.4080609@redhat.com> Simo Sorce schrieb: > On Wed, 2009-03-11 at 14:24 +0100, Sumit Bose wrote: >> bah, wrong patch, too. sorry again >> >> Sumit Bose schrieb: >>> Hi, >>> >>> I'm very sorry, but I forgot to remove the -DDEBUG from the pam_sss >>> CFLAGS. As a result the user may see some unneeded debug messages. > > Sumit, I was thinking that maybe we want to fix Makefiles to be able to > run: > CFLAGS="-g -DDEBUG" make > > So that we can just rebuild with debug at will. > Currently the makefile wipes out CFLAGS so this does not work. Can you > spare some time to address this problem and resend a patch ? > find it here. bye, Sumit -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-append-CFLAGS-environment-variable-to-Makefiles-CFLA.patch URL: From sbose at redhat.com Wed Mar 11 18:59:51 2009 From: sbose at redhat.com (Sumit Bose) Date: Wed, 11 Mar 2009 19:59:51 +0100 Subject: [Freeipa-devel] [PATCH] remove an unnecessary call to confdb Message-ID: <49B80A27.7090606@redhat.com> Hi, because the default domain is already present in the basic context, the call here is not needed. bye, Sumit -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-remove-an-unnecessary-call-to-confdb.patch URL: From ssorce at redhat.com Wed Mar 11 20:25:04 2009
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 11 Mar 2009 16:25:04 -0400 Subject: [Freeipa-devel] [PATCH] Fix handling SIGTERM Message-ID: <1236803104.14197.47.camel@localhost.localdomain> When in forked mode we were failing to properly kill children when the monitor received a SIGTERM signal. See why in the patch. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-calling-setsid-and-resolve-the-sssd-signal-bug.patch Type: text/x-patch Size: 1300 bytes Desc: not available URL: From sgallagh at redhat.com Wed Mar 11 20:26:53 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 11 Mar 2009 16:26:53 -0400 Subject: [Freeipa-devel] [PATCH] Fix handling SIGTERM In-Reply-To: <1236803104.14197.47.camel@localhost.localdomain> References: <1236803104.14197.47.camel@localhost.localdomain> Message-ID: <49B81E8D.4050406@redhat.com> Simo Sorce wrote: > When in forked mode we were failing to properly kill children when the > monitor received a SIGTERM signal. > See why in the patch. > > Simo. Ack -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ssorce at redhat.com Wed Mar 11 20:30:10 2009
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 11 Mar 2009 16:30:10 -0400 Subject: [Freeipa-devel] [PATCH] Fix copy-paste error in InfoPipe CreateUser In-Reply-To: <49B679D1.2090504@redhat.com> References: <49B679D1.2090504@redhat.com> Message-ID: <1236803410.14197.48.camel@localhost.localdomain> On Tue, 2009-03-10 at 10:31 -0400, Stephen Gallagher wrote: > $SUBJECT plus add missing loginShell parameter. > > I'm not sure how this managed to get by both myself and code-review. > > Too much code, not enough time, I guess. ack and pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Wed Mar 11 20:30:23 2009 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 11 Mar 2009 16:30:23 -0400 Subject: [Freeipa-devel] [PATCH] remove an unnecessary call to confdb In-Reply-To: <49B80A27.7090606@redhat.com> References: <49B80A27.7090606@redhat.com> Message-ID: <1236803423.14197.49.camel@localhost.localdomain> On Wed, 2009-03-11 at 19:59 +0100, Sumit Bose wrote: > because the default domain is already present in the basic context, > the > call here is not needed. ack and pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Wed Mar 11 20:30:46 2009 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 11 Mar 2009 16:30:46 -0400 Subject: [Freeipa-devel] [PATCH] Fix handling SIGTERM In-Reply-To: <49B81E8D.4050406@redhat.com> References: <1236803104.14197.47.camel@localhost.localdomain> <49B81E8D.4050406@redhat.com> Message-ID: <1236803446.14197.50.camel@localhost.localdomain> On Wed, 2009-03-11 at 16:26 -0400, Stephen Gallagher wrote: > Simo Sorce wrote: > > When in forked mode we were failing to properly kill children when > the > > monitor received a SIGTERM signal. > > See why in the patch. > > Ack pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Mar 13 03:05:52 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 12 Mar 2009 23:05:52 -0400 Subject: [Freeipa-devel] [PATCH] fix configure/makefile Message-ID: <1236913552.23130.1.camel@localhost.localdomain> We were setting absolute paths in conf_macros.m4 that's bad. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-makefiles.patch Type: text/x-patch Size: 5782 bytes Desc: not available URL: From ssorce at redhat.com Fri Mar 13 03:06:42 2009 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 12 Mar 2009 23:06:42 -0400 Subject: [Freeipa-devel] [PATCH] Implement negative cache in NSS Message-ID: <1236913602.23130.2.camel@localhost.localdomain> See $subjet & $commit Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Implement-Negative-cache-for-NSS.patch Type: text/x-patch Size: 19410 bytes Desc: not available URL: From jderose at redhat.com Fri Mar 13 07:01:22 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Fri, 13 Mar 2009 01:01:22 -0600 Subject: [Freeipa-devel] [PATCH] Make Executioner.execute() work with params named 'name' Message-ID: <1236927682.18679.5.camel@jgd-dsk> Rob discovered that Executioner.execute() would bomb out if the command had a param name 'name' and the value was supplied via a kwarg. This patch fixes the issue and also adds a test to confirm the fix. -------------- next part -------------- A non-text attachment was scrubbed... Name: Fix-Executioner-execute.patch Type: text/x-patch Size: 2389 bytes Desc: not available URL: From sgallagh at redhat.com Fri Mar 13 11:34:37 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 13 Mar 2009 07:34:37 -0400 Subject: [Freeipa-devel] [PATCH] fix configure/makefile In-Reply-To: <1236913552.23130.1.camel@localhost.localdomain> References: <1236913552.23130.1.camel@localhost.localdomain> Message-ID: <49BA44CD.3010004@redhat.com> Simo Sorce wrote: > We were setting absolute paths in conf_macros.m4 that's bad. > > Simo. Nack. If you don't pass a value for the --with-* macros, the defaults in config.h are unusable. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Fri Mar 13 11:44:15 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 13 Mar 2009 07:44:15 -0400 Subject: [Freeipa-devel] [PATCH] Implement negative cache in NSS In-Reply-To: <1236913602.23130.2.camel@localhost.localdomain> References: <1236913602.23130.2.camel@localhost.localdomain> Message-ID: <49BA470F.1020208@redhat.com> Simo Sorce wrote: > See $subjet & $commit > > Simo. Nack. Missing the nsssrv_nc.c and .h files. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sbose at redhat.com Fri Mar 13 11:54:10 2009 From: sbose at redhat.com (Sumit Bose) Date: Fri, 13 Mar 2009 12:54:10 +0100 Subject: [Freeipa-devel] [PATCH] fix configure/makefile In-Reply-To: <1236913552.23130.1.camel@localhost.localdomain> References: <1236913552.23130.1.camel@localhost.localdomain> Message-ID: <49BA4962.7090606@redhat.com> Simo Sorce schrieb: > We were setting absolute paths in conf_macros.m4 that's bad. > can you add the pipe-path stuff to sss_client, too, and change the fixed pipe path in sss_cli.h? Why do you want the config.h variable expand at compile time and not the ones the Makefile uses? bye, Sumit From ssorce at redhat.com Fri Mar 13 12:26:30 2009
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 13 Mar 2009 08:26:30 -0400 Subject: [Freeipa-devel] [PATCH] fix configure/makefile In-Reply-To: <49BA4962.7090606@redhat.com> References: <1236913552.23130.1.camel@localhost.localdomain> <49BA4962.7090606@redhat.com> Message-ID: <1236947190.23130.6.camel@localhost.localdomain> On Fri, 2009-03-13 at 12:54 +0100, Sumit Bose wrote: > Simo Sorce schrieb: > > We were setting absolute paths in conf_macros.m4 that's bad. > > > > can you add the pipe-path stuff to sss_client, too, and change the fixed > pipe path in sss_cli.h? Why do you want the config.h variable expand at > compile time and not the ones the Makefile uses? It was a compromise, because you cannot fully expand variables that contain other variables at configure time. If I use ${libexec}/foo for example, in config.h I will usually get ${prefix}/libexec/foo and not /usr/libexec/foo, that's because at configure time only the outpost variable is substituted. As for sss_cli.h I will address it in another patch. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Mar 13 12:39:51 2009 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 13 Mar 2009 08:39:51 -0400 Subject: [Freeipa-devel] [PATCH] fix configure/makefile In-Reply-To: <49BA44CD.3010004@redhat.com> References: <1236913552.23130.1.camel@localhost.localdomain> <49BA44CD.3010004@redhat.com> Message-ID: <1236947991.23130.17.camel@localhost.localdomain> On Fri, 2009-03-13 at 07:34 -0400, Stephen Gallagher wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Simo Sorce wrote: > > We were setting absolute paths in conf_macros.m4 that's bad. > > > > Simo. > Nack. If you don't pass a value for the --with-* macros, the defaults in > config.h are unusable. Care to explain? Seem to work fine for me. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Mar 13 12:42:18 2009
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 13 Mar 2009 08:42:18 -0400 Subject: [Freeipa-devel] [PATCH] Implement negative cache in NSS In-Reply-To: <49BA470F.1020208@redhat.com> References: <1236913602.23130.2.camel@localhost.localdomain> <49BA470F.1020208@redhat.com> Message-ID: <1236948138.23130.18.camel@localhost.localdomain> On Fri, 2009-03-13 at 07:44 -0400, Stephen Gallagher wrote: > Simo Sorce wrote: > > See $subjet & $commit > Nack. Missing the nsssrv_nc.c and .h files. Ouch, here is a new one with the _nc. files. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Implement-Negative-cache-for-NSS.patch Type: text/x-patch Size: 27875 bytes Desc: not available URL: From ssorce at redhat.com Fri Mar 13 12:43:53 2009 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 13 Mar 2009 08:43:53 -0400 Subject: [Freeipa-devel] [PATCH] Make Executioner.execute() work with params named 'name' In-Reply-To: <1236927682.18679.5.camel@jgd-dsk> References: <1236927682.18679.5.camel@jgd-dsk> Message-ID: <1236948233.23130.19.camel@localhost.localdomain> On Fri, 2009-03-13 at 01:01 -0600, Jason Gerard DeRose wrote: > Rob discovered that Executioner.execute() would bomb out if the > command > had a param name 'name' and the value was supplied via a kwarg. > > This patch fixes the issue and also adds a test to confirm the fix. ack -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Fri Mar 13 13:28:26 2009 
From: dpal at redhat.com (Dmitri Pal) Date: Fri, 13 Mar 2009 09:28:26 -0400 Subject: [Freeipa-devel] Re: freeipa server + how to joining opensuse clients In-Reply-To: <1236930680.6988.10.camel@tango> References: <1236927682.18679.5.camel@jgd-dsk> <1236930680.6988.10.camel@tango> Message-ID: <49BA5F7A.3050107@redhat.com> Hi, The latest freeIPA version 1.2.1 is not capable of enrolling machines into domain. There is no thick client component that would work with the server and make the system a part of the domain. This is the functionality we are building as we speak. IPA 1.2.1 allows you to point your client pam_krb5 and nss_ldap to the central server IPA and to perform authentication and user/group information lookup against the central location. To configure pam and nss on the client see the documentation on the site: http://www.freeipa.org/page/ClientConfigurationGuide Also there will probably be a doc refresh on the site some time soon. Thanks, Dmitri Byambaa Mendbayar wrote: > Dear developers, > > I want to join my linux clients (opensuse 11.1) in freeipa server domain > (rmwg.mn.), how can I do that. Of course before I had read some > documents from freeipa.org web site [1]. But I have still unclear to > joining my clients on my server domain. > > Should I use 'Yast->Network Services->Windows Domain Membership' > function for joining my opensuse client to the freeipa server's > domain? > > [1] - > http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step > > Please, help to me. > > With best regards, > B.Mendbayar > > > -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From mendbayar_b at e-map.mn Fri Mar 13 07:51:20 2009 
From: mendbayar_b at e-map.mn (Byambaa Mendbayar) Date: Fri, 13 Mar 2009 15:51:20 +0800 Subject: [Freeipa-devel] freeipa server + how to joining opensuse clients In-Reply-To: <1236927682.18679.5.camel@jgd-dsk> References: <1236927682.18679.5.camel@jgd-dsk> Message-ID: <1236930680.6988.10.camel@tango> Dear developers, I want to join my linux clients (opensuse 11.1) in freeipa server domain (rmwg.mn.), how can I do that. Of course before I had read some documents from freeipa.org web site [1]. But I have still unclear to joining my clients on my server domain. Should I use 'Yast->Network Services->Windows Domain Membership' function for joining my opensuse client to the freeipa server's domain? [1] - http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step Please, help to me. With best regards, B.Mendbayar From sgallagh at redhat.com Fri Mar 13 13:40:03 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 13 Mar 2009 09:40:03 -0400 Subject: [Freeipa-devel] [PATCH] fix configure/makefile In-Reply-To: <1236947991.23130.17.camel@localhost.localdomain> References: <1236913552.23130.1.camel@localhost.localdomain> <49BA44CD.3010004@redhat.com> <1236947991.23130.17.camel@localhost.localdomain> Message-ID: <49BA6233.3050602@redhat.com> Simo Sorce wrote: > On Fri, 2009-03-13 at 07:34 -0400, Stephen Gallagher wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Simo Sorce wrote: >>> We were setting absolute paths in conf_macros.m4 that's bad. >>> >>> Simo. > >> Nack. If you don't pass a value for the --with-* macros, the defaults in >> config.h are unusable. > > Care to explain? > Seem to work fine for me. > > Simo. > ./autogen && ./configure && make && sudo make install sudo /usr/local/sbin/sssd [sssd] [server_setup] (0): ERROR: PID File reports daemon already running! Reason: config.h has: #define PID_PATH ""VARDIR"/run" PIPE_PATH, DATA_PROVIDER_PLUGIN_PATH, DB_PATH all have the same problem. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Fri Mar 13 13:43:29 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 13 Mar 2009 09:43:29 -0400 Subject: [Freeipa-devel] [PATCH] Implement negative cache in NSS In-Reply-To: <1236948138.23130.18.camel@localhost.localdomain> References: <1236913602.23130.2.camel@localhost.localdomain> <49BA470F.1020208@redhat.com> <1236948138.23130.18.camel@localhost.localdomain> Message-ID: <49BA6301.20904@redhat.com> Simo Sorce wrote: > On Fri, 2009-03-13 at 07:44 -0400, Stephen Gallagher wrote: > >> Simo Sorce wrote: >>> See $subjet & $commit > >> Nack. Missing the nsssrv_nc.c and .h files. > > Ouch, here is a new one with the _nc. files. > Simo. Ack -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Fri Mar 13 13:47:48 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 13 Mar 2009 09:47:48 -0400 Subject: [Freeipa-devel] [PATCH] Implement negative cache in NSS In-Reply-To: <49BA6301.20904@redhat.com> References: <1236913602.23130.2.camel@localhost.localdomain> <49BA470F.1020208@redhat.com> <1236948138.23130.18.camel@localhost.localdomain> <49BA6301.20904@redhat.com> Message-ID: <49BA6404.7060807@redhat.com> Stephen Gallagher wrote: > Simo Sorce wrote: >> On Fri, 2009-03-13 at 07:44 -0400, Stephen Gallagher wrote: > >>> Simo Sorce wrote: >>>> See $subjet & $commit >>> Nack. Missing the nsssrv_nc.c and .h files. >> Ouch, here is a new one with the _nc. files. >> Simo. > > Ack > Actually, one change. Please add libtdb to the Requires: in the spec file, as we are now using it directly (future-proof in case LDB switches low-level db implementation) -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ssorce at redhat.com Fri Mar 13 13:49:20 2009
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 13 Mar 2009 09:49:20 -0400 Subject: [Freeipa-devel] [PATCH] fix configure/makefile In-Reply-To: <49BA6233.3050602@redhat.com> References: <1236913552.23130.1.camel@localhost.localdomain> <49BA44CD.3010004@redhat.com> <1236947991.23130.17.camel@localhost.localdomain> <49BA6233.3050602@redhat.com> Message-ID: <1236952160.25780.28.camel@localhost.localdomain> On Fri, 2009-03-13 at 09:40 -0400, Stephen Gallagher wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Simo Sorce wrote: > > On Fri, 2009-03-13 at 07:34 -0400, Stephen Gallagher wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> > >> Simo Sorce wrote: > >>> We were setting absolute paths in conf_macros.m4 that's bad. > >>> > >>> Simo. > > > >> Nack. If you don't pass a value for the --with-* macros, the defaults in > >> config.h are unusable. > > > > Care to explain? > > Seem to work fine for me. > > > > Simo. > > > > ./autogen && ./configure && make && sudo make install > > sudo /usr/local/sbin/sssd > [sssd] [server_setup] (0): ERROR: PID File reports daemon already running! > > Reason: config.h has: > #define PID_PATH ""VARDIR"/run" > > PIPE_PATH, DATA_PROVIDER_PLUGIN_PATH, DB_PATH all have the same problem. And where would be the problem ? VARDIR is passed to make with -D so it should resolve properly. The error is probably somewhere else, I guess we do not attempt to create PID_PATH on installation (which should be /usr/local/var/run in your case. Therefore creating a pid fails. And we also fail to report exactly what is happening when we try to create the pid. Can you create the PID_PATH and see if that helps ? Meanwhile I will make a patch to report better what error we saw in pidfile() Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri Mar 13 14:31:13 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 13 Mar 2009 10:31:13 -0400 Subject: [Freeipa-devel] [PATCH] Make Executioner.execute() work with params named 'name' In-Reply-To: <1236948233.23130.19.camel@localhost.localdomain> References: <1236927682.18679.5.camel@jgd-dsk> <1236948233.23130.19.camel@localhost.localdomain> Message-ID: <49BA6E31.2090604@redhat.com> Simo Sorce wrote: > On Fri, 2009-03-13 at 01:01 -0600, Jason Gerard DeRose wrote: >> Rob discovered that Executioner.execute() would bomb out if the >> command >> had a param name 'name' and the value was supplied via a kwarg. >> >> This patch fixes the issue and also adds a test to confirm the fix. > > ack > pushed to master From rcritten at redhat.com Fri Mar 13 14:33:18 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 13 Mar 2009 10:33:18 -0400 Subject: [Freeipa-devel] [PATCH] Implement negative cache in NSS In-Reply-To: <49BA6404.7060807@redhat.com> References: <1236913602.23130.2.camel@localhost.localdomain> <49BA470F.1020208@redhat.com> <1236948138.23130.18.camel@localhost.localdomain> <49BA6301.20904@redhat.com> <49BA6404.7060807@redhat.com> Message-ID: <49BA6EAE.8030200@redhat.com> Stephen Gallagher wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Stephen Gallagher wrote: >> Simo Sorce wrote: >>> On Fri, 2009-03-13 at 07:44 -0400, Stephen Gallagher wrote: >>>> Simo Sorce wrote: >>>>> See $subjet & $commit >>>> Nack. Missing the nsssrv_nc.c and .h files. >>> Ouch, here is a new one with the _nc. files. >>> Simo. >> >> >>> ------------------------------------------------------------------------ >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipa-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Ack >> > Actually, one change. Please add libtdb to the Requires: in the spec > file, as we are now using it directly (future-proof in case LDB switches > low-level db implementation) Aren't explicit lib Requires frowned upon in spec files? rob From ssorce at redhat.com Fri Mar 13 17:50:23 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 13 Mar 2009 13:50:23 -0400 Subject: [Freeipa-devel] [PATCH] Implement negative cache in NSS In-Reply-To: <49BA6EAE.8030200@redhat.com> References: <1236913602.23130.2.camel@localhost.localdomain> <49BA470F.1020208@redhat.com> <1236948138.23130.18.camel@localhost.localdomain> <49BA6301.20904@redhat.com> <49BA6404.7060807@redhat.com> <49BA6EAE.8030200@redhat.com> Message-ID: <1236966623.27917.1.camel@localhost.localdomain> On Fri, 2009-03-13 at 10:33 -0400, Rob Crittenden wrote: > Stephen Gallagher wrote: > > Actually, one change. Please add libtdb to the Requires: in the spec > > file, as we are now using it directly (future-proof in case LDB switches > > low-level db implementation) > > Aren't explicit lib Requires frowned upon in spec files? Why would they? Or should we only have BuildRequires for libs but not actual Requires ? Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri Mar 13 17:54:50 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 13 Mar 2009 13:54:50 -0400 Subject: [Freeipa-devel] [PATCH] Implement negative cache in NSS In-Reply-To: <1236966623.27917.1.camel@localhost.localdomain> References: <1236913602.23130.2.camel@localhost.localdomain> <49BA470F.1020208@redhat.com> <1236948138.23130.18.camel@localhost.localdomain> <49BA6301.20904@redhat.com> <49BA6404.7060807@redhat.com> <49BA6EAE.8030200@redhat.com> <1236966623.27917.1.camel@localhost.localdomain> Message-ID: <49BA9DEA.7020604@redhat.com> Simo Sorce wrote: > On Fri, 2009-03-13 at 10:33 -0400, Rob Crittenden wrote: >> Stephen Gallagher wrote: >>> Actually, one change. Please add libtdb to the Requires: in the spec >>> file, as we are now using it directly (future-proof in case LDB switches >>> low-level db implementation) >> Aren't explicit lib Requires frowned upon in spec files? > > Why would they? > Or should we only have BuildRequires for libs but not actual Requires ? > > Simo. > The Fedora packaging guidelines say let rpm figure out the library dependencies. https://fedoraproject.org/wiki/Packaging:Guidelines#Requires rob From jhrozek at redhat.com Fri Mar 13 17:58:43 2009 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 13 Mar 2009 18:58:43 +0100 Subject: [Freeipa-devel] [PATCH] Implement negative cache in NSS In-Reply-To: <49BA9DEA.7020604@redhat.com> References: <1236913602.23130.2.camel@localhost.localdomain> <49BA470F.1020208@redhat.com> <1236948138.23130.18.camel@localhost.localdomain> <49BA6301.20904@redhat.com> <49BA6404.7060807@redhat.com> <49BA6EAE.8030200@redhat.com> <1236966623.27917.1.camel@localhost.localdomain> <49BA9DEA.7020604@redhat.com> Message-ID: <1236967123.27007.42.camel@zeppelin.englab.brq.redhat.com> On Fri, 2009-03-13 at 13:54 -0400, Rob Crittenden wrote: > The Fedora packaging guidelines say let rpm figure out the library > dependencies. > > https://fedoraproject.org/wiki/Packaging:Guidelines#Requires > > rob Yes, there is only one exception and that is versioned Requires on libraries: https://fedoraproject.org/wiki/PackagingDrafts/ExplicitRequires Jakub From ssorce at redhat.com Fri Mar 13 18:38:35 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 13 Mar 2009 14:38:35 -0400 Subject: [Freeipa-devel] [PATCH] fix configure/makefile In-Reply-To: <1236952160.25780.28.camel@localhost.localdomain> References: <1236913552.23130.1.camel@localhost.localdomain> <49BA44CD.3010004@redhat.com> <1236947991.23130.17.camel@localhost.localdomain> <49BA6233.3050602@redhat.com> <1236952160.25780.28.camel@localhost.localdomain> Message-ID: <1236969515.27917.3.camel@localhost.localdomain> On Fri, 2009-03-13 at 09:49 -0400, Simo Sorce wrote: > On Fri, 2009-03-13 at 09:40 -0400, Stephen Gallagher wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > Simo Sorce wrote: > > > On Fri, 2009-03-13 at 07:34 -0400, Stephen Gallagher wrote: > > >> -----BEGIN PGP SIGNED MESSAGE----- > > >> Hash: SHA1 > > >> > > >> Simo Sorce wrote: > > >>> We were setting absolute paths in conf_macros.m4 that's bad. > > >>> > > >>> Simo. > > > > > >> Nack. If you don't pass a value for the --with-* macros, the defaults in > > >> config.h are unusable. > > > > > > Care to explain? > > > Seem to work fine for me. > > > > > > Simo. > > > > > > > ./autogen && ./configure && make && sudo make install > > > > sudo /usr/local/sbin/sssd > > [sssd] [server_setup] (0): ERROR: PID File reports daemon already running! > > > > Reason: config.h has: > > #define PID_PATH ""VARDIR"/run" > > > > PIPE_PATH, DATA_PROVIDER_PLUGIN_PATH, DB_PATH all have the same problem. > > And where would be the problem ? > > VARDIR is passed to make with -D so it should resolve properly. > > The error is probably somewhere else, I guess we do not attempt to > create PID_PATH on installation (which should be /usr/local/var/run in > your case. Therefore creating a pid fails. > And we also fail to report exactly what is happening when we try to > create the pid. > > Can you create the PID_PATH and see if that helps ? 
Meanwhile I will > make a patch to report better what error we saw in pidfile() Ok I pushed a slightly modified patch that also creates the pid path and tested it with an arbitrary prefix. (The only thing we still need to fix is the sss_client paths but that will come with another patch). Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Mar 13 18:38:51 2009 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 13 Mar 2009 14:38:51 -0400 Subject: [Freeipa-devel] [PATCH] Implement negative cache in NSS In-Reply-To: <49BA6404.7060807@redhat.com> References: <1236913602.23130.2.camel@localhost.localdomain> <49BA470F.1020208@redhat.com> <1236948138.23130.18.camel@localhost.localdomain> <49BA6301.20904@redhat.com> <49BA6404.7060807@redhat.com> Message-ID: <1236969531.27917.4.camel@localhost.localdomain> On Fri, 2009-03-13 at 09:47 -0400, Stephen Gallagher wrote: > Actually, one change. Please add libtdb to the Requires: in the spec > file, as we are now using it directly (future-proof in case LDB > switches > low-level db implementation) Fixed and pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Mar 13 18:39:58 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 13 Mar 2009 14:39:58 -0400 Subject: [Freeipa-devel] [PATCH] fix configure/makefile In-Reply-To: <1236969515.27917.3.camel@localhost.localdomain> References: <1236913552.23130.1.camel@localhost.localdomain> <49BA44CD.3010004@redhat.com> <1236947991.23130.17.camel@localhost.localdomain> <49BA6233.3050602@redhat.com> <1236952160.25780.28.camel@localhost.localdomain> <1236969515.27917.3.camel@localhost.localdomain> Message-ID: <1236969598.27917.5.camel@localhost.localdomain> On Fri, 2009-03-13 at 14:38 -0400, Simo Sorce wrote: > On Fri, 2009-03-13 at 09:49 -0400, Simo Sorce wrote: > > On Fri, 2009-03-13 at 09:40 -0400, Stephen Gallagher wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > > > Hash: SHA1 > > > > > > Simo Sorce wrote: > > > > On Fri, 2009-03-13 at 07:34 -0400, Stephen Gallagher wrote: > > > >> -----BEGIN PGP SIGNED MESSAGE----- > > > >> Hash: SHA1 > > > >> > > > >> Simo Sorce wrote: > > > >>> We were setting absolute paths in conf_macros.m4 that's bad. > > > >>> > > > >>> Simo. > > > > > > > >> Nack. If you don't pass a value for the --with-* macros, the defaults in > > > >> config.h are unusable. > > > > > > > > Care to explain? > > > > Seem to work fine for me. > > > > > > > > Simo. > > > > > > > > > > ./autogen && ./configure && make && sudo make install > > > > > > sudo /usr/local/sbin/sssd > > > [sssd] [server_setup] (0): ERROR: PID File reports daemon already running! > > > > > > Reason: config.h has: > > > #define PID_PATH ""VARDIR"/run" > > > > > > PIPE_PATH, DATA_PROVIDER_PLUGIN_PATH, DB_PATH all have the same problem. > > > > And where would be the problem ? > > > > VARDIR is passed to make with -D so it should resolve properly. > > > > The error is probably somewhere else, I guess we do not attempt to > > create PID_PATH on installation (which should be /usr/local/var/run in > > your case. Therefore creating a pid fails. 
> > And we also fail to report exactly what is happening when we try to > > create the pid. > > > > Can you create the PID_PATH and see if that helps ? Meanwhile I will > > make a patch to report better what error we saw in pidfile() > > Ok I pushed a slightly modified patch that also creates the pid path and > tested it with an arbitrary prefix. > > (The only thing we still need to fix is the sss_client paths but that > will come with another patch). ah I also pushed another small patch that makes more clear why creating a pid failed. Meant to submit it to the list first, but I accidentally pushed it. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Mar 13 18:50:50 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 13 Mar 2009 14:50:50 -0400 Subject: [Freeipa-devel] [PATCH] remove DEBUG option from pam_sss In-Reply-To: <49B80625.4080609@redhat.com> References: <49B7BB1E.5070802@redhat.com> <49B7BB80.9020305@redhat.com> <1236785933.14197.14.camel@localhost.localdomain> <49B80625.4080609@redhat.com> Message-ID: <1236970250.27917.6.camel@localhost.localdomain> On Wed, 2009-03-11 at 19:42 +0100, Sumit Bose wrote: > Simo Sorce wrote: > > On Wed, 2009-03-11 at 14:24 +0100, Sumit Bose wrote: > >> bah, wrong patch, too. sorry again > >> > >> Sumit Bose wrote: > >>> Hi, > >>> > >>> I'm very sorry, but I forgot to remove the -DDEBUG from the > pam_sss > >>> CFLAGS. As a result the user may see some unneeded debug messages. > > > > Sumit, I was thinking that maybe we want to fix Makefiles to be able > to > > run: > > CFLAGS="-g -DDEBUG" make > > > > So that we can just rebuild with debug at will. > > Currently the makefile wipes out CFLAGS so this does not work. Can > you > > spare some time to address this problem and resend a patch ? > > > > find it here. Sumit, I almost lost track of this one, sorry for not pushing it earlier. I fixed it to apply on current master and pushed it. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Mar 13 18:53:26 2009 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 13 Mar 2009 18:53:26 +0000 Subject: [Freeipa-devel] Unpushed patches Message-ID: <1236970406.27917.9.camel@localhost.localdomain> Guys, if you sent a patch and you didn't get back an explicit ack or a nack (either by mail or via IRC discussions), and the patch is not pushed after a few days, please ping back. Every patch must get either an ack (and be pushed) or a nack, anything else probably means I messed with my mailbox and marked your patch as read when I shouldn't. So don't be silent, ping back. Simo. -- Simo Sorce * Red Hat, Inc * New York From mendbayar_b at e-map.mn Sat Mar 14 09:44:01 2009 
From: mendbayar_b at e-map.mn (Byambaa Mendbayar) Date: Sat, 14 Mar 2009 17:44:01 +0800 Subject: [Freeipa-devel] Re: freeipa server + how to joining opensuse clients In-Reply-To: <49BA5F7A.3050107@redhat.com> References: <1236927682.18679.5.camel@jgd-dsk> <1236930680.6988.10.camel@tango> <49BA5F7A.3050107@redhat.com> Message-ID: <1237023841.5086.3.camel@tango> Dear Dmitri, Thank you very much for your response. With best regards, B. Mendbayar On Fri, 2009-03-13 at 09:28 -0400, Dmitri Pal wrote: > Hi, > > The latest freeIPA version 1.2.1 is not capable of enrolling machines > into domain. > There is no thick client component that would work with the server > and make the system a part of the domain. > This is the functionality we are building as we speak. > IPA 1.2.1 allows you to point your client pam_krb5 and nss_ldap to the > central server IPA and to perform authentication and user/group > information lookup against the central location. > To configure pam and nss on the client see the documentation on the site: > http://www.freeipa.org/page/ClientConfigurationGuide > > Also there will probably be a doc refresh on the site some time soon. > > Thanks, > Dmitri > > Byambaa Mendbayar wrote: > > Dear developers, > > > > I want to join my linux clients (opensuse 11.1) in freeipa server domain > > (rmwg.mn.), how can I do that. Of course before I had read some > > documents from freeipa.org web site [1]. But I have still unclear to > > joining my clients on my server domain. > > > > Should I use 'Yast->Network Services->Windows Domain Membership' > > function for joining my opensuse client to the freeipa server's > > domain? > > > > [1] - > > http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step > > > > Please, help to me. > > > > With best regards, > > B.Mendbayar > > > > > > > > From ssorce at redhat.com Mon Mar 16 14:37:31 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 16 Mar 2009 10:37:31 -0400 Subject: [Freeipa-devel] [PATCH] Fix segfault in delete_callback Message-ID: <1237214251.3708.0.camel@localhost.localdomain> Also change macros into functions and always return when calling them. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-segfault-error-caused-by-a-double-free.patch Type: text/x-patch Size: 30103 bytes Desc: not available URL: From sgallagh at redhat.com Mon Mar 16 15:00:50 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 16 Mar 2009 11:00:50 -0400 Subject: [Freeipa-devel] [PATCH] Fix segfault in delete_callback In-Reply-To: <1237214251.3708.0.camel@localhost.localdomain> References: <1237214251.3708.0.camel@localhost.localdomain> Message-ID: <49BE69A2.8070003@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Simo Sorce wrote: > Also change macros into functions and always return when calling them. > > Simo. > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Ack - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkm+aaEACgkQeiVVYja6o6MtKQCfWk41SgrHDJeSdWP7r6m2DVTs VEsAoKdB/P89atK4vPYwgokElb+bQ3tE =i9oy -----END PGP SIGNATURE----- From rcritten at redhat.com Tue Mar 17 01:36:12 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 16 Mar 2009 21:36:12 -0400 Subject: [Freeipa-devel] [PATCH] 144 Add taskgroup plugin Message-ID: <49BEFE8C.9070709@redhat.com> This adds a plugin for managing taskgroups. Taskgroups are what we will grant ACI access to. These are basically the atomic level of an ACI and will be used to grant access to other groups/users. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-144-taskgroup.patch Type: application/mbox Size: 8431 bytes Desc: not available URL: From rcritten at redhat.com Tue Mar 17 01:37:20 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 16 Mar 2009 21:37:20 -0400 Subject: [Freeipa-devel] [PATCH] 145 aci update Message-ID: <49BEFED0.2000700@redhat.com> This removes the backwards compatibility I had done for v1 ACIs and beefs up the types of targets we support. It also adds the beginning of a management plugin. This plugin is definitely for advanced use only with major "hose up your system" capabilities. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-145-aci.patch Type: application/mbox Size: 29102 bytes Desc: not available URL: From rcritten at redhat.com Tue Mar 17 01:38:04 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 16 Mar 2009 21:38:04 -0400 Subject: [Freeipa-devel] [PATCH] 146 todo item Message-ID: <49BEFEFC.4060705@redhat.com> Just a quickie todo item. I've pushed this one. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-146-small1.patch Type: application/mbox Size: 787 bytes Desc: not available URL: From rcritten at redhat.com Tue Mar 17 01:39:07 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 16 Mar 2009 21:39:07 -0400 Subject: [Freeipa-devel] [PATCH] 148 groups and services plugin fixes Message-ID: <49BEFF3B.8090208@redhat.com> Fix a few problems I found in the user groups and services plugins. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-147-small2.patch Type: application/mbox Size: 1500 bytes Desc: not available URL: From ssorce at redhat.com Tue Mar 17 12:56:42 2009 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 17 Mar 2009 08:56:42 -0400 Subject: [Freeipa-devel] [PATCH] 144 Add taskgroup plugin In-Reply-To: <49BEFE8C.9070709@redhat.com> References: <49BEFE8C.9070709@redhat.com> Message-ID: <1237294602.20848.0.camel@localhost.localdomain> On Mon, 2009-03-16 at 21:36 -0400, Rob Crittenden wrote: > This adds a plugin for managing taskgroups. Taskgroups are what we will > grant ACI access to. These are basically the atomic level of an ACI and > will be used to grant access to other groups/users. ack. Btw, in taskgroup_show I think kw should indeed be able to contain the list of attributes you want to fetch. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Mar 17 13:03:38 2009 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 17 Mar 2009 09:03:38 -0400 Subject: [Freeipa-devel] [PATCH] 148 groups and services plugin fixes In-Reply-To: <49BEFF3B.8090208@redhat.com> References: <49BEFF3B.8090208@redhat.com> Message-ID: <1237295018.20848.1.camel@localhost.localdomain> On Mon, 2009-03-16 at 21:39 -0400, Rob Crittenden wrote: > > Fix a few problems I found in the user groups and services plugins. ack -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Mar 17 13:04:09 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Tue, 17 Mar 2009 09:04:09 -0400 Subject: [Freeipa-devel] [PATCH] 145 aci update In-Reply-To: <49BEFED0.2000700@redhat.com> References: <49BEFED0.2000700@redhat.com> Message-ID: <1237295049.20848.2.camel@localhost.localdomain> On Mon, 2009-03-16 at 21:37 -0400, Rob Crittenden wrote: > > This removes the backwards compatibility I had done for v1 ACIs and > beefs up the types of targets we support. It also adds the beginning > of > a management plugin. This plugin is definitely for advanced use only > with major "hose up your system" capabilities. big patch, I say a tentative ack -- Simo Sorce * Red Hat, Inc * New York From jderose at redhat.com Tue Mar 17 05:33:46 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Mon, 16 Mar 2009 23:33:46 -0600 Subject: [Freeipa-devel] [PATCH] 144 Add taskgroup plugin In-Reply-To: <49BEFE8C.9070709@redhat.com> References: <49BEFE8C.9070709@redhat.com> Message-ID: <1237268026.21792.0.camel@jgd-dsk> On Mon, 2009-03-16 at 21:36 -0400, Rob Crittenden wrote: > This adds a plugin for managing taskgroups. Taskgroups are what we will > grant ACI access to. These are basically the atomic level of an ACI and > will be used to grant access to other groups/users. > > rob ack. From rcritten at redhat.com Tue Mar 17 18:52:47 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 17 Mar 2009 14:52:47 -0400 Subject: [Freeipa-devel] [PATCH] 148 groups and services plugin fixes In-Reply-To: <1237295018.20848.1.camel@localhost.localdomain> References: <49BEFF3B.8090208@redhat.com> <1237295018.20848.1.camel@localhost.localdomain> Message-ID: <49BFF17F.2050407@redhat.com> Simo Sorce wrote: > On Mon, 2009-03-16 at 21:39 -0400, Rob Crittenden wrote: >> Fix a few problems I found in the user groups and services plugins. > > ack > pushed From rcritten at redhat.com Tue Mar 17 18:52:54 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 17 Mar 2009 14:52:54 -0400 Subject: [Freeipa-devel] [PATCH] 144 Add taskgroup plugin In-Reply-To: <1237294602.20848.0.camel@localhost.localdomain> References: <49BEFE8C.9070709@redhat.com> <1237294602.20848.0.camel@localhost.localdomain> Message-ID: <49BFF186.7060808@redhat.com> Simo Sorce wrote: > On Mon, 2009-03-16 at 21:36 -0400, Rob Crittenden wrote: >> This adds a plugin for managing taskgroups. Taskgroups are what we will >> grant ACI access to. These are basically the atomic level of an ACI and >> will be used to grant access to other groups/users. > > ack. > > Btw, in taskgroup_show I think kw should indeed be able to contain the > list of attributes you want to fetch. > > Simo. pushed From jderose at redhat.com Wed Mar 18 01:48:15 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Tue, 17 Mar 2009 19:48:15 -0600 Subject: [Freeipa-devel] [PATCH] 145 aci update In-Reply-To: <49BEFED0.2000700@redhat.com> References: <49BEFED0.2000700@redhat.com> Message-ID: <1237340895.23463.0.camel@jgd-dsk> On Mon, 2009-03-16 at 21:37 -0400, Rob Crittenden wrote: > This removes the backwards compatibility I had done for v1 ACIs and > beefs up the types of targets we support. It also adds the beginning of > a management plugin. This plugin is definitely for advanced use only > with major "hose up your system" capabilities. > > rob ack. I don't understand all of it, but what I do looks good. From sgallagh at redhat.com Wed Mar 18 13:46:23 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 18 Mar 2009 09:46:23 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Enable MPGs and user/group enumeration on the LOCAL domain by default Message-ID: <49C0FB2F.9090605@redhat.com> $SUBJECT -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0002-Enable-MPGs-and-user-group-enumeration-on-the-LOCAL.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From sgallagh at redhat.com Wed Mar 18 13:48:26 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 18 Mar 2009 09:48:26 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Remove references to FreeIPA from D-BUS interfaces Message-ID: <49C0FBAA.6000201@redhat.com> Per discussion with the desktop team, using the org.freedesktop interface name will simplify adoption, as potential users won't feel like they're pulling in a FreeIPA dependency. I also changed the internal interfaces to use the org.freedesktop naming scheme, since it seemed only sensible to keep them uniform throughout, even if they're not being exposed. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Remove-references-to-FreeIPA-from-D-BUS-interfaces.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From ssorce at redhat.com Wed Mar 18 13:58:55 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Wed, 18 Mar 2009 09:58:55 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Enable MPGs and user/group enumeration on the LOCAL domain by default In-Reply-To: <49C0FB2F.9090605@redhat.com> References: <49C0FB2F.9090605@redhat.com> Message-ID: <1237384735.26640.0.camel@localhost.localdomain> On Wed, 2009-03-18 at 09:46 -0400, Stephen Gallagher wrote: > $SUBJECT Ack -- Simo Sorce * Red Hat, Inc * New York From sgallagh at redhat.com Wed Mar 18 15:14:53 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 18 Mar 2009 11:14:53 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Enable MPGs and user/group enumeration on the LOCAL domain by default In-Reply-To: <1237384735.26640.0.camel@localhost.localdomain> References: <49C0FB2F.9090605@redhat.com> <1237384735.26640.0.camel@localhost.localdomain> Message-ID: <49C10FED.8090108@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Simo Sorce wrote: > On Wed, 2009-03-18 at 09:46 -0400, Stephen Gallagher wrote: >> $SUBJECT > > Ack Pushed - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAknBD+0ACgkQeiVVYja6o6M7CACbBJ2jZ77X954E20lrdMT12Ue8 3+0An1f9KAA3lADuweHuVDIizNNIoZ9w =xd85 -----END PGP SIGNATURE----- From sgallagh at redhat.com Wed Mar 18 16:22:50 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 18 Mar 2009 12:22:50 -0400 Subject: [Freeipa-devel] [PATCHES][SSSD] SBUS Reconnection logic Message-ID: <49C11FDA.1090906@redhat.com> The first patch implements reconnection logic in the SBUS itself. It will keep track of any outstanding requests while the reconnection is going on and submit them once reconnection succeeds. The second patch enables the Data Provider backends to take advantage of the auto-reconnection logic and can serve as a reference implementation for doing the same in NSS and PAM (forthcoming) -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Add-reconnection-logic-to-the-SBUS.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0002-Enable-autoreconnection-of-Data-Provider-Backends-to.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From sbose at redhat.com Wed Mar 18 16:26:46 2009 From: sbose at redhat.com (Sumit Bose) Date: Wed, 18 Mar 2009 17:26:46 +0100 Subject: [Freeipa-devel] [PATCH] use pam_data as main data structure for dbus communication Message-ID: <49C120C6.4030305@redhat.com> Hi, this patch is a cleanup for the pam dbus communication. pam_data is now the main data structure holding all request and response data. All the packing and unpacking code for the dbus messages is collected in one file to make changes and debugging easier. bye, Sumit -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-use-pam_data-as-main-data-structure-for-dbus-communi.patch URL: From rcritten at redhat.com Wed Mar 18 19:46:29 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 18 Mar 2009 15:46:29 -0400 Subject: [Freeipa-devel] [PATCH] List parameter type Message-ID: <49C14F95.10101@redhat.com> This adds a new parameter type, List. A List takes in a delimited list and breaks it into components. A plugin receives it as a tuple. The default delimiter is a comma. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-148-list.patch Type: application/mbox Size: 5477 bytes Desc: not available URL: From rcritten at redhat.com Wed Mar 18 19:47:22 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 18 Mar 2009 15:47:22 -0400 Subject: [Freeipa-devel] [PATCH] 145 aci update In-Reply-To: <1237340895.23463.0.camel@jgd-dsk> References: <49BEFED0.2000700@redhat.com> <1237340895.23463.0.camel@jgd-dsk> Message-ID: <49C14FCA.4040009@redhat.com> Jason Gerard DeRose wrote: > On Mon, 2009-03-16 at 21:37 -0400, Rob Crittenden wrote: >> This removes the backwards compatibility I had done for v1 ACIs and >> beefs up the types of targets we support. It also adds the beginning of >> a management plugin. This plugin is definitely for advanced use only >> with major "hose up your system" capabilities. >> >> rob > > ack. > > I don't understand all of it, but what I do looks good. > That plus Simo's qualified ack is good enough for me. Pushed to master. rob From ssorce at redhat.com Thu Mar 19 00:12:14 2009 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 18 Mar 2009 20:12:14 -0400 Subject: [Freeipa-devel] [PATCH] fix getpwent and getgrent Message-ID: <1237421534.1893.0.camel@localhost.localdomain> bad code conversion when I changed how domain is used this patch fixes it -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-getgrent-and-getpwent-calls.patch Type: text/x-patch Size: 1630 bytes Desc: not available URL: From jderose at redhat.com Thu Mar 19 02:19:06 2009 
From: jderose at redhat.com (Jason Gerard DeRose) Date: Wed, 18 Mar 2009 20:19:06 -0600 Subject: [Freeipa-devel] [PATCH] List parameter type In-Reply-To: <49C14F95.10101@redhat.com> References: <49C14F95.10101@redhat.com> Message-ID: <1237429146.10272.61.camel@jgd-dsk> On Wed, 2009-03-18 at 15:46 -0400, Rob Crittenden wrote: > This adds a new parameter type, List. A List takes in a delimited list > and breaks it into components. A plugin receives it as a tuple. > > The default delimiter is a comma. > > rob ack. As Rob and I discussed on the phone, we will eventually move the comma (or whatever) delimited functionality into the Param base class, but in the meantime I don't want to hold up Rob's work. From sbose at redhat.com Thu Mar 19 07:22:01 2009 From: sbose at redhat.com (Sumit Bose) Date: Thu, 19 Mar 2009 08:22:01 +0100 Subject: [Freeipa-devel] [PATCH] fix getpwent and getgrent In-Reply-To: <1237421534.1893.0.camel@localhost.localdomain> References: <1237421534.1893.0.camel@localhost.localdomain> Message-ID: <49C1F299.9010203@redhat.com> Simo Sorce wrote: > bad code conversion when I changed how domain is used > this patch fixes it > ack bye, Sumit From ssorce at redhat.com Thu Mar 19 13:38:41 2009 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 19 Mar 2009 09:38:41 -0400 Subject: [Freeipa-devel] [PATCH] use pam_data as main data structure for dbus communication In-Reply-To: <49C120C6.4030305@redhat.com> References: <49C120C6.4030305@redhat.com> Message-ID: <1237469921.1893.6.camel@localhost.localdomain> On Wed, 2009-03-18 at 17:26 +0100, Sumit Bose wrote: > > > Hi, > > this patch is a cleanup for the pam dbus communication. pam_data is > now > the main data structure holding all request and response data. All the > packing and unpacking code for the dbus messages is collected in one > file to make changes and debugging easier. Ack. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Mar 19 13:55:14 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 19 Mar 2009 09:55:14 -0400 Subject: [Freeipa-devel] [PATCHES][SSSD] SBUS Reconnection logic In-Reply-To: <49C11FDA.1090906@redhat.com> References: <49C11FDA.1090906@redhat.com> Message-ID: <1237470914.1893.8.camel@localhost.localdomain> On Wed, 2009-03-18 at 12:22 -0400, Stephen Gallagher wrote: > +static void be_cli_reconnect_init(struct sbus_conn_ctx *sconn, int > status, void *pvt) > +{ > + int ret; > + struct be_ctx *be_ctx = talloc_get_type(pvt, struct be_ctx); > + > + /* Did we reconnect successfully? */ > + if (status == SBUS_RECONNECT_SUCCESS) { > + /* Add the methods back to the new connection */ > + ret = sbus_conn_add_method_ctx(be_ctx->dp_ctx->scon_ctx, > + be_ctx->dp_ctx->sm_ctx); > + if (ret != EOK) { > + DEBUG(0, ("Could not re-add methods on > reconnection.\n")); > + be_finalize(be_ctx); > + } don't you miss a return statement here right after be_finalize ? > + DEBUG(1, ("Reconnected to the Data Provider.\n")); > + return; > + } > + > + /* Handle failure */ > + DEBUG(0, ("Could not reconnect to data provider.\n")); > + /* Kill the backend and let the monitor restart it */ > + be_finalize(be_ctx); > +} Also why be_finalize is a void * ? Doesn't it make sense to be able to return an errno so we can add a debug statement that explain what got wrong ? Simo. -- Simo Sorce * Red Hat, Inc * New York From sbose at redhat.com Thu Mar 19 13:55:13 2009 
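Review bot: be_cli_reconnect_init dereferences be_ctx->dp_ctx right after be_ctx = talloc_get_type(pvt, struct be_ctx) without checking the result, and talloc_get_type returns NULL when pvt is not of the named type, so a mismatched private pointer crashes the backend in the reconnect path (and the failure branch would pass NULL to be_finalize). Check be_ctx for NULL and log before using it. The sconn argument is also never used: the methods are re-added to be_ctx->dp_ctx->scon_ctx rather than to the connection handed to the callback, so either use sconn or add a comment stating that the two are guaranteed to be the same connection after a reconnect.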
From: sbose at redhat.com (Sumit Bose) Date: Thu, 19 Mar 2009 14:55:13 +0100 Subject: [Freeipa-devel] [PATCH] added response type PAM_ENV_ITEM and integrated response data Message-ID: <49C24EC1.7040707@redhat.com> Hi, with this patch we can send more complex responses like messages and environment variables back through the sssd pam stack to the client. bye, Sumit -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-added-response-type-PAM_ENV_ITEM-and-integrated-resp.patch URL: From ssorce at redhat.com Thu Mar 19 14:00:51 2009 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 19 Mar 2009 10:00:51 -0400 Subject: [Freeipa-devel] [PATCH] Fix segfault in delete_callback In-Reply-To: <49BE69A2.8070003@redhat.com> References: <1237214251.3708.0.camel@localhost.localdomain> <49BE69A2.8070003@redhat.com> Message-ID: <1237471251.1893.9.camel@localhost.localdomain> On Mon, 2009-03-16 at 11:00 -0400, Stephen Gallagher wrote: > Simo Sorce wrote: > > Also change macros into functions and always return when calling > them. > > > Ack pushed Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Mar 19 14:01:16 2009 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 19 Mar 2009 10:01:16 -0400 Subject: [Freeipa-devel] [PATCH] fix getpwent and getgrent In-Reply-To: <49C1F299.9010203@redhat.com> References: <1237421534.1893.0.camel@localhost.localdomain> <49C1F299.9010203@redhat.com> Message-ID: <1237471276.1893.10.camel@localhost.localdomain> On Thu, 2009-03-19 at 08:22 +0100, Sumit Bose wrote: > Simo Sorce wrote: > > bad code conversion when I changed how domain is used > > this patch fixes it > > > ack pushed Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Mar 19 14:01:42 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 19 Mar 2009 10:01:42 -0400 Subject: [Freeipa-devel] [PATCH] use pam_data as main data structure for dbus communication In-Reply-To: <1237469921.1893.6.camel@localhost.localdomain> References: <49C120C6.4030305@redhat.com> <1237469921.1893.6.camel@localhost.localdomain> Message-ID: <1237471302.1893.11.camel@localhost.localdomain> On Thu, 2009-03-19 at 09:38 -0400, Simo Sorce wrote: > On Wed, 2009-03-18 at 17:26 +0100, Sumit Bose wrote: > > Hi, > > > > this patch is a cleanup for the pam dbus communication. pam_data is > > now > > the main data structure holding all request and response data. All > the > > packing and unpacking code for the dbus messages is collected in one > > file to make changes and debugging easier. > > Ack. pushed Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Mar 19 14:11:23 2009 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 19 Mar 2009 10:11:23 -0400 Subject: [Freeipa-devel] [PATCH] added response type PAM_ENV_ITEM and integrated response data In-Reply-To: <49C24EC1.7040707@redhat.com> References: <49C24EC1.7040707@redhat.com> Message-ID: <1237471883.1893.13.camel@localhost.localdomain> On Thu, 2009-03-19 at 14:55 +0100, Sumit Bose wrote: > + ret = putenv((char *) &buf[p]); > + if (ret == -1) { > + D(("putenv failed.\n")); > + break; > + } Nack here, putenv uses the string passed in, so you have to, at least strdup() the string before using it, and not free it, or you will end up corrupting the environment. Simo. -- Simo Sorce * Red Hat, Inc * New York From sgallagh at redhat.com Thu Mar 19 15:07:28 2009 
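Review bot: the error test if (ret == -1) after putenv() is narrower than the interface, which is specified to return 0 on success and a non-zero value on failure, so a failure reported with any other non-zero value is treated as success; test ret != 0 instead. The string at &buf[p] also reaches putenv() with no check visible in this hunk that it is NUL-terminated inside the response buffer or has the NAME=value form, so validate both before exporting it into the caller's environment.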
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 19 Mar 2009 11:07:28 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Remove references to FreeIPA from D-BUS interfaces In-Reply-To: <49C0FBAA.6000201@redhat.com> References: <49C0FBAA.6000201@redhat.com> Message-ID: <49C25FB0.8010909@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Stephen Gallagher wrote: > Per discussion with the desktop team, using the org.freedesktop > interface name will simplify adoption, as potential users won't feel > like they're pulling in a FreeIPA dependency. > > I also changed the internal interfaces to use the org.freedesktop naming > scheme, since it seemed only sensible to keep them uniform throughout, > even if they're not being exposed. > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Simo acked this offline. Pushed. - -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAknCX7AACgkQeiVVYja6o6PAdwCeJi4eVrLzXJogDDeVQLvEOrOU DrgAnAxEo/r/O/lK83zOxMQ4WTpvurwn =sBLb -----END PGP SIGNATURE----- From sgallagh at redhat.com Thu Mar 19 16:03:19 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 19 Mar 2009 12:03:19 -0400 Subject: [Freeipa-devel] [PATCHES][SSSD] SBUS Reconnection logic In-Reply-To: <1237470914.1893.8.camel@localhost.localdomain> References: <49C11FDA.1090906@redhat.com> <1237470914.1893.8.camel@localhost.localdomain> Message-ID: <49C26CC7.6040604@redhat.com> Simo Sorce wrote: > On Wed, 2009-03-18 at 12:22 -0400, Stephen Gallagher wrote: >> +static void be_cli_reconnect_init(struct sbus_conn_ctx *sconn, int >> status, void *pvt) >> +{ >> + int ret; >> + struct be_ctx *be_ctx = talloc_get_type(pvt, struct be_ctx); >> + >> + /* Did we reconnect successfully? */ >> + if (status == SBUS_RECONNECT_SUCCESS) { >> + /* Add the methods back to the new connection */ >> + ret = sbus_conn_add_method_ctx(be_ctx->dp_ctx->scon_ctx, >> + be_ctx->dp_ctx->sm_ctx); >> + if (ret != EOK) { >> + DEBUG(0, ("Could not re-add methods on >> reconnection.\n")); >> + be_finalize(be_ctx); >> + } > > don't you miss a return statement here right after be_finalize ? > >> + DEBUG(1, ("Reconnected to the Data Provider.\n")); >> + return; >> + } >> + >> + /* Handle failure */ >> + DEBUG(0, ("Could not reconnect to data provider.\n")); >> + /* Kill the backend and let the monitor restart it */ >> + be_finalize(be_ctx); >> +} > > Also why be_finalize is a void * ? Doesn't it make sense to be able to > return an errno so we can add a debug statement that explain what got > wrong ? > > Simo. > > New patch attached (I attached both again, for reference, but only the back-end patch has changed) I've made the recommended changes above. Please review. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Add-reconnection-logic-to-the-SBUS.patch URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... 
Name: 0002-Enable-autoreconnection-of-Data-Provider-Backends-to.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From sbose at redhat.com Thu Mar 19 16:12:13 2009 From: sbose at redhat.com (Sumit Bose) Date: Thu, 19 Mar 2009 17:12:13 +0100 Subject: [Freeipa-devel] [PATCH] added response type PAM_ENV_ITEM and integrated response data In-Reply-To: <1237471883.1893.13.camel@localhost.localdomain> References: <49C24EC1.7040707@redhat.com> <1237471883.1893.13.camel@localhost.localdomain> Message-ID: <49C26EDD.4020503@redhat.com> Simo Sorce schrieb: > On Thu, 2009-03-19 at 14:55 +0100, Sumit Bose wrote: >> + ret = putenv((char *) &buf[p]); >> + if (ret == -1) { >> + D(("putenv failed.\n")); >> + break; >> + } > > Nack here, putenv uses the string passed in, so you have to, at least > strdup() the string before using it, and not free it, or you will end up > corrupting the environment. > > Simo. > new version attached bye, Sumit -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-added-response-type-PAM_ENV_ITEM-and-integrated-resp.patch URL: From ssorce at redhat.com Thu Mar 19 16:13:52 2009 
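Review bot: at the putenv((char *) &buf[p]) call, nothing in the quoted lines checks that the item starting at buf[p] is NUL-terminated inside the response buffer or that it has the NAME=value form before it is handed to putenv(). On glibc a string without '=' makes putenv() remove the variable of that name rather than set it, so a malformed response item can delete an existing environment variable. Suggest bounding the item against the buffer length, requiring an '=' after a non-empty name, and including errno in the "putenv failed." debug message so the failure can be diagnosed.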
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 19 Mar 2009 12:13:52 -0400
Subject: [Freeipa-devel] [PATCH] cope with confdb sync calls to its ldb
Message-ID: <1237479232.1893.18.camel@localhost.localdomain>

Needed to avoid calling events from within a confdb call.
I do not expect this to impact any code because the confdb is tiny and
is mmaped so all reading operations should rarely cause any I/O and in
that case it is disk I/O on the local disk, so perfectly tolerable the
rare times that happens.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Avoid-nested-events-in-confdb.patch
Type: text/x-patch
Size: 1281 bytes
Desc: not available
URL:

From sgallagh at redhat.com Thu Mar 19 16:20:27 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 19 Mar 2009 12:20:27 -0400 Subject: [Freeipa-devel] [PATCHES][SSSD] SBUS Reconnection logic In-Reply-To: <49C26CC7.6040604@redhat.com> References: <49C11FDA.1090906@redhat.com> <1237470914.1893.8.camel@localhost.localdomain> <49C26CC7.6040604@redhat.com> Message-ID: <49C270CB.60908@redhat.com> Stephen Gallagher wrote: > Simo Sorce wrote: >> On Wed, 2009-03-18 at 12:22 -0400, Stephen Gallagher wrote: >>> +static void be_cli_reconnect_init(struct sbus_conn_ctx *sconn, int >>> status, void *pvt) >>> +{ >>> + int ret; >>> + struct be_ctx *be_ctx = talloc_get_type(pvt, struct be_ctx); >>> + >>> + /* Did we reconnect successfully? */ >>> + if (status == SBUS_RECONNECT_SUCCESS) { >>> + /* Add the methods back to the new connection */ >>> + ret = sbus_conn_add_method_ctx(be_ctx->dp_ctx->scon_ctx, >>> + be_ctx->dp_ctx->sm_ctx); >>> + if (ret != EOK) { >>> + DEBUG(0, ("Could not re-add methods on >>> reconnection.\n")); >>> + be_finalize(be_ctx); >>> + } >> don't you miss a return statement here right after be_finalize ? >> >>> + DEBUG(1, ("Reconnected to the Data Provider.\n")); >>> + return; >>> + } >>> + >>> + /* Handle failure */ >>> + DEBUG(0, ("Could not reconnect to data provider.\n")); >>> + /* Kill the backend and let the monitor restart it */ >>> + be_finalize(be_ctx); >>> +} >> Also why be_finalize is a void * ? Doesn't it make sense to be able to >> return an errno so we can add a debug statement that explain what got >> wrong ? >> >> Simo. >> >> > > > New patch attached (I attached both again, for reference, but only the > back-end patch has changed) > > I've made the recommended changes above. Please review. > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel Sorry, resent the wrong patch. 
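Review bot: in be_cli_reconnect_init(), be_ctx comes from talloc_get_type(pvt, struct be_ctx) and is dereferenced as be_ctx->dp_ctx->scon_ctx with no NULL check; talloc_get_type() returns NULL when pvt is not of the named type, so test be_ctx (and log) before the first use. The sconn argument is also unused in the quoted lines: if the reconnected connection is the one passed in, register the methods on sconn rather than on be_ctx->dp_ctx->scon_ctx, or add a comment saying the two are always the same object.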
-- 
Stephen Gallagher
RHCE 804006346421761
Looking to carve out IT costs? www.redhat.com/carveoutcosts/

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0002-Enable-autoreconnection-of-Data-Provider-Backends-to.patch
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
URL:

From sgallagh at redhat.com Thu Mar 19 16:24:19 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 19 Mar 2009 12:24:19 -0400
Subject: [Freeipa-devel] [PATCH] cope with confdb sync calls to its ldb
In-Reply-To: <1237479232.1893.18.camel@localhost.localdomain>
References: <1237479232.1893.18.camel@localhost.localdomain>
Message-ID: <49C271B3.5000804@redhat.com>

Simo Sorce wrote:
> Needed to avoid calling events from within a confdb call.
> I do not expect this to impact any code because the confdb is tiny and
> is mmaped so all reading operations should rarely cause any I/O and in
> that case it is disk I/O on the local disk, so perfectly tolerable the
> rare times that happens.
>
> Simo.

There's no longer a need to pass tevent_ctx() to confdb_init(). I
suggest removing it for clarity.

-- 
Stephen Gallagher
RHCE 804006346421761
Looking to carve out IT costs? www.redhat.com/carveoutcosts/

From ssorce at redhat.com Thu Mar 19 17:35:12 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 19 Mar 2009 13:35:12 -0400
Subject: [Freeipa-devel] [PATCH] cope with confdb sync calls to its ldb
In-Reply-To: <49C271B3.5000804@redhat.com>
References: <1237479232.1893.18.camel@localhost.localdomain> <49C271B3.5000804@redhat.com>
Message-ID: <1237484112.1893.21.camel@localhost.localdomain>

On Thu, 2009-03-19 at 12:24 -0400, Stephen Gallagher wrote:
> Simo Sorce wrote:
> > Needed to avoid calling events from within a confdb call.
> > I do not expect this to impact any code because the confdb is tiny and
> > is mmaped so all reading operations should rarely cause any I/O and in
> > that case it is disk I/O on the local disk, so perfectly tolerable the
> > rare times that happens.
> >
> There's no longer a need to pass tevent_ctx() to confdb_init(). I
> suggest removing it for clarity.

It does not hurt anyway, and it may turn out to be useful again later, I
felt no need to change the interface (and all callers).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Thu Mar 19 19:07:56 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 19 Mar 2009 15:07:56 -0400
Subject: [Freeipa-devel] [PATCH] cope with confdb sync calls to its ldb
In-Reply-To: <1237484112.1893.21.camel@localhost.localdomain>
References: <1237479232.1893.18.camel@localhost.localdomain> <49C271B3.5000804@redhat.com> <1237484112.1893.21.camel@localhost.localdomain>
Message-ID: <49C2980C.8060105@redhat.com>

Simo Sorce wrote:
> On Thu, 2009-03-19 at 12:24 -0400, Stephen Gallagher wrote:
>> Simo Sorce wrote:
>>> Needed to avoid calling events from within a confdb call.
>>> I do not expect this to impact any code because the confdb is tiny and
>>> is mmaped so all reading operations should rarely cause any I/O and in
>>> that case it is disk I/O on the local disk, so perfectly tolerable the
>>> rare times that happens.
>>>
>
>> There's no longer a need to pass tevent_ctx() to confdb_init(). I
>> suggest removing it for clarity.
>
> It does not hurt anyway, and it may turn out to be useful again later, I
> felt no need to change the interface (and all callers).
>
> Simo.
>

I'm not a huge fan of useless parameters, but I'll let it slide.

Ack.

-- 
Stephen Gallagher
RHCE 804006346421761
Looking to carve out IT costs? www.redhat.com/carveoutcosts/

From rcritten at redhat.com Thu Mar 19 19:54:39 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 19 Mar 2009 15:54:39 -0400
Subject: [Freeipa-devel] [PATCH] 149 basegroup patch
Message-ID: <49C2A2FF.8010707@redhat.com>

We have a lot of different kinds of groups in IPA. This patch provides a
basegroup class that will remove most of the code duplication in
groups now.

I'm submitting patches for the groups that will use this as discrete
patches to make things a little easier to review.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-149-basegroup.patch
Type: application/mbox
Size: 14837 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Mar 19 19:55:41 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 19 Mar 2009 15:55:41 -0400
Subject: [Freeipa-devel] [PATCH] 150 role groups
Message-ID: <49C2A33D.5080303@redhat.com>

Add rolegroups. A rolegroup will be used in the ACI subsystem to break
down the permissions a bit. Rolegroups will be things like: helpdesk,
user_admin, group_admin, etc.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-150-rolegroup.patch
Type: application/mbox
Size: 8327 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Mar 19 19:57:07 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 19 Mar 2009 15:57:07 -0400
Subject: [Freeipa-devel] [PATCH] 141 taskgroups
Message-ID: <49C2A393.7050401@redhat.com>

Add taskgroups. Taskgroups are part of the ACI subsystem. ACIs will
grant permissions to a taskgroup. rolegroups will be assigned to
taskgroups to delegate this permission.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-151-taskgroup.patch
Type: application/mbox
Size: 17206 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Mar 19 19:58:03 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 19 Mar 2009 15:58:03 -0400
Subject: [Freeipa-devel] [PATCH] 152 new group
Message-ID: <49C2A3CB.1010804@redhat.com>

This patch is the replacement group plugin patch. The old one will be
removed in another patch.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-152-group.patch
Type: application/mbox
Size: 6815 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Mar 19 19:58:38 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 19 Mar 2009 15:58:38 -0400
Subject: [Freeipa-devel] [PATCH] 153 hostgroup plugin
Message-ID: <49C2A3EE.8040405@redhat.com>

New hostgroup plugin that uses the basegroup class.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-153-hostgroup.py
Type: text/x-python
Size: 5980 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Mar 19 19:59:56 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 19 Mar 2009 15:59:56 -0400
Subject: [Freeipa-devel] [PATCH] 155 add posix group test
Message-ID: <49C2A43C.8090901@redhat.com>

Add a tests for posix groups to the group plugin test. One test will
fail because of a bug in the FDS DNA plugin. Once the next FDS release
is made this test will start working (the bug is fixed upstream).

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-155-grouptest.patch
Type: application/mbox
Size: 4590 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Mar 19 20:00:50 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 19 Mar 2009 16:00:50 -0400
Subject: [Freeipa-devel] [PATCH 156 remove old plugins
Message-ID: <49C2A472.6070803@redhat.com>

Remove the old standalone group plugins. I elected to add new ones and
remove the old one since I am also renaming at the same time, and it's
easier to review.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-156-remove.patch
Type: application/mbox
Size: 41782 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Mar 19 20:01:44 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 19 Mar 2009 16:01:44 -0400
Subject: [Freeipa-devel] [PATCH] 157/157 kw should be lower
Message-ID: <49C2A4A8.6090005@redhat.com>

I found a couple of places where kw used a mixed-case variable. We want
this to be lower-case.

I've already pushed these under the 1-liner rule.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-157-kwlower.patch
Type: application/mbox
Size: 1083 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-158-kwlower.patch
Type: application/mbox
Size: 828 bytes
Desc: not available
URL:

From ssorce at redhat.com Fri Mar 20 06:32:09 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 20 Mar 2009 02:32:09 -0400
Subject: [Freeipa-devel] [PATCH] Simplify configuration options
Message-ID: <1237530730.1893.54.camel@localhost.localdomain>

While working on some patches to handle default domains that elect not
to use fully qualified domains, I found myself simplifying some of our
configuration code.

4 patches.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-better-error-reporting-to-confdb-functions.patch
Type: text/x-patch
Size: 6712 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Simplify-default-configuration.patch
Type: text/x-patch
Size: 15942 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Enhance-server_setup.patch
Type: text/x-patch
Size: 9011 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Retrieve-some-options-from-confdb.patch
Type: text/x-patch
Size: 4295 bytes
Desc: not available
URL:

From jderose at redhat.com Fri Mar 20 06:43:14 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Fri, 20 Mar 2009 00:43:14 -0600
Subject: [Freeipa-devel] [PATCH] 149 basegroup patch
In-Reply-To: <49C2A2FF.8010707@redhat.com>
References: <49C2A2FF.8010707@redhat.com>
Message-ID: <1237531394.6777.2.camel@jgd-dsk>

On Thu, 2009-03-19 at 15:54 -0400, Rob Crittenden wrote:
> We have a lot of different kinds of groups in IPA. This patch provides a
> basegroup class that will remove most of the code duplication in
> groups now.
>
> I'm submitting patches for the groups that will use this as discrete
> patches to make things a little easier to review.
>
> rob

ack.

In another patch we should change the `base_classes` class attributes to
tuples instead of lists... we don't want public class attributes on the
base classes to be mutable objects.

From jderose at redhat.com Fri Mar 20 06:49:38 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Fri, 20 Mar 2009 00:49:38 -0600
Subject: [Freeipa-devel] [PATCH] 149 basegroup patch
In-Reply-To: <1237531394.6777.2.camel@jgd-dsk>
References: <49C2A2FF.8010707@redhat.com> <1237531394.6777.2.camel@jgd-dsk>
Message-ID: <1237531778.6777.4.camel@jgd-dsk>

On Fri, 2009-03-20 at 00:43 -0600, Jason Gerard DeRose wrote:
> On Thu, 2009-03-19 at 15:54 -0400, Rob Crittenden wrote:
> > We have a lot of different kinds of groups in IPA. This patch provides a
> > basegroup class that will remove most of the code duplication in
> > groups now.
> >
> > I'm submitting patches for the groups that will use this as discrete
> > patches to make things a little easier to review.
> >
> > rob
>
> ack.
>
> In another patch we should change the `base_classes` class attributes to
> tuples instead of lists... we don't want public class attributes on the
> base classes to be mutable objects.

Also, this requires freeipa-148-list.patch, which hasn't been committed
yet (but I did ack it).

From jderose at redhat.com Fri Mar 20 07:15:43 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Fri, 20 Mar 2009 01:15:43 -0600
Subject: [Freeipa-devel] [PATCH] 150 role groups
In-Reply-To: <49C2A33D.5080303@redhat.com>
References: <49C2A33D.5080303@redhat.com>
Message-ID: <1237533343.6777.5.camel@jgd-dsk>

On Thu, 2009-03-19 at 15:55 -0400, Rob Crittenden wrote:
> Add rolegroups. A rolegroup will be used in the ACI subsystem to break
> down the permissions a bit. Rolegroups will be things like: helpdesk,
> user_admin, group_admin, etc.
>
> rob

ack.

From jderose at redhat.com Fri Mar 20 07:39:05 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Fri, 20 Mar 2009 01:39:05 -0600
Subject: [Freeipa-devel] [PATCH] 141 taskgroups
In-Reply-To: <49C2A393.7050401@redhat.com>
References: <49C2A393.7050401@redhat.com>
Message-ID: <1237534745.6777.6.camel@jgd-dsk>

On Thu, 2009-03-19 at 15:57 -0400, Rob Crittenden wrote:
> Add taskgroups. Taskgroups are part of the ACI subsystem. ACIs will
> grant permissions to a taskgroup. rolegroups will be assigned to
> taskgroups to delegate this permission.
>
> rob

ack.

From jderose at redhat.com Fri Mar 20 07:47:35 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Fri, 20 Mar 2009 01:47:35 -0600
Subject: [Freeipa-devel] [PATCH] 152 new group
In-Reply-To: <49C2A3CB.1010804@redhat.com>
References: <49C2A3CB.1010804@redhat.com>
Message-ID: <1237535255.6777.8.camel@jgd-dsk>

On Thu, 2009-03-19 at 15:58 -0400, Rob Crittenden wrote:
> This patch is the replacement group plugin patch. The old one will be
> removed in another patch.
>
> rob

ack, but I needed to apply through freeipa-156-remove.patch to get this
working.

From jderose at redhat.com Fri Mar 20 07:47:48 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Fri, 20 Mar 2009 01:47:48 -0600
Subject: [Freeipa-devel] [PATCH] 153 hostgroup plugin
In-Reply-To: <49C2A3EE.8040405@redhat.com>
References: <49C2A3EE.8040405@redhat.com>
Message-ID: <1237535268.6777.9.camel@jgd-dsk>

On Thu, 2009-03-19 at 15:58 -0400, Rob Crittenden wrote:
> New hostgroup plugin that uses the basegroup class.
>
> rob

ack, but I needed to apply through freeipa-156-remove.patch to get this
working.

From jderose at redhat.com Fri Mar 20 07:48:00 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Fri, 20 Mar 2009 01:48:00 -0600
Subject: [Freeipa-devel] [PATCH] 155 add posix group test
In-Reply-To: <49C2A43C.8090901@redhat.com>
References: <49C2A43C.8090901@redhat.com>
Message-ID: <1237535280.6777.10.camel@jgd-dsk>

On Thu, 2009-03-19 at 15:59 -0400, Rob Crittenden wrote:
> Add a tests for posix groups to the group plugin test. One test will
> fail because of a bug in the FDS DNA plugin. Once the next FDS release
> is made this test will start working (the bug is fixed upstream).
>
> rob

ack, but I needed to apply through freeipa-156-remove.patch to get this
working.

From jderose at redhat.com Fri Mar 20 07:48:11 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Fri, 20 Mar 2009 01:48:11 -0600
Subject: [Freeipa-devel] [PATCH 156 remove old plugins
In-Reply-To: <49C2A472.6070803@redhat.com>
References: <49C2A472.6070803@redhat.com>
Message-ID: <1237535291.6777.11.camel@jgd-dsk>

On Thu, 2009-03-19 at 16:00 -0400, Rob Crittenden wrote:
> Remove the old standalone group plugins. I elected to add new ones and
> remove the old one since I am also renaming at the same time, and it's
> easier to review.
>
> rob

ack.

From sgallagh at redhat.com Fri Mar 20 11:32:56 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 20 Mar 2009 07:32:56 -0400
Subject: [Freeipa-devel] [PATCH] Simplify configuration options
In-Reply-To: <1237530730.1893.54.camel@localhost.localdomain>
References: <1237530730.1893.54.camel@localhost.localdomain>
Message-ID: <49C37EE8.4050305@redhat.com>

Simo Sorce wrote:
> While working on some patches to handle default domains that elect not
> to use fully qualified domains, I found myself simplifying some of our
> configuration code.
>
> 4 patches.
>
> Simo.

Patch 0001: Ack

Patch 0002: Ack

Patch 0003: Ack

Patch 0004: Ack

-- 
Stephen Gallagher
RHCE 804006346421761
Looking to carve out IT costs? www.redhat.com/carveoutcosts/

From rcritten at redhat.com Fri Mar 20 12:50:37 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 Mar 2009 08:50:37 -0400
Subject: [Freeipa-devel] [PATCH] fix broken build
Message-ID: <49C3911D.5030705@redhat.com>

Fix a typo in install/updates/Makefile.am.

Pushed to master

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-159-fixbuild.patch
Type: application/mbox
Size: 697 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Mar 20 13:29:23 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 Mar 2009 09:29:23 -0400
Subject: [Freeipa-devel] [PATCH] 149 basegroup patch
In-Reply-To: <1237531394.6777.2.camel@jgd-dsk>
References: <49C2A2FF.8010707@redhat.com> <1237531394.6777.2.camel@jgd-dsk>
Message-ID: <49C39A33.4080702@redhat.com>

Jason Gerard DeRose wrote:
> On Thu, 2009-03-19 at 15:54 -0400, Rob Crittenden wrote:
>> We have a lot of different kinds of groups in IPA. This patch provides a
>> basegroup class that will remove most of the code duplication in
>> groups now.
>>
>> I'm submitting patches for the groups that will use this as discrete
>> patches to make things a little easier to review.
>>
>> rob
>
> ack.
>
> In another patch we should change the `base_classes` class attributes to
> tuples instead of lists... we don't want public class attributes on the
> base classes to be mutable objects.
>

Ok. Pushed.

From rcritten at redhat.com Fri Mar 20 13:29:53 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 Mar 2009 09:29:53 -0400
Subject: [Freeipa-devel] [PATCH] 150 role groups
In-Reply-To: <1237533343.6777.5.camel@jgd-dsk>
References: <49C2A33D.5080303@redhat.com> <1237533343.6777.5.camel@jgd-dsk>
Message-ID: <49C39A51.3000800@redhat.com>

Jason Gerard DeRose wrote:
> On Thu, 2009-03-19 at 15:55 -0400, Rob Crittenden wrote:
>> Add rolegroups. A rolegroup will be used in the ACI subsystem to break
>> down the permissions a bit. Rolegroups will be things like: helpdesk,
>> user_admin, group_admin, etc.
>>
>> rob
>
> ack.
>

pushed

From rcritten at redhat.com Fri Mar 20 13:30:00 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 Mar 2009 09:30:00 -0400
Subject: [Freeipa-devel] [PATCH] 141 taskgroups
In-Reply-To: <1237534745.6777.6.camel@jgd-dsk>
References: <49C2A393.7050401@redhat.com> <1237534745.6777.6.camel@jgd-dsk>
Message-ID: <49C39A58.3070806@redhat.com>

Jason Gerard DeRose wrote:
> On Thu, 2009-03-19 at 15:57 -0400, Rob Crittenden wrote:
>> Add taskgroups. Taskgroups are part of the ACI subsystem. ACIs will
>> grant permissions to a taskgroup. rolegroups will be assigned to
>> taskgroups to delegate this permission.
>>
>> rob
>
> ack.
>

pushed

From rcritten at redhat.com Fri Mar 20 13:30:21 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 Mar 2009 09:30:21 -0400
Subject: [Freeipa-devel] [PATCH] 152 new group
In-Reply-To: <1237535255.6777.8.camel@jgd-dsk>
References: <49C2A3CB.1010804@redhat.com> <1237535255.6777.8.camel@jgd-dsk>
Message-ID: <49C39A6D.8020009@redhat.com>

Jason Gerard DeRose wrote:
> On Thu, 2009-03-19 at 15:58 -0400, Rob Crittenden wrote:
>> This patch is the replacement group plugin patch. The old one will be
>> removed in another patch.
>>
>> rob
>
> ack, but I needed to apply through freeipa-156-remove.patch to get this
> working.
>

pushed to master

From rcritten at redhat.com Fri Mar 20 13:30:28 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 Mar 2009 09:30:28 -0400
Subject: [Freeipa-devel] [PATCH] 153 hostgroup plugin
In-Reply-To: <1237535268.6777.9.camel@jgd-dsk>
References: <49C2A3EE.8040405@redhat.com> <1237535268.6777.9.camel@jgd-dsk>
Message-ID: <49C39A74.506@redhat.com>

Jason Gerard DeRose wrote:
> On Thu, 2009-03-19 at 15:58 -0400, Rob Crittenden wrote:
>> New hostgroup plugin that uses the basegroup class.
>>
>> rob
>
> ack, but I needed to apply through freeipa-156-remove.patch to get this
> working.
>

pushed to master

From rcritten at redhat.com Fri Mar 20 13:30:36 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 Mar 2009 09:30:36 -0400
Subject: [Freeipa-devel] [PATCH] 155 add posix group test
In-Reply-To: <1237535280.6777.10.camel@jgd-dsk>
References: <49C2A43C.8090901@redhat.com> <1237535280.6777.10.camel@jgd-dsk>
Message-ID: <49C39A7C.3070705@redhat.com>

Jason Gerard DeRose wrote:
> On Thu, 2009-03-19 at 15:59 -0400, Rob Crittenden wrote:
>> Add a tests for posix groups to the group plugin test. One test will
>> fail because of a bug in the FDS DNA plugin. Once the next FDS release
>> is made this test will start working (the bug is fixed upstream).
>>
>> rob
>
> ack, but I needed to apply through freeipa-156-remove.patch to get this
> working.
>

pushed to master

From rcritten at redhat.com Fri Mar 20 13:30:44 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 Mar 2009 09:30:44 -0400
Subject: [Freeipa-devel] [PATCH 156 remove old plugins
In-Reply-To: <1237535291.6777.11.camel@jgd-dsk>
References: <49C2A472.6070803@redhat.com> <1237535291.6777.11.camel@jgd-dsk>
Message-ID: <49C39A84.6030008@redhat.com>

Jason Gerard DeRose wrote:
> On Thu, 2009-03-19 at 16:00 -0400, Rob Crittenden wrote:
>> Remove the old standalone group plugins. I elected to add new ones and
>> remove the old one since I am also renaming at the same time, and it's
>> easier to review.
>>
>> rob
>
> ack.
>

pushed to master

From ssorce at redhat.com Fri Mar 20 14:52:00 2009
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 20 Mar 2009 10:52:00 -0400 Subject: [Freeipa-devel] [PATCH] added response type PAM_ENV_ITEM and integrated response data In-Reply-To: <49C26EDD.4020503@redhat.com> References: <49C24EC1.7040707@redhat.com> <1237471883.1893.13.camel@localhost.localdomain> <49C26EDD.4020503@redhat.com> Message-ID: <1237560720.1893.67.camel@localhost.localdomain> On Thu, 2009-03-19 at 17:12 +0100, Sumit Bose wrote: > Simo Sorce schrieb: > > On Thu, 2009-03-19 at 14:55 +0100, Sumit Bose wrote: > >> + ret = putenv((char *) &buf[p]); > >> + if (ret == -1) { > >> + D(("putenv failed.\n")); > >> + break; > >> + } > > > > Nack here, putenv uses the string passed in, so you have to, at > least > > strdup() the string before using it, and not free it, or you will > end up > > corrupting the environment. > > > > Simo. > > > new version attached Ack. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Mar 20 14:57:42 2009 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 20 Mar 2009 10:57:42 -0400 Subject: [Freeipa-devel] [PATCHES][SSSD] SBUS Reconnection logic In-Reply-To: <49C270CB.60908@redhat.com> References: <49C11FDA.1090906@redhat.com> <1237470914.1893.8.camel@localhost.localdomain> <49C26CC7.6040604@redhat.com> <49C270CB.60908@redhat.com> Message-ID: <1237561062.1893.68.camel@localhost.localdomain> On Thu, 2009-03-19 at 12:20 -0400, Stephen Gallagher wrote: > > > > New patch attached (I attached both again, for reference, but only > the > > back-end patch has changed) > > > > I've made the recommended changes above. Please review. > > > > Sorry, resent the wrong patch. ack. -- Simo Sorce * Red Hat, Inc * New York From sgallagh at redhat.com Fri Mar 20 14:59:41 2009 
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 20 Mar 2009 10:59:41 -0400
Subject: [Freeipa-devel] [PATCHES][SSSD] SBUS Reconnection logic
In-Reply-To: <1237561062.1893.68.camel@localhost.localdomain>
References: <49C11FDA.1090906@redhat.com> <1237470914.1893.8.camel@localhost.localdomain> <49C26CC7.6040604@redhat.com> <49C270CB.60908@redhat.com> <1237561062.1893.68.camel@localhost.localdomain>
Message-ID: <49C3AF5D.20509@redhat.com>

Simo Sorce wrote:
> On Thu, 2009-03-19 at 12:20 -0400, Stephen Gallagher wrote:
>>> New patch attached (I attached both again, for reference, but only
>> the
>>> back-end patch has changed)
>>>
>>> I've made the recommended changes above. Please review.
>>>
>> Sorry, resent the wrong patch.
>
> ack.
>

Pushed

-- 
Stephen Gallagher
RHCE 804006346421761
Looking to carve out IT costs? www.redhat.com/carveoutcosts/

From ssorce at redhat.com Fri Mar 20 17:34:15 2009
From: ssorce at redhat.com (Simo Sorce) Date: Fri, 20 Mar 2009 13:34:15 -0400 Subject: [Freeipa-devel] [PATCH] added response type PAM_ENV_ITEM and integrated response data In-Reply-To: <1237560720.1893.67.camel@localhost.localdomain> References: <49C24EC1.7040707@redhat.com> <1237471883.1893.13.camel@localhost.localdomain> <49C26EDD.4020503@redhat.com> <1237560720.1893.67.camel@localhost.localdomain> Message-ID: <1237570455.1893.69.camel@localhost.localdomain> On Fri, 2009-03-20 at 10:52 -0400, Simo Sorce wrote: > On Thu, 2009-03-19 at 17:12 +0100, Sumit Bose wrote: > > Simo Sorce schrieb: > > > On Thu, 2009-03-19 at 14:55 +0100, Sumit Bose wrote: > > >> + ret = putenv((char *) &buf[p]); > > >> + if (ret == -1) { > > >> + D(("putenv failed.\n")); > > >> + break; > > >> + } > > > > > > Nack here, putenv uses the string passed in, so you have to, at > > least > > > strdup() the string before using it, and not free it, or you will > > end up > > > corrupting the environment. > > > > > > Simo. > > > > > new version attached > > Ack. > Pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Mar 20 17:34:39 2009 
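The putenv() behaviour behind the Nack in the PAM_ENV_ITEM thread above, as an added example that is not code from the SSSD patch: POSIX putenv() keeps the caller's pointer in the environment, so reusing the response buffer changes what getenv() returns, while a validated private copy does not. The helper names (export_env_item, aliasing_changes_env, copy_survives_reuse), the DEMO_* variable names and the buffer contents are constructed for illustration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: export one "NAME=value" item found at offset p of a
 * response buffer of buflen bytes. Returns 0 on success, -1 on failure. */
int export_env_item(const char *buf, size_t buflen, size_t p)
{
    const char *item, *eq;
    char *copy;

    if (buf == NULL || p >= buflen) {
        errno = EINVAL;
        return -1;
    }
    item = buf + p;

    /* The item must be NUL-terminated inside the buffer. */
    if (memchr(item, '\0', buflen - p) == NULL) {
        errno = EINVAL;
        return -1;
    }

    /* Require NAME=value with a non-empty name. On glibc a string with no
     * '=' makes putenv() remove the variable instead of setting it. */
    eq = strchr(item, '=');
    if (eq == NULL || eq == item) {
        errno = EINVAL;
        return -1;
    }

    /* putenv() keeps the pointer it is given, so hand it a private copy and
     * do not free that copy afterwards: it now belongs to the environment. */
    copy = strdup(item);
    if (copy == NULL)
        return -1;
    if (putenv(copy) != 0) {
        free(copy);            /* not inserted, still ours to release */
        return -1;
    }
    return 0;
}

/* The pattern from the first patch version: putenv() on the buffer itself.
 * Returns 1 if reusing the buffer afterwards changed the environment. */
int aliasing_changes_env(void)
{
    static char buf[32];       /* static: the environment keeps pointing here */
    const char *v;

    strcpy(buf, "DEMO_ALIAS=first");          /* constructed sample item */
    if (putenv(buf) != 0)
        return -1;
    strcpy(buf, "DEMO_ALIAS=other");          /* next response overwrites it */
    v = getenv("DEMO_ALIAS");
    return v != NULL && strcmp(v, "other") == 0;
}

/* The reviewed fix: the exported value survives reuse of the buffer.
 * Returns 1 if getenv() still sees the original value. */
int copy_survives_reuse(void)
{
    char buf[32] = "DEMO_COPY=first";         /* constructed sample item */
    const char *v;

    if (export_env_item(buf, sizeof(buf), 0) != 0)
        return -1;
    memset(buf, 'X', sizeof(buf) - 1);        /* buffer reused for other data */
    v = getenv("DEMO_COPY");
    return v != NULL && strcmp(v, "first") == 0;
}

int main(void)
{
    printf("putenv() on the buffer, value changed by reuse: %d\n",
           aliasing_changes_env());
    printf("putenv() on a strdup() copy, value intact:      %d\n",
           copy_survives_reuse());
    return 0;
}
```

setenv(name, value, 1) is the other common way to get the same effect, since it copies its arguments into the environment.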
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 20 Mar 2009 13:34:39 -0400
Subject: [Freeipa-devel] [PATCH] cope with confdb sync calls to its ldb
In-Reply-To: <49C2980C.8060105@redhat.com>
References: <1237479232.1893.18.camel@localhost.localdomain> <49C271B3.5000804@redhat.com> <1237484112.1893.21.camel@localhost.localdomain> <49C2980C.8060105@redhat.com>
Message-ID: <1237570479.1893.70.camel@localhost.localdomain>

On Thu, 2009-03-19 at 15:07 -0400, Stephen Gallagher wrote:
> Simo Sorce wrote:
> > On Thu, 2009-03-19 at 12:24 -0400, Stephen Gallagher wrote:
> >> Simo Sorce wrote:
> >>> Needed to avoid calling events from within a confdb call.
> >>> I do not expect this to impact any code because the confdb is tiny
> and
> >>> is mmaped so all reading operations should rarely cause any I/O
> and in
> >>> that case it is disk I/O on the local disk, so perfectly tolerable
> the
> >>> rare times that happens.
> >>>
> >
> >> There's no longer a need to pass tevent_ctx() to confdb_init(). I
> >> suggest removing it for clarity.
> >
> > It does not hurt anyway, and it may turn out to be useful again
> later, I
> > felt no need to change the interface (and all callers).
> >
> > Simo.
> >
>
> I'm not a huge fan of useless parameters, but I'll let it slide.
>
> Ack.

pushed

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Mar 20 17:34:56 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 20 Mar 2009 13:34:56 -0400
Subject: [Freeipa-devel] [PATCH] Simplify configuration options
In-Reply-To: <49C37EE8.4050305@redhat.com>
References: <1237530730.1893.54.camel@localhost.localdomain> <49C37EE8.4050305@redhat.com>
Message-ID: <1237570496.1893.71.camel@localhost.localdomain>

On Fri, 2009-03-20 at 07:32 -0400, Stephen Gallagher wrote:
>
> Patch 0001: Ack
>
> Patch 0002: Ack
>
> Patch 0003: Ack
>
> Patch 0004: Ack

all pushed

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Mon Mar 23 19:44:57 2009
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 23 Mar 2009 15:44:57 -0400 Subject: [Freeipa-devel] [PATCH] print dn first Message-ID: <49C7E6B9.5030902@redhat.com> We should do like ldapsearch and print the end first when printing an entire entry. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-160-textui.patch Type: application/mbox Size: 794 bytes Desc: not available URL: From rcritten at redhat.com Mon Mar 23 19:45:53 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 23 Mar 2009 15:45:53 -0400 Subject: [Freeipa-devel] [PATCH] better exceptions for insufficient perms Message-ID: <49C7E6F1.5010100@redhat.com> Return a useful error message when the LDAP server returns insufficient access. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-161-permission.patch Type: application/mbox Size: 2582 bytes Desc: not available URL: From rcritten at redhat.com Mon Mar 23 19:46:44 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 23 Mar 2009 15:46:44 -0400 Subject: [Freeipa-devel] [PATCH] group plugin cleanup Message-ID: <49C7E724.1060503@redhat.com> Change some lists of things to be tuples instead so that classes that subclass us replace them rather than update them. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-162-groupcleanup.patch Type: application/mbox Size: 2225 bytes Desc: not available URL: From rcritten at redhat.com Mon Mar 23 19:48:06 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 23 Mar 2009 15:48:06 -0400 Subject: [Freeipa-devel] [PATCH] taskgroup showall function Message-ID: <49C7E776.9040907@redhat.com> We will need a mechanism to show all taskgroups in order to setup rolegroups so I've added a showall function. This is an exception to our "don't iterate over everything" rule. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-163-showall.patch Type: application/mbox Size: 2226 bytes Desc: not available URL: From rcritten at redhat.com Mon Mar 23 19:48:58 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 23 Mar 2009 15:48:58 -0400 Subject: [Freeipa-devel] [PATCH] allow only exact searches Message-ID: <49C7E7AA.1000600@redhat.com> Add an option to ldap.search() so one can do an exact search of a set of attributes only instead of doing both an exact and a substring search. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-164-exactsearch.patch Type: application/mbox Size: 1843 bytes Desc: not available URL: From rcritten at redhat.com Mon Mar 23 19:53:16 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 23 Mar 2009 15:53:16 -0400 Subject: [Freeipa-devel] [PATCH] don't configure DNA Message-ID: <49C7E8AC.9070300@redhat.com> I thought I had already done this but I guess not. We switched to the DS dna plugin and don't ship ours anymore so don't try to enable it. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-165-dna.patch Type: application/mbox Size: 1427 bytes Desc: not available URL: From rcritten at redhat.com Mon Mar 23 19:55:22 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 23 Mar 2009 15:55:22 -0400 Subject: [Freeipa-devel] [PATCH] fix ldapupdate bugs Message-ID: <49C7E92A.7060603@redhat.com> I found a number of corner-case bugs in ldapupdate. If an entry spans multiple lines, only the first line got passed through the template function so things like $SUFFIX wouldn't get replaced. It also wasn't detecting whether it should do updates properly, so if only one minor change was made it got silently dropped :-( And this now sorts any update filenames it finds. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-166-ldapupdate.patch Type: application/mbox Size: 2344 bytes Desc: not available URL: From rcritten at redhat.com Mon Mar 23 19:56:40 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 23 Mar 2009 15:56:40 -0400 Subject: [Freeipa-devel] [PATCH] enhance the ACI Plugin Message-ID: <49C7E978.1080406@redhat.com> Added some more target options when creating ACIs including some helpers for users, groups and hosts. This list may grow, we'll see. Switched to use the StrEnum parameter type for some of the options so it can do the member enforcement. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-167-aci.patch Type: application/mbox Size: 3783 bytes Desc: not available URL: From rcritten at redhat.com Mon Mar 23 19:58:12 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 23 Mar 2009 15:58:12 -0400 Subject: [Freeipa-devel] [PATCH] sort the update files Message-ID: <49C7E9D4.4080702@redhat.com> Some of the update files need to be applied in a certain order. Up until now they were processed in whatever order the FS gave us the files. Switching to an init-like format with a little breathing room for ordering the files. Much of this diff is just git renaming the files. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-168-sortupdate.patch Type: application/mbox Size: 39449 bytes Desc: not available URL: From jderose at redhat.com Tue Mar 24 03:00:07 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Mon, 23 Mar 2009 21:00:07 -0600 Subject: [Freeipa-devel] [PATCH] print dn first In-Reply-To: <49C7E6B9.5030902@redhat.com> References: <49C7E6B9.5030902@redhat.com> Message-ID: <1237863607.15035.0.camel@jgd-dsk> On Mon, 2009-03-23 at 15:44 -0400, Rob Crittenden wrote: > We should do like ldapsearch and print the end first when printing an > entire entry. > > rob ack. From jderose at redhat.com Tue Mar 24 03:01:02 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Mon, 23 Mar 2009 21:01:02 -0600 Subject: [Freeipa-devel] [PATCH] better exceptions for insufficient perms In-Reply-To: <49C7E6F1.5010100@redhat.com> References: <49C7E6F1.5010100@redhat.com> Message-ID: <1237863662.15035.1.camel@jgd-dsk> On Mon, 2009-03-23 at 15:45 -0400, Rob Crittenden wrote: > Return a useful error message when the LDAP server returns insufficient > access. > > rob ack. From jderose at redhat.com Tue Mar 24 03:03:06 2009 
From: jderose at redhat.com (Jason Gerard DeRose) Date: Mon, 23 Mar 2009 21:03:06 -0600 Subject: [Freeipa-devel] [PATCH] group plugin cleanup In-Reply-To: <49C7E724.1060503@redhat.com> References: <49C7E724.1060503@redhat.com> Message-ID: <1237863786.15035.2.camel@jgd-dsk> On Mon, 2009-03-23 at 15:46 -0400, Rob Crittenden wrote: > Change some lists of things to be tuples instead so that classes that > subclass us replace them rather than update them. > > rob ack. From jderose at redhat.com Tue Mar 24 03:04:26 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Mon, 23 Mar 2009 21:04:26 -0600 Subject: [Freeipa-devel] [PATCH] taskgroup showall function In-Reply-To: <49C7E776.9040907@redhat.com> References: <49C7E776.9040907@redhat.com> Message-ID: <1237863866.15035.3.camel@jgd-dsk> On Mon, 2009-03-23 at 15:48 -0400, Rob Crittenden wrote: > We will need a mechanism to show all taskgroups in order to setup > rolegroups so I've added a showall function. This is an exception to our > "don't iterate over everything" rule. > > rob ack. From jderose at redhat.com Tue Mar 24 03:08:53 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Mon, 23 Mar 2009 21:08:53 -0600 Subject: [Freeipa-devel] [PATCH] allow only exact searches In-Reply-To: <49C7E7AA.1000600@redhat.com> References: <49C7E7AA.1000600@redhat.com> Message-ID: <1237864133.15035.4.camel@jgd-dsk> On Mon, 2009-03-23 at 15:48 -0400, Rob Crittenden wrote: > Add an option to ldap.search() so one can do an exact search of a set of > attributes only instead of doing both an exact and a substring search. > > rob ack. From jderose at redhat.com Tue Mar 24 03:09:50 2009 
From: jderose at redhat.com (Jason Gerard DeRose) Date: Mon, 23 Mar 2009 21:09:50 -0600 Subject: [Freeipa-devel] [PATCH] don't configure DNA In-Reply-To: <49C7E8AC.9070300@redhat.com> References: <49C7E8AC.9070300@redhat.com> Message-ID: <1237864190.15035.5.camel@jgd-dsk> On Mon, 2009-03-23 at 15:53 -0400, Rob Crittenden wrote: > I thought I had already done this but I guess not. We switched to the DS > dna plugin and don't ship ours anymore so don't try to enable it. > > rob ack. From jderose at redhat.com Tue Mar 24 03:14:36 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Mon, 23 Mar 2009 21:14:36 -0600 Subject: [Freeipa-devel] [PATCH] fix ldapupdate bugs In-Reply-To: <49C7E92A.7060603@redhat.com> References: <49C7E92A.7060603@redhat.com> Message-ID: <1237864476.15035.6.camel@jgd-dsk> On Mon, 2009-03-23 at 15:55 -0400, Rob Crittenden wrote: > I found a number of corner-case bugs in ldapupdate. If an entry spans > multiple lines, only the first line got passed through the template > function so things like $SUFFIX wouldn't get replaced. > > It also wasn't detecting whether it should do updates properly, so if > only one minor change was made it got silently dropped :-( > > And this now sorts any update filenames it finds. > > rob ack. From jderose at redhat.com Tue Mar 24 03:16:02 2009 From: jderose at redhat.com (Jason Gerard DeRose) Date: Mon, 23 Mar 2009 21:16:02 -0600 Subject: [Freeipa-devel] [PATCH] enhance the ACI Plugin In-Reply-To: <49C7E978.1080406@redhat.com> References: <49C7E978.1080406@redhat.com> Message-ID: <1237864562.15035.7.camel@jgd-dsk> On Mon, 2009-03-23 at 15:56 -0400, Rob Crittenden wrote: > Added some more target options when creating ACIs including some helpers > for users, groups and hosts. This list may grow, we'll see. > > Switched to use the StrEnum parameter type for some of the options so it > can do the member enforcement. > > rob ack. From jderose at redhat.com Tue Mar 24 03:21:29 2009 
From: jderose at redhat.com (Jason Gerard DeRose) Date: Mon, 23 Mar 2009 21:21:29 -0600 Subject: [Freeipa-devel] [PATCH] sort the update files In-Reply-To: <49C7E9D4.4080702@redhat.com> References: <49C7E9D4.4080702@redhat.com> Message-ID: <1237864889.15035.11.camel@jgd-dsk> On Mon, 2009-03-23 at 15:58 -0400, Rob Crittenden wrote: > Some of the update files need to be applied in a certain order. Up until > now they were processed in whatever order the FS gave us the files. > > Switching to an init-like format with a little breathing room for > ordering the files. > > Much of this diff is just git renaming the files. > > rob ack... Rob did it, it must be right. I don't know enough to comment either way on this patch, but I trust Rob's judgment. Simo, can you comment on this patch? From ssorce at redhat.com Tue Mar 24 14:27:49 2009 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 24 Mar 2009 10:27:49 -0400 Subject: [Freeipa-devel] [PATCH] fix build Message-ID: <1237904869.1893.154.camel@localhost.localdomain> fix the build :/ -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-build.patch Type: text/x-patch Size: 1291 bytes Desc: not available URL: From sgallagh at redhat.com Tue Mar 24 14:30:45 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 24 Mar 2009 10:30:45 -0400 Subject: [Freeipa-devel] [PATCH] fix build In-Reply-To: <1237904869.1893.154.camel@localhost.localdomain> References: <1237904869.1893.154.camel@localhost.localdomain> Message-ID: <49C8EE95.2090500@redhat.com> Simo Sorce wrote: > fix the build :/ Ack and pushed to master. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From pzuna at redhat.com Tue Mar 24 17:24:22 2009 From: pzuna at redhat.com (Pavel Zuna) Date: Tue, 24 Mar 2009 18:24:22 +0100 Subject: [Freeipa-devel] new ldap backend Message-ID: <49C91746.9090009@redhat.com> Dear freeipa-devel, here's the current state of the new LDAP backend, that will hopefully replace the old one someday. If you find something wrong with the functionality or interface, please tell me. Even if you spot a typo, or just don't like my coding style - anything that helps me make it better is welcome. I also included a (dirty) testing module for reference. It might give you a better understanding of how the code should actually work in action. Thanks, Pavel -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: ldap2.py URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: check-ldap2.py URL: From sgallagh at redhat.com Wed Mar 25 13:52:13 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 25 Mar 2009 09:52:13 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Fix compilation error due to implicit cast Message-ID: <49CA370D.6050008@redhat.com> -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Fix-compilation-error-due-to-implicit-cast.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From sbose at redhat.com Wed Mar 25 13:54:15 2009 From: sbose at redhat.com (Sumit Bose) Date: Wed, 25 Mar 2009 14:54:15 +0100 Subject: [Freeipa-devel] [PATCH][SSSD] Fix compilation error due to implicit cast In-Reply-To: <49CA370D.6050008@redhat.com> References: <49CA370D.6050008@redhat.com> Message-ID: <49CA3787.1030004@redhat.com> ack From sgallagh at redhat.com Wed Mar 25 13:56:23 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 25 Mar 2009 09:56:23 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Fix compilation error due to implicit cast In-Reply-To: <49CA3787.1030004@redhat.com> References: <49CA370D.6050008@redhat.com> <49CA3787.1030004@redhat.com> Message-ID: <49CA3807.4010505@redhat.com> Sumit Bose wrote: > ack Pushed to master -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Wed Mar 25 15:04:38 2009
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 25 Mar 2009 11:04:38 -0400 Subject: [Freeipa-devel] [PATCH] print dn first In-Reply-To: <1237863607.15035.0.camel@jgd-dsk> References: <49C7E6B9.5030902@redhat.com> <1237863607.15035.0.camel@jgd-dsk> Message-ID: <49CA4806.1090905@redhat.com> Jason Gerard DeRose wrote: > On Mon, 2009-03-23 at 15:44 -0400, Rob Crittenden wrote: >> We should do like ldapsearch and print the end first when printing an >> entire entry. >> >> rob > > ack. > pushed to master From rcritten at redhat.com Wed Mar 25 15:04:46 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 25 Mar 2009 11:04:46 -0400 Subject: [Freeipa-devel] [PATCH] better exceptions for insufficient perms In-Reply-To: <1237863662.15035.1.camel@jgd-dsk> References: <49C7E6F1.5010100@redhat.com> <1237863662.15035.1.camel@jgd-dsk> Message-ID: <49CA480E.2000400@redhat.com> Jason Gerard DeRose wrote: > On Mon, 2009-03-23 at 15:45 -0400, Rob Crittenden wrote: >> Return a useful error message when the LDAP server returns insufficient >> access. >> >> rob > > ack. > pushed to master From rcritten at redhat.com Wed Mar 25 15:04:54 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 25 Mar 2009 11:04:54 -0400 Subject: [Freeipa-devel] [PATCH] group plugin cleanup In-Reply-To: <1237863786.15035.2.camel@jgd-dsk> References: <49C7E724.1060503@redhat.com> <1237863786.15035.2.camel@jgd-dsk> Message-ID: <49CA4816.7010502@redhat.com> Jason Gerard DeRose wrote: > On Mon, 2009-03-23 at 15:46 -0400, Rob Crittenden wrote: >> Change some lists of things to be tuples instead so that classes that >> subclass us replace them rather than update them. >> >> rob > > ack. > pushed to master From rcritten at redhat.com Wed Mar 25 15:05:01 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 25 Mar 2009 11:05:01 -0400 Subject: [Freeipa-devel] [PATCH] taskgroup showall function In-Reply-To: <1237863866.15035.3.camel@jgd-dsk> References: <49C7E776.9040907@redhat.com> <1237863866.15035.3.camel@jgd-dsk> Message-ID: <49CA481D.201@redhat.com> Jason Gerard DeRose wrote: > On Mon, 2009-03-23 at 15:48 -0400, Rob Crittenden wrote: >> We will need a mechanism to show all taskgroups in order to setup >> rolegroups so I've added a showall function. This is an exception to our >> "don't iterate over everything" rule. >> >> rob > > ack. > > pushed to master From rcritten at redhat.com Wed Mar 25 15:05:08 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 25 Mar 2009 11:05:08 -0400 Subject: [Freeipa-devel] [PATCH] allow only exact searches In-Reply-To: <1237864133.15035.4.camel@jgd-dsk> References: <49C7E7AA.1000600@redhat.com> <1237864133.15035.4.camel@jgd-dsk> Message-ID: <49CA4824.1080708@redhat.com> Jason Gerard DeRose wrote: > On Mon, 2009-03-23 at 15:48 -0400, Rob Crittenden wrote: >> Add an option to ldap.search() so one can do an exact search of a set of >> attributes only instead of doing both an exact and a substring search. >> >> rob > > ack. > pushed to master From rcritten at redhat.com Wed Mar 25 15:05:17 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 25 Mar 2009 11:05:17 -0400 Subject: [Freeipa-devel] [PATCH] don't configure DNA In-Reply-To: <1237864190.15035.5.camel@jgd-dsk> References: <49C7E8AC.9070300@redhat.com> <1237864190.15035.5.camel@jgd-dsk> Message-ID: <49CA482D.5020008@redhat.com> Jason Gerard DeRose wrote: > On Mon, 2009-03-23 at 15:53 -0400, Rob Crittenden wrote: >> I thought I had already done this but I guess not. We switched to the DS >> dna plugin and don't ship ours anymore so don't try to enable it. >> >> rob > > ack. > pushed to master From rcritten at redhat.com Wed Mar 25 15:05:24 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 25 Mar 2009 11:05:24 -0400 Subject: [Freeipa-devel] [PATCH] fix ldapupdate bugs In-Reply-To: <1237864476.15035.6.camel@jgd-dsk> References: <49C7E92A.7060603@redhat.com> <1237864476.15035.6.camel@jgd-dsk> Message-ID: <49CA4834.1040001@redhat.com> Jason Gerard DeRose wrote: > On Mon, 2009-03-23 at 15:55 -0400, Rob Crittenden wrote: >> I found a number of corner-case bugs in ldapupdate. If an entry spans >> multiple lines, only the first line got passed through the template >> function so things like $SUFFIX wouldn't get replaced. >> >> It also wasn't detecting whether it should do updates properly, so if >> only one minor change was made it got silently dropped :-( >> >> And this now sorts any update filenames it finds. >> >> rob > > ack. > pushed to master From rcritten at redhat.com Wed Mar 25 15:05:33 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 25 Mar 2009 11:05:33 -0400 Subject: [Freeipa-devel] [PATCH] enhance the ACI Plugin In-Reply-To: <1237864562.15035.7.camel@jgd-dsk> References: <49C7E978.1080406@redhat.com> <1237864562.15035.7.camel@jgd-dsk> Message-ID: <49CA483D.3060806@redhat.com> Jason Gerard DeRose wrote: > On Mon, 2009-03-23 at 15:56 -0400, Rob Crittenden wrote: >> Added some more target options when creating ACIs including some helpers >> for users, groups and hosts. This list may grow, we'll see. >> >> Switched to use the StrEnum parameter type for some of the options so it >> can do the member enforcement. >> >> rob > > ack. > pushed to master From rcritten at redhat.com Wed Mar 25 15:05:56 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 25 Mar 2009 11:05:56 -0400 Subject: [Freeipa-devel] [PATCH] sort the update files In-Reply-To: <1237864889.15035.11.camel@jgd-dsk> References: <49C7E9D4.4080702@redhat.com> <1237864889.15035.11.camel@jgd-dsk> Message-ID: <49CA4854.60608@redhat.com> Jason Gerard DeRose wrote: > On Mon, 2009-03-23 at 15:58 -0400, Rob Crittenden wrote: >> Some of the update files need to be applied in a certain order. Up until >> now they were processed in whatever order the FS gave us the files. >> >> Switching to an init-like format with a little breathing room for >> ordering the files. >> >> Much of this diff is just git renaming the files. >> >> rob > > ack... Rob did it, it must be right. > > I don't know enough to comment either way on this patch, but I trust > Rob's judgment. Simo, can you comment on this patch? > I went ahead and pushed this. This is just renaming some files, should be safe. rob From rcritten at redhat.com Wed Mar 25 15:17:03 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 25 Mar 2009 11:17:03 -0400 Subject: [Freeipa-devel] [PATCH] add more delegation rules Message-ID: <49CA4AEF.7070506@redhat.com> Fill in the ACIs and taskgroups for most of the plugins. This adds: group administration host administration host group administration delegation administration service administration automount administration netgroup administration So far I've focused on granting write/add/del permissions. At some point I may add in read/search ACIs as well. This still isn't going to, by default, allow one to grant write access to different containers as we still have a flat tree. The way that can be handled is by setting some attribute (say ou) to a value and then adding that to the ACI. How one would do this without manually updating the ACI by hand is still up in the air. It may be that we still won't support it directly but doing so will be a lot more possible in v2. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-169-delegation.patch Type: application/mbox Size: 16238 bytes Desc: not available URL: From jderose at redhat.com Thu Mar 26 06:21:31 2009 
From: jderose at redhat.com (Jason Gerard DeRose) Date: Thu, 26 Mar 2009 00:21:31 -0600 Subject: [Freeipa-devel] new ldap backend In-Reply-To: <49C91746.9090009@redhat.com> References: <49C91746.9090009@redhat.com> Message-ID: <1238048491.11778.118.camel@jgd-dsk> On Tue, 2009-03-24 at 18:24 +0100, Pavel Zuna wrote: > Dear freeipa-devel, > here's the current state of the new LDAP backend, that will hopefully replace > the old one someday. If you find something wrong with the functionality or > interface, please tell me. Even if you spot a typo, or just don't like my coding > style - anything that helps me make it better is welcome. > > I also included a (dirty) testing module for reference. It might give you a > better understanding of how the code should actually work in action. > > Thanks, > Pavel This code is really looking good, Pavel! A lot of it is beyond my LDAP knowledge, so I can't comment on many of the particulars, but I do have some overall comments. 1. Make sure consumers of the API don't need to import the python-ldap bindings... I see a few places where you're using constants from _ldap (like in find_entries() line 382). I think it might be better to have these constants be specified with a str like 'subtree' instead of _ldap.SCOPE_SUBTREE (using a private dict to map to the python-ldap constant). If you don't like this idea, feel free to argue the point, but that's my gut feeling. 2. Look for places where you can write tests that don't require connecting to a live LDAP server, and put these in the unit-tests in tests/. The more easy-to-run (non-invasive) tests we have the better. (Although most of your tests will necessarily be invasive, like the ones you already have in check-ldap2.py). I think this code is ready for the next step: I think you should submit a patch, we'll get this into master, and then you should port a small number of command plugins (that talk to LDAP) to use ldap2. I think the user commands would probably be a good choice.
Then you can go through a number of iterations in refining the new API, while only needing to update several reference commands that are using ldap2. Then once everyone feels ldap2 is ready, we can port all the commands to use it. I think you're on the right track and this looks like high quality code. Thanks for all your work! Cheers, Jason From sgallagh at redhat.com Thu Mar 26 15:02:03 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 26 Mar 2009 11:02:03 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Refactor nss_ctx to resp_ctx in responders Message-ID: <49CB98EB.8020307@redhat.com> The generic responder code was copied from the NSS code, but it was still using nss_ctx everywhere. The NSS code subsequently branched off, so the implementation of the nss_ctx was different in the two places. I have refactored the version of nss_ctx in the responder code to be a resp_ctx instead. This patch is essentially just a global search-and-replace for "nss_ctx"->"resp_ctx" (and "nctx"->"rctx") in the PAM and common responder code. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Refactor-nss_ctx-to-resp_ctx-in-responders.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From sgallagh at redhat.com Thu Mar 26 15:04:24 2009 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 26 Mar 2009 11:04:24 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Enable autoreconnection to the Data Provider in PAM Message-ID: <49CB9978.2040101@redhat.com> If the Data Provider dies and restarts, allow PAM to reconnect to it instead of exiting and restarting (which may cause interruption of ongoing PAM conversations) -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0002-Enable-autoreconnection-to-the-Data-Provider-in-PAM.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From ssorce at redhat.com Thu Mar 26 18:18:28 2009 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 26 Mar 2009 14:18:28 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Refactor nss_ctx to resp_ctx in responders In-Reply-To: <49CB98EB.8020307@redhat.com> References: <49CB98EB.8020307@redhat.com> Message-ID: <1238091508.20998.0.camel@localhost.localdomain> On Thu, 2009-03-26 at 11:02 -0400, Stephen Gallagher wrote: > The generic responder code was copied from the NSS code, but it was > still using nss_ctx everywhere. The NSS code subsequently branched > off, > so the implementation of the nss_ctx was different in the two places. > > I have refactored the version of nss_ctx in the responder code to be a > resp_ctx instead. > > This patch is essentially just a global search-and-replace for > "nss_ctx"->"resp_ctx" (and "nctx"->"rctx") in the PAM and common > responder code. ack and pushed I will take on the job of merging nss' nss_ctx into resp_ctx too. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Mar 26 18:18:46 2009 
From: ssorce at redhat.com (Simo Sorce) Date: Thu, 26 Mar 2009 14:18:46 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Enable autoreconnection to the Data Provider in PAM In-Reply-To: <49CB9978.2040101@redhat.com> References: <49CB9978.2040101@redhat.com> Message-ID: <1238091526.20998.1.camel@localhost.localdomain> On Thu, 2009-03-26 at 11:04 -0400, Stephen Gallagher wrote: > If the Data Provider dies and restarts, allow PAM to reconnect to it > instead of exiting and restarting (which may cause interruption of > ongoing PAM conversations) ack and pushed Simo. -- Simo Sorce * Red Hat, Inc * New York From sgallagh at redhat.com Fri Mar 27 11:31:13 2009 From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 27 Mar 2009 07:31:13 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Fix bug where services restarted by the monitor would be pinged more than once per cycle Message-ID: <49CCB901.1020208@redhat.com> Whenever a service is started by the monitor, we start a series of timed events to poll the child service for responsiveness every N seconds. However, when a dead process is restarted, we weren't terminating the original polling, so each time a process died, we were adding another ping to the event loop, causing a resource leak. This patch allows us to store the current event_timer for the ping in the service object, so we can destroy it when restarting a service. -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: 0001-Fix-bug-where-services-restarted-by-the-monitor-woul.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From sbose at redhat.com Fri Mar 27 11:34:39 2009 
From: sbose at redhat.com (Sumit Bose) Date: Fri, 27 Mar 2009 12:34:39 +0100 Subject: [Freeipa-devel] [PATCH][SSSD] Fix bug where services restarted by the monitor would be pinged more than once per cycle In-Reply-To: <49CCB901.1020208@redhat.com> References: <49CCB901.1020208@redhat.com> Message-ID: <49CCB9CF.3000805@redhat.com> Stephen Gallagher wrote: > Whenever a service is started by the monitor, we start a series of timed > events to poll the child service for responsiveness every N seconds. > However, when a dead process is restarted, we weren't terminating the > original polling, so each time a process died, we were adding another > ping to the event loop, causing a resource leak. > > This patch allows us to store the current event_timer for the ping in > the service object, so we can destroy it when restarting a service. > > ack bye, Sumit From sgallagh at redhat.com Fri Mar 27 11:38:57 2009
From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 27 Mar 2009 07:38:57 -0400 Subject: [Freeipa-devel] [PATCH][SSSD] Fix bug where services restarted by the monitor would be pinged more than once per cycle In-Reply-To: <49CCB9CF.3000805@redhat.com> References: <49CCB901.1020208@redhat.com> <49CCB9CF.3000805@redhat.com> Message-ID: <49CCBAD1.4090403@redhat.com> Sumit Bose wrote: > Stephen Gallagher wrote: >> Whenever a service is started by the monitor, we start a series of timed >> events to poll the child service for responsiveness every N seconds. >> However, when a dead process is restarted, we weren't terminating the >> original polling, so each time a process died, we were adding another >> ping to the event loop, causing a resource leak. >> >> This patch allows us to store the current event_timer for the ping in >> the service object, so we can destroy it when restarting a service. >> >> > ack > > bye, > Sumit Pushed to master -- Stephen Gallagher RHCE 804006346421761 Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ssorce at redhat.com Fri Mar 27 14:55:07 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 27 Mar 2009 10:55:07 -0400
Subject: [Freeipa-devel] [PATCH] align nsssrv to use the common responder code
Message-ID: <1238165707.20998.6.camel@localhost.localdomain>

In the process I have also simplified sss_cmd_done removing the needless
use of sss_cmd_ctx.
I also fixed a couple of variable names that were misleading.

Seems to work fine here.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Make-nsssrv-use-the-common-responder-functions.patch
Type: text/x-patch
Size: 69977 bytes
Desc: not available
URL:

From ssorce at redhat.com Fri Mar 27 14:58:54 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 27 Mar 2009 10:58:54 -0400
Subject: [Freeipa-devel] [PATCH] align nsssrv to use the common responder code
In-Reply-To: <1238165707.20998.6.camel@localhost.localdomain>
References: <1238165707.20998.6.camel@localhost.localdomain>
Message-ID: <1238165934.20998.7.camel@localhost.localdomain>

On Fri, 2009-03-27 at 10:55 -0400, Simo Sorce wrote:
> In the process I have also simplified sss_cmd_done removing the needless
> use of sss_cmd_ctx.
> I also fixed a couple of variable names that were misleading.
>
> Seems to work fine here.

Ooops forgot a one line fix I had in my tree, patch updated.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Make-nsssrv-use-the-common-responder-functions.patch
Type: text/x-patch
Size: 69977 bytes
Desc: not available
URL:

From ssorce at redhat.com Fri Mar 27 15:04:39 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 27 Mar 2009 11:04:39 -0400
Subject: [Freeipa-devel] [PATCH] align nsssrv to use the common responder code
In-Reply-To: <1238165934.20998.7.camel@localhost.localdomain>
References: <1238165707.20998.6.camel@localhost.localdomain> <1238165934.20998.7.camel@localhost.localdomain>
Message-ID: <1238166279.20998.10.camel@localhost.localdomain>

On Fri, 2009-03-27 at 10:58 -0400, Simo Sorce wrote:
> On Fri, 2009-03-27 at 10:55 -0400, Simo Sorce wrote:
> > In the process I have also simplified sss_cmd_done removing the needless
> > use of sss_cmd_ctx.
> > I also fixed a couple of variable names that were misleading.
> >
> > Seems to work fine here.
>
> Ooops forgot a one line fix I had in my tree, patch updated.

Not my day,
resent the same patch by mistake :-/

this one should be the right one

simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Make-nsssrv-use-the-common-responder-functions.patch
Type: text/x-patch
Size: 69984 bytes
Desc: not available
URL:

From sgallagh at redhat.com Fri Mar 27 15:26:47 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 27 Mar 2009 11:26:47 -0400
Subject: [Freeipa-devel] [PATCH] align nsssrv to use the common responder code
In-Reply-To: <1238166279.20998.10.camel@localhost.localdomain>
References: <1238165707.20998.6.camel@localhost.localdomain> <1238165934.20998.7.camel@localhost.localdomain> <1238166279.20998.10.camel@localhost.localdomain>
Message-ID: <49CCF037.50309@redhat.com>

Simo Sorce wrote:
> On Fri, 2009-03-27 at 10:58 -0400, Simo Sorce wrote:
>> On Fri, 2009-03-27 at 10:55 -0400, Simo Sorce wrote:
>>> In the process I have also simplified sss_cmd_done removing the needless
>>> use of sss_cmd_ctx.
>>> I also fixed a couple of variable names that were misleading.
>>>
>>> Seems to work fine here.
>> Ooops forgot a one line fix I had in my tree, patch updated.
>
> Not my day,
> resent the same patch by mistake :-/
>
> this one should be the right one
>
> simo.
>

Nack: compilation errors

[sgallagh at sgallagh server]$ make
server will be compiled with flags:
CFLAGS = -I./include -Iinclude -I. -I./.. -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -DLIBDIR=\"/usr/lib64\" -DVARDIR=\"/var\" -DSHLIBEXT=\"so\" -DSSSD_LIBEXEC_PATH=\"/usr/libexec/sssd\" -DSSSD_INTROSPECT_PATH=\"/usr/share/sssd/introspect\" -DUSE_MMAP=1
LIBS = -ltalloc -ltdb -ltevent -lpopt -lldb -L/lib64 -ldbus-1
Compiling monitor/monitor.c
Compiling util/debug.c
Compiling util/signal.c
Compiling util/server.c
Compiling util/memory.c
Compiling util/btreemap.c
Compiling util/usertools.c
Compiling monitor/monitor_sbus.c
Compiling providers/dp_sbus.c
Compiling sbus/sssd_dbus_common.c
Compiling sbus/sssd_dbus_connection.c
Compiling sbus/sssd_dbus_server.c
Compiling sbus/sbus_client.c
Compiling confdb/confdb.c
Compiling db/sysdb.c
Compiling db/sysdb_req.c
Compiling db/sysdb_search.c
Compiling db/sysdb_ops.c
gcc -o sbin/sssd monitor/monitor.o util/debug.o util/signal.o util/server.o util/memory.o util/btreemap.o util/usertools.o monitor/monitor_sbus.o providers/dp_sbus.o sbus/sssd_dbus_common.o sbus/sssd_dbus_connection.o sbus/sssd_dbus_server.o sbus/sbus_client.o confdb/confdb.o db/sysdb.o db/sysdb_req.o db/sysdb_search.o db/sysdb_ops.o -L./lib -ltalloc -ltdb -ltevent -lpopt -lldb -L/lib64 -ldbus-1
Compiling responder/nss/nsssrv.c
In file included from responder/nss/nsssrv.c:34:
./responder/nss/nsssrv.h:37:18: error: pcre.h: No such file or directory
In file included from responder/nss/nsssrv.c:34:
./responder/nss/nsssrv.h:68: error: expected specifier-qualifier-list before ‘pcre’
responder/nss/nsssrv.c: In function ‘nss_get_config’:
responder/nss/nsssrv.c:141: error: ‘struct nss_ctx’ has no member named ‘filter_users’
responder/nss/nsssrv.c:145: error: ‘struct nss_ctx’ has no member named ‘filter_groups’
make: *** [responder/nss/nsssrv.o] Error 1

I suspect the pcre.h thing was something you mixed in from another patch
you're working on, because the only reference to it is "pcre
*parse_name_re;" in nss_ctx, which is not used anywhere.

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sbose at redhat.com Fri Mar 27 15:28:12 2009
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 27 Mar 2009 16:28:12 +0100
Subject: [Freeipa-devel] [PATCH] fixed a call the the wrong callback
Message-ID: <49CCF08C.5080100@redhat.com>

Hi,

I think I have found a copy-n-paste error.

bye,
Sumit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-fixed-a-call-the-the-wrong-callback.patch
Type: text/x-patch
Size: 789 bytes
Desc: not available
URL:

From ssorce at redhat.com Fri Mar 27 15:44:52 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 27 Mar 2009 11:44:52 -0400
Subject: [Freeipa-devel] [PATCH] align nsssrv to use the common responder code
In-Reply-To: <49CCF037.50309@redhat.com>
References: <1238165707.20998.6.camel@localhost.localdomain> <1238165934.20998.7.camel@localhost.localdomain> <1238166279.20998.10.camel@localhost.localdomain> <49CCF037.50309@redhat.com>
Message-ID: <1238168692.20998.11.camel@localhost.localdomain>

On Fri, 2009-03-27 at 11:26 -0400, Stephen Gallagher wrote:
>
>
> I suspect the pcre.h thing was something you mixed in from another
> patch
> you're working on, because the only reference to it is "pcre
> *parse_name_re;" in nss_ctx, which is not used anywhere.

Correct,
the pcre stuff got in by mistake.

New patch.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Make-nsssrv-use-the-common-responder-functions.patch
Type: text/x-patch
Size: 69855 bytes
Desc: not available
URL:

From ssorce at redhat.com Fri Mar 27 15:45:41 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 27 Mar 2009 11:45:41 -0400
Subject: [Freeipa-devel] [PATCH] fixed a call the the wrong callback
In-Reply-To: <49CCF08C.5080100@redhat.com>
References: <49CCF08C.5080100@redhat.com>
Message-ID: <1238168741.20998.12.camel@localhost.localdomain>

On Fri, 2009-03-27 at 16:28 +0100, Sumit Bose wrote:
> Hi,
>
> I think I have found a copy-n-paste error.

yeah I have a fix for that in the patch that makes nsssrv.c use
resp_ctx :)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Fri Mar 27 15:50:35 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 27 Mar 2009 11:50:35 -0400
Subject: [Freeipa-devel] [PATCH] align nsssrv to use the common responder code
In-Reply-To: <1238168692.20998.11.camel@localhost.localdomain>
References: <1238165707.20998.6.camel@localhost.localdomain> <1238165934.20998.7.camel@localhost.localdomain> <1238166279.20998.10.camel@localhost.localdomain> <49CCF037.50309@redhat.com> <1238168692.20998.11.camel@localhost.localdomain>
Message-ID: <49CCF5CB.6060500@redhat.com>

Simo Sorce wrote:
> On Fri, 2009-03-27 at 11:26 -0400, Stephen Gallagher wrote:
>>
>> I suspect the pcre.h thing was something you mixed in from another
>> patch
>> you're working on, because the only reference to it is "pcre
>> *parse_name_re;" in nss_ctx, which is not used anywhere.
>
> Correct,
> the pcre stuff got in by mistake.
>
> New patch.
>
> Simo.
>

Nack: segmentation fault

Action: "getent passwd" with LOCAL and proxy LDAP backends

Core was generated by `/usr/libexec/sssd/sssd_nss'.
Program terminated with signal 11, Segmentation fault.
[New process 17817]
#0 strlen () at ../sysdeps/x86_64/strlen.S:37
37 0: cmpb $0x0,(%rax) /* is byte NUL? */
Missing separate debuginfos, use: debuginfo-install libselinux-2.0.78-1.fc10.x86_64
(gdb) bt
#0 strlen () at ../sysdeps/x86_64/strlen.S:37
#1 0x00000000004048ce in fill_pwent ()
#2 0x0000000000407144 in nss_cmd_retpwent ()
#3 0x00000000004071f1 in nss_cmd_getpwent_immediate ()
#4 0x00000000004068b3 in nss_cmd_setpwent_callback ()
#5 0x0000000000412dd4 in request_done ()
#6 0x0000000000413077 in get_gen_callback ()
#7 0x0000003daa2180fe in ltdb_callback (ev=, te=, t={tv_sec = 0, tv_usec = 0}, private_data=) at ldb_tdb/ldb_tdb.c:1120
#8 0x0000003daba02f21 in tevent_common_loop_timer_delay (ev=0x1fb3880) at tevent_timed.c:254
#9 0x0000003daba04608 in std_event_loop_once (ev=0x1fb3880) at tevent_standard.c:543
#10 0x0000003daba048ae in std_event_loop_wait (ev=0x1fb3880) at tevent_standard.c:567
#11 0x000000000040ccf6 in server_loop ()
#12 0x000000000040465d in main ()
Current language: auto; currently asm

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Fri Mar 27 17:56:52 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 27 Mar 2009 13:56:52 -0400
Subject: [Freeipa-devel] [PATCH] align nsssrv to use the common responder code
In-Reply-To: <49CCF5CB.6060500@redhat.com>
References: <1238165707.20998.6.camel@localhost.localdomain> <1238165934.20998.7.camel@localhost.localdomain> <1238166279.20998.10.camel@localhost.localdomain> <49CCF037.50309@redhat.com> <1238168692.20998.11.camel@localhost.localdomain> <49CCF5CB.6060500@redhat.com>
Message-ID: <1238176612.20998.13.camel@localhost.localdomain>

On Fri, 2009-03-27 at 11:50 -0400, Stephen Gallagher wrote:
> Simo Sorce wrote:
> > On Fri, 2009-03-27 at 11:26 -0400, Stephen Gallagher wrote:
> >>
> >> I suspect the pcre.h thing was something you mixed in from another
> >> patch
> >> you're working on, because the only reference to it is "pcre
> >> *parse_name_re;" in nss_ctx, which is not used anywhere.
> >
> > Correct,
> > the pcre stuff got in by mistake.
> >
> > New patch.
> Nack: segmentation fault
>
> Action: "getent passwd" with LOCAL and proxy LDAP backends
>
> Core was generated by `/usr/libexec/sssd/sssd_nss'.
> Program terminated with signal 11, Segmentation fault.
> [New process 17817]
> #0 strlen () at ../sysdeps/x86_64/strlen.S:37
> 37 0: cmpb $0x0,(%rax) /* is byte NUL? */
> Missing separate debuginfos, use: debuginfo-install
> libselinux-2.0.78-1.fc10.x86_64
> (gdb) bt
> #0 strlen () at ../sysdeps/x86_64/strlen.S:37
> #1 0x00000000004048ce in fill_pwent ()
> #2 0x0000000000407144 in nss_cmd_retpwent ()
> #3 0x00000000004071f1 in nss_cmd_getpwent_immediate ()
> #4 0x00000000004068b3 in nss_cmd_setpwent_callback ()
> #5 0x0000000000412dd4 in request_done ()
> #6 0x0000000000413077 in get_gen_callback ()
> #7 0x0000003daa2180fe in ltdb_callback (ev=,
> te=, t={tv_sec = 0, tv_usec = 0},
> private_data=) at ldb_tdb/ldb_tdb.c:1120
> #8 0x0000003daba02f21 in tevent_common_loop_timer_delay (ev=0x1fb3880)
> at tevent_timed.c:254
> #9 0x0000003daba04608 in std_event_loop_once (ev=0x1fb3880) at
> tevent_standard.c:543
> #10 0x0000003daba048ae in std_event_loop_wait (ev=0x1fb3880) at
> tevent_standard.c:567
> #11 0x000000000040ccf6 in server_loop ()
> #12 0x000000000040465d in main ()
> Current language: auto; currently asm

This fault was actually caused by a preexisting problem.
Sending new patches in a separate email.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Mar 27 18:02:30 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 27 Mar 2009 14:02:30 -0400
Subject: [Freeipa-devel] [PATCH] refactor nss_ctx and other bugfixes
Message-ID: <1238176950.20998.19.camel@localhost.localdomain>

Ok split my previous patch to fix the bug that Sumit found and another
segfault bug Steven found.

So now we have a bugfix patch and the nss_ctx/resp_ctx refactoring as
separate patches.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-uninitailized-pointer-and-cut-paste-error.patch
Type: text/x-patch
Size: 1679 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Make-nsssrv-use-the-common-responder-functions.patch
Type: text/x-patch
Size: 69693 bytes
Desc: not available
URL:

From sgallagh at redhat.com Fri Mar 27 18:09:28 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 27 Mar 2009 14:09:28 -0400
Subject: [Freeipa-devel] [PATCH] refactor nss_ctx and other bugfixes
In-Reply-To: <1238176950.20998.19.camel@localhost.localdomain>
References: <1238176950.20998.19.camel@localhost.localdomain>
Message-ID: <49CD1658.4030808@redhat.com>

Simo Sorce wrote:
> Ok split my previous patch to fix the bug that Sumit found and another
> segfault bug Steven found.
>
> So now we have a bugfix patch and the nss_ctx/resp_ctx refactoring as
> separate patches.
>
> Simo.
>

Not your day, my friend:

Core was generated by `/usr/libexec/sssd/sssd_nss'.
Program terminated with signal 11, Segmentation fault.
[New process 2801]
#0 0x000000000040b2cd in nss_dp_send_acct_req (rctx=0x1877a40, memctx=0x187f680, callback=0x4069f0 , callback_ctx=0x187fad0, timeout=100000, domain=0x1878e90 "TEST", type=1, opt_name=0x0, opt_id=0) at responder/nss/nsssrv_dp.c:145
145 conn = sbus_get_connection(rctx->dp_ctx->scon_ctx);
Missing separate debuginfos, use: debuginfo-install libselinux-2.0.78-1.fc10.x86_64
(gdb) bt
#0 0x000000000040b2cd in nss_dp_send_acct_req (rctx=0x1877a40, memctx=0x187f680, callback=0x4069f0 , callback_ctx=0x187fad0, timeout=100000, domain=0x1878e90 "TEST", type=1, opt_name=0x0, opt_id=0) at responder/nss/nsssrv_dp.c:145
#1 0x0000000000406e55 in nss_cmd_setpwent_ext (cctx=0x187d210, immediate=false) at responder/nss/nsssrv_cmd.c:967
#2 0x0000000000406fc7 in nss_cmd_setpwent (cctx=0x187d210) at responder/nss/nsssrv_cmd.c:1006
#3 0x000000000041b248 in sss_cmd_execute (cctx=0x187d210, sss_cmds=0x622860) at responder/common/responder_cmd.c:66
#4 0x0000000000419d5a in client_recv (ev=0x1876880, cctx=0x187d210) at responder/common/responder_common.c:120
#5 0x0000000000419efb in client_fd_handler (ev=0x1876880, fde=0x187cfb0, flags=1, ptr=0x187d210) at responder/common/responder_common.c:158
#6 0x0000003daba042bd in std_event_loop_select (std_ev=0x1876920, tvalp=0x7fffadd9c270) at tevent_standard.c:523
#7 0x0000003daba047fb in std_event_loop_once (ev=0x1876880) at tevent_standard.c:554
#8 0x0000003daba048ae in std_event_loop_wait (ev=0x1876880) at tevent_standard.c:567
#9 0x000000000040cd4a in server_loop (main_ctx=0x18769e0) at util/server.c:325
#10 0x000000000040465d in main (argc=1, argv=0x7fffadd9c4c8) at responder/nss/nsssrv.c:227

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Fri Mar 27 18:20:00 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 27 Mar 2009 14:20:00 -0400
Subject: [Freeipa-devel] [PATCH] refactor nss_ctx and other bugfixes
In-Reply-To: <49CD1658.4030808@redhat.com>
References: <1238176950.20998.19.camel@localhost.localdomain> <49CD1658.4030808@redhat.com>
Message-ID: <1238178000.20998.24.camel@localhost.localdomain>

On Fri, 2009-03-27 at 14:09 -0400, Stephen Gallagher wrote:
> Simo Sorce wrote:
> > Ok split my previous patch to fix the bug that Sumit found and another
> > segfault bug Steven found.
> >
> > So now we have a bugfix patch and the nss_ctx/resp_ctx refactoring as
> > separate patches.
> >
> > Simo.
> >
> Not your day, my friend:
>
> Core was generated by `/usr/libexec/sssd/sssd_nss'.
> Program terminated with signal 11, Segmentation fault.
> [New process 2801]
> #0 0x000000000040b2cd in nss_dp_send_acct_req (rctx=0x1877a40,
> memctx=0x187f680, callback=0x4069f0 ,
> callback_ctx=0x187fad0,
> timeout=100000, domain=0x1878e90 "TEST", type=1, opt_name=0x0,
> opt_id=0) at responder/nss/nsssrv_dp.c:145
> 145 conn = sbus_get_connection(rctx->dp_ctx->scon_ctx);
> Missing separate debuginfos, use: debuginfo-install
> libselinux-2.0.78-1.fc10.x86_64
> (gdb) bt
> #0 0x000000000040b2cd in nss_dp_send_acct_req (rctx=0x1877a40,
> memctx=0x187f680, callback=0x4069f0 ,
> callback_ctx=0x187fad0,
> timeout=100000, domain=0x1878e90 "TEST", type=1, opt_name=0x0,
> opt_id=0) at responder/nss/nsssrv_dp.c:145
> #1 0x0000000000406e55 in nss_cmd_setpwent_ext (cctx=0x187d210,
> immediate=false) at responder/nss/nsssrv_cmd.c:967
> #2 0x0000000000406fc7 in nss_cmd_setpwent (cctx=0x187d210) at
> responder/nss/nsssrv_cmd.c:1006
> #3 0x000000000041b248 in sss_cmd_execute (cctx=0x187d210,
> sss_cmds=0x622860) at responder/common/responder_cmd.c:66
> #4 0x0000000000419d5a in client_recv (ev=0x1876880, cctx=0x187d210) at
> responder/common/responder_common.c:120
> #5 0x0000000000419efb in client_fd_handler (ev=0x1876880,
> fde=0x187cfb0, flags=1, ptr=0x187d210) at
> responder/common/responder_common.c:158
> #6 0x0000003daba042bd in std_event_loop_select (std_ev=0x1876920,
> tvalp=0x7fffadd9c270) at tevent_standard.c:523
> #7 0x0000003daba047fb in std_event_loop_once (ev=0x1876880) at
> tevent_standard.c:554
> #8 0x0000003daba048ae in std_event_loop_wait (ev=0x1876880) at
> tevent_standard.c:567
> #9 0x000000000040cd4a in server_loop (main_ctx=0x18769e0) at
> util/server.c:325
> #10 0x000000000040465d in main (argc=1, argv=0x7fffadd9c4c8) at
> responder/nss/nsssrv.c:227
>

What operation were you performing?
Can't repro this one, all getent calls I am performing seem to go
through just fine.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Fri Mar 27 18:24:03 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 27 Mar 2009 14:24:03 -0400
Subject: [Freeipa-devel] [PATCH] refactor nss_ctx and other bugfixes
In-Reply-To: <1238178000.20998.24.camel@localhost.localdomain>
References: <1238176950.20998.19.camel@localhost.localdomain> <49CD1658.4030808@redhat.com> <1238178000.20998.24.camel@localhost.localdomain>
Message-ID: <49CD19C3.2000906@redhat.com>

Simo Sorce wrote:
> On Fri, 2009-03-27 at 14:09 -0400, Stephen Gallagher wrote:
>> Simo Sorce wrote:
>>> Ok split my previous patch to fix the bug that Sumit found and another
>>> segfault bug Steven found.
>>>
>>> So now we have a bugfix patch and the nss_ctx/resp_ctx refactoring as
>>> separate patches.
>>>
>>> Simo.
>>>
>
>> Not your day, my friend:
>>
>> Core was generated by `/usr/libexec/sssd/sssd_nss'.
>> Program terminated with signal 11, Segmentation fault.
>> [New process 2801]
>> #0 0x000000000040b2cd in nss_dp_send_acct_req (rctx=0x1877a40,
>> memctx=0x187f680, callback=0x4069f0 ,
>> callback_ctx=0x187fad0,
>> timeout=100000, domain=0x1878e90 "TEST", type=1, opt_name=0x0,
>> opt_id=0) at responder/nss/nsssrv_dp.c:145
>> 145 conn = sbus_get_connection(rctx->dp_ctx->scon_ctx);
>> Missing separate debuginfos, use: debuginfo-install
>> libselinux-2.0.78-1.fc10.x86_64
>> (gdb) bt
>> #0 0x000000000040b2cd in nss_dp_send_acct_req (rctx=0x1877a40,
>> memctx=0x187f680, callback=0x4069f0 ,
>> callback_ctx=0x187fad0,
>> timeout=100000, domain=0x1878e90 "TEST", type=1, opt_name=0x0,
>> opt_id=0) at responder/nss/nsssrv_dp.c:145
>> #1 0x0000000000406e55 in nss_cmd_setpwent_ext (cctx=0x187d210,
>> immediate=false) at responder/nss/nsssrv_cmd.c:967
>> #2 0x0000000000406fc7 in nss_cmd_setpwent (cctx=0x187d210) at
>> responder/nss/nsssrv_cmd.c:1006
>> #3 0x000000000041b248 in sss_cmd_execute (cctx=0x187d210,
>> sss_cmds=0x622860) at responder/common/responder_cmd.c:66
>> #4 0x0000000000419d5a in client_recv (ev=0x1876880, cctx=0x187d210) at
>> responder/common/responder_common.c:120
>> #5 0x0000000000419efb in client_fd_handler (ev=0x1876880,
>> fde=0x187cfb0, flags=1, ptr=0x187d210) at
>> responder/common/responder_common.c:158
>> #6 0x0000003daba042bd in std_event_loop_select (std_ev=0x1876920,
>> tvalp=0x7fffadd9c270) at tevent_standard.c:523
>> #7 0x0000003daba047fb in std_event_loop_once (ev=0x1876880) at
>> tevent_standard.c:554
>> #8 0x0000003daba048ae in std_event_loop_wait (ev=0x1876880) at
>> tevent_standard.c:567
>> #9 0x000000000040cd4a in server_loop (main_ctx=0x18769e0) at
>> util/server.c:325
>> #10 0x000000000040465d in main (argc=1, argv=0x7fffadd9c4c8) at
>> responder/nss/nsssrv.c:227
>>
>
> What operation were you performing?
> Can't repro this one, all getent calls I am performing seem to go
> through just fine.
>
> Simo.
>

Same as before "getent passwd".

Here's my confdb:

# record 1
dn: cn=dp,cn=services,cn=config
cn: dp
description: Data Provider Configuration
timeout: 20
command: /usr/libexec/sssd/sssd_dp
distinguishedName: cn=dp,cn=services,cn=config

# record 2
dn: cn=TEST,cn=domains,cn=config
cn: TEST
description: TEST Ldap domain
provider: proxy
libName: ldap
libPath: /usr/lib64/libnss_ldap.so.2
legacy: TRUE
timeout: 20
enumerate: 3
command: /usr/libexec/sssd/sssd_be --provider proxy --domain TEST
distinguishedName: cn=TEST,cn=domains,cn=config

# record 3
dn: cn=config
cn: config
version: 0.1
distinguishedName: cn=config

# record 4
dn: cn=nss,cn=services,cn=config
cn: nss
description: NSS Responder Configuration
unixSocket: /var/lib/sss/pipes/sssd_nss
timeout: 20
command: /usr/libexec/sssd/sssd_nss
distinguishedName: cn=nss,cn=services,cn=config

# record 5
dn: cn=services,cn=config
cn: services
description: Local service configuration
activeServices: dp
activeServices: pam
activeServices: nss
distinguishedName: cn=services,cn=config

# record 6
dn: cn=info,cn=services,cn=config
cn: info
description: InfoPipe Configuration
command: /usr/libexec/sssd/sssd_info
timeout: 20
distinguishedName: cn=info,cn=services,cn=config

# record 7
dn: @BASEINFO
sequenceNumber: 61
whenChanged: 20090327105622.0Z
distinguishedName: @BASEINFO

# record 8
dn: cn=pam,cn=services,cn=config
cn: pam
description: PAM Responder Configuration
unixSocket: /var/lib/sss/pipes/pam
timeout: 20
command: /usr/libexec/sssd/sssd_pam
distinguishedName: cn=pam,cn=services,cn=config

# record 9
dn: cn=domains,cn=config
cn: domains
description: Domains served by SSSD
default: LOCAL
distinguishedName: cn=domains,cn=config

# record 10
dn: cn=LOCAL,cn=domains,cn=config
cn: LOCAL
description: Reserved domain for local configurations
enumerate: 3
magicPrivateGroups: TRUE
distinguishedName: cn=LOCAL,cn=domains,cn=config

# returned 10 records
# 10 entries
# 0 referrals

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Fri Mar 27 18:57:39 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 27 Mar 2009 14:57:39 -0400
Subject: [Freeipa-devel] [PATCH] refactor nss_ctx and other bugfixes
In-Reply-To: <49CD1658.4030808@redhat.com>
References: <1238176950.20998.19.camel@localhost.localdomain> <49CD1658.4030808@redhat.com>
Message-ID: <1238180259.20998.26.camel@localhost.localdomain>

On Fri, 2009-03-27 at 14:09 -0400, Stephen Gallagher wrote:

> Not your day, my friend:
>
> Core was generated by `/usr/libexec/sssd/sssd_nss'.
> Program terminated with signal 11, Segmentation fault.
> [New process 2801]
> #0 0x000000000040b2cd in nss_dp_send_acct_req (rctx=0x1877a40,
> memctx=0x187f680, callback=0x4069f0 ,
> callback_ctx=0x187fad0,
> timeout=100000, domain=0x1878e90 "TEST", type=1, opt_name=0x0,
> opt_id=0) at responder/nss/nsssrv_dp.c:145
> 145 conn = sbus_get_connection(rctx->dp_ctx->scon_ctx);
> Missing separate debuginfos, use: debuginfo-install
> libselinux-2.0.78-1.fc10.x86_64
> (gdb) bt
> #0 0x000000000040b2cd in nss_dp_send_acct_req (rctx=0x1877a40,
> memctx=0x187f680, callback=0x4069f0 ,
> callback_ctx=0x187fad0,
> timeout=100000, domain=0x1878e90 "TEST", type=1, opt_name=0x0,
> opt_id=0) at responder/nss/nsssrv_dp.c:145
> #1 0x0000000000406e55 in nss_cmd_setpwent_ext (cctx=0x187d210,
> immediate=false) at responder/nss/nsssrv_cmd.c:967
> #2 0x0000000000406fc7 in nss_cmd_setpwent (cctx=0x187d210) at
> responder/nss/nsssrv_cmd.c:1006
> #3 0x000000000041b248 in sss_cmd_execute (cctx=0x187d210,
> sss_cmds=0x622860) at responder/common/responder_cmd.c:66
> #4 0x0000000000419d5a in client_recv (ev=0x1876880, cctx=0x187d210) at
> responder/common/responder_common.c:120
> #5 0x0000000000419efb in client_fd_handler (ev=0x1876880,
> fde=0x187cfb0, flags=1, ptr=0x187d210) at
> responder/common/responder_common.c:158
> #6 0x0000003daba042bd in std_event_loop_select (std_ev=0x1876920,
> tvalp=0x7fffadd9c270) at tevent_standard.c:523
> #7 0x0000003daba047fb in std_event_loop_once (ev=0x1876880) at
> tevent_standard.c:554
> #8 0x0000003daba048ae in std_event_loop_wait (ev=0x1876880) at
> tevent_standard.c:567
> #9 0x000000000040cd4a in server_loop (main_ctx=0x18769e0) at
> util/server.c:325
> #10 0x000000000040465d in main (argc=1, argv=0x7fffadd9c4c8) at
> responder/nss/nsssrv.c:227
>

Ok I have a theory that the initial reconnection code may not be kicking
in in time in some cases that I do not experience.

attached a bandaid patch, the code responsible for this should be
replaced by your new reconnection code anyway.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-potential-segfault-if-dp_ctx-is-still-NULL.patch
Type: text/x-patch
Size: 1166 bytes
Desc: not available
URL:

From sgallagh at redhat.com Fri Mar 27 19:08:23 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 27 Mar 2009 15:08:23 -0400
Subject: [Freeipa-devel] [PATCH] refactor nss_ctx and other bugfixes
In-Reply-To: <1238180259.20998.26.camel@localhost.localdomain>
References: <1238176950.20998.19.camel@localhost.localdomain> <49CD1658.4030808@redhat.com> <1238180259.20998.26.camel@localhost.localdomain>
Message-ID: <49CD2427.4080800@redhat.com>

Simo Sorce wrote:
> On Fri, 2009-03-27 at 14:09 -0400, Stephen Gallagher wrote:
>
>> Not your day, my friend:
>>
>> Core was generated by `/usr/libexec/sssd/sssd_nss'.
>> Program terminated with signal 11, Segmentation fault.
>> [New process 2801]
>> #0 0x000000000040b2cd in nss_dp_send_acct_req (rctx=0x1877a40,
>> memctx=0x187f680, callback=0x4069f0 ,
>> callback_ctx=0x187fad0,
>> timeout=100000, domain=0x1878e90 "TEST", type=1, opt_name=0x0,
>> opt_id=0) at responder/nss/nsssrv_dp.c:145
>> 145 conn = sbus_get_connection(rctx->dp_ctx->scon_ctx);
>> Missing separate debuginfos, use: debuginfo-install
>> libselinux-2.0.78-1.fc10.x86_64
>> (gdb) bt
>> #0 0x000000000040b2cd in nss_dp_send_acct_req (rctx=0x1877a40,
>> memctx=0x187f680, callback=0x4069f0 ,
>> callback_ctx=0x187fad0,
>> timeout=100000, domain=0x1878e90 "TEST", type=1, opt_name=0x0,
>> opt_id=0) at responder/nss/nsssrv_dp.c:145
>> #1 0x0000000000406e55 in nss_cmd_setpwent_ext (cctx=0x187d210,
>> immediate=false) at responder/nss/nsssrv_cmd.c:967
>> #2 0x0000000000406fc7 in nss_cmd_setpwent (cctx=0x187d210) at
>> responder/nss/nsssrv_cmd.c:1006
>> #3 0x000000000041b248 in sss_cmd_execute (cctx=0x187d210,
>> sss_cmds=0x622860) at responder/common/responder_cmd.c:66
>> #4 0x0000000000419d5a in client_recv (ev=0x1876880, cctx=0x187d210) at
>> responder/common/responder_common.c:120
>> #5 0x0000000000419efb in client_fd_handler (ev=0x1876880,
>> fde=0x187cfb0, flags=1, ptr=0x187d210) at
>> responder/common/responder_common.c:158
>> #6 0x0000003daba042bd in std_event_loop_select (std_ev=0x1876920,
>> tvalp=0x7fffadd9c270) at tevent_standard.c:523
>> #7 0x0000003daba047fb in std_event_loop_once (ev=0x1876880) at
>> tevent_standard.c:554
>> #8 0x0000003daba048ae in std_event_loop_wait (ev=0x1876880) at
>> tevent_standard.c:567
>> #9 0x000000000040cd4a in server_loop (main_ctx=0x18769e0) at
>> util/server.c:325
>> #10 0x000000000040465d in main (argc=1, argv=0x7fffadd9c4c8) at
>> responder/nss/nsssrv.c:227
>>
>
> Ok I have a theory that the initial reconnection code may not be kicking
> in in time in some cases that I do not experience.
>
> attached a bandaid patch, the code responsible for this should be
> replaced by your new reconnection code anyway.
>
> Simo.
>

Nack: this is insufficient as PAM is also vulnerable to this race condition.

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Fri Mar 27 19:16:33 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 27 Mar 2009 15:16:33 -0400
Subject: [Freeipa-devel] [PATCH] refactor nss_ctx and other bugfixes
In-Reply-To: <49CD2427.4080800@redhat.com>
References: <1238176950.20998.19.camel@localhost.localdomain> <49CD1658.4030808@redhat.com> <1238180259.20998.26.camel@localhost.localdomain> <49CD2427.4080800@redhat.com>
Message-ID: <1238181393.20998.30.camel@localhost.localdomain>

On Fri, 2009-03-27 at 15:08 -0400, Stephen Gallagher wrote:
>
> Nack: this is insufficient as PAM is also vulnerable to this race
> condition.

Ok attached yet another patch that applies the same fix to the pam
responder and also prints back a debug statement if the condition is
met.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-potential-segfault-if-dp_ctx-is-still-NULL.patch
Type: text/x-patch
Size: 2553 bytes
Desc: not available
URL:

From sgallagh at redhat.com Fri Mar 27 19:22:44 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 27 Mar 2009 15:22:44 -0400
Subject: [Freeipa-devel] [PATCH] refactor nss_ctx and other bugfixes
In-Reply-To: <1238181393.20998.30.camel@localhost.localdomain>
References: <1238176950.20998.19.camel@localhost.localdomain> <49CD1658.4030808@redhat.com> <1238180259.20998.26.camel@localhost.localdomain> <49CD2427.4080800@redhat.com> <1238181393.20998.30.camel@localhost.localdomain>
Message-ID: <49CD2784.40806@redhat.com>

Simo Sorce wrote:
> On Fri, 2009-03-27 at 15:08 -0400, Stephen Gallagher wrote:
>> Nack: this is insufficient as PAM is also vulnerable to this race
>> condition.
>
> Ok attached yet another patch that applies the same fix to the pam
> responder and also prints back a debug statement if the condition is
> met.
>
> Simo.

Ack

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Fri Mar 27 19:23:17 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 27 Mar 2009 15:23:17 -0400
Subject: [Freeipa-devel] [PATCH] refactor nss_ctx and other bugfixes
In-Reply-To: <49CD2784.40806@redhat.com>
References: <1238176950.20998.19.camel@localhost.localdomain> <49CD1658.4030808@redhat.com> <1238180259.20998.26.camel@localhost.localdomain> <49CD2427.4080800@redhat.com> <1238181393.20998.30.camel@localhost.localdomain> <49CD2784.40806@redhat.com>
Message-ID: <49CD27A5.4020208@redhat.com>

Stephen Gallagher wrote:
> Simo Sorce wrote:
>> On Fri, 2009-03-27 at 15:08 -0400, Stephen Gallagher wrote:
>>> Nack: this is insufficient as PAM is also vulnerable to this race
>>> condition.
>> Ok attached yet another patch that applies the same fix to the pam
>> responder and also prints back a debug statement if the condition is
>> met.
>
>> Simo.
>
> Ack
>

Sorry, clarifying: this is acking the original patch along with the band-aid

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Fri Mar 27 19:29:02 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 27 Mar 2009 15:29:02 -0400
Subject: [Freeipa-devel] [PATCH] refactor nss_ctx and other bugfixes
In-Reply-To: <49CD27A5.4020208@redhat.com>
References: <1238176950.20998.19.camel@localhost.localdomain> <49CD1658.4030808@redhat.com> <1238180259.20998.26.camel@localhost.localdomain> <49CD2427.4080800@redhat.com> <1238181393.20998.30.camel@localhost.localdomain> <49CD2784.40806@redhat.com> <49CD27A5.4020208@redhat.com>
Message-ID: <1238182142.20998.31.camel@localhost.localdomain>

On Fri, 2009-03-27 at 15:23 -0400, Stephen Gallagher wrote:
>
> Sorry, clarifying: this is acking the original patch along with the
> band-aid

Yup, pushed all three patches

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Mar 27 20:09:02 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 27 Mar 2009 16:09:02 -0400
Subject: [Freeipa-devel] [PATCH] add more delegation rules
In-Reply-To: <49CA4AEF.7070506@redhat.com>
References: <49CA4AEF.7070506@redhat.com>
Message-ID: <1238184542.20998.33.camel@localhost.localdomain>

On Wed, 2009-03-25 at 11:17 -0400, Rob Crittenden wrote:
> Fill in the ACIs and taskgroups for most of the plugins.
>
> This adds:
> group administration
> host administration
> host group administration
> delegation administration
> service administration
> automount administration
> netgroup administration
>
> So far I've focused on granting write/add/del permissions. At some
> point I may add in read/search ACIs as well.
>
> This still isn't going to, by default, allow one to grant write
> access
> to different containers as we still have a flat tree. The way that
> can
> be handled is by setting some attribute (say ou) to a value and then
> adding that to the ACI. How one would do this without manually
> updating
> the ACI by hand is still up in the air. It may be that we still won't
> support it directly but doing so will be a lot more possible in v2.

ack

although I wonder if just allowing 'add'/'delete' is always sufficient
and you don't need 'write' ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sbose at redhat.com Mon Mar 30 11:17:49 2009
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 30 Mar 2009 13:17:49 +0200
Subject: [Freeipa-devel] [PATCH] fixed two issues in the initial configuration
Message-ID: <49D0AA5D.2060609@redhat.com>

Hi,

I have found two problems with the initial configuration.

bye,
Sumit

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-fixed-two-issues-in-the-initial-configuration.patch
Type: text/x-patch
Size: 1315 bytes
Desc: not available
URL:

From sgallagh at redhat.com Mon Mar 30 11:27:46 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 30 Mar 2009 07:27:46 -0400
Subject: [Freeipa-devel] [PATCH] fixed two issues in the initial configuration
In-Reply-To: <49D0AA5D.2060609@redhat.com>
References: <49D0AA5D.2060609@redhat.com>
Message-ID: <49D0ACB2.3010303@redhat.com>

Sumit Bose wrote:
> Hi,
>
> I have found two problems with the initial configuration.
>
> bye,
> Sumit

Nack.

The val[1]=NULL; should be right after the declaration, otherwise the
command path, activeServices and PolicyKit settings would have the same
uninitialized values.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sbose at redhat.com Mon Mar 30 11:34:59 2009
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 30 Mar 2009 13:34:59 +0200
Subject: [Freeipa-devel] [PATCH] fixed two issues in the initial configuration
In-Reply-To: <49D0ACB2.3010303@redhat.com>
References: <49D0AA5D.2060609@redhat.com> <49D0ACB2.3010303@redhat.com>
Message-ID: <49D0AE63.7070905@redhat.com>

Stephen Gallagher wrote:
> Sumit Bose wrote:
>> Hi,
>
>> I have found two problems with the initial configuration.
>
>> bye,
>> Sumit
>
> Nack.
>
> The val[1]=NULL; should be right after the declaration, otherwise the
> command path, activeServices and PolicyKit settings would have the same
> uninitialized values.
>

Thanks, I didn't recognize the ifdef. New version attached.

bye,
Sumit

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-fixed-two-issues-in-the-initial-configuration.patch
Type: text/x-patch
Size: 1237 bytes
Desc: not available
URL:

From sgallagh at redhat.com Mon Mar 30 11:40:32 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 30 Mar 2009 07:40:32 -0400
Subject: [Freeipa-devel] [PATCH] fixed two issues in the initial configuration
In-Reply-To: <49D0AE63.7070905@redhat.com>
References: <49D0AA5D.2060609@redhat.com> <49D0ACB2.3010303@redhat.com> <49D0AE63.7070905@redhat.com>
Message-ID: <49D0AFB0.3020105@redhat.com>

Sumit Bose wrote:
> Stephen Gallagher wrote:
>> Sumit Bose wrote:
>>> Hi,
>>> I have found two problems with the initial configuration.
>>> bye,
>>> Sumit
>>
>> Nack.
>>
>> The val[1]=NULL; should be right after the declaration, otherwise the
>> command path, activeServices and PolicyKit settings would have the same
>> uninitialized values.
>>
> Thanks, I didn't recognize the ifdef. New version attached.
>
> bye,
> Sumit

Ack, and pushed to master.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Mon Mar 30 14:18:51 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 30 Mar 2009 10:18:51 -0400
Subject: [Freeipa-devel] [PATCH] add more delegation rules
In-Reply-To: <1238184542.20998.33.camel@localhost.localdomain>
References: <49CA4AEF.7070506@redhat.com> <1238184542.20998.33.camel@localhost.localdomain>
Message-ID: <49D0D4CB.2090605@redhat.com>

Simo Sorce wrote:
> On Wed, 2009-03-25 at 11:17 -0400, Rob Crittenden wrote:
>> Fill in the ACIs and taskgroups for most of the plugins.
>>
>> This adds:
>> group administration
>> host administration
>> host group administration
>> delegation administration
>> service administration
>> automount administration
>> netgroup administration
>>
>> So far I've focused on granting write/add/del permissions. At some
>> point I may add in read/search ACIs as well.
>>
>> This still isn't going to, by default, allow one to grant write
>> access
>> to different containers as we still have a flat tree. The way that
>> can
>> be handled is by setting some attribute (say ou) to a value and then
>> adding that to the ACI. How one would do this without manually
>> updating
>> the ACI by hand is still up in the air. It may be that we still won't
>> support it directly but doing so will be a lot more possible in v2.
>
> ack
>
> although I wonder if just allowing 'add'/'delete' is always sufficient
> and you don't need 'write' ?
>
> Simo.
>

add lets you write any attribute during entry creation. Likewise delete
permission lets you delete an entire entry, even if you lack write
permission on one or more of the attributes.

rob

From sgallagh at redhat.com Mon Mar 30 20:53:03 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 30 Mar 2009 16:53:03 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Build the sss_client code in the same tree as the server
Message-ID: <49D1312F.2040000@redhat.com>

Move the contents of the sss_client tree into the server directory
so that we can build them from a common makefile and build command.

This will allow us to share a config.h between the server and
client so we don't have to separately configure pipe paths on both
sides so they are in agreement.

This code also modifies the monitor so the service pipe is always
fixed at compile-time, rather than at runtime. Allowing the monitor
to change pipes while running adds needless complexity to config
reloading.

This patch is not nearly as large as it looks, since it also includes
moving sss_client/* to server/sss_client/* with very few changes (only
sss_cli.h changed).

This patch is also (provisionally) pushed to
http://fedorapeople.org/gitweb?p=sgallagh/public_git/sssd.git;a=commit;h=bfff6c844273444bbf3e2609f8df1372f110c0f1
so it's easier to verify that only the one file changed during the move.

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Build-the-sss_client-code-in-the-same-tree-as-the-se.patch
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
URL:

From ssorce at redhat.com Mon Mar 30 21:47:57 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 30 Mar 2009 17:47:57 -0400
Subject: [Freeipa-devel] [PATCH][SSSD] Build the sss_client code in the same tree as the server
In-Reply-To: <49D1312F.2040000@redhat.com>
References: <49D1312F.2040000@redhat.com>
Message-ID: <1238449677.3597.37.camel@localhost.localdomain>

On Mon, 2009-03-30 at 16:53 -0400, Stephen Gallagher wrote:
> Move the contents of the sss_client tree into the server directory
> so that we can build them from a common makefile and build command.
>
> This will allow us to share a config.h between the server and
> client so we don't have to separately configure pipe paths on both
> sides so they are in agreement.
>
> This code also modifies the monitor so the service pipe is always
> fixed at compile-time, rather than at runtime. Allowing the monitor
> to change pipes while running adds needless complexity to config
> reloading.
>
> This patch is not nearly as large as it looks, since it also includes
> moving sss_client/* to server/sss_client/* with very few changes (only
> sss_cli.h changed).
>
> This patch is also (provisionally) pushed to
> http://fedorapeople.org/gitweb?p=sgallagh/public_git/sssd.git;a=commit;h=bfff6c844273444bbf3e2609f8df1372f110c0f1
> so it's easier to verify that only the one file changed during the
> move.

I am not sure I agree with moving sss_client into server.
If the reason is just so that we can build them at the same time and
have just one config.h I would rather explore the chance of moving
configure and makefiles into the root and leave the code where it is
now. But I would like to discuss merit and cons of both approaches.

I still also like the ability to build them separately because on
systems that have both 32 and 64 bit libraries you will want to build
the client both for 32bit and 64bit while the server will probably just
be 64 bit, and you don't want to build it 32bit again nor install the
32 bit version of the server.

So whatever the final shape it must be possible to build just the
client if needed.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sbose at redhat.com Tue Mar 31 13:50:45 2009
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 31 Mar 2009 15:50:45 +0200
Subject: [Freeipa-devel] [PATCH] allow compilation with older version of dbus
Message-ID: <49D21FB5.6080306@redhat.com>

Hi,

there was an API change in dbus around version 1.1.1. This patch checks
for the new API call dbus_watch_get_unix_fd and sets a definition in
config.h if found. I found AC_CHECK_FUNC and AC_DEFINE reasonable to
handle this but I'm open to change it if we prefer a different way.

bye,
Sumit

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-allow-compilation-with-older-version-of-dbus.patch
Type: text/x-patch
Size: 2045 bytes
Desc: not available
URL:

From ssorce at redhat.com Tue Mar 31 14:07:14 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 31 Mar 2009 10:07:14 -0400
Subject: [Freeipa-devel] [PATCH] allow compilation with older version of dbus
In-Reply-To: <49D21FB5.6080306@redhat.com>
References: <49D21FB5.6080306@redhat.com>
Message-ID: <1238508434.4858.5.camel@localhost.localdomain>

On Tue, 2009-03-31 at 15:50 +0200, Sumit Bose wrote:
> there was an API change in dbus around version 1.1.1. This patch
> checks
> for the new API call dbus_watch_get_unix_fd and sets a definition in
> config.h if found. I found AC_CHECK_FUNC and AC_DEFINE reasonable to
> handle this but I'm open to change it if we prefer a different way.

Should we just fail if we do not have dbus >= 1.1.1 ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Tue Mar 31 14:11:07 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 31 Mar 2009 10:11:07 -0400
Subject: [Freeipa-devel] [PATCH] tentative reworking of parse name and filters
Message-ID: <1238508667.4858.9.camel@localhost.localdomain>

While working on making it possible to have multiple domains that do not
require to use fully qualified names I found myself changing how we
parse names and how we could filter names.

This patch works here, although I am not 100% satisfied yet.
I will probably build more on top of it unless someone vehemently
disagrees with something in this patch.

Please look at how nss_parse_name works, and how permanent filtering
works right now.

If there are no strongly negative comments then we can push it and
eventually work on improving things, if necessary, later.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-a-more-flexible-way-to-parse-and-filter-names.patch
Type: text/x-patch
Size: 66353 bytes
Desc: not available
URL:

From sbose at redhat.com Tue Mar 31 14:43:09 2009
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 31 Mar 2009 16:43:09 +0200
Subject: [Freeipa-devel] [PATCH] allow compilation with older version of dbus
In-Reply-To: <1238508434.4858.5.camel@localhost.localdomain>
References: <49D21FB5.6080306@redhat.com> <1238508434.4858.5.camel@localhost.localdomain>
Message-ID: <49D22BFD.70809@redhat.com>

Simo Sorce wrote:
> On Tue, 2009-03-31 at 15:50 +0200, Sumit Bose wrote:
>> there was an API change in dbus around version 1.1.1. This patch
>> checks
>> for the new API call dbus_watch_get_unix_fd and sets a definition in
>> config.h if found. I found AC_CHECK_FUNC and AC_DEFINE reasonable to
>> handle this but I'm open to change it if we prefer a different way.
>
> Should we just fail if we do not have dbus >= 1.1.1 ?
>

Many still-widespread distributions, like SLES10 and RHEL versions
before 5.3, are using a dbus version lower than 1.1.1. It would be nice
if we can support them.

bye,
Sumit

From ssorce at redhat.com Tue Mar 31 14:52:52 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 31 Mar 2009 10:52:52 -0400
Subject: [Freeipa-devel] [PATCH] allow compilation with older version of dbus
In-Reply-To: <49D22BFD.70809@redhat.com>
References: <49D21FB5.6080306@redhat.com> <1238508434.4858.5.camel@localhost.localdomain> <49D22BFD.70809@redhat.com>
Message-ID: <1238511172.4858.14.camel@localhost.localdomain>

On Tue, 2009-03-31 at 16:43 +0200, Sumit Bose wrote:
> Simo Sorce wrote:
> > On Tue, 2009-03-31 at 15:50 +0200, Sumit Bose wrote:
> >> there was an API change in dbus around version 1.1.1. This patch
> >> checks
> >> for the new API call dbus_watch_get_unix_fd and sets a definition in
> >> config.h if found. I found AC_CHECK_FUNC and AC_DEFINE reasonable to
> >> handle this but I'm open to change it if we prefer a different way.
> >
> > Should we just fail if we do not have dbus >= 1.1.1 ?
> >
> Many still-widespread distributions, like SLES10 and RHEL versions
> before 5.3, are using a dbus version lower than 1.1.1. It would be nice
> if we can support them.

ok then it's an ack.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jderose at redhat.com Tue Mar 31 15:44:11 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Tue, 31 Mar 2009 09:44:11 -0600
Subject: [Freeipa-devel] [PATCH] jderose 001 plugin module name cleanup
Message-ID: <1238514251.8656.10.camel@jgd-dsk>

This patch renames the remaining plugin modules still using the bad f_*
b_* naming convention that I started. The renames are as follows:

ipalib/plugins/f_application.py -> ipalib/plugins/application.py
ipalib/plugins/f_automount.py -> ipalib/plugins/automount.py
ipalib/plugins/f_defaultoptions.py -> ipalib/plugins/defaultoptions.py
ipalib/plugins/f_delegation.py -> ipalib/plugins/delegation.py
ipalib/plugins/f_host.py -> ipalib/plugins/host.py
ipalib/plugins/b_kerberos.py -> ipalib/plugins/kerberos.py
ipalib/plugins/f_passwd.py -> ipalib/plugins/passwd.py
ipalib/plugins/f_pwpolicy.py -> ipalib/plugins/pwpolicy.py
ipalib/plugins/f_service.py -> ipalib/plugins/service.py
ipalib/plugins/f_user.py -> ipalib/plugins/user.py
ipaserver/plugins/b_ldap.py -> ipaserver/plugins/ldap.py

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jderose-001-plugin-module-name-cleanup.patch
Type: text/x-patch
Size: 183717 bytes
Desc: not available
URL:

From sbose at redhat.com Tue Mar 31 17:44:44 2009
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 31 Mar 2009 19:44:44 +0200
Subject: [Freeipa-devel] sssd on suse
Message-ID: <49D2568C.4020805@redhat.com>

Hi,

I have built sssd-0.2.1 (the current F11 version) for some suse
versions. You can find them in
http://download.opensuse.org/repositories/home:/sbose/ .

Especially for SLES10 the following patches were needed. I do not think
that we should include any of the patches, but maybe they help porting
to other platforms.

bye,
Sumit

- older version of autotools:
diff -Nurb sssd-0.2.1/server/configure.ac new-sssd-0.2.1//server/configure.ac --- sssd-0.2.1/server/configure.ac 2009-03-10 22:26:55.000000000 +0100 +++ new-sssd-0.2.1//server/configure.ac 2009-03-31 17:46:13.000000000 +0200 
@@ -29,7 +29,7 @@ SSSD_LIBEXEC_PATH=$libexecdir/$PACKAGE_NAME AC_SUBST(SSSD_LIBEXEC_PATH) -SSSD_INTROSPECT_PATH=$datarootdir/$PACKAGE_NAME/introspect +SSSD_INTROSPECT_PATH=$datadir/$PACKAGE_NAME/introspect AC_SUBST(SSSD_INTROSPECT_PATH) m4_include(build_macros.m4) - pre 1.0.0 version of dbus diff -Nurb sssd-0.2.1/server/infopipe/infopipe.h new-sssd-0.2.1//server/infopipe/infopipe.h --- sssd-0.2.1/server/infopipe/infopipe.h 2009-03-10 22:26:55.000000000 +0100 +++ new-sssd-0.2.1//server/infopipe/infopipe.h 2009-03-31 17:05:58.000000000 +0200 @@ -25,6 +25,10 @@ #include #include "sbus/sssd_dbus.h" +#ifndef DBUS_ERROR_FILE_EXISTS +#define DBUS_ERROR_FILE_EXISTS "org.freedesktop.DBus.Error.FileExists" +#endif + #define INFP_INTROSPECT_XML "infopipe/org.freeipa.sssd.infopipe.Introspect.xml" #define INFOPIPE_DBUS_NAME "org.freeipa.sssd.infopipe1" - LBS style init diff -Nurb sssd-0.2.1/server/sysv/sssd new-sssd-0.2.1//server/sysv/sssd --- sssd-0.2.1/server/sysv/sssd 2009-03-10 22:26:55.000000000 +0100 +++ new-sssd-0.2.1//server/sysv/sssd 2009-03-30 19:54:35.000000000 +0200 @@ -1,5 +1,21 @@ #!/bin/sh # +### BEGIN INIT INFO +# Provides: sssd +# Required-Start: $remote_fs $time +# Should-Start: $syslog +# Should-Stop: $null +# Required-Stop: $null +# Default-Start: 3 5 +# Default-Stop: 0 1 2 6 +# Short-Description: System Security Services Daemon +# Description: Provides a set of daemons to manage access to remote directories +# and authentication mechanisms. It provides an NSS and PAM +# interface toward the system and a pluggable backend system to +# connect to multiple different account sources. It is also the +# basis to provide client auditing and policy services for projects +# like FreeIPA. +### END INIT INFO # # chkconfig: - 30 80 # description: Provides a set of daemons to manage access to remote directories 
@@ -14,7 +30,7 @@ prog="sssd" # Source function library. -. /etc/init.d/functions +test -r /etc/init.d/functions && . /etc/init.d/functions SSSD=/usr/sbin/sssd - older version of pam diff -Nurb sssd-0.2.1/sss_client/pam_sss.c new-sssd-0.2.1//sss_client/pam_sss.c --- sssd-0.2.1/sss_client/pam_sss.c 2009-03-10 22:26:55.000000000 +0100 +++ new-sssd-0.2.1//sss_client/pam_sss.c 2009-03-31 17:02:51.000000000 +0200 @@ -11,6 +11,19 @@ #include #include +/* for older suse versions */ +#ifndef _pam_overwrite_n +#define _pam_overwrite_n(x,n) \ +do { \ + register char *__xx__; \ + register unsigned int __i__ = 0; \ + if ((__xx__=(x))) \ + for (;__i__ References: <49D2568C.4020805@redhat.com> Message-ID: <1238522008.4858.37.camel@localhost.localdomain> On Tue, 2009-03-31 at 19:44 +0200, Sumit Bose wrote: > #include > > +/* for older suse versions */ > +#ifndef _pam_overwrite_n > +#define _pam_overwrite_n(x,n) \ > +do { \ > + register char *__xx__; \ > + register unsigned int __i__ = 0; \ > + if ((__xx__=(x))) \ Are you really ^^^ checking that x != 0 while at the same time assigning it to __xx__ ? If so at least a comment is warrant. Attached how I'd write it if checking x for NULL is the point with the same number of lines but in a much cleaner way (IMO). > + for (;__i__ + __xx__[__i__] = 0; \ > +} while (0) > +#endif > + > + > #include "sss_cli.h" #define _pam_overwrite_n(x,n) \ do { \ register char *__xx__; \ register unsigned int __i__ = 0; \ if (!(x)) break; \ for (__xx__=(x); __i__ < n; __i__++) \ __xx__[__i__] = 0; \ } while (0) Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Mar 31 17:54:30 2009 
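Review bot: in server/infopipe/infopipe.h the fallback `#define DBUS_ERROR_FILE_EXISTS` lives in the infopipe header, so only files that include infopipe.h get it when building against a pre-1.0.0 dbus. Since `sbus/sssd_dbus.h` is included just above the new `#ifndef`, the block would be better placed in that header, with a one-line comment saying it is a compatibility definition for older dbus.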
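Review bot: the LSB block added at the top of server/sysv/sssd declares `Default-Start: 3 5`, while the existing `# chkconfig: - 30 80` line kept right below it asks for no default runlevels, so the two headers disagree on whether the service is enabled after installation. Decide on one policy and make both headers state it.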
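Review bot: `test -r /etc/init.d/functions && . /etc/init.d/functions` in the second server/sysv/sssd hunk makes a missing function library silent, so any helper the rest of the script takes from that file will be undefined at the point of use. Either define fallbacks for those helpers when the file is absent, or print an error and exit non-zero here.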
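Review bot: the `_pam_overwrite_n` fallback added to sss_client/pam_sss.c clears the buffer with plain stores (`__xx__[__i__] = 0`) through a non-volatile pointer, which an optimising compiler is allowed to drop when the buffer is freed or goes out of scope straight afterwards. Writing through a `volatile char *` keeps the scrub in the generated code. The hunk also adds two blank lines before `#include "sss_cli.h"` where one would do.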
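The rewritten fallback from Simo's reply above, exercised next to a function form, as an added example that is not code from the thread or from sssd. `scrub_n`, `fetch_token` and the sample token are hypothetical names, and `n` is parenthesised here; the block shows that both forms tolerate NULL and that the macro evaluates its argument expression twice.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fallback in the shape proposed in the reply: explicit NULL test first,
 * assignment afterwards. Compiled only when no PAM header defines it. */
#ifndef _pam_overwrite_n
#define _pam_overwrite_n(x, n)                    \
do {                                              \
    register char *__xx__;                        \
    register unsigned int __i__ = 0;              \
    if (!(x)) break;                              \
    for (__xx__ = (x); __i__ < (n); __i__++)      \
        __xx__[__i__] = 0;                        \
} while (0)
#endif

/* Hypothetical helper (assumption, not part of PAM or sssd): the same scrub
 * as a function. The argument is evaluated once, and the volatile-qualified
 * pointer keeps the compiler from discarding the stores. */
static void scrub_n(char *buf, size_t n)
{
    volatile char *p = buf;

    if (p == NULL)
        return;
    while (n-- > 0)
        *p++ = 0;
}

/* Constructed sample data standing in for an authentication token. */
static char token[16];
static int fetches;

static void fill_token(void)
{
    memset(token, 'A', sizeof(token));
    fetches = 0;
}

/* Returns the buffer and counts how often the caller evaluated the call. */
static char *fetch_token(void)
{
    fetches++;
    return token;
}

static size_t nonzero_bytes(void)
{
    size_t i, left = 0;

    for (i = 0; i < sizeof(token); i++)
        if (token[i] != 0)
            left++;
    return left;
}

/* Scrub the first n bytes with the macro; report bytes still holding data. */
size_t left_after_macro(unsigned int n)
{
    fill_token();
    _pam_overwrite_n(fetch_token(), n);
    return nonzero_bytes();
}

/* Same with the function form. */
size_t left_after_scrub(size_t n)
{
    fill_token();
    scrub_n(fetch_token(), n);
    return nonzero_bytes();
}

/* How many times the argument expression ran during the last scrub. */
int last_fetches(void)
{
    return fetches;
}

/* Both forms must accept a NULL token and leave other memory alone. */
int null_is_tolerated(void)
{
    char *none = NULL;

    fill_token();
    _pam_overwrite_n(none, 8u);
    scrub_n(none, 8);
    return nonzero_bytes() == sizeof(token);
}

int main(void)
{
    size_t left = left_after_macro(8);
    int evals = last_fetches();

    printf("macro:    %zu bytes left, argument evaluated %d time(s)\n", left, evals);
    left = left_after_scrub(8);
    evals = last_fetches();
    printf("function: %zu bytes left, argument evaluated %d time(s)\n", left, evals);
    printf("NULL tolerated: %d\n", null_is_tolerated());
    return 0;
}
```
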
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 31 Mar 2009 13:54:30 -0400
Subject: [Freeipa-devel] sssd on suse
In-Reply-To: <49D2568C.4020805@redhat.com>
References: <49D2568C.4020805@redhat.com>
Message-ID: <1238522070.4858.38.camel@localhost.localdomain>

On Tue, 2009-03-31 at 19:44 +0200, Sumit Bose wrote:
>
> Hi,
>
> I have built sssd-0.2.1 (the current F11 version) for some suse
> versions. You can find them in
> http://download.opensuse.org/repositories/home:/sbose/ .

Very cool, it's nice to see that we do not have any more fedora-isms
than your patches would suggest :-)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jhrozek at redhat.com Tue Mar 31 18:06:06 2009
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 31 Mar 2009 20:06:06 +0200
Subject: [Freeipa-devel] sssd on suse
In-Reply-To: <49D2568C.4020805@redhat.com>
References: <49D2568C.4020805@redhat.com>
Message-ID: <1238522766.2826.15.camel@zeppelin.englab.brq.redhat.com>

On Tue, 2009-03-31 at 19:44 +0200, Sumit Bose wrote:
> Especially for SLES10 the following patches were needed. I do not
> think
> that we should include any of the patches, but maybe they help porting
> to other platforms.

I think we can merge the initscript patch. Per looking at Fedora
initscript guidelines, the Provides, Should-Start,... directives (a.k.a.
the LSB header) are now even suggested part of an initscript.

(I copied the initscript from an older package of mine that did not
have them yet.)

Jakub

From pzuna at redhat.com Tue Mar 31 18:11:04 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 31 Mar 2009 20:11:04 +0200
Subject: [Freeipa-devel] new ldap backend
In-Reply-To: <1238048491.11778.118.camel@jgd-dsk>
References: <49C91746.9090009@redhat.com> <1238048491.11778.118.camel@jgd-dsk>
Message-ID: <49D25CB8.4060307@redhat.com>

Jason Gerard DeRose wrote:
> On Tue, 2009-03-24 at 18:24 +0100, Pavel Zuna wrote:
>> Dear freeipa-devel,
>> here's the current state of the new LDAP backend, that will hopefully replace
>> the old one someday. If you find something wrong with the functionality or
>> interface, please tell me. Even if you spot a typo, or just don't like my coding
>> style - anything that helps me make it better is welcome.
>>
>> I also included a (dirty) testing module for reference. It might give you a
>> better understanding of how the code should actually work in action.
>>
>> Thanks,
>> Pavel
>
> This code is really looking good, Pavel! A lot of it is beyond my LDAP
> knowledge, so I can't comment on many of the particulars, but I do have
> some overall comments.
>
> 1. Make sure consumers of the API don't need to import the python-ldap
> bindings... I see a few places where you're using constants from
> _ldap (like in find_entries() line 382). I think it might be better to
> have these constants be specified with a str like 'subtree' instead of
> _ldap.SCOPE_SUBTREE (using a private dict to map to the python-ldap
> constant). If you don't like this idea, feel free to argue the point,
> but that's my gut feeling.

They shouldn't have to. There are class constants defined
(ldap2.SCOPE_SUBTREE etc.) - I just couldn't use them in the method
definition as default value.

> 2. Look for places where you can write tests that don't require
> connecting to a live LDAP server, and put these in the unit-tests in
> tests/. The more easy-to-run (non-invasive) tests we have the better.
> (Although most of your tests will necessarily be invasive, like the ones
> you already have in check-ldap2.py).

Ok.

> I think this code is ready for the next step: I think you should submit
> a patch, we'll get this into master, and then you should port a small
> number of command plugins (that talk to LDAP) to use ldap2. I think the
> user commands would probably be a good choice. Then you can go through
> a number of iterations in refining the new API, while only needing to
> update several reference commands that are using ldap2. Then once
> everyone feels ldap2 is ready, we can port all the commands to use it.

I'm going to submit the patch in a separate e-mail.

> I think you're on the right track and this looks like high quality code.
> Thanks for all your work!
>
> Cheers,
> Jason

I'm glad you like it. Thanks for the feedback and sorry for late reply.
I wanted to reply right away, but didn't and then forgot about it, as I
was busy with HBAC plugin.

Pavel

From pzuna at redhat.com Tue Mar 31 18:21:11 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 31 Mar 2009 20:21:11 +0200
Subject: [Freeipa-devel] [PATCH] Add 'container_hbac' env variable
Message-ID: <49D25F17.6040102@redhat.com>

Env variable used by HBAC management plugin. Submitting this now, so it
doesn't get in my way anymore. Plugin should follow in a couple of days.

Pavel

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Add-container_hbac-env-variable.patch
URL:

From pzuna at redhat.com Tue Mar 31 18:22:50 2009
From: pzuna at redhat.com (Pavel Zuna)
Date: Tue, 31 Mar 2009 20:22:50 +0200
Subject: [Freeipa-devel] [PATCH] Add new LDAP backend plugin
Message-ID: <49D25F7A.30404@redhat.com>

ldap2 I posted last week, this time as a patch.

Pavel

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Add-new-LDAP-backend-plugin.patch
URL: